This article contains brief information about CPU Throttling in the IIS 8. What the differences approach between CPU Throttling in IIS 7 and IIS 8.

CPU Throttling in IIS 7 (and 7.5)

IIS 7 introduced support for CPU Throttling at an Application Pool level.  You could specify a limit of CPU usage and a corresponding action to take when that limit was exceeded.  The two available options were NoAction or KillW3wp.  The names accurately reflect what each option does: Doing nothing in the case of NoAction, or killing the worker process for KillW3wp. 

Let’s take a look at what the KillW3wp option looks like in practice. 

First, I will configure the DefaultAppPool with a limit of 10% CPU.  I have also set the Limit Interval to 1 minute to make it easier to demonstrate how the process is killed and then allowed to restart.

Next, I will apply load to the server using a load generation tool (WCAT, available for download here). 

Here is how things look in the Performance Monitor:

As you can see, the CPU usage is high when the process starts, then the line goes away.  What is happening is that the process is using a high amount of CPU, and after some time IIS realizes that they would use more than their 10% limit within 1 minute (the Limit Interval we configured earlier), so it kills the process for the remainder of the Limit Interval.  The process is prevented from restarting until the Limit Interval expires.  During this time, any user requests will fail with a HTTP 500 error.  After the Limit Interval is reached, the process is allowed to restart, it uses a high amount of CPU again, and it gets killed again.  This cycle will continue to repeat for this application that uses high CPU.

CPU Throttling in IIS 8.0

In IIS 8.0, we’ve worked closely with the Windows Kernel team to deliver a much better CPU throttling experience.  Unlike IIS 7 where the only solution was killing W3WP, in Windows 8 we have two additional throttling options: Throttle and ThrottleUnderLoad.  The Throttle option will always restrict the application to the specified amount of CPU utilization, while the ThrottleUnderLoad option will allow the process to use more than the specified amount of CPU, provided that there is no contention for CPU resources.

The CPU throttling settings are made on the Application Pool.  So if you use the recommended configuration of having each application use its own App Pool, each application will have its own setting for maximum CPU utilization. 

For this example we will use the Throttle option:

As with the IIS 7 scenario, I am using WCAT to apply load to the server.  Here is the CPU graph during the test:

As you can see from the graph, the CPU utilization stays around 10% all the time, instead of climbing higher and having the process be killed like IIS 7. 

Let’s try another example, using PHP this time.  As you know, PHP will use multiple processes for serving requests.  We will see that the CPU utilization stays near 10% even when multiple processes are running.  The sum of CPU usage for all of these processes will be limited to 10%.  Here is a view of Task Manager showing the FastCGI processes running when I put load on the system.  Note how the sum of all 5 processes is 10.4%.

Conclusion

In this post you’ve seen a comparison between the CPU throttling approaches in IIS 7 and IIS 8.  The investments in CPU throttling in IIS 8 provide a much better sandbox that you can use to limit CPU use by an application.

With IIS 7 url rewriting and redirecting has never been easier thanks to Microsoft’s Url Rewrite module. The rewriting is done by rules which are specified in the web.config under <system.webserver> element. Using IIS Manager you can use the Url Rewrite gui to create and maintain your rules.

You can also just put the rules directly into the web.config without using the gui. For example:

<system.webserver>
 <rewrite>
 <rules>
 <rule name="xyz">...blah...</rule>
 </rules>
 <rewrite>
</system.webserver>

IIS 7 Url Rewrite WWW

One of the most common needs for SEO is to force your site to use www for all page requests so that search engines will go to www.mydomain.com instead of domain.com. This is very easy to do with IIS 7′s Url Rewrite. Here is the rule:

<rewrite>
<rules>
<rule name=”Redirect to www” patternSyntax=”Wildcard” stopProcessing=”true”>  
<match url=”*” />
<conditions>
<add input=”{HTTP_HOST}” pattern=”abc.com” />
  </conditions>
 <action type=”Redirect” url=”http://www.abc.com/{R:0}” />
</rule>
</rules>
<rewrite>

This works really well and it is a completely seamless experience for your web site visitors.  Here is how the rule looks in the IIS Manager gui.

