
DEV232: IIS 7.0

Ronnie Saurenmann, Principal Architect, Microsoft Switzerland

IIS 6.0 Pillars: Let’s Review…

Scalability
• Scale-up/scale-out
• Kernel-mode caching
• Integrated application platform

System Management
• XML-based configuration
• Command line administration
• Remote administration

Reliability
• Fault tolerant architecture
• Health monitoring
• Intelligent queuing

Security
• Secure by default
• Secure by design
• Secure in deployment

To the Next Level, IIS 7.0 Pillars…

Config
• Distributed, delegatable configuration
• Rich Extensibility
• Integrated Configuration for Web Platform

System Management
• Innovative, Brand-new IIS Manager
• AppCmd.exe: Command line administration
• Http & Https Remote administration

Diagnostics
• Brand-new State API
• Easy-to-setup & Use Failed Request Tracing
• IIS & ASP.NET Integrated Diagnostics

Security
• Customized, Componentized Web Server
• Reduced management of Patches
• URLScan built-in Functionality

Extensibility
• Brand new Win32 API
• Integrated support for ASP.NET Modules

IIS 7.0: Secure, Reliable, Scalable

Security & IIS 7.0

• Custom, Componentized Web Server
• Reduce Patch Management
• Built-in URLScan

IIS7: Modularization

• Slim & Efficient
  • Install only the components you need
  • Reduce attack surface to minimum
  • Five times more granular than existing IIS versions
• Servicing and patching on a per component basis
  • If you don’t install it, you won’t need to patch it


Extensibility & IIS 7.0

• Internet Server API (ISAPI)
  • ISAPI Filters
  • ISAPI Extensions
• Pitfalls:
  • Big Learning Curve for new & experienced Developers
  • Lacks support for Managed Code Developers
  • Locked, static set of APIs not easily expanded from release to release

IIS6 Architecture

[Diagram: IIS 6 request pipeline. HTTP Request → Authentication (Basic, NTLM, Anon) → … → DetermineHandler (CGI, Static File, ISAPI) → … → Response Compression → Logging → HTTP Response]

• Monolithic server implementation
• Limited customization
• Fixed functionality
• Limited ISAPI Filter extensibility

IIS7 Architecture

[Diagram: IIS 7 request pipeline. HTTP Request → Authentication → Authorization → ResolveCache → … → DetermineHandler → ExecuteHandler → … → UpdateCache → SendResponse → HTTP Response]

• Componentized server
• Pluggable modular functionality
• Small generic request pipeline
• Enables
  • Lightweight servers
  • Custom / specialized servers

IIS6 ASP.NET Integration

[Diagram: the IIS 6 pipeline (HTTP Request → Authentication (Basic, NTLM, Anon) → … → DetermineHandler (CGI, Static File, ISAPI) → … → Compression → Log → SendResponse → HTTP Response) hands ASP.NET requests to aspnet_isapi.dll, which runs its own pipeline: Authentication (Forms, Windows) → MapHandler → … → ASPX → Trace → …]

• ISAPI Extension
• Only processes ASP.NET requests
• Runtime limitations
• Feature duplication

IIS7 ASP.NET Integration

• Two modes:
  • ISAPI (compat)
  • Integrated
• Integrated mode
  • .NET modules plug directly into server
  • Process all requests
  • Full runtime fidelity

[Diagram: in integrated mode the managed modules (Authentication, MapHandler, …, Compression, Log) sit in the single IIS pipeline instead of behind aspnet_isapi.dll]

Forms authentication


Handler

• Reacts on Requests
• Responsible for building HTTP Response
• Implements IHttpHandler
• Configured in <httpHandlers> in web.config
• ASPX pages implement IHttpHandler

Jpg Handler

Module

• Implements IHttpModule
• Registers for Pipeline Events in Init
• Called for each request
• Configured in <httpModules> in web.config
• Many ASP.NET features are implemented as Modules
  • Authentication & Authorization
  • Caching
  • Profile

Pipeline Events

Step/Event                  Detail
BeginRequest
AuthenticateRequest¹        Identify user
AuthorizeRequest¹           Check access
ResolveRequestCache¹        Output cache loaded
MapRequestHandler¹²         Handler created
AcquireRequestState¹        Session loaded
PreRequestHandlerExecute
ExecuteHandler²             IHttpHandler.ProcessRequest executed
PostRequestHandlerExecute
ReleaseRequestState¹        Session saved
UpdateRequestCache¹         Output cache updated
EndRequest

¹ indicates Post event as well (e.g. PostAuthenticateRequest)
² indicates a step in the processing without an event
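The module slide and the event table above describe the hooks; as an added example (not code from the DEV232 deck), here is an IHttpModule that registers for those events in Init and reports how long each stage of the request took. The class name is illustrative; in IIS 7 integrated mode it is registered under <system.webServer><modules>, whereas <httpModules> is the classic (ISAPI) mode location.

```csharp
using System;
using System.Collections.Generic;
using System.Diagnostics;
using System.Web;

// Added example, not from the DEV232 slides: an IHttpModule that timestamps the pipeline
// events listed in the table above and reports how long each stage took. Class name is
// illustrative; in IIS 7 integrated mode register it under <system.webServer><modules>.
public class StageTimingModule : IHttpModule
{
    private const string ItemsKey = "StageTimingModule.Marks"; // per-request storage key

    public void Init(HttpApplication app)
    {
        // Subscribe in pipeline order; each handler records when that stage was reached.
        app.BeginRequest += (s, e) => Mark(s, "BeginRequest");
        app.AuthenticateRequest += (s, e) => Mark(s, "AuthenticateRequest");
        app.AuthorizeRequest += (s, e) => Mark(s, "AuthorizeRequest");
        app.ResolveRequestCache += (s, e) => Mark(s, "ResolveRequestCache");
        app.PostMapRequestHandler += (s, e) => Mark(s, "PostMapRequestHandler");
        app.AcquireRequestState += (s, e) => Mark(s, "AcquireRequestState");
        app.PreRequestHandlerExecute += (s, e) => Mark(s, "PreRequestHandlerExecute");
        app.PostRequestHandlerExecute += (s, e) => Mark(s, "PostRequestHandlerExecute");
        app.ReleaseRequestState += (s, e) => Mark(s, "ReleaseRequestState");
        app.UpdateRequestCache += (s, e) => Mark(s, "UpdateRequestCache");
        app.EndRequest += OnEndRequest;
    }

    private static List<KeyValuePair<string, long>> Marks(HttpContext ctx)
    {
        var marks = ctx.Items[ItemsKey] as List<KeyValuePair<string, long>>;
        if (marks == null)
        {
            marks = new List<KeyValuePair<string, long>>();
            ctx.Items[ItemsKey] = marks;
        }
        return marks;
    }

    private static void Mark(object sender, string stage)
    {
        HttpContext ctx = ((HttpApplication)sender).Context;
        Marks(ctx).Add(new KeyValuePair<string, long>(stage, Stopwatch.GetTimestamp()));
    }

    private static void OnEndRequest(object sender, EventArgs e)
    {
        Mark(sender, "EndRequest");
        HttpContext ctx = ((HttpApplication)sender).Context;
        var marks = Marks(ctx);

        // The gap between two consecutive marks is the cost of whatever ran in between:
        // AuthenticateRequest -> AuthorizeRequest is the authentication modules,
        // PreRequestHandlerExecute -> PostRequestHandlerExecute is IHttpHandler.ProcessRequest.
        for (int i = 1; i < marks.Count; i++)
        {
            double ms = (marks[i].Value - marks[i - 1].Value) * 1000.0 / Stopwatch.Frequency;
            // Goes to the ASP.NET page trace (trace.axd when <trace enabled="true"/> is set).
            ctx.Trace.Write("StageTiming",
                string.Format("{0} -> {1}: {2:F2} ms", marks[i - 1].Key, marks[i].Key, ms));
        }
    }

    public void Dispose() { }
}
```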

Broken image and URL rewriting

Brand New Configuration in IIS 7.0

• Distributed Configuration for IIS & ASP.NET

• Fully non-administrative delegation

• IIS & ASP.NET Configuration: Side-by-Side

• Metabase: Going, going, … GONE!
• Old metabase pushed to new configuration
  • Property names stay the same
• Central File: ApplicationHost.config
  • Strongly typed Schema
  • Uses ASP.NET semantics for .config files
• Full Distributed Configuration
  • Use only ApplicationHost.config using IIS 7 defaults
  • Unlock: Give application developers control of individual sections, collections, elements, and more!
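Unlocking is a per-section decision, and the sections that matter for security (authentication, handler mappings) should stay locked so a web.config shipped with the content cannot weaken them. As an added example (not code from the DEV232 deck), the following uses the Microsoft.Web.Administration API to set the override mode per site in applicationHost.config; the site name and the section lists are illustrative choices.

```csharp
using System;
using Microsoft.Web.Administration;

// Added example, not from the DEV232 slides: decide per site which configuration
// sections application developers may override in their own web.config, using the
// Microsoft.Web.Administration API. Site name and section choices are illustrative.
public static class DelegationPolicy
{
    // Sections a site owner may safely manage in web.config.
    private static readonly string[] Delegated =
    {
        "system.webServer/defaultDocument",
        "system.webServer/httpErrors",
    };

    // Sections that must stay under administrator control: a web.config inside the
    // site must not be able to switch off authentication or widen handler mappings.
    private static readonly string[] Locked =
    {
        "system.webServer/security/authentication/anonymousAuthentication",
        "system.webServer/security/authentication/windowsAuthentication",
        "system.webServer/handlers",
    };

    public static void Apply(string siteName)
    {
        using (ServerManager manager = new ServerManager())
        {
            Configuration appHost = manager.GetApplicationHostConfiguration();

            foreach (string path in Delegated)
            {
                // Roughly what: appcmd unlock config "<site>" /section:<path> does
                ConfigurationSection section = appHost.GetSection(path, siteName);
                section.OverrideMode = OverrideMode.Allow;
            }
            foreach (string path in Locked)
            {
                // Written as <location path="<site>" overrideMode="Deny"> in applicationHost.config
                ConfigurationSection section = appHost.GetSection(path, siteName);
                section.OverrideMode = OverrideMode.Deny;
            }

            manager.CommitChanges();
        }
    }

    // Report the effective lock state so the policy can be audited on every farm node.
    public static void Audit(string siteName)
    {
        using (ServerManager manager = new ServerManager())
        {
            Configuration appHost = manager.GetApplicationHostConfiguration();
            foreach (string path in Locked)
            {
                ConfigurationSection section = appHost.GetSection(path, siteName);
                Console.WriteLine("{0}: {1}", path, section.OverrideModeEffective);
            }
        }
    }
}
```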

Windows Vista & IIS 7

[Diagram: ApplicationHost.config at the top (Windows Administrators Only); Website 1 Root and Website 2 Root each with their own web.config (Site Administrators); Application 1 Root and Application 2 Root each with their own web.config (AppAdmins)]

Configuration Layout

[Diagram: root configuration files. machine.config and root web.config (.NET Framework, ASP.NET) together with applicationHost.config (IIS) are inherited by the site and application web.config files (IIS + ASP.NET + .NET Framework) … Inheritance …]

• Delegation of config settings to Developers

• XCopy deployment of configuration along with content

• Single configuration API for the entire Web Platform

• Clean, well schematized configuration files

• Rich extensibility

Configuration extensibility

Managing your IIS 7.0 Systems

• Brand new User Interface – IIS Manager

• Completely re-built WMI Provider

• Next generation Command-line administration using AppCmd.exe

• Fully compatible system with IIS 6.0 ADSI & WMI


New IIS7 Manager

• Remotes over HTTP, making it firewall friendly (Note: Remote management is not installed by default)
• Supports delegated management of sites and applications by non-admins
• Provides managed extensibility for customization

UI extensibility

Efficient Server Administration: Command-line Admin w/AppCmd.exe

• AppCmd.exe offers quick, efficient access to new IIS 7 configuration
• Mirrors *.vbs files from IIS 6.0
• Built-in “pipe” support

    C:\> appcmd list sites
    SITE "Default Web Site" (id:1,bindings:HTTP/*:80:,state:Started)
    SITE "Site1" (id:2,bindings:http/*:81:,state:Started)
    SITE "Site2" (id:3,bindings:http/*:82:,state:Stopped)

    C:\> appcmd list requests
    REQUEST "fb0000008000000e" (url:GET /wait.aspx?time=10000,time:4276 msec,client:localhost)

AppCmd.exe

Troubleshooting & Diagnostics in IIS 7.0

• Real-time state information available to Administrators & Developers
• Powerful Failed Request Tracing
• Extensive Custom Errors
• New, in-process state information available
  • Current processes running
  • Application Pools Process Id (PID)
  • Currently executing requests
  • AppDomains loaded
• Real-time starting & stopping of sites


Currently executing requests

Microsoft.Web.Administration

• First managed code API for administering IIS
• Same objects and functionality as WMI, appcmd
• What about System.Configuration?
  • System.Configuration:
    • Strongly typed ASP.NET and .NET Framework config
  • Microsoft.Web.Administration:
    • Weakly typed IIS, ASP.NET, and .NET Framework config
    • Strongly typed IIS objects like Sites and Application Pools

Managed currently executing requests using LINQ
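The "currently executing requests" state that appcmd list requests prints is also reachable from managed code. As an added example (not the deck's demo code), this uses Microsoft.Web.Administration plus LINQ to list in-flight requests across all worker processes and to group the long-running ones by the module holding them; the 5 second threshold passed by the caller is an illustrative choice.

```csharp
using System;
using System.Linq;
using Microsoft.Web.Administration;

// Added example, not from the DEV232 slides: list currently executing requests across
// all worker processes with Microsoft.Web.Administration and LINQ, and flag the slow
// ones. The slowAfterMs threshold is whatever the caller considers long-running.
public static class RunningRequests
{
    public static void Report(int slowAfterMs)
    {
        using (ServerManager manager = new ServerManager())
        {
            // WorkerProcesses is the live w3wp.exe list; GetRequests(0) returns every request
            // in flight, GetRequests(n) only those executing for at least n milliseconds.
            var inFlight = (
                from wp in manager.WorkerProcesses
                from req in wp.GetRequests(0)
                orderby req.TimeElapsed descending
                select new
                {
                    wp.AppPoolName,
                    Pid = wp.ProcessId,
                    req.RequestId,
                    req.Verb,
                    req.Url,
                    req.ClientIPAddr,
                    req.TimeElapsed,      // milliseconds, same figure appcmd list requests shows
                    req.CurrentModule,    // module currently holding the request
                    req.PipelineState     // pipeline stage, e.g. ExecuteRequestHandler
                }).ToList();

            foreach (var r in inFlight)
            {
                Console.WriteLine("{0} pid {1} {2} {3} {4} {5} ms in {6}/{7} from {8}{9}",
                    r.AppPoolName, r.Pid, r.RequestId, r.Verb, r.Url, r.TimeElapsed,
                    r.PipelineState, r.CurrentModule, r.ClientIPAddr,
                    r.TimeElapsed >= slowAfterMs ? "  <-- slow" : "");
            }

            // Requests stuck in one module for a long time are the Failed Request Tracing
            // candidates; group them so a misbehaving module or pool stands out.
            var stuckByModule = inFlight
                .Where(r => r.TimeElapsed >= slowAfterMs)
                .GroupBy(r => r.CurrentModule)
                .Select(g => new { Module = g.Key, Count = g.Count() });

            foreach (var g in stuckByModule)
                Console.WriteLine("{0}: {1} slow request(s)", g.Module, g.Count);
        }
    }
}
```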

Troubleshooting & Diagnostics in IIS 7.0: FREB

• Coolest feature of ‘em all…
  • Failed Request Tracing traces all requests through IIS pipeline
  • Automatically enabled on IIS 7
  • Easily identifies requests that are stuck, or failing
  • Identifies time taken in each module, helping analyze long running requests

[Diagram: trace of one request through the pipeline: Begin Request → Read Metadata → Authenticate → Authorize → Cached → ISAPI Filter → Determine Handler]

FREB + .NET tracing integration

• Real-time server state information
• Control APIs for managing state
• Detailed event trace events across web platform stack
• Automatic event trace logging on error conditions
• Extensibility for adding traces to application code


Output caching

Web Farm: Life Before IIS 7.0

[Diagram: three servers, each with its own Metabase.XML. 1. Configure master server → 2. Replicate config → 3. Change configuration → 4. Re-replicate config]

Replication and synchronization are challenging, requiring custom code

New IIS 7.0 Improvements

What’s new for Web farm administrators …

• Ability to share configuration between servers

• Shared config removes need for synchronization

• Computer-independent configuration

• Distributed config down to the application level

• Xcopy deploy an application or entire server

• Manage local or remote apps using IIS Manager

• Detailed error messages show the user account being used for authentication to the Universal Naming Convention (UNC) share

Portability

[Diagram: App Deployment. The Site Owner copy-deploys the application together with its AppHost.config (XML) over the Internet to the server]

Quickly deploy an entire site from the dev computer to the server

Replication and Synchronization

[Diagram: Shared App Hosting. Several nodes read one SharedConfig AppHost.config (XML)]

Configuration is shared between multiple nodes, just stays in sync

Staging and Rollback

[Diagram: Staging New Config. AppHost.config Version 1 and Version 2 side by side]

Easily manage multiple configuration versions for staging and rollback


Shared config

Content Replication

• To achieve high fail-over and scalability:
  • Store content on a back-end file server, not on the front-ends
  • Use Distributed File System Replication (DFSR) to replicate content between remote file servers
• Changes in Windows Server® 2008 to Server Message Block (SMB) …
  • Enable greater number of connections
  • No more setting MaxCmds/MaxMpt registry

Shared Config and Offline Files

• When to use?
  • If you want to ensure front-ends use a cached copy of applicationHost.config when file share is down
• Pros
  • Quick, easy to use
  • Ensures simple scenario availability
• Cons
  • Changes to config aren’t replicated until file share is back online

Shared Config and Windows Clustering

• When to use?
  • Uptime is critical and you need to ensure config is always available
• Pros
  • Great solution for content and config
  • Config is always up-to-date
  • Relatively easy to configure
• Cons
  • Needs AD
  • Needs dedicated, certified hardware

Shared Config and DFS

• When to use?
  • Uptime is critical and you need to ensure config is always available
• Pros
  • Great solution for content and config
  • Config is always up-to-date
  • Relatively easy to configure
• Cons
  • More work to set up than offline files
  • Needs AD

Best Practices

• Before you enable shared config!
  • Make sure that all the servers have the same components installed
  • Verify on each computer using Role Manager or registry query
• Before you install a new component!
  • If it writes to the applicationHost.config, you can’t install it with shared config enabled
  • Take a server offline and update separately
• Best practice to configure servers as needed before enabling shared config


Questions—Outages

• What happens if the file server with the config goes down, but the Web servers are still up?
  • Config will be cached in memory. If the Web service is restarted, it will report invalid config.
  • Mitigation: Use a redundant solution like DFSR for both content and configuration
• How do we cache config on each local computer?
  • Use offline files, or client-side caching, just for the shared config files
  • Files are copied locally and used until file server is back online

Questions—Performance

• What is the impact to performance when any server changes are made to the farm?
  • Changes are written to the shared config. If you change a global setting, all active worker processes will restart.
  • Mitigation: Perform global changes during non-peak times
  • Note: Only global-level changes cause the restart, changes to individual pools/sites will only affect that pool/site
• Does using shared config cause less throughput for sites?
  • Not a significant decrease and the IIS team is recommending it for Web farms

More Questions

• What if I have a different IP address on each node (I’m not using a single, virtual IP–like Network Load Balancing [NLB])?
  • Configure multiple bindings for each site
• Does the new, out-of-band FTP server work with shared config?
  • Yes! But per the best practices, you need to either install it prior to enabling shared config … or you need to stage the deployment one node at a time.

WAS – Windows Process Activation Services

• IIS <7 knows only HTTP Requests
• IIS7 can be extended through Listener Adapter
  • Out of the box we ship with TCP, MSMQ and NamedPipes
  • Used by WCF

[Diagram: Service.svc hosted in w3wp.exe, activated by WAS through the http, tcp, pipes and msmq listener adapters]

WCF WAS TCP/Binary

IIS 7 Compression (gzip)

• Save bandwidth
  • But cost more CPU
• Static (.htm) compression is enabled by default
• You can enable it for ASP.NET content
  • Easier with IIS 7.0 through UI
• On the fly compression shutoff/resume depending on CPU load
  • system.webServer/httpCompression section
  • dynamicCompressionDisableCpuUsage
  • dynamicCompressionEnableCpuUsage


gzip
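The two CPU thresholds from the compression slide only behave sensibly when the resume value sits below the shutoff value. As an added example (not code from the DEV232 deck), this reads and sets them in the system.webServer/httpCompression section through Microsoft.Web.Administration and rejects inverted pairs; the threshold values passed by the caller are illustrative, not the IIS defaults.

```csharp
using System;
using Microsoft.Web.Administration;

// Added example, not from the DEV232 slides: read and adjust the CPU thresholds that
// make IIS 7 stop and resume dynamic compression (system.webServer/httpCompression).
// The values the caller passes are illustrative choices, not the IIS defaults.
public static class CompressionThrottle
{
    public static void Configure(int disableAtCpuPercent, int resumeAtCpuPercent)
    {
        // The resume threshold must be below the shutoff threshold, otherwise compression
        // never switches back on after a CPU spike (equal) or flaps (inverted).
        if (disableAtCpuPercent < 0 || disableAtCpuPercent > 100 ||
            resumeAtCpuPercent < 0 || resumeAtCpuPercent >= disableAtCpuPercent)
        {
            throw new ArgumentException("resume threshold must be lower than the shutoff threshold; both in 0..100");
        }

        using (ServerManager manager = new ServerManager())
        {
            Configuration appHost = manager.GetApplicationHostConfiguration();
            ConfigurationSection compression = appHost.GetSection("system.webServer/httpCompression");

            Console.WriteLine("before: shut off at {0}% CPU, resume at {1}% CPU",
                compression["dynamicCompressionDisableCpuUsage"],
                compression["dynamicCompressionEnableCpuUsage"]);

            // Above this CPU load IIS stops compressing dynamic (e.g. ASP.NET) responses ...
            compression["dynamicCompressionDisableCpuUsage"] = disableAtCpuPercent;
            // ... and resumes compressing once the load has fallen back under this one.
            compression["dynamicCompressionEnableCpuUsage"] = resumeAtCpuPercent;

            manager.CommitChanges();
        }
    }
}
```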

IIS 7 Extensibility
• Maximum extensibility
• Native & Managed Code support
• Platform extensibility in Core Server, WMI, User Interface, and Diagnostics

Putting it all Together… Summary

IIS 7.0: Security, Reliability, Scalable, Extensible, Config, System Management, Diagnostic

IIS 7 Management
• IIS Manager rebuilt from ground up
• Built in delegation support
• Support Windows & non-Windows accounts
• Remote admin support
• Fully extensible

IIS 7 Security:
• Very strong customized web servers
• Lightweight processes for minimum footprint
• Strong Request Filtering to push URLScan into product

IIS 7 Diagnostics
• Real-time state information exposed via script & managed code
• View currently executing requests in IIS Manager or Script
• Failed Request Tracing: Zero-repro diagnostics

IIS 7 Configuration
• Metabase… GONE!
• Strongly Schematized Configuration
• Distributed & Delegation built directly into new configuration
• Full support for previous versions usage of ABO

TechDays'08 – The Launch Event

• Major Swiss Launch-Event (Windows Server 2008, Visual Studio 2008, SQL Server 2008)
• 1’200 customers and 20 associated companies on site
• 2 days, 50 sessions with international top-speakers
• 5 tracks for IT Pros, Developers & Software-Architects
• Final software of all 3 Launch-products for every participant
• Big Launch-Party
• 2 Days-Pass: CHF 490.– (VAT included)

19.-20. March 2008, St. Jakobshalle, Basel

IIS’s new home for the community…

© 2008 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS SUMMARY.