{ accelerate it! }
Jorke Odolphi
Web Platform Architect Evangelist
Microsoft Australia
IIS yesterday and today
PHP and FastCGI
Configuration
Security
Management
Performance
[Diagram: request pipeline. Authentication (NTLM, Basic, Anon); Determine Handler (CGI, Static File); Send Response (Log, Compress)]
Monolithic implementation
Install all or nothing
Extend server functionality only through ISAPI
[Diagram: request pipeline with ASP.NET and PHP attached through ISAPI. Authentication (NTLM, Basic, Anon); Determine Handler (CGI, Static File, ISAPI); Send Response (Log, Compress)]
[Diagram: modular request pipeline stages: Authentication, Authorization, ResolveCache, ExecuteHandler, UpdateCache, SendResponse]
Server functionality is split into ~40 modules...
Modules plug into a generic
Modules extend server functionality through a public module API
• Runtime limitations
• Only sees ASP.NET requests
• Feature duplication
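[Diagram: ASP.NET hosted through aspnet_isapi.dll behind the ISAPI handler. Server pipeline: Authentication (NTLM, Basic, Anon); Determine Handler (CGI, Static File, ISAPI); Send Response (Log, Compress). ASP.NET pipeline: Authentication (Forms, Windows); Map Handler (ASPX, Trace)]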
Classic Mode
• Runs as ISAPI
Integrated Mode
• .NET modules / handlers plug directly into pipeline
• Process all requests
• Full runtime fidelity
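[Diagram: integrated pipeline stages (Authentication, Authorization, ResolveCache, ExecuteHandler, UpdateCache, SendResponse). Native modules: Anon, Basic, Static File, ISAPI, Compress, Log. ASP.NET modules and handlers: Authentication (Forms, Windows); Map Handler (ASPX, Trace); aspnet_isapi.dll]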
Collaboration with Zend
Develop and deploy on the same platform
Built in support for FastCGI
Reuse of CGI processes (PHP, Perl, Ruby), much faster than standard CGI
Integrated FastCGI Module part of IIS 7.0
[Diagram: configuration hierarchy.
.NET Framework: machine.config (.NET global settings) and global web.config (ASP.NET global settings)
IIS 7: applicationHost.config (global settings and location tags)
Site root web.config: <system.web> (.NET settings) and <system.webServer> (IIS 7 delegated settings)]
{configuring Windows 2008 for web workloads }
appcmd set config /section:system.webServer/fastCGI /+[fullPath='c:\php\php-cgi.exe']
appcmd set config /section:handlers /+[name='PHP5',path='*.php',verb='GET,HEAD,POST',modules='FastCgiModule',scriptProcessor='c:\php\php-cgi.exe',resourceType='File']
Secure by default
Modular thus smaller attack surface
.NET integration
Forms + .NET role membership providers
Application Pool Isolation by default
Ultimate low footprint web server
Lower memory requirement
Lean OS configuration
Minimize attack and maintenance surface
architecture
Powerful IIS command-line management interface
AppCmd scripts and batch files
IIS 7 integrates URLScan style rules
config
Rules stored in web.config for portability
User access to sites, folders, or files without using NTFS
URL auth inspired by ASP.NET URL authorization, but designed for admins
Rules are stored in .config files for portability
All applications can use it thanks to the integrated pipeline
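The two features above (URLScan-style request filtering and URL authorization, both stored in web.config) combined in one site-root file. This is an added example, not part of the original deck; the `admin` folder, the `SiteAdmins` role, the blocked extensions and the size limits are constructed values.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- Added example: site-root web.config. Folder, role and limits are constructed. -->
<configuration>
  <system.webServer>
    <security>
      <!-- URLScan-style rules, enforced by RequestFilteringModule -->
      <requestFiltering allowDoubleEscaping="false">
        <!-- Block leftover backup files that would otherwise be served as static content -->
        <fileExtensions allowUnlisted="true">
          <add fileExtension=".bak" allowed="false" />
          <add fileExtension=".old" allowed="false" />
        </fileExtensions>
        <!-- Only the verbs the application needs; everything else is rejected -->
        <verbs allowUnlisted="false">
          <add verb="GET" allowed="true" />
          <add verb="HEAD" allowed="true" />
          <add verb="POST" allowed="true" />
        </verbs>
        <!-- Reject any URL containing a parent-path sequence -->
        <denyUrlSequences>
          <add sequence=".." />
        </denyUrlSequences>
        <!-- 1 MB request body, bounded URL and query string lengths (bytes) -->
        <requestLimits maxAllowedContentLength="1048576"
                       maxUrl="2048" maxQueryString="1024" />
      </requestFiltering>
    </security>
  </system.webServer>

  <!-- URL authorization for one folder, enforced by UrlAuthorizationModule.
       No NTFS ACL change is needed; the rule travels with the site content. -->
  <location path="admin">
    <system.webServer>
      <security>
        <authorization>
          <!-- Drop the inherited "allow everyone" rule, then allow one role -->
          <remove users="*" roles="" verbs="" />
          <add accessType="Allow" roles="SiteAdmins" />
        </authorization>
      </security>
    </system.webServer>
  </location>
</configuration>
```

Both sections must be delegated (not locked) in applicationHost.config for a site-level file to set them, and an extension already listed at server level cannot be added again in web.config without a duplicate-entry error.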
Each pool with unique identity
Anon user assumes pool identity
Application Pool Sandbox
Configuration Isolation: secure config for pool
SID Injection: unique SID for each pool
Easier configuration and management
App pool identity automatically joins IIS_IUSRS (was IIS_WPG)
[Diagram: SID injection.
Service Host (SVCHost.EXE): Windows Process Activation Service (WAS) and World Wide Web Service (W3SVC)
applicationhost.config: AppPool: newPool; username: newPoolUser; password: <password>
Worker Process (W3WP.EXE) token: Active Directory token (Users, Domain Users, Everyone, LOGON_BATCH, HRGroup, <others>, IIS_IUSRS) plus the injected newPool SID
NewPool\Wwwroot\default.htm, ACL Administrator:F, System:F, SiteOwner:F, newPool:F: OK
Otherpool\Wwwroot\default.htm, ACL Administrator:F, System:F, SiteOwner:F, otherPool:F: Denied]
{ server core + forms auth }
AppCmd: command line
Managed code: Microsoft.Web.Administration
WMI: IIS namespace
PowerShell with managed API and WMI
View detailed errors in the browser with prescriptive guidance
New APIs expose runtime diagnostic information
E.g. see all currently executing requests
Rapidly troubleshoot faulty applications
Configurable per application or URL
Failed request log chronicles events for trigger
Extensible eventing system
{ management + troubleshooting }
appcmd list requests
appcmd list requests /site.id:1
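# Load the IIS managed administration API
[System.Reflection.Assembly]::LoadFrom("c:\windows\system32\inetsrv\Microsoft.Web.Administration.dll")
$rq = New-Object Microsoft.Web.Administration.ServerManager
# List the requests currently executing in each worker process (0 = no elapsed-time filter)
$rq.WorkerProcesses | ForEach-Object { $_.GetRequests(0) }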
Better compression for static and dynamic
Output caching a module
Per URL / query string / request headers
Huge improvements to allow for high density or high availability
Multiple servers sharing the same config
Updates to config occur in one place
No config sync required
Config cached in case of disconnect
Generally for homogeneous farms
installs, modules, certs
{ performance + scaling }
Enable Output Caching for semi-dynamic pages
Low bandwidth Branch Offices?
Enable Dynamic Compression (~ 5% CPU overhead)
Need to run many web apps on a single box?
Run IIS worker processes in Wow64 mode
Room for the OS, scalability for your web apps
- AppPool setting now: enable32BitAppOnWin64
Thinking about buying new Web Server hardware?
W2K8 scales extremely well on new multi-proc boxes (4 and 8 core)
1000s of requests per second?
- Investigate ASP.NET output caching vs. IIS output caching vs. kernel-mode (KM) output caching
You * script-mapped all requests to ASP.NET in IIS 6?
The Integrated Pipeline is much faster than an IIS 6 * scriptmap solution
Try together with IIS7 URL Authorization.
PHP applications?
PHP on top of FastCGI is much faster than traditional CGI
The majority of your requests go to your Default Document?
Put it on top of the list
Otherwise IIS7 has to check every time
Static default documents will be cached in kernel-mode
Looking for tools to measure web server performance?
Try WCAT 6.3 from www.iis.net/downloads
Supports more web application scenarios
Fully featured Web server supporting IIS 7, SharePoint and the .NET Framework
Windows Media Services 2008
SQL Server allowed for local web applications
Enhanced hardware specification
Up to 4 processors
Up to 32GB RAM on x64 Servers
Streamlined server with small footprint
Only includes Web components and role
Server Core installation for minimal footprint
{ Jorke Odolphi}
© 2007 Microsoft Corporation. All rights reserved.
Common HTTP Web Server Components
DirectoryListingModule
CustomErrorModule
StaticFileModule
DefaultDocumentModule
HttpRedirect
Security
BasicAuthModule
DigestAuthModule
WindowsAuthModule
CertificateAuthModule
AnonymousAuthModule
IPSecurityModule
UrlAuthorizationModule
RequestFilteringModule
Health and Diagnostics
HttpLoggingModule
CustomLoggingModule
RequestMonitorModule
HTTPTracingModule
ODBCLogging
LoggingLibraries
Application Development
ISAPIModule
ISAPIFilterModule
CGIModule
ServerSideIncludeModule
NetFxExtensibility
ASP
ASP.NET
Performance
HTTPStaticCompression
HTTPDynamicCompression
Management
ManagementConsole
ManagementService
ManagementScripting
Metabase
WMICompatibility
LegacyScripts
LegacySnap-in
FTP Publishing
FTPServer
FTPManagement
Windows Process Activation Service
ConfigurationAPI
ProcessModel
NetFxEnvironment