Deploying a SQL Server Non-Standard Port and Alias in Lync Server 2013

 

Topic Last Modified: 2015-09-16

Microsoft Lync Server 2013 supports using a non-standard port and an alias for SQL Server. Using a non-standard SQL Server port and an alias modestly raises the bar for an attacker and creates a more flexible environment for the Lync deployment. These steps are only one part of properly securing a Lync Server 2013 environment; additional steps should be taken to reduce the attack surface of a Lync Server 2013 implementation.

The following article describes the steps required to set up a SQL Server non-standard port and alias in Lync Server 2013.

Deploying a SQL Server Non-Standard Port and Alias in Lync Server 2013

Lync Server 2013 Topology Builder supports using a SQL Server alias as the fully qualified domain name (FQDN) instead of the actual SQL Server FQDN when configuring Lync Server 2013. This keeps the actual SQL Server FQDN out of the published topology and out of client connection strings. In addition, using a non-standard port means an attacker probing the standard port 1433 finds nothing there, as shown in the following figure.

The attacker does not know which port to attack.

To determine which port Lync Server 2013 uses to communicate with SQL Server, an attacker would need to scan the server's ports. A port scan gives security monitoring a chance to detect and stop the intrusion. Keep in mind that a non-standard port is obscurity rather than a control: it does not replace authentication, network segmentation between the Front End and back-end servers, and firewall rules that restrict who may reach the port. In addition to the modest security gain from a non-standard port, a SQL Server alias provides flexibility for the deployment: when the SQL Server name has to change, only the alias target is updated, which reduces configuration changes.

Note

SQL Server provides two fault tolerance methods, failover clustering and mirroring. Both are supported with a SQL Server non-standard port and alias in Lync Server 2013. If the SQL Server back end used by the pool is in a mirrored configuration, the SQL Server Browser service must be running on the SQL Server back-end servers so that Front End servers can connect to the mirror database when the databases fail over to the mirrored SQL Server. Be aware that a running SQL Server Browser answers instance-discovery requests on UDP port 1434 with the instance's TCP port, so anyone who can reach UDP 1434 learns the non-standard port; restrict that port at the firewall to the Lync servers as well.

When configuring SQL Server database connectivity from within Topology Builder, or when using the Install-CsDatabase cmdlet, it is not possible to explicitly define a SQL Server non-standard port number and associate it with a SQL instance. To set a non-standard port, you need to use SQL Server and Windows Server utilities.

To set up a SQL Server non-standard port and alias for use with Lync Server 2013, you need to complete four primary steps. These steps are:

  • Confirm that Lync Server 2013 has the latest updates applied.

  • Set up the SQL Server non-standard port and alias.

  • Configure Lync Server 2013 with the SQL Server alias using Topology Builder.

  • Publish the topology, and verify the database.

Confirm that Lync Server 2013 has the Latest Updates Applied

It is important to keep Lync Server 2013 up to date. To check for the most recent updates and information on how to apply them, see Updates for Lync Server 2013.

Set Up the SQL Server Non-Standard Port and Alias

The SQL Server non-standard port and alias must be set up before they can be referenced from Lync Server 2013 Topology Builder: the port on the database instance, and the alias on each computer that connects to it. To set them up, you will have to complete three primary steps. These steps are as follows:

  • Change the default TCP/IP protocol values.

  • Create and configure a SQL Server alias.

  • Create a Domain Name System (DNS) Canonical Name (CNAME) resource record.

Modify the Default TCP/IP Protocol Values

  1. Select Start, and choose SQL Server Configuration Manager, as shown in the following figure.

    The SQL Server Management Studio icon

  2. In the navigation pane, expand the SQL Server instance, expand SQL Server Network Configuration, and choose Protocols for <instance name>, as shown in the following figure.

    ![Navigate to TCP/IP Properties](images/Dn776290.3d7a964c-f17e-47fd-8f0c-535453da7fad(OCS.15).jpg "Navigate to TCP/IP Properties")

  3. In the right pane, right-click TCP/IP, and select Properties. The TCP/IP Properties dialog box is displayed.

  4. Select the IP Addresses tab. The IP Addresses tab shows all of the active IP addresses on the server, listed as IP1, IP2, and so on up to IPAll, as shown in the following figure.

    ![Open TCP/IP Properties](images/Dn776290.ed2fd70d-1836-4ebf-80fe-09191d96585e(OCS.15).jpg "Open TCP/IP Properties")

  5. Clear the TCP Dynamic Ports field for every IP address. A value of 0 in this field means SQL Server is listening on a dynamically assigned port, which can change at each restart and would defeat a fixed alias. Make sure these fields are empty and do not contain a zero.

  6. For the IP address that Lync Server will use to connect to the database, make sure that Enabled is set to Yes, as shown in the following figure.

    Set Enabled to Yes for the correct IP.

  7. In the IPAll section at the bottom of the dialog, enter the desired port in the TCP Port field, as shown in the following figure. This example uses port 50062, but you can use any port between 49152 and 65535. This is the range reserved for dynamic and private use, so the port will not collide with the well-known ports used elsewhere in the Lync Server 2013 deployment. Windows also draws its own ephemeral client ports from this range, so confirm that the port is not already in use on the server (or exclude it from the dynamic port range with netsh) before assigning it.

    ![Set the port in the IPAll section](images/Dn776290.b5af53e2-7961-4664-b586-3ca8f3a17f06(OCS.15).jpg "Set the port in the IPAll section")

  8. Choose OK to exit the TCP/IP Properties dialog.

  9. Restart the SQL Server instance by selecting SQL Server Services in the left pane of SQL Server Configuration Manager. Then right-click SQL Server (<instance name>) in the right pane, and select Restart, as shown in the following figure.

    Restart the SQL Server service for the instance.

Important

Make sure you update your firewall settings to accommodate the new SQL Server port. Scope the inbound rule to the Lync servers that need the database rather than allowing any source; an open non-standard port is found by the first full port scan.

Create and Configure a SQL Server Alias

  1. Select Start, and choose SQL Server Configuration Manager, as shown in the following figure.

    The SQL Server Management Studio icon

  2. In the left pane, expand the SQL Server instance, expand SQL Native Client <version> Configuration, and then choose Aliases, as shown in the following figure.

    Aliases in SQL Server Configuration Manager.

  3. Right-click Aliases, and select New Alias….

  4. Enter the Alias Name, Port Number, Protocol, and Server, as shown in the following figure.

    Creating a new alias

    Note

    Make sure to enter the same non-standard port you used in the previous step, since that is the port SQL Server is listening on. An alias is a client-side setting stored on the computer that opens the connection, not on SQL Server, so it must be created on every Lync server that connects to the database (and in both the 32-bit and 64-bit SQL Native Client configurations where both are present). If a configured alias is connecting to the wrong SQL Server FQDN or instance, disable and then re-enable the associated network protocol. Doing this clears any cached connection information and allows the client to connect correctly.

Create a DNS CNAME Resource Record

  1. Sign in to the computer that manages DNS.

  2. Select Start, and choose Server Manager, as shown in the following figure.

    Opening Server Manager

  3. Choose the Tools drop-down, and select DNS, as shown in the following figure.

    Opening DNS from Server Manager.

  4. In the left pane, expand the server name node, expand the Forward Lookup Zones node, and choose the relevant domain.

  5. Right-click the domain, and select New Alias (CNAME)…, as shown in the following figure.

    Selecting the option to create a new alias (CNAME)

  6. Enter the Alias Name and the FQDN for SQL Server, as shown in the following figure.

    ![Filling in the New Alias (CNAME) dialog](images/Dn776290.dd0ebd2d-3407-4459-8bd9-2b389a7bc440(OCS.15).jpg "Filling in the New Alias (CNAME) dialog")

  7. Choose OK to save the CNAME and view it in DNS Manager.
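The following PowerShell script is an added example, not code from the original article or from Microsoft; it performs the three steps above (static port, client alias, DNS CNAME) plus the firewall change from the Important note, using the same objects SQL Server Configuration Manager edits. Every name in it is a hypothetical assumption: a default instance MSSQLSERVER on SQL01.contoso.com, the article's example port 50062, an alias LYNCSQL, the DNS zone contoso.com, and a Front End subnet of 10.0.1.0/24. Each section runs on a different machine, as the comments state.

```powershell
# Added example, not code from the original article or from Microsoft.
# Hypothetical names: default instance MSSQLSERVER on SQL01.contoso.com, the
# article's example port 50062, alias LYNCSQL, DNS zone contoso.com, and a
# Front End subnet of 10.0.1.0/24. Run each section where its comment says.

$Instance  = 'MSSQLSERVER'          # instance name as seen by Configuration Manager
$Service   = 'MSSQLSERVER'          # service name; a named instance is 'MSSQL$<name>'
$SqlFqdn   = 'SQL01.contoso.com'
$Port      = 50062
$Alias     = 'LYNCSQL'
$Zone      = 'contoso.com'
$LyncHosts = '10.0.1.0/24'          # only these may reach the SQL port

# --- Section 1: static TCP port (run elevated on the SQL Server host) ---
# The SMO WMI provider exposes the same protocol settings the GUI edits.
[void][System.Reflection.Assembly]::LoadWithPartialName('Microsoft.SqlServer.SqlWmiManagement')
$wmi = New-Object Microsoft.SqlServer.Management.Smo.Wmi.ManagedComputer
$tcp = $wmi.ServerInstances[$Instance].ServerProtocols['Tcp']
foreach ($ip in $tcp.IPAddresses) {
    # Empty, not '0': a zero means "pick a dynamic port at every start".
    $ip.IPAddressProperties['TcpDynamicPorts'].Value = ''
}
$tcp.IPAddresses['IPAll'].IPAddressProperties['TcpPort'].Value = "$Port"
$tcp.IsEnabled = $true
$tcp.Alter()

# 49152-65535 is also Windows' own ephemeral range: refuse a port that is
# already taken, then keep the dynamic allocator away from it.
if (Get-NetTCPConnection -LocalPort $Port -ErrorAction SilentlyContinue) {
    throw "TCP $Port is already in use on this host; choose another port"
}
netsh int ipv4 add excludedportrange protocol=tcp startport=$Port numberofports=1 | Out-Null

Restart-Service -Name $Service -Force   # the new port takes effect on restart

# --- Section 2: firewall (SQL Server host) ---
# Scope the rule to the Lync servers; an any-source rule leaves the port one
# scan away. UDP 1434 (SQL Server Browser) is scoped the same way because a
# Browser reply discloses the instance's TCP port to anyone who can ask.
New-NetFirewallRule -DisplayName "SQL Server $Instance (TCP $Port)" -Direction Inbound `
    -Protocol TCP -LocalPort $Port -RemoteAddress $LyncHosts -Action Allow -Profile Domain | Out-Null
New-NetFirewallRule -DisplayName 'SQL Server Browser (UDP 1434)' -Direction Inbound `
    -Protocol UDP -LocalPort 1434 -RemoteAddress $LyncHosts -Action Allow -Profile Domain | Out-Null

# --- Section 3: client alias (run on EVERY Lync server that connects) ---
# An alias lives in the registry of the connecting computer. The value format
# is DBMSSOCN (TCP/IP),<server FQDN>,<port>; both registry views are written
# so 32-bit and 64-bit SQL clients resolve the alias identically.
foreach ($key in 'HKLM:\SOFTWARE\Microsoft\MSSQLServer\Client\ConnectTo',
                 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\MSSQLServer\Client\ConnectTo') {
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    New-ItemProperty -Path $key -Name $Alias -PropertyType String `
        -Value "DBMSSOCN,$SqlFqdn,$Port" -Force | Out-Null
}

# --- Section 4: DNS CNAME (run on a DNS server with the DnsServer module) ---
# Makes the alias name itself resolvable, which the telnet check below and any
# tool that bypasses the SQL client alias both rely on.
Add-DnsServerResourceRecordCName -ZoneName $Zone -Name $Alias -HostNameAlias $SqlFqdn
```

Section 1 writes an empty string, not 0, to TcpDynamicPorts; a zero re-enables dynamic ports, which is the mistake step 5 above warns about. The two firewall rules deliberately use -RemoteAddress: without it, the non-standard port is reachable from every host on the domain network and the obscurity is worth nothing.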

Validate Database Connectivity

There are several ways to make sure it is working. You want to confirm that the SQL Server instance is listening on the specified port and that the alias name resolves to it and reaches it. A quick check can be completed using the netstat and telnet commands.

Note

Telnet Client is a feature that ships with Windows Server but must be installed. A Windows Server feature can be installed by opening Server Manager and selecting Add Roles and Features from the Manage menu.

Use netstat and telnet to verify database connectivity

  1. Select Start, and type cmd to open a command prompt.

  2. Type netstat -a -f, and confirm that SQL Server is listening on the correct port, as shown in the following figure.

    Using netstat to verify the port.

  3. Type telnet <alias name> <port #> to confirm the connection to the SQL Server instance. If the connection succeeds, telnet connects and you should not see an error; this shows that the SQL Server instance is listening on the correct port and that the alias name resolves to it. If there is a problem connecting to the SQL Server database, telnet shows an error that the connection cannot be made. Note that telnet resolves the alias name through the DNS CNAME you created, not through the SQL Server client alias, so a successful telnet proves name resolution and port reachability but not that the client alias carries the right port. Now that you have checked database connectivity on the database server, do the same from a Lync server (over the network) to make sure no firewall along the way is blocking access.
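The following PowerShell script is an added example, not code from the original article or from Microsoft. It performs the checks this section describes from a Lync Front End server, and goes one step further than telnet: it verifies the client alias on the local machine and then opens a real SQL login through that alias, asking the server which port the session arrived on. The names are hypothetical assumptions: alias LYNCSQL, its DNS CNAME LYNCSQL.contoso.com, and the article's example port 50062. It assumes the .NET SqlClient honors the SQL client alias configured in the registry (the same alias SQL Server Configuration Manager creates).

```powershell
# Added example, not code from the original article or from Microsoft. Run on
# a Lync Front End server. Hypothetical names: alias LYNCSQL, DNS CNAME
# LYNCSQL.contoso.com, and the article's example port 50062.

$Alias = 'LYNCSQL'
$Fqdn  = 'LYNCSQL.contoso.com'
$Port  = 50062

# 1. Name resolution: the CNAME must exist and point at the real SQL Server FQDN.
$cname = Resolve-DnsName -Name $Fqdn -Type CNAME | Where-Object { $_.Type -eq 'CNAME' }
if (-not $cname) { throw "$Fqdn has no CNAME record" }
"CNAME $Fqdn -> $($cname.NameHost)"

# 2. Reachability through every firewall on the path (the telnet check,
#    without installing Telnet Client).
$tnc = Test-NetConnection -ComputerName $Fqdn -Port $Port -WarningAction SilentlyContinue
if (-not $tnc.TcpTestSucceeded) {
    throw "TCP $Port on $Fqdn is not reachable from $env:COMPUTERNAME"
}

# 3. The client alias on THIS machine must carry the same port; DNS and telnet
#    cannot tell you that, because they never consult the SQL client alias.
$connectTo  = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\MSSQLServer\Client\ConnectTo' -ErrorAction Stop
$aliasValue = $connectTo.$Alias
if ($aliasValue -notmatch ('^DBMSSOCN,.+,' + $Port + '$')) {
    throw "Alias $Alias is missing or points elsewhere: '$aliasValue'"
}

# 4. A real TDS login through the alias as the current Windows account, then a
#    query that asks the server which local port this session came in on.
$conn = New-Object System.Data.SqlClient.SqlConnection `
    "Server=$Alias;Integrated Security=True;Connection Timeout=10"
$conn.Open()
$cmd = $conn.CreateCommand()
$cmd.CommandText = 'SELECT @@SERVERNAME, local_tcp_port FROM sys.dm_exec_connections WHERE session_id = @@SPID'
$rdr = $cmd.ExecuteReader()
[void]$rdr.Read()
$serverName, $localPort = $rdr[0], $rdr[1]
$conn.Close()
if ($localPort -ne $Port) { throw "Session landed on port $localPort, not $Port" }
"Connected to $serverName via alias $Alias on port $localPort"
```

Step 4 is the check that actually matters for Lync: if the alias is missing on a Front End server, or was created only in the other registry view, the connection either fails outright or silently lands on port 1433 of whatever the alias name resolves to, and the local_tcp_port comparison catches both cases.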

Conclusion

Once the SQL Server alias has been configured, you can use it to create a Lync Server 2013 topology in the Topology Builder tool. For more information about topologies, see Defining and configuring the topology in Lync Server 2013.