Connections to SQL Server Over the Internet

Administering SQL Server

Administering SQL Server

Connections to SQL Server Over the Internet

You can connect to an instance of Microsoft® SQL Server™ over the Internet using SQL Query Analyzer or a client application based on ODBC or DB-Library.

To share data over the Internet, the client and server must be connected to the Internet. In addition, you must use the TCP/IP or Multiprotocol Net-Libraries. If you use the Multiprotocol Net-Library, ensure that TCP/IP support is enabled. If the server is registered with Domain Name System (DNS), you can connect using its registered name.

Although this connection is less secure than a Microsoft Proxy Server connection, using a firewall or an encrypted connection will help keep sensitive data secure.

Using a Firewall System with SQL Server

Many companies use a firewall system to isolate their networks from unplanned access from the Internet. A firewall can be used to restrict Internet applications access to your network by forwarding only requests targeted at specific TCP/IP addresses in the local network. Requests for all other network addresses are blocked by the firewall. You can allow Internet applications to access an instance of SQL Server in the local network by configuring the firewall to forward network requests that specify the network address of the instance of SQL Server.

To work effectively with a firewall, you must ensure that the instance of SQL Server always listens on the network address that the firewall is configured to forward. The TCP/IP network addresses for SQL Server are comprised of two parts: an IP address associated with one or more network cards in a computer, and a TCP port address specific to an instance of SQL Server. Default instances of SQL Server use TCP port 1433 by default. Named instances, however, dynamically assign an unused TCP port number the first time the instance is started. The named instance can also dynamically change it's TCP port address on a subsequent startup if the original TCP port number is being used by another application. SQL Server only dynamically changes to an unused TCP port if the port it is currently listening on was dynamically selected. That is, if the port was statically selected (manually), SQL Server will display an error and continue to listen on other ports. It is unlikely another application would attempt to use 1433 since that port is registered as a well-known address for SQL Server.

When using a named instance of SQL Server with a firewall, use the Server Network Utility to configure the named instance to listen on a specific TCP port. You must pick a TCP port that is not used by another application running on the same computer or cluster. For a list of well-known ports registered for use by various applications, see http://www.ise.edu/in-notes/iana/assignments/port-numbers.

Have the network administrator configure the firewall to forward the IP address and TCP port the instance of SQL Server is listening on (using either 1433 for a default instance, or the TCP port you configured a named instance to listen on). Also configure the firewall to forward requests for UDP port 1434 on the same IP address. SQL Server 2000 uses UDP port 1434 to establish communications links from applications.

For example, consider a computer running one default instance and two named instances of SQL Server. The computer is configured such that the network addresses that the three instances listen on all have the same IP address. The default instance would listen on TCP port 1433, one named instance could be assigned TCP port 1434, and the other named instance TCP port 1954. You would then configure the firewall to forward network requests for UDP port 1434 and TCP ports 1433, 1434, and 1954 on that IP address.

Establishing an Encrypted Connection

If you want users to be able to establish an encrypted connection to an instance of SQL Server, you can do so by enabling encryption for the Multiprotocol Net-Library.

To enable encryption after SQL Server has been installed