Server Name Indication (SNI) is an extension to the TLS protocol that includes the hostname during the handshaking process. This allows for a web server to host multiple SSL-enabled web sites using one IP address. Prior to IIS 8, it was not possible to use this capability in IIS.

Configuration

SNI is enabled in IIS by default. To use this capability, simply provide the appropriate hostname in the configuration of the HTTPS binding for a site.

Each HTTPS binding that you would like to use SNI with should have the host name provided. All bindings should have the option for "Require Server Name Identification" checked except fot the site you would like to act as the "default" HTTPS site. Just as is the case with HTTP bindings, this is the site that will be used when a client does not provide a host header as part of the request. If you do not have at least one HTTPS binding with the option unchecked, IIS Manager will issue a warning informaing you of that fact.

Compatability

Before using SNI with IIS 8, you should be aware of the client requirements for this to work properly. Specifically, the TLS library used by an application must support SNI and the application must pass the hostname to the TLS library when making requests. The following web browsers support SNI:

• Internet Exmplorer 7 or later running on Windows Vista or later
• Google Chrome (6.0 or later requird if running on Windows XP, 5.0.342.1 or later if running on OS X 10.5.7 or later)
• Mozilla Firefox 2.0 or later
• Safari 3.0 or later (Vista or later and OS X 10.5.6 or later)
• MobileSafari running on iOS 4.0 or later
• Opera 8.0 or later

Are you getting the following error when configuring the IIS8 connector for CF10 on Windows Server 2012 or Windows 8?

"Version 8.0 is installed. Supported versions are 4.x, 5.x, 6.x, 7x"

We have some additional guidance that should help you work around it.

1) Please make sure that you are using correct Windows 2012 Server/Windows 8 supported ColdFusion 10 installer (The updated full ColdFusion 10 Installers)

MD5s of the full installer should be as follows:

For Win 64-bit MD5 --> ef74d583a8d069c7138a4ea8da9c5359

For Win 32-Bit MD5 --> ca9363a0a3817533436238b477b88792

2) You can opt to configure IIS 8 while installing or after installation.

     Installer has in-built support for IIS 8 on Win 8/Win 2012.

3) By all means install the latest CF10 updates, but do not apply updates older than Update 8. If you apply any of the older updates like update 7 or 6, you will likely see the following error while trying to run the IIS 8 web server connector:

"Version 8.0 is installed. Supported versions are 4.x, 5.x, 6.x, 7x" 

4) If all the above steps have been followed and if you are still getting the error, please verify that update 8 is installed properly by checking the log file under \cfusion\hf-updates\hf-10- 00008\Adobe_ColdFusion_10_Update_8*.log

And MD5  of the connector jar located at <CF10_Install_Home>\cfusion\runtime\lib\wsconfig.jar should be

     a) If you have applied Update 8 -> ba8f8c8bcd34c266faa0031107bbf948.

     b) If you have NOT applied any Updates -> 35cc2f630325506081f3b29d41e50c3c

Internet Information Services (IIS) 8.0 Express is a free, simple and self-contained version of IIS that is optimized and available for developers. IIS 8.0 Express makes easy to use the most current version of websites tools like Visual Studio and WebMatrix. IIS 8.0 Express has all the core features of IIS as well as additional features for easy website development which includes:

- IIS 8.0 Express doesn't run as a service or require administrative privileges to perform most tasks.
- IIS 8.0 Express allows Multiple Users to work independently on the same computer.
- IIS 8.0 Express works well with ASP.NET and PHP applications.

IIS 8.0 is only available in Windows Server 2012 and Windows 8. It includes Application Initialization, centralized SSL certificate support, multi core scaling and also other new features.

Previously, we have discussed about new features in IIS 8. Now I will show more information about this new features.

1. FTP Logon Attempt Restrictions

This module ensures the security and manageability. Due to this feature you can now use greylisting and access patterns enabling you to smoothly and dynamically manage access for number of sites to the internet and FTP servers.

