configuring and troubleshooting internet information ...€¦ · configuring and troubleshooting...

O F F I C I A L M I C R O S O F T L E A R N I N G P R O D U C T

6427A Lab Instructions and Lab Answer Keys: Configuring and Troubleshooting Internet Information Services in Windows Server® 2008

Information in this document, including URL and other Internet Web site references, is subject to change without notice. Unless otherwise noted, the example companies, organizations, products, domain names, e-mail addresses, logos, people, places, and events depicted herein are fictitious, and no association with any real company, organization, product, domain name, e-mail address, logo, person, place or event is intended or should be inferred. Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation.

Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.

The names of manufacturers, products, or URLs are provided for informational purposes only and Microsoft makes no representations and warranties, either expressed, implied, or statutory, regarding these manufacturers or the use of the products with any Microsoft technologies. The inclusion of a manufacturer or product does not imply endorsement of Microsoft of the manufacturer or product. Links may be provided to third party sites. Such sites are not under the control of Microsoft and Microsoft is not responsible for the contents of any linked site or any link contained in a linked site, or any changes or updates to such sites. Microsoft is not responsible for webcasting or any other form of transmission received from any linked site. Microsoft is providing these links to you only as a convenience, and the inclusion of any link does not imply endorsement of Microsoft of the site or the products contained therein.

© 2008Microsoft Corporation. All rights reserved.

Microsoft, and Windows are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries.

All other trademarks are property of their respective owners.

Product Number: 6427A

Part Number: X14-69082

Released: 12/2007

Lab Instructions: Configuring an Internet Information Services 7.0 Web Server 1

Module 1 Lab Instructions: Configuring an Internet Information Services 7.0 Web Server

Contents:

Exercise 1: Installing IIS Using Role Manager 2

Exercise 2: Installing IIS Using Unattended Setup 4

Exercise 3: Installing IIS on Server Core from Command Line 5

Exercise 4: Configuring IIS and Validating Functionality 6

2 Lab Instructions: Configuuring an Internet Infoormation Services 7.00 Web Server

LLab: Connfigurinng an IISS 7.0 W

E

ScYositap

Ex

In

Th

1.2.3.

T•

T•

T•

•

xercise 1:

cenario ou receive a setes and Web application that

xercise Ove

n this exercise,

his exercise’s m

. Start the 64

. Turn on Ne

. Install the W

ask 1: Start tStart 6427A

ask 2: Turn oOpen Netwnetworks.

ask 3: InstalUse Server

Test functio

Installing

ervice request applications. Ot needs to be h

erview

you will learn

main tasks are:

427A-NYC-SVRetwork DiscoveWeb server rol

the 6427A-NA-NYC-SVR1,

on Networkwork and Sha

l the Web ser Manager to a

onality by load

IIS Using R

from the EnteOne of the comhosted in IIS7.

how to install

R1 virtual macery. e.

NYC-SVR1 vand log on as

k Discoveryring Center a

erver role add the Web

ding http://loc

Web Servver

Role Manaager

erprise Design mpanies acquir

Team to prepared by Woodg

are three Webrove Bank has

b servers to ho a classic ASP

st Web

IIS 7.0 using RRole Manager..

hine and log oon as LocalAdmmin.

virtual machine and log on as LocalAAdmin s LocalAdmin with the passwword of Pa$$ww0rd.

nd turn on Ne

Server (IIS) ro

calhost in the

etwork Discov

ole and ASP as

browser.

very and File Sharing for alll public

s a required seervice.

http://localhost/


Results: After this exercise, you should have successfully verified that the Web Server (IIS) role is installed and loaded the IIS Welcome page in Internet Explorer.

4 Lab Instructions: Configuring an Internet Information Services 7.0 Web Server

Exercise 2: Installing IIS Using Unattended Setup

Scenario

Now you will set up the second IIS Web server to host the new ASP.NET application. You will install IIS by creating an Unattend.XML file based on the example given on the student CD by modifying it to only install the features needed. This will be an ASP.NET application server and will need to have all security, compression and caching features installed so that development can experiment with configuration.

Exercise Overview

In this exercise, you will learn how to install IIS using unattended setup.

This exercise’s main tasks are:

1. Start the 6427A-NYC-SVR3 virtual machine and log on as LocalAdmin. 2. Turn on Network Discovery. 3. Create the Unattend.XML file by copying the default XML file provided and removing unnecessary

features. 4. Install IIS using Pkgmgr with the Unattend.XML file and verify once completed.

Task 1: Start the 6427A-NYC-SVR3 virtual machine and log on as LocalAdmin • Start 6427A-NYC-SVR3, and log on as LocalAdmin with the password of Pa$$w0rd.

Task 2: Turn on Network Discovery • Open Network and Sharing Center and turn on Network Discovery and File Sharing for all public

networks.

Task 3: Create the Unattend.XML file by copying the default XML file provided and removing unnecessary features

1. Open E:\mod01\labfiles\unattend.xml in Notepad and delete the following lines:

<selection name="IIS-HttpRedirect" state="true"/> <selection name="IIS-ASP" state="true"/> <selection name="IIS-CGI" state="true"/> <selection name="IIS-ISAPIExtensions" state="true"/> <selection name="IIS-ISAPIFilter" state="true"/> <selection name="IIS-IIS6ManagementCompatibility" state="true"/> <selection name="IIS-Metabase" state="true"/> <selection name="IIS-WMICompatibility" state="true"/> <selection name="IIS-LegacyScripts" state="true"/> <selection name="IIS-LegacySnapIn" state="true"/>

2. Save the modified file to c:\unattend.xml.

Task 4: Install IIS using Pkgmgr with the Unattend.XML file and verify once completed

1. Start /w pkgmgr /n:unattend.xml to install IIS. 2. Verify installation by using the command echo %errorlevel%. 3. Use Server Manager to verify that the Web server role is installed, and open http://localhost in the

browser.

Results: After this exercise, you should have successfully installed IIS using an unattend file and verified the IIS Welcome page.

http://localhost/


Exercise 3: Installing IIS on Server Core from Command Line

Scenario

The final server you will install is a Server Core Web server that will act primarily as a redirection server to the ASP server.

Exercise Overview

In this exercise, you will learn how to install IIS via the command line in a Server Core environment.


1. Start the 6427A-NYC-SVR2 virtual machine and log on as Administrator. 2. Disable the firewall. 3. Install IIS from the command line.

Task 1: Start the 6427A-NYC-SVR2 virtual machine and log on as Administrator • Start 6427A-NYC-SVR2, and log on as Administrator with the password of Pa$$w0rd.

Task 2: Disable the firewall • On NYC-SVR2, in the command prompt window, type netsh firewall set opmode disable and press

Enter.

Task 3: Install IIS from the command line

1. Type the following and then press Enter. Note that the feature names are case-sensitive:

Start /w pkgmgr /iu:IIS-WebServerRole;IIS-WebServer;IIS-CommonHttpFeatures;IIS-StaticContent;IIS-DefaultDocument;IIS-HttpErrors;IIS-HttpRedirect;WAS-WindowsActivationService;WAS-ProcessModel

• When the process completes, type echo %errorlevel%, and then press Enter.

2. On NYC-SVR1, in Internet Explorer, browse to http://nyc-svr2 to verify functionality.

Results: After this exercise, you should have successfully installed IIS on Microsoft® Server 2008 Server Core from the command line and verified by loading the IIS Welcome page from another machine running Internet Explorer.

http://nyc-svr2/

6 Lab Instructions: Configuring an Internet Information Services 7.0 Web Server

Exercise 4: Configuring IIS and Validating Functionality

Scenario

With the three Web servers installed, configure each as necessary to perform its function.

Exercise Overview

In this exercise, you will configure common IIS features and validate functionality.


1. Configure NYC-SVR1 for ASP debugging, detailed error messages, HTTP compression and SMTP Service.

2. Configure NYC-SVR3 to trace server errors, enable directory browsing, enable windows authentication and impersonation, configure UDDI, and enable dynamic output compression.

3. Configure NYC-SVR2 to have no default documents, and redirect requests to NYC-SVR1.

Task 1: Configure NYC-SVR1 for ASP debugging, detailed error messages, and HTTP compression

1. On NYC-SVR1, in Internet Information Services (IIS) Manager, under ASP Compilation settings, enable Client-side and Server-side debugging. Enable Send Errors to Browser.

• Under HTTP Response Headers, set Expire Web Content.

• Under Compression, enable Static Content Compression.

• Under Error Pages, enable Detailed error messages.

2. On NYC-SVR3, in Internet Explorer, browse to a page on NYC-SVR1 that does not exist, such as http://nyc-svr1/default.asp to check error functionality.

Task 2: Configure NYC-SVR3 to trace server errors, enable directory browsing, enable windows authentication and impersonation, configure UDDI, and enable dynamic output compression and SMTP

1. On NYC-SVR3, in Internet Information Services (IIS) Manager, under Failed Request Tracing, enable Failed Request Tracing.

• Add a rule to trace status code 500 for critical errors.

2. Enable Directory Browsing, Windows Authentication, and ASP.NET Impersonation. 3. In Server Manager, add the UDDI Services role and configure it to not require SSL. 4. In IIS Manager, under Output Caching, add a cache rule for the aspx extension to enable User-

mode caching.

• Under ASP.NET, configure SMTP email for email address [email protected], server name SMTP.WoodgroveBank.com.

5. Test the configuration by browsing to http://localhost/uddi.

• Browse to http://localhost/aspnet_client and investigate the failed request log.

Task 3: Configure NYC-SVR2 to have no default documents, and redirect requests to NYC-SVR1

1. On NYC-SVR2, in the command prompt window, type cd \windows\system32\inetsrv\config and then press Enter.

http://nyc-svr1/default.asp

mailto:[email protected]

http://localhost/uddi

http://localhost/aspnet_client


• Type edit applicationHost.config and then press Enter.

• Scroll down to <defaultDocument enabled="true"> (approximately line 169), and change "true" to "false".

• Scroll down to <httpRedirect enabled="false" /> (approximately line 246), and modify this line to read:

<httpRedirect enabled="true" exactDestination="false" childOnly="false" destination="http://10.10.0.24/" />

2. On NYC-SVR3, in Internet Explorer, browse to http://nyc-svr2 to test the redirection.

Results: After this exercise, you should have successfully configured and verified the configuration of the three web servers.

http://nyc-svr2/

Lab instructions: Configuring IIS 7.0 Web Sites and Application Pools 1

Module 2 Lab instructions: Configuring IIS 7.0 Web Sites and Application Pools

Contents: Exercise 1: Configuring Authentication Types 2

Exercise 2: Creating a Web Site and Web Application 4

Exercise 3: Creating an Application Pool 5

Exercise 4: Configuring an Existing Application Pool 6

2 Lab

instructions: Configuuring IIS 7.0 Web Sitees and Application Poools

LPLab: ConPools

nfigurinng IIS 7..0 Web

E

ScYoinnere

Ex

In

Th

1.2.3.4.5.

T•

TW•

xercise 1:

cenario ou receive a se

nto virtual direetwork shouldestricted.

xercise Ove

n this exercise,

his exercise’s m

. Start the 64

. Start the 64

. Add Basic, W

. Create a vir

. Configure t


ask 2: Start tWoodgroveb

Start 6427A

Configurin

ervice request ctories by acce be able to ac

erview

you will learn

main tasks are:

427A-NYC-DC427A-NYC-WEWindows Integrtual directory the public virtu

the 6427A-NA-NYC-DC1.

the 6427A-Nbank\AdminA-NYC-WEB-A

ng Authen

from the Enteess level. Therecess the public

how to create

1 virtual machEB-A virtual magrated and Dignamed Public

ual directory fo

NYC-DC1 vi

NYC-WEB-Aistrator A, and log on

Sites annd Application

ntication T

erprise Design e will be two ac content. Onl

e virtual directo

hine. achine and loggest Security fc. or anonymous

rtual

A virtual mac

as LocalAdmi

Types

Team to orgaaccess levels: py authenticate

ories and conf

g on as Woodgfeatures to the

s authenticatio

chine and lo

in with the pa

nize the existinpublic and rested users should

figure anonym

grovebank\Ade IIS Role.

on.

og on as

ssword of Pa$

n

ng NYC-WEB-Aricted. Anyoned be able to ac

A server e on the ccess

mous authenticcation.

ministrator.

$$w0rd.


Task 3: Add Basic, Windows Integrated and Digest Security features to the IIS Role • Use Server Manager to add the Basic Authentication, Windows Authentication, and Digest

Authentication role services to the Web server role.

Task 4: Create a virtual directory named public • Use Internet Information Services Manager to create a virtual directory named public pointing to

the physical directory c:\inetpub\public.

• Copy the contents of c:\inetpub\wwwroot to c:\inetpub\public.

Task 5: Configure the public virtual directory for anonymous authentication

1. Use Internet Information Services Manager to make sure that Anonymous Authentication is enabled for Public.

2. In Server Manager, enable the local Guest account, and allow Guest to log on locally. 3. Use Switch User to logon as NYC-WEB-A\Guest with no password. 4. Open http://localhost/public in the browser to verify that the local guest can browse to the public

directory. 5. Use Switch user to login as local administrator with password of Pa$$w0rd before continuing with

next exercise.

Results: After this exercise, you should have successfully verified that the Public directory is created. and loaded the IIS Welcome page in Internet Explorer with the Guest account.

http://localhost/public

2 Lab instructions: Configuring IIS 7.0 Web Sites and Application Pools

Exercise 2: Creating a Web Site and Web Application

Scenario

Next you will create two web sites, and two web applications, in the employee and restricted virtual directories, named Woodgrove and Exec respectively. Exec will be a .NET 3.0 application. You will also delegate administrative access to ITAdmins_WoodgroveGG.

Exercise Overview In this exercise, you will learn how to create web sites and applications.


1. Create a site named Woodgrove. 2. Copy the Woodgrove application to the appropriate directory. 3. Add the .NET 3.0 Feature to the server. 4. Delegate administrative access of Woodgrove to ITAdmins_WoodgroveGG.

Task 1: Create a site named Woodgrove • On NYC-WEB-A, in IIS Manager, add a Web site named Woodgrove and set its physical path to

c:\inetpub\woodgrove, and its http port to 88.

Task 2: Copy the Woodgrove Application to the Appropriate Directory • Copy the Woodgrove application from e:\Mod02\Labfiles\Woodgrove to c:\inetpub\woodgrove.

Task 3: Add the .NET 3.0 Feature and ASP.NET to the server • In Server Manager, add .NET 3.0 Framework and ASP.NET.

Task 4: Delegate administrative access of Woodgrove to ITAdmins_WoodgroveGG • In IIS Manager, under Permissions, give Full Control to the security group

ITAdmins_WoodgroveGG.

Results: After this exercise, you should have successfully installed .NET 3.0 Framework, ASP.NET, and created the Woodgrove site and copied its content.


Exercise 3: Creating an Application Pool

Scenario

You will now create a new application pool for temporary applications..

Exercise Overview

In this exercise, you will learn how to create an application pool.

This exercise’s main task is:

1. Create an application pool named TempPool.

Task 1: Create an application pool named TempPool • On NYC-WEB-A, in IIS Manager, add an application pool named TempPool.

Results: After this exercise, you should have successfully added an application pool named TempPool.

2 Lab instructions: Configuring IIS 7.0 Web Sites and Application Pools

Exercise 4: Configuring an Existing Application Pool

Scenario

Next, you will configure the new application pools according to the needs for the new applications. You will also practice starting, stopping, and recycling the application pools and configuring health settings. You will also rename the Exec and Woodgrove pools to ExecPool and WoodgrovePool.

Exercise Overview In this exercise, you will configure the application pools and validate functionality.


1. Rename Woodgrove to WoodgrovePool. 2. Configure WoodgrovePool and the Woodgrove site for Windows Integrated authentication to allow

all authenticated users. 3. Configure TempPool to use LocalSystem as worker process identity. 4. Stop, start and recycle WoodgrovePool. 5. Configure TempPool for Classic Pipeline Mode. 6. Remove TempPool. 7. Configure Health and Recycling settings for WoodgrovePool.

Task 1: Rename Woodgrove to WoodgrovePool • On NYC-WEB-A, in IIS Manager, rename the Woodgrove application pool to WoodgrovePool.

Task 2: Configure WoodgrovePool and the Woodgrove site for Windows Integrated authentication to allow all authenticated users

1. In IIS Manager, disable Anonymous authentication for the Woodgrove site. 2. On NYC-SVR1, logon as LocalAdmin with password Pa$$w0rd.

Note that this machine is not joined to the domain. Browse to http://nyc-web-a.woodgrovebank.com, then browse to http://nyc-web-a-woodgrovebank.com:88 and compare results.

3. On NYC-WEB-A, browse to http://localhost:88 and compare results.

Task 3: Configure TempPool to use LocalSystem as worker process identity • In IIS Manager, configure the TempPool application pool to use LocalSystem as its worker process

identity.

Task 4: Stop, start and recycle WoodgrovePool

1. In IIS Manager, stop the WoodgrovePool application pool and note the status. 2. Start the WoodgrovePool application pool and note the status. 3. Recycle WoodgrovePool and note the status.

Task 5: Configure TempPool for Classic Pipeline Mode • In IIS Manager, configure the TempPool application pool to use the classic pipeline.

Task 6: Remove TempPool • In IIS Manager, remove the application pool TempPool.

http://nyc-web-a.woodgrovebank.com/

http://nyc-web-a-woodgrovebank.com:88/

http://localhost:88/


Task 7: Configure Health and Recycling settings for WoodgrovePool • In IIS Manager, configure the WoodgrovePool application pool to recycle after every 1000

requests, to log the number of requests, and set the Rapid Fail Failure Interval to 10 minutes.

Results: After this exercise, you should have successfully configured and verified the configuration of the application pools.

Lab Instructions: Configuring IIS 7.0 Application Settings 1

Module 3 Lab Instructions: Configuring IIS 7.0 Application Settings

Contents: Exercise 1: Configuring ASP.NET 2

Exercise 2: Configuring ASP.NET Application Development Settings 4

Exercise 3: Configuring a Web Server to Host Multiple Applications with Separate Application Pools 5

Exercise 4: Configuring ASP.NET Security 7

2 Lab Instructions: Configuuring IIS 7.0 Application Settings

LLab: Connfigurinng IIS 7.

E

ScYotowpaleus

Ex

InchH

Th

1.2.3.4.5.6.

T•

xercise 1:

cenario ou receive a seo add and con

will be availableassword “supp

evel of securityser to contact

xercise Ove

n this exercise, hoose and conTTP errors.

his exercise’s m

. Start the 64

. Start the 64

. Add ASP.N

. Create the

. Configure B

. Configure c


Configurin

ervice request figure the ASPe from the Inteport” from theiy. If there is an their district s

erview

you will learn nfigure the app

main tasks are:

427A-NYC-DC427A-NYC-WEET and Basic SSalesSupport aBasic Security tcustom error p

the 6427A-NA-NYC-DC1, a

.0 Appliication Settinggs

ng ASP.NEET

from the EnteP.NET role servernet and Salesir client’s sites error, the erroales manager

erprise Design vice, and Applis Associates wto get contact

or message retfor login infor

Team to deplocation Server

will need to logt information fturned to the crmation.

oy an applicatrole, on the W in with the usfor support. Thclient browser

ion server. YouWeb Server. The

ser name “salehis requires a mshould direct

u need e server es” and medium the

how to add thpropriate auth

1 virtual machEB-A virtual maSecurity featureapplication anto allow acces

pages for 401.a

NYC-DC1 viand log on as L

he ASP.NET rohentication mo

hine. achine and loges to the IIS Ro

nd copy the ASs to authenticaaspx for 401 e

rtual machinLocalAdmin w

ole service and odel, and set u

g on as Woodgole. SP.NET applicaated Woodgrorrors, and Oth

ne and log owith the passw

configure ASPp custom erro

P.NET. You wilr pages to han

l ndle

grovebank\Administrator.

tion files. ovebank domaain users. er_Errors.aspx for all other eerrors.

on as LocalAAdmin word of Pa$$ww0rd.


Task 2: Start the 6427A-NYC-WEB-A virtual machine and log on as Woodgrovebank\Administrator • Start 6427A-NYC-WEB-A, and log on as Administrator with the password of Pa$$w0rd.

Task 3: Add ASP.NET and Basic Security features to the IIS Role • On NYC-WEB-A, use Server Manager to add the ASP.NET and Basic Authentication role services.

Task 4: Create the SalesSupport application and copy the ASP.NET application files

1. On NYC-WEB-A, use IIS Manager to add the SalesSupport application with a physical path of c:\inetpub\wwwroot\SalesSupport.

2. Copy the application files from E:\Mod03\Labfiles\SalesSupport to c:\inetpub\wwwroot\SalesSupport.

Task 5: Configure Basic Security to allow access to authenticated Woodgrovebank domain users

1. On NYC-WEB-A, use IIS Manager to disable Anonymous Authentication and enable Basic Authentication for the domain and realm woodgrovebank.

2. Browse to http://localhost/salessupport. Notice that you are prompted for credentials. Enter user name yvonne with password Pa$$w0rd.

3. Close and reopen the browser, and then browse again to http://localhost/salessupport. Try logging in with credentials that do not have a domain account, such as user name Bob with no password.

4. Close the browser before continuing to the next task.

Task 6: Configure custom error pages for 401.aspx for 401 errors, and Other_Errors.aspx for all other errors

1. Copy the contents of E:\Mod03\Labfiles\WBErrors to c:\inetpub\custerr \en-US.

2. In IIS Manager, edit the custom error for error 401 so that it redirects to 401.aspx. Edit the custom error code for error 404 so that it redirects to Other_Erros.aspx. Note that you would repeat this for the rest of the error codes if you were doing this in a real world situation.

3. Open Internet Explorer and browse again to http://localhost/salessupport. Try logging in with credentials that do not have a domain account, such as user name Bob with no password.

4. If prompted, assign the site to the allowed list, and then note the custom 404 error.

Results: After this exercise, you should have successfully verified that the ASP.NET role service is installed, configured Basic authentication, and verified custom error pages in Internet Explorer.

http://localhost/salessupport



4 Lab Instructions: Configuring IIS 7.0 Application Settings

Exercise 2: Configuring ASP.NET Application Development Settings

Scenario

Next you will configure some test settings for the SalesSupport application. The Enterprise Design team is planning on implementing a database to store the support resource data. You will need to enter the provided connection string. You will also rename the cookie that the page uses to SalesSupport. Next you will create a custom control for testing the new configuration. Finally, you will set some application settings and then verify that the application can read them by loading the custom test page.

Exercise Overview

In this exercise, you will learn how to configure ASP.NET application development settings.


1. Configure ASP.NET Connection Strings to connect to Resources.MDF. 2. Configure ASP.NET Session State settings to rename the cookie to SalesSupport. 3. Add a custom control: Woodgrovebank.TestControls Version=1.0.0.0. 4. Add application settings at Site and Application levels.

Task 1: Configure ASP.NET Connection Strings to connect to Resources.MDF • On NYC-WEB-A, in IIS Manager, modify the Connection Strings for the SalesSupport application

to use the following connection string as LocalResources:

data source=.\SQLEXPRESS;AttachDbFileName=e:\mod03\labfiles\resources.mdf;IntegratedSecurity=True

Task 2: Configure ASP.NET Session State settings to rename the cookie to SalesSupport • Rename the Session State cookie name to SalesSupport_SessionID.

Task 3: Add a custom control: Woodgrovebank.TestControls Version=1.0.0.0 • In IIS Manager, register a new custom control with the tag preface of Woodgrovebank. Set the

Namespace to TestControls and the Assembly to Version=1.0.0.0.

Task 4: Add application settings at site and application levels

1. Open Internet Explorer and browse to http://localhost/salessupport /test.aspx. Enter username yvonne and password Pa$$w0rd. Notice that the test application reports that no application settings are defined.

2. In IIS Manager, add an Application setting named DefaultLocation with the value "New York" to the Default Web Site.

3. In Internet Explorer, refresh the page and compare the results. 4. In IIS Manager, note the inheritance setting for the Application Settings, Add another Application

setting named debug_mode with value "true". 5. In Internet Explorer, refresh the page and compare results. Close Internet Explorer before

continuing.

Results: After this exercise, you should have configured ASP.NET development settings and verified test page functionality.

http://localhost/salessupport/test.aspx



Exercise 3: Configuring a Web Server to Host Multiple Applications with Separate Application Pools

Scenario You will now deploy the SalesSupport application to two new instances. Once instance will be a test deployment with additional testing configuration. Another instance will be for the German division of Woodgrove and will need to be set for German globalization settings. Additionally, you will disable the debug mode for the production version of SalesSupport.

Exercise Overview



1. Create three application pools named SalesSupport, SalesSupport_De, and SalesSupport_Test. 2. Create the applications SalesSupport_De and SalesSupport_Test. 3. Use XCopy to deploy the files from the SalesSupport directory to the SalesSupport_DE and

SalesSupport_Test directories. 4. Assign the applications to the appropriate application pools. 5. Configure application pool recycling for unlimited requests. 6. Configure the SalesSupport_Test application pool to record recycled events. 7. Configure the SalesSupport .NET compilation debug setting to False. 8. Configure the SalesSupport_De application globalization settings for Germany.

Task 1: Create three application pools named SalesSupport, SalesSupport_De, and SalesSupport_Test • On NYC-WEB-A, in IIS Manager, add three application pools named SalesSupport,

SalesSupport_De, and SalesSupport_Test.

Task 2: Create the applications SalesSupport_De and SalesSupport_Test

1. In IIS Manager, create an application named SalesSupport_De with a physical path of c:\inetpub\wwwroot\SalesSupport_De.

2. Create an application named SalesSupport_Test with a physical path of c:\inetpub\wwwroot\SalesSupport_Test.

Task 3: Use XCopy to deploy the files from the SalesSupport directory to the SalesSupport_DE and SalesSupport_Test directories • At the command prompt, change to the c:\inetpub\wwwroot directory and then use XCopy to copy

the files and directory structure from SalesSupport to SalesSupport_De and SalesSupport_Test.

Task 4: Assign the applications to the appropriate application pools

1. In IIS Manager, modify the SalesSupport, SalesSupport_De and SalesSuppot_Test to use their correspondingly named application pools.

2. Disable anonymous authentication and enable basic authentication with the domain and realm of woodgrovebank for both SalesSupport_De and SalesSupport_Test applications.

Task 5: Configure production application pool recycling for unlimited requests • In IIS Manager, modify the SalesSupport and SalesSupport_De application pool recycling so that

they do not recycle on regular intervals.


