Automatically Redirect HTTP requests to HTTPS on IIS 7 using URL Rewrite

To automatically redirect HTTP requests to HTTPS on an IIS server, you will need to perform the following steps. First make sure that the website has both ports configured in the binding section, just like in the following example:

Web server bindings

Now select the website and click on the URL Rewrite section from the menu:

URL rewrite module

Click on Add Rule(s) from the right section of the panel and create a Blank rule:

Windows Server 2008 URL rewrite

Set a name for the inbound rule and configure the pattern to (.*)

IIS URL rewrite

In the Conditions section press Add and set the following:
– Condition input: {HTTPS}
– Type: Matches the Pattern
– Pattern: ^OFF$

Redirect HTTP requests to HTTPS

In the Action menu configure the following:
– Action type: Redirect
– Redirect URL: https://{HTTP_HOST}/{R:1}
– Redirect type: See Other (303)

Redirect HTTP requests to HTTPS on IIS using URL Rewrite
You can also simply add the following lines to the website’s configuration file (web.config):
URL rewrite
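The rule built in the steps above, written as a web.config fragment. This is an added example, not the author's original file: the rule names are assumptions, and the outbound rule goes beyond the steps above by adding an HSTS header to HTTPS responses so that returning browsers skip the plain-HTTP hop.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
  <system.webServer>
    <rewrite>
      <rules>
        <!-- Rule name is an assumption; any unique name works. -->
        <rule name="Redirect HTTP to HTTPS" stopProcessing="true">
          <!-- (.*) captures the whole requested path as {R:1}. -->
          <match url="(.*)" />
          <conditions>
            <!-- {HTTPS} is "off" for plain-HTTP requests; ignoreCase is
                 what lets the upper-case pattern match that value. -->
            <add input="{HTTPS}" pattern="^OFF$" ignoreCase="true" />
          </conditions>
          <!-- SeeOther = 303, as chosen in the steps above. A 303 tells the
               client to re-request with GET; redirectType="Permanent"
               would send a 301 instead, which browsers cache.
               {HTTP_HOST} echoes the Host header of the request. -->
          <action type="Redirect" url="https://{HTTP_HOST}/{R:1}"
                  redirectType="SeeOther" />
        </rule>
      </rules>
      <outboundRules>
        <!-- Not part of the steps above: HSTS on HTTPS responses only. -->
        <rule name="Add HSTS header" enabled="true">
          <match serverVariable="RESPONSE_Strict_Transport_Security"
                 pattern=".*" />
          <conditions>
            <add input="{HTTPS}" pattern="on" ignoreCase="true" />
          </conditions>
          <!-- max-age is a constructed sample value (one year). -->
          <action type="Rewrite" value="max-age=31536000" />
        </rule>
      </outboundRules>
    </rewrite>
  </system.webServer>
</configuration>
```

The URL Rewrite module must be installed on the server, otherwise IIS rejects the rewrite section when it loads the file.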
 

 

How to bind multiple sites with SSL on one IP address and port

IIS would normally require multiple IP addresses or ports for sites that bind with SSL. This is because the SSL handshake is established before the site's header is sent, so the headers are encrypted. When a request is received by a web server, it needs to know the header information (because it contains the site's name) to be able to use the right certificate to decrypt the information. If a request is received and the HTTP.SYS layer cannot read the header to use the right certificate to decrypt the information, then it will not be able to route the request to the right website. For this reason, a web server allows one site per IP and port for HTTPS connections. To get another website working in parallel you will need to use a different IP or port for SSL connections.
To resolve this issue you will need to purchase a wildcard certificate (for example *.ppscu.com) so you can use it for all websites that are part of the same domain. Suppose you have two websites named site1.ppscu.com and site2.ppscu.com. You will need to add the following configuration in applicationHost.config:
How to bind multiple sites with SSL on one IP address and port
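A sketch of the applicationHost.config section described here, for the two sites named above. This is an added example, not the author's original configuration; the site ids, application pool names and physical paths are assumptions.

```xml
<!-- Fragment of %windir%\System32\inetsrv\config\applicationHost.config.
     Site ids, application pool names and physical paths are assumptions. -->
<sites>
  <site name="site1.ppscu.com" id="2">
    <application path="/" applicationPool="site1.ppscu.com">
      <virtualDirectory path="/"
                        physicalPath="C:\inetpub\sites\site1.ppscu.com" />
    </application>
    <bindings>
      <!-- bindingInformation is IP:port:host name. Both sites share *:443;
           the host name is what tells them apart once the wildcard
           certificate has been used to decrypt the request. -->
      <binding protocol="http" bindingInformation="*:80:site1.ppscu.com" />
      <binding protocol="https" bindingInformation="*:443:site1.ppscu.com" />
    </bindings>
  </site>
  <site name="site2.ppscu.com" id="3">
    <application path="/" applicationPool="site2.ppscu.com">
      <virtualDirectory path="/"
                        physicalPath="C:\inetpub\sites\site2.ppscu.com" />
    </application>
    <bindings>
      <binding protocol="http" bindingInformation="*:80:site2.ppscu.com" />
      <binding protocol="https" bindingInformation="*:443:site2.ppscu.com" />
    </bindings>
  </site>
</sites>
```

The wildcard certificate itself is bound once to port 443 at the HTTP.SYS level (visible with netsh http show sslcert), not per site. IIS 8 and later can use Server Name Indication instead, which lets each site on the same IP and port present its own certificate.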

 

As you can see from the configuration lines, each website contains an SSL binding that listens on all IPs (*) on port 443 but also contains the host name information. I’ve installed a wildcard certificate that is used for all SSL communications. When a request is received by the IIS server, the certificate will be used to decrypt data and read the header information that contains the host name for a specific site. HTTP.SYS will then know where to route the request.

MsMpEng.exe eating too much CPU

Hi folks,
Today I had a strange problem regarding one of our IIS web servers. I had a complaint about some web applications that were having really bad performance. Note that the IIS was running under Windows Server 2008 R2 and protected with Microsoft Forefront Endpoint Protection. In such situations you would normally establish an RDP connection with the problematic server and check its performance. From the beginning I saw that the RDP was working really slowly and I could barely open Task Manager.
I then switched to the Performance tab in Task Manager and saw that the CPU was running at 100% capacity. One of the running processes caught my eye because it was constantly eating more than 50% of the processor’s capacity. The name of the executable was MsMpEng.exe which is the Microsoft Antimalware Service:
Microsoft Antimalware Service
I know that this service is used by Microsoft FEP for protecting users from malware and other potentially unwanted software, but I didn’t know what was causing this behavior. I tried using the Process Explorer utility to analyze the problem, but it didn’t help much. My salvation came when I used Process Monitor (by Sysinternals) to see what was going on behind this process. The antivirus software was trying to access the ServerManager.log and was locking the file:
Process Monitor
This process was done over and over again so the CPU was constantly working at 100 percent. I then added the path of the log file in the excluded files and locations section and the problem was finally fixed:
Microsoft Forefront Endpoint Protection
Now, when I open Task Manager, the overall CPU usage is in good parameters:
Task Manager
I’ve read about this problem over the Internet and some users were suggesting adding the following paths to the excluded files and location section:
C:\ProgramData\Microsoft\Microsoft Forefront Endpoint Protection 2010 Server Management
C:\ProgramData\Microsoft\Microsoft Antimalware
C:\Program Files\Microsoft Security Client\MsMpEng.exe
Note that these solutions didn’t work in my situation and only adding the ServerManager.log file to the exclusion range fixed my problem. The same fixes can be applied to Microsoft Security Essentials running on Windows Desktop versions.
Hope you’ll find this article useful. For any misunderstandings, post a comment in our dedicated section and I will try to respond as soon as possible. Don’t forget to enjoy your day and stay tuned for the following articles from IT training day.

Powershell script to create new IIS application

Internet Information Services

Hello folks,
I just want to show you a script I’ve created in PowerShell for adding a new web application to an IIS server. It’s probably much easier to configure such an app using the IIS Manager console, but using scripting you can make your life much easier and save a lot of time. When deploying a new application on several IIS servers that are load balanced, the workload can be boring, so it’s better to use scripting when performing such an operation.
That being said, I’ll just paste the code with the description:

#Import the web administration module and create the paths for the new application
Import-Module WebAdministration
$SiteName = "test.ppscu.com"
$PathAppPool = "IIS:\AppPools\" + $SiteName
$PathWebSite = "IIS:\Sites\" + $SiteName

#Creating folders in which the application and logs will be stored
New-Item -ItemType directory -Name $SiteName -Path "C:\inetpub\sites" -Force
New-Item -ItemType directory -Name $SiteName -Path "C:\inetpub\logs" -Force

#Creating and configuring the App Pool (will be using the network service, framework 2.0 and Classic pipeline mode)
#The pool is named after the site so that $PathAppPool points at it
New-WebAppPool -Name $SiteName -Force
Set-ItemProperty -Path $PathAppPool -Name processModel.identityType -Value NetworkService
Set-ItemProperty -Path $PathAppPool -Name managedRuntimeVersion -Value v2.0
Set-ItemProperty -Path $PathAppPool -Name managedPipelineMode -Value Classic
Restart-WebItem $PathAppPool

#Create Website, binding and set the physical location
New-WebSite -Name $SiteName -Port 80 -HostHeader $SiteName -PhysicalPath "C:\inetpub\sites\$SiteName" -ApplicationPool $SiteName
Set-ItemProperty -Path $PathWebSite -Name applicationPool -Value $SiteName
Restart-WebItem $PathWebSite

#Add log file location
Set-ItemProperty -Path $PathWebSite -Name logFile.directory -Value "C:\inetpub\logs\$SiteName"

That’s it for this short script, I hope you’ll find the code useful when deploying IIS applications. Wish you all the best and have a great day!

How to enable Output Caching in IIS

Hello folks,
   In this short article we will talk about the Output Caching feature available with IIS servers. We will see the main aspects behind this technology and how to configure it to aid our web applications’ functionality.
   Before going straight to the configuration part we have to talk about the concepts of caching, what caching actually means in IIS and when it’s recommended to use this feature. Output caching is a method of improving the web server’s performance by storing dynamic content in memory. Caching can be enabled for classic ASP and ASP.NET, PHP and other dynamic content.
   By default, IIS will cache static content such as images or HTML files, but for dynamic content this feature has to be configured and customized manually. I’m saying that the caching feature can be customized because it’s not recommended with some dynamic objects and can even cause problems for your web application. Make sure that your web application requires output caching because it may cause instability in your system. This feature should be configured on dynamic content that is not changed with every request based on the header or URL. In IIS, output caching is configured based on two variables: URL (varyByQueryString) and header information (varyByHeaders).
   Because dynamic content changes its information frequently, it is necessary that resources are deleted before receiving updated information. This is why the cache memory must be flushed or invalidated. IIS presents two methods of invalidating information:
– a timeout period (CacheForTimePeriod)
– a change detection mechanism (CacheUntilChange)
   For a resource to become cached by the IIS server, it must be requested a number of times in a predefined period of time. IIS offers two parameters to configure the timing and number of requests: frequentHitTimePeriod and frequentHitThreshold.
If a number of requests (frequentHitThreshold) are made for the same item in the configured period of time (frequentHitTimePeriod), the resource is cached to allow the IIS server to respond faster to future requests. When a resource has met these two conditions we say that it has become “worthy”.
There are two methods available when configuring Output Caching on your IIS server:
Configure Output Caching using the IIS management console
You can enable output caching for the whole IIS server or from each website individually. Open the IIS Manager console and navigate to your web application section and click on Output Caching:

IIS management console

Now click on the Add button from the right section to configure a new caching rule:

Output Caching
Windows Server supports two caching methods:
  • User-mode caching – uses a local cache stored in the IIS worker process
  • Kernel-mode caching – uses a cache stored in the Http.sys driver.
Note that even though the Kernel-mode caching is much faster than user-mode caching it does not support features that must run in user mode (authentication and authorization). Which caching method you use depends a lot on the application’s purpose and requirements.
For this example I’ve created a cache rule for .php files to use change notifications:
IIS cache rule
Note that you can press the Advanced button and enable the “cache different versions of file based on” feature, using query string variables and/or headers:
Cache rule
There are some options available in both User-mode and Kernel-mode caching:
  • Using file change notifications: an item will be removed from the cache once a newer version of the file is added in the web application.
  • At time intervals (hh:mm:ss): items will be removed from the cache once the period of time has elapsed.
  • Prevent all caching: this option prevents caching for the specified type of files
Once you’ve configured all these parameters, the application will be configured for caching.
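Configure Output Caching by modifying the config file of your web application
Navigate to your web application physical location, open the web.config file and enter the following lines:

 <configuration>
     <location path="mywebsite.php">
       <system.webServer>
         <caching>
           <profiles>
             <!-- Cache .php output for 1 second, one cached copy per distinct query string -->
             <add varyByQueryString="*" location="Any"
               duration="00:00:01" policy="CacheForTimePeriod"
               extension=".php" />
           </profiles>
         </caching>
       </system.webServer>
     </location>
 </configuration>
 (Source Microsoft's website)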

The policy="CacheForTimePeriod" parameter can be changed to kernelCachePolicy to enable Kernel-mode caching.
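The three options listed earlier (file change notifications, time intervals, prevent all caching) map onto values of the policy and kernelCachePolicy attributes. The fragment below is an added example, not taken from the original article or from Microsoft's sample; the .html and .aspx extensions and the 30-second duration are assumptions chosen for illustration.

```xml
<configuration>
  <system.webServer>
    <caching enabled="true" enableKernelCache="true">
      <profiles>
        <!-- User-mode rule from the GUI walkthrough: .php output stays
             cached until the file on disk changes, with one cached copy
             per distinct query string. -->
        <add extension=".php" policy="CacheUntilChange"
             varyByQueryString="*" />
        <!-- Kernel-mode (Http.sys) rule with a timeout. The kernel cache
             cannot run authentication or authorization, so keep it for
             content that is identical for every visitor. -->
        <add extension=".html" kernelCachePolicy="CacheForTimePeriod"
             duration="00:00:30" />
        <!-- "Prevent all caching" for pages whose output differs per
             user, so one visitor's response is never served to another. -->
        <add extension=".aspx" policy="DontCache"
             kernelCachePolicy="DontCache" />
      </profiles>
    </caching>
  </system.webServer>
</configuration>
```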

That’s about it for this article folks, hope you’ll find it interesting. Don’t forget to enjoy your day and stay tuned for the following articles from IT training day.

How to determine what IIS worker process is responsible for high resource utilization

   The first step you need to take when discovering a high resource consuming web application is to discover the worker process responsible for this. It is hard to determine what web application is responsible for a worker process just by looking in task manager.
   Navigate to C:\Windows\System32\inetsrv and run the following command: appcmd list wp. This command will list the current worker processes that are running on the web server. Appcmd is a powerful tool that is used to manage IIS. For a detailed description of this tool type appcmd /?:
appcmd

 

By running the appcmd list wp command you will view the worker process for each application along with their PID numbers. Then you can match PID numbers with those shown in task manager:
appcmd
Another way in which you can achieve this is by using the IIS Manager console. You can open the console from the Administrative Tools menu or from the Roles section in Server Manager. Now, select the host and click on the Worker Processes button in the IIS settings:
worker processes
Upon opening this menu you will see all active worker processes with their name, process id, state, CPU and memory consumption. By identifying their PID you can then take further steps in resolving the memory consumption issue. This short article will serve well for a future post in which we will troubleshoot some memory leaks in IIS application pools. Have a great day and stay tuned for the following articles.

How to install and configure a new web application

In this article I will show you how to configure and install a new Internet Information Services application. IIS is Microsoft’s web-hosting platform and is one of the best on the market, at least from what I know. In terms of popularity, I think IIS comes 2nd after Apache. Many system administrators interact with this application, that’s why I think this article will serve well for those that need guidance with IIS. I’ve been working with IIS for quite a while now and I can definitely say that it’s easy to use and intuitive. There are a couple of things needed to know from the beginning, but after a while working with IIS becomes easy. Remember that you can interact with this hosting platform with PowerShell or command prompt, this is especially good for those working with automation and scripting.
I will show you how to create a new app using the GUI. To open the IIS management console navigate to Administrative tools and double click on Internet Information Services (IIS) Manager:

If you didn’t add the Administrative Tools to your startup menu, you can find these tools in Control Panel. We can open the IIS manager using Microsoft’s management console (mmc.exe), using the run shortcut inetmgr or from the Server Manager console (choose whatever method works for you):
To create a new web application navigate to the Sites section and right click it and press “Add Web Site”:
You will then be redirected to the following window:
As an example, we will configure a website called website1.ittrainingday.com.
Here you will have to set the site’s name, physical path, app pool and bindings. You can specify whatever site name you desire, this is how the site will be displayed in IIS. Application pools are used for separating worker processes for different web applications. A worker process is responsible for executing code, serving requests and so on. By default, when you configure a new web app, the application pool with the same name is created automatically. We have to specify the site’s physical path, I’ve chosen the following location: C:\inetpub\wwwroot\website1.ittrainingday.com.
Next, we have to configure the web binding. A binding is an identification form for our website. In the first field we can select the web protocol that will be used for reaching this application. You can choose either HTTP or HTTPS. In the adjacent field we can enter the IP address for our web app, but we will set it to “All Unassigned”. Next, the port number has to be entered; for HTTP this is 80. In the “Host name” section we will enter our website’s name. This is how the IIS server will react to a new request: once it receives the request, it will look for the protocol and port number. If it finds several web apps with the same binding, it will look for the host’s name. When the web app is found, the request is sent directly to it. Remember that you cannot have two apps with the same host name.
   Once the website is configured, it will appear in the Sites section:
There are many things you can configure to an application. In the following articles we will discover more interesting features of IIS. I thought of making short articles for each section of this web-hosting platform because it’s easier to follow and understand. Enjoy IT training day and enjoy your day!

IIS Security, ISAPI extensions and filters

Hi and welcome back to our 5th tutorial of IIS,
In this post we will talk about the security measures that have to be taken on an IIS server and also about ISAPI extensions and ISAPI filters.

Internet Server Application Programming Interface (ISAPI) is an N-tier (application processing and data management functions are logically separated) API (about API: http://en.wikipedia.org/wiki/Application_programming_interface) that is built for IIS. An ISAPI server extension is a DLL that can be loaded and called by an HTTP server to provide certain functionality. The only two ISAPI applications that were developed are filters and extensions. ISAPI extensions can be integrated as modules and are used mainly to execute code when a certain extension is called. ISAPI filters are used to modify and provide more functionality to IIS. I made a drawing of how ISAPI extensions and filters integrate in IIS, I hope it will be helpful for you:

Security features in IIS are used to determine if a user has access to connect to a certain resource on the IIS server. For example, imagine you are trying to obtain a file from a server. When you’re first accessing the server, IIS authenticates you with the options that are enabled. If anonymous authentication is enabled then you will be authenticated as anonymous. After this step, IIS checks if you have any IP or domain restrictions. If the authorization rules permit your access then it’s all down to the NTFS permissions (read more about NTFS permissions here http://technet.microsoft.com/en-us/library/cc754178.aspx). After passing this test IIS grants you access to your requested file. Anonymous authentication is used until you encounter or you access something that is not permitted by this type of authentication; at that point you have to authenticate by another authentication method that is active on the web server (Windows, Basic, Digest Authentication etc.). I created a picture of how security is implemented in IIS, I hope it will make you understand all the steps taken:
IIS request
I hope this post will help you understand better the functionality of ISAPI filters and extensions and also how to enhance IIS security, stay tuned for the next episodes. If you have enjoyed this post please leave a comment, have a nice day.

IIS installation options

I will write all the Web Server (IIS) installation options and a short description:


Web Server – Installs the IIS Web Server. Provides support for HTML Web sites, ASP, ASP.NET and Web server extensions.

Common HTTP Features – This option installs support for html static sites as well as directory browsing, error detection and redirection
– Default Document – this option enables to specify the first page displayed when opening a web page
– Static Content – is used when static .htm, .html and images are used on the web server
– WebDAV (Distributed Authoring and Versioning) Publishing – this option enables you to publish files from the web server using http
– Directory Browsing – enables the viewers to see the contents of a directory on your web server
– HTTP Errors – enables you to customize error messages
– HTTP Redirection – grants you the possibility to send a client to a specified location

Performance – uses compression mechanism to reduce the bandwidth utilization
– Static Content Compression – used to compress static content to reduce bandwidth
– Dynamic Content Compression – used to compress dynamic content

Health & Diagnostics – enables the server to monitor server behavior
– HTTP Logging – enables the server to log http activity
– Logging Tools – installs logging tools
– Request Monitor – monitors the server health as well as site and application.
– Tracing – enables tracing applications and requests
– Custom Logging – this option enables the web server to create custom logs
– ODBC Logging – enables logging for databases

Security
– Basic Authentication – enables the authentication with username and password
– Windows Authentication – enables authentication by using NTLM or Kerberos.
– Digest Authentication – enables authentication with a domain controller by sending a hash from the password
– Centralized SSL Certificate Support – simplifies management of SSL certificates by using file sharing
– Client Certificate Mapping Authentication – enables authentication with Active Directory
– IIS Client Certificate Mapping Authentication – enables one-to-one or many-to-one mappings
– URL Authorization – enables authorization rules to the url of a web-site
– Request Filtering – enables the server to create rules to block different requests
– IP and Domain Restrictions – enables the server to create rules based on ip address or domain name

Application Development – enables support for development environment like ASP, ASP.NET, .NET, CGI, ISAPI etc.
– .NET Extensibility 3.5 – enables the web server to host .NET extensions 3.5
– .NET Extensibility 4.5 – enables the web server to host .NET extensions 4.5
– Application Initialization – enables the web server to perform initialization before serving web pages
– ASP – classic ASP support
– ASP.NET 3.5 – offers web server the possibility to host ASP.NET 3.5 applications
– ASP.NET 4.5 – offers web server the possibility to host ASP.NET 4.5 applications
– CGI – enables support for CGI executables
– ISAPI Extensions – enables the isapi extensions
– ISAPI Filters – enables the isapi filters
– Server Side Includes – enables the SSI to dynamically generate HTML pages.
– WebSocket Protocol – enables the web server to run applications that use the WebSocket protocol.

FTP Server – enables the web server to host ftp site
– FTP Service – enables FTP publishing
– FTP Extensibility – enables FTP extensibility features

Web Server Management Tools – enables the web server management tools
– IIS Management Console – enables IIS management console
– IIS Management Scripts and Tools – enables IIS management by using scripts or command line tools
– Management Service – enables the IIS web server to be managed remotely by another machine
– IIS 6 Management Compatibility –
– IIS 6 Metabase Compatibility – enables the web server to be able to run earlier versions of IIS
– IIS 6 Management Console – enables the web server to manage remotely IIS version 6 servers
– IIS 6 Scripting Tools – enables the web server to use scripts and tools from IIS version 6 in version 7.
– IIS 6 WMI Compatibility – provides Windows Management Instrumentation to manage an IIS version 8 web-server

IIS Hostable Web Core – gives administrators the ability to create custom code that will work in the core of the IIS

OK, this is all about the first part of our IIS tutorial. I hope you’ve liked it and if you do please leave a comment. I am open to any suggestions so don’t hesitate to contact me. Have a nice day and stay tuned for more IIS video tutorials.