-
Notifications
You must be signed in to change notification settings - Fork 10
Setup Firewall Port Exceptions
| Previous Setup Windows Audit | Manual Install | Setup Network Adaptors Next |
|---|
FineBuild can set up Firewall Port Exceptions needed for SQL Server.
It is now standard practice to use the Windows Firewall facilities as one of the lines of defence around a server. FineBuild can open the ports needed in the Firewall to allow SQL Server to function correctly.
The following ports will be used by SQL Server. It is recommended that site-specific ports are used in place of the default values and that the SQL Server standard port 1433 remains blocked. The port values that are used will need to be configured into the firewall, so that client machines in different subnets can communicate with the SQL instance.
The ports used by SQL Server database engine are shown below. Replace MSSQLSERVER with the instance name actually installed and replace 1433 with the port number used for the instance. The Direction value is not relevant when installing on Windows 2003 or XP.
The ports used by SQL Server DB Engine are shown below:
| Name | Default Port | Type | Direction |
|---|---|---|---|
| SQL Server (MSSQLSERVER) | 1433 | TCP | In |
| SQL DAC | 1434 | TCP | In |
| SQL DB Mirroring | 5022 | TCP | In |
| SQL Browser | 1434 | UDP | In |
| SQL Service Broker | 4022 | TCP | In |
If Filestream is enabled, then the following ports are also opened:
| Name | Default Port | Type | Direction |
|---|---|---|---|
| SQL Filestream | 139 | TCP | In |
| SQL Filestream | 145 | TCP | In |
If PolyBase is enabled, then the following ports are also opened:
| Name | Default Port | Type | Direction |
|---|---|---|---|
| PolyBase | 16450-16460 | TCP | In |
The ports used by Analysis Services are shown below:
| Name | Default Port | Type | Direction |
|---|---|---|---|
| SQL Analysis Server | 2383 | TCP | In |
| SQL Browser | 2382 | TCP | In |
The ports used by Integration Services are shown below:
| Name | Default Port | Type | Direction |
|---|---|---|---|
| SQL RPC | 135 | TCP | In |
If SSIS Scaleout Master is installed, then the following ports are also opened:
| Name | Default Port | Type | Direction |
|---|---|---|---|
| SSIS Scaleout Master | 8391 | TCP | In |
The ports used by Reporting Services are shown below:
| Name | Default Port | Type | Direction |
|---|---|---|---|
| HTTP | 80 | TCP | In |
Firewall Port Exceptions configuration helps to reduce the network surface area available for attack. If you setup Security Compliance then Firewall Port Exceptions configuration will always be implemented.
Processing of Firewall Port Exceptions relates to Process Id 1DA in the FineBuild1Preparation script, and is controlled by the parameter below:
| SQL Version | Parameter | FULL Build | WORKSTATION Build | CLIENT Build |
|---|---|---|---|---|
| SQL2019 | /SetupFirewall: | Yes | Yes | Yes |
| SQL2017 | /SetupFirewall: | Yes | Yes | Yes |
| SQL2016 | /SetupFirewall: | Yes | Yes | Yes |
| SQL2014 | /SetupFirewall: | Yes | Yes | Yes |
| SQL2012 | /SetupFirewall: | Yes | Yes | Yes |
| SQL2008R2 | /SetupFirewall: | Yes | Yes | Yes |
| SQL2008 | /SetupFirewall: | Yes | Yes | Yes |
| SQL2005 | /SetupFirewall: | Yes | Yes | Yes |
FineBuild also uses the following parameters to help Configure the Firewall Port Exceptions:
| Parameter | Default Value | Description |
|---|---|---|
| /TCPPort: | 1433 | TCP Port for default SQL instance |
| /TCPPortAS: | 2383 | See Configure AS Instance General Properties |
| /TCPPortDAC: | 1434 | TCP Port for Dedicated Administrator Connection |
| /TCPPortISMaster: | 8391 | TCP Port for SSIS Scaleout Master |
SQL FineBuild will set up the Firewall Port exceptions as shown above, using the port numbers specified by the parameters. Only the ports for the components being installed will be opened.
The following steps show what you would have to do to setup Firewall Port Exceptions manually. FineBuild does all of this work for you automatically.
-
Use the following syntax to open the ports in the Firewall
Use the port details from the above table and replace MSSQLSERVER with the instance name being installed. Only the ports for the components being installed should be opened. For example, if Analysis Services is not being installed, do not open the ports for Analysis Services.
The ports for SQLBrowser only need to be opened if a named instance is being installed.
For Windows 2003 and XP:
NETSH FIREWALL ADD PORTOPENING NAME="name" PORT=port PROTOCOL=type ^
MODE=ENABLE SCOPE=ALL PROFILE=DOMAIN
For Windows 2008 and above:
NETSH ADVFIREWALL FIREWALL ADD RULE NAME="name" LOCALPORT=port PROTOCOL=type ^
ACTION=ALLOW PROFILE=DOMAIN DIR=direction
Copyright FineBuild Team © 2014 - 2018. License and Acknowledgements
| Previous Setup Windows Audit | Top | Setup Network Adaptors Next |
|---|
Key SQL FineBuild Links:
SQL FineBuild supports:
- All SQL Server versions from SQL 2019 through to SQL 2005
- Clustered, Non-Clustered and Core implementations of server operating systems
- Availability and Distributed Availability Groups
- 64-bit and (where relevant) 32-bit versions of Windows
The following Windows versions are supported:
- Windows 2022
- Windows 11
- Windows 2019
- Windows 2016
- Windows 10
- Windows 2012 R2
- Windows 8.1
- Windows 2012
- Windows 8
- Windows 2008 R2
- Windows 7
- Windows 2008
- Windows Vista
- Windows 2003
- Windows XP