DetailPage-MSS-KB

Microsoft small business knowledge base

Article ID: 839980 - Last Review: January 11, 2006 - Revision: 3.5

INTRODUCTION

Microsoft Windows XP Service Pack 2 (SP2) includes Windows Firewall. Windows Firewall is an enhanced version of Internet Connection Firewall (ICF). By default, Windows Firewall is enabled on computers that are running Windows XP Service Pack 2. Windows Firewall will block some network connections that use TCP/IP, that use Named Pipes, or that use Multiprotocol Remote Procedure Call (RPC). This blocking can affect Microsoft Data Engine (MSDE), Microsoft SQL Server 2000, and Microsoft SQL Server 2005.

If you have an application that requires SQL Server or MSDE to have access to the network by using Named Pipes, by using TCP/IP, or by using RPC, you can use the scripts that are provided in the "More Information" section to open the required ports programmatically instead of using Windows Firewall.

Two scripts are included in this article. The first script programmatically configures Windows Firewall to allow SQL Server to listen on the network on all protocols. The second script programmatically configures Windows Firewall to allow SQL Server to listen on TCP/IP only.

Note We recommend that you open ports on an as-needed basis only.


The scripts that are discussed in this article provide Multiprotocol (RPC) over Named Pipes access only. If you are running RPC over TCP, see the following Microsoft Knowledge Base article for information about using TCP/IP:
841252  (http://support.microsoft.com/kb/841252/ ) How to manually enable TCP/IP on Windows XP Service Pack 2 for SQL Server 2000

MORE INFORMATION

A script that you can use to open all ports

The script that is discussed in this section programmatically configures Windows Firewall to allow SQL Server to listen on the network on all protocols.

Important notes about this script
  • This script should only be run on computers that are running Windows XP Service Pack 2.
  • This script has additional options for enabling Named Pipes and for enabling Multiprotocol (RPC).
  • This script enables Multiprotocol (RPC) only over Named Pipes and only opens port 445.
  • This script does not provide functionality to specify scope.

To create the script, follow these steps:
  1. Start Notepad.
  2. Copy and paste the following code into Notepad:
    echo off
    
    if "%1"=="-np" goto HandleNp
    if "%1"=="-rpc" goto HandleRpc
    if "%1"=="-tcp" goto HandleTcp
    if "%1"=="-browser" goto HandleBrowser
    
    rem Usage
    :Usage
    
    echo "Usage: setupSqlServerPortAll -[np | rpc | tcp | browser] -port [portnum] -[enable | disable]
    echo "-np : Setup SQLServer to listen on Named Pipe connections for local subnet only"
    echo "-rpc : Setup SQLServer to listen on RPC multiprotocol for local subnet only"
    echo "-tcp : Setup SQLServer to listen on TCP connections for local subnet only"
    echo "       Must specify a port if -tcp option is chosen."
    echo "-browser :  Setup SQLServer to provide SSRP service to support named instances"
    echo "-port : Applies only for tcp"
    echo " One of the following options MUST be specified"
    echo "-enable: Enables a port"
    echo "-disable: Disables a port"
    
    goto Exit
    
    :HandleTcp
    echo %2
    if "%2"=="-port" goto cont
    goto Usage
    :cont
    if "%3"=="" goto Usage
    if "%4"=="-enable" goto EnableTcp
    if "%4"=="-disable" goto DisableTcp
    goto Usage
    
    :EnableTcp
    echo "Enabling SQLServer tcp access for port %3 local subnet only"
    netsh firewall set portopening tcp %3 SQL%3 ENABLE subnet
    goto Exit
    
    :DisableTcp
    echo Disabling SQLServer tcp access for port %3 local subnet only"
    netsh firewall set portopening tcp %3 SQL%3 disable subnet 
    goto Exit
    
    :HandleNp
    if "%2"=="-enable" goto EnableNp
    if "%2"=="-disable" goto DisableNp
    goto Usage
    
    :EnableNp
    echo "Enabling SQLServer named pipe access for local subnet only"
    netsh firewall set portopening tcp 445 SQLNP ENABLE subnet
    goto Exit
    
    :DisableNp
    echo Disabling SQLServer named pipe access for local subnet only"
    netsh firewall set portopening tcp 445 SQLNP DISABLE subnet
    goto Exit
    
    :HandleRpc
    if "%2"=="-enable" goto EnableRpc
    if "%2"=="-disable" goto DisableRpc
    goto Usage
    
    :EnableRpc
    echo "Enabling SQLServer multiprotocol access for local subnet only"
    netsh firewall set portopening tcp 445 SQLNP enable subnet
    goto Exit
    
    :DisableRpc
    echo Disabling SQLServer multiprotocol access for local subnet only"
    netsh firewall set portopening tcp 445 SQLNP disable subnet
    goto Exit
    
    :HandleBrowser
    if "%2"=="-enable" goto EnableBrowser
    if "%2"=="-disable" goto DisableBrowser
    goto Usage
    
    :EnableBrowser
    echo "Enabling SQLServer SSRP service for local subnet only"
    netsh firewall set portopening udp 1434 SQLBrowser enable subnet
    goto Exit
    
    :DisableBrowser
    echo "Enabling SQLServer SSRP service for local subnet only"
    netsh firewall set portopening udp 1434 SQLBrowser disable subnet
    goto Exit
    
    :Exit
    endlocal
    
    
  3. Save the file as a .txt file, and name the file ConfigSQLPorts.txt.
  4. Rename the ConfigSQLPorts.txt file to ConfigSQLPorts.bat.

