Accessing SQL Server Instance through NAT - sql-server

I'm attempting to access a SQL Server which is exposed through an IP NAT mapping. All the ports are open. I don't know the details of the NAT, if it's relevant, since that's somewhere else in the company hidden in a pile of red tape.
Here's what I figured out. When you attempt to access a named instance of SQL Server, the client asks what port the named instance is running on. If I RDP into the SQL Server I can use netstat to find out the port of that instance and can successfully connect through the firewall. However, connecting via the instance name doesn't work. My guess is that the server is responding at some point with its internal IP address and the client is using that.
Does anyone know if this is true and if there's a way around it?

The instance listening port discovery protocol is handled by the SQL Server Browser Service. This uses UDP on 1434. With a NAT forwarding of UDP 1434 your client should be able to interact with the SQL Server Browser Service (if the SQL Server Browser's UDP response packet can reach back to the client, a big if), but even a successful interaction will put your client in a tight spot: now that it knows the SQL Server dynamic listen port, how does it reach it? The NAT would have to dynamically forward the port picked by SQL Server, or it would have to forward all ports.
What I recommend is to have your SQL Server listen on a pre-configured, statically assigned port. See How to configure an instance of SQL Server to listen on a specific TCP port or dynamic port. Have your NAT forward that port. Then in your client use this port explicitly in the connection string. Do not use 1433, the standard port, since I assume that ahead of the NAT is the public internet and 1433 is subject to constant and frequent scans from all sorts of bots and vile clusters.
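The Browser Service exchange described above (and again in the SQLEXPRESS answer further down) in working code. This is an added example, not code from the original answers: it builds the SSRP request the client sends to UDP 1434, parses the reply on a constructed sample, and shows that the reply names only a TCP port, which is why the NAT still has to forward that port. The host name "Test" and address 203.0.113.10 are assumptions.

```python
import socket
import struct

# SSRP (MS documents it as MC-SQLR) message types used by the SQL Server Browser service.
CLNT_UCAST_INST = 0x04   # client asks about a single named instance
SVR_RESP = 0x05          # reply: 0x05, 2-byte little-endian length, ASCII key;value;... text
SSRP_PORT = 1434

def build_instance_request(instance_name: str) -> bytes:
    """CLNT_UCAST_INST: the one-byte type followed by the NUL-terminated instance name."""
    return bytes([CLNT_UCAST_INST]) + instance_name.encode("ascii") + b"\x00"

def parse_server_response(datagram: bytes) -> dict:
    """Turn an SVR_RESP datagram into a dict of the key/value pairs it carries."""
    if len(datagram) < 3 or datagram[0] != SVR_RESP:
        raise ValueError("not an SSRP SVR_RESP datagram")
    (size,) = struct.unpack_from("<H", datagram, 1)
    text = datagram[3:3 + size].decode("ascii").rstrip(";")
    fields = text.split(";")
    if len(fields) % 2:
        raise ValueError("odd number of fields in SSRP response")
    return dict(zip(fields[0::2], fields[1::2]))

def connection_target(public_host: str, info: dict) -> str:
    """The reply carries a port but no address: the client reuses whatever address it
    reached the Browser on, so a NAT in front of the server must forward this port too."""
    if "tcp" not in info:
        raise ValueError("instance has no TCP listener")
    return f"{public_host},{int(info['tcp'])}"

def query_browser(host: str, instance_name: str, timeout: float = 2.0) -> dict:
    """Ask the Browser service on a reachable host about one instance (needs network access)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_instance_request(instance_name), (host, SSRP_PORT))
        datagram, _source = sock.recvfrom(65535)
    return parse_server_response(datagram)

# Constructed sample reply in the Browser service's format (not captured from a real server).
SAMPLE_TEXT = b"ServerName;Test;InstanceName;SQLEXPRESS;IsClustered;No;Version;12.0.2000.8;tcp;49170;;"
SAMPLE_RESPONSE = bytes([SVR_RESP]) + struct.pack("<H", len(SAMPLE_TEXT)) + SAMPLE_TEXT

if __name__ == "__main__":
    info = parse_server_response(SAMPLE_RESPONSE)
    print(info)
    print("Server=" + connection_target("203.0.113.10", info))
```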

Configure the named instance to run on a static port using SQL Server Configuration Manager. In configuration manager, SQL Server Network Configuration -> Protocols for <named instance> -> TCP/IP -> Properties.
Then supply the hostname and port for the named instance in the connection string. The hostname and port number are specified in the following format (assuming hostname is Test and listen port is 1492):
... Server='Test,1492'; ...

Related

Connection to 1433 port not working from outside, while port is redirected from router

I am trying to open access to my SQL Server from outside my network, but while my ports are open in my Windows Firewall and routed from my router, telnet can't connect.
To explain a bit more I have opened both TCP 1433 and UDP 1434 ports in my Windows Firewall to allow remote access to my SQL Server.
Ports seem to be properly opened in my Windows Firewall as both a telnet [local_server_ip] 1433 and SSMS can connect from a different computer within my local network.
When trying to connect from outside my network (using my external IP) Telnet can't connect (Connect failed).
In my router, ports are redirected (TCP 1433 and UDP 1434) and I also tried setting my SQL Server IP as DMZ but it did not go through. My other port redirection works properly so I don't think it comes from the router (for instance I have Emby as a media server, and I can access it from outside my network or use telnet to connect to the port opened for this service).
Am I missing a configuration in SQL Server Configuration Manager? For instance I had to manually set the TCP port in SQL Server Network Configuration > TCP/IP properties > IP Addresses > IPAll and set TCP Port as 1433.
Or can it come from either my Windows Firewall (even though the inbound rule has similar characteristics as the inbound rule for my Emby server) or my router?
So locally it all seems to work, but from outside it does not? This does indicate your router NAT setting being an issue.
Just to point out, exposing an SQL Server to public internet is relatively insecure. Ideally you add a VPN to your local network and use that to reach the SQL server instead. Just to point out, I can imagine it could work, but you might want to rethink the setup.

Unable to telnet to SQL mirroring port on public IP on Azure ARM VM

I am trying to mirror an on-premises SQL database to Azure ARM VMs running SQL Server, one for the mirror and one for the witness. I have set up the mirroring endpoints on the servers. However, I am getting an error to the effect that the mirror server cannot be reached.
Reading through the net pages, I tested the port using telnet. I am able to telnet to the mirroring port on my local server from the Azure VM but unable to telnet from the local server to the VMs.
I am able to telnet on the mirroring port between the VMs using the Private IP Address but unable to do so using the Public IP address.
I have added the port to the Security group being used by these VMs to allow inbound connections as well as outbound connections.
I have tested that the server is listening on ip 0.0.0.0 and my mirroring port.
Any help would be very much appreciated.
For whatever it's worth, I was setting the inbound connection's source port range as the port I was going to use for mirroring. I changed this to "*" and it started working.

Connect successfully to SQL Server despite using different port

We have a client that connects to SQL Server using Windows authentication. They connect using the server name and port number (not 1433).
All our software installations thus far connect to SQL Server using SQL Server authentication, connecting with server name, user name and password.
I am trying to set up a test on my computer to see whether I can connect with our software using the setup used by this client, in other words Windows authentication, with server name and port number. The port number is what is new to me here.
The problem I am having is that I can connect successfully regardless of the port number of the SQL Server installation, and what I pass in as a port number from our software. So I am obviously doing something wrong, or misunderstanding how this works. Any help would be appreciated.
My first step was to open SQL Server Configuration Manager > Network configuration > Protocols for my instance > TCP/IP > Properties. I then opened the IP addresses tab, and changed the TCP port to 41000 (I sucked this number out my thumb) on all the IP1 - IPAll sections. The TCP dynamic port setting is blank for all these. I applied, saved and restarted the server.
In the DbExpress TSQLConnection connection parameters, I pass in:
TSQL1connection.Params.Add('OSAuthentication=True');
TSQL1connection.Params.Add('HostName='+SQL_server_name);
TSQL1connection.Params.Add('Port=123');
It doesn't seem to matter what I put in the port number, or whether I leave the port setting out altogether; I always manage to successfully connect.
I want to have it successfully connect only to the port number specified.
I am using SQL Server 2014 and Delphi XE8.
I don't know TSQLConnection, but I do know a bit about TCP/IP, and I suspect that the issue here is just a misunderstanding about ports. There are always two ports involved in a connection, in this case the server port and the client port. They are not the same. The 41000 is the server port in this case, and I assume that 123 is the client port. That is perfectly fine to establish a connection, and that is why it doesn't matter what port number you put in.
In terms of solving your problem, you need to reject the connection at the SQL Server end. The server will know the client port after the connection, but whether you can access that data and force a rejection, I am afraid I do not know.

Connecting to a 2014 SQLEXPRESS database on an externally hosted computer through TCP/IP

I am working on a system whereby I can update a small database from several locations. I wish to host the database on my home computer and allow connections to be made to the database from two other locations through TCP/IP.
I have done the following thus far:
Enabled TCP/IP for SQLEXPRESS
Allowed port 1433 tcp on my firewall
Allowed port 1434 udp on my firewall
Enabled SQLEXPRESS server to allow remote connections
I was hoping to be able to connect to the database by opening SQL Server Management Studio on the other PCs and using the following format [ExternalIP]\SQLEXPRESS, but as of yet I have been unable to do so. I have looked at what my external IP might be and I am getting two different values:
86.XX.X.XXX
66.XXX.XX.XX
Should I be using either of these values with this format to connect from the other sql management studios when everything has been correctly configured? Are there any steps that I am missing?
Named instances of SQL Server don't listen by default on port 1433, but instead on a random port determined at each service startup. It's the function of the SQL Browser service to provide clients with the actual ports of each running instance (and that's done using the fixed 1434 UDP port).
The necessary steps would be to configure the server to use a fixed port, then set up the firewall and router to allow that port. When connecting, just use the external IP address with the port but not the instance name (as that would invoke the Browser service, which is unneeded with fixed ports).
To summarize, the necessary steps would be these:
Enable remote connections on the server.
Setup users and permissions as needed (Windows authentication is a pain over internet, so SQL authentication is strongly recommended)
Enable TCP/IP for the instance.
Configure the server to use a fixed port for connections (1433 being the standard). Look here for instructions.
Restart the database server.
Give permissions on the firewall to allow the server executable incoming connections on your selected port. At this point other computers in the LAN should connect.
On your router forward the port you opened to your local machine private IP (note that in Windows you must configure your computer to use a fixed local IP instead of DHCP).
Test with a client over internet or just using your external IP.
Note that for the connection from the remote client, as server name you must use 86.XX.X.113,1433 (the port number is separated with a comma, optional if it's 1433). Notice that there is NO instance name, even if you installed it as SQLEXPRESS or whatever. This is due to having a fixed listening port (like the default instance by default). That eliminates the need for the Browser service and UDP 1434, and the pain of dynamic port forwarding.
You should also check that your ISP most likely will give you a dynamic external IP, so clients might be reconfigured when that changes. Or you can use some dynamic DNS service.
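For the final test step above, telnet only proves that something accepts TCP on the forwarded port. The added example below (not code from the original answer) sends a minimal TDS PRELOGIN packet, the first message any SQL Server client sends, and parses the VERSION option of the reply, so you can confirm that the public address,port pair you hand to clients really terminates at your SQL Server. The sample reply is constructed; host and port in the usage line are assumptions.

```python
import socket
import struct

TDS_PRELOGIN = 0x12                      # packet type
TDS_EOM = 0x01                           # status flag: end of message
TOKEN_VERSION, TOKEN_ENCRYPTION, TOKEN_TERMINATOR = 0x00, 0x01, 0xFF
ENCRYPT_OFF = 0x00

def tds_header(payload: bytes) -> bytes:
    """8-byte TDS header: type, status, total length, SPID, packet id, window (big-endian)."""
    return struct.pack(">BBHHBB", TDS_PRELOGIN, TDS_EOM, 8 + len(payload), 0, 1, 0)

def build_prelogin() -> bytes:
    """PRELOGIN with VERSION and ENCRYPTION options; offsets count from the payload start."""
    version = bytes(6)                   # client version is informational only
    encryption = bytes([ENCRYPT_OFF])
    list_len = 2 * 5 + 1                 # two (token, offset, length) entries plus terminator
    options = struct.pack(">BHH", TOKEN_VERSION, list_len, len(version))
    options += struct.pack(">BHH", TOKEN_ENCRYPTION, list_len + len(version), len(encryption))
    options += bytes([TOKEN_TERMINATOR])
    payload = options + version + encryption
    return tds_header(payload) + payload

def parse_prelogin_version(packet: bytes) -> str:
    """Return 'major.minor.build' from the VERSION option of a PRELOGIN reply."""
    ptype, _status, length = struct.unpack_from(">BBH", packet, 0)
    if ptype != TDS_PRELOGIN or length > len(packet):
        raise ValueError("not a complete TDS PRELOGIN packet")
    payload = packet[8:length]
    pos = 0
    while payload[pos] != TOKEN_TERMINATOR:
        token, offset, size = struct.unpack_from(">BHH", payload, pos)
        if token == TOKEN_VERSION and size >= 4:
            major, minor, build = struct.unpack_from(">BBH", payload, offset)
            return f"{major}.{minor}.{build}"
        pos += 5
    raise ValueError("PRELOGIN reply carries no VERSION option")

def probe(host: str, port: int, timeout: float = 3.0) -> str:
    """Connect to host,port, send PRELOGIN and return the version the server announces."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_prelogin())
        return parse_prelogin_version(sock.recv(4096))

# Constructed sample reply (not captured from a real server): a VERSION option for 12.0.2000.8.
_vdata = struct.pack(">BBHH", 12, 0, 2000, 8)
_payload = struct.pack(">BHH", TOKEN_VERSION, 6, len(_vdata)) + bytes([TOKEN_TERMINATOR]) + _vdata
SAMPLE_REPLY = tds_header(_payload) + _payload

if __name__ == "__main__":
    print(parse_prelogin_version(SAMPLE_REPLY))            # 12.0.2000
    # print(probe("203.0.113.10", 1433))                   # against your own forwarded port
```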
Configuring MSSQL Express 2014 for remote connections from a PC, PHP, etc.
View this video tutorial on easily configuring the server for MSSQL Express:
https://www.youtube.com/watch?v=5UkHYNwUtCo
Test code for a remote PHP client (requires the sqlsrv extension):
// Server IP (or host name) and the fixed TCP port of the SQL Server Express instance, no instance name.
$serverName = '192.168.1.64,49170';
// SQL Server authentication: database name, login and password.
$connectionInfo = array("Database" => "mydbName", "UID" => "myUserId", "PWD" => "myPass");
$conn = sqlsrv_connect($serverName, $connectionInfo);
if ($conn) {
    echo "Connection established";
} else {
    echo "Connection could not be established.";
    die(print_r(sqlsrv_errors(), true));
}

How do I remotely connect over TCP to a SQL Server 2008 instance (firewall is off, TCP is enabled)?

I am attempting to connect to a SQL Server 2008 R2 instance from another machine using the TCP protocol over port 1433.
On the server side:
SQL Server is running.
SQL Server has had its "Allow remote connections to this server" checkbox checked.
SQL Server has the TCP protocol enabled.
At least one of the IP addresses in the list of IP addresses that SQL Server claims to be listening on is the correct one. None of the items in this list are Enabled, but that is not anything that I have touched. All are Active. All have their port set to 1433 (I never touched it). I have also set all of them to Enabled at various points; this made no difference. I have not been able to track down any documentation on why both an active status and an enabled status need to be maintained.
TCP dynamic ports is set to blank (I never touched it) for all IP addresses. As I understand it, this is what you want to do for connections that should specify the TCP port explicitly in their connection information (which is what I want).
TCP port is set to 1433 for all IP addresses, including IPAll.
The firewall is off.
SQL Server authentication is set to SQL Server Authentication (followed by Windows Authentication).
I am able to ping the box remotely.
The symptoms of not being able to connect are basically my client (a JDBC client) hangs. The URL is analogous to this: jdbc:sqlserver://my.host.here:1433;databaseName=frob and I specify a valid user and password (and in any event do not get a login/security error).
The URL is valid and well-formed.
I can telnet to port 1433 on the box without a connection refusal error so the port is open.
Thanks for any help you can provide.
And the answer is: it's a regression in the JDK, version 1.6.0 update 29 (you know, the version that is current on the Mac). See this: http://bugs.sun.com/bugdatabase/view_bug.do?bug_id=7105007