Firewall rules to allow remote connection to SQL Server in a different domain

Submitted by 喜欢而已 on 2019-12-24 17:25:45

Question


  1. I recently installed SQL Server Express 2014 on a series of machines running Windows Server 2012. Seven machines in total.

  2. All but 1 of them live in the same local domain company.local.

  3. A single rogue machine lives in a different public domain public.company.org.

    1. The installation process on this machine on a separate domain was carried out by someone who was not paying much attention to the process and pretty much selected all defaults (a.k.a. a click-click-click installation.) As such, certain features such as SQL Server authentication and remote connectivity were not enabled by default.
  4. We want to connect remotely, via SQL Server Authentication, using SSMS, from development machines in the same local domain company.local. This we were able to easily turn on.

  5. As for allowing remote connections, we found ourselves in more difficulties.

    1. We ensured that firewall rules are defined to allow inbound connections on ports 1433 for TCP and 1434 for UDP. We verified that that is the case.

    2. We have set this rule to apply to all profiles: Domain, Public, Private.

    3. We ensured that all protocols for SQLEXPRESS are allowed in the SQL Server Configuration Manager, specifically TCP/IP.

    4. We have enabled SQL Server Browser.

    5. We have restarted all services multiple times after our configuration changes. We have even restarted the machine.

      • We have also kicked the box.
    6. We are still not able to connect to the SQLEXPRESS instance using either:

      • machine-name.public.company.com\SQLEXPRESS
      • machine-name.public.company.com\SQLEXPRESS,1434
      • <ip-address>\SQLEXPRESS
      • <ip-address>\SQLEXPRESS,1434
      • Using SSMS or SQLCMD
      • Using SQL Server Authentication, with regular logins or sa.
      • Using windows authentication, with credentials on the remote machine.
    7. Pinging the server shows it is responsive. And we have verified that the ports are indeed open.

    8. As far as we are aware, we've revised, compared and matched all configuration/environment settings from the 6 local machines to the one on the different domain.

    9. When disabling the firewall altogether at all levels, we are able to connect.

    10. Of course we don't want to leave the door open, so we added an inbound rule to the firewall to allow all sorts of connections to the SQL Server (SQLEXPRESS) service.

QUESTION

So the QUESTION is if what we did is the correct approach?

How come adding this firewall exception for the SQL Server process itself is not required in the other local machines???


Answer 1:


I've checked your post twice, but I can't find anything about whether you've allowed remote connections to that SQL Express instance. You've allowed all protocols, sure, but that's not enough.

By default, all remote connections to Express instances are disabled (that includes DAC, too). To check this setting, restart the machine (or SQL instance) and look into SQL Server logs. Specifically, you will be interested in entries starting with "SQL Server is listening on ..." - there, you'll find all protocols, ports and addresses the instance is listening on. If the only IP you see there is 127.0.0.1, then the instance rejects all remote connections, regardless of firewall or anything else.

I don't have 2014 Express to check it, but in 2012 this setting is configured via Configuration Manager, in the "SQL Server Network Configuration" section.
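The log check described in the answer, as an added example that is not part of the original post: it parses the "is listening on" entries of a SQL Server error log, reports whether the instance is bound to loopback only, and lists listening TCP ports that the question's TCP 1433 rule does not cover. The sample log lines and port numbers are constructed, and the line format is an assumption based on typical ERRORLOG output.

```python
import ipaddress
import re

# Constructed sample in the style of a SQL Server ERRORLOG (not from the post).
SAMPLE_LOG = """\
2014-08-08 10:15:31.90 spid11s     Server is listening on [ 'any' <ipv6> 49172].
2014-08-08 10:15:31.90 spid11s     Server is listening on [ 'any' <ipv4> 49172].
2014-08-08 10:15:31.92 Server      Server is listening on [ ::1 <ipv6> 49173].
2014-08-08 10:15:31.92 Server      Server is listening on [ 127.0.0.1 <ipv4> 49173].
2014-08-08 10:15:31.93 Server      Dedicated admin connection support was established for listening locally on port 49173.
"""

# Assumed line format: "... is listening on [ <address> <ipv4|ipv6> <port>]."
LISTEN_RE = re.compile(r"is listening on \[\s*(\S+)\s+<(ipv4|ipv6)>\s+(\d+)\s*\]")


def parse_listeners(log_text):
    """Return (address, family, port) for every TCP listener entry in the log."""
    return [(m.group(1).strip("'"), m.group(2), int(m.group(3)))
            for m in LISTEN_RE.finditer(log_text)]


def is_loopback(address):
    """'any' means all interfaces; anything else is a literal IP address."""
    return address != "any" and ipaddress.ip_address(address).is_loopback


def assess(log_text, firewall_tcp_ports):
    """Compare what the instance listens on with the ports the firewall allows."""
    listeners = parse_listeners(log_text)
    remote_ports = sorted({port for addr, _, port in listeners if not is_loopback(addr)})
    return {
        "loopback_only": bool(listeners) and not remote_ports,
        "remote_ports": remote_ports,
        "not_covered_by_firewall": [p for p in remote_ports if p not in firewall_tcp_ports],
    }


if __name__ == "__main__":
    # The question's inbound rule allows TCP 1433 (UDP 1434 is for SQL Server Browser).
    print(assess(SAMPLE_LOG, firewall_tcp_ports={1433}))
```

A non-empty `not_covered_by_firewall` list means the port-based rule does not match the port the instance actually listens on, so the rule can be scoped to that port instead of to every connection to the service.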



Source: https://stackoverflow.com/questions/25208032/firewall-rules-to-allow-remote-connection-to-sql-server-in-a-different-domain