2) Improved CPU Throttling

In IIS8 there are kernel level changes to support real CPU throttling. There are two actions possible for sites that reach the CPU threshold. These are:

• Throttling is based on the user and not specifically on the application pool. The throttle feature will keep the CPU for a particular worker process at the specified level.
• Throttle under load will allow a site to use all possible CPU, while throttling the worker process if the server is under load. If you used WSRM (Windows System Resource Manager) in the past, you no longer need to do so.

3. Application Initialization Module

Priorly known as the application warm-up module which was used for a time, and now it is completely ready as Application Initialization Module. This allows loading sites and pages before the traffic arrives and handling of requests in a friendly and more smoother way while the application first loads. It is possible to set up home page or use URL rewrites.

4. SSL scalability

In previous versions of IIS each SSL (Secure Socket Layer) site required its own IP address, and since each certificate was loaded into the memory on the first visit to an SSL site, startup performance can be slow. In IIS8 the SSL certificate is easily scalable to thousands of secure sites per system because only the certificate that is needed is loaded. Additionally, also loading of large numbers of certificates is essentially improved.

5. SNI / SSL host header support

Using host headers and a shared IP address with SSL certificate has always been ambiguous. IIS8 now offers Server Name Indication (SNI) support through which many SSL sites can share the same IP. SNI is a pretty new feature which allows host headers to work with SSL. The most recent browsers are supporting SNI.

6. Use ASP.NET 3.5 and 4.5

IIS 8.0 on Windows Server 2012 runs ASP.NET applications on all .NET Framework versions supported on Windows Server 2012. This means ASP.NET applications can run on IIS 8.0 using either .NET Framework 3.5, or .NET Framework 4.5. IIS 8.0 hosts versions of the .NET Framework in different application pools, thus allowing multiple ASP.NET applications with different .NET Framework versions to run simultaneously on Windows Server 2012.

7. Web Sockets

Allows you to build more interactive and powerful web applications because of a continuous and bidirectional communication between the web browser and the web server. Web Sockets require Windows Server 2012 or higher versions.

8. Dynamic IP Restriction (DIPR)

With DIPR we can Customize IIS reply like Unauthorized (HTTP 401), Forbidden (HTTP 403), Not Found (HTTP 404), or Abort (IIS terminates the HTTP connection). Also we can allow or deny specific IP address or a range of IP addresses, even if they violate a dynamic restriction setting. We can block dynamic IPs based on the number of concurrent requests or the number of requests over a period of time.Finally it is a very useful feature for web servers behind firewall, because of the proxy mode property that enables IIS to cross checks the values in the X-Forwarded-For HTTP header. So it can verify the IP address of the client who initially made the request.

9. Multicore Scaling on NUMA hardware

Internet Information Services (IIS) on Windows Server 2012 supports Multicore Scalling on NUMA hardware and provides the optimal configuration for the IT administrators. Following options describes the different configuration options to achieve the best performance with IIS 8.0 on NUMA hardware.IIS supports following two ways of partitioning the workload:

• Run multiple worker processes in one application pool: If you are using this mode, by default, the application pool is configured to run one worker process. For maximum performance, you should consider running the same number of worker processes as there are NUMA nodes, so that there is 1:1 affinity between the worker processes and NUMA nodes. This can be done by setting "Maximum Worker Processes" AppPool setting to 0. Due to this setting, IIS determines how many NUMA nodes are available on the hardware and starts the same number of worker processes.
• Run multiple applications pools in single workload/site: In this configuration, the workload/site is divided into multiple application pools. For example, the site may contain several applications that are configured to run in separate application pools. Effectively, this configuration results in running multiple IIS worker processes for the workload/site and IIS intelligently distributes the processes for maximum performance.

Hello all, sometimes I find in forum that people complain about Error 404.3 – Not Found. I decided to write the post about this issue and hope it will solve your problem.

