I've created a network with the following rules:
I have two virtual machines, both running Windows Server 2012.
Computer 1 (192.168.0.2)
Computer 2 (192.168.0.3)
I can ping between the machines without any problems.
On Computer 1 I have SQL Server 2014 Express installed. These are the firewall rules added to the server:
I am unable to connect to the SQL Server instance from Computer 2. If I disable the firewall it works.
The rules added to the server work OK in Azure and on my Hyper-V virtual machines. Do I need to add any other rules for it to work in Google Compute?
I only want to be able to access this SQL instance through machines on the same network.
There seems to be an issue with the way the Windows firewall has been configured, based on the fact that you can connect when the firewall is disabled. Here are a couple of things to try out, to see if they resolve the issue for you.
Put 1-65535 in their allow internal firewall rule, not 0-65535
Add client internal IP to the firewall rule
For example:
netsh advfirewall firewall add rule name="SQL Access" dir=in action=allow program="%programfiles%\Microsoft SQL Server\MSSQL12.MSSQLSERVER\MSSQL\Binn\sqlservr.exe" remoteip=localsubnet,x.y.z.w
where x.y.z.w should be replaced by your client internal IP, and the program path should match your installation path to sqlservr.exe. It varies based on the version of SQL Server you have installed.
Let us know if you still face this issue and we can take another look.
Related
I have SQL Server Express installed on an Azure Windows Virtual Machine.
Steps I have taken:
Updated the default port for SQL Server in SQL Server Configuration Manager.
Verified SQL Server is listening on that port (netstat -ano)
Added a Windows firewall rule to accept inbound traffic on that port (Scope of the rule limits to my static IP address)
Added an inbound rule in Azure to allow access to that default port (Source IP address same as IP in Windows Firewall)
Verified Remote Connections are enabled in SSMS
Mixed authentication is enabled.
Verified the user created is able to access the desired databases by logging in locally with SQL Server Management Studio. This is a SQL Server user and not a computer account.
I am able to telnet and nc to the port.
The name of the SQL Server looks like this when I access it locally on the VM
localhost\SERVER_NAME or
hostname\SERVER_NAME
From a remote machine I am attempting to access this database using SSMS.
I have tried:
mydomain.com\SERVER_NAME -mydomain.com does resolve to the correct IP address
mydomain:1234\SERVER_NAME -1234 represents the default port that was set
I have verified the user name and password are correct. I have also tried turning off the Windows firewall which leads me to believe it might be the inbound rule in Azure but there's really nothing special to that rule, just allows traffic to the sql server port (1234, in this example).
What am I missing?
Can you please have a look at this article, if you have not yet, and ensure that you did all the steps required? To highlight a few important steps, please ensure:
Set the connectivity to publish
Use SQL Server Configuration Manager to manually enable the TCP/IP protocol
Use the SSMS to connect to your DB and use the following server address for your VM
Hope that it helps.
The correct connection string in SSMS is
mydomain,1234\SERVER_NAME
comma before port not colon.
I have a Google Cloud VM running Windows Server 2016 Datacenter with SQL Server 2017 installed.
I am using SSMS 2017 as my client, both locally and remotely.
I can RDP to the VM.
I can ping the IP of the VM.
I disabled the firewall on the VM.
I set the database to allow SQL Server authentication.
The SQLBrowser service is running in the server.
There are firewall settings on the Google Dashboard and I opened ports 1433, 1434 TCP and UDP on the project, nothing changed.
I can connect to the SQL Server instance with the same credentials using the same client running locally on the VM.
When I run PortQry it tells me ports 1434 and 1433 are FILTERED even though the firewall is disabled. That confuses me, maybe I don't understand the output of PortQry.
I get this error when I use the server\instance to connect remotely:
If I just use the server name I get this error:
Here is the firewall setting:
I had the same issue and I overcame it with the following GCP firewall rules.
There is no need to disable firewall in GCP VM instance, better keep it on. To access your instance using SQL server management studio within your GCP VM's external IP address, you also need to add it in GCP network firewall rules too.
Name, Type, Targets, Filters, Ports, Action, Priority, Network
rulename1, Ingress, Apply to all, IP ranges: gcp external IP here, all, Allow, 900, default (For GCP VMs External IP Address)
rulename2, Ingress, Apply to all, IP ranges: your remote IP here, tcp:1433, Allow, 900, default (For Remote Server or Development Server IP Address)
There is no need to allow Edge traversal at all.
Hope this will help someone.
I have the same problem as you.
You should use the same network tags as your VM in the firewall rule settings.
Your VM machine tags
Firewall rules
Before, I set the targets to "Apply to all" and it didn't work.
A little awkward!
I have a small application that uses a SQL-Server express 2005 database located on a remote machine. This has worked for years. I've not only been able to access it via the application, but also on the development machine. The other day I came in to the server (windows 7 machine) shut down from a power outage. Since then I have not been able to access the database and receive an error 26. I have checked the firewall and it does indeed have the exception for sqlbrowser and UDP 1434 set. I also checked Configuration Manager and SQL Server (SQLEXPRESS) and SQL Server Browser are both running. (Even did a restart on both)
Client Protocols are enabled for Shared Memory, TCP/IP and Named Pipes.
Here is where it gets strange (At least for me). Both the development machine and the machine that uses the application that works with the database were both set to Obtain IP Address. If I set these to a static address they are then able to access the database without issues. I would like to not have to set static IP's and get things running the way they have for the past couple of years. Does this shed any light on what I might need to check to see why I can no longer access this server without a static IP on the remote machines?
The server is 2007 pro along with the development machine. The remote machine that uses the application is Windows 10 pro.
I should also state that I can browse the network and access normal shares via windows network with and without the static ip from both machines.
EDIT: The exact message I get when I don't use a static ip is:
A network-related or instance-specific error occurred while establishing a connection to SQL Server. The server was not found or was not accessible. Verify that the instance name is correct and that SQL Server is configured to allow remote connections. (provider: SQL Network Interfaces, error: 26 - Error Locating Server/Instance Specified) (Microsoft SQL Server)
I get this error even when trying to connect using Microsoft SQL Server Management Studio Express.
After many installations I learned that opening the SQL Server port in the firewall always works when using the default instance, but with named instances and SQL Browser, opening the ports sometimes doesn't prevent the firewall from blocking connections, especially in small environments that don't have a proper server, like the one you describe (I think that it's related to the dynamic port feature that SQL Server uses by default with named instances, but I'm not sure).
When I have to use named instances instead of opening the ports I create rules for the programs themselves and it has worked fine until now. Create two rules using New rule > Programs > This program path, one for:
C:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
and other for:
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe (maybe this location is a bit different when using the SQLEXPRESS instance).
I usually create the rules only for private network locations, but maybe you should create the rules for all locations just to be sure (and if this works, try unchecking public locations from the rules).
For future installations note that you can configure Express editions to use the default instance MSSQLSERVER at install time (and only at install time), with that option you just open port 1433 and you are done.
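The dynamic-port lookup this answer suspects can be checked from the client side. The following is an added example, not code from the original posts: it builds the SQL Browser instance query sent to UDP 1434 and parses the reply to find the TCP port the named instance is actually listening on. The sample replies, host name, version and port number are constructed.

```python
import socket

def build_instance_query(instance):
    # CLNT_UCAST_INST: 0x04 followed by the NUL-terminated instance name
    return b"\x04" + instance.encode("ascii") + b"\x00"

def parse_browser_reply(data):
    # SVR_RESP: 0x05, 2-byte little-endian length, then "key;value;...;;" per instance
    if len(data) < 3 or data[0] != 0x05:
        raise ValueError("not a SQL Browser SVR_RESP datagram")
    size = int.from_bytes(data[1:3], "little")
    body = data[3:3 + size].decode("ascii", errors="replace")
    instances = {}
    for record in body.split(";;"):
        fields = record.split(";")
        info = dict(zip(fields[0::2], fields[1::2]))
        if "InstanceName" in info:
            instances[info["InstanceName"].upper()] = info
    return instances

def tcp_port_from_reply(data, instance):
    # None means the Browser does not know the instance or TCP/IP is disabled for it
    info = parse_browser_reply(data).get(instance.upper(), {})
    return int(info["tcp"]) if info.get("tcp", "").isdigit() else None

def resolve_tcp_port(host, instance, timeout=2.0):
    # No reply within the timeout usually means UDP 1434 is filtered on the path
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        try:
            sock.sendto(build_instance_query(instance), (host, 1434))
            data, _ = sock.recvfrom(65535)
        except OSError:
            return None
    return tcp_port_from_reply(data, instance)

def make_reply(body):
    # Helper that frames the constructed sample bodies below as SVR_RESP datagrams
    return b"\x05" + len(body).to_bytes(2, "little") + body.encode("ascii")

# Constructed sample replies (host name, version and port are made up)
BASE = "ServerName;DBHOST;InstanceName;SQLEXPRESS;IsClustered;No;Version;12.0.2000.8;"
SAMPLE_DYNAMIC = make_reply(BASE + "tcp;49172;;")
SAMPLE_NO_TCP = make_reply(BASE + ";")

if __name__ == "__main__":
    print(tcp_port_from_reply(SAMPLE_DYNAMIC, "sqlexpress"))
    print(tcp_port_from_reply(SAMPLE_NO_TCP, "sqlexpress"))
```

If the port returned is not 1433, a firewall rule that only opens TCP 1433 and UDP 1434 lets the lookup succeed and then blocks the connection itself, which a rule scoped to sqlservr.exe avoids.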
I recently installed SQL Server Express 2014 on a series of machines running Windows Server 2012. Seven machines in total.
All but 1 of them live in the same local domain company.local.
A single rogue machine lives in a different public domain public.company.org.
The installation process on this machine on a separate domain was carried out by someone who was not paying much attention to the process and pretty much selected all defaults (a.k.a. a click-click-click installation.) As such, certain features such as SQL Server authentication and remote connectivity were not enabled by default.
We want to connect remotely, via SQL Server Authentication, using SSMS, from development machines in the same local domain company.local. This we were able to easily turn on.
As for allowing remote connections, we found ourselves in more difficulties.
We ensured that firewall rules are defined to allow inbound connections on ports 1433 for TCP and 1434 for UDP. We verified that that is the case.
We have set this rule to apply to all profiles: Domain, Public, Private.
We ensured that all protocols for SQLEXPRESS are allowed in the SQL Server Configuration Manager, specifically TCP/IP.
We have enabled SQL Server Browser.
We have restarted all services multiple times after our configuration changes.
We have even restarted the machine.
We have also kicked the box.
We are still not able to connect to the SQLEXPRESS instance using either:
machine-name.public.company.com\SQLEXPRESS
machine-name.public.company.com\SQLEXPRESS,1434
<ip-address>\SQLEXPRESS
<ip-address>\SQLEXPRESS,1434
Using SSMS or SQLCMD
Using SQL Server Authentication, with regular logins or sa.
Using windows authentication, with credentials on the remote machine.
Pinging the server shows it is responsive. And we have verified that the ports are indeed open.
As far as we are aware, we've revised, compared and matched all configuration/environment settings from the 6 local machines to the one on the different domain.
When disabling the firewall altogether at all levels, we are able to connect.
Of course we don't want to leave the door open, so we added an inbound rule to the firewall to allow all sorts of connections to the SQL Server (SQLEXPRESS) service.
QUESTION
So the QUESTION is if what we did is the correct approach?
How come adding this firewall exception for the SQL Server process itself is not required in the other local machines???
I've checked your post twice, but I can't find anything about whether you've allowed remote connections to that SQL Express instance. You've allowed all protocols, sure, but that's not enough.
By default, all remote connections to Express instances are disabled (that includes DAC, too). To check this setting, restart the machine (or SQL instance) and look into SQL Server logs. Specifically, you will be interested in entries started with "SQL Server is listening on ..." - there, you'll find all protocols, ports and addresses the instance is listening on.
If the only IP you see there is 127.0.0.1, then the instance rejects all remote connections, regardless of firewall or anything else.
I don't have 2014 Express to check it, but in 2012 this setting is configured via Configuration Manager, in the "SQL Server Network Configuration" section.
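The log check described in this answer can be scripted. The following is an added example, not part of the original answer: it pulls the "listening on" entries out of SQL Server error log text and reports which TCP ports are bound to a non-loopback address. The log lines are constructed samples and the line layout matched by the regular expression is an assumption about the error log format.

```python
import ipaddress
import re

# Matches entries such as: Server is listening on [ 'any' <ipv4> 1433].
LISTEN_RE = re.compile(
    r"Server is listening on \[\s*(\S+)\s+<(ipv4|ipv6)>\s+(\d+)\s*\]")

def listeners(log_text):
    # Returns (address, family, port) for every TCP listener in the log
    return [(m.group(1).strip("'"), m.group(2), int(m.group(3)))
            for m in LISTEN_RE.finditer(log_text)]

def is_loopback(addr):
    if addr == "any":
        return False
    # Drop an IPv6 zone id (fe80::1%12) before parsing
    return ipaddress.ip_address(addr.split("%")[0]).is_loopback

def remote_ports(log_text):
    # Ports reachable from other machines; an empty list means local-only
    return sorted({port for addr, _, port in listeners(log_text)
                   if not is_loopback(addr)})

# Constructed sample: TCP/IP enabled, named instance on a dynamic port
LOG_REMOTE = r"""
2015-03-02 09:14:07.11 spid12s     Server is listening on [ 'any' <ipv6> 49172].
2015-03-02 09:14:07.11 spid12s     Server is listening on [ 'any' <ipv4> 49172].
2015-03-02 09:14:07.12 spid12s     Server local connection provider is ready to accept connection on [ \\.\pipe\SQLLocal\SQLEXPRESS ].
"""

# Constructed sample: only a loopback listener, as in the case the answer describes
LOG_LOCAL_ONLY = r"""
2015-03-02 09:14:07.12 spid12s     Server local connection provider is ready to accept connection on [ \\.\pipe\SQLLocal\SQLEXPRESS ].
2015-03-02 09:14:07.13 spid12s     Server is listening on [ 127.0.0.1 <ipv4> 1434].
"""

if __name__ == "__main__":
    for name, text in (("remote", LOG_REMOTE), ("local-only", LOG_LOCAL_ONLY)):
        print(name, listeners(text), "remote ports:", remote_ports(text))
```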
I have read a number of articles on how to configure mirroring on SQL Server 2012. I went through the steps and everything worked until hitting the final step, which didn't work.
When I run this on the Principal:
ALTER DATABASE MyDBName SET PARTNER = 'TCP://1.2.3.4:5022';
I get this error:
The server network address "TCP://1.2.3.4:5022" can not be reached or does not exist.
When I run the counterpart ALTER statement shown above, but on the Mirror, it works fine.
I have tried all the steps in this troubleshooting article.
Important points:
The Primary and Mirror servers are in different datacenters, not on the same network at all. Not connected by VPN. Completely untrusted by each other.
I can connect to the Mirror via SSMS on the Primary and run queries. And vice versa.
I configured certificates on each server to establish the trust relationship. Everything worked during the setup and config, no errors.
I configured the endpoints on both servers and verified they're active/enabled.
I opened port 5022 on both servers by configuring incoming and outgoing windows firewall rules. I can telnet to the Mirror from the Principal and vice versa - ports appear open, no problems.
In the troubleshooting guide mentioned above, I tried steps 1-6. I didn't try 7, deleting the endpoints and re-creating, because they look perfectly valid and active to me.
Looking for some ideas on this one.
If you can telnet that port from the principal machine everything is fine with TCP/IP and firewall settings.
I can remember that I had a similar issue in the past. Unfortunately I don't remember the exact solution, but it was related to security/authentication of the endpoints and the SQL Server service account not having enough permission on the mirror machine. Unfortunately the error message is pretty misleading in this case. Script the endpoints and verify their settings; SSMS has no UI for that.
Another thing that you could check is that you have the possibility to also connect to port 5022 from the mirror to the principal machine. You will get the same error message if the connection is not possible from both instances.
Sorry that I can't provide you a proper solution, but maybe that points you in the right direction.
Unfortunately there are quite non-informative error messages in MS SQL. The problem might be an authorization issue and the server still will be saying "network address can not be reached".
Considering "servers are in different datacenters", how is the authentication performed? An MSSQL service (on server1) itself must be run as a valid db user (on server2, and vice versa) in order to make the mirroring work.
There can be multiple reasons for this to happen.
In your SQL Server Management Studio, if you see a White bubble next to the server instance name, instead of the Green bubble, then you can try the following:
"Allow an app through firewall" and add "Windows Management Instrumentation (WMI)" for Windows Server 2012. If it is Windows Server 2008, you can allow "Remote Administration" through firewall.
Is it meant to be a semicolon?
ALTER DATABASE MyDBName SET PARTNER = 'TCP://1.2.3.4;5022'
The semicolon is used when connecting to IP / Port when using Management Studio.