Specifying and Restricting Ports

There are a variety of ports that are used to access Microsoft SQL Server 2005 Analysis Services (SSAS). The ports that a client uses depend on the Analysis Services configuration.

Following are the ports that are available for accessing Analysis Services:

  • The port that is used by Analysis Services.   Each instance of Analysis Services listens on a specific TCP/IP port for incoming client requests. The default instance of Analysis Services listens on TCP/IP port 2383, but named instances of Analysis Services do not use a default port. Named instances can use a variety of ports. For increased security, use a firewall to restrict user access to Analysis Services from the Internet.
  • The port that is used by Internet Information Services (IIS).   Users can also connect to an instance of Analysis Services through IIS. When you use a firewall to prevent direct access to Analysis Services from the Internet, you can use IIS to authenticate Internet users before they can connect to the instance of Analysis Services. When you use IIS, only the IIS port needs be open on the Internet firewall.

Restricting the TCP/IP Ports Used by Analysis Services

Although the default instance of Analysis Services listens on port 2383, the port that a named instance of Analysis Services uses varies. Each named instance listens either on the port that an Administrator specifies, or on the port that is dynamically assigned at startup. This variability among ports means that clients do not automatically know which port a particular named instance of Analysis Services is using, and therefore do not automatically know where to send their requests.

To make it easy for clients to send requests to named instances of Analysis Services, SQL Server has a service called SQL Server Browser. SQL Server Browser keeps track of the ports on which each named instance listens. Client connection requests for a named instance that do not specify a port number are directed to port 2382, the port on which SQL Server Browser listens. SQL Server Browser then redirects the request to the port that the named instance uses.

Users can also issue a discover request to SQL Server Browser for a list of the named instances running on the computer. In a secure, intranet environment, this ability to query SQL Server Browser for a list of named instances makes it easy for users to connect to those instances, and poses only a small security risk. However, this ability to query SQL Server Browser does pose security issues when clients can access Analysis Services from the Internet. To increase the security when instances of Analysis Services can be accessed over the Internet, disable SQL Server Browser, and thereby prevent users from discovering named instances of Analysis Services.

Restricting TCP/IP Ports Not Used by Analysis Services

To restrict TCP/IP ports that Analysis Services is not using, first review the ports that are active on the computer on which Analysis Services is running. This review process includes verifying which TCP/IP ports are listening and also verifying the status of the ports.

To verify which ports are listening, use the netstat command-line utility. In addition to displaying active TCP connections, the netstat utility also displays a variety of IP statistics and information.

To verify which TCP/IP ports are listening

  1. Open the Command Prompt window.

  2. At the command prompt, type netstat -n -a.

    The -n switch instructs netstat to numerically display the address and port number of active TCP connections. The -a switch instructs netstat to display the TCP and UPD ports on which the computer is listening.

To verify the status of the TCP/IP ports, use the PortQry utility. This command-line utility reports the status of TCP/IP ports as listening, not listening, or filtered. (With a filtered status, the port may or may not be listening; this status indicates that the utility did not receive a response from the port.) The PortQry utility is available for download from the Microsoft Download Center.

After you review which ports are active and the status of those ports, determine which of those ports are unnecessary for connecting to Analysis Services. Then, disable services on those unnecessary ports or restrict access to those ports by using a firewall.

Restricting IIS Ports

If users access Analysis Services through IIS and the Internet, you should deploy a firewall between the client and IIS. The firewall lets you restrict the ports through which users can access both IIS and the computer on which Analysis Services is running. For more information about firewalls, see Perimeter Firewall Design on Microsoft TechNet.

If you deploy a firewall, you have to open the port on which IIS is listening and specify that port in the client connection string. In this case, no ports have to be open for direct access to Analysis Services. The default port, 2382, should be restricted together with all other ports that are not required.

See Also

Concepts

Restricting Interactive Logon Access
Restricting Network Access
Disabling Unneeded Services
Granting Local Administrative Rights

Help and Information

Getting SQL Server 2005 Assistance