Post on 19-Dec-2015
Introducing IIS7: Microsoft’s Next Generation Web Server
IIS 6 Today: A Proven Platform
Proven Scale
• MySpace - 23 Billion Page* Views/Month
• Microsoft.com - 10k Req/sec & 300K Connections
• Match.com - 30 million page views daily
Proven Security
• No critical IIS 6 hotfixes since RTM (as of 5/20/07)
Proven Trust
• 54% of Fortune 1000 use IIS (port80software.com)
A solid foundation to build on.
Security Progress for IIS
Notes
• MS02-011 & 012 not included: updates SMTP service only
• ASP.NET adds: 1 - v 2.0, 2 - v 1.1, 3 - v 1.0
Two security patches for IIS 6 since RTM (>3 yrs)
[Chart: timeline of security bulletins for IIS 4, IIS 5 and IIS 6 along a 2002 to 2006 axis. Legend: critical, less than critical, rollup with X updates. Labeled points: 4/15 Server 2003 RTM; 4/10 02-018; 6/11 02-028; 10/30 02-062; 5/28 03-018; 10/12 04-021 (WebDAV DoS); 7/13 04-021; 06/11 06-034 (ASP).]
Internet Information Services (IIS) 7.0
More than a Web server, Internet Information Services 7.0 provides an accessible, extensible platform for developing and reliably hosting Web applications and services.
Modular Architecture
Manageable
Built in Request Tracing
Extensible Design
Integrated with .NET
IIS 7.0 Enhancements
• Create Streamlined Servers
• Reduced Attack Surface
• Extend/Modify IIS Features
• Rapid Application Deployment
• Fast Diagnostics
Microsoft.com on IIS 7
• Beta 3 of Windows Server 2008 since June 12
• Great Compatibility
  • 99%+ ASP and ASP.NET worked
  • One application encountered breaking change out of 260
  • Classic ASP mode and AppCmd
• And loved
  • New UI, death of metabase, shared config, failed request tracing etc.
http://blogs.technet.com/mscom/archive/2007/09/07/the-tasty-morsels-found-in-dogfood-mscom-ops-top-10-changes-in-iis7-0.aspx
Extensible Design
IIS6 Architecture - Request Processing
• Monolithic implementation
• Install all or nothing…
• Extend server functionality only through ISAPI…
[Diagram: IIS 6 request processing as fixed stages. Box labels: Authentication (Anon, NTLM, Basic); Determine Handler (CGI, Static File, ISAPI, with ASP.NET and PHP); Send Response (Log, Compress).]
IIS7 Architecture - Request Processing
• Server functionality is split into ~40 modules...
• Modules plug into a generic request pipeline…
• Modules extend server functionality through a public module API.
[Diagram: generic request pipeline with stages Authentication, Authorization, ResolveCache, ExecuteHandler, UpdateCache, SendResponse. Module labels: Anon, NTLM, Basic, CGI, Static File, ISAPI, Log, Compress.]
View Default Running Modules
C:\Windows\System32\inetsrv\config
The Many Benefits of IIS7’s Modular Design
Feature | IIS 6 | IIS 7 | Benefits
Architecture | Monolithic | Modular | Customize, Extend, Streamline
Setup | Most features installed (many disabled) | Minimal installation for designated role | Increased Security
Extend Features | ISAPI filters and ISAPI extensions | Add modules and handlers in native or managed code | Easier to develop application and administration features
Customize UI | Possible, but not common. | Extensible, modular, based on .NET | Much easier for developers to provide new admin features
Extensibility
IIS 6
• IIS 6 extensibility limited to ISAPI filter and extensions
• UI modifications in MMC are challenging
• Difficult to extend IIS 6 Schema
• Web service activation using http only
IIS 7
• Native or managed code modules and handlers
• Easy to add your apps to UI
• Simple to extend IIS 7 schema
• Instrument apps to integrate with IIS 7 tracing
• Host web services using non-http protocols
Instantly you can tell it is new...
The New IIS 7 Manager
• Completely redesigned IIS Manager
  • Task-oriented
  • Context sensitive ‘Actions’ pane
  • Tabs are replaced with Icons
• Allows IIS and ASP.NET configuration
  • Icons instead of tabs
• Provides managed extensibility
  • Add new management and IIS features
  • Application configuration can integrate into UI
• View health and diagnostics within the UI
• Built in remote administration over https
• Manage 1 or 1000’s of sites
Introducing the IIS Manager
demo
.NET Integration
Integrated Application Pool
• Application Pool architecture based on IIS 6
  • Familiar settings for recycling, health monitoring, and process identity are unchanged
• Two pool types in IIS 7
• Integrated (default)
  • Allows use of managed code to provide pipeline services for all requests
  • Example: .NET Forms authentication for Perl
  • Integrated is the default for new pools
• Classic
  • Works same as IIS 6
  • Ensures .NET compatibility
.NET Integration
Simplifies security and administration
Leverage the power of .NET for all content with managed global modules
Forms Authentication
URL Authorization
.NET Caching
.NET Role and Membership Providers
New APIs manage both IIS 7 and .NET
Enables Xcopy deployment scenarios
IIS6 ASP.NET Integration
• ISAPI-based Implementation
• Only sees ASP.NET requests
• Feature duplication
[Diagram: the IIS 6 request path (Authentication: Anon, NTLM, Basic; Determine Handler: CGI, Static File, ISAPI; Send Response: Log, Compress) with aspnet_isapi.dll containing its own ASP.NET stages (Authentication: Forms, Windows; Map Handler: ASPX, Trace).]
IIS7 ASP.NET Integration
Two App Pool Modes
• Classic (IIS 6)
• Integrated Mode
  • .NET modules / handlers plug directly into pipeline
  • Process all requests
  • Full runtime fidelity
[Diagram: the IIS 7 pipeline stages (Authentication, Authorization, ResolveCache, ExecuteHandler, UpdateCache, SendResponse) with module labels Anon, Basic, Static File, ISAPI, Log, Compress alongside the ASP.NET labels from aspnet_isapi.dll (Authentication: Forms, Windows; Map Handler: ASPX, Trace).]
Migrating to Integrated ASP.NET
Handler and module configuration settings have moved:
• system.web/httpHandlers → system.webServer\handlers
• system.web/httpModules → system.webServer\modules
Setting the “managedHandler” precondition for a module means “execute only for ASP.NET requests”
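An added example, not part of the original deck: a small Python audit of a web.config against the two points above. It lists entries still registered under system.web that need to move to system.webServer, and modules whose managedHandler precondition limits them to ASP.NET requests, which matters when a managed authentication module is expected to cover all content. The sample configuration and the Contoso type names are constructed, and the function name is hypothetical.

```python
import xml.etree.ElementTree as ET

# Constructed sample web.config: one module and one handler still under
# <system.web>, and a managed module registered with managedHandler.
SAMPLE_WEB_CONFIG = """
<configuration>
  <system.web>
    <httpModules>
      <add name="AuditModule" type="Contoso.AuditModule" />
    </httpModules>
    <httpHandlers>
      <add verb="GET" path="*.report" type="Contoso.ReportHandler" />
    </httpHandlers>
  </system.web>
  <system.webServer>
    <modules>
      <add name="FormsAuthentication"
           type="System.Web.Security.FormsAuthenticationModule"
           preCondition="managedHandler" />
      <add name="HeaderModule" type="Contoso.HeaderModule" />
    </modules>
  </system.webServer>
</configuration>
"""

def audit_integrated_config(xml_text):
    """Return (unmigrated, aspnet_only) findings for a web.config."""
    root = ET.fromstring(xml_text)
    unmigrated = []
    # Entries left under system.web must move to system.webServer.
    for old, new in (("httpModules", "modules"), ("httpHandlers", "handlers")):
        for add in root.findall(f"system.web/{old}/add"):
            label = add.get("name") or add.get("path")
            unmigrated.append((f"system.web/{old}", f"system.webServer/{new}", label))
    # Modules gated by managedHandler run only for ASP.NET requests.
    aspnet_only = []
    for add in root.findall("system.webServer/modules/add"):
        conditions = [c.strip() for c in (add.get("preCondition") or "").split(",")]
        if "managedHandler" in conditions:
            aspnet_only.append(add.get("name"))
    return unmigrated, aspnet_only

if __name__ == "__main__":
    moved, gated = audit_integrated_config(SAMPLE_WEB_CONFIG)
    for src, dst, label in moved:
        print(f"move {label}: {src} -> {dst}")
    for name in gated:
        print(f"{name}: runs only for ASP.NET requests (managedHandler)")
```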
Better Management
Built in Remote Administration
• Use IIS Manager from XP, Vista, Windows Server 2003/2008
• No administration website required!
• Secure, firewall-friendly connection over HTTP/SSL
• Fully customizable
  • Supports auto-deployment of new Administration features from server->client
  • Can hide features remote user cannot edit
IIS 7 Configuration System
• Moved from Metabase.xml (and .bin) to Applicationhost.config
• File based configuration improves manageability
  • XML – integrate with XML readers and APIs
  • Config can be copied to other servers
  • Easier to read
  • Facilitates backup, restore and editing
• You now have choices about how to manage IIS configuration
  • Centralized Configuration
  • Delegated Administration
  • Shared Configuration
Configuration System: .NET + IIS7
[Diagram: configuration hierarchy. Machine.config (.NET global settings); .NET Framework global web.config (ASP.NET global settings); IIS 7 Applicationhost.config (global settings and location tags); site root Web.config for the Contoso.com root and Contoso.com \ Orders, containing <system.web> (.NET settings) and <system.webServer> (IIS7 delegated settings).]
Delegated Administration
• Delegate control to site owners
  • Site owners control designated settings without elevated server privileges
• Delegated settings written to Web.config files
  • Site and/or application level
  • Shared with ASP.NET configuration
  • XCopy deploy configuration and content
• Granular control over delegated settings allows precise locking
  • Example: Require Windows Authentication, but let the site owner turn Basic on or off.
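The locking example above, as an added Python sketch that is not part of the original deck: it reads the lock state from an applicationHost.config (overrideModeDefault on section declarations, overrideMode on location tags) and reports which sections a site owner's web.config sets even though they are locked. It assumes exact-match location paths and ignores path inheritance; both configuration samples are constructed and the function names are hypothetical.

```python
import xml.etree.ElementTree as ET

# Constructed applicationHost.config fragment: both authentication sections
# are locked by default, and Basic is unlocked for the site "Contoso.com".
APPHOST = """<configuration>
 <configSections><sectionGroup name="system.webServer">
  <sectionGroup name="security"><sectionGroup name="authentication">
   <section name="windowsAuthentication" overrideModeDefault="Deny" />
   <section name="basicAuthentication" overrideModeDefault="Deny" />
  </sectionGroup></sectionGroup>
 </sectionGroup></configSections>
 <location path="Contoso.com" overrideMode="Allow">
  <system.webServer><security><authentication>
   <basicAuthentication enabled="false" />
  </authentication></security></system.webServer>
 </location>
</configuration>"""

# Constructed site-owner web.config that tries to change both sections.
SITE_WEB_CONFIG = """<configuration>
 <system.webServer><security><authentication>
  <basicAuthentication enabled="true" />
  <windowsAuthentication enabled="false" />
 </authentication></security></system.webServer>
</configuration>"""

def _walk(node, prefix=""):
    """Yield (path, element) for each descendant, e.g. 'a/b/c'."""
    for child in node:
        path = prefix + (child.get("name") or child.tag)
        yield path, child
        yield from _walk(child, path + "/")

def delegation_for(apphost_xml, site):
    """Map each declared section to 'Allow' or 'Deny' for one site."""
    root = ET.fromstring(apphost_xml)
    modes = {p: e.get("overrideModeDefault", "Allow")
             for p, e in _walk(root.find("configSections")) if e.tag == "section"}
    for loc in root.findall("location"):
        mode = loc.get("overrideMode", "Inherit")
        if loc.get("path") == site and mode != "Inherit":
            modes.update({p: mode for p, _ in _walk(loc) if p in modes})
    return modes

def locked_sections_set(web_config_xml, modes):
    """Sections a site's web.config sets although they are locked (Deny)."""
    root = ET.fromstring(web_config_xml)
    return [p for p, _ in _walk(root) if modes.get(p) == "Deny"]
```

For the sample, the site owner's change to Basic is accepted while the attempt to disable Windows Authentication is reported as touching a locked section.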
Shared Configuration
• All web servers can share a single applicationhost.config
• Eliminates configuration replication in a web farm
• Easily stage and rollback config changes
• All administration tools are redirected to a common UNC path
• Does not replicate content
• First appearance in Longhorn Beta 3
Staging and Rollback
[Diagram: several IIS7 servers reading an XML AppHost.config from a UNC share that holds Version 1 and Version 2, with a new config being staged.]
Easily manage multiple configuration versions for staging and rollback
A lap around administration
demo
Automating IIS 7 Management
• APPCMD
  • General purpose command line tool
  • Query and control state, change settings, add sites and vdirs
• Managed Code API
  • Microsoft.Web.Administration
• WMI
  • Improved namespace for IIS7
• ADSI compatibility
• Powershell
  • use with Managed API and WMI
IIS7 Administration Tools
• simple cmd-line syntax
• powerful mgmt objects
• inline help & multiple outputs
Appcmd – Listing and Filtering
C:\> appcmd list sites
SITE "Default Web Site" (id:1,bindings:HTTP/*:80:,state:Started)
SITE "Site1" (id:2,bindings:http/*:81:,state:Started)
SITE "Site2" (id:3,bindings:http/*:82:,state:Stopped)
C:\> appcmd list requests
REQUEST "fb0000008000000e" (url:GET /wait.aspx?time=10000,time:4276 msec,client:localhost)
C:\> appcmd list requests /apppool.name:DefaultAppPool
C:\> appcmd list requests /wp.name:3567
C:\> appcmd list requests /site.id:1
Filter results by application pool, worker process, or site
Scripting: IIS6 WMI Provider
Create Site
Create Virtual Directory
Create Application
NOT CONSISTENT
Set oIIS = GetObject("winmgmts:root\MicrosoftIISv2")
' Create binding for new site
Set oBinding = oIIS.Get("ServerBinding").SpawnInstance_
oBinding.IP = ""
oBinding.Port = "80"
oBinding.Hostname = "www.site.com"
' Create site and extract site name from return value
Set oService = oIIS.Get("IIsWebService.Name='W3SVC'")
strSiteName = oService.CreateNewSite("NewSite", array(oBinding), "C:\inetpub\wwwroot")
Set objPath = CreateObject("WbemScripting.SWbemObjectPath")
objPath.Path = strSiteName
strSitePath = objPath.Keys.Item("")
Set oSite = oIIS.Get("IIsWebServer.Name='" & strSitePath & "'")
oSite.Start
' Create the vdir for our application
Set oVDirSetting = oIIS.Get("IIsWebVirtualDirSetting").SpawnInstance_
oVDirSetting.Name = strSitePath & "/ROOT/bar"
oVDirSetting.Path = "C:\inetpub\bar"
oVDirSetting.Put_
' Make the VDir an application
Set oVDir = oIIS.Get("IIsWebVirtualDir.Name='" & strSitePath & "/ROOT/bar'")
oVDir.AppCreate2
Scripting: new WMI Provider
Set oService = GetObject("winmgmts:root\WebAdministration")
' Create binding for site
Set oBinding = oService.Get("BindingElement").SpawnInstance_
oBinding.BindingInformation = "*:80:www.site.com"
oBinding.Protocol = "http"
' Create site
oService.Get("Site").Create _
    "NewSite", array(oBinding), "C:\inetpub\wwwroot"
' Create application
oService.Get("Application").Create _
    "/foo", "NewSite", "C:\inetpub\wwwroot\foo"
Static Create methods
CONSISTENT
Compatibility: ABO Mapper
Provides compatibility for:
• scripts
• command line tools
• native calls into ABO
Not installed by default
• Install IIS 6 Compatibility
Can only do what IIS6 could do…
• Can’t read/write new IIS properties
  • Application Pools: managedPipelineMode, managedRuntimeVersion
  • Request Filtering
  • Failed Request Tracing
• Can’t read/write ASP.NET properties
• Can’t read/write web.config files
• Can’t access new runtime data, e.g. worker processes, executing requests
[Diagram: IIS6 ADSI Script → IISADMIN → ABO Mapper → applicationHost.config]
Built in Request Tracing
Tracing and Diagnostics
• View Detailed Errors in the Browser
  • New errors provide prescriptive guidance
• Access Runtime State Info in Real-Time
  • New APIs expose all runtime diagnostic information
  • Ex. See all currently executing requests
• Rapidly Troubleshoot Faulty Applications
  • Rules define ‘failures’ that trigger a report of pipeline events
  • Define by http result code and/or time taken
  • Configurable per application or URL
  • Quickly identify bottlenecks
  • Developers can add custom events
Tracing and Diagnostics
demo
Summary: The ISV Opportunity
• Managed code everywhere
  • Integrated Pipeline
  • IIS 7 Managed module starter kit: http://www.iis.net/downloads/
• Add application specific UI to IIS Manager
  • http://www.iis.net/articles/view.aspx/IIS7/Extending-IIS7/Extending-IIS-Manager/How-to-Create-a-Simple-IIS-Manager-Module
• Simplified deployment, server farms
  • Xcopy of config files, shared config, appcmd
• Reduced surface area
• Manage with delegate administration
• Diagnose with built in / extensible tracing
• Provide high availability host for web services
http://IIS.net - new home for IIS Community!
• Go Live License available to public
• Download Center – Download IIS 7 Extensions such as new FTP server
• TechCenter to easily find the info you need
• Advice and assistance in Forums
• Walkthroughs, examples, and code samples
• Online labs – test IIS7 in your browser!
Best webcasts
http://www.microsoft.com/emea/itsshowtime/result_search.aspx?event=69
© 2007 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.
The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.
Changes from IIS 6
Deprecated
• NNTP
• IIS 5 Worker Process Isolation Mode
• FPSE (compatible alternative on IIS.net)
• Metabase.bin/Metabase.xml
• IUSR_<servername>, IWAM_<servername> and IIS_WPG
• POP3
• No administration website