Task 6: Configure the SalesSupport_Test application pool to record recycled events • In IIS Manager, modify the SalesSupport_Test application pool recycling to recycle every 1024

requests, and modify the Recycling Events to Log to log number of requests, On-Demand, and Configuration Changes.

Task 7: Configure the SalesSupport .NET compilation debug setting to False • In IIS Manager, modify the SalesSupport .NET Compilation behavior settings so that Debug is

False.

Task 8: Configure the SalesSupport_De application globalization settings for Germany

1. In IIS Manager, modify the SalesSupport_De .NET Globalization settings so that culture and UI Culture are set to German (Germany) (de-DE).

2. Start Internet Explorer and browse to http://localhost/salessupport and enter user name yvonne and password Pa$$w0rd. On a second and third tab, browse to http://localhost/salessupport_de and http://localhost /salesupport_test with yvonne's credentials so that all three applications are loaded in the browser.

3. Open Task Manager and note the instances of w3wp.exe. 4. In Internet Explorer, browse to http://localhost/salessupport_de/test.aspx and notice the date

format in the page. 5. Close Internet Explorer before continuing.

Results: After this exercise, you should have successfully deployed multiple applications with separate application pools, configured recycling and debug settings, and configured and verified .Net globalization settings.


http://localhost/salessupport_de

http://localhost/salesupport_test

http://localhost/salesupport_test

http://localhost/salessupport_de/test.aspx


Exercise 4: Configuring ASP.NET Security

Scenario

Next, you will configure the machine key, .NET trust level, and File and Folder security.

Exercise Overview

In this exercise, you will configure ASP.NET security settings.


1. Set the machine key of SalesSupport_de. 2. Configure the SalesSupport_Test site for medium trust level. 3. Configure File and Folder security so that only ITAdmins_WoodgroveGG can access the Test.aspx

page on SalesSupport. 4. Enable Tracing and Logging for the SalesSupport_Test site. 5. Configure Request Filtering so that only ASPX requests are processed.

Task 1: Set the machine key of SalesSupport_de • On NYC-WEB-A, in IIS Manager, generate a new Machine Key for SalesSupport_De.

Task 2: Configure the SalesSupport_Test site for medium trust level • In IIS Manager, set the .NET Trust Level to Medium for the application SalesSupport_Test.

Task 3: Configure File and Folder security so that only ITAdmins_WoodgroveGG can access the Test.aspx page in SalesSupport

1. In IIS Manager, modify the permissions of SalesSupport\test.aspx so that permissions are not inherited and only ITAdmins_WoodgroveGG is allowed.

2. In Internet Explorer, browse to http://localhost/salessupport/test.aspx and try to use the credentials of yvonne as user name and password Pa$$w0rd.

3. Refresh the page and log in with a user account that is a member of ITAdmins_WoodgroveGG, such as user name Betsy and password Pa$$w0rd.

4. Close Internet Explorer before continuing.

Task 4: Enable Tracing and Logging for the SalesSupport_Test site

1. In IIS Manager, add all of the role services for Health and Diagnostics to the Web Server role. 2. In Notepad, open c:\inetpub\wwwroot\SalesSupport_Test\test.aspx.

a. Modify the first line to read:

<@ Page Language="C#" trace="true" %>

b. Modify the fifth line to read:

Response.Write("This message should appear");

c. Save the file and close Notepad.

3. In Internet Explorer, browse to http://localhost/salessupport_test /test.aspx and use credentials of user name Betsy and password Pa$$w0rd if prompted.

4. Examine the page for trace messages and information. Close Internet Explorer.


http://localhost/salessupport_test/test.aspx



5. In IIS Manager, enable Web Site Failed Request Tracing for the Default Web Site, and then add a Failed Request Tracing Rule to trace ASP.NET for Status code 200 with verbose results.

6. Open Internet Explorer, and browse to http://localhost/salessupport_test /test.aspx and use credentials of user name Betsy and password Pa$$w0rd if prompted.

7. In Internet Explorer, open the most recent fr######.xml file from c:\inetpub\logs\failedreqlogfiles\w3svc. Examine the Errors and Warning section.

Task 5: Configure Request Filtering so that only ASPX requests are processed

1. In Internet Explorer, browse to http://localhost/welcome.png, and then browse to http://localhost/iisstart.htm. Notice that this page contains the graphic.

2. Close Internet Explorer. 3. In Notepad, open c:\inetpub\wwwroot\web.config. After the sixth line, add the following security

section:

<security> <requestFiltering> <fileExtensions allowUnlisted="false" > <add fileExtension=".aspx" allowed="true"/> </fileExtensions> </requestFiltering> </security>

• Save the file and close Notepad.

4. Open Internet Explorer, and browse to http://localhost/welcome.png. Notice the error. 5. Browse to http://localhost/iisstart.htm. Notice the error. 6. At the command prompt, change to the c:\inetpub\wwwroot directory and then copy iisstart.htm

to iisstart,aspx. 7. In Internet Explorer, browse to http://localhost/iisstart.aspx. Notice that the page loads without

error, but the graphic does not display.

Results: After this exercise, you should have successfully configured and verified the configuration of the advanced security settings for ASP.NET.



http://localhost/welcome.png

http://localhost/iisstart.htm



http://localhost/iisstart.aspx

Lab Instructions: Configuring IIS 7.0 Modules 1

Module 4 Lab Instructions: Configuring IIS 7.0 Modules

Contents: Exercise 1: Configuring and Editing Native Modules 2

Exercise 2: Configuring and Editing Managed Modules 4

2 Lab Instructions: Configuuring IIS 7.0 Moduless

LLab: Connfigurinng and E

E

ScYorean

Ex

Inan

Th

1.2.3.4.5.6.7.

T•

T•

xercise 1:

cenario ou received a equired to instnd vulnerabilit

xercise Ove

n this exercise, nd reduce the

he main tasks

. Start the 64

. Backup the

. Examine th

. Remove the

. Validate tha

. Restore the

. Validate tha


ask 2: BackuOpen comm

Configurin

service requesall, test, and ruty, you must re

erview

students will lserver footpri

for this exercis

427A-NYC-WEe current Web e modules cure Default Docuat the module

e modules to tat the module

the 6427A-NA-NYC-WEB-B

up the curremand prompt

Editing Modules

ng and Editing Nativve Modulees

st from the appun an applicatemove the unn

plication deveion on the spenecessary mod

lopment teamecified Web sedules.

m specifying theerver. To reduc

e modules thace the server fo

at are ootprint

modules fromearn how to rent.

emove native m a Web serverr to improve seecurity

se are as followws:

EB-B virtual maachine and logg on as Administrator. server configuuration.

server. rrently installed on the Web ctory Listing Mument Modulee and the Dire Module.

es have been reemoved and teest the new seerver configuraation. he Web serverr configurationn.

es have been reestored and teest the server cconfiguration.

NYC-WEB-BB virtual macchine and log on as Admministrator B, and log on as Administraator with the ppassword of Pa$$w0rd.

nt Web servver configurration and use appcmmd to backup the server connfiguration.


Task 3: Examine the modules currently installed on the Web server • Use the IIS Manager to examine the modules.

Task 4: Remove the Default Document Module and the Directory Listing Module

1. Browse the default Web site. 2. Use Notepad to edit the applicationHost.config. 3. Delete the DefaultDocumentModule and the DirectoryListingModule entries from within the

<globalModules> tag. 4. Delete the references to the DefaultDocumentModule and the DirectoryListingModule from

within the <handlers accessPolicy="Read, Script"> tag. 5. Delete the DefaultDocumentModule and the DirectoryListingModule entries from within the

<modules> tag.

Task 5: Validate that the modules have been removed and test the new server configuration

1. Use IIS Manager to validate that the removed modules entries are missing. 2. Use Internet Explorer to check the default Web site. 3. Use Internet Explorer to retrieve the default Web page.

• Default Web pageURL: http://localhost/default.aspx

Task 6: Restore the modules to the Web server configuration • Open command prompt and use appcmd to restore the server configuration.

Task 7: Validate that the modules have been restored and test the server configuration • Open command prompt and use appcmd to backup the server configuration.

Results: After this exercise, you should have successfully removed native modules from a Web server, and then confirmed that the server operates as expected

4 Lab Instructions: Configuring IIS 7.0 Modules

Exercise 2: Configuring and Editing Managed Modules

Scenario

To increase throughput, it has been determined that output caching would be beneficial on some of the applications on the Web server. You need to make sure that the Output Cache module is installed and configured as specified in the service request. The development team also requested the installation of a new Managed Module that provides an additional level of logging for their application.

Exercise Overview

In this exercise, students will learn how to add new managed modules to a Web server.

The main tasks for this exercise are as follows:

1. Install the logging managed module. 2. Confirm the installation of the logging managed module. 3. Test the Web site’s forms authentication page. 4. Examine the modules currently running on the Web server. 5. Remove the forms authentication managed module. 6. Test the new configuration.

Task 1: Install the logging managed module

1. Create a new folder:

• C:\inetpub\ logging_module\

2. Copy files for logging_module Web site.

• Source: E:\Mod04\Labfiles\logging_module

• Destination: C:\inetpub\ logging_module\

3. Change the security for C:\inetpub\logging_module\logs to allow Users (NYC-WEB-B\Users). 4. Use IIS Manager to add a new Web site:

• Site name: logging_module

• Physical path: C:\inetpub\logging_module

• Port: 8181

Task 2: Confirm the installation of the logging managed module

1. Use Internet Explorer to view the logging_module Web site. 2. Load the Web site's second page. 3. Use IIS Manager to examine the modules for the logging_module Web site. 4. Examine the logs created by the logging_module Web site.

• Location: C:\inetpub\logging_module\logs

Task 3: Test the Web site’s forms authentication page • Use Internet Explorer to log into the default Web site and retrieve a confidential memo.

• Destination: Shared Documents

• Email: [email protected]

• Password: Pa$$w0rd



• Memo: Woodgrove Confidential Memo

Task 4: Examine the modules currently running on the Web server • Use IIS Manager to examine the OutputCache module.

Task 5: Remove the forms authentication managed module • Use IIS Manager to remove the FormsAuthentication module.

Task 6: Test the new configuration • Attempt to view the Shared Documents folder again using Internet Explorer.

Results: After this exercise, you should have successfully added a managed module to the Web server.

Lab Instructions: Securing the IIS 7.0 Web Server and Web Sites 1

Module 5 Lab Instructions: Securing the IIS 7.0 Web Server and Web Sites

Contents: Exercise 1: Configure a Secure Web Server 2

Exercise 2: Configure Authorization, Authentication, and Access 5

Exercise 3: Configure Logging 9

2 Lab Instructions: Securinng the IIS 7.0 Web Server and Web Sites

LLab: Seccuring IIIS 7.0 W

E

ScApr

AauH

Th

1.2.3.4.5.6.7.8.9.

T•

T•

xercise 1:

cenario dditional securotect the Web

dditional ISAPuthorized for aerbert Dorner

he main tasks

. Start the 64

. Start the 64

. Create a se

. Block IP ad

. Examine th

. Install the .

. Set ISAPI an

. Set the righ

. Test and va



Configure

rity measures b server again

PI and CGI resta specific site. .

for this exercis

427A-NYC-DC427A-NYC-WElf-signed servedresses as spee current ISAPNET Framewond CGI restricthts and permisalidate the new

the 6427A-NA-NYC-DC1.

the 6427A-NA-NYC-WEB-B

Web Serrver andd Web SSites

e a Secure Web Serveer

need to be pust unauthorize

ut in place to ped access by sp

protect the Wepecific IP addr

eb server. Thesesses and dom

se measures wmains.

ill

rictions need tYou must give

se are as follow

1 virtual machEB-B virtual maer certificate fo

ecified in the sePI and CGI Restrk 1.1. tions to use ASssions for Activw configuration

NYC-DC1 vi

NYC-WEB-BB, and log on

to be put into e separate acce

place. Then yoess to the IT A

ou are given admin group a

list of accounnd the develo

nts per,

ws:

n as Administrhine and log o rator. achine and logg on as Administrator. or the Web serrver. ervice request.. trictions.

SP.NET versionn 1.1. ve Directory ussers. n.

rtual machinne and log oon as Adminnistrator

B virtual macchine and log on as Admministrator as Administraator with the ppassword of Pa$$w0rd.


Task 3: Create a self-signed server certificate for the Web server

1. On NYC-WEB-B, open the IIS Manager. 2. Open Server Certificates. 3. Create a Self-Signed Certificate:

• Friendly name: woodgrovebank

Task 4: Block IP addresses as specified in the Service Request

1. Using the IIS Manager, set IPv4 Address and Domain Restrictions. 2. Add a deny rule entry:

• Specific IPv4 address: 10.10.20.1

3. Add a deny rule entry:

• IPv4 address: 10.10.10.0

• Mask: 255.255.255.0

Task 5: Examine the current ISAPI and CGI Restrictions • Using the IIS Manager, examine the ISAPI and CGI Restrictions.

Task 6: Install the .NET Framework 1.1

1. Install the .NET Framework 1.1.

• File location: E:\ Mod05\Labfiles

• Installer: dotnetfix.exe

2. Install the .NET Framework 1.1 Service Pack 1.

• File location: E:\ Mod05\Labfiles

• Installer: NDP1.1sp1-KB867460-X86.exe

Task 7: Set ISAPI and CGI restrictions to use ASP.NET version 1.1

1. Using the IIS Manager, set the ISAPI and CGI Restrictions. 2. Allow ASP.NET v1.1.4322.

Task 8: Set the rights and permissions for Active Directory users • Set the rights and permissions for Active Directory users.

• Folder: C:\inetpub\wwwroot\

• Location: WoodgroveBank.com

• Object names to select: ITAdmins_WoodgroveGG

• Object names to select: Herbert

• Allow: Full control

Task 9: Test and validate the new configuration • Validate the new configuration.

• Group or user names: ITAdmins_WoodgroveGG

• Group or user names: Herbert Dorner

4 Lab Instructions: Securing the IIS 7.0 Web Server and Web Sites

Results: After this exercise, you should have successfully set IP restrictions, ISAPI and CGI restrictions, and Active Directory permissions, as specified in a service request document


Exercise 2: Configure Authorization, Authentication, and Access

Scenario

Additional security measures need to be put in place to protect the Web server. An application is protected with forms authentication, but it is discovered that some of the content can bypass forms authentication and still be accessed, such as a jpg, by entering the direct URL path and file name. You must configure the protected content to use the managed forms authentication module.


1. Turn off the Web site cache for the shared documents folder. 2. Sign into the Woodgrove Bank Web site and retrieve the confidential memo. 3. Bypass the Web site forms authentication. 4. Modify the applicationHost.config file to handle forms authentication. 5. Reconfigure the authorization and authentication so that the protected content uses forms

authentication. 6. Test and validate the Web site’s new configuration

Task 1: Turn off the Web site cache for the shared documents folder • Using the IIS Manager, add Custom HTTP Response Header.

• Name: Cache-Control

• Value: no-cache

Task 2: Sign into the Woodgrove Bank Web site and retrieve the confidential memo

1. Use Internet Explorer to log into the default Web site and retrieve a confidential memo.





2. Sign-out of the Web site.

Task 3: Bypass the Web site forms authentication • Use Internet Explorer to retrieve the Confidential Memo.

• Confidential Memo URL: http://localhost/docs/shared/Woodgrove_memo.jpg

Task 4: Modify the applicationHost.config to unlock the URL Authorization <configSections> section by changing the override mode default to allow • Unlock URL Authorization in the applicationHost.config file:

• File location: C:\windows\system32\inetsrv\config

• File name: applicationHost.config

• Section: <configSections>

• Original code:

<section name="authorization" overrideModeDefault="Allow" />

• Replacement code:



<section name="authorization" type="System.WebServer.Configuration.UrlAuthorizationSection, System.ApplicationHost, Version=7.0.0.0, culture=neutral, PublicKeyToken=31bf3856ad364e35" overrideModeDefault="Allow" />

Task 5: Modify the applicationHost.config <applicationPools> section to change the Classic .NET application pool to Integrated mode • Change the Classic .NET application pool to Integrated mode in the applicationHost.config file:



• Section: <applicationPools>

• Original code:

<add name="Classic .NET AppPool" managedPipelineMode="Classic" />


<add name="Classic .NET AppPool" managedPipelineMode="Integrated" />

Task 6: Modify the applicationHost.config file to disable all other authentication types except for anonymous • Disable all other authentication types except for anonymous in the applicationHost.config file:



• Section: <authentication>

• Append enabled="false" to:

• clientCertificateMappingAuthentication

• digestAuthentication

• iisClientCertificateMappingAuthentication

• windowsAuthentication

Task 7: Modify the applicationHost.config file to protect all content by removing the managedHandler precondition from the <system.webServer> section • Protect all content by removing the managedHandler precondition in the applicationHost.config file:



• Section: <system.webServer>

• Original code:

<add name="FormsAuthentication" type="System.Web.Security.FormsAuthenticationModule" preCondition="managedHandler" />


<add name="FormsAuthentication" type="System.Web.Security.FormsAuthenticationModule" />

• Original code:

<add name="DefaultAuthentication" type="System.Web.Security.DefaultAuthenticationModule" preCondition="managedHandler" />


<add name="DefaultAuthentication" type="System.Web.Security.DefaultAuthenticationModule" />

Task 8: Reconfigure the authorization and authentication so that the protected content uses forms authentication

1. Reconfigure authorization so that the protected content uses forms authentication in the Web.Config file:

• File location: C:\inetpub\wwwroot

• File name: Web.Config

• Section: <authorization>

• Add the line <allow [email protected] />, above the line 

• Original code:

<


<deny users="?" />

2. Using the IIS Manager, reconfigure authentication so that the protected content uses forms authentication.

• Launch Authentication

• Disable Anonymous Authentication

Task 9: Test and validate the Web site’s new configuration

1. Use Internet Explorer to log into the default Web site and retrieve the confidential memo.





2. Sign-out of the Web site. 3. Use Internet Explorer and attempt to retrieve the Confidential Memo.

• Confidential Memo URL: http://localhost/docs/shared/Woodgrove_memo.jpg


Results: After reconfigure the Web site’s authorization and authentication, so that all content uses forms authentication and thereby protecting the confidential memo, the only way to obtain the memo is by having the correct credentials.


Exercise 3: Configure Logging

Scenario

Additional security measures need to be put in place to protect the Web server. You received a service request to keep a log of all visitors to the Web server for the past 24 hours. You must enable and configure logging and then test and verify the log.


1. Examine and configure logging options. 2. Test the logging operations.

Task 1: Examine and configure logging options • Using the IIS Manager, set the logging options.

• Select: Use local time for file naming and rollover

Task 2: Test the logging operations

1. Using Internet Explorer, refresh the Web site. 2. View the log file:

• Log file location: C:\ inetpub\logs\LogFiles\W3SVC1

Results: After examining the configuration of the Web server’s logging settings, the current log file was examined and proven to successfully track the Web server’s activity.

Lab Instructions: Configuring Delegation and Remote Administration 1

Module 6 Lab Instructions: Configuring Delegation and Remote Administration

Contents: Exercise 1: Configuring Remote Administration 2

Exercise 2: Configuring Delegated Administration 4

Exercise 3: Configuring Feature Delegation 7

2 Lab Instructions: Configuuring Delegation andd Remote Administration

LALab: ConAdminis

nfigurinstration

ng Dele

gation

E

Sc

Yote

A buth

Yoth

In

Th

1.2.

T

1.2.

3.

T

1.

xercise 1:

cenario

ou need to beest it by access

new site has business ownerhe other sites h

ou have been heir site. You m

n this exercise y

his exercise’s m

. Configure N

. Test NYC-W

ask 1: Confi

. Add the IIS

. Configure tCredentials

. Start the IIS

ask 2: Test N

. On NYC-DC

Configurin

able to configsing the admin

been set up an. You will needhosted on the

assigned a sermust unlock th

you will practi

main tasks are:

NYC-WEB-B foWEB-B remote

gure NYC-W

Managementthe IIS Manages. S Managemen

NYC-WEB-B

C1, add the IIS

ng Remote

gure the servenistration featu

nd you have bed to give the bserver.

rvice request te error page f

ce configuring

or remote admadministratio

WEB-B for re

t role service toement service

t service.

remote adm

S Managemen

and Remmote

e Administration

r remotely. Youres from a rem

ou must enablemote compute

e remote admier.

inistration andd then

een asked to dbusiness owner

delegate the ar permission to

dministration o administer th

of the site to their site only, b

the but not

for o allow all sitefeature so that

e owners to ad it can be dele

minister the eegated.

rror messages

g a Web serverr for remote addministration.

ministration. n.

emote adminnistration

o NYC-WEB-BB. IIS Manager to accept bothh Windows Credentials and

ministration

nt Console.


2. On NYC-DC1, use the IIS Management Console to connect to NYC-WEB-B.

• On the NYC-WEB-B Default Web Site, set index.htm at the first default document.

Results: After completing this exercise, you should have configured the IIS Management Service to accept remote connections and you should have tested a remote connection from NYC-DC1.

4 Lab Instructions: Configuring Delegation and Remote Administration

Exercise 2: Configuring Delegated Administration

Scenario

You need to be able to configure the server remotely. You must enable remote administration and then test it by accessing the administration features from a remote computer.

A new site has been set up and you have been asked to delegate the administration of the site to the business owner. You will need to give the business owner permission to administer their site only, but not the other sites hosted on the server.

You have been assigned a service request to allow all site owners to administer the error messages for their site. You must unlock the error page feature so that it can be delegated.

In this exercise you will practice delegating administration of two Web sites to the appropriate business owners.


1. Configure delegated administration for the Human Resources site. 2. Share the Woodgrove sales Web site for Betsy Stadick. 3. Configure delegated administration for the Sales site. 4. Test delegated administration for the Human Resources and Sales sites.

Task 1: Configure delegated administration for the Human Resources site

1. On NYC-WEB-B, share WoodgroveHRSite.

• Location: E:\Mod06\Labfiles

• Site: WoodgroveHRSite

• Administrator: Herber Dorner

• Rights: Co-owner

2. Using IIS Manager, grant the Windows user Herber Dorner access to the HR site.

Task 2: Share the Woodgrove sales Web site for Betsy Stadick • On NYC-WEB-B, share the Woodgrove sales Web site for Betsy Stadick.

• Location: E:\Mod06\Labfiles

• Site: WoodgroveSalesSite

• Administrator: Betsy Stadick

• Rights: Co-owner

Task 3: Configure delegated administration for the Sales site • Allow configuration override for the authentication section of applicationHost.config.

• Use Notepad to open C:\windows\system32\intesrv\config \applicationhost.config.

• Remove the following text:

<anonymousAuthentication enabled="true" userName="IUSR" /> <basicAuthentication /> <clientCertificateMappingAuthentication /> <digestAuthentication />


<iisClientCertificateMappingAuthentication

• Insert the following text on the line before </configuration>:

The text is available in the file: C:\Mod06\Labfiles\EnableAnonymousAuthentication.txt.

<location overrideMode="Allow"> <system.webServer> <security> <authentication> <anonymousAuthentication enabled="true" userName="IUSR" /> <basicAuthentication /> <clientCertificateMappingAuthentication /> <digestAuthentication /> <iisClientCertificateMappingAuthentication /> <windowsAuthentication /> </authentication> </security> </system.webServer> </location>

• Save changes to the applicationHost.config file.

Task 4: Test delegated administration for the Human Resources and Sales sites

1. On NYC-DC1, log in as woodgrovebank\herbert with a password of Pa$$w0rd. 2. Use IIS Manager to connect to the HR site on NYC-WEB-B.


• Server name: NYC-WEB-B

• Site name: HR

• User name: [email protected]

• Connection Name: Human Resources Site

3. Use IIS Manager to connect to the Sales site on NYC-WEB-B.


• Server name: NYC-WEB-B

• Site name: Sales

• User name: [email protected]

Question: Why does an error occur? Answer: This error occurs because Herbert was not granted IIS Manager permission on the Sales site.

4. Log in to NYC-DC1 as woodgrovebank\betsy with a password of Pa$$w0rd. 5. Disable Windows authentication and anonymous authentication in the Web.config file for the Sales

site.

• Use Notepad to open \\NYC-WEB-B\WoodgroveSalesSite\Web.Config.

• Insert the following text on the line before </configuration>:

The text is available in the file: C:\Mod06\Labfiles\DisableAuthentications.txt

<system.webServer> <security> <authentication>



6 Lab Instructions: Configuring Delegation and Remote Administration

<windowsAuthentication enabled=”false” /> <anonymousAuthentication enabled="false" /> </authentication> </security> </system.webServer>

• Save changes to the Web.config file.

6. Use Internet Explorer to access http://sales.woodgrovebank.com.

Question: Why does the server report a 401 error? Answer: The server reports a 401 error because both Anonymous Authentication and Windows Authentication have been disabled. The web server is unable to service a request for a web page if no means for authentication is configured.

7. Attempt to configure \\NYC-WEB-B\WoodgroveHRSite\Web.Config.

Results: After completing this exercise, you should have successfully delegated administration for the Human Resources Web site to Herber Dorner and delegated administration for the Sales Web site to Betsy Stadick.

http://sales.woodgrovebank.com/


Exercise 3: Configuring Feature Delegation

Scenario


A new site has been set up and you have been asked to delegate the administration of the site to the business owner. You will need to give the business owner permission to administer their site only, but not the other sites hosted on the server


In this exercise you will practice configuring delegated administration so that all site owners can administer the error messages for their site.


1. Configure feature delegation for the Human Resources and Sales sites. 2. Test feature delegation for the Human Resources site.

Task 1: Configure feature delegation for the Human Resources and Sales sites • On NYC-WEB-B, use feature delegation to set Error Pages to Read/Write.

Task 2: Test feature delegation for the Human Resources site

1. On NYC-DC1, log in as woodgrovebank\herbert with a password of Pa$$w0rd. 2. Use IIS Manager to connect to the HR site on NYC-WEB-B with the user name

[email protected]. 3. Set a custom error page of /ErrorPages/custom404.htm for the 404 error page. 4. Use Internet Explorer to open URL: http://hr.woodgrovebank.com/missingpage.htm

Results: After completing this exercise, you should have successfully configured the Human Resources and Sales sites so that the site owners can customize error pages for each site.

http://hr.woodgrovebank.com/missingpage.htm

Lab Instructions: Using Command-line and Scripting for IIS 7.0 Administration 1

Module 7 Lab Instructions: Using Command-line and Scripting for IIS 7.0 Administration

Contents: Exercise 1: Manage IIS Web Sites with PowerShell 2

Exercise 2: Use Microsoft.Web.Administration 4

Exercise 3: Automate IIS Administration using Scripts 5

Exercise 4: Navigating IIS tasks using WMI and AppCmd 7

2 Lab Instructions: Using CCommand-line and Scripting for IIS 7.0 Addministration

LALab: UsiAdminis

ng Comstration

mmand-

-line an

E

ScThthth

In

Th

1.2.3.4.5.6.

