| title | description | author | ms.author | ms.date | ms.service | ms.subservice | ms.topic | helpviewer_keywords | |||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Server Network Configuration |
Become familiar with SQL Server network configuration tasks. View information on enabling protocols, configuring encryption, registering SPNs, and other actions. |
rwestMSFT |
randolphwest |
07/27/2016 |
sql |
configuration |
conceptual |
|
[!INCLUDE SQL Server] Server network configuration tasks include enabling protocols, modifying the port or pipe used by a protocol, configuring encryption, configuring the [!INCLUDEssNoVersion] Browser service, exposing or hiding the [!INCLUDEssDEnoversion] on the network, and registering the Server Principal Name. Most of the time, you do not have to change the server network configuration. Only reconfigure the server network protocols if special network requirements.
Network configuration for [!INCLUDEssNoVersion] is done using [!INCLUDEssNoVersion] Configuration Manager. For earlier versions of [!INCLUDEssNoVersion], use the Server Network Utility that ships with those products.
Use [!INCLUDEssNoVersion] Configuration Manager to enable or disable the protocols used by [!INCLUDEssNoVersion], and to configure the options available for the protocols. More than one protocol can be enabled. You must enable all protocols that you want clients to use. All protocols have equal access to the server. For information about which protocols you should use, see Enable or Disable a Server Network Protocol and Default SQL Server Network Protocol Configuration.
You can configure the TCP/IP protocol to listen on a designated port. By default, the default instance of the [!INCLUDEssDE] listens on TCP port 1433. Named instances of the [!INCLUDEssDE] and [!INCLUDEssEW] are configured for dynamic ports. This means they select an available port when the [!INCLUDEssNoVersion] service is started. The [!INCLUDEssNoVersion] Browser service helps clients identify the port when they connect.
When configured for dynamic ports, the port used by [!INCLUDEssNoVersion] may change each time it is started. When connecting to [!INCLUDEssNoVersion] through a firewall, you must open the port used by [!INCLUDEssNoVersion]. Configure [!INCLUDEssNoVersion] to use a specific port, so you can configure the firewall to allow communication to the server. For more information, see Configure a Server to Listen on a Specific TCP Port (SQL Server Configuration Manager).
You can configure the named pipe protocol to listen on a designated named pipe. By default, the default instance of [!INCLUDEssDEnoversion] listens on pipe \\.\pipe\sql\query for the default instance and \\.\pipe\MSSQL$<instancename>\sql\query for a named instance. The [!INCLUDEssDE] can only listen on one named pipe, but you can change the pipe to another name if you wish. The [!INCLUDEssNoVersion] Browser service helps clients identify the pipe when they connect. For more information, see Configure a Server to Listen on an Alternate Pipe (SQL Server Configuration Manager).
The [!INCLUDEssDE] can be configured to require encryption when communicating with client applications. For more information, see Enable Encrypted Connections to the Database Engine (SQL Server Configuration Manager).
Support for Extended Protection for Authentication by using channel binding and service binding is available for operating systems that support Extended Protection. For more information, see Connect to the Database Engine Using Extended Protection.
[!INCLUDEssNoVersion] supports Kerberos authentication. For more information, see Register a Service Principal Name for Kerberos Connections and Microsoft Kerberos Configuration Manager for SQL Server.
The Kerberos authentication service uses an SPN to authenticate a service. For more information, see Register a Service Principal Name for Kerberos Connections.
SPNs may also be used to make client authentication more secure when connecting with NTLM. For more information, see Connect to the Database Engine Using Extended Protection.
The [!INCLUDEssNoVersion] Browser service runs on the server, and helps client computers to find instances of [!INCLUDEssNoVersion]. The [!INCLUDEssNoVersion] Browser service does not need to be configured, but must be running under some connection scenarios. For more information about [!INCLUDEssNoVersion] Browser, see SQL Server Browser Service (Database Engine and SSAS)
When running, [!INCLUDEssNoVersion] Browser responds to queries, with the name, version, and connection information for each installed instance. For [!INCLUDEssNoVersion], the HideInstance flag, indicates that [!INCLUDEssNoVersion] Browser should not respond with information about this server instance. Client applications can still connect, but they must know the required connection information. For more information, see Hide an Instance of SQL Server Database Engine.