DEV232 IIS 7.0: End to End Overview
Thomas Deml
Lead Program Manager
Internet Information Services
Microsoft Corporation
Today’s Agenda…
• IIS 6.0 Pillars: Let’s review…
• To the next level, IIS 7.0 Pillars
• Security & IIS 7.0
• Extensibility: What to know
• Brand new Configuration
• Managing your IIS 7.0 Systems
• Troubleshooting & Diagnostics
• Summary
IIS 6.0 Pillars: Let’s Review…
Scalability
• Scale-up/scale-out
• Kernel-mode caching
• Integrated application platform
System Management
• XML-based configuration
• Command line administration
• Remote administration
Reliability
• Fault tolerant architecture
• Health monitoring
• Intelligent queuing
Security
• Secure by default
• Secure by design
• Secure in deployment
To the Next Level, IIS 7.0 Pillars…
Config
• Distributed, delegatable configuration
• Rich Extensibility
• Integrated Configuration for Web Platform
System Management
• Innovative, Brand-new IIS Manager
• AppCmd.exe: Command line administration
• HTTP & HTTPS Remote administration
Diagnostics
• Brand-new State API
• Easy-to-setup & Use Failed Request Tracing
• IIS & ASP.NET Integrated Diagnostics
Security
• Customized, Componentized Web Server
• Reduced management of Patches
• URLScan built-in Functionality
Extensibility
• Brand new Win32 API
• Integrated support for ASP.NET Modules
IIS 7.0
• Secure
• Reliable
• Scalability
A View of the Past: IIS 5.1 Setup Components
• WWW Service
• Printers Virtual Directory
• FrontPage 2000 Srv Ext
• Scripts Directory
• Remote Desktop ActiveX
• FTP Service
• Admin Tool
• Common Files
A Modular View of the Future: IIS 7’s 40 Setup Components
Common HTTP Web Server Components
• StaticFileModule
• DefaultDocumentModule
• DirectoryListingModule
• CustomErrorModule
• HttpRedirect
Security
• AnonymousAuthModule
• BasicAuthModule
• DigestAuthModule
• WindowsAuthModule
• CertificateAuthModule
• UrlAuthorizationModule
• IPSecurityModule
• RequestFilteringModule
Application Development
• ASP.NET
• NetFxExtensibility
• ASP
• CGIModule
• ISAPIModule
• ISAPIFilterModule
• ServerSideIncludeModule
Health and Diagnostics
• HttpLoggingModule
• CustomLoggingModule
• ODBCLogging
• LoggingLibraries
• RequestMonitorModule
• HTTPTracingModule
Performance
• Static Compression
• Dynamic Compression
Management
• ManagementConsole
• ManagementService
• ManagementScripting
• Metabase
• WMICompatibility
• LegacyScripts
• LegacySnap-in
FTP Publishing
• FTP Server
• FTP Management
Windows Process Activation Service
• ProcessModel
• NetFxEnvironment
• ConfigurationAPI
IIS7: Modularization
Security & IIS 7.0
• Slim & Efficient
• Install only the components you need
• Reduce attack surface to minimum
• Five times more granular than existing IIS versions
• Servicing and patching on a per component basis
• If you don’t install it, you won’t need to patch it
Extensibility in IIS 7.0
• A review: Extensibility in IIS 6
• Re-built Core Server with new Win32 API
• Full IIS Pipeline support for ASP.NET 2.0
Extensibility & IIS 7.0
• Internet Server API (ISAPI)
• ISAPI Filters
• ISAPI Extensions
• Pitfalls:
• Big Learning Curve for new & experienced Developers
• Lacks support for Managed Code Developers
• Locked, static set of APIs not easily expanded from release to release
Extensibility in IIS7: IIS 6’s “Request Pipeline”
Diagram labels:
• w3svc, http.sys, w3wp.exe
• handlers: cgi, static file, ISAPI exts
• ISAPI Filter Notifications: pre-proc headers, auth’c req, url map, log, end net session
• aspnet_isapi.dll
• IHttpModule Events: url map, begin req, auth’c req, auth’z req, resolve cache, handler map, handler exec, update req cache, rel req state, end req
• IHttpHandlers: Trace.axd, PageHandler
• custom errors, authentication, logging, compression, determine handler
Extensibility in IIS7: The New Merged IIS7 Pipeline
Diagram labels:
• was, http.sys
• Pipeline stages: begin, authenticate, authorize, resolve cache, map handler, acquire state, pre-execute handler, execute handler, release state, update cache, log, end
• forms auth, windows auth, digest auth, basic auth, role mgr, url auth’z
• IHttpModule, IHttpHandler, *.aspx, trace.axd
• Native Module, Native Handler, isapi ext, static file
• native modules, managed modules
Extensibility & IIS 7.0
• Core Server
• Brand new Win32 Native Interface
• ALL IIS modules written using this interface
• Unlike ISAPI, IIS team uses this very API just like you will
• Full ASP.NET 2.0 Support
• The IHttpModule interface available TODAY is supported
• ASP.NET 2.0 Handlers run exactly as they do today
• Configuration
• Fully extensible using XML schema files
• IIS Manager (User Interface)
• Using .NET 2.0, extend IIS Manager capabilities
• Diagnostics
• Add your events directly into our pipeline
Brand New Configuration in IIS 7.0
• Distributed Configuration for IIS & ASP.NET
• Fully non-administrative delegation
• IIS & ASP.NET Configuration: Side-by-Side
Configuration & IIS 7.0
• Metabase: Going, going, … GONE!
• Old metabase pushed to new configuration
• Property names stay the same
• Central File: ApplicationHost.config
• Strongly typed Schema
• Uses ASP.NET semantics for .config files
• Full Distributed Configuration
• Use only ApplicationHost.config using IIS 7 defaults
• Unlock: Give application developers control of individual sections, collections, elements, and more!
Configuration & IIS 7.0
• Metabase Inheritance
• Repetitive
• Large collections of Multi-strings (multi-sz) & Flags

<!-- Metabase.xml file -->
<IIsWebService Location="/LM/W3SVC"
    ScriptMaps=".asp,D:\WINDOWS\system32\inetsrv\asp.dll,5,GET,HEAD,POST,TRACE
        .idc,D:\WINDOWS\system32\inetsrv\httpodbc.dll,5,GET,POST
        .shtml,D:\WINDOWS\system32\inetsrv\ssinc.dll,5,GET,POST"
    … (other properties here)
>
</IIsWebService>
<IIsWebVirtualDir Location="/LM/W3SVC/1/ROOT"
    ScriptMaps=".asp,D:\WINDOWS\system32\inetsrv\asp.dll,5,GET,HEAD,POST,TRACE
        .idc,D:\WINDOWS\system32\inetsrv\httpodbc.dll,5,GET,POST
        .shtml,D:\WINDOWS\system32\inetsrv\ssinc.dll,5,GET,POST
        .aspx,D:\WINDOWS\Microsoft.NET\Framework\v2.0.x86chk\aspnet_isapi.dll,1,GET,HEAD,POST,DEBUG"
    … (other properties here)
>
</IIsWebVirtualDir>

IIS 7 Distributed Configuration
• Clear actions: Add, Remove, Clear, etc.
• Only modify what you don’t want inherited

<!-- ApplicationHost.config -->
<handlers>
    <add path="*.asp" modules="Asp" checkPathInfo="true" verb="GET,HEAD,POST" />
    <add path="*.stm" modules="ServerSideIncludeModule" checkPathInfo="true" verb="GET,POST" />
    <add path="*.exe" modules="CGIModule" checkPathInfo="true" verb="GET,POST" />
</handlers>

<!-- Web.Config in Application Root -->
<handlers>
    <add path="*.aspx" modules="aspnet" checkPathInfo="false" verb="GET,POST" />
</handlers>
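The add/remove/clear inheritance described on this slide, worked through as an added Python example (not code from the presentation or from IIS): it merges a parent and a delegated handlers collection and reports which mappings are effective and which the delegated level introduced. The sample fragments are constructed from the slide's attributes; keying the collection on path and rejecting duplicate adds are assumptions of this sketch.

```python
import xml.etree.ElementTree as ET

# Constructed samples modelled on the slide's two <handlers> fragments.
APPLICATION_HOST = """
<handlers>
  <add path="*.asp" modules="Asp" verb="GET,HEAD,POST" />
  <add path="*.stm" modules="ServerSideIncludeModule" verb="GET,POST" />
  <add path="*.exe" modules="CGIModule" verb="GET,POST" />
</handlers>"""

WEB_CONFIG = """
<handlers>
  <remove path="*.exe" />
  <add path="*.aspx" modules="aspnet" verb="GET,POST" />
</handlers>"""


def merge_handlers(*levels):
    """Apply each level's add/remove/clear directives in order, parent first.

    Returns {path: (modules, verbs, index_of_level_that_added_it)}.
    Assumption: the collection is keyed on the path attribute.
    """
    effective = {}
    for index, xml_text in enumerate(levels):
        for directive in ET.fromstring(xml_text):
            path = directive.get("path")
            if directive.tag == "clear":
                effective.clear()            # drop everything inherited so far
            elif directive.tag == "remove":
                effective.pop(path, None)    # drop one inherited mapping
            elif directive.tag == "add":
                if path in effective:
                    raise ValueError(f"duplicate handler for {path} at level {index}")
                verbs = tuple(v.strip().upper() for v in directive.get("verb", "*").split(","))
                effective[path] = (directive.get("modules"), verbs, index)
            else:
                raise ValueError(f"unknown directive <{directive.tag}>")
    return effective


def locally_added(effective, level_index):
    """Paths whose mapping was introduced at the given (delegated) level."""
    return sorted(p for p, (_, _, idx) in effective.items() if idx == level_index)


if __name__ == "__main__":
    for path, (modules, verbs, idx) in merge_handlers(APPLICATION_HOST, WEB_CONFIG).items():
        print(f"{path:8} {modules:24} {','.join(verbs):14} level {idx}")
```

Reviewing the output of locally_added for each delegated level shows exactly which handler mappings application owners introduced on top of the administrator's baseline.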
Configuration & IIS 7.0
Diagram: Windows Vista & IIS 7 configuration hierarchy
• ApplicationHost.config: Windows Administrators Only
• Website 1 Root, Website 2 Root (web.config): Site Administrators
• Application 1 Root, Application 2 Root (web.config): App Admins
Delegated Control, Distributed Configuration and Output Caching
Configuration & IIS 7.0
• Delegation of config settings to Developers
• XCopy deployment of configuration along with content
• Single configuration API for the entire Web Platform
• Clean, well schematized configuration files
• Rich extensibility
Managing your IIS 7.0 Systems
• Brand new User Interface – IIS Manager
• Completely re-built WMI Provider
• Next generation Command-line administration using AppCmd.exe
• Fully compatible system with IIS 6.0 ADSI & WMI
System Management & IIS 7.0: User Interface
• Wizards that fully-complete common tasks
• Fully delegable support to Windows/Non-Windows accounts
• Enhanced support for common ASP.NET configuration
• Wizard-based support for IIS Troubleshooting features
Efficient Server Administration: Command-line Admin w/AppCmd.exe
• AppCmd.exe offers quick access to new IIS 7 configuration
• Quick, efficient access to new IIS 7 configuration
• Mirrors *.vbs files from IIS 6.0
• Built-in “pipe” support

C:\> appcmd list sites
SITE "Default Web Site" (id:1,bindings:HTTP/*:80:,state:Started)
SITE "Site1" (id:2,bindings:http/*:81:,state:Started)
SITE "Site2" (id:3,bindings:http/*:82:,state:Stopped)

C:\> appcmd list requests
REQUEST "fb0000008000000e" (url:GET /wait.aspx?time=10000,time:4276 msec,client:localhost)
Command-line Administration with APPCMD
System Management & IIS 7.0: Compatibility
• WMIv2 & ADSI Support
• Existing Scripts will “just work”
• Installing Metabase support is easy
• Low-level interface to “re-route” Admin Base Object (ABO) calls to new configuration
• Relies on the Inetinfo.exe service being present and loaded
System Management & IIS 7.0
• Delegated management of sites and applications using IIS Manager
• Remote management over HTTP/S
• Support for Windows and non-Windows credentials
• AppCmd.exe offers direct, command-line access to brand-new configuration
• Complete extensibility across IIS Manager, WMI
• Full backwards compatibility with Metabase support
Troubleshooting in IIS 7.0
• Real-time state information available to Administrators & Developers
• Powerful Failed Request Tracing
• Extensive Custom Errors
Troubleshooting & Diagnostics in IIS 7.0: RSCA
• New, in-process state information available
• Current processes running
• Application Pools Process Id (PID)
• Currently executing requests
• AppDomains loaded
• Real-time starting & stopping of sites
Troubleshooting & Diagnostics in IIS 7.0: FREB
• Coolest feature of ‘em all…
• Failed Request Tracing traces all requests through IIS pipeline
• Automatically enabled on IIS 7
• Easily identifies requests that are stuck, or failing
• Identifies time taken in each module, helping analyze long running requests
Diagram labels: Begin Request, Read Metadata, Authenticate, Authorize, Cached, ISAPI Filter, Determine Handler
Troubleshooting & Diagnostics in IIS 7.0: Custom Errors
• Re-built Custom Errors
• Language specific (Accept-Encoding)
• Experience different for external clients than “Localhost”
• Detailed information
• Time
• URL
• Current Module
• Response Status, Sub-Status
• More Information (i.e. Steps to fix problem)
IIS7: Locating Failures
Troubleshooting & Diagnostics in IIS 7.0
• Real-time server state information
• Control APIs for managing state
• Detailed event trace events across web platform stack
• Automatic event trace logging on error conditions
• Extensibility for adding traces to application code
Putting it all Together… Summary
IIS 7.0: Security, Reliability, Scalable, Extensible, Config, System Management, Diagnostic
IIS 7 Extensibility
• Maximum extensibility
• Native & Managed Code support
• Platform extensibility in Core Server, WMI, User Interface, and Diagnostics
IIS 7 Management
• IIS Manager rebuilt from ground up
• Built in delegation support
• Support Windows & non-Windows accounts
• Remote admin support
• Fully extensible
IIS 7 Security
• Very strong customized web servers
• Lightweight processes for minimum footprint
• Strong Request Filtering to push URLScan into product
IIS 7 Diagnostics
• Real-time state information exposed via script & managed code
• View currently executing requests in IIS Manager or Script
• Failed Request Tracing: Zero-repro diagnostics
IIS 7 Configuration
• Metabase…GONE!
• Strongly Schematized Configuration
• Distributed & Delegation built directly into new configuration
• Full support for previous versions usage of ABO