Configure a Windows Firewall for Database Engine Access

This topic describes how to configure a Windows firewall for Database Engine access in SQL Server 2014 by using SQL Server Configuration Manager. Firewall systems help prevent unauthorized access to computer resources. To access an instance of the SQL Server Database Engine through a firewall, you must configure the firewall on the computer running SQL Server to allow access.

For more information about the default Windows firewall settings, and a description of the TCP ports that affect the Database Engine, Analysis Services, Reporting Services, and Integration Services, see Configure the Windows Firewall to Allow SQL Server Access. There are many firewall systems available. For information specific to your system, see the firewall documentation.

The principal steps to allow access are:

  1. Configure the Database Engine to use a specific TCP/IP port. The default instance of the Database Engine uses port 1433, but that can be changed. The port used by the Database Engine is listed in the SQL Server error log. Instances of SQL Server Express, SQL Server Compact, and named instances of the Database Engine use dynamic ports. To configure these instances to use a specific port, see Configure a Server to Listen on a Specific TCP Port (SQL Server Configuration Manager).

  2. Configure the firewall to allow access to that port for authorized users or computers.

Note

The SQL Server Browser service lets users connect to instances of the Database Engine that are not listening on port 1433, without knowing the port number. To use SQL Server Browser, you must open UDP port 1434. To promote the most secure environment, leave the SQL Server Browser service stopped, and configure clients to connect using the port number.

Note

By default, Microsoft Windows enables the Windows Firewall, which closes port 1433 to prevent Internet computers from connecting to a default instance of SQL Server on your computer. Connections to the default instance using TCP/IP are not possible unless you reopen port 1433. The basic steps to configure the Windows firewall are provided in the following procedures. For more information, see the Windows documentation.

As an alternative to configuring SQL Server to listen on a fixed port and opening the port, you can list the SQL Server executable (Sqlservr.exe) as an exception to the blocked programs. Use this method when you want to continue to use dynamic ports. Only one instance of SQL Server can be accessed in this way.


Before You Begin

Security

Opening ports in your firewall can leave your server exposed to malicious attacks. Make sure that you understand firewall systems before you open ports. For more information, see Security Considerations for a SQL Server Installation.

Using SQL Server Configuration Manager

Applies to Windows Vista, Windows 7, and Windows Server 2008

The following procedures configure the Windows Firewall by using the Windows Firewall with Advanced Security Microsoft Management Console (MMC) snap-in. The Windows Firewall with Advanced Security only configures the current profile. For more information about the Windows Firewall with Advanced Security, see Configure the Windows Firewall to Allow SQL Server Access.

To open a port in the Windows firewall for TCP access

  1. On the Start menu, click Run, type WF.msc, and then click OK.

  2. In the Windows Firewall with Advanced Security, in the left pane, right-click Inbound Rules, and then click New Rule in the action pane.

  3. In the Rule Type dialog box, select Port, and then click Next.

  4. In the Protocol and Ports dialog box, select TCP. Select Specific local ports, and then type the port number of the instance of the Database Engine, such as 1433 for the default instance. Click Next.

  5. In the Action dialog box, select Allow the connection, and then click Next.

  6. In the Profile dialog box, select any profiles that describe the computer connection environment when you want to connect to the Database Engine, and then click Next.

  7. In the Name dialog box, type a name and description for this rule, and then click Finish.
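
The port-rule procedure above, scripted in PowerShell and narrowed to named remote addresses so that only authorized computers reach the port. This is an added example, not part of the original topic. It assumes the NetSecurity cmdlets (Windows 8 / Windows Server 2012 or later, newer than the Windows versions this procedure lists) and an elevated session; the function name, rule name and the 10.0.5.0/24 subnet are constructed for illustration.

```powershell
# Added example (not from the original topic). Requires an elevated session and the
# NetSecurity module (Windows 8 / Windows Server 2012 or later).
function Add-SqlEnginePortRule {            # hypothetical helper name
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [ValidateRange(1, 65535)][int]$Port = 1433,        # 1433 = default instance
        [Parameter(Mandatory)][string[]]$RemoteAddress,    # authorized hosts or subnets
        [ValidateSet('Domain', 'Private', 'Public')][string[]]$FirewallProfile = 'Domain'
    )
    $name = "SQL Server Database Engine (TCP $Port)"       # constructed rule name

    if (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue) {
        Write-Warning "Rule '$name' already exists; leaving it unchanged."
    }
    elseif ($PSCmdlet.ShouldProcess($name, 'Create inbound allow rule')) {
        # Same choices as the wizard: Port rule, TCP, specific local port, Allow the
        # connection, selected profiles. RemoteAddress narrows it to authorized computers.
        New-NetFirewallRule -DisplayName $name `
            -Description 'Inbound access to the Database Engine from authorized hosts' `
            -Direction Inbound -Action Allow -Protocol TCP -LocalPort $Port `
            -Profile $FirewallProfile -RemoteAddress $RemoteAddress | Out-Null
    }

    # Read the rule back so the effective scope can be reviewed.
    Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue | ForEach-Object {
        [pscustomobject]@{
            Rule          = $_.DisplayName
            Enabled       = $_.Enabled
            Profile       = $_.Profile
            LocalPort     = ($_ | Get-NetFirewallPortFilter).LocalPort
            RemoteAddress = ($_ | Get-NetFirewallAddressFilter).RemoteAddress
        }
    }
}

# Constructed sample values: an application subnet on the domain profile.
# -WhatIf previews the change; remove it to create the rule.
Add-SqlEnginePortRule -Port 1433 -RemoteAddress '10.0.5.0/24' -FirewallProfile Domain -WhatIf
```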

To open access to SQL Server when using dynamic ports

  1. On the Start menu, click Run, type WF.msc, and then click OK.

  2. In the Windows Firewall with Advanced Security, in the left pane, right-click Inbound Rules, and then click New Rule in the action pane.

  3. In the Rule Type dialog box, select Program, and then click Next.

  4. In the Program dialog box, select This program path. Click Browse, and navigate to the instance of SQL Server that you want to access through the firewall, and then click Open. By default, SQL Server is at **C:\Program Files\Microsoft SQL Server\MSSQL12.MSSQLSERVER\MSSQL\Binn\Sqlservr.exe**. Click Next.

  5. In the Action dialog box, select Allow the connection, and then click Next.

  6. In the Profile dialog box, select any profiles that describe the computer connection environment when you want to connect to the Database Engine, and then click Next.

  7. In the Name dialog box, type a name and description for this rule, and then click Finish.
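
A program rule for Sqlservr.exe admits traffic on whatever port the executable listens on, so it is worth reviewing which rules expose SQL Server once either procedure has been used. The following read-only PowerShell audit is an added example, not part of the original topic; it assumes the NetSecurity cmdlets (Windows 8 / Windows Server 2012 or later), and the function name is hypothetical.

```powershell
# Added example (not from the original topic). Requires the NetSecurity module
# (Windows 8 / Windows Server 2012 or later); read-only, changes nothing.
function Get-SqlFirewallExposure {          # hypothetical helper name
    param([int[]]$EnginePort = 1433)        # fixed TCP ports your instances use

    Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True | ForEach-Object {
        $rule  = $_
        $port  = $rule | Get-NetFirewallPortFilter
        $app   = $rule | Get-NetFirewallApplicationFilter
        $addr  = $rule | Get-NetFirewallAddressFilter
        $ports = @($port.LocalPort)         # exact values only; ranges are not expanded

        $opens = if ($app.Program -like '*\sqlservr.exe') {
            'Program rule: any port Sqlservr.exe listens on'
        }
        elseif ($port.Protocol -eq 'UDP' -and $ports -contains '1434') {
            'SQL Server Browser (UDP 1434)'
        }
        elseif ($port.Protocol -eq 'TCP' -and
                ($EnginePort | Where-Object { $ports -contains "$_" })) {
            'Database Engine port (TCP)'
        }

        if ($opens) {
            [pscustomobject]@{
                Rule             = $rule.DisplayName
                Opens            = $opens
                Profile          = $rule.Profile
                RemoteAddress    = $addr.RemoteAddress -join ', '
                AnyRemoteAddress = @($addr.RemoteAddress) -contains 'Any'
                PublicOrAny      = "$($rule.Profile)" -match 'Any|Public'
            }
        }
    }
}

# Rules open to any remote address sort first.
Get-SqlFirewallExposure | Sort-Object AnyRemoteAddress -Descending | Format-Table -AutoSize

# The topic advises leaving SQL Server Browser stopped; report its state if installed.
Get-Service -Name SQLBrowser -ErrorAction SilentlyContinue | Select-Object Name, Status
```

Rules flagged with AnyRemoteAddress or PublicOrAny are the ones to narrow first.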