Configure a Windows Firewall for Database Engine Access

APPLIES TO: SQL Server (yes), Azure SQL Database (no), Azure SQL Data Warehouse (no), Parallel Data Warehouse (no)

This topic describes how to configure a Windows firewall for Database Engine access in SQL Server 2017 by using SQL Server Configuration Manager. Firewall systems help prevent unauthorized access to computer resources. To access an instance of the SQL Server Database Engine through a firewall, you must configure the firewall on the computer running SQL Server to allow access.

For more information about the default Windows firewall settings, and a description of the TCP ports that affect the Database Engine, Analysis Services, Reporting Services, and Integration Services, see Configure the Windows Firewall to Allow SQL Server Access. There are many firewall systems available. For information specific to your system, see the firewall documentation.

The principal steps to allow access are:

  1. Configure the Database Engine to use a specific TCP/IP port. The default instance of the Database Engine uses port 1433, but that can be changed. The port used by the Database Engine is listed in the SQL Server error log. Instances of SQL Server Express, SQL Server Compact, and named instances of the Database Engine use dynamic ports. To configure these instances to use a specific port, see Configure a Server to Listen on a Specific TCP Port (SQL Server Configuration Manager).

  2. Configure the firewall to allow access to that port for authorized users or computers.

Note

The SQL Server Browser service lets users connect to instances of the Database Engine that are not listening on port 1433, without knowing the port number. To use SQL Server Browser, you must open UDP port 1434. To promote the most secure environment, leave the SQL Server Browser service stopped, and configure clients to connect using the port number.

Note

By default, Microsoft Windows enables the Windows Firewall, which closes port 1433 to prevent Internet computers from connecting to a default instance of SQL Server on your computer. Connections to the default instance using TCP/IP are not possible unless you reopen port 1433. The basic steps to configure the Windows firewall are provided in the following procedures. For more information, see the Windows documentation.

As an alternative to configuring SQL Server to listen on a fixed port and opening the port, you can list the SQL Server executable (Sqlservr.exe) as an exception to the blocked programs. Use this method when you want to continue to use dynamic ports. Only one instance of SQL Server can be accessed in this way.

Before You Begin

Security

Opening ports in your firewall can leave your server exposed to malicious attacks. Make sure that you understand firewall systems before you open ports. For more information, see Security Considerations for a SQL Server Installation.

Using SQL Server Configuration Manager

Applies to Windows Vista, Windows 7, and Windows Server 2008

The following procedures configure the Windows Firewall by using the Windows Firewall with Advanced Security Microsoft Management Console (MMC) snap-in. The Windows Firewall with Advanced Security only configures the current profile. For more information about the Windows Firewall with Advanced Security, see Configure the Windows Firewall to Allow SQL Server Access.

To open a port in the Windows firewall for TCP access

  1. On the Start menu, click Run, type WF.msc, and then click OK.

  2. In the Windows Firewall with Advanced Security, in the left pane, right-click Inbound Rules, and then click New Rule in the action pane.

  3. In the Rule Type dialog box, select Port, and then click Next.

  4. In the Protocol and Ports dialog box, select TCP. Select Specific local ports, and then type the port number of the instance of the Database Engine, such as 1433 for the default instance. Click Next.

  5. In the Action dialog box, select Allow the connection, and then click Next.

  6. In the Profile dialog box, select any profiles that describe the computer connection environment when you want to connect to the Database Engine, and then click Next.

  7. In the Name dialog box, type a name and description for this rule, and then click Finish.

To open access to SQL Server when using dynamic ports

  1. On the Start menu, click Run, type WF.msc, and then click OK.

  2. In the Windows Firewall with Advanced Security, in the left pane, right-click Inbound Rules, and then click New Rule in the action pane.

  3. In the Rule Type dialog box, select Program, and then click Next.

  4. In the Program dialog box, select This program path. Click Browse, and navigate to the instance of SQL Server that you want to access through the firewall, and then click Open. By default, SQL Server is at C:\Program Files\Microsoft SQL Server\MSSQL13.MSSQLSERVER\MSSQL\Binn\Sqlservr.exe. Click Next.

  5. In the Action dialog box, select Allow the connection, and then click Next.

  6. In the Profile dialog box, select any profiles that describe the computer connection environment when you want to connect to the Database Engine, and then click Next.

  7. In the Name dialog box, type a name and description for this rule, and then click Finish.
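
The two procedures above can also be scripted. The following PowerShell is an added example, not part of the original topic; it assumes the NetSecurity cmdlets (Windows 8 / Windows Server 2012 and later), and the rule names, the 10.0.20.0/24 client subnet and the Domain profile are hypothetical choices. It goes one step beyond the dialogs by restricting the rule to a remote address range, then lists any enabled inbound allow rule that exposes the SQL Server ports to any address or on the Public profile.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original topic). Needs the NetSecurity module
# (Windows 8 / Windows Server 2012 or later).
$allowedClients  = '10.0.20.0/24'  # assumption: subnet of authorized clients
$sqlPort         = 1433            # default instance; use your fixed port if changed
$useDynamicPorts = $false          # $true = program rule instead of port rule
$sqlExe = 'C:\Program Files\Microsoft SQL Server\MSSQL13.MSSQLSERVER\MSSQL\Binn\Sqlservr.exe'

$common = @{
    Direction     = 'Inbound'
    Action        = 'Allow'
    Profile       = 'Domain'        # assumption: clients connect on the domain network
    RemoteAddress = $allowedClients # narrower than the wizard's default scope of Any
}

if (-not $useDynamicPorts) {
    # Procedure 1: Rule Type = Port, TCP, specific local port.
    New-NetFirewallRule @common -DisplayName "SQL Database Engine (TCP $sqlPort)" `
        -Description 'Database Engine access on a fixed TCP port' `
        -Protocol TCP -LocalPort $sqlPort | Out-Null
}
elseif (Test-Path -LiteralPath $sqlExe) {
    # Procedure 2: Rule Type = Program, for an instance left on dynamic ports.
    New-NetFirewallRule @common -DisplayName 'SQL Database Engine (Sqlservr.exe)' `
        -Description 'Database Engine access when using dynamic ports' `
        -Program $sqlExe | Out-Null
}
else {
    Write-Warning "Sqlservr.exe not found at $sqlExe; no rule created."
}

# Check: enabled inbound allow rules that expose the Database Engine port or the
# SQL Server Browser port (UDP 1434) to any remote address or on the Public profile.
# Port ranges such as 1400-1500 are not expanded by this simple match.
Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True | ForEach-Object {
    $port = $_ | Get-NetFirewallPortFilter
    $addr = $_ | Get-NetFirewallAddressFilter
    $isSqlPort = ($port.Protocol -eq 'TCP' -and @($port.LocalPort) -contains "$sqlPort") -or
                 ($port.Protocol -eq 'UDP' -and @($port.LocalPort) -contains '1434')
    $isBroad   = (@($addr.RemoteAddress) -contains 'Any') -or ("$($_.Profile)" -match 'Any|Public')
    if ($isSqlPort -and $isBroad) {
        [pscustomobject]@{
            Rule = $_.DisplayName; Protocol = $port.Protocol; LocalPort = $port.LocalPort -join ','
            RemoteAddress = $addr.RemoteAddress -join ','; Profile = "$($_.Profile)"
        }
    }
}
```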

See Also

How to: Configure Firewall Settings (Azure SQL Database)