
What's new in IIS 8?



With the release of the beta version of Windows 8, the Internet Information Services (IIS) 8 server has become available for public testing and for testing in production environments. Many system administrators cannot wait to find out what has changed and what is new.

This article gives a brief overview of what we will see in the IIS 8 release. The main focus of this version of the server is highly scalable hosting scenarios. The new version contains significant performance improvements so that it can easily serve thousands of sites on a single server farm. Everything described in this article can be used today and is available for download.

Full CPU load control (CPU Throttling)


Previous versions of IIS already had a CPU load control feature, but it did not work the way you would want. When a site reached its CPU usage limit, it was shut down for a certain period of time. This behavior protects the other sites on the server, but it is not desirable, because the site is disabled instead of simply being slowed down.

In IIS 8, kernel-level enhancements have finally been made to support true CPU load control. Sites that reach the CPU usage threshold can now be handled in one of two ways: they can go into Throttle mode or Throttle under load mode. If you used WSRM before, you will no longer need it, since IIS 8 offers even more functionality than WSRM.

Throttle mode lets you cap the CPU resources available to the worker process. The limit applies not only to the primary worker process but also to any child processes it spawns (Figure 1).

Fig.1. Load Control Settings in IIS 8

Throttle under load mode lets the site use all available CPU resources during normal operation and applies the CPU limit only when the server is under load (Figure 1).

CPU load control in IIS 8 is based on the user account and not necessarily on the application pool. This means that if you use a dedicated account for more than one application pool, the throttling settings apply to all pools that run under that account. Note that the default application pool account is unique to each pool, so if you use it, the load of each application pool is controlled separately.

SSL Scalability


Until you come across a large website that hosts many SSL certificates, you may not even know that there are many things to improve.

Previous versions of IIS had restrictions on hosting secure sites. Each SSL site required its own IP address, and as more SSL sites were added, cold start became slower and memory consumption grew. Each certificate was loaded into memory on the first access to an SSL site, which increased memory consumption and caused a delay on first load.

In IIS 8, the number of SSL certificates can easily be scaled to thousands of sites on a single machine with almost instant start. Certificates are loaded only on demand and are unloaded after a certain period of time defined in the settings. In addition, the functions of enumerating and loading a huge number of certificates are greatly accelerated.

SNI / SSL Host Header support


Using host headers and public IP addresses together with SSL certificates has always been difficult. IIS 8 now offers Server Name Indication (SNI) support, which allows multiple SSL sites to use the same IP address. SNI is a fairly new mechanism (only a few years old) that allows host headers to work with SSL.

IIS 8 fully supports SNI for host headers.

Please note that SNI is not supported in older browsers, for example, Internet Explorer 6. More information about SNI support can be found at http://en.wikipedia.org/wiki/Server_Name_Indication.

This new IP sharing feature is very important now that IPv4 addresses are running out and consolidating IP addresses is becoming a trend.

SSL Management - Central Certificate Store (CCS)


In IIS 7, managing SSL was a daunting task, especially for server farms. All certificates had to be imported on every machine in the farm. When scaling even small server farms and adding new servers, you had to take into account the time it took to import certificates. In previous versions, managing certificate synchronization was a difficult task, which often required manual work.

IIS 8 introduces a new feature, the Central Certificate Store (CCS). The CCS mechanism allows you to store certificates in a central file repository instead of placing them on each server. You can point servers to a single network share or use replication, such as DFS-R, to synchronize folders between machines.

Updating and synchronizing certificates is simple: it is an ordinary copy of pfx files to the location that you specify when you enable CCS on the server. Enabling CCS is also an easy task, very similar to enabling Shared Configuration.

The CCS engine uses SNI functionality to support sites with multiple certificates on a single IP address.

Mapping certificates to bindings involves a bit of magic: it lets you rely on conventions instead of manual configuration. This is very important for extremely large lists of certificates, because you no longer need to pick certificates from a giant list. The value of the host header must match the name of the certificate. Your CCS folder will contain many pfx files whose names match the certificate names. Simply put, the name of the pfx file in the certificate store is the primary key.

If you use a wildcard certificate (for third-level domains and above), all you need to do is name the file in the form _.domain.com.pfx.

As you might have guessed, IIS 8 also supports Multiple Domain Certificates (Unified Communications Certificate [UCC]). If you use multiple domain certificates using the subjectAltName certificate field, then you only need to create multiple copies of the pfx files, one for each subjectAltName.
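The naming convention described above can be checked against a folder listing before a binding fails to find its certificate. The following PowerShell is an added example, not code from the article or from IIS; the function names, host names and file names are constructed, and the lookup order (exact name first, then wildcard) is an assumption.

```powershell
# Added example: models the CCS file-name convention on constructed data.

function ConvertTo-CcsFileName {
    # Map one certificate DNS name to the file name the convention expects.
    param([Parameter(Mandatory)][string]$DnsName)
    $name = $DnsName.Trim().ToLowerInvariant()
    # Wildcard names are stored with '_' in place of '*': *.example.net -> _.example.net.pfx
    if ($name.StartsWith('*.')) { $name = '_' + $name.Substring(1) }
    return "$name.pfx"
}

function Resolve-CcsFile {
    # Return the file that would serve a host header, or $null if there is none.
    # Assumption: a file with the exact host name is preferred over a wildcard file.
    param([Parameter(Mandatory)][string]$HostHeader,
          [Parameter(Mandatory)][string[]]$StoreFiles)
    $files = @($StoreFiles | ForEach-Object { $_.ToLowerInvariant() })
    $exact = ConvertTo-CcsFileName $HostHeader
    if ($files -contains $exact) { return $exact }
    # A wildcard covers exactly one label, so only the leftmost label is replaced.
    $labels = $HostHeader.Trim().ToLowerInvariant().Split('.')
    if ($labels.Count -ge 2) {
        $wild = '_.' + ($labels[1..($labels.Count - 1)] -join '.') + '.pfx'
        if ($files -contains $wild) { return $wild }
    }
    return $null
}

function Get-MissingCcsFile {
    # For a multi-domain (subjectAltName) certificate, list the per-name copies
    # that are absent from the store.
    param([Parameter(Mandatory)][string[]]$SanNames,
          [Parameter(Mandatory)][string[]]$StoreFiles)
    $files = @($StoreFiles | ForEach-Object { $_.ToLowerInvariant() })
    $SanNames | ForEach-Object { ConvertTo-CcsFileName $_ } |
        Where-Object { $files -notcontains $_ }
}

# Constructed CCS folder listing and site host headers.
$store = 'www.example.com.pfx', '_.example.net.pfx', 'mail.example.org.pfx'
$siteHosts = 'www.example.com', 'shop.example.net', 'a.b.example.net', 'example.net'
foreach ($h in $siteHosts) {
    $file = Resolve-CcsFile -HostHeader $h -StoreFiles $store
    '{0,-18} -> {1}' -f $h, $(if ($file) { $file } else { 'no certificate file' })
}

# A multi-domain certificate with three names needs three files in the store.
$san = 'mail.example.org', 'autodiscover.example.org', 'example.org'
Get-MissingCcsFile -SanNames $san -StoreFiles $store
```

Hosts that resolve to no file, and subjectAltName entries without their own copy, are the bindings that would be left without a certificate under this convention.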

Note that you can also use the old method, which is based on a binding by identifier and which will work in the same way as in previous versions of IIS.

I would also like to mention a pleasant feature of the central certificate store: it groups certificates by expiration date under “Today / This Week / Next Week / Next Month / Late”. This is very useful for finding certificates that will expire soon.

With all these changes in certificate functions, IIS 8 becomes a powerful solution for hosting a large, scalable web farm with many separate sites.

Dynamic IP Restrictions


Information about this feature is already available online, but it is still being developed and will be improved for the release.

FTP login restrictions


Yes! A new FTP IP Restrictions module will be added to IIS 8! It works on the same concept as Dynamic IP Restrictions for HTTP. One of the key differences is that FTP IP Restrictions uses gray lists instead of black lists. When someone is blocked, they are blocked only for a certain period of time (for example, 30 seconds). This is good, because it is enough to prevent or slow down password guessing and other attacks, while a user who enters a password incorrectly several times can still try again after some time instead of staying blocked.

Even better, you can make this protection more sensitive than your domain account lockout policy, so that a brute-force attack does not lock out your own account. FTP IP Restrictions allows you to block break-in attempts without locking out your domain users.

Application Initialization Module


The module previously known as the warm-up module, which was temporarily removed from the server, now returns as the Application Initialization Module.

This module allows you to warm up sites and pages before the first traffic reaches them. In addition, it handles requests to an application that is still starting in a friendly way. An initial application load time of a minute or more is not that rare (yes, SharePoint admins, this is about you). The new module avoids the situation where a user hits a server that is running but not yet warmed up.

The new module lets you specify individual pages on the server to warm up, or you can take advantage of the powerful URL Rewrite features for greater flexibility.

You can also set up your load balancer so that it does not send requests to the site until it has been initialized according to your rules (showing a special page instead). The balancer then puts the node into service only once its warm-up is complete.

Configuration scaling


IIS 8 can now work very efficiently with large IIS configuration files (applicationHost.config). Significant improvements have been made to the server to achieve high performance when processing configuration files. Administrators with a large number of sites on a server farm (I mean thousands of sites) will be the first to notice the changes. The changes will also matter to anyone whose installation is growing significantly in scale.

Web Sockets


Web Sockets support also belongs in the list of new features. You can find a full description of Web Sockets support in this great article by Paul Batum. The Web Sockets feature requires Windows 8 on the server side.

Conclusion


All these changes are very useful. While much work had already been done in previous versions of IIS to handle massive traffic, the changes in IIS 8 now allow thousands (and tens of thousands) of sites and their huge configurations to be served on a single server farm. Other significant new features include the HTTP and FTP logon restriction mechanisms, CPU throttling, the Application Initialization Module, the ability to scale SSL significantly, and efficient processing of the configuration of a large number of sites.

From the translator


For completeness, I would like to add to the article some useful links that describe many of the new features of IIS 8 in more detail. Pay special attention to the NUMA support feature, which is not mentioned in this article: Another useful thing is the release of a free, lightweight IIS 8 Express server for developers, which you can already download and install. Details at the link.

On April 3, a free WebProfessionals conference will be held in Samara, where IIS 8 and other elements of the Microsoft web platform will be discussed. Registration is now open.

Source: https://habr.com/ru/post/139766/

