
Setup Firewall Port Exceptions

FineBuild can set up Firewall Port Exceptions needed for SQL Server.

It is now standard practice to use the Windows Firewall facilities as one of the lines of defence around a server. FineBuild can open the ports needed in the Firewall to allow SQL Server to function correctly.

The following ports will be used by SQL Server. It is recommended that site-specific ports are used in place of the default values and that the SQL Server standard port 1433 remains blocked. The port values that are used will need to be configured into the firewall, so that client machines in different subnets can communicate with the SQL instance.

When using the port details below, replace MSSQLSERVER with the instance name actually installed and replace 1433 with the port number used for the instance. The Direction value is not relevant when installing on Windows 2003 or XP.

The ports used by SQL Server DB Engine are shown below:
| Name | Default Port | Type | Direction |
| --- | --- | --- | --- |
| SQL Server (MSSQLSERVER) | 1433 | TCP | In |
| SQL DAC | 1434 | TCP | In |
| SQL DB Mirroring | 5022 | TCP | In |
| SQL Browser | 1434 | UDP | In |
| SQL Service Broker | 4022 | TCP | In |

If Filestream is enabled, then the following ports are also opened:
| Name | Default Port | Type | Direction |
| --- | --- | --- | --- |
| SQL Filestream | 139 | TCP | In |
| SQL Filestream | 145 | TCP | In |

If PolyBase is enabled, then the following ports are also opened:
| Name | Default Port | Type | Direction |
| --- | --- | --- | --- |
| PolyBase | 16450-16460 | TCP | In |

The ports used by Analysis Services are shown below:
| Name | Default Port | Type | Direction |
| --- | --- | --- | --- |
| SQL Analysis Server | 2383 | TCP | In |
| SQL Browser | 2382 | TCP | In |

The ports used by Integration Services are shown below:
| Name | Default Port | Type | Direction |
| --- | --- | --- | --- |
| SQL RPC | 135 | TCP | In |

If SSIS Scaleout Master is installed, then the following ports are also opened:
| Name | Default Port | Type | Direction |
| --- | --- | --- | --- |
| SSIS Scaleout Master | 8391 | TCP | In |

The ports used by Reporting Services are shown below:
| Name | Default Port | Type | Direction |
| --- | --- | --- | --- |
| HTTP | 80 | TCP | In |

Security Compliance

Firewall Port Exceptions configuration helps to reduce the network surface area available for attack. If you set up Security Compliance, then Firewall Port Exceptions configuration will always be implemented.

FineBuild Firewall Port Exceptions Processing

Processing of Firewall Port Exceptions relates to Process Id 1DA in the FineBuild1Preparation script, and is controlled by the parameter below:
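| Parameter | Build | SQL2005 | SQL2008 | SQL2008 R2 | SQL2012 | SQL2014 | SQL2016 |
| --- | --- | --- | --- | --- | --- | --- | --- |
| SetupFirewall | FULL | Yes | Yes | Yes | Yes | Yes | Yes |
| SetupFirewall | WORKSTATION | Yes | Yes | Yes | Yes | Yes | Yes |
| SetupFirewall | CLIENT | Yes | Yes | Yes | Yes | Yes | Yes |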

FineBuild also uses the following parameters to help configure the Firewall Port Exceptions:
| Parameter | Default Value | Description |
| --- | --- | --- |
| TCPPort | 1433 | TCP Port for default SQL instance |
| TCPPortAS | 2383 | See Configure AS Instance General Properties |
| TCPPortDAC | 1434 | TCP Port for Dedicated Administrator Connection |
| TCPPortISMaster | 8391 | TCP Port for SSIS Scaleout Master |

SQL FineBuild will set up the Firewall Port exceptions as shown above, using the port numbers specified by the parameters. Only the ports for the components being installed will be opened.

Manual Setup Firewall Port Exceptions Processing

The following steps show what you would have to do to set up Firewall Port Exceptions manually. FineBuild does all of this work for you automatically.

1) Use the following syntax to open the ports in the Firewall.
Use the port details from the above table and replace MSSQLSERVER with the instance name being installed. Only the ports for the components being installed should be opened. For example, if Analysis Services is not being installed, do not open the ports for Analysis Services.
The ports for SQLBrowser only need to be opened if a named instance is being installed.
For Windows 2003 and XP:
NETSH FIREWALL ADD PORTOPENING NAME="name" PORT=port PROTOCOL=type ^
	MODE=ENABLE SCOPE=ALL PROFILE=DOMAIN

For Windows 2008 and above:
NETSH ADVFIREWALL FIREWALL ADD RULE NAME="name" LOCALPORT=port PROTOCOL=type ^
	ACTION=ALLOW PROFILE=DOMAIN DIR=direction
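
The Windows 2008 and above syntax applied to the Database Engine rules of a named instance, as an added example that is not FineBuild's own script. The instance name SQL01, the site-specific ports 14330 and 14331, and the :OpenPort helper are assumptions made for illustration.

```batch
@echo off
rem Added example, not part of FineBuild. Run from an elevated prompt
rem on Windows 2008 or above.
setlocal
rem Assumed (constructed) values: a named instance on site-specific ports.
set "INSTANCE=SQL01"
set "TCPPORT=14330"
set "TCPPORTDAC=14331"

call :OpenPort "SQL Server (%INSTANCE%)" %TCPPORT% TCP
call :OpenPort "SQL DAC" %TCPPORTDAC% TCP

rem SQL Browser is only needed when a named instance is installed.
if /i not "%INSTANCE%"=="MSSQLSERVER" call :OpenPort "SQL Browser" 1434 UDP

rem Show the engine rule so the port, profile and direction can be reviewed.
netsh advfirewall firewall show rule name="SQL Server (%INSTANCE%)"
endlocal
exit /b 0

:OpenPort
rem %~1 = rule name, %2 = port, %3 = protocol (TCP or UDP)
rem "add rule" does not replace a rule of the same name, so check first.
netsh advfirewall firewall show rule name="%~1" >nul 2>&1
if not errorlevel 1 goto :RuleExists
netsh advfirewall firewall add rule name="%~1" localport=%2 protocol=%3 ^
    action=allow profile=domain dir=in
exit /b %errorlevel%

:RuleExists
echo Rule "%~1" already exists, left unchanged.
exit /b 0
```

Because the rules use PROFILE=DOMAIN, they apply only while the server's network connection is classified as a domain network, and port 1433 stays closed because no rule is created for it.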

Copyright FineBuild Team © 2014 - 2017. License and Acknowledgements

Last edited Mar 18 at 12:54 PM by EdVassie, version 8