Section 8.3. What s New in IIS 6

8.3. What's New in IIS 6

It's fair to presume that everyone involved in computing now has surfed the Web at one point or another. The Web has become integrated into popular culture and many people now consider it a necessary utility, such as power and water. Microsoft recognizes this infiltration of the Web into everyday life and has capitalized on it. Of course, the company also believes web services are the foundation of its revenue base in the future, so one shouldn't find it too hard to believe that Microsoft would improve the product on which it is basing its existence. But no matter the impetus behind the revision, we all benefit from these improvements, as I'll discuss in this section.

In IIS 6 you can create multiple virtual servers on a single physical machine, with each virtual server acting as its own copy of IIS with its own properties and security configuration. The most popular use of this is among commercial web hosting companies that host tens or hundreds of individual web sites on one machine. By configuring multiple virtual servers, these companies can isolate each customer's traffic and configuration.

Although virtual servers are nice, perhaps the most important architectural improvement in IIS 6 is the new web service DLL that is independent from the web serving mechanism. The new DLL is called into memory by worker processes, which you know from the previous section are simply separate "threads" that work on requests from the kernel mode web server driver, HTTP.SYS. These worker processes load dynamic scripts and programs that use ISAPI. By separating the web server driver from the web service DLL, you achieve a more stable environment because a failure (such as a poorly written script, an exception fault, or other problem) that in previous versions of IIS could have brought down an entire web site now is isolated to only one specific application. If an application does break, the web service DLL creates an identical process that can finish service to any remaining requests. However, IIS still keeps track of failures, and if the application is brought down again, the process is ended permanently. (This feature is called rapid-fail protection and you can configure it through the Application Pools property page, which I'll cover in detail in a later section of this chapter.)

IIS uses application pools to manage all these requests. HTTP.SYS acts as a traffic director, sending requests to the individual application pools based on the addresses (URLs, to be specific) of the applications. Because multiple worker processes can serve a single application pool, there's better response time within an individual application. But what happens when you have worker processes that fail? Do all these processes "catch" the failure going down and bring them down, too? Fortunately, this is no longer the case because of worker process isolation mode , which simply isolates a memory segment for each application and its associated worker processes. An added bonus from this isolation is that you can limit CPU and memory use of individual applications to fine-tune once you have a very active server that's hosting sites and web applications.

IIS 6 also introduces the concept of web gardens , which are multiple worker processes serving a single application all on one server. For very basic but highly active applications, this is an effective technique for managing load and increasing speed, but complex applications still will need to be serviced across multiple physical servers (known as a web farm). But IIS 6 actually improves performance and process migration across all machines in a web farm, so there's quality in that arena as well.

Now you might assume that if a clever hacker manages to penetrate HTTP.SYS, he's got control of the entire operating system. You'd be correct in that assumption. However, Microsoft has done a thorough code review of IIS at all levels and assures everyone in the Internet community that IIS will be well-behaved. In fact, IIS is not even installed by default, which takes care of a big problem: previously, users would install a copy of Windows 2000 Server that happened to be connected to the Internet, and before they had a chance to install patches, Code Red and W32.Nimda would infect the machine. Further, even once IIS is installed it is set to serve up only static pages, not any dynamic content or script output. Even servers upgraded from previous versions of Windows server products have IIS disabled if the Setup program detects they are still operating with default settings intact. (This is because normally at least something is changed if IIS is in use on a particular machine, so even the deployment of Windows Server 2003 has a worm and virus "neutralizing" effect, disabling unused web servers that could be vulnerable to attack.)

There's also a laundry list of other minor improvements, some of which include the following:

• Furthering the discussion of isolation, the FTP server component of IIS runs in user isolation mode, so that when users log on they are restricted to their own home directory and cannot view or even realize that other directories on the server exist. If you're familiar with Unix systems, this is much like a CHROOT jail.

• IIS 6 comes prepackaged with a set of administration scripts, written in VBScript, that you can run from the command line. This is excellent if you have a custom program that you need to integrate with IIS to create and delete sites, make configuration changes, and so on.

• You can import configuration information, and export it as well, across the different aspects of IIS operation, from the directory to the site to the server level, so you can now create multiple servers that have identical setups.

• Configuration informationknown as the metabaseis also stored in a set of two XML files, instead of a mysterious binary file that no one could look at. Now Microsoft Product Support Services can't get off easily telling you your problem is a corrupt metabase and that you need to reinstallyou can actually go inside the files and see what the problem might be.

• IIS 6 will now compress responses formed from dynamic content before sending them to the user, resulting in faster transmission times from the server to the client. Static content is stored in a disk cache as well that HTTP.SYS can access directly, which makes for rapid access to commonly requested files.

• IIS 6 supports IPv6 if it's installed on a Windows Server 2003 machine.

8.3.1. New in Windows Server 2003 Service Pack 1

Several enhancements to IIS have been made in Service Pack 1 and, by virtue of that, Windows Server 2003 R2. I'll briefly outline those here:

• There is no longer a default limit on simultaneous connections. In the original release of Windows Server 2003, that limit was 8,000 connections but it could be overridden by creating and setting the MaxConnections registry key. Like other Registry changes, when you install SP1, it won't remove that key if you have added it. If you've already created the key, however, you'll need to remove it to take advantage of the newly removed limit.

• The HTTP.sys "error" logging has also been enhanced; you'll see the headers that allow it to be parsed by standard log parsers, as well as more fields, and the ability to rollover based on date and time (as well as size).

• Service Pack 1 makes available kernel-mode SSL support. If that sounds like Greek to you, it mainly means that you'll see a substantial performance improvement in SSL-based operations. However, there are currently a number of restrictions and limitations that might prevent it from being a sensible choicefor example, there isn't any support for client certificates yet. (This will make more sense as you proceed through the chapter; just tuck that knowledge away for now.)

• There are a few changes to HTTP parsing as well which bring IIS more in line with the HTTP RFC standards.

If you're at all curious and want to go deeper into these changes, you can check out the whitepaper on Microsoft's site at:

http://www.microsoft.com/downloads/details.aspx?FamilyId=A3DA3D7F-18C7-45CE-A47A-ED747DACEF34&displaylang=en

All in all, there are few changes to IIS in Service Pack 1 that make it worth installing if your business depends on IIS.