6427A-ENU LabManual

OFFICIAL
MICROSOFT
LEARNING
PRODUCT
6427A
Lab Instructions and Answer Key: Configuring and Troubleshooting Internet Information Services in Windows Server 2008
Information in this document, including URL and other Internet Web site references, is subject to change without notice. Unless otherwise noted, the example companies, organizations, products, domain names, e-mail addresses, logos, people, places, and events depicted herein are fictitious, and no association with any real company, organization, product, domain name, e-mail address, logo, person, place or event is intended or should be inferred. Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation. Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property. The names of manufacturers, products, or URLs are provided for informational purposes only and Microsoft makes no representations and warranties, either expressed, implied, or statutory, regarding these manufacturers or the use of the products with any Microsoft technologies. The inclusion of a manufacturer or product does not imply endorsement of Microsoft of the manufacturer or product. Links may be provided to third party sites. Such sites are not under the control of Microsoft and Microsoft is not responsible for the contents of any linked site or any link contained in a linked site, or any changes or updates to such sites. Microsoft is not responsible for webcasting or any other form of transmission received from any linked site. Microsoft is providing these links to you only as a convenience, and the inclusion of any link does not imply endorsement of Microsoft of the site or the products contained therein. 2008 Microsoft Corporation. All rights reserved. Microsoft, Access, Active Directory, Internet Explorer, Outlook, PowerPoint, SharePoint, SQL Server, Visual Basic, Visual C#, Visual Studio, Win32, Windows, Windows Media, Windows PowerShell, Windows Server, and Windows Vista are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries. All other trademarks are property of their respective owners.
Technical Reviewer: Philip Morgan
Product Number: 6427A Part Number: X14-69082 Released: 12/2007
Lab Instructions: Configuring an Internet Information Services 7.0 Web Server
Module 1
Contents:
Exercise 1: Installing IIS Using Role Manager Exercise 2: Installing IIS Using Unattended Setup Exercise 3: Installing IIS on Server Core from Command Line Exercise 4: Configuring IIS and Validating Functionality 2 4 6 8
Lab: Configuring an IIS 7.0 Web Server
Exercise 1: Installing IIS Using Role Manager

Scenario
You receive a service request from the Enterprise Design Team to prepare three Web servers to host Web sites and Web applications. One of the companies acquired by Woodgrove Bank has a classic ASP application that needs to be hosted in IIS7.
Exercise Overview
In this exercise, you will learn how to install IIS 7.0 using Role Manager. This exercises main tasks are: 1. 2. 3. Start the 6427A-NYC-SVR1 virtual machine and log on as LocalAdmin. Turn on Network Discovery. Install the Web server role.
Task 1: Start the 6427A-NYC-SVR1 virtual machine and log on as LocalAdmin

Start 6427A-NYC-SVR1, and log on as LocalAdmin with the password of Pa$$w0rd.
Task 2: Turn on Network Discovery

Open Network and Sharing Center and turn on Network Discovery and File Sharing for all public networks.
Task 3: Install the Web server role

Use Server Manager to add the Web Server (IIS) role and ASP as a required service. Test functionality by loading http://localhost in the browser.
Results: After this exercise, you should have successfully verified that the Web Server (IIS) role is installed and loaded the IIS Welcome page in Internet Explorer.
Exercise 2: Installing IIS Using Unattended Setup

Scenario
Now you will set up the second IIS Web server to host the new ASP.NET application. You will install IIS by creating an Unattend.XML file based on the example given on the student CD by modifying it to only install the features needed. This will be an ASP.NET application server and will need to have all security, compression and caching features installed so that development can experiment with configuration.
Exercise Overview
In this exercise, you will learn how to install IIS using unattended setup. This exercises main tasks are: 1. 2. 3. 4. Start the 6427A-NYC-SVR3 virtual machine and log on as LocalAdmin. Turn on Network Discovery. Create the Unattend.XML file by copying the default XML file provided and removing unnecessary features. Install IIS using Pkgmgr with the Unattend.XML file and verify once completed.

Start 6427A-NYC-SVR3, and log on as LocalAdmin with the password of Pa$$w0rd.

Open Network and Sharing Center and turn on Network Discovery and File Sharing for all public networks.
Task 3: Create the Unattend.XML file by copying the default XML file provided and removing unnecessary features
1. Open E:\mod01\labfiles\unattend.xml in Notepad and delete the following lines:
<selection <selection <selection <selection <selection <selection <selection <selection <selection <selection name="IIS-HttpRedirect" state="true"/> name="IIS-ASP" state="true"/> name="IIS-CGI" state="true"/> name="IIS-ISAPIExtensions" state="true"/> name="IIS-ISAPIFilter" state="true"/> name="IIS-IIS6ManagementCompatibility" state="true"/> name="IIS-Metabase" state="true"/> name="IIS-WMICompatibility" state="true"/> name="IIS-LegacyScripts" state="true"/> name="IIS-LegacySnapIn" state="true"/>
2.
Save the modified file to c:\unattend.xml.
Task 4: Install IIS using Pkgmgr with the Unattend.XML file and verify once completed
1. 2. 3. Start /w pkgmgr /n:unattend.xml to install IIS. Verify installation by using the command echo %errorlevel%. Use Server Manager to verify that the Web server role is installed, and open http://localhost in the browser.
Results: After this exercise, you should have successfully installed IIS using an unattend file and verified the IIS Welcome page.
Exercise 3: Installing IIS on Server Core from Command Line