Hmm… I assume that you have installed Windows Server 2012. When you upload your files, try to browse your site, you see this error:

One of the issues might be :

It complaints about missing handler mappings for the created web site. this is obvious when you look at it closely as follows

Go to the Desired web application listed under "Default web site" under IIS 8 and open "handler mappings"

Here most of the handler mappings are not listed. As a remedy to this click "Revert to Parent" and you will see the all handler mappings are inherited from the parent node.

This might solve the 404.3 error that you get

This blog cover brief information how to host your WCF service in IIS8 (Windows Server 2012).

Here is the solution.

Server Roles

1. First make sure you have enabled IIS function and .net 3.5 in Features.
For the IIS features, please remember to enable ASP.NET3.5 and ASP.NET 4.5

2. Second, check the IIS Hostable WebCore
3. Finally, I think the most important is this:

Check Application Sever->Web Server (IIS) Support

I have also check the HTTP Activation in Windows Process Activation Service Support, but I do not know if it is required.

For the freatures,

1. Check all items in .NET 3.5
2. Check WCF Service in .NET 4.5

That’s it.

Last but not least, I have register the WCF Service from

C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\ServiceModelReg.exe –i

Run the above in command line.

This article discuss brief information about the improvements in IIS 8. Internet Information Services (IIS) 8 includes many new and improved features that make moving to Windows Server 2012 compelling for organizations that rely on Windows Servers as their web server.

Improvement 1: Centralized SSL Certificate Management

With IIS on Windows 8 or Windows Server 2012, you can take advantage of the SSL certificate management console. This is a central management console that is able to install certificates and work with certificates across all IIS 8 web servers.

This includes the ability to more rapidly bring new servers online by being able to import all certificates that are needed. If a certificate needs to be renewed on multiple systems, it can be done through the IIS 8 certificate management console. You no longer have to log onto each system to update the certificate.

Note: Centralized SSL Certificate management is installed as a separate feature. You can install IIS without Centralized SSL Certificate Support. Centralized SSL Certificate Support is in the security section of “Windows Features.”

Improvement 2: Application Initialization

One frustrating problem that many web server admins face is the problem of slow-responding sites as web applications are initializing. A common workaround is to use tools and scripts to “cold start” the applications early in the morning so that the sites are ready to perform: The in-memory cache is loaded, and in some cases the content must be generated, before the IIS server is ready to respond to HTTP requests.

With IIS 8, Application Initialization lets you establish rules for “warming up” sites. For example, you can have larger applications begin the initialization process earlier than smaller applications. You can also configure through application initialization a new splash screen to be displayed in case people find themselves waiting while the application is initializing.

I can see a much better user experience by logging onto a SharePoint site early in the morning and having the first page displayed being a simple “Please wait while this application is being prepared for use” splash screen instead of just a blank page and a spinning circle.

Improvement 3: Dynamic IP Address Restrictions

Restricting access to a website by its IP address is nothing new -- admins have long been able to do that. You can even restrict by a block of IPs in an address range.

The problem that persists is tracking down all of the IP addresses to block. This would usually take a long time of parsing through logs, and even if going through the logs and filtering out the IP addressed were scripted, it is done in a reactive manner.

Instead, using the Dynamic IP Address Restrictions feature in IIS 8 for Windows 8 and Windows Server 2012, you can specify on a per web application level the maximum number of connections that an IP address can create within a certain time frame. And you can also specify the maximum number of attempts that can be made into the IIS 8 server from an IP address within a specific time. Any attempts beyond what is allowed are automatically filtered out, making your web applications and your web server much more resistant to malicious activity.

Dynamic IP Address Restrictions is added as an additional feature of IIS that is not installed by default. To install the feature, open Windows Features, then place a check in the box to select Web Server (IIS) -> Web Server -> Security -> IP and Domain Restrictions. After all that, click Finish.

This article contains brief information about CPU Throttling in the IIS 8. What the differences approach between CPU Throttling in IIS 7 and IIS 8.

CPU Throttling in IIS 7 (and 7.5)

IIS 7 introduced support for CPU Throttling at an Application Pool level.  You could specify a limit of CPU usage and a corresponding action to take when that limit was exceeded.  The two available options were NoAction or KillW3wp.  The names accurately reflect what each option does: Doing nothing in the case of NoAction, or killing the worker process for KillW3wp. 

