What's New in Internet Information Services 6.0
Host: Sachin Shridhar, Engineer - Back office Products, Microsoft India
June 06, 2003
Deepak_MS: Hi Friends!
Deepak_MS: Good evening and welcome to MSDN India weekly chat
Deepak_MS: today we have with us Sachin from Microsoft and he will
discuss with us the new features in IIS 6.0
Sachin_MS: Hi Friends !
Sachin_MS: glad to be with you and hope we all have some
learnings from this session
Deepak_MS: Here is the first question Sachin and I think is a great
way to start the chat...
Sachin_MS: I will start with what is new in IIS 6.0 and
hopefully answer most of the questions you might have.
Deepak_MS: (iamwhatiam): please do explain in brief the new features
of IIS 6.0?
Sachin_MS: sure, exactly what I intended to
Sachin_MS: To start off with, IIS 6.0 has improved manifold
on 1) scalability 2) Security 3) Stability 4) manageability.
Sachin_MS: To understand "how", we must first see the
changes in the IIS internals.. the architecture of the product
Sachin_MS: Earlier IIS 5.0 would have inetinfo.exe as
its main process where request handling, request queuing, IIS services
and ISAPI extensions would be housed.
Sachin_MS: Dllhost.exe would be used for all in-process
application under default application and one dllhost.exe for each
high isolation application
Sachin_MS: The kernel level component would be the tcp/ip
stack which would have the HTTP protocol
Sachin_MS: With IIS 6.0 a new component, http.sys has
been moved into the kernel. This component handles request queuing
and routing of requests to appropriate applications
Sachin_MS: Each application runs in a space different
from the http.sys (which is obvious since it is kernel level) and
the www service.
Sachin_MS: Applications now run under worker processes
hosted by w3wp.exe. depending upon your configuration each application
can run under a different worker process
Sachin_MS: i.e each app has its own w3wp.exe or multiple
w3wp.exe's or apps can share a common w3wp.exe or share multiple w3wp.exe's.
Sachin_MS: This architecture of IIS is in effect when
you run IIS in the "worker process isolation" mode which is the default
Sachin_MS: You can also run IIS 6.0 in the "IIS 5.0 Isolation
mode" where it behaves exactly like IIS 5.0 except that the HTTP.sys
remains in kernel mode
Sachin_MS: The benefits of this architecture is: 1) more
reliability. An app problem will at the max bring the w3wp.exe process
down and will not affect the web service and the http.sys.
Sachin_MS: This is in brief the architecture level changes
in IIS internals
Deepak_MS: (Naga): Sachin what u mean by http.sys in iis6.0?
Sachin_MS: http.sys is the component of the OS which resides
in the kernel .. this listens to the requests from the clients and
then routes them appropriately to the application processes handling
requests for that URL (w3wp.exe). It also handles caching for the
web requests and does queue management.
Deepak_MS: (Naga): could you please give a brief overview of server
security in IIS6.0?
Sachin_MS: Security is enhanced in IIS 6.0 at 2 levels
.. the OS and the application facilities in ASP.net 1.1
Sachin_MS: At the OS level, IIS is not installed by default
and even after installation it does not have all web extensions (ISAPI
extension) enabled by default. This removes the overhead of applying
all patches for on your server and you can be sure that your server
will only respond to the ISAPI's you have configured.
Sachin_MS: Secondly most of the applications (read as
worker process) run under an identity or user account called "network
service". This account has very low privileges, which means the code
in the app can't do much even if it does have a vulnerability.
Sachin_MS: Of course you can change and give it more privileges,
on the ASP.NET 1.1 front:
Sachin_MS: By default you cannot submit html markups in
a form to the ASP.Net application This feature is known as request
validation. It would prevent a lot of the cross scripting attacks.
Sachin_MS: Code Access security is a feature where we
can sandbox an ASP.NET application and restrict it. For example, restrict
that an application cannot access the file system
Deepak_MS: (IndianMahes): We have currently our apps running on IIS
5.0 with 500 ASP pages...can I shift to IIS 6.0 without any changes..?
Deepak_MS: Mahesh, you won't need any changes to your code.
Deepak_MS: You could run into some issues because by default IIS 6.0
is a lot more locked down than IIS 5.0, but then it's a matter of enabling
the right settings rather than any code changes. Hope that answers
your question.
Deepak_MS: (Vijay): What are Application Pools in IIS 6. Do I need
to create a separate Application Pool for each web site?
Sachin_MS: Vijay, application pool is a mechanism similar
to applications under web sites in IIS 5.0 ... app pool is a common
set of settings which has common worker processes (w3wp.exe) to serve
a single application or multiple apps. So a single app could be configured
under an app pool which makes it very secure (it can't affect any
other apps)
Sachin_MS: or multiple apps can be configured under the
same app pool.
