DEP320 Deploying IIS 6.0 Tips and Tricks Vikas Malhotra Program Manager Internet Information Services


DEP320

Deploying IIS 6.0 Tips and Tricks

Vikas Malhotra

Program Manager

Internet Information Services

Agenda

Preparing for IIS 6 Deployments

Hints and Tips

Case Studies

Tools

IIS 6.0 Enhancements

Security: Secure by default; Secure by design; Secure in deployment

Reliability: Fault tolerant architecture; Health monitoring; Intelligent queuing

Scalability: Scale-up/scale-out; Kernel-mode caching; Integrated application platform

System Management: XML-based configuration; Command line administration; Remote administration

Preparing For IIS 6 Deployments

Planning for deployment

Prepare

IIS Deployment Guide: http://www.microsoft.com/windowsserver2003/technologies/webapp/

IIS Resource Kit

Inventory apps (ASP, ASP.NET, ISAPI, CGI)

Determine dependencies

Flag apps requiring special attention

Plan install process

Clean install: WP isolation mode

Upgrade: IIS 5 isolation mode

Benchmark: before and after

Upgrade Recommendations

After upgrading, document everything you did to get things working

E.g., enabling ISAPIs

Setting ACLs

Put box in production and monitor for 500 errors

Compare with known good box that’s not been upgraded

Helps identify anything to tweak on other boxes

IIS Tools

Shipping in IIS 6 ResKit

Delegated administration

Log parser: Search for data and patterns in IIS log files

Export data to SQL database

MBExplorer: RegEdit and MetaEdit-like tool for easy metabase access

Host helper service: Registers sites automatically with WINS and DNS

WCAT: Runs simulated workloads on client-server configurations

IIS 4/5 to IIS 6 migration

Apache to IIS migration

Out of band releases: URLscan

IIS 6 Resource Kit Tools

demo

Hints And Tips

‘First-time’ user tips

Web service extensions: ISAPIs are disabled by default

IIS UI shows Web Service Extensions first time

MIME maps: 404 returned if file doesn’t have MIME map entry

Can override behavior globally or at vdir level

Add “*,text/xml” MIME map

Careful! Overrides secure setting
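
The "monitor for 500 errors" step from the upgrade recommendations and the two first-time surprises above can both be checked from the W3C extended logs. The following is an added example, not part of the presentation: it compares 5xx responses per URI between an upgraded box and a known good box, and picks out the IIS 6.0 sub-status codes 404.2 (web service extension not enabled) and 404.3 (no MIME map entry). The function names and log lines are constructed for illustration.

```python
from collections import Counter

# IIS 6.0 sub-status codes produced by the locked-down defaults.
LOCKDOWN = {("404", "2"): "web service extension not enabled",
            ("404", "3"): "no MIME map entry"}

def parse_w3c(lines):
    """Yield one dict per request from W3C extended log lines."""
    fields = []
    for line in lines:
        line = line.strip()
        if line.startswith("#Fields:"):
            fields = line.split()[1:]          # column set can change mid-file
        elif line and not line.startswith("#"):
            values = line.split(" ")
            if len(values) == len(fields):     # skip truncated rows
                yield dict(zip(fields, values))

def summarize(lines):
    """Return request count, 5xx per URI, and lockdown 404s per URI."""
    total, errors, lockdown = 0, Counter(), Counter()
    for row in parse_w3c(lines):
        total += 1
        key = (row.get("sc-status", ""), row.get("sc-substatus", "0"))
        uri = row.get("cs-uri-stem", "-")
        if key[0].startswith("5"):
            errors[uri] += 1
        elif key in LOCKDOWN:
            lockdown[(uri, LOCKDOWN[key])] += 1
    return total, errors, lockdown

def regressions(upgraded, baseline):
    """URIs with a higher 5xx rate on the upgraded box than on the baseline."""
    up_total, up_err, _ = summarize(upgraded)
    base_total, base_err, _ = summarize(baseline)
    return sorted(uri for uri, n in up_err.items()
                  if n / up_total > base_err[uri] / max(base_total, 1))

# Constructed sample logs (not from the presentation).
UPGRADED = ["#Fields: date time cs-uri-stem sc-status sc-substatus",
            "2003-06-01 10:00:01 /default.asp 200 0",
            "2003-06-01 10:00:02 /shop/cart.asp 500 0",
            "2003-06-01 10:00:03 /scripts/legacy.dll 404 2",
            "2003-06-01 10:00:04 /data/feed.rss 404 3"]
BASELINE = ["#Fields: date time cs-uri-stem sc-status",  # older box: no sub-status
            "2003-06-01 10:00:01 /default.asp 200",
            "2003-06-01 10:00:02 /shop/cart.asp 200"]
```

A 404.2 or 404.3 entry points at a setting to document and review rather than at a missing file; each one is a candidate for enabling a specific extension or adding a specific MIME type instead of the wildcard map.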

ASP and ASP.NET tips

ASP.NET v1.1

May need to point existing Windows Server 2003 Framework applications to v1.0 bits

ASP.NET v1.0 only supports IIS 5 compatibility mode

ASP

Parent paths disabled by default

E.g., paths using ..\

Can override by setting AspEnableParentPaths

Security tips

Installing IIS on FAT

Some OEMs build machines first on FAT volumes, then convert to NTFS

Inherently insecure – no way to apply necessary ACLs if IIS is already installed

IIS displays warning message but user can continue

FPSE blocks installation on FAT

IE hardening may break some functionality

Functionality removed from local intranet zone (e.g., local UNC paths)

Remote administration tips

Supported scenarios

IIS 6 to IIS 6

IIS 6 to IIS 5.1, IIS 5 and IIS 4

Unsupported scenarios

IIS 4, IIS 5, IIS 5.1 to IIS 6

Can’t use Windows XP Pro to administer Windows Server 2003

Plans

Shipping IIS UI snap-in upgrade to XP SP2

FPSE tips

Fixed in Windows Server 2003

UNC webs

FPSE 2002 supports webs on remote file shares

Previous versions blocked configuring web on UNC path

Multiple front-end servers untested

Performance with IIS 6

App pool support

Extensions run in separate app pool but apps can be in their own app pool

FPSE tips

Improving multi-site security

Problem: FPSE permitted browsing other webs via NETWORK/INTERACTIVE ACE on virtual server root

Content viewable by FTP or FSO

Fix: Use group accounts to separate access

Enabled by regkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Shared Tools\Web Server Extensions\All Ports\anonusergroupprefix

Associate group account with specific virtual server: HKEY_LOCAL_MACHINE\Software\Microsoft\Shared Tools\Web Server Extensions\Ports\Port <instance number>\anonusergroup

FPSE tips

What to watch out for

Two versions of FPSE 2002

Download lacks functionality needed by IIS 6

Latest version installable by Configure Your Server

Dropped support for lightweight extensions

Upgrade from Windows 2000

Multiple vservers aren’t upgraded automatically

FPSE 2000 not supported

Removed WAIS search engine

Index Server is recommended replacement

Only local content searching supported

Improved indexing functionality in SP1

App Pool Tips

Configure app pools for each unique application or web site

Large apps with many pages

Different parts of app have different impacts on perf and resource use

Optimize by splitting app into multiple vdirs

Assign each vdir to its own app pool

AppPoolQueueLength

Sets size of HTTP request queue

4000 is default

Need more with more req/sec & slower bandwidth

Requests remain in NPP until final ACK received from client

Things to avoid

ISAPI filters using SF_NOTIFY_READ_RAW_DATA

Can’t run in worker process isolation mode

Use HSE_REQ_EXEC_URL instead to:

Rewrite URL

Modify request entity body

Call another ISAPI Extension

Problematic ISAPIs in IIS 6

Global filters

Singleton ISAPIs don’t scale well across multiple worker processes

ISAPIs that don’t play well with others

IISReset & reboots

Tools that kill/start IIS processes directly

Extensive metabase schema modifications

ADSI scripts

Supported for compatibility

Start using WMI

Things to work around

CDONTS doesn’t ship on Windows Server 2003

Replace references to use CDOSYS

Superset of CDONTS

Troubleshooting & tracing

Try orphaning bad worker process & set orphan action to launch AD+ or debugger

Use app pools to isolate bad apps

Case Studies

Case Study: Microsoft.com

In production with IIS 6.0 since RC1

100k current connections during the day

Over 470 million hits per day for www

Highest availability among peers in industry

No security failures

Top Domains

Source: KeyNote

Daily                | 30 Day History       | 90 Day History       | 2002 Year-To-Date
Rank Site   Avail. % | Rank Site   Avail. % | Rank Site   Avail. % | Rank Site   Avail. %
#1   MSFT   99.93    | #1   MSFT   99.87    | #1   MSFT   99.85    | #1   MSFT   99.79
2    Sun    99.80    | 2    Sun    99.85    | 2    Sun    99.75    | 2    MSN    99.59
2    Yahoo  99.80    | 3    Oracle 99.75    | 3    Oracle 99.76    | 3    Yahoo  99.53
3    Oracle 99.73    | 4    Yahoo  99.67    | 4    Yahoo  99.48    | 4    Sun    99.25
4    MSN    99.60    | 5    AOL    99.44    | 5    AOL    99.45    | 5    AOL    99.05
5    AOL    99.14    | 6    MSN    99.30    | 6    MSN    99.35    | 6    Oracle 94.75

Case Study: Qwest

Strategic decision to switch to XML Web services platform

Detailed case study available on http://ww.microsoft.com

Significant performance improvements for ASP.NET

At same CPU usage, approx 450 req/sec on IIS 5, 750 req/sec on IIS 6.0

Application pools used for process isolation

25 LOB apps per server

Reduced problems with debugging and rogue apps

Switching some apps from J2EE to ASP.NET

75% reduction in project cycle time

Case Study: Schlund (1 & 1)

Summer 2002 – Launched IIS 6 shared hosting

October 2002 – Launched service in UK

Benefits of IIS 6

Scalability/site density – 3000 IIS 6.0 sites per box

App pools – isolation from failures

Stability/reliability – iisreset not needed

Quote: “Microsoft FTP is rock solid!”

Next Steps

Plan your IIS 6 deployment or upgrade

‘Must-have’ upgrade for NT4/IIS 4 systems

Read whitepapers for unique scenarios

Upgrades and Migrations

Application Isolation and Consolidation

NAS/UNC-based content and multi-server farms

Find help from others in the IIS community

Ask The Experts

Get Your Questions Answered

I will be in the ATE after this session and throughout the week

Other Program Managers are here and will be also working in the ATE to help you out

Community Resources

IIS Community Portal: http://www.microsoft.com/windowsserver2003/community/centers/iis/

IIS Portal: http://www.microsoft.com/iis

IIS Newsgroups

Microsoft.public.inetserver.iis

Microsoft.public.inetserver.iis.ftp

Microsoft.public.inetserver.iis.security

Newsgroups: Converse online with Microsoft Newsgroups, including Worldwide

http://www.microsoft.com/communities/newsgroups/default.mspx

Community Resources: http://www.microsoft.com/communities/default.mspx

Most Valuable Professional (MVP): http://www.mvp.support.microsoft.com/

User Groups: Meet and learn with your peers

http://www.microsoft.com/communities/usergroups/default.mspx

evaluations

© 2003 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS SUMMARY.

Questions? Product Feedback?

[email protected]@microsoft.com
