DEV232
IIS 7.0
Ronnie Saurenmann, Principal Architect, Microsoft Switzerland
IIS 6.0 Pillars: Let’s Review…
• Scalability: Scale-up/scale-out; Kernel-mode caching; Integrated application platform
• System Management: XML-based configuration; Command line administration; Remote administration
• Reliability: Fault tolerant architecture; Health monitoring; Intelligent queuing
• Security: Secure by default; Secure by design; Secure in deployment
To the Next Level, IIS 7.0 Pillars…
• Config: Distributed, delegatable configuration; Rich extensibility; Integrated configuration for the Web platform
• System Management: Innovative, brand-new IIS Manager; AppCmd.exe: command line administration; HTTP & HTTPS remote administration
• Diagnostics: Brand-new state API; Easy-to-setup & use Failed Request Tracing; IIS & ASP.NET integrated diagnostics
• Security: Customized, componentized Web server; Reduced management of patches; URLScan built-in functionality
• Extensibility: Brand new Win32 API; Integrated support for ASP.NET modules
• Foundation (IIS 7.0): Secure, Reliable, Scalable
Security & IIS 7.0
• Custom, Componentized Web Server
• Reduce Patch Management
• Built-in URLScan
IIS7: Modularization
• Slim & Efficient
  • Install only the components you need
• Reduce attack surface to minimum
• Five times more granular than existing IIS versions
• Servicing and patching on a per component basis
  • If you don’t install it, you won’t need to patch it
Extensibility & IIS 7.0
• Internet Server API (ISAPI)
  • ISAPI Filters
  • ISAPI Extensions
• Pitfalls:
  • Big learning curve for new & experienced developers
  • Lacks support for managed code developers
  • Locked, static set of APIs not easily expanded from release to release

IIS6 Architecture
[Diagram: IIS6 fixed request pipeline — HTTP Request → Authentication (Basic, NTLM, Anon) → … → DetermineHandler (CGI, Static File, ISAPI) → … → Response Compression → Logging → HTTP Response]
• Monolithic server implementation
• Limited customization
• Fixed functionality
• Limited ISAPI Filter extensibility
IIS7 Architecture
[Diagram: IIS7 generic request pipeline — HTTP Request → Authentication → Authorization → ResolveCache → … → DetermineHandler → ExecuteHandler → … → UpdateCache → SendResponse → HTTP Response; every stage is a pluggable module]
• Componentized server
• Pluggable modular functionality
• Small generic request pipeline
• Enables:
  • Lightweight servers
  • Custom / specialized servers
IIS6 ASP.NET Integration
[Diagram: the IIS6 pipeline (Authentication: Basic/NTLM/Anon → DetermineHandler: CGI, Static File, ISAPI → Compression, Log → SendResponse) hands ASP.NET requests to aspnet_isapi.dll, which runs its own pipeline (Authentication: Forms/Windows → MapHandler → ASPX, Trace, …)]
• ISAPI Extension
• Only processes ASP.NET requests
• Runtime limitations
• Feature duplication
IIS7 ASP.NET Integration
• Two modes:
  • ISAPI (compat)
  • Integrated
• Integrated mode
  • .NET modules plug directly into server
  • Process all requests
  • Full runtime fidelity
[Diagram: in integrated mode the ASP.NET modules (Authentication, MapHandler, Compression, Log, …) sit directly in the unified IIS pipeline; aspnet_isapi.dll is only used in ISAPI compatibility mode]
Forms authentication
Handler
• Reacts on requests
• Responsible for building the HTTP response
• Implements IHttpHandler
• Configured in <httpHandlers> in web.config
• ASPX pages implement IHttpHandler
Jpg Handler
Module
• Implements IHttpModule
• Registers for pipeline events in Init
• Called for each request
• Configured in <httpModules> in web.config
• Many ASP.NET features are implemented as modules
  • Authentication & Authorization
  • Caching
  • Profile
Pipeline Events
Step/Event: Detail
• BeginRequest
• AuthenticateRequest¹: Identify user
• AuthorizeRequest¹: Check access
• ResolveRequestCache¹: Output cache loaded
• MapRequestHandler¹²: Handler created
• AcquireRequestState¹: Session loaded
• PreRequestHandlerExecute
• ExecuteHandler²: IHttpHandler.ProcessRequest executed
• PostRequestHandlerExecute
• ReleaseRequestState¹: Session saved
• UpdateRequestCache¹: Output cache updated
• EndRequest
¹ indicates a Post event as well (e.g. PostAuthenticateRequest)
² indicates a step in the processing without an event
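As an added example (not code from the deck), the following C# shows the two building blocks just described in integrated mode: an IHttpModule that registers for BeginRequest, PostAuthenticateRequest and EndRequest in Init and runs for every request, and an IHttpHandler for *.jpg requests (the "Jpg Handler" demo) that serves a file only after checking the resolved path stays inside the site root. The type names, header names and the web.config registration in the comment are assumptions.

```csharp
using System;
using System.Diagnostics;
using System.IO;
using System.Web;

// Added example, not code from the deck. Registration in web.config for
// integrated mode (names are hypothetical):
//   <system.webServer>
//     <modules>  <add name="RequestAudit" type="RequestAuditModule" /> </modules>
//     <handlers> <add name="Jpg" path="*.jpg" verb="GET" type="JpgHandler" /> </handlers>
//   </system.webServer>
// In classic/ISAPI mode the same types are listed under system.web/httpModules
// and system.web/httpHandlers instead.
public class RequestAuditModule : IHttpModule
{
    private const string StopwatchKey = "RequestAuditModule.Stopwatch";

    // Init runs once per HttpApplication instance; the event handlers
    // registered here then run for every request through the pipeline.
    public void Init(HttpApplication app)
    {
        app.BeginRequest += OnBeginRequest;
        app.PostAuthenticateRequest += OnPostAuthenticateRequest;
        app.EndRequest += OnEndRequest;
    }

    private static void OnBeginRequest(object sender, EventArgs e)
    {
        HttpContext ctx = ((HttpApplication)sender).Context;
        ctx.Items[StopwatchKey] = Stopwatch.StartNew();
    }

    private static void OnPostAuthenticateRequest(object sender, EventArgs e)
    {
        HttpContext ctx = ((HttpApplication)sender).Context;
        // In integrated mode this fires for static files as well as .aspx,
        // so the identity of every request is visible at this point.
        string user = (ctx.User != null && ctx.User.Identity.IsAuthenticated)
            ? ctx.User.Identity.Name : "(anonymous)";
        ctx.Trace.Write("RequestAudit", "PostAuthenticateRequest: " + user);
    }

    private static void OnEndRequest(object sender, EventArgs e)
    {
        HttpContext ctx = ((HttpApplication)sender).Context;
        Stopwatch sw = ctx.Items[StopwatchKey] as Stopwatch;
        if (sw == null) return;
        sw.Stop();
        // Per-request timing, handy when hunting long-running requests.
        ctx.Response.AppendHeader("X-Request-Duration-ms",
            sw.ElapsedMilliseconds.ToString());
    }

    public void Dispose() { }
}

// Serves a .jpg only when the resolved physical path stays inside the
// application root; traversal attempts, other extensions and missing
// files all get a plain 404.
public class JpgHandler : IHttpHandler
{
    public bool IsReusable { get { return true; } }

    public void ProcessRequest(HttpContext ctx)
    {
        string root = Path.GetFullPath(ctx.Server.MapPath("~/"))
                          .TrimEnd(Path.DirectorySeparatorChar)
                      + Path.DirectorySeparatorChar;
        string full = Path.GetFullPath(ctx.Request.PhysicalPath);

        bool insideRoot = full.StartsWith(root, StringComparison.OrdinalIgnoreCase);
        bool isJpg = string.Equals(Path.GetExtension(full), ".jpg",
                                   StringComparison.OrdinalIgnoreCase);
        if (!insideRoot || !isJpg || !File.Exists(full))
        {
            ctx.Response.StatusCode = 404;
            ctx.ApplicationInstance.CompleteRequest();
            return;
        }

        ctx.Response.ContentType = "image/jpeg";
        ctx.Response.AppendHeader("X-Content-Type-Options", "nosniff");
        ctx.Response.TransmitFile(full);
    }
}
```

The module keeps its per-request state in HttpContext.Items rather than in a field, because one module instance is reused across requests on the same HttpApplication; the handler sets IsReusable to true for the same reason and therefore holds no request state at all.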
Broken image and URL rewriting
Brand New Configuration in IIS 7.0
• Distributed Configuration for IIS & ASP.NET
• Fully non-administrative delegation
• IIS & ASP.NET Configuration: Side-by-Side
Configuration & IIS 7.0
• Metabase: Going, going, … GONE!
• Old metabase pushed to new configuration
  • Property names stay the same
• Central file: ApplicationHost.config
  • Strongly typed schema
  • Uses ASP.NET semantics for .config files
• Full distributed configuration
  • Use only ApplicationHost.config using IIS 7 defaults
• Unlock: give application developers control of individual sections, collections, elements, and more!
Configuration & IIS 7.0
[Diagram: Windows Vista & IIS 7 configuration hierarchy — ApplicationHost.config (Windows Administrators only) → Website 1 Root / Website 2 Root web.config (Site Administrators) → Application 1 Root / Application 2 Root web.config (AppAdmins)]
Configuration Layout
[Diagram: root configuration files — machine.config and root web.config (.NET Framework, ASP.NET) plus applicationHost.config (IIS) — are inherited by the web.config files of sites and applications (IIS + ASP.NET + .NET Framework)]
Inheritance…
Configuration & IIS 7.0
• Delegation of config settings to Developers
• XCopy deployment of configuration along with content
• Single configuration API for the entire Web Platform
• Clean, well schematized configuration files
• Rich extensibility
Configuration extensibility
Managing your IIS 7.0 Systems
• Brand new User Interface – IIS Manager
• Completely re-built WMI Provider
• Next generation Command-line administration using AppCmd.exe
• Fully compatible system with IIS 6.0 ADSI & WMI
New IIS7 Manager
• Remotes over HTTP, making it firewall friendly (Note: Remote management is not installed by default)
• Supports delegated management of sites and applications by non-admins
• Provides managed extensibility for customization
UI extensibility
Efficient Server Administration: Command-line Admin w/AppCmd.exe
• AppCmd.exe offers quick, efficient access to new IIS 7 configuration
• Mirrors *.vbs files from IIS 6.0
• Built-in “pipe” support

C:\> appcmd list sites
SITE "Default Web Site" (id:1,bindings:HTTP/*:80:,state:Started)
SITE "Site1" (id:2,bindings:http/*:81:,state:Started)
SITE "Site2" (id:3,bindings:http/*:82:,state:Stopped)

C:\> appcmd list requests
REQUEST "fb0000008000000e" (url:GET /wait.aspx?time=10000,time:4276 msec,client:localhost)

AppCmd.exe
Troubleshooting in IIS 7.0
• Real-time state information available to Administrators & Developers
• Powerful Failed Request Tracing
• Extensive Custom Errors
Troubleshooting & Diagnostics in IIS 7.0
• New, in-process state information available
  • Current processes running
  • Application Pools Process Id (PID)
  • Currently executing requests
  • AppDomains loaded
• Real-time starting & stopping of sites
Currently executing requests
Microsoft.Web.Administration
• First managed code API for administering IIS
• Same objects and functionality as WMI, appcmd
• What about System.Configuration?
  • System.Configuration:
    • Strongly typed ASP.NET and .NET Framework config
  • Microsoft.Web.Administration:
    • Weakly typed IIS, ASP.NET, and .NET Framework config
    • Strongly typed IIS objects like Sites and Application Pools
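Added example (not code from the deck) using Microsoft.Web.Administration for two things the slides describe: the in-process state view (worker processes, their PIDs and the requests they are currently executing) and the delegation model of applicationHost.config, where a site-level web.config may override a section only once an administrator has unlocked it. The class name, the 5000 ms threshold and the section paths queried in Main are assumptions; the code must run elevated on the IIS 7 machine.

```csharp
using System;
using System.Linq;
using Microsoft.Web.Administration;

// Added example, not code from the deck.
public static class IisInspector
{
    // Prints every worker process and the requests that have been executing
    // for longer than thresholdMs; returns how many such requests were found.
    public static int ReportLongRunningRequests(long thresholdMs)
    {
        int count = 0;
        using (ServerManager mgr = new ServerManager())
        {
            foreach (WorkerProcess wp in mgr.WorkerProcesses)
            {
                Console.WriteLine("AppPool {0}  PID {1}  state {2}",
                    wp.AppPoolName, wp.ProcessId, wp.State);
                // GetRequests(0) returns all requests regardless of elapsed time
                var slow = wp.GetRequests(0)
                             .Cast<Request>()
                             .Where(r => r.TimeElapsed > thresholdMs);
                foreach (Request r in slow)
                {
                    count++;
                    // CurrentModule/PipelineState tell you where the request is stuck
                    Console.WriteLine("  {0} {1}  {2} ms  module={3} stage={4}",
                        r.Verb, r.Url, r.TimeElapsed, r.CurrentModule, r.PipelineState);
                }
            }
        }
        return count;
    }

    // Delegation check: applicationHost.config locks most system.webServer
    // sections by default; a site or application web.config may override a
    // section only when its effective override mode is Allow.
    public static bool IsSectionDelegated(string sectionPath)
    {
        using (ServerManager mgr = new ServerManager())
        {
            Configuration appHost = mgr.GetApplicationHostConfiguration();
            ConfigurationSection section = appHost.GetSection(sectionPath);
            return section.OverrideModeEffective == OverrideMode.Allow;
        }
    }

    public static void Main()
    {
        ReportLongRunningRequests(5000);   // hypothetical threshold
        string[] paths =
        {
            "system.webServer/handlers",
            "system.webServer/security/authentication/anonymousAuthentication"
        };
        foreach (string path in paths)
            Console.WriteLine("{0,-64} delegated: {1}", path, IsSectionDelegated(path));
    }
}
```

Checking OverrideModeEffective rather than OverrideMode matters: a section can inherit its lock from a parent location tag, so the effective value is the one that decides whether a site owner's web.config is honoured.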
Managed currently executing requests using LINQ
Troubleshooting & Diagnostics in IIS 7.0: FREB
• Coolest feature of ‘em all…
  • Failed Request Tracing traces all requests through the IIS pipeline
• Automatically enabled on IIS 7
• Easily identifies requests that are stuck, or failing
• Identifies time taken in each module, helping analyze long running requests
[Diagram: trace of one request through the pipeline — Begin Request → Read Metadata → Authenticate → Authorize → Cached → ISAPI Filter → Determine Handler]
FREB + .NET tracing integration
Troubleshooting & Diagnostics in IIS 7.0
• Real-time server state information
• Control APIs for managing state
• Detailed event trace events across web platform stack
• Automatic event trace logging on error conditions
• Extensibility for adding traces to application code
Output caching
Web Farm: Life Before IIS 7.0
[Diagram: one Metabase.XML per server]
1. Configure master server
2. Replicate config
3. Change configuration
4. Re-replicate config
Replication and synchronization are challenging, requiring custom code
New IIS 7.0 Improvements
What’s new for Web farm administrators …
• Ability to share configuration between servers
• Shared config removes need for synchronization
• Computer-independent configuration
• Distributed config down to the application level
• Xcopy deploy an application or entire server
• Manage local or remote apps using IIS Manager
• Detailed error messages show the user account being used for authentication to the Universal Naming Convention (UNC) path
Portability
[Diagram: App Deployment — the site owner copy-deploys content together with the AppHost.config XML over the Internet to the server]
Quickly deploy an entire site from the dev computer to the server

Replication and Synchronization
[Diagram: Shared App Hosting — several nodes read one shared AppHost.config (SharedConfig)]
Configuration is shared between multiple nodes, just stays in sync

Staging and Rollback
[Diagram: Staging New Config — AppHost.config Version 1 and Version 2 kept side by side]
Easily manage multiple configuration versions for staging and rollback
Shared config
Content Replication
• To achieve high fail-over and scalability:
  • Store content on a back-end file server, not on the front-ends
  • Use Distributed File System Replication (DFSR) to replicate content between remote file servers
• Changes in Windows Server® 2008 to Server Message Block (SMB) …
  • Enable greater number of connections
  • No more setting MaxCmds/MaxMpt registry
Shared Config and Offline Files
• When to use?
  • If you want to ensure front-ends use a cached copy of applicationHost.config when the file share is down
• Pros
  • Quick, easy to use
  • Ensures simple scenario availability
• Cons
  • Changes to config aren’t replicated until the file share is back online
Shared Config and Windows Clustering
• When to use?
  • Uptime is critical and you need to ensure config is always available
• Pros
  • Great solution for content and config
  • Config is always up-to-date
  • Relatively easy to configure
• Cons
  • Needs AD
  • Needs dedicated, certified hardware
Shared Config and DFS
• When to use?
  • Uptime is critical and you need to ensure config is always available
• Pros
  • Great solution for content and config
  • Config is always up-to-date
  • Relatively easy to configure
• Cons
  • More work to set up than offline files
  • Needs AD
Best Practices
• Before you enable shared config!
  • Make sure that all the servers have the same components installed
  • Verify on each computer using Role Manager or registry query
• Before you install a new component!
  • If it writes to the applicationHost.config, you can’t install it with shared config enabled
  • Take a server offline and update separately
• Best practice: configure servers as needed before enabling shared config
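One way to do the "same components installed" verification from the best practices above, as an added example that is not the deck's or Microsoft's own code: read the native modules registered in system.webServer/globalModules of each farm node's applicationHost.config through Microsoft.Web.Administration and report any module whose presence or image path differs between nodes. The node names are hypothetical; ServerManager.OpenRemote needs administrative rights on every node.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using Microsoft.Web.Administration;

// Added example, not from the deck: pre-flight check before enabling shared
// configuration. A module present on one node but missing on another would
// make the shared applicationHost.config invalid on the node lacking it.
public static class FarmConsistencyCheck
{
    // Module name -> image path, read from system.webServer/globalModules
    public static IDictionary<string, string> GetGlobalModules(ServerManager mgr)
    {
        ConfigurationSection section = mgr.GetApplicationHostConfiguration()
                                          .GetSection("system.webServer/globalModules");
        return section.GetCollection()
            .ToDictionary(e => (string)e["name"], e => (string)e["image"],
                          StringComparer.OrdinalIgnoreCase);
    }

    // Returns the names of modules that are not installed identically
    // (same name, same image path) on every node.
    public static List<string> FindMismatches(
        IDictionary<string, IDictionary<string, string>> perNode)
    {
        var allNames = new HashSet<string>(perNode.Values.SelectMany(d => d.Keys),
                                           StringComparer.OrdinalIgnoreCase);
        var mismatched = new List<string>();
        foreach (string name in allNames)
        {
            var images = perNode.Values
                .Select(d => d.ContainsKey(name) ? d[name] : "<missing>")
                .Distinct(StringComparer.OrdinalIgnoreCase)
                .ToList();
            if (images.Count > 1) mismatched.Add(name);
        }
        mismatched.Sort(StringComparer.OrdinalIgnoreCase);
        return mismatched;
    }

    public static void Main()
    {
        string[] nodes = { "web01", "web02", "web03" };   // hypothetical node names
        var perNode = new Dictionary<string, IDictionary<string, string>>();
        foreach (string node in nodes)
            using (ServerManager mgr = ServerManager.OpenRemote(node))
                perNode[node] = GetGlobalModules(mgr);

        List<string> bad = FindMismatches(perNode);
        if (bad.Count == 0)
            Console.WriteLine("All nodes register the same global modules; safe to enable shared config.");
        else
            foreach (string name in bad)
                Console.WriteLine("Mismatch across nodes: {0}", name);
    }
}
```

FindMismatches is deliberately separated from the data collection so the same comparison can be run over module lists gathered by other means (for example the registry query the slide mentions) without touching ServerManager.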
Questions—Outages
• What happens if the file server with the config goes down, but the Web servers are still up?
  • Config will be cached in memory. If the Web service is restarted, it will report invalid config.
  • Mitigation: Use a redundant solution like DFSR for both content and configuration
• How do we cache config on each local computer?
  • Use offline files, or client-side caching, just for the shared config files
  • Files are copied locally and used until the file server is back online
Questions—Performance
• What is the impact to performance when any server changes are made to the farm?
  • Changes are written to the shared config. If you change a global setting, all active worker processes will restart.
  • Mitigation: Perform global changes during non-peak times
  • Note: Only global-level changes cause the restart; changes to individual pools/sites will only affect that pool/site
• Does using shared config cause less throughput for sites?
  • Not a significant decrease, and the IIS team is recommending it for Web farms
More Questions
• What if I have a different IP address on each node (I’m not using a single, virtual IP – like Network Load Balancing [NLB])?
  • Configure multiple bindings for each site
• Does the new, out-of-band FTP server work with shared config?
  • Yes! But per the best practices, you need to either install it prior to enabling shared config … or you need to stage the deployment one node at a time.
WAS – Windows Process Activation Services
• IIS <7 knows only HTTP requests
• IIS7 can be extended through listener adapters
  • Out of the box we ship with TCP, MSMQ and NamedPipes
  • Used by WCF
[Diagram: Service.svc hosted in w3wp.exe, activated by WAS through the http, tcp, pipes and msmq listener adapters]
WCF WAS TCP/Binary
IIS 7 Compression (gzip)
• Save bandwidth
  • But costs more CPU
• Static (.htm) compression is enabled by default
• You can enable it for ASP.NET content
  • Easier with IIS 7.0 through UI
• On-the-fly compression shutoff/resume depending on CPU load
  • system.webServer/httpCompression section
  • dynamicCompressionDisableCpuUsage
  • dynamicCompressionEnableCpuUsage
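Added example (not code from the deck) for the CPU-based shutoff/resume just listed: it reads the two thresholds from system.webServer/httpCompression through Microsoft.Web.Administration and sets new ones, refusing a pair where the enable threshold is not below the disable threshold, since the server switches dynamic compression off above the disable value and back on below the enable value. The class name and the 90/50 values are assumptions; the commit needs administrative rights.

```csharp
using System;
using Microsoft.Web.Administration;

// Added example, not from the deck. Equivalent applicationHost.config
// fragment (illustrative values):
//   <httpCompression dynamicCompressionDisableCpuUsage="90"
//                    dynamicCompressionEnableCpuUsage="50" ... />
public static class CompressionThrottle
{
    // Dynamic compression stops once CPU use exceeds disableCpu and resumes
    // once it drops below enableCpu, so enableCpu must be the lower value;
    // otherwise compression would never resume after the first shutoff.
    public static bool IsConsistent(int disableCpu, int enableCpu)
    {
        return enableCpu >= 0 && disableCpu <= 100 && enableCpu < disableCpu;
    }

    public static void Apply(int disableCpu, int enableCpu)
    {
        if (!IsConsistent(disableCpu, enableCpu))
            throw new ArgumentException(
                "enable threshold must be below the disable threshold (both 0..100)");

        using (ServerManager mgr = new ServerManager())
        {
            ConfigurationSection compression = mgr.GetApplicationHostConfiguration()
                .GetSection("system.webServer/httpCompression");

            Console.WriteLine("current: disable at {0}% CPU, resume below {1}% CPU",
                compression["dynamicCompressionDisableCpuUsage"],
                compression["dynamicCompressionEnableCpuUsage"]);

            compression["dynamicCompressionDisableCpuUsage"] = disableCpu;
            compression["dynamicCompressionEnableCpuUsage"] = enableCpu;
            mgr.CommitChanges();   // writes applicationHost.config
        }
    }

    public static void Main()
    {
        Apply(90, 50);   // hypothetical thresholds
    }
}
```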
gzip
IIS 7 Extensibility
• Maximum extensibility
• Native & managed code support
• Platform extensibility in core server, WMI, user interface, and diagnostics

Putting it all Together… Summary
IIS 7.0 pillars: Security, Reliability, Scalable, Extensible, Config, System Management, Diagnostic

IIS 7 Management
• IIS Manager rebuilt from the ground up
• Built in delegation support
• Support Windows & non-Windows accounts
• Remote admin support
• Fully extensible

IIS 7 Security:
• Very strong customized web servers
• Lightweight processes for minimum footprint
• Strong request filtering to push URLScan into product

IIS 7 Diagnostics
• Real-time state information exposed via script & managed code
• View currently executing requests in IIS Manager or script
• Failed Request Tracing: zero-repro diagnostics

IIS 7 Configuration
• Metabase… GONE!
• Strongly schematized configuration
• Distributed & delegation built directly into new configuration
• Full support for previous versions’ usage of ABO
TechDays'08 – The Launch Event
• Major Swiss Launch-Event (Windows Server 2008, Visual Studio 2008, SQL Server 2008)
• 1’200 customers and 20 associated companies on site
• 2 days, 50 sessions with international top-speakers
• 5 tracks for IT Pros, Developers & Software-Architects
• Final software of all 3 Launch-products for every participant
• Big Launch-Party
• 2 Days-Pass: CHF 490.– (VAT included)
19.-20. March 2008 St. Jakobshalle, Basel
IIS’s new home for the community…
© 2008 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS SUMMARY.