IIS 7 Url Rewrite HTTP to HTTPS

Probably the 2nd most common use of Url Rewrite is for sites that have SSL certificates installed and need to seamlessly redirect page requests using the certificate for either the entire site or a particular folder. Here is the Url Rewrite rule for redirecting requests on the entire site. You simply detect if the request is not secure and then redirect to the secure channel:

<rewrite>
 <rules>
 <rule name="HTTP Redirect to HTTPS" enabled="true" stopProcessing="true">
 <match url="(.*)" ignoreCase="false" />
 <conditions>
 <add input="{HTTPS}" pattern="off" />
 </conditions>
 <action type="Redirect" url="https://{HTTP_HOST}/{R:1}" appendQueryString="true" redirectType="Permanent" />
 </rule>
 </rules>
 </rewrite>

IIS 7 Url Rewrite HTTP to HTTPS on Subfolder

The example above is great but running your entire site in HTTPS will have a performance impact so you don’t need to do it unless there is a specific business requirement for it. So then we need a rule to redirect requests to HTTPS for just one folder. In this example we’ll use a folder called “/secure”. In this instance we use the same rule as above however now we only want page requests for the “secure” folder. This is done by modifying the “match url” element.

<rewrite>
 <rules>
  <rule name="HTTPS on subfolder" enabled="true">
         <match url="(^secure/.*)" ignoreCase="false" />
         <conditions>
             <add input="{HTTPS}" pattern="off" />
         </conditions>
         <action type="Redirect" url="https://{HTTP_HOST}/{R:1}" appendQueryString="true" redirectType="Permanent" />
     </rule>
 <rules>
 <rewrite>

We’ve covered 3 of the most common uses of IIS 7 Url Rewrite but if you notice the rules above are really for redirecting and not url rewriting.

With the beta release of Windows Server 8 today, Internet Information server (IIS) 8 is available to the public for testing and even production workload testing.  Many system administrators have been anxious to kick the tires and to find out which features are coming.

Real CPU Throttling

Previous versions of IIS have CPU throttling but it doesn’t do what most of us want.  When a site reaches the CPU threshold the site is turned off for a period of time before it is allowed to run again.  This protects the other sites on the server but it isn’t a welcome action for the site in question since the site breaks rather than just slowing down. 

Finally in version IIS 8 there are kernel level changes to support real CPU Throttling.  Now there are two new actions for sites that reach the CPU threshold.  They are Throttle and Throttle under load.  If you used WSRM to achieve this in the past, you no longer need to do so, and the functionality is improved over what is available with WSRM.

The throttle feature will keep the CPU for a particular worker process at the level specified.  Throttling isn’t applied to just the primary worker process, but it also includes all child processes, if they happen to exist.

The Throttle under load feature will allow a site to use all possible CPU if it’s available while throttling the worker process if the server is under load.

The throttling is based on the user and not specifically on the application pool. This means that if you use dedicated users on more than one app pool then it throttles for all of app pools sharing the same user identity. Note that the application pool identity user is unique so if you use the app pool identity user—which is common—then each app pool will be throttled individually.

This is a welcome new feature and is nicely implemented.

SSL Scalability

Unless you deal with large scale site hosting with many SSL certificates you may not have realized that there is room for improvement in this area. 

Previous versions of IIS have limited secure site density.  Each SSL site requires its own IP address and after adding a few SSL sites, startup performance becomes slow and the memory demand is high.  Every certificate is loaded into memory on the first visit to an SSL site which creates a large memory footprint and a long delay on the first load. 

In IIS 8 the SSL certificate count is easily scalable to thousands of secure sites per machine with almost instantaneous first-loads.  Only the certificate that is needed is loaded and it will unload after a configurable idle period.  Additionally, enumerating or loading huge numbers of certificates is substantially improved.

SNI / SSL Host Header Support

IIS 8 now offers Server Name Indication (SNI) support which allows many SSL sites to share the same IP.  SNI is a fairly new feature (within the last few years) which allows host headers to work with SSL. It does this by carrying the target host name in the TLS handshake rather than the encrypted part of the packet.

IIS 8 makes SNI support a first class citizen in the site bindings.