Sachin_MS: configuring app pool also allows you to have
a WEB GARDEN where you can have multiple worker processes for a single
app. An app pool also helps you manage the health of the worker processes.
Deepak_MS: (iamwhatiam): what are the issues related to integrating
exchange server with IIS 6.0?
Sachin_MS: Currently exchange services don't have an issue
with IIS 6.0, you could check www.microsoft.com/exchange for the supported
configuration
Sachin_MS: moreover, the http.sys cache maintained in
the kernel mode caches only unauthenticated pages...hence OWA pages
are not cached in http.sys. Exchange titanium (next version) will
have maximum compatibility with IIS 6.0
Deepak_MS: (IndianMahesh): Is there any SSL improvement in IIS 6.0
?
Sachin_MS: There are enhancements in the SSL protocol
handling for example, it supports SSL 3.0 and TLS, plus the authentication
process for SSL is now handled by the Lsass.exe. It was earlier handled
by inetinfo.exe. This helps increase the performance for SSL by about
50% per request
Deepak_MS: (Naga): IF my objects pool filled by the time what happens
to running object ?
Sachin_MS: Naga, this is about handling app health . .
in case your app cannot handle more requests or is bogged down, you
can configure IIS 6.0 to start a new worker process or you can terminate
an unhealthy or unresponsive worker process and start a new one in
its place the user requests are handled / queued by the kernel level
http.sys component till the time the new worker process can handle
it.
Sachin_MS: The old worker process can continue handling
the request till it drains out and then the new worker process takes
over
Sachin_MS: one thing you need to be careful about is ..
you will lose your session states if they were in-process, the recommendation
is to store them externally
Deepak_MS: (Naga): My experience says that when I submit an invalid
char. in the submit it is through run time error?
Deepak_MS: This is a new feature introduced by .NET Framework 1.1's
ASP.NET runtime
Deepak_MS: it actually helps you avoid malicious data and cross site
scripting attack in pages that accept user input. You can trap the
error via regular exception handling mechanisms or turn it off via
web.config on a per application basis
Deepak_MS: Hope this helps.
Deepak_MS: (IndianMahesh): it's ok..But, I have an issue on this that
I am using ASPscripting object handle...Is any similar object that
available in ASP.NET to handle my case?
Deepak_MS: Again Mahesh, this is more of an ASP -> ASP.NET migration
issue rather than IIS 5.0 -> IIS 6.0 issue...
Deepak_MS: Ideally, you should re-write the functionality that ASPScripting
object provides as managed code... or use inter-op
Deepak_MS: Hope this helps
Deepak_MS: (IndianMahesh): How does a worker process acts in IIS 6.0
,...as a services or as application ?
Sachin_MS: Mahesh, the worker process is a usermode component.
It runs as a process under the OS .. its not present as a service.
Deepak_MS: (Naga): could you brief about clustering, processor support,
NLB?
Sachin_MS: Naga, the clustering support for IIS 6.0 continues
as it was in IIS 5.0 .. we support IIS on Microsoft Clustering services
in an active/active configuration.
Sachin_MS: IIS can also support multi proc machines to
an extent where you can lock down application pools to certain processors.
For example, you can have app pool1 bound to processor 1 and app pool2
bound to processor 2
Sachin_MS: IIS 6.0 has support to communicate back with
Level 7 hardware load balancers. NLB is considered a Level 3 load
balancer.... so much more support for hardware load balancers also.
On a single processor box, you could control how much proc inetinfo
and other processes can use .. however that is a pure OS feature ..you
can check that tool at
Sachin_MS: we have some good new features to support ISPs
in terms of making the product secure, easily manageable and easier
for troubleshooting.
Sachin_MS: we have new functions and new tools (iiscnfg)
which allow you to copy the settings from one web site / server to
another site /server on a diff machine. This allows ISP to replicate
exact settings from a machine to another ... allowing them to set
up new servers faster and recovering from wrong changes. The new security
model in which all web extensions are not allowed, will help ISP's
to reduce patch management and security auditing overheads since one
single app cannot bring the web services down since it is isolated
from all other app pools, it prevents corrupt apps from bringing the
server down
Sachin_MS: It is easier to debug apps, for example, I
can configure when an app becomes unhealthy (does not respond) we
can ask it to be orphaned, and then attach a debugger to the process
Sachin_MS: It is easier to recover from a change in the
metabase or rollback changes, since IIS maintains a history of metabases
i.e it backs up metabase on the HDD and you can always revert back
without having to have a backup of the metabase
Sachin_MS: and ISP could also use HTTP Compression to
reduce the amount of data travelling between compression enabled clients
Deepak_MS: (Joe): Could you explain the HTTP pipeline in the IIS 6
context?
