Microsoft IIS App Server (v14 Infinity)
| Table of Contents | |||
|
Infinity
Leading edge features |
|
Description
Configures an IIS (Internet Information Services) web application server.
Features
- Multi-cloud Support - Launch a server into one several supported cloud infrastructures. Check the ServerTemplate's Images tab to see which MultiCloud Images (MCIs) are included by default. However, additional MCIs can be added to the ServerTemplate, if desired.
- Support for retrieving application code from a supported remote object storage (ROS) location (e.g., Amazon S3 bucket, Rackspace Cloud Files container, Azure Blob container, etc.) that contains the MSDeploy package.
- Built-in support for connecting to an HAProxy load balancer server, Amazon Elastic Load Balancer (ELB), or Rackspace Cloud Load Balancer (CLB).
- Pre-configured alerts for monitoring common system metrics.
- Utilizes RightScale tag-based routing for connecting to HAProxy load balancer servers.
- Support for Powershell 3.0.
Overview
Software Application Versions
- .Net 3.5 SP1
- .Net 4.0
- .Net 4.5
- IIS 7.5 (on Windows 2008R2 image)
- IIS 8.0 (on Windows 2012 image)
Application Deployment
Application code can only be retrieved and deployed using an MSDeploy package from a supported ROS service.
- Remote Object Storage (ROS) location
- Amazon S3 bucket
- Rackspace Cloud Files container (US and UK)
- Azure Blob Object Storage container
- SoftLayer Object Storage container
- OpenStack (Swift) Object Storage container
Note: If you want to retrieve your application code from one of the following locations, please see the Microsoft IIS App Server (v13.5 LTS) LTS version instead.
- SVN Repository
- Remote Object Storage (ROS) location
- URL to a publicly-readable .zip file (e.g. http://files.example.com/myapp.zip)
The IIS Download and sync Web Deploy package boot script downloads your application code from the specified ROS location, unpacks it (if necessary), and places it into the following directory by default: C:\Inetpub\wwwroot\<WEB_SITE_NAME>\release\<GMT-timestamp>
Application Logs
The ServerTemplate contains a boot script (SYS Configure IIS logs rotation policy), which sets up a Windows scheduled task to upload an archive of any log entries older that one day to a specified container in one of the supported ROS services.
- Remote Object Storage (ROS) location
- Amazon S3 bucket
- Rackspace Cloud Files container (US and UK)
- Azure Blob Object Storage container
- SoftLayer Object Storage container
- OpenStack (Swift) Object Storage container
The archives are taken once per day at a randomly generated time that is set at boot time. Currently, there is no way to preconfigure the time prior to launching the server. Archives are not auto-deleted after a certain amount of time. You must manually delete archive files that you no longer want to keep.
The archives are saved as .zip files using the following naming convention: <COMPUTER_NAME>-IISLOGS-YYYYMMDDHHMMSS.zip
Example: http://my-bucket.s3.amazonaws.com/RIGHTSC-FTBKOJU-IISLOGS-2013043016254548.zip
Windows Firewall and Security
The methods you will use to secure access to your IIS server depend on the cloud provider.
- For clouds that support security groups (e.g. Amazon EC2, CloudStack, and OpenStack) you must create a security group for the application servers to use that has TCP port 3389 open for Remote Desktop Connections (RDP), and any other ports required by the server (for example, port 80 for HTTP and/or 443 for HTTPS).
Note: All images > v13.5 have Windows Firewall enabled, but allow ports 80 and 443 by default.
- The SYS open ports in Windows firewall boot script opens up ports specified by the FIREWALL_OPEN_PORTS_TCP input. By default it will allow connections from a load balancer to the application on TCP port 8000.
- By default, TCP Port 3389 is automatically opened to allow RDP access. The permission is defined in the image and is not set by a script in the ServerTemplate like ports 80 and 443.
- You could use the SYS open ports in Windows firewall RightScript as an operational script and the FIREWALL_OPEN_PORTS_TCP and FIREWALL_OPEN_PORTS_UDP inputs to open up additional TCP/UDP ports for ingress communication. TCP Port 8000 is assigned to the FIREWALL_OPEN_PORTS_TCP input value by default to allow ingress traffic from the load balancer to the IIS app server.
- Windows Firewall is turned on by default. However, you can use the SYS Disable Windows Firewall and SYS Enable Windows Firewall scripts to control this setting.
- SSL is supported if you want to use the application server as a standalone server without any load balancing tier. It is recommended that you use a credential for the CERT_PASSWORD input.
