
Windows Firewall Service on MSCS


Peter Lindberg

Feb 9, 2010, 10:42:42 AM

I've set up our first sql2k8 cluster on w2k8 r2 and it works as
expected.

Now I've had a funny experience with the firewall. As I want it, the
firewall is started and the proper ports are open.

While helping a co-worker I stopped the Windows Firewall service on one
node, and what happens is that the opened ports are disabled and no SQL
(1433), RDP (3389) or ICMP traffic is allowed. That's fine, but as I
can't connect to my instance, I wonder: shouldn't it initiate a
failover? I can manually move the group between the nodes, and on the
node where the firewall service is on I can connect.

I also moved the cluster group back and forth.

I get that the heartbeat is working even with the firewall service
stopped, and that's why the group does not fail.

Of course I will keep the firewall service running, but shouldn't
there be a failover if the firewall service stops for any reason?

/Peter

Geoff N. Hiten

Feb 9, 2010, 11:10:14 AM
Windows 2008 (and R2) doesn't open specific ports. It allows applications
to access network resources. These applications correspond to specific,
signed binaries.

Here is an enumeration of the binaries for SQL Server 2005. SQL 2008
binaries are similarly located but with "100" instead of "90" in the path.

http://weblogs.sqlteam.com/geoffh/archive/2008/06/11/Secure--Unusable.aspx

--
Geoff N. Hiten
Principal SQL Infrastructure Consultant
Microsoft SQL Server MVP


"Peter Lindberg" <plT...@AWAYlg.se> wrote in message
news:4b716dc4....@msnews.microsoft.com...

Peter Lindberg

Feb 15, 2010, 5:32:33 AM
Geoff, I'm sorry but I don't understand your answer.

OK, I opened ports according to http://support.microsoft.com/kb/968872. Is
it better practice to set up a rule for sqlservr.exe and
sqlbrowser.exe instead of following that KB?


What I still don't get is why I don't get a group failover of the
SQL Server group when SQL Server is not available because the
firewall service is stopped. To recreate this it doesn't
matter which way I choose to open the firewall.

Here is what I expect to get and also get:
I get a failover if I lose the public network.
I get no failover if I lose the heartbeat network (internal through public).
I get a failover if the server reboots or BSODs.

But if the Windows Firewall service has failed or been stopped, I just
get an inaccessible SQL instance. Why can't the cluster identify it as
an error and fail the group?

/Peter

On Tue, 9 Feb 2010 11:10:14 -0500, "Geoff N. Hiten"
<SQLCra...@gmail.com> wrote:

Geoff N. Hiten

Feb 15, 2010, 9:47:08 AM
Stopping the Windows Firewall service often breaks Windows networking. You
can set the firewall to OFF and it will work. No network means no IP
address, which is one of the SQL dependencies, so SQL will not come online.
In addition, something breaks the network resource DLL so it doesn't
recognize the failure correctly. You cannot turn off the firewall service;
you must either set specific ports or turn off the firewall via Control
Panel/Computer Management.

Windows Firewall does not work like an external firewall. External
firewalls block ports and IP addresses. Windows Firewall allows (or denies)
access to the network for specific signed executables. The blog post shows
how to add the key SQL executables to the allowed list.

--
Geoff N. Hiten
Principal SQL Infrastructure Consultant
Microsoft SQL Server MVP


"Peter Lindberg" <plT...@AWAYlg.se> wrote in message

news:4b75c98e....@msnews.microsoft.com...
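Added example, not from the thread or from either poster: the two rule styles discussed above side by side on a Windows Server 2008 R2 node, entered from an elevated PowerShell prompt with netsh advfirewall (the native tool on that release), followed by the one check the thread shows the cluster will not do for you, the state of the firewall service itself. The instance name MSSQLSERVER, the binary paths, the rule names and the domain-profile choice are assumptions for illustration; verify the paths in SQL Server Configuration Manager before running it.

```powershell
# Added example (not from the thread). Assumes an elevated prompt on a
# Windows Server 2008 R2 cluster node with a default SQL Server 2008 instance
# (MSSQL10.MSSQLSERVER). Paths, rule names and profile are illustrative.

$ErrorActionPreference = 'Stop'

# Assumed install locations (SQL 2008 uses "100" in the instance path as
# Geoff notes; SQL Browser still ships under the 90\Shared folder).
$sqlservr   = 'C:\Program Files\Microsoft SQL Server\MSSQL10.MSSQLSERVER\MSSQL\Binn\sqlservr.exe'
$sqlbrowser = 'C:\Program Files (x86)\Microsoft SQL Server\90\Shared\sqlbrowser.exe'

foreach ($p in $sqlservr, $sqlbrowser) {
    if (-not (Test-Path $p)) { throw "Binary not found: $p" }
}

# Style 1: port-based rules, the approach taken in KB 968872.
netsh advfirewall firewall add rule name="SQL Server TCP 1433" dir=in action=allow protocol=TCP localport=1433 profile=domain
netsh advfirewall firewall add rule name="SQL Browser UDP 1434" dir=in action=allow protocol=UDP localport=1434 profile=domain

# Style 2: program-based rules, which is what Geoff's post recommends: allow
# the signed SQL binaries whatever port the instance happens to listen on.
netsh advfirewall firewall add rule name="SQL Server (sqlservr.exe)" dir=in action=allow program="$sqlservr" enable=yes profile=domain
netsh advfirewall firewall add rule name="SQL Browser (sqlbrowser.exe)" dir=in action=allow program="$sqlbrowser" enable=yes profile=domain

# Turning the firewall OFF is done per profile (the netsh equivalent of the
# Control Panel switch), never by stopping the service. Commented out here;
# leave the firewall on in production.
# netsh advfirewall set allprofiles state off

# The service itself (MpsSvc) must stay running. Since the cluster will not
# fail the group when it stops, the service state is what to alert on.
$fw = Get-Service -Name MpsSvc
if ($fw.Status -ne 'Running') {
    Write-Warning "Windows Firewall service is $($fw.Status); traffic to this node will be blocked"
} else {
    Write-Host "Windows Firewall service is running; program rule as stored:"
    netsh advfirewall firewall show rule name="SQL Server (sqlservr.exe)"
}
```

The program rules are the ones that keep working if the instance is later moved to a non-default or dynamic port; the port rules are what KB 968872 describes and are the ones the original poster had in place. Either style only matters while MpsSvc is running, which is the point of the final check.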

Peter Lindberg

Feb 16, 2010, 2:00:32 AM
I understand that the FW should be on, I also wrote that it's intended
to be on in my first message.

My question has nothing to do with external FW.

My opinion is that high availability should mean that the SQL group
fails over when it's inaccessible from outside. When the FW service is off
(doesn't matter why), SQL is inaccessible from outside, and as I read
your answer it's meant to be so.

Thank you for trying to explain, but I don't think it's high
availability!

It's very easy to recreate: set up a W2K8 R2 cluster with SQL2K8 and
connect to SQL via SSMS from outside. Stop the FW service on the cluster node
owning the SQL group and SSMS can no longer access SQL. If you
move the group to the other node, SSMS can connect again.

In my setup I have one public nic and one internal nic.

/Peter


On Mon, 15 Feb 2010 09:47:08 -0500, "Geoff N. Hiten"