T

T•

T•

xercise 1:

cenario he developmehat PowerShellhe Web service

n this exercise,

he main tasks

. Start the 64

. Use PowerS

. Use PowerS

. Stop the w3

. Start the w3

. List the Pow

ask 1: Start t

ask 2: Use PUse the get

ask 3: Use PUse the get

Manage II

ent team requil will correctly e.

you will learn

for this exercis

427A-NYC-WEShell to identifShell to identif3svc service us3svc service uswershell.exe pr

the 6427A-N

PowerShell tot-service cmd

PowerShell tot-service -inc

IS Web Sit

res additional manage the s

how to use Po

se are as follow

EB-B virtual mafy all services.fy running servsing PowerShesing PowerSherocess using th

NYC-WEB-B

o identify aldlet.

o identify rulude w* | sort

d Scriptting forr IIS 7.0

tes with PoowerShell

tools to manaerver’s service

age their Web es and make su

sites. First youure it can succe

u need to makeessfully stop a

e sure nd start

owerShell to mmanage IIS 7.0..

ws:

achine and logg on as Woodggrovebank\Administrator.

vices that startt with a "w". ell. ell. he get-wmiobjject cmdlet.

B virtual macchine and log on as Admministrator

ll services

ces that starunning servi rt with a w t-object -propperty status ccmdlet.


Task 4: Stop the w3svc service using PowerShell • Use the stop-service cmdlet.

• Use the get-service cmdlet to confirm.

Task 5: Start the w3svc service using PowerShell • Use the start-service cmdlet.

• Use the get-service cmdlet to confirm.

Task 6: List the Powershell.exe process using the get-wmiobject cmdlet • Use the Get-WmiObject -query "Select * From Win32_Process Where Name = 'powershell.exe'"

cmdlet.

Results: After this exercise, you should have successfully identified, stopped and started services using PowerShell.

4 Lab Instructions: Using Command-line and Scripting for IIS 7.0 Administration

Exercise 2: Use Microsoft.Web.Administration

Scenario

You need to verify that a script will effectively stop and start using MWA. Run the script and then check to make sure that the service is stopped. Then restart the service using the script and verify that it is started.

In this exercise, you will learn how to use MWA to execute a script.


1. Load Microsoft.Web.Administration.dll. 2. Get Web site information with MWA. 3. Create a function using MWA to find Web sites. 4. Use the findsite function to list the default Web site, the default Web site ID, and then stop and start

the default Web site.

Task 1: Load Microsoft.Web.Administration.dll • Open PowerShell.

• Use this command: [System.Reflection.Assembly]::LoadFrom(“C:\windows\system32\inetsrv\Microsoft.Web.Administration.dll")

Task 2: Get Web site information with MWA • (New-Object Microsoft.Web.Administration.ServerManager).Sites

• (New-Object Microsoft.Web.Administration.ServerManager).Sites | ForEach-Object {$_.Name}

Task 3: Create a function using MWA to find Web sites • function findsite {$name=$args[0]; ((New-Object

Microsoft.Web.Administration.ServerManager).Sites | Where-Object {$_.Name –match $name}); }

Task 4: Use the findsite function to list the default Web site, the default Web site ID, and then stop and start the default Web site

Results: After this exercise, you should have successfully used Microsoft.Web.Administration to gather Web site information and created a function to start and stop the default Web site.


Exercise 3: Automate IIS Administration using Scripts

Scenario

The development team provided you with a script that lists Web sites on the server. You need to test and run the script using PowerShell.

You also need to deploy several identical Web sites using the same default content located on a share. A PowerShell script will be used to automate this task.

In this exercise, you will learn how to use a PowerShell scripts.


1. Create Microsoft.PowerShell profile script to automatically load assemblies. 2. Set execution policy to unrestricted. 3. Add a global variable to profile script. 4. List sites using global variable. 5. Use PowerShell script to find sites. 6. Review and run a script to create a Web site. 7. Use PowerShell script to verify site was created.

Task 1: Create Microsoft.PowerShell profile script to automatically load assemblies • To open profile script: if (test-path $profile) {echo “Path exists.”} else {new-item –path $profile

–itemtype file –force}; notepad $profile

• Profile script:

echo “Microsoft IIS 7.0 Environment Loader” echo “Copyright © 2006 Microsoft Corporation. All rights reserved.” echo “ Loading IIS 7.0 Managed Assemblies” $inetsrvDir = (join-path –path $env:windir –childPath “\system32\inetsrv\”) Get-ChildItem –Path (join-path –path $inetsrvDir –childPath “Microsoft*.dll”) | ForEach-Object {[System.Reflection.Assembly]::LoadFrom( (join-path –path $inetsrvDir –childPath $_.Name)) } echo “ Assemblies loaded.”

Task 2: Set execution policy to unrestricted • View execution policy with get-executionpolicy cmdlet.

• Set execution policy with set-executionpolicy cmdlet.

Task 3: Add a global variable to profile script • Add this line to the profile script:

new-variable iismgr –value (New-Object Microsoft.Web.Administration.ServerManager) –scope “global”

Task 4: List sites using global variable

Task 5: Use PowerShell script to find sites

1. Save the script located in E:\Mod07\Labfiles\scripts\iis.type.ps1.xml to c:\windows\System32\WindowsPowerShell\v1.0.


2. Type the following at the end of the profile script:

new-variable iissites –value (New-Object Microsoft.Web.Administration.ServerManager).Sites –scope “global” new-variable iisapppools –value (New-Object Microsoft.Web.Administration.ServerManager).ApplicationPools –scope “global” update-typedata –append (join-path –path $PSHome –childPath “iis.types.ps1xml”)

3. At the PowerShell Command Prompt run $iissites.Find(“^Default*”).

Task 6: Review and run a script to create a Web site

1. The script is located in E:\Mod07\Labfiles\scripts\CreateWebsite \CreateWebsite\CreateWebsite\Bin\Debug\CreateWebsite.exe.

2. Copy the script to the C:\drive and run it from PowerShell.

Task 7: Use PowerShell script to verify site was created • Use $iissites.Find to locate NewSite.

Results: After this exercise, you should have successfully created a Microsoft.PowerShell profile script. You should have also used a saved script to list Web site. Finally, you should have successfully created a site named NewSite.


Exercise 4: Navigating IIS tasks using WMI and AppCmd

Scenario

You need to verify which tasks are running on the server. Use WMI and AppCmd to display the list of running tasks.

In this exercise, students will use WMI and AppCmd for IIS administration.


1. Use AppCmd to identify tasks running on the Web server. 2. Use AppCmd to identify all running application pools. 3. Use AppCmd to recycle all running application pools. 4. Move all applications in a site to NewAppPool apppool. 5. Store configuration information to file, and then restore the configuration information. 6. Use WMI to list the default Web site on the Web server.

Task 1: Use AppCmd to identify tasks running on the Web server

1. Open a Command Prompt. 2. Navigate to c:\windows\system32\inetsrv to run AppCmd.

Task 2: Use AppCmd to identify all running application pools

Task 3: Use AppCmd to recycle all running application pools • Use this command: appcmd list apppool /xml | appcmd recyle apppool /in

Task 4: Move all applications in a site to NewAppPool apppool • Use this command: appcmd list app /site.name:"NewSite" /xml | appcmd set app /in

/applicationPool:NewAppPool

Task 5: Store configuration information to file, and then restore the configuration information • To store configuration information: appcmd list config “Default Web Site/” /section:caching /xml

/config > config.xml

• To restore configuration information: appcmd set config “Default Web site/” /in < config.xml

Task 6: Use WMI to list the default Web site on the Web server

1. Using Notepad create a file named GetSite.vbs with the following code:

Set oIIS = GetObject("winmgmts:root\WebAdministration") Set oSite = oIIS.Get("Site.Name='Default Web Site'") WScript.Echo "Retrieved an instance of Site " WScript.Echo " Name: " & oSite.Name WScript.Echo " ID: " & oSite.ID

2. Open a Command Prompt and navigate to folder where GetSite.vbs is located 3. Type cscript //h:cscript. 4. Run GetSite.vbs script.


Results: After this exercise, you should have successfully used AppCmd to recycle application pools, move application and store configuration information to a file. You should have also successfully identified the default Web site using WMI.

Lab Instructions: Tuning IIS 7.0 for Improved Performance 1

Module 8 Lab Instructions: Tuning IIS 7.0 for Improved Performance

Contents: Exercise 1: Deploying Applications 2

Exercise 2: Configuring IIS Performance Options 5

Exercise 3: Managing Application Pools to Improve Performance 6

2 Lab Instructions: Tuning IIS 7.0 for Improved Performance

LLab: Tunning IIS 7.0 for

E

ScYone

ExInXc

Th

1.2.3.4.5.6.7.

T•

TW•

xercise 1:

cenario ou receive a reew installation

xercise Oven this exercise, copy.

his exercise’s m

. Start the 64

. Start the 64

. Add ASP.N

. Create the

. Deploy a se

. Deploy the

. Create and



Start 6427A

Deploying

equest to depln so that the En

erview students will l

main tasks are:

427A-NYC-DC427A-NYC-WEET and DynamSalesSupport aecond copy of application uassign an app

the 6427A-DA-NYC-DC1.

the 6427A-Nbank\AdminA-NYC-WEB-A

Improvved Perrformannce

g Applications

oy a second conterprise Desig

opy of an instagn QA team ca

alled applicatioan test the pro

on, and then doposed update

deploy updatees.

es to the

earn how to ddeploy an appllication, as welll as applicatioon updates, witth

1 virtual machhine. EB-A virtual maachine and logg on as Woodggrovebank\Administrator. mic Content Coompression feaatures to the IIIS Role. application annd copy the ASSP.NET application files.

sSupport2 usinthe SalesSuppport applicatioon named Sale ng Xcopy. ng Xcopy. pdates to SaleesSupport2 usi

plication pool ffor SalesSuppoort2 and test fuunctionality.

DC1 virtual machine

NYC-WEB-Aistrator

A virtual macchine and loog on as

A, and log on as LocalAdmiin with the password of Pa$$$w0rd.


Task 3: Add ASP.NET and Dynamic Content Compression features to the IIS Role • On NYC-WEB-A, use Server Manager to add the ASP.NET and Dynamic Content Compression role

services.

Task 4: Create the SalesSupport application and copy the ASP.NET application files

1. On NYC-WEB-A, use IIS Manager to add the SalesSupport application with a physical path of c:\inetpub\wwwroot\SalesSupport.

2. Copy the application files from E:\Mod08\Labfiles\SalesSupport to c:\inetpub\wwwroot\SalesSupport.

Task 5: Deploy a second copy of the SalesSupport application named SalesSupport2 using Xcopy

1. At the command prompt, change directories to c:\inetpub\wwwroot. 2. Create a new directory named SalesSupport2. 3. Use the xcopy command to copy all of the files and the directory structure from SalesSupport to

SalesSupport2.

Task 6: Deploy the application updates to SalesSupport2 using Xcopy

1. At the command prompt, use Xcopy to copy the updated files from E:\mod08\labfiles\salessupport2 to c:\inetpub\wwwroot\salessupport2.

2. In IIS Manager, add the application SalesSupport2 with the physical path c:\inetpub\wwwroot\salesupport2.

Task 7: Create and assign an application pool for SalesSupport2 and test functionality

1. In IIS Manager, add an application pool named SalesSupport2 and assign it to the SalesSupport2 application.

2. In Internet Explorer, browse to http://localhost/salesupport, and then browse to http://localhost/salessupport2 and compare results.

Results: After this exercise, you should have successfully verified that the ASP.NET role service is installed, deployed that SalesSupport2 application, and verified functionality.

http://localhost/salesupport

http://localhost/salessupport2


Exercise 2: Configuring IIS Performance Options

Scenario

Next you will configure performance options for the SalesSupport application. First, you will use Performance Monitor to look at the current machine performance. Then you will configure and test output caching, compression, and throttling.

Exercise Overview In this exercise, students will learn how to configure IIS Performance Options.


1. Use Performance Monitor to measure performance. 2. Configure Output Caching. 3. Configure Compression. 4. Configure connection limit throttling.

Task 1: Use Performance Monitor to measure performance

1. On NYC-WEB-A, open Performance Monitor. 2. Remove all counters, and then add the Web Service counters Bytes Sent/sec for all instances. 3. With Performance Monitor running, in Internet Explorer, browse to

http://localhost/salessupport/test.aspx. 4. After the page loads, click refresh several times rapidly. Notice that the time is dynamically updated

with each refresh. Close Internet Explorer. 5. Examine the throughput in Performance Monitor.

Task 2: Configure Output Caching

1. In IIS Manager, add a cache rule to the SalesSupport application for the extension .aspx.

• Select Kernel-mode caching.

• Click At time intervals, and then delete the existing text and type 00:00:10.

2. In Internet Explorer, browse to http://localhost/salessupport/test.aspx and click refresh several times rapidly for at least 30 seconds. Notice how often the time is updated.

3. Browse to http://localhost/salessupport2/test.aspx, and then click refresh several times rapidly. Notice that the time updates with each refresh.

4. In Reliability and Performance Monitor, compare the graphs for the two pages. You may need to zoom in to see the difference.

Task 3: Configure Compression

1. In Internet Explorer, browse to http://localhost. Click refresh several times rapidly. 2. In Reliability and Performance Monitor examine the throughput. 3. In IIS Manager, enable static content compression for the default web site. 4. In Internet Explorer, browse to http://localhost and click refresh several times rapidly. 5. In Reliability and Performance Monitor examine the throughput. 6. In Internet Explorer, browse to http://localhost/salessupport/test.aspx and click refresh several

times rapidly. 7. In Reliability and Performance Monitor examine the throughput. 8. In IIS Manager, enable dynamic content compression.



http://localhost/salessupport2/test.aspx

http://localhost/

http://localhost/



9. In Internet Explorer, browse to http://localhost/salessupport/test.aspx and click refresh several times rapidly.

10. In Reliability and Performance Monitor examine the throughput and compare results.

Task 4: Configure connection limit throttling

1. Open Internet Explorer and browse to http://localhost. Open two more tabs and browse to http://localhost so that you have three tabs open to http://localhost. Right-click a tab and choose Refresh All. Notice that all of the tabs refresh successfully. Close Internet Explorer.

2. In IIS Manager, set a Web Site Limit for the default web site so that the number of connections is limited to 1.

3. In Internet Explorer, open three tabs to http://localhost. Right-click a tab and choose Refresh All. Notice that one of the tabs now reports an error.

4. Close Internet Explorer before continuing.

Results: After this exercise, you should have configured performance options and verified functionality.


http://localhost/

http://localhost/

http://localhost/

http://localhost/


Exercise 3: Managing Application Pools to Improve Performance

Scenario

You will now modify the application pools to improve resource usage.

Exercise Overview

In this exercise, students will learn how to manage application pools to improve performance.


1. Use Reliability and Performance Monitor to measure resource usage. 2. Recycle an application pool. 3. Assign SalesSupport and SalesSupport2 to the same application pool.

Task 1: Use Reliability and Performance Monitor to measure resource usage

1. On NYC-WEB-A, open Internet Explorer and browse to http://localhost/salessupport. Open a second tab, and browse to http://localhost/salessupport2.

2. Open Reliability and Performance Monitor. Examine the memory usage of w3wp.exe and the number of instances.

Task 2: Recycle an application pool

1. In IIS Manager, recycle the SalesSupport2 application pool. 2. In Reliability and Performance Monitor, examine the memory and number of instances of

w3wp.exe and compare results. 3. Close Internet Explorer before continuing.

Task 3: Assign SalesSupport and SalesSupport2 to the same application pool

1. In IIS Manager, modify the SalesSupport2 application to use the default application pool, and then remove the SalesSupport2 application pool.

2. Open Internet Explorer and browse to http://localhost/salessupport. Open a second tab and browse to http://localhost/salessupport2.

3. In Reliability and Performance Monitor, examine the memory and number of instances of w3wp.exe.

Results: After this exercise, you should have recycled and consolidated application pools, and verified resource usage with Reliability and Performance Monitor.

4. es?





Lab Instructions: Ensuring Web Site Availability with Web Farms 1

Module 9 Lab Instructions: Ensuring Web Site Availability with Web Farms

Contents: Exercise 1: Backing Up an IIS Web Site 2

Exercise 2: Restoring an IIS Web Site 4

Exercise 3: Enabling Shared Configurations 5

Exercise 4: Configuring Network Load Balancing 6

2 Lab Instructions: Ensurinng Web Site Availability with Web Farms

LLab: Enssuring WWeb Site

E

ScThyo

Th

1.2.3.4.

T

TW•

TW•

xercise 1:

cenario he Enterprise Dou begin, you

he main tasks

. Start the 64

. Start the 64

. Start the 64

. Backup the

ask 1: Start t


Log on to N

• User: W

• Passwo


Log on to N

• User: W

• Passwo

Backing U

Design Team hwill back up a

for this exercis

427A-NYC-DC427A-NYC-WE427A-NYC-WEe Web site, We

the 6427A-N

the 6427A-Nbank\AdminNYC-WEB-D.

Woodgroveba

ord: Pa$$w0rd

the 6427A-Nbank\AdminNYC-WEB2.

Woodgroveba

ord: Pa$$w0rd

e Availaability wwith Weeb Farm

Up an IIS W

has asked you n existing site

se are as follow

1 virtual machEB-D virtual maEB2 virtual maceb application,

NYC-DC1 vi

NYC-WEB-Distrator

ank\Administ

d

NYC-WEB2 vistrator

ank\Administ

d

Web Site

to explore opand verify tha

ws:

hine. achine and logchine and log and config fil

rtual machin

D virtual mac

trator

virtual mach

trator

tions for increat it can be res

g on as Woodgon as Woodgres to the E: dr

ne

chine and lo

hine and log

asing Web sitestored properly

grovebank\Adrovebank\Admive.

og on as

g on as

ms

e availability. By.

Before

dministrator. ministrator.


Task 4: Backup the Web site, Web application, and config files to the E: drive

1. Create a new folder:

• E:\Web Site Backup

2. Copy the files:

• Source: C:\inetpub\wwwroot

• Destination: \\NYC-WEB-D\E\Web Site Backup

Results: After this exercise, you should have successfully backed up a Web site. Provide the results of the exercise so students will know when and if they have completed the lab exercise successfully.

4 Lab Instructions: Ensuring Web Site Availability with Web Farms

Exercise 2: Restoring an IIS Web Site

Scenario

The Enterprise Design Team has asked you to verify that the backups can be restored properly. Do this by restoring the Web files to a second server and confirm that the second server functions properly.

The main task for this exercise is:

1. Restore the Web site, Web application, and config files from the shared drive.

Task 1: Restore the Web site, Web application, and config files from the shared drive

1. Open the default Web site in Internet Explorer on NYC-WEB2. 2. Copy the files:

• Source: \\NYC-WEB-D\E\Web Site Backup

• Destination C:\inetpub\wwwroot

3. Refresh the default Web site in Internet Explorer on NYC-WEB2.

Results: After this exercise, you should have successfully restored a Web site to a second server. Provide the results of the exercise so students will know when and if they have completed the lab exercise successfully.


Exercise 3: Enabling Shared Configurations

Scenario

The next step is for increasing Web site availability. Now that you have two identically configured Web servers, implement shared configurations for them.


1. Export and Enable Shared Configuration. 2. Add the second Web server to use the Shared Configuration. 3. Test the Shared Configuration.

Task 1: Export and Enable Shared Configuration

1. Export configuration using IIS Manager.

• Server: NYC-WEB-D

• Physical Path: \\NYC-WEB-D\E

• Encryption keys password: Pa$$w0rd

2. Using IIS Manager, enable shared configuration.


• User name: Woodgrovebank\Administrator


• Encryption key password: Pa$$w0rd

3. Using IIS Manager, start Management Service.

Task 2: Add the second Web server to use the Shared Configuration.

1. Using IIS Manager, enable shared configuration.

• Server: NYC-WEB2


• User name: Woodgrovebank\Administrator


• Encryption key password: Pa$$w0rd

2. Using IIS Manager, start Management Service.

Task 3: Test the Shared Configuration.

1. Using IIS Manager, add the default document for NYC-WEB-D.


• Name: test.html

2. Using IIS Manager, check the default document for NYC-WEB2.

Results: After this exercise, you should have successfully configured a two-server network with an underlying foundation of shared configurations.

6 Lab Instructions: Ensuring Web Site Availability with Web Farms

Exercise 4: Configuring Network Load Balancing

Scenario

With the two Web servers set up with Shared Configurations, configure Network Load Balancing to increase Web site availability.


1. Create a new Network Load Balancing cluster. 2. Add the second host to the Network Load Balancing cluster. 3. Add the second server to the Network Load Balancing cluster. 4. Verify Network Load Balancing using NLB commands.

Task 1: Create a new Network Load Balancing cluster • Using Network Load Balancing Manager, add a new cluster.


• Host: NYC-WEB-D

• Interface IP address: 10.10.0.21

• Cluster IP Addresses, IPv4 address: 10.10.0.27

• Cluster IP Addresses, Subnet mask: 255.255.0.0

• Full Internet name: cluster.woodgrovebank.com

Task 2: Add the second host to the Network Load Balancing cluster • Using Network Load Balancing Manager, add the second host to the cluster.

• Host: NYC-WEB2

• Local Area Connection interface IP address: 10.10.0.26

• Priority (unique host identifier): 2

Task 3: Add the second server to the Network Load Balancing cluster • Using Network Load Balancing Manager, add the second server to the cluster.


Task 4: Verify Network Load Balancing using NLB commands

1. Using the Command Prompt, verify Network Load Balancing.


• Command: NLB query 10.10.0.27



• Command: NLB query 10.10.0.27



• Command: NLB display


Results: After this exercise, you should have successfully restored a Web site to a second server. Provide the results of the exercise so students will know when and if they have completed the lab exercise successfully.

Lab Instructions: Troubleshooting IIS 7.0 Web Servers 1

Module 10 Lab Instructions: Troubleshooting IIS 7.0 Web Servers

Contents: Exercise 1: Troubleshooting Authentication 2

Exercise 2: Troubleshooting Authorization 4

Exercise 3: Troubleshooting Communication 5

Exercise 4: Troubleshooting Configuration 6

2 Lab Instructtions: Troubleshootinng IIS 7.0 Web Serverrs

LLab: Trooubleshoooting IIS 7.0 W

E

ScYoacde

Ex

In

Th

1.2.3.4.5.6.7.

TW•

TW•

xercise 1:

cenario ou receive a seccessed by dometailed error m

xercise Ove

n this exercise,

his exercise’s m

. Start the 64

. Start the 64

. Browse to h

. Examine th

. Enable Deta

. Reproduce

. Resolve the


Start 6427A


Start 6427A

Troublesh

ervice request main users wit

messages, you

erview

you will troub

main tasks are:

427A-NYC-DC427A-NYC-WEhttp://localhose log file. ailed Error Methe issue and

e issue and tes

the 6427A-Nbank\AdminA-NYC-DC1 a

the 6427A-Nbank\AdminA-NYC-WEB-E

hooting Au

asking to resothin the compamust resolve t

bleshoot an au

1 virtual machEB-E virtual mast/salessupport

essages. examine the dt functionality

NYC-DC1 viistrator nd log on as W

NYC-WEB-E istrator E and log on a

Web Seervers

uthenticatiion

olve a user issuany, but is notthe problem.

ue. The passwot allowing acce

ord-protected ess to anyone.

intranet site isUsing logs an

s d

thentication is

hine and log oachine and logt.

detailed error.y.

rtual machin

Woodgroveba

virtual mac

as Woodgrove

ssue using IIS llogs and detailed error messsages.

n as Woodgroovebank\Administrator. g on as Woodggrovebank\Administrator.

ne and log oon as

ank\Administtrator, passwoord Pa$$w0rdd.

chine and logg on as

ebank\Adminnistrator, passsword Pa$$w00rd.


Task 3: Browse to http://localhost/salessupport • On NYC-WEB-E, test functionality by loading http://localhost/salessupport in the browser.

Task 4: Examine the log file • In C:\inetpub\logs\LogFiles\W3SVC1, open the most recent log file and look for the error. Note the

substatus.

Task 5: Enable Detailed Error Messages • In IIS Manager, enable Detailed errors for local requests and custom error pages for remote

requests.

Task 6: Reproduce the issue and examine the detailed error • In Internet Explorer, browse to http://localhost/salessupport.

• Examine the detailed error information.

Task 7: Resolve the issue and test functionality

1. Based on the detailed error, modify the configuration in IIS Manager to correct the issue. 2. In Internet Explorer, browse to http://localhost/salessupport to verify that the issue has been

corrected.

Results: After this exercise, you should have successfully examined the IIS log files, enabled detailed error messages, and resolved the authentication issue.

http://localhost/



4 Lab Instructions: Troubleshooting IIS 7.0 Web Servers

Exercise 2: Troubleshooting Authorization

Scenario

You receive another service request to secure another Web site where all users are able to view the content. You must reproduce the issue, determine the cause, and resolve the issue.

Exercise Overview

In this exercise, you will troubleshoot authorization using Failed Request Tracing.


1. Browse to http://localhost/salessupport2. 2. Enable Failed Request Tracing and add a rule to trace successful requests. 3. Reproduce the issue and examine the Failed Request Tracing log. 4. Resolve the issue and verify functionality.

Task 1: Browse to http://localhost /salessupport2 • On NYC-WEB-E, in Internet Explorer, browse to http://localhost/salessupport2.

Task 2: Enable Failed Request Tracing and add a rule to trace successful requests • In IIS Manager, add a Failed Request Tracing rule to trace successful requests.

Task 3: Reproduce the issue and examine the Failed Request Tracing log

1. In Internet Explorer, browse to http://localhost/salessupport2. 2. Examine the latest failed request tracing log in c:\inetpub\logs

\FailedReqLogFiles\W3SVC1. Examine the authorization information in the log.

Task 4: Resolve the issue and verify functionality • Based on the log, modify the configuration in IIS Manager to correct the issue.

• In Internet Explorer, browse to http://localhost/salessupport2 to verify that the issue has been corrected

Results: After this exercise, you should have successfully enabled failed request tracing, and resolved the authorization issue.





