Configuring
IIS for maximum performance
Host: Anil Mathur, Lead Technical Specialist, Microsoft India
December
13, 2002
DeepakG_[MS]: Hi Everyone
Anil_MS: Hi Everyone
DeepakG_[MS]: Today we have with us Anil Mathur. Anil heads the team
of Technical Specialists in Bangalore for Microsoft India.
DeepakG_[MS]: He will discuss with us the various configuration options
that we have with IIS to get the best in performance and security.
DeepakG_[MS]: over to you Anil, since I don't have a question yet,
lets start with a brief intro to IIS
Anil_MS: Hi once again to everyone...As most of you are
probably aware, Internet Information Services (or IIS) is a key component
of Windows 2000 web services. IIS is a high performance web server
which provides several mechanisms to host secure and highly available
web applications.
Anil_MS: IIS allows securing applications by controlling
authentication, authorization and access. It leverages Windows 2000
infrastructure effectively for managing both security and performance.
Hence it is important to consider underlying Windows 2000 OS while
setting up the IIS for hosting web applications
DeepakG_[MS]: (Biswajit): Do you have any performance statistics when
COM+ components are configured as library applications rather than
server applications?
Anil_MS: Hi Biswajit, there aren't any statistics that
I am aware of, however depending on the context, out-of-process applications
may require more resources, while there are scenarios where in-process
ISAPI apps can perform better.
DeepakG_[MS]: (Robin): how secure is IIS for publishing web services
Anil_MS: Hi Robin. IIS is very secure for hosting Web
Services. There some best practices that need to be followed to ensure
that security is configured properly. It is necessary to ensure that
you harden the Web Server and Windows 2000. For example, you should
ensure that appropriate Access Control Lists (ACLs) are applied on
NTFS, and also ACLs should ensure that groups such as Everyone group
does not have Write and Executre permissions on same directory.
Anil_MS: A good practice is to reduce the role of Anonymous
access in case Web Services are used for consumption by only authorized
parties
Anil_MS: You may also want to use Computer/Client certificates
for authentication
Anil_MS: There is a good checklist available for securing
IIS on our Security site (http://www.microsoft.com/security). I urge
you to refer to that.
DeepakG_[MS]: (Robin): Can u Load balance two IIS servers across networks?
Anil_MS: Hi Robin, Could you clarify 'across networks'?
DeepakG_[MS]: (Robin): by Across networks, i mean different Domains
Anil_MS: This is an interesting question. NLBS or Network
Load Balancing is the mechanism for Load Balancing Windows 2000 web
servers. It works on the principal of statistical load balancing.
This works at low levels of the network stack. It is necessary for
the Web Servers who are part of a NLBS cluster to be present in the
same physical network since heart beat information needs to flow across
them. The reason that they should belong to the same (security) domain
has to do more with applications than the NLBS cluster, since application
security should be common across the nodes in the cluster.
Anil_MS: BTW, it is not necessary for the servers in
a NLBS cluster to be part of a domain.
DeepakG_[MS]: (LazyApple): Is there any performance penalty for using
host headers for hundreds of virtual servers vs IP addresses?
Anil_MS: Hi LazyApple, that is a great question. If we
analyze how a web server works, there are several components that
impact a web server performance (or response times). There is the
application architecture, the Web server sizing and the network infrastructure.
When we use host headers, there is performance penalty paid by network
infrastructure for DNS lookups. So it is a good idea to take care
of sizing your network infrastructure.
DeepakG_[MS]: (LazyApple): I just need the statistical difference
between both of them (host headers and IP addresses)
Anil_MS: I think it is about 10% difference. However
the focus should be to overcome any performance penalty by designing
proper infrastructure. IP can be an expensive proposition for sure,
especially in India.
DeepakG_[MS]: (Robin): IIS 5.0 has a limitation of 1000 simultaneous
Connections, how do u increase this?
Anil_MS: Hi Robin, as far as I am aware, there is no
theoretical limit for simultaneous connections. You can increase simultaneous
connection capacity of a Web server by designing applications properly,
making use of http compression and buffering, and managing session
timeouts effectively. Also you can size your network and server properly
by analyzing the demands of applications hosted on your network.
DeepakG_[MS]: (LazyApple): 10%...which one is higher host headers
or IP?
Anil_MS: Host headers is just a little more expensive
on performance than IP
DeepakG_[MS]: (Murali): We were load testing simple HTML page with
IIS ..after a few request . we started to see the request_queued counter
(perfmon) climbing up . we had also changed the registry key "ASPMaxThread"..
Anil_MS: Hi Murali, this counter should not increase
at all!
Anil_MS: Probably this server was not capable of handling
the load put up by your load testing tool. You could try using Stress
tool available from Microsoft site. The ideal value for queue size
should be almost zero. Did the counter increase even with non-ASP
pages?
Anil_MS: The best way to test would be to keep things
simple. I suggest you create a basic site first and run your test
against that. Observe the condition till the point where this counter
starts going above zero. At this point you will get an idea as to
what are the requests your server can handle. It is also a good idea
to check other counters at this stage. The disk subsystem might show
up an issue, in case caching and buffering is disabled.
DeepakG_[MS]: (LazyApple): From a performance perspective, is many
small VB COM objs better than a few large ones in IIS?
Anil_MS: Hi LazyApple, could you help me understand this
better. What is the scenario etc?
DeepakG_[MS]: (Robin): We have some applications which are dependant
on IIS, sometimes we get InetInfo.exe Error as a dialog box, what
is this error and how to avoid it.
Anil_MS: Hi Robin, Can you tell me more about the error?
Is it a Dr Watson error, or is there any error number, etc?
DeepakG_[MS]: (LazyApple): Is there a way to predict the actual amount
of processor and memory needed for a web site so a predictable upgrade
path can be planed based on web traffic?
Anil_MS: Hi LazyApple, there is no formula that can help
you predict actual amount of processor and memory needed for a web
site. The best way is to start by having the application you want
to host in your hands. This application can be stress tested to see
how it impacts various subsystems (network, memory, processor, I/O).
If there is a linear relationship of resources with respect to number/rate
of connections, then you can predict how your server would need to
scale according to web requests.
DeepakG_[MS]: This brings us to the end of today's session
DeepakG_[MS]: Thank you Anil for taking out time for this session...
DeepakG_[MS]: Those of you who have your questions unanswered could
please post them to the microsoft.public.in.aspdotnet newsgroup, Anil
will answer them there.
Anil_MS: Thanks to Everyone here, Bye
DeepakG_[MS]: Next week's session is on new features of Active Directory
in Windows.NET server, so do join in!
