March 4, 2002 at 8:22 am
Hello,
My firm is developing an Active Server Pages application that connects to SQL Server 2000 (SP1) from an IIS web server through a firewall using ADO. My client wishes to block port 137 at the firewall for security reasons. However, this causes performance to degrade dramatically. In this configuration, it takes 5 seconds just to establish an ADO connection from the web server to the database server.
Named Pipes is disabled from the SQL client utility at the web server and the ADO connect string explicitly specifies the IP address, port (1433) and preferred network library (network=dbmssocn) -- also using standard security to login. Despite this attempt to force use of TCP/IP, monitoring of the firewall shows a lot of blocked traffic on port 137 when the application tries to connect.
On the database server, Named Pipes is enabled in the Server Network Utility and "NetBIOS over TCP/IP" is also enabled. I'm told the latter is needed for ARCServe backup to function properly. If "NetBIOS over TCP/IP" is disabled on the database server, then the performance seems better even with port 137 blocked but apparently this causes problems with ARCServe.
Has anyone else experienced this problem and how did you solve it?
Many thanks in advance
March 4, 2002 at 9:14 am
I did a quick netmon trace and here's what I saw...
After specifying the IP address in Query Analyzer (2K), the first thing that the client did was make a call to the DNS server to do a reverse lookup. Then after that, it did use port 137 to the server in question to query for NetBIOS services from <00...(15)>. The server responded with all available services within that range (talking to an internal server, not blocking ports). So even with TCP and an IP address, it does indeed look like it will try and gather a list of NetBIOS resources from said server. Looks like it's time to hit the MS Knowledge Base...
K. Brian Kelley
http://www.sqlservercentral.com/columnists/bkelley/
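The port-137 traffic Brian saw in his trace is, in NetBIOS name service terms, the wildcard node status query (the same datagram `nbtstat -A` sends) and the server's answer is the list of registered names and suffixes. The following is an added example, not code from this thread or from any poster, that encodes and decodes NetBIOS first-level names (RFC 1001/1002), builds that wildcard query, and parses a node status response so that a UDP/137 payload pulled from a firewall or sniffer capture can be identified for what it is. That the traffic in the trace was exactly this query type is an assumption; the host name `DBSRV01` and the service entries in the sample response are constructed.

```python
# Added example: identify NetBIOS name service (UDP/137) datagrams such as
# the wildcard node status query a Windows SQL client emits before connecting.
import struct

NB = 0x0020       # NetBIOS general name service RR type
NBSTAT = 0x0021   # node status RR type (what nbtstat -A asks for)
SUFFIX_NAMES = {0x00: "Workstation", 0x03: "Messenger", 0x20: "File Server"}


def encode_netbios_name(name: str, suffix: int = 0x00, pad: bytes = b" ") -> bytes:
    """First-level encode a 16-byte NetBIOS name: each nibble becomes one of 'A'..'P'."""
    raw = name.upper().encode("ascii")[:15].ljust(15, pad) + bytes([suffix])
    return bytes(b for c in raw for b in (0x41 + (c >> 4), 0x41 + (c & 0x0F)))


def decode_netbios_name(encoded: bytes):
    """Reverse of encode_netbios_name; returns (name, suffix)."""
    if len(encoded) != 32 or any(not 0x41 <= c <= 0x50 for c in encoded):
        raise ValueError("not a first-level encoded NetBIOS name")
    raw = bytes(((encoded[i] - 0x41) << 4) | (encoded[i + 1] - 0x41) for i in range(0, 32, 2))
    return raw[:15].rstrip(b" \x00").decode("ascii"), raw[15]


def build_node_status_request(txid: int = 0x0001) -> bytes:
    """Header (1 question) + the '*' name padded with NULs + QTYPE NBSTAT, QCLASS IN."""
    header = struct.pack(">HHHHHH", txid, 0x0000, 1, 0, 0, 0)
    qname = b"\x20" + encode_netbios_name("*", pad=b"\x00") + b"\x00"
    return header + qname + struct.pack(">HH", NBSTAT, 0x0001)


def classify_nbns_packet(payload: bytes) -> dict:
    """Parse the header and the first name record (question or answer) of a UDP/137 datagram."""
    if len(payload) < 50:
        raise ValueError("datagram too short for a NetBIOS name service packet")
    txid, flags, qdcount, ancount, nscount, arcount = struct.unpack(">HHHHHH", payload[:12])
    if payload[12] != 0x20 or payload[45] != 0x00:
        raise ValueError("unexpected name label layout")
    name, suffix = decode_netbios_name(payload[13:45])
    rtype, rclass = struct.unpack(">HH", payload[46:50])
    return {
        "txid": txid,
        "response": bool(flags & 0x8000),
        "name": name,
        "suffix": suffix,
        "type": rtype,
        # True for the wildcard node status query: the 'enumerate your services' request
        "nbstat_query": not (flags & 0x8000) and rtype == NBSTAT and name == "*",
    }


def build_node_status_response(txid: int, names) -> bytes:
    """Constructed server reply: NUM_NAMES entries of 15-byte name, suffix, 2-byte flags, then statistics."""
    header = struct.pack(">HHHHHH", txid, 0x8400, 0, 1, 0, 0)
    rrname = b"\x20" + encode_netbios_name("*", pad=b"\x00") + b"\x00"
    body = bytes([len(names)])
    for name, suffix, flags in names:
        body += name.upper().encode("ascii").ljust(15, b" ") + bytes([suffix]) + struct.pack(">H", flags)
    body += b"\x00" * 46  # statistics block (MAC address and counters), zeroed in this constructed sample
    return header + rrname + struct.pack(">HHIH", NB, 0x0001, 0, len(body)) + body


def parse_node_status_response(payload: bytes):
    """Return [(name, suffix, flags)] from a node status response: the 'available services' list."""
    info = classify_nbns_packet(payload)
    if not info["response"]:
        raise ValueError("not a response datagram")
    num_names = payload[56]  # 12 header + 34 name + type/class/TTL/RDLENGTH
    entries = []
    for i in range(num_names):
        off = 57 + 18 * i
        name = payload[off:off + 15].rstrip(b" ").decode("ascii")
        suffix = payload[off + 15]
        (flags,) = struct.unpack(">H", payload[off + 16:off + 18])
        entries.append((name, suffix, flags))
    return entries


if __name__ == "__main__":
    req = build_node_status_request(0x1234)
    print("query:", classify_nbns_packet(req))
    sample = build_node_status_response(0x1234, [("DBSRV01", 0x00, 0x0400), ("DBSRV01", 0x20, 0x0400)])
    for name, suffix, flags in parse_node_status_response(sample):
        print(f"{name}<{suffix:02X}> {SUFFIX_NAMES.get(suffix, 'unknown')} flags={flags:#06x}")
```

Feeding the payload of a blocked UDP/137 datagram to `classify_nbns_packet` confirms whether the traffic the firewall logs is this benign-looking wildcard query from the client library rather than something else, which is what you want to know before deciding whether the port can stay closed.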
March 4, 2002 at 10:28 am
I believe, if I remember correctly, that you cannot disable NetBIOS requests and that it is always checked first, as this is the provider that will tell about shares and other available resources on the machine. Then it will attempt to negotiate, if no response, without it, assuming the defined request is correct, until the timeout period, at which time it will fail. I will see if I can find the information on this again and hope I made this understandable.
"Don't roll your eyes at me. I will tape them in place." (Teacher on Boston Public)
March 4, 2002 at 1:12 pm
What's "a lot" of traffic? Have done this and not seen substantial overhead.
Steve Jones
March 4, 2002 at 1:48 pm
quote: What's "a lot" of traffic? Have done this and not seen substantial overhead. - Steve Jones
Hi Steve, thanks for responding.
"A lot" was a poor description - I should know better 🙂
The gist is that when port 137 is blocked it's taking about 5 seconds to establish a connection from the web server to the SQL server through the firewall.
When port 137 is opened, it takes less than 1 second to establish the connection.
To measure, we've created a very simple ASP page that simply opens and closes a connection to the database, recording the time before and after.