DEV232
IIS 7.0: End to End Overview
Thomas Deml
Lead Program Manager
Internet Information Services
Microsoft Corporation
Today’s Agenda…
• IIS 6.0 Pillars: Let’s review…
• To the next level, IIS 7.0 Pillars
• Security & IIS 7.0
• Extensibility: What to know
• Brand new Configuration
• Managing your IIS 7.0 Systems
• Troubleshooting & Diagnostics
• Summary
IIS 6.0 Pillars: Let’s Review…
Security
• Secure by default
• Secure by design
• Secure in deployment
Reliability
• Fault tolerant architecture
• Health monitoring
• Intelligent queuing
Scalability
• Scale-up/scale-out
• Kernel-mode caching
• Integrated application platform
System Management
• XML-based configuration
• Command line administration
• Remote administration
To the Next Level, IIS 7.0 Pillars…
Security
• Customized, Componentized Web Server
• Reduced management of Patches
• URLScan built-in Functionality
Extensibility
• Brand new Win32 API
• Integrated support for ASP.NET Modules
Config
• Distributed, delegatable configuration
• Rich Extensibility
• Integrated Configuration for Web Platform
System Management
• Innovative, Brand-new IIS Manager
• AppCmd.exe: Command line administration
• Http & Https Remote administration
Diagnostics
• Brand-new State API
• Easy-to-setup & Use Failed Request Tracing
• IIS & ASP.NET Integrated Diagnostics
[Diagram labels: IIS 7.0; Secure; Reliable; Scalability]
Security & IIS 7.0
• Custom, Componentized Web Server
• Reduce Patch Management
• Built-in URLScan
A View of the Past
IIS 5.1 Setup Components
FTP Service
Admin Tool
WWW Service
Scripts Directory
Remote Desktop ActiveX
Printers Virtual Directory
FrontPage 2000 Srv Ext
Common Files
A Modular View of the Future
IIS 7’s 40 Setup Components
Security
• BasicAuthModule
• DigestAuthModule
• WindowsAuthModule
• CertificateAuthModule
• AnonymousAuthModule
• IPSecurityModule
• UrlAuthorizationModule
• RequestFilteringModule
Application Development
• NetFxExtensibility
• ISAPIModule
• ISAPIFilterModule
• CGIModule
• ServerSideIncludeModule
• ASP
• ASP.NET
Health and Diagnostics
• HttpLoggingModule
• CustomLoggingModule
• RequestMonitorModule
• HTTPTracingModule
• ODBCLogging
• LoggingLibraries
FTP Publishing
• FTP Server
• FTP Management
Performance
• Static Compression
• Dynamic Compression
Management
• ManagementConsole
• ManagementScripting
• ManagementService
• Metabase
• WMICompatibility
• LegacyScripts
• LegacySnap-in
Common HTTP Web Server Components
• StaticFileModule
• HttpRedirect
• DefaultDocumentModule
• DirectoryListingModule
• CustomErrorModule
Windows Process Activation Service
• ProcessModel
• NetFxEnvironment
• ConfigurationAPI
IIS7: Modularization
Security & IIS 7.0
• Slim & Efficient
• Install only the components you need
• Reduce attack surface to minimum
• Five times more granular than existing IIS versions
• Servicing and patching on a per component basis
• If you don’t install it, you won’t need to patch it
Extensibility in IIS 7.0
• A review: Extensibility in IIS 6
• Re-built Core Server with new Win32 API
• Full IIS Pipeline support for ASP.NET 2.0
Extensibility & IIS 7.0
• Internet Server API (ISAPI)
  • ISAPI Filters
  • ISAPI Extensions
• Pitfalls:
  • Big Learning Curve for new & experienced Developers
  • Lacks support for Managed Code Developers
  • Locked, static set of APIs not easily expanded from release to release
Extensibility in IIS7
IIS 6’s “Request Pipeline”
[Diagram: IIS 6 request pipeline. Labels: http.sys; w3svc; w3wp.exe; ISAPI Filter Notifications (pre-proc headers, url map, auth’c req, log, end net session); pipeline stages (url map, authentication, determine handler, custom errors, compression, logging); handlers (cgi, static file, ISAPI exts); aspnet_isapi.dll with IHttpModule Events (begin req, auth’c req, auth’z req, resolve cache, handler map, handler exec, rel req state, update req cache, end req) and IHttpHandlers (Trace.axd, PageHandler)]
Extensibility in IIS7
The New Merged IIS7 Pipeline
[Diagram: the merged IIS7 pipeline. Labels: http.sys; was; pipeline stages (begin, authenticate, authorize, resolve cache, map handler, acquire state, pre-execute handler, execute handler, release state, update cache, log, end); native modules (basic auth, digest auth, windows auth); managed modules, IHttpModule (forms auth, url auth’z, role mgr); Native Handler (static file, isapi ext); IHttpHandler (*.aspx, trace.axd)]
Extending IIS7
Extensibility & IIS 7.0
• Core Server
  • Brand new Win32 Native Interface
  • ALL IIS modules written using this interface
  • Unlike ISAPI, IIS team uses this very API just like you will
• Full ASP.NET 2.0 Support
  • IHttpModule interface available today is supported
  • ASP.NET 2.0 Handlers run exactly as they do today
• Configuration
  • Fully extensible using XML schema files
• IIS Manager (User Interface)
  • Using .NET 2.0, extend IIS Manager capabilities
• Diagnostics
  • Add your events directly into our pipeline
Brand New Configuration in IIS 7.0
• Distributed Configuration for IIS & ASP.NET
• Fully non-administrative delegation
• IIS & ASP.NET Configuration: Side-by-Side
Configuration & IIS 7.0
• Metabase: Going, going, … GONE!
• Old metabase pushed to new configuration
• Central File: ApplicationHost.config
• Property names stay the same
• Strongly typed Schema
• Uses ASP.NET semantics for .config files
• Full Distributed Configuration
• Use only ApplicationHost.config using IIS 7 defaults
• Unlock: Give application developers control of individual sections, collections, elements, and more!
Configuration & IIS 7.0
• Metabase Inheritance
  • Repetitive
  • Large collections of Multistrings (multi-sz) & Flags
• IIS 7 Distributed Configuration
  • Clear actions: Add, Remove, Clear, etc.
  • Only modify what you don’t want inherited
<!-- Metabase.xml file -->
<IIsWebService
    Location ="/LM/W3SVC"
    ScriptMaps=".asp,D:\WINDOWS\system32\inetsrv\asp.dll,5,GET,HEAD,POST,TRACE
        .idc,D:\WINDOWS\system32\inetsrv\httpodbc.dll,5,GET,POST
        .shtml,D:\WINDOWS\system32\inetsrv\ssinc.dll,5,GET,POST"
    … (other properties here)
>
</IIsWebService>

<IIsWebVirtualDir Location ="/LM/W3SVC/1/ROOT"
    ScriptMaps=".asp,D:\WINDOWS\system32\inetsrv\asp.dll,5,GET,HEAD,POST,TRACE
        .idc,D:\WINDOWS\system32\inetsrv\httpodbc.dll,5,GET,POST
        .shtml,D:\WINDOWS\system32\inetsrv\ssinc.dll,5,GET,POST
        .aspx,D:\WINDOWS\Microsoft.NET\Framework\v2.0.x86chk\aspnet_isapi.dll,1,GET,HEAD,POST,DEBUG"
    … (other properties here)
>
</IIsWebVirtualDir>

<!-- ApplicationHost.config -->
<handlers>
    <add path="*.asp"
         modules="Asp"
         checkPathInfo="true"
         verb="GET,HEAD,POST" />
    <add path="*.stm"
         modules="ServerSideIncludeModule"
         checkPathInfo="true"
         verb="GET,POST" />
    <add path="*.exe"
         modules="CGIModule"
         checkPathInfo="true"
         verb="GET,POST" />
</handlers>

<!-- Web.Config in Application Root -->
<handlers>
    <add path="*.aspx"
         modules="aspnet"
         checkPathInfo="false"
         verb="GET,POST" />
</handlers>
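
The add/remove/clear inheritance described above, as an added example that is not from the original presentation: a simplified Python model of how a web.config handlers section is applied on top of what it inherits from ApplicationHost.config. The sample XML is constructed, and keying entries on the path attribute is an assumption taken from the slide's listing.

```python
import xml.etree.ElementTree as ET

# Constructed samples. Attribute names follow the slide's listing; keying the
# collection on "path" is an assumption of this sketch.
APPLICATION_HOST = """
<handlers>
  <add path="*.asp" modules="Asp" verb="GET,HEAD,POST" />
  <add path="*.stm" modules="ServerSideIncludeModule" verb="GET,POST" />
  <add path="*.exe" modules="CGIModule" verb="GET,POST" />
</handlers>"""

WEB_CONFIG = """
<handlers>
  <remove path="*.exe" />
  <add path="*.aspx" modules="aspnet" verb="GET,POST" />
</handlers>"""

LOCKED_DOWN = """
<handlers>
  <clear />
  <add path="*.aspx" modules="aspnet" verb="GET,POST" />
</handlers>"""


def merge_handlers(inherited, child_xml, key="path"):
    """Apply a child's add/remove/clear directives, in document order,
    to the handler collection inherited from the parent level."""
    effective = dict(inherited)          # never mutate the parent's view
    for el in ET.fromstring(child_xml):
        if el.tag == "clear":
            effective.clear()            # drop everything inherited so far
        elif el.tag == "remove":
            effective.pop(el.get(key), None)
        elif el.tag == "add":
            if el.get(key) in effective:
                raise ValueError(f"duplicate collection entry: {el.get(key)}")
            effective[el.get(key)] = dict(el.attrib)
        else:
            raise ValueError(f"unexpected directive <{el.tag}>")
    return effective


def effective_handlers(*levels):
    """Resolve the server level first, then each nested web.config."""
    result = {}
    for xml_text in levels:
        result = merge_handlers(result, xml_text)
    return result
```

Calling effective_handlers(APPLICATION_HOST, WEB_CONFIG) shows what an application actually serves after it removes the inherited *.exe CGI mapping, which is the view to review when handler sections are delegated.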
Configuration & IIS 7.0
[Diagram: Windows Vista & IIS 7 configuration hierarchy. ApplicationHost.config: Windows Administrators Only. web.config in Website 1 Root and Website 2 Root: Site Administrators. web.config in Application 1 Root and Application 2 Root: App Admins]
Delegated Control, Distributed Configuration and Output Caching
Configuration & IIS 7.0
• Delegation of config settings to Developers
• XCopy deployment of configuration along with content
• Single configuration API for the entire Web Platform
• Clean, well schematized configuration files
• Rich extensibility
Managing your IIS 7.0 Systems
• Brand new User Interface – IIS Manager
• Completely re-built WMI Provider
• Next generation Command-line administration using AppCmd.exe
• Fully compatible system with IIS 6.0 ADSI & WMI
System Management & IIS 7.0: User Interface
• Wizards that fully-complete common tasks
• Fully delegable support to Windows/Non-Windows accounts
• Enhanced support for common ASP.NET configuration
• Wizard-based support for IIS Troubleshooting features
Efficient Server Administration
Command-line Admin w/AppCmd.exe
• AppCmd.exe offers quick access to new IIS 7 configuration

C:\>appcmd list sites
SITE "Default Web Site" (id:1,bindings:HTTP/*:80:,state:Started)
SITE "Site1" (id:2,bindings:http/*:81:,state:Started)
SITE "Site2" (id:3,bindings:http/*:82:,state:Stopped)

C:\>appcmd list requests
REQUEST "fb0000008000000e" (url:GET /wait.aspx?time=10000,time:4276 msec,client:localhost)

• Quick, efficient access to new IIS 7 configuration
• Mirrors *.vbs files from IIS 6.0
• Built-in “pipe” support
Command-line Administration with APPCMD
System Management & IIS 7.0: Compatibility
• WMIv2 & ADSI Support
  • Existing Scripts will “just work”
  • Installing Metabase support is easy
  • Low-level interface to “reroute” Admin Base Object (ABO) calls to new configuration
  • Relies on the Inetinfo.exe service being present and loaded
System Management & IIS 7.0
• Delegated management of sites and applications using IIS Manager
• Remote management over HTTP/S
• Support for Windows and non-Windows credentials
• AppCmd.exe offers direct, command-line access to brand-new configuration
• Complete extensibility across IIS Manager, WMI
• Full backwards compatibility with Metabase support
Troubleshooting in IIS 7.0
• Real-time state information available to Administrators & Developers
• Powerful Failed Request Tracing
• Extensive Custom Errors
Troubleshooting & Diagnostics in IIS 7.0: RSCA
• New, in-process state information available
  • Current processes running
  • Application Pools Process Id (PID)
  • Currently executing requests
  • AppDomains loaded
  • Real-time starting & stopping of sites
Troubleshooting & Diagnostics in IIS 7.0: FREB
• Coolest feature of ‘em all…
  • Failed Request Tracing traces all requests through IIS pipeline
  • Automatically enabled on IIS 7
  • Easily identifies requests that are stuck, or failing
  • Identifies time taken in each module, helping analyze long running requests
[Diagram: traced pipeline stages: Begin Request, Read Metadata, Authenticate, Authorize, Cached, ISAPI Filter, Determine Handler]
Troubleshooting & Diagnostics in IIS 7.0: Custom Errors
• Re-built Custom Errors
  • Language specific (Accept-Encoding)
  • Experience different for external clients than “Localhost”
  • Detailed information
    • Time
    • URL
    • Current Module
    • Response Status, Sub-Status
    • More Information (i.e. Steps to fix problem)
IIS7: Locating Failures
Troubleshooting & Diagnostics in IIS 7.0
• Real-time server state information
• Control APIs for managing state
• Detailed event trace events across web platform stack
• Automatic event trace logging on error conditions
• Extensibility for adding traces to application code
Putting it all Together…Summary
[Diagram: IIS 7.0 with its pillars: Security, Extensibility, Config, System Management, Diagnostic; Extensible, Scalable, Reliability]
Security
• Very customized web servers
• Lightweight for minimum footprint
• Strong Request Filtering: URLScan built directly into product
Extensibility
• Maximum extensibility
• Native & Managed Code support
• Platform extensibility in IIS Manager, Core Server, WMI, User Interface, and Diagnostics
IIS 7 Configuration
• Metabase…GONE!
• Strongly Schematized Configuration
• Delegation built in
• Full support for previous versions usage of ABO
Management
• IIS Manager rebuilt from ground up
• Built in delegation support
• Support Windows & non-Windows accounts
• Remote admin support
• Fully extensible
Diagnostics
• Real-time state information exposed via script & managed code
• View currently executing requests
• Failed Request Tracing: Zero-repro diagnostics
IIS’s new home for the community…
© 2006 Microsoft Corporation. All rights reserved.
This presentation is for informational purposes only.
MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS SUMMARY.