Deploying IIS 7.0 in the Enterprise

  • 12/19/2007

Navigating the IIS 7.0 Role Services and Features

As discussed previously, you can deploy IIS 7.0 running on a computer running Windows Server 2008 to support three specific roles: application server, Web server, and Windows SharePoint Services server. You can deploy IIS 7.0 running on a Windows desktop to support designing, building, and testing sites and applications. The components used to support these roles are referred to as either role services or features, depending on which user interface you are working with. In the sections that follow, I discuss each of the server roles and the related role services.

Role Services for Application Servers

You use application servers running on Windows Server 2008 editions to host distributed applications built by using ASP.NET, Enterprise Services, and WCF. Figure 2-1 provides an overview of the related services for application servers.

Figure 2-1. Role services for application servers.

When you install an application server, only the Application Server Core and Enterprise Services Network Access services are included as standard core features. In addition to the standard core features, you must install the .NET Framework 3.0 components and the Windows Activation Service components. Other components are optional and should be installed based on the specific requirements of the distributed applications you are hosting.

Application servers can use the following general-purpose role services:

  • Application Server Foundation. Provides the core application server functionality through these .NET Framework 3.0 technologies: Windows CardSpace, WCF, WPF, and WF. These technologies allow you to deliver managed-code applications that model business processes.

  • COM+ Network Access. Enables application servers to invoke applications remotely over the network. Applications being invoked must have been built using Enterprise Services and provide support for hosting COM+ components.

  • TCP Port Sharing. Allows multiple applications to share a single TCP port. By using this feature, many Web applications can coexist on the same server in separate, isolated processes while sharing the network infrastructure required for sending and receiving data over TCP ports.

  • Web Server (IIS) Support. Allows the application server to host Web sites with both static and dynamic content. The Web sites support the standard IIS server extensions and allow you to create Web pages containing dynamic content. This allows an application server to host an internal or external Web site or provide an environment for developers to create Web applications. See Table 2-2 for a complete list of IIS features installed by default when you select this feature.

The Windows Process Activation Service supports distributed Web-based applications that use different protocols to transfer information. You can use the following related components:

  • .NET Environment. Installs the .NET Environment for use with managed code activation.

  • Configuration APIs. Installs the managed code APIs that allow you to configure the process model.

  • Process Model. Installs a process model for developing and running applications.

Windows Process Activation Service Support enables the application server to invoke applications remotely over a network by using protocols such as HTTP, Microsoft Message Queuing (MSMQ), named pipes, and TCP. This allows applications to start and stop dynamically in response to incoming requests, resulting in improved performance and enhanced manageability. To specify which protocols an application server can use with Windows Process Activation, you can use the following related role services:

  • HTTP Activation. Supports process activation over HTTP. This is the standard activation method used by most Web applications. Applications that support HTTP Activation can start and stop dynamically in response to requests that arrive via HTTP. With HTTP, the application and the computers with which it communicates need to be online to pass active communications back and forth without the need for queuing requests.

  • Message Queuing Activation. Supports process activation over Microsoft Message Queue (MSMQ). This activation method is used when the application server runs distributed messaging applications. Applications that support MSMQ Activation and message queuing can start and stop dynamically in response to requests that arrive via MSMQ. With message queuing, source applications send messages to queues, where they are stored temporarily until target applications retrieve them. This queuing technique allows applications to communicate across different types of networks and with computers that may be offline.

  • Named Pipes Activation. Supports process activation over named pipes. Applications that support Named Pipes Activation can start and stop dynamically in response to requests that arrive via named pipes. You use this activation method when Web applications communicate with older versions of the Windows operating system. A named pipe is a portion of memory that one process can use to pass information to another process such that the output from one process is the input of the other process. Named pipes have standard network addresses such as \\.\Pipe\Sql\Query, which a process can reference on a local machine or a remote machine. The Named Pipes protocol is used primarily for local or remote connections by applications written for Microsoft Windows NT, Windows 98, and earlier versions of Windows.

  • TCP Activation. Supports process activation over TCP. Applications that support TCP Activation can start and stop dynamically in response to requests that arrive via TCP. With TCP, the application and the computers with which it communicates need to be online so they can pass active communications back and forth without the need for queuing requests.

When using Windows Process Activation Support, these additional role services may be required:

  • Non-HTTP Activation. Provides non-HTTP activation support using any of the following: MSMQ, named pipes, and TCP. IIS installs this feature as a WCF Activation component.

  • Message Queuing Server. Provides the necessary server functions for message queuing.

When applications communicate with each other, they may need to perform various types of transactions, such as queries to retrieve data stored in a database or a data submission to update data stored in a database. When the application server hosts the database or needs to query a single database to complete a transaction, transactions are fairly straightforward. Things get complex fast, though, when you are working with multiple databases hosted on multiple computers. A transaction that involves multiple databases hosted on multiple computers is referred to as a distributed transaction. With distributed transactions, you need a way to guarantee that all the data you need is either retrieved or submitted as appropriate, and this is where Distributed Transactions support comes into the picture. Distributed Transactions support provides services that help ensure that distributed transactions are successfully completed.

To enable Distributed Transactions support on an application server, you can use the following related role services:

  • Incoming Remote Transactions. Provides distributed transaction support to help ensure that incoming remote transactions are successfully completed.

  • Outgoing Remote Transactions. Provides distributed transaction support to help ensure that outgoing remote transactions are successfully completed.

  • WS-Atomic Transactions. Provides distributed transaction support for applications that use two-phase commit transactions with Simple Object Access Protocol (SOAP)-based exchanges. SOAP-based exchanges contain text-based commands that are formatted with XML. If you plan to use SOAP for two-phase commit transactions, you’ll also need to set and configure HTTP endpoints.

In your deployment planning, there is a distinct advantage to deploying an application server with Web Server support. When you deploy an application server with Web Server support, you can configure application services using the APIs provided by ASP.NET and the .NET Framework. Because the server includes IIS configuration and administration components, you’ll have all of the common IIS features available and will be able to configure the server by using the IIS 7.0 modules and the IIS 7.0 administration tools.

Role Services for Windows Desktops and Web Servers

Web servers running on Windows Vista desktop editions or on Windows Server 2008 editions can host Web sites and Web applications. Figure 2-2 provides an overview of the related role services for Web servers.

Figure 2-2. Role services for Web servers.

As summarized in Table 2-1, when you install a Web server, several configuration features are installed automatically as part of the server core, and other features are installed by default (if applicable for the operating system version you are using). These features represent core internal components in addition to the recommended minimum and required components for managing a Web server and publishing a Web site. In most installations of IIS 7.0, you will want to install additional features based on the specific requirements of the Web sites and Web applications the server is hosting.

As discussed in Chapter 1, Windows Server editions and Windows Vista editions have different sets of supported features. Table 2-2 provides a feature comparison based on Windows version and edition. The table also lists the related request limitations of Windows versions and editions. Because Windows Server editions have no request limitations, you can use them in live production environments. Because Windows Vista editions have severe request limitations, they are best suited for individual administrator or developer use and use in test and development environments.

Table 2-2. Feature Comparison Based on Windows Version and Edition

| Feature | Windows Server 2008 | Windows Vista Business & Ultimate | Windows Vista Home Premium | Windows Vista Home Basic |
|---|---|---|---|---|
| IIS Server Core | | | | |
| Anonymous Authentication | Included | Included | Included | N/A |
| Configuration Validation | Included | Included | Included | N/A |
| HTTP Cache | Included | Included | Included | N/A |
| Protocol Support | Included | Included | Included | N/A |
| Common HTTP Features | | | | |
| Default Document | Default | Default | Default | N/A |
| Directory Browsing | Default | Default | Default | N/A |
| HTTP Errors | Default | Default | Default | Default |
| HTTP Redirection | Available | Available | Available | Available |
| Static Content | Default | Default | Default | N/A |
| Application Development Features | | | | |
| .NET Extensibility | Available | Available | Available | Available |
| ASP | Available | Available | Available | N/A |
| ASP.NET | Available | Available | Available | N/A |
| CGI | Available | Available | Available | N/A |
| ISAPI Extensions | Available | Available | Available | N/A |
| ISAPI Filters | Available | Available | Available | N/A |
| Server-Side Includes | Available | Available | Available | N/A |
| Health and Diagnostics Features | | | | |
| Custom Logging | Available | Available | Available | N/A |
| HTTP Logging | Default | Default | Default | Default |
| Logging Tools | Available | Available | Available | Available |
| ODBC Logging | Available | Available | N/A | N/A |
| Request Monitor | Default | Default | Default | Default |
| Tracing | Available | Available | Available | Available |
| Security Features | | | | |
| Basic Authentication | Available | Available | Available | N/A |
| Client Certificate Mapping Authentication | Available | Available | N/A | N/A |
| Digest Authentication | Available | Available | N/A | N/A |
| IIS Client Certificate Mapping Authentication | Available | Available | N/A | N/A |
| IP and Domain Restrictions | Available | Available | Available | Available |
| Request Filtering | Default | Available | Available | Available |
| URL Authorization | Available | Available | Available | Available |
| Windows Authentication | Available | Available | N/A | N/A |
| Performance Features | | | | |
| Static Content Compression | Default | Default | Default | N/A |
| Dynamic Content Compression | Available | Available | Available | Available |
| Web Management Tools | | | | |
| IIS Management Console | Default | Default | Default | N/A |
| IIS Management Scripts and Tools | Available | Available | Available | Available |
| IIS Management Service | Available | Available | Available | N/A |
| IIS 6 Management Compatibility | Available | Available | Available | Available |
| IIS Metabase Compatibility | Available | Available | Available | Available |
| IIS 6 WMI Compatibility | Available | Available | Available | N/A |
| IIS 6 Scripting Tools | Available | Available | Available | N/A |
| IIS 6 Management Console | Available | Available | Available | N/A |
| FTP Publishing Service | | | | |
| FTP Management Console | Available | Available | N/A | N/A |
| FTP Server | Available | Available | N/A | N/A |
| Windows Activation Service | | | | |
| .NET Environment | Available | Available | Available | Available |
| Configuration APIs | Default | Available | Available | Available |
| Process Model | Default | Default | Default | Default |
| Limitations | | | | |
| Request Execution Limit | Unlimited | 10 | 3 | 3 |

As the table shows, many different features are available with Web servers. I’ll discuss each of the features I haven’t previously discussed in this section, and you’ll also find detailed information on these features in appropriate chapters throughout this book. Appendix A also provides a detailed description of each feature and its related configuration modules.

The IIS Server Core features provide the foundation functions for IIS. You can use these features as follows:

  • Anonymous Authentication. Supports anonymous access to a server. With anonymous access, any user can access content without having to provide credentials. Each server has to have at least one authentication mechanism configured, and this is the default mechanism.

  • Configuration Validation. Validates the configuration of a server and its applications. If someone improperly configures a server or application, IIS 7.0 generates errors that can help detect and diagnose the problem.

  • HTTP Cache. Improves performance by returning a processed copy of a requested Web page from cache, resulting in reduced overhead on the server and faster response times. IIS 7.0 supports several levels of caching including output caching in user mode and output caching in kernel mode. When you enable kernel-mode caching, cached responses are served from the kernel rather than from IIS user mode, giving IIS an extra boost in performance and increasing the number of requests IIS can process.

  • Protocol Support. Provides support for common protocols used by Web servers, including HTTP keep-alives, custom headers, and redirect headers. HTTP keep-alives allows clients to maintain open connections with servers, which speeds up the request process once a client has established a connection with a server. Custom headers and redirect headers allow you to optimize the way IIS works to support advanced features of the HTTP 1.1 specification.

The Common HTTP features install the common services required for serving Web content. You can use these features as follows:

  • Default Document. Supports displaying of default documents. When you’ve enabled this feature and a user enters a request with a trailing ‘/,’ such as http://www.adatum.com/, IIS can redirect the request to the default document for the Web server or directory. For best performance, you should list the default document you use the most first and reduce the overall list of default documents to only those necessary.

  • Directory Browsing. Supports directory browsing functionality. When you’ve enabled default documents but there is no current default document, IIS can use this feature to generate a listing of the contents of the specified directory. If you haven’t enabled the default document or directory browsing features, and a client requests a directory-level URL, IIS returns an empty response.

  • HTTP Errors. Supports custom error and detailed error notification. When you enable this feature and the server encounters an error, the server can return a custom error page to all clients regardless of location, a detailed error message to all clients regardless of location, or a detailed error for local clients and a custom error page for remote clients. IIS displays a custom error page based on the type of HTTP error that occurred.

  • HTTP Redirection. Supports redirection of HTTP requests to send users from an old site to a new site. In the default configuration for redirection, all requests for files in the old location are mapped automatically to files in the new location you specify. You can customize this behavior in several ways.

  • Static Content. Supports static Web content, such as HTML documents and GIF or JPEG images. The staticContent/mimeMap configuration collection in the applicationHost.config file determines the list of file extensions supported.
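The five Common HTTP features above are all configured in the `system.webServer` section. The following web.config is an added example, not taken from the book: the trimmed default-document list, directory browsing off, the local-detail/remote-custom error mode, a redirect for an old path, and one extra MIME mapping. The paths, the `.webm` extension and the `legacy` folder are assumptions; the host name www.adatum.com is the one the text uses.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example: web.config at a site root. Each section used here is
     unlocked for delegation (overrideModeDefault="Allow") in the stock
     applicationHost.config, so a site's own web.config may set it. -->
<configuration>
  <system.webServer>

    <!-- Default Document: IIS probes the list top to bottom on every
         directory request, so the most-used name goes first and the
         rest of the stock list is cleared rather than inherited. -->
    <defaultDocument enabled="true">
      <files>
        <clear />
        <add value="default.aspx" />
        <add value="index.htm" />
      </files>
    </defaultDocument>

    <!-- Directory Browsing: disabled, so a folder with no default
         document yields an error instead of a listing of its files. -->
    <directoryBrowse enabled="false" />

    <!-- HTTP Errors: DetailedLocalOnly returns diagnostic detail only
         to requests from the server itself; remote clients get the
         custom page. The inherited 404 entry must be removed before it
         can be redefined (subStatusCode="-1" matches every 404.x). -->
    <httpErrors errorMode="DetailedLocalOnly">
      <remove statusCode="404" subStatusCode="-1" />
      <error statusCode="404" path="/errors/404.htm" responseMode="ExecuteURL" />
    </httpErrors>

    <!-- Static Content: extend the inherited staticContent/mimeMap
         collection. An extension with no mapping is refused (404.3)
         rather than served. Assumed extension for illustration. -->
    <staticContent>
      <mimeMap fileExtension=".webm" mimeType="video/webm" />
    </staticContent>

  </system.webServer>

  <!-- HTTP Redirection, scoped to the assumed "legacy" folder: with
       exactDestination="false" the requested relative path is appended
       to the destination, so /legacy/a/b.htm maps to the same file on
       the new host; Permanent sends a 301 so clients update links. -->
  <location path="legacy">
    <system.webServer>
      <httpRedirect enabled="true"
                    destination="http://www.adatum.com/"
                    exactDestination="false"
                    childOnly="false"
                    httpResponseStatus="Permanent" />
    </system.webServer>
  </location>
</configuration>
```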

The Application Development features install the features required for developing and hosting Web applications. You can use these features as follows:

  • .NET Extensibility. Enables a Web server to host .NET Framework applications and provides the necessary functionality for IIS integration with ASP.NET and the .NET Framework. When you are working with managed modules, you must also enable the Managed Engine. The Managed Engine is the actual server component that performs the integration functions.

  • ASP. Enables a Web server to host classic Active Server Pages (ASP) applications. Web pages that use ASP are considered to be dynamic because IIS generates them at request time. To use ASP, you must also use ISAPI Extensions.

  • ASP.NET. Enables a Web server to host ASP.NET applications. Web pages that use ASP.NET are considered to be dynamic because they are generated at request time. To use ASP.NET, you must also use .NET Extensibility, ISAPI Extensions, and ISAPI Filters.

  • CGI. Enables a Web server to host Common Gateway Interface (CGI) executables. CGI describes how executables specified in Web addresses, also known as gateway scripts, pass information to Web servers. By default, IIS handles all files with the .exe extension as CGI scripts.

  • ISAPI Extensions. Allows ISAPI Extensions to handle client requests. In the IIS server core, several components rely on handlers that are based on ISAPI Extensions, including ASP and ASP.NET. By default, IIS handles all files with the .dll extension as ISAPI Extensions.

  • ISAPI Filters. Allows ISAPI Filters to modify Web server behavior. IIS uses ISAPI Filters to provide additional functionality. When you select ASP.NET as part of the initial setup, Setup configures an ASP.NET filter to provide this functionality. In applicationHost.config, each version of ASP.NET installed on the Web server must have a filter definition that identifies the version and path to the related filter.

  • Server-Side Includes. Allows a Web server to parse files with Server-Side Includes (SSI). SSI is a technology that allows IIS to insert data into a document when a client requests it. When this feature is enabled, files with the .stm, .shtm, and .shtml extension are parsed to see if they have includes that should be substituted for actual values. If this feature is disabled, IIS handles .stm, .shtm, and .shtml files as static content, resulting in the actual include command being returned in the request.

Health and Diagnostics features enable you to monitor your servers, sites, and applications and to diagnose problems if they occur. You can use these features as follows:

  • Custom Logging. Enables support for custom logging. Typically, custom logging uses the ILogPlugin interface of the Component Object Model (COM). Rather than using this feature, Microsoft recommends that you create a managed module and subscribe to the RQ_LOG_REQUEST notification.

  • HTTP Logging. Enables support for logging Web site activity. You can configure IIS 7.0 to use one log file per server or one log file per site. Use per-server logging when you want all Web sites running on a server to write log data to a single log file. Use per-site logging when you want to track access separately for each site on a server.

  • Logging Tools. Allows you to manage server activity logs and automate common logging tasks using scripts.

  • ODBC Logging. Enables support for logging Web site activity to ODBC-compliant databases. In IIS 7.0, ODBC logging is implemented as a type of custom logging.

  • Request Monitor. Allows you to view details on currently executing requests, the run state of a Web site or the currently executing application domains, and more.

  • Tracing. Supports tracing of failed requests. Another type of tracing that you can enable after configuration is HTTP tracing, which allows you to trace events and warnings to their sources through the IIS server core.
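The per-server versus per-site logging choice and the failed-request tracing described above both live in applicationHost.config. The fragment below is an added example, not the book's: it selects per-site W3C logs with the sub-status field (which is what distinguishes a Request Filtering rejection such as 404.7 from an ordinary 404), turns on failed-request logging for every site, and defines one server-wide trace rule. The log directories, the 30-second threshold and the status-code list are assumptions.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example: fragments of applicationHost.config. -->
<configuration>
  <system.applicationHost>

    <!-- HTTP Logging: "Site" means one log file per Web site; the
         alternatives are CentralW3C and CentralBinary, which write a
         single per-server file. UTF-8 keeps non-ASCII URLs readable. -->
    <log centralLogFileMode="Site" logInUTF8="true" />

    <sites>
      <siteDefaults>
        <!-- Field selection for every site that does not override it.
             HttpSubStatus and Win32Status are what make a denied
             request (404.7 file extension, 404.8 hidden segment, 404.13
             content too large, and so on) identifiable in the log;
             TimeTaken and UserAgent support the Tracing rule below. -->
        <logFile logFormat="W3C"
                 directory="%SystemDrive%\inetpub\logs\LogFiles"
                 period="Daily"
                 localTimeRollover="false"
                 logExtFileFlags="Date, Time, ClientIP, UserName, SiteName, ServerIP, Method, UriStem, UriQuery, HttpStatus, HttpSubStatus, Win32Status, BytesSent, BytesRecv, TimeTaken, ServerPort, UserAgent, Referer, Host" />

        <!-- Failed Request Tracing output must be enabled per site (here
             for all sites) before any trace rule produces a file. -->
        <traceFailedRequestsLogging enabled="true"
                                    directory="%SystemDrive%\inetpub\logs\FailedReqLogFiles"
                                    maxLogFiles="50" />
      </siteDefaults>
    </sites>
  </system.applicationHost>

  <system.webServer>
    <tracing>
      <traceFailedRequests>
        <!-- One rule for every URL: capture a trace when a request is
             refused (401/403), rejected by request filtering (404.7,
             404.8), fails on the server (5xx) or runs longer than
             30 seconds. Warning verbosity keeps the files small. -->
        <add path="*">
          <traceAreas>
            <add provider="WWW Server"
                 areas="Authentication,Security,Filter,StaticFile,CGI,Compression,Cache,RequestNotifications,Module"
                 verbosity="Warning" />
            <add provider="ASPNET"
                 areas="Infrastructure,Module,Page,AppServices"
                 verbosity="Warning" />
          </traceAreas>
          <failureDefinitions statusCodes="401,403,404.7,404.8,500-599"
                              timeTaken="00:00:30" />
        </add>
      </traceFailedRequests>
    </tracing>
  </system.webServer>
</configuration>
```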

Security features make it possible to control access to a server and its content. You can use these features as follows:

  • Basic Authentication. Requires a user to provide a valid user name and password to access content. All browsers support this authentication mechanism, but they transmit the password without encryption, making it possible for a malicious individual to intercept the password as the browser is transmitting it. If you want to require Basic Authentication for a site or directory, you should disable Anonymous Authentication for the site or directory.

  • Client Certificate Mapping Authentication. Maps client certificates to Active Directory accounts for the purposes of authentication. When you enable certificate mapping, this feature performs the necessary Active Directory certificate mapping for authentication of authorized clients.

  • Digest Authentication. Uses a Windows domain controller to authenticate user requests for content. Digest Authentication can be used through firewalls and proxies.

  • IIS Client Certificate Mapping Authentication. Maps SSL client certificates to a Windows account for authentication. With this method of authentication, user credentials and mapping rules are stored within the IIS configuration store.

  • IP and Domain Restrictions. Allows you to grant or deny access to a server by IP address, network ID, or domain. Granting access allows a computer to make requests for resources but doesn’t necessarily allow users to work with resources. If you require authentication, users still need to authenticate themselves. Denying access to resources prevents a computer from accessing those resources, meaning that denied users can’t access resources even if they could have authenticated themselves.

  • Request Filtering. Allows you to reject suspicious requests by scanning URLs sent to a server and filtering out unwanted requests. By default, IIS blocks requests for file extensions that could be misused and also blocks browsing of critical code segments.

  • URL Authorization. Supports authorization based on configuration rules. This allows you to require logon and to allow or deny access to specific URLs based on user names, .NET roles, and HTTP request method.

  • Windows Authentication. Supports Windows-based authentication using NTLM, Kerberos, or both. You’ll use Windows Authentication primarily in internal networks.
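The security features above combine into a single protected path as follows. This is an added example, not the book's configuration, written as a `<location>` in applicationHost.config because the authentication, `access` and `ipSecurity` sections are locked against web.config delegation in the stock file. The site name, realm, domain, group, IP range, extensions and size limits are all assumptions.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example: fragment of applicationHost.config for one protected
     application path. -->
<configuration>
  <location path="Default Web Site/admin">
    <system.webServer>
      <security>

        <!-- Basic Authentication transmits the password unencrypted, so
             it is only offered together with an SSL requirement on this
             path, and Anonymous Authentication is disabled so that
             credentials are actually demanded. Windows Authentication is
             offered as well for internal clients: Negotiate (Kerberos)
             first, NTLM as the fallback. -->
        <authentication>
          <anonymousAuthentication enabled="false" />
          <basicAuthentication enabled="true"
                               realm="admin.adatum.com"
                               defaultLogonDomain="ADATUM" />
          <windowsAuthentication enabled="true">
            <providers>
              <clear />
              <add value="Negotiate" />
              <add value="NTLM" />
            </providers>
          </windowsAuthentication>
        </authentication>
        <access sslFlags="Ssl" />

        <!-- IP and Domain Restrictions: evaluated before authentication.
             Only the assumed internal range may issue requests at all. -->
        <ipSecurity allowUnlisted="false">
          <add ipAddress="10.0.0.0" subnetMask="255.0.0.0" allowed="true" />
        </ipSecurity>

        <!-- URL Authorization: remove the inherited "allow everyone" rule,
             then admit only members of one Windows group. Being
             authenticated is not by itself enough to reach this path. -->
        <authorization>
          <remove users="*" roles="" verbs="" />
          <add accessType="Allow" roles="ADATUM\WebAdmins" />
        </authorization>

        <!-- Request Filtering: the stock lists already deny .config,
             .cs, .mdf and the ASP.NET folders (bin, App_Data, ...);
             re-adding one of those is a duplicate-entry config error, so
             only new entries appear here. A hidden segment is refused
             wherever it occurs in the URL, not just at the root. -->
        <requestFiltering>
          <fileExtensions allowUnlisted="true">
            <add fileExtension=".bak" allowed="false" />
            <add fileExtension=".old" allowed="false" />
            <add fileExtension=".log" allowed="false" />
          </fileExtensions>
          <hiddenSegments>
            <add segment="backup" />
            <add segment=".svn" />
          </hiddenSegments>
          <verbs allowUnlisted="true">
            <add verb="TRACE" allowed="false" />
          </verbs>
          <!-- 10 MB body, 2 KB URL, 1 KB query string; a violation is
               logged as 404.13, 404.14 or 404.15 respectively. -->
          <requestLimits maxAllowedContentLength="10485760"
                         maxUrl="2048"
                         maxQueryString="1024" />
        </requestFiltering>

      </security>
    </system.webServer>
  </location>
</configuration>
```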

For enhancing performance, IIS supports both static compression and dynamic compression. With static compression, IIS performs an in-memory compression of static content upon first request and then saves the compressed results to disk for subsequent use. With dynamic compression, IIS performs in-memory compression every time a client requests dynamic content. IIS must compress dynamic content every time it is requested because dynamic content changes.

When you are trying to improve server performance and interoperability, don’t overlook the value of these extended features:

  • File Cache. Caches file handles for files opened by the server engine and related server modules. If IIS does not cache file handles, IIS has to open the files for every request, which can result in performance loss.

  • Managed Engine. Enables IIS integration with the ASP.NET runtime engine. When you do not configure this feature, ASP.NET integration also is disabled, and no managed modules or ASP.NET handlers will be called when pooled applications run in Integrated mode.

  • Token Cache. Caches Windows security tokens for password-based authentication schemes, including Anonymous Authentication, Basic Authentication, and Digest Authentication. Once IIS has cached a user’s security token, IIS can use the cached security token for subsequent requests by that user. If you disable or remove this feature, a user must be logged on for every request, which can result in multiple logon user calls that could substantially reduce overall performance.

  • HTTP Trace. Supports request tracing for whenever a client requests one of the traced URLs. The way IIS handles tracing for a particular file is determined by the trace rules that you create.

  • URI Cache. Caches the Uniform Resource Identifier (URI)-specific server state, such as configuration details. When you enable this feature, the server will read configuration information only for the first request for a particular URI. For subsequent requests, the server will use the cached information if the configuration does not change.

You use Web management tools for administration and can divide the available tools into two general categories: those required for managing IIS 7.0 and those required for backward compatibility with IIS 6. You can use the related setup features as follows:

  • IIS Management Console. Installs the Internet Information Services (IIS) Manager, the primary management tool for working with IIS 7.0.

  • IIS Management Scripts and Tools. Installs the IIS command line administration tool and related features for managing Web servers from the command prompt.

  • IIS Management Service. Installs the Web Management Service (WMSVC), which provides a hostable Web core that acts as a standalone Web server for remote administration.

  • IIS Metabase Compatibility. Provides the necessary functionality for backward compatibility with servers running IIS 6 Web sites by installing a component that translates IIS 6 metabase changes to the IIS 7.0 configuration store.

  • IIS 6 WMI Compatibility. Provides the necessary functionality for scripting servers running IIS 6 Web sites by installing the IIS 6 Windows Management Instrumentation (WMI) scripting interfaces.

  • IIS 6 Scripting Tools. Provides the necessary functionality for scripting servers running IIS 6 Web sites by installing the IIS 6 Scripting Tools.

  • IIS 6 Management Console. Installs the Internet Information Services (IIS) 6.0 Manager, which is required to remotely manage servers running IIS 6 sites and to manage FTP servers for IIS 6.

Role Services for Servers Running SharePoint Services

You use servers running Windows SharePoint Services to enable team collaboration by connecting people and information. A server running SharePoint Services is essentially a Web server running a full installation of IIS and using managed applications that provide the necessary collaboration functionality. When you deploy SharePoint Services on a server, you can manage the server by using IIS 7.0 modules and administration tools and several SharePoint-specific tools, including SharePoint Central Administration and the SharePoint Products And Technologies Configuration Wizard. After installation, both management tools will be available on the Administrative Tools menu.

On a SharePoint site, you can host lists and libraries. A list is a collection of information on a site that you share with team members, including announcements, contacts, discussion boards, tasks, and team calendars. A library is a location on a site where you can create, store, and manage the files used by a team. SharePoint sites can host Web pages in addition to lists and libraries, and your Web pages can use static content, dynamic content, or both.

In your deployment planning for servers running SharePoint Services, you must consider several additional issues including the additional security and connectivity requirements that may be necessary for team collaboration. You’ll want to ensure that you carefully protect access to a server running SharePoint Services. You’ll also want to ensure that team members can access the server from remote locations as appropriate for the potential sensitivity of the information they are sharing.

As part of your planning, you’ll need to consider the additional workload produced by SharePoint applications running on the server in addition to resources used by user connections. Windows SharePoint Services has a number of standard applications that run on a server running SharePoint Services, and these applications place an additional burden on the server’s physical resources. Each user connection to a server will place an additional workload on the server, as will the requests and modifications users make.