Automatically Redirect HTTP requests to HTTPS on IIS 7 using URL Rewrite

To automatically redirect HTTP requests to HTTPS on an IIS server, you will need to perform the following steps. First, make sure that the website has both ports configured in the Bindings section, just like in the following example:

Web server bindings

Now select the website and click on the URL Rewrite section from the menu:

URL rewrite module
Click on Add Rule(s) from the right section of the panel and create a Blank rule:
Windows Server 2008 URL rewrite
Set a name for the inbound rule and configure the pattern to (.*)
IIS URL rewrite
In the Conditions section press Add and set the following:
Condition input: {HTTPS}
Type: Matches the Pattern
Pattern: ^OFF$
In the Action menu configure the following:
Action type: Redirect
Redirect URL: https://{HTTP_HOST}/{R:1}
Redirect type: See Other (303)
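The same rule can be created from PowerShell instead of the IIS Manager GUI. This is an added example, not code from the original article; it assumes the URL Rewrite module is installed, and the site name, rule name and test URL are placeholders.

```powershell
# Added example: create the HTTP-to-HTTPS redirect rule with the
# WebAdministration module. Site name, rule name and test URL are
# placeholders chosen for this example.
Import-Module WebAdministration

$siteName = 'Default Web Site'              # hypothetical site name
$ruleName = 'Redirect HTTP to HTTPS'        # hypothetical rule name
$psPath   = "IIS:\Sites\$siteName"          # writes to the site's web.config
$rules    = 'system.webServer/rewrite/rules'
$rule     = "$rules/rule[@name='$ruleName']"

# Both bindings must exist, otherwise the redirect sends clients to a port
# nothing is listening on.
foreach ($proto in 'http', 'https') {
    if (-not (Get-WebBinding -Name $siteName -Protocol $proto)) {
        throw "Site '$siteName' has no $proto binding."
    }
}

# Remove an earlier copy of the rule so the script can be re-run safely.
if (Get-WebConfiguration -PSPath $psPath -Filter $rule) {
    Clear-WebConfiguration -PSPath $psPath -Filter $rule
}

# Inbound rule: pattern (.*), condition {HTTPS} matches the pattern ^OFF$.
Add-WebConfigurationProperty -PSPath $psPath -Filter $rules -Name '.' `
    -Value @{ name = $ruleName }
Set-WebConfigurationProperty -PSPath $psPath -Filter "$rule/match" `
    -Name url -Value '(.*)'
Add-WebConfigurationProperty -PSPath $psPath -Filter "$rule/conditions" -Name '.' `
    -Value @{ input = '{HTTPS}'; pattern = '^OFF$' }

# Action: Redirect to https://{HTTP_HOST}/{R:1} with See Other (303).
Set-WebConfigurationProperty -PSPath $psPath -Filter "$rule/action" `
    -Name type -Value 'Redirect'
Set-WebConfigurationProperty -PSPath $psPath -Filter "$rule/action" `
    -Name url -Value 'https://{HTTP_HOST}/{R:1}'
Set-WebConfigurationProperty -PSPath $psPath -Filter "$rule/action" `
    -Name redirectType -Value 'SeeOther'

# Check: request a page over plain HTTP without following redirects and show
# the status code and Location header the server answers with.
$req = [System.Net.WebRequest]::Create('http://localhost/some/page?x=1')
$req.AllowAutoRedirect = $false
$resp = $req.GetResponse()
try {
    '{0} -> {1}' -f [int]$resp.StatusCode, $resp.Headers['Location']
}
finally {
    $resp.Close()
}
```

Because the redirect target is built from {HTTP_HOST}, which is the Host header sent by the client, bind the site to explicit host names so the rule only ever echoes names the site actually serves.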
You can also simply add the following lines to the website’s configuration file (web.config):
URL rewrite
 

 

How to bind multiple sites with SSL on one IP address and port

IIS would normally require multiple IP addresses or ports for sites that bind with SSL. This is because the SSL handshake is established before the site’s header is sent, so the headers are encrypted. When a request is received by a web server, it needs to know the header information (because it contains the site’s name) to be able to use the right certificate to decrypt the information. If a request is received and the HTTP.SYS layer cannot read the header to use the right certificate to decrypt the information, then it will not be able to redirect the request to the right website. For this reason, a web server allows one site per IP and port for HTTPS connections. To get another website working in parallel you will need to use a different IP or port for SSL connections.
To resolve this issue you will need to purchase a wildcard certificate (for example *.ppscu.com) so you can use it for all websites that are part of the same domain. Suppose you have two websites named site1.ppscu.com and site2.ppscu.com. You will need to add the following configuration in applicationHost.config:
How to bind multiple sites with SSL on one IP address and port

 

As you can see from the configuration lines, each website contains an SSL binding that listens on all IPs (*) on port 443 but also contains the host name information. I’ve installed a wildcard certificate that is used for all SSL communications. When a request is received by the IIS server, the certificate will be used to decrypt data and read the header information that contains the host name for a specific site. HTTP.SYS will then know where to redirect the request.
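The bindings described above can also be created and checked with the WebAdministration module. This is an added example, not the article's own configuration; it assumes each IIS site is named after its host name, and the certificate thumbprint is a placeholder.

```powershell
# Added example: two sites sharing *:443 through host-header bindings and one
# wildcard certificate. Assumptions: each IIS site is named after its host
# name; the thumbprint below is a placeholder.
Import-Module WebAdministration

$hostNames  = 'site1.ppscu.com', 'site2.ppscu.com'   # host names from the article
$thumbprint = '<WILDCARD-CERT-THUMBPRINT>'           # placeholder

$cert    = Get-Item "Cert:\LocalMachine\My\$thumbprint" -ErrorAction Stop
$dnsName = $cert.GetNameInfo('DnsName', $false)      # first DNS name on the certificate

# A wildcard covers exactly one label: *.ppscu.com matches site1.ppscu.com
# but not a.b.ppscu.com, so translate it into a regex instead of using -like.
$pattern = '^' + [regex]::Escape($dnsName).Replace('\*', '[^.]+') + '$'

foreach ($h in $hostNames) {
    if ($h -notmatch $pattern) {
        throw "Certificate name '$dnsName' does not cover '$h'."
    }
    # Add the host-header https binding only if the site does not have it yet.
    if (-not (Get-WebBinding -Name $h -Protocol https -Port 443 -HostHeader $h)) {
        New-WebBinding -Name $h -Protocol https -IPAddress '*' -Port 443 -HostHeader $h
    }
}

# One certificate per IP:port in HTTP.SYS; 0.0.0.0 stands for all IPs (*).
if (-not (Test-Path 'IIS:\SslBindings\0.0.0.0!443')) {
    New-Item -Path 'IIS:\SslBindings\0.0.0.0!443' -Value $cert | Out-Null
}

# Review every https binding on port 443. A binding without a host header
# on the shared IP:port would take requests meant for the other sites.
Get-WebBinding -Protocol https |
    Where-Object { $_.bindingInformation -like '*:443:*' } |
    Select-Object protocol, bindingInformation,
        @{ Name = 'HostHeaderSet'; Expression = { $_.bindingInformation -notmatch ':$' } }
```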

How to determine what .NET framework is installed on your server

Hi folks,
In this article I will show you how to verify what .NET framework version is installed on your Windows Server. I encountered this problem when upgrading PowerShell to version 4.0. In Windows Server 2012, one requirement before upgrading PowerShell is to install the latest .NET framework version (V4.5). The common way to achieve this is to verify what version is installed by checking the Programs and Features section in Control Panel. Note that if .NET framework is not shown here, you must upgrade it before you install Windows Management Framework 4.0.
You can also verify the installed framework version in Registry Editor. Open regedit from the Run prompt and navigate to: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NET Framework Setup\NDP:
Registry editor
In this section you will see all the installed .NET framework versions. If V4.5 is installed, this is what the registry key should look like:
Registry editor
You can download the latest framework version from Microsoft’s website. Once you’ve installed this pack, you can safely upgrade PowerShell to version 4.
That’s it for this article folks, wish you all the best and stay tuned for the following posts from IT training day.
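The registry check described in this article can be scripted, which helps when several servers have to be verified before the upgrade. This is an added example, not code from the original article; the function names are hypothetical, and the threshold 378389 is the Release value that .NET Framework 4.5 writes under v4\Full.

```powershell
# Added example: read the installed .NET Framework versions from the NDP
# registry key instead of browsing it in regedit. Function names are
# hypothetical.
$ndp = 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP'

function Get-InstalledDotNet {
    # Walk every subkey (v2.0.50727, v3.5, v4\Client, v4\Full, ...) and keep
    # the ones that carry a Version value.
    Get-ChildItem $ndp -Recurse | ForEach-Object {
        $version = $_.GetValue('Version')
        if ($version) {
            New-Object PSObject -Property @{
                Key     = $_.Name.Substring($_.Name.IndexOf('NDP\') + 4)
                Version = $version
                Release = $_.GetValue('Release')   # empty for versions before 4.5
            }
        }
    }
}

function Test-DotNet45 {
    # 4.5 and later install in place over 4.0, so the key name stays v4\Full.
    # The Release DWORD exists only from 4.5 onwards; 378389 is the 4.5 value.
    $full = Get-ItemProperty "$ndp\v4\Full" -ErrorAction SilentlyContinue
    return [bool]($full -and $full.Release -ge 378389)
}

Get-InstalledDotNet | Sort-Object Key | Format-Table Key, Version, Release -AutoSize

if (Test-DotNet45) {
    '.NET Framework 4.5 or later is installed.'
}
else {
    '.NET Framework 4.5 is missing; install it before Windows Management Framework 4.0.'
}
```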

MsMpEng.exe eating too much CPU

Hi folks,
Today I had a strange problem regarding one of our IIS web servers. I had a complaint about some web applications that were having really bad performance. Note that the IIS was running under Windows Server 2008 R2 and protected with Microsoft Forefront Endpoint Protection. In such situations you would normally establish an RDP connection with the problematic server and check its performance. From the beginning I saw that the RDP was working really slowly and I could barely open Task Manager.
I then switched to the Performance tab in Task Manager and saw that the CPU was running at 100% capacity. One of the running processes caught my eye because it was constantly eating more than 50% of the processor’s capacity. The name of the executable was MsMpEng.exe, which is the Microsoft Antimalware Service:
Microsoft Antimalware Service
I know that this service is used by Microsoft FEP for protecting users from malware and other potentially unwanted software, but I didn’t know what was causing this behavior. I tried using the Process Explorer utility to analyze the problem, but it didn’t help much. My salvation came when I used Process Monitor (by Sysinternals) to see what was going on behind this process. The antivirus software was trying to access the ServerManager.log and was locking the file:
Process Monitor
This process was done over and over again, so the CPU was constantly working at 100 percent. I then added the path of the log file to the excluded files and locations section and the problem was finally fixed:
Microsoft Forefront Endpoint Protection
Now, when I open Task Manager, the overall CPU usage is in good parameters:
Task Manager
I’ve read about this problem over the Internet and some users were suggesting adding the following paths to the excluded files and location section:
C:\ProgramData\Microsoft\Microsoft Forefront Endpoint Protection 2010 Server Management
C:\ProgramData\Microsoft\Microsoft Antimalware
C:\Program Files\Microsoft Security Client\MsMpEng.exe
Note that these solutions didn’t work in my situation and only adding the ServerManager.log file to the exclusion range fixed my problem. The same fixes can be applied to Microsoft Security Essentials running on Windows Desktop versions.
Hope you’ll find this article useful, for any misunderstandings post a comment in our dedicated section and I will try to respond as soon as possible. Don’t forget to enjoy your day and stay tuned for the following articles from IT training day.

Powershell script to create new IIS application

Internet Information Services

Hello folks,
I just want to show you a script I’ve created in PowerShell for adding a new web application to an IIS server. It’s probably much easier to configure such an app using the IIS Manager console, but by using scripting you can make your life much easier and save a lot of time. When deploying a new application on several IIS servers that are load balanced, the workload can be boring, so it’s better to use scripting when performing such an operation.
That being said, I’ll just paste the code with the description:

#Import the web administration module and create the paths for the new application
Import-Module WebAdministration
$SiteName = "test.ppscu.com"
$PathAppPool = "IIS:\AppPools\" + $SiteName
$PathWebSite = "IIS:\Sites\" + $SiteName

#Create the folders in which the application and logs will be stored
New-Item -ItemType Directory -Name $SiteName -Path "C:\inetpub\sites" -Force
New-Item -ItemType Directory -Name $SiteName -Path "C:\inetpub\logs" -Force

#Create and configure the App Pool (will be using the Network Service identity, framework 2.0 and Classic pipeline mode)
#The pool is named after the site so that $PathAppPool and -ApplicationPool below refer to it
New-WebAppPool -Name $SiteName -Force
Set-ItemProperty -Path $PathAppPool -Name processModel.identityType -Value NetworkService
Set-ItemProperty -Path $PathAppPool -Name managedRuntimeVersion -Value v2.0
Set-ItemProperty -Path $PathAppPool -Name managedPipelineMode -Value Classic
Restart-WebItem $PathAppPool

#Create the website and its binding, and set the physical location
New-WebSite -Name $SiteName -Port 80 -HostHeader $SiteName -PhysicalPath "C:\inetpub\sites\$SiteName" -ApplicationPool $SiteName
Set-ItemProperty -Path $PathWebSite -Name applicationPool -Value $SiteName
Restart-WebItem $PathWebSite

#Add the log file location
Set-ItemProperty -Path $PathWebSite -Name logFile.directory -Value "C:\inetpub\logs\$SiteName"

That’s it for this short script, I hope you’ll find the code useful when deploying IIS applications. Wish you all the best and have a great day!

How to enable Output Caching in IIS

Hello folks,
   In this short article we will talk about the Output Caching feature available with IIS servers. We will see the main aspects behind this technology and how to configure it to aid our web applications’ functionality.
   Before going straight to the configuration part we have to talk about the concepts of caching, what caching actually means in IIS and when it’s recommended to use this feature. Output caching is a method of improving the web server’s performance by storing dynamic content in memory. Caching can be enabled for classic ASP and ASP.NET, PHP and other dynamic content.
   By default, IIS will cache static content such as images or HTML files, but for dynamic content this feature has to be configured and customized manually. I’m saying that the caching feature can be customized because it’s not recommended with some dynamic objects and can even cause problems for your web application. Make sure that your web application requires output caching because it may cause instability in your system. This feature should be configured on dynamic content that is not changed with every request based on the header or URL. In IIS, output caching is configured based on two variables: URL (varyByQueryString) and header information (varyByHeaders).
   Because dynamic content changes its information frequently, it is necessary that resources are deleted before receiving updated information. This is why the cache memory must be flushed or invalidated. IIS presents two methods of invalidating information:
– a timeout period (CacheForTimePeriod)
– a change detection mechanism (CacheUntilChange)
   For a resource to become cached by the IIS server, it must be requested a number of times in a predefined period of time. IIS offers two parameters to configure the timing and number of requests: frequentHitTimePeriod and frequentHitThreshold.
If a number of requests (frequentHitThreshold) are made for the same item in the configured period of time (frequentHitTimePeriod), the resource is cached to allow the IIS server to respond faster to future requests. When a resource has met these two conditions we say that it has become “worthy”.
There are two methods available when configuring Output Caching on your IIS server:
Configure Output Caching using the IIS management console
You can enable output caching for the whole IIS server or for each website individually. Open the IIS Manager console, navigate to your web application section and click on Output Caching:

IIS management console

Now click on the Add button from the right section to configure a new caching rule:

Output Caching
Windows Server supports two caching methods:
  • User-mode caching – uses a local cache stored in the IIS worker process
  • Kernel-mode caching – uses a cache stored in the Http.sys driver.
Note that even though the Kernel-mode caching is much faster than user-mode caching it does not support features that must run in user mode (authentication and authorization). Which caching method you use depends a lot on the application’s purpose and requirements.
For this example I’ve created a cache rule for .php files to use change notifications:
IIS cache rule
Note that you can press the Advanced button and enable the “cache different versions of file based on” feature, using the query string variable and/or headers:
Cache rule
There are some options available in both User-mode and Kernel-mode caching:
  • Using file change notifications: an item will be removed from the cache once a newer version of the file is added in the web application.
  • At time intervals (hh:mm:ss): items will be removed from the cache once the period of time has elapsed.
  • Prevent all caching: this option prevents caching for the specified type of files
Once you’ve configured all these parameters, the application will be configured for caching.
Configure Output Caching by modifying the config file of your web application
Navigate to your web application physical location, open the web.config file and enter the following lines:

 
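 <configuration>
     <location path="mywebsite.php">
       <system.webServer>
         <caching>
           <profiles>
             <add varyByQueryString="*" location="Any"
               duration="00:00:01" policy="CacheForTimePeriod"
               extension=".php" />
           </profiles>
         </caching>
       </system.webServer>
     </location>
 </configuration>
 (Source: Microsoft's website)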

The policy="CacheForTimePeriod" parameter can be changed to kernelCachePolicy to enable Kernel-mode caching.

That’s about it for this article folks, hope you’ll find it interesting. Don’t forget to enjoy your day and stay tuned for the following articles from IT training day.

How to determine what IIS worker process is responsible for high resource utilization

   The first step you need to take when you find a web application consuming a lot of resources is to identify the worker process responsible for it. It is hard to determine which web application a worker process belongs to just by looking in Task Manager.
   Navigate to C:\Windows\System32\inetsrv and run the following command: appcmd list wp. This command lists the worker processes that are currently running on the web server. Appcmd is a powerful tool that is used to manage IIS. For a detailed description of this tool, type appcmd /?:
appcmd

 

By running the appcmd list wp command you will see the worker process for each application along with their PID numbers. Then you can match the PID numbers with those shown in Task Manager:
appcmd
Another way in which you can achieve this is by using the IIS Manager console. You can open the console from the Administrative Tools menu or from the Roles section in Server Manager. Now select the host and click on the Worker Processes button in the IIS settings:
worker processes
Upon opening this menu you will see all active worker processes with their name, process id, state, CPU and memory consumption. By identifying their PID you can then take further steps in resolving the memory consumption issue. This short article will serve well for a future post in which we will troubleshoot some memory leaks in IIS application pools. Have a great day and stay tuned for the following articles.
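The PID matching described in this article can be done in one step by joining the output of appcmd list wp with the process list. This is an added example, not code from the original article; the function name is hypothetical, and the sample lines are constructed so the parser can be tried on a machine without IIS.

```powershell
# Added example: map each IIS worker process to its application pool and show
# its CPU time and memory. Run from an elevated prompt on the web server.
$appcmd = Join-Path $env:windir 'System32\inetsrv\appcmd.exe'

function ConvertFrom-AppcmdWp {
    # Hypothetical helper: parses lines such as
    #   WP "3412" (applicationPool:DefaultAppPool)
    param([string[]]$Lines)
    foreach ($line in $Lines) {
        if ($line -match '^WP "(\d+)" \(applicationPool:(.+)\)\s*$') {
            New-Object PSObject -Property @{
                ProcessId = [int]$Matches[1]
                AppPool   = $Matches[2]
            }
        }
    }
}

# Constructed sample output, used only when appcmd.exe is not present.
$sample = 'WP "3412" (applicationPool:DefaultAppPool)',
          'WP "5120" (applicationPool:test.ppscu.com)'

$lines = if (Test-Path $appcmd) { & $appcmd list wp } else { $sample }

$report = ConvertFrom-AppcmdWp $lines | ForEach-Object {
    $wp   = $_
    $proc = Get-Process -Id $wp.ProcessId -ErrorAction SilentlyContinue
    # A PID can be reused; only trust it if it still belongs to w3wp.exe.
    if ($proc -and $proc.ProcessName -ne 'w3wp') { $proc = $null }
    New-Object PSObject -Property @{
        AppPool      = $wp.AppPool
        ProcessId    = $wp.ProcessId
        CpuSeconds   = $(if ($proc) { [math]::Round($proc.CPU, 1) })
        WorkingSetMB = $(if ($proc) { [math]::Round($proc.WorkingSet64 / 1MB, 1) })
    }
}

# Heaviest CPU consumers first.
$report | Sort-Object CpuSeconds -Descending |
    Format-Table AppPool, ProcessId, CpuSeconds, WorkingSetMB -AutoSize
```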

Windows Server 2008 IIS performance counters problem

Hello folks,
In this article I want to talk about a problem that I have encountered with a Microsoft Windows Server 2008 running IIS (Internet Information Services). For those that do not know what IIS is, it’s a service used by Microsoft servers to host websites. I’ve worked with IIS for a while now and I can tell you that it’s getting better and better. I’ve also worked with IIS 8 on Windows Server 2012 and I can definitely say that it has some real improvements. If you want to learn more about IIS, check out the IIS articles from IT training day.
I discovered this problem when some clients complained of poor performance from an IIS application. Immediately I checked the system performance for hardware usage. Everything looked in order, so I checked Event Viewer and Task Manager and also added some perf counters in the Performance Monitor tool to see what was going on. Since everything looked OK, I opened the IIS Manager console and clicked on the Worker Processes button to check for the active requests (I thought that there were some requests that the worker process couldn’t fetch). If you don’t know how to open the Worker Processes, check out the next image:

IIS Manager console
   After clicking the Worker Processes button, I have received the following error:
IIS error
   After acknowledging this error, I checked the Event Viewer to see if something was going on with IIS or any services associated with it. What I discovered was that a critical error was getting reported by Event Viewer over and over again. The following image displays that particular error; you can even see a short description of it:
Event Viewer
   There was something wrong with worker processes performance counters. To check the status of the performance counters, use the lodctr command. To see a short description of this command type lodctr /? from the command prompt:
lodctr command
   The next thing I did was to run the lodctr /q:PerfProc command to see the performance counters status:
lodctr command
   As you can see from the image, the Performance Counter status was Disabled. To enable them, I used the same command but with different parameters, lodctr /e:PerfProc. After running this command, I’ve rechecked the performance counters status using the lodctr /q:PerfProc command:
lodctr command line
   Because the status had changed, I had only one thing to do: restart the World Wide Web Publishing Service. I entered the Services console (services.msc from the Run prompt) and restarted the service:

 

Services console
   When I rechecked the worker processes tab from the IIS Manager console, the problem was still there. I discovered that you have to STOP/START the World Wide Web Publishing Service so that the changes can take effect. You can achieve this by using the Services console or the following commands from the command prompt: NET STOP W3SVC and then NET START W3SVC. After running these two commands, the problem was fixed and I was able to see the active requests. That particular application was requesting some files that did not exist, so the IIS got stuck for a while. After fixing the code, the application worked perfectly and I haven’t received any complaints since then.
   I don’t know how many of you have encountered this problem, but for those who haven’t stumbled upon it, I hope this will serve you well. Leave any comment or post any question that you have regarding this article. Have a wonderful day and stay tuned for more articles from IT training day.

Microsoft Internet Information Services (IIS) – Other IIS options

Welcome again to our IIS video tutorials,
In this episode I will talk about other IIS options that we haven’t discussed, like the IIS default document and directory browsing, IIS limits, error pages and how you can customize them, how you can view the worker processes that run on the web server and also the requests, compression mechanisms and other options with which you can customize the web server’s behavior. This tutorial takes you deeper into Internet Information Services features; I hope you will enjoy it.
Before you start watching the video tutorial, I will note and describe a little bit some things that we will talk about:
Default document – This is basically the first page that is displayed when you access a page. IIS lets you customize which default documents to look for and also in which order.
appcmd.exe set config "Website1" /section:defaultDocument /enabled:true /+files.[value='Web.html']
This command sets the default document of Website1 to be Web.html.
Directory browsing is used when you allow users to view the contents of your website directory when no default webpage is found. In the video I have changed the properties of this option by using the IIS management console, but this option can also be changed in the command prompt by typing the following:
appcmd.exe set config /section:directoryBrowse /enabled:true|false
By default this option is set to true, which means that directory browsing is enabled; if this is changed to false, then this option becomes unavailable.
Compression mechanisms are used to use the bandwidth more efficiently. There are two compression methods in IIS, static and dynamic compression:
Static compression – If you select this option, IIS will compress the static content and keep it in a specified directory. This is helpful when you have multiple users requesting the same static elements, because IIS will give them the copy of the compressed file that is already cached, thereby reducing the bandwidth used. Use this option with static files like .html, .doc, .pdf, .txt etc.

Dynamic compression – This feature is different from static compression because IIS will perform a dynamic compression on every request. Dynamic compression is used with pages that can change over time, like .ASP, and the compressed output is not cached.
Error pages are used when a user encounters a problem when accessing a web page. There are many default error pages in IIS; you can see them in the video. You can add a custom error page by using the appcmd.exe command:

appcmd.exe set config -section:system.webServer/httpErrors /+"[statusCode='404',subStatusCode='5',prefixLanguageFilePath='%SystemDrive%\inetpub\custerr',path='404.5.htm']" /commit:apphost

Limits are used to configure some features like connection timeout, maximum bandwidth used by a website and maximum connections.
Have a wonderful day.

IIS Security, ISAPI extensions and filters

Hi and welcome back to our 5th tutorial on IIS,
In this post we will talk about the security measures that have to be taken on an IIS server and also about ISAPI extensions and ISAPI filters.

Internet Server Application Programming Interface (ISAPI) is an N-tier (application processing and data management functions are logically separated) API (about APIs: http://en.wikipedia.org/wiki/Application_programming_interface) that is built for IIS. An ISAPI server extension is a DLL that can be loaded and called by an HTTP server to provide certain functionality. The only two types of ISAPI applications that were developed are filters and extensions. ISAPI extensions can be integrated as modules and are used mainly to execute code when a certain extension is called. ISAPI filters are used to modify IIS and provide more functionality to it. I made a drawing of how ISAPI extensions and filters integrate in IIS; I hope it will be helpful for you:

Security features in IIS are used to determine if a user has access to connect to a certain resource on the IIS server. For example, imagine you are trying to obtain a file from a server. When you first access the server, IIS authenticates you with the options that are enabled. If anonymous authentication is enabled, then you will be authenticated as anonymous. After this step, IIS checks if you have any IP or domain restrictions. If the authorization rules permit your access, then it’s all down to the NTFS permissions (read more about NTFS permissions here: http://technet.microsoft.com/en-us/library/cc754178.aspx). After passing this test, IIS grants you access to your requested file. Anonymous authentication is used until you access something that is not permitted by this type of authentication; at that point you have to authenticate by another authentication method that is active on the web server (Windows, Basic, Digest Authentication etc.). I created a picture of how security is implemented in IIS; I hope it will help you understand all the steps taken:
IIS request
I hope this post will help you understand better the functionality of ISAPI filters and extensions and also how to enhance IIS security, stay tuned for the next episodes. If you have enjoyed this post please leave a comment, have a nice day.