Windows Server 2012 R2 Firewall help

I have recently set up a small domain consisting of a DC and an RDS server. There is also a web server in a DMZ which talks to a SQL Express database on the DC.

Whilst setting up all of this I have disabled the Windows firewall on the DC and RDS servers. I would now like to enable these firewalls to allow only what is needed.

I have always been a little unsure how to set up the Windows firewalls. Is there an easy way to see what ports etc. need to be left open?

The servers are now in use so I don't really want to start closing ports risking stopping the servers working as they should.
roy_batty (Director) asked:

JustInCase commented:
SQL Server uses TCP ports 1433 & 1434, but for SQL Server Express you probably need to lock that port manually (at least I did).
To access SQL Server through the network you need to start the SQL Browser service (by default it does not start automatically), and if you are planning to use the computer name to connect you need to enable named pipes besides TCP.
Zephyr ICT (Cloud Architect) commented:
Normally when you install roles on a Windows Server it will automatically open the necessary firewall ports, if I'm not mistaken; not sure about SQL Express though... But if you're in doubt you'll have to check the firewall settings prior to enabling them.

Another thing you could do is make a list of listening ports with something like "netstat -a -b". This way you have a list to compare your firewall settings against, and you can open any ports that aren't opened yet.

Ports for RDS

Domain Controller ports
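The comparison Zephyr ICT describes (listeners versus firewall rules) can be done in one pass with the NetTCPIP and NetSecurity cmdlets that ship with Server 2012 R2. This is an added example, not code from the thread; it assumes an elevated PowerShell session on the DC or RDS server and that the interfaces are in the Domain profile:

```powershell
# Added example, not from the thread: list every listening TCP/UDP port with
# its owning process and check whether an enabled inbound allow rule covers it.
# Run in an elevated PowerShell session on the DC or RDS server (PowerShell 4.0
# on Server 2012 R2 is enough; no extra modules needed).

# 1. What is actually listening, and which process owns it (the "-b" part of netstat).
$tcp = Get-NetTCPConnection -State Listen |
    Select-Object @{n='Proto';e={'TCP'}}, LocalAddress, LocalPort, OwningProcess
$udp = Get-NetUDPEndpoint |
    Select-Object @{n='Proto';e={'UDP'}}, LocalAddress, LocalPort, OwningProcess

$listeners = (@($tcp) + @($udp)) | ForEach-Object {
    $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Proto   = $_.Proto
        Address = $_.LocalAddress
        Port    = [int]$_.LocalPort
        Process = if ($proc) { $proc.ProcessName } else { "pid $($_.OwningProcess)" }
    }
}

# 2. Port filters of enabled inbound allow rules that apply to the Domain profile.
$allowed = foreach ($rule in (Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow)) {
    if ("$($rule.Profile)" -notmatch 'Domain|Any') { continue }
    $pf = $rule | Get-NetFirewallPortFilter
    foreach ($p in @($pf.LocalPort)) {
        [pscustomobject]@{ Rule = $rule.DisplayName; Proto = "$($pf.Protocol)"; LocalPort = "$p" }
    }
}

# Does a listener match one of the allow entries? Handles 'Any', single ports and
# ranges such as '49152-65535'. 'RPC' and 'RPC-EPMap' entries are deliberately
# left unmatched: those rules are resolved by the endpoint mapper, not a fixed port.
function Test-PortAllowed {
    param([string]$Proto, [int]$Port, $AllowList)
    foreach ($a in $AllowList) {
        if ($a.Proto -ne 'Any' -and $a.Proto -ne $Proto) { continue }
        if ($a.LocalPort -eq 'Any') { return $a.Rule }
        if ($a.LocalPort -eq "$Port") { return $a.Rule }
        if ($a.LocalPort -match '^(\d+)-(\d+)$' -and
            $Port -ge [int]$Matches[1] -and $Port -le [int]$Matches[2]) { return $a.Rule }
    }
    return $null
}

# 3. The comparison: anything reported as '(no inbound allow rule)' will stop
# answering remote clients once the profile is enabled.
$listeners | ForEach-Object {
    $rule = Test-PortAllowed -Proto $_.Proto -Port $_.Port -AllowList $allowed
    [pscustomobject]@{
        Proto     = $_.Proto
        Address   = $_.Address
        Port      = $_.Port
        Process   = $_.Process
        AllowedBy = if ($rule) { $rule } else { '(no inbound allow rule)' }
    }
} | Sort-Object Proto, Port | Format-Table -AutoSize
```

Two things to read the output with care: a listener bound to 127.0.0.1 or ::1 needs no inbound rule at all, and rules scoped by program or service rather than by port report their LocalPort as Any, so they match every listener here and need to be reviewed by hand. The unmatched rows are the ones to investigate before enabling the Domain profile, not a list of ports to open blindly; a port that only the DC itself uses should stay closed.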
roy_batty (Director, Author) commented:
I have just checked the SQL Configuration Manager and under IPAll on the IP Addresses tab I see the following.

TCP Dynamic ports = 59749
TCP Port = 1433

I obviously need to open 1433 but do I need to open port 59749 too?
Zephyr ICT (Cloud Architect) commented:
You can disable the dynamic ports feature and use just static ports. Depending on the software you're using you might need to open additional ports, but normally 1433 (TCP) should be enough.

To get some idea about other ports and their use, check this link.

To set a static port in SQL Express you should be able to do this via SQL Configuration Manager; some guidance can be found here.
roy_batty (Director, Author) commented:
Control Panel\System and Security\Windows Firewall\Advanced settings\Windows Firewall Properties

Select the tab referring to the network location - in my case it's Domain.

In the Logging section click Customize.

Log dropped packets = yes.

Now if you go back to the Windows Firewall with Advanced Security main page, under the Monitoring section click the link to the log file.

There I saw that packets on port 1433 were being dropped. So I then added a rule to allow this.

Issue resolved.

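The same procedure in PowerShell, with a small parser that summarises the DROP lines so the ports that still need a rule stand out, and the final allow rule scoped to the one client that needs it. This is an added example, not code from the thread; it assumes an elevated session on the DC (the SQL Express host), and 10.0.5.20 is a constructed placeholder for the DMZ web server's address:

```powershell
# Added example, not from the thread: the logging steps above as PowerShell,
# plus a summary of the DROP lines so the ports that still need a rule stand out.
# Run elevated on the DC (the SQL Express host). 10.0.5.20 is a constructed
# placeholder for the DMZ web server's address.

# Windows Firewall Properties -> Domain Profile -> Logging -> Customize ->
# Log dropped packets = Yes (and a log big enough not to roll over in an hour).
Set-NetFirewallProfile -Profile Domain -LogBlocked True -LogMaxSizeKilobytes 16384

# The log path shown under Monitoring, with %systemroot% expanded.
$logPath = [Environment]::ExpandEnvironmentVariables(
    (Get-NetFirewallProfile -Profile Domain).LogFileName)

# Summarise inbound drops by protocol, destination port and source address.
# Field order comes from the '#Fields:' header that pfirewall.log carries:
# date time action protocol src-ip dst-ip src-port dst-port size tcpflags
# tcpsyn tcpack tcpwin icmptype icmpcode info path
function Get-DroppedInbound {
    param([string]$Path, [int]$Top = 10)
    Get-Content -Path $Path |
        Where-Object { $_ -and -not $_.StartsWith('#') } |
        ForEach-Object {
            $f = $_ -split '\s+'
            # Only inbound (path = RECEIVE) drops are interesting for this question.
            if ($f.Count -ge 17 -and $f[2] -eq 'DROP' -and $f[16] -eq 'RECEIVE') {
                [pscustomobject]@{ Proto = $f[3]; DstPort = $f[7]; Src = $f[4]; Dst = $f[5] }
            }
        } |
        Group-Object Proto, DstPort, Src |
        Sort-Object Count -Descending |
        Select-Object -First $Top Count, @{n='Proto, DstPort, Src'; e={ $_.Name }}
}

# Let the servers run for a while with logging on, then look at what was dropped.
Get-DroppedInbound -Path $logPath -Top 10

# When the log confirms that the web server's connections to 1433 are the ones
# being dropped, allow exactly that and nothing wider: TCP 1433, Domain profile,
# from the web server's address only.
New-NetFirewallRule -DisplayName 'SQL Express TCP 1433 from DMZ web server' `
    -Direction Inbound -Protocol TCP -LocalPort 1433 `
    -RemoteAddress 10.0.5.20 -Profile Domain -Action Allow
```

The log file is only created after the first logged packet, so run the summary after the web server has tried to connect. Restricting the rule with -RemoteAddress is the difference between "the web server can reach SQL" and "anything that reaches the DC can reach SQL". If the summary shows drops on the dynamic port noted earlier (59749) rather than on 1433, that is the case Zephyr ICT describes: set a static port in SQL Configuration Manager instead of opening the dynamic one, because it changes on restart.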
roy_batty (Director, Author) commented:
I've requested that this question be closed as follows:

Accepted answer: 0 points for roy_batty's comment #a40873410

for the following reason:

My question was more of a question about using the firewall logs rather than specifically about SQL ports.
Zephyr ICT (Cloud Architect) commented:
I'm sorry, but there were helpful posts in this question, you can't just close the question and say that it was logging you were after and then mention you opened port 1433 while we posted this as well ...
roy_batty (Director, Author) commented:
I have no objection to giving points to any of the helpful comments posted by yourself and others. I just want to highlight that the only question I asked in my original post was:

"I have always been a little unsure how to setup the windows firewalls. Is there an easy way to see what ports etc need to be left open."

So my final comment is actually the answer to the question I asked.

I am happy to hand out points for the helpful comments however.
roy_batty (Director, Author) commented:
Assistance provided by 2 experts.