Home ยป Computers ยป Servers ยป SQL Server Firewall and performance tweaks
Servers

SQL Server Firewall and performance tweaks

SQL Server Firewall and performance tweaks
Brandon LeeJune 20, 2014Last Updated: June 20, 2014
2 minutes read
autotunefeat1
autotunefeat1

Everyone, I wanted to pass along a few Windows firewall tweaks that I have found useful with building a SQL server on Windows 2008 server or higher. ย The following simple tweaks can really help with issues you may see involving general connectivity as well as performance issues that may happen due to TCP autotuning.

For a general SQL Server build on Windows 2008 server or higher, the following Windows Firewall tweaks can be made toย allow proper communication with the server as well as communication between a server and other SQL servers or failover cluster servers running SQL. ย Make sure to run these from an elevated command prompt.

  • Add the following rule to allow SQL communication from domain scope with management studio: ย netsh advfirewall firewall add rule name = SQLPort dir = in protocol = tcp action = allow localport = 1433 remoteip = localsubnet profile = DOMAIN
  • Configure the TCP autotuning. ย Starting withย Windows Vista/7 and newer OS’s, they have the ability to automatically change their own TCP Window auto-tuning behavior to a more conservative state regardless of any user settings. ย To disable autotuning which can cause some issues with SQL connectivity at times, you can use the commandย netsh int tcp set global autotuninglevel=disabled
  • Configure RSS tuning. ย The receive-side scaling setting enables parallelized processing of received packets on multiple processors, while avoiding packet reordering. It avoids packet reordering y separating packets into โ€œflowsโ€, and using a single processor for processing all the packets for a given flow. ย This may be one that you want to play around with as well, however to enable rss use the following command. ย Disabling is as simple as replacing the enabled with disabled- netsh int tcp set global rss=enabled
  • If DB Mail is needed, make sure your AV client is set to allow port 25 as many filter this due to mass mailing worms. ย McAfee in particular has an access protection module that needs to be set to allow port 25 traffic to send email from the box which is disabled by default
  • Failover cluster connectivityย can be allowed to internal cluster servers by addingย an internal custom DOMAIN scope rule that allows the IP Address of the Cluster node name as well as the individual IPs of each node themselves. ย You can simply set this rule to allow All Programs to those internal IPs. 
Brandon LeeJune 20, 2014Last Updated: June 20, 2014
2 minutes read

Subscribe to VirtualizationHowto via Email ๐Ÿ””

Enter your email address to subscribe to this blog and receive notifications of new posts by email.



Photo of Brandon Lee

Brandon Lee

Brandon Lee is the Senior Writer, Engineer and owner at Virtualizationhowto.com, and a 7-time VMware vExpert, with over two decades of experience in Information Technology. Having worked for numerous Fortune 500 companies as well as in various industries, He has extensive experience in various IT segments and is a strong advocate for open source technologies. Brandon holds many industry certifications, loves the outdoors and spending time with family. Also, he goes through the effort of testing and troubleshooting issues, so you don't have to.

Related Articles

profilesthumb

Moving User Profiles to a new server

September 30, 2011

Exporting a Godaddy wildcard certificate from IIS to Tomcat

June 29, 2011
binderror1

IIS Edit Bindings error 80 is an invalid IP address

June 11, 2013

Styling of New Dell Servers and Racks

April 8, 2011

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.