
1L02 Neuerungen 6.0 Decus 2003

5/19/2003

1L02: Neuerungen im Internet Information Server 6.0 (What's New in Internet Information Server 6.0)

Decus 2003

[email protected], HP Services

20 March 2003, Internet Information Server 6.0

Agenda

• Architecture
  – Service / Core
  – Isolation modes
  – Application pools / Web garden / Recycling
  – Metabase

• Administration
  – Installation
  – Security
  – Web interface / Command line / WMI
  – Logging, FTP ...

• Other stuff
  – Programming
  – MSCS (Cluster Services)
  – Migration tools

• Resources / Q&A


Architecture: IIS 5.0, a reminder. Process model for IIS 5.0

[Diagram: IIS 5.0 process model, user mode above the kernel-mode boundary. INETINFO.exe hosts the metabase, the FTP, SMTP and NNTP services, W3SVC, Winsock, the ISAPI filters and all in-process applications. ASPNET_WP.exe hosts the .NET application domains. Pooled out-of-process (OOP) applications share one DLLHOST.exe; each isolated OOP application gets a DLLHOST.exe of its own.]

Architecture: IIS 6.0 Worker Process Isolation Mode

[Diagram: IIS 6.0 process model. Kernel mode: HTTP.SYS. User mode: INETINFO.exe keeps only the metabase and the FTP, SMTP and NNTP services; W3SVC runs inside SVCHOST.exe and consists of the W3 Config Manager and the W3 Process Manager; every application pool is served by a W3WP.exe that hosts W3Core, the ISAPI filters and all of the pool's applications (no OOP); ASP.NET applications run as .NET application domains inside the W3WP.exe of their own pool.]


Isolation Modes

• IIS 5.0 isolation mode
  – Compatibility mode
  – Dependency on Inetinfo.exe
  – Required for read-raw-data filters (not supported in worker process isolation mode)
  – Required for applications that need the Dllhost.exe environment

• Worker process isolation mode
  – User code is isolated in its own "service" (w3wp.exe)
  – No interaction with inetinfo.exe or w3svc
  – Application pool features!

Application Pools

• Any number of application pools
  – Each served by one or more W3WP.exe processes
  – Each W3WP.exe serves only one pool
  – Requests are routed directly to the pool by HTTP.sys

• Isolate applications based on:
  – Site / customer
  – Functionality
  – Reliability / performance


Application Pool: Periodic Process Recycling

• What is recycling?
  – Periodically restart the worker process based on:
    • [Default] uptime
    • number of requests
    • scheduled time
    • memory consumption
    • on demand

• Why use it?
  – Refresh applications to ensure availability
  – Prevent a misbehaving application from taking over the system

• Effect on applications
  – In-process state or cache is lost on recycle
  – Possible multi-instance issues (the old and the new worker process overlap during the recycle)

Application Pool Health: Self-Healing Architecture

• Health check (pinging)
  – Designed to detect a W3WP.exe thread deadlock
  – Engages when no thread in W3WP.exe is available to respond in time

• How does it work?
  – W3SVC "pings" each W3WP.exe
  – The process has a configured time limit to respond
  – If there is no response within the time limit:
    • Default: kill the process, publish an event, and start a new process
    • Or: take a configured action on the process instead => "orphaning"
      – OrphanWorkerProcess, OrphanActionExe / OrphanActionParams (for example to attach a debugger or take a dump of the hung process before it is replaced)

• ASP and ASP.NET use the ping to request a recycle if they are unhealthy (HSE_REQ_REPORT_UNHEALTHY)


Application Pool Health: Crash Detection and Recovery

• Crash detection
  – W3SVC detects a W3WP.exe "crash"
  – W3SVC starts a new W3WP.exe if there is demand
  – Requests are queued in HTTP.sys while the new W3WP.exe starts
  – No interruption in service!

• Rapid-fail protection
  – Only allow x crashes in y minutes
  – Automatically stop the pool if this value is exceeded
  – Requests for this pool then get 503s (answered by HTTP.sys; the reason shows up in the HTTPERR log)

Application Pool Security: Configurable Worker Process Identity

• The worker process can be started as:
  – Network Service (default)
  – Local System
  – Local Service
  – A configured account

• IIS_WPG
  – New user group
  – IIS resources are ACLed for this group
  – A configured account that is not a member of IIS_WPG gets 503s

• .NET / Passport
  – Requires LocalSystem!


Application Pool Performance: Idle Timeout and Demand Start

• Idle timeout
  – Shut down a worker process that has been idle for a given period of time
  – Frees resources for active applications
  – Applications remain available even after the worker process has idled out and been shut down!

• Demand start
  – The next request HTTP.sys queues for the pool makes W3SVC start a new worker process

• Considerations
  – Use the idle timeout to free resources (in-process state is lost)
  – Disable the idle timeout if application startup is long

Performance: Web Gardens and Processor Affinity

• Web gardens
  – An application pool with more than one worker process
  – Connection-based routing, round-robin across the processes
  – Processor affinitization: bind the application pool's processes to one or more CPUs

• Considerations
  – Possible multi-instance issues
  – Recycling on demand = all processes at once

[Diagram: one application pool configured as a web garden, served by several W3WP.exe processes, each hosting W3Core, the ISAPI filters and all of the pool's applications (no OOP).]


Application Pool: Creation / Assignment

Applications: Considerations

• Design applications to be recycled
  – Persist state / caches external to the host process
  – For ASP.NET, use the external session state service or Microsoft SQL Server to store state

• Be aware of multi-instance issues
  – May be encountered during:
    • Recycles: the old and the new process overlap by default, but overlapped recycling, or recycling altogether, can be disabled
    • Two application pools loading the same application code (deadlock)
  – If unable to change the code, assign all URLs to the same pool

• Dependencies on IIS 5.0 behaviours
  – LocalSystem vs. Network Service
  – No COM+ OOP support in worker process isolation mode
  – Global data in filters is now local per worker process
  – If the above cannot be worked around, run IIS 6.0 in IIS 5.0 isolation mode
    • Loads W3Core into INETINFO.exe, same OOP model as IIS 5.0


Performance: Caching Responses in HTTP.SYS

[Diagram: request path inside HTTP.SYS on top of TCP/IP: listener, HTTP parser, namespace mapper and HTTP engine; a response cache answers repeated requests directly through the send-response path, everything else goes into a per-application-pool request queue.]

• Dynamic and static content can be served straight from HTTP.SYS
  – High speed, no user-mode transition
  – Applications will not see requests that are served from the cache
  – Static files are cached by default (smart caching: only "hot" static content is cached)

• Control the cache with the "Expires" header (timeout)

• ASP.NET: use OutputCache Location="Server" to mark a response as cacheable

• Lessens the load on the web server

Metabase: Improvements

• XML metabase
  – The metabase is now stored in XML (MetaBase.xml)
  – Auto-versioning: like an automatic backup (...\inetsrv\history\...)

• Edit while running
  – Make changes directly to the MetaBase.xml file while IIS is running
  – Any editor (Notepad)

• Note:
  – Metabase.bin still exists, but only as a stub file for legacy backup applications


Administration: Installation / Upgrade

• New installation
  – IIS is not installed on a clean install by default
  – Use the Configure Your Server Wizard to install the application server role; it installs:
    • IIS 6.0
    • FPSE (not enabled)
    • ASP.NET (not enabled)

• Upgrade installation
  – W3SVC is left disabled after the upgrade unless URLScan was installed before the upgrade

Administration: Security

• Restriction list
  – Only execute requests for "allowed" extensions and CGIs
  – No extensions or CGIs are allowed by default
  – 404.2 is returned for a request to a "prohibited" extension or CGI
  – Use the Web Service Extensions node in the MMC to "allow" and "prohibit" extensions and CGIs

• Known file extensions
  – Only serve requests for file types that are defined in MIMEMAP
  – 404.3 for requests not in MIMEMAP

• Considerations
  – If using Visual Studio .NET / FrontPage, define .tmp files in MIMEMAP
  – Visual Studio .NET will fix this in SP1


Administration: Security Changes

• Sub-authentication is not installed by default on clean installations (iissuba.dll)
  – IIS was allowed to control (override) the passwords of its accounts
  – Now the passwords of the IWAM and IUSR accounts may expire
  – Either install the sub-authentication component or come up with your own password synchronization scheme

• URLs are restricted to a maximum length of 16 KB, with more restrictive parsing
  – No special characters, etc.

• Content in Inetpub is now overwrite-protected

• Command-line tools are limited to the Administrators group only (a compromised CGI application cannot run them)

Security: Microsoft's Recommendations

• Do a clean installation rather than an upgrade: more secure by default
  – There is no lockdown tool yet for IIS 6.0 to handle the upgrade case

• Run the application pool W3WP.exe processes as Network Service (the default)

• Only "allow" the extensions that are vital to your applications
  – Prohibit everything else to reduce the attack surface

• Check the IIS hit logs and the HTTPERR log
  – IIS hit logs: substatus codes are logged for W3C and binary-formatted files
  – HTTPERR: detail on the reason for 503s and connection terminations
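As an added example of the last recommendation (not code from the slides or from Microsoft): a small triage of the two logs. The W3C hit log and the HTTP.sys HTTPERR log share the "#Fields:" header convention, so one reader serves both; the log excerpts below are constructed for this example and the function names are the example's own. 404.2 and 404.3 in the hit log are the lockdown at work (prohibited extension or CGI, unknown MIME type), while AppOffline in HTTPERR shows that rapid-fail protection has stopped the pool named in s-queuename.

```python
"""Triage an IIS 6.0 W3C hit log and the HTTP.sys HTTPERR log.

Added example, not from the Decus 2003 slides. Both logs are W3C extended format
with a "#Fields:" header naming the columns, so one reader serves both. The log
excerpts are constructed for this example (the URL_Length entry is shortened; a
real one carries the oversized URL). The default IIS 6.0 hit-log fields include
sc-substatus, which is what makes 404.2 and 404.3 visible.
"""
from collections import Counter

W3C_SAMPLE = """\
#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Date: 2003-05-19 10:00:00
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status
2003-05-19 10:00:01 10.0.0.1 GET /default.htm - 80 - 10.0.0.5 Mozilla/4.0 200 0 0
2003-05-19 10:00:02 10.0.0.1 GET /scripts/upload.exe - 80 - 10.0.0.9 Mozilla/4.0 404 2 0
2003-05-19 10:00:03 10.0.0.1 GET /app/default.asp - 80 - 10.0.0.5 Mozilla/4.0 404 2 0
2003-05-19 10:00:04 10.0.0.1 GET /docs/readme.tmp - 80 - 10.0.0.7 Mozilla/4.0 404 3 0
2003-05-19 10:00:05 10.0.0.1 GET /app/default.asp - 80 - 10.0.0.5 Mozilla/4.0 200 0 0
"""

# %windir%\System32\LogFiles\HTTPERR\httperrN.log; written by HTTP.sys, not by W3SVC
HTTPERR_SAMPLE = """\
#Software: Microsoft HTTP API 1.0
#Version: 1.0
#Date: 2003-05-19 10:00:00
#Fields: date time c-ip c-port s-ip s-port cs-version cs-method cs-uri sc-status s-siteid s-reason s-queuename
2003-05-19 10:01:00 10.0.0.5 1052 10.0.0.1 80 HTTP/1.1 GET /app/default.asp 503 1 AppOffline AppPool1
2003-05-19 10:01:01 10.0.0.5 1053 10.0.0.1 80 HTTP/1.1 GET /app/default.asp 503 1 AppOffline AppPool1
2003-05-19 10:01:02 10.0.0.9 1100 10.0.0.1 80 - - - - - Timer_ConnectionIdle -
2003-05-19 10:01:03 10.0.0.9 1101 10.0.0.1 80 HTTP/1.1 GET /aaaaaaaa 400 - URL_Length -
2003-05-19 10:01:04 10.0.0.6 1200 10.0.0.1 80 HTTP/1.1 GET /shop/cart.asp 503 2 QueueFull ShopPool
"""

def read_w3c(text):
    """Yield one dict per entry, keyed by the names in the latest #Fields line."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line.startswith("#") or not line.strip() or fields is None:
            continue
        else:
            yield dict(zip(fields, line.split()))

# sc-status / sc-substatus pairs that mean the IIS 6.0 lockdown refused the request
LOCKDOWN = {("404", "2"): "extension or CGI not allowed (Web Service Extensions)",
            ("404", "3"): "file type not in MIMEMAP"}

def lockdown_hits(w3c_text):
    """Count refused requests per (reason, URL). Repeated 404.2 for an application
    you deployed means its extension still has to be allowed (iisext.vbs); 404.2
    for a CGI nobody asked for is the restriction list doing its job."""
    hits = Counter()
    for e in read_w3c(w3c_text):
        reason = LOCKDOWN.get((e.get("sc-status"), e.get("sc-substatus")))
        if reason:
            hits[(reason, e["cs-uri-stem"])] += 1
    return hits

def httperr_summary(httperr_text):
    """Group HTTP.sys rejections by s-reason and collect the application pools
    whose queue answered AppOffline (rapid-fail protection stopped the pool)."""
    by_reason = Counter()
    offline_pools = set()
    for e in read_w3c(httperr_text):
        by_reason[e["s-reason"]] += 1
        if e["s-reason"] == "AppOffline":
            offline_pools.add(e["s-queuename"])
    return by_reason, offline_pools

if __name__ == "__main__":
    for (reason, url), n in lockdown_hits(W3C_SAMPLE).most_common():
        print(f"{n:3} {url:22} {reason}")
    reasons, pools = httperr_summary(HTTPERR_SAMPLE)
    print(dict(reasons), "stopped pools:", sorted(pools))
```

Because HTTPERR is written by HTTP.sys, a request that never reached a worker process (idle timeouts, over-long URLs, a stopped pool) leaves no trace in the per-site hit log; reading both files is what gives the complete picture.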


Administration: WMI Provider and New Command-Line Tools

• Namespace: winmgmts:\\.\root\MicrosoftIISv2 (the ADSI equivalent is IIS://localhost/w3svc)
  – Query support
  – Associations
  – Scriptable

• New command-line tools
  – WMI based
  – Supported tools, currently in %windir%\system32:
    • iisapp.vbs: list IIS worker processes (PID to application pool)
    • iisback.vbs: back up / restore / list the IIS configuration
    • iiscnfg.vbs: import and export the IIS configuration
    • iisext.vbs: manage Web Service Extensions
    • iisftp.vbs: manage FTP sites (start, stop, ...)
    • iisftpdr.vbs: manage FTP virtual directories
    • iisvdir.vbs: manage web virtual directories
    • iisweb.vbs: manage web sites

Administration: Save to / load from (XML) file


Web-based (remote) administration: https://localhost:8098

Administration: New Logging Feature

• Centralized binary logging
  – Per server (not per site); enabling it disables all other logging formats
  – Binary, unformatted data logged to one central file
  – Not customizable
  – HTTP.sys automatically creates the log file directory
  – Filename: rawyymmddhh.ibl

• Enabled via the command line:
  cscript.exe adsutil.vbs SET W3SVC/CentralBinaryLoggingEnabled true

• Analyzing?
  – A parsing tool ships with the IIS 6.0 Resource Kit.


FTP

• User isolation feature
  – Lets you restrict users to their own FTP directory (no cd ..)
  – Isolation needs a matching directory structure under the FTP root
  – New AD attributes FTPRoot and FTPDir, set and read with iisftp.vbs:
    iisftp /SetADProp jk FTPRoot c:\temp
    iisftp /SetADProp jk FTPDir jksdir
    iisftp /GetADProp jk

• IIS now supports multiple character sets for FTP.
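Added example (not from the slides and not IIS code): the directory layout that "isolate users" mode expects under the FTP site's home directory, written as a helper that provisions the tree, checks whether a login would be accepted, and emulates the confinement rule so client paths can be reasoned about offline. LocalUser\Public, LocalUser\<user> and <Domain>\<user> are the names IIS 6.0 uses; the function names and the throw-away temporary root are the example's own, and the traversal check only models the rule, it is not how the FTP service implements it.

```python
"""IIS 6.0 FTP user isolation: the directory layout it requires and the
confinement it enforces. Added example, not from the slides or from IIS.

In "Isolate users" mode each login lands in a fixed subdirectory of the FTP
site's home directory and the session cannot leave it:
    anonymous        -> LocalUser\\Public
    local account    -> LocalUser\\<user>
    DOMAIN\\user      -> <DOMAIN>\\<user>
The FTP service refuses the login when that directory does not exist, so the
tree has to be provisioned before isolation is switched on. The function
names are this example's own; resolve_client_path only emulates the rule.
"""
from pathlib import Path
import tempfile

def home_parts(login, anonymous=False):
    """Path components (relative to the FTP root) of the isolated home for a login."""
    if anonymous:
        return ("LocalUser", "Public")
    if "\\" in login:                      # domain account, NetBIOS-style DOMAIN\user
        domain, user = login.split("\\", 1)
        return (domain, user)
    return ("LocalUser", login)            # local account

def provision_isolation_tree(ftp_root, logins, anonymous_allowed=True):
    """Create the per-user directories under ftp_root; returns the created paths."""
    root = Path(ftp_root)
    wanted = [home_parts(login) for login in logins]
    if anonymous_allowed:
        wanted.append(home_parts("", anonymous=True))
    made = []
    for parts in wanted:
        d = root.joinpath(*parts)
        d.mkdir(parents=True, exist_ok=True)
        made.append(d)
    return made

def login_allowed(ftp_root, login, anonymous=False):
    """True when the user's isolated home exists (otherwise IIS refuses the login)."""
    return Path(ftp_root).joinpath(*home_parts(login, anonymous)).is_dir()

def resolve_client_path(ftp_root, login, client_path):
    """Emulate the 'no cd ..' rule: map a client-supplied path onto the user's
    home and return None when it would escape that home."""
    home = Path(ftp_root).joinpath(*home_parts(login)).resolve()
    target = (home / client_path.replace("\\", "/").lstrip("/")).resolve()
    try:
        target.relative_to(home)
    except ValueError:
        return None
    return target

def demo():
    """Provision a throw-away tree and exercise the checks; returns the results."""
    with tempfile.TemporaryDirectory() as root:
        provision_isolation_tree(root, ["jk", "CONTOSO\\alice"])
        escaped = resolve_client_path(root, "jk", "../CONTOSO/alice")
        inside = resolve_client_path(root, "jk", "uploads/report.txt")
        return {
            "jk": login_allowed(root, "jk"),
            "alice": login_allowed(root, "CONTOSO\\alice"),
            "bob": login_allowed(root, "bob"),                 # never provisioned
            "anonymous": login_allowed(root, "", anonymous=True),
            "escape_blocked": escaped is None,
            "inside_ok": inside is not None and inside.name == "report.txt",
        }

if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:15} {value}")
```

The "bob" entry is the case that bites in practice: a valid Windows account without a directory under the root is simply refused, so provisioning the tree is part of enabling isolation, not an optional tidy-up.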

URL Authorization

• Allows a URL to assume an application role
  – Role-based access control

• Web site configuration
  – Add the ISAPI interceptor (urlauth.dll) as a wildcard application map
  – Set the properties (JScript via ADSI):

    var objVDir = GetObject("IIS://localhost/w3svc/1/root");
    objVDir.AzEnable = true;                           // switch URL authorization on for this directory
    objVDir.AzStoreName = "MSXML://d:\\MyAZStore.xml"; // Authorization Manager XML policy store (backslash escaped for JScript)
    objVDir.AzScopeName = "MyAZScope";
    objVDir.AzImpersonationLevel = 0;                  // 0 = run as the worker process identity rather than impersonating the client
    objVDir.SetInfo();                                 // write the changes back to the metabase

• azman.msc, the Authorization Manager
  – Create roles, scopes, tasks, ...


Cluster Support

• There is no "IIS Server Instance" resource type
• Use the "Generic Script" resource type instead
  – clusweb.vbs and clusftp.vbs (...\system32\inetsrv; Enterprise and Datacenter editions)

• IIS bindings
  – Configure FTP and web sites to listen on the IP address of the virtual server
  – Use the virtual name as the host header
  – Synchronize the nodes with iiscnfg /copy (there is no iissync utility any more)

Migration: IIS Migration Toolkit

• IIS Migration Toolkit (beta 0.1)
• Install on the IIS 6.0 target
• Command-line utility
• Supports IIS 4 / 5 / 6 -> IIS 6
• Migrates
  – Sites only!
  – Content (files + security)
  – Metabase configuration
  – OOP applications -> application pools

• Watch out
  – Dependencies (DLLs, COM, users, ...)

Sample run: the site "webtest" is pulled from the source server BENELEA. Note that a password passed with /password is visible in the process list and in the command history; the tool prompts for credentials anyway when the first ones fail, as happens here.

C:\>iismt benelea "webtest" /user Administrator /password x

IIS Web Site Migration Utility v1.0 BETA b12
Copyright (C) 2002 Microsoft Corporation. All rights reserved.

Connecting to the local IIS Server...
Connecting to server BENELEA...
Resolving the site by name 'webtest'...
Backing up the current IIS configuration...
Replicating the metabase properties...
Migrating the site content...
Failed to connect to \\BENELEA\C$\test with the supplied credentials. Do you want to try again? [Y/N]: y
Connect to \\BENELEA\C$\test
Username:benelea\administrator
Password:
The site has migrated successfully.


Others ...

• DisableSocketPooling
  – Same port on different IP addresses (IIS 5)
  – Has no effect in IIS 6 if set via adsutil (metabase), because HTTP.sys owns the listening sockets
  – Use httpcfg.exe from the Support Tools (suptools.msi) to configure the "IP inclusion list" (the HTTP.sys IP listen list), then restart

• UNC / NAS support with pass-through authentication

• SSL / cryptography: remotable certificate object and selectable cryptographic service provider
  – The CAPI store is not remotable in IIS 5, but the certificate object is in IIS 6!
  – Use your own CAPI provider (i.e. accelerator cards)

• CDONTS removed (use CDO instead)

• IIS utility components
  – Ad Rotator, Content Linker / Content Rotator, Counters, etc. are not installed (but remain on upgrade)
  – Available in the IIS 6.0 Resource Kit

Resources

• What's New in Internet Information Services 6.0
  http://www.microsoft.com/windows.netserver/evaluation/overview/technologies/iis.mspx

• IIS 6.0 Technical Overview
  http://www.microsoft.com/windows.netserver/docs/IISOverview.doc

• Webcasts: http://support.microsoft.com/webcasts
  – IIS 6.0 Isolating and Securing Web Applications
  – IIS 6.0, UNC, and Remote Storage
  – IIS 4.0, IIS 5.0, and Apache Applications: Migrating to IIS 6.0
  – IIS 6.0: Best Practices for Transitioning to 6.0 from Earlier Versions

• IIS 6.0 Resource Kit (8/2003)

Versions: Differences

.NET Server Editions

[Editions.jpg: comparison of the editions]
http://www.microsoft.com/windowsserver2003/evaluation/features/compareeditions.mspx

Performance in IIS 6.0? Capacity Planning Tracing

• Hooks at key positions during the request lifetime, from the start of the request to the final send of the response:
  – HTTP start, route, cache hit, end
  – ISAPI filter start/stop (filter name, notification)
  – ISAPI extension start/stop
  – ASP start/stop
  – ASP.NET start/stop

• Useful in debugging as well: where is my request blocked?

• Customer example: MS.COM
  – Uses this to find pages with high CPU usage
  – Also used to diagnose where the delay is