Let’s take a look at what the KillW3wp option looks like in practice. 

First, I will configure the DefaultAppPool with a limit of 10% CPU.  I have also set the Limit Interval to 1 minute to make it easier to demonstrate how the process is killed and then allowed to restart.

Next, I will apply load to the server using a load generation tool (WCAT, available for download here). 

Here is how things look in the Performance Monitor:

As you can see, the CPU usage is high when the process starts, then the line goes away.  What is happening is that the process is using a high amount of CPU, and after some time IIS realizes that they would use more than their 10% limit within 1 minute (the Limit Interval we configured earlier), so it kills the process for the remainder of the Limit Interval.  The process is prevented from restarting until the Limit Interval expires.  During this time, any user requests will fail with a HTTP 500 error.  After the Limit Interval is reached, the process is allowed to restart, it uses a high amount of CPU again, and it gets killed again.  This cycle will continue to repeat for this application that uses high CPU.

CPU Throttling in IIS 8.0

In IIS 8.0, we’ve worked closely with the Windows Kernel team to deliver a much better CPU throttling experience.  Unlike IIS 7 where the only solution was killing W3WP, in Windows 8 we have two additional throttling options: Throttle and ThrottleUnderLoad.  The Throttle option will always restrict the application to the specified amount of CPU utilization, while the ThrottleUnderLoad option will allow the process to use more than the specified amount of CPU, provided that there is no contention for CPU resources.

The CPU throttling settings are made on the Application Pool.  So if you use the recommended configuration of having each application use its own App Pool, each application will have its own setting for maximum CPU utilization. 

For this example we will use the Throttle option:

As with the IIS 7 scenario, I am using WCAT to apply load to the server.  Here is the CPU graph during the test:

As you can see from the graph, the CPU utilization stays around 10% all the time, instead of climbing higher and having the process be killed like IIS 7. 

Let’s try another example, using PHP this time.  As you know, PHP will use multiple processes for serving requests.  We will see that the CPU utilization stays near 10% even when multiple processes are running.  The sum of CPU usage for all of these processes will be limited to 10%.  Here is a view of Task Manager showing the FastCGI processes running when I put load on the system.  Note how the sum of all 5 processes is 10.4%.

Conclusion

In this post you’ve seen a comparison between the CPU throttling approaches in IIS 7 and IIS 8.  The investments in CPU throttling in IIS 8 provide a much better sandbox that you can use to limit CPU use by an application.

With IIS 7 url rewriting and redirecting has never been easier thanks to Microsoft’s Url Rewrite module. The rewriting is done by rules which are specified in the web.config under <system.webserver> element. Using IIS Manager you can use the Url Rewrite gui to create and maintain your rules.

You can also just put the rules directly into the web.config without using the gui. For example:

<system.webserver>
 <rewrite>
 <rules>
 <rule name="xyz">...blah...</rule>
 </rules>
 <rewrite>
</system.webserver>

IIS 7 Url Rewrite WWW

One of the most common needs for SEO is to force your site to use www for all page requests so that search engines will go to www.mydomain.com instead of domain.com. This is very easy to do with IIS 7′s Url Rewrite. Here is the rule:

<rewrite>
<rules>
<rule name=”Redirect to www” patternSyntax=”Wildcard” stopProcessing=”true”>  
<match url=”*” />
<conditions>
<add input=”{HTTP_HOST}” pattern=”abc.com” />
  </conditions>
 <action type=”Redirect” url=”http://www.abc.com/{R:0}” />
</rule>
</rules>
<rewrite>

This works really well and it is a completely seamless experience for your web site visitors.  Here is how the rule looks in the IIS Manager gui.

