IIS on Cloud for windows server

Overview

Internet Information Services (IIS) is a flexible web server from Microsoft that runs on Windows systems to serve requested HTML pages or files. It receives requests from remote client computers and returns the proper response. The main functionality allows web servers to share and deliver information across local area networks (LAN), such as corporate intranets, and wide area networks (WAN), such as the internet. A web server can deliver information to users in several forms, such as static webpages coded in HTML; through file exchanges as downloads and uploads; and text documents, image files and more.

It is a Windows Server-based web application used to deliver website content over the internet to an end user. Internet Information Services is an installable server role, and it is bundled with all Microsoft Windows Server products. More recently, Microsoft has bundled IIS components with the professional versions of their desktop operating system products, such as Windows 10 Pro; however, IIS is typically deployed and centrally managed on one or more Microsoft Windows Servers.

There are two commonly used web server applications available: Apache and Internet Information Services. Apache is an open source installable application commonly used on open system platforms such as Linux, whereas IIS comes with a licensed copy of Windows Server. As IIS is a Microsoft product, IIS offers several advantages over Apache; arguably the biggest advantage is that the user base, in most circumstances, will already be familiar with the product layout, design and terminology, simply because most are existing Windows operators. This makes the product extremely easy to learn and navigate and allows for other Microsoft products to be directly integrated into IIS, such as SharePoint, PowerShell and Microsoft Office.

Microsoft provides product support for all licensed copies of Windows Server, so there is no need to purchase additional support packages as with most open source web server applications. IIS works with C# and .NET web application frameworks such as ASP.NET MVC and Entity Framework, and it integrates with Visual Studio, all of which make it a popular choice for enterprises.

As IIS is bundled with Windows Server, updates are usually concurrently released with each OS revision or new release. First released in 1995, IIS was originally developed in-house by Microsoft as an add-on for Windows NT 3.51. It was first bundled with an OS when Windows NT 4.0 was released in 1996; this inclusion of IIS by default caused many system administrators and web developers to first take notice of IIS. It grew rapidly in popularity with the release of Windows Server 2000, and demand grew exponentially when Windows Server 2003 was published. Different versions of IIS have been released with Windows Server 2008, Server 2012 and, more recently, Windows Server 2016, which was released with IIS version 10.

Today, IIS is found widely in data centers across the globe and powers some of the most popular websites online including Comcast.com, Disney.com and Ebay.com. IIS is growing significantly in popularity and usage. It can be centrally managed and scaled to create vast web server farms for high traffic and high demand websites.

Another important feature of IIS is the ability to delegate control of the administration of a website or web application. This is great for creating access controls for different departments. For example, your web developers may only need access to the website front end, and your IT technical teams only require access to the configuration (or backend). IIS is easily integrated with API technology. This technology lowers the overhead hardware requirements on the host server(s), which can be used to reduce server footprint or can allow extra bandwidth during peak trading or high demand sales events such as Black Friday.

Microsoft has significantly improved the security of IIS since it released NT 4.0. Patching and security updates can be easily managed with seamless load balancing options. This allows servers to be removed from the farm, patched, and then added back to the farm with zero impact on the production website. Websites and web applications can be isolated, as IIS worker processes have a unique secure identity.

How IIS works

IIS works over a variety of standard languages and protocols. HTML is used to generate elements such as text, buttons, image placements, direct interactions/behaviors and hyperlinks. The Hypertext Transfer Protocol (HTTP) is the basic communication protocol used to exchange information between web servers and users. HTTPS, HTTP over Secure Sockets Layer (SSL), uses Transport Layer Security or SSL to encrypt the communication for added data security. The File Transfer Protocol (FTP), or its secure variant, FTPS, can transfer files. Additional supported protocols include the Simple Mail Transfer Protocol (SMTP), to send and receive email, and the Network News Transfer Protocol, to deliver articles on Usenet.

IIS Express for testing

Microsoft provides a self-contained version of IIS, called IIS Express, for developers to test websites. IIS Express offers all the major capabilities of the full IIS web server, but allows many tasks to be performed without administrative privileges.

Security

Organizations need to take security measures to ensure a website is secure and to protect the web server from security breaches. Companies can use features built into IIS to harden IIS.

A few ways to harden Windows IIS include:

  • Ensure the Windows operating system is updated with all security patches.
  • Disable any features of IIS not in use to reduce potential attacks.
  • Use firewalls to ensure the server is only receiving valid packets.
  • Control which IP addresses and domains can access the web server.
  • Use URL authorization to apply rules for specific requests, such as dealing with particular URLs. A company can use URL authorization to only authorize certain users to view the requested pages.
  • Use logging to view the visitors accessing the web server.
  • Configure the error page to display only relevant information about an issue. Make certain that error pages don’t display too much information, such as usernames, passwords, the IP address of the server or any information that hackers could use to exploit the web server.
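
An added example, not from the original page: a small Python audit that checks a site's web.config for several of the hardening items listed above (error detail, unused features, IP restrictions, URL authorization). Both configuration samples are constructed, and treating a missing IP allowlist as a finding is an assumption suited to an internal site.

```python
import xml.etree.ElementTree as ET

# Constructed sample: a site-level web.config with weak settings.
WEAK_CONFIG = """
<configuration>
  <system.web>
    <customErrors mode="Off" />
  </system.web>
  <system.webServer>
    <httpErrors errorMode="Detailed" />
    <directoryBrowse enabled="true" />
    <security>
      <ipSecurity allowUnlisted="true" />
      <authorization>
        <add accessType="Allow" users="*" />
      </authorization>
    </security>
  </system.webServer>
</configuration>
"""

# Constructed sample: the same settings after hardening.
# The address range and the WebAdmins role are placeholders.
HARDENED_CONFIG = """
<configuration>
  <system.web>
    <customErrors mode="RemoteOnly" />
  </system.web>
  <system.webServer>
    <httpErrors errorMode="DetailedLocalOnly" />
    <directoryBrowse enabled="false" />
    <security>
      <ipSecurity allowUnlisted="false">
        <add ipAddress="10.20.0.0" subnetMask="255.255.0.0" allowed="true" />
      </ipSecurity>
      <authorization>
        <remove users="*" roles="" verbs="" />
        <add accessType="Allow" roles="WebAdmins" />
      </authorization>
    </security>
  </system.webServer>
</configuration>
"""


def audit_web_config(xml_text):
    """Return a list of (check_id, message) for each weak setting found."""
    root = ET.fromstring(xml_text.strip())
    findings = []

    def attr(path, name, default):
        # Attribute value at `path`, or the default when it is not set.
        node = root.find(path)
        return default if node is None else node.get(name, default)

    # Error pages: flag settings that send full error detail to remote clients.
    if attr("system.web/customErrors", "mode", "RemoteOnly").lower() == "off":
        findings.append(("aspnet-errors", "customErrors mode=Off shows ASP.NET error detail to remote clients"))
    if attr("system.webServer/httpErrors", "errorMode", "DetailedLocalOnly").lower() == "detailed":
        findings.append(("iis-errors", "httpErrors errorMode=Detailed shows IIS error detail to remote clients"))

    # Unused features: directory listing is rarely needed on a production site.
    if attr("system.webServer/directoryBrowse", "enabled", "false").lower() == "true":
        findings.append(("dir-browse", "directory browsing is enabled"))

    # IP restrictions: anything other than allowUnlisted=false admits every address.
    # (Assumption: this site is meant to be reachable from known ranges only.)
    if attr("system.webServer/security/ipSecurity", "allowUnlisted", "true").lower() != "false":
        findings.append(("ip-open", "ipSecurity admits addresses that are not listed"))

    # URL authorization: an Allow rule for all (*) or anonymous (?) users.
    for rule in root.findall("system.webServer/security/authorization/add"):
        if rule.get("accessType", "").lower() == "allow" and rule.get("users") in ("*", "?"):
            findings.append(("url-auth-open", "authorization allows users=" + rule.get("users")))
    return findings


if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_web_config(text))
```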

How does IIS handle web requests?

The two main process models for web servers are to either handle all requests on a single thread, or to spawn a new thread for each request. Although the single-thread model has some worker threads available, it typically only uses them for certain kinds of work, such as file system access. The thread-per-request model that IIS uses will grab a thread from a thread pool for each request. Web servers typically handle requests using a request-response pattern. The client sends a request and receives a response if all goes well. The HTTP protocol is the ubiquitous choice when communicating between a client and web server over the internet.

What is IIS?

IIS (Internet Information Services) is one of the most powerful web servers from Microsoft and is used to host your ASP.NET web application. IIS has its own ASP.NET process engine to handle ASP.NET requests. So, when a request comes from client to server, IIS takes that request, processes it and sends the response back to the client.

Request Processing:

By now it should be clear what a web server and IIS are and what they are used for. Now let's have a look at how they do things internally. Before we move ahead, you have to know about two main concepts:

1. Worker Process
2. Application Pool

Worker Process: The worker process (w3wp.exe) runs the ASP.NET application in IIS. This process is responsible for managing all the requests and responses coming from the client system. All the ASP.NET functionality runs under the scope of the worker process. When a request comes to the server from a client, the worker process is responsible for generating the request and response. In short, the worker process is the heart of an ASP.NET web application that runs on IIS.
Application Pool: The application pool is the container of the worker process. Application pools are used to separate sets of IIS worker processes that share the same configuration. Application pools enable better security, reliability, and availability for any web application. The worker process serves as the process boundary that separates each application pool, so that when one worker process or application is having an issue or recycles, other applications or worker processes are not affected. This makes sure that a particular web application doesn’t impact other web applications, as they are configured into different application pools.
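
An added example (not part of the original page) that checks this isolation boundary offline: it reads XML in the shape of applicationHost.config and reports application pools shared by several sites, and pools whose worker process runs as LocalSystem. The sample configuration and its site and pool names are constructed, and the code assumes every application names its pool explicitly.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample in the shape of applicationHost.config.
SAMPLE_APPHOST = """
<configuration>
  <system.applicationHost>
    <applicationPools>
      <add name="SharedPool" />
      <add name="ShopPool">
        <processModel identityType="ApplicationPoolIdentity" />
      </add>
      <add name="LegacyPool">
        <processModel identityType="LocalSystem" />
      </add>
    </applicationPools>
    <sites>
      <site name="Intranet" id="1">
        <application path="/" applicationPool="SharedPool" />
      </site>
      <site name="Blog" id="2">
        <application path="/" applicationPool="SharedPool" />
      </site>
      <site name="Shop" id="3">
        <application path="/" applicationPool="ShopPool" />
        <application path="/admin" applicationPool="LegacyPool" />
      </site>
    </sites>
  </system.applicationHost>
</configuration>
"""

# Identity used when a pool does not set one (the IIS 7.5 and later default).
DEFAULT_IDENTITY = "ApplicationPoolIdentity"


def audit_app_pools(xml_text):
    """Report pools that weaken the per-pool process boundary."""
    host = ET.fromstring(xml_text.strip()).find("system.applicationHost")

    # Pool name -> account its w3wp.exe worker process runs as.
    identities = {}
    for pool in host.findall("applicationPools/add"):
        model = pool.find("processModel")
        identity = DEFAULT_IDENTITY if model is None else model.get("identityType", DEFAULT_IDENTITY)
        identities[pool.get("name")] = identity

    # Pool name -> sites that have at least one application in that pool.
    sites_by_pool = defaultdict(set)
    for site in host.findall("sites/site"):
        for app in site.findall("application"):
            sites_by_pool[app.get("applicationPool")].add(site.get("name"))

    return {
        # Sites in the same pool share a worker process, so a fault or
        # compromise in one is not contained from the other.
        "shared_pools": {p: sorted(s) for p, s in sites_by_pool.items() if len(s) > 1},
        # LocalSystem gives application code full control of the server.
        "privileged_pools": sorted(p for p, i in identities.items() if i == "LocalSystem"),
    }


if __name__ == "__main__":
    print(audit_app_pools(SAMPLE_APPHOST))
```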

An application pool with multiple worker processes is called a “Web Garden.”
Now let’s have a look at how IIS processes a new request when it comes in from a client.
If we look into the IIS 6.0 architecture, we can divide it into two layers:

1. Kernel Mode
2. User Mode

Kernel mode was introduced with IIS 6.0 and contains HTTP.SYS. So whenever a request comes from client to server, it will hit HTTP.SYS first.

HTTP.SYS is responsible for passing the request to the particular application pool. How does HTTP.SYS know where to send the request? This is not a random pick. Whenever we create a new application pool, the ID of the application pool is generated and registered with HTTP.SYS. So whenever HTTP.SYS receives a request for any web application, it checks for the application pool and, based on the application pool, sends the request.

So, this was the first step of IIS request processing.
So far, the client has requested some information and the request has reached the kernel level of IIS, that is, HTTP.SYS. HTTP.SYS has identified the name of the application pool to send it to. Now, let’s see how this request moves from HTTP.SYS to the application pool.

In the user level of IIS, we have Web Admin Services (WAS), which takes the request from HTTP.SYS and passes it to the respective application pool.

When the application pool receives the request, it just passes the request to the worker process (w3wp.exe). The worker process “w3wp.exe” looks up the URL of the request to load the correct ISAPI extension. ISAPI extensions are the IIS way to handle requests for different resources. Once ASP.NET is installed, it installs its own ISAPI extension (aspnet_isapi.dll) and adds the mapping into IIS.
Note: Sometimes, if we install IIS after installing ASP.NET, we need to register the extension with IIS using an aspnet_regiis command.

When the worker process loads aspnet_isapi.dll, it starts an HttpRuntime, which is the entry point of an application. HttpRuntime is a class which calls the ProcessRequest method to start processing.

When this method is called, a new instance of HttpContext is created, which is accessible through the HttpContext.Current property. This object remains alive for the lifetime of the request. Using HttpContext.Current we can access other objects such as Request, Response, Session, etc.

After that, HttpRuntime loads an HttpApplication object with the help of the HttpApplicationFactory class. Every request should pass through the corresponding HttpModules to reach the HttpHandler; this list of modules is configured by the HttpApplication.
Now comes the concept called the “HTTP pipeline.” It is called a pipeline because it contains a set of HttpModules (at both the Web.config and Machine.config level) that intercept the request on its way to the HttpHandler. HttpModules are classes that have access to the incoming request. We can also create our own HttpModule if we need to handle anything during the request and response.

HTTP handlers are the endpoints in the HTTP pipeline. Every request that passes through the HttpModules should reach an HttpHandler. The HTTP handler generates the output for the requested resource. So, when we request any aspx web page, it returns the corresponding HTML output.
All requests now pass from the HttpModules to the respective HttpHandler, and then the ASP.NET page life cycle starts. This ends the IIS request processing and starts the ASP.NET page life cycle.

When the client requests some information from a web server, the request first reaches HTTP.SYS of IIS. HTTP.SYS then sends the request to the particular application pool. The application pool then forwards the request to the worker process to load the ISAPI extension, which will create an HttpRuntime object to process the request via the HttpModules and HttpHandler. After that, the ASP.NET page life cycle events start.

Installing IIS on Windows:

Keeping with Microsoft's modular design of, uhm, everything these days, IIS in Windows is still an optional “Windows Feature”. To install it, press the Windows + R key combination to bring up a run box, then type appwiz.cpl and press Enter.

This will open the Program and Features part of Control Panel, on the left hand side click on the “Turn Windows features on or off” link.

Now click on the Internet Information Services check box.

If you’re a developer you are going to want to expand it and explore the sub-components as well. By default it installs all the stuff needed to host a website, and you are probably going to need some of the more developer centric components as well.

After clicking OK, this dialog will appear on your screen for a while.

When it's done, fire up your browser and navigate to localhost.

The Applications Of IIS

  • The IIS Manager is used for configuring the features of the IIS
  • The File Transfer Protocol allows the user to upload and download files
  • Webpage isolation is used to prevent one website from interfering with other websites on the user’s server
  • It is also used to configure web applications that are developed using a wide range of programming languages, such as PHP, Python, and ASP.NET
  • The Windows PowerShell can be used for undertaking a majority of administrative tasks for your web server

The Advantages Of IIS Are As Follows

  • The cost of deployment per user is reduced with the use of IIS. The end users of an IIS application can run it via a browser. A user does not need to install specialized software on their computer in order to run the application
  • IIS applications work with a multitude of browsers and Operating Systems (OS). It gives the user an opportunity to reach a wide audience
  • The framework of active server pages gives the user an object model which enables the user to manipulate forming the core of the IIS. Furthermore, it allows the user to undertake data retrieval from a browser
  • Once a web class has been created, it can easily be accessed in a separate web class
  • Unlike scripting, your code isn’t embedded in the HTML document. The process of developing and designing the application or website’s User Interface can be separated from writing and debugging its code
  • The state  between a client and the server can be managed using a database or an object

 

Internet Information Services (IIS, formerly Internet Information Server) is an extensible web server created by Microsoft for use with the Windows NT family. IIS supports HTTP, HTTPS, FTP, FTPS, SMTP and NNTP. It has been an integral part of the Windows NT family since Windows NT 4.0, though it may be absent from some editions (e.g. Windows XP Home edition), and is not active by default.

The Administration API for IIS was developed as an ASP.Net Core application. This allowed us to take advantage of the Web API conventions that the MVC framework offered. This application has to be accessible at all times to allow users to be able to configure IIS whenever necessary, therefore we needed it to run as a service. Hostable Web Core (HWC) is a technology that allows a consumer to have an in-process version of IIS available to them. When HWC gets loaded in, the process has access to all the capabilities that the full IIS offers. We took advantage of HWC to enable behavior quintessential to the success of the API such as windows authentication, logging, and SSL bindings.

IIS is owned by IIS (https://www.iis.net/) and they own all related trademarks and IP rights for this software

Cognosys provides hardened images of IIS on all public cloud i.e. AWS marketplace and Azure.

Hardened IIS on Windows Server 2016

The architecture that we use allows the API to be self hosted as a windows service.

Features

IIS is full of various features. Most commonly, IIS is used to host ASP.NET web applications and static websites. It can also be used as an FTP server, host WCF services, and be extended to host web applications built on other platforms such as PHP.

There are built-in authentication options such as Basic, ASP.NET, and Windows auth. The latter is useful if you have a Windows Active Directory environment: users can be automatically signed into web applications using their domain account. Other built-in security features include TLS certificate management and binding for enabling HTTPS and SFTP on your sites, request filtering for whitelisting or blacklisting traffic, authorization rules, request logging, and a rich set of FTP-specific security options.

One key feature of IIS is the application pool. We’ll have to take a closer look at the application pool, as it’s a critical component of the IIS process model.

An irreplaceable feature is remote management. IIS can also be managed via the CLI or using PowerShell. You can script everything, which is great if you like the power that comes with being able to do so.

It can be extended to serve many purposes besides hosting ASP.NET apps. Through extension, IIS becomes a highly versatile and stable web server for the Windows platform. Let’s take a look at how to install IIS on Windows 10.

New Features Introduced in IIS 10.0

IIS 10.0 is the latest version of Internet Information Services (IIS) which shipped with Windows 10 and Windows Server 2016. This article describes the new functionality of IIS on Windows 10 and Windows Server 2016 and provides links to resources to learn more about these features.

HTTP/2

IIS 10.0 adds support for the HTTP/2 protocol, which allows for numerous enhancements over HTTP 1.1 and results in an efficient reuse of connections and a reduction in latency. HTTP/2 support was added to Windows Server 2016 and Windows 10 as part of the kernel-mode device driver, HTTP.sys, and all your existing IIS 10.0 websites can benefit from this. (The latest versions of most modern browsers already support HTTP/2 over TLS so you may already be using HTTP/2.)

IIS on Nano Server

Nano Server is a new headless, 64-bit-only installation option for Windows 10 and Windows Server 2016 which installs “just enough OS” thereby resulting in a smaller footprint. Nano Server provides higher density, increased uptime, and a smaller attack surface making it suitable for running web workloads.

IIS in Containers

Windows Server 2016 and Windows 10 with the Anniversary Update add support for containers which are isolated, resource controlled, and portable operating environments. Windows Server 2016 and Windows 10 support two different container runtimes with a different degree of isolation: Windows containers achieve isolation through process and namespace isolation, while Hyper-V containers achieve isolation through lightweight virtual machines. IIS 10.0 runs in both container runtimes as well as on both base OS images, Server Core and Nano Server, allowing you to choose the best Windows container environment for your web workloads.

Managing IIS

With the advent of Nano Server and Windows Containers, IIS now provides a better management story for all environments running (including those without a GUI). This browser-based application consumes the IIS Administration API to provide a familiar management experience. Microsoft IIS Administration supports IIS 7.5 and above.

IIS Administration PowerShell cmdlets

IIS 10.0 adds a new, simplified PowerShell module for managing IIS which scales better and offers better pipelining support than the existing Web Administration cmdlets. The new module gives you direct access to the Server Manager object, allowing for greater control over the configuration system.

Wildcard Host Headers

IIS 10.0 adds support for Wildcard Host Headers; you can now set up bindings to serve requests for any subdomain within a given domain.

IIS Thread Pool Ideal CPU Optimization for NUMA hardware

IIS 10.0 provides better performance on NUMA hardware through the IIS thread pool ideal CPU optimization.

Windows Server 2012 R2, Windows Server 2012

IIS Manager is the IIS 8 UI that helps you perform the following tasks:

  • Manage IIS and ASP.NET in one tool.
  • View health and diagnostic information that includes the ability to view currently running requests in real time.
  • Configure user and role authorization for websites and web applications.
  • Connect to a web server, site, or application remotely using HTTP.

Enhanced features in IIS 8.0 for Windows Server 2012

1) FTP Logon Attempt Restrictions

This module ensures security and manageability. With this feature you can now use greylisting and access patterns, enabling you to smoothly and dynamically manage access for a number of sites to the internet and FTP servers.

2) Improved CPU Throttling

In IIS8 there are kernel level changes to support real CPU throttling. There are two actions possible for sites that reach the CPU threshold. These are:

  1. Throttle

  2. Throttle Under Load

Throttling is based on the user and not specifically on the application pool. The throttle feature will keep the CPU for a particular worker process at the specified level.

Throttle under load will allow a site to use all possible CPU, while throttling the worker process if the server is under load. If you used WSRM (Windows System Resource Manager) in the past, you no longer need to do so.

3) Application Initialization Module

Previously known as the application warm-up module, which was in use for a time, it is now complete as the Application Initialization Module. It allows loading sites and pages before the traffic arrives and handling requests in a friendlier and smoother way while the application first loads. It is possible to set up a home page or use URL rewrites.

4) SSL Scalability

In previous versions of IIS each SSL (Secure Socket Layer) site required its own IP address, and since each certificate was loaded into memory on the first visit to an SSL site, startup performance could be slow. In IIS8 the SSL certificate is easily scalable to thousands of secure sites per system because only the certificate that is needed is loaded. Additionally, loading large numbers of certificates is improved.

5) SNI / SSL Host Header Support

Using host headers and a shared IP address with an SSL certificate has always been ambiguous. IIS8 now offers Server Name Indication (SNI) support, through which many SSL sites can share the same IP. SNI is a pretty new feature which allows host headers to work with SSL. The most recent browsers support SNI.

6) Use ASP.NET 3.5 And 4.5

IIS 8.0 on Windows Server 2012 runs ASP.NET applications on all .NET Framework versions supported on Windows Server 2012. This means ASP.NET applications can run on IIS 8.0 using either .NET Framework 3.5, or .NET Framework 4.5. IIS 8.0 hosts versions of the .NET Framework in different application pools, thus allowing multiple ASP.NET applications with different .NET Framework versions to run simultaneously on Windows Server 2012.

7) Web Sockets

Allows you to build more interactive and powerful web applications because of a continuous and bidirectional communication between the web browser and the web server. Web Sockets require Windows Server 2012 or higher versions.

8) Dynamic IP Restriction (DIPR)

With DIPR we can customize the IIS reply, such as Unauthorized (HTTP 401), Forbidden (HTTP 403), Not Found (HTTP 404), or Abort (IIS terminates the HTTP connection). We can also allow or deny a specific IP address or a range of IP addresses, even if they violate a dynamic restriction setting. We can block dynamic IP addresses based on the number of concurrent requests or the number of requests over a period of time. Finally, it is a very useful feature for web servers behind a firewall, because of the proxy mode property that enables IIS to cross-check the values in the X-Forwarded-For HTTP header, so it can verify the IP address of the client who initially made the request.
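
An added example, not from the original page: a Python review of W3C-format IIS logs that approximates the requests-over-time rule described above and shows why proxy mode matters when the server sits behind a proxy. The log lines are constructed, and the X-Forwarded-For column is assumed to be a custom logged field.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample: every request arrives through one proxy (c-ip 10.0.0.5);
# the original client is only visible in the X-Forwarded-For column.
SAMPLE_LOG = """
#Software: Microsoft Internet Information Services 10.0
#Version: 1.0
#Fields: date time cs-method cs-uri-stem c-ip sc-status X-Forwarded-For
2024-01-01 10:00:00 GET /login 10.0.0.5 200 203.0.113.7
2024-01-01 10:00:01 GET /login 10.0.0.5 200 203.0.113.7
2024-01-01 10:00:01 GET /index.html 10.0.0.5 200 198.51.100.9
2024-01-01 10:00:02 GET /login 10.0.0.5 200 203.0.113.7
2024-01-01 10:00:03 GET /login 10.0.0.5 200 203.0.113.7,+10.0.0.9
2024-01-01 10:00:04 GET /login 10.0.0.5 200 203.0.113.7
2024-01-01 10:00:20 GET /about.html 10.0.0.5 200 198.51.100.9
2024-01-01 10:00:40 GET /index.html 10.0.0.5 200 198.51.100.9
"""


def parse_w3c(text):
    """Yield one dict per request, keyed by the names in the #Fields directive."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) == len(fields):  # skip truncated lines
                yield dict(zip(fields, values))


def client_ip(entry, proxy_mode):
    """Address to count against: the socket peer, or the forwarded client."""
    forwarded = entry.get("X-Forwarded-For", "-")
    if proxy_mode and forwarded != "-":
        # W3C logs write spaces as '+'. Taking the left-most entry is an
        # assumption of this example; the header is client-supplied unless
        # the proxy overwrites it, so rely on it only behind known proxies.
        return forwarded.replace("+", "").split(",")[0]
    return entry["c-ip"]


def over_limit(text, max_requests, window_seconds, proxy_mode=False):
    """Return {address: peak request count} for addresses exceeding the limit.

    Assumes log lines are in chronological order, as IIS writes them.
    """
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)  # address -> timestamps inside the window
    flagged = {}
    for entry in parse_w3c(text):
        stamp = datetime.strptime(entry["date"] + " " + entry["time"], "%Y-%m-%d %H:%M:%S")
        address = client_ip(entry, proxy_mode)
        seen = recent[address]
        seen.append(stamp)
        while stamp - seen[0] >= window:  # drop requests older than the window
            seen.popleft()
        if len(seen) > max_requests:
            flagged[address] = max(flagged.get(address, 0), len(seen))
    return flagged


if __name__ == "__main__":
    print("by socket address:", over_limit(SAMPLE_LOG, 3, 5))
    print("proxy mode:       ", over_limit(SAMPLE_LOG, 3, 5, proxy_mode=True))
```

Counting by socket address attributes every client's traffic to the proxy, so a rate rule would penalise all users at once; with the forwarded address only the one noisy client is reported.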

9) Multicore Scaling On NUMA Hardware

Internet Information Services (IIS) on Windows Server 2012 supports multicore scaling on NUMA hardware and provides the optimal configuration for IT administrators. The following options describe the different configurations available to achieve the best performance with IIS 8.0 on NUMA hardware. IIS supports the following two ways of partitioning the workload:

I. Run Multiple Worker Processes In One Application Pool

If you are using this mode, by default, the application pool is configured to run one worker process. For maximum performance, you should consider running the same number of worker processes as there are NUMA nodes, so that there is 1:1 affinity between the worker processes and NUMA nodes. This can be done by setting “Maximum Worker Processes” AppPool setting to 0. Due to this setting, IIS determines how many NUMA nodes are available on the hardware and starts the same number of worker processes.

II. Run Multiple Applications Pools In Single Workload/Site

In this configuration, the workload/site is divided into multiple application pools. For example, the site may contain several applications that are configured to run in separate application pools. Effectively, this configuration results in running multiple IIS worker processes for the workload/site and IIS intelligently distributes the processes for maximum performance.

Major Features of IIS

IIS 8.5 has several improvements related to performance in large-scale scenarios, such as those used by commercial hosting providers and Microsoft’s own cloud offerings. It also has several added features related to logging and troubleshooting. The new features are:

  • Idle worker-process page-out: a function to suspend idle sites to reduce their memory footprint.
  • Dynamic Site Activation: a feature that registers listening queues only to sites that have received requests.
  • Enhanced Logging: a feature to allow collection of Server variables, request headers and response headers in the IIS logs.
  • ETW logging: an ETW provider which allows collecting real-time logs using various event-tracing tools.
  • Automatic Certificate Rebind: a feature that detects when a site certificate has been renewed, and automatically rebinds the site to it.

IIS 8.0 offers new features targeted at performance and easier administration. The new features are:

  • Application Initialization: a feature that allows an administrator to configure certain applications to start automatically with server startup. This reduces the wait time experienced by users who access the site for the first time after a server reboot.
  • Splash page during application initialization: the administrator can configure a splash page to be displayed to the site visitor during an application initialization.
  • ASP.NET 4.5 support: With IIS 8.0, ASP.NET 4.5 is included by default, and IIS also offers several configuration options for running it side-by-side with ASP.NET 3.5.
  • Centralized SSL certificate support: a feature that makes managing certificates easier by allowing the administrator to store and access the certificates on a file share.
  • Multicore scaling on NUMA hardware: IIS 8.0 provides several configuration options that optimize performance on systems that run NUMA, such as running several worker processes under one application pool, using soft or hard affinity and more.
  • WebSocket Protocol Support.
  • Server Name Indication (SNI): SNI is an extension to Transport Layer Security, which allows binding of multiple websites with different hostnames to one IP address (similar to how Host Headers are used for non-SSL sites).
  • Dynamic IP Address Restrictions: a feature that enables an administrator to dynamically block IPs or IP ranges that hit the server with a large number of requests.
  • CPU Throttling: a set of controls that allow the server administrator to control CPU usage by each application pool in order to optimize performance in a multi-tenant environment.

Azure

Note: How to find PublicDNS in Azure

Step1 ) RDP Connection: To connect to the deployed instance, Please follow Instructions to Connect to Windows instance on Azure Cloud

Connect to virtual machine using following RDP credentials:

  • Hostname: PublicDNS  / IP of machine
  • Port : 3389

Username: Your chosen username when you created the machine ( For example:  Azureuser)
Password : Your Chosen Password when you created the machine ( How to reset the password if you do not remember)

Step 2) Choose Start, expand All Programs, and then expand IIS with Application Server

Step 3) Other Information:

1. Default ports:

  • Windows Machines:  RDP Port – 3389
  • Http: 80
  • Https: 443

Configure custom inbound and outbound rules using this link
