11/6/2015

SQL Server Endpoints: Soup to Nuts

06 July 2007
by William Brewer

A SQL Server endpoint is the point of entry into SQL Server. It is implemented as a database object that defines the ways and means in which SQL Server may communicate over the network. SQL Server 2005 routes all interactions with the network via endpoints and each endpoint supports a specific type of communication.
A SQL Server endpoint is a useful point where one can enhance the security of a SQL Server 2005 installation. If, for example, you want to allow your DBAs to monitor a production database from afar then you'll need to set up remote access to a Server via the internet that only your support team can use. This is where endpoints come in. Endpoints, which are a general term for the point of connection between a client or server and the network, can be used in SQL Server in much the same way as a firewall, in order to limit the type of traffic to just what you, as administrator, expect and want. The advantage of a user-defined endpoint is that traffic must be authorised before it even reaches SQL Server. If you are implementing SOAP-based services, mirroring or Service Broker, then you are probably already up to your elbows in endpoints. They are essential for security.
When SQL Server 2005 is installed, a number of 'system endpoints' are set up in the MASTER database. You can start or stop these endpoints using the Surface Configuration tool. If an endpoint is stopped, it listens for, but rejects and closes, new connections. These system endpoints provide a system that works in a manner similar to previous versions of SQL Server. You will not see the advantages of endpoints until you create your own. If you wish to set up an HTTP service such as SOAP, then you will need to set up an additional User endpoint to do it. The same is true when you are setting up Database Mirroring or Service Broker. You can define, alter, delete or reconfigure any number of user endpoints by using T-SQL statements. You can also disable user endpoints. If a user endpoint is disabled, it acts as if it doesn't exist.
An endpoint has a transport, which will either be HTTP or TCP. You also specify a 'payload', which is one of TSQL, Service_Broker, Database_Mirroring, or SOAP. SOAP must use HTTP, and the others must use TCP. The endpoints, other than TSQL, have a number of special-purpose properties that define the way that the service using them communicates and operates.
A SQL Server login must have permission to use an endpoint (a CONNECT permission). By default, the PUBLIC group has permission to use the default TCP connection. There is a 'Dedicated Admin Connection' endpoint that can only be used by members of the SysAdmin role. In order to tie down access security as much as possible, the DBA will be interested in replacing the implicit permission to access the other TDS endpoints to all users, with something more precise.

https://www.simpletalk.com/sql/databaseadministration/sqlserverendpointssouptonuts/

System Endpoints
When SQL Server is installed, a 'system endpoint' is created for each of the four protocols (TCP/IP, Shared Memory, Named Pipe, VIA) that accept TDS connections. The public group is given connection rights to all these, which allows all logins defined on the server to use these endpoints. An additional system endpoint is created for the Dedicated Administrator Connection (DAC), which can only be used by members of the sysadmin fixed server role. These endpoints cannot be dropped or disabled, but you can stop and start them. Additionally, the state can be changed via the T-SQL 'ALTER ENDPOINT' DDL. When looking at endpoints via DMVs, one can distinguish system endpoints since they have an ID less than 65536. Because these endpoints are created internally by the server, they have no owner and you cannot associate them with a specific account.
The SQL Server Configuration Manager is the easiest way to alter the properties of the system endpoints. The settings for the TDS endpoints are recorded in the registry. However, one should only use Transact-SQL statements to create endpoints, and use SQL Server Configuration Manager to enable or disable protocols, which, in turn, starts and stops the endpoints.

Creating User Endpoints
Endpoints can be created, managed and dropped with CREATE ENDPOINT, ALTER ENDPOINT and DROP ENDPOINT statements (not, unfortunately, in SQL Server Express). There are other statements such as GRANT CONNECT that are used to control or take ownership of endpoints. Once you have created an endpoint, you will need to give CONNECT permission to the logins that are being used by the client to access SQL Server, and you may need to restore PUBLIC access to the default endpoint for the payload if appropriate.

TCP Endpoints
These are configured to listen on specific port numbers and server IP addresses. The system endpoint for TCP is configured to use port 1433 for backward compatibility. Other ports can be used. The TCP endpoint can also be forced to listen for requests from just one IP address rather than all. Once you create a new endpoint, the public permission for connection to the TCP system endpoint is dropped. To create a TCP TDS endpoint called MyFirstUserConnection on port 1680 for all the available TCP addresses on the server:
CREATE ENDPOINT [MyFirstUserConnection]
STATE = STARTED
AS TCP
(LISTENER_PORT = 1680, LISTENER_IP = ALL)
FOR TSQL();
GO

To grant access to this MyFirstUserConnection endpoint to the Support group in the MyFirm domain:
GRANT CONNECT ON ENDPOINT::[MyFirstUserConnection] TO [MyFirm\Support];

If you want a system endpoint to listen on an additional TCP port, you can use SQL Server Configuration Manager to do so.

First expand 'SQL Server 2005 Network Configuration' in the left side tree.
Click 'Protocols for'.
Expand 'Protocols for', and right-click TCP/IP. Select 'Properties'.
In the 'IP Addresses' tab of the properties dialog box, click each disabled IP address that you want to enable, and then click Enable.
Select the IPAll entry in the list.
Type in a comma-separated list of all the ports that you want the Database Engine to listen on, in the TCP Port box. If you want to specify particular IP addresses, rather than use all of them, right-click TCP/IP in the console pane, click Properties, select the 'Protocol' tab, and select No in the 'Listen All' box.
In the left pane, click 'SQL Server 2005 Services'.
In the right pane, right-click 'SQL Server <MyInstance>', and then click 'Restart'.
When the Database Engine restarts, the Error log will list the ports on which SQL Server is now listening.
For altering User TDS Endpoints, you will need to use T-SQL as they do not show up in the Configuration Manager. However, once these are in place, they require little or no maintenance.

Database Mirroring and Service Broker Endpoints
SQL Server does not contain a Service Broker or Database Mirroring endpoint until you create one. You can create only one Service Broker, or Database Mirroring, endpoint on an instance. They use Transmission Control Protocol (TCP) to send and receive messages. Each endpoint listens on a unique TCP port number. The endpoint of a server instance controls the port on which that instance listens for messages from other server instances.
You can specify the authentication and encryption methods. Within a domain, or between trusted domains, Windows authentication is best; otherwise certificate-based authentication should be used. Strong encryption techniques will inevitably affect performance, so the default choice of RC4 is usually better than the stronger AES algorithm, unless you are operating in a relatively insecure network.
A Service Broker endpoint configures SQL Server to send and receive Service Broker messages over the network. Service Broker endpoints provide additional options for message forwarding.
The database mirroring endpoint of a server instance controls the port on which that instance listens for database mirroring messages from other server instances. Database Mirroring endpoints must also specify whether the endpoint should be a PARTNER, WITNESS or ALL. SQL Server Express can only be a witness.
The easiest way to set up Database Mirroring endpoints is to use the 'Configure Database Mirroring Security' Wizard, from the 'Configure Security' button on the Mirroring page of the Database Properties dialog in SSMS. But you can also execute the CREATE ENDPOINT command using Transact-SQL.
Here is an example of code to create a Database Mirroring endpoint:
CREATE ENDPOINT endpoint_mirroring
STATE = STARTED
AS TCP (LISTENER_PORT = 7022)
FOR DATABASE_MIRRORING
(AUTHENTICATION = WINDOWS KERBEROS,
ENCRYPTION = SUPPORTED,
ROLE = ALL);
GO
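
With ENCRYPTION = SUPPORTED the endpoint encrypts only if the opposite endpoint specifies SUPPORTED or REQUIRED, so an unencrypted session remains possible. The following added example (not from the original article) tightens the same endpoint for a less trusted network and checks the result in the catalog views; the login [MyFirm\SqlPartnerSvc] is a hypothetical service account for the partner instance.

```sql
-- Added example. endpoint_mirroring is the endpoint created above;
-- [MyFirm\SqlPartnerSvc] is a hypothetical partner service account.

-- Refuse unencrypted sessions and pin the algorithm to AES.
-- Only the ENCRYPTION option is named, so port, authentication and role
-- keep their existing values.
-- (RC4 is marked as deprecated in later SQL Server releases.)
ALTER ENDPOINT endpoint_mirroring
    FOR DATABASE_MIRRORING
    (ENCRYPTION = REQUIRED ALGORITHM AES);
GO

-- Let only the partner's service account open a session to the endpoint.
-- Skip CREATE LOGIN if the login already exists.
CREATE LOGIN [MyFirm\SqlPartnerSvc] FROM WINDOWS;
GRANT CONNECT ON ENDPOINT::endpoint_mirroring TO [MyFirm\SqlPartnerSvc];
GO

-- Verify what the instance is actually enforcing.
SELECT  m.name,
        m.state_desc,                 -- STARTED / STOPPED / DISABLED
        t.port,                       -- listener port (7022 above)
        m.role_desc,                  -- PARTNER / WITNESS / ALL
        m.connection_auth_desc,       -- e.g. KERBEROS
        m.is_encryption_enabled,
        m.encryption_algorithm_desc   -- AES after the ALTER above
FROM    sys.database_mirroring_endpoints AS m
JOIN    sys.tcp_endpoints AS t
        ON t.endpoint_id = m.endpoint_id;
```

Both partners (and the witness, if used) need compatible encryption settings, so apply the same change on each instance.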

HTTP Endpoints
These are required for setting up a web service on SQL Server 2005. No default HTTP endpoint exists; one must be explicitly created and specified. These are more complex than the other types of endpoint because there are parameters for setting up Authentication method, Encryption, Login Type, WebMethod, WSDL support and SOAP payload.
HTTP endpoints are created with a unique URL that they use to listen for incoming HTTP requests. SOAP requests that are sent to this URL will be routed by HTTP.SYS to the SQL Server instance that hosts the endpoint associated with the URL. From there, they are sent to the SOAP processing layer within SQL Server.
A SQL Server instance can have several endpoints, each of which can expose any number of stored procedures as WebMethods on the endpoint. These WebMethods can be invoked via SOAP remote procedure calls. A WebMethod can have a different name than the actual stored procedure that is being exposed. The WebMethod name is what is shown to the user in WSDL as the operation name.
Users can be given permission to execute ad hoc Transact-SQL statements against the endpoints by enabling batches on the endpoint. This results in a WebMethod named "sqlbatch" being exposed to the user.
All requests, including requests for WSDL, are authenticated. Clients must authenticate against SQL Server principals in order to submit any request. When setting up an HTTP endpoint, you will need to decide between Basic, Digest, Integrated (NTLM, Kerberos), and SQL Authentication. Any client can connect to a SQL Server Web Service by using either BASIC or SQL Auth. However, as BASIC requires the passwords to be sent over in clear text, users can connect only on secure ports that also have SSL enabled (using the command httpcfg, which ships with the support tools).
A connection firstly authenticates at the HTTP transport level. If successful, the user's SID is used to authenticate with SQL. The exception is SQL Auth. The SQL Auth credentials are sent as part of the SOAP packet using WS-Security Username token headers. One can also restrict access to only specified IPs or ranges of IPs. Even if a stored procedure is mapped, it can only be executed if the user has CONNECT permissions on the endpoint as well as EXECUTE permissions on the stored procedure.
When an endpoint is created, only members of the sysadmin role and the owner of the endpoint can connect to the endpoint. You must grant connect permission for users to access your endpoint; this is accomplished by executing the following statement:
GRANT CONNECT ON ENDPOINT::MyLittleEndpoint TO [DOMAIN\USER];
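
The choices described in this section (authentication type, SSL-only ports, a WebMethod alias, batches, and the CONNECT plus EXECUTE requirement) fit together as in the following added example, which is not from the original article. It uses SQL Server 2005 syntax; SupportDb, dbo.usp_GetJobStatus, the /support path, the host name and the namespace are hypothetical, and the procedure is assumed to exist already.

```sql
-- Added example. MyLittleEndpoint and [MyFirm\Support] are names used in
-- the article; every other name here is hypothetical.
CREATE ENDPOINT MyLittleEndpoint
STATE = STARTED
AS HTTP (
    PATH = '/support',
    AUTHENTICATION = (INTEGRATED),   -- Kerberos/NTLM, no password in the request
    PORTS = (SSL),                   -- no clear-text port is opened; the SSL
                                     -- certificate is registered with httpcfg
    SITE = 'sqlhost.myfirm.example'
)
FOR SOAP (
    -- The WSDL shows 'JobStatus', not the procedure's real name.
    WEBMETHOD 'JobStatus' (NAME = 'SupportDb.dbo.usp_GetJobStatus'),
    BATCHES = DISABLED,              -- no "sqlbatch" method for ad hoc T-SQL
    LOGIN_TYPE = WINDOWS,            -- SQL Auth credentials are not accepted
    WSDL = DEFAULT,
    DATABASE = 'SupportDb',
    NAMESPACE = 'http://myfirm.example/support'
);
GO

-- A caller needs both permissions before the WebMethod will run.
GRANT CONNECT ON ENDPOINT::MyLittleEndpoint TO [MyFirm\Support];
GO
USE SupportDb;
GO
-- Assumes [MyFirm\Support] is already mapped to a user in SupportDb.
GRANT EXECUTE ON OBJECT::dbo.usp_GetJobStatus TO [MyFirm\Support];
GO
```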

Securing a User Endpoint
To connect to an instance of SQL Server using Transact-SQL endpoints, users must have CONNECT permission to an endpoint and global permission on SQL Server to log in. When SQL Server is set up this will not be apparent because permission to connect to the default System endpoints is implicitly granted to users when logins are created.
When a new TCP endpoint is created, SQL Server automatically revokes all existing permissions on the TSQL Default TCP endpoint.
To restrict access to an endpoint, the administrator can deny permission to the EVERYONE group, using the DENY CONNECT statement. Then, he can grant permission to specific individuals or roles, using the GRANT CONNECT statement.
If one must return permissions to their original state, then GRANT CONNECT permission to the PUBLIC group.
To provide an endpoint exclusively for a specific application, DENY CONNECT permissions to all users, except the users for that application.
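
As an added example (not from the original article), the statements below create a support-only T-SQL endpoint bound to one server address, set its CONNECT permissions, restore PUBLIC access to the default endpoint, and then list who can connect to what. The endpoint name SupportOnly, port 1690, address 192.0.2.10 and the group [MyFirm\Contractors] are constructed for illustration, and both Windows groups are assumed to exist as logins.

```sql
-- Added example. [MyFirm\Support] comes from the article; SupportOnly,
-- port 1690, 192.0.2.10 and [MyFirm\Contractors] are constructed values.

-- 1. A T-SQL endpoint that listens on a single server IP address.
CREATE ENDPOINT [SupportOnly]
STATE = STARTED
AS TCP (LISTENER_PORT = 1690, LISTENER_IP = (192.0.2.10))
FOR TSQL();
GO

-- 2. Only the support group may connect. A DENY takes precedence over a
--    GRANT received through another group, so deny only principals that
--    must never use this endpoint.
GRANT CONNECT ON ENDPOINT::[SupportOnly] TO [MyFirm\Support];
DENY  CONNECT ON ENDPOINT::[SupportOnly] TO [MyFirm\Contractors];
GO

-- 3. Creating the endpoint removed PUBLIC's permission on the default
--    TCP endpoint; put it back if ordinary clients still use port 1433.
GRANT CONNECT ON ENDPOINT::[TSQL Default TCP] TO [public];
GO

-- 4. Audit: every endpoint, system or user, with its CONNECT grants and denies.
SELECT  e.name                AS endpoint_name,
        CASE WHEN e.endpoint_id < 65536 THEN 'system' ELSE 'user' END AS kind,
        e.type_desc,
        e.state_desc,
        t.port,
        p.state_desc          AS permission_state,   -- GRANT or DENY
        sp.name               AS principal_name
FROM    sys.endpoints AS e
LEFT JOIN sys.tcp_endpoints AS t
        ON t.endpoint_id = e.endpoint_id
LEFT JOIN sys.server_permissions AS p
        ON  p.class_desc = 'ENDPOINT'
        AND p.major_id = e.endpoint_id
        AND p.permission_name = 'CONNECT'
LEFT JOIN sys.server_principals AS sp
        ON sp.principal_id = p.grantee_principal_id
ORDER BY e.endpoint_id, sp.name;
```

A user endpoint that shows no rows with a principal name is reachable only by sysadmin members and the endpoint owner.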

Altering a User Endpoint
The best and easiest way of inspecting or altering a simple system TDS endpoint is with the SQL Server Configuration Manager. You can use the ALTER ENDPOINT statement in T-SQL to alter the properties of any endpoint. You need specify only those parameters that you want to update, and all other properties of an existing endpoint stay the same. The ENDPOINT DDL statements cannot be executed inside a user transaction.

Looking at endpoints
Endpoints can be inspected in one of the catalog views (see Endpoints Catalog Views (Transact-SQL)), e.g.

SELECT * FROM sys.endpoints

These catalog views are:
sys.endpoints                       All endpoints and all generic properties
sys.database_mirroring_endpoints    The Database Mirroring endpoints
sys.service_broker_endpoints        The Service Broker endpoints
sys.soap_endpoints                  HTTP endpoints that carry a SOAP-type payload
sys.endpoint_webmethods             SOAP methods defined on endpoints
sys.tcp_endpoints                   All TCP endpoints and properties
sys.http_endpoints                  All HTTP endpoints and HTTP properties
sys.via_endpoints                   All VIA endpoints and properties

Further reading
Books on Line have plenty of examples of T-SQL configuration of endpoints and are good on the syntax of the CREATE ENDPOINT statement.
CREATE ENDPOINT (Transact-SQL)
ALTER ENDPOINT (Transact-SQL)
ENDPOINT (Transact-SQL)
How to: Configure the Database Engine to Listen on Multiple TCP Ports

Author profile: William Brewer
William Brewer is a SQL Server developer who has worked as a Database consultant and Business Analyst for several Financial Services organisations in the City of London. True to his name, he is also an expert on real ale.

Have Your Say

Subject: Mirroring
Posted by: Anonymous (not signed in)
Posted on: Monday, July 23, 2007 at 1:30 AM
Message:
Dear William
I found many things in your article really it was outstanding
Great!
Regards
Syed Naveed
Naveed_shah15@hotmail.com

Subject: Re: Mirroring
Posted by: W Brewer
Posted on: Tuesday, July 24, 2007 at 3:01 PM
Message:
Bless you Syed, and thank you. I needed that!

Subject: yes, but how do you make endpoints public?
Posted by: Anonymous (not signed in)
Posted on: Wednesday, July 25, 2007 at 8:11 AM
Message:
yes, but how do you make endpoints public?

Subject: Mirroring
Posted by: Anonymous (not signed in)
Posted on: Friday, August 3, 2007 at 4:02 AM
Message:
Thank you William for a simple non-confusing overview of endpoints. At last someone realises that this is the type of article that is needed when new technology is released.
Jane Howell

Subject: public endpoints
Posted by: Anonymous (not signed in)
Posted on: Monday, December 24, 2007 at 4:58 PM
Message:
yes, but how do you make endpoints public? I want to access it publicly..
mail me: jatin.purba@gmail.com

Subject: And then...?
Posted by: Anonymous (not signed in)
Posted on: Wednesday, April 2, 2008 at 2:43 PM
Message:
What next? Can you go one step further and show someone connecting to an endpoint in a simple manner? like, with IE or something?

Subject: Mirroring
Posted by: JamesBlueBlood
Posted on: Tuesday, August 4, 2009 at 1:54 AM
Message:
Hi,
can anyone give the complete material on Mirroring.. any videos.. any URL to download the Mirroring material in sql server..
thank you
BlueBlood

Subject: Great Article!!!
Posted by: Devashish
Posted on: Saturday, June 26, 2010 at 6:56 AM
Message:
SQL Server endpoints made really easy!!

Subject: .
Posted by: Cody
Posted on: Thursday, June 18, 2015 at 12:34 AM
Message:
The article states "once you create a new endpoint, the public permission for connection to the TCP system endpoint is dropped".
It wasn't clear to me what exactly constituted a "user" endpoint, for example if the service broker endpoint is created then will the public permissions on the default TCP TSQL endpoint be dropped?
The answer is no, I just tested it out. The connect permission only gets dropped if you create another FOR TSQL() endpoint.