IIS 7 Url Rewrite HTTP to HTTPS

Probably the 2nd most common use of Url Rewrite is for sites that have SSL certificates installed and need to seamlessly redirect page requests using the certificate for either the entire site or a particular folder. Here is the Url Rewrite rule for redirecting requests on the entire site. You simply detect if the request is not secure and then redirect to the secure channel:

<rewrite>
 <rules>
 <rule name="HTTP Redirect to HTTPS" enabled="true" stopProcessing="true">
 <match url="(.*)" ignoreCase="false" />
 <conditions>
 <add input="{HTTPS}" pattern="off" />
 </conditions>
 <action type="Redirect" url="https://{HTTP_HOST}/{R:1}" appendQueryString="true" redirectType="Permanent" />
 </rule>
 </rules>
 </rewrite>

IIS 7 Url Rewrite HTTP to HTTPS on Subfolder

The example above is great but running your entire site in HTTPS will have a performance impact so you don’t need to do it unless there is a specific business requirement for it. So then we need a rule to redirect requests to HTTPS for just one folder. In this example we’ll use a folder called “/secure”. In this instance we use the same rule as above however now we only want page requests for the “secure” folder. This is done by modifying the “match url” element.

<rewrite>
 <rules>
  <rule name="HTTPS on subfolder" enabled="true">
         <match url="(^secure/.*)" ignoreCase="false" />
         <conditions>
             <add input="{HTTPS}" pattern="off" />
         </conditions>
         <action type="Redirect" url="https://{HTTP_HOST}/{R:1}" appendQueryString="true" redirectType="Permanent" />
     </rule>
 <rules>
 <rewrite>

We’ve covered 3 of the most common uses of IIS 7 Url Rewrite but if you notice the rules above are really for redirecting and not url rewriting.

With the beta release of Windows Server 8 today, Internet Information server (IIS) 8 is available to the public for testing and even production workload testing.  Many system administrators have been anxious to kick the tires and to find out which features are coming.

Real CPU Throttling

Previous versions of IIS have CPU throttling but it doesn’t do what most of us want.  When a site reaches the CPU threshold the site is turned off for a period of time before it is allowed to run again.  This protects the other sites on the server but it isn’t a welcome action for the site in question since the site breaks rather than just slowing down. 

Finally in version IIS 8 there are kernel level changes to support real CPU Throttling.  Now there are two new actions for sites that reach the CPU threshold.  They are Throttle and Throttle under load.  If you used WSRM to achieve this in the past, you no longer need to do so, and the functionality is improved over what is available with WSRM.

The throttle feature will keep the CPU for a particular worker process at the level specified.  Throttling isn’t applied to just the primary worker process, but it also includes all child processes, if they happen to exist.

The Throttle under load feature will allow a site to use all possible CPU if it’s available while throttling the worker process if the server is under load.

The throttling is based on the user and not specifically on the application pool. This means that if you use dedicated users on more than one app pool then it throttles for all of app pools sharing the same user identity. Note that the application pool identity user is unique so if you use the app pool identity user—which is common—then each app pool will be throttled individually.

This is a welcome new feature and is nicely implemented.

SSL Scalability

Unless you deal with large scale site hosting with many SSL certificates you may not have realized that there is room for improvement in this area. 

Previous versions of IIS have limited secure site density.  Each SSL site requires its own IP address and after adding a few SSL sites, startup performance becomes slow and the memory demand is high.  Every certificate is loaded into memory on the first visit to an SSL site which creates a large memory footprint and a long delay on the first load. 

In IIS 8 the SSL certificate count is easily scalable to thousands of secure sites per machine with almost instantaneous first-loads.  Only the certificate that is needed is loaded and it will unload after a configurable idle period.  Additionally, enumerating or loading huge numbers of certificates is substantially improved.

SNI / SSL Host Header Support

IIS 8 now offers Server Name Indication (SNI) support which allows many SSL sites to share the same IP.  SNI is a fairly new feature (within the last few years) which allows host headers to work with SSL. It does this by carrying the target host name in the TLS handshake rather than the encrypted part of the packet.

IIS 8 makes SNI support a first class citizen in the site bindings.

