Enhanced configuration options in IIS7

BANGALORE, INDIA: If you have been following the IIS7 series that has been running for the past few months, you'd have seen that there are tons of new configuration options in IIS7. All of these can be managed through multiple ways-IIS Manager, the AppCmd command line, PowerShell scripts and more. This month we take a brief look at the new configuration architecture and the different ways that an administrator can use them.

In IIS6, a new feature was: moving the metabase (the database that holds the configuration data of IIS) from a proprietary binary format to an XML based open format. This allowed admins to change settings by simply writing to a file called Metabase.xml. However, with the advent of .NET, especially ASP.NET, this brought on a new set of issues. ASP.NET has its own set of configuration files, namely machine.config and web.config. Working with different sets of XML files and their individual configurations suddenly started becoming a little bit complicated.Enter IIS7. In this version the IIS7 configuration system has been made compatible with ASP.NET's configuration system. This is how it works:

ApplicationHost.config: This is the IIS7 main configuration file that contains all the settings for the server as well as for the sites on the server. It has the same syntax and schema as the ASP.NET configuration.

Machine.config: This is the full configuration file for .NET that stores all possible values of different configuration directives on this machine.

Web.config: This is the site/application specific configuration file that now stores data for both .NET as well as for IIS7.

Basically, Web.config works like this. It has two sections that deal with two different sets of configuration data. The system.web section stores the configuration that has anything to do with ASP.NET while the system.webServer section stores data for IIS7-both specific to the site or application that the Web.config belongs to. Now that you have an understanding as to how IIS7 stores its configuration data, we can take a look at the different ways an administrator can manage it.

The first way that an administrator can manage the IIS7 server is remotely. In earlier versions of IIS6 you had a few choices-do a remote desktop, connect via the IIS MMC over a binary IP protocol or use the IIS Admin website. In IIS7 the last two have been done away with. Instead an administrator can connect to a site or application remotely over a secure HTTPS connection using IIS Manager. That is, from a remote machine that has the new IIS Manager installed, you can connect to a running IIS7 server over a secure HTTP connection. To do this, one must first install a Windows Server 2008 feature called IIS7 Remote Management Service. Once this is installed, you will get a new icon within the Management Options group on the server. Open this icon and turn the Remote Management option on. You can also change the other settings if you wish. You will need a digital certificate for the HTTPS connection to the service. IIS7 automatically creates a new self-signed certificate for each server, however, if you wish you can also use any other certificate installed on the machine as well. Once the configurations are done, save the setup and start the service. You can now connect from any machine running IIS Manager by giving the name of the server, site or application. Connection options are Windows or IIS credentials. You can set the latter in the same Management section.

The next thing an administrator can do is to delegate the administration of certain configuration options to others. For instance, if you're an ISP running a server with hundreds or thousands of sites, managing each site yourself would be a pain. Instead, you can delegate certain options to owners of the sites themselves and they can go ahead and make whatever changes they want.

For example, you might want owners to take care of simple options like Default Document, Logging and Compression, but not want them to change sensitive ones like SSL, Modules, etc. To do this, at the server level, select Feature Delegation. In this screen, you will get to see a list of all the features available on the server. You can select each feature and turn the feature delegation to one of the following three values:

Not Delegated: The user cannot view or change this particular feature. The value for the feature is stored in the applicationHost.config file and only administrators can change it.

Read Only: The user can view but cannot change the value for this feature. The value is stored within the system.webServer section of the site's web.config file. Attempts to change the value will result in the site throwing an exception to anyone trying to reach it.

Read/Write: The feature is fully delegated and the user can change the value to any valid option. The setting is stored as in the 'Read Only' option but is writable.

Now when a user connects to his site with either Windows or IIS Manager credentials, depending upon the delegations configured on the server, he will be able to see only the last two types of features for his site and make changes only to the last type.

Finally, administrators can quickly scale out their Web server into multiple machines with minimal effort. In earler versions to ensure that servers run the same configuration, one had to setup complicated replication policies. In IIS7, however, administrators can use what is known as Shared Configuration. To do this, simply select the icon from the management section on the server that has the configuration setup as you wish. Now in the context bar, click 'Export Configuration...' In the dialog that pops up, you can select a path to store the configuration to. If this is a UNC network share you can give the credentials to connect to it. You also need to give a strong password for encrypting the exported configuration.

Once the export is done, on all the servers that need to share the configuration-including the one that you just exported the configuration from- turn on the option that says 'Enable Shared Configuration' and give it the path where the files were stored with the appropriate credentials. Now if you make configuration changes on any server, it will immediately apply on all other servers as well since the configuration files are actually being shared.

As you can see, IIS7 has a number of new configuration options that administrators can use to make their life easier and make the management of servers, sites and applications much more efficient and secure.