SQL Server – Configure to Associate User Login with Specific Port

configurationlistenersql server

We have SQL Server instances that sit in our DMZ, and associated firewall rules to allow access to them from our corporate network.

The server is correctly listening on the configured ports, but now I need to configure the RDBMS to grant access to specific users on a specific port.

Apparently there is a T-SQL script that will do what I need, but I can't find it anywhere. Can anyone point me in the right direction or alternatively, show me how to do this using Management Studio's GUI?

Best Answer

See the instructions at:

Configure the Database Engine to Listen on Multiple TCP Ports

To set up a new TDS endpoint a code sample is:

USE master;
GO
CREATE ENDPOINT [CustomConnection]
STATE = STARTED
AS TCP
   (LISTENER_PORT = 1500, LISTENER_IP =ALL)
FOR TSQL() ;
GO

The side-effect of creating a Custom Connection is that you will need to reestablish the Default Connection:

GRANT CONNECT ON ENDPOINT::[TSQL Default TCP] to [public];

Then to grant access to the CustomConnection endpoint to the SQLSupport group (as an example), you could use something like this:

GRANT CONNECT ON ENDPOINT::[CustomConnection] to [corp\SQLSupport] ;
GO

Read the other details in that post that may need configuring.

Related Solutions

SQL Server MaxDop Settings – Multi-instance Standard Edition Configuration

1. Should I have at least one logical processor per instance, given that I currently only have 4 logical processors for 6 instances and MAX_DOP set to 0?

That depends, how much CPU usage is each instance using on average? You can get this information from the default health session extended event that is running (assuming 2008+).

Four logical processors may be perfectly adequate for this workload - we won't know until we have data. Having said that, since each instance of SQL Server acts on its' own and has no idea of the other instances installed, I'm sure Windows isn't too happy about swapping threads.

I'd take a look at my wait stats dmv and see if we have a higher percentage of wait time on the signal_wait part which would indicate scheduling issues and possible contention between instances. Additionally I'd trend this with the cpu context switches to see if there is a weak or direct correlation with "bad times" and "good times" of instance health.

My gut, though, tells me that unless these are woefully underutilized instances that this server is bound for issues - whether they are happening now or in a few months from now.

2. If I had one logical processor per instance, should I leave MAX_DOP at 0 or limit each instance to MAX_DOP = 1?

MAXDOP just limits the number of logical processors ('schedulers') that a single parallel query may use during execution. There is nothing stopping SQL Server from running multiple parallel queries; in fact I've diagnosed and fixed this very issue a multitude of times for places that didn't even know they had a scheduling problem (it was looked at as a "blocking" problem).

Setting MAXDOP to 1 essentially makes all user queries single threaded. This, again, doesn't stop SQL Server from executing more than a single task at a time as it merely forces serial executions. This means each instance has four (4) visible online schedulers for a total of 4*x number of instances possible concurrent queries. Setting MAXDOP here doesn't solve the issue of being logically overburdened, not taking into account the actual setting of the virtual server as to whether or not it can run on hyper threaded (if enabled) cores. Yikes.

I'm not saying forcing MAXDOP to 1 is good or bad, just that we have no data to go on. Thus we won't know the impact of the setting. Again, though, I'd DEFINITELY not have it set to four (4)!

3. Seeing as it is a Standard Edition should I limit MAX_DOP to 4 as an alternative?

Well, it can't be higher than four (4), so it's already limited. This question, I believe, is closely coupled with the question above. Hopefully I've explained it to a satisfactory level of understanding.

If you want to get an idea (due to the small threshold for parallelism) of how many queries are being parallelized, you can check the execution plans dmv. This is a fairly expensive operation, so please do it off hours or times of little to no usage between ALL of the instances. Remember, what you do to one instance is going to be (roughly) done to all because of the shared nature of the server.

Valid Connection Strings for SSMS Login Box

There are various possibilities and I will try to answer them according to the numbered questions.

Valid connection strings for the SSMS login box are:

1st instance

Using the host name
- SERVERNAME
- SERVERNAME,1433
Using the CNAME/Alias
- SERVERNAME-I01
- SERVERNAME-I01,1433
Using the IP address
- 123.1.2.3
- 123.1.2.3,1433
For the Dedicated Admin Connection (DAC); depends on Browser Service status

a) Browser Service ON
- ADMIN:SERVERNAME
- ADMIN:SERVERNAME-I01
- ADMIN:123.1.2.3
b) Browser Service OFF
- SERVERNAME,1434
- SERVERNAME-I01,1434
- 123.1.2.3,1434

2nd instance

Because the 2nd instance has a dynamic port for the SQL Server instance and a dynamic port for DAC, the ports have to be retrieved from the ERROR log file in advance before connecting to the SQL Server. See 7 for more information. In this example I will assume port 63390 is used for the SQL Server instance and port 63389 is used for the Dedicated Admin Connection. Microsoft recommends to fix the IP port, thus allowing you to properly configure a firewall 6.

Using the host name
- SERVERNAME\Instance2 (Browser Service ON)
- SERVERNAME,63390 (Browser Service OFF)
Using the CNAME\Alias
- SERVERNAME-I02 (Browser Service ON)
- SERVERNAME-I02,63390 (Browser Service OFF)
Using the IP address
- 123.1.2.3,63390 (Browser Service is ON or OFF)
  Using the IP address without port, would connect you to the default instance
For the Dedicated Admin Connection (DAC); really depends on Browser Service status

a) Browser Service ON
- ADMIN:SERVERNAME\Instance2
- ADMIN:SERVERNAME-I02\Instance2
- ADMIN:123.1.2.3\Instance2
  Always requires instance name, because the CNAME or IP address references the same IP address as the default standard instance
b) Browser Service OFF
- SERVERNAME,63389
- SERVERNAME-I01,63389
- 123.1.2.3,63389

3rd instance

Using the host name
- SERVERNAME\Instance3
  Because this instance is using the same SQL Server port as the default instance, but a different IP address, the SERVERNAME,1433 notation would not work. You would be connected to the default instance.
Using the CNAME/Alias
- SERVERNAME-I03 (Browser Service ON)
- SERVERNAME-I03,1433 (Browser Service OFF)
Using the IP address
- 123.1.2.4
- 123.1.2.4,1435
For the Dedicated Admin Connection (DAC); depends on Browser Service status

a) Browser Service ON
- ADMIN:SERVERNAME\Instance3
- ADMIN:SERVERNAME-I03 (works because the CNAME references a dedicated IP address)
- ADMIN:123.1.2.4
b) Browser Service OFF
- SERVERNAME,63389 (works because the port references a dedicated port for DAC)
- SERVERNAME-I01,63389 (works because the CNAME and port reference a dedicated instance/DAC)
- 123.1.2.4,63389

Browser Service

If the browser service is DISABLED or has not been started, then connections cannot be routed to the relevant port. In this case the DAC port has to be retrieved from the ERRORLOG file of the instance. You should find a line with something like Dedicated admin connection support was established for listening remotely on port 63389. for the DAC port. This port number is the port the DAC will listen on. You are required to supply the relevant port for the Dedicated Admin connection and the corresponding port for the SQL Server connection if your Browser Service is turned off. You do not have to add the instance name to the connection string when using the port, because the port is reserved for the instance.

In short the Browser Service is responsible for converting instance names to ports. If the Browser Service is not running, then you have to supply the port instead of the instance name.

Reference Material

Logging In to SQL Server (Microsoft | Docs | SQL Server)