| title | Server Network Configuration | |||||||
|---|---|---|---|---|---|---|---|---|
| description | Become familiar with SQL Server network configuration tasks. View information on enabling protocols, configuring encryption, registering SPNs, and other actions. | |||||||
| author | rwestMSFT | |||||||
| ms.author | randolphwest | |||||||
| ms.date | 08/26/2025 | |||||||
| ms.service | sql | |||||||
| ms.subservice | configuration | |||||||
| ms.topic | conceptual | |||||||
| helpviewer_keywords |
|
[!INCLUDE SQL Server]
Server network configuration tasks include enabling protocols, modifying the port or pipe used by a protocol, configuring encryption, configuring the [!INCLUDE ssNoVersion] Browser service, exposing or hiding the [!INCLUDE ssDEnoversion] on the network, and registering the Server Principal Name. Most of the time, you don't have to change the server network configuration. Only reconfigure the server network protocols if special network requirements.
Network configuration for [!INCLUDE ssNoVersion] is done using [!INCLUDE ssNoVersion] Configuration Manager. For earlier versions of [!INCLUDE ssNoVersion], use the Server Network Utility that ships with those products.
Use [!INCLUDE ssNoVersion] Configuration Manager to enable or disable the protocols used by [!INCLUDE ssNoVersion], and to configure the options available for the protocols. More than one protocol can be enabled. You must enable all protocols that you want clients to use. All protocols have equal access to the server. For information about which protocols you should use, see Enable or disable a server network protocol and Default SQL Server network protocol configuration.
You can configure the TCP/IP protocol to listen on a designated port. By default, the default instance of the [!INCLUDE ssDE] listens on TCP port 1433. Named instances of the [!INCLUDE ssDE] and [!INCLUDE ssEW] are configured for dynamic ports. This means they select an available port when the [!INCLUDE ssNoVersion] service is started. The [!INCLUDE ssNoVersion] Browser service helps clients identify the port when they connect.
When configured for dynamic ports, the port used by [!INCLUDE ssNoVersion] might change each time it's started. When connecting to [!INCLUDE ssNoVersion] through a firewall, you must open the port used by [!INCLUDE ssNoVersion]. Configure [!INCLUDE ssNoVersion] to use a specific port, so you can configure the firewall to allow communication to the server. For more information, see Configure SQL Server to listen on a specific TCP port.
You can configure the named pipe protocol to listen on a designated named pipe. By default, the default instance of [!INCLUDE ssDEnoversion] listens on pipe \\.\pipe\sql\query for the default instance and \\.\pipe\MSSQL$<instancename>\sql\query for a named instance. The [!INCLUDE ssDE] can only listen on one named pipe, but you can change the pipe to another name if you wish. The [!INCLUDE ssNoVersion] Browser service helps clients identify the pipe when they connect. For more information, see Configure a server to listen on an alternate pipe.
The [!INCLUDE ssDE] can be configured to require encryption when communicating with client applications. For more information, see Encrypt connections to SQL Server by importing a certificate.
Support for Extended Protection for Authentication by using channel binding and service binding is available for operating systems that support Extended Protection. For more information, see Connect to the database engine with Extended Protection.
[!INCLUDE ssNoVersion] supports Kerberos authentication. For more information, see Register a Service Principal Name for Kerberos connections and Microsoft Kerberos Configuration Manager for SQL Server.
The Kerberos authentication service uses an SPN to authenticate a service. For more information, see Register a Service Principal Name for Kerberos connections.
SPNs might also be used to make client authentication more secure when connecting with NTLM. For more information, see Connect to the database engine with Extended Protection.
The [!INCLUDE ssNoVersion] Browser service runs on the server, and helps client computers to find instances of [!INCLUDE ssNoVersion]. The [!INCLUDE ssNoVersion] Browser service doesn't need to be configured, but must be running under some connection scenarios. For more information about [!INCLUDE ssNoVersion] Browser, see SQL Server Browser service (Database Engine and SSAS).
When running, [!INCLUDE ssNoVersion] Browser responds to queries, with the name, version, and connection information for each installed instance. For [!INCLUDE ssNoVersion], the HideInstance flag, indicates that [!INCLUDE ssNoVersion] Browser shouldn't respond with information about this server instance. Client applications can still connect, but they must know the required connection information. For more information, see Hide an instance of SQL Server Database Engine.