Accessing a Named Instance with UDP Port 1434 Closed

In the May Q&A "Checking Port Numbers" (InstantDoc ID 38444), I responded to the following reader question: "I created a server alias that uses the TCP/IP network library. The client-side server alias is configured to Dynamically determine port. How can I find out which port the client is using so that I can lock down our firewall?"

I said that you must keep UDP port 1434 open in the firewall so that you could communicate with the named instance. That's not true.

UDP port 1434 needs to be open if you have to determine the TCP/IP port that a named instance is using or if you connect to the server by using only the name of the instance. However, you can easily use the Client Network Utility to create a client-side alias for a named instance that includes the IP address and port that the instance uses. You can then use the alias to access the named instance through a firewall without exposing UDP port 1434. With this approach, each client connecting to the server must know its TCP/IP port number in advance, so you'll have to change the client-side settings if you ever change the port that the named instance uses.

Several attacks have exploited well-known vulnerabilities related to UDP port 1434, so having the option of keeping UDP port 1434 closed is valuable. This technique is also useful for letting pre-SQL Server 2000 client tools connect to a named instance of SQL Server 2000. Thanks to Chip Andrews, who runs SQLSecurity.com (http://www.sqlsecurity.com), for sharing this security tip.