Configure a Windows Firewall for Access to the SSIS Service
Applies To: SQL Server 2016
The windowsfirewall system helps prevent unauthorized access to computer resources over a network connection. To access Integration Services through this firewall, you have to configure the firewall to enable access.
The Integration Services service uses the DCOM protocol. For more information about how the DCOM protocol works through firewalls, see the article, "Using Distributed COM with Firewalls," in the MSDN Library.
There are many firewall systems available. If you are running a firewall other than windowsfirewall, see your firewall documentation for information that is specific to the system you are using.
If the firewall supports application-level filtering, you can use the user interface that Windows provides to specify the exceptions that are allowed through the firewall, such as programs and services. Otherwise, you have to configure DCOM to use a limited set of TCP ports. The Microsoft website link previously provided includes information about how to specify the TCP ports to use.
The Integration Services service uses port 135, and the port cannot be changed. You have to open TCP port 135 for access to the service control manager (SCM). SCM performs tasks such as starting and stopping Integration Services services and transmitting control requests to the running service.
The information in the following section is specific to windowsfirewall. You can configure the windowsfirewall system by running a command at the command prompt, or by setting properties in the windowsfirewall dialog box.
For more information about the default windowsfirewall settings, and a description of the TCP ports that affect the Database Engine, Analysis Services, Reporting Services, and Integration Services, see Configure the Windows Firewall to Allow SQL Server Access.
You can use the following commands to open TCP port 135, add MsDtsSrvr.exe to the exception list, and specify the scope of unblocking for the firewall.
Run the command:
netsh firewall add portopening protocol=TCP port=135 name="RPC (TCP/135)" mode=ENABLE scope=SUBNET
Run the command:
netsh firewall add allowedprogram program="%ProgramFiles%\Microsoft SQL Server\100\DTS\Binn\MsDtsSrvr.exe" name="SSIS Service" scope=SUBNET
To open the firewall for all computers, and also for computers on the Internet, replace scope=SUBNET with scope=ALL.
The following procedure describes how to use the Windows user interface to open TCP port 135, add MsDtsSrvr.exe to the exception list, and specify the scope of unblocking for the firewall.
In the Control Panel, double-click Windows Firewall.
In the Windows Firewall dialog box, click the Exceptions tab and then click Add Program.
In the Add a Program dialog box, click Browse, navigate to the Program Files\Microsoft SQL Server\100\DTS\Binn folder, click MsDtsSrvr.exe, and then click Open. Click OK to close the Add a Program dialog box.
On the Exceptions tab, click Add Port.
In the Add a Port dialog box, type RPC(TCP/135) or another descriptive name in the Name box, type 135 in the Port Number box, and then select TCP.
Integration Services service always uses port 135. You cannot specify a different port.
In the Add a Port dialog box, you can optionally click Change Scope to modify the default scope.
In the Change Scope dialog box, select My network (subnet only) or type a custom list, and then click OK.
To close the Add a Port dialog box, click OK.
To close the Windows Firewall dialog box, click OK.
To configure the windowsfirewall, this procedure uses the Windows Firewall item in Control Panel. The Windows Firewall item only configures the firewall for the current network location profile. However, you can also configure the windowsfirewall by using the netsh command line tool or the Microsoft Management Console (MMC) snap-in named windowsfirewall with Advanced Security. For more information about these tools, see Configure the Windows Firewall to Allow SQL Server Access.