SSL Manageability - Central Certificate Store (CCS)

In IIS 7 managing SSL is labor intensive, particularly for server farms.  All certificate must be imported on every machine in the farm.  When setting up new servers you must account for time needed to import certificates when scaling out, and even on small server farms.  In previous versions keeping certificates in sync between servers is difficult to manage and often requires manual steps.

In IIS8 there is a new Central Certificate Store (CCS).  Central Certificate Store allows storing certificates on a central file share instead of each machine.  You can point the servers to a single network share, or use replication like DFS-R to sync the folders between machines.

Renewal and syncing is as simple as xcopying pfx files to the location that you specify when enabling CCS on the web server.  Enabling CCS is straight forward too.  It works very similar to enabling Shared Configuration.

CCS compliments the SNI functionality to support sites with multiple certs and a single IP.

The mapping of bindings to certificates uses a bit of magic … by convention rather than configuration. This is important for extremely large lists of certificates. Now you don't need to select them from a huge list. The value of the host header needs to match the name of the cert. Your CCS folder will have many .pfx files with names that match the domain name.  Basically the name of the .pfx files in the certificate store is the primary key.

If you use a wildcard cert then it needs to be named _.domain.com.pfx.

As you would assume, there is support for Multiple Domain Certificates (Unified Communications Certificate [UCC]). If you use multiple domain certificates using the subjectAltName feature of the certificate then you just create multiple copies of the pfx, one for each subjectAltName.

Note that you can use the old method which binds to by certificate identifier and it works the same as it did in the past.

Furthermore there is a neat feature for the central repository that allows grouping by expiration date, which groups by "Today / This Week / Next Week / Next Month / Later" which is handy for seeing which certificates are ready to expire.

With these changes to the certificates, it makes for a powerful solution for large scale webfarm hosting with multiple tenants.

Dynamic IP Restrictions

Information about this is already available on the web, but it's moving along and getting closer for the final release.

FTP Logon Restriction

A new FTP IP Restrictions module is coming! This is similar in concept to Dynamic IP Restrictions for HTTP. One of the key differences is that it does gray listing rather than black listing. When someone is blocked, they are only blocked for the sample period (e.g. 30 seconds). This is nice because it's enough to thwart or slow brute force and common name password attacks, but legit invalid attempts can continue to attempt to log in without waiting for long periods of time.

What's extra nice about having this feature is that you can set it slightly more sensitive than your domain username lockout policy so that brute force attacks don't cause your username to be locked out from too many invalid attempts. The FTP IP Restrictions can throttle the hack attempts without locking out your domain users.

Application Initialization Module

Previously known as the application warm-up module which was pulled for a time, now it's ready in full force as Application Initialization Module.

This allows spinning up sites and pages before traffic arrives and handling of requests in a friendly way while the application first loads. It's not uncommon for a site to take a minute or longer on the first load (yes SharePoint admins, we feel your pain).  This allows you to protect the end user from being the person that triggers this.

It's possible to set a warm-up page at the server level as a single setting, or you can use powerful URL Rewrite rules for more flexibility.

You can also ensure that your load balancer’s health test page doesn’t serve up a valid response until the site is fully initialized according to your preferences.  Then the load balancer will bring a node into rotation only after the entire warm-up has completed.

Configuration Scale

The IIS configuration files (e.g. applicationHost.config) can handle very large files with ease now.  There are substantial performance improvements in the upcoming version. Only administrators with large numbers of sites on the same server or server farm (think thousands) would have noticed before, but for large scale performance the new changes are paving the way for huge scale.

Web Sockets

While previous versions of IIS already did a great job of handling massive amounts of traffic, IIS 8 now can handle thousands (or tens of thousands) of sites and their extensive configurations on a single server farm.  With HTTP and FTP logon restrictions, CPU throttling, the Application Initialization Module, and large scale SSL and configuration improvements, IIS 8 brings a number of welcome improvements.

Hope you’ll like the newest IIS 8. If you want to give a test drive on IIS 8, please check our site at http://www.hostforlife.eu