TRANSCRIPT
5/19/2003
1L02
What's New in
Internet Information Server 6.0
Decus 2003
[email protected] HP-Services
20 March 2003, Internet Information Server 6.0
Agenda
• Architecture
  – Service / Core
  – Isolation modes
  – App. Pools / Webgarden / Recycling
  – Metabase
• Administration
  – Installation
  – Security
  – Web Interface / Cmdline / WMI
  – Logging, FTP ...
• Other Stuff
  – Programming
  – MSCS (Cluster Services)
  – Migration tools
• Resources / Q&A
Architecture (IIS 5): A Reminder – Process Model for IIS 5.0
[Figure: IIS 5.0 process model. User mode: INETINFO.exe hosting the metabase, ftp/smtp/nntp, W3SVC, Winsock, ISAPI filters and in-proc apps; ASPNET_WP.exe hosting the ASP.NET apps in .NET app domains; one DLLHOST.exe for pooled OOP apps; one DLLHOST.exe per isolated OOP app. Kernel mode below.]
Architecture (IIS 6): IIS 6.0 Worker Process Isolation Mode
[Figure: IIS 6.0 worker process isolation mode. Kernel mode: HTTP.SYS. User mode: INETINFO.exe (metabase; ftp, smtp, nntp); SVCHOST.exe hosting W3SVC with the W3 Config Mgr and W3 Process Mgr; several application pools, each a W3WP.exe containing W3Core and the ISAPI filters and serving all apps of that pool (no OOP); one pool hosting the ASP.NET apps in .NET app domains.]
Isolation Modes
• IIS 5.0 isolation mode
  – Compatibility mode
  – Dependency on Inetinfo.exe
  – Requires read raw data filters
  – Requires the Dllhost.exe environment
• Worker process isolation mode
  – User code isolated in its own „service“ (w3wp)
  – No interaction with inetinfo or w3svc
  – Application pool features !!!
Application Pools
• Any number of application pools
  – Each served by one or more W3WP.exe processes
  – Each W3WP.exe serves only one pool
  – Requests routed directly to the pool by HTTP.sys
• Isolate applications based on:
  – Site / customer
  – Functionality
  – Reliability / performance
Application Pool: Periodic Process Recycling
• What is recycling?
  – Periodically restart applications based on:
    • [Default] uptime
    • Number of requests
    • Scheduled time
    • Memory consumption
    • On demand
• Why use it?
  – Refresh applications to ensure availability
  – Prevent bad applications from taking over the system
• Effect on applications
  – In-process state or cache lost on recycle
  – Possible multi-instance issues
Application Pool Health: Self-Healing Architecture
• Health check (pinging)
  – Designed to detect W3WP.exe thread deadlock
  – Engages if no threads in W3WP.exe are available to respond in time
• How does it work?
  – W3SVC will "ping" each W3WP.exe
  – The process has a configured time limit to respond
  – If there is no response within the time limit:
    • Default: kill the process, publish an event, and start a new process
    • Or: can be configured to take a configured action on the process => "orphaning"
      – OrphanWorkerProcess, OrphanActionExe/OrphanActionParams
• ASP and ASP.NET use the ping to request a recycle if they are unhealthy (HSE_REQ_REPORT_UNHEALTHY)
Application Pool Health: Crash Detection and Recovery
• Crash detection
  – W3SVC detects a W3WP.exe "crash"
  – W3SVC will start a new W3WP.exe if there is demand
  – Requests are queued in HTTP.sys while the new W3WP starts
  – ! No interruption in service
• Rapid fail protection
  – Only allow x crashes in y minutes
  – Automatically stop the pool if this value is exceeded – 503s to requests for this pool
Application Pool Security: Configurable Worker Process Identity
• Worker process can be started as:
  – Network Service (default)
  – Local System
  – Local Service
  – Configured account
• IIS_WPG
  – New user group
  – IIS resources are ACLed for this group
  – Will get 503s if the configured account is not a member of IIS_WPG
• .NET / Passport
  – Requires LocalSystem !
Application Pool Performance: Idle Timeout and Demand Start
• Idle timeout
  – Time out and shut down a worker process if it has been idle for a given period of time
  – Frees resources for active applications
  – Applications remain available even if the worker process idles out and is shut down!
• Demand start
• Considerations
  – Use idle timeout to free resources (state info is lost)
  – Disable idle timeout if application startup takes long
Performance: Web Gardens and Processor Affinity
• Web gardens
  – Application pool with more than one worker process
  – Connection-based routing / round-robin
  – Processor affinitization: bind application pool processes to one or more CPUs
• Considerations
  – Possible multi-instance issues
  – Recycling on demand = all at once
[Figure: a web garden – one application pool served by three W3WP.exe processes, each with W3Core and ISAPI filters and hosting all apps (no OOP).]
Application Pool: Creation / Assignment
Applications: Considerations
• Design applications to be recycled
  – Persist state/caches external to the host process
  – For ASP.NET, use the external session state service or Microsoft® SQL Server™ to store state
• Be aware of multi-instance issues
  – May be encountered during:
    • Recycles – overlapped by default, but overlapped recycling or recycling altogether can be disabled
    • Two application pools loading the same application code (deadlock)
  – If unable to change code, assign all URLs to the same pool
• Dependencies on IIS 5.0 behaviors
  – LocalSystem vs. NetworkService
  – No COM+ OOP support in worker process isolation mode
  – Global data filters are now local per WP
  – If the above cannot be worked around, run IIS 6.0 in IIS 5.0 isolation mode
    • Loads W3Core into INETINFO, same OOP model as IIS 5.0
Performance: Caching Responses in HTTP.SYS
[Figure: HTTP.SYS on top of TCP/IP – listener, namespace mapper, HTTP engine with HTTP parser, response cache and send-response path, and one request queue per application pool.]
• Dynamic & static content served straight from HTTP.SYS
  – High speed, no user-mode transition
  – Applications will not see requests that are served from the cache
  – Static files cached by default (smart caching – only "hot" static content is cached)
• Control the cache with the "Expires" header (timeout)
• ASP.NET => use OutputCache Location="Server" to mark a response as cacheable
• Lessens load on the web server
Metabase: Improvements
• XML metabase
  – Metabase now stored in XML
  – Auto-versioning: like an automatic backup (…\inetsrv\history\…)
• Edit while running
  – Make changes directly to the Metabase.xml file while IIS is running
  – Any editor (Notepad)
• Note:
  – Metabase.bin still exists, but only as a stub file for legacy backup applications
Administration: Installation / Upgrade
• New installation
  – IIS not installed on a clean install by default
  – Use the Configure Your Server Wizard to install the application server role – installs:
    • IIS 6.0
    • FPSE (not enabled)
    • ASP.NET (not enabled)
• Upgrade installation
  – W3SVC disabled unless URLScan is installed before the upgrade
Administration: Security
• Restriction list
  – Only execute requests for "allowed" extensions and CGIs (404)
  – No extensions or CGIs allowed by default
  – 404.2 returned on a request for a "prohibited" extension or CGI
  – Use the Web Service Extensions node in the MMC to "allow" and "prohibit" extensions and CGIs
• Known file extensions
  – Only serve requests that are defined in MIMEMAP
  – 404.3 for requests not in MIMEMAP
• Considerations
  – If using Visual Studio® .NET / FrontPage – define .tmp files in MIMEMAP
  – Visual Studio .NET to fix this in SP1
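The two checks on this slide are easiest to see as a small decision function. The following is an added example for these notes, not IIS code and not a Microsoft tool: it parses restriction-list entries in the format of the WebSvcExtRestrictionList metabase property ("allowed,path[,deletable,group,description]", one entry per line in Metabase.xml) and then decides whether a request would be served, rejected with 404.2 (prohibited ISAPI extension or CGI) or rejected with 404.3 (static file without a MIME type). The sample entries, script map and MIME map are constructed, and the real request pipeline is simplified to just these two checks.

```python
import ntpath
import posixpath

# Constructed sample entries in WebSvcExtRestrictionList format; the paths are
# assumptions for this example, not taken from a real server.
RESTRICTION_LIST = [
    "0,*.dll",                                   # all unknown ISAPI extensions: prohibited
    "0,*.exe",                                   # all unknown CGI executables: prohibited
    "1,C:\\WINDOWS\\system32\\inetsrv\\asp.dll,0,ASP,Active Server Pages",
    "0,C:\\WINDOWS\\system32\\inetsrv\\httpodbc.dll,0,HTTPODBC,Internet Data Connector",
]
# Constructed script map (URL extension -> ISAPI extension or CGI handler) and MIME map.
SCRIPT_MAP = {
    ".asp": "C:\\WINDOWS\\system32\\inetsrv\\asp.dll",
    ".idc": "C:\\WINDOWS\\system32\\inetsrv\\httpodbc.dll",
    ".cgi": "C:\\inetpub\\cgi-bin\\handler.exe",     # not listed individually: wildcard decides
}
MIME_MAP = {".htm": "text/html", ".html": "text/html", ".gif": "image/gif", ".css": "text/css"}


def parse_restriction_list(entries):
    """Return {handler path (lower case): allowed?} from restriction list entries."""
    rules = {}
    for entry in entries:
        fields = entry.split(",", 4)             # the description may itself contain commas
        allowed, path = fields[0].strip(), fields[1].strip().lower()
        rules[path] = allowed == "1"
    return rules


def handler_allowed(rules, handler):
    """A handler listed by path uses its own flag; otherwise the '*.dll' / '*.exe'
    wildcard entry decides, and anything not covered at all stays prohibited."""
    handler = handler.lower()
    if handler in rules:
        return rules[handler]
    wildcard = "*" + ntpath.splitext(handler)[1]
    return rules.get(wildcard, False)


def classify_request(url_path, script_map=SCRIPT_MAP, rules=None, mime_map=MIME_MAP):
    """(status, substatus) as IIS 6.0 would log it: 404.2 for a prohibited extension/CGI,
    404.3 for a static file whose extension has no MIME type, otherwise 200.0."""
    if rules is None:
        rules = parse_restriction_list(RESTRICTION_LIST)
    path = url_path.split("?", 1)[0]             # ignore the query string
    ext = posixpath.splitext(path)[1].lower()
    if ext in script_map:                        # dynamic content: goes to an ISAPI extension or CGI
        return (200, 0) if handler_allowed(rules, script_map[ext]) else (404, 2)
    if ext in mime_map:                          # static content: must have a MIME type
        return (200, 0)
    return (404, 3)


if __name__ == "__main__":
    for url in ("/default.asp", "/query.idc?id=1", "/cgi-bin/form.cgi", "/index.htm", "/vs/upload.tmp"):
        print(url, classify_request(url))
```

Allowing a handler means adding a "1,<path>" entry for exactly that binary; the "*.dll" and "*.exe" wildcards stay at 0 so that anything dropped on the server later is still refused with 404.2, which is the "prohibit everything else" advice of the recommendations slide.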
Administration: Security Changes
• Sub-authentication is not installed by default on clean installations (iissuba.dll)
  – IIS was allowed to control passwords (override)
  – Now passwords might expire for the IWAM and IUSR accounts
  – Must install SubAuth or come up with your own synchronization scheme
• URLs restricted to a maximum length of 16 KB with more restrictive parsing
  – No special chars, etc.
• Content in Inetpub is now overwrite protected
• Command-line tools limited to the Administrators group only (CGI apps.)
Security: Microsoft's Recommendations
• Do a clean installation vs. upgrade – more secure by default
  – No lockdown tool yet for IIS 6.0 to handle the upgrade case
• Run application pool W3WP.exe processes as Network Service (default)
• Only "allow" extensions that are vital to all applications
  – Prohibit everything else to reduce the attack surface
• Check IIS hit logs and the HTTPERR log
  – IIS hit logs – sub-status codes logged for W3C and binary-formatted files
  – HTTPERR – detail on the reason for 503s and connection terminations
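The last recommendation, checking the hit logs and HTTPERR, is where the 404.2/404.3 sub-status codes of the Security slide and the 503s of the rapid-fail slide become visible. The following scanner is an added example for these notes, not a Microsoft tool: it reads the W3C extended format by its "#Fields:" directive, which IIS 6.0 hit logs and the HTTP.sys HTTPERR log both use, and counts the indicators named above. The log lines are constructed (the field names follow the W3C and HTTPERR formats; the reason phrases AppOffline and Timer_ConnectionIdle are the ones HTTP.sys uses for a stopped pool and an idle connection).

```python
from collections import Counter

# Constructed sample of an IIS 6.0 hit log (W3C extended format with sc-substatus).
HIT_LOG = """#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Fields: date time c-ip cs-method cs-uri-stem sc-status sc-substatus
2003-03-20 10:00:01 10.0.0.5 GET /default.asp 200 0
2003-03-20 10:00:02 10.0.0.9 GET /query.idc 404 2
2003-03-20 10:00:03 10.0.0.9 GET /upload.tmp 404 3
2003-03-20 10:00:04 10.0.0.9 GET /test.exe 404 2
2003-03-20 10:00:05 10.0.0.5 GET /app/page.asp 503 0
""".splitlines()

# Constructed sample of the HTTP.sys HTTPERR log.
HTTPERR_LOG = """#Software: Microsoft HTTP API 1.0
#Version: 1.0
#Fields: date time c-ip c-port s-ip s-port cs-version cs-method cs-uri sc-status s-siteid s-reason s-queuename
2003-03-20 10:05:00 10.0.0.5 1034 10.0.0.1 80 HTTP/1.1 GET /app/page.asp 503 1 AppOffline AppPool1
2003-03-20 10:05:02 10.0.0.7 1040 10.0.0.1 80 - - - - - Timer_ConnectionIdle -
2003-03-20 10:05:03 10.0.0.5 1036 10.0.0.1 80 HTTP/1.1 GET /app/page.asp 503 1 AppOffline AppPool1
""".splitlines()


def parse_w3c(lines):
    """Yield one dict per record, keyed by the names from the latest '#Fields:' directive."""
    fields = []
    for line in lines:
        line = line.rstrip("\r\n")
        if not line:
            continue
        if line.startswith("#"):                 # directives: only '#Fields:' matters here
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue
        values = line.split(" ")                 # W3C logs encode spaces inside values as '+'
        if len(values) != len(fields):
            continue                             # malformed or written under another header
        yield dict(zip(fields, values))


def summarize_hits(lines):
    """Count (status.substatus, client) for prohibited extensions (404.2),
    missing MIME types (404.3) and 503s from stopped or overloaded pools."""
    counts = Counter()
    for rec in parse_w3c(lines):
        status = rec["sc-status"] + "." + rec.get("sc-substatus", "0")
        if status in ("404.2", "404.3") or rec["sc-status"] == "503":
            counts[(status, rec.get("c-ip"))] += 1
    return counts


def summarize_httperr(lines):
    """Count HTTPERR records by the reason HTTP.sys gives for the 503 or the dropped connection."""
    return Counter(rec.get("s-reason") for rec in parse_w3c(lines))


def pools_offline(lines):
    """Request queues (application pools) that HTTP.sys reported as offline."""
    return {rec.get("s-queuename") for rec in parse_w3c(lines) if rec.get("s-reason") == "AppOffline"}


if __name__ == "__main__":
    print(summarize_hits(HIT_LOG))
    print(summarize_httperr(HTTPERR_LOG), pools_offline(HTTPERR_LOG))
```

A client that accumulates 404.2 entries is probing for handlers the restriction list refuses, which is worth a look even though every one of those requests was denied; AppOffline records name the pool that rapid-fail protection stopped and therefore needs attention before users see more 503s.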
Administration: WMI Provider and New Command-Line Tools
• Namespace: winmgmts:/root/MicrosoftIISv2 (IIS://localhost/w3svc)
  – Query support
  – Associations
  – Scriptable
• New command-line tools
  – WMI based
  – Supported tools – currently in %windir%\system32
    • iisapp.vbs – list IIS worker processes
    • iisback.vbs – backup/restore/list IIS configuration
    • IIsCnfg.vbs – import and export IIS configuration
    • iisext.vbs – manage Web Service Extensions
    • IIsFtp.vbs – manage FTP site (start, stop, ...)
    • IIsFtpdr.vbs – manage FTP directory
    • iisvdir.vbs – manage web directory
    • iisweb.vbs – manage website
Administration: Save to / Load from (XML) File
Web-based (Remote) Administration: https://localhost:8098
Administration: New Logging Feature
• Centralized binary logging
  – Per server (not per site)
  – Disables all other logging/formats
  – Binary, unformatted data log in a central file
  – Not customizable
  – HTTP.sys automatically creates a log file directory
  – Filename: rawyymmddhh.ibl
• Enabled via command line:
    cscript.exe adsutil.vbs SET W3SVC/CentralBinaryLoggingEnabled true
• Analyzing?
  – A parsing tool ships with the IIS 6.0 Resource Kit.
FTP
• User isolation feature
  – Lets you restrict users to their own FTP directory (no cd ..)
  – Isolation needs a directory structure
  – New AD attributes FTPRoot & FTPDir:
    iisftp /SetADProp jk FTProot c:\temp
    iisftp /SetADProp jk FTPdir jksdir
    iisftp /GetADProp
• IIS now supports multiple character sets for FTP.
URL Authorization
• Allows a URL to assume an application role – role-based access control
• Website configuration
  – Add the ISAPI interceptor (Urlauth.dll) as a wildcard application mapping
  – Set properties (JScript via ADSI):
    // Bind to the root of web site 1 through ADSI
    var objVDir = GetObject("IIS://localhost/w3svc/1/root");
    objVDir.AzEnable = true;                            // turn on URL authorization
    objVDir.AzStoreName = "MSXML://d:\\MyAZStore.xml";  // backslash must be escaped in a JScript string
    objVDir.AzScopeName = "MyAZScope";
    objVDir.AzImpersonationLevel = 0;
    objVDir.SetInfo();                                  // write the properties back to the metabase
• Azman.msc „authorization manager“
  – Create roles, scopes, tasks ...
Cluster Support
• No „IIS Server Instance“ resource
• Use „Generic Script“ instead
  – clusweb.vbs & clusftp.vbs (...\system32\inetsrv; EE, DC editions)
• IIS bindings
  – Configure FTP and web sites to listen on the IP of the virtual server
  – Use the virtual name as host header
  – Synchronize nodes (iiscnfg /copy) – no iissync utility
Migration: IIS Migration Toolkit
• IIS Toolkit (beta 0.1)
• Install on IIS 6 (target)
• Command-line utility
• Supports IIS 4/5/6 -> 6
• Migrates
  – Sites only!
  – Content (files + security)
  – Metabase configuration
  – OOP -> application pool
• Watch out
  – Dependencies (dll, com, user, ..)

C:\>iismt benelea "webtest" /user Administrator /password x
IIS Web Site Migration Utility v1.0 BETA b12
Copyright (C) 2002 Microsoft Corporation. All rights reserved.
Connecting to the local IIS Server...
Connecting to server BENELEA...
Resolving the site by name 'webtest'...
Backing up the current IIS configuration...
Replicating the metabase properties...
Migrating the site content...
Failed to connect to \\BENELEA\C$\test with the supplied credentials. Do you want to try again? [Y/N]: y
Connect to \\BENELEA\C$\test
Username:benelea\administrator
Password:
The site has migrated successfully.
Others ...
• DisableSocketPooling
  – Same port via different IP addresses (IIS 5)
  – No effect in IIS 6 if set via Adsutil (metabase)
  – Need to use HTTPcfg.exe from the Support Tools (supTools.msi) to configure the „IP inclusion list“
  – Restart
• UNC/NAS support with pass-through authentication
• SSL / cryptography – remotable certificate object and selectable crypto service provider
  – CAPI store not remotable in IIS 5, but the CertObject is in IIS 6!
  – Use your own CAPI provider (e.g. accelerator cards)
• CDONTS removed (use CDO instead)
• IIS utility components
  – Ad Rotator, Content Linker/Rotator, Counters, etc. not installed (but remain on upgrade)
  – Available in the IIS 6 Resource Kit
Resources
• What's New in Internet Information Services 6.0
  http://www.microsoft.com/windows.netserver/evaluation/overview/technologies/iis.mspx
• IIS 6.0 Technical Overview
  http://www.microsoft.com/windows.netserver/docs/IISOverview.doc
• Webcasts: http://support.microsoft.com/webcasts
  – IIS 6.0 Isolating and Securing Web Applications
  – IIS 6.0, UNC, and Remote Storage
  – IIS 4.0, IIS 5.0, and Apache Applications: Migrating to IIS 6.0
  – IIS 6.0: Best Practices for Transitioning to 6.0 from Earlier Version
• IIS 6.0 Resource Kit (8/2003)
Versions: Differences
.NET Server Editions
[Figure: Editions.jpg – edition comparison]
http://www.microsoft.com/windowsserver2003/evaluation/features/compareeditions.mspx
Performance in IIS 6.0?? Capacity Planning: Tracing
• Hooks at key positions during the request lifetime, from start of request to final send of response:
  – HTTP Start, Route, Cache Hit, End
  – ISAPI Filter Start/Stop (filter name, notification)
  – ISAPI Extension Start/Stop
  – ASP Start/Stop
  – ASP.NET Start/Stop
• Useful in debugging as well – Where is my request blocked?
• Customer example – MS.COM
  – Uses this to find high-CPU-usage pages
  – Also used to diagnose where the delay is