Sachin_MS: The Hypertext Transfer Protocol (HTTP) listener
is implemented as a kernel-mode device driver named HTTP.sys.
Sachin_MS: HTTP.sys is part of the networking subsystem
of Windows. When you create a Web site in IIS, the site is registered
with HTTP.sys, which then routes Web requests to the user-mode process
that is running the Web site. HTTP.sys also sends responses back to
the client. HTTP.sys provides other services that IIS uses for example
managing TCP connections, logging requests, managing QOS and managing
caching. By running HTTP.sys as a kernel-mode component, IIS 6.0 delivers
2 performance benefits.
Sachin_MS: By dispatching directly to the correct process
from the kernel, requests are served with less context-switching overhead
Sachin_MS: By enabling the kernel-mode cache, requests
for cached returns can be served without switching to user mode
Deepak_MS: (Bhas): How to reduce the HTTP headers while transferring
the data?
Sachin_MS: You could enable HTTP transmission compressions
which would reduce the amount of data to be transferred. There is
no new feature in IIS 6.0 specifically to REDUCE headers.
Deepak_MS: to add to that.. goto Web Site -> Properties -> HTTP Headers
tab and you will see "Custom Headers". You might want to remove any
custom headers that you see there (e.g. X-Powered-By: ASP.NET).
Deepak_MS: (Naga): I have an ActiveX based report generation component
which uses MSWord Component to generate report.. It is running on
iis5.. will it run without any modification in iis 6
Deepak_MS: Well... it should work, but is certainly not the recommended
way to do things... Office applications were meant to run on desktops
and though COM automation is allowed to make your application talk
to them, it should not be used in any server side scenario, as this
has serious implications on scalability...
Deepak_MS: Two simple workarounds that you can try
Deepak_MS: a.) Emit plain HTML: with the correct content-type, word
should pick it up and render nicely.
Deepak_MS: b.) Emit XML: All office applications allow you to save
documents as XML - so you can emit XML that word understands.
Deepak_MS: (aravind): Any info about SOAP support?
Deepak_MS: Well soap is supported as part of the ASPNET extension.
.NET Framework 1.1 ships with Windows Server 2003 (out of the box)..
so you are pretty much ready to go with IIS 6.0
Deepak_MS: Done
Deepak_MS: (Naga): As win2003 supports IPv6 is win2003 basically communicates
with IPv6 or any other http clients are there for IPv6.. ?
Sachin_MS: IPV6 allows 2 machines running the IPv6 protocol
to access each others services ... it is also essential that the service
/ application supports IPv6.
Sachin_MS: IIS 6.0 has support for IPv6, so your web sites
can listen to ...and register the ipv6 address. You just have to install
the protocol stack on the IIS, and then issue a restart to the web
sites for it to pickup the new protocol and addressing. Then you assign
an IPv6 address to the site and you are ready !
Sachin_MS: You cannot configure IPv6 support at the machine
level. In other words, you cannot configure individual sites to respond
to IPv6 traffic while other sites on the same server respond to IPv4
traffic.
Sachin_MS: NOTE: only one SSL site is supported on an
IPv6 address per machine
Deepak_MS: (Naga): How to convert Old index server catalogs to new
IIS 6.. or Do I need to rebuild it again .. as I am installing on
the new system how to switch from old to new one automatically ...?
Sachin_MS: you would not be able to re-use the same catalog
from previous versions of IIS to this version ... we however have
a great tool that migrate web sites from IIS 4.0/5.0 to IIS 6.0. It
migrates contents, NTFS settings for groups , it migrates your app
isolation settings ... it also migrates your metabase configuration.
It can also be used as a one time metabase migration tool ...and a
replication tool from IIS 6.0 to another iis 6.0 box
Sachin_MS: Just as a note, compared to IIS 5.0 which has
the metabase as a binary file, we have the metabase in IIS 6.0 as
a .XML File. This metabase.xml can be opened with a notepad or any
XML reading tool and edited while your services are online (you just
have to make one setting for it in the IIS manager).
Sachin_MS: IIS services can apply the changes on the fly
in hardly a matter of minutes or you could force a save to the hard
disk copy from the in memory copy using the Savedata() ADSI and WMI
function
Sachin_MS: for any question you might have left unanswered
post them to news.microsoft.com.inetsrv.iis
Sachin_MS: thank you friends !
Deepak_MS: folks we come to an end of this very informative (and comprehensive)
session
Deepak_MS: for all you web-services fans out there, we have an exciting
chat coming up next week
Deepak_MS: that explains the new Web Services Extension WSE
Deepak_MS: next Thursday (12th June) from 4:00 PM to 5:00 PM
Deepak_MS: so mark your calendars!!!
Deepak_MS: Till then, Good Bye and have a fantastic weekend