SSL Manageability - Central Certificate Store (CCS)

In IIS 7 managing SSL is labor intensive, particularly for server farms.  All certificate must be imported on every machine in the farm.  When setting up new servers you must account for time needed to import certificates when scaling out, and even on small server farms.  In previous versions keeping certificates in sync between servers is difficult to manage and often requires manual steps.

In IIS8 there is a new Central Certificate Store (CCS).  Central Certificate Store allows storing certificates on a central file share instead of each machine.  You can point the servers to a single network share, or use replication like DFS-R to sync the folders between machines.

Renewal and syncing is as simple as xcopying pfx files to the location that you specify when enabling CCS on the web server.  Enabling CCS is straight forward too.  It works very similar to enabling Shared Configuration.

CCS compliments the SNI functionality to support sites with multiple certs and a single IP.

The mapping of bindings to certificates uses a bit of magic … by convention rather than configuration. This is important for extremely large lists of certificates. Now you don't need to select them from a huge list. The value of the host header needs to match the name of the cert. Your CCS folder will have many .pfx files with names that match the domain name.  Basically the name of the .pfx files in the certificate store is the primary key.

If you use a wildcard cert then it needs to be named _.domain.com.pfx.

As you would assume, there is support for Multiple Domain Certificates (Unified Communications Certificate [UCC]). If you use multiple domain certificates using the subjectAltName feature of the certificate then you just create multiple copies of the pfx, one for each subjectAltName.

Note that you can use the old method which binds to by certificate identifier and it works the same as it did in the past.

Furthermore there is a neat feature for the central repository that allows grouping by expiration date, which groups by "Today / This Week / Next Week / Next Month / Later" which is handy for seeing which certificates are ready to expire.

With these changes to the certificates, it makes for a powerful solution for large scale webfarm hosting with multiple tenants.

Dynamic IP Restrictions

Information about this is already available on the web, but it's moving along and getting closer for the final release.

FTP Logon Restriction

A new FTP IP Restrictions module is coming! This is similar in concept to Dynamic IP Restrictions for HTTP. One of the key differences is that it does gray listing rather than black listing. When someone is blocked, they are only blocked for the sample period (e.g. 30 seconds). This is nice because it's enough to thwart or slow brute force and common name password attacks, but legit invalid attempts can continue to attempt to log in without waiting for long periods of time.

What's extra nice about having this feature is that you can set it slightly more sensitive than your domain username lockout policy so that brute force attacks don't cause your username to be locked out from too many invalid attempts. The FTP IP Restrictions can throttle the hack attempts without locking out your domain users.

Application Initialization Module

Previously known as the application warm-up module which was pulled for a time, now it's ready in full force as Application Initialization Module.

This allows spinning up sites and pages before traffic arrives and handling of requests in a friendly way while the application first loads. It's not uncommon for a site to take a minute or longer on the first load (yes SharePoint admins, we feel your pain).  This allows you to protect the end user from being the person that triggers this.

It's possible to set a warm-up page at the server level as a single setting, or you can use powerful URL Rewrite rules for more flexibility.

You can also ensure that your load balancer’s health test page doesn’t serve up a valid response until the site is fully initialized according to your preferences.  Then the load balancer will bring a node into rotation only after the entire warm-up has completed.

Configuration Scale

The IIS configuration files (e.g. applicationHost.config) can handle very large files with ease now.  There are substantial performance improvements in the upcoming version. Only administrators with large numbers of sites on the same server or server farm (think thousands) would have noticed before, but for large scale performance the new changes are paving the way for huge scale.

Web Sockets

While previous versions of IIS already did a great job of handling massive amounts of traffic, IIS 8 now can handle thousands (or tens of thousands) of sites and their extensive configurations on a single server farm.  With HTTP and FTP logon restrictions, CPU throttling, the Application Initialization Module, and large scale SSL and configuration improvements, IIS 8 brings a number of welcome improvements.

Hope you’ll like the newest IIS 8. If you want to give a test drive on IIS 8, please check our site at http://www.hostforlife.eu

IIS 8 gets released along with Windows Server 2012. This comes with several interesting features such as NUMA-support, WebSockets, security improvements and better web deployment tools.