Exercise 3: Troubleshooting Communication

Scenario

Users are reporting that a Web application is returning an error when they try to browse to it. You must troubleshoot why the Web application cannot open the content.

Exercise Overview

In this exercise, you will troubleshoot communication using tools.


1. Reproduce the issue. 2. Use Ping to verify communication with the Web server. 3. Enable detailed errors and examine the detailed error. 4. Correct the problem and verify functionality.

Task 1: Reproduce the issue • On NYC-DC1, in Internet Explorer, browse to http://nyc-web-e/netapp/content.

Task 2: Use Ping to verify communication with the Web server • At the command prompt, type ping NYC-WEB-E, and then press ENTER.

Task 3: Enable detailed errors and examine the detailed error

1. On NYC-WEB-E, in IIS Manager, enable detailed errors. 2. In Internet Explorer, browse to http://localhost/netapp/content.

• Examine the detailed error information.

Task 4: Correct the problem and verify functionality

1. On NYC-WEB-E, in IIS Manager, correct the configuration based on the information from the detailed error.

2. In Internet Explorer, browse to http://localhost/netapp/content to verify that the error has been corrected.

Results: After this exercise, you should used ping to verify communication, enabled detailed error messages, and resolved the error.

http://nyc-web-e/netapp/content.

http://localhost/netapp/content


6 Lab Instructions: Troubleshooting IIS 7.0 Web Servers

Exercise 4: Troubleshooting Configuration

Scenario

Users are reporting they receive multiple errors when trying to view JPG files that previously worked. You know that multiple people have the ability to modify this site including Web.config and related files.

Exercise Overview

In this exercise, you will troubleshoot configuration using detailed error messages.


1. Reproduce the issue and examine the detailed error message. 2. Examine and correct the web.config file. 3. Verify functionality.

Task 1: Reproduce the issue and examine the detailed error message

1. On NYC-WEB-E, in Internet Explorer, browse to http://localhost/pics/logo.jpg 2. Examine the detailed error information.

Task 2: Examine and correct the web.config file • Open the web.config file located in c:\Pics.

• Correct the error and save the file based on the information from the detailed error.

Task 3: Verify functionality • In Internet Explorer, browse to http://localhost/pics/logo.jpg.

Results: After this exercise, you should have reproduced the problem, examined the detailed error message, and resolved the error.

http://localhost/pics/logo.jpg


Lab Answer Key: Configuring an Internet Information Services 7.0 Web Server 1

Module 1 Lab Answer Key: Configuring an Internet Information Services 7.0 Web Server

Contents:

Exercise 1: Installing IIS Using Role Manager 2

Exercise 2: Installing IIS Using Unattended Setup 4

Exercise 3: Installing IIS on Server Core from Command Line 6

Exercise 4: Configuring IIS and Validating Functionality 7

2 Lab Answer Key: Configuring an Internet Information Services 7.0 Web Server

Lab: Configuring an IIS 7.0 Web Server Logon Information: • Virtual Machine: NYC-SVR1, NYC-SVR2, NYC-SVR3

• User Name: LocalAdmin or Administrator


Estimated time: 60 minutes

Exercise 1: Installing IIS using Role Manager

Scenario

You receive a service request from the Enterprise Design Team to prepare three Web servers to host Web sites and Web applications. One of the companies acquired by Woodgrove Bank has a classic ASP application that needs to be hosted in IIS7.

Exercise Overview

In this exercise, you will learn how to install IIS 7.0 using Role Manager.


1. Start the 6427A-NYC-SVR1 virtual machine and log on as LocalAdmin. 2. Turn on Network Discovery. 3. Install the Web server role.

Note: If you have already logged on to a virtual machine, skip the logon task for that particular virtual machine.

Task 1: Start the 6427A-NYC-SVR1 virtual machine and log on as LocalAdmin 1. On the Lab Launcher, next to 6427A-NYC-SVR1, click Launch.

2. Log on to NYC-SVR1 as LocalAdmin with the password of Pa$$w0rd.

Task 2: Turn on Network Discovery

1. On NYC-SVR1, click Start | Network. 2. Click the information bar with the text Network discovery and file sharing are turned off.

Network computers and devices are not visible. Click to change.... 3. Click Turn on network discovery and file sharing. 4. Click Yes, turn on network discovery and file sharing for all public networks. 5. Close Network.

Task 3: Install the Web server role

1. On NYC-SVR1, click Start and click Server Manager. 2. In the details pane, in the Roles Summary section, click Add roles. 3. The Add Roles Wizard dialog box appears. Click Next. 4. In the Roles box, select Web Server (IIS). 5. The Add Roles Wizard dialog box appears. Click Add Required Features. 6. Click Next twice. 7. In the Roles services box, select ASP. 8. The Add Roles Wizard dialog box appears. Click Add Required Role Services.


9. Click Next and then click Install. 10. When the installation is complete, click Close. 11. In the console pane, expand Roles. 12. Notice that the Web Server (IIS) role is installed. 13. Click Start | All Programs | Internet Explorer. 14. The Microsoft® Windows Internet Explorer window opens. Browse to http://localhost. 15. Notice that the IIS7 Welcome page loads, indicating that IIS is successfully installed and running.

Results: After this exercise you should have successfully verified that the Web Server (IIS) role is installed and loaded the IIS Welcome page in Internet Explorer.

http://localhost/


Exercise 2: Installing IIS Using Unattended Setup

Scenario

Now you will set up the second IIS Web server to host the new ASP.NET application. You will install IIS by creating an Unattend.XML file based on the example given on the student CD by modifying it to only install the features needed. This will be an ASP.NET application server and will need to have all security, compression and caching features installed so that development can experiment with configuration.

Exercise Overview

In this exercise, you will learn how to install IIS using unattended setup.


1. Start the 6427A-NYC-SVR3 virtual machine and log on as LocalAdmin. 2. Turn on Network Discovery. 3. Create the Unattend.XML file by copying the default XML file provided and removing unnecessary features. 4. Install IIS using Pkgmgr with the Unattend.XML file and verify once completed.

Task 1: Start the 6427A-NYC-SVR3 virtual machine and log on as LocalAdmin 1. On the Lab Launcher, next to 6427A-NYC-SVR3, click Launch.

2. Log on to NYC-SVR3 as LocalAdmin with the password of Pa$$w0rd.

Task 2: Turn on Network Discovery

1. On NYC-SVR3, click Start | Network. 2. Click the information bar with the text Network discovery and file sharing are turned off.

Network computers and devices are not visible. Click to change.... 3. Click Turn on network discovery and file sharing. 4. Click Yes, turn on network discovery and file sharing for all public networks. 5. Close Network.

Task 3: Create the Unattend.XML file by copying the default XML file provided and removing unnecessary features

1. Click Start, type Notepad, and then press Enter. 2. The Notepad window opens. On the File menu, click Open. 3. The Open dialog box appears. In the Text Documents list, click All Files. 4. Browse E:\Mod01\Labfiles. 5. Click unattend_all.xml and then click Open. 6. Delete the following lines:

<selection name="IIS-HttpRedirect" state="true"/> <selection name="IIS-ASP" state="true"/> <selection name="IIS-CGI" state="true"/> <selection name="IIS-IIS6ManagementCompatibility" state="true"/> <selection name="IIS-Metabase" state="true"/> <selection name="IIS-WMICompatibility" state="true"/> <selection name="IIS-LegacyScripts" state="true"/> <selection name="IIS-LegacySnapIn" state="true"/>

7. The Unattend.Xml file needs to be modified with the correct version number. It should read Version="6.0.6001.18000" (this will match the HAL major and minor version numbers).


To do this, Edit Version=”6.0.6001.16659” to Version="6.0.6001.18000"

8. On the File menu, click Save As. 9. The Save As dialog box appears. Type c:\unattend.xml, and then click Save. 10. Close Notepad.

Task 4: Install IIS using Pkgmgr with the Unattend.XML file and verify once completed

1. Click Start, and then click Command Prompt. 2. Type cd \ and then press Enter. 3. Type start /w pkgmgr /n:unattend.xml and then press Enter. 4. When the process completes, type echo %errorlevel% and then press Enter. Note that it may take

up to four minutes to complete. 5. Notice that the return code is “0” indicating a successful installation. 6. Type exit, and then press Enter. 7. In Server Manager, in the console pane, expand Roles. Note that you may need to refresh the

console. 8. Notice that Web Server (IIS) is installed. 9. Click Start | All Programs | Internet Explorer. 10. The Windows Internet Explorer window opens. Browse to http://localhost. 11. Notice that the IIS Welcome page appears.

Results: After this exercise you should have successfully installed IIS using an unattend file and verified the IIS Welcome page.

http://localhost/


Exercise 3: Installing IIS on Server Core from Command Line

Scenario

The final server you will install is a Server Core Web server that will act primarily as a redirection server to the ASP server.

Exercise Overview

In this exercise, you will learn how to install IIS via the command line in a Server Core environment.


1. Start the 6427A-NYC-SVR2 virtual machine and log on as Administrator. 2. Disable the firewall. 3. Install IIS from the command line.

Task 1: Start the 6427A-NYC-SVR2 virtual machine and log on as Administrator On the Lab Launcher, next to 6427A-NYC-SVR2, click Launch.

Log on to NYC-SVR2 as Administrator with the password of Pa$$w0rd.

Task 2: Disable the firewall • On NYC-SVR2, in the command prompt window, type netsh firewall set opmode disable and press

Enter.

Note: Disabling the firewall should not be done in a real-world environment as it is bad security practice.

Task 3: Install IIS from the command line

1. Type the following and then press Enter. Note that the feature names are case-sensitive: Start /w pkgmgr /iu:IIS-WebServerRole;IIS-WebServer;IIS-CommonHttpFeatures;IIS-StaticContent;IIS-DefaultDocument;IIS-HttpErrors;IIS-HttpRedirect;WAS-WindowsActivationService;WAS-ProcessModel

2. When the process completes, type echo %errorlevel%, and then press Enter. Note that it may take up to two minutes to complete.

3. Notice that the return code is “0” indicating a successful installation. 4. On NYC-SVR1, in Internet Explorer, browse to http://nyc-svr2. 5. Notice that the IIS Welcome page loads, indicating that the Web server role on NYC-SVR2 is installed

and functioning.

Results: After this exercise you should have successfully installed IIS on Microsoft® Server 2008 Server Core from the command line and verified by loading the IIS Welcome page from another machine running Internet Explorer.

http://nyc-svr2/


Exercise 4: Configuring IIS and Validating Functionality

Scenario

With the three Web servers installed, configure each as necessary to perform its function.

Exercise Overview

In this exercise, you will configure common IIS features and validate functionality.


1. Configure NYC-SVR1 for ASP debugging, detailed error messages, HTTP compression and SMTP Service. 2. Configure NYC-SVR3 to trace server errors, enable directory browsing, enable windows authentication and

impersonation, configure UDDI, and enable dynamic output compression. 3. Configure NYC-SVR2 to have no default documents, and redirect requests to NYC-SVR1.

Task 1: Configure NYC-SVR1 for ASP debugging, detailed error messages, and HTTP compression 1. On NYC-SVR1, click Start | Administrative Tools | Internet Information Services (IIS) Manager.

2. In the Connections pane, expand NYC-SVR1 | Sites, and then click Default Web Site.

3. In the details pane, double-click ASP.

4. In the Compilation section, expand Debugging Properties.

5. In the Enable Client-side Debugging list, click True.

6. In the Enable Server-side Debugging list, click True.

7. In the Send Errors to Browser list, click True.

8. In the Actions pane, click Apply.

9. In the Connections pane, click Default Web Site.

10. In the details pane, double-click HTTP Response Headers.

11. In the Actions pane, click Set Common Headers.

12. The Set Common HTTP Response Headers dialog box appears. Select Expire Web content, and then click OK.


14. In the details pane, double-click Compression.

15. Notice that Enable static content compression is checked.


17. In the details pane, double-click Error Pages.

18. In the Actions pane, click Edit Feature Settings

19. The Edit Error Pages Settings dialog box appears. Click Detailed errors, and then click OK.

20. On NYC-SVR3, in the Internet Explorer, browse to http://nyc-svr1/default.asp.

21. Notice that you get a detailed HTTP Error 404 page, indicating that the NYC-SVR1 web server has been configured properly.

Question: How does the Detailed Error page differ from the default Custom error page? Answer: The Detailed Error Page lists trace events and steps for troubleshooting.

http://nyc-svr1/default.asp


Task 2: Configure NYC-SVR3 to trace server errors, enable directory browsing, enable windows authentication and impersonation, configure UDDI, and enable dynamic output compression and SMTP 1. On NYC-SVR3, click Start | Administrative Tools | Internet Information Services (IIS) Manager.

2. In the Connections pane, expand NYC-SVR3 | Sites, and then click Default Web Site.

3. In the Actions pane, click Failed Request Tracing.

4. The Edit Web Site Failed Request Tracing Settings dialog box appears. Select Enable, and then click OK.

5. In the details pane, in the IIS section, double-click Failed Request Tracing Rules.

6. In the Actions pane, click Add.

7. The Add Failed Request Tracing Rule dialog box appears. Click Next.

8. In the Status code(s) field, type 500.

9. Select Event severity, and then in the Event severity list, click Critical Error.

10. Click Next and then click Finish.


12. In the details pane, in the IIS section, double-click Directory Browsing.

13. In the Actions pane, click Enable.


15. In the details pane, in the IIS section, double-click Authentication.

16. In the details pane, click Windows Authentication.


18. In the details pane, click ASP.NET Impersonation.


20. In Server Manager, in the console pane, right-click Roles and then click Add Roles.

21. The Add Roles Wizard dialog box appears. Click Next.

22. Select UDDI Services, and then click Next twice.

23. Select UDDI Services Database and UDDI Services Web Application.

24. The Add Roles Wizard dialog box appears. Click Add Required Role Services, and then click Next.

25. Click Do not require SSL, and then click Next seven times. Click Install.

26. When installation completes, click Close. Note that it may take up to eight minutes to complete.

27. In Internet Information Services (IIS) Manager, in the Connections pane, click Default Web Site.

28. In the details pane, in the IIS section, double-click Output Caching.


30. The Add Cache Rule dialog box appears. In the File name extension field, type .aspx.

31. Select User-mode caching and then click OK.


33. In the details pane, in the ASP.NET section, double-click SMTP E-mail.


34. In the E-mail address field, type [email protected].

35. In SMTP Server field, type SMTP.WoodgroveBank.com.


37. In Internet Explorer, browse to http://localhost/uddi.

38. Notice the UDDI Services page loads.

39. Browse to http://localhost/aspnet_client.

40. Notice that there is a detailed HTTP Error 500.24.

41. Under Detailed Error Information, right-click C:\inetpub\logs\FailedReqLogFiles, and then click Copy Shortcut.

42. Click Start | Run. Right-click the Open field and then click Paste.

43. Click OK.

44. Double-click W3SVC1.

45. Notice that there is a failed request log for the server error: fr00001.xml.

Task 3: Configure NYC-SVR2 to have no default documents, and redirect requests to NYC-SVR1

1. On NYC-SVR2, in the command prompt window, type cd \windows\system32\inetsrv\config and then press Enter.

2. Type edit applicationHost.config and then press Enter. 3. Scroll down to <defaultDocument enabled="true"> (approximately line 169), and change "true"

to "false". 4. Scroll down to <httpRedirect enabled="false" /> (approximately line 246), and modify this line to

read: <httpRedirect enabled="true" exactDestination="false" childOnly="false" destination="http://10.10.0.24/" />

5. On the File menu, click Save. 6. On the File menu, click Exit. 7. On NYC-SVR3, in Internet Explorer, browse to http://nyc-svr2. 8. Notice that the IIS 7 Welcome page loads and the address field has changed to http://10.10.0.24.

Question: What would be displayed if redirection was not enabled? Answer: Since there is no default document, an error message would be displayed and the address bar would still display http://nyc-svr2.

9. Close each of the running virtual machines. Do not save changes so they are reset to default for the next lab.

Results: After this exercise you should have successfully configured and verified the configuration of the three web servers.

Note: After you have completed the lab exercises closing the VM’s and selecting undo disk is not required for hosted labs. Click the Quit button to exit.

http://localhost/uddi

http://localhost/aspnet_client

http://nyc-svr2/

http://10.10.0.24/

http://nyc-svr2/

Lab Answer Key: Configuring IIS 7.0 Web Sites and Application Pools 1

Module 2 Lab Answer Key: Configuring IIS 7.0 Web Sites and Application Pools

Contents: Exercise 1: Configuring Authentication Types 2

Exercise 2: Creating a Web Site and Web Application 5

Exercise 3: Creating an Application Pool 7

Exercise 4: Configuring an Existing Application Pool 8

2 Lab Answer Key: Configuring IIS 7.0 Web Sites and Application Pools

Lab: Configuring IIS 7.0 Web Sites and Application Pools Logon Information: • Virtual Machine: NYC-DC1, NYC-WEB-A, NYC-SVR1

• User Name: Administrator



Exercise 1: Configuring Authentication Types

Scenario

You receive a service request from the Enterprise Design Team to organize the existing NYC-WEB-A server into virtual directories by access level. There will be two access levels: public and restricted. Anyone on the network should be able to access the public content. Only authenticated users should be able to access restricted.

Exercise Overview

In this exercise, you will learn how to create virtual directories and configure anonymous authentication.


Start the 6427A-NYC-DC1 virtual machine.

1. Start the 6427A-NYC-WEB-A virtual machine and log on as Woodgrovebank\Administrator.


3. Add Basic, Windows Integrated and Digest Security features to the IIS Role.

4. Create a virtual directory named Public.

5. Configure the public virtual directory for anonymous authentication.


Task 1: Start the 6427A-NYC-DC1 virtual machine • On the Lab Launcher, next to 6427A-NYC-DC1 click Launch.

Task 2: Start the 6427A-NYC-WEB-A virtual machine and log on as Woodgrovebank\Administrator

1. On the Lab Launcher, next to 6427A-NYC-WEB-A click Launch. 2. Log on to NYC-WEB-A as Woodgrovebank\Administrator with the password of Pa$$w0rd.

Task 3: Add Basic, Windows Integrated and Digest Security features to the IIS Role

1. On NYC-WEB-A, in Server Manager, in the console pane, expand Roles and then click Web Server (IIS).

2. Right-click Web Server (IIS) and then click Add Role Services. 3. The Add Role Services dialog box appears. In the Role services box, under Security, select Basic

Authentication, Windows Authentication, and Digest Authentication. 4. Click Next and then click Install.


5. When the installation is complete, click Close.

6. In the details pane, in the Role Services section, notice that Basic Authentication, Windows Authentication, and Digest Authentication are listed as Installed.

Task 4: Create a virtual directory named public 1. Click Start | Administrative Tools | Internet Information Services (IIS) Manager.

2. In the Connections pane, expand NYC-WEB-A | Sites and then click Default Web Site.

3. In the Actions pane, click View Virtual Directories.

4. Click Add Virtual Directory.

5. The Add Virtual Directory dialog box appears. In the Alias field, type Public.

6. Next to the Physical path field, click the Browse (...) button.

7. The Browse For Folder dialog box appears. Browse to C:\inetpub, and then click Make New Folder.

8. Type Public, and then click OK.

9. Click OK.

10. Click Start | Computer and then browse to C:\inetpub\wwwroot.

11. Select all, then right-click and then click Copy.

12. Browse to C:\inetpub\public, right-click, and then click Paste.

Task 5: Configure the public virtual directory for anonymous authentication 1. In Internet Information Services (IIS) Manager, in the Connections pane, expand Default Web

Site and then click Public.

2. In the details pane, double-click Authentication.

3. Click Anonymous Authentication. Notice that it is enabled.

4. In the Actions pane, click Edit.

5. The Edit Anonymous Authentication Credentials dialog appears. Notice that Specific user is selected and set to IUSR.

6. Click Cancel.

7. In Server Manager, in the console pane, expand Configuration | Local Users and Groups and then click Users.

8. In the details pane, right-click Guest, and then click Properties.

9. The Guest Properties dialog box appears. Clear Account is disabled, and then click OK.

10.Note: It is a poor security practice and should not be done in a real-world scenario.

Click Start | Administrative Tools | Local Security Policy.

11. The Local Security Policy window opens. In the console pane, expand Local Policies and then click User Rights Assignment.

12. In the details pane, right-click Allow log on locally, and then click Properties.

13. The Allow log on locally Properties dialog appears. Click Add User or Group.

14. The Select Users, Computers, or Groups dialog box appears. Click Locations.

15. The Locations dialog box appears. Click NYC-WEB-A, and then click OK.


16. In the Enter the object names to select field, type Guest, and then click OK twice.

17. Close Local Security Policy.

18. Click Start | Switch User.

19. Logon as NYC-WEB-A\Guest with no password.

20. Click Start | All Programs | Internet Explorer.

21. The Windows Internet Explorer window opens. Browse to http://localhost. Note that we’ve set the default site to the Public virtual directory so there’s no need to use localhost/public.

Notice that the IIS7 Welcome page loads.


23. Log on as Woodgrovebank\Administrator with the password of Pa$$w0rd.

Results: After this exercise, you should have created virtual directories on the Web server and provided both public and restricted access levels to those directories.

http://localhost/


Exercise 2: Creating a Web Site and Web Application

Scenario

Next you will create two web sites, and two web applications, in the employee and restricted virtual directories, named Woodgrove and Exec respectively. Exec will be a .NET 3.0 application. You will also delegate administrative access to ITAdmins_WoodgroveGG.

Exercise Overview In this exercise, you will learn how to create web sites and applications.


1. Create a site named Woodgrove. 2. Copy the Woodgrove application to the appropriate directory. 3. Add the .NET 3.0 Feature to the server. 4. Delegate administrative access of Woodgrove to ITAdmins_WoodgroveGG.

Task 1: Create a site named Woodgrove

1. On NYC-WEB-A, in Internet Information Services (IIS) Manager, in the Connections pane, click Sites.

2. In the Actions pane, click Add Web Site. 3. The Add Web Site dialog box appears. In the Site name field, type Woodgrove. 4. In Physical path, click the Browse (...) button. 5. The Browse For Folder dialog box appears. Browse to C:\inetpub, and then click Make New Folder. 6. Type woodgrove, and then click OK. 7. In the Port field, type 88, and then click OK.

Task 2: Copy the Woodgrove Application to the Appropriate Directory 1. In Windows Explorer, browse to E:\Mod02\Labfiles\WoodGrove.

2. Select all, then right-click, and then click Copy.

3. Browse to C:\inetpub\woodgrove, right-click, and then click Paste.

Task 3: Add the .NET 3.0 Feature and ASP.NET to the server

1. In Server Manager, in the console pane, click Features. 2. In the details pane, click Add Features. 3. The Add Features Wizard dialog box appears. Select .NET Framework 3.0 Features. 4. The Add Features Wizard dialog box appears. Click Add Required Role Services. 5. Click Next twice. 6. On the Select Role Services page, select ASP.NET. 7. The Add Features Wizard dialog box appears. Click Add Required Role Services. 8. Click Next, and then click Install. 9. When the installation is complete, click Close.

Task 4: Delegate administrative access of Woodgrove to ITAdmins_WoodgroveGG 1. Internet Information Services (IIS) Manager, in the Connections pane, expand Sites and then click

Woodgrove.

2. In the Actions pane, click Edit Permissions.

3. The woodgrove Properties dialog box appears. Click the Security tab.


4. Click Edit.

5. The Permissions for woodgrove dialog box appears. Click Add.

6. The Select, Users, Computers, or Groups dialog box appears. In the Enter the object names to select field, type ITAdmins_WoodgroveGG, and then click Check Names.

7. Click OK.

8. Next to Full control, select Allow and then click OK twice.

Results: After this exercise, you should have successfully installed .NET 3.0 Framework, ASP.NET, and created the Woodgrove site and copied its content.


Exercise 3: Creating an Application Pool

Scenario

You will now create a new application pool for temporary applications.

Exercise Overview



• Create an application pool named TempPool.

Task 1: Create an application pool named TempPool 1. On NYC-WEB-A, in Internet Information Services (IIS) Manager, expand NYC-WEB-A and then

click Application Pools.

2. In the Actions pane, click Add Application Pool.

3. The Add Application Pool dialog box appears. In the Name field, type TempPool.

4. Click OK.

5. In the details pane, notice that TempPool appears in the list of application pools.

Results: After this exercise, you should have successfully added an application pool named TempPool.


Exercise 4: Configuring an Existing Application Pool

Scenario

Next, you will configure the new application pools according to the needs for the new applications. You will also practice starting, stopping, and recycling the application pools and configuring health settings. You will also rename the Exec and Woodgrove pools to ExecPool and WoodgrovePool.

Exercise Overview In this exercise, you will configure the application pools and validate functionality.


1. Rename Woodgrove to WoodgrovePool. 2. Configure WoodgrovePool and the Woodgrove site for Windows Integrated authentication to allow all

authenticated users. 3. Configure TempPool to use LocalSystem as worker process identity. 4. Stop, start and recycle WoodgrovePool. 5. Configure TempPool for Classic Pipeline Mode. 6. Remove TempPool. 7. Configure Health and Recycling settings for WoodgrovePool.

Task 1: Rename Woodgrove to WoodgrovePool 1. On NYC-WEB-A, in Internet Information Services (IIS) Manager, expand Sites and then click

Woodgrove.

2. In the Actions pane, click Basic Settings.

3. The Edit Site dialog box appears. Click Select.

4. The Select Application Pool dialog box appears. In the Application pool list, click TempPool, and then click OK twice.

5. In the Connections pane, click Application Pools.

6. In the details pane, click Woodgrove.

7. In the Actions pane, click Rename.

8. Type WoodgrovePool, and then press Enter.

9. In the Connections pane, click Woodgrove.


11. The Edit Site dialog box appears. Click Select.

12. The Select Application Pool dialog box appears. In the Application pool list, click WoodgrovePool, and then click OK twice.

Task 2: Configure WoodgrovePool and the Woodgrove site for Windows Integrated authentication to allow all authenticated users 1. In the Connections pane, expand Sites and then click Woodgrove.


3. Click Windows Authentication.



5. In the details pane, click Anonymous Authentication.

6. In the Actions pane, click Disable.

7. On the Lab Launcher, next to 6427A-NYC-SVR1 click Launch.

8. Log on to NYC-SVR1 as LocalAdmin with the password of Pa$$w0rd. Note that this machine is not joined to the domain.


10. The Windows Internet Explorer window opens. Browse to http://nyc-web-a.woodgrovebank.com.

Notice that the IIS Welcome page appears indicating that the previous anonymous public site configuration is correct.

