Configure the Windows Firewall to Allow SQL Server Access

Firewall systems help prevent unauthorized access to computer resources. If a firewall is turned on but not correctly configured, attempts to connect to SQL Server might be blocked.

To access an instance of SQL Server through a firewall, you must configure the firewall on the computer that is running SQL Server to allow access. The firewall is a component of Microsoft Windows. You can also install a firewall from another company. This topic discusses how to configure the Windows firewall, but the basic principles apply to other firewall programs.

Note

This topic provides an overview of firewall configuration and summarizes information of interest to a SQL Server administrator. For more information about the firewall and for authoritative firewall information, see the firewall documentation, such as Windows Firewall with Advanced Security and IPsec.

Users who are familiar with the Windows Firewall item in Control Panel and with the Windows Firewall with Advanced Security Microsoft Management Console (MMC) snap-in, and who know which firewall settings they want to configure, can move directly to the topics in the following list:

Basic Firewall Information

Firewalls work by inspecting incoming packets and comparing them against a set of rules. If the rules allow the packet, the firewall passes the packet to the TCP/IP protocol for additional processing. If the rules do not allow the packet, the firewall discards the packet and, if logging is enabled, creates an entry in the firewall logging file.

The list of allowed traffic is populated in one of the following ways:

  • When the computer that has the firewall enabled initiates communication, the firewall creates an entry in the list so that the response is allowed. The incoming response is considered solicited traffic, and you do not have to configure this.

  • An administrator configures exceptions to the firewall. This allows either access to specified programs running on your computer, or access to specified connection ports on your computer. In this case, the computer accepts unsolicited incoming traffic when acting as a server, a listener, or a peer. This is the type of configuration that must be completed to connect to SQL Server.

Choosing a firewall strategy is more complex than just deciding whether a given port should be open or closed. When designing a firewall strategy for your enterprise, make sure that you consider all the rules and configuration options available to you. This topic does not review all the possible firewall options. We recommend that you review the following documents:

Windows Firewall with Advanced Security Getting Started Guide

Windows Firewall with Advanced Security Design Guide

Introduction to Server and Domain Isolation

Default Firewall Settings

The first step in planning your firewall configuration is to determine the current status of the firewall for your operating system. If the operating system was upgraded from a previous version, the earlier firewall settings may have been preserved. Also, the firewall settings could have been changed by another administrator or by a Group Policy in your domain.

Note

Turning on the firewall will affect other programs that access this computer, such as file and print sharing and remote desktop connections. Administrators should consider all applications that are running on the computer before adjusting the firewall settings.

Programs to Configure the Firewall

There are three ways to configure the Windows Firewall settings.

  • Windows Firewall item in Control Panel

    The Windows Firewall item can be opened from Control Panel.

    Important

    Changes made in the Windows Firewall item in Control Panel only affect the current profile. Mobile devices, for example a laptop, should not use the Windows Firewall item in Control Panel, because the profile might change when the device is connected in a different configuration; the previously configured profile will then not be in effect. For more information about profiles, see Windows Firewall with Advanced Security Getting Started Guide.

    The Windows Firewall item in Control Panel allows you to configure basic options. These include the following:

    • Turning the Windows Firewall item in Control Panel on or off

    • Enabling and disabling rules

    • Granting exceptions for ports and programs

    • Setting some scope restrictions

    The Windows Firewall item in Control Panel is most appropriate for users who are not experienced in firewall configuration and who are configuring basic firewall options for computers that are not mobile. You can also open the Windows Firewall item in Control Panel from the Run command by using the following procedure:

    To open the Windows Firewall item

    1. On the Start menu, click Run, and then enter firewall.cpl.

    2. Click OK.

  • Microsoft Management Console (MMC)

    The Windows Firewall with Advanced Security MMC snap-in lets you configure more advanced firewall settings. This snap-in presents most of the firewall options in an easy-to-use manner, and it presents all firewall profiles. For more information, see Using the Windows Firewall with Advanced Security Snap-in later in this topic.

  • netsh

    The netsh.exe tool can be used by an administrator to configure and monitor Windows-based computers at a command prompt or by using a batch file. By using the netsh tool, you can direct the context commands you enter to the appropriate helper, and the helper then performs the command. A helper is a dynamic link library (.dll) file that extends the functionality of the netsh tool by providing configuration, monitoring, and support for one or more services, utilities, or protocols. All operating systems that support SQL Server have a firewall helper. Windows Server 2008 also has an advanced firewall helper called advfirewall. The details of using netsh are not discussed in this topic. However, many of the configuration options described can be configured by using netsh. For example, run the following script at a command prompt to open TCP port 1433:

    netsh firewall set portopening protocol = TCP port = 1433 name = SQLPort mode = ENABLE scope = SUBNET profile = CURRENT

    A similar example using the Windows Firewall with Advanced Security helper:

    netsh advfirewall firewall add rule name = SQLPort dir = in protocol = tcp action = allow localport = 1433 remoteip = localsubnet profile = DOMAIN

    For more information about netsh, see the following links:
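The same two rules expressed with the NetSecurity PowerShell cmdlets, as an added example that is not part of the original topic. It assumes Windows 8 / Windows Server 2012 or later and an elevated prompt; the rule display names with the SQL- prefix are this example's own choice.

```powershell
# Added example: PowerShell equivalents of the netsh commands above.
# Run from an elevated PowerShell prompt. Rule names are assumptions.

# Inbound TCP 1433 for the Database Engine default instance, scoped to the
# local subnet and the Domain profile, matching the advfirewall example.
New-NetFirewallRule -DisplayName 'SQL-DatabaseEngine-TCP1433' `
    -Direction Inbound -Protocol TCP -LocalPort 1433 `
    -RemoteAddress LocalSubnet -Profile Domain -Action Allow

# Inbound UDP 1434 for the SQL Server Browser service. Only needed when
# clients resolve a named instance by name instead of using its fixed port.
New-NetFirewallRule -DisplayName 'SQL-Browser-UDP1434' `
    -Direction Inbound -Protocol UDP -LocalPort 1434 `
    -RemoteAddress LocalSubnet -Profile Domain -Action Allow

# Verify what was created: protocol, port and remote scope of each SQL- rule.
# A rule whose RemoteIP shows "Any" is wider than the netsh examples intend.
Get-NetFirewallRule -DisplayName 'SQL-*' | ForEach-Object {
    $port = $_ | Get-NetFirewallPortFilter
    $addr = $_ | Get-NetFirewallAddressFilter
    [pscustomobject]@{
        Name      = $_.DisplayName
        Enabled   = $_.Enabled
        Profile   = $_.Profile
        Protocol  = $port.Protocol
        LocalPort = $port.LocalPort
        RemoteIP  = (@($addr.RemoteAddress) -join ',')
    }
} | Format-Table -AutoSize
```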

Ports Used By SQL Server

The following tables can help you identify the ports being used by SQL Server.

Ports Used By the Database Engine

The following table lists the ports that are frequently used by the Database Engine. Each row gives the scenario, the port, and comments.

Scenario: SQL Server default instance running over TCP
Port: TCP port 1433
Comments: This is the most common port allowed through the firewall. It applies to routine connections to the default installation of the Database Engine, or to a named instance that is the only instance running on the computer. (Named instances have special considerations. See Dynamic Ports later in this topic.)

Scenario: SQL Server named instances in the default configuration
Port: The TCP port is a dynamic port determined at the time the Database Engine starts.
Comments: See the discussion below in the section Dynamic Ports. UDP port 1434 might be required for the SQL Server Browser service when you are using named instances.

Scenario: SQL Server named instances when they are configured to use a fixed port
Port: The port number configured by the administrator.
Comments: See the discussion below in the section Dynamic Ports.

Scenario: Dedicated Admin Connection
Port: TCP port 1434 for the default instance. Other ports are used for named instances. Check the error log for the port number.
Comments: By default, remote connections to the Dedicated Administrator Connection (DAC) are not enabled. To enable remote DAC, use the Surface Area Configuration facet. For more information, see Surface Area Configuration.

Scenario: SQL Server Browser service
Port: UDP port 1434
Comments: The SQL Server Browser service listens for incoming connections to a named instance and provides the client with the TCP port number that corresponds to that named instance. Normally the SQL Server Browser service is started whenever named instances of the Database Engine are used. The SQL Server Browser service does not have to be started if the client is configured to connect to the specific port of the named instance.

Scenario: SQL Server instance running over an HTTP endpoint
Port: Can be specified when an HTTP endpoint is created. The default is TCP port 80 for CLEAR_PORT traffic and 443 for SSL_PORT traffic.
Comments: Used for an HTTP connection through a URL.

Scenario: SQL Server default instance running over an HTTPS endpoint
Port: TCP port 443
Comments: Used for an HTTPS connection through a URL. HTTPS is an HTTP connection that uses Secure Sockets Layer (SSL).

Scenario: Service Broker
Port: TCP port 4022. To verify the port used, execute the following query:

    SELECT name, protocol_desc, port, state_desc
    FROM sys.tcp_endpoints
    WHERE type_desc = 'SERVICE_BROKER'

Comments: There is no default port for SQL Server Service Broker, but this is the conventional configuration used in Books Online examples.

Scenario: Database Mirroring
Port: Administrator-chosen port. To determine the port, execute the following query:

    SELECT name, protocol_desc, port, state_desc
    FROM sys.tcp_endpoints
    WHERE type_desc = 'DATABASE_MIRRORING'

Comments: There is no default port for database mirroring; however, Books Online examples use TCP port 7022. It is very important to avoid interrupting an in-use mirroring endpoint, especially in high-safety mode with automatic failover. Your firewall configuration must avoid breaking quorum. For more information, see Specify a Server Network Address (Database Mirroring).

Scenario: Replication
Port: Replication connections to SQL Server use the typical regular Database Engine ports (TCP port 1433 for the default instance, etc.).
Comments: Web synchronization and FTP/UNC access for replication snapshots require additional ports to be opened on the firewall. To transfer initial data and schema from one location to another, replication can use FTP (TCP port 21), sync over HTTP (TCP port 80), or file sharing. File sharing uses UDP ports 137 and 138 and TCP port 139 if it is using NetBIOS. File sharing also uses TCP port 445. For sync over HTTP, replication uses the IIS endpoint (the port is configurable but is port 80 by default), but the IIS process connects to the back-end SQL Server through the standard ports (1433 for the default instance). During Web synchronization using FTP, the FTP transfer is between IIS and the SQL Server publisher, not between the subscriber and IIS.

Scenario: Transact-SQL debugger
Port: TCP port 135. See Special Considerations for Port 135. The IPsec exception might also be required.
Comments: If using Visual Studio, on the Visual Studio host computer you must also add Devenv.exe to the Exceptions list and open TCP port 135. If using Management Studio, on the Management Studio host computer you must also add ssms.exe to the Exceptions list and open TCP port 135. For more information, see Configure the Transact-SQL Debugger.
For step-by-step instructions to configure the Windows Firewall for the Database Engine, see Configure a Windows Firewall for Database Engine Access.

Dynamic Ports

By default, named instances (including SQL Server Express) use dynamic ports. That means that every time the Database Engine starts, it identifies an available port and uses that port number. If the named instance is the only instance of the Database Engine installed, it will probably use TCP port 1433. If other instances of the Database Engine are installed, it will probably use a different TCP port. Because the port selected might change every time the Database Engine is started, it is difficult to configure the firewall to enable access to the correct port number. Therefore, if a firewall is used, we recommend reconfiguring the Database Engine to use the same port number every time. This is called a fixed port or a static port. For more information, see Configure a Server to Listen on a Specific TCP Port (SQL Server Configuration Manager).

An alternative to configuring a named instance to listen on a fixed port is to create an exception in the firewall for a SQL Server program such as sqlservr.exe (for the Database Engine). This can be convenient, but the port number will not appear in the Local Port column of the Inbound Rules page when you are using the Windows Firewall with Advanced Security MMC snap-in. This can make it more difficult to audit which ports are open. Another consideration is that a service pack or cumulative update can change the path to the SQL Server executable, which will invalidate the firewall rule.

Note

The following procedure uses the Windows Firewall item in Control Panel. The Windows Firewall with Advanced Security MMC snap-in can configure a more complex rule. This includes configuring a service exception, which can be useful for providing defense in depth. See Using the Windows Firewall with Advanced Security Snap-in below.

To add a program exception to the firewall using the Windows Firewall item in Control Panel
  1. On the Exceptions tab of the Windows Firewall item in Control Panel, click Add a program.

  2. Browse to the location of the instance of SQL Server that you want to allow through the firewall, for example C:\Program Files\Microsoft SQL Server\MSSQL12.<instance_name>\MSSQL\Binn, select sqlservr.exe, and then click Open.

  3. Click OK.

For more information about endpoints, see Configure the Database Engine to Listen on Multiple TCP Ports and Endpoints Catalog Views (Transact-SQL).
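A check that tells you whether each installed Database Engine instance is on a fixed or a dynamic port before you write firewall rules, as an added example that is not part of the original topic. It reads the same TCP/IP protocol settings that SQL Server Configuration Manager edits (the SuperSocketNetLib\Tcp registry keys) and reports the SQL Server Browser service state, since dynamic-port instances depend on it; the function name and output fields are this example's own.

```powershell
# Added example: report fixed vs. dynamic TCP port per Database Engine instance.
# Reads HKLM:\SOFTWARE\Microsoft\Microsoft SQL Server\<InstanceId>\MSSQLServer\
# SuperSocketNetLib\Tcp, the keys SQL Server Configuration Manager maintains.
# Run on the SQL Server host; reading these keys needs no elevation.

function Get-SqlInstanceTcpConfig {
    $root  = 'HKLM:\SOFTWARE\Microsoft\Microsoft SQL Server'
    # "Instance Names\SQL" maps each instance name to its instance ID
    # (e.g. SQLEXPRESS -> MSSQL12.SQLEXPRESS).
    $names = Get-ItemProperty -Path "$root\Instance Names\SQL" -ErrorAction Stop
    # Browser service (UDP 1434) is what clients use to discover dynamic ports.
    $browser = (Get-Service -Name SQLBrowser -ErrorAction SilentlyContinue).Status

    foreach ($prop in $names.PSObject.Properties) {
        if ($prop.Name -like 'PS*') { continue }      # provider metadata, not an instance
        $instanceId = $prop.Value
        $tcpKey = "$root\$instanceId\MSSQLServer\SuperSocketNetLib\Tcp"
        $tcp    = Get-ItemProperty -Path $tcpKey -ErrorAction SilentlyContinue
        $ipAll  = Get-ItemProperty -Path "$tcpKey\IPAll" -ErrorAction SilentlyContinue
        if (-not $ipAll) { continue }                 # TCP/IP keys absent for this instance

        $fixed   = $ipAll.TcpPort          # non-empty when a static port is configured
        $dynamic = $ipAll.TcpDynamicPorts  # "0" until the engine starts, then the port it chose

        $mode = if ($fixed) { 'Fixed' } elseif ($dynamic) { 'Dynamic' } else { 'Unknown' }
        [pscustomobject]@{
            Instance     = $prop.Name
            InstanceId   = $instanceId
            TcpEnabled   = ($tcp.Enabled -eq 1)
            Mode         = $mode
            CurrentPort  = if ($fixed) { $fixed } else { $dynamic }
            # A dynamic-port instance with the Browser stopped is unreachable by name.
            NeedsBrowser = ($mode -eq 'Dynamic')
            BrowserState = $browser
        }
    }
}

Get-SqlInstanceTcpConfig | Format-Table -AutoSize
```

Any row reporting Mode = Dynamic is a candidate for the fixed-port reconfiguration recommended above, since a port-based firewall rule written for today's CurrentPort can stop matching after the next service restart.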

Ports Used By Analysis Services

The following table lists the ports that are frequently used by Analysis Services. Each row gives the feature, the port, and comments.

Feature: Analysis Services
Port: TCP port 2383 for the default instance
Comments: The standard port for the default instance of Analysis Services.

Feature: SQL Server Browser service
Port: TCP port 2382, only needed for an Analysis Services named instance
Comments: Client connection requests for a named instance of Analysis Services that do not specify a port number are directed to port 2382, the port on which SQL Server Browser listens. SQL Server Browser then redirects the request to the port that the named instance uses.

Feature: Analysis Services configured for use through IIS/HTTP (the PivotTable Service uses HTTP or HTTPS)
Port: TCP port 80
Comments: Used for an HTTP connection through a URL.

Feature: Analysis Services configured for use through IIS/HTTPS (the PivotTable Service uses HTTP or HTTPS)
Port: TCP port 443
Comments: Used for an HTTPS connection through a URL. HTTPS is an HTTP connection that uses Secure Sockets Layer (SSL).

If users access Analysis Services through IIS and the Internet, you must open the port on which IIS is listening and specify that port in the client connection string. In this case, no ports have to be open for direct access to Analysis Services. The default port 2389, and port 2382, should be restricted together with all other ports that are not required.

For step-by-step instructions to configure the Windows Firewall for Analysis Services, see Configure the Windows Firewall to Allow Analysis Services Access.

Ports Used By Reporting Services

The following table lists the ports that are frequently used by Reporting Services. Each row gives the feature, the port, and comments.

Feature: Reporting Services Web Services
Port: TCP port 80
Comments: Used for an HTTP connection to Reporting Services through a URL. We recommend that you do not use the preconfigured rule World Wide Web Services (HTTP). For more information, see the Interaction with Other Firewall Rules section below.

Feature: Reporting Services configured for use through HTTPS
Port: TCP port 443
Comments: Used for an HTTPS connection through a URL. HTTPS is an HTTP connection that uses Secure Sockets Layer (SSL). We recommend that you do not use the preconfigured rule Secure World Wide Web Services (HTTPS). For more information, see the Interaction with Other Firewall Rules section below.

When Reporting Services connects to an instance of the Database Engine or Analysis Services, you must also open the appropriate ports for those services. For step-by-step instructions to configure the Windows Firewall for Reporting Services, see Configure a Firewall for Report Server Access.

Ports Used By Integration Services

The following table lists the ports that are used by the Integration Services service. Each row gives the feature, the port, and comments.

Feature: Microsoft remote procedure calls (MS RPC). Used by the Integration Services runtime.
Port: TCP port 135. See Special Considerations for Port 135.
Comments: The Integration Services service uses DCOM on port 135. The Service Control Manager uses port 135 to perform tasks such as starting and stopping the Integration Services service and transmitting control requests to the running service. The port number cannot be changed. This port is only required to be open if you are connecting to a remote instance of the Integration Services service from Management Studio or a custom application.

For step-by-step instructions to configure the Windows Firewall for Integration Services, see Configure a Windows Firewall for Access to the SSIS Service.

Additional Ports and Services

The following table lists ports and services that SQL Server might depend on. Each row gives the scenario, the port, and comments.

Scenario: Windows Management Instrumentation. For more information about WMI, see WMI Provider for Configuration Management Concepts.
Port: WMI runs as part of a shared service host with ports assigned through DCOM. WMI might be using TCP port 135. See Special Considerations for Port 135.
Comments: SQL Server Configuration Manager uses WMI to list and manage services. We recommend that you use the preconfigured rule group Windows Management Instrumentation (WMI). For more information, see the Interaction with Other Firewall Rules section below.

Scenario: Microsoft Distributed Transaction Coordinator (MS DTC)
Port: TCP port 135. See Special Considerations for Port 135.
Comments: If your application uses distributed transactions, you might have to configure the firewall to allow Microsoft Distributed Transaction Coordinator (MS DTC) traffic to flow between separate MS DTC instances, and between the MS DTC and resource managers such as SQL Server. We recommend that you use the preconfigured Distributed Transaction Coordinator rule group. When a single shared MS DTC is configured for the entire cluster in a separate resource group, you should add sqlservr.exe as an exception to the firewall.

Scenario: The browse button in Management Studio uses UDP to connect to the SQL Server Browser service. For more information, see SQL Server Browser Service (Database Engine and SSAS).
Port: UDP port 1434
Comments: UDP is a connectionless protocol. The firewall has a setting, named UnicastResponsesToMulticastBroadcastDisabled Property of the INetFwProfile Interface, which controls the behavior of the firewall with respect to unicast responses to a broadcast (or multicast) UDP request. It has two behaviors:

  • If the setting is TRUE, no unicast responses to a broadcast are permitted at all. Enumerating services will fail.

  • If the setting is FALSE (the default), unicast responses are permitted for 3 seconds. The length of time is not configurable. In a congested or high-latency network, or for heavily loaded servers, attempts to enumerate instances of SQL Server might return a partial list, which might mislead users.

Scenario: IPsec traffic
Port: UDP port 500 and UDP port 4500
Comments: If the domain policy requires network communications to be done through IPsec, you must also add UDP port 4500 and UDP port 500 to the exception list. IPsec is an option in the New Inbound Rule Wizard in the Windows Firewall snap-in. For more information, see Using the Windows Firewall with Advanced Security Snap-in below.

Scenario: Using Windows Authentication with trusted domains
Comments: Firewalls must be configured to allow authentication requests. For more information, see How to configure a firewall for domains and trusts.

Scenario: SQL Server and Windows Clustering
Comments: Clustering requires additional ports that are not directly related to SQL Server. For more information, see Enable a network for cluster use.

Scenario: URL namespaces reserved in the HTTP Server API (HTTP.SYS)
Port: Probably TCP port 80, but can be configured to other ports.
Comments: For general information, see Configuring HTTP and HTTPS. For SQL Server specific information about reserving an HTTP.SYS endpoint using HttpCfg.exe, see About URL Reservations and Registration (SSRS Configuration Manager).

通訊埠 135 的特殊考量Special Considerations for Port 135

當您使用 RPC 搭配 TCP/IP 或 UDP/IP 當做傳輸時,系統通常會視需要以動態方式將傳入通訊埠指派給系統服務。所使用的是大於通訊埠 1024 的 TCP/IP 和 UDP/IP 通訊埠。When you use RPC with TCP/IP or with UDP/IP as the transport, inbound ports are frequently dynamically assigned to system services as required; TCP/IP and UDP/IP ports that are larger than port 1024 are used. 這些通訊埠通常非正式地稱為「隨機 RPC 通訊埠」。These are frequently informally referred to as "random RPC ports." 在這些情況下,RPC 用戶端會仰賴 RPC 端點對應程式來告知它們哪些動態通訊埠已經指派給伺服器。In these cases, RPC clients rely on the RPC endpoint mapper to tell them which dynamic ports were assigned to the server. 對於某些以 RPC 為基礎的服務而言,您可以設定特定通訊埠,而非讓 RPC 以動態方式指派通訊埠。For some RPC-based services, you can configure a specific port instead of letting RPC assign one dynamically. 不論服務為何,您都可以將 RPC 以動態方式指派的通訊埠範圍限制成小範圍。You can also restrict the range of ports that RPC dynamically assigns to a small range, regardless of the service. 由於通訊埠 135 用於許多服務,所以它經常會受到惡意使用者的攻擊。Because port 135 is used for many services it is frequently attacked by malicious users. 開啟通訊埠When opening port 135, consider restricting the scope of the firewall rule.

For more information about port 135, see the following references:

Interaction with Other Firewall Rules

Windows Firewall uses rules and rule groups to establish its configuration. Each rule or rule group is generally associated with a particular program or service, and that program or service might modify or delete the rule without your knowledge. For example, the rule groups World Wide Web Services (HTTP) and World Wide Web Services (HTTPS) are associated with IIS. Enabling those rules opens ports 80 and 443, and SQL Server features that depend on ports 80 and 443 will work while those rules are enabled. However, an administrator configuring IIS might modify or disable those rules. Therefore, if you are using port 80 or port 443 for SQL Server, create your own rule or rule group that maintains your desired port configuration independently of the IIS rules.

The Windows Firewall with Advanced Security MMC snap-in allows any traffic that matches any applicable allow rule. So if two rules both apply to port 80 (with different parameters), traffic that matches either rule is permitted. If one rule allows traffic to port 80 from the local subnet and another allows it from any address, the net effect is that all traffic to port 80 is permitted regardless of source: the narrower rule adds nothing. (An explicit block rule is the exception; it takes precedence over allow rules for the same traffic.) To effectively manage access to SQL Server, administrators should periodically review all firewall rules enabled on the server.
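The review described above can be scripted. The following PowerShell, added here as an example and not part of the original article, lists every enabled inbound allow rule that covers a given local port and warns when any of them is open to all addresses, which is the case where a narrower rule is silently irrelevant. It assumes Windows 8 / Server 2012 or later (the NetSecurity module) and an elevated session; port 1433 (a default SQL Server instance) is an assumption to replace with your instance's port.

```powershell
# Added example, not part of the original article: list every enabled inbound
# allow rule that covers a given local port, so the union the snap-in will honour
# is visible in one place. Assumes Windows 8 / Server 2012 or later (NetSecurity
# module) and an elevated session; port 1433 (default SQL Server instance) is an
# assumption you should replace with your instance's port.

function Test-PortCovered {
    param([string[]]$LocalPort, [int]$Port)
    # Port filters hold 'Any', single ports, keywords such as 'RPC', or ranges
    # such as '1024-65535'. Keywords never match a numeric port here.
    foreach ($p in $LocalPort) {
        if ($p -eq 'Any') { return $true }
        if ($p -match '^(\d+)-(\d+)$') {
            if ([int]$matches[1] -le $Port -and $Port -le [int]$matches[2]) { return $true }
        } elseif (($p -as [int]) -eq $Port) {
            return $true
        }
    }
    return $false
}

function Get-InboundAllowRulesForPort {
    param([Parameter(Mandatory)][int]$Port, [string]$Protocol = 'TCP')
    Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True | ForEach-Object {
        $rule = $_
        $pf = $rule | Get-NetFirewallPortFilter
        if (($pf.Protocol -eq $Protocol -or $pf.Protocol -eq 'Any') -and
            (Test-PortCovered -LocalPort $pf.LocalPort -Port $Port)) {
            $af = $rule | Get-NetFirewallAddressFilter
            $ap = $rule | Get-NetFirewallApplicationFilter
            [pscustomobject]@{
                Name          = $rule.DisplayName
                Group         = $rule.DisplayGroup
                Profile       = $rule.Profile
                Program       = $ap.Program
                RemoteAddress = ($af.RemoteAddress -join ',')
            }
        }
    }
}

$port  = 1433
$rules = Get-InboundAllowRulesForPort -Port $port
$rules | Format-Table -AutoSize

# The effective scope is the widest one present: a single rule with RemoteAddress
# 'Any' makes the port reachable from every source, whatever the other rules say.
$wideOpen = $rules | Where-Object { $_.RemoteAddress -eq 'Any' }
if ($wideOpen) {
    Write-Warning ("TCP {0} is allowed from any address by: {1}" -f $port, ($wideOpen.Name -join '; '))
}
```

Run it for each port SQL Server uses (the instance port, UDP 1434 for the Browser service, 80/443 if you use HTTP endpoints) and keep the output with your change records; a rule that IIS or setup re-enables later will show up as a new line in the next run.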

Overview of Firewall Profiles

Firewall profiles are discussed in the Windows Firewall with Advanced Security Getting Started Guide, in the section Network location-aware host firewall. To summarize, the operating system identifies and remembers each network to which it connects with regard to connectivity, connections, and category.

There are three network location types in Windows Firewall with Advanced Security:

  • Domain. Windows can authenticate access to the domain controller for the domain to which the computer is joined.

  • Public. Other than domain networks, all networks are initially categorized as public. Networks that represent direct connections to the Internet or are in public locations, such as airports and coffee shops, should be left public.

  • Private. A network identified by a user or application as private. Only trusted networks should be identified as private networks. Users will typically want to identify home or small business networks as private.

The administrator can create a profile for each network location type, with each profile containing different firewall policies. On Windows Vista and Windows Server 2008 only one profile is applied at any time, chosen in the following order. (Windows 7, Windows Server 2008 R2 and later apply a profile per network connection, so a server with interfaces on different networks can have more than one profile active at once.)

  1. If all interfaces are authenticated to the domain controller for the domain of which the computer is a member, the domain profile is applied.

  2. If all interfaces are either authenticated to the domain controller or connected to networks that are classified as private network locations, the private profile is applied.

  3. Otherwise, the public profile is applied.

Use the Windows Firewall with Advanced Security MMC snap-in to view and configure all firewall profiles. The Windows Firewall item in Control Panel only configures the current profile.
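The following PowerShell, added here as an example and not part of the original article, shows which category Windows assigned to each connected network, what each firewall profile currently enforces, and applies the profile-selection order above to a list of categories; it then hardens the Public profile. It assumes Windows 8 / Server 2012 or later and an elevated session for the Set-* calls; the interface alias 'Ethernet' is an assumption.

```powershell
# Added example, not part of the original article: show which category Windows
# assigned to each connected network, what each firewall profile enforces, and
# apply the profile-selection order described above to a list of categories.
# Assumes Windows 8 / Server 2012 or later and an elevated session for the
# Set-* calls; the interface alias 'Ethernet' is an assumption.

# 1. Which category did Windows assign to each connected network?
Get-NetConnectionProfile |
    Select-Object InterfaceAlias, Name, NetworkCategory, IPv4Connectivity

# 2. What does each profile enforce right now?
Get-NetFirewallProfile |
    Select-Object Name, Enabled, DefaultInboundAction, DefaultOutboundAction, LogBlocked, LogFileName

# 3. The single-profile selection order from the text, as a function: Domain only
#    if every interface authenticated to a DC, Private if the rest are private,
#    otherwise Public. (Windows 7 / Server 2008 R2 and later evaluate this per
#    interface instead, so each NIC can sit in a different profile.)
function Get-EffectiveProfile {
    # Values as reported by Get-NetConnectionProfile: Public, Private, DomainAuthenticated
    param([Parameter(Mandatory)][AllowEmptyCollection()][string[]]$NetworkCategory)
    if ($NetworkCategory -contains 'Public')  { return 'Public' }
    if ($NetworkCategory -contains 'Private') { return 'Private' }
    if ($NetworkCategory -contains 'DomainAuthenticated') { return 'Domain' }
    return 'Public'   # no connected interfaces: assume the most restrictive profile
}
Get-EffectiveProfile -NetworkCategory ([string[]](Get-NetConnectionProfile).NetworkCategory)

# 4. Harden the Public profile so a rule scoped to Domain/Private cannot be reached
#    from a network Windows could not authenticate, and log what gets dropped.
Set-NetFirewallProfile -Profile Public -Enabled True -DefaultInboundAction Block -LogBlocked True

# 5. Reclassify a trusted, non-domain network as Private (only for networks you
#    control; the advice above is to leave airports and coffee shops Public).
# Set-NetConnectionProfile -InterfaceAlias 'Ethernet' -NetworkCategory Private
```

Step 3 is only a model of the ordering in the text; on a current server the authoritative answer is the NetworkCategory column from step 1, interface by interface, and a SQL Server rule restricted to the Domain profile is unreachable through any interface that step 1 reports as Public.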

Additional Firewall Settings Using the Windows Firewall Item in Control Panel

Exceptions that you add to the firewall can restrict the opening of the port to incoming connections from specific computers or from the local subnet. This restriction of the scope of the port opening reduces how much your computer is exposed to malicious users, and is recommended.

Note

Using the Windows Firewall item in Control Panel only configures the current firewall profile.

To change the scope of a firewall exception using the Windows Firewall item in Control Panel

  1. In the Windows Firewall item in Control Panel, select a program or port on the Exceptions tab, and then click Properties or Edit.

  2. In the Edit a Program or Edit a Port dialog box, click Change Scope.

  3. Choose one of the following options:

    • Any computer (including those on the Internet)

      Not recommended. This allows any computer that can address your computer to connect to the specified program or port. This setting might be necessary to present information to anonymous users on the Internet, but it increases your exposure to malicious users. Your exposure is further increased if you enable this setting and also allow Network Address Translation (NAT) traversal, such as the Allow edge traversal option.

    • My network (subnet) only

      This is a more secure setting than Any computer. Only computers on the local subnet of your network can connect to the program or port.

    • Custom list

      Only computers that have the IP addresses you list can connect. This can be a more secure setting than My network (subnet) only; however, client computers that use DHCP can occasionally change their IP address, and the intended computer will then be unable to connect. Another computer, which you did not intend to authorize, might receive the listed IP address and then be able to connect. The Custom list option is appropriate for listing other servers that are configured with a fixed IP address. Bear in mind that IP addresses can be spoofed by an intruder: a firewall rule restricted by source address is only as strong as your network infrastructure.

Using the Windows Firewall with Advanced Security Snap-in

Additional advanced firewall settings can be configured by using the Windows Firewall with Advanced Security MMC snap-in. The snap-in includes a rule wizard and exposes additional settings that are not available in the Windows Firewall item in Control Panel. These settings include the following:

  • Encryption settings

  • Service restrictions

  • Restricting connections for computers by name

  • Restricting connections to specific users or profiles

  • Edge traversal, allowing traffic to bypass Network Address Translation (NAT) routers

  • Configuring outbound rules

  • Configuring security rules

  • Requiring IPsec for incoming connections

To create a new firewall rule using the New Rule wizard

  1. On the Start menu, click Run, type WF.msc, and then click OK.

  2. In Windows Firewall with Advanced Security, in the left pane, right-click Inbound Rules, and then click New Rule.

  3. Complete the New Inbound Rule Wizard using the settings that you want.
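The two procedures above (scoping an exception from Control Panel, and creating a rule with the wizard) have a scriptable equivalent in the NetSecurity cmdlets. The following PowerShell, added here as an example and not part of the original article, creates rules for a SQL Server default instance in a group of their own, so that changes IIS or setup make to other groups never touch them, and combines a port, a program or service, a profile and a remote-address scope in one rule. It assumes Windows 8 / Server 2012 or later, an elevated session, TCP 1433 for the database engine, UDP 1434 for the SQL Server Browser service, and the binary path and client addresses shown; all of those are assumptions to adjust.

```powershell
# Added example, not part of the original article: the equivalent of the two
# procedures above (scoping an exception, and creating a rule with the wizard)
# done with the NetSecurity cmdlets, for a SQL Server default instance. Assumes
# Windows 8 / Server 2012 or later, an elevated session, TCP 1433 for the
# database engine, UDP 1434 for the SQL Server Browser service, and the binary
# path and client addresses shown, all of which are assumptions to adjust.

$sqlExe = 'C:\Program Files\Microsoft SQL Server\MSSQL15.MSSQLSERVER\MSSQL\Binn\sqlservr.exe'
$group  = 'SQL Server (site rules)'   # our own group: IIS or setup changes to other groups never touch these

# Re-runnable: drop any earlier copy of our rules first.
Get-NetFirewallRule -Group $group -ErrorAction SilentlyContinue | Remove-NetFirewallRule

# Database engine: TCP 1433, "My network (subnet) only" scope, Domain and Private
# profiles only, and additionally bound to sqlservr.exe so another program that
# later takes over port 1433 is not reachable through this rule.
New-NetFirewallRule -DisplayName 'SQL Server Database Engine (TCP 1433)' -Group $group `
    -Direction Inbound -Protocol TCP -LocalPort 1433 -Program $sqlExe `
    -RemoteAddress LocalSubnet -Profile Domain,Private -Action Allow | Out-Null

# Browser service: UDP 1434, "Custom list" scope. List only hosts with static
# addresses (application servers, not DHCP clients) and keep the Domain profile.
$appServers = '192.0.2.10', '192.0.2.11'   # documentation-range placeholders
New-NetFirewallRule -DisplayName 'SQL Server Browser (UDP 1434)' -Group $group `
    -Direction Inbound -Protocol UDP -LocalPort 1434 -Service SQLBrowser `
    -RemoteAddress $appServers -Profile Domain -Action Allow | Out-Null

# Verify what was actually stored: protocol/port, remote scope, profile, program.
Get-NetFirewallRule -Group $group | ForEach-Object {
    $pf = $_ | Get-NetFirewallPortFilter
    $af = $_ | Get-NetFirewallAddressFilter
    $ap = $_ | Get-NetFirewallApplicationFilter
    '{0}: {1}/{2} from [{3}] profile={4} program={5}' -f $_.DisplayName, $pf.Protocol, $pf.LocalPort,
        ($af.RemoteAddress -join ','), $_.Profile, $ap.Program
}
```

Keeping the rules in a dedicated group also gives you a single handle for auditing (Get-NetFirewallRule -Group) and for removal when the instance is decommissioned, which the per-rule Control Panel exceptions do not.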

Troubleshooting Firewall Settings

The following tools and techniques can be useful in troubleshooting firewall issues:

  • The effective port status is the union of all rules related to the port. When trying to block access through a port, it can be helpful to review all the rules that cite the port number. To do this, use the Windows Firewall with Advanced Security MMC snap-in and sort the inbound and outbound rules by port number.

  • Review the ports that are active on the computer on which SQL Server is running. This review includes verifying which TCP/IP ports are listening and also verifying the status of the ports.

    To verify which ports are listening, use the netstat command-line utility. In addition to displaying active TCP connections, the netstat utility also displays a variety of IP statistics and information.

    To list which TCP/IP ports are listening

    1. Open the Command Prompt window.

    2. At the command prompt, type netstat -n -a.

      The -n switch instructs netstat to display the addresses and port numbers of active TCP connections numerically. The -a switch instructs netstat to display all connections and the TCP and UDP ports on which the computer is listening. Adding -o shows the process ID that owns each port, which tells you whether the listener on the SQL Server port is actually sqlservr.exe.

  • The PortQry utility can be used to report the status of a TCP/IP port as listening, not listening, or filtered. (With a filtered status, the port might or might not be listening; this status indicates that the utility did not receive a response from the port.) The PortQry utility is available for download from the Microsoft Download Center.
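The following PowerShell, added here as an example and not part of the original article, is a scripted version of the netstat and PortQry checks above: it lists listening TCP ports with their owning process, checks that the listener on the SQL Server port really is sqlservr, and then probes the port from the network side so the local and remote views can be compared. It assumes Windows 8.1 / Server 2012 R2 or later (Get-NetTCPConnection, Test-NetConnection), TCP 1433 for the instance, and the host name shown; both are assumptions.

```powershell
# Added example, not part of the original article: a PowerShell version of the
# netstat and PortQry checks above. Lists listening TCP ports with the owning
# process, checks that the listener on the SQL Server port really is sqlservr,
# then probes the port from the network side. Assumes Windows 8.1 / Server 2012 R2
# or later (Get-NetTCPConnection, Test-NetConnection), TCP 1433 for the instance,
# and the host name shown; both are assumptions.

function Get-ListeningTcpPorts {
    Get-NetTCPConnection -State Listen | ForEach-Object {
        $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
        $name = if ($proc) { $proc.ProcessName } else { '(unknown)' }
        [pscustomobject]@{
            LocalAddress = $_.LocalAddress
            LocalPort    = $_.LocalPort
            ProcessId    = $_.OwningProcess
            Process      = $name
        }
    } | Sort-Object LocalPort, LocalAddress
}

$sqlPort = 1433
Get-ListeningTcpPorts | Format-Table -AutoSize

# Local side: is the port open at all, and is it SQL Server that owns it?
$listeners = @(Get-ListeningTcpPorts | Where-Object { $_.LocalPort -eq $sqlPort })
if ($listeners.Count -eq 0) {
    Write-Warning "Nothing is listening on TCP $sqlPort; fix the SQL Server network configuration before touching the firewall."
} elseif ($listeners | Where-Object { $_.Process -ne 'sqlservr' }) {
    Write-Warning "TCP $sqlPort is owned by $(($listeners.Process | Select-Object -Unique) -join ','), not sqlservr."
}

# Network side, run from a client: the counterpart of PortQry's LISTENING /
# NOT LISTENING / FILTERED. TcpTestSucceeded=False while the port listens locally
# points at a firewall (or a rule whose scope excludes this client), not at SQL Server.
$probe = Test-NetConnection -ComputerName 'sqlhost.example.com' -Port $sqlPort -WarningAction SilentlyContinue
[pscustomobject]@{
    Remote = $probe.RemoteAddress
    Port   = $probe.RemotePort
    Open   = $probe.TcpTestSucceeded
    Ping   = $probe.PingSucceeded
}
```

Read the two halves together: a listener present locally but Open=False from the client is the firewall case this article is about; no listener locally means the firewall is not yet the problem, and a listener owned by something other than sqlservr means the port has been taken by another process and SQL Server itself is probably not running on it.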

See Also

Service overview and network port requirements for the Windows Server system