Scenario
The final server you will install is a Server Core Web server that will act primarily as a redirection server to the ASP server.
Exercise Overview
In this exercise, you will learn how to install IIS via the command line in a Server Core environment. This exercises main tasks are: 1. 2. 3. Start the 6427A-NYC-SVR2 virtual machine and log on as Administrator. Disable the firewall. Install IIS from the command line.
Task 1: Start the 6427A-NYC-SVR2 virtual machine and log on as Administrator

Start 6427A-NYC-SVR2, and log on as Administrator with the password of Pa$$w0rd.
Task 2: Disable the firewall

On NYC-SVR2, in the command prompt window, type netsh firewall set opmode disable and press Enter.
Task 3: Install IIS from the command line

1. Type the following and then press Enter. Note that the feature names are casesensitive:
Start /w pkgmgr /iu:IIS-WebServerRole;IIS-WebServer;IISCommonHttpFeatures;IIS-StaticContent;IIS-DefaultDocument;IISHttpErrors;IIS-HttpRedirect;WAS-WindowsActivationService;WASProcessModel
2.
When the process completes, type echo %errorlevel%, and then press Enter.
On NYC-SVR1, in Internet Explorer, browse to http://nyc-svr2 to verify functionality.

Results: After this exercise, you should have successfully installed IIS on Microsoft Server 2008 Server Core from the command line and verified by loading the IIS Welcome page from another machine running Internet Explorer.
Exercise 4: Configuring IIS and Validating Functionality

Scenario
With the three Web servers installed, configure each as necessary to perform its function.
Exercise Overview
In this exercise, you will configure common IIS features and validate functionality. This exercises main tasks are: 1. 2. Configure NYC-SVR1 for ASP debugging, detailed error messages, HTTP compression and SMTP Service. Configure NYC-SVR3 to trace server errors, enable directory browsing, enable windows authentication and impersonation, configure UDDI, and enable dynamic output compression. Configure NYC-SVR2 to have no default documents, and redirect requests to NYC-SVR1.
3.
Task 1: Configure NYC-SVR1 for ASP debugging, detailed error messages, and HTTP compression
1. On NYC-SVR1, in Internet Information Services (IIS) Manager, under ASP Compilation settings, enable Client-side and Server-side debugging. Enable Send Errors to Browser. 2. Under HTTP Response Headers, set Expire Web Content. Under Compression, enable Static Content Compression. Under Error Pages, enable Detailed error messages.
On NYC-SVR3, in Internet Explorer, browse to a page on NYC-SVR1 that does not exist, such as http://nyc-svr1/default.asp to check error functionality.
Task 2: Configure NYC-SVR3 to trace server errors, enable directory browsing, enable windows authentication and impersonation, configure UDDI, and enable dynamic output compression and SMTP
1. On NYC-SVR3, in Internet Information Services (IIS) Manager, under Failed Request Tracing, enable Failed Request Tracing. 2. 3. 4. Add a rule to trace status code 500 for critical errors.
Enable Directory Browsing, Windows Authentication, and ASP.NET Impersonation. In Server Manager, add the UDDI Services role and configure it to not require SSL. In IIS Manager, under Output Caching, add a cache rule for the aspx extension to enable User-mode caching. Under ASP.NET, configure SMTP email for email address NYCSVR3@WoodGroveBank.com, server name SMTP.WoodgroveBank.com.
5.
Test the configuration by browsing to http://localhost/uddi. Browse to http://localhost/aspnet_client and investigate the failed request log.
10
Task 3: Configure NYC-SVR2 to have no default documents, and redirect requests to NYC-SVR1
1. On NYC-SVR2, in the command prompt window, type cd \windows\system32\inetsrv\config and then press Enter. Type edit applicationHost.config and then press Enter. Scroll down to <defaultDocument enabled="true"> (approximately line 169), and change "true" to "false". Scroll down to <httpRedirect enabled="false" /> (approximately line 246), and modify this line to read:
<httpRedirect enabled="true" exactDestination="false" childOnly="false" destination="http://10.10.0.24/" />
2.
On NYC-SVR3, in Internet Explorer, browse to http://nyc-svr2 to test the redirection.

