Changing the Default Communication Ports
PSQL communicates through three ports. Your firewall(s) and routers need to allow access to the following ports for remote access with the Server database engine:
3351 for the MicroKernel Engine
1583 for the Relational Engine
139 for named pipes (see note)
Typically, you do not need to modify the ports unless you have a conflict with them.
*Note: The Windows operating system uses port 139 for authentication to the operating system. An alternative to allowing access to port 139 through a firewall is to enable security on the PSQL database. Once security is enabled, users such as “Master” are authenticated to the database through the database’s own security features. See To turn on security using PSQL Explorer and To create a new user using PSQL Explorer, both in Advanced Operations Guide.
For the Relational Engine, port assignment 1583 is configurable on the server through the PSQL utilities. This port is manually configurable for clients. See TCP/IP Port in Advanced Operations Guide.
It is recommended that port assignment 3351 not be changed. If you must change it, contact PSQL Support.
Ensure that the port configurations match on both the server machine and all clients.
After changing your server listening port, you must stop and restart your PSQL engine for the port assignment changes to take effect. See the chapter Using PSQL in PSQL User's Guide.
Services File
The services file is a text file used by the operating system for network communications. In the services files, you can manually assign the ports used by PSQL Server and its clients. Be sure that the applicable ports listed in the services file are in agreement with the ports set by PSQL in the utilities and with the associated Windows Firewall rules.
After changing port assignments in the services file, you must stop then start the PSQL database engine for the changes to take effect.See Starting and Stopping the Database Engine in PSQL User's Guide.
Windows FireWalls
The installation of PSQL Server and PSQL Workstation performs certain actions pertaining to firewalls. Starting with Vista, Windows operating systems include Windows Firewall with Advanced Security, which provides firewall profiles (a group of security settings). These operating system enable the firewall by default. The following table summarizes the PSQL installation actions pertaining to the active profile(s).
Table 7
Installation Actions for Windows Operating Systems
Active Firewall Profile1
Rules Added for PSQL Services
State of Rules After Installation2
Multiple, such as
Domain
Private
Public
 
Domain—Yes
Private—Yes
Public—Yes
 
Domain—Enabled
Private—Enabled
Public—Disabled
Public only
Yes
Enabled
1 “Active” means that the profile is monitoring network connections.
2 An “enabled” rule means that inbound TCP and UDP traffic can communicate with the PSQL service on all ports for any network connection managed by that firewall profile.
As the table shows, if the Public profile is active with one or more other active profiles, the PSQL rules are added for the Public profile but disabled. Neither the interactive nor the silent installation of PSQL Server or Workgroup can be modified to change this behavior. If you want to enable the rules for the Public profile, you must do so manually. See To enable PSQL rules for the Public profile.
To enable PSQL rules for the Public profile
1
Open the console for Windows Firewall with Advanced Security.
2
Click Inbound Rules in the left pane.
3
Locate the desired PSQL rule in the list in the center pane.
Note that the rules are listed twice. The enabled rules (indicated by a check mark on a green circle) apply to profiles other than Public. The disabled rules apply to the Public profile.
4
Right-click on the disabled rule you want then click Properties.
5
Click the Advanced tab. Ensure that the Public profile is selected. If not, select it.
6
Click the General tab, then click the Enabled option.
7
Click OK.
8
Exit the console for Windows Firewall with Advanced Security.
Profile Changes After Installation
If you change a network profile after installation of PSQL, PSQL may no longer be able to accept communications. For example, assume that only the Private network profile was active during installation. At some point after installation, the active profile is changed to Domain (assume its settings are very different from those of Private). The database engine will no longer be able to communicate across the network.
If you change profiles or firewall rules in a way that prevents PSQL communications, refer to the steps in To enable PSQL rules for the Public profile. Use the steps as a general guideline for how to enable the PSQL rules for the active profile(s). This will allow the database engine to communicate again across the network.
Notes About Policies
A corporate policy may prevent a local administrator from modifying the firewall profiles on a particular machine (that is, the profile is “locked”). If so, the PSQL installation cannot add or enable the firewall rules required for the database engine to communicate across a network connection monitored by a locked profile. For such a situation, you should contact a corporate systems administrator and request that the firewall policy be modified to allow inbound TCP and UDP traffic on all ports to communicate with all installed PSQL services.
Also be aware that a Group Policy only prevents the installation from adding and enabling rules on firewall profiles controlled by the Group Policy when the target system is joined to the domain. If the user installing PSQL is logged into the target system as a local user instead of as a domain user, the installation does add and enable the rules on the firewall profiles. However, the rules are disabled if the target system is later joined to the domain controlling the Group Policy.