Network Level
Load Balancer to Application Server
By default, the application server is configured to listen for requests from a load balancer server/service on TCP port 8000, as defined by the APPLICATION_LISTENER_PORT input. If you are using RightScale's Load Balancer with HAProxy (v14 Infinity) ServerTemplate with the IIS application servers, it will send requests to the application server based on its server tag, which is based upon the APPLICATION_LISTENER_PORT input. However, if you are using a cloud load balancing service like ELB or CLB, you must configure them to send requests to the appropriate port. Therefore, if you change the application listener port to something other than 8000, you must make sure that the load balancer server(s) are also configured appropriately.
Application Server to Database Server
Before an application (e.g., IIS) can perform an action on a database (e.g. create a new record), the application server(s) must first be granted access at the network-level before it can successfully make an application-level request. IIS communicates with the SQL database over TCP port 1433.
Application Level
Once the database server has updated its permissions to allow access between the application and database tiers, the application will be able to connect to the database using the required information. For example, the application will locate the "primary" database server using the DB_CONNECTION_STRING input, which is a comma-separated string (e.g. Server=184.106.99.159;Database=mydb;User ID=myuser;Password=MyPassword123;) that consists of the following information:
- Server - The IP address or hostname of the "primary" database server. (e.g. db-primary.example.com; 10.166.206.251)
- Database - The name of the database that the application will connecto to. (e.g. mydb)
- User ID - The username that the application will use to connect to the database. (e.g. myuser)
- Password - The password of the username that the application will use to connect to the database. (e.g. mypass123)
The application will access the database using the credentials found in the database connection string. You might want to create a credential for the string if you prefer to hide the value from your end users.
Database Connection
The database connection string, as defined by the DB_CONNECTION_STRING input is used by the IIS application to connect to the SQL database. The IIS Download and sync Web Deploy package boot script generates a database connection string in your IIS configuration settings (web.config file) with the values that your web application can use to connect to a remote SQL Server database.
If the database does not have a SQL Server user that can be used by the application to access the database, you should use the DB SQLS Create login operational script on the running database server to create the SQL user before you launch the application server.
Note: It's recommended that you use credentials to hide the username and password for the OPT_CONNECTION_STRING_DB_USER_ID and OPT_CONNECTION_STRING_DB_USER_PASSWORD inputs.
Load Balancing Support
The ServerTemplate contains scripts and inputs that support the following load balancing solutions.
- HAProxy
- Amazon Elastic Load Balancers (ELB)
- Rackspace Cloud Load Balancers (CLB)
By default, the ServerTemplate is designed to connect to an HAProxy load balancer launched with RightScale's Load Balancer with HAProxy ServerTemplate via the IIS Register with HAProxy (Chef-based) (v13.x) boot script, which uses machine tags to establish the appropriate connections between the HAProxy load balancer and application servers.
If you want to use an ELB or CLB instead of HAProxy, you should clone the template and customize the boot and decommission scripts by replacing the HAProxy connect/disconnect scripts with the appropriate ELB/CLB connect/disconnect scripts. See the Microsoft IIS App Server (v14 Infinity) - Tutorial for detailed instructions on how to modify the ServerTemplate.
SSL
A server certificate and private key in X.509/PEM format is required to support HTTPS (HTTP with SSL/TLS) protocol with the ELB and HAProxy load balancers. IIS server certificates are typically exported in .pfx (PKCS#12) format. However, you can generate PEM-formatted certificate and private key files for the load balancers using the SYS Convert PFX operational script. For more information, see the Microsoft IIS App Server (v13 Infinity) - Runbook.
Custom IIS Monitoring
The SYS IIS monitoring install boot script configures the server for custom monitoring graphs that are specific to IIS applications. View graphs for the following metrics under the Monitoring tab and create custom alerts based on these metrics. Several alerts are preconfigured for the ServerTemplate including a few that are specific to IIS applications. However, you can also create your additional alerts based on any of the other monitored metrics. See Create a Custom Alert Specification.
Below is a list of the monitored metrics that are unique to the IIS ServerTemplate.
- IIS Anonymous Users per Second
- IIS Connection Attempts per Second
- IIS Current Connections
- IIS Get Requests per Second
- IIS Logon Attempts per Second
- IIS Non-Anonymous Users per Second
- IIS Not Found Errors per Second
- IIS Post Requests per Second
- IIS Total Bytes Received
- IIS Total Bytes Sent
- IIS Inetinfo Handle Count
- IIS Inetinfo Percent Processor Time
- © Copyright 2015 RightScale Technical Support