Results: After this exercise, you should have successfully configured and verified the configuration of the three web servers.
Lab Instructions: Configuring IIS 7.0 Web Sites and Application Pools
Module 2
Contents:
Exercise 1: Configuring Authentication Types Exercise 2: Creating a Web Site and Web Application Exercise 3: Creating an Application Pool Exercise 4: Configuring an Existing Application Pool 2 5 7 8
Lab: Configuring IIS 7.0 Web Sites and Application Pools
Exercise 1: Configuring Authentication Types

Scenario
You receive a service request from the Enterprise Design Team to organize the existing NYC-WEB-A server into virtual directories by access level. There will be two access levels: public and restricted. Anyone on the network should be able to access the public content. Only authenticated users should be able to access restricted.
Exercise Overview
In this exercise, you will learn how to create virtual directories and configure anonymous authentication. This exercises main tasks are: 1. 2. 3. 4. 5. Start the 6427A-NYC-DC1 virtual machine. Start the 6427A-NYC-WEB-A virtual machine and log on as Woodgrovebank\Administrator. Add Basic, Windows Integrated and Digest Security features to the IIS Role. Create a virtual directory named Public. Configure the public virtual directory for anonymous authentication.
Task 1: Start the 6427A-NYC-DC1 virtual

Start 6427A-NYC-DC1.
Task 2: Start the 6427A-NYC-WEB-A virtual machine and log on as Woodgrovebank\Administrator

Start 6427A-NYC-WEB-A, and log on as LocalAdmin with the password of Pa$$w0rd.
Task 3: Add Basic, Windows Integrated and Digest Security features to the IIS Role
Use Server Manager to add the Basic Authentication, Windows Authentication, and Digest Authentication role services to the Web server role.
Task 4: Create a virtual directory named public

Use Internet Information Services Manager to create a virtual directory named public pointing to the physical directory c:\inetpub\public. Copy the contents of c:\inetpub\wwwroot to c:\inetpub\public.
Task 5: Configure the public virtual directory for anonymous authentication

1. 2. 3. 4. 5. Use Internet Information Services Manager to make sure that Anonymous Authentication is enabled for Public. In Server Manager, enable the local Guest account, and allow Guest to log on locally. Use Switch User to logon as NYC-WEB-A\Guest with no password. Open http://localhost/public in the browser to verify that the local guest can browse to the public directory. Use Switch user to login as local administrator with password of Pa$$w0rd before continuing with next exercise.
Results: After this exercise, you should have successfully verified that the Public directory is created. and loaded the IIS Welcome page in Internet Explorer with the Guest account.
Exercise 2: Creating a Web Site and Web Application

Scenario
Next you will create two web sites, and two web applications, in the employee and restricted virtual directories, named Woodgrove and Exec respectively. Exec will be a .NET 3.0 application. You will also delegate administrative access to ITAdmins_WoodgroveGG.
Exercise Overview
In this exercise, you will learn how to create web sites and applications. This exercises main tasks are: 1. 2. 3. 4. Create a site named Woodgrove. Copy the Woodgrove application to the appropriate directory. Add the .NET 3.0 Feature to the server. Delegate administrative access of Woodgrove to ITAdmins_WoodgroveGG.
Task 1: Create a site named Woodgrove

On NYC-WEB-A, in IIS Manager, add a Web site named Woodgrove and set its physical path to c:\inetpub\woodgrove, and its http port to 88.
Task 2: Copy the Woodgrove Application to the Appropriate Directory

Copy the Woodgrove application from e:\Mod02\Labfiles\Woodgrove to c:\inetpub\woodgrove.
Task 3: Add the .NET 3.0 Feature and ASP.NET to the server
In Server Manager, add .NET 3.0 Framework and ASP.NET.
Task 4: Delegate administrative access of Woodgrove to ITAdmins_WoodgroveGG

In IIS Manager, under Permissions, give Full Control to the security group ITAdmins_WoodgroveGG.
Results: After this exercise, you should have successfully installed .NET 3.0 Framework, ASP.NET, and created the Woodgrove site and copied its content.
Exercise 3: Creating an Application Pool

Scenario
You will now create a new application pool for temporary applications..
Exercise Overview
In this exercise, you will learn how to create an application pool. This exercises main task is: 1. Create an application pool named TempPool.
Task 1: Create an application pool named TempPool

On NYC-WEB-A, in IIS Manager, add an application pool named TempPool.
Results: After this exercise, you should have successfully added an application pool named TempPool.
Exercise 4: Configuring an Existing Application Pool

Scenario
Next, you will configure the new application pools according to the needs for the new applications. You will also practice starting, stopping, and recycling the application pools and configuring health settings. You will also rename the Exec and Woodgrove pools to ExecPool and WoodgrovePool.
Exercise Overview
In this exercise, you will configure the application pools and validate functionality. This exercises main tasks are: 1. 2. 3. 4. 5. 6. 7. Rename Woodgrove to WoodgrovePool. Configure WoodgrovePool and the Woodgrove site for Windows Integrated authentication to allow all authenticated users. Configure TempPool to use LocalSystem as worker process identity. Stop, start and recycle WoodgrovePool. Configure TempPool for Classic Pipeline Mode. Remove TempPool. Configure Health and Recycling settings for WoodgrovePool.
Task 1: Rename Woodgrove to WoodgrovePool

On NYC-WEB-A, in IIS Manager, rename the Woodgrove application pool to WoodgrovePool.
Task 2: Configure WoodgrovePool and the Woodgrove site for Windows Integrated authentication to allow all authenticated users
1. 2. In IIS Manager, disable Anonymous authentication for the Woodgrove site. On NYC-SVR1, logon as LocalAdmin with password Pa$$w0rd. Note that this machine is not joined to the domain. Browse to http://nyc-web-