SQL Server Endpoints - Soup To Nuts
06 July 2007
by William Brewer
A SQL Server endpoint is the point of entry into SQL Server. It is implemented as a database object that defines the ways and means in which SQL Server may communicate over the network. SQL Server 2005 routes all interactions with the network via endpoints and each endpoint supports a specific type of communication.
A SQL Server endpoint is a useful point where one can enhance the security of a SQL Server 2005 installation. If, for example, you want to allow your DBAs to monitor a production database from afar then you'll need to set up remote access to a Server via the internet that only your support team can use. This is where endpoints come in. Endpoints, which are a general term for the point of connection between a client or server and the network, can be used in SQL Server in much the same way as a firewall, in order to limit the type of traffic to just what you, as administrator, expect and want. The advantage of a user-defined endpoint is that traffic must be authorised before it even reaches SQL Server. If you are implementing SOAP-based services, mirroring or Service Broker, then you are probably already up to your elbows in endpoints. They are essential for security.
When SQL Server 2005 is installed, a number of 'system endpoints' are set up in the MASTER database. You can start or stop these endpoints using the Surface Configuration tool. If an endpoint is stopped, it listens for, but rejects and closes, new connections. These system endpoints provide a system that works in a manner similar to previous versions of SQL Server. You will not see the advantages of endpoints until you create your own. If you wish to set up an HTTP service such as SOAP, then you will need to set up an additional User endpoint to do it. The same is true when you are setting up Database Mirroring or Service Broker. You can define, alter, delete or reconfigure any number of user endpoints by using T-SQL statements. You can also disable user endpoints. If a user endpoint is disabled, it acts as if it doesn't exist.
An endpoint has a transport, which will either be HTTP or TCP. You also specify a 'payload', which is one of TSQL, Service_Broker, Database_Mirroring, or SOAP. SOAP must use HTTP, and the others must use TCP. The endpoints, other than TSQL, have a number of special-purpose properties that define the way that the service using them communicates, and operates.
A SQL Server login must have permission to use an endpoint (a CONNECT permission). By default, all PUBLIC groups have permission to use the default TCP connection. There is a 'Dedicated Admin Connection' endpoint that can only be used by members of the SysAdmin role. In order to tie down access security as much as possible, the DBA will be interested in replacing the implicit permission to access the other TDS endpoints to all users, with something more precise.
https://www.simpletalk.com/sql/databaseadministration/sqlserverendpointssouptonuts/
System Endpoints
When SQL Server is installed, a 'system endpoint' is created for each of the four protocols (TCP/IP, Shared Memory, Named Pipe, VIA) that accept TDS connections. The public group is given connection rights to all these, which allows all logins defined on the server to use these endpoints. An additional system endpoint is created for the Dedicated Administrator Connection (DAC), which can only be used by members of the sysadmin fixed server role. These endpoints cannot be dropped or disabled, but you can stop and start them. Additionally, the state can be changed via the T-SQL 'ALTER ENDPOINT' DDL. When looking at endpoints via DMVs, one can distinguish system endpoints since they have an ID less than 65536. Because these endpoints are created internally by the server, they have no owner and you cannot associate them with a specific account.
The SQL Server Configuration Manager is the easiest way to alter the properties of the system endpoints. The settings for the TDS endpoints are recorded in the registry. However, one should only use Transact-SQL statements to create endpoints, and use SQL Server Configuration Manager to enable or disable protocols, which, in turn, starts and stops the endpoints.
Creating User Endpoints
Endpoints can be created, managed and dropped with CREATE ENDPOINT, ALTER ENDPOINT and DROP ENDPOINT statements (not, unfortunately, in SQL Server Express). There are other statements, such as GRANT CONNECT, that are used to control or take ownership of endpoints. Once you have created an endpoint, you will need to give CONNECT permission to the logins that are being used by the client to access SQL Server, and you may need to restore PUBLIC access to the default endpoint for the payload if appropriate.
TCP Endpoints
These are configured to listen on specific port numbers and server IP addresses. The system endpoint for TCP is configured to use port 1433 for backward compatibility. Other ports can be used. The TCP endpoint can also be forced to listen for requests from just one IP address rather than all. Once you create a new endpoint, the public permission for connection to the TCP system endpoint is dropped. To create a TCP TDS endpoint called MyFirstUserConnection on port 1680 for all the available TCP addresses on the server:
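-- User-defined TDS endpoint: TCP transport, TSQL payload
CREATE ENDPOINT [MyFirstUserConnection]
STATE = STARTED
AS TCP
   (LISTENER_PORT = 1680, LISTENER_IP = ALL)  -- port 1680 on every server IP address
FOR TSQL();
GO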
To grant access to this MyFirstUserConnection endpoint to the Support group in the MyFirm domain:
GRANT CONNECT ON ENDPOINT::[MyFirstUserConnection] TO [MyFirm\Support];
If you want a system endpoint to listen on an additional TCP port, you can use SQL Server Configuration Manager to do so.
First expand 'SQL Server 2005 Network Configuration' in the left side tree.
Click 'Protocols for'.
Expand 'Protocols for', and right-click TCP/IP. Select 'Properties'.
In the 'IP Addresses' tab of the properties dialog box, click each disabled IP address that you want to enable, and then click Enable.
Select the IPAll entry in the list.
Type in a comma-separated list of all the ports that you want the Database Engine to listen on, in the TCP Port box. If you want to specify particular IP addresses, rather than use all of them, right-click TCP/IP in the console pane, click Properties, select the 'Protocol' tab, and select No in the 'Listen All' box.
In the left pane, click 'SQL Server 2005 Services'.
In the right pane, right-click 'SQL Server <MyInstance>', and then click 'Restart'.
When the Database Engine restarts, the Error log will list the ports on which SQL Server is now listening.
For altering User TDS Endpoints, you will need to use T-SQL as they do not show up in the Configuration Manager. However, once these are in place, they require little or no maintenance.
Database Mirroring and Service Broker Endpoints
SQL Server does not contain a Service Broker or Database Mirroring endpoint until you create one. You can create only one Service Broker or Database Mirroring endpoint on an instance. They use Transmission Control Protocol (TCP) to send and receive messages. Each endpoint listens on a unique TCP port number. The endpoint of a server instance controls the port on which that instance listens for messages from other server instances.
You can specify the authentication and encryption methods. Within a domain, or between trusted domains, Windows authentication is best; otherwise certificate-based authentication should be used. Strong encryption techniques will inevitably affect performance, so the default choice of RC4 is usually better than the stronger AES algorithm, unless you are operating in a relatively insecure network.
A Service Broker endpoint configures SQL Server to send and receive Service Broker messages over the network. Service Broker endpoints provide additional options for message forwarding.
The database mirroring endpoint of a server instance controls the port on which that instance listens for database mirroring messages from other server instances. Database Mirroring endpoints must also specify whether the endpoint should be a PARTNER, WITNESS or ALL. SQL Server Express can only be a witness.
The easiest way to set up Database Mirroring endpoints is to use the 'Configure Database Mirroring Security' Wizard, from the 'Configure Security' button on the Mirroring page of the Database Properties dialog in SSMS. But you can also execute the CREATE ENDPOINT command using Transact-SQL.
Here is an example of code to create a Database Mirroring endpoint:
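-- Database Mirroring endpoint listening on TCP port 7022
CREATE ENDPOINT endpoint_mirroring
STATE = STARTED AS TCP (LISTENER_PORT = 7022)
FOR DATABASE_MIRRORING
   (AUTHENTICATION = WINDOWS KERBEROS,
    ENCRYPTION = SUPPORTED,
    ROLE = ALL);  -- may act as partner or witness
GO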
HTTP Endpoints
These are required for setting up a web service on SQL Server 2005. No default HTTP endpoint exists; one must be explicitly created and specified. These are more complex than the other types of endpoint because there are parameters for setting up Authentication method, Encryption, Login Type, Web Method, WSDL support and SOAP payload.
HTTP endpoints are created with a unique URL that they use to listen for incoming HTTP requests. SOAP requests that are sent to this URL will be routed by HTTP.SYS to the SQL Server instance that hosts the endpoint associated with the URL. From there, they are sent to the SOAP processing layer within SQL Server.
A SQL Server instance can have several endpoints, each of which can expose any number of stored procedures as WebMethods on the endpoint. These WebMethods can be invoked via SOAP remote procedure calls. A WebMethod can have a different name than the actual stored procedure that is being exposed. The WebMethod name is what is shown to the user in WSDL as the operation name.
Users can be given permission to execute ad-hoc Transact-SQL statements against the endpoints by enabling batches on the endpoint. This results in a WebMethod named "sqlbatch" being exposed to the user.
All requests, including requests for WSDL, are authenticated. Clients must authenticate against SQL Server principals in order to submit any request. When setting up an HTTP endpoint, you will need to decide between Basic, Digest, Integrated (NTLM, Kerberos), and SQL Authentication. Any client can connect to a SQL Server Web Service by using either BASIC or SQL Auth. However, as BASIC requires the passwords to be sent over in clear text, users can connect only on secure ports that also have SSL enabled (using the command httpcfg, which ships with the support tools).
A connection firstly authenticates at the HTTP transport level. If successful, the user's SID is used to authenticate with SQL. The exception is SQL Auth. The SQL Auth credentials are sent as part of the SOAP packet using WS-Security Username token headers. One can also restrict access to only specified IPs or ranges of IPs. Even if a stored procedure is mapped, it can only be executed if the user has CONNECT permissions on the endpoint as well as EXECUTE permissions on the stored procedure.
When an endpoint is created, only members of the sysadmin role and the owner of the endpoint can connect to the endpoint. You must grant connect permission for users to access your endpoint; this is accomplished by executing the following statement:
GRANT CONNECT ON ENDPOINT::MyLittleEndpoint TO [DOMAIN\USER];
Securing a User Endpoint
To connect to an instance of SQL Server using Transact-SQL endpoints, users must have CONNECT permission to an endpoint and global permission on SQL Server to log in. When SQL Server is set up this will not be apparent because permission to connect to the default System endpoints is implicitly granted to users when logins are created.
When a new TCP endpoint is created, SQL Server automatically revokes all existing permissions on the TSQL Default TCP endpoint.
To restrict access to an endpoint, the administrator can deny permission to the EVERYONE group, using the DENY CONNECT statement. Then, he can grant permission to specific individuals or roles, using the GRANT CONNECT statement.
If one must return permissions to their original state, then GRANT CONNECT permission to the PUBLIC group.
To provide an endpoint exclusively for a specific application, DENY CONNECT permissions to all users, except the users for that application.
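A worked version of the permission changes described in this section, added here as an example and not taken from the original article. It assumes the MyFirstUserConnection endpoint and the MyFirm\Support group from the TCP Endpoints section, with both groups already created as logins; MyFirm\Contractors is a hypothetical group used only for illustration.

```sql
-- Added example. Assumes [MyFirstUserConnection] and [MyFirm\Support] from
-- earlier in the article; [MyFirm\Contractors] is a hypothetical group.
-- Both groups must already exist as logins on the instance.

-- 1. Allow the support group onto the user endpoint.
GRANT CONNECT ON ENDPOINT::[MyFirstUserConnection] TO [MyFirm\Support];

-- 2. Explicitly keep another group off it. DENY takes precedence over any
--    GRANT a login picks up through other groups or roles, so apply it to
--    the principals to be kept out, not to a group that also contains the
--    application's own users.
DENY CONNECT ON ENDPOINT::[MyFirstUserConnection] TO [MyFirm\Contractors];

-- 3. Return the default TCP endpoint to its original state, but only if
--    ordinary logins must still be able to connect on port 1433.
GRANT CONNECT ON ENDPOINT::[TSQL Default TCP] TO [public];
GO

-- 4. Audit: who has been granted or denied CONNECT on each endpoint.
--    An endpoint that comes back with NULL permission columns has no
--    explicit grants at all.
SELECT e.name        AS endpoint_name,
       e.type_desc   AS payload,
       e.state_desc  AS endpoint_state,
       pr.name       AS principal_name,
       pr.type_desc  AS principal_type,
       p.state_desc  AS grant_or_deny,
       p.permission_name
FROM sys.endpoints AS e
LEFT JOIN sys.server_permissions AS p
       ON p.class_desc = 'ENDPOINT'
      AND p.major_id   = e.endpoint_id
LEFT JOIN sys.server_principals AS pr
       ON pr.principal_id = p.grantee_principal_id
ORDER BY e.name, pr.name;
```

Run the audit query before and after creating a new FOR TSQL() endpoint to see the change in the rows for TSQL Default TCP.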
Altering a User Endpoint
The best and easiest way of inspecting or altering a simple system TDS endpoint is with the SQL Server Configuration Manager. You can use the ALTER ENDPOINT statement in T-SQL to alter the properties of any endpoint. You need to specify only those parameters that you want to update, and all other properties of an existing endpoint stay the same. The ENDPOINT DDL statements cannot be executed inside a user transaction.
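An added example (not from the original article) of ALTER ENDPOINT changing a single property. It assumes the endpoint_mirroring endpoint from the Database Mirroring section exists, and moves it from ENCRYPTION = SUPPORTED to required AES encryption, the choice the article reserves for a relatively insecure network.

```sql
-- Added example. Assumes the endpoint_mirroring endpoint created in the
-- Database Mirroring section exists on this instance.
-- Endpoint DDL cannot run inside a user transaction, so there is no
-- BEGIN TRANSACTION around these statements.

-- ENCRYPTION = SUPPORTED leaves the decision to the opposite endpoint:
-- a peer set to DISABLED gets an unencrypted session. REQUIRED refuses
-- any connection that is not encrypted.
-- Only the option being changed is listed; the listener port,
-- authentication method and role keep their current values.
ALTER ENDPOINT endpoint_mirroring
    FOR DATABASE_MIRRORING (ENCRYPTION = REQUIRED ALGORITHM AES);
GO

-- Verify the change. encryption_algorithm_desc should now read AES.
-- The partner and witness endpoints need a compatible setting
-- (SUPPORTED or REQUIRED with a shared algorithm), otherwise the
-- mirroring session will fail to connect.
SELECT name,
       state_desc,
       role_desc,
       connection_auth_desc,
       is_encryption_enabled,
       encryption_algorithm_desc
FROM sys.database_mirroring_endpoints;
GO

-- The state is altered the same way. A stopped endpoint still listens
-- but rejects and closes new connections.
ALTER ENDPOINT endpoint_mirroring STATE = STOPPED;
GO
ALTER ENDPOINT endpoint_mirroring STATE = STARTED;
GO
```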
Looking at endpoints
Endpoints can be inspected in one of the catalog views (see Endpoints Catalog Views (Transact-SQL))
e.g.
SELECT * FROM sys.endpoints
These catalog views are:
sys.endpoints                      All endpoints and all generic properties
sys.database_mirroring_endpoints   The Database Mirroring endpoints
sys.service_broker_endpoints       The Service Broker endpoints
sys.soap_endpoints                 HTTP endpoints that carry a SOAP-type payload
sys.endpoint_webmethods            SOAP methods defined on endpoints
sys.tcp_endpoints                  All TCP endpoints and properties
sys.http_endpoints                 All HTTP endpoints and HTTP properties
sys.via_endpoints                  All VIA endpoints and properties
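An added example (not from the original article) that combines these views. The first query inventories every endpoint with its TCP listener details and marks system endpoints using the ID threshold of 65536 given earlier; the second shows which endpoint each current connection arrived on. The second query relies on the sys.dm_exec_connections and sys.dm_exec_sessions views, which the article does not mention.

```sql
-- Added example. Query 1: inventory of all endpoints.
-- Endpoints with an ID below 65536 are the built-in system endpoints.
SELECT e.endpoint_id,
       e.name,
       CASE WHEN e.endpoint_id < 65536 THEN 'system' ELSE 'user' END AS origin,
       e.protocol_desc      AS transport,
       e.type_desc          AS payload,
       e.state_desc,
       e.is_admin_endpoint,            -- 1 for the Dedicated Admin Connection
       t.port,
       t.is_dynamic_port,
       t.ip_address                    -- NULL when listening on all addresses
FROM sys.endpoints AS e
LEFT JOIN sys.tcp_endpoints AS t
       ON t.endpoint_id = e.endpoint_id
ORDER BY e.endpoint_id;

-- Query 2: which endpoint each current connection came in on.
-- Needs VIEW SERVER STATE permission. Useful for confirming that the
-- support team really is using the dedicated endpoint and that nobody
-- else has found their way onto it.
SELECT e.name              AS endpoint_name,
       c.session_id,
       s.login_name,
       c.client_net_address,
       c.local_tcp_port,
       c.net_transport,
       c.auth_scheme,
       c.encrypt_option
FROM sys.dm_exec_connections AS c
JOIN sys.endpoints           AS e ON e.endpoint_id = c.endpoint_id
JOIN sys.dm_exec_sessions    AS s ON s.session_id  = c.session_id
ORDER BY e.name, c.session_id;
```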
Further reading
Books on Line have plenty of examples of T-SQL configuration of endpoints and are good on the syntax of the CREATE ENDPOINT statement.
CREATE ENDPOINT (Transact-SQL)
ALTER ENDPOINT (Transact-SQL)
ENDPOINT (Transact-SQL)
How to: Configure the Database Engine to Listen on Multiple TCP Ports
Author profile: William Brewer
William Brewer is a SQL Server developer who has worked as a Database consultant and Business Analyst for several Financial Services organisations in the City of London. True to his name, he is also an expert on real ale.
Have Your Say
Subject: Mirroring
Posted by: Anonymous (not signed in)
Posted on: Monday, July 23, 2007 at 1:30 AM
Message: Dear William
I found many things in your article, really it was outstanding
Great!
Regards
Syed Naveed
Naveed_shah15@hotmail.com
Subject: Re: Mirroring
Posted by: WBrewer
Posted on: Tuesday, July 24, 2007 at 3:01 PM
Message: Bless you Syed, and thank you. I needed that!
Subject: yes, but how do you make endpoints public?
Posted by: Anonymous (not signed in)
Posted on: Wednesday, July 25, 2007 at 8:11 AM
Message: yes, but how do you make endpoints public?
Subject: Mirroring
Posted by: Anonymous (not signed in)
Posted on: Friday, August 3, 2007 at 4:02 AM
Message: Thank you William for a simple non-confusing overview of endpoints. At last someone realises that this is the type of article that is needed when new technology is released.
Jane Howell
Subject: public endpoints
Posted by: Anonymous (not signed in)
Posted on: Monday, December 24, 2007 at 4:58 PM
Message: yes, but how do you make endpoints public? I want to access it publicly..
mail me: jatin.purba@gmail.com
Subject: And then...?
Posted by: Anonymous (not signed in)
Posted on: Wednesday, April 2, 2008 at 2:43 PM
Message: What next? Can you go one step further and show someone connecting to an endpoint in a simple manner? Like, with IE or something?
Subject: Mirroring
Posted by: James BlueBlood
Posted on: Tuesday, August 4, 2009 at 1:54 AM
Message: Hi,
can anyone give the complete material on Mirroring.. any videos.. any URL to download the Mirroring material in SQL Server..
thank you
BlueBlood
Subject: Great Article!!!
Posted by: Devashish
Posted on: Saturday, June 26, 2010 at 6:56 AM
Message: SQL Server endpoints made really easy!!
Subject: .
Posted by: Cody
Posted on: Thursday, June 18, 2015 at 12:34 AM
Message: The article states "once you create a new endpoint, the public permission for connection to the TCP system endpoint is dropped".
It wasn't clear to me what exactly constituted a "user" endpoint, for example if the service broker endpoint is created then will the public permissions on the default TCP TSQL endpoint be dropped?
The answer is no, I just tested it out. The connect permission only gets dropped if you create another FOR TSQL() endpoint.