When SQL Server is installed on a machine behind a firewall, remote clients cannot connect until the correct ports are opened. This article provides a complete reference of every port SQL Server uses, how to configure static ports for named instances, and how to create the necessary Windows Firewall rules.
Core SQL Server Ports
The following table lists the ports used by the SQL Server Database Engine and its related services.
| Service | Protocol | Port | Notes |
|---|---|---|---|
| SQL Server (default instance) | TCP | 1433 | The standard port for the default instance |
| SQL Server Browser | UDP | 1434 | Used for named instance discovery |
| SQL Server (named instance) | TCP | Dynamic | Assigned at startup; can be set to a static port |
| Dedicated Admin Connection (DAC) | TCP | 1434 | For the default instance; named instances use a dynamic port |
| SQL Server Integration Services | TCP | 135 | Uses DCOM/RPC |
Additional Service Ports
If you use other SQL Server components, you may need to open these as well:
| Service | Protocol | Port |
|---|---|---|
| Analysis Services (default instance) | TCP | 2383 |
| Analysis Services (Browser/discovery) | TCP | 2382 |
| Reporting Services (HTTP) | TCP | 80 |
| Reporting Services (HTTPS) | TCP | 443 |
| Service Broker | TCP | 4022 (default, configurable) |
| Database Mirroring | TCP | 5022 (default, configurable) |
| Transact-SQL Debugger | TCP | 135 |
Understanding Default vs. Named Instances
Default Instance
A default instance always listens on TCP 1433 (unless you changed it). Clients connect by specifying just the server name:
Server=myserver;Database=mydb;Trusted_Connection=True;
Named Instances and Dynamic Ports
A named instance does not use port 1433 by default. Instead, each time the SQL Server service starts, the operating system assigns a random available TCP port. The SQL Server Browser service (UDP 1434) acts as a directory. When a client connects to a named instance, the following happens:
- The client sends a UDP packet to port 1434 on the server asking: “What port is instance INSTANCENAME listening on?”
- The SQL Server Browser replies with the TCP port number.
- The client opens a TCP connection to that port.
This means you need to open both UDP 1434 and the dynamic TCP port. Since the dynamic port can change on every restart, this is impractical in firewalled environments. The solution is to assign a static port.
How to Configure a Static Port for a Named Instance
- Open SQL Server Configuration Manager.
- Expand SQL Server Network Configuration.
- Click Protocols for [InstanceName].
- Double-click TCP/IP to open its properties.
- Go to the IP Addresses tab.
- Scroll to the bottom and find the IPAll section.
- Clear the TCP Dynamic Ports field (set it to blank — do not set it to 0).
- Set TCP Port to your desired static port (for example, 1435).
- Click OK.
- Restart the SQL Server service for the change to take effect.
After this, your connection string becomes:
Server=myserver\INSTANCENAME,1435;Database=mydb;Trusted_Connection=True;
Note the comma before the port number — this is the correct syntax for specifying a port in a SQL Server connection string.
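One way to confirm the result of the steps above on the server itself, as an added example that is not from the original article. It reads each instance's IPAll settings from the registry and reports whether the instance is on a static port, then checks the SQL Server Browser service; the registry layout and the `SQLBrowser` service name are assumed to be the standard ones.

```powershell
# Added example: run in an elevated PowerShell session on the SQL Server host.
# Assumption: standard registry layout under HKLM:\SOFTWARE\Microsoft\Microsoft SQL Server.
$root      = 'HKLM:\SOFTWARE\Microsoft\Microsoft SQL Server'
$instances = Get-ItemProperty -Path "$root\Instance Names\SQL"
$psProps   = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'

$report = foreach ($p in $instances.PSObject.Properties | Where-Object { $_.Name -notin $psProps }) {
    # $p.Name is the instance name, $p.Value its instance ID (for example MSSQL16.MSSQLSERVER).
    $ipAll   = Get-ItemProperty -Path "$root\$($p.Value)\MSSQLServer\SuperSocketNetLib\Tcp\IPAll"
    $static  = "$($ipAll.TcpPort)".Trim()
    $dynamic = "$($ipAll.TcpDynamicPorts)".Trim()

    [pscustomobject]@{
        Instance        = $p.Name
        InstanceId      = $p.Value
        TcpPort         = $static
        TcpDynamicPorts = $dynamic
        # Static only when TCP Port is set AND TCP Dynamic Ports is blank, as in the steps above.
        Mode            = if ($static -and -not $dynamic) { 'Static' } else { 'NotStatic' }
    }
}
$report | Format-Table -AutoSize

# If every instance is static, clients can put the port in the connection string
# and the Browser service (UDP 1434) is no longer needed for discovery.
$browser   = Get-Service -Name SQLBrowser -ErrorAction SilentlyContinue
$notStatic = @($report | Where-Object { $_.Mode -ne 'Static' })
if ($browser -and $browser.Status -eq 'Running') {
    if ($notStatic.Count -eq 0) {
        Write-Output 'All instances use static ports: SQL Server Browser can be stopped and disabled.'
    } else {
        Write-Output "Browser still required by: $($notStatic.Instance -join ', ')"
    }
}
```

A `TcpDynamicPorts` value of `0` counts as `NotStatic` here, which matches the warning above about not setting the field to 0.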
Windows Firewall Configuration
Using the GUI (Windows Defender Firewall with Advanced Security)
Create a Port Rule for TCP 1433
- Open Windows Defender Firewall with Advanced Security (wf.msc).
- Click Inbound Rules in the left pane.
- Click New Rule in the right pane.
- Select Port, click Next.
- Select TCP, enter 1433 in “Specific local ports”, click Next.
- Select Allow the connection, click Next.
- Choose the profiles (Domain, Private, Public) that apply to your environment.
- Name the rule (e.g., “SQL Server - TCP 1433”), click Finish.
Create a Port Rule for UDP 1434 (SQL Server Browser)
Repeat the steps above, but select UDP and enter 1434.
Using PowerShell
For scripted or headless deployments, use PowerShell:
# Allow SQL Server default instance (TCP 1433)
New-NetFirewallRule -DisplayName "SQL Server - TCP 1433" `
-Direction Inbound -Protocol TCP -LocalPort 1433 `
-Action Allow -Profile Domain,Private
# Allow SQL Server Browser (UDP 1434)
New-NetFirewallRule -DisplayName "SQL Server Browser - UDP 1434" `
-Direction Inbound -Protocol UDP -LocalPort 1434 `
-Action Allow -Profile Domain,Private
# Allow named instance on static port (example: 1435)
New-NetFirewallRule -DisplayName "SQL Server Named Instance - TCP 1435" `
-Direction Inbound -Protocol TCP -LocalPort 1435 `
-Action Allow -Profile Domain,Private
Using netsh (Legacy / Windows Server Core)
netsh advfirewall firewall add rule name="SQL Server - TCP 1433" ^
dir=in action=allow protocol=TCP localport=1433 profile=domain,private
netsh advfirewall firewall add rule name="SQL Server Browser - UDP 1434" ^
dir=in action=allow protocol=UDP localport=1434 profile=domain,private
Program-Based Rules (Alternative Approach)
Instead of opening specific ports, you can create a rule that allows the SQL Server executable itself. This is useful when using dynamic ports:
# Find the path to sqlservr.exe for the default instance
# Typical path:
# C:\Program Files\Microsoft SQL Server\MSSQL16.MSSQLSERVER\MSSQL\Binn\sqlservr.exe
New-NetFirewallRule -DisplayName "SQL Server Engine" `
-Direction Inbound -Program "C:\Program Files\Microsoft SQL Server\MSSQL16.MSSQLSERVER\MSSQL\Binn\sqlservr.exe" `
-Action Allow -Profile Domain,Private
Adjust the path to match your SQL Server version and instance name. The MSSQL16 portion corresponds to SQL Server 2022. Earlier versions use MSSQL15 (2019), MSSQL14 (2017), MSSQL13 (2016), MSSQL12 (2014), MSSQL11 (2012), MSSQL10_50 (2008 R2), and MSSQL10 (2008).
Verifying Connectivity
After opening the ports, verify that remote clients can connect.
Test with telnet
telnet myserver 1433
If the screen goes blank (black), the connection succeeded. If you get a “Could not open connection” error, the port is still blocked.
Test with PowerShell
Test-NetConnection -ComputerName myserver -Port 1433
Look for TcpTestSucceeded : True in the output.
Test with sqlcmd
sqlcmd -S myserver -U sa -P YourPassword -Q "SELECT @@VERSION"
SQL Server and IPsec / Corporate Firewalls
If there is a hardware firewall or IPsec policy between the client and the SQL Server, the same ports apply. Provide your network team with this summary:
| Rule | Protocol | Port | Direction |
|---|---|---|---|
| SQL Server Database Engine | TCP | 1433 (or your static port) | Inbound to SQL Server |
| SQL Server Browser | UDP | 1434 | Inbound to SQL Server |
| Analysis Services | TCP | 2383 | Inbound to SQL Server |
| Reporting Services | TCP | 80 / 443 | Inbound to SQL Server |
For named instances with dynamic ports, either configure a static port (recommended) or open a range of ports, which is less secure.
Security Best Practices
- Use static ports for named instances. Dynamic ports are unpredictable and force you to open wide port ranges or use program-based rules.
- Restrict firewall rules by source IP. Do not open SQL Server ports to “Any” source. Limit them to application server subnets or specific client IPs.
- Disable SQL Server Browser if not needed. If all your instances use static ports and connection strings include the port number, the Browser service is unnecessary.
- Use encrypted connections. Configure SQL Server to require SSL/TLS encryption to protect data in transit, especially over untrusted networks.
- Do not expose SQL Server directly to the internet. Use a VPN, Azure Private Link, or similar mechanism for remote access. SQL Server should never listen on a public IP address without strong justification and additional security layers.
- Change the default port for the default instance if the server must be partially exposed. While this is security through obscurity, it does reduce noise from automated scanners targeting port 1433.
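To check the "restrict by source IP" recommendation on an existing server, the following added example (not part of the original article) lists enabled inbound allow rules that cover a SQL Server port while accepting traffic from any remote address. The port list uses the values from this article, with 1435 standing in for your static port.

```powershell
# Added example: run in an elevated PowerShell session on the SQL Server host.
$sqlPorts = @{ TCP = 1433, 1435; UDP = 1434 }   # 1435 = example static port from this article

function Test-CoversPort {
    # True if a LocalPort spec (Any, a single port, or a range like 1433-1440) includes $Port.
    param([string[]]$Spec, [int]$Port)
    foreach ($s in $Spec) {
        if ($s -eq 'Any') { return $true }
        if ($s -match '^(\d+)-(\d+)$') {
            if ($Port -ge [int]$Matches[1] -and $Port -le [int]$Matches[2]) { return $true }
        }
        elseif ($s -match '^\d+$' -and [int]$s -eq $Port) { return $true }
    }
    return $false
}

$findings = foreach ($rule in Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True) {
    $addr = $rule | Get-NetFirewallAddressFilter
    if ($addr.RemoteAddress -notcontains 'Any') { continue }      # already source-restricted

    # Skip program-based rules that belong to some other executable.
    $app = $rule | Get-NetFirewallApplicationFilter
    if ($app.Program -ne 'Any' -and $app.Program -notmatch '\\(sqlservr|sqlbrowser)\.exe$') { continue }

    $pf = $rule | Get-NetFirewallPortFilter
    foreach ($proto in $sqlPorts.Keys) {
        if ($pf.Protocol -notin $proto, 'Any') { continue }
        $hit = $sqlPorts[$proto] | Where-Object { Test-CoversPort -Spec $pf.LocalPort -Port $_ }
        if ($hit) {
            [pscustomobject]@{
                Rule      = $rule.DisplayName
                Profile   = $rule.Profile
                Protocol  = $proto
                SqlPorts  = $hit -join ','
                LocalPort = $pf.LocalPort -join ','
                Program   = $app.Program
            }
        }
    }
}
$findings | Sort-Object Rule | Format-Table -AutoSize
```

Each rule it reports can be narrowed with `Set-NetFirewallRule -DisplayName '<rule name>' -RemoteAddress <subnet or IP list>`, and the `New-NetFirewallRule` commands earlier in this article accept the same `-RemoteAddress` parameter at creation time.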