The Web Site Properties Tabs

To access the Properties window for a particular web site, right-click the web site name in the left pane of the MMC and choose Properties. The following tabs display information that appears when the BeerBrewers Site properties are accessed.

Web Site Tab

When you open the Properties window for any web site, the Web Site tab opens by default, as shown in Figure 2-2. Here you can set the Internet Protocol (IP) address and port information for the site, as well as configure connection timeouts and logging.

Figure 2-2: The Web Site tab

The following options are configurable on this tab.

Creating a Description

What you enter in the Description field shows up in the Description column of the IIS MMC. Here, you can distinguish the web site by typing in a descriptive name. This name is not visible to users of the web site.

Setting up an Address for Your Web Site

Each web site must have a unique address to which traffic associated with that site is sent. You can differentiate your web site from others in three ways: via IP address, TCP port, and host header name. From an addressing perspective, any combination of these can be used to differentiate your site, but at least one of them must be unique for the machine on which the site is located.

IP Address The IP Address editable drop-down box lets you set the primary IP address for this web site. You may either choose an IP address from the drop-down box or type one in. Choosing (All Unassigned) allows this web site to respond to any IP address on the machine that is not being used by another web site.

Tip 

When you are typing in an IP address manually, the system does not check to see whether this IP address is already assigned on the system. It checks only that the IP address as typed is a valid, real IP and that the address is not being used on another web site. As long as an address is a valid IP address and is not defined on another web site, you can type in any IP you want here. Therefore, it’s possible to type in an IP address that is not even available to the machine. Keep this in mind when you’re troubleshooting connection issues.

TCP Port In the TCP Port field, you set the port number on which this web site will listen. You can choose any port that is not being used by another service. While IIS will not stop you from choosing a port that’s already in use, communications problems with that other service will occur when you try to use the port.

For example, you can set a web site to use port 25, which conflicts with the Simple Mail Transfer Protocol (SMTP) service that’s running on the same box and using the same port. When a packet comes in for port 25, the machine won’t know which service gets that packet. Most likely, since the SMTP service was there first, it would receive the web request and would not know what to do with it. Make sure that if you choose a port other than 80, it is not being used by another service.

By default, web browsers always look for port 80 if no port is specified in the address field in the browser window. If you change the port to something other than 80, clients will need to add the port number after the URL so that the browser knows to ask for the web server at that port. For example, if you changed your web site to listen on port 1500, clients would have to type in http://www.beerbrewers.com:1500 instead of just http://www.beerbrewers.com to get to your web site.

SSL Port In the SSL Port field, you choose which port the Secure Sockets Layer will listen on for this web site. SSL allows you to encrypt and/or authenticate data as it travels between the client and the server—this is described in detail in Chapter 10.

As with the TCP port, if you change this from the default of 443, clients will need to type in the port number along with the URL to access your web site. If you changed the port to 1543, for example, clients would have to type in https://www.beerbrewers.com:1543, instead of just https://www.beerbrewers.com, to access your web site.

Advanced Button

Clicking the Advanced button opens the Advanced Web Site Configuration page, where you can set up multiple addresses and multiple identities for this web site. Multiple identities allow your site to have more than one address so that people can access the site using one of multiple addresses. This is a useful feature if you want to point people typing in the URL for one web site to another site on the same machine, and you don’t want to use Domain Name System (DNS). (You can read more about DNS in Chapter 8.) In this page, you can also enter host header names for this web site, so you can use the same IP address and port for multiple web sites.

About Host Headers Host headers let you differentiate one of your web site addresses from another. Basically, host header names allow you to configure different web sites on the same IP address and port. A host header is the full DNS name that’s typed into the browser’s address bar to access this site. Host headers are extremely handy when you want to use the same IP address for all your web sites to conserve address space, or when you have only one IP address to use. When a Hypertext Transfer Protocol (HTTP) 1.1 web browser requests a web page, the first part of the request looks like this:

    GET / HTTP/1.1
    Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/vnd.ms-powerpoint, application/vnd.ms-excel, application/msword, */*
    Accept-Language: en-us
    Accept-Encoding: gzip, deflate
    User-agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2)
    Host: www.mywebsite.com

The part after Host is the host header name—www.mywebsite.com. IIS will use this header to send the message to the appropriate web site, based on that name.

Host header names were introduced in the HTTP 1.1 protocol, and all browsers that are HTTP 1.1–compliant can use them. Older browsers don’t pass the host header, so they will always reach the default web site for any IP address.

Tip 

If you want to provide support for older browsers, you can make the default page for that IP address include a list of all the web sites and use cookies to direct people to those web sites. Because every release of Internet Explorer after version 3 and every Netscape version after 2 supports host headers, I won’t go into detail about how to do this. The Microsoft web site offers documentation that explains how to accomplish this.

Note 

Because host header names are part of the HTTP 1.1 protocol, you can’t use host headers on FTP, mail, or news sites in IIS. If you want to use multiple sites on the same server, you’ll have to get multiple IP addresses or use different ports. Host headers are also not available on your web page when you use SSL, since the header is in the encrypted request.

Adding Another Identity A web site has the ability to have multiple addresses associated with it. It will respond to requests on any and all of these addresses. Each address that is identified with this web site is called an identity. To add another identity to the web site, click the Add button in the Web Site Identification section on the Web Site tab. The Advanced Web Site Identification dialog box, as shown in Figure 2-3, will open.

Figure 2-3: The Advanced Web Site Identification dialog box

Each identity must use one of the three addresses (IP address, TCP port, or Host header value) to be unique; otherwise, you can type in any legal IP address, port, or host header name. As with the IP Address field of the Web Site tab, the system does not check to see whether the address you are typing is in use on that machine, so you can type in anything that is legal—though it may not be useful if the machine can’t find the site at that address.
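The following sketch is an added example, not code from the book or from IIS. It models the two ideas above: every identity must differ from the identities of other sites in IP address, port, or host header, and a request is routed by its Host header, with clients that send no Host header landing on the default site. The Identity class, the function names, the sample addresses, and the precedence order used in select_site are assumptions of this model.

```python
from dataclasses import dataclass

ALL_UNASSIGNED = ""  # stands in for the (All Unassigned) choice in the IP Address box


@dataclass(frozen=True)
class Identity:
    site: str   # description shown in the IIS MMC
    ip: str     # ALL_UNASSIGNED or a specific address
    port: int
    host: str   # "" when no host header name is set


def find_conflicts(identities):
    """Pairs of identities on different sites whose IP, port and host header all match."""
    seen, conflicts = {}, []
    for ident in identities:
        key = (ident.ip, ident.port, ident.host.lower())
        first = seen.setdefault(key, ident)
        if first.site != ident.site:
            conflicts.append((first, ident))
    return conflicts


def parse_host(raw_request):
    """Host header name without any :port suffix, or None if the client sent none.

    IPv6 literals in the Host header are not handled by this sketch.
    """
    head = raw_request.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    for line in head.split("\r\n")[1:]:          # skip the request line
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "host":
            return value.strip().lower().split(":", 1)[0] or None
    return None


def select_site(identities, local_ip, local_port, raw_request):
    """Pick the site for a request that arrived on local_ip:local_port.

    Assumed precedence: host header matches first (specific IP, then
    All Unassigned), then identities without a host header.
    """
    host = parse_host(raw_request)
    order = []
    if host:
        order += [(local_ip, host), (ALL_UNASSIGNED, host)]
    order += [(local_ip, ""), (ALL_UNASSIGNED, "")]
    for ip, name in order:
        for ident in identities:
            if (ident.ip, ident.port, ident.host.lower()) == (ip, local_port, name):
                return ident.site
    return None


# Constructed sample data (documentation address range, made-up site names).
SAMPLE_IDENTITIES = [
    Identity("Default Web Site", ALL_UNASSIGNED, 80, ""),
    Identity("BeerBrewers", "192.0.2.10", 80, "www.beerbrewers.com"),
    Identity("MyWebSite", "192.0.2.10", 80, "www.mywebsite.com"),
]
HTTP11_REQUEST = b"GET / HTTP/1.1\r\nAccept: */*\r\nHost: www.mywebsite.com\r\n\r\n"
HTTP10_REQUEST = b"GET / HTTP/1.0\r\nAccept: */*\r\n\r\n"   # older client, no Host header

if __name__ == "__main__":
    for label, req in (("HTTP/1.1", HTTP11_REQUEST), ("HTTP/1.0", HTTP10_REQUEST)):
        print(label, "->", select_site(SAMPLE_IDENTITIES, "192.0.2.10", 80, req))
    print("conflicts:", find_conflicts(SAMPLE_IDENTITIES))
```

Because the Host header is supplied by the client, whatever content sits on the default site is reachable by any request with a missing or unrecognized name, which is worth checking when reviewing a server's identities.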

Removing Identities To remove an identity, highlight that identity and click Remove. You will not be allowed to remove all the identities for the site on this page. (Technically, you can remove them all, but the OK button will then be disabled.)

Editing Identities To edit an identity, highlight that identity and click Edit. You can then modify the properties for that identity.

Assigning Multiple SSL Identities You can also assign multiple SSL identities to your web site. Because host headers don’t exist in SSL, you may edit only the IP address and port number. If you don’t have a certificate installed on this site, all the options for SSL identities will be disabled.

Adding Multiple SSL Identities To add another SSL identity to this web site, click the Add button. You can add multiple identities; just remember that SSL certificates are based on the name of the site, not the IP address. Any IP address you type in must be resolvable through a DNS name. If you try to access the site through the IP address, it will be unavailable.

Removing SSL Identities To remove an SSL identity from this web site, highlight it and click the Remove button. You cannot remove all the SSL identities from a site.

Editing SSL Identities To edit an SSL identity for this web site, highlight it and click the Edit button. You can then modify the properties for that identity.

Connection Timeout

The Connection Timeout setting, back in the Web Site tab, lets you configure how long, in seconds, the server will keep open a connection for a client. Normally, the web browser will ask the server to keep a connection open for the client. This is called an HTTP keep-alive. The client can use this connection for multiple requests of elements, and the client and server don’t have to go through all the overhead of establishing a connection for each request. This greatly enhances performance for both the client and the server, especially over high-latency connections. When the client is done with its requests, it lets the server know to close this connection and free up those resources.

If, for some reason, the client fails to close the connection, the connection will stay open indefinitely, unless the server knows to close it. This Connection Timeout value controls that time interval.

Enable HTTP Keep-Alives

The Enable HTTP Keep-Alives box is checked by default. This lets the server know to accept HTTP keep-alive requests from clients. If this box is not checked, performance on both the client and the server will be degraded.

Enable Logging

By default, logging is enabled on web sites. The default log type is the W3C Extended Log File Format. If you wish to disable logging or change the type of logging for this site, you can do that here. Logging is covered in more detail in Chapter 11.

The Performance Tab

On the Performance tab of the Web Site Properties window, shown in Figure 2-4, you can configure bandwidth throttling and the number of connections this site will accept.

Figure 2-4: The Performance tab

Bandwidth Throttling

The Bandwidth Throttling setting lets you configure the maximum amount of bandwidth the machine can devote to this web site, in kilobytes per second. For bandwidth throttling to function, IIS needs to install the Windows Packet Scheduler, a Quality of Service (QoS) application that determines whether a packet can be sent on the network. It queues up data and sends it across the network at a specified rate. IIS will automatically install the Windows Packet Scheduler when you click OK after you set up a maximum bandwidth.

When you configure this setting, it’s important that you keep in mind that although your LAN connection may be 10, 100, or 1000 Megabits per second (Mbps), typical Internet speeds are much slower. For example, a full T1 line is 1.544 Mbps. If you take the default setting of 1024 (that’s kilobytes, folks), that’s much more than the speed of your T1 line.

Note 

A byte is 8 bits. A kilobyte is 8192 bits.

Web Site Connections

The Web Site Connections radio buttons allow you to configure the number of client connections allowed on this site. The default is Unlimited. If you choose Connections Limited To, you can enter in any number between 0 and 2,000,000,000.

The ISAPI Filters Tab

The ISAPI Filters tab, shown in Figure 2-5, is where you add Internet Server Application Programming Interface (ISAPI) filters for this web site. All HTTP traffic to this site will be directed to these ISAPI filters in the order designated here. While an ISAPI extension applies to just the extension for which it’s mapped, an ISAPI filter applies to all the traffic on this site. This can result in huge performance hits to your site, especially if the ISAPI filter isn’t properly written and has memory leaks. (For more about ISAPI technology, see Chapter 17.)

Figure 2-5: The ISAPI Filters tab

Each ISAPI filter has a status. A red down arrow means that the filter is currently disabled. A green up arrow means that the filter is currently enabled.

Adding an ISAPI Filter

To add an ISAPI filter, click the Add button. Name the filter, and then choose the executable through which the traffic is to be filtered. The filter name is a friendly name.

Deleting an ISAPI Filter

To delete an ISAPI filter, highlight the filter and click the Remove button.

Editing an ISAPI Filter

To edit an ISAPI filter, highlight the filter and click the Edit button. Note that you may only edit the executable to which the filter is pointing. You may not change the name of the filter.

Enabling/Disabling an ISAPI Filter

If a filter is currently active, you may disable it by highlighting it and clicking the Disable button. If a filter is currently inactive, you may enable it by highlighting it and clicking the Enable button. Disabling a filter allows you to take it out of service without deleting the filter from the list.

Changing the Execution Order

ISAPI filters are executed in order. If multiple filters are used, you will most likely want them to be applied to data in a particular order. You can determine that here. To make a filter higher in the priority list, highlight it and click the Move Up button. To make a filter lower on the priority list, highlight it and click the Move Down button.

The Home Directory Tab

In the Home Directory tab, shown in Figure 2-6, you configure where this site points to and how it handles data.

Figure 2-6: The Home Directory tab

Pointing IIS to the Content Location

To tell IIS where to get content, you must choose the appropriate radio button where the data is located.

A Directory Located on This Computer Choose this radio button, and the Local Path text box below it lets you type in any local drive and directory where the content for this site is located. You can click the Browse button to browse to the directory where the content is located, or you can type the path in the box.

A Share Located on Another Computer When you choose this radio button, the text displayed in the Home Directory tab changes, and the Local Path text box changes to be a Network Directory text box. The Browse button also changes to become a Connect As button. Type in the path using the Universal Naming Convention (UNC) path name (\\servername\sharename). Click the Connect As button that appears to enter a username and password that IIS will use to connect to this share in the Network Directory Security Credentials dialog box. This is necessary because when the server is logged off, it does not have a token to be able to access shared network resources. This username/password allows IIS to authenticate to a network share.

You may also configure IIS to use the username and password that the client used to authenticate to the site by checking the box labeled Always Use The Authenticated User’s Credentials When Validating Access To The Network Directory, which appears in the Network Directory Security Credentials dialog box. If the client’s credentials do not allow it to access that remote network share, it will not be able to access that share in IIS either.

A Redirection to a URL Choose this radio button, and in the Redirect To text box that appears below it, you can type in a URL that clients will be sent to when connecting to this resource. Check one of the following three options after you choose this button:

  • The Exact URL Entered Above This option redirects the client to the URL in the Redirect To box, without modifying the URL. Choosing this option means that a fully qualified URL needs to appear in the box.

  • A Directory Below URL Entered This option will send the client to a child directory under the parent that the client entered in their browser. When you choose this option, simply type in a subfolder name, prefixed by a slash (/).

  • A Permanent Redirection For This Resource Use this option when you are moving a site from one URL to another. This option sends the client an “HTTP 301 Permanent Redirect” message. Some clients can then automatically update their bookmarks when receiving this message.

Home Directory Options

When you choose either A Directory Located On This Computer or A Share Located On Another Computer as the option for resource content, the following options become available in the Home Directory tab. Remember that IIS sits on top of the file systems, so for these permissions to work, the logged in (or anonymous) user must have rights at the file-system level to perform these actions.

Script Source Access Checkbox When checked, the Script Source Access checkbox allows clients to access the source code for scripts, such as Active Server Pages (ASP) scripts, if the appropriate read/write permissions are set. Because scripts are processed server-side, there is no need for the client to access the source code for scripts. Therefore, this option should not be checked.

Read Checkbox When checked, allows clients to read files. If unchecked, clients will not be able to read files. If you’re trying to serve up web content with this site, not checking this box is a bad thing. You would want to disable Read only if you’re allowing clients to upload files with the write option, and you don’t want them to be able to read the files they upload (see the corresponding tech note).

Write Checkbox When checked, allows clients with an HTTP 1.1 browser that supports the PUT function to upload files to this directory.

Caution 

If you allow both the Read and the Write options on a directory, anyone will be allowed to upload a file and then execute it. If scripts are enabled, they are processed server-side, so someone could upload a malicious ASP file, execute it, and have your server do bad things to itself.

Directory Browsing Checkbox Checking this box enables directory browsing, which lets the client see all the files in this directory. If a default page is defined and that page exists, the client will see that default page. If no default page is defined, the client sees a listing of all the files and directories on that site. Virtual directories do not show up in this listing, however, since they do not exist on the file system. Enabling directory browsing can be considered a security risk, since it allows anyone to see the files and directory structure on your site.

Log Visits Checkbox When this box is checked, any visits to this directory will be logged, provided IIS logging is enabled.

Index This Resource Checkbox When this box is checked, this directory will be indexed by the Microsoft Indexing Service, provided Indexing Service is installed and enabled.

Application Settings

The Application Settings section configures applications for the purposes of defining application boundaries. When you create an application, you can choose to run it in an application pool that you have created. This allows you to separate applications from each other and configure worker processes for more troublesome applications, scripts, or content to be isolated from the rest of your applications.

Application Name Here, you type in the name of the application you want to create. If the text box is grayed out, and a Create button is visible, no application has been defined. If the text box has text in it and the Remove button is visible, an application has been defined for that directory, and the application name will appear in the Application Name text box.

Execute Permissions The Execute Permissions drop-down box allows you to configure the types of content that will be enabled in this site. There are three settings here:

  • None The default setting for IIS 6, this is a huge change in the way IIS is configured out of the box. Previously, scripts (such as ASP) were enabled in an IIS default installation. This caused problems, especially because IIS was installed in a Windows default installation. So, right out of the box, Windows was configured to run IIS and allow scripts to run in IIS. Now, turning scripts off in a default installation puts IIS in its most secure setting right out of the box.

  • Scripts Only This setting allows scripts, such as ASP, to run on this site. Enabling scripts does open the door so that all kinds of scripting can be run on this site, so enable scripts only if you must.

  • Scripts And Executables This setting allows executables in addition to scripts to run on the site. This includes file types such as executables (.exe), dynamic link libraries (.dll), and Common Gateway Interface (.cgi) scripts. This setting allows any type of file to be accessed or executed. Again, enable this only if you need the functionality.

    Caution 

    Be sure that the NTFS Write permissions and IIS Write access are turned off for any directory that has anything other than None for the Execute Permissions.
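The checkbox guidance in this section can be turned into a simple review script. The following is an added example, not part of the book or of IIS: it takes a hand-recorded inventory of Home Directory settings and reports the combinations the text warns about. The HomeDirSettings fields, the rule names, and the sample directories are all hypothetical.

```python
from dataclasses import dataclass

EXECUTE_LEVELS = ("None", "Scripts Only", "Scripts And Executables")


@dataclass
class HomeDirSettings:
    """One directory's settings as recorded from the Home Directory tab (hypothetical layout)."""
    path: str
    read: bool = True
    write: bool = False
    script_source_access: bool = False
    directory_browsing: bool = False
    execute_permissions: str = "None"
    ntfs_write: bool = False   # do web users hold NTFS Write on this folder?


def audit(d):
    """Return the rule names this directory trips, in a fixed order."""
    if d.execute_permissions not in EXECUTE_LEVELS:
        raise ValueError("unknown Execute Permissions value: %r" % d.execute_permissions)
    findings = []
    if d.script_source_access:
        # Scripts run server-side, so clients never need their source.
        findings.append("SCRIPT_SOURCE")
    if d.read and d.write:
        # The Caution above: upload a file, then request it back.
        findings.append("READ_WRITE")
    if d.execute_permissions != "None" and (d.write or d.ntfs_write):
        # IIS Write and NTFS Write should both be off where anything can execute.
        findings.append("WRITE_EXEC")
    if d.directory_browsing:
        # Exposes file and directory structure to any visitor.
        findings.append("DIR_BROWSING")
    return findings


def audit_site(directories):
    """Map path -> findings for every directory that trips at least one rule."""
    report = {}
    for d in directories:
        found = audit(d)
        if found:
            report[d.path] = found
    return report


# Constructed sample inventory; paths are made up for illustration.
SAMPLE_DIRECTORIES = [
    HomeDirSettings(r"D:\Sites\BeerBrewers"),
    HomeDirSettings(r"D:\Sites\BeerBrewers\uploads", read=True, write=True,
                    execute_permissions="Scripts Only", ntfs_write=True),
    # Write-only drop box: the one case where the text suggests disabling Read.
    HomeDirSettings(r"D:\Sites\BeerBrewers\dropbox", read=False, write=True,
                    ntfs_write=True),
    HomeDirSettings(r"D:\Sites\BeerBrewers\cgi", script_source_access=True,
                    directory_browsing=True,
                    execute_permissions="Scripts And Executables", ntfs_write=True),
]

if __name__ == "__main__":
    for path, found in audit_site(SAMPLE_DIRECTORIES).items():
        print(path, "->", ", ".join(found))
```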

Application Pool The Application Pool drop-down box allows you to choose which application pool you wish this content to run in. This list is populated from the Application Pools created in the IIS MMC. If you do not have an application defined for this home directory, this box will be grayed out.

Unload Button

Clicking the Unload button allows you to unload an isolated application from memory. If you have the application loaded into memory, and you make a configuration change, you must unload the application for the change to take effect. If this button is grayed out, the application is not loaded or you are not in the starting point directory for that application.

Configuration Button

Clicking the Configuration button allows you to change the application configuration options for this directory. You can configure several options in the Application Configuration window that appears (shown in Figure 2-7), which concern how this directory deals with scripting and executable content.

Figure 2-7: The Application Configuration window

The following tabs appear in the Application Configuration window.

The Mappings Tab Here you configure which file extensions map to which Internet Server API DLLs. By default, all the ASP (.asa, .asp, .cdx, .cer), Database connector (.idc), and server-side include DLLs (.shtm, .shtml, .stm) are mapped. When a request comes in, this list is checked to see which corresponding DLL the content should be sent to, based on the extension of the file being requested.

When the Cache ISAPI Extensions option is checked, the ISAPI DLLs are cached in memory so that IIS can process requests for the associated extensions without loading the DLL again. This results in performance enhancements for most ISAPI applications, including ASP. By default, this option is checked, and it is highly recommended that you leave it that way. If you uncheck this option, IIS will need to load ASP.DLL and create the application and session state objects each time an ASP page is requested. IIS then unloads ASP.DLL immediately after the request is processed. If a client requests an ASP page while the application is being unloaded, an error could occur. Basically, the only time you would need to turn this off is if you are testing an ISAPI DLL and you want it to be reloaded each time because you’re testing code.

You can add your own ISAPI DLLs and map them here. Here’s how to add and configure a DLL for use:

  1. Click the Add button. The Add/Edit Application Extension Mapping dialog box will appear.

  2. Type in the name of or browse to the executable you wish to run this content through.

  3. Type the name of the extension. It is not necessary to include a period before the extension.

  4. Choose whether you want all of the HTTP verbs, or just certain verbs to be passed to the application. To limit the verbs, type in the verbs that you want to enable in comma-separated format.

  5. Leave the Script Engine and Verify That File Exists boxes checked, unless you have a good reason not to. We’ll cover their functionality in a minute.

    • Limiting HTTP Verbs HTTP clients use verbs to request actions of the server. These verbs, or methods, are defined in the W3C Specification for HTTP. The most common methods you will see are GET, HEAD, POST, and TRACE, although others can also be used, such as PUT and DELETE. It is recommended that you limit the HTTP verbs to those that will be used, to reduce vulnerability to attack. For example, the mapping for ASP limits the verbs to GET, HEAD, POST, and TRACE. When you limit verbs, only the verbs in the list will be passed on to the application for processing.

    • Script Engine This box is enabled by default. This instructs IIS to run this content as a script, rather than as an executable. This prevents you from having to enable execute permissions on a directory, since the scripts are mapped to an interpreter.

    • Verify That File Exists When this box is checked, IIS will make sure that the script file does exist, and that the user has access rights to the file before sending that content to the interpreter. Since each script has to be opened twice, once for verification and again for reading and sending to the engine, enabling this option results in a performance hit. This was not enabled by default in IIS 5, and like many other changes from IIS 5 to IIS 6, it’s disabled for security purposes.

      Note 

      Even though you have ISAPI extensions mapped and enabled, they will not run unless you have at least Scripts Only selected in the execute permissions for this directory. If you are not running these extensions in the script engine, you must have Scripts And Executables enabled for this content to run successfully.
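To see how the mapping options interact, the following added example (not from the book and not IIS code) models the decision for a single request: extension lookup, the Execute Permissions requirement from the Note, the verb list, and Verify That File Exists. The Mapping class, the result labels, the order of the checks, and the .rpt mapping are assumptions made for illustration.

```python
from dataclasses import dataclass
import posixpath


@dataclass(frozen=True)
class Mapping:
    extension: str              # stored without the leading period
    executable: str
    verbs: frozenset            # empty set means all verbs are passed
    script_engine: bool = True
    verify_file_exists: bool = True


def make_mapping(extension, executable, verbs="", script_engine=True,
                 verify_file_exists=True):
    """Build a Mapping from the dialog's fields; verbs is a comma-separated string."""
    parsed = frozenset(v.strip().upper() for v in verbs.split(",") if v.strip())
    return Mapping(extension.lstrip(".").lower(), executable, parsed,
                   script_engine, verify_file_exists)


def decide(verb, url_path, mappings, execute_permissions, existing_files):
    """Return a label saying whether the request reaches the mapped executable."""
    path = url_path.split("?", 1)[0]
    ext = posixpath.splitext(path)[1].lstrip(".").lower()
    mapping = next((m for m in mappings if m.extension == ext), None)
    if mapping is None:
        return "unmapped"
    # Mapped content needs at least Scripts Only; content not run through
    # the script engine needs Scripts And Executables.
    if execute_permissions == "None":
        return "blocked-execute-permissions"
    if not mapping.script_engine and execute_permissions != "Scripts And Executables":
        return "blocked-execute-permissions"
    # Only verbs in the list are passed on to the application.
    if mapping.verbs and verb.upper() not in mapping.verbs:
        return "blocked-verb"
    # The file is checked before anything is handed to the interpreter.
    if mapping.verify_file_exists:
        known = {f.lower() for f in existing_files}
        if path.lower() not in known:
            return "blocked-missing-file"
    return "dispatched"


# Constructed sample data. The .asp verb list is the one quoted above;
# the .rpt mapping and its executable path are made up.
SAMPLE_MAPPINGS = [
    make_mapping("asp", "asp.dll", "GET, HEAD, POST, TRACE"),
    make_mapping(".rpt", r"C:\Example\report.exe", script_engine=False),
]
SAMPLE_FILES = {"/default.asp", "/sales.rpt", "/logo.gif"}

if __name__ == "__main__":
    cases = [
        ("GET", "/default.asp", "Scripts Only"),
        ("PUT", "/default.asp", "Scripts Only"),
        ("GET", "/default.asp", "None"),
        ("GET", "/missing.asp?id=1", "Scripts Only"),
        ("GET", "/sales.rpt", "Scripts Only"),
        ("GET", "/sales.rpt", "Scripts And Executables"),
    ]
    for verb, path, perms in cases:
        print(verb, path, perms, "->",
              decide(verb, path, SAMPLE_MAPPINGS, perms, SAMPLE_FILES))
```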

To edit an application mapping, highlight the extension, and click the Edit button. The same screen that appears after clicking the Add button appears. The options are the same as well.

To remove an application extension mapping, highlight the extension and click the Remove button. You will be prompted to confirm the deletion.

Wildcard Application Maps allow you to set an ISAPI application mapping for all file extensions. You may be thinking “Hey, can’t you just use an ISAPI filter?” There are some differences between an ISAPI filter and a wildcard application map, however. At the administration level of ISAPI, the difference between ISAPI filters and ISAPI extension mappings is that ISAPI filters apply to the web site as a whole, while ISAPI extensions can be configured on a per-directory basis. A subdirectory will inherit the wildcard application script mappings from a parent directory if it does not contain its own mappings; otherwise, those mappings configured on the directory override the parent mappings.

To add an application map, click the Insert button. You may then type in or browse to the executable you want content to be run through. The Verify That File Exists option has the same effect as it does for extension mappings and is a security feature.

To edit an application map, highlight the extension and click the Edit button. The same Add screen appears. The options are the same as well.

To remove an application map, highlight the extension and click the Remove button. You will be prompted to confirm the deletion.

The Move Up and Move Down buttons allow you to set priority on the ISAPI application maps. Requests will be run through each of the defined application maps in the order specified here.

The Options Tab The Options tab, shown in Figure 2-8, allows you to set the configuration for this application, determine how sessions are handled, and configure the scripting engine used to process code.

Figure 2-8: The Options tab of the Application Configuration window

The Enable Session State option configures ASP to create a server-side session for each client session to the server. This applies only to regular ASPs, since the session state is configured in web.config for ASP.NET applications. In this session, data can be stored about the user that transcends across each page that user accesses. Programmatically, the data is stored in variables in the session object. While powerful, session variables should be used sparingly on high-traffic sites, because misusing that power can result in performance problems, since all those session variables can take up lots of memory.

The Session Timeout setting controls the length of time a session can remain idle before it is terminated. You can enter in any number between 1 and 2,000,000,000 minutes. Who knows, you may need that session variable 3800 years from now.

Tip 

Using session state can be tricky, especially when you have an ASP web farm or you are using worker process recycling. In an ASP web farm, each time the user connects to the web site, they may get a different server. Since the session state was created on a different server than the user is currently logged on to, that session state information is lost. Session state information is also lost when the worker process containing that session information is recycled. For these reasons, it’s a good idea either to find a way around using session state or use ASP.NET.

Click Enable Buffering to configure the server to cache the entire contents of the ASP script output before sending it to the browser. This sends the output all at once, rather than line by line. If, however, you have a long script, and you want the page to draw as the content is processed, disable this option.

Parent paths allow you to reference directories using relative pathnames in your ASP code. A script in the parent directory can be referenced by double dots (..). This applies only to dynamic content, such as include files. Static content can always be referenced by relative pathnames. The Enable Parent Paths checkbox is disabled by default because it is a security risk to allow dynamic content to be run from one page without specifying the directory structure to get there.

Note 

In IIS 6, parent paths are now disabled by default. If you have relative pathnames in code that ran under a previous version of IIS, you will need to modify your code or check the Enable Parent Paths option to get your dynamic content to run in IIS 6.

The Default ASP Language option specifies the language that processes all scripting content. Scripting content is marked by the <% and %> tags. Two languages come with IIS 6 out of the box: Microsoft Visual Basic Scripting Edition (the default) and Microsoft JScript. You may install any ActiveX scripting engine you wish to interpret content on your site.

ASP Script Timeout specifies the maximum time a script can run; without a timeout setting, a poorly written script could run indefinitely, causing issues on the server. When the timeout is reached, the script is stopped, and processed content is sent to the browser with an error message at the end stating that the maximum time was reached. You may specify any value between 1 and 2,000,000,000 seconds (that’s 63 years!).

Choosing Enable Side By Side Assemblies allows your ASP application to use a specific version of an application to run code. This allows you to have the latest version of an application installed on your server, but still run this specific application code in an older version of the DLL or EXE. To configure side by side assemblies, you must first have a manifest file, which is an XML file that has the configuration, location, and COM registration information in it. It points IIS to the correct component to use. You need to add this manifest file to each virtual directory that uses the side-by-side assembly.

The Debugging Tab The Debugging tab of the Application Configuration window, shown in Figure 2-9, helps you troubleshoot ASP scripts—which is very helpful when you are testing code. When enabled, IIS uses the Microsoft Script Debugger to check code. You can configure IIS to debug both server-side and client-side scripts. Enabling server-side script debugging comes with a performance hit, so you shouldn’t enable it on a production site unless you must. You may also configure the error message sent to clients when a script error occurs.

Figure 2-9: Debugging tab

  • Enable ASP Server-Side Script Debugging Checking this box will configure IIS to use the script debugger to check code as it is processed.

  • Enable ASP Client-Side Script Debugging Checking this box will configure IIS to allow the client to debug ASP pages with the Microsoft Script Debugger. When an error occurs, the client will receive a message asking whether the error should be debugged.

  • Send Detailed ASP Error Messages to Client The default setting, this sends the standard error message with the filename and relative path, the specific error message, and the line number where the error occurred. This does give clients some detailed information about the setup of the site, so you may want to choose to send another error message.

  • Send the Following Text Error Message to Client Check this option and type in the specific error message you would like to send to the client when an ASP script error occurs. For example, you can type in a message with an e-mail address to use for reporting errors.

start sidebar
Creating a Side-by-Side Assembly

Let's make a manifest file that allows an application to use an older version of a DLL. The manifest file is the heart of a side-by-side assembly, so we'll start there. This manifest file tells IIS which GUID to use for the COM object that is being loaded. This file, which we'll call Myapp.xml, needs to be included in each virtual directory that will use this DLL.

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
  <assemblyIdentity publicKeyToken="XXXXXXXXXXXXXX" type="win32" name="MyApp4Testing" version="1.0.0.0" processorArchitecture="x86"/>
  <file name="MyApp.dll" hash="b654b4565d654a54f65465e645e564" hashalg="SHA1">
    <!-- The clsid, progid and tlbid values below are placeholders; supply the values registered for your component. -->
    <comClass clsid="{CLSID-PLACEHOLDER}" progid="PROGID-PLACEHOLDER" threadingModel="apartment"/>
    <typelib tlbid="{TLBID-PLACEHOLDER}" version="1.0" helpdir=""/>
  </file>
</assembly>

The next step is to tell IIS to use the side-by-side assembly. In the Options tab, check the box to Enable Side By Side Assemblies. Then type Myapp.xml in the Manifest File Name box. Because the manifest file exists in the same directory, you do not need to provide a path—just the filename.

end sidebar

The Documents Tab

The next tab in the Web Site Properties window is the Documents tab, shown in Figure 2-10. Here, you configure the default pages for the web site and any footer you wish to place on each page.

Figure 2-10: The Documents tab

Enable Default Content Page

This check box enables and disables the use of a default page, which is returned if no document is specified in the URL of a request. For example, when a client types http://www.microsoft.com in the browser, the IIS web server checks to see whether a default document is configured for that site. If so, it returns that document. This prevents clients from having to know and specify a document for each site they visit. If the default document is not enabled, and the client does not specify a document, what happens next depends on whether or not directory browsing is enabled.

  • Directory browsing enabled The server sends a listing of the contents of the directory.

  • Directory browsing not enabled The server sends an error message stating “This Virtual Directory does not allow contents to be listed.”

Adding and Removing Default Content Pages

The names of pages listed here are those that IIS looks for if no page is specified in a query. The entire filename must match, so make sure the extension is included, and correct, here as well—Default.htm is not the same thing as Default.html. To add a name to the list, click the Add button and type in the name of the page. To remove a name from the list, highlight the name and click Remove. You are not prompted to confirm the deletion.

Sorting Default Content Page Order

When searching for a default content page, IIS checks this list in the order in which it appears here. IIS uses the first matching page it finds. To modify this list, highlight a page name and use the Move Up and Move Down buttons to change the order.

Enable Document Footer

To enable a document footer, place a checkmark in this box. The document footer is an HTML document that contains code you want to appear at the bottom of each page. This is useful if you want some legal or contact information to appear on your entire web site, for example, without putting the code (or an include file) on each sheet. This HTML document only needs to have the specific code in it that you want to display, and it does not need the opening <HTML> tag; only tags that format the text displayed in the footer need to be used. Unfortunately, document footers can only be used on your static content (HTML) pages.

Once you have enabled the document footer, click the Browse button to select the document you wish to use. While the code in the document has to be HTML compatible (no scripting content), you may use any document you wish (the file does not have to end in .HTM).

The Directory Security Tab

The Directory Security tab, shown in Figure 2-11, allows you to configure the security options for the site. You can configure how IIS authenticates clients, which clients can connect, and how secure the communication between client and server is.

Figure 2-11: The Directory Security tab

Editing Authentication and Access Control Settings

This section enables you to choose the type of authentication for this site when security is required. This can be tricky sometimes, because you need to understand the interaction between NTFS security and IIS security, and how they affect which user is authenticated to a web page. To change the Authentication and Access Control settings, click the Edit button. The Authentication Methods dialog box will open, as shown in Figure 2-12.

Figure 2-12: The Authentication Methods dialog box

Enable Anonymous Access When the Enable Anonymous Access checkbox is checked, it allows a user to connect to a web page without submitting any logon information. Because everything needs to be run in a security context, the Internet Guest account is used. This account is created when IIS is installed and is named IUSR_<computername>, where <computername> is the name of the computer. This option allows you to set up the security for all anonymous users using this specific user account. If you do not wish to use the Internet Guest account, you may use any account you wish—either local or on a trusted domain.

Tip 

Any account used to access web pages will need to have permission to access the files at the NTFS level. For more information on how to set these permissions, see Chapter 6.

To choose the account you want to use for anonymous access:

  1. Type in the name of the account in the Authentication Methods dialog box. If it is a domain account, use the domainname\username naming convention.

  2. If you want to search for the name instead, click the Browse button. The standard Windows 2003 object selection screen will appear.

  3. Here, you can select the name of the user account and location you wish to use, or you can search for it by clicking the Advanced button.

  4. Once you have chosen the user account, click the OK button.

  5. Then type in the password for that account in the Password text box. When you click OK, you will be prompted to confirm the password.

When you type in a username and password, IIS does not check to see whether the username/password combination is correct. If it is not, IIS will behave as though anonymous access is disabled, and you will not be able to access the web site anonymously. This can be tricky to detect, because Internet Explorer will automatically fail over to the other types of authentication, if available, and try to authenticate you with your logged-in credentials. As an administrator, you will most likely have rights to access resources that the guest account will not. The way to see which user is being authenticated is to check the IIS log file for this site. If you are being authenticated as anyone other than the anonymous user, it will show up in the log file. If you are not using an account that has access to this resource, you will be prompted for authentication credentials.

Authenticated Access The Authenticated Access section of the Authentication Methods window shows the types of authentication that are enabled for this site. When the IIS guest account does not have access to a resource, IIS checks to see what types of authenticated access are available. Four types of authenticated access are available:

  • Integrated Windows Authentication The most secure means of authentication, this is great if you’re using all Internet Explorer browsers and you’re not using an HTTP proxy. It has been built into all IE browsers since version 2.0. Other types of browsers, such as Netscape, do not support this authentication method. On the back end, Integrated Windows authentication uses NT challenge/response, or the Kerberos protocol. If the client and server support Kerberos, and a trusted Key Distribution Center (KDC) is available, Kerberos is used; otherwise, IIS falls back to NT challenge/response.

  • Digest Authentication for Windows Domain Servers Digest authentication is available if you are using Active Directory accounts, and although some security risks are associated with it, it is a more secure means of authentication than Basic authentication. It is not intended to be a complete answer to security on the web; it is designed only to avoid the problems of Basic authentication. In addition to Active Directory, Digest authentication requires use of HTTP 1.1, so it will work only with newer browsers that support that protocol. Digest authentication requires that the domain controller keep a plaintext copy of each password, so it can check that password against the hash sent by the client. Therein lies the security risk. Having plaintext passwords stored anywhere is a security risk, so if you choose this form of authentication, you will need to make sure that the domain controller is secure from intrusion, or passwords can be compromised. The upside to using Digest authentication is that the password is not sent across the network in plaintext, unlike Basic authentication.

    Because digest authentication is a simple hash, it works across firewalls and proxy servers. It is also available on Web-based Distributed Authoring and Versioning (WebDAV) directories. Since Digest authentication requires a domain, when you choose this type of authentication, the Realm box becomes available. If Digest (or Basic) authentication is not enabled, the Realm box is grayed out. Otherwise, in this box you can select which user account database to authenticate against. To choose the realm, type in the realm name in the box, or use the Select button to choose from a list of realms.

  • Basic Authentication This is the simplest (and most universal) type of authentication; the username and password are sent across the network in clear text. Since there is no encryption, this is easy to crack. The benefit of using Basic authentication is that it is pretty much universally accepted. As with Digest authentication, you can select which user account database to authenticate against. Type in the realm name in the Realm text box, or use the Select button to choose from a list of realms.

  • .NET Passport Authentication This is a new form of authentication used by Microsoft technologies. It allows clients to use a single sign-in to Passport-enabled web sites. To have Passport-enabled sites, you must have a .NET Passport central server running. You can download the .NET Passport server from Microsoft’s MSDN web site (http://msdn.microsoft.com). When you select .NET Passport authentication, the Default Domain box becomes active. In order for Passport authentication to work, the IIS server must be a member of a domain, and a default domain for authentication must be specified. To choose the default domain, type in the domain name in the box, or use the Select button to choose from a list of domains.

Restricting Access by IP or Domain Name

In IIS, you can restrict who has access to a site without using a username and password. By restricting access through IP address, you can target a certain population to have access or be denied access to your site. This can be useful if you have specific needs, such as the following:

  • You want a certain target audience to be able to access content.

  • You know exactly who the audience is, IP address-wise.

  • You want to prevent other people from accessing the site.

  • You don’t necessarily want to use authentication as a means of controlling access, or you want to use another restriction on top of authentication.

If you decide IP address restrictions are a good idea for your site, you need to set up some restrictions. Click the Edit button in the Directory Security tab’s IP Address And Domain Name Restrictions area. When you click on the Edit button, the IP Address and Domain Name Restrictions dialog box, shown in Figure 2-13, will open. Here, you need to decide whether you want to start from a restrictive perspective and grant specific people access, or start from a permissive perspective and deny specific people access. If you choose the Granted Access radio button, you will be permissive, and if you choose the Denied Access radio button, you will be restrictive.

Figure 2-13: The IP Address and Domain Name Restrictions dialog box

Modifying IP Address Restrictions To add an IP address to the list, click the Add button. The Grant Access or Deny Access box will appear, depending on which radio button you chose.

Choosing to grant or deny access is an all-encompassing action. You cannot choose to deny some IPs and grant access to others. It’s all or nothing. You can choose from among three types of access:

  • Single Computer Allows you to input an IP address into the access list. You may enter multiple computers, one at a time, in this fashion. If you do not know the IP address of a machine, you can click the DNS Lookup button to obtain the IP address using the name.

  • Group Of Computers Allows you to enter a network ID and subnet mask to add computers to the list. Using variable length subnet masks, you can get fairly granular with the IPs in the list.

  • Domain Name Allows you to enter a domain name to deny access to. Be cautious of using this, because it will cause the server to do a reverse lookup on each client that connects to the server to see if it is a member of that domain. This is a performance hit, and using it will cause delays in the client getting authenticated while the server performs the reverse lookup. Reverse lookups are generally not speedy operations.

Once you have selected and configured the type of access, click OK to cause that entry to appear in the list.

To remove an entry, highlight it and click Remove. To modify an entry, highlight it and click Edit.
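A model of how the restriction list above behaves, as an added example (not IIS code and not from the book): one default for everyone, plus a list of exceptions made up of single computers, network ID/subnet mask groups, and domain names that need a reverse lookup. The class, the resolver stub, and all addresses and host names are constructed for illustration, and the order in which entries are checked is an assumption.

```python
import ipaddress
import socket


def system_reverse_lookup(ip):
    """Real reverse (PTR) lookup; returns None when no name is found."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:
        return None


class RestrictionList:
    """One default for all clients plus a list of exceptions to it."""

    def __init__(self, default_granted):
        # True  = Granted Access selected: listed entries are denied.
        # False = Denied Access selected: listed entries are granted.
        self.default_granted = default_granted
        self.computers = set()
        self.groups = []
        self.domains = []

    def add_computer(self, ip):
        self.computers.add(ipaddress.IPv4Address(ip))

    def add_group(self, network_id, subnet_mask):
        # Raises ValueError if the network ID has host bits set for the mask.
        self.groups.append(ipaddress.IPv4Network(f"{network_id}/{subnet_mask}"))

    def add_domain(self, name):
        self.domains.append(name.lower().strip("."))

    def is_listed(self, client_ip, reverse_lookup=system_reverse_lookup):
        addr = ipaddress.IPv4Address(client_ip)
        if addr in self.computers or any(addr in net for net in self.groups):
            return True
        if not self.domains:
            return False          # no domain entries: no lookup cost at all
        host = reverse_lookup(client_ip)   # the per-client performance hit
        if host is None:
            return False
        host = host.lower().rstrip(".")
        # Match the domain itself or any host below it, on a label boundary.
        return any(host == d or host.endswith("." + d) for d in self.domains)

    def allows(self, client_ip, reverse_lookup=system_reverse_lookup):
        # A listed client always gets the opposite of the default.
        return self.default_granted != self.is_listed(client_ip, reverse_lookup)


class CountingResolver:
    """Offline stand-in for DNS that counts how many lookups were made."""

    def __init__(self, table):
        self.table = table
        self.calls = 0

    def __call__(self, ip):
        self.calls += 1
        return self.table.get(ip)


# Constructed PTR data (documentation address ranges, made-up host names).
CONSTRUCTED_PTR_RECORDS = {
    "203.0.113.5": "host5.example.net",
    "203.0.113.9": "www.example.org",
    "203.0.113.20": "x.badexample.net",
}


def build_intranet_list():
    """Denied Access by default; only the listed machines get in."""
    acl = RestrictionList(default_granted=False)
    acl.add_computer("192.0.2.10")
    acl.add_group("10.1.2.64", "255.255.255.224")   # 10.1.2.64 - 10.1.2.95
    return acl


def build_blocklist():
    """Granted Access by default; one domain is shut out."""
    acl = RestrictionList(default_granted=True)
    acl.add_domain("example.net")
    return acl


if __name__ == "__main__":
    resolver = CountingResolver(CONSTRUCTED_PTR_RECORDS)
    blocklist = build_blocklist()
    for ip in ("203.0.113.5", "203.0.113.9", "203.0.113.77"):
        print(ip, "allowed" if blocklist.allows(ip, resolver) else "denied")
    print("reverse lookups performed:", resolver.calls)
```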

Secure Communications

The Secure Communications section of the Directory Security tab allows you to set up how the server will use certificates for authentication and encryption. Here, you can create certificate requests; assign, export, import, and back up certificates; and set up how the server will interact with client certificates.

To set up a server certificate on this server, click the Server Certificate button. The Web Server Certificate Wizard will appear. Click Next, and you’ll see the options for assigning a certificate for this site:

  • Create A New Certificate Allows you to set up a request to send to a certificate authority (CA—covered in detail in Chapter 10). When you create a request, you have the option of sending it to an online CA or saving it to a file and sending that file to a CA through its registration process. To send a request to an online CA, you must have Certificate Services installed on a server.

    Tip 

    Enterprise CAs are located in Active Directory and will have an SRV record in DNS, so you can find them. For more information on SRV records and DNS, see Chapter 8. If you have a standalone CA installed on this same computer, IIS will not recognize it. This is not necessarily a problem because you can manually approve and install the certificate, as detailed in Chapter 19. It’s also a good idea to have your CA in a secure location, and an exposed web server probably isn’t the best place for that.

To create a request for sending to a CA later:

  1. Choose Create A New Certificate, and click Next.

  2. Choose Prepare The Request Now, But Send It Later, and click Next.

  3. Type the name you wish to use for this certificate. You may use any name.

  4. Choose the bit length of the certificate. You can choose 512, 1024, 2048, 4096, 8192, or 16384 bits for the complexity of the hash.

  5. If you want to choose which cryptographic service provider (CSP) is used to generate this certificate, check the box provided. A CSP is an algorithm that is used to generate the certificate.

  6. Type the name of your organization and the organizational unit. Remember that if you are using a commercial CA, this will need to be your official business name. Click Next.

  7. Type in the common name of the site. This must match the DNS or NetBIOS name that you will be using for this site. Since certificates are name-specific, the certificate is good for that name only. If you use a different DNS or NetBIOS name for your site, you will need to get a new certificate. Click Next.

  8. Type in your City, State, and Country. You must not abbreviate anything. Click Next.

  9. Type in the name and location of the file where you wish to place this request. Remember this, because you will be using it to request the certificate. Click Next.

  10. The next screen is the summary screen. Make sure that all the information is correct. If so, click Next.

  11. Click Finish to exit the wizard.

    • Assign An Existing Certificate Allows you to take a valid certificate on this machine and assign it to a resource. The resource in this case is the web site. When you select this option, you will be presented with a list of the valid certificates on this machine. Click one of the certificates to select it, and then click Next. You will then need to choose the SSL port for this site. The default (443) is listed here. Don’t change this port unless you have a good reason to, because clients will look for SSL communications on port 443 by default as well. After you have chosen the port number, go through the summary screens and finish the wizard. At this point, you have a certificate installed for your web site. It will be available for immediate use by clients.

    • Import A Certificate From A Key Manager Backup File This option allows you to import a certificate that you have exported using the Windows NT 4.0 Key Manager. When you choose this option, you browse to the location at which the .key file is stored and select it. After you have chosen the .key backup file, choose the SSL port for this site, go through the summary screens, and finish the wizard.

    • Import A Certificate From A .pfx File This option allows you to import a certificate file that uses the Personal Information Exchange Syntax Standard, otherwise known as PKCS #12. This is a standard for storing or transporting certificates in a portable format. If you want to be able to back up or export this certificate after you import it here, you will need to check the Mark Cert As Exportable box. After you choose the .pfx file, you will need to provide the password used to secure the file when it was exported. Then you will choose the SSL port for this site, go through the summary screens, and finish the wizard.

    • Copy Or Move A Certificate From A Remote Server Site To This Site You can now get certificates from another web site. This prevents you from having to export the certificate to a file, which can be a security risk. To copy or move a certificate from a remote web server:

      1. In the IIS Certificate Wizard, choose the Copy Or Move A Certificate From A Remote Server Site To This Site option, and click Next.

      2. In the Copy/Move Certificate dialog box, choose whether to copy or to move a certificate to this web site.

      3. Choose whether you want the certificate to be exportable from this web site. Click Next.

      4. Type in or browse to the computer from which you wish to import the certificate.

      5. Type in the credentials of a user with sufficient permissions to access this certificate, and then click Next.

      6. Enter the instance of the site from which you want to import the certificate. Clicking the Browse button allows you to select an instance from a list. Click Next.

      7. Check the summary screen to make sure you have imported the correct certificate.

      8. Click Next, and then click Finish.

Processing a Certificate After you’ve received the certificate response from a CA, you can then process that pending certificate request. To process the request:

  1. Start the Web Server Certificate Wizard again by clicking on the Server Certificate button in the Directory Security tab.

  2. In the Server Certificate dialog box, choose Process The Pending Request and install the certificate. Click Next.

  3. Type in or browse to the location of the response file from the CA, and then click Next.

  4. Type in the SSL port this site should use. Click Next.

  5. View the summary screen and make sure the information is correct.

  6. Click Next, and then click Finish.

You now have a valid certificate for this site, and can start using it on the port number you specified when installing the certificate response file. If you don’t get a response, you’ll need to delete the pending request.

To delete the pending request:

  1. Select Delete The Pending Request in the Web Server Certificate Wizard. The next dialog box in the wizard lets you know that you will not be able to process any future responses regarding this request if you continue, and gives you a chance to back out.

  2. Click Next to delete the request.

  3. Click Finish to complete the wizard.

Viewing the Details of an Installed Certificate When you have an installed certificate, you can view the certificate information by clicking on the View Certificate button in the Directory Security tab.

  • General tab This tab includes the information about the certificate. It contains the intended purpose of the certificate, the issuer of the certificate, who the certificate was issued to, and the valid dates of the certificate.

  • Details tab Includes the nitty-gritty details of the certificate. Here you can see all the properties of the certificate, and you can start the Certificate Export Wizard, enable/disable purposes for this certificate, and set up cross-certificate downloads, which allow you to specify multiple download locations from different CAs. This is what allows unrelated CAs to “trust” each other.

  • Certification Path tab Allows you to view the CA certification hierarchy for this certificate. It also displays whether or not the certificate is valid.

Editing Secure Communications Clicking the Edit button allows you to edit certificate mappings and trust lists, as shown in Figure 2-14. You can also force SSL usage here.

Figure 2-14: The Secure Communications window

In the Secure Communications window, checking the Require Secure Channel checkbox allows you to force the use of SSL on this site. Any browser that does not “speak” SSL will not be able to access this site.

Checking the Require 128-Bit Encryption checkbox allows you to force the use of strong encryption. Forcing this will prevent browsers with weaker encryption from accessing this site. Internet Explorer 128-bit upgrades are available from the Microsoft web site (http://www.microsoft.com/ie), and they can be downloaded by anyone except in a U.S.-embargoed country (since Microsoft is a U.S.-based company).

The use of client certificates allows the site to identify the users connecting to this site. The client certificates can be used as a means of access control. You can choose from three settings:

  • Ignore The default option. Any client certificate presented will not be used.

  • Accept Allows the certificate, and you can set up client certificate maps, but they are not mandatory. Any browser without a client certificate will still be able to access the site.

  • Require Forces the use of certificates. Any client without a certificate will not be allowed access to the site. To choose this option, you will need to check the Require Secure Channel checkbox.

Client certificate mapping is used to authenticate a client machine to a Windows user account. There are two types of mappings: one-to-one and many-to-one.

  • One-to-one mappings Used when each user account has its own certificate. A user account can have more than one certificate, but each account has to have at least one unique certificate to use this feature. You import the certificate and tie it to a user account, and then the certificate can be used to authenticate the user.

  • Many-to-one mappings Used when multiple certificates are tied to a user account. You provide the wildcard client certificate matching criteria, in which you provide some information about that certificate, like an organizational unit or organization name. If it matches, the specified account is used.

The HTTP Headers Tab

The HTTP Headers tab of the web site Properties window, shown in Figure 2-15, allows you to configure content expiration, content ratings, and MIME types in addition to adding HTTP headers.

Figure 2-15: The HTTP Headers tab

Enable Content Expiration

This option sets an expiration date on the files on a web site and is used when you want to make sure time-sensitive content doesn’t stay cached after a certain period of time. The expiration date is given along with the content when it is requested. You can use the RESPONSE object with the CACHECONTROL or EXPIRES property to set the caching and expiration time on ASP pages, but that doesn’t help you much with graphics. This option can do it all via the following three settings:

Expire Immediately Expire Immediately tells the requester not to cache the data—period. This is great to use on a test or development site, since you can make code changes and you know the old code isn’t stuck in the IE cache somewhere. This is also useful when your site has a page with dynamically changing content, when each time the user will get a different result and you want to make sure it’s not cached somewhere down the line.

Expire After Choosing Expire After will allow you to set a timeout period in minutes, hours, or days. You can choose any value between 1 minute and 32,767 days (that’s just shy of 90 years).

Expire On Expire On will set the content to expire at a specific time and date. You can’t choose an expiration date before today’s date. You can, however, choose any date up to December 31, 2035. Since the expiration data is processed by the client, it’s driven by the client’s time zone, so there can be some variation in exactly when the content is expired, based on where the client is located.

Custom HTTP Headers

This section allows you to configure a custom HTTP header to be sent to the client. This header supplements the header that the client normally receives from the server. This header can be used for additional custom data that you want to send to the client that it will find useful. You can also use it to add additional functionality to HTTP—for example, to support a new HTTP standard that IIS 6 doesn’t natively support.

To add a custom header:

  1. Click the Add button. The Add/Edit Custom HTTP Header dialog box appears.

  2. Type in the custom header name in the box provided.

  3. Type in the custom header value in the box provided.

  4. Click OK.

You can modify the header by clicking the Edit button and delete it by clicking the Remove button. You are not prompted when choosing to remove a custom header.

Content Rating

You can enable content ratings for your site in this area. Content ratings are a voluntary system developed by the Internet Content Rating Association (ICRA). ICRA is a nonprofit, independent organization that aims to give parents data to make informed decisions about what their children see in electronic media. This system comprises two parts: part one occurs when the webmaster gives the site a rating (ICRA does not do the actual rating), and part two is when the end user sets the browser settings to block certain sites based on ratings content.

Two standards for content ratings are used: the older RSACi standard and the newer ICRA system. IIS 6 supports the legacy RSACi system, which rates content by four categories.

  • Violence

  • Sex

  • Nudity

  • Language

After you rate your system, you also provide an e-mail address of the person rating the content, so you can get feedback on perceptions of ratings. You can also set an expiration date for ratings. Once the expiration date has passed, the ratings will no longer apply.

Enabling Content Ratings for Your Site Here’s how to set up content ratings:

  1. Open the Content Ratings dialog box by clicking the Edit Ratings button in the HTTP Headers tab.

  2. In the Content Ratings window, click the Enable Ratings For This Content checkbox.

  3. Click the rating you wish to set.

  4. Use the sliding bar to set that rating to level 0–4.

  5. Set any or all of the other ratings if so desired.

  6. Type an e-mail address into the box provided. A generic role-based account is usually best (something like webmaster@thisdomain.com).

  7. Add an expiration date on this data. You can’t choose anything before today, but you can choose any date up to December 31, 2035.

  8. Click OK.

MIME Types

The Multipurpose Internet Mail Extensions (MIME) are the definitions of the file types that IIS will serve to clients. IIS 6 will serve only file types that are either script mapped or have a MIME type defined. If IIS encounters an extension for which it has no MIME mapping, the client will get a 404 not found error, and the server will log a substatus code of 3.

Note 

There’s one exception to the MIME rule: Text files with a .txt extension, while not MIME or script mapped, will still be served by IIS.
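Two checks in this chapter come down to reading the site's W3C extended log: seeing which user a request was actually authenticated as (the anonymous access discussion earlier) and spotting requests refused for lack of a MIME mapping (404 with substatus 3, above). The parser below is an added example, not from the book; the log lines are constructed, and it assumes anonymous requests are logged with "-" in the cs-username field.

```python
import posixpath

# Constructed sample in W3C extended format. The second #Fields line models
# a log whose field selection changed partway through the file.
SAMPLE_LOG = r"""
#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Date: 2003-05-02 17:42:15
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status
2003-05-02 17:42:15 192.0.2.1 GET /default.htm - 80 - 198.51.100.20 Mozilla/4.0+(compatible;+MSIE+6.0) 200 0 0
2003-05-02 17:43:01 192.0.2.1 GET /reports/summary.htm - 80 CORP\admin1 198.51.100.21 Mozilla/4.0+(compatible;+MSIE+6.0) 200 0 0
2003-05-02 17:44:10 192.0.2.1 GET /logs/ex030501.log - 80 - 198.51.100.20 Mozilla/4.0+(compatible;+MSIE+6.0) 404 3 0
2003-05-02 17:45:30 192.0.2.1 GET /missing.htm - 80 - 198.51.100.22 Mozilla/4.0+(compatible;+MSIE+6.0) 404 0 2
#Fields: time c-ip cs-username cs-uri-stem sc-status sc-substatus
18:02:11 198.51.100.23 - /downloads/tool.iso 404 3
18:03:00 198.51.100.23 -
"""


def parse_w3c(lines):
    """Yield one dict per request, keyed by the active #Fields directive."""
    fields = []
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            # Only #Fields changes how the following lines are read.
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue
        values = line.split()
        # Skip truncated lines instead of shifting values into wrong fields.
        if not fields or len(values) != len(fields):
            continue
        yield dict(zip(fields, values))


def authenticated_requests(records):
    """Requests served under a named account rather than the guest account."""
    return [
        (r["cs-username"], r.get("cs-uri-stem", ""))
        for r in records
        if r.get("cs-username", "-") != "-"
    ]


def mime_blocked_extensions(records):
    """Extensions refused with 404.3, i.e. no MIME map and no script map."""
    extensions = set()
    for r in records:
        if r.get("sc-status") == "404" and r.get("sc-substatus") == "3":
            ext = posixpath.splitext(r.get("cs-uri-stem", ""))[1].lower()
            if ext:
                extensions.add(ext)
    return sorted(extensions)


def analyze(text):
    records = list(parse_w3c(text.splitlines()))
    return authenticated_requests(records), mime_blocked_extensions(records)


if __name__ == "__main__":
    users, blocked = analyze(SAMPLE_LOG)
    for username, uri in users:
        print(f"authenticated as {username}: {uri}")
    print("extensions refused with 404.3:", ", ".join(blocked))
```

A plain 404 with substatus 0 is an ordinary missing file and is deliberately not counted as a MIME refusal.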

You can set up MIME types on a global, web site, or directory level, and those types are inherited down the chain. Let’s go through an example of adding a MIME map.

Let’s say you want to web publish a logfile directory. All the log files have a .log extension and are in plaintext format. IIS does not have a MIME mapping for .log files out of the box, so we’ll have to add one.

  1. Click the MIME Types button in the HTTP Headers tab at the appropriate level (globally, site, or at the directory level, per your choice in the MMC).

  2. Click New.

  3. In the MIME Type dialog box, type the extension of the file you wish to add in the Extension box. In this case, type .log.

  4. Type the MIME type in the text box provided. Since we’re dealing with a plaintext file, the appropriate MIME type would be text/plain.

  5. Click OK. You will see your extension has been added.

  6. Click OK again, and then once more.

Your server/site/directory is now configured to serve out .log files. Clients choosing a file in that directory will now see it in their browsers. You can edit and remove MIME type mappings here as well.

If you don’t set up the MIME type properly, IIS will still serve the file, but the browser won’t know what to do with it. IE users will be prompted to choose which program to use to open the file.

Note 

Where do you find the proper MIME type for a file? RFC 2045 and RFC 2046 specify the fields for MIME types, and the types themselves are assigned and listed by IANA. (Yup, the same people who determine IP addresses.) The full list with subtypes is on their web site at http://www.iana.org.

The Custom Errors Tab

The Custom Errors tab, shown in Figure 2-16, allows you to change the default error messages sent out by IIS. A mapping for each HTTP error and substatus code appears here. This allows you to have custom errors or scripts run when clients encounter an error.

Figure 2-16: The Custom Errors tab

When you modify the custom errors, you can then use them for error reporting and to help you resolve issues. For example, you can make the message type be an ASP script that alerts the webmaster, logs the incident, shows a message on the screen for the end user that lets them know an issue occurred, and redirects the user to the default page. Or you can take the user back to the previous page they were viewing. Since you can use scripts, you can actually make the error messages useful, and the messages can actually help you to diagnose issues with your web site.

You can choose from three types of messages:

  • Default The default error that IIS has programmed. This allows you to reset a custom error quickly if you don’t want to use it anymore.

  • File Allows you to choose a file using the fully qualified filename (such as C:\Windows\help\errors\iiserror404.asp).

  • URL Allows you to direct the client to a page on this site using the absolute URL pathname (from the top of the site). So the HTTP error pages have to be on the same site, although they can be on a virtual directory. If you try to type in a URL that’s not in the proper format, you will get a pop-up error.

Modifying the Custom Error Properties

To modify the custom error properties:

  1. Highlight the HTTP error that you want to modify, and click Edit. The Edit Custom Error Properties window appears.

  2. From the drop-down box, choose the message type you would like to use for this error.

  3. If using a file, type in or browse to the file location.

  4. If using a URL, type in that absolute pathname.

  5. If choosing Default, there is nothing to configure.

  6. After you have selected and configured the option, click OK.

  7. Click OK again.

start sidebar
Some Error Messages Can't Be Mapped to URLs

Some error messages cannot be mapped to URLs, because if an error of this type exists, that URL might not exist either. The following error messages can't be assigned to URLs:

  • 401.1 Unauthorized: Access is denied due to invalid credentials

  • 401.2 Unauthorized: Access is denied due to server configuration favoring an alternate authentication method

  • 401.3 Unauthorized: Access is denied due to an ACL set on the requested resource

  • 401.4 Unauthorized: Authorization failed by a filter installed on the Web server

  • 401.5 Unauthorized: Authorization failed by an ISAPI/CGI application

  • 407: Proxy Authentication Required

  • 502: Bad Gateway

end sidebar

The BITS Server Extension Tab

The Background Intelligent Transfer Service (BITS) allows you to transfer a large amount of data slowly over a long period of time. It transfers data when the network is not being used, so it doesn’t impact network performance. The BITS Server Extension tab (Figure 2-17) is available only when that component is installed. (This option is in Add/Remove Windows Components. See Chapter 1 for more information.) IIS uses the BITS server extensions to receive client uploads to a virtual directory. The client must have software that lets it upload using BITS; IIS just configures the server to accept the BITS transfers. When a transfer is initiated, BITS will manage that transfer as long as a network connection exists. If a network connection is dropped, BITS will suspend the transfer and pick up right where it left off when the connection is re-established, so the data can be transferred over multiple disconnects and reboots. BITS will monitor the network usage on the client, and it will transfer only when excess bandwidth allows.

Figure 2-17: The BITS Server Extension tab

Allow Clients to Transfer Data to This Virtual Directory

This option configures this virtual directory to accept BITS transfers. If you choose Use Default Settings, you cannot configure any of the options in this tab. The Customize Settings option allows you to modify the settings. These settings are inherited from the web site level to the virtual directories that are enabled for BITS transfers. Likewise, a subvirtual directory will inherit settings from its parent virtual directory.

Custom Settings

In the Custom Settings area, you can configure the Maximum File Size that BITS can accept. This is the maximum size of a single file, and you can choose a value between 1 byte and 16,777,215 terabytes. (So this will hold you until those new 16 exabyte hard drives come out.) You can also configure how long to keep incomplete transfers until they can be deleted by the cleanup process. You can choose any time between 1 second, which will delete any incomplete job when the cleanup process is run, and 49,710 days, at which time that 16 exabyte hard drive will be old news.

Enable Server Farm Support

A BITS server farm is a group of servers to which a client can upload. You can configure file storage for a server farm in two ways:

  • The servers can all share a single network share for the virtual directory. Since they are all virtual directories, you can point them all to the same network share.

  • The servers can all use their own local storage for the upload directory.

If you choose the second option, these server farm support options come into play:

  • Reconnect To IP Address Lets the client know which IP address to reconnect to when resuming transfers. If your servers use local storage, the client is going to want to reconnect to the same server so that it can resume the existing file, rather than creating a new one on a different server. You can use DNS names here, but only if there is a single A record for that name (round-robin DNS will send the client to multiple servers, defeating the purpose of the reconnect).

  • Use Original IP Address After Configures the timeout for reconnection. This setting is usually in sync with the cleanup time period. If the incomplete transfer file has been cleaned, reconnecting to the same server doesn’t help. The client will have to reconnect using the original URL after this time period has been reached. You can configure any time period between 1 second and 49,710 days.

Allow Notifications

This option, when checked, enables notifications for this virtual directory. Notifications allow you to send a message or data to a URL so that an application can be alerted that a transfer has completed. Two settings appear here:

  • Notification Type Configures what to send. If you choose to send the filename, the server sends the full path for the file to the notification URL. If you choose to send the data, the file is sent by the server to the notification URL using the HTTP POST method.

  • Notification URL This is where you type in the URL that you wish to use to send notifications when a transfer occurs. You can use a fully-qualified URL or a relative URL here.

Cleanup of Incomplete Files

Sometimes, a transfer won’t complete, and the client never finishes the file. Rather than leaving the file there forever, IIS can “scrub” the directories periodically to make sure those incomplete files don’t take up space. The trick is to leave the time period long enough that infrequently connected clients can finish their upload, but short enough so that the drive doesn’t fill up with incomplete files that will never be finished.

  • Schedule Cleanup Allows you to create a scheduled task that runs periodically to check the incomplete files. If an incomplete file is found, the date on the file is compared to the timeout value that you configured in the Delete Incomplete Jobs After boxes. If the file is older than the timeout value, the file is deleted, and the job is canceled.

  • Run Cleanup Now Starts the cleanup task immediately. It behaves exactly like a scheduled cleanup otherwise.

The Server Extensions 2002 Tab

This tab, shown in Figure 2-18, is available only at the web site level, and only if the FrontPage 2002 Server Extensions have been loaded with the Add/Remove Windows Components wizard. By default, when you open this tab, a message tells you that server extensions have not been enabled for this web site. To enable them:

  1. In the IIS MMC, choose Action | All Tasks | Configure Server Extensions 2002.

  2. Internet Explorer pops up and asks for login information. You’ll need to provide credentials with Administrator rights.

  3. The web site to enable FrontPage Server Extensions 2002 opens.

  4. Make sure the account that appears in the Administrator box is the one you want to use, and then click Submit.

  5. In the Server Administration web site that opens, you can configure FrontPage Server Extensions.

    Figure 2-18: The Server Extensions 2002 tab

After Server Extensions have been enabled, the Server Extensions 2002 tab displays a Settings button that you can click to open the Server Administration web site.

The Server Administration Web Site

In the Server Administration web site, you configure the FrontPage server extensions. When you open the Server Extensions 2002 tab shown in Figure 2-18, you will see a Settings button, and no configuration options are available in the IIS MMC. Press the Settings button to go to the FrontPage Server Administration site, shown in Figure 2-19. The first page you will see is the Change Configuration Settings page. At the top of the page, there are hyperlinks for Administration, which take you to the site administration page, and Help.

Figure 2-19: The FrontPage Server Administration site Change Configuration Settings page

The Change Configuration Settings Page

In the Change Configuration Settings page, you can configure the general settings for all the sites on this server. You must be a member of the local Administrators group on the server to make these changes.

The Enable Authoring Checkbox Click the Enable Authoring checkbox to configure whether or not clients can use FrontPage to upload content to their respective web sites. This is enabled by default when you install Server Extensions 2002. Removing the checkmark will prevent authors from publishing new content. This is useful when you are performing maintenance or upgrades, and you don’t want any new content published while you’re working. From a security perspective, authoring should not be turned on at all in production except during scheduled maintenance periods when content is going to be uploaded.

Mail Settings In the Mail Settings area, you configure FrontPage’s use of e-mail services for this server. When you configure the SMTP settings, you specify the SMTP server name or IP address. There is no option to provide a username and password, so make sure the server you’re using accepts messages without authentication. You can also set the From and Reply-to addresses so that clients can reply to the messages. Lastly, you can configure the mail encoding and character set if you’re using an e-mail server that has different settings.

Performance Tuning The FrontPage Server Extensions 2002 allow you to configure caching for your web sites. When you have a large number of pages and documents on your site, caching can help improve the overall response time of the site. Changing one of the following settings in this area lets you configure the size of the cache:

  • < 100 pages

  • 100–1000 pages

  • > 1000 pages

  • Custom

If none of these choices fits your site’s needs, or you want to modify the caching settings, you can choose Custom and provide your own values.

Client Scripting The Client Scripting section lets you choose the language you will allow for client scripting on this server:

  • No scripting

  • JavaScript

  • VBScript

If you choose no scripting, client scripting will be disabled for this server.

Security Settings In the Security Settings section, you configure the security for the FrontPage Server Extensions for this server.

  • Log Authoring Actions Sets up logging for all authors publishing content to this server. That way, you can track who uploads what, and if someone overwrites files on a server, you can find out who did it.

  • Require SSL For Authoring And Administration Mandates that the client use an SSL channel. This will encrypt the traffic and make it more difficult for a third party to “listen in” on the traffic between the client and the server.

  • Allow Authors To Upload Executables Enables publishing of executable programs to the server. By default, this is disabled, because someone could upload a destructive executable to the server and then run it on the server.

The Server Administration Page

The Server Administration page, shown in Figure 2-20, shows you the list of virtual servers and lets you set user information.

Figure 2-20: The Server Administration page

Set List Of Available Rights Clicking this hyperlink takes you to a page that allows you to configure the permissions for this server, which are in two categories: web design rights and web administration rights. With these rights, you can granularly control how authors can access this site.

Set Installation Defaults Click this hyperlink to set the default settings for all new web sites on this server. You can configure the mail settings and the security settings. This page is the same as the Configuration Settings page, except you cannot set the mail encoding and character set here. The security settings are the same.

Reset User Password Click this hyperlink to access the page that allows you to change an author’s password for a site.

  1. In the Virtual Server drop-down list, choose the site that contains the user account.

  2. In the Web Name box, type in the name of the web site of which the user is a member.

  3. In the User Name text box, type in the username for which you wish to reset the password.

  4. In the New Password and Confirm New Password text boxes, type in the new password.

    Note 

    You do not need to know the old password in order to change it.

Virtual Servers The Virtual Servers section shows you a list of all the web sites on this server. If the FrontPage Server Extensions have been enabled on this site, you will see the URL and the version number of the extensions. If not, the word Extend will appear, and you can click it to enable the FrontPage Server Extensions on this site.

Administering a Virtual Server

When you click a site name in the Virtual Servers section, the Site Administration page opens, where you can administer that site. You can perform various tasks related to site administration:

  • Change whether or not anonymous access is allowed

  • Manage user accounts

  • Manage roles for those user accounts

  • Send an invitation to a user (only if SMTP has been set up)

  • Check the health and security settings for this site

  • Check the hyperlinks in a site to make sure they are valid

  • Configure whether this site uses version control, to be able to roll back changes

  • Create a subweb




IIS 6: The Complete Reference
ISBN: 0072224959
EAN: 2147483647
Year: 2005
Pages: 193
