Windows Firewall degrades IIS performance

firewalliisperformancewindows

(Note: I went through the related questions list and couldn't find one that answers this situation.)

I'm running into an issue whose cause is difficult to spot but is easy to describe: if Windows Firewall and some related services (Windows Firewall, IKE, IPSec Policyagent, Base Filtering Engine) are stopped, then IIS performance doubles (from aprox. 650 to 1300 RPS).

Needless to say, stopping Windows Firewall is not an option.

Repro scenario is plain simple: just create an IIS web site and serve a single image i.e. http://server:9876/image.png. While CPU stays low with and without firewall enabled, CPU Privileged Time % increases in comparison with User Time %.

Has someone seen this before? Are we missing a configuration setting or else?

Environment is Windows Server Enterprise 2008 SP2, II7. Thanks.

Best Answer

Of course the Windows Firewall will degrade performance.

It has to inspect all packets in and out of the server.

That takes CPU.

If you need to increase performance on the server, then you will have to turn off the Windows Firewall and install a hardware firewall instead.

Related Solutions

Windows – How to find what process is holding a file open in Windows

I've had success with Sysinternals Process Explorer. With this, you can search to find what process(es) have a file open, and you can use it to close the handle(s) if you want. Of course, it is safer to close the whole process. Exercise caution and judgement.

To find a specific file, use the menu option Find->Find Handle or DLL... Type in part of the path to the file. The list of processes will appear below.

If you prefer command line, Sysinternals suite includes command line tool Handle, that lists open handles.

Examples

c:\Program Files\SysinternalsSuite>handle.exe |findstr /i "e:\" (finds all files opened from drive e:\"
c:\Program Files\SysinternalsSuite>handle.exe |findstr /i "file-or-path-in-question"

How to Determine the Installed Version of IIS

As a more general answer, not specifically aimed at your question, Microsoft has a support article which lists all old versions and the operating systems that provide each one.

IIS version   Built-in  
5.0           Windows 2000
5.1           Windows XP Pro
6.0           Windows Server 2003
7.0           Windows Vista and Windows Server 2008
7.5           Windows 7 and Windows Server 2008 R2
8.0           Windows 8 and Windows Server 2012

Current versions are on Wikipedia

8.5           Windows 8.1 and Windows Server 2012 R2
10.0 v1607    Windows Server 2016 and Windows 10.*
10.0 v1709    Windows Server 2016 v1709 and Windows 10.*
10.0 v1809    Windows Server 2019  and Windows 10.* October

Best Answer

Related Solutions

Windows – How to find what process is holding a file open in Windows

How to Determine the Installed Version of IIS

Related Topic