Chapter 5 - Enterprise Scenarios
Archived content. No warranty is made as to technical accuracy. Content may contain URLs that were valid when originally published, but now link to sites or pages that no longer exist.

An enterprise network is a network for an organization that has several thousand employees and that operates at multiple sites. Typically, large networks have several different standards in use across the network. Interoperability and communication are constant challenges for the information staffs of enterprise networks.

The diagram inside the back cover of this book illustrates the enterprise network for Terra Flora, a fictitious international floral company.

The Terra Flora enterprise network was created in Microsoft laboratories to demonstrate Windows NT interoperability features for an enterprise network. The Windows NT Server Resource Kit: Windows NT Server Networking Guide contains chapters that show you how Windows NT Server solved the interoperability challenges posed by the Terra Flora enterprise network.

Chapters 4 and 5 in this book show you how to use Windows NT Server Internet Information Server (IIS) to meet business communication needs—from team communication to mission-critical applications. The chapters use scenarios that are presented as if an administrator were implementing a staged rollout of Internet Information Server to the company. See Chapter 4, "Desktop Scenarios," for a complete description of the Terra Flora company and its network.

The scenarios in this chapter use or simulate multiple servers. The scenarios covered are:

  • A single production server using virtual servers to host "multiple" web sites on a single computer.

  • Database access for a mission-critical application.

  • File Transfer Protocol (FTP) and Gopher servers for access to the same set of Human Resources information.

  • Multiple computers running Windows NT Server and Internet Information Server, demonstrating a large-scale Internet implementation of IIS.

Creating Virtual Servers by Using Internet Information Server

In this scenario, Terra Flora has successfully deployed Internet Information Server on a department-level server (see Chapter 4) and is setting up an IIS server for each division.

This scenario assumes that dedicated hardware is not available for each division's IIS server. Therefore, Terra Flora installs Internet Information Server on an existing computer running Windows NT Server, then creates a virtual server for each division, as shown in Table 5.1.

Table 5.1 Computer Names for Terra Flora Divisions

  Division                    Computer name URL
  Retail                      http://retail
  Supply and Manufacturing    http://supply
  Nursery                     http://nursery

These servers will provide information—such as project plans and employee services—to new members or to other division employees. For examples of how Terra Flora will distribute information, see the section "Information Distribution," later in this chapter.

Ideally, each division operates a separate server. Automatic IP address administration by Dynamic Host Configuration Protocol (DHCP) and Windows Internet Name Service (WINS) name resolution works on separate servers that are each addressed with a single Internet Protocol (IP) address. After you install Internet Information Server, name resolution on the network automatically "finds" the IIS server; no additional network configuration is required for name resolution. DHCP and WINS are designed to work together for automatic name resolution on a network, as explained in Chapter 2.

For example scenarios that use automatic DHCP configuration and WINS resolution, see "Peer Web Services on an Intranet Desktop" and "Internet Information Server as a Single Intranet Server" in Chapter 4, "Desktop Scenarios."

Virtual Server Hardware Configuration

The virtual servers are installed on a new file and print server. The new server provides adequate resources for the three IIS servers, in addition to its primary role as a file and print server and a messaging server.

Here is the hardware configuration for the IIS server that will host the virtual servers:

  • Pentium dual processor with clock speed of 100 MHz

  • 64 MB of RAM

  • 10 GB disk

Virtual Server Network Configuration

Terra Flora uses virtual servers for its division-level IIS servers because it does not want the expense of dedicated IIS servers for the initial rollout. The network configuration of a virtual server on an intranet requires multiple IP addresses and name resolution for each IP address assigned. Figure 5.1 highlights the components in the Terra Flora network that are involved in creating enterprise virtual servers by using Internet Information Server.

Figure 5.1: Virtual server network overview

The virtual servers are hosted on the computer CANTS40DIV01, which also is a file and print server and a messaging server. Name resolution is provided by CANTS40ENT03. All clients in the network except MS-DOS-based clients can access the virtual servers.

If you use DHCP servers and WINS servers on your network, as Terra Flora does, it is best to avoid using IIS virtual servers.

Virtual servers require you to manually configure Transmission Control Protocol/Internet Protocol (TCP/IP) properties on the computer running Internet Information Server and also to manually configure the name resolution system in use on your network.

DHCP and WINS are designed to work together for automatic name resolution on a network, as explained in Chapter 2. Automatic administration means that name resolution on the network is completely automated. Every time the IIS server starts, it is automatically given an IP address and its name is registered on the WINS servers used throughout the network. This method is demonstrated in "Peer Web Services on an Intranet Desktop" and "Internet Information Server as a Single Intranet Server" in Chapter 4, "Desktop Scenarios."

If you do not use DHCP or WINS servers on your network, installation of Internet Information Server requires manual configuration. Because virtual servers require little additional manual configuration, they are ideal for a network that does not use DHCP or WINS.

Virtual Server TCP/IP Properties

One IP address must be added to the network interface card (NIC) of CANTS40DIV01 for each virtual server. When you assign more than one IP address to a single network interface card, you must disable automatic DHCP configuration. The DHCP server cannot assign multiple IP addresses to the same network interface card.

You enter the IP addresses and all TCP/IP properties for this computer by using the configuration options available when you double-click Network in Control Panel. On the Protocol tab, select TCP/IP protocol and click Properties. Type the first IP address, subnet mask, and the computer's default gateway under Specify an IP Address on the IP Address tab. (See Figure 5.2.)

Figure 5.2: Setting TCP/IP properties for virtual servers

After you type the first IP address, subnet mask, and default gateway, click Advanced to display the Advanced IP Addressing dialog box, as shown in Figure 5.3. To add IP addresses to your network interface card, click the Add button under IP Addresses.

Figure 5.3: Adding more than one IP address

Virtual Server Name Resolution

The computer name of the computer hosting the IIS virtual servers is CANTS40DIV01 (see diagram inside the back cover of this book). When you use multiple computer names with multiple IP addresses on the same network interface card, you must configure the WINS server with the computer name/IP address pairs that you will use. Thus, when clients consult a WINS server, the server provides the computer name and IP address for your virtual server. (You can also configure the WINS server to override the default computer name/IP address pair used if only a single IP address is assigned to the network interface card of a computer running Internet Information Server.)

You use the WINS server (CANTS40ENT03 in the Terra Flora diagram) to assign three computer names (NetBIOS computer names) to the three static IP addresses configured on the computer running Internet Information Server. The names in the WINS database will be used by Windows-based clients for name resolution.

Use WINS Manager in the Administrative Tools folder to assign the NetBIOS names to the IP addresses you added to the network interface card of your computer running Internet Information Server. On the WINS Manager Mappings menu, click Static Mappings. In the Static Mappings dialog box, click Add Mappings and add each virtual server's IP address/NetBIOS name pair. After you have added the IP address/NetBIOS name pairs, the mappings appear as shown in Figure 5.4.

Figure 5.4: Virtual server WINS mapping

When an Internet Explorer client (or other browser) requests a Uniform Resource Locator (URL) that uses a NetBIOS name—such as http://retail—TCP/IP networking on the client automatically consults the WINS server to discover IP addresses. This is illustrated as step 1 in Figure 5.5. The WINS server notifies the client of the IP address assigned to that NetBIOS name (step 2). The client then uses the IP address to make the request to the computer running Internet Information Server (step 3).

Figure 5.5: WINS resolution for URL that uses NetBIOS computer name

Networks that do not use WINS can use an alternative name resolution system, usually Domain Name System (DNS) servers. DNS servers resolve a domain name—such as retail.terraflora.com—to an IP address.

If you use third-party DNS servers, you manually add a DNS A-type resource record to the zone data file for each virtual server IP address/DNS domain name pair. For more information about DNS resource records and their formats see RFC 883 and RFC 973 or the documentation for your DNS server.

Terra Flora uses both Windows NT WINS servers and Windows NT DNS servers. For example, both a WINS server and a DNS server are on CANTS40ENT03 on the Terra Flora network diagram. Because Terra Flora uses both WINS and DNS, there is no need to create actual DNS database entries for the new servers. Instead, you can provide a form of dynamic DNS by directing the Windows NT Server DNS server to query WINS for name resolution of the terraflora.com domain.

In DNS Manager, right-click the zone that will consult the WINS database for name resolution, and then click Properties. Click the WINS Lookup tab and enter the IP address of the WINS server, as shown in Figure 5.6.

Figure 5.6: Using WINS with DNS for name resolution

The DNS server automatically consults the WINS server to discover the IP address. For example, a UNIX computer requests the DNS server to resolve retail.terraflora.com to an IP address. Because the DNS server does not have an explicit record for retail.terraflora.com, it queries the WINS server for the name "retail." The WINS server has a static mapping for the NetBIOS name "retail" to the IP address 172.16.32.100 and returns that IP address to the DNS server. The DNS server then resolves the DNS name retail.terraflora.com based on the NetBIOS name mapping in WINS. This NetBIOS-name-to-DNS-name mapping is automatic for all names in the WINS server, including WINS mappings based on automatic IP address assignment by DHCP.
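The lookup just described, as an added Python model that is not Microsoft code: the DNS server answers from its own A records first and otherwise hands the leftmost label of a terraflora.com name to WINS as a flat NetBIOS name. The retail address 172.16.32.100 is the chapter's value; every other record is constructed for the example.

```python
# Added example: a model of the Windows NT DNS server's WINS Lookup
# fallback described in the text.  Not Microsoft code; all records other
# than retail -> 172.16.32.100 (the chapter's value) are constructed.
import ipaddress

WINS_ZONE = "terraflora.com"   # zone whose WINS Lookup tab names the WINS server

# Explicit A records in the terraflora.com zone data file (constructed).
DNS_A_RECORDS = {
    "cants40ent03.terraflora.com": "172.16.32.3",
}

# WINS static mappings (NetBIOS name -> IP) added in WINS Manager.
WINS_STATIC = {
    "RETAIL": "172.16.32.100",   # value used in the chapter
    "SUPPLY": "172.16.32.101",   # constructed
    "NURSERY": "172.16.32.102",  # constructed
}

# Names registered dynamically by DHCP clients at startup (constructed).
WINS_DYNAMIC = {
    "ORDERDESK": "172.16.34.57",
}


def wins_lookup(netbios_name):
    """Resolve a flat NetBIOS name through WINS; None if it is not registered.
    The model consults static mappings before dynamic registrations."""
    key = netbios_name.upper()
    if not key or len(key) > 15:   # NetBIOS names are at most 15 characters
        return None
    return WINS_STATIC.get(key) or WINS_DYNAMIC.get(key)


def dns_resolve(fqdn):
    """Resolve fqdn the way the NT DNS server with WINS Lookup enabled does:
    1. answer from the zone's own A records when one exists;
    2. otherwise, for a name inside the WINS-enabled zone, strip the zone
       suffix and hand the leftmost label to WINS as a NetBIOS name.
    Returns the address as a string, or None when the name does not exist."""
    name = fqdn.rstrip(".").lower()
    if name in DNS_A_RECORDS:
        return DNS_A_RECORDS[name]
    suffix = "." + WINS_ZONE
    if not name.endswith(suffix):
        return None                # another zone: no WINS fallback applies
    host = name[:-len(suffix)]
    if not host or "." in host:
        return None                # WINS holds flat names; sub-labels cannot match
    address = wins_lookup(host)
    if address is not None:
        ipaddress.ip_address(address)   # raise if WINS returned something malformed
    return address
```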

After you finish these configurations, users can then access the Internet Information Server virtual server by using either the NetBIOS name (if WINS is supported on the client) or the domain name (if DNS is supported on the client), as shown in Table 5.2.

Table 5.2 Virtual Server Computer Names Used in URLs

  NetBIOS name   URL with WINS name resolution   URL with DNS name resolution
  RETAIL         http://retail                   http://retail.terraflora.com
  SUPPLY         http://supply                   http://supply.terraflora.com
  NURSERY        http://nursery                  http://nursery.terraflora.com

For more information on WINS and DNS interoperability, see the Windows NT Server Networking Guide.

If your network contains non-Microsoft DNS servers, you must add a record in the DNS database for each IP address/domain name pair you add. The name resolution process is similar to WINS name resolution. For information about adding a computer to a domain, see your DNS server documentation.

You can also use HOSTS or LMHOSTS files on client computers for name resolution. For frequently accessed servers, this is slightly faster than consulting a WINS or DNS server, and it also reduces network traffic. For more information on name resolution by using HOSTS and LMHOSTS files, see the Windows NT Server Networking Supplement.

To complete the creation of the virtual servers, you must now create a home directory for each virtual server, as described in the next section.

Internet Information Server Configuration to Create Virtual Servers

You use Internet Service Manager to create virtual servers. You will not see virtual server names in the main Internet Service Manager window. Virtual servers are created on the Directories tab of the WWW Service Properties dialog box, as shown in Figure 5.7.

Figure 5.7: Virtual server directories listed

To create a virtual server, click Add and, in the Directory Properties dialog box, specify a directory for each IP address configured on your server. (See Figure 5.8.) A virtual server is not "created" until a directory is created that uses the IP address of that virtual server.

Figure 5.8: Specifying the IP address for a virtual server directory

If a single IP address is used on a computer running Internet Information Server, all directories created apply to that IP address. If two or more IP addresses are added to a computer running Internet Information Server, you must then select the Virtual Server check box and type an IP address in the Virtual Server IP Address box for each IIS directory you create. If you fail to select the Virtual Server check box and to specify an IP address, that directory will be available through all IP addresses assigned to the computer.

The default home directory (wwwroot) and the /Scripts directory created during installation are not assigned to a specific IP address. Because no IP address is assigned to the directories, the default home directory becomes the default home directory for all TCP/IP addresses assigned to that server.

The /Scripts directory is a good example of a case that calls for using a common directory between virtual servers by not specifying an IP address. You can locate the scripts for all virtual servers on the computer in the same common directory. For example, http://retail/scripts/order.dll and http://supply/scripts/update.exe both use files in the same physical directory.
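An added model (not IIS code) of how the Directories tab settings above decide which physical directory answers a request, including the caveat that an entry with no virtual server IP is reachable through every address on the card. The model assumes the longest matching alias wins; the physical paths and the .101 and .102 addresses are constructed for the example.

```python
# Added example: a model of IIS virtual-server directory selection as the
# Directories tab describes it.  Not IIS code; the addresses other than
# 172.16.32.100 and all physical paths are constructed for illustration.

# Addresses configured on the CANTS40DIV01 network interface card.
SERVER_IPS = {"172.16.32.100", "172.16.32.101", "172.16.32.102"}

# Directory entries: (alias, Virtual Server IP Address or None, physical path).
# None means the Virtual Server check box was left clear for that entry.
DIRECTORIES = [
    ("/",        "172.16.32.100", r"D:\retail\wwwroot"),    # http://retail
    ("/",        "172.16.32.101", r"D:\supply\wwwroot"),    # http://supply
    ("/",        "172.16.32.102", r"D:\nursery\wwwroot"),   # http://nursery
    ("/",        None,            r"C:\InetPub\wwwroot"),   # default home, all IPs
    ("/scripts", None,            r"C:\InetPub\scripts"),   # shared by all servers
    ("/budget",  "172.16.32.101", r"D:\supply\budget"),     # supply only
]


def select_directory(dest_ip, url_path):
    """Pick the directory entry that serves url_path for a request that
    arrived on dest_ip.  The model assumes the longest matching alias wins
    and that an entry bound to the request's IP beats an unbound entry with
    the same alias; unbound entries answer on every IP.
    Returns (physical_path, remaining_path) or None."""
    if dest_ip not in SERVER_IPS:
        return None
    best = None
    for alias, bound_ip, path in DIRECTORIES:
        if bound_ip is not None and bound_ip != dest_ip:
            continue                       # belongs to another virtual server
        prefix = alias if alias.endswith("/") else alias + "/"
        if url_path != alias and not url_path.startswith(prefix):
            continue
        rank = (len(alias), bound_ip is not None)
        if best is None or rank > best[0]:
            best = (rank, alias, path)
    if best is None:
        return None
    _, alias, path = best
    return path, url_path[len(alias):].lstrip("/")


def unbound_aliases():
    """Aliases reachable through every IP because no virtual server IP was
    specified.  Anything listed here other than directories that are meant
    to be shared (such as /scripts) is a configuration to revisit."""
    return sorted({alias for alias, bound_ip, _ in DIRECTORIES if bound_ip is None})
```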

Using Groups for Selective Access

This section discusses how Internet Information Server authentication and Windows NT user accounts and global groups are used at Terra Flora to provide selective access to files served through Internet Information Server.

An overview of Terra Flora's use of Windows NT groups to provide selective access is shown in Figure 5.9.

Figure 5.9: Controlling access to files by using Windows NT groups

Although Figure 5.9 depicts a single directory structure for simplicity, directories can reside on other disks or even on other network shares.

Domainwide Anonymous Access

The Anonymous access layer of Figure 5.9 demonstrates anonymous access to the root directories provided by using the anonymous account specified on the Service tab in the WWW Service Properties dialog box.

In this Terra Flora scenario, Internet Information Server is installed on a stand-alone member server, CANTS40DIV01. The default anonymous account, IUSR_CANTS40DIV01, is a local user account. Because the server will access directories on network computers in the California domain, the account is added to the California domain by using User Manager for Domains, as shown in Figure 5.10. Adding the local account IUSR_CANTS40DIV01 to the California domain enables computers in that domain to authenticate access by Internet Information Server.

Figure 5.10: Accounts and global groups used at Terra Flora in User Manager

Alternatively, you can create a new account in the California domain for anonymous access and specify that account in Internet Service Manager on the Service tab in the WWW Service Properties dialog box.

Basic Authentication and Global Groups

The Basic authentication layer of Figure 5.9 demonstrates using Basic authentication and Windows NT groups to control access to subdirectories.

In Terra Flora, each department provides some information to the entire company, such as current project plans or an employee directory. However, each division or department also uses material that only its members should have access to.

To provide selective access, global groups are created for each division (Nursery, Retail, and Supply) by using User Manager on the primary domain controller, CANTS40ENT03. The Log On Locally user right is added to every user or group that will use the IIS server, as shown in Figure 5.11.

Figure 5.11: Assigning rights to groups in User Manager

You must also give the division groups read access to the directories. To do this, right-click the folder in Windows NT Explorer, then click Properties to specify group permissions in the Directory Permissions dialog box shown in Figure 5.12.

Figure 5.12: Designating the security properties for a directory

To complete the security configuration, Terra Flora appoints a webmaster in each division to control content on the servers. The Webmasters group is created and populated with the three division webmasters. Only the Webmasters group is given Full Control over the entire directory structure.

For more information about adding global groups to a domain and adding user rights to user accounts and groups, see Windows NT Server Concepts and Planning.

Challenge/Response Authentication and Global Groups

The Challenge/response authentication layer in Figure 5.9 demonstrates access that is granted to managers only by using Windows NT challenge/response authentication. A global group named Managers is created and populated with the user accounts of individual managers.

Read permission on all the budget information files is granted to the group named Managers. Full Control permission on individual files is granted to the individual manager responsible for the file.

The use of Windows NT groups demonstrated in this section is scalable and can be expanded to suit your business.

For more information about domain user accounts, local accounts, and the IUSR_computername account, see Chapter 3, "Server Security on the Internet."

Information Distribution

This section shows how to handle typical content on a division server and presents useful strategies for your business.

The division servers provide all employees access to process documents (how-to documents), current project plans, employee home pages, and links to related pages on other division servers, as shown in Figure 5.13.

Figure 5.13: Retail Division home page for entire company

Only employees in the division have access to that division's project templates, plans in development, and budgets. The Retail Division home page (Figure 5.14) shows what the employees in that division have access to.

Figure 5.14: Retail Division home page for Retail Division employees only

Retail employees collaborate on files in the \Division\Plans directory to create final project plans. When the plans are complete and approved, the webmaster copies the plan files to the root directory and creates links on the appropriate Hypertext Markup Language (HTML) pages so that all Terra Flora employees can read the plans.

Parallel directory structures enable you to copy entire directory structures to other servers without changing hard-coded relative links within the files. Parallel directory structures also simplify navigation, as shown in Figure 5.15.

Figure 5.15: Directory structure for Retail Division

Creating Virtual Servers on the Internet

Virtual servers on the Internet are the same as virtual servers on an intranet. You must register your domain names in the worldwide Domain Name System through the InterNIC. The InterNIC is a cooperative activity between the National Science Foundation, Network Solutions, Inc., and AT&T to provide DNS registration services to the worldwide Internet community. You can reach the InterNIC at http://internic.net. Some Internet service providers register domain names with the InterNIC for you.

If your Internet clients use Internet Explorer version 2.0 or later, you can use Windows NT groups for secure authentication by using challenge/response authentication. Netscape Navigator and other browsers do not support secure authentication by using challenge/response. They use Basic authentication, which transmits user names and passwords by using base-64 encoding. Base-64 encoding can be decoded easily. Because anyone monitoring the network can decode these user names and passwords, using Basic authentication on public networks is not recommended.

Once authenticated, either by challenge/response or Basic authentication, all data is transmitted in clear text. You can use Secure Sockets Layer (SSL) to encrypt all data, but SSL uses a lot of processor time to encode and decode every shred of data passed through Internet Information Server. Therefore, SSL is usually reserved for small amounts of private information, such as credit card numbers or addresses.

For more information about SSL, see Chapter 3, "Server Security on the Internet."

Database Application Using Internet Information Server

This scenario explains how the Internet Database Connector is used to create a core-business application that streamlines Terra Flora's internal processes and eventually will accommodate an expanded customer base.

The flower arrangement order desk is the heart of Terra Flora's business. By using Internet Information Server to post to and query the retail order Oracle database, anyone in the company can use the data. This scenario establishes an internal ordering system that uses Hypertext Transfer Protocol (HTTP). The internal system will serve as a pilot for an Internet ordering system, which will expand Terra Flora's market to the entire world.

This section assumes that an Oracle database already exists.

For more details on using the Internet Database Connector and related control files (.idc and .htx), see the Windows NT Server Microsoft Internet Information Server Installation and Administration Guide.

Database Connector Hardware Configuration

Two computers—the computer running Internet Information Server and the computer running the Oracle database—must be configured for the network.

The computer running Internet Information Server has the following hardware configuration:

  • Intel 486 processor with clock speed of 50 MHz

  • 24 MB of RAM

  • 2 GB of free disk space

Database Connector Network Configuration

As the previous section mentioned, you must configure two computers for the network. Figure 5.16 highlights the components in the Terra Flora network that are involved in using the IIS Internet Database Connector.

Figure 5.16: Database connector network overview

TCP/IP Properties of the Computer Running the Database Connector

The IP address and all TCP/IP properties for the computer named ORDERDESK are dynamically assigned by the network DHCP server CANTS40ENT03 during computer startup. The WINS server, also on CANTS40ENT03, is also notified of the IP address and the computer name of ORDERDESK.

Name Resolution of the Computer Running the Database Connector

The NetBIOS computer name of the computer hosting the IIS server is ORDERDESK. All Internet Information Server clients will use this NetBIOS computer name.

Internet Explorer clients automatically query the WINS server when a request uses the name of a computer, for example, http://orderdesk. The WINS server provides the IP address currently assigned by DHCP to that computer name. The DHCP assignment and WINS registration process is dynamic. Therefore, regardless of the IP address currently assigned to ORDERDESK, Internet Explorer users can always resolve http://orderdesk to the current IP address by using the WINS server.

Networks that do not use WINS can use an alternative name resolution system, usually DNS servers. DNS servers resolve a domain name—such as orderdesk.terraflora.com—to an IP address.

Typically, you add the IP address and domain name to your local DNS server. On Terra Flora's network, the DNS server is CANTS40ENT03. For information about configuring the DNS server, see the section "Virtual Server Name Resolution" earlier in this chapter.

After the DNS server is configured, users can then access the IIS server by using either the NetBIOS computer name (if WINS is supported on the client) or the domain name (if DNS is supported on the client), as shown in Table 5.3.

Table 5.3 ORDERDESK Computer Name Used in URLs

  NetBIOS name   URL with WINS name resolution   URL with DNS name resolution
  ORDERDESK      http://orderdesk                http://orderdesk.terraflora.com

For more information on WINS and DNS interoperability, see the Windows NT Server Networking Guide.

Creating a System Data Source

You need no special configuration in Internet Service Manager to implement database connectivity by using Internet Database Connector. The Httpodbc.dll module supplies database connectivity. Httpodbc.dll is automatically loaded when Internet Information Server starts. To install Httpodbc.dll, you select the ODBC option during Internet Information Server setup.

Prior to using the database, you must create a system Data Source Name (DSN). The Data Source Name is a logical name used by Windows NT Open Database Connectivity (ODBC) to refer to the driver and any other information required to access the data, such as the actual server name or location of the database. You specify the Data Source Name in Internet Database Connector files to tell Internet Information Server where to access the data. For more information about using the DSN in .idc files, see "Accessing the Database," later in this section.

The simplest method to create a DSN is to use the sample pages provided with Internet Information Server. To access the sample pages, first make sure your World Wide Web (WWW) service is running. Then use Internet Explorer to access your own IIS server. For example, type http://orderdesk in the location box. The Database page contains a hyperlink to create the system data source. The manual method for creating a data source follows.

To create a system data source

  1. Double-click ODBC in Control Panel.

    The Data Sources dialog box appears. Other data sources appear in the list if you previously installed other ODBC drivers.

  2. Click System DSN. In the System Data Sources dialog box, click Add.

    Important: Be sure to click System DSN. The Internet Database Connector works only with system DSNs.

  3. In the Add Data Source dialog box, select an ODBC driver in the list box, then click OK.

    A dialog box specific to your driver appears. To install third-party ODBC drivers, see your third-party database documentation.

  4. In the dialog box specific to your driver, enter the name of the data source and any other required information, then click OK.

    The System Data Sources dialog box appears again, but now it has the name of the data source displayed.

    If you do not know what to enter in the dialog box specific to your driver, accept the defaults. To find out the details, click Help and find the section that describes your network.

  5. To close the System Data Sources dialog box, click Close. To close the Data Sources dialog box, click Close again.

  6. To complete the ODBC and DSN setup, click OK.

Placing the .idc and .htx Files

After the Data Source Name is created, you can begin to create the Internet Database Connector (.idc) files that will be used to post and query data from the database, and the .htx files that will be used to format the results returned from it.

Place the .idc and .htx files in the /Scripts directory or another Internet Information Server directory configured with the Execute property. You mark a directory with the Execute property when you add or edit the directory on the Directory property sheet.

For details on creating the .idc and .htx files, see the section "Accessing the Database" later in this chapter, or the Windows NT Server Microsoft Internet Information Server Installation and Administration Guide.

Database Connectivity Security

Security for database connectivity consists of configuring access to:

  • Internet Information Server files.

  • The database.

You use Windows NT and Internet Information Server security when accessing the .idc and .htx files. Users must have permission to access these files in the same way as any other file made available through Internet Information Server. The Terra Flora intranet uses anonymous access. Therefore, the properties of the .idc and .htx files must permit access by the IUSR_computername account or by the account specified for anonymous access.

Also, the .idc file lists a user name and (optionally) a password, which must be valid on the ODBC data source. If the .idc file does not list a user name and password, the user name and password used by Internet Information Server are presented to the ODBC data source.

If you use anonymous access or Basic authentication, the password used by Internet Information Server works on any remote data source if the user name and password are valid for logon to that data source. Windows NT challenge/response authentication works only when a computer is running both Windows NT Internet Information Server and Microsoft SQL Server. For more information, see the next section, "Using Windows NT Challenge/Response for Microsoft SQL Server Access."

Using Windows NT Challenge/Response for Microsoft SQL Server Access

If you are running Microsoft SQL Server and Internet Information Server on the same computer, you can use integrated SQL Server security to pass encrypted user names and passwords for database access. SQL Server must be configured for integrated security. Integrated SQL Server security enables you to use the encrypted user name and password given by an Internet Information Server user for access to SQL Server.

If you use integrated SQL Server security, you do not provide a user name and password in the .idc file. For more information about configuring integrated security, see your SQL Server documentation.

Before you can set up Internet Information Server and SQL Server with integrated Windows NT security, you must install both on the same computer.

To set up integrated Windows NT security, select the Windows NT Challenge/Response check box on the Service property sheet. Clients must use Internet Explorer version 2.0 or later. Specify Local Server as the System Data Source in your .idc file.

Windows NT user names must adhere to SQL Server integrated security name rules. Underscores, dollar signs, and pound signs are not allowed. The default account IUSR_computername cannot be used.

Accessing the Database

Terra Flora has an existing table in its order database. This table is used to process retail orders. The ability to access existing stores of information is the primary benefit of using Internet Information Server at Terra Flora.

Users enter data into the database by using an HTML form, as shown in the .htm file in Figure 5.17.

<HTML>
<HEAD>
<TITLE>Terra Flora</TITLE>
</HEAD>
<BODY BGCOLOR="#FFFFFF">
<H1 ALIGN="CENTER"><FONT SIZE=6 COLOR="#000000" FACE="Arial">Terra Flora Order Desk</FONT></H1>
<!-- Each INPUT NAME below becomes a %name% parameter available to Order.idc -->
<FORM ACTION="/secure/Order.idc" METHOD="POST">
<TABLE BORDER=2 BGCOLOR="#FFFFFF">
<TR><TD>FirstName</TD><TD><INPUT NAME="FirstName" VALUE=""></TD>
    <TD>Address1</TD><TD><A NAME="UQHTML0"></A><INPUT NAME="Address1" VALUE=""></TD></TR>
<TR><TD>LastName</TD><TD><INPUT NAME="LastName" VALUE=""></TD>
    <TD>Address2</TD><TD><INPUT NAME="Address2" VALUE=""></TD></TR>
<TR><TD>ProductId1</TD><TD><INPUT NAME="ProductId1" VALUE=""></TD>
    <TD>City</TD><TD><INPUT NAME="City" VALUE=""></TD></TR>
<TR><TD>ProductId2</TD><TD><INPUT NAME="ProductId2" VALUE=""></TD>
    <TD>State</TD><TD><INPUT NAME="State" VALUE=""></TD></TR>
<TR><TD>ProductId3</TD><TD><INPUT NAME="ProductId3" VALUE=""></TD>
    <TD>Country</TD><TD><INPUT NAME="Country" VALUE=""></TD></TR>
<TR><TD>Comment</TD><TD><INPUT NAME="Comment" VALUE=""></TD>
    <TD>PhoneNumber</TD><TD><INPUT NAME="PhoneNumber" VALUE=""></TD></TR>
<TR><TD>DeliveryDate</TD><TD><INPUT NAME="DeliveryDate" VALUE=""></TD>
    <TD>Email</TD><TD><INPUT NAME="Email" VALUE=""></TD></TR>
<TR><TD>CreditCardNumber</TD><TD><INPUT NAME="CreditCardNumber" VALUE=""></TD>
    <TD><INPUT TYPE="SUBMIT" VALUE="Place Order" ALIGN="MIDDLE"></TD>
    <TD><INPUT TYPE="RESET" NAME="reset" VALUE="Clear" ALIGN="MIDDLE"></TD></TR>
</TABLE>
</FORM>
<HR SIZE=2>
</BODY>
</HTML>

Figure 5.17 Sample .htm file for Terra Flora order desk

Figure 5.18 shows the results of this .htm file in Internet Explorer.

Figure 5.18: Terra Flora order desk file displayed by Internet Explorer

When a user clicks the Place Order button, the data is processed by using the .idc file shown in Figure 5.19.

Datasource: OrderDB
Template: Order.htx
SQLStatement:
+INSERT INTO "OrderDB"
+("FirstName", "LastName", "Email",
+"PhoneNumber", "CreditCardNumber",
+"Address1", "Address2", "City",
+"State", "Country", "ProductId1", "ProductId2",
+"ProductId3", "Comment", "DeliveryDate")
+VALUES ('%FirstName%', '%LastName%', '%Email%',
+'%PhoneNumber%', '%CreditCardNumber%',
+'%Address1%', '%Address2%', '%City%', '%State%',
+'%Country%', '%ProductId1%', '%ProductId2%',
+'%ProductId3%', '%Comment%', '%DeliveryDate%');
#IDC-Insert FrontHTM-default.htm ReportHTX-Order.htx

Figure 5.19 Sample .idc file for Terra Flora order desk

The .idc file (Order.idc) then posts the information to the database, and the results are formatted by using the .htx file (Order.htx) named in the Template line of the .idc file, as shown in Figure 5.20.

<HTML>
<HEAD>
<TITLE>Submitted Order</TITLE>
</HEAD>
<BODY BGCOLOR="#FFFFFF">
<P>
<B>Verify this posted information with the customer.<BR>
</B>
<P>
<TABLE BORDER=2 BORDER BGCOLOR="#FFFFFF">

<TR><TD ALIGN="RIGHT"><B>FirstName</B></TD><TD><%IDC.FIRSTNAME%>
</TD><TD ALIGN="RIGHT"><B>Address1</B></TD><TD><%IDC.ADDRESS1%>
</TD></TR>

<TR><TD ALIGN="RIGHT"><B>LastName</B></TD><TD><%IDC.LASTNAME%>
</TD><TD ALIGN="RIGHT"><B>Address2</B></TD><TD><%IDC.ADDRESS2%>
</TD></TR>

<TR><TD ALIGN="RIGHT"><B>ProductId1</B></TD><TD><%IDC.PRODUCTID1%>
</TD><TD ALIGN="RIGHT"><B>City</B></TD><TD><%IDC.CITY%></TD></TR>

<TR><TD ALIGN="RIGHT"><B>ProductId2</B></TD><TD><%IDC.PRODUCTID2%>
</TD><TD ALIGN="RIGHT"><B>State</B></TD><TD><%IDC.STATE%></TD>
</TR>

<TR><TD ALIGN="RIGHT"><B>ProductId3</B></TD><TD><%IDC.PRODUCTID3%>
</TD><TD ALIGN="RIGHT"><B>Country</B></TD><TD><%IDC.COUNTRY%>
</TD></TR>

<TR><TD ALIGN="RIGHT"><B>Comment</B></TD><TD><%IDC.COMMENT%></TD><TD 
ALIGN="RIGHT"><B>PhoneNumber</B>
</TD><TD><%IDC.PHONENUMBER%></TD></TR>

<TR><TD ALIGN="RIGHT"><B>DeliveryDate</B></TD><TD><%IDC.DELIVERYDATE%>
</TD><TD ALIGN="RIGHT"><B>Email</B></TD><TD><%IDC.EMAIL%></TD>
</TR>

<TR><TD ALIGN="RIGHT"><B>
CreditCardNumber</B></TD><TD><%IDC.CREDITCARDNUMBER%>
</TD><TD></TD><TD></TD></TR>

</TABLE>

<P>

<P>
<A HREF="/default.htm">Return To Data Entry Page</A>
<P>
</BODY>
</HTML>

Figure 5.20 Sample .htx file for Terra Flora order desk

The process is complete when the database returns confirmation through the .htx file, as shown in Figure 5.21.

Figure 5.21: Terra Flora order desk confirmation .htx file in Internet Explorer
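The .idc and .htx processing described above, as an added example that is not Internet Information Server code: it joins the "+" continuation lines of the .idc file, binds the posted %Name% fields, and fills the <%idc.Name%> placeholders of the .htx template. Where Figure 5.19 shows the Internet Database Connector splicing the form values into the SQL text, this model passes them as parameters; the sample .idc, .htx and form post are constructed.

```python
import html
import re

# Constructed .idc and .htx text modelled on Figures 5.19 and 5.20, cut to two fields.
SAMPLE_IDC = """Datasource: OrderDB
Template: Order.htx
SQLStatement:
+INSERT INTO "OrderDB" ("FirstName", "LastName")
+VALUES ('%FirstName%', '%LastName%');
"""
SAMPLE_HTX = """<B>FirstName</B> <%IDC.FIRSTNAME%><BR>
<B>LastName</B> <%IDC.LASTNAME%>
"""

def parse_idc(text):
    """Return {field: value}; a line beginning with '+' continues the previous field."""
    fields, current = {}, None
    for raw in text.splitlines():
        if raw.startswith('+'):
            if current is None:
                raise ValueError('continuation line before any field')
            fields[current] = (fields[current] + ' ' + raw[1:]).strip()
        elif ':' in raw:
            current, _, value = raw.partition(':')
            current = current.strip()
            fields[current] = value.strip()
        # blank lines and anything else are ignored by this model
    return fields

# '%Name%' with or without the single quotes the template puts around it.
PARAM = re.compile(r"'?%([A-Za-z0-9_]+)%'?")

def bind_statement(sql_template, form):
    """Replace each parameter with a '?' marker and return (sql, values).

    The Internet Database Connector itself splices the form value into the SQL
    text; this model keeps the values separate so the ODBC driver, not string
    concatenation, handles quoting. Missing fields bind as empty strings."""
    values = []
    def marker(match):
        values.append(form.get(match.group(1), ''))
        return '?'
    return PARAM.sub(marker, sql_template), values

# <%idc.Name%> placeholders; the page's .htx uses upper case, so match case-insensitively.
PLACEHOLDER = re.compile(r'<%idc\.([A-Za-z0-9_]+)%>', re.IGNORECASE)

def render_htx(template, form):
    """Fill the .htx template from the posted form, HTML-escaping each value."""
    lookup = {name.lower(): value for name, value in form.items()}
    return PLACEHOLDER.sub(
        lambda m: html.escape(lookup.get(m.group(1).lower(), '')), template)

def process_order(idc_text, htx_text, form):
    """Run the two steps the page describes: build the SQL, then the report page."""
    fields = parse_idc(idc_text)
    sql, values = bind_statement(fields['SQLStatement'], form)
    return fields['Datasource'], sql, values, render_htx(htx_text, form)

if __name__ == '__main__':
    posted = {'FirstName': 'Rosa', 'LastName': "O'Neil"}  # constructed form post
    for part in process_order(SAMPLE_IDC, SAMPLE_HTX, posted):
        print(part)
```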

Internet Considerations for Database Connectivity

When you use database connectivity over the Internet, you must use the Secure Sockets Layer protocol to confidentially obtain credit card numbers, addresses, or any other information that should not be divulged to others.

The SSL protocol provides communication privacy over networks by using a combination of public key cryptography and bulk data encryption for data privacy. By using this protocol, clients and servers can communicate in a way that prevents eavesdropping, tampering, or message forgery.

For optimum efficiency, store the form requesting confidential information in a directory not enabled for SSL, but set the confidential information to return to an SSL-enabled directory. This directory is specified in the button used to submit the form, as illustrated in Figure 5.22.

Figure 5.22: SSL process and directory configuration

Step 1 shows the order form sent to the client from a directory that is not enabled for SSL. Step 2 demonstrates that the completed form, with address and credit card information, is sent back to an SSL-enabled directory by clicking Submit order, which runs the request https://orderdesk/secure/order.idc?parameters. Step 3 shows that the response is returned to the client through Order.htx.
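A check of where the completed form actually posts, added here as an example and not part of the original chapter: it pulls the FORM ACTION out of the .htm text and resolves it against the URL the form was served from, as a browser does, so the relative ACTION of Figure 5.17 can be compared with the absolute https URL of Figure 5.22. The page URL and the two form fragments are constructed.

```python
import re
from urllib.parse import urljoin, urlsplit

# ACTION attribute of each FORM tag, whatever the attribute order or case.
ACTION = re.compile(r'<FORM\b[^>]*\bACTION\s*=\s*"([^"]*)"', re.IGNORECASE)

def form_targets(html_text, page_url):
    """Return the absolute URL each form submits to, resolved like a browser would."""
    return [urljoin(page_url, action) for action in ACTION.findall(html_text)]

def posts_over_ssl(html_text, page_url):
    """True only if the page has at least one form and every form submits to https."""
    targets = form_targets(html_text, page_url)
    return bool(targets) and all(urlsplit(t).scheme == 'https' for t in targets)

# Constructed fragments: the relative ACTION of Figure 5.17 and the absolute
# https URL of Figure 5.22; the form itself is served from a non-SSL directory.
RELATIVE_FORM = '<FORM ACTION="/secure/Order.idc" METHOD="POST">'
ABSOLUTE_FORM = '<FORM ACTION="https://orderdesk/secure/order.idc" METHOD="POST">'
PAGE_URL = 'http://orderdesk/default.htm'

if __name__ == '__main__':
    for fragment in (RELATIVE_FORM, ABSOLUTE_FORM):
        print(form_targets(fragment, PAGE_URL), posts_over_ssl(fragment, PAGE_URL))
```

A relative ACTION inherits the scheme of the page that served the form, so the SSL-enabled directory only receives the post when the ACTION is written as an absolute https URL, as Figure 5.22 shows it.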

For more information about SSL, see Chapter 3, "Server Security on the Internet."

Internet Information Server FTP and Gopher Services

In this scenario, the Terra Flora Human Resources department is setting up methods to ensure that all employees have access to Human Resources information currently provided through the WWW service. Some employees still use computers that run the MS-DOS or UNIX operating system; they cannot use Internet Explorer. And in addition to reading files, some Human Resources employees need to add and delete files by using the File Transfer Protocol (FTP) service.

Terra Flora adds the FTP and Gopher services to the same computer running the WWW service that was installed in the scenario described in "Internet Information Server as a Single Intranet Server" in Chapter 4. Human Resources employees will use the FTP service to maintain the files. All other employees can use the FTP or Gopher service to view the files.

Internet Information Server FTP and Gopher Services Hardware Configuration

The existing file and print server is two years old. The low system demands of Internet Information Server, including FTP and Gopher, will not significantly impact file and print server performance. Therefore, it is practical to run all three Internet Information Server services on this older hardware:

  • Intel 486 processor with clock speed of 66 MHz

  • 32 MB of RAM

  • 1 GB disk space

Internet Information Server FTP and Gopher Services Network Configuration

The computer used for the intranet server is the same computer running the WWW service that was installed in the scenario described in "Internet Information Server as a Single Intranet Server" in Chapter 4. For a complete description of the network configuration for the FTP and Gopher services, see that section of Chapter 4.

The computer used is similar to the computer CANTS40DPT01 in the Terra Flora network diagram. See Figure 5.23 for a diagram of the network configuration.

Figure 5.23: FTP and Gopher services network overview

Name Resolution for FTP and Gopher Services

After name resolution is configured as described in Chapter 4, users can access the Internet Information Server FTP and Gopher services by using either the NetBIOS name (if WINS is supported on the client) or the domain name (if DNS is supported on the client), as shown in Table 5.4.

Table 5.4 Computer Names in URLs for FTP and Gopher Services

NetBIOS name   Computer name used in URL with WINS name resolution   Domain name URL used by DNS name resolution
HR             ftp://hr                                              ftp://hr.terraflora.com
               gopher://hr                                           gopher://hr.terraflora.com

Control Files and Related Configuration

The FTP and Gopher services are configured to have the same home directory as the WWW service (wwwroot). Therefore, the same set of information is available through all services. Although no additional configuration is necessary, some additional configuration enhancements are described in the following two sections. They describe files and settings used to enhance the FTP and Gopher services that are not part of the default installation of Internet Information Server.

FTP Service Configuration

The FTP service allows you to use directory annotations, that is, comments about each directory. Because virtual directories do not appear in FTP listings, you use directory annotations to display additional virtual directories that can be traversed by the employees.

To annotate directories, first use Registry Editor (run Regedt32.exe or Regedit.exe) to enable annotated directories by adding the AnnotateDirectories value under the HKEY_LOCAL_MACHINE\System key, as shown in Figure 5.24.

Figure 5.24: Adding the FTP service's AnnotateDirectories value to the Registry

AnnotateDirectories is added to:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MSFTPSVC\Parameters

Entry syntax is:

AnnotateDirectories REG_DWORD 0x0 | 0x1

The default value for AnnotateDirectories is 0x0 (false—that is, directory annotation is off).

This Registry value defines the default behavior of directory annotation for newly connected users. When this value is 0x1 (true), directory annotation is enabled. This Registry entry does not appear by default, so you must add this entry to the Registry if you want to change its default value.

The directory annotations are stored in each directory in a text file named ~ftpsvc~.ckm. This is usually a hidden file, so directory listings do not display it. Because some browsers display only the first line, you should keep the annotation text to one line. For example,

See ftp://eunts40dpt05/seville for Seville's HR records.

Gopher Service Configuration

All information about a Gopher item that is sent to a client comes from tag files. This information includes the name of a file displayed for the client. Typical tag files contain:

  • A display filename.

  • A host name (that is, where the item is located).

  • A port number.

The Gdsset program is a simple command-line tool that is used to create and set tags. In the following example, you see how to use it to add a link to Terra Flora's Gopher server in Seville.

First, create a tag file to make a link to the home directory on a Gopher server at the Seville site. Add an empty text file called link1 to the Gopher home directory. Issue the following command at the command prompt:

gdsset -l -g1 -f "Link to Seville HR Gopher Server" -s "" -h eunts40div05.terraflora.com link1

For more examples of using Gdsset, see the Internet Information Server Installation and Administration Guide.

Tag files are stored as hidden .gtg or .lnk files on File Allocation Table (FAT) partitions. On Windows NT File System (NTFS) partitions, they are stored in a data fork of the tag file. When you move data files on FAT partitions, you must remember to manually move the corresponding tag files as well. When you move data files on NTFS partitions, use Windows NT Explorer rather than the command-prompt copy command, because copy does not copy the data forks.

If disk space is critical, do not forget to include the hidden tag files when you calculate the space the files will require. The size of the file depends on the size of the friendly name, host name, selector, and other information.

If you use Gopher+ clients, you can add more information to each tag file, such as the server administrator's name and e-mail address, and the file's date of creation and date of last modification.

Note: The Internet Information Server Gopher service supports some Gopher+ additions: Info, Admin, and URL attribute blocks. But it does not support the Abstract or Ask Form attributes. For more information about Internet Information Server and Gopher, see the Internet Information Server Installation and Administration Guide.

Using Security with the FTP and Gopher Services

FTP and Gopher use anonymous access. In addition, FTP uses Basic authentication in conjunction with Windows NT groups for restricted administration of the files.

Anonymous FTP Access

MS-DOS clients and some UNIX clients do not have or cannot use an HTTP or Gopher browser such as Internet Explorer. These clients can use any FTP client to browse the files on HR. To accomplish this, the IUSR_CANTS40DIV01 user account was granted read-only access to the files.

Anonymous Gopher Access

The Human Resources department must provide information to the entire company, such as benefits summaries and company policies. All Gopher access is anonymous through the IUSR_HR user account. This local user account was added to the California domain database on CANTS40ENT03 and was granted the Log On Locally user right.

If Internet Information Server were installed on a primary domain controller (PDC) or a backup domain controller (BDC), the IUSR_computername account would automatically be added to the domain database it supports and the steps above would be unnecessary.

For more information about server roles and accounts used with Internet Information Server, see Chapter 3, "Server Security on the Internet."

FTP Site Administrative Access

You use Windows NT groups to provide selective access for remote division employees who must maintain (create and delete) files on the HR server.

The Gopher and FTP site primarily uses a single directory structure for simplicity, although some directories reside on network drives.

Only clear-text authentication is supported with the FTP server. Because it has been determined that there is low risk of an employee sniffing Terra Flora's private intranet for user names and passwords, FTP administrators can log on to the FTP server by using their network user name and password. After they are authenticated, the FTP administrators can use FTP commands to create, move, and delete files or directories.

Using groups for selective access in FTP is similar to the process described earlier in this chapter in the section, "Using Groups for Selective Access." See that section for more discussion about using groups with Internet Information Server.

Content Provided

The Human Resources server provides information to the entire company, such as the employee handbook, training documents, personnel review documents, and company forms. Since directory names and filenames help provide the structure, the HR department kept this in mind when creating filenames, directory names, and directory structure, as shown in Figure 5.25.

Figure 5.25: FTP and Gopher directory structure and filenames

In addition, Gopher tag files are used with the Gopher service to provide additional information about files and directories and to provide links to other computers. For more information about using Gopher tag files and an example of the tag files used on the Terra Flora Gopher server, see the section in this chapter, "Gopher Service Configuration."

FTP and Gopher on the Internet

The FTP logon is in clear text. Because of this, having an FTP site on the Internet that uses valid network user names and passwords could compromise your intranet's security. FTP sites on the Internet usually allow anonymous access only.

Gopher logon is anonymous only. Secure Gopher access is not possible.

Some client browsers do not display FTP directory listings that use the FTP service's default MS-DOS style. You can change the default listing style by using options on the Service property sheet for the FTP service.

Using and Upgrading the Windows NT 3.x FTP Server

If the FTP Server service from Windows NT version 3.51 or earlier is installed and running on your system, it will continue to run without modification under Windows NT 4.0.

However, if you install the Internet Information Server FTP service, the FTP Server service from Windows NT version 3.51 or earlier will be disabled. Both FTP services cannot run simultaneously.

You can upgrade your Windows NT 3.51 or earlier FTP service to Internet Information Server version 2.0. You must change the Internet Information Server FTP service home directory to the previous location. The FTP service continues to operate in the same way as the Windows NT 3.51 or earlier version of the FTP service.

Note: The Windows NT 3.51 or earlier FTP service permitted users to traverse the directory structure above the specified FTP root. Internet Information Server removes this capability.

© 2008 Microsoft Corporation. All rights reserved.