The Mole #1: Technical Answers from Inside Microsoft - Firewalls, Disk Management & Terminal Server

January 18, 1999

Editor's Note: The questions and answers below are from the Inside Microsoft column that appears regularly on the TechNet Web site (https://www.microsoft.com/technet). To find out how to submit questions of your own, see the end of this article or go to https://www.microsoft.com/technet/community/columns/insider/default.mspx.

The TechNet Mole provides expert answers from deep within Microsoft to questions from IT professionals. The first installment focuses on these issues:

  • Across the Firewall: Configuring Public Web Servers that Access SQL Server

  • Disk Storage, Performance, and Protection

  • Mole's Special Guests Talk Terminal Server

Across the Firewall: Configuring Public Web Servers that Access SQL Server

Dear Mole:

Proper configuration of public web servers that access SQL Server behind a firewall has always been a headache for me. I have not found a white paper that properly addresses what functionality is affected by shutting down services and ports on the firewall.

I also need to know how to properly set up the physical drives to provide the best I/O for NT, SQL, IIS, etc. I find a lot of people do not understand the performance increase they can achieve by separating the logging, data and operating system functions onto separate physical disks, including what type of RAID (preferably hardware) configuration is best for each situation. Please elucidate.

Toby Gosney, Information Services Manager for the Washington State Department of Tourism

Hey, Toby,

When you set up SQL Server, you declare certain Network Libraries for use by the SQL Server. Examples of these are Named Pipes (the default), TCP/IP Sockets, Banyan VINES SPP and IPX/SPX. The port that you need for the firewall to pass from the Web server as incoming data to SQL Server is declared in SQL Server Setup, under Select Network Protocols.

You can change this after installation by running SQL Server Setup and choosing to Change Network Support from the Microsoft SQL Server 6.5—Options screen. For example, you probably communicate from your Web Server to your SQL Server using TCP/IP sockets. You may have decided to change the default port from 1433 to some other value. Whatever the value, you need to open up your firewall or proxy server, using packet filtering, to that particular port. You need only pass incoming data using this port, as it is a listening port for SQL Server.

Microsoft Proxy Server 2.0 offers packet filtering as an option. If you turn it on, most ports are blocked until you choose which ones to open up. Use SQL Server Setup to find or change which port you use, and then pass incoming traffic to that port through your proxy server to your backend SQL Server. You can also use IPX/SPX between your IIS Web server and the SQL Server across the firewall. Internet users, who arrive over TCP/IP, cannot traverse an IPX/SPX segment; this protocol isolation provides additional security alongside the firewall or proxy server.
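As an added illustration (not code from the column or from Microsoft), here is a small Python model of the inbound policy just described: the filter passes new TCP connections only from the web server to the SQL Server listening port (1433 unless you changed it in Setup), and passes follow-on traffic only for connections it already admitted. The addresses are constructed sample values.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed sample addresses for the example; substitute your own.
WEB_SERVER = "192.0.2.10"      # IIS host on the public side of the filter
SQL_SERVER = "10.0.0.5"        # SQL Server behind the firewall
INTERNET_HOST = "198.51.100.7" # an arbitrary Internet client

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool   # True for a new connection attempt, False for follow-on traffic

class SqlPacketFilter:
    """Minimal stateful packet filter: one allow rule for the SQL Server
    listening port, reachable only from the web server, plus a connection
    table so that replies on admitted connections can flow back out."""

    def __init__(self, web_server: str, sql_server: str, sql_port: int = 1433):
        # (source network, destination host, destination port)
        self.rules = [(ip_network(f"{web_server}/32"), ip_address(sql_server), sql_port)]
        self.connections = set()   # (client, client_port, server, server_port)

    def admit(self, p: Packet) -> bool:
        src, dst = ip_address(p.src), ip_address(p.dst)
        if p.syn:
            # New connection: only the web server may open the SQL port.
            for src_net, dst_host, dport in self.rules:
                if src in src_net and dst == dst_host and p.dport == dport:
                    self.connections.add((p.src, p.sport, p.dst, p.dport))
                    return True
            return False
        # Established traffic: allowed in either direction of a known connection,
        # so a spoofed "reply" from the Internet with no matching entry is dropped.
        forward = (p.src, p.sport, p.dst, p.dport)
        reverse = (p.dst, p.dport, p.src, p.sport)
        return forward in self.connections or reverse in self.connections
```

Changing the port in SQL Server Setup means constructing the filter with the same `sql_port`; the old port is then closed along with everything else inbound.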

Good TechNet CD references include **164667:** Replication Setup over a Firewall, MS SQL Server 6.5 Internet Deployment and Planning Guide (especially the Deployment section), as well as the Deployment section of Part 2: Planning and Deploying Your MS SQL Server Solution in the BackOffice Resource Kit 2nd edition. For an overview, tips, and best practices on building Internet security, read Designing and Planning Windows NT External Security.

Disk Storage, Performance, and Protection

You also had some questions about separating functions by disk for enhanced performance, especially when using RAID. In most data centers, you will be using a drive array with multiple SCSI drives that can be configured into different RAID levels depending on your needs. The software RAID available in the Windows NT operating system is not usually chosen for production-level data centers.

The best performance for disk reads comes from RAID 0, striping without parity, but there is no protection from drive failure. The best protection from drive failure is RAID 1, disk mirroring. With a drive array from a hardware vendor, you can configure RAID 0+1, using the best of both worlds, and you might guess that the arrangement is referred to as RAID 10. You should also consider using Microsoft Cluster Server with SQL Server 6.5, Enterprise Edition. Clustering permits a server failure to "failover" to a clustered SQL Server that may be sharing the disk array.

When you want to find out how to divide your SQL Server data, logs, NT operating system, and other applications among members of your drive array, you will need to make a careful study using the NT Performance Monitor tool. While we can suggest some guidelines, it won't likely be perfect for your particular situation. SQL Server transaction logs should be stored on separate drive arrays from the SQL Server data for two main reasons. The first is enhanced recoverability when the logs are on their own device. The second reason is performance. Transaction logging involves mostly sequential writes to the log. This contrasts sharply with the type of disk access done to most SQL Server data, which is much more random. Having the data and logs on different drive arrays allows each type of access to occur without contention.

The question about operating system performance leads to an analysis of the Windows NT use of a storage device. We find that portions of the OS have different storage needs. Putting the virtual memory paging file PAGEFILE.SYS on a separate physical drive and controller from the Windows NT System Partition will give increased performance, because there will be less contention among the tasks requiring disk access.

Good TechNet articles to read about disk performance and monitoring are:

Mole's Special Guests Talk Terminal Server

The mail has been full of questions about sharing Microsoft Office applications on mixed NT/UNIX networks. Mole asked his buddies from the NT/UNIX Interoperability Support Team to stop by the burrow and chat about the Terminal Server solution.

Mark Olsen and Patrick Doherty work with top Sun VARs and with corporate clients to ease the pain inherent in today's increasingly frequent mixed-platform marriages. Both are unusual among IT guys for having been certified on Microsoft platforms before earning their UNIX credentials.

Mole: Okay, tell us. What is the best way to have it all?

Mark Olsen: Windows Terminal Server Edition allows you to run applications centrally on one server and display the environment on multiple different desktops, whether Windows or UNIX. There's a couple of different ways of doing that. With the use of Terminal Server and some third-party products, you can actually run an X-session from a UNIX workstation and be able to connect up to the Terminal Server and run applications off Terminal Server. You can run the Terminal Server environment in a window on a UNIX box, and run all your Office applications that way.

Pat Doherty: It gives the user the ability to run those standard Office applications and continue to use their UNIX workstation for whatever they want it for.

Mole: Does the UNIX workstation look like Windows at that point?

Mark Olsen: If you run it in a Windows environment, it makes it look exactly like Windows NT. There are very few limitations to the applications you can run, I can't even think of any offhand. Productivity applications, anyway. If you're running an X-session, it's possible to make the workstation boot up and look exactly like that environment.

Mole: Is it hard to set up?

Pat Doherty: It's not too difficult. You can download client software from the Citrix website. They provide a product called MetaFrame, and that client is free. Anyone can download and install it. It installs just like any other UNIX app, pretty much an automated install.

Mark Olsen: On the server side, you do need to purchase the MetaFrame component to run on the server. That needs to be licensed through Citrix. That's what allows non-Windows clients to connect to Terminal Server via the ICA protocol.

Mole: How many desktops can you run off one Terminal Server?

Mark Olsen: It's really going to depend on the size of the server--memory, processor, hard disk sizes. And it depends on the load. If you have users who are running multiple apps and using all the applications all the time, you're going to want to put maybe fifty users per server on a dual Pentium II with 512 megs of RAM. If you get somebody that just needs access to email or a word processor, single or occasional double use of applications, you're looking at maybe 150 users on same server. You definitely want to test your environment, in a lab environment first.

Mole: How does Terminal Server work in a client-server database environment?

Pat Doherty: Let's take a 3-tier environment. You would almost use it as the first tier. It's going to provide all the client components for connecting to a database. Let's say you had a SQL Server database running on a different server and you needed to install a custom Visual Basic application to all of your clients, and you have a number of UNIX clients. One thing you could do is install a Terminal Server and install the custom VB app on there and allow your UNIX clients to run a Terminal Server session with that VB application open to connect to that database.

That would be a recommended solution if someone already had a Visual Basic application for the client and they already had a SQL server out there.

Mark Olsen: One thing we recommend is that if someone is developing a database and they have mixed clients, they develop the client applications using Microsoft Transaction Server and actually make the client side a Web-based client. Then you can actually take advantage of things like Dynamic HTML and other ActiveX technology Microsoft attaches to the client by using Internet Explorer for UNIX on HP-UX, and also Solaris.

Pat Doherty: From a client support side of things, it makes life very easy. There are other ISVs out there developing applications that work with Transaction Server and Internet Explorer. One example is McAfee, which makes a product called Net Tools. One of the components of their next version will be developed using Transaction Server for that purpose, so you can administer your network from anywhere using the browser.

Got Questions? Mail the Mole

Ever wish you had your own Mole to dig out answers? Now you do. Send your questions to [closed account]. And if you think you have a better answer than Mole's, or a different one, send that along, as well. Mole's always looking for new friends.

Credits

Mole thanks Mark Wheatley, MCSE. With fifteen years of industry experience, and certification in multiple platforms, Mark is a technical educator with Aris Corporation and a frequent consultant to Microsoft support teams.