IIS Manager has built in remote administration capabilities Terminal Services or Admin web site not...
Remote Administration
• IIS Manager has built in remote administration capabilities
• Terminal Services or Admin web site not required
• Clients are IIS Manager from XP, 2003, Vista and Longhorn
• Custom addins are downloaded to remote
• Uses the WMSVC service (Windows Service)
• Requires Management Service be installed in Server Manager
Remote Service by WMSVC
• Enable in the IIS Manager
• Turned off by default
• Essentially a web application running on a standalone server
• Runs as Local Service (NT Service\WMSVC)
  • If using UNC content, you need to run as an identity with UNC access
• Startup is set to Manual; change to automatic to enable on reboot:
  sc config WMSVC start= auto
• Enforces HTTPS
Remote Configuration Options
• Type of User (Windows or IIS Manager)
• Connections
  • Can be bound to a specific IP
  • Configurable port for listening; set to 8172 by default
  • When connecting specify port using <machine>:<port> (e.g. myserver:5050)
• Logging can be turned on/off and log directory can be modified
• Certificate for SSL is preinstalled
• IP and Domain restrictions
  • Ability to restrict connections to specific IP addresses/domains
  • Ability to block specific IP addresses/domains
Log files
• Logs all HTTP connections to the WMSvc service
• Logs stored at: <os drive>:\inetpub\logs\wmsvc
• Useful for auditing
• W3SVC log file format
• Service errors visible in event viewer (eventvwr.exe)
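The WMSvc log described above is the audit trail for every remote-administration connection. The Python below is an added example, not part of the deck: it parses a constructed W3C-format log (the /service.axd request path and every row are invented for the demo) and reports which account connected from which client, which clients fall outside the ranges the IP restrictions are meant to allow, and which addresses produced repeated 401s.

```python
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed sample of a WMSvc log in W3C extended format (the format the deck
# names), not a capture from a real server. Request path and rows are invented.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 7.0
#Fields: date time s-ip cs-method cs-uri-stem s-port cs-username c-ip sc-status
2007-05-01 09:12:01 10.0.0.5 POST /service.axd 8172 - 10.0.0.20 401
2007-05-01 09:12:02 10.0.0.5 POST /service.axd 8172 CONTOSO\\webadmin 10.0.0.20 200
2007-05-01 09:15:44 10.0.0.5 POST /service.axd 8172 siteowner1 10.0.0.21 200
2007-05-01 11:02:10 10.0.0.5 POST /service.axd 8172 - 198.51.100.7 401
2007-05-01 11:02:11 10.0.0.5 POST /service.axd 8172 - 198.51.100.7 401
2007-05-01 11:02:12 10.0.0.5 POST /service.axd 8172 - 198.51.100.7 401
"""

def parse_w3c(text):
    """Yield one dict per request, keyed by the names in the #Fields directive."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#"):
            if fields is None:
                raise ValueError("data line before #Fields directive")
            values = line.split()
            if len(values) != len(fields):
                raise ValueError("field count mismatch: " + line)
            yield dict(zip(fields, values))

def audit(text, allowed_networks, max_failures=3):
    """Summarise remote-admin activity: which account connected from which
    client, clients outside the ranges the IP restrictions should allow, and
    addresses with repeated 401s (one 401 before a 200 is a normal challenge)."""
    allowed = [ip_network(n) for n in allowed_networks]
    by_user, failures, outside = Counter(), Counter(), set()
    for rec in parse_w3c(text):
        client = ip_address(rec["c-ip"])
        if rec["cs-username"] != "-":
            by_user[(rec["cs-username"], rec["c-ip"])] += 1
        if rec["sc-status"] == "401":
            failures[rec["c-ip"]] += 1
        if not any(client in net for net in allowed):
            outside.add(rec["c-ip"])
    return {
        "by_user": dict(by_user),
        "outside_allowlist": sorted(outside),
        "repeated_failures": sorted(ip for ip, n in failures.items() if n >= max_failures),
    }

if __name__ == "__main__":
    for key, value in audit(SAMPLE_LOG, ["10.0.0.0/24"]).items():
        print(key, value)
```

Point the script at the real files under <os drive>:\inetpub\logs\wmsvc and pass the ranges configured in the IP and Domain restrictions to see whether the restrictions actually held.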
Control is Scoped to Role
• Administrators: control entire web server remotely
• Non-administrators:
  • Identity stored as Windows Users or “IIS Manager Users”
  • Control of sites/applications: developers, site owners, application owners
• Administrator decides what the user can view/change with Feature Delegation
Connecting Remotely
• Only Administrator can connect to server node
  • Can see all settings and connect to other nodes
  • Does not need explicit permissions
  • If Remote Administration is enabled, a server administrator can log in.
• Non-admins can connect to sites and apps
  • Explicit permission required
  • Content can be ACL’d for greater security
Remote IIS Manager Users
• Created in the IIS Manager
• Only used by WMSVC and Admin UI; not used by any other IIS components
• DOES NOT map to Windows users
• Stored in administration.config by default
• Uses an IIS Authentication Provider; the provider can be replaced by a custom authentication provider, e.g. one which stores authentication info in SQL Server.
• Only used for site/application connections
Authorizing Users for Remote Administration (demo)
• Creating IIS Manager Users
• Site/Application Permissions
• Authorizing Access
• Connecting to Sites
Remote Admin and Delegation
• Remote users can only edit delegated features
• Changes are written to web.config
• Most features shown by default
• Non-delegated features can be hidden from remote user
• Allows creation of custom UI for remote users
Connection Scope and Config

Connection Scope   Users who can connect                                      Configuration (where config changes go)
Server             Windows Administrators                                     applicationHost.config
Site               Windows Administrators, Windows Users, IIS Manager Users   web.config
Application        Windows Administrators, Windows Users, IIS Manager Users   web.config
Life Before IIS7
(Diagram: a master IIS6 server and several IIS6 farm members, each with its own Metabase.XML)
1. Configure master server
2. Replicate config (copy Metabase.XML to each server)
3. Change configuration
4. Re-replicate config
Replication and synchronization are challenging, requiring custom code
Shared Configuration
• Designed for web farm scenario from the start
• Multiple servers share a single configuration file
• UNC share is created for master config
• When configured, servers direct config requests to share location
• A local or domain user is specified as identity for remote access
Shared Config Setup
• Export Settings using IIS Manager Shared Config feature
• Create identical local user [Configuser] on all web servers (or use a domain account)
• Assign user the right “Log on as a batch job”
• Create a share for config files
  • Share permissions are [Configuser] Change
  • ACLs are [Configuser] Read
• Place config files in UNC path
• Edit redirection.config
Staging and Rollback
(Diagram: several IIS7 servers read AppHost.config from a UNC share that holds Version 1 and Version 2; staging new config switches the servers to the new version)
Easily manage multiple configuration versions for staging and rollback
Shared Config Limits
• Designed to work in homogeneous farm
• Must properly stage and replicate
  • Adding new components to IIS
  • Extending IIS7 configuration
• Shared configuration solves one of several web farm issues
  • Replication tool to be released near RTM
  • MOM pack for web server monitoring
Tips and Tricks
When You Xcopy applicationHost.config
• Export the machine keys for encryption
• Ensure server configuration is identical
• Custom modules exist on all servers
When You Use Code to Enable Shared Configuration
• Export the machine keys
• Copy configuration files to a share
• Edit redirection.config to enable
When You Install Global Filters, Modules or IIS Components
• Remove a server from the farm to test
• Add any local dependencies BEFORE you change the shared config!
Code to Enable Shared Config (JScript, run with cscript)

var config = WScript.CreateObject("Microsoft.ApplicationHost.WritableAdminManager");
// Write to redirection.config rather than applicationHost.config
config.CommitPath = "MACHINE/REDIRECTION";
var section = config.GetAdminSection("configurationRedirection", "MACHINE/REDIRECTION");
section.Properties.Item("enabled").Value = true;
// UNC path of the shared configuration folder
section.Properties.Item("path").Value = "\\\\somemachine\\share\\folder";
// Account (e.g. the [Configuser] from the setup slide) that can read the share
section.Properties.Item("userName").Value = "user";
section.Properties.Item("password").Value = "pass";
config.CommitChanges();
Automating IIS 7 Administration
• ADSI: IIS 6 compatibility
• APPCMD: general purpose command line utility
• WMI: improved for Longhorn and IIS7
• Microsoft.Web.Administration: managed API to control state and configuration
• PowerShell: use with Microsoft.Web.Administration and WMI
Scripting: IIS6 WMI Provider
Callouts: Create Site / Create Virtual Directory / Create Application: NOT CONSISTENT (each object is created through a different pattern)

Set oIIS = GetObject("winmgmts:root\MicrosoftIISv2")

' Create binding for new site
Set oBinding = oIIS.Get("ServerBinding").SpawnInstance_
oBinding.IP = ""
oBinding.Port = "80"
oBinding.Hostname = "www.site.com"

' Create site and extract site name from return value
Set oService = oIIS.Get("IIsWebService.Name='W3SVC'")
strSiteName = oService.CreateNewSite("NewSite", array(oBinding), "C:\inetpub\wwwroot")
Set objPath = CreateObject("WbemScripting.SWbemObjectPath")
objPath.Path = strSiteName
strSitePath = objPath.Keys.Item("")
Set oSite = oIIS.Get("IIsWebServer.Name='" & strSitePath & "'")
oSite.Start

' Create the vdir for our application
Set oVDirSetting = oIIS.Get("IIsWebVirtualDirSetting").SpawnInstance_
oVDirSetting.Name = strSitePath & "/ROOT/bar"
oVDirSetting.Path = "C:\inetpub\bar"
oVDirSetting.Put_

' Make the VDir an application (AppMode 2 = pooled process)
Set oVDir = oIIS.Get("IIsWebVirtualDir.Name='" & strSitePath & "/ROOT/bar'")
oVDir.AppCreate2 2
Scripting: new WMI Provider
Callout: static Create methods: CONSISTENT

Set oService = GetObject("winmgmts:root\WebAdministration")

' Create binding for site
Set oBinding = oService.Get("BindingElement").SpawnInstance_
oBinding.BindingInformation = "*:80:www.site.com"
oBinding.Protocol = "http"

' Create site
oService.Get("Site").Create _
    "NewSite", array(oBinding), "C:\inetpub\wwwroot"

' Create application
oService.Get("Application").Create _
    "/foo", "NewSite", "C:\inetpub\wwwroot\foo"
Coding: Microsoft.Web.Administration

using System;
using Microsoft.Web.Administration;

ServerManager iisManager = new ServerManager();
// Enumerate running worker processes and the requests currently executing in each
foreach (WorkerProcess w3wp in iisManager.WorkerProcesses)
{
    Console.WriteLine("W3WP ({0})", w3wp.ProcessId);
    // 0 = no minimum elapsed-time filter, so every in-flight request is listed
    foreach (Request request in w3wp.GetRequests(0))
    {
        Console.WriteLine("{0} - {1},{2},{3}",
            request.Url, request.ClientIPAddr, request.TimeElapsed, request.TimeInState);
    }
}
Compatibility: ABO Mapper
• Provides compatibility for: scripts, command line tools, native calls into ABO
• Not installed by default; install IIS 6 Compatibility
• Can only do what IIS6 could do…
  • Can’t read/write new IIS properties
    • Application Pools: managedPipelineMode, managedRuntimeVersion
    • Request Filtering
    • Failed Request Tracing
  • Can’t read/write ASP.NET properties
  • Can’t read/write web.config files
  • Can’t access new runtime data, e.g. worker processes, executing requests
(Diagram: IIS6 ADSI Script -> IISADMIN -> ABOMapper -> applicationHost.config)
Summary
• Remote Administration
  • Built in remote administration
  • Access is scoped to roles and delegation
  • Use HTTPS to connect to remote servers
  • Choice of client operating systems
• Shared Configuration for web farms
• Automated administration tasks with
  • WMI: for enterprise wide management
  • APPCMD: local, general purpose
  • Microsoft.Web.Administration: integrate into deployment and management programs
  • ADSI: IIS6 compat
© 2006 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.
Replicating applicationHost.config
• Will cause all application pools to recycle:
  • changes to default settings for all application pools
  • changes to the <globalModules> list
• Will cause one application pool to recycle:
  • application pool settings
• Use only RSA machine-encryption (default), replicate RSA machine key
  http://msdn2.microsoft.com/en-us/library/yxw286t2(VS.80).aspx
• Gotchas:
  • Machine specific data, like IP addresses or drive letters
  • Servers must have same set of modules installed (reference to non-existent module in <globalModules> causes 503's)
  • Assemblies in GAC, certificates, COM+ and other local items
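The "When You Xcopy applicationHost.config" tips and the gotchas above come down to one pre-flight check before a copy of applicationHost.config is pushed to another farm member. The Python below is an added example, not Microsoft's code: it runs that check over a constructed applicationHost.config fragment (module names, paths and bindings are invented) and reports globalModules the target does not have, bindings pinned to one machine's IP address, and physical paths on a local drive letter.

```python
import re
import xml.etree.ElementTree as ET

# Constructed applicationHost.config fragment (not a real server's file); element
# and attribute names follow the IIS 7 schema, the values are invented.
SAMPLE_CONFIG = """\
<configuration>
  <system.webServer>
    <globalModules>
      <add name="StaticFileModule" image="%windir%\\System32\\inetsrv\\static.dll" />
      <add name="CustomAuditModule" image="D:\\modules\\audit.dll" />
    </globalModules>
  </system.webServer>
  <system.applicationHost>
    <sites>
      <site name="NewSite" id="1">
        <application path="/">
          <virtualDirectory path="/" physicalPath="\\\\fileserver\\content\\NewSite" />
          <virtualDirectory path="/bar" physicalPath="C:\\inetpub\\bar" />
        </application>
        <bindings>
          <binding protocol="http" bindingInformation="10.0.0.5:80:www.site.com" />
          <binding protocol="https" bindingInformation="*:443:" />
        </bindings>
      </site>
    </sites>
  </system.applicationHost>
</configuration>
"""

def check_replication(xml_text, installed_modules):
    """Return (kind, subject, detail) findings for content that will not survive
    an xcopy to another farm member: globalModules the target lacks (503s),
    bindings pinned to one machine's IP, and physical paths on a local drive."""
    root = ET.fromstring(xml_text)
    findings = []
    for gm in root.iter("globalModules"):
        for add in gm.findall("add"):
            if add.get("name") not in installed_modules:
                findings.append(("missing-module", add.get("name"), add.get("image")))
    for binding in root.iter("binding"):
        info = binding.get("bindingInformation", "")
        ip = info.split(":")[0]
        if ip not in ("", "*"):   # "*" binds all addresses and replicates cleanly
            findings.append(("machine-specific-ip", ip, info))
    for vdir in root.iter("virtualDirectory"):
        path = vdir.get("physicalPath", "")
        if re.match(r"^[A-Za-z]:\\", path):   # UNC paths (\\server\share) pass
            findings.append(("local-drive-path", vdir.get("path"), path))
    return findings
```

Pass the set of module names installed on the target server as installed_modules; an empty result means the file has no machine-specific content of the three kinds the slide warns about.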