Server Network Configuration
Applies To: SQL Server 2016
Server network configuration tasks include enabling protocols, modifying the port or pipe used by a protocol, configuring encryption, configuring the SQL Server Browser service, exposing or hiding the SQL Server Database Engine on the network, and registering the Server Principal Name. Most of the time, you do not have to change the server network configuration. Only reconfigure the server network protocols if special network requirements.
Network configuration for SQL Server is done using SQL Server Configuration Manager. For earlier versions of SQL Server, use the Server Network Utility that ships with those products.
Use SQL Server Configuration Manager to enable or disable the protocols used by SQL Server, and to configure the options available for the protocols. More than one protocol can be enabled. You must enable all protocols that you want clients to use. All protocols have equal access to the server. For information about which protocols you should use, see Enable or Disable a Server Network Protocol.
You can configure the TCP/IP protocol to listen on a designated port. By default, the default instance of the Database Engine listens on TCP port 1433. Named instances of the Database Engine and SQL Server Compact are configured for dynamic ports. This means they select an available port when the SQL Server service is started. The SQL Server Browser service helps clients identify the port when they connect.
When configured for dynamic ports, the port used by SQL Server may change each time it is started. When connecting to SQL Server through a firewall, you must open the port used by SQL Server. Configure SQL Server to use a specific port, so you can configure the firewall to allow communication to the server. For more information, see Configure a Server to Listen on a Specific TCP Port (SQL Server Configuration Manager).
You can configure the named pipe protocol to listen on a designated named pipe. By default, the default instance of SQL Server Database Engine listens on pipe \\.\pipe\sql\query for the default instance and \\.\pipe\MSSQL$<instancename>\sql\query for a named instance. The Database Engine can only listen on one named pipe, but you can change the pipe to another name if you wish. The SQL Server Browser service helps clients identify the pipe when they connect. For more information, see Configure a Server to Listen on an Alternate Pipe (SQL Server Configuration Manager).
The Database Engine can be configured to require encryption when communicating with client applications. For more information, see Enable Encrypted Connections to the Database Engine (SQL Server Configuration Manager).
Support for Extended Protection for Authentication by using channel binding and service binding is available for operating systems that support Extended Protection. For more information, see Connect to the Database Engine Using Extended Protection.
SQL Server supports Kerberos authentication. For more information, see Register a Service Principal Name for Kerberos Connections and Microsoft Kerberos Configuration Manager for SQL Server.
The Kerberos authentication service uses an SPN to authenticate a service. For more information, see Register a Service Principal Name for Kerberos Connections.
SPNs may also be used to make client authentication more secure when connecting with NTLM. For more information, see Connect to the Database Engine Using Extended Protection.
The SQL Server Browser service runs on the server, and helps client computers to find instances of SQL Server. The SQL Server Browser service does not need to be configured, but must be running under some connection scenarios. For more information about SQL Server Browser, see SQL Server Browser Service (Database Engine and SSAS)
When running, SQL Server Browser responds to queries, with the name, version, and connection information for each installed instance. For SQL Server, the HideInstance flag, indicates that SQL Server Browser should not respond with information about this server instance. Client applications can still connect, but they must know the required connection information. For more information, see Hide an Instance of SQL Server Database Engine.