Configure the Windows Firewall to Allow SQL Server Access

APPLIES TO: SQL Server (Windows only). Does not apply to Azure SQL Database, Azure SQL Data Warehouse, or Parallel Data Warehouse.

Firewall systems help prevent unauthorized access to computer resources. If a firewall is turned on but not correctly configured, attempts to connect to SQL Server might be blocked.

To access an instance of SQL Server through a firewall, you must configure the firewall on the computer that is running SQL Server. The firewall is a component of Microsoft Windows. You can also install a firewall from another company. This article discusses how to configure the Windows firewall, but the basic principles apply to other firewall programs.

Note

This article provides an overview of firewall configuration and summarizes information of interest to a SQL Server administrator. For more information about the firewall and for authoritative firewall information, see the firewall documentation, such as the Windows Firewall security deployment guide.

Users who are familiar with managing the Windows Firewall and know which firewall settings they want to configure can move directly to the more advanced articles:

Basic Firewall Information

Firewalls work by inspecting incoming packets and comparing them against a set of rules. If the packet meets the standards dictated by the rules, the firewall passes the packet to the TCP/IP protocol for additional processing. If the packet does not meet the standards specified by the rules, the firewall discards the packet and, if logging is enabled, creates an entry in the firewall logging file.

The list of allowed traffic is populated in one of the following ways:

  • Automatically: When a computer with a firewall enabled initiates communication, the firewall creates an entry in the list so that the response is allowed. This response is considered solicited traffic, and there is nothing that needs to be configured.

  • Manually: An administrator configures exceptions to the firewall. This allows access either to specified programs or to ports on your computer. In this case, the computer accepts unsolicited incoming traffic when acting as a server, a listener, or a peer. This is the type of configuration that must be completed to connect to SQL Server.

Choosing a firewall strategy is more complex than just deciding whether a given port should be open or closed. When designing a firewall strategy for your enterprise, make sure that you consider all the rules and configuration options available to you. This article does not review all the possible firewall options. We recommend that you review the following documents:

Windows Firewall Deployment Guide
Windows Firewall Design Guide
Introduction to Server and Domain Isolation

Default Firewall Settings

The first step in planning your firewall configuration is to determine the current status of the firewall for your operating system. If the operating system was upgraded from a previous version, the earlier firewall settings may have been preserved. Also, the firewall settings could have been changed by another administrator or by a Group Policy in your domain.

Note

Turning on the firewall will affect other programs that access this computer, such as file and print sharing, and remote desktop connections. Administrators should consider all applications that are running on the computer before adjusting the firewall settings.

Programs to Configure the Firewall

Configure the Windows Firewall settings with either Microsoft Management Console or netsh.

  • Microsoft Management Console (MMC)

    The Windows Firewall with Advanced Security MMC snap-in lets you configure more advanced firewall settings. This snap-in presents most of the firewall options in an easy-to-use manner, and presents all firewall profiles. For more information, see Using the Windows Firewall with Advanced Security Snap-in later in this article.

  • netsh

    The netsh.exe tool can be used by an administrator to configure and monitor Windows-based computers at a command prompt or by using a batch file. By using the netsh tool, you can direct the context commands you enter to the appropriate helper, and the helper then performs the command. A helper is a Dynamic Link Library (.dll) file that extends the functionality of the netsh tool by providing configuration, monitoring, and support for one or more services, utilities, or protocols. All operating systems that support SQL Server have a firewall helper. Windows Server 2008 also has an advanced firewall helper called advfirewall. The details of using netsh are not discussed in this article. However, many of the configuration options described can be configured by using netsh. For example, run the following script at a command prompt to open TCP port 1433:

    netsh firewall set portopening protocol = TCP port = 1433 name = SQLPort mode = ENABLE scope = SUBNET profile = CURRENT

    A similar example using the Windows Firewall with Advanced Security helper:

    netsh advfirewall firewall add rule name = SQLPort dir = in protocol = tcp action = allow localport = 1433 remoteip = localsubnet profile = DOMAIN

    For more information about netsh, see the following links:

  • For Linux: On Linux, you also need to open the ports associated with the services you need access to. Different distributions of Linux and different firewalls have their own procedures. For two examples, see SQL Server on Red Hat and SQL Server on SUSE.
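The two netsh commands above create the same kind of rule: inbound TCP 1433, limited to the local subnet, and limited to one profile. The following PowerShell script is an added example (not part of the original article) that does the same with the NetSecurity module's New-NetFirewallRule, then reads the rule back with its port and address filters so that the scope can be verified rather than assumed. It assumes an elevated PowerShell session on the SQL Server host; the rule name SQLPort is taken from the article, the description text is ours.

```powershell
# Added example: PowerShell equivalent of the netsh rules above, plus a read-back
# of the resulting scope. Requires an elevated prompt on the SQL Server host.

$ruleName = 'SQLPort'   # same name the article uses in its netsh examples

# Idempotent: do not create a duplicate rule if one with this name already exists.
$existing = Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue
if (-not $existing) {
    New-NetFirewallRule -DisplayName $ruleName `
        -Description 'Inbound TCP 1433 to the default SQL Server instance; local subnet, Domain profile only' `
        -Direction Inbound `
        -Protocol TCP `
        -LocalPort 1433 `
        -RemoteAddress LocalSubnet `
        -Profile Domain `
        -Action Allow | Out-Null
}

# Read the rule back together with its port and address filters. If RemoteAddress
# shows "Any" here, the rule is wider than the netsh examples intend and should be
# tightened before it is relied on.
$rule = Get-NetFirewallRule -DisplayName $ruleName
$portFilter = $rule | Get-NetFirewallPortFilter
$addrFilter = $rule | Get-NetFirewallAddressFilter

[pscustomobject]@{
    Name          = $rule.DisplayName
    Enabled       = $rule.Enabled
    Profile       = $rule.Profile
    Protocol      = $portFilter.Protocol
    LocalPort     = $portFilter.LocalPort
    RemoteAddress = ($addrFilter.RemoteAddress -join ',')
}
```

The read-back step is the part worth keeping in a build script: the Inbound Rules list in the MMC snap-in shows the port, but the remote-address scope and the profile only appear on the rule's Scope and Advanced tabs, and both are what decide whether the rule exposes the instance beyond the local subnet.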

Ports Used By SQL Server

The following tables can help you identify the ports being used by SQL Server.

Ports Used By the Database Engine

By default, the typical ports used by SQL Server and associated database engine services are: TCP 1433, 4022, 135, 1434, and UDP 1434. The table below explains these ports in greater detail. A named instance uses dynamic ports.

The following table lists the ports that are frequently used by the Database Engine.

Scenario: Default instance running over TCP
Port: TCP port 1433
Comments: This is the most common port allowed through the firewall. It applies to routine connections to the default installation of the Database Engine, or a named instance that is the only instance running on the computer. (Named instances have special considerations. See Dynamic Ports later in this article.)

Scenario: Named instances with default port
Port: The TCP port is a dynamic port determined at the time the Database Engine starts.
Comments: See the discussion below in the section Dynamic Ports. UDP port 1434 might be required for the SQL Server Browser Service when you are using named instances.

Scenario: Named instances with fixed port
Port: The port number configured by the administrator.
Comments: See the discussion below in the section Dynamic Ports.

Scenario: Dedicated Admin Connection
Port: TCP port 1434 for the default instance. Other ports are used for named instances. Check the error log for the port number.
Comments: By default, remote connections to the Dedicated Administrator Connection (DAC) are not enabled. To enable remote DAC, use the Surface Area Configuration facet. For more information, see Surface Area Configuration.

Scenario: SQL Server Browser service
Port: UDP port 1434
Comments: The SQL Server Browser service listens for incoming connections to a named instance and provides the client the TCP port number that corresponds to that named instance. Normally the SQL Server Browser service is started whenever named instances of the Database Engine are used. The SQL Server Browser service does not have to be started if the client is configured to connect to the specific port of the named instance.

Scenario: Instance with HTTP endpoint
Port: Can be specified when an HTTP endpoint is created. The default is TCP port 80 for CLEAR_PORT traffic and 443 for SSL_PORT traffic.
Comments: Used for an HTTP connection through a URL.

Scenario: Default instance with HTTPS endpoint
Port: TCP port 443
Comments: Used for an HTTPS connection through a URL. HTTPS is an HTTP connection that uses secure sockets layer (SSL).

Scenario: Service Broker
Port: TCP port 4022. To verify the port used, execute the following query:

    SELECT name, protocol_desc, port, state_desc
    FROM sys.tcp_endpoints
    WHERE type_desc = 'SERVICE_BROKER'

Comments: There is no default port for SQL Server Service Broker, but this is the conventional configuration used in Books Online examples.

Scenario: Database Mirroring
Port: Administrator chosen port. To determine the port, execute the following query:

    SELECT name, protocol_desc, port, state_desc
    FROM sys.tcp_endpoints
    WHERE type_desc = 'DATABASE_MIRRORING'

Comments: There is no default port for database mirroring; however, Books Online examples use TCP port 5022 or 7022. It is important to avoid interrupting an in-use mirroring endpoint, especially in high-safety mode with automatic failover. Your firewall configuration must avoid breaking quorum. For more information, see Specify a Server Network Address (Database Mirroring).

Scenario: Replication
Port: Replication connections to SQL Server use the typical regular Database Engine ports (TCP port 1433 for the default instance, etc.). Web synchronization and FTP/UNC access for replication snapshot require additional ports to be opened on the firewall. To transfer initial data and schema from one location to another, replication can use FTP (TCP port 21), sync over HTTP (TCP port 80), or file sharing. File sharing uses UDP ports 137 and 138, and TCP port 139 if it is using NetBIOS. File sharing uses TCP port 445.
Comments: For sync over HTTP, replication uses the IIS endpoint (the ports for which are configurable, but port 80 by default), but the IIS process connects to the back-end SQL Server through the standard ports (1433 for the default instance). During Web synchronization using FTP, the FTP transfer is between IIS and the SQL Server publisher, not between subscriber and IIS.

Scenario: Transact-SQL debugger
Port: TCP port 135. See Special Considerations for Port 135. The IPsec exception might also be required.
Comments: If using Visual Studio, on the Visual Studio host computer, you must also add Devenv.exe to the Exceptions list and open TCP port 135. If using Management Studio, on the Management Studio host computer, you must also add ssms.exe to the Exceptions list and open TCP port 135. For more information, see Configure firewall rules before running the TSQL Debugger.

For step-by-step instructions to configure the Windows Firewall for the Database Engine, see Configure a Windows Firewall for Database Engine Access.

Dynamic Ports

By default, named instances (including SQL Server Express) use dynamic ports. That means that every time the Database Engine starts, it identifies an available port and uses that port number. If the named instance is the only instance of the Database Engine installed, it will probably use TCP port 1433. If other instances of the Database Engine are installed, it will probably use a different TCP port. Because the port selected might change every time the Database Engine is started, it is difficult to configure the firewall to enable access to the correct port number. Therefore, if a firewall is used, we recommend reconfiguring the Database Engine to use the same port number every time. This is called a fixed port or a static port. For more information, see Configure a Server to Listen on a Specific TCP Port (SQL Server Configuration Manager).

An alternative to configuring a named instance to listen on a fixed port is to create an exception in the firewall for a SQL Server program such as sqlservr.exe (for the Database Engine). This can be convenient, but the port number will not appear in the Local Port column of the Inbound Rules page when you are using the Windows Firewall with Advanced Security MMC snap-in. This can make it more difficult to audit which ports are open. Another consideration is that a service pack or cumulative update can change the path to the SQL Server executable, which will invalidate the firewall rule.

To add a program exception to the firewall using Windows Firewall with Advanced Security

  1. From the Start menu, type wf.msc. Select Windows Firewall with Advanced Security.

  2. In the left pane, select Inbound Rules.

  3. In the right pane, under Actions, select New Rule.... The New Inbound Rule Wizard opens.

  4. On Rule Type, select Program. Select Next.

  5. On Program, select This program path. Select Browse to locate your instance of SQL Server. The program is called sqlservr.exe. It is normally located at:

    C:\Program Files\Microsoft SQL Server\MSSQL13.<InstanceName>\MSSQL\Binn\sqlservr.exe

    Select Next.

  6. On Action, select Allow the connection.

  7. On Profile, include all three profiles. Select Next.

  8. On Name, type a name for the rule. Select Finish.

For more information about endpoints, see Configure the Database Engine to Listen on Multiple TCP Ports and Endpoints Catalog Views (Transact-SQL).
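The two drawbacks of a program exception described above (the port is not visible in the rule, and a changed executable path silently invalidates the rule) can both be checked from the host. The following PowerShell script is an added example, not part of the original article: it lists every enabled inbound allow rule that names sqlservr.exe and tests whether the referenced path still exists, then reports the TCP ports the running Database Engine processes are actually listening on, which are the ports such a program rule implicitly opens. It assumes an elevated PowerShell session on the SQL Server host and changes nothing.

```powershell
# Added example: audit program-based firewall exceptions for the Database Engine.
# Read-only; run from an elevated prompt on the SQL Server host.

# (a) Enabled inbound allow rules whose application filter points at sqlservr.exe,
#     with a check that the path the rule was written against still exists.
$programRules = Get-NetFirewallRule -Enabled True -Direction Inbound -Action Allow |
    ForEach-Object {
        $app = $_ | Get-NetFirewallApplicationFilter
        if ($app.Program -and $app.Program -like '*sqlservr.exe') {
            # Rules may store %ProgramFiles%-style variables; expand before testing.
            $expanded = [Environment]::ExpandEnvironmentVariables($app.Program)
            [pscustomobject]@{
                Rule       = $_.DisplayName
                Profile    = $_.Profile
                Program    = $app.Program
                PathExists = Test-Path -LiteralPath $expanded
            }
        }
    }

if (-not $programRules) {
    Write-Output 'No enabled inbound allow rule references sqlservr.exe.'
} else {
    $programRules | Format-Table -AutoSize
    # PathExists = False means the rule no longer matches any running binary
    # (for example after a service pack moved the executable). Recreate it
    # against the current path, or replace it with a rule on a fixed port.
}

# (b) Ports the Database Engine is listening on right now. A program rule opens
#     exactly these, without naming them; a fixed-port rule must name them.
$sqlPids = @(Get-Process -Name sqlservr -ErrorAction SilentlyContinue | ForEach-Object Id)
if ($sqlPids.Count -gt 0) {
    Get-NetTCPConnection -State Listen |
        Where-Object { $sqlPids -contains $_.OwningProcess } |
        Select-Object LocalAddress, LocalPort, OwningProcess |
        Sort-Object LocalPort -Unique |
        Format-Table -AutoSize
} else {
    Write-Output 'sqlservr.exe is not running on this host.'
}
```

Comparing the output of (b) against the fixed port you configured is a quick way to confirm that the instance is no longer picking a dynamic port; if the listening port differs from the one in your port rule, clients outside the firewall will be blocked even though a rule exists.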

Ports Used By Analysis Services

By default, the typical ports used by SQL Server Analysis Services and associated services are: TCP 2382, 2383, 80, and 443. The table below explains these ports in greater detail.

The following table lists the ports that are frequently used by Analysis Services.

Feature: Analysis Services
Port: TCP port 2383 for the default instance
Comments: The standard port for the default instance of Analysis Services.

Feature: SQL Server Browser service
Port: TCP port 2382, only needed for an Analysis Services named instance
Comments: Client connection requests for a named instance of Analysis Services that do not specify a port number are directed to port 2382, the port on which SQL Server Browser listens. SQL Server Browser then redirects the request to the port that the named instance uses.

Feature: Analysis Services configured for use through IIS/HTTP (the PivotTable® Service uses HTTP or HTTPS)
Port: TCP port 80
Comments: Used for an HTTP connection through a URL.

Feature: Analysis Services configured for use through IIS/HTTPS (the PivotTable® Service uses HTTP or HTTPS)
Port: TCP port 443
Comments: Used for an HTTPS connection through a URL. HTTPS is an HTTP connection that uses secure sockets layer (SSL).

If users access Analysis Services through IIS and the Internet, you must open the port on which IIS is listening and specify that port in the client connection string. In this case, no ports have to be open for direct access to Analysis Services. The default port 2389, and port 2382, should be restricted together with all other ports that are not required.

For step-by-step instructions to configure the Windows Firewall for Analysis Services, see Configure the Windows Firewall to Allow Analysis Services Access.

Ports Used By Reporting Services

By default, the typical ports used by SQL Server Reporting Services and associated services are: TCP 80 and 443. The table below explains these ports in greater detail.

The following table lists the ports that are frequently used by Reporting Services.

Feature: Reporting Services Web Services
Port: TCP port 80
Comments: Used for an HTTP connection to Reporting Services through a URL. We recommend that you do not use the preconfigured rule World Wide Web Services (HTTP). For more information, see the Interaction with Other Firewall Rules section below.

Feature: Reporting Services configured for use through HTTPS
Port: TCP port 443
Comments: Used for an HTTPS connection through a URL. HTTPS is an HTTP connection that uses secure sockets layer (SSL). We recommend that you do not use the preconfigured rule Secure World Wide Web Services (HTTPS). For more information, see the Interaction with Other Firewall Rules section below.

When Reporting Services connects to an instance of the Database Engine or Analysis Services, you must also open the appropriate ports for those services. For step-by-step instructions to configure the Windows Firewall for Reporting Services, see Configure a Firewall for Report Server Access.

Ports Used By Integration Services

The following table lists the ports that are used by the Integration Services service.

Feature: Microsoft remote procedure calls (MS RPC). Used by the Integration Services runtime.
Port: TCP port 135. See Special Considerations for Port 135.
Comments: The Integration Services service uses DCOM on port 135. The Service Control Manager uses port 135 to perform tasks such as starting and stopping the Integration Services service and transmitting control requests to the running service. The port number cannot be changed. This port is only required to be open if you are connecting to a remote instance of the Integration Services service from Management Studio or a custom application.

For step-by-step instructions to configure the Windows Firewall for Integration Services, see Integration Services Service (SSIS Service).

Additional Ports and Services

The following table lists ports and services that SQL Server might depend on.

Scenario: Windows Management Instrumentation. For more information about WMI, see WMI Provider for Configuration Management Concepts.
Port: WMI runs as part of a shared service host with ports assigned through DCOM. WMI might be using TCP port 135. See Special Considerations for Port 135.
Comments: SQL Server Configuration Manager uses WMI to list and manage services. We recommend that you use the preconfigured rule group Windows Management Instrumentation (WMI). For more information, see the Interaction with Other Firewall Rules section below.

Scenario: Microsoft Distributed Transaction Coordinator (MS DTC)
Port: TCP port 135. See Special Considerations for Port 135.
Comments: If your application uses distributed transactions, you might have to configure the firewall to allow Microsoft Distributed Transaction Coordinator (MS DTC) traffic to flow between separate MS DTC instances, and between the MS DTC and resource managers such as SQL Server. We recommend that you use the preconfigured Distributed Transaction Coordinator rule group. When a single shared MS DTC is configured for the entire cluster in a separate resource group, you should add sqlservr.exe as an exception to the firewall.

Scenario: The browse button in Management Studio uses UDP to connect to the SQL Server Browser Service. For more information, see SQL Server Browser Service (Database Engine and SSAS).
Port: UDP port 1434
Comments: UDP is a connectionless protocol. The firewall has a setting (the UnicastResponsesToMulticastBroadcastDisabled property of the INetFwProfile interface) which controls the behavior of the firewall with respect to unicast responses to a broadcast (or multicast) UDP request. It has two behaviors: If the setting is TRUE, no unicast responses to a broadcast are permitted at all, and enumerating services will fail. If the setting is FALSE (the default), unicast responses are permitted for 3 seconds; the length of time is not configurable. In a congested or high-latency network, or for heavily loaded servers, attempts to enumerate instances of SQL Server might return a partial list, which might mislead users.

Scenario: IPsec traffic
Port: UDP port 500 and UDP port 4500
Comments: If the domain policy requires network communications to be done through IPsec, you must also add UDP port 4500 and UDP port 500 to the exception list. IPsec is an option in the New Inbound Rule Wizard in the Windows Firewall snap-in. For more information, see Using the Windows Firewall with Advanced Security Snap-in below.

Scenario: Using Windows Authentication with Trusted Domains
Comments: Firewalls must be configured to allow authentication requests. For more information, see How to configure a firewall for domains and trusts.

Scenario: SQL Server and Windows Clustering
Comments: Clustering requires additional ports that are not directly related to SQL Server. For more information, see Enable a network for cluster use.

Scenario: URL namespaces reserved in the HTTP Server API (HTTP.SYS)
Port: Probably TCP port 80, but can be configured to other ports.
Comments: For general information, see Configuring HTTP and HTTPS. For SQL Server specific information about reserving an HTTP.SYS endpoint using HttpCfg.exe, see About URL Reservations and Registration (SSRS Configuration Manager).

Special Considerations for Port 135

When you use RPC with TCP/IP or with UDP/IP as the transport, inbound ports are frequently dynamically assigned to system services as required; TCP/IP and UDP/IP ports that are larger than port 1024 are used. These are frequently informally referred to as "random RPC ports." In these cases, RPC clients rely on the RPC endpoint mapper to tell them which dynamic ports were assigned to the server. For some RPC-based services, you can configure a specific port instead of letting RPC assign one dynamically. You can also restrict the range of ports that RPC dynamically assigns to a small range, regardless of the service. Because port 135 is used for many services, it is frequently attacked by malicious users. When opening port 135, consider restricting the scope of the firewall rule.

For more information about port 135, see the following references:

Interaction with Other Firewall Rules

The Windows Firewall uses rules and rule groups to establish its configuration. Each rule or rule group is generally associated with a particular program or service, and that program or service might modify or delete that rule without your knowledge. For example, the rule groups World Wide Web Services (HTTP) and World Wide Web Services (HTTPS) are associated with IIS. Enabling those rules will open ports 80 and 443, and SQL Server features that depend on ports 80 and 443 will function if those rules are enabled. However, administrators configuring IIS might modify or disable those rules. Therefore, if you are using port 80 or port 443 for SQL Server, you should create your own rule or rule group that maintains your desired port configuration independently of the other IIS rules.

The Windows Firewall with Advanced Security MMC snap-in allows any traffic that matches any applicable allow rule. So if there are two rules that both apply to port 80 (with different parameters), traffic that matches either rule will be permitted. So if one rule allows traffic over port 80 from the local subnet and one rule allows traffic from any address, the net effect is that all traffic to port 80 is permitted regardless of the source. To effectively manage access to SQL Server, administrators should periodically review all firewall rules enabled on the server.
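The periodic review recommended above is easy to script. The following PowerShell function is an added example, not part of the original article: given a port, it returns every enabled inbound allow rule that covers that port (including rules that use a port range or "Any"), together with each rule's group, profile and remote-address scope, and flags any rule whose scope is unrestricted. That flag is the overlap case described in the paragraph: a scoped rule on port 80 is made ineffective by any other allow rule on port 80 that admits any address. The function and variable names are ours; it assumes an elevated PowerShell session and is read-only.

```powershell
# Added example: report all enabled inbound allow rules that cover a given port,
# so that overlapping rules with wider scope become visible. Read-only.

function Get-InboundAllowRulesForPort {
    param(
        [Parameter(Mandatory)][int]$Port,
        [string]$Protocol = 'TCP'
    )
    Get-NetFirewallRule -Enabled True -Direction Inbound -Action Allow |
        ForEach-Object {
            $pf = $_ | Get-NetFirewallPortFilter
            # LocalPort can be one value, several values, a range such as "80-90",
            # "Any", or a named set such as "RPC"; treat only numeric forms as ports.
            $ports = @($pf.LocalPort)
            $hit = $false
            foreach ($p in $ports) {
                if ($p -eq 'Any') { $hit = $true; break }
                if ($p -match '^(\d+)-(\d+)$') {
                    if ($Port -ge [int]$Matches[1] -and $Port -le [int]$Matches[2]) { $hit = $true; break }
                } elseif ($p -match '^\d+$' -and [int]$p -eq $Port) {
                    $hit = $true; break
                }
            }
            if ($hit -and ($pf.Protocol -eq $Protocol -or $pf.Protocol -eq 'Any')) {
                $af = $_ | Get-NetFirewallAddressFilter
                $remote = @($af.RemoteAddress)
                [pscustomobject]@{
                    Rule          = $_.DisplayName
                    Group         = $_.DisplayGroup
                    Profile       = $_.Profile
                    LocalPort     = ($ports -join ',')
                    RemoteAddress = ($remote -join ',')
                    # True when the rule admits traffic from any source address.
                    OpenToAny     = ($remote -contains 'Any')
                }
            }
        }
}

# Port 80 is the article's example of two overlapping rules; run the same check
# for 443, 1433 or 135 as needed.
$rules = Get-InboundAllowRulesForPort -Port 80
$rules | Format-Table -AutoSize
if ($rules | Where-Object OpenToAny) {
    Write-Warning 'At least one enabled rule allows port 80 from any address; scoped rules on this port are not effective.'
}
```

The Group column matters for the IIS case in the previous paragraph: a rule belonging to the World Wide Web Services (HTTP) group is owned by IIS and may be changed when IIS is reconfigured, so a SQL Server port that shows up only under an IIS-owned group needs a rule of its own.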

Overview of Firewall Profiles

Firewall profiles are used by the operating system to identify and remember each of the networks to which it connects, with regard to connectivity, connections, and category.

There are three network location types in Windows Firewall with Advanced Security:

  • Domain: Windows can authenticate access to the domain controller for the domain to which the computer is joined.
  • Public: Other than domain networks, all networks are initially categorized as public. Networks that represent direct connections to the Internet or are in public locations, such as airports and coffee shops, should be left public.
  • Private: A network identified by a user or application as private. Only trusted networks should be identified as private networks. Users will likely want to identify home or small business networks as private.

The administrator can create a profile for each network location type, with each profile containing different firewall policies. Only one profile is applied at any time. The profile is selected in the following order:

  1. If all interfaces are authenticated to the domain controller for the domain of which the computer is a member, the domain profile is applied.
  2. If all interfaces are either authenticated to the domain controller or connected to networks that are classified as private network locations, the private profile is applied.
  3. Otherwise, the public profile is applied.

Use the Windows Firewall with Advanced Security MMC snap-in to view and configure all firewall profiles. The Windows Firewall item in Control Panel configures only the current profile.

Additional Firewall Settings Using the Windows Firewall Item in Control Panel

Exceptions that you add to the firewall can restrict the opening of the port to incoming connections from specific computers or the local subnet. This restriction of the scope of the port opening reduces how much your computer is exposed to malicious users, and is recommended.

Note

Using the Windows Firewall item in Control Panel configures only the current firewall profile.

To change the scope of a firewall exception using the Windows Firewall item in Control Panel

  1. In the Windows Firewall item in Control Panel, select a program or port on the Exceptions tab, and then click Properties or Edit.

  2. In the Edit a Program or Edit a Port dialog box, click Change Scope.

  3. Choose one of the following options:

    • Any computer (including those on the Internet): Not recommended. This allows any computer that can address your computer to connect to the specified program or port. This setting might be necessary to allow information to be presented to anonymous users on the Internet, but it increases your exposure to malicious users. Your exposure is further increased if you enable this setting and also allow Network Address Translation (NAT) traversal, such as the Allow edge traversal option.

    • My network (subnet) only: This is a more secure setting than Any computer. Only computers on the local subnet of your network can connect to the program or port.

    • Custom list: Only computers that have the IP addresses listed can connect. This can be a more secure setting than My network (subnet) only; however, client computers using DHCP can occasionally change their IP address. When that happens, the intended computer will not be able to connect, and another computer, which you had not intended to authorize, might receive the listed IP address and then be able to connect. The Custom list option might be appropriate for listing other servers that are configured to use a fixed IP address; however, IP addresses might be spoofed by an intruder. Firewall rule restrictions are only as strong as your network infrastructure.
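The following PowerShell script is an added example, not part of the original article, that applies the advice above: it creates a dedicated, scoped inbound rule for the SQL Server Database Engine in its own rule group, so that the rule is independent of rule groups owned by other products such as IIS. It assumes a default instance listening on TCP port 1433 and uses the placeholder group name "SQL Server (custom)"; adjust the port and scope for your environment.

```powershell
# Added example (not from the original article). Run from an elevated
# PowerShell session on the computer that is running SQL Server.
# Assumptions: default instance on TCP 1433; group name is a placeholder.

$params = @{
    DisplayName   = 'SQL Server Database Engine (TCP 1433, local subnet)'
    Group         = 'SQL Server (custom)'   # own group: IIS rule changes cannot affect it
    Direction     = 'Inbound'
    Protocol      = 'TCP'
    LocalPort     = 1433
    # Scope: equivalent of the "My network (subnet) only" option.
    # For the "Custom list" option use explicit addresses instead, for example
    #   RemoteAddress = @('10.0.0.20', '10.0.0.21')      # constructed sample values
    # Avoid 'Any' (the "Any computer" option) unless it is truly required.
    RemoteAddress = 'LocalSubnet'
    # Apply only under the Domain and Private profiles, so the port stays
    # closed while the computer is connected to a Public network.
    Profile       = 'Domain', 'Private'
    Action        = 'Allow'
    Enabled       = 'True'
}
$rule = New-NetFirewallRule @params

# Verify the scope that was actually stored for the new rule.
$rule | Get-NetFirewallAddressFilter |
    Select-Object @{ n = 'Rule'; e = { $rule.DisplayName } }, LocalAddress, RemoteAddress

# Optional hardening: bind the rule to the SQL Server executable so that only
# that program can accept connections on the port. Replace the placeholder
# with the actual path of sqlservr.exe for your instance.
# Set-NetFirewallRule -Name $rule.Name -Program '<path to sqlservr.exe>'
```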

Using the Windows Firewall with Advanced Security Snap-in

Additional advanced firewall settings can be configured by using the Windows Firewall with Advanced Security MMC snap-in. The snap-in includes a rule wizard and exposes additional settings that are not available in the Windows Firewall item in Control Panel. These settings include the following:

  • Encryption settings
  • Services restrictions
  • Restricting connections for computers by name
  • Restricting connections to specific users or profiles
  • Edge traversal allowing traffic to bypass Network Address Translation (NAT) routers
  • Configuring outbound rules
  • Configuring security rules
  • Requiring IPsec for incoming connections

To create a new firewall rule using the New Rule wizard

  1. On the Start menu, select Run, type WF.msc, and then select OK.
  2. In Windows Firewall with Advanced Security, in the left pane, right-click Inbound Rules, and then select New Rule.
  3. Complete the New Inbound Rule Wizard using the settings that you want.

Troubleshooting Firewall Settings

The following tools and techniques can be useful in troubleshooting firewall issues:

  • The effective port status is the union of all rules related to the port. When trying to block access through a port, it can be helpful to review all the rules that cite the port number. To do this, use the Windows Firewall with Advanced Security MMC snap-in and sort the inbound and outbound rules by port number.

  • Review the ports that are active on the computer on which SQL Server is running. This review process includes verifying which TCP/IP ports are listening and also verifying the status of those ports.

    To verify which ports are listening, use the netstat command-line utility. In addition to displaying active TCP connections, the netstat utility also displays a variety of IP statistics and other information.

    To list which TCP/IP ports are listening

    1. Open the Command Prompt window.

    2. At the command prompt, type netstat -n -a.

      The -n switch instructs netstat to display the address and port number of active TCP connections numerically. The -a switch instructs netstat to display the TCP and UDP ports on which the computer is listening.

  • The PortQry utility can be used to report the status of TCP/IP ports as listening, not listening, or filtered. (With a filtered status, the port might or might not be listening; this status indicates that the utility did not receive a response from the port.) The PortQry utility is available for download from the Microsoft Download Center.

See Also

Service overview and network port requirements for the Windows Server system
How to: Configure Firewall Settings (Azure SQL Database)
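The PowerShell script below is an added example, not part of the original article, that automates the two review steps above: it lists the TCP ports the computer is listening on together with the owning process (the same information as netstat -n -a, with process names added), and for a given port it lists every enabled inbound allow rule that covers that port along with its remote-address scope, flagging rules open to any address because the effective port status is the union of all allow rules. The port 1433 used at the end is an assumed example value.

```powershell
# Added example (not from the original article). Run as administrator.
# Assumption: port 1433 below is a sample value; pass any port of interest.

function Get-ListeningTcpPorts {
    Get-NetTCPConnection -State Listen | Sort-Object LocalPort | ForEach-Object {
        $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
        [pscustomobject]@{
            LocalAddress = $_.LocalAddress
            LocalPort    = $_.LocalPort
            ProcessId    = $_.OwningProcess
            ProcessName  = if ($proc) { $proc.ProcessName } else { '(unknown)' }
        }
    }
}

# A rule's LocalPort filter may be 'Any', a number, a range such as '1000-2000',
# or a keyword such as 'RPC'; only the first three can match a numeric port.
function Test-PortInFilter {
    param([string[]]$LocalPorts, [int]$Port)
    foreach ($entry in $LocalPorts) {
        if ($entry -eq 'Any') { return $true }
        if ($entry -match '^(\d+)-(\d+)$') {
            if ($Port -ge [int]$Matches[1] -and $Port -le [int]$Matches[2]) { return $true }
        } elseif ($entry -match '^\d+$' -and [int]$entry -eq $Port) { return $true }
    }
    return $false
}

# Every enabled inbound allow rule whose TCP port filter covers $Port.
function Get-InboundAllowRulesForPort {
    param([int]$Port)
    Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow | ForEach-Object {
        $rule = $_
        $portFilter = $rule | Get-NetFirewallPortFilter
        if ($portFilter.Protocol -eq 'TCP' -and
            (Test-PortInFilter -LocalPorts $portFilter.LocalPort -Port $Port)) {
            $addr = $rule | Get-NetFirewallAddressFilter
            [pscustomobject]@{
                Rule          = $rule.DisplayName
                Group         = $rule.DisplayGroup
                Profile       = $rule.Profile
                RemoteAddress = ($addr.RemoteAddress -join ',')
                OpenToAll     = ($addr.RemoteAddress -contains 'Any')  # widest scope wins
            }
        }
    }
}

Get-ListeningTcpPorts | Format-Table -AutoSize
Get-InboundAllowRulesForPort -Port 1433 | Format-Table -AutoSize
```

Any row with OpenToAll set to True makes the narrower scopes of the other rules for that port irrelevant until it is disabled or re-scoped.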