When deploying SQL Server in enterprise environments, one of the most common networking challenges is knowing exactly which ports need to be open for each service to function correctly. Misconfigured firewall rules are a leading cause of connectivity failures — and over-opening ports creates unnecessary security exposure.
Below is a complete reference table of the ports you need to open to allow communication with specific SQL Server services and components. The guiding principle: keep all ports closed by default, and only open a port when a specific service actually requires it.
Security best practice: It is highly recommended to have all ports closed by default and to open each port only when it is actually required by a specific service. This follows the principle of least privilege and reduces your attack surface.
SQL Server Port Reference Table
| Service / Feature / Component | Port |
|---|---|
| Default SQL Server Instance | TCP 1433 |
| SQL Browser Service | UDP 1434 |
| T-SQL Debugger | TCP 135 |
| Analysis Services (SSAS) | TCP 2382 |
| Integration Services Runtime (SSIS) | TCP 135 |
| WMI (Windows Management Instrumentation) | TCP 135 |
| MSDTC (Microsoft Distributed Transaction Coordinator) | TCP 135 |
Key Notes on Specific Ports
TCP 1433 is the well-known default port for the SQL Server Database Engine. If you are running named instances (rather than the default instance), SQL Server will typically use a dynamic port unless you configure a static one. In that case, the SQL Browser service on UDP 1434 helps clients discover which port the named instance is listening on.
TCP 135 appears for multiple services — T-SQL Debugger, SSIS Runtime, WMI, and MSDTC. This is the RPC Endpoint Mapper port. When a client connects to TCP 135, Windows uses it to negotiate which higher-numbered dynamic port the actual service will use. This means that in addition to port 135, you may also need to open a range of dynamic RPC ports (typically 49152–65535 on modern Windows systems) or configure fixed RPC ports for tighter firewall control.
TCP 2382 is used by Analysis Services (SSAS) for client connections when the SQL Browser service is running. If the browser service is not running, clients must connect directly to the configured SSAS port (default TCP 2383 for a default SSAS instance).
Additional Ports to Know
Depending on your SQL Server configuration, you may also encounter these additional ports in enterprise environments:
| Service / Feature | Port |
|---|---|
| Default SSAS Instance (direct connection) | TCP 2383 |
| Reporting Services (SSRS) — HTTP | TCP 80 |
| Reporting Services (SSRS) — HTTPS | TCP 443 |
| Always On / Database Mirroring Endpoint | TCP 5022 |
| Dedicated Admin Connection (DAC) | TCP 1434 |
Conclusion
Understanding SQL Server port requirements is fundamental to building both secure and functional database environments. By opening only the ports your specific services require, you minimize your attack surface while ensuring connectivity. Always document your firewall rules and review them as part of your regular security audits.
If you are managing named instances, Azure SQL environments, or Always On Availability Groups, make sure to also account for their specific port requirements — which I will cover in upcoming articles.