11. Browse to http://nyc-web-a.woodgrovebank.com:88.

Notice that there is an error message and the page will not load. Windows authentication has failed for this user/machine. Question: Why does Windows authentication fail? Answer: Because NYC-SVR1 is not joined to the Woodgrovebank domain, the user account cannot be authenticated.

12. On NYC-WEB-A, click Start | All Programs | Internet Explorer.

13. The Windows Internet Explorer window opens. Browse to http://localhost:88.

Notice that the Woodgrove Bank page appears. Windows authentication is successful.

Task 3: Configure TempPool to use LocalSystem as worker process identity 1. In Internet Information Services (IIS) Manager, in the Connections pane, click Application Pools.

2. In the details pane, click TempPool.

3. In the Actions pane, click Advanced Settings.

4. The Advanced Settings dialog box appears. Under the Process Model section, click Identity.

5. Next to NetworkService, click the Browse (...) button.

6. The Application Pool Identity dialog box appears. In the Built-in account list, click LocalSystem.

7. Click OK twice.

Task 4: Stop, start and recycle WoodgrovePool 1. In the Connections pane, click Application Pools.

2. In the details pane, click WoodgrovePool.

3. In the Actions pane, click Stop.

4. In the details pane, notice that the status of WoodgrovePool changes to Stopped.

5. In the Actions pane, click Start.

6. In the details pane, notice that the status of WoodgrovePool changes to Started.

7. In the Actions pane, click Recycle.

WoodgrovePool recycles, however the results may not be visible.

http://nyc-web-a.woodgrovebank.com./

http://nyc-web-a.woodgrovebank.com./

http://nyc-web-a.woodgrovebank.com:88/

http://localhost:88/


Task 5: Configure TempPool for Classic Pipeline Mode

1. In the Connections pane, click Application Pools. 2. In the details pane, click TempPool. 3. In the Actions pane, click Basic Settings. 4. The Edit Application Pool dialog box appears. In the Managed pipeline mode list, click Classic. 5. Click OK.

Task 6: Remove TempPool

1. In the Connections pane, click Application Pools. 2. In the details pane, click TempPool. 3. In the Actions pane, click Remove. 4. The Confirm Remove dialog box appears. Click Yes.

Task 7: Configure Health and Recycling settings for WoodgrovePool

1. In the Connections pane, click Application Pools. 2. In the details pane, click WoodgrovePool. 3. In the Actions pane, click Recycling. 4. The Edit Application Pool Recycling Settings dialog box appears. Select Fixed number of

requests. 5. In the Fixed Number of requests field, type 1000. 6. Click Next. 7. On the Recycling Events to Log page, select Number of requests. 8. Click Finish. 9. In the Actions pane, click Advanced Settings. 10. The Advanced Settings dialog box appears. In the Rapid-Fail Protection section, click Failure

Interval (minutes). 11. In the value column, type 10 and then click OK.

Close each of the running virtual machines. Do not save changes so they are reset to defaults for the next lab.

Results: After this exercise, you should have successfully configured and verified the configuration of the application pools.


Lab Answer Key: Configuring IIS 7.0 Application Settings 1

Module 3 Lab Answer Key: Configuring IIS 7.0 Application Settings

Contents: Exercise 1: Configuring ASP.NET 2

Exercise 2: Configuring ASP.NET Application Development Settings 6

Exercise 3: Configuring a Web Server to Host Multiple Applications with Separate Application Pools 8

Exercise 4: Configuring ASP.NET Security 13

2 Lab Answer Key: Configuring IIS 7.0 Application Settings

Lab: Configuring IIS 7.0 Application Settings Logon Information: • Virtual Machine: NYC-DC1, NYC-WEB-A

• User Name: Administrator




Exercise 1: Configuring ASP.NET

Scenario You receive a service request from the Enterprise Design Team to deploy an application server. You need to add and configure the ASP.NET role service, and Application Server role, on the Web Server. The server will be available from the Internet and Sales Associates will need to log in with the user name “sales” and password “support” from their client’s sites to get contact information for support (This is a very poor security practice and all authenticated connections should use individual user names and you do not have appropriate permissions to set the username and password). This requires a medium level of security. If there is an error, the error message returned to the client browser should direct the user to contact their district sales manager for login information.

Exercise Overview

In this exercise, you will learn how to add the ASP.NET role service and configure ASP.NET. You will choose and configure the appropriate authentication model, and set up custom error pages to handle HTTP errors.


1. Start the 6427A-NYC-DC1 virtual machine.


3. Add ASP.NET and Basic Security features to the IIS Role.

4. Create the SalesSupport application and copy the ASP.NET application files.

5. Configure Basic Security to allow access to authenticated Woodgrovebank domain users.

6. Configure custom error pages for 401.aspx for 401 errors, and Other_Errors.aspx for all other errors.


Task 2: Start the 6427A-NYC-WEB-A virtual machine and log on as Woodgrovebank\Administrator 1. On the Lab Launcher, next to 6427A-NYC-WEB-A click Launch.

2. Log on to NYC-WEB-A as Woodgrovebank\Administrator with the password of Pa$$w0rd.

Task 3: Add ASP.NET and Basic Security features to the IIS Role 1. On NYC-WEB-A, in Server Manager, in the console pane, expand Roles and then click Web Server

(IIS).

2. Right-click Web Server (IIS), and then click Add Role Services.


3. The Add Role Services dialog box appears. In the Role services box, under Application Development, select ASP.NET.

4. The Add Role Services box appears. Click Add Required Role Services.

5. In the Role Services box, under Security, select Basic Authentication.

6. Click Next, and then click Install.

7. When the installation is complete, click Close.

8. In the details pane, in the Role Services section, notice that ASP.NET and Basic Authentication are listed as Installed.

Task 4: Create the SalesSupport application and copy the ASP.NET application files 1. Click Start | Administrative Tools | Internet Information Services (IIS) Manager.


3. In the Actions pane, click View Applications.

4. Click Add Application.

5. The Add Application dialog box appears. In the Alias field, type SalesSupport.


7. The Browse For Folder dialog box appears. Browse to C:\inetpub\wwwroot, and then click Make New Folder.

8. Type SalesSupport and then click OK.

9. Click OK.

10. Click Start | Computer and then browse to E:\Mod03\Labfiles\SalesSupport.


12. Browse to C:\inetpub\wwwroot\SalesSupport, right-click, and then click Paste.

Task 5: Configure Basic Security to allow access to authenticated Woodgrovebank domain users 1. In Internet Information Services (IIS) Manager, in the Connections pane, expand Default Web

Site and then click SalesSupport.


3. Click Anonymous Authentication.


5. In the details pane, click Basic Authentication.


7. Click Edit.

8. The Edit Basic Authentication Settings dialog appears. In the Default domain and Realm fields, type woodgrovebank.

9. Click OK.


11. The Windows Internet Explorer window opens. Browse to http://localhost/salessupport.



12. The Connect to localhost dialog box appears. Notice that there is a warning about basic authentication and insecure credentials.

13. In the User name field, type yvonne. Note that Yvonne is a marketing account manager with a domain account in the Woodgrovebank domain.

14. In the Password field, type Pa$$w0rd and then click OK.

Notice that the Sales Support Resources page loads successfully.

15. Close Internet Explorer. Note that you must close the browser to reset the session so you can try logging in as a different user.



18. The Connect to localhost dialog box appears. In the User name field, type bob. Note that Bob does not have a domain account in the Woodgrovebank domain.

19. Leave the Password field blank and then click OK.

20. Click OK two more times.

Notice that you get an HTTP 401.1 Unauthorized error. Note that detailed error messages show up locally by default.

21. Close Internet Explorer.

Task 6: Configure custom error pages for 401.aspx for 401 errors, and Other_Errors.aspx for all other errors 1. In Windows Explorer, browse to E:\Mod03\Labfiles\WBErrors.

2. Select all, right-click and then click Copy.

3. Browse to C:\inetpub\custerr\en-US, right-click, and then click Paste.

4. In Internet Information Services (IIS) Manager, in the Connections pane, click SalesSupport.

5. In the details pane, double-click Error Pages.

6. In the Actions pane, click Edit Feature Settings.

7. The Edit Error Pages Settings box appears. Click Custom error pages.

8. Click OK.

9. In the details pane, under the Status Code column, click 401.


11. The Edit Custom Error Page dialog box appears. Click Set.

12. The Set Localized Custom Error Path dialog box appears. In the Relative file path field, delete the existing text and then type 401.aspx.

13. Click OK twice.

14. In the details pane, under the Status Code column click 404.


16. The Edit Custom Error Page dialog box appears. Click Set.

17. The Set Localized Custom Error Path dialog box appears. In the Relative file path field, delete the existing text and then type Other_Errors.aspx.



18. Click OK twice. Note that in a real world situation, you would repeat these steps for each error that you wanted to assign to a custom error message.



21. The Connect to localhost dialog box appears. In the User name field, type bob.

22. Leave the Password field blank and then click OK three times.

Notice that there is now a custom error message directing you to contact your district sales manager.



25. The Windows Internet Explorer window opens. Browse to http://localhost/salessupport/brokenlink.

26. The Connect to localhost dialog box appears. In the User name field, type yvonne.


If you are prompted, add the site to the allowed list. Notice that you get a custom error that is slightly different. Since the path “brokenlink” doesn’t exist, this is a custom 404 error.


Tip: If you are having problems verifying your custom error settings, and changes don’t seem to be taking effect, be sure to clear the browser cache.

Results: After this exercise, you should have successfully verified that the ASP.NET role service is installed, configured Basic authentication, and verified custom error pages in Internet Explorer.


http://localhost/salessupport/brokenlink


Exercise 2: Configuring ASP.NET Application Development Settings

Scenario

Next you will configure some test settings for the SalesSupport application. The Enterprise Design team is planning on implementing a database to store the support resource data. You will need to enter the provided connection string. You will also rename the cookie that the page uses to SalesSupport. Next you will create a custom control for testing the new configuration. Finally, you will set some application settings and then verify that the application can read them by loading the custom test page.

Exercise Overview

In this exercise, you will learn how to configure ASP.NET application development settings.


1. Configure ASP.NET Connection Strings to connect to Resources.MDF.

2. Configure ASP.NET Session State settings to rename the cookie to SalesSupport.

3. Add a custom control: Woodgrovebank.TestControls Version=1.0.0.0

4. Add application settings at Site and Application levels.

Task 1: Configure ASP.NET Connection Strings to connect to Resources.MDF 1. On NYC-WEB-A, in Internet Information Services (IIS) Manager, in the Connections pane, expand

Sites | Default Web Site and then click SalesSupport.

2. In the details pane, double-click Connection Strings.


4. The Add Connection String dialog box appears. In the Name field, type LocalResources.

5. Click Custom.

6. In the Custom field delete the existing text and then type data source=.\SQLEXPRESS;AttachDbFileName=e:\mod03\labfiles\resources.mdf;IntegratedSecurity=True

7. Click OK.

Task 2: Configure ASP.NET Session State settings to rename the cookie to SalesSupport 1. In the Connections pane, click SalesSupport.

2. In the details pane, double-click Session State.

3. In the Cookie Settings section, in the Name field, delete the existing text and then type SalesSupport_SessionID.


Task 3: Add a custom control: Woodgrovebank.TestControls Version=1.0.0.0 1. In the Connections pane, click SalesSupport.

2. In the details pane, double-click Pages and Controls.

3. In the Action pane, click Register Controls.

4. Click Add Custom Control.

5. The Add Custom Control dialog box appears. In the Tag prefix field type Woodgrovebank.


6. In the Namespace field, type TestControls.

7. In the Assembly field, type Version=1.0.0.0.

8. Click OK.

Task 4: Add application settings at site and application levels 1. Click Start | All Programs | Internet Explorer.

2. The Windows Internet Explorer window opens. Browse to http://localhost/salessupport/test.aspx.



Notice that the Woodgrove Bank Sales Application Settings Test Page opens. It should report “No Application Settings defined.”


6. In the details pane, double-click Application Settings.


8. The Add Application Setting dialog box appears. In the Name field, type DefaultLocation.

9. In the Value field, type New York.

10. Click OK.

11. In Internet Explorer, click the Refresh button.

Notice that it now reports “DefaultLocation = New York”.

12. In Internet Information Services (IIS) Manager, in the Connections pane, click SalesSupport.

13. In the details pane, double-click Application Settings.

14. Notice in the details pane that DefaultLocation is inherited.


16. The Add Application Setting dialog appears. In the Name field, type debug_mode.

17. In the Value field, type true.

18. Click OK.


Notice that it now reports “DefaultLocation = New York” and “debug_mode = true”. Question: How might the application settings be used in real world Web applications? Answer: The application can customize content or actions based on the settings. This gives flexibility to the administrator to customize the application at deployment time.


Results: After this exercise, you should have configured ASP.NET development settings and verified test page functionality.



Exercise 3: Configuring a Web Server to Host Multiple Applications with Separate Application Pools

Scenario You will now deploy the SalesSupport application to two new instances. Once instance will be a test deployment with additional testing configuration. Another instance will be for the German division of Woodgrove and will need to be set for German globalization settings. Additionally, you will disable the debug mode for the production version of SalesSupport.

Exercise Overview



1. Create three application pools named SalesSupport, SalesSupport_De, and SalesSupport_Test.

2. Create the applications SalesSupport_De and SalesSupport_Test.

3. Use XCopy to deploy the files from the SalesSupport directory to the SalesSupport_DE and SalesSupport_Test directories.

4. Assign the applications to the appropriate application pools.

5. Configure application pool recycling for unlimited requests.

6. Configure the SalesSupport_Test application pool to record recycled events.

7. Configure the SalesSupport .NET compilation debug setting to False.

8. Configure the SalesSupport_De application globalization settings for Germany.

Task 1: Create three application pools named SalesSupport, SalesSupport_De, and SalesSupport_Test 1. On NYC-WEB-A, in Internet Information Services (IIS) Manager, in the Connections pane, click

Application Pools.


3. The Add Application Pool dialog box appears. In the Name field, type SalesSupport.

4. Click OK.


6. The Add Application Pool dialog box appears. In the Name field, type SalesSupport_De.

7. Click OK.


9. The Add Application Pool dialog box appears. In the Name field, type SalesSupport_Test.

10. Click OK.

11. In the details pane, notice that SalesSupport, SalesSupport_DE, and SalesSupport_Test appear in the list of application pools.

Task 2: Create the applications SalesSupport_De and SalesSupport_Test 1. In the Connections pane, click Default Web Site.




4. The Add Application dialog box appears. In the Alias field, type SalesSupport_De.

5. Next to the Physical path field, click the Browse (…) button.


7. Type SalesSupport_De and then click OK twice.


9. The Add Application dialog box appears. In the Alias field, type SalesSupport_Test.

10. Next to the Physical path field, click the Browse (…) button.


12. Type SalesSupport_Test and then click OK twice.

13. In the details pane, notice that SalesSupport, SalesSupport_DE, and SalesSupport_Test appear in the list of applications.

Task 3: Use XCopy to deploy the files from the SalesSupport directory to the SalesSupport_DE and SalesSupport_Test directories 1. Click Start | Command Prompt.

2. Type cd \inetpub\wwwroot and then press Enter.

3. Type xcopy /e SalesSupport\*.* SalesSupport_De and then press Enter.

4. Type dir SalesSupport_De and then press Enter to confirm that the files were copied.

5. Type xcopy /e SalesSupport\*.* SalesSupport_Test and then press Enter.

Shortcut: Press Up Arrow twice, and then Backspace and change the last few characters of the previous command line to _Test, and then press Enter.

6. Type dir SalesSupport_Test and then press Enter to confirm that the files were copied.

Task 4: Assign the applications to the appropriate application pools 1. In Internet Information Services (IIS) Manager, in the Connections pane, click Default Web Site.


3. In the details pane, click /SalesSupport.


5. The Edit Application dialog box appears. Click Select.

6. The Select Application Pool dialog box appears. In the Application pool list, click SalesSupport, and then click OK twice.

7. In the details pane, click /SalesSupport_De.




10. The Select Application Pool dialog box appears. In the Application pool list, click SalesSupport_De, and then click OK twice.

11. In the details pane, click /SalesSupport_Test.



14. The Select Application Pool dialog box appears. In the Application pool list, click SalesSupport_Test, and then click OK twice.

15. In the Connections pane, click SalesSupport_De.






21. Click Edit.


23. Click OK.

24. In the Connections pane, click SalesSupport_Test.






30. Click Edit.


32. Click OK.

Task 5: Configure production application pool recycling for unlimited requests 1. In the Connections pane, click Application Pools.

2. In the details pane, click SalesSupport.

3. In the Actions pane, click Recycling.

4. The Edit Application Pool Recycling Settings dialog box appears. Clear the Regular time intervals check box, and then click Next.

5. Click Finish.

6. In the details pane, click SalesSupport_De.


8. The Edit Application Pool Recycling Settings dialog box appears. Clear Regular time intervals check box, and then click Next.


9. Click Finish.

Task 6: Configure the SalesSupport_Test application pool to record recycled events 1. In the details pane, click SalesSupport_Test.


3. The Edit Application Pool Recycling Settings dialog box appears. Select Fixed number of requests.

4. In the Fixed number of requests field, type 1024 and then click Next.

5. On the Recycling Events to Log page, select Number of requests, On-demand, and Configuration changes.

6. Click Finish.

Task 7: Configure the SalesSupport .NET compilation debug setting to False 1. In the Connections pane, click SalesSupport.

2. In the details pane, double-click .NET Compilation.

3. Under Behavior, in the Debug list, click False.


Question: What is the advantage of disabling the debug setting in .NET compilation? Answer: The compiled code will be smaller and faster without debug code. It is a good idea to use this setting when an application is fully tested and deployed to final production.

Task 8: Configure the SalesSupport_De application globalization settings for Germany 1. In the Connections pane, click SalesSupport_De.

2. In the details pane, double-click .NET Globalization.

3. In the Culture list, click German (Germany) (de-DE).

4. In the UI Culture list, click German (Germany) (de-DE).






10. Open a second tab in Internet Explorer and then browse to http://localhost/salessupport_test.

11. Open a third tab and then browse to http://localhost/salessupport_de.

12. Right-click the notification area and then click Task Manager.

13. The Task Manager window opens. Click the Processes tab.

14. Under the Image Name column, notice that there are at least three instances of w3wp.exe running, indicating at least three separate application pools.

15. Close Task Manager.

16. In Internet Explorer, browse to http://localhost/salessupport_de/test.aspx.

Notice that the date is now in dd.mm.yyyy format, the cultural default for Germany.


http://localhost/salessupport_test.

http://localhost/salessupport_de

http://localhost/salessupport_de/test.aspx


17. Close Internet Explorer. In the Internet Explorer dialog box, click Close Tabs.

Results: After this exercise, you should have successfully deployed multiple applications with separate application pools, configured recycling and debug settings, and configured and verified .Net globalization settings.


Exercise 4: Configuring ASP.NET Security

Scenario

Next, you will configure the machine key, .NET trust level, and File and Folder security.

Exercise Overview

In this exercise, you will configure ASP.NET security settings.


1. Set the machine key of SalesSupport_de.

2. Configure the SalesSupport_Test site for medium trust level.

3. Configure File and Folder security so that only ITAdmins_WoodgroveGG can access the Test.aspx page on SalesSupport.

4. Enable Tracing and Logging for the SalesSupport_Test site.

5. Configure Request Filtering so that only ASPX requests are processed.

Task 1: Set the machine key of SalesSupport_de 1. On NYC-WEB-A, in Internet Information Services (IIS) Manager, in the Connections pane, click

SalesSupport_De.

2. In the details pane, double-click Machine Key.

3. In the Actions pane, click Generate Keys.

4. Click Apply.

Task 2: Configure the SalesSupport_Test site for medium trust level 1. In the Connections pane, click SalesSupport_Test.

2. In the details pane, double-click .NET Trust Levels.

3. In the Trust level list, click Medium (web_mediumtrust.config).


Task 3: Configure File and Folder security so that only ITAdmins_WoodgroveGG can access the Test.aspx page in SalesSupport 1. In the Connections pane, click SalesSupport.

2. In the details pane, click the Content View tab at the bottom of the window.

3. Click test.aspx.

4. In the Actions pane, click Edit Permissions.

5. The test.aspx Properties dialog box appears. Click the Security tab.

6. Click Advanced.

7. The Advanced Security Settings for test.aspx dialog box appears. Click Edit.

8. Clear the Include inheritable permissions from this object’s parent check box.

9. The Windows Security dialog box appears asking if you want to copy the inherited permissions. Click Copy.

10. Click Users (NYC-WEB-A\Users), and then click Remove.


11. Click Add.

12. The Select User, Computer, or Group dialog box appears. In the Enter the object name to select field, type Network Service. Note that since we have removed Users, we need to specifically allow the Network Service account. The SalesSupport application pool is running under the Network Service account with pass-through authentication.

13. Click Check Names, and then click OK.

14. The Permission Entry for test.aspx dialog box appears. In the Permissions section, next to Full control, select Allow.

15. Click OK.

16. Click Add.

17. The Select User, Computer, or Group dialog box appears. In the Enter the object name to select field, type ITAdmins_WoodgroveGG.

18. Click Check Names, and then click OK.

19. The Permission Entry for test.aspx dialog box appears. In the Permissions section, next to Full control, select Allow.

20. Click OK four times.

21. In Internet Explorer, browse to http://localhost/salessupport/test.aspx.



24. Click OK two more times. Notice that Yvonne no longer has access to test.aspx.

25. Click the Refresh button.

26. The Connect to localhost dialog box appears. In the User name field, type betsy. Note that Betsy is a member of the ITAdmins_WoodgroveGG security group.


Notice that Betsy has access to the page.


Task 4: Enable Tracing and Logging for the SalesSupport_Test site 1. In Server Manager, in the console pane, expand Roles and then click Web Server (IIS).

2. Right click Web Server (IIS), and then click Add Role Services.

3. The Add Role Services dialog box appears. Select Health and Diagnostics to select all of the Health and Diagnostics services.


5. When the installation completes, click Close.

6. Click Start, type Notepad and then press Enter.

7. The Notepad window opens. On the File menu, click Open.

8. The Open dialog box appears. In the Text Documents list, click All Files.

9. Browse to C:\inetpub\wwwroot\SalesSupport_Test.

10. Click test.aspx, and then click Open.



11. In the first line of the file, modify the trace=”false” attribute to read trace=”true” so that the line reads:

<@ Page Language=”C#” trace=”true” %>

12. On the fifth line of the file, type This message should appear between the double quotes, so that the line reads:

Response.Write(“This message should appear”);

Question: How would an application use tracing? Answer: A developer can add trace commands to the Web application code to record information that can be used for debugging and monitoring. The administrator has the ability to enable or disable tracing as needed.

13. On the File menu, click Save.

14. Close Notepad.

15. In Internet Explorer, browse to http://localhost/salessupport_test/test.aspx.

16. If the Connect to localhost dialog box appears, in the User name field, type betsy.


18. Notice that This message should appear appears at the top of the page.

Scroll down and notice that the trace information appears at the bottom of the page.

19. In the Trace Information section, the next to last lines contain the trace messages from the test.aspx file. Notice that the warning message is red.



22. In the Actions pane, click Failed Request Tracing. If Failed Request Tracing does not appear, close and reopen IIS Manager for the added Health and Diagnostics features to appear.


24. In the details pane, double-click Failed Request Tracing Rules.


26. The Add Failed Request Tracing Rule wizard appears. On the Specify Content to Trace page, click ASP.NET (*.aspx), and then click Next.

27. On the Define Trace Conditions page, in the Status code(s) field, type 200 and then click Next.

28. On the Select Trace Providers page, under Providers, clear all check boxes except ASPNET.

29. Click ASPNET.

30. Under Areas, clear all check boxes except Page.

31. Under Verbosity, notice that it is set to Verbose.

32. Click Finish.

33. In Internet Explorer, browse to http://localhost/salessupport_test/test.aspx.

34. If the Connect to localhost dialog box appears, in the User name field, type betsy.





36. Press CTRL + O.

37. The Open dialog box appears. Click Browse.

38. Browse to C:\inetpub\logs\FailedReqLogFiles\W3SVC1.

39. In the HTML Files list, click All Files.

40. If there is more than one, click the most recent fr######.xml file, and then click Open.

41. Click OK.

42. The failed request log opens. Notice in the Request Summary section the details of the request: App Pool is SalesSupport_Test, Authentication is Basic, User from token is WOODGROVEBANK\betsy.

43. In the Errors and Warnings section, click Expand All.

44. Notice that the warning “This is a warning.” appears.

Task 5: Configure Request Filtering so that only ASPX requests are processed 1. In Internet Explorer, browse to http://localhost/welcome.png.

Notice that the IIS7 graphic appears.

2. Browse to http://localhost/iisstart.htm.

Notice that the IIS7 Welcome page appears.


4. Click Start, type Notepad and then press Enter.

5. The Notepad window opens. On the File menu click Open.


7. Browse to C:\inetpub\wwwroot.

8. Click web.config, and then click Open.

9. After the sixth line, <system.webServer>, press Enter and then add the following security section:

<security> <requestFiltering> <fileExtensions allowUnlisted="false" > <add fileExtension=".aspx" allowed="true"/> </fileExtensions> </requestFiltering> </security>

Question: How could you disable only certain extensions, such as .MP3 and .WMA? Answer: Set the allowUnlisted property to “true”. Add the unallowed file extensions and set their allowed properties to “false”.


11. Close Notepad.


13. The Windows Internet Explorer window opens. Browse to http://localhost/welcome.png.

14. Notice that HTTP Error 404.7 appears. Detailed error messaging states that “The request filtering module is configured to deny the file extension”.



http://localhost/welcome.png.


15. Browse to http://localhost/iisstart.htm.

Notice the same error.

16. Click Start | Command Prompt.


18. Type copy iisstart.htm *.aspx and then press Enter.

19. Type dir, and then press Enter and notice that the file was copied it iisstart.aspx.

20. In Internet Explorer, browse to http://localhost/iisstart.aspx.

Notice that the page with the aspx extension loads without error but the image still does not display.