An interesting improvement in IIS 8 is NUMA-aware multi-core scalability -

To take advantage of this multi-core processors, IIS can be setup to work in two different modes depending on your expected workload – run multiple worker processes in one application pool (ideally one worker for each NUMA node) or run multiple application pools in a single workload/site. There are other configurations as well which deal with responsibility for node optimization and soft or hard thread affinity. You can read more about NUMA-aware scalability in IIS and how Windows Server 2012 works with NUMA hardware in an eBook called “Introducing Windows Server 2012” (as well as some of the below features in detail).

IIS 8 also features

- Web Sockets support for ASP.NET – .NET developers can leverage System.Web.WebSockets introduced in .NET 4.5
- Throttling improvements for multi-tenant environments
- Improvements in the way SSL is handled.

There are also some other security enhancements such as

- Dynamic IP restrictions, which can not only deny connection to IPs that break certain rules, but can also be set to return a 401, 403, 404 or just terminate connection altogether without a response
- Ability to enable FTP logon restrictions (by number of tries)

 The IIS team also announced Web Deploy 3.0 RTW which supports deployment to IIS 8 and comes with several features to make deployments easier for system administrators. Some of these are -

- dbDacFx Provider for Incremental Database publishing – with support for SQL Server and SQL Azure
- Ability to take an Application Offline before Deploy
- Parameterization improvements – such as ability to add/delete/replace xml elements,
- Automatic Backups
- Ability to change Authentication mode for the site
- Several PowerShell cmdlets

You can read an introduction to Web Deploy for more information about the tool.

HostForLIFE.eu was established to cater to an under served market in the hosting industry; web hosting for customers who want excellent service. HostForLIFE.eu – a cheap, constant uptime, excellent customer service, quality, and also reliable hosting provider in advanced Windows and ASP.NET technology. We proudly announces the availability of the SQL 2012 hosting in our entire servers environment. HostForLife customer can choose SQL 2012 when creating a database from inside HostForLife hosting control panel.

The first new option is Windows SQL Server 2012, which is available to customers from today. With the public release just last week of Microsoft’s latest version of their premier database product, HostForLife has been quick to respond with updated their shared server configurations. SQL Server 2012 Web Edition is available for the same low monthly rental price as the previous SQL 2008, as well as Express Edition, which is a basic version of Microsoft’s SQL Database product, available for free.

“We’re proud to be at the cutting edge for new technologies. With these additions, customers have the option to explore these new products in the safe environment of their own shared server. Developers and IT Managers can research the potential impact of next-generation software without risking current infrastructure. With Microsoft’s announcement of the general availability of their new SQL server, we are proud to launch SQL 2012 hosting along with a suite of SQL 2012 management tools." Said John Curtis, VP Marketing and Business Development at HostForLIFE.eu.

John added, “It’s very important to our customers that we support their current deployments; we want to make sure that our customers have their good opportunity to test this new technology."

“HostForLIFE customers can now take advantage of SQL Server 2012’s advanced BI capabilities, We’re excited to see the benefits of this release add value to the energy management and manufacturing arena. Ensuring compatibility with Microsoft’s new SQL Server 2012 demonstrates how HostForLife and Microsoft remain committed together to providing leading edge technology for the benefit of our shared customers." Said CEO of HostForLIFE.eu, Anthony Johnson.

For more information about this new product, please visit http://www.hostforlife.eu/SQL-2012-European-Hosting.aspx.

About us:

We are European Windows Hosting Provider which FOCUS in Windows Platform ONLY. We support Microsoft technology, such as the latest ASP.NET 4, ASP.NET MVC 3, SQL 2008/2008 R2, and much more.

Our number one goal is constant uptime. Our data center uses cutting edge technology, processes, and equipment. We have one of the best up time reputations in the industry.

Our second goal is providing excellent customer service. Our technical management structure is headed by professionals who have been in the industry since it's inception. We have customers from around the globe, spread across every continent. We serve the hosting needs of the business and professional, government and nonprofit, entertainment and personal use market segments.

