Sunday, June 15, 2008

Core IIS 7.0 Architecture

You can think of IIS as a layer over the operating system where, in most cases, you might need to perform an operating system–level task before you perform an IIS task. Web sites, Web applications, and virtual directories are the core building blocks of IIS servers. Every IIS server installation has these core building blocks. As you set out to work with IIS servers and these basic building blocks, you'll also want to consider what access and administrative controls are available.


Working with Web Sites

You can use a single IIS server to host multiple Web sites. Web sites are containers that have their own configuration information, which includes one or more unique bindings. A Web site binding is a combination of an Internet Protocol (IP) address, port number, and optional host headers on which HTTP.sys listens for requests. Many Web sites have two bindings: one for standard requests and one for secure requests. For example, you could configure a Web site to listen for standard HTTP requests on IP address 192.168.10.52 and TCP port 80. If you've also configured the server for Secure Sockets Layer (SSL), you also could configure a Web site to listen for Secure HTTP (HTTPS) requests on IP address 192.168.10.52 and TCP port 443.

When you install IIS on a server, Setup creates a default Web site and configures the bindings for this site so that HTTP.sys listens for requests on TCP port 80 for all IP addresses you've configured on the server. Thus if the server has multiple IP addresses, HTTP.sys would accept requests from any of these IP addresses, provided that the requests are made on TCP port 80. Increasingly, modern Web sites use host headers. Host headers allow you to assign multiple host names to the same IP address and TCP port combination. Here, IIS uses the host name passed in the HTTP header to determine the site that a client is requesting. For example, a single server could use host headers to host catalog.adatum.com, sales.adatum.com, and www.adatum.com on IP address 192.168.15.68 and TCP port 80.
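The binding rules above can be checked offline against a copy of the server configuration. The following Python sketch is an added example, not code from the book: it reads a constructed fragment in the applicationHost.config sites layout and reports catch-all bindings like the default site's, sites with no HTTPS binding, and bindings claimed by more than one site. The site names Catalog, Sales and Sales-Old and the function name audit_bindings are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample in the applicationHost.config <sites> layout; the host
# names and addresses reuse the examples from the text above.
SAMPLE = """
<sites>
  <site name="Default Web Site" id="1">
    <bindings><binding protocol="http" bindingInformation="*:80:" /></bindings>
  </site>
  <site name="Catalog" id="2">
    <bindings>
      <binding protocol="http" bindingInformation="192.168.15.68:80:catalog.adatum.com" />
      <binding protocol="https" bindingInformation="192.168.15.68:443:catalog.adatum.com" />
    </bindings>
  </site>
  <site name="Sales" id="3">
    <bindings><binding protocol="http" bindingInformation="192.168.15.68:80:sales.adatum.com" /></bindings>
  </site>
  <site name="Sales-Old" id="4">
    <bindings><binding protocol="http" bindingInformation="192.168.15.68:80:sales.adatum.com" /></bindings>
  </site>
</sites>
"""

def audit_bindings(xml_text):
    """Return a sorted list of (site, finding) tuples for review."""
    findings, seen = [], defaultdict(list)
    for site in ET.fromstring(xml_text).iter("site"):
        name, protocols = site.get("name"), set()
        for b in site.iter("binding"):
            if b.get("protocol") not in ("http", "https"):
                continue  # other protocols use a different bindingInformation layout
            protocols.add(b.get("protocol"))
            # bindingInformation is "IP:port:host header"; IPv6 addresses are
            # bracketed and contain colons, so split from the right.
            ip, port, host = b.get("bindingInformation").rsplit(":", 2)
            seen[(ip, port, host.lower())].append(name)
            if ip == "*" and not host:
                findings.append((name, f"catch-all binding on port {port}: all IPs, no host header"))
        if "https" not in protocols:
            findings.append((name, "no HTTPS binding"))
    for (ip, port, host), names in seen.items():
        if len(names) > 1:
            findings += [(n, f"binding {ip}:{port}:{host} shared with another site") for n in names]
    return sorted(findings)
```

Calling audit_bindings(SAMPLE) returns six findings for the constructed sample and none for the Catalog site, which has both an HTTP and an HTTPS binding.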


Working with Web Applications and Virtual Directories

IIS handles every incoming request to a Web site within the context of a Web application. A Web application is a software program that delivers Web content to users over HTTP or HTTPS. Each Web site has a default Web application and one or more additional Web applications associated with it. The default Web application handles incoming requests that you haven't assigned to other Web applications. Additional Web applications handle incoming requests that specifically reference the application.

Each Web application must have a root virtual directory associated with it. The root virtual directory sets the application name and maps the application to the physical directory that contains the application's content. Typically, the default Web application is associated with the root virtual directory of the Web site and any additional virtual directories you've created but haven't mapped to other applications. Accordingly, in the default configuration, the default application handles an incoming request for the / directory of a Web site in addition to other named virtual directories, such as /images or /data. IIS maps references to /, /images, /data, or other virtual directories to the physical directory that contains the related content. For the / directory of the default Web site, the default physical directory is %SystemRoot%/Inetpub/Wwwroot.

When you create a Web application, the application's name sets the name of the root virtual directory. Therefore, if you create a Web application called Sales, the related root virtual directory is called Sales, and this virtual directory in turn maps to the physical directory that contains the application's content, such as %SystemRoot%/Inetpub/Wwwroot/Sales.
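Knowing which physical directory a URL lands in tells you which operating system permissions govern it. The following Python sketch is an added example, not code from the book: it models the mapping described above as a longest-prefix match, first over the site's applications and then over the chosen application's virtual directories. It is a simplified model rather than the IIS implementation, and the physical paths and the function name resolve are constructed placeholders.

```python
import posixpath
import xml.etree.ElementTree as ET

# Constructed <site> element in the applicationHost.config layout. The Sales
# application and /images directory follow the text; all physical paths are
# made-up placeholders.
SITE = r"""
<site name="Default Web Site" id="1">
  <application path="/">
    <virtualDirectory path="/" physicalPath="C:\Inetpub\Wwwroot" />
    <virtualDirectory path="/images" physicalPath="D:\Content\Images" />
  </application>
  <application path="/Sales">
    <virtualDirectory path="/" physicalPath="C:\Inetpub\Wwwroot\Sales" />
  </application>
</site>
"""

def _under(prefix, path):
    """True if path equals prefix or sits below it on a segment boundary."""
    p = prefix.rstrip("/").lower()
    return path.lower() == p or path.lower().startswith(p + "/")

def _longest(elements, path):
    """Pick the element whose path attribute is the longest matching prefix."""
    matches = [e for e in elements if _under(e.get("path"), path)]
    return max(matches, key=lambda e: len(e.get("path").rstrip("/")))

def resolve(site_xml, url_path):
    """Map a URL path to (application path, virtual directory path, physical path)."""
    site = ET.fromstring(site_xml)
    # Collapse "." and ".." segments before matching any prefix.
    path = posixpath.normpath("/" + url_path.lstrip("/"))
    app = _longest(site.findall("application"), path)
    rest = path[len(app.get("path").rstrip("/")):] or "/"
    vdir = _longest(app.findall("virtualDirectory"), rest)
    tail = rest[len(vdir.get("path").rstrip("/")):].lstrip("/")
    physical = vdir.get("physicalPath")
    if tail:
        physical += "\\" + tail.replace("/", "\\")
    return app.get("path"), vdir.get("path"), physical
```

A request for /salesforce/index.htm stays in the default application because /Sales only matches on a whole path segment.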


Controlling Access to Servers, Sites, and Applications

By default, IIS is configured to allow anyone to anonymously access the Web sites and applications configured on an IIS server. You can control access to Web sites and Web applications by requiring users to authenticate themselves. IIS supports a number of authentication methods for Web sites, including Basic authentication, Digest authentication, Client Certificate authentication, and Windows authentication. When working with Microsoft ASP.NET and Web applications, you also can use ASP.NET impersonation and Forms authentication.

Regardless of the authentication techniques you use, however, Windows Server 2008 permissions ultimately determine if users can access files and directories. Before users can access files and directories, you must ensure that the appropriate users and groups have access at the operating system level. After you set operating system–level permissions, you must set IIS-specific security permissions.

As an administrator, you can manage the configuration of IIS from the command prompt or within IIS Manager. For administration of Web servers, Web sites, and Web applications using the command line, Windows Management Instrumentation (WMI), or direct editing of the configuration files, you must have write permissions on the target configuration files. For administration of Web servers, Web sites, and Web applications using IIS Manager, IIS 7.0 specifies three administrative roles:

Web server administrator: A Web server administrator is a top-level administrator who has complete control over an IIS server and can delegate administration of features to Web site administrators and Web application administrators. A Web server administrator is a member of the Administrators group on the local server or a domain administrator group in the domain of which the server is a member.

Web site administrator: A Web site administrator is an administrator who has been delegated control of a specific Web site and any applications related to that Web site. A Web site administrator can delegate control of a Web application to a Web application administrator.

Web application administrator: A Web application administrator is an administrator who has been delegated control of a specific Web application. A Web site administrator can delegate control of a Web application to a Web application administrator.

The settings that administrators can configure depend on their administrative role on a particular server. Table 3-2 summarizes the areas of administration for each administrative role.


Table 3-2. Areas of Administration for Administrative Roles

| Administrator Area | Web Server Administrator | Web Site Administrator | Web Application Administrator |
|---|---|---|---|
| Web server | Yes, no restrictions | No server-level permissions | No server-level permissions |
| Web sites on a Web server | Yes, no restrictions | Yes, for site delegated | No site-level permissions |
| Web applications on a Web site | Yes, no restrictions | Yes, within delegated sites | Yes, for delegated applications |
| Virtual directories used by sites and applications | Yes, no restrictions | Yes, within delegated sites | Yes, for delegated applications |
| Physical directories used by sites and applications | Yes, no restrictions | Yes, within delegated sites | Yes, for delegated applications |
| Files in virtual and physical directories | Yes, no restrictions | Yes, for site delegated | No site-level permissions |
| Designate Web application administrators | Yes, no restrictions | Yes, within delegated sites | Yes, for delegated applications |


Source of Information: Microsoft Press Internet Information Services (IIS) 7.0 Administrator's Pocket Consultant