Results: After this exercise, you should have successfully configured and verified the configuration of the advanced security settings for ASP.NET.



http://localhost/iisstart.aspx

Lab Answer Key: Configuring IIS 7.0 Modules 1

Module 4 Lab Answer Key: Configuring IIS 7.0 Modules

Contents: Exercise 1: Configuring and Editing Native Modules 2

Exercise 2: Configuring and Editing Managed Modules 5

2 Lab Answer Key: Configuring IIS 7.0 Modules

Lab: Configuring and Editing Modules Logon Information: • Virtual Machine: NYC-WEB-B

• User Name: Woodgrovebank\Administrator



Exercise 1: Configuring and Editing Native Modules

Scenario

You received a service request from the application development team specifying the modules that are required to install, test, and run an application on the specified web server. To reduce the server footprint and vulnerability, you must remove the unnecessary modules.

Exercise Overview

In this exercise, you will learn how to remove native modules from a Web server to improve security and reduce the server footprint.


1. Start the 6427A-NYC-WEB-B virtual machine and log on as Woodgrovebank\Administrator. 2. Backup the current Web server configuration. 3. Examine the modules currently installed on the Web server. 4. Remove the Default Document Module and the Directory Listing Module. 5. Validate that the modules have been removed and test the new server configuration. 6. Restore the modules to the Web server configuration. 7. Validate that the modules have been restored and test the server configuration.


Task 1: Start the 6427A-NYC-WEB-B virtual machine and log on as Woodgrovebank\Administrator

1. On the Lab Launcher, next to 6427A-NYC-WEB-B, click Launch. 2. Log on to NYC-WEB-B as Woodgrovebank\Administrator with the password of Pa$$w0rd.

Task 2: Backup the current Web server configuration. 1. On NYC-WEB-B, if Server Manager opens, Close the Server Manager and click Start | Command

Prompt.

2. Type cd \windows\system32\inetsrv\ and then press Enter. 3. Type appcmd add backup original and then press Enter. 4. Notice that the AppCmd completes the backup and reports BACKUP object "original" added.

5. Question: When using the appcmd add backup command, where are the backup configuration file placed?

Answer: In a new folder, in the C:\Windows\System32\inetserv\backup\ folder.

Task 3: Examine the modules currently installed on the Web server 1. Click Start | Administrative Tools | Internet Information Services (IIS) Manager.


2. In the Connections pane, click NYC-WEB-B.

3. In the details pane, in the Group by list, click Category.

4. In the details pane, in the Server Components section, double-click Modules.

5. In the Group by list, click Module Type.

6. Notice that the DefaultDocumentModule and the DirectoryListingModule entries are listed in the Native Modules section.

Question: What do the DefaultDocumentModule and DirectoryListingModules do? Answer: The DefaultDocumentModule offers the functionality of offering the Web browser a default file when a specified folder or directory is specified by the URL. The DirectoryListingModule will supply the Web client with a list of the folder contents, when a folder or directory is specified by the URL.

Task 4: Remove the Default Document Module and the Directory Listing Module

1. In the Connections pane, expand NYC-WEB-B | Sites, and then click Default Web Site. 2. In the Actions pane, click Browse *:80(http). 3. The Windows Internet Explorer window opens. Notice that the Woodgrove Bank page opens as

expected. 4. Click Start | Computer and then browse to C:\windows\system32\inetsrv\config\. 5. In the details pane, double-click applicationHost.config. 6. The Notepad window opens. Find the <globalModules> section. 7. Delete the DefaultDocumentModule and the DirectoryListingModule entries from within the

<globalModules> tag by deleting these two lines:

<add name="DefaultDocumentModule" image= "%windir%\System32\inetsrv\defdoc.dll" /> <add name="DirectoryListingModule" image= "%windir%\System32\inetsrv\dirlist.dll" />

8. Scroll down to the bottom of the file and find the <system.webServer> section. 9. Delete the references to the DefaultDocumentModule and the DirectoryListingModule from within

the <handlers accessPolicy="Read, Script"> tag by replacing:

<add name="StaticFile" path="*" verb="*" modules="StaticFileModule,DefaultDocumentModule,DirectoryListingModule" resourceType="Either" requireAccess="Read" />

With the line:

<add name="StaticFile" path="*" verb="*" modules="StaticFileModule" resourceType="Either" requireAccess="Read" />

10. Delete the DefaultDocumentModule and the DirectoryListingModule entries from within the <modules> tag. Delete the two lines:

<add name="DefaultDocumentModule" lockItem="true" /> <add name="DirectoryListingModule" lockItem="true" />

11. On the File menu, click Save. 12. Close Notepad.


Task 5: Validate that the modules have been removed and test the new server configuration 1. In Internet Information Services (IIS) Manager, in the Connections pane, click NYC-WEB-B.


3. In the Native Modules section, notice that the DefaultDocumentModule and the DirectoryListingModule entries are gone.


Notice that the Web page is now blank, even though Internet Explorer indicates that it is done loading.

5. In Internet Explorer, browse to http://localhost/default.aspx.

Notice that the Web page loads after you specify the default document. Question: Why did the Web page get restored after the file name, default.aspx was added to the URL? Answer: The Web server is still completely operational, but no longer offers default documents or directory browsing. So if a full URL is specified, complete with a file name, then the Web server will return that file to the Web client, if available.

Task 6: Restore the modules to the Web server configuration • In the Command Prompt, type appcmd restore backup original and then press Enter.

Notice that the AppCmd completes the restore and reports that the original configuration has been restored. Question: After the AppCmd completes the restore, where does it restore the configure files to? Answer: The files are restored to the C:\Windows\System32\inetsrv\config folder.

Task 7: Validate that the modules have been restored and test the server configuration 1. Use IE to browse to http://localhost/, and then click Refresh

Notice that the page once again loads properly from the default document.


Results: After this exercise, you should have successfully removed native modules from a Web server, and then confirmed that the server operates as expected.


Exercise 2: Configuring and Editing Managed Modules

Scenario

To increase throughput, it has been determined that output caching would be beneficial on some of the applications on the web server. You need to make sure that the Output Cache module is installed and configured as specified in the service request. The development team also requested the installation of a new Managed Module that provides an additional level of logging for their application.

Exercise Overview

In this exercise, you will learn how to add new managed modules to a Web server.


1. Install the logging managed module.

2. Confirm the installation of the logging managed module.

3. Test the Web site forms authentication functionality.

4. Examine the modules currently running on the Web server.

5. Remove the forms authentication managed module.

6. Test the new configuration.

Task 1: Install the logging managed module 1. In Windows Explorer, browse to C:\inetpub\.

2. Right-click inetpub, and then click New | Folder.

3. Type logging_module and then press Enter.

4. Browse to E:\Mod04\Labfiles\logging_module.


6. Browse to C:\inetpub\logging_module, right-click, and then click Paste.

7. Browse to C:\inetpub\logging_module\logs\.

8. Right-click logs, and then click Properties.

9. The logs Properties dialog box appears. Click the Security tab.

10. Click Edit.

11. The Permissions for logs dialog box appears. In the Group or user names section, click Users (NYC-WEB-B\Users).

12. In the Permissions for Users box, next to Modify, select Allow.

13. Click OK twice.

14. In Internet Information Services (IIS) Manager, in the Connections pane, click Sites.

15. In the Actions pane, click Add Web Site.

16. The Add Web Site dialog box appears. In the Site name field, type logging_module.

17. In the Physical path field, type C:\inetpub\logging_module.

18. In the Port field, type 8181.

19. Click OK.


Task 2: Confirm the installation of the logging managed module 1. In the Actions pane, click Browse *:8181 (http).

2. The Windows Internet Explorer window opens. Click Go on to Second Page.

3. Notice that the second page loads. Close Internet Explorer.

4. In Internet Information Services (IIS) Manager, in the Connections pane, click logging_module.


6. In the Managed Modules section, click Logger.


8. The Edit Managed Module dialog box appears. Notice that the type is listed as HttpLogger.

9. Click Cancel.

10. In Windows Explorer, browse to C:\inetpub\logging_module\logs.

11. Double-click [yyyymmdd].txt.

12. The Notepad window opens. Notice the log entries for http://localhost:8181/default.aspx and http://localhost:8181/second_page.htm.

Question: Why does the log file entries have the numbers 8181 listed? Answer: The logging module records the complete URL of the requested Web site files. The logging_module web site was configured to use port number 8181, which is a secondary Web site port.

13. Close Notepad.

Task 3: Test the Web site forms authentication functionality 1. In Internet Information Services (IIS) Manager, in the Connections pane, click Default Web Site.

2. In the Actions pane, click Browse *:80 (http).

3. The Windows Internet Explorer window opens. Click Shared Documents.

4. In the Email field, type [email protected].

5. In the Password field, type Pa$$w0rd.

6. Click Login.

7. If you get the AutoComplete Passwords dialog box, click No.

8. Click Woodgrove Confidential Memo.

Notice that the image representing the Woodgrove Confidential Memo appears.

9. Click the Back button.

10. Click Signout.

11. Click Home.

Task 4: Examine the modules currently running on the Web server 1. In the Internet Information Services (IIS) Manager window, in the Connections pane, click NYC-

WEB-B.


3. In the Managed Modules section, click OutputCache.

http://localhost:8181/default.aspx

http://localhost:8181/second_page.htm



5. The Edit Managed Module dialog box appears. Notice that the module is configured properly and is set to run normally.

6. Click Cancel.

Task 5: Remove the forms authentication managed module 1. In the Connections pane, click Default Web Site.


3. In the Managed Modules section, click FormsAuthentication.

4. In the Actions pane, click Remove.

5. The Confirm Remove dialog box appears. Click Yes.

Task 6: Test the new configuration 1. In the Internet Explorer window, click Shared Documents.

Notice that you now get Access is denied error message, indicating that the logon failed because the forms authentication module has been removed. Question: Why is the Access denied error message displayed at this point? Answer: The Access is denied error message indicates that the logon failed because the forms authentication module has been removed.


Results: After this exercise, you should have successfully added a managed module to the Web server.


Lab Answer Key: Securing the IIS 7.0 Web Server and Web Sites 1

Module 5 Lab Answer Key: Securing the IIS 7.0 Web Server and Web Sites

Contents: Exercise 1: Configure a Secure Web Server 2

Exercise 2: Configure Authorization, Authentication and Access 6

Exercise 3: Configure Logging 10

2 Lab Answer Key: Securing the IIS 7.0 Web Server and Web Sites

Lab: Securing the IIS 7.0 Web Server and Web Sites Logon Information: • Virtual Machine: NYC-DC1, NYC-WEB-B




Exercise 1: Configure a Secure Web Server

Scenario

Additional security measures need to be put in place to protect the Web server. These measures will protect the web server against unauthorized access by specific IP addresses and domains.

Additional ISAPI and CGI restrictions need to be put into place. Then you are given a list of accounts authorized for a specific site. You must give separate access to the IT Admin group and the developer, Herbert Dorner.

Exercise Overview In this exercise, you will be supplied the service request document and the Active Directory account list. Start the exercise by creating a self-signed server certificate. You will then need to set the IP restrictions as outlined in the service request.

Then set ISAPI and CGI restrictions. You must run the .NET Framework 1.1 Aspnet_isapi.dll on your Web server. You can follow these steps to set the ASP.NET ISAPI to Allowed in the ISAPI and CGI Restrictions list. Finally, you have to create an application pool that uses .NET Framework 1.1 and that is configured to use ISAPI mode to process requests made to applications in the application pool.

Finally, set the Active Directory permissions, as specified in the service request document.


1. Start the 6427A-NYC-DC1 virtual machine. 2. Start the 6427A-NYC-WEB-B virtual machine and log on as Woodgrovebank\Administrator.

3. Create a self-signed server certificate for the Web server.

4. Block IP addresses as specified in the service request.

5. Examine the current ISAPI and CGI Restrictions.

6. Install the .NET Framework 1.1.

7. Set ISAPI and CGI restrictions to use ASP.NET version 1.1.

8. Set the rights and permissions for Active Directory users.

9. Validate the new configuration.


Task 1: Start the 6427A-NYC-DC1 virtual machine • On the Lab Launcher, next to 6427A-NYC-DC1, click Launch.


Task 2: Start the 6427A-NYC-WEB-B virtual machine and log on as Woodgrovebank\Administrator. 1. On the Lab Launcher, next to 6427A-NYC-WEB-B, click Launch.

2. Log on to NYC-WEB-B as Woodgrovebank\Administrator with the password of Pa$$word.

Task 3: Create a self-signed server certificate for the Web server 1. On NYC-WEB-B, click Start | Administrative Tools | Internet Information Services (IIS) Manager.

2. In the Connections pane, click NYC-WEB-B.

3. In the details pane, in the Group by list, click Category.

4. In the details pane, in the Security section, double-click Server Certificates.

5. In the Actions pane, click Create Self-Signed Certificate.

6. The Create Self-Signed Certificate dialog box appears. In the Specify a friendly name for the certificate field, type woodgrovebank.

7. Click OK.

Notice that the new self-signed certificate has been added to the certificate list. Question: What are the advantages and disadvantages of using self-signed certificates? Answer: The primary advantages of using a self-signed certificate are that it provides a secure method of transferring data. Unlike certificates offered by 3rd parties, self-signed certificates have no financial cost associated with them. They provide a good solution for securing Web data transfer or personal information, i.e. if used for personal use. The primary disadvantage of using self-signed certificates is that when used for public access, the user has no way to validate the authenticity of the certificate owner. This implies that there is no reputable 3rd party verifying the certificate owner. So, although the data is secure, you may not be able to trust the source.

Task 4: Block IP addresses as specified in the service request 1. In the Connections pane, click NYC-WEB-B.

2. In the details pane, in the Security section, double-click IPv4 Address and Domain Restrictions.

3. In the Actions pane, click Add Deny Entry.

4. The Add Deny Restrictions Rule dialog box appears. In the Specific IPv4 address field, type 10.10.20.1.

5. Click OK.

6. In the Actions pane, click Add Deny Entry.

7. The Add Deny Restrictions Rule dialog box appears. Click IPv4 address range.

8. In the IPv4 address range field, type 10.10.10.0.

9. In the Mask field, type 255.255.255.0.

10. Click OK.

Notice that the new IP restrictions have been added to the list. Question: When would you want to use this feature to block IP addresses? Answer: An organization may want to block malicious users or restrict access from a certain domain or location.


Task 5: Examine the current ISAPI and CGI Restrictions 1. In the Connections pane, click NYC-WEB-B.

2. In the details pane, in the Security section, double-click ISAPI and CGI Restrictions.

Notice that Active Server Pages and ASP.NET v2.0.50727 are the only applications currently listed.

3. In the details pane, click Active Server Pages.


5. The Edit ISAPI or CGI Restriction dialog box appears. Notice that you can easily edit the ISAPI or CGI path, description, and execution allow.

6. Click Cancel.

7. In the Action pane, click Edit Feature Settings.

8. The Edit ISAPI or CGI Restrictions Settings dialog box appears. While it’s not a recommended practice, you can easily allow unspecified CGI and ISAPI modules.

9. Click Cancel.

Task 6: Install the .NET Framework 1.1 1. Click Start | Computer and then browse to E:\ Mod05\Labfiles.

2. Double-click dotnetfix.exe.

3. The Microsoft .NET Framework 1.1 Setup dialog box appears, confirming if you want to install the .NET Framework package. Click Yes.

4. The Microsoft .NET Framework 1.1 Setup dialog box appears, asking you to agree to the license agreement. Click I agree.

5. Click Install.

6. When the installation is complete, click OK. Note that it may take about four minutes to complete.

7. In the Windows Explorer window, in the details pane, double-click NDP1.1sp1-KB867460-X86.exe.

8. The Microsoft .NET Framework 1.1 Service Pack 1 (KB867460) dialog box appears, confirming if you want to install the Service Pack. Click OK.

9. The Microsoft .NET Framework 1.1 Service Pack 1 (KB867460) License Agreement dialog box appears, asking you to agree to the license agreement. Click I accept.

10. When the installation is complete, click OK. Note that it may take about two minutes to complete.

Task 7: Set ISAPI and CGI restrictions to use ASP.NET version 1.1 1. In Internet Information Services (IIS) Manager, in the Connections pane, click NYC-WEB-B.

2. In the details pane, in the Security section, double-click ISAPI and CGI Restrictions.

Notice that the ASP.NET v1.1.4322 has been added.

3. In the details pane, click ASP.NET v1.1.4322.


5. The Edit ISAPI or CGI Restriction dialog box appears. Select Allow extension path to execute, and then click OK.

6. In the Connections pane, ensure that NYC-WEB-B is already expanded, and then click Application Pools.


Notice that the ASP.NET v1.1 application pool has been added and started.

Task 8: Set the rights and permissions for Active Directory users 1. In Windows Explorer, browse to C:\inetpub\.

2. Right-click wwwroot and then click Properties.

3. The wwwroot Properties dialog box appears. Click the Security tab.

4. Click Edit.

5. The Permissions for wwwroot dialog box appears. Click Add.

6. The Select Users, Computers, or Groups dialog box appears. Click Locations.

7. The Locations dialog box appears. If WoodgroveBank.com is not already highlighted, then in the Location tree, click WoodgroveBank.com.

8. Click OK.

9. In the Enter the object names to select field, type ITAdmins_WoodgroveGG and then click Check Names.

10. Click OK.

Notice that the Read & execute, List folder contents, and Read options are allowed.

11. Click Add.

12. The Select Users, Computers, or Groups dialog box appears. In the Enter the object names to select field, type Herbert and then click Check Names.

13. Click OK.

14. Next to Full control, select Allow.

15. Click OK.

Task 9: Test and validate the new configuration 1. In the Group or user names field click ITAdmins_WoodgroveGG.

Notice that the Read & execute, List folder contents, and Read options are allowed.

2. In the Group or user names field click Herbert Dorner.

Notice that the all the options are allowed.

3. Click OK.

Results: After this exercise, you should have successfully set IP restrictions, ISAPI and CGI restrictions, and Active Directory permissions, as specified in a service request document


Exercise 2: Configure Authorization, Authentication and Access

Scenario

Additional security measures need to be put in place to protect the Web server. An application is protected with forms authentication, but it is discovered that some of the content can bypass forms authentication and still be accessed, such as a jpg, by entering the direct URL path and file name. You must configure the protected content to use the managed forms authentication module.

Exercise Overview

In this exercise, you must reconfigure authentication and authorization so that shared documents folder on the Web server is fully protected by forms authentication.


1. Turn off the Web site cache for the shared documents folder.

2. Sign into the Woodgrove Bank Web site and retrieve the confidential memo.

3. Bypass the Web site forms authentication.

4. Modify the applicationHost.config to unlock the URL Authorization <configSections> section by changing the override mode default to allow.

5. Modify the applicationHost.config <applicationPools> section to change the Classic .NET application pool to Integrated mode.

6. Modify the applicationHost.config file to disable all other authentication types except for anonymous.

7. Modify the applicationHost.config file to protect all content by removing the managedHandler precondition from the <system.webServer> section.

8. Reconfigure the authorization and authentication so that the protected content uses forms authentication.

9. Test and validate the new Web site configuration.

Task 1: Turn off the Web site cache for the shared documents folder 1. On NYC-WEB-B, in Internet Information Services (IIS) Manager, in the Connections pane, ensure

NYC-WEB-B | Sites | Default Web Site | docs is expanded, and then click shared.

2. In the details pane, in the HTTP Features section, double-click HTTP Response Headers.


4. The Add Custom HTTP Response Header dialog box appears. In the Name field, type Cache-Control.

5. In the Value field, type no-cache and then click OK.

Task 2: Sign into the Woodgrove Bank Web site and retrieve the confidential memo

1. In Internet Information Services (IIS) Manager, in the Connections pane, click Default Web Site. 2. In the Actions pane, click Browse *:80 (http). 3. The Windows Internet Explorer window opens. Click Shared Documents. 4. In the Email field, type [email protected]. 5. In the Password field, type Pa$$w0rd. 6. Click Login. 7. If you get the AutoComplete Passwords dialog box, click No. 8. Click Woodgrove Confidential Memo.

Notice that the image representing the Woodgrove Confidential Memo appears.


9. Click the Back button. 10. Click Signout.

Task 3: Bypass the Web site forms authentication 1. In Internet Explorer, browse to http://localhost/docs/shared/Woodgrove_memo.jpg.

Notice that the image representing the Woodgrove Confidential Memo appears. Question: Why is the confidential memo being displayed even after the user logs out? Answer: The Web site and directory are not fully protected by forms authentication.


Task 4: Modify the applicationHost.config to unlock the URL Authorization <configSections> section by changing the override mode default to allow 1. In Windows Explorer, browse to C:\windows\system32\inetsrv\config.

2. In the details pane, double-click applicationHost.config.

Unlock the URL Authorization section by changing the override mode default to 'allow'. Do this by modifying the authorization section indicated on the next step.

3. Find the <configSections> section. Find:

<section name="authorization" overrideModeDefault="Allow" />

And replace it with:

<section name="authorization" type="System.WebServer.Configuration.UrlAuthorizationSection, System.ApplicationHost, Version=7.0.0.0, culture=neutral, PublicKeyToken=31bf3856ad364e35" overrideModeDefault="Allow" />

Task 5: Modify the applicationHost.config <applicationPools> section to change the Classic .NET application pool to Integrated mode • Change the Classic .NET application pool to Integrated mode by finding the <applicationPools>

section and replacing:

<add name="Classic .NET AppPool" managedPipelineMode="Classic" />

With:

<add name="Classic .NET AppPool" managedPipelineMode="Integrated" />

Task 6: Modify the applicationHost.config file to disable all other authentication types except for anonymous 1. Find the <authentication> section.

2. Append:

enabled="false"

To:

clientCertificateMappingAuthentication, digestAuthentication, iisClientCertificateMappingAuthentication, and windowsAuthentication.

http://localhost/docs/shared/Woodgrove_memo.jpg

Task 7: Modify the applicationHost.config file to protect all content by removing the managedHandler precondition from the <system.webServer> section 1. Remove the preconditions for FormsAuthentication and DefaultAuthentication from the modules

section. Do this by finding the <system.webServer> section, and then modifying the lines indicated on the next steps.

2. Replace:

<add name="FormsAuthentication" type="System.Web.Security.FormsAuthenticationModule" preCondition="managedHandler" />

With:

<add name="FormsAuthentication" type="System.Web.Security.FormsAuthenticationModule" />

3. Replace

<add name="DefaultAuthentication" type="System.Web.Security.DefaultAuthenticationModule" preCondition="managedHandler" />

With:

<add name="DefaultAuthentication" type="System.Web.Security.DefaultAuthenticationModule" />


5. Close Notepad.

Task 8: Reconfigure the authorization and authentication so that the protected content uses forms authentication 1. In Windows Explorer, browse to C:\inetpub\wwwroot.

2. In the details pane, double-click Web.Config.

3. The Notepad window opens. Find the line <authorization> section.

4. Add the line <allow users="[email protected]" />, above the line .

5. Remove the commenting brackets from the line , changing it to <deny users="?" />.


7. Close Notepad.

8. In Internet Information Services (IIS) Manager, in the Connections pane, click shared.

9. In the details pane, in the Security section, double-click Authentication.



Task 9: Test and validate the new Web site configuration 1. In Internet Explorer, in the Email field, type [email protected].


2. In the Password field, type Pa$$w0rd.

3. Click Login.

4. Click Woodgrove Confidential Memo.


6. Click Signout.

7. In Internet Explorer, browse to http://localhost/docs/shared/Woodgrove_memo.jpg.

Notice that you are redirected to the login page and that proper authentication is now required to access the Woodgrove Memo file.

Results: After reconfigure the Web site’s authorization and authentication, so that all content uses forms authentication and thereby protecting the confidential memo, the only way to obtain the memo is by having the correct credentials.

http://localhost/docs/shared/Woodgrove_memo.jpg


Exercise 3: Configure Logging

Scenario

Additional security measures need to be put in place to protect the Web server. You received a service request to keep a log of all visitors to the web server for the past 24 hours. You must enable and configure logging and then test and verify the log.

Exercise Overview In this exercise, you must configure and test Web site logging operations.


1. Examine and configure logging options.

2. Test the logging operations.

Task 1: Examine and configure logging options 1. On NYC-WEB-B, in Internet Information Services (IIS) Manager, in the Connections pane, click

NYC-WEB-B.

2. In the details pane, in the Health and Diagnostics section, double-click Logging.

3. Notice that the Log File Rollover Schedule is set for Daily.

4. Select Use local time for file naming and rollover.


Task 2: Test the logging operations 1. In Internet Explorer, click the Refresh button.

2. In Windows Explorer, browse to C:\ inetpub\logs\LogFiles\W3SVC1.

3. In the details pane, double-click the newest log file.

Notice the most recent log entries at the bottom of the log. Notice that the log entries include a number of lines with the word “GET.” Question: What does the word “GET” mean in this log file? Answer: The GET commands indicate requests from the client to the Web server to retrieve the Web pages and images.


Results: After examining the configuration of the Web server’s logging settings, the current log file was examined and proven to successfully track the Web server’s activity.


Lab Answer Key: Configuring Delegation and Remote Administration 1

Module 6 Lab Answer Key: Configuring Delegation and Remote Administration

Contents: Exercise 1: Configuring Remote Administration 2

Exercise 2: Configuring Delegated Administration 4

Exercise 3: Configuring Feature Delegation 8

2 Lab Answer Key: Configuring Delegation and Remote Administration

Lab: Configuring Delegation and Remote Administration Logon Information: • Virtual Machine: NYC-DC1, NYC-WEB-B





Exercise 1: Configuring Remote Administration

Scenario You need to be able to configure the server remotely. You must enable remote administration and then test it by accessing the administration features from a remote computer.



Exercise Overview

In this exercise you will practice configuring a Web server for remote administration.


1. Start the 6427A-NYC-DC1 virtual machine and log on as Woodgrovebank\Administrator. 2. Start the 6427A-NYC-WEB-B virtual machine and log on as Woodgrovebank\Administrator.

3. Configure NYC-WEB-B for remote administration.

4. Test NYC-WEB-B remote administration.

Task 1: Start the 6427A-NYC-DC1 virtual machine and log on as Woodgrovebank\Administrator

1. On the Lab Launcher, next to 6427A-NYC-DC1, click Launch. 2. Log on to NYC-DC1 as Woodgrovebank\Administrator with the password of Pa$$w0rd.



Task 3: Configure NYC-WEB-B for remote administration 1. On NYC-WEB-B, click Start | Administrative Tools | Internet Information Services (IIS) Manager.

In the Internet Information Services (IIS) Manager connections pane, click NYC-WEB-B(WOODGROVEBANK\Administrator).


2. In the details pane, in the Management section, double-click Management Service. 3. Select Enable remote connections.

4. Click Windows credentials or IIS Manager credentials.


6. Click Start.

Task 4: Test NYC-WEB-B remote administration 1. On NYC-DC1, click Start and click Server Manager. In the Server Manager console pane, click

Roles.

