RE: Firewall ports to open

From: Sophie Guo (v-sguo_at_microsoft.com)
Date: 12/27/04

    Date: Mon, 27 Dec 2004 08:16:58 GMT


    Hello Rob,

    To communicate with a SQL Server through the NetScreen firewall, you need
    to configure the firewall to allow traffic from *ANY* to 1433 and from
    1433 to *ANY*, where *ANY* is a port greater than 1024.
     
    *ANY* -> 1433
    1433 -> *ANY*
     
    The firewall software should allow this dynamic allocation to occur through
    the use of rules. If it does, you can configure 1433 -> *ANY* established;
    this will dynamically open the response port after a SYN followed by a
    SYN/ACK by way of stateful packet inspection.

    There is no way to limit the number of source TCP ports used for a SQL
    Server client to connect; this would defeat the purpose of having the
    client allocate a new, unused dynamic port. This is a TCP/IP standard that
    is defined for Winsock applications; this is not a limitation of SQL Server
    client communication.

    If you want, you can use the firewall to allow connections to the SQL Server
    only from the IIS server. You need to enable the TCP/IP protocol on both the
    server and client side.
     
    In addition, a named instance of SQL Server 2000 will use a dynamic
    destination port by default. This port should be changed to a fixed port
    prior to configuring the firewall. The SQL Server Network Utility should be
    used to configure the destination port. See SQL Server Books Online for
    information on how to use the SQL Server Network Utility.
     
    You can refer to the following article regarding how to find the SQL Server
    instance port number:

    INF: How to Connect to an SQL Server 2000 Named Instance with the Previous
    Version's Client Tools (265808)
    http://support.microsoft.com/default.aspx?scid=KB;EN-US;265808

    Otherwise, the client computer would need to open a random UDP port and the
    server UDP port 1434 will be used to send the instance name, and if the
    instance is clustered, the version of the SQL instance, the TCP port number
    that the instance is listening on, and the named pipe that the instance is
    using. However, if the goal is to minimize the number of ports open on the
    firewall, a static port number should be chosen for the default instance
    and any named instance. The client computers would need to be configured to
    connect to a particular ServerName or ServerName instance and specific port
    number.
     
    When SQLMail is started on a SQL Server, a DLL responsible for this creates
    a socket and listens for connections. SQL Enterprise Manager will
    periodically connect to this socket and read a DWORD (32-bit) value returned
    from the server. This value determines the state of SQLMail. By default the
    port which SQLMail uses is 9127.
     
    I hope the above information is helpful.
     
    Sophie Guo
    Microsoft Online Partner Support

    Get Secure! - www.microsoft.com/security

    =====================================================
    When responding to posts, please "Reply to Group" via your newsreader so
    that others may learn and benefit from your issue.
    =====================================================
    This posting is provided "AS IS" with no warranties, and confers no rights.
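The UDP 1434 exchange described in the message above (client sends from a random source port, server replies with instance name, clustered flag, version, TCP port and named pipe), as an added example that is not part of the original post. It builds the SSRP request datagrams, parses the semicolon-delimited reply, and derives the TCP destination ports a firewall rule would have to allow. The host name DBSRV01, the instance names and the port 2433 in the sample reply are constructed for illustration.

```python
"""SSRP (SQL Server Resolution Protocol, UDP 1434) request builder and
response parser. Added example, not code from the original post. The
hostname, instance names and ports in SAMPLE_RESPONSE are made up."""
import socket
from typing import Dict, List

SSRP_PORT = 1434
CLNT_UCAST_EX = 0x03    # "list every instance on this host"
CLNT_UCAST_INST = 0x04  # "tell me about this one named instance"
SVR_RESP = 0x05         # server reply opcode, followed by a 2-byte LE length


def build_enumerate_request() -> bytes:
    """One-byte request that makes the listener enumerate all instances."""
    return bytes([CLNT_UCAST_EX])


def build_instance_request(instance: str) -> bytes:
    """Opcode 0x04 followed by the NUL-terminated instance name."""
    return bytes([CLNT_UCAST_INST]) + instance.encode("ascii") + b"\x00"


def parse_response(packet: bytes) -> List[Dict[str, str]]:
    """Turn an SVR_RESP datagram into one dict per instance.

    The payload is a flat ';'-separated key/value string; ';;' terminates
    each instance record, e.g.
    'ServerName;HOST;InstanceName;INST;IsClustered;No;Version;8.00.194;tcp;1433;np;...;;'
    """
    if len(packet) < 3 or packet[0] != SVR_RESP:
        raise ValueError("not an SSRP SVR_RESP datagram")
    length = int.from_bytes(packet[1:3], "little")
    if length > len(packet) - 3:
        raise ValueError("SVR_RESP length field exceeds datagram size")
    body = packet[3:3 + length].decode("ascii", errors="replace")
    instances = []
    for record in body.split(";;"):
        fields = record.split(";")
        if len(fields) < 2:
            continue  # empty record after the final ';;'
        instances.append({fields[i]: fields[i + 1]
                          for i in range(0, len(fields) - 1, 2)})
    return instances


def required_tcp_ports(instances: List[Dict[str, str]]) -> List[int]:
    """TCP destination ports a firewall must allow for these instances.

    Instances without a 'tcp' key have TCP/IP disabled and are skipped. A
    named instance still on a dynamic port shows up with whatever port it
    picked at its last start-up, which is why the port should be pinned
    before the firewall rule is written.
    """
    ports = {int(inst["tcp"]) for inst in instances if "tcp" in inst}
    return sorted(ports)


def query_host(host: str, instance: str = "", timeout: float = 2.0) -> List[Dict[str, str]]:
    """Send the request to UDP 1434 and parse the reply (needs network access).

    The OS chooses the random client source port, i.e. the '*ANY*' side of
    the UDP rule. Not exercised offline."""
    req = build_instance_request(instance) if instance else build_enumerate_request()
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(req, (host, SSRP_PORT))
        data, _ = sock.recvfrom(65535)
    return parse_response(data)


# Constructed sample reply: a default instance on 1433 and a named instance
# REPORTS pinned to 2433 (host and instance names are made up).
_BODY = (
    b"ServerName;DBSRV01;InstanceName;MSSQLSERVER;IsClustered;No;"
    b"Version;8.00.194;tcp;1433;np;\\\\DBSRV01\\pipe\\sql\\query;;"
    b"ServerName;DBSRV01;InstanceName;REPORTS;IsClustered;No;"
    b"Version;8.00.194;tcp;2433;np;\\\\DBSRV01\\pipe\\MSSQL$REPORTS\\sql\\query;;"
)
SAMPLE_RESPONSE = bytes([SVR_RESP]) + len(_BODY).to_bytes(2, "little") + _BODY

if __name__ == "__main__":
    found = parse_response(SAMPLE_RESPONSE)
    for inst in found:
        print(inst["InstanceName"], "tcp", inst.get("tcp"), "np", inst.get("np"))
    print("TCP ports to open:", required_tcp_ports(found))
```

Run it without arguments to see the parsed sample; call `query_host("dbhost")` or `query_host("dbhost", "REPORTS")` against a real server to see the live reply. Note that if the reply is the only way the client learns a named instance's port, UDP 1434 has to be open as well as the TCP port; pinning the instance to a fixed port and giving clients `host,port` removes that dependency.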

