Windows | 2014. 5. 8. 14:47

Source: http://dsfnet.blogspot.kr/2013/04/windows-server-clustering-sql-server.html

Windows Server Failover Clustering/SQL Server Firewall Access Rule



This document identifies the firewall access rules that need to be requested for Windows Server Clustering/SQL Server. Many of these rules are set up for access across a Windows Server 2012 Multi-Subnet Cluster.

NOTE: It is recommended that you specify the specific IP addresses [or subnet mask] for all Windows Server Cluster and SQL Server nodes/hosts [including Availability Group Listeners] so the firewall rules will work properly.

SPECIAL NOTE: You need to review and, if needed, modify the dynamic port range on each Windows Server Cluster node/host to a company/policy-acceptable range for certain dynamic TCP/UDP traffic. The default range for Windows Server 2003 is 1025-5000, but it was changed for Windows Server 2008 through 2012 to 49152-65535.


Refer to the following articles regarding the firewall port requirements.


Windows Server Clustering

TCP/UDP   Port          Description
TCP/UDP   53            User & Computer Authentication [DNS]
TCP/UDP   88            User & Computer Authentication [Kerberos]
UDP       123           Windows Time [NTP]
TCP       135           Cluster DCOM Traffic [RPC, EPM]
UDP       137           User & Computer Authentication [NetLogon, NetBIOS]
UDP       138           DFS, Group Policy [DFSN, NetLogon, NetBIOS Datagram Service]
TCP       139           DFS, Group Policy [DFSN, NetLogon, NetBIOS Datagram Service]
UDP       161           SNMP
TCP/UDP   162           SNMP Traps
TCP/UDP   389           User & Computer Authentication [LDAP]
TCP/UDP   445           User & Computer Authentication [SMB, SMB2, CIFS]
TCP/UDP   464           User & Computer Authentication [Kerberos Change/Set Password]
TCP       636           User & Computer Authentication [LDAP SSL]
TCP       3268          Microsoft Global Catalog
TCP       3269          Microsoft Global Catalog [SSL]
TCP/UDP   3343          Cluster Network Communication
TCP       5985          WinRM 2.0 [Remote PowerShell]
TCP       5986          WinRM 2.0 HTTPS [Remote PowerShell SECURE]
TCP/UDP   49152-65535   Dynamic TCP/UDP [Defined Company/Policy {CAN BE CHANGED}]

SQL Server

TCP/UDP   Port          Description
TCP       1433          SQL Server/Availability Group Listener [Default Port {CAN BE CHANGED}]
UDP       1434          SQL Server Browser
UDP       2382          SQL Server Analysis Services Browser
TCP       2383          SQL Server Analysis Services Listener
TCP       5022          SQL Server DBM/AG Endpoint [Default Port {CAN BE CHANGED}]
UDP       49152-65535   Dynamic TCP/UDP [Defined Company/Policy {CAN BE CHANGED}]

Example [Multi-Subnet Setup]:
Subnet #1 – 10.10.33.192/26
Subnet #2 – 10.11.33.192/26


Active Directory Traffic:
  Source IP Range:      10.10.33.192/26, 10.11.33.192/26
  Destination IP Range: [Active Directory Servers]
  TCP Ports:            53,88,389,464,636,3268,3269
  UDP Ports:            53,88,389,464

SCOM/SNMP Traffic:
  Source IP Range:      [SCOM/SNMP Servers]
  Destination IP Range: 10.10.33.192/26, 10.11.33.192/26
  TCP Ports:            162
  UDP Ports:            161,162


Windows Server Failover Clustering Traffic:
  Source IP Range:      10.10.33.192/26, 10.11.33.192/26
  Destination IP Range: 10.11.33.192/26, 10.10.33.192/26
  TCP Ports:            135,139,445,1433,2383,3343,5022,5985,5986
  UDP Ports:            137,138,445,1434,2382,3343,49152-65535


Windows Time Traffic:
  Source IP Range:      10.10.33.192/26, 10.11.33.192/26
  Destination IP Range: [NTP Servers]
  TCP Ports:            N/A
  UDP Ports:            123


Client SQL Server Access Traffic:
  Source IP Range:      [Client Application Servers]
  Destination IP Range: 10.10.33.192/26, 10.11.33.192/26
  TCP Ports:            1433,2383
  UDP Ports:            1434,2382
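The cluster and client rule sets above, applied on one cluster node with the Windows Firewall cmdlets, as an added example that is not code from the original post: each rule is scoped with -RemoteAddress to the peer subnets or the client range, as the NOTE recommends, and the script finishes by listing the rules and the current dynamic port range so it can be checked against the 49152-65535 entry. The rule-group name, display names and the client subnet 10.20.0.0/24 are assumptions.

```powershell
# Added example: scoped inbound rules for the post's "Windows Server Failover Clustering
# Traffic" and "Client SQL Server Access Traffic" sets. Run elevated on each node.
$ClusterSubnets = @('10.10.33.192/26', '10.11.33.192/26')   # subnets from the post
$ClientSubnets  = @('10.20.0.0/24')      # placeholder for [Client Application Servers]
$RuleGroup      = 'WSFC-SQL Cluster Traffic'               # assumed group name for audit/cleanup

# Port lists copied from the post's rule sets.
$ClusterTcp = @('135','139','445','1433','2383','3343','5022','5985','5986')
$ClusterUdp = @('137','138','445','1434','2382','3343','49152-65535')
$ClientTcp  = @('1433','2383')
$ClientUdp  = @('1434','2382')

# Remove any earlier rules in this group so the script can be re-run safely.
Get-NetFirewallRule -Group $RuleGroup -ErrorAction SilentlyContinue | Remove-NetFirewallRule

$RuleSpecs = @(
    @{ Name = 'WSFC/SQL cluster peers TCP'; Proto = 'TCP'; Ports = $ClusterTcp; From = $ClusterSubnets },
    @{ Name = 'WSFC/SQL cluster peers UDP'; Proto = 'UDP'; Ports = $ClusterUdp; From = $ClusterSubnets },
    @{ Name = 'SQL client access TCP';      Proto = 'TCP'; Ports = $ClientTcp;  From = $ClientSubnets  },
    @{ Name = 'SQL client access UDP';      Proto = 'UDP'; Ports = $ClientUdp;  From = $ClientSubnets  }
)

foreach ($spec in $RuleSpecs) {
    # -RemoteAddress restricts who may reach the port; -Profile Domain keeps the rule
    # off public/private profiles if a node ever lands on an unexpected network.
    New-NetFirewallRule -DisplayName $spec.Name -Group $RuleGroup `
        -Direction Inbound -Action Allow -Profile Domain `
        -Protocol $spec.Proto -LocalPort $spec.Ports `
        -RemoteAddress $spec.From | Out-Null
}

# Verification: show each rule with its protocol, ports and allowed remote range.
Get-NetFirewallRule -Group $RuleGroup | ForEach-Object {
    $pf = $_ | Get-NetFirewallPortFilter
    $af = $_ | Get-NetFirewallAddressFilter
    '{0,-28} {1,-4} {2,-50} from {3}' -f $_.DisplayName, $pf.Protocol,
        ($pf.LocalPort -join ','), ($af.RemoteAddress -join ',')
}

# The 49152-65535 rule only matches traffic if the node's dynamic range agrees with it.
netsh int ipv4 show dynamicport tcp
netsh int ipv4 show dynamicport udp
```

If the dynamic range printed by netsh differs from 49152-65535, change either the range on the node or the port entry in the rule so the two agree before the rule is requested.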

Posted by 배움나눔