8/9/2019 WEEK 2 IIS 7
MSc. Carlos Peña
TERM 2014-II Module: 1 Unit: 1 Week: 2
e-BUSINESS TECHNOLOGY
-
IIS 7: The Administrator’s Guide
-
IIS6 Request Processing
[Diagram: request pipeline stages Authentication (Anon, NTLM, Basic), Determine Handler (CGI, Static File, ISAPI: ASP.NET, PHP, …), Send Response (Log, Compress)]
Monolithic implementation: install all or nothing…
Extend server functionality only through ISAPI…
-
IIS7 Request Processing
[Diagram: modules (Anon, NTLM, Basic, CGI, Static File, ISAPI, Log, Compress, …) plugged into pipeline stages Authentication, Authorization, ResolveCache, ExecuteHandler, UpdateCache, SendResponse, …]
Server functionality is split into ~40 modules...
Modules plug into a generic request pipeline…
Modules extend server functionality through a public module API.
-
Many, Many Modules
Install, manage, and patch only the modules you use…
• Reduces attack surface
• Reduces in-memory footprint
• Provides fine-grained control
… replace core server components with custom components…
-
Consistently install the same set of modules…
Avoid:
  – 503 “Service Unavailable”
    [module is enabled but not installed]
  – Application doesn’t work as expected
    [web.config references a module that isn’t installed]
    [unexpected module conflicts with custom module]
-
IIS6 ASP.NET Integration
• Runtime limitations
• Only sees ASP.NET requests
• Feature duplication
[Diagram: IIS6 pipeline (Authentication: Anon, NTLM, Basic; Determine Handler: CGI, Static File, ISAPI; Send Response: Log, Compress) with aspnet_isapi.dll running its own stages behind ISAPI: Authentication (Forms, Windows), Map Handler (ASPX, Trace, …), …]
-
Replicate Content and Config
• Main IIS configuration file (applicationHost.config)
  – Built-in “IUSR” account, no more machine-specific SIDs
  – Simple file copy, no command line tools required
  – …watch for machine-specific data like IPs and drive letters
• IIS config in web.config, XCOPY with application
-
Centralize Content and Config
• IIS config in web.config, centralize on file server
• File System:
  – Client Side Caching (CSC)
    • provides a local disk cache
  – Distributed File System Replication (DFSR)
    • abstracts multiple file servers to one share name
    • provides content replication
-
Configuration moves to .config files…
• Configure IIS and ASP.NET properties in the same file
• Use locking to provide delegation
• Built for simple, schema-based extensibility
… welcome to a world of xcopy deployment…
-
Configuration Layout
[Diagram: root configuration files machine.config (.NET Framework), root web.config (ASP.NET) and applicationHost.config (IIS); web.config files (IIS + ASP.NET + .NET Framework); Inheritance…]
-
Configuration Delegation
• Delegation is:
  – Configuration locking, “overrideMode”
  – ACLs on configuration files
• By default…
  – All IIS sections locked except:
    • Default Document
    • Directory Browsing
    • HTTP Header
    • HTTP Redirects
  – All .NET Framework / ASP.NET sections are unlocked
-
Determine your configuration lockdown policy…
  – Be conservative at first
  – Unlock as necessary (locking later could break apps)
-
Compatibility: ABO Mapper
• Provides compatibility for:
  – scripts
  – command line tools
  – native calls into ABO
• Not installed by default
• Can only do what IIS6 could do…
  – Can’t read/write new IIS properties
    • Application Pools: managedPipelineMode, managedRuntimeVersion
    • Request Filtering
    • Failed Request Tracing
  – Can’t read/write ASP.NET properties
  – Can’t read/write web.config files
  – Can’t access new runtime data, e.g. worker processes, executing requests
[Diagram: IIS6 ADSI Script, ABO Mapper, IISADMIN, applicationHost.config]
-
Management Tools
• Manage IIS and ASP.NET
• View enhanced runtime data
  – worker processes, appdomains, executing requests
• Manage delegation
• Use whichever management tool suits your needs…
    GUI: IIS Manager
    Command Line: appcmd
    Script: WMI (root\WebAdministration)
    Managed Code: Microsoft.Web.Administration
-
IIS Manager
• Remotes over HTTP, making it firewall friendly (remoting is not installed by default)
• Provides managed extensibility
• Supports non-admin management of sites and applications
-
Educate end users who publish their application and use IIS Manager to configure it…
Scenario:
  – User publishes application
  – User changes app’s web.config using IIS Manager
  – User copies updated web.config to his local version of the application
  – Several days later, user re-publishes application
** modifications made to the app’s web.config using IIS Manager have just been blown away **
-
Scripting: IIS6 WMI Provider
Set oIIS = GetObject("winmgmts:root\MicrosoftIISv2")

' Create binding for new site
Set oBinding = oIIS.Get("ServerBinding").SpawnInstance_
oBinding.IP = ""
oBinding.Port = "80"
oBinding.Hostname = "www.site.com"

' Create site and extract site name from return value
Set oService = oIIS.Get("IIsWebService.Name='W3SVC'")
strSiteName = oService.CreateNewSite("NewSite", Array(oBinding), "C:\inetpub\wwwroot")

Set objPath = CreateObject("WbemScripting.SWbemObjectPath")
objPath.Path = strSiteName
strSitePath = objPath.Keys.Item("")

Set oSite = oIIS.Get("IIsWebServer.Name='" & strSitePath & "'")
oSite.Start

' Create the vdir for our application
Set oVDirSetting = oIIS.Get("IIsWebVirtualDirSetting").SpawnInstance_
oVDirSetting.Name = strSitePath & "/ROOT/bar"
oVDirSetting.Path = "C:\inetpub\bar"
oVDirSetting.Put_

' Make the VDir an application
Set oVDir = oIIS.Get("IIsWebVirtualDir.Name='" & strSitePath & "/ROOT/bar'")
oVDir.AppCreate2 1

Callouts: Create Site (CreateNewSite), Create Virtual Directory (SpawnInstance_, Put_), Create Application (AppCreate2): NOT CONSISTENT
-
Scripting: new WMI Provider
Set oService = GetObject("winmgmts:root\WebAdministration")

' Create binding for site
Set oBinding = oService.Get("BindingElement").SpawnInstance_
oBinding.BindingInformation = "*:80:www.site.com"
oBinding.Protocol = "http"

' Create site
oService.Get("Site").Create _
    "NewSite", Array(oBinding), "C:\inetpub\wwwroot"

' Create application
oService.Get("Application").Create _
    "/foo", "NewSite", "C:\inetpub\wwwroot\foo"

Callout: static Create methods: CONSISTENT
-
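Coding: Microsoft.Web.Administration
using System;
using Microsoft.Web.Administration;

// List every worker process and the requests it is currently executing
ServerManager iisManager = new ServerManager();
foreach (WorkerProcess w3wp in iisManager.WorkerProcesses) {
    Console.WriteLine("W3WP ({0})", w3wp.ProcessId);
    // 0 = no minimum elapsed time, so all in-flight requests are returned
    foreach (Request request in w3wp.GetRequests(0)) {
        Console.WriteLine("{0} - {1},{2},{3}",
            request.Url,
            request.ClientIPAddr,
            request.TimeElapsed,
            request.TimeInState);
    }
}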
-
New Troubleshooting Features
• Detailed custom errors, just like ASP.NET
• Failed Request Tracing
  – No more ETW tracing and waiting for a repro…
• New runtime data:
  – worker processes
  – appdomains
  – currently executing requests
-
Failed Request Tracing
• No-repro tracing for “failed requests”
• Configure custom failure definitions per URL
  – Time taken
  – Status/substatus codes
  – Error level
• Persist failure log files
• Will it tell me what’s wrong?
  – Sometimes… for example, ACL issues
  – Look for clues
• Can use for all requests to see what’s going on
-
Summary
Troubleshoot…
  – Use: Detailed Errors, Failed Request Tracing, Currently Executing requests
Manage…
  – Manage IIS and ASP.NET through the same tools
  – Use ABO Mapper compatibility (not installed by default)
  – Determine configuration lockdown policy
Deploy…
  – ~40 modules, install only what you need
  – Migrate to ASP.NET Integrated Mode
  – Easier centralization/replication
-
New home for IIS Community!
• TechCenter to easily find the info you need
• Advice and assistance in Forums
• Insider info on new technology (IIS7!)
  – Online labs, play with IIS7 in your browser
-
Some upcoming IIS sessions…
Today
3:15 – 4:30 Chalktalk: Configuration Management of Web Platform
Tomorrow
8:30 – 9:45 IIS 7: Under the Hood for Web Request Tracing
10:15 – 11:30 Chalktalk: Using Managed Code to Administer IIS 7
1:00 – 2:15 Chalktalk: Introducing the New and Improved IIS Manager in IIS 7
2:45 – 4:00 IIS 6: Effective Management of Web Farms
4:30 – 5:45 IIS 6: Everything the Web Administrator Needs to Know about MOM
Wednesday
8:30 – 9:45 Chalktalk: Extending the IIS Manager Tool in IIS 7
2:00 – 3:15 Chalktalk: IIS 6.0 Security: Setting the Record Straight
4:45 – 5:00 Chalktalk: IIS and Microsoft.com Operations: Migrating IIS 6.0 to 64 bit
5:30 – 6:45 Chalktalk: IIS 7 Q&A
-
Fill out a session evaluation on CommNet and win an XBOX 360!
-
Additional Information
-
Installation Options
• Lots of components
• Static server by default
• [client] Use Windows Features
• Replaces sysocmgr
• File format is completely different
• [client] Pick components, cannot set configuration
-
Install, Migration, Upgrade
• Install log: \Windows\IIS7.log
• Uninstall
  – Stop services to avoid a reboot
  – Deletes configuration files, backup before uninstall
• Migration: none for Vista, LH Server TBD…
• Upgrade
  – All web and/or FTP components are installed, uninstall unnecessary components afterwards…
  – Application pools will be ISAPI mode, configured for no managed code => all ASP.NET requests will fail
-
ASP.NET: Migration
• Application Pools
  – ASP.NET Integrated mode by default
  – Configure to load a specific version of the .NET Framework
• Integrated Mode
  – Different server environment for some pipeline notifications
    • e.g. request is not authenticated for BeginRequest
  – Handler and module configuration integrated with IIS
    • system.webServer/handlers, system.webServer/modules
  – Validation warns on httpHandlers, httpModules, or identity config
  – Remove “managedHandler” precondition on an ASP.NET module to have it execute for all content
• ISAPI Mode
  – Can’t configure HTTP handlers and modules from the UI
-
Replicating applicationHost.config
• Will cause all application pools to recycle:
  – changes to default settings for all application pools
  – changes to the list
• Will cause one application pool to recycle:
  – application pool settings
• Use only RSA machine-encryption (default), replicate RSA machine key
  – http://msdn2.microsoft.com/en-us/library/yxw286t2(VS.80).aspx
• Gotchas:
  – Machine specific data, like IP addresses or drive letters
  – Servers must have same set of modules installed (reference to non-existent module in causes 503s)
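Added example (not part of the original slides): a Python check for the module gotcha above and for the earlier "module is enabled but not installed" 503 case. It reports native modules enabled in <modules> without a <globalModules> registration and diffs installed modules between two servers; both config fragments are constructed sample data.

```python
import xml.etree.ElementTree as ET

# Constructed applicationHost.config fragments for two farm members
# (illustrative sample data, not taken from the slides).
SERVER_A = """<configuration><system.webServer>
  <globalModules>
    <add name="StaticFileModule" image="static.dll" />
    <add name="RequestFilteringModule" image="modrqflt.dll" />
  </globalModules>
  <modules>
    <add name="StaticFileModule" />
    <add name="RequestFilteringModule" />
    <add name="FormsAuthentication" type="System.Web.Security.FormsAuthenticationModule" />
  </modules>
</system.webServer></configuration>"""

# Server B was built without Request Filtering, then received A's <modules> list.
SERVER_B = SERVER_A.replace(
    '<add name="RequestFilteringModule" image="modrqflt.dll" />', "")

def module_sets(config_xml):
    """Return (installed native modules, enabled native modules)."""
    root = ET.fromstring(config_xml)
    installed = {a.get("name") for g in root.iter("globalModules")
                 for a in g.findall("add")}
    # Entries with a type= attribute are managed modules; they are not
    # registered in <globalModules>, so they are excluded from the check.
    enabled = {a.get("name") for m in root.iter("modules")
               for a in m.findall("add") if a.get("type") is None}
    return installed, enabled

def enabled_but_not_installed(config_xml):
    """Native modules enabled in <modules> with no <globalModules> entry."""
    installed, enabled = module_sets(config_xml)
    return sorted(enabled - installed)

def install_drift(config_a, config_b):
    """Installed-module differences between two servers' configs."""
    a, _ = module_sets(config_a)
    b, _ = module_sets(config_b)
    return {"only_a": sorted(a - b), "only_b": sorted(b - a)}

if __name__ == "__main__":
    print("A:", enabled_but_not_installed(SERVER_A))
    print("B:", enabled_but_not_installed(SERVER_B))
    print("drift:", install_drift(SERVER_A, SERVER_B))
```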
-
Configuration Delegation
• Two kinds of configuration locking:
  – overrideMode (similar to "allowOverride")
  – granular locking, e.g. lockItem, lockElements
• By default…
  – All IIS sections locked (overrideMode=“Deny”) except:
    • Default Document, Directory Browsing, HTTP Header, HTTP Redirects, Validation
  – All .NET Framework / ASP.NET sections are unlocked
• Determine your configuration lockdown policy
  – be conservative at first
  – unlock as necessary (locking later could break apps)
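Added example (not part of the original slides): a Python audit for the lockdown policy described here and on the earlier Configuration Delegation slide. It lists sections that applicationHost.config unlocks, through overrideModeDefault or a <location overrideMode="Allow"> tag, beyond an approved set; the approved section names and the sample config are assumptions made for this example.

```python
import xml.etree.ElementTree as ET

# Policy; assumption: section names behind the slide's four unlocked features.
APPROVED = {"system.webServer/defaultDocument", "system.webServer/directoryBrowse",
            "system.webServer/httpProtocol", "system.webServer/httpRedirect"}

# Constructed applicationHost.config excerpt (sample data, not from the slides).
SAMPLE = """<configuration>
  <configSections>
    <sectionGroup name="system.webServer">
      <section name="defaultDocument" overrideModeDefault="Allow" />
      <section name="handlers" overrideModeDefault="Deny" />
      <sectionGroup name="security">
        <section name="requestFiltering" overrideModeDefault="Allow" />
      </sectionGroup>
    </sectionGroup>
  </configSections>
  <location path="Default Web Site/shop" overrideMode="Allow">
    <system.webServer><handlers /></system.webServer>
  </location>
</configuration>"""

def declared(node, prefix=""):
    """Yield (section path, overrideModeDefault); a missing value counts as Allow."""
    for child in node:
        path = prefix + child.get("name", "")
        if child.tag == "sectionGroup":
            yield from declared(child, path + "/")
        elif child.tag == "section":
            yield path, child.get("overrideModeDefault", "Allow")

def sections_under(node, known, prefix=""):
    """Yield declared section paths that appear beneath a <location> tag."""
    for child in node:
        path = prefix + child.tag
        if path in known:
            yield path
        else:
            yield from sections_under(child, known, path + "/")

def unapproved_delegation(config_xml, approved=APPROVED):
    """Return sorted (scope, section) pairs unlocked outside the policy."""
    root = ET.fromstring(config_xml)
    modes = dict(declared(root.find("configSections")))
    found = {("*", p) for p, m in modes.items() if m == "Allow"}
    for loc in root.iter("location"):
        if loc.get("overrideMode") == "Allow":
            found |= {(loc.get("path", ""), p) for p in sections_under(loc, modes)}
    return sorted(f for f in found if f[1] not in approved)
```

Scope "*" marks a server-wide default; any other scope is the path of the <location> tag that unlocked the section.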
-
Configuration Schema
• Use the schema file to see all config settings:
  %windir%\system32\inetsrv\config\schema\IIS_schema.xml
• Schema describes:
  – property types
  – default values
  – validation
  – encrypted by default?
Note: config is case sensitive
-
Appcmd – Viewing Config Schema
C:\> appcmd list config /section:? | findstr system.webServer
system.webServer/globalModules
system.webServer/serverSideInclude
system.webServer/httpTracing
...
[Callout: IIS sections – also try “system.web” and “system.applicationHost”]

C:\> appcmd list config /section:directoryBrowse

C:\> appcmd list config /section:directoryBrowse /config:*
[Callout: shows attributes that aren’t set explicitly]

C:\> appcmd list config /section:directoryBrowse /text:*
CONFIG
  CONFIG.SECTION: system.webServer/directoryBrowse
  path: MACHINE/WEBROOT/APPHOST
  overrideMode: Inherit
  [system.webServer/directoryBrowse]
    enabled:"true"
    showFlags:"Extension, Size, Time, Date"
-
Coding: Microsoft.Web.Administration
• First managed code API for administering IIS
  – Same objects and functionality as WMI, appcmd
• What about System.Configuration?
  – System.Configuration:
    • Strongly typed ASP.NET and .NET Framework config
  – Microsoft.Web.Administration:
    • Weakly typed IIS, ASP.NET, and .NET Framework config
    • Strongly typed IIS objects like Sites and Application Pools
-
THANK YOU