I was about to blog how we can redirect domain.com to www.domain.com (redirecting can improve SEO ranking, tune to next post for more detail) in IIS 7. But before that I thought let me first blog how to connect with remote website through IIS manager. Before proceeding with this tutorial we need to download IIS Manager for Remote Administration and of course windows hosting account which allow remote IIS management. After installing IIS Manager for Remote Administration open IIS Manager by typing inetmgr in Run window. In connection pane of IIS manager click on Create New Connection button. There are three different options. Click on Connect to a Site…

It will open new dialog box for connecting to remote website. In that dialog box enter server name and website name (which can be obtained from hosting control panel or contact hosting provider).



Clicking on next will ask for credentials for connecting to website.



After providing credentials when you click next, you might get server certificate alert depends on connecting server certificate. If you get one then click on connect if you trust connecting server.



On successful connection, it will ask for connection name. Provide connection name and click on finish button.



On connection, you might get following dialog asking to install server feature. This is the list of server feature which is not available on your local machine. If you want to manage / configure that feature through remote IIS then you must install it on your local machine.



After that you can see list of IIS feature available. Now you can configure it.



Done. Great job.

This is the error message that sometimes you can find on IIS:

Server Error in ‘/’ Application.

Configuration Error

Description: An error occurred during the processing of a configuration file required to service this request. Please review the specific error details below and modify your configuration file appropriately.

Parser Error Message: It is an error to use a section registered as allowDefinition=’MachineToApplication’ beyond application level.  This error can be caused by a virtual directory not being configured as an application in IIS.

I will gonna show you how to fix this issue. What is the issue?

1. When you create an new web application using visual studio.net, it automatically creates the virtual directory and configures it as an application. However, if you manually create the virtual directory and it is not configured as an application, then you will not be able to browse the application and may get the above error. The debug information you get as mentioned above, is applicable to this scenario.

To resolve it, Right Click on the virtual directory - select properties and then click on "Create" next to the "Application" Label and the textbox. It will automatically create the "application" using the virtual directory's name. Now the application can be accessed.

2. When you have sub-directories in your application, you can have web.config file for the sub-directory. However, there are certain properties which cannot be set in the web.config of the sub-directory such as authentication, session state (you may see that the error message shows the line number where the
authentication or sessionstate is declared in the web.config of the sub-directory). The reason is, these settings cannot be overridden at the sub-directory level unless the sub-directory is also configured as an application (as mentioned in the above point).

Mostly we have the practice of adding web.config in the sub-directory if we want to protect access to the sub-directory files (say, the directory is admin and we wish to protect the admin pages from unathorized users).

But actually, this can be achieved in the web.config at the application's root level itself, by specifing the location path tags and authorization, as follows:-

<location path="Admin">
<system.web>
<authorization>
<allow roles="administrators" />
<deny users="*" />
</authorization>
</system.web>
</location>

However, if you wish to have a web.config at the sub-directory level and protect the sub-directory, you can just specify the Authorization mode as follows:-

<configuration>
<system.web>
<authorization>
<allow roles="administrators" />
<deny users="*" />
</authorization>
</system.web>
</configuration>

Thus you can protect the sub-directory from unauthorized access.

The cool thing to do these days is extensionless Urls, meaning there is no .aspx, .html, etc. Instead you just reference the resource by the name, which makes things like Restful interfaces and SEO better. For security reasons IIS disables this feature by default.

Recently I was working with some code where extensionless Urls were being used by the original developer. Since I typically do not work against the local IIS 7.5 installation when writing code I was stuck because I kept getting 404 responses for an oData resource. At first I did not realize the site was using IIS 7.5 as the web server, I honestly thought it was using the development server, which is the standard option when using Visual Studio to develop a web site.

Once I realized the site was actually being deployed locally I was able to trace the issue and solve it. turns out you need to turn on Http Redirection. To do this you need to go into control panel and select ‘Programs’. This will display multiple options, you need to look at the top group, “Programs and Features”. In this group select “Turn Windows features on or off”.



Now the “Windows Features” dialog is displayed. This shows a tree view containing various components, but for this we want to drill into the Internet Information Services > World Wide Web Services > Common Http Features. By checking HTTP Redirection and the OK button you will enable extensionless Urls in IIS.



Good luck and hope it helps.