When you run the script in the ConfigSQLPorts.bat file, you must use the computer that the script is saved on. To run the script, follow these steps:
  1. Click Start, click Run, type cmd, and then click OK.
  2. In the command window, use the "cd" command to change folders until you are in the same folder that the ConfigSQLPorts.bat file is saved in. For example, if the ConfigSQLPorts.bat file is saved in C:\Myfiles, you would type CD myfiles at the command prompt, and then press ENTER. This will change your folder to C:\Myfiles.
  3. To run the ConfigSQLPorts.bat script, type ConfigSQLPorts.bat at the command prompt, and then press ENTER.




A script that you can use to open only TCP/IP ports

The script that is discussed in this section configures Windows Firewall to allow SQL Server to listen on TCP/IP only.

To create the script, follow these steps:
  1. Start Notepad.
  2. Copy and paste the following code into Notepad:

    echo off
    setlocal
    
    if "%1"=="-port" goto HandleTcp
    
    rem Usage
    :Usage
    
    echo "Usage: setupSqlServerPort -port [portnum] -[enable | disable] [ALL | SUBNET]"
    echo -port : Specifies the port to be enabled or disabled. Port is not optional.
    echo -enable: Enables a port
    echo -enable ALL:  enables access for ALL
    echo -enable SUBNET:  enables access for SUBNET
    echo -disable: Disables a port
    echo  one of -enable or -disable must be specified
    echo  the default scope is SUBNET only
    
    goto Exit
    
    :HandleTcp
    if "%2"=="" goto Usage
    if "%3"=="-enable" goto EnableTcp
    if "%3"=="-disable" goto DisableTcp
    goto Usage
    
    
    :EnableTcp
    set SCOPE="%4"
    if "%4"=="ALL" echo "Enabling SQLServer tcp access for port %2 ALL access" 
    if "%4"=="SUBNET" echo "Enabling SQLServer tcp access for port %2 subnet only access"
    if "%4"=="" set SCOPE="SUBNET"
    
    netsh firewall set portopening tcp %2 SQL_PORT_%2 ENABLE %SCOPE%
    goto Exit
    
    :DisableTcp
    echo Disabling SQLServer tcp access for port %2"
    netsh firewall set portopening tcp %2 SQL_PORT_%2 disable 
    goto Exit
    
    :Exit
    endlocal
    
    
  3. Save the file as a .txt file, and name the file SetupSqlServerPort.txt.
  4. Rename the SetupSqlServerPort.txt file to SetupSqlServerPort.bat.


When you run the SetupSqlServerPort.bat script, you must use the computer that the script is saved on. To run the script, follow these steps:
  1. Click Start, click Run, type cmd, and then click OK.
  2. In the command window, use the "cd" command to change folders until you are in the same folder that the SetupSqlServerPort.bat file is saved in. For example, if the SetupSqlServerPort.bat file is saved in C:\Myfiles, you would type CD myfiles at the command prompt, and then press ENTER. This will change your folder to C:\Myfiles.
  3. To run the SetupSqlServerPort.bat script, at the command prompt type setupSqlServerPort.bat, and then press ENTER.


REFERENCES

For additional information about configuring SQL Server 2000 and Windows XP Service Pack 2, click the following article number to view the article in the Microsoft Knowledge Base:
841249  (http://support.microsoft.com/kb/841249/ ) How to configure Windows XP Service Pack 2 (S) for use with SQL Server

APPLIES TO
  • Microsoft SQL Server 2000 Desktop Engine (Windows)
  • Microsoft SQL Server 7.0 Standard Edition
  • Microsoft SQL Server, Desktop Edition
  • Windows XP Embedded
  • Microsoft SQL Server 2005 Standard Edition
  • Microsoft SQL Server 2005 Developer Edition
  • Microsoft SQL Server 2005 Enterprise Edition
  • Microsoft SQL Server 2005 Express Edition
  • Microsoft SQL Server 2005 Workgroup Edition
  • Microsoft SQL Server 2000 Standard Edition
Keywords: 
kbfirewall kbinfo KB839980
Share
Additional support options
Ask The Microsoft Small Business Support Community
Contact Microsoft Small Business Support
Find Microsoft Small Business Support Certified Partner
Find a Microsoft Store For In-Person Small Business Support