2. Right-click Roles, and then click Add Roles.

3. The Add Roles Wizard appears. Click Next.

4. In the Roles box, select Web Server (IIS).

5. The Add Roles Wizard dialog box appears. Click Add Required Features.

6. Click Next twice.

7. In the Role services box, clear all check boxes except for IIS Management Console.



10. Click Start | Administrative Tools | Internet Information Services (IIS) Manager.

11. In the details pane, click Connect to a server.

12. The Connect to Server wizard appears. In the Server name field, type NYC-WEB-B, and then click Next.

13. On the Provide Credentials page, in the User name field, type [email protected].

14. In the Password field, type Pa$$w0rd, and then click Next.

15. The Server Certificate Alert dialog box appears. Click Connect.

16. The Specify a Connection Name dialog box appears. Click Finish.

17. In the Connections pane, expand NYC-WEB-B | Sites and then click Default Web Site.

Question: Is the IIS Management Service available for configuration remotely? Answer: No, this service can only be configured locally

18. In the details pane, in the IIS section, double-click Default Document.

19. Click index.htm.

20. In the Actions pane, click Move Up.

21. The Default Document dialog box appears. Click Yes.

22. In the Actions pane, click Move Up.

Results: After completing this exercise, you should have configured the IIS Management Service to accept remote connections and you should have tested a remote connection from NYC-DC1.


Exercise 2: Configuring Delegated Administration

Scenario




Exercise Overview

In this exercise you will practice delegating administration of two web sites to the appropriate business owners.


1. Configure delegated administration for the Human Resources site.

2. Share the Woodgrove sales Web site for Betsy Stadick.

3. Configure delegated administration for the Sales site.

4. Test delegated administration for the Human Resources and Sales sites.

Task 1: Configure delegated administration for the Human Resources site 1. On NYC-WEB-B, click Start | Computer and then browse to Allfiles(E:)\Mod06\Labfiles.

2. Right-click WoodgroveHRSite, and then click Share.

3. The File Sharing dialog box appears. Type Herbert and then click Add.

4. Next to Herber Dorner, click Reader, and then click Co-owner.

5. Click Share.

6. The Your folder is shared page appears. Click Done.

7. In the Internet Information Services (IIS) Manger Connections pane, expand Sites, and then click HR.

8. In the details pane, in the Management section, double-click IIS Manager Permissions.

9. In the Actions pane, click Allow User.

10. The Allow User dialog box appears. In the Windows field, type Herbert and then click OK.

Task 2: Share the Woodgrove Sales Web Site for Betsy Stadick 1. In Windows Explorer, browse to E:\Mod06\Labfiles.

2. Right-click WoodgroveSalesSite, and then click Share.

3. The File Sharing dialog box appears. Type Betsy and then click Add.

4. Next to Betsy Stadick, click Reader and then click Co-owner.

5. Click Share.

6. The Your folder is shared page appears. Click Done.


Task 3: Configure delegated administration for the Sales site 1. Click Start, and click Run, then type Notepad, and then press ENTER.



4. Browse to C:\windows\system32\intesrv\config.

5. Click applicationHost.config, and then click Open.

6. Scroll down to the <authentication> tag and delete the following text:

<anonymousAuthentication enabled="true" userName="IUSR" /> <basicAuthentication enabled="false" /> <clientCertificateMappingAuthentication /> <digestAuthentication /> <iisClientCertificateMappingAuthentication /> <windowsAuthentication />


8. On the File menu, click Open.

9. The Open dialog box appears. Browse to E:\Mod06\Labfiles.

10. Click EnableAnonymousAuthentication.txt, and then click Open.

11. On the Edit menu, click Select All.

12. On the Edit menu, click Copy.



15. Browse to C:\windows\system32\intesrv\config.

16. Click applicationHost.config, and then click Open.

17. Scroll to the end of the applicationhost.config file and put the cursor on the line before </configuration>.

18. On the Edit menu, click Paste.


20. Close Notepad.

Task 4: Test delegated administration for the Human Resources and Sales sites 1. On NYC-DC1, click Start | Switch User.

2. Log on as woodgrovebank\herbert with a password of Pa$$w0rd.


4. The User Account Control dialog box appears. In the Password field, type Pa$$w0rd, and then click OK.

5. In the details pane, click Connect to a site.

6. The Connect to Site dialog box appears. In the Server name field, type NYC-WEB-B.

7. In the Site name field, type HR, and then click Next.


8. The Provide Credentials page appears. In the User name field, type [email protected].

9. In the Password field, type Pa$$w0rd and then click Next.


11. The Specify a Connection Name dialog box appears. In the Connection Name field, type Human Resources Site and then click Finish.

12. In the Connections pane, click Start Page.



15. In the Site name dialog box, type Sales, and then click Next.

16. The Provide Credentials page appears. In the User name field, type [email protected].


18. The Connect to Site dialog box appears with an error stating that the user is not authorized to connect to the specified computer.

Question: Why does this error occur? Answer: This error occurs because Herbert was not granted IIS Manager permission on the Sales site.

19. Click OK.

20. Click Cancel.

21. Close Internet Information Service (IIS) Manager.

22. The Internet Information Service (IIS) Manager dialog box appears, asking if you want to save changes. Click No.


24. Log on as woodgrovebank\betsy with a password of Pa$$w0rd.

25. Click Start, and click Run, then type Notepad, and then press Enter.


27. The Open dialog box appears. Browse to E:\Mod06\Labfiles.

28. Click DisableAuthentications, and then click Open.

29. On the Edit menu, click Select All.

30. On the Edit menu, click Copy.


32. The Open dialog box appears. In the File name field, type \\NYC-WEB-B\WoodgroveSalesSite\Web.Config and then click Open.

33. Scroll to the end of the Web.Config file and put the cursor on the line before </configuration>.

34. On the Edit menu, click Paste.


36. Close Notepad.

37. Click Start | Internet Explorer.


38. The Windows Internet Explorer window opens. Browse to http://sales.woodgrovebank.com.

39. Notice error 401 indicating that the user does not have permission to view this page.

Question: Why does the server report this error? Answer: The server reports a 401 error because both Anonymous Authentication and Windows Authentication have been disabled. The web server is unable to service a request for a web page if no means for authentication is configured.

40. Click Start, and click Run, then type Notepad, and then press Enter.

41. The Notepad window opens.


43. The Open dialog box appears. In the File name field, type \\NYC-WEB-B\WoodgroveHRSite\Web.Config and then click Open.

44. The Network Error dialog box appears. Click See details and note the resulting error and notice that it says access is denied.

45. Click Cancel twice and then close Notepad.

Results: After completing this exercise, you should have successfully delegated administration for the Human Resources web site to Herbert Dorner and delegated administration for the Sales web site to Betsy Stadick.

http://sales.woodgrovebank.com/


Exercise 3: Configuring Feature Delegation

Scenario




Exercise Overview In this exercise you will practice configuring delegated administration so that all site owners can administer the error messages for their site.


1. Configure feature delegation for the Human Resources and Sales sites.

2. Test feature delegation for the Human Resources site.

Task 1: Configure feature delegation for the Human Resources and Sales sites 1. On NYC-WEB-B, in the Internet Information Services (IIS) Manger Connections pane, click NYC-

WEB-B.

2. In the details pane, in the Management section, double-click Feature Delegation.

3. Click Error Pages.

4. In the Actions pane, click Read/Write.

Task 2: Test feature delegation for the Human Resources site 1. On NYC-DC1, click Start | Switch User,

2. Log on as woodgrovebank\herbert with a password of Pa$$w0rd.


4. The User Account Control dialog box appears. In the Password field, type Pa$$w0rd, and then click OK.



7. In the Site name dialog box, type HR, and then click Next.

8. The Provide Credentials page appears. In the User name file, type [email protected].



11. The Specify a Connection Name dialog box appears. In the Connection Name field, type Human Resources Site and then click Finish.

12. In the Connections pane, click Human Resources Site.

13. In the details pane, in the IIS section, double-click Error Pages.


14. Right-click the line beginning with 404, and then click Edit.

15. The Edit Custom Error Page dialog box appears. Click Execute a URL on this site.

16. In the URL (relative to site root) field, type /ErrorPages/custom404.htm and then click OK.

17. Click Start | Internet Explorer.

18. The Internet Explorer window opens. Browse to http://hr.woodgrovebank.com/missingpage.htm.

19. Note that the custom error page is displayed.


Results: After completing this exercise, you should have successfully configured the Human Resources and Sales sites so that the site owners can customize error pages for each site.


http://hr.woodgrovebank.com/missingpage.htm

Lab Answer Key: Using Command-line and Scripting for IIS 7.0 Administration 1

Module 7 Lab Answer Key: Using Command-line and Scripting for IIS 7.0 Administration

Contents: Exercise 1: Manage IIS Web Sites with PowerShell 2

Exercise 2: Use Microsoft.Web.Administration 4

Exercise 3: Automate IIS Administration using Scripts 6

Exercise 4: Manage IIS tasks using WMI and AppCmd 9

2 Lab Answer Key: Using Command-line and Scripting for IIS 7.0 Administration

Lab: Using Command-line and Scripting for IIS 7.0 Logon Information: • Virtual Machine: NYC-WEB-B




Exercise 1: Manage IIS Web Sites with PowerShell

Scenario

The development team requires additional tools to manage their Websites. First you need to make sure that PowerShell will correctly manage the server’s services and make sure it can successfully stop and start the Web service.

Exercise Overview

In this exercise, you will learn how to use PowerShell to manage IIS 7.0.


1. Start the 6427A-NYC-WEB-B virtual machine and log on as Woodgrovebank\Administrator. 2. Use PowerShell to identify all services. 3. Use PowerShell to identify running services that start with a “w”. 4. Stop the w3svc service using PowerShell. 5. Start the w3svc service using PowerShell. 6. List PowerShell.exe process using the get-wmiobject cmdlet.




Task 2: Use PowerShell to identify all services 1. On NYC-WEB-B, if Server Manager opens, Close the Server Manager and click Start | All

Programs | Windows PowerShell 1.0 | Windows PowerShell.

2. At the Windows PowerShell prompt, type get-service and then press Enter.

Notice the status, name, and display name of each service.

Task 3: Use PowerShell to identify running services that start with a “w” 1. Type get-service -include w* | sort-object -property status and then press Enter.

2. Notice the list of services that begin with a “w” with the “stopped” services listed first.

Task 4: Stop the w3svc service using PowerShell 1. Type stop-service -servicename w3svc and then press Enter.


2. Type get-service -servicename w3svc and then press Enter

Task 5: Start the w3svc service using PowerShell. 1. Type start-service -servicename w3svc and then press Enter.

2. Type get-service -servicename w3svc and then press Enter.

Task 6: List PowerShell.exe process using the get-wmiobject cmdlet 1. Type Get-WmiObject -query "Select * From Win32_Process Where Name = 'powershell.exe'"

and then press Enter.

2. Notice the detailed information for the powershell.exe process.

Question: What operating system is listed in the details? Answer: Microsoft Windows Server 2008 Enterprise.

Results: After this exercise, you should have successfully identified, stopped and started services using PowerShell.


Exercise 2: Use Microsoft.Web.Administration

Scenario

You need to verify that a script will effectively stop and start using MWA. Run the script and then check to make sure that the service is stopped. Then restart the service using the script and verify that it is started.

Exercise Overview

In this exercise, you will learn how to use MWA to execute a script.


1. Load Microsoft.Web.Administration.dll.

2. Get Website information with MWA.

3. Create a function using MWA to find Websites.

4. Use the findsite function to list the default Website, the default Website ID, and then stop and start the default Website.

Task 1: Load Microsoft.Web.Administration.dll 1. On NYC-WEB-B, in PowerShell, type

[System.Reflection.Assembly]::LoadFrom("C:\windows\system32\inetsrv\Microsoft.Web.Administration.dll") and then press Enter.

2. Notice the GAC, version and location for the Microsoft.Web.Administration.dll, which signifies the DLL file was loaded.

Task 2: Get Website information with MWA 1. Type (New-Object Microsoft.Web.Administration.ServerManager).Sites and then press Enter.

2. Notice the detailed information for the sites on the server.

3. Type (New-Object Microsoft.Web.Administration.ServerManager).Sites | ForEach-Object {$_.Name} and then press Enter.

4. Notice the names of the Websites on the server.

Task 3: Create a function using MWA to find Websites • Type function findsite {$name=$args[0]; ((New-Object

Microsoft.Web.Administration.ServerManager).Sites | Where-Object {$_.Name -match $name}); } and then press Enter.

Question: This command line didn't return any values. What did it do? Answer: This command line created the command findsite, which integrates the Microsoft.Web.Administration module into an easy-to-use single command.

Task 4: Use the findsite function to list the default Website, the default Website ID, and then stop and start the default Website 1. Type findsite default* and then press Enter.

2. Notice the detailed information for the default Website.

3. Type (findsite default*).ID and then press Enter.

4. Notice the ID for the default Website: 1.

5. Type (findsite default*).Stop() and then press Enter.


6. Notice the status for the default Website is now “stopped”.

7. Type (findsite default*).Start() and then press Enter.

8. Notice the output is “unknown”.

Question: Why does the command return an output value of “unknown”? Answer: Because it attempted to start the default Web site without first checking to see if it was stopped or checking the result.

9. Type (findsite default*).State and then press Enter.

10. Notice the status for the default Website is now “started”.

Results: After this exercise, you should have successfully used Microsoft.Web.Administration to gather Website information and created a function to start and stop the default Website.


Exercise 3: Automate IIS Administration using Scripts

Scenario

The development team provided you with a script that lists Websites on the server. You need to test and run the script using PowerShell.

You also need to deploy several identical Websites using the same default content located on a share. A PowerShell script will be used to automate this task.

Exercise Overview

In this exercise, you will learn how to use a PowerShell scripts.


1. Create Microsoft.PowerShell profile script to automatically load assemblies. 2. Set execution policy to unrestricted. 3. Add a global variable to profile script. 4. List sites using global variable. 5. Use PowerShell script to find sites. 6. Review and run a script to create a Website. 7. Use PowerShell script to verify site was created.

Task 1: Create Microsoft.PowerShell profile script to automatically load assemblies 1. On NYC-WEB-B, in PowerShell, type if (test-path $profile) {echo "Path exists."} else {new-item -

path $profile -itemtype file -force}; notepad $profile and then press Enter.

2. The Notepad window opens. Type the following:

echo "Microsoft IIS 7.0 Environment Loader" echo "Copyright 2006 Microsoft Corporation. All rights reserved." echo "Loading IIS 7.0 Managed Assemblies" $inetsrvDir = (join-path -path $env:windir -childPath "\system32\inetsrv\") Get-ChildItem -Path (join-path -path $inetsrvDir -childPath "Microsoft*.dll") | ForEach-Object {[System.Reflection.Assembly]::LoadFrom((join-path -path $inetsrvDir -childPath $_.Name))} echo "Assemblies loaded."


Task 2: Set execution policy to unrestricted 1. Minimize but do not close Notepad.

2. In Windows PowerShell, type get-executionpolicy and then press Enter.

3. Notice the executionpolicy is set to “restricted”.

4. Type set-ExecutionPolicy Unrestricted and then press Enter.

Task 3: Add a global variable to profile script 1. In Notepad, at the end of the script, type, new-variable iismgr -value (New-Object

Microsoft.Web.Administration.ServerManager) -scope "global".


3. Minimize but do not close Notepad.


Task 4: List sites using global variable

1. Close Windows PowerShell and then reopen it. 2. Notice the script information that now executes when you open PowerShell. 3. Type $iismgr.Sites and then press Enter. 4. Notice the site information that is displayed.

Task 5: Use PowerShell script to find sites 1. Close Windows PowerShell.

2. Click Start | Computer, and then browse to E:\Mod07\Labfiles\Scripts.

3. Right-click iis.type.ps1xml, and then click Edit.

4. The Notepad window opens. Review the code.

5. On the File menu, click Save As.

6. The Save As dialog box appears. In the Save as type list, click All Files.

7. Browse to C:\windows\System32\WindowsPowerShell\v1.0 and then click Save.

8. Close Notepad.

9. Restore Notepad, at the end of the script, type the following:

new-variable iissites -value (New-Object Microsoft.Web.Administration.ServerManager).Sites -scope "global" new-variable iisapppools -value (New-Object Microsoft.Web.Administration.ServerManager).ApplicationPools -scope "global" update-typedata -append (join-path -path $PSHome -childPath "iis.types.ps1xml")


11. Close Notepad.

12. Click Start | All Programs | Windows PowerShell 1.0 | Windows PowerShell.

13. The Windows PowerShell window opens. Type $iissites.Find("^Default*") and then press Enter.

14. Notice the details for the default Website are listed.

Task 6: Review and run a script to create a default Website in PowerShell 1. In Windows Explorer, browse to

E:\Mod07\Labfiles\Scripts\CreateWebsite\CreateWebsite\CreateWebsite.

2. Double-click CreateWebsite.cs.

3. The Notepad window opens. Review the code, and then close Notepad.

4. In Windows Explorer, browse to E:\Mod07\Labfiles\Scripts\CreateWebsite\CreateWebsite\CreateWebsite \bin\Debug.

5. Right-click CreateWebsite.exe, and then click Copy.

6. Browse to C:\ and then click Paste.

7. In Windows PowerShell, type c:\CreateWebsite.exe and then press Enter.

Task 7: Use PowerShell script to verify Website was created 1. Type $iissites.Find("^NewSite*") and then press Enter.


2. Notice the details for the new Website are listed.

Results: After this exercise, you should have successfully created a Microsoft.PowerShell profile script. You should have also used a saved script to list Website. Finally, you should have successfully created a site named NewSite.


Exercise 4: Manage IIS tasks using WMI and AppCmd

Scenario

You need to verify which tasks are running on the server. Use WMI and AppCmd to display the list of running tasks.

Exercise Overview

In this exercise, you will use WMI and AppCmd for IIS administration.


1. Use AppCmd to identify tasks running on the Web server. 2. Use AppCmd to identify all running application pools. 3. Use AppCmd to recycle all running application pools. 4. Move all applications in a site to NewAppPool application pool. 5. Store configuration information to file, and then restore the configuration information. 6. Use WMI to list the Default Web Site on the Web server.

Task 1: Use AppCmd to identify tasks running on the Web server

1. On NYC-WEB-B, click Start | Command Prompt. 2. Type cd \windows\system32\inetsrv and then press Enter. 3. Type appcmd list wp and then press Enter. 4. Notice this command lists the current running worker processes. If the command doesn’t list any

results, there aren’t any worker processes running.

Task 2: Use AppCmd to identify all running application pools 1. Type appcmd list apppool and then press Enter.

2. Notice the currently running application pools are listed.

Task 3: Use AppCmd to recycle all running application pools 1. Type appcmd list apppool /xml | appcmd recycle apppool /in and then press Enter.

2. Notice the message is displayed ““DefaultAppPool” successfully recycled”.

Task 4: Move all applications in a site to NewAppPool application pool 1. Type appcmd list app /site.name:"NewSite" /xml | appcmd set app /in

/applicationPool:NewAppPool and then press Enter

2. Notice the following is displayed “APP object “NewSite/” changed”.

Task 5: Store configuration information to file, and then restore the configuration information 1. Type appcmd list config "Default Web Site/" /section:caching /xml /config > config.xml and

then press Enter.

2. Type appcmd set config "Default Web Site/" /in < config.xml and then press Enter.

3. Notice the configuration changes were applied to the Default Web Site.

Task 6: Use WMI to list the Default Web Site on the Web server 1. Click Start, type Notepad and then press Enter.


2. The Notepad window opens. Type:

Set oIIS = GetObject("winmgmts:root\WebAdministration") Set oSite = oIIS.Get("Site.Name='Default Web Site'") WScript.Echo "Retrieved an instance of Site" WScript.Echo "Name: " & oSite.Name WScript.Echo "ID: " & oSite.ID


4. The Save As dialog box appears. In the File name field, type C:\GetSite.vbs.

5. In the Save as type list, click All Files, and then click Save.

6. Close Notepad.

7. From the command prompt, type cd \, and then press Enter.

8. Type cscript //h:cscript, and then press Enter.

9. Notice the default script has been set to “cscript.exe”.

10. Type getsite.vbs, and then press Enter.

11. Notice the Web site name and ID are displayed.


Results: After this exercise, you should have successfully used AppCmd to recycle application pools, move application and store configuration information to a file. You should have also successfully identified the default Website using WMI.


Lab Answer Key: Tuning IIS 7.0 for Improved Performance 1

Module 8 Lab Answer Key: Tuning IIS 7.0 for Improved Performance

Contents: Exercise 1: Deploying Applications 2

Exercise 2: Configuring IIS Performance Options 5

Exercise 3: Managing Application Pools to Improve Performance 8

2 Lab Answer Key: Tuning IIS 7.0 for Improved Performance

Lab: Tuning IIS 7.0 for Improved Performance Logon Information: • Virtual Machine: NYC-DC1, NYC-WEB-A




Exercise 1: Deploying Applications

Scenario

You receive a request to deploy a second copy of an installed application, and then deploy updates to the new installation so that the Enterprise Design QA team can test the proposed updates.

Exercise Overview

In this exercise, students will learn how to deploy an application, as well as application updates, with Xcopy.


1. Start the 6427A-NYC-DC1 virtual machine. 2. Start the 6427A-NYC-WEB-A virtual machine and log on as Woodgrovebank\Administrator.

3. Add ASP.NET and Dynamic Content Compression features to the IIS Role.

4. Create the SalesSupport application and copy the ASP.NET application files.

5. Deploy a second copy of the SalesSupport application named SalesSupport2 using Xcopy.

6. Deploy the application updates to SalesSupport2 using Xcopy.

7. Create and assign an application pool for SalesSupport2 and test functionality.



Task 2: Start the 6427A-NYC-WEB-A virtual machine and log on as Woodgrovebank\Administrator

1. On the Lab Launcher, next to 6427A-NYC-WEB-A click Launch. 2. Log on to NYC-WEB-A as Woodgrovebank\Administrator with the password of Pa$$w0rd.

Task 3: Add ASP.NET and Dynamic Content Compression features to the IIS Role 1. On NYC-WEB-A, click Start and click Server Manager. In Server Manager console pane, expand

Roles and then click Web Server (IIS).

2. Right-click Web Server (IIS), and then click Add Role Services. 3. The Add Role Services dialog box appears. In the Role services box, select ASP.NET.

4. The Add Role Services box appears. Click Add Required Role Services.

5. In the Performance section, select Dynamic Content Compression.

6. Click Next and then click Install.



8. In the details pane, in the Role Services section, notice that ASP.NET and Dynamic Content Compression are listed as Installed.

Task 4: Create the SalesSupport application and copy the ASP.NET application files 1. Click Start | Administrative Tools | Internet Information Services (IIS) Manager.




5. The Add Application dialog box appears. In the Alias field, type SalesSupport.



8. Type SalesSupport and then click OK.

9. Click OK.

10. Click Start | Computer and then browse to E:\Mod08\Labfiles\SalesSupport.

11. Select all, then right-click and click Copy.

12. Browse to C:\inetpub\wwwroot\SalesSupport, right-click, and then click Paste.

Task 5: Deploy a second copy of the SalesSupport application named SalesSupport2 using Xcopy 1. Click Start | Command Prompt.


3. Type md SalesSupport2 and then press Enter.

4. Type xcopy /e SalesSupport\*.* SalesSupport2.

5. Notice that 36 files are copied.

Task 6: Deploy the application updates to SalesSupport2 using Xcopy 1. At the command prompt, type E: and then press Enter.

2. Type cd \Mod08\Labfiles\SalesSupport2 and then press Enter.

3. Type xcopy /e *.* c:\inetpub\wwwroot\salessupport2 and then press Enter.

4. When prompted to overwrite files, press A for all.



7. lick Add Application.

8. The Add Application dialog box appears. In the Alias field, type SalesSupport2.


10. The Browse For Folder dialog box appears. Browse to C:\inetput\wwwroot\SalesSupport2, and then click OK twice.


Task 7: Create and assign an application pool for SalesSupport2 and test functionality 1. In the Connections pane, click Application Pools.


3. The Add Application Pool dialog box appears. In the Name field, type SalesSupport2 and then click OK.

4. In the Connections pane, expand Default Web Site and then click SalesSupport2.



7. The Select Application Pool dialog box appears. In the Application pool list, click SalesSupport2, and then click OK twice.



10. Notice that the Woodgrove Bank Sales Support page loads successfully.

11. In Internet Explorer, browse to http://localhost/salessupport2.

12. Notice that the Woodgrove Bank Sales Support page version 2.0 loads successfully.

Results: After this exercise, you should have successfully verified that the ASP.NET role service is installed, deployed that SalesSupport2 application, and verified functionality.




Exercise 2: Configuring IIS Performance Options

Scenario

Next you will configure performance options for the SalesSupport application. First, you will use Performance Monitor to look at the current machine performance. Then you will configure and test output caching, compression, and throttling.

Exercise Overview In this exercise, students will learn how to configure IIS Performance Options.


1. Use Performance Monitor to measure performance.

2. Configure Output Caching.

3. Configure Compression.

4. Configure connection limit throttling.

Task 1: Use Performance Monitor to measure performance 1. On NYC-WEB-A, click Start | Administrative Tools | Reliability and Performance Monitor.

2. In the console pane, click Performance Monitor.

3. In the details pane, right-click the graph, and then click Remove All Counters.

4. The Performance Monitor Control dialog box appears. Click OK.

5. Above the graph, click the Add button (green plus).

6. The Add Counters dialog box appears. In the Available counters list, scroll down, and then expand Web Service.

7. Click Bytes Sent/sec.

8. In the Instances of selected object field, click <All instances>.

9. Click Add, and then click OK.

10. With Reliability and Performance monitor running, in Internet Explorer, browse to http://localhost/salessupport/test.aspx.

11. After the page loads, click Refresh several times rapidly. Notice that the dynamically generated time updates each time you refresh.


13. In Reliability and Performance Monitor, notice that the graph reflects the throughput. Note that you can right-click the graph and then click Scale Selected Counters to get a better representation. You may need to do this a couple of times to get a zoomed in view of the data.

Task 2: Configure Output Caching 1. In Internet Information Services (IIS) Manager, in the Connections pane, expand NYC-WEB-

A(WOODGROVEBANK)| Sites | Default Web Site and then click SalesSupport.

