Windows Firewall Rules For SQL Management Studio

Question

The purpose of this post is to find out why I cannot log into a remote SQL Server instance from a Windows 10 system. My Windows 10 system connects just fine, and has fire wall rules that are too many and to un-restrictive.

Therefore, I would like to tighten my Windows 10/Windows Defender inbound and outbound firewall rules that I believe allow SQL Server Management Studio to talk to a SQL Server on a remote node. Both the client and server are on the same domain.

The SQL instance on the remote server uses dynamic port 49365.

I have as an inbound rule, unrestricted TCP for local and remote ports. To which ports should this rule be narrowed?

For my outbound rule, I have a UDP protocol for all local ports and remote port 1434.

I believe this crazy configuration allows SQL Management Studio to talk to a remote SQL server on dynamic port 49365.

Questions 1: What should my firewall rule settings really be?

(I'm going to ask Question 2 as a separate OP.)

Are you asking about the **server** computer or the **client** one? IE, the one running the DB engine or the one running SSMS? — Alejandro, Jun 16 '21 at 20:00
My problem is with the client. I can use the server's management studo just fine, when I'm remoted in. — octopusgrabbus, Jun 16 '21 at 20:39

score 1 · Accepted Answer · answered Aug 20 '21 at 23:19

First the easy part: the client doesn't needs any inbound connection, as it doesn't receive any connection (it makes them), so you can safely block everything inboud.

Now for the outgoing ones. The server itself only needs TCP access in the port it's listening to, so if you have a fixed port, you just open it (by default 1433 for a default instance) and you're good to go.

But since you're using dynamic ports, setup is a bit harder. Basically, "dynamic port" means that the server listen on a "random" port each time it starts, and the SQL Browser service tells clients on which port is listening each instance (this is the default setup for named instances).

So for this, first you need to allow outgoing connections to the SQL Browser, which listens on UDP 1434. Now you'll also need the normal server connection as before, which is still at TCP, but this time the port is unknown (since it's random). So, at most the most restrictive rule you can make is to allow all TCP ports, maybe also filtered by client program (ssms.exe for example) or by any other parameter that your firewall supports.

score 0 · Answer 2 · answered Jun 16 '21 at 19:48

0

i think you have to create an inbound rule in the SQL Server permiting port 1433/ 1433 . The dynamic port its not important for this configuration.

answered Jun 16 '21 at 19:48

Marcel0k1

9
2

I'm going to try this out, and let you know. – octopusgrabbus Jun 16 '21 at 20:40
I disabled the other rules I had, and did make a 1433/1433 rule. Thank you. – octopusgrabbus Jun 16 '21 at 20:50
This is incorrect. As **client** inbound rules are irrelevant (the client doesn't receive any connections). All connections are outgoing. – Alejandro Aug 20 '21 at 23:07

Windows Firewall Rules For SQL Management Studio

2 Answers2