Although I can now blissfully say I'm out of the business, for several years I owned and ran an ISP. In addition to using Exchange Server for client mail, we also used Internet Information Services (IIS) to host client Web sites. I've spent a lot of time in IIS Manager in the last six years or so, managing Web sites, virtual SMTP servers, and FTP sites. In this Guided Tour, I'll take you through the ins and outs of the IIS Manager in Windows Server 2003. Even if you're familiar with the IIS Manager in Windows NT or Windows 2000 Server, you'll find some unfamiliar territory in the 2003 version.
What is the IIS Manager?
The IIS Manager is the MMC console snap-in that enables you to manage virtual Web services on a Windows Server 2003 computer. You can manage the following with the IIS Manager:
- Application pools—An application pool links one or more applications to a set of one or more worker processes. Application pools provide process isolation for Web services, resulting in improved performance and reliability. You use the IIS Manager to create application pools and configure their properties, such as process recycling, virtual memory limits, shutdown, and CPU monitoring.
- Virtual Web servers—IIS can host multiple virtual Web servers. The IIS Manager provides the interface through which you create virtual server instances, create virtual directories for virtual servers, and set all of the properties for the site and its virtual directory, such as security, authentication, home directory, and permissions.
- Web service extensions—In a move toward better security, Microsoft essentially locked down IIS in a default installation. You use the IIS Manager to configure whether Web services such as Active Server Pages, WebDAV, and unknown CGI extensions are allowed to run on the server. A default installation includes several extensions, and you can add other Web service extensions as needed.
- Virtual FTP servers—IIS can host multiple FTP virtual servers. You use the IIS Manager to create FTP virtual servers and configure all of their properties, including folder location, virtual directories, and authentication and security.
- Virtual SMTP servers—Windows Server 2003 includes an SMTP service that enables a Windows Server 2003 computer to function as an SMTP server. The SMTP service can be used to send outgoing mail or to receive mail locally. The SMTP service works in conjunction with the POP3 service or Exchange Server to provide full mail server capability for Windows Server 2003. You use the IIS Manager to create SMTP virtual servers and configure their settings, such as port, access restrictions, authentication, and relay restrictions. Note that on an Exchange Server, you manage SMTP virtual servers with the Exchange Server Manager rather than the IIS Manager.
- Virtual NNTP servers—The Network News Transfer Protocol (NNTP) service in Windows Server 2003 enables you to host public or private newsgroups. You might host support newsgroups for your customers, for example, or pull from public news servers to provide a local cache of certain newsgroups for your users.
By default, the IIS Manager provides access to the local IIS services, but you can use it to manage IIS services on remote servers, as well. For the purposes of this Daily Drill Down, we'll focus on the basic Web site administration duties and look at virtual servers in a later article.
How is IIS different in Windows Server 2003?
Microsoft completely reworked IIS in Windows Server 2003, and the IIS Manager exposes those differences. First, the Application Pools container is new and gives you access to existing application pools and the capability to create new application pools. The IIS Manager also offers commands for recycling a pool and starting or stopping a pool. The Web Service Extensions branch is also new, giving you the capability to easily specify which Web service extensions are allowed or prohibited.
The other major difference in the IIS Manager in Windows Server 2003 is the capability to export configuration data as a structured XML file. This provides a means for backing up multiple metabase configurations to XML, the capability to make configuration changes without restarting services, and the capability to easily import a configuration from another server.
There are lots of other significant changes in the way IIS works in Windows Server 2003. Check the IIS 6.0 Features\What's Changed section of the IIS Manager Help content for a complete list of architectural and functional changes in IIS 6.0.
A quick tour of the IIS Manager
When you open the IIS Manager, you'll find that it's a typical MMC console with a console tree pane on the left and a details pane on the right (Figure A). The console tree pane includes a hierarchical tree with several branches. The contents of the tree depend on the components you've installed on the server. For example, the FTP Sites branch is missing if you haven't installed the FTP service. Likewise, NNTP appears only if you've installed the NNTP service.
Figure A: IIS Manager is a standard MMC console snap-in that enables you to manage all IIS properties and virtual servers.
There is nothing remarkable about the IIS Manager's menus, with menu options falling pretty much along the lines of a standard console snap-in. The Action menu really is where most of the action happens. You can start, stop, pause, and resume existing virtual servers and create new ones. You can also open the properties for an object with the Action menu.
The toolbar includes common buttons for navigating within the console, refreshing the display, and opening the properties for the selected item. The three buttons at the right of the toolbar enable you to start, stop, and pause the selected virtual server. As with other MMC console snap-ins, you can right-click objects in the console tree pane to open a context menu with access to the most commonly used commands and tasks.
Menus and toolbars
The IIS Manager is a standard MMC console snap-in and includes rather typical menus and toolbars. The Action menu's contents change depending on what you've selected. In general, it enables you to stop, start, or pause a virtual server; start a wizard to create a new site or virtual directory; access the properties for the selected item; and save the selected object's configuration to an XML file that you can use to import the object to another server.
The toolbar also changes somewhat depending on which branch or item you've selected. Of particular use are the buttons that open the selected item's property sheet and enable you to start, stop, or pause a virtual server. Now, let's take a look at the individual branches in the IIS Manager.
FTP Sites
The FTP Sites branch contains all of the FTP virtual servers (sites) hosted by the server. IIS includes a single site initially called the Default FTP Site. This FTP site uses the standard port 21 and is assigned to all unassigned addresses. This means that the FTP service will respond on all IP addresses bound to the server for FTP traffic not handled by another virtual FTP server. The Default FTP Site is configured to allow read access but not write access, and supports anonymous as well as authenticated access. The default site is also configured to log connections to the site. The default root folder for the site is \Inetpub\Ftproot.
To view or change the properties for an FTP site, click the site and click the Properties toolbar button. Figure B shows the FTP Site tab, the first of five tabs that define the FTP site.
Figure B: The FTP Site tab defines the site's address, port, connections, and logging.
The tabs for an FTP site include the following:
- FTP Site—This tab specifies the site's IP address, port, description (as it appears in the IIS Manager), connection limits, and logging. You can click Current Sessions to view a list of current connections to the virtual server and optionally disconnect them individually or as a whole.
- Security Accounts—Use this tab to configure site authentication. You can use anonymous and authenticated access, only authenticated access, or only anonymous access. You can also use this tab to specify the account used by IIS for anonymous FTP access, but it's best to use the default IUSR_machine account instead.
- Messages—Add text on this tab for the site banner, welcome message, logoff (exit) message, and the message IIS displays when the maximum number of connections has been reached.
- Home Directory—Specify whether the root folder for the site is located on the local server or on another computer on the network; also specify the path to the folder, general access permissions, and the directory listing style (UNIX or DOS).
- Directory Security—This tab allows you to configure the site to allow or deny connections from specific IP addresses. You can specify individual IPs or subnets.
The FTP Site Creation Wizard
The IIS Manager provides a wizard to help you set up an FTP site. Right-click the FTP Sites folder and choose New, FTP Site. In the wizard, you specify the site description, IP address, and port. The wizard also offers three options for user isolation (Figure C).
Figure C: You can specify an isolation mode for an FTP site.
These options, which enable administrators to restrict user access to specific folders, include the following:
- Do Not Isolate Users—Isolation is disabled, and users can access any folder under the root, subject to individual permissions set through NTFS ACLs. This behavior is the same as in previous versions of IIS. If a user logs on with an account for which there is a matching physical or virtual directory, the user's session starts in that folder. If not, the session starts in the FTP root folder.
- Isolate Users—Use this option to restrict users to a folder under the FTP root that matches the user's account name. Users are authenticated against local or domain accounts. Users can't navigate away from their home directory.
- Isolate Users Using Active Directory—This option causes IIS to search the Active Directory for the credentials specified by the user. The specified AD account must have the msIIS-FTPRoot and msIIS-FTPDir properties set to specify the UNC file share and home folder, respectively, that define the path to the user's FTP folder. The AD must be running Windows Server 2003 or, if running Windows 2000 Server, must have the schema updated.
If you choose either of the first two options, the wizard prompts for the path to the FTP site's root folder.
Virtual Directory Creation Wizard
An IIS FTP site can include one or more virtual directories. These virtual directories can be located on other volumes or servers but appear as subfolders under the FTP root. Right-click an FTP site and choose New, Virtual Directory to start the wizard, which prompts for the following:
- Alias—This is the name for the folder in the FTP virtual hierarchy and the name by which the user sees the folder.
- Path—Specify a local path or a UNC share.
- Security credentials—If you specify a UNC share, you must also specify how IIS will connect to the specified share. You can enter an explicit account and password for the resource or specify that IIS use the client's logon account to authenticate in the remote share.
Application Pools
The Application Pools branch in the IIS Manager lets you view and configure existing application pools and create new ones. Application pools provide worker process isolation for Web applications for reliability and recoverability. The server must be running in IIS worker process isolation mode to support application pooling.
Figure D: You configure pool recycling, performance, and other settings in the properties for an application pool.
The property sheet for an application pool (Figure D) offers the following tabs:
- Recycling—This tab configures the frequency at which IIS recycles the application pool, including when the pool has consumed a specified amount of memory.
- Performance—Use this tab to configure when idle worker processes are shut down; set a limit on the kernel request queue; enable and configure CPU monitoring; and set the maximum number of worker processes.
- Health—This tab configures whether and how frequently IIS checks worker processes to determine if they are alive; sets limits to disable the application pool if it experiences excessive failures; and sets the amount of time allowed for worker processes to start and stop before being considered hung.
- Identity—Use this tab to set the security context under which the application pool runs.
You assign Web services to application pools through the properties for each Web site or virtual directory.
Web Sites
The Web Sites branch contains all of the virtual Web server instances hosted by the server. IIS sets up a Default Web Site automatically. You can configure properties for existing sites, create new sites, and control a site (start, stop, or pause the site) through this branch. Each virtual server appears in this branch as a subbranch that lists each of the physical and virtual directories that comprise the site.
To set the properties for an existing Web site, click the site and then click the Properties toolbar button. You'll then see the screen shown in Figure E.
Figure E: You configure all of the properties for a virtual Web server through the site properties.
The site property sheet offers 10 tabs:
- Web Site—Each virtual server is identified by three properties, one of which must be unique for all running sites. These properties are IP address, port, and host header. A combination of IP address, port, and host header constitutes a single identity. A single site can have multiple identities, for example, responding to different host headers. Use the Web Site Identification group to set these (click Advanced to specify host headers). The Web Site tab also configures connection timeout and logging.
- Performance—The Performance tab enables you to apply bandwidth throttling to the site to manage bandwidth. You can also limit the number of allowed concurrent connections.
- ISAPI Filters—ISAPI filters are programs that respond to events during HTTP request processing. This tab lists the ISAPI filters that apply to the virtual server and enables you to add or remove filters and set their priority.
- Home Directory—This tab sets the location of the site's root folder, which can be a local folder, network share, or other URL. You can set permissions for local folders and shares (read, write, etc.) and set execute permissions for the site. The Application Settings group is where you set the application pool for the virtual server and configure the Web service. Click Configuration to open the Application Configuration dialog box (Figure F), where you configure extension mapping and how Active Server Pages run.
Figure F: Configure file extensions and ASP behavior with the Application Configuration dialog box.
- Documents—A site can have one or more default documents that can be served to clients if the user does not specify a document but instead only enters the URL for the virtual server itself. Use the Documents tab to specify the default document(s) and optionally append an HTML-formatted footer to each document served by the virtual server. The footer might include banner ads, copyright information, or any other type of information.
- BITS Server Extension—Background Intelligent Transfer Service (BITS) provides a framework for file transfer between client and server that offers bandwidth management to reduce the impact on both server and client performance. With this tab, you enable BITS uploads; set file transfer limits; specify how files are transferred; and set notification, which determines how data is passed to the file server. In most situations, you'll configure BITS at the virtual directory level rather than at the virtual server level.
- Server Extensions 2002—This tab indicates the version of SharePoint Services (FrontPage Server Extensions) installed on the virtual server and provides a single button you can click to access the administration Web page for the virtual server. This tab is empty if you haven't enabled SharePoint Services/FPSE on the virtual server. You do that through the All Tasks command on the virtual server's context menu (right-click the site).
- Directory Security—Use this tab to enable/disable anonymous access to the site and configure authentication methods; grant or deny access based on client IP address, subnet, or domain name; and assign and configure a server certificate for SSL. The IIS Manager provides a wizard to help you request and install a server certificate for the virtual server.
- HTTP Headers—With this tab, configure the values returned to the client browser in the HTTP headers for served pages. You can configure content expiration settings, create custom headers, enable and configure RSACi ratings for the site, and register new MIME types.
- Custom Errors—This tab defines the error information returned by the server for specific HTTP errors. You can specify a URL, a pointer to a file, or use default text for the error message. For example, you might create a page of links and other useful information to replace the default 404 error page that is displayed when the client requests a page that doesn't exist.
Web site wizards
The IIS Manager offers a handful of wizards to help you create new Web sites and virtual directories. A virtual directory appears as a subfolder under the Web site's root folder but is located in a different folder, volume, or even another server. The Web Site Creation Wizard prompts for the Web site description (which appears as its name in the console tree pane), IP address, port, host header, root folder path, and permissions. The Virtual Directory Creation Wizard prompts for the directory's alias (its virtual folder name), actual path, and permissions. You can also add a site or virtual directory by importing an XML file that was exported from the local server or from another server (or less likely, created manually).
Web Service Extensions
The Web Service Extensions branch (Figure G) enables you to configure existing Web service extensions on the server and add new Web service extensions. Web service extensions support various types of dynamic Web content. Windows Server 2003 installs several extensions by default, some of which are Active Server Pages, ASP.NET, Server Side Includes, and WebDAV. In a default IIS installation, only static content is allowed, and the Web service extensions are configured as prohibited.
Figure G: Use the Web Service Extensions branch to add and allow/prohibit Web service extensions.
The Extended view, shown in Figure G, includes buttons and links for common tasks such as adding an extension, allowing or prohibiting the selected extension, and setting its properties. You can also right-click an extension to allow or prohibit the extension or set its properties. Through an extension's property sheet (Figure H), you can view the files associated with the extension and allow or prohibit individual files.
Figure H: You can allow or prohibit individual components, but in most cases doing so will prevent the extension from working properly.
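The allow/prohibit state shown in the Web Service Extensions branch can also be reviewed offline against a list of approved extensions. The following is an added example, not part of the original article or of IIS itself: it audits a constructed sample written in the entry layout assumed here for the metabase's WebSvcExtRestrictionList property (flag,path,deletable,group,description, with *.dll and *.exe standing for unknown ISAPI and CGI extensions). The function names, the approved-group policy, and the REPORT entries are hypothetical.

```python
from collections import defaultdict
from typing import NamedTuple

# Constructed sample, one entry per line (assumed layout:
# flag,path[,deletable,group,description]; flag 1 = allowed, 0 = prohibited).
SAMPLE = r"""
1,*.dll
0,*.exe
1,C:\WINDOWS\system32\inetsrv\asp.dll,0,ASP,Active Server Pages
1,C:\WINDOWS\system32\inetsrv\httpext.dll,0,WEBDAV,WebDAV
0,C:\WINDOWS\system32\inetsrv\ssinc.dll,0,SSINC,Server Side Includes
1,C:\apps\report\render.dll,1,REPORT,Report renderer
0,C:\apps\report\export.dll,1,REPORT,Report renderer
"""

class ExtEntry(NamedTuple):
    allowed: bool
    path: str
    group: str          # empty for the two wildcard entries
    description: str

def parse_restriction_list(value):
    """Turn the multi-line property value into ExtEntry records."""
    entries = []
    for line in value.splitlines():
        line = line.strip()
        if not line:
            continue
        fields = line.split(",", 4)   # the description may itself contain commas
        if len(fields) < 2 or fields[0] not in ("0", "1"):
            raise ValueError(f"unrecognised entry: {line!r}")
        group = fields[3] if len(fields) > 3 else ""
        desc = fields[4] if len(fields) > 4 else ""
        entries.append(ExtEntry(fields[0] == "1", fields[1], group, desc))
    return entries

def audit(entries, approved_groups):
    """Return findings for anything allowed beyond the approved extensions."""
    findings = []
    states = defaultdict(set)         # group -> set of allowed flags seen
    for e in entries:
        if e.path.lower() in ("*.dll", "*.exe"):
            if e.allowed:
                kind = "ISAPI" if e.path.lower() == "*.dll" else "CGI"
                findings.append(f"all unknown {kind} extensions allowed ({e.path})")
            continue
        states[e.group].add(e.allowed)
        if e.allowed and e.group not in approved_groups:
            findings.append(f"unapproved extension allowed: {e.group} ({e.path})")
    for group, seen in states.items():
        if seen == {True, False}:     # some files allowed, others prohibited
            findings.append(f"extension partly allowed, may not work: {group}")
    return findings

if __name__ == "__main__":
    for finding in audit(parse_restriction_list(SAMPLE), {"ASP"}):
        print(finding)
```

With ASP as the only approved group, the sample yields four findings: the unknown-ISAPI wildcard, WebDAV, the allowed REPORT file, and the half-enabled REPORT group that Figure H's caption cautions about.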
Performing common tasks for IIS
Now that you're familiar with the IIS Manager, you’re ready to start creating and managing virtual Web servers. Table A lists common IIS management tasks and explains how to accomplish them.