2. In the details pane, in the IIS section, double-click Output Caching.


4. The Add Cache Rule dialog box appears. In the File name extension field, type .aspx.



5. Select Kernel-mode caching.

6. Click At time intervals, and then delete the existing text and type 00:00:10.

7. Click OK.

8. Open Internet Explorer, and browse to http://localhost/salessupport/test.aspx.

9. Click Refresh several times rapidly for at least 30 seconds.

10. Notice that the time updates only every 10 seconds after the first couple of loads and that the subsequent loads are much faster.

11. In Internet Explorer, browse to http://localhost/salessupport2/test.aspx.

12. Click Refresh several times rapidly.

13. Notice that the time updates with each load.

14. In Reliability and Performance monitor, compare the two peaks for throughput on the graph. Notice that the first peak has higher throughput than the second.

Task 3: Configure Compression 1. In Internet Explorer, browse to http://localhost.


3. In Reliability and Performance Monitor, note the throughput on the graph.


5. In the details pane, in the IIS section, double-click Compression.

6. Clear the Enable static content compression check box.


8. In Internet Explorer, browse to http://localhost.


10. In Reliability and Performance Monitor, note the throughput on the graph. There should not be much change for static compression.

Question: Why does the graph show little or no change? Answer: Static compression is cached. Only the first page load requires processing the compression.

11. In Internet Explorer, browse to http://localhost/SalesSupport/test.aspx.


13. In Reliability and Performance Monitor, note the throughput on the graph.

14. In Internet Information Services (IIS) Manager, in the details pane, select Enable dynamic content compression.


16. In Internet Explorer, browse to http://localhost/SalesSupport/test.aspx.



19. In Reliability and Performance Monitor, note the throughput on the graph. The throughput has decreased because dynamic compression negates dynamic output caching.


http://localhost/salessupport2/test.aspx

http://localhost/

http://localhost/

http://localhost/SalesSupport/test.aspx

http://localhost/SalesSupport/test.aspx


Task 4: Configure connection limit throttling 1. Open Internet Explorer, and browse to http://localhost.

2. Right click the IIS7 tab, and then click New Tab.

3. In the new tab, browse to http://localhost.

4. Repeat to create another new tab, and then browse to http://localhost.

5. You should have three tabs open. Right-click one of the tabs, and then click Refresh All.

6. Notice that all of the tabs refresh successfully.



9. In the Actions pane, click Limits.

10. The Edit Web Site Limits dialog box appears. Select Limit number of connections.

11. In the Limit number of connections field, type 1.

12. Click OK.

13. Open Internet Explorer, and browse to http://localhost in three tabs.

14. In Internet Explorer, right-click one of the tabs, and then click Refresh All.

15. Notice that at least one of the tabs now reports Service Unavailable.


Results: After this exercise, you should have configured performance options and verified functionality.

http://localhost/

http://localhost/

http://localhost/

http://localhost/


Exercise 3: Managing Application Pools to Improve Performance

Scenario

You will now modify the application pools to improve resource usage.

Exercise Overview

In this exercise, students will learn how to manage application pools to improve performance.


1. Use Reliability and Performance Monitor to measure resource usage.

2. Recycle an application pool.

3. Assign SalesSupport and SalesSupport2 to the same application pool.

Task 1: Use Reliability and Performance Monitor to measure resource usage 1. On NYC-WEB-A, open Internet Explorer, and browse to http://localhost/salessupport.

2. Open a second tab and browse to http://localhost/salessupport2.

3. In Reliability and Performance Monitor, in the console pane, click Reliability and Performance.

4. In the details pane, expand Memory.

5. Click the Image column heading to sort by image name, and then scroll down to w3wp.exe.

6. Notice that there are two instances running. Note the amount of memory being used by each in the Commit (KB) and Working Set (KB) columns.

Task 2: Recycle an application pool 1. In Internet Information Services (IIS) Manager, in the Connections pane, click Application Pools.

2. In the details pane, click SalesSupport2.

3. In the Actions pane, click Recycle.

4. In Reliability and Performance Monitor, notice that one of the w3wp.exe processes consumes less memory.


Task 3: Assign SalesSupport and SalesSupport2 to the same application pool 1. In Internet Information Services (IIS) Manager, in the Connections pane, click SalesSupport2.



4. The Select Application Pool dialog box appears. In the Application pool list, click DefaultAppPool.

5. Click OK twice.

6. In the Connections pane, click Application Pools.

7. In the details pane, click SalesSupport2.



10. Open Internet Explorer, and browse to http://localhost/salessupport.





11. Open a second tab and browse to http://localhost/salessupport2.

12. In Reliability and Performance Monitor, notice that is now only one w3wp.exe process and less total memory consumed.


Results: After this exercise, you should have recycled and consolidated application pools, and verified resource usage with Reliability and Performance Monitor.



Lab Answer Key: Ensuring Web Site Availability with Web Farms 1

Module 9 Lab Answer Key: Ensuring Web Site Availability with Web Farms

Contents: Exercise 1: Backing Up an IIS Web Site 2

Exercise 2: Restoring an IIS Web Site 4

Exercise 3: Enabling Shared Configurations 5

Exercise 4: Configuring Network Load Balancing 8

2 Lab Answer Key: Ensuring Web Site Availability with Web Farms

Lab: Ensuring Web Site Availability with Web Farms Logon Information: • Virtual Machine: NYC-DC1, NYC-WEB-D, NYC-WEB2




Exercise 1: Backing Up an IIS Web Site

Scenario

The Enterprise Design Team has asked you to explore options for increasing Web site availability. Before you begin, you will back up an existing site and verify that it can be restored properly.

Exercise Overview

In this exercise, students will learn how to back up a Web site. Use the virtual disk drive E: for the backup drive, as a stand-in for a remote storage device.


1. Start the 6427A-NYC-DC1 virtual machine. 2. Start the 6427A-NYC-WEB-D virtual machine and log on as Woodgrovebank\Administrator.

3. Start the 6427A-NYC-WEB2 virtual machine and log on as Woodgrovebank\Administrator.

4. Backup the Web site, Web application, and config files to the E: drive.


Task 1: Start the 6427A-NYC-DC1 virtual machine • On the Lab Launcher, next to 6427A-NYC-DC1, click Launch.

Task 2: Start the 6427A-NYC-WEB-D virtual machine and log on as Woodgrovebank\Administrator 1. On the Lab Launcher, next to 6427A-NYC-WEB-D, click Launch.

2. Log on to NYC-WEB-D as Woodgrovebank\Administrator with the password of Pa$$w0rd.

Task 3: Start the 6427A-NYC-WEB2 virtual machine and log on as Woodgrovebank\Administrator 1. On the Lab Launcher, next to 6427A-NYC-WEB2, click Launch.

2. Log on to NYC-WEB2 as Woodgrovebank\Administrator with the password of Pa$$w0rd.

Task 4: Backup the Web site, Web application, and config files to the E: drive 1. On NYC-WEB-D, click Start | Computer, and then browse to E:.

2. In the File menu, click New | Folder.


3. Type Web Site Backup, and then press Enter.

4. Browse to\\NYC-WEB-D\E\Web Site Backup.

5. Browse to C:\inetpub\wwwroot.

6. In the details pane, select all, right-click, and then click Copy.

7. Browse to \\NYC-WEB-D\E\Web Site Backup, right-click and then click Paste.

8. Notice that the Web site files are now backed up to this shared folder.

Results: After this exercise, you should have successfully backed up a web site.


Exercise 2: Restoring an IIS Web Site

Scenario

The Enterprise Design Team has asked you to verify that the backups can be restored properly. Do this by restoring the Web files to a second server and confirm that the second server functions properly.

Exercise Overview

In this exercise, students will learn how to restore a Web site.

This exercise’s main task is:

• Restore the Web site, Web application, and config files from the shared drive.

Task 1: Restore the Web site, Web application, and config files from the shared drive 1. On NYC-WEB2, on the desktop, click Start | Administrative Tools | Internet Information Services

(IIS) Manager.

2. In the Connections pane, expand NYC-WEB2 | Sites, and then click Default Web Site.

3. In the Actions pane, click Browse *:80 (http).

4. The Microsoft Internet Explorer window opens. Notice that the IIS 7.0 default page is displayed.

5. Click Start | Computer, and then browse to C:\inetpub\wwwroot.

6. Notice that the folder contains the two IIS 7.0 default Web site files, iisstart.htm and welcome.png, and the aspnet_client folder.

7. Browse to the networked computer NYC-WEB-D.

8. If the NYC-WEB-D computer is not displayed in the details pane, network discovery may be turned off. Click the notice bar, and then click Turn on network discovery and file sharing.

9. Browse to\\NYC-WEB-D\E\Web Site Backup.

10. In the details pane, select all, right-click and then click Copy.

11. Browse to C:\inetpub\wwwroot, right-click and then click Paste.

12. If a Copy File dialog box appears, indicating that you are about to overwrite any files or folders, click Copy and Replace.

13. If a Confirm Folder Replace dialog box appears, indicating that you are about to overwrite a folder, click Yes.

14. Notice that the new Web site files are now copied to this location.


16. Notice that the Woodgrove Bank Web site has been deployed on the second Web server.

Question: What process on the Web server led to the Woodgrove Bank Web site being displayed instead of the IIS 7.0 default Web site? Answer: After the Woodgrove Bank Web site files were copied to the second Web server, the default file default.aspx superseded the file iisstart.htm.

Results: After this exercise, you should have successfully restored a web site to a second server.


Exercise 3: Enabling Shared Configurations

Scenario

The next step is for increasing Web site availability. Now that you have two identically configured Web servers, implement shared configurations for them.

Exercise Overview

In this exercise, students will learn how to enable shared configuration.


1. Export and Enable Shared Configuration.

2. Add the second Web server to use the Shared Configuration.

3. Test the Shared Configuration.

Task 1: Export and Enable Shared Configuration 1. On NYC-WEB-D, click Start | Administrative Tools | Internet Information Services (IIS) Manager.

2. In the Connections pane, click NYC-WEB-D.

3. In the details pane, in the Management section, double-click Shared Configuration.

4. In the Actions pane, click Export Configuration.

5. The Export Configuration dialog box appears, allowing you to export the local configuration files, settings, and encryption keys. In the Physical path field, type \\NYC-WEB-D\E.

6. In the Encryption keys password and Confirm password fields, type Pa$$w0rd.

7. Click OK.

8. The Export Configuration dialog box appears indicating that the files were exported successfully. Click OK.

9. In the details pane, select Enable shared configuration.

10. In the Physical Path field, type \\NYC-WEB-D\E.

11. In the User name field, type Woodgrovebank\Administrator.

12. In the Password and Confirm password fields, type Pa$$w0rd.


14. The Encryption Keys Password dialog box appears for you to enter the encryption key. In the Enter encryption key password field, type Pa$$w0rd.

15. Click OK.

16. The Shared Configuration dialog box appears, indicating that the current encryption keys were backed up. Click OK.

17. The Shared Configuration dialog box appears, indicating that IIS Manager and Management service must be restarted for these changes to be completed. Click OK.

18. Close Internet Information Services (IIS) Manager.

19. Click Start | Administrative Tools Internet Information Services (IIS) Manager.

20. In the Connections pane, click NYC-WEB-D.

21. In the details pane, in the Management section, double-click Management Service.



Task 2: Add the second Web server to use the Shared Configuration 1. On NYC-WEB2, in Internet Information Services (IIS) Manager, in the Connections pane, click

NYC-WEB2.

2. In the details pane, in the Management section, double-click Shared Configuration.

3. Select Enable shared configuration.

4. In the Physical Path field, type \\NYC-WEB-D\E.

5. In the User name field, type Woodgrovebank\Administrator.

6. In the Password and Confirm password fields, type Pa$$w0rd.


8. The Encryption Keys Password dialog box appears. In the Enter encryption key password field, type Pa$$w0rd.

9. Click OK.

10. The Shared Configuration dialog box appears, indicating that the current encryption keys were backed up. Click OK.

11. The Shared Configuration dialog box appears, indicating that IIS Manager and Management service must be restarted for these changes to be completed. Click OK.

12. Close Internet Information Services (IIS) Manager.


14. In the Connections pane, click NYC-WEB2.

15. In the details pane, in the Management section, double-click Management Service.


Task 3: Test the Shared Configuration 1. On NYC-WEB-D, in Internet Information Services (IIS) Manager, in the Connections pane, click

NYC-WEB-D.



4. The Add Default Document dialog box appears to allow us to add a default document to test the shared configuration. In the Name field, type test.html and then click OK.

5. On NYC-WEB2, in Internet Information Services (IIS) Manager, in the Connections pane, click NYC-WEB2.


7. Notice that the default document test.html has been added to the top of the list for the second Web server as well,

Question: Why has the default document test.html has been added to the top of the list for the second Web server as well? Answer: The default document test.html has been added to the top of the list for the second Web because both servers are using shared configuration.


Results: After this exercise, you should have successfully configured a two-server network with an underlying foundation of shared configurations.


Exercise 4: Configuring Network Load Balancing

Scenario

With the two Web servers set up with Shared Configurations, configure Network Load Balancing to increase Web site availability.

Exercise Overview

In this exercise, students will ensure Web site availability by implementing Network Load Balancing.


Create a new Network Load Balancing cluster.

Add the second host to the Network Load Balancing cluster.

Add the second server to the Network Load Balancing cluster.

Verify Network Load Balancing using NLB commands.

Task 1: Create a new Network Load Balancing cluster 1. On NYC-WEB-D, click Start | Administrative Tools | Network Load Balancing Manager.

2. In the console pane, right-click Network Load Balancing Clusters and then click New Cluster.

3. The New Cluster: Connect dialog box appears. Start the process by connecting to the Network Load Balance host computer. In the Host field, Type NYC-WEB-D, and then click Connect.

4. Make sure the Local Area Connection interface with Interface IP address 10.10.0.21 is highlighted, and then click Next.

5. The New Clusters: Host Parameter page shows the dedicated IP addresses and the initial host state. Click Next.

6. The New Clusters: Cluster IP Addresses page allows you to add cluster IP addresses that are shared by every member of the cluster. Click Add.

7. The Add IP Address dialog box appears, allowing you to add IPv4 or IPv6 addresses to the cluster. In the Add IPv4 address field, type 10.10.0.27.

8. In the Subnet mask field, type 255.255.0.0, and then click OK.

9. Make sure the newly added cluster IP address is highlighted. Click Next.

10. The New Clusters: Cluster Parameters page allows you to modify the operation mode of the cluster IP addresses. In the Full Internet name field, type cluster.woodgrovebank.com.

11. Click Multicast.

12. Click Next.

13. The New Clusters: Port Rules page allows you to add, edit, and remove cluster IP address port rules. Click Finish. Wait for the operation to complete before continuing.

Task 2: Add the second host to the Network Load Balancing cluster 1. In the console pane, right-click cluster.woodgrovebank.com and then click Add Host to Cluster.

2. The Add Host to Cluster: Connect dialog box appears. Add the second host computer. In the Host field, Type NYC-WEB2, and then click Connect. Wait for the operation to complete before continuing.


3. Make sure the Local Area Connection interface with Interface IP address 10.10.0.26 is highlighted, and then click Next.

4. The New Clusters: Host Parameter page shows the dedicated IP addresses and the initial host state. Make sure that the Priority (unique host identifier) is 2, and then click Next.

5. The New Clusters: Port Rules page allows you to add, edit, and remove cluster IP address port rules. Click Finish. Wait for the operation to complete before continuing.

Task 3: Add the second server to the Network Load Balancing cluster 1. On NYC-WEB2, Click Start, click Administrative Tools, and then click Network Load Balancing

Manager.

2. The Network Load Balancing Manager window opens and loads the current cluster. The Warning dialog box appears, presenting a warning about running NLB in Unicast mode. Click OK.

Task 4: Verify Network Load Balancing using NLB commands 1. Click Start | Command Prompt.

2. Type NLB query 10.10.0.27 and then press Enter.

3. Notice that the NLB command indicates that host 2 has entered a converging state with the cluster.

4. On NYC-WEB-D, click Start | Command Prompt.

5. Type NLB query 10.10.0.27 and then press Enter.

6. Notice that the NLB command indicates that host 1 has entered a converging state with the cluster.

7. Type NLB display and then press Enter.

8. The results show very detailed information about the cluster and its current state. Scroll to the top of the displayed information to examine the Configuration section.


Results: After this exercise, you should have successfully configured network load balancing on a two-server network, with an underlying foundation of shared configurations.


Lab Answer Key: Troubleshooting IIS 7.0 Web Servers 1

Module 10 Lab Answer Key: Troubleshooting IIS 7.0 Web Servers

Contents: Exercise 1: Troubleshooting Authentication 2

Exercise 2: Troubleshooting Authorization 4

Exercise 3: Troubleshooting Communication 6

Exercise 4: Troubleshooting Configuration 8

2 Lab Answer Key: Troubleshooting IIS 7.0 Web Servers

Lab: Troubleshooting IIS 7.0 Web Servers Logon Information: • Virtual Machine: NYC-DC1, NYC-WEB-E




Exercise 1: Troubleshooting Authentication

Scenario

You receive a service request asking to resolve a user issue. The password-protected intranet site is accessed by domain users within the company, but is not allowing access to anyone. Using logs and detailed error messages, you must resolve the problem.

Exercise Overview

In this exercise, you will troubleshoot an authentication issue using IIS logs and detailed error messages.


1. Start the 6427A-NYC-DC1 virtual machine and log on as Woodgrovebank\Administrator. 2. Start the 6427A-NYC-WEB-E virtual machine and log on as Woodgrovebank\Administrator.

3. Browse to http://localhost/salessupport.

4. Examine the log file.

5. Enable Detailed Error Messages.

6. Reproduce the issue and examine the detailed error.

7. Resolve the issue and test functionality.


Task 1: Start the 6427A-NYC-DC1 virtual machine and log on as Woodgrovebank\Administrator 1. On the Lab Launcher, next to 6427A-NYC-DC1, click Launch.

2. Log on to NYC-DC1 as Woodgrovebank\Administrator with the password of Pa$$w0rd.

Task 2: Start the 6427A-NYC-WEB-E virtual machine and log on as Woodgrovebank\Administrator 1. On the Lab Launcher, next to 6427A-NYC-WEB-E, click Launch.

2. Log on to NYC-WEB-E as Woodgrovebank\Administrator with the password of Pa$$w0rd.

Task 3: Browse to http://localhost/salessupport 1. On NYC-WEB-E, click Start | All Programs | Internet Explorer.


3. Notice the Server Error: 401 – Unauthorized message.


Task 4: Examine the log file 1. Click Start | Computer and then browse to C:\inetpub\logs\LogFiles\W3SVC1.

2. Double-click the most recent log file.

3. The Notepad window opens. Scroll to the far right and examine the last entries in the log file. Notice that the status is 401 and substatus is 2.

4. Close Notepad.

Task 5: Enable Detailed Error Messages 1. Click Start | Administrative Tools | Internet Information Services (IIS Manager).

2. In the Connections pane, expand NYC-WEB-E | Sites | Default Web Site and then click SalesSupport.



5. The Edit Error Pages Settings dialog box appears. Click Detailed errors for local requests and custom error pages for remote requests, and then click OK.

Task 6: Reproduce the issue and examine the detailed error 1. In Internet Explorer, browse to http://localhost/salessupport.

2. Notice the detailed error message reports HTTP Error 401.2 - Unauthorized.

3. Scroll down to Most likely causes. Notice the first cause is No authentication protocol (including anonymous) is selected in IIS.

Task 7: Resolve the issue and test functionality 1. In Internet Information Services (IIS) Manager, click SalesSupport.


3. Notice that all authentication methods are Disabled.



6. In the details pane, notice that Basic Authentication is Enabled, and all other authentication methods are Disabled.

7. In Internet Explorer, browse to http://localhost/salessupport.

8. Notice that you are prompted for credentials. For User name, type Yvonne.

9. For Password type Pa$$w0rd and then click OK.

10. Notice that the SalesSupport application now loads without error.


Results: After this exercise, you should have successfully examined the IIS log files, enabled detailed error messages, and resolved the authentication issue.




Exercise 2: Troubleshooting Authorization

Scenario

You receive another service request to secure another Web site where all users are able to view the content. You must reproduce the issue, determine the cause, and resolve the issue.

Exercise Overview

In this exercise, you will troubleshoot authorization using Failed Request Tracing.


1. Browse to http://localhost/salessupport2.

2. Enable Failed Request Tracing and add a rule to trace successful requests.

3. Reproduce the issue and examine the Failed Request Tracing log.

4. Resolve the issue and verify functionality.

Task 1: Browse to http://localhost /salessupport2 1. On NYC-WEB-E, in Internet Explorer, browse to http://localhost/salessupport2.

2. Notice that you are not prompted for credentials and the page loads without error.


Task 2: Enable Failed Request Tracing and add a rule to trace successful requests 1. In Internet Information Services (IIS) Manager, in the Connections pane, click Default Web Site.

2. In the Actions pane, click Failed Request Tracing.


4. In the Connections pane, click SalesSupport2.

5. In the details pane, in the IIS section, double-click Failed Request Tracing Rules.


7. The Add Failed Request Tracing Rule dialog box appears. Click Next.

8. Under Status code(s), type 200, and then click Next.

Question: Why do we use status code 200 for this issue? Answer: Status code 200 is used for a successful page load in IIS. Since the page is loading without error, we must use the status code 200 to trace the issue.

9. Under Providers, clear ASP and ISAPI Extension. Leave ASPNET and WWW Server checked.

10. Click Finish.

Task 3: Reproduce the issue and examine the Failed Request Tracing log 1. In Internet Explorer, browse to http://localhost/SalesSupport2.

2. In Windows Explorer, browse to c:\inetpub\logs\FailedReqLogFiles\W3SVC1.

3. Double-click fr000001.xml.

4. If prompted to add the site to the Trusted sites zone, click Add twice and then click Close.

5. Under Request Summary, notice that Authentication is anonymous.


http://localhost/SalesSupport2


6. Click the Compact View tab.

7. Scroll down and examine the lines that begin with AUTH_SUCCEEDED and USER_SET. Notice that the authorized user is “”.

Question: What did we learn from the Failed Request Tracing log? Answer: Anonymous users are being allowed to access the site. Since anonymous authentication happens successfully, users are not being prompted to enter credentials.


Task 4: Resolve the issue and verify functionality 1. In Internet Information Services (IIS) Manager, in the Connections pane, click SalesSupport2.

2. In the details pane, double-click Authorization Rules.

3. Notice that Anonymous Users are Allowed.

4. In the details pane, in the IIS section, click Anonymous Users.



7. In the Connections pane, click SalesSupport2.


9. Notice that both Anonymous Authentication and Basic Authentication are Enabled.



12. In Internet Explorer, browse to http://localhost/salessupport2.

13. Notice that you are prompted for credentials. For User name, type Yvonne.

14. For Password, type Pa$$w0rd and then click OK.

15. Notice that the SalesSupport2 application loads without error.

16. Close Internet Explorer and open it again to create a new session.

17. Browse to http://localhost/salessupport2.

18. When prompted for credentials, leave both fields blank and click OK three times.

19. Notice that you get a 401 – Unauthorized message.

Results: After this exercise, you should have successfully enabled failed request tracing, and resolved the authorization issue.




Exercise 3: Troubleshooting Communication

Scenario

Users are reporting that a Web application is returning an error when they try to browse to it. You must troubleshoot why the Web application cannot open the content.

Exercise Overview

In this exercise, you will troubleshoot communication using tools.


1. Reproduce the issue.

2. Use Ping to verify communication with the Web server.

3. Enable detailed errors and examine the detailed error.

4. Correct the problem and verify functionality.

Task 1: Reproduce the issue 1. On NYC-DC1, click Start | All Programs | Internet Explorer.

5. The Windows Internet Explorer window opens. Browse to http://nyc-web-e/netapp/content.

6. Notice the 500 – Internal server error message.

Task 2: Use Ping to verify communication with the Web server 1. Click Start | Command Prompt.

2. Type ping NYC-WEB-E and then press Enter.

3. Notice that the ping succeeds indicating that NYC-DC1 and NYC-WEB-E are communicating.

Task 3: Enable detailed errors and examine the detailed error 1. On NYC-WEB-E, in Internet Information Services (IIS) Manager, in the Connections pane, click

NYC-WEB-E.



4. The Edit Error Pages Settings dialog box appears. Click Detailed errors, and then click OK.

5. In Internet Explorer, browse to http://localhost/netapp/content.

6. Notice the 500.19 error.

7. Next to Config Error, notice the message Cannot read configuration file because the network path is not found.

8. Next to Config File, notice the path has nyc-weeb-e for the server name.

Task 4: Correct the problem and verify functionality 1. Internet Information Services (IIS) Manager, in the Connections pane, expand NetApp and then

click Content.

2. In the Actions pane, click Advanced Settings.

3. The Advanced Settings dialog box appears. In the Physical Path field, modify the path to read \\nyc-web-e\content, and then click OK.

http://nyc-web-e/netapp/content



4. In Internet Explorer, browse to http://localhost/netapp/content.

5. Notice that the IIS Welcome page appears and there is no error message.

Results: After this exercise, you should used ping to verify communication, enabled detailed error messages, and resolved the error.


Exercise 4: Troubleshooting Configuration

Scenario

Users are reporting they receive multiple errors when trying to view JPG files that previously worked. You know that multiple people have the ability to modify this site including Web.config and related files.

Exercise Overview

In this exercise, you will troubleshoot configuration using detailed error messages.


1. Reproduce the issue and examine the detailed error message.

2. Examine and correct the web.config file.

3. Verify functionality.

Task 1: Reproduce the issue and examine the detailed error message 1. On NYC-WEB-E, in Internet Explorer, browse to http://localhost/pics/logo.jpg.

2. Notice the HTTP Error 404.4 – Not Found message.

3. In the Most likely causes section, notice that the most likely cause is The file extension for the requested URL does not have a handler configured to process the request on the Web server.

Task 2: Examine and correct the web.config file 1. In Windows Explorer, browse to C:\Pics.

2. Double-click web.config.

3. On the Windows dialog, click Select a Program from a list of installed programs, and then click OK. Click Notepad, and then click OK.

4. The Notepad window opens. Notice that the <handlers> section contains a line for handling static files.

5. Notice that the path attribute is set to “*.jgp”. Modify the line so that the path attribute correctly reads “*.jpg”.


7. Close Notepad.

Task 3: Verify functionality 1. In Internet Explorer, browse to http://localhost/pics/logo.jpg.

2. Notice that the Woodgrove Bank logo now appears successfully.


Results: After this exercise, you should have reproduced the problem, examined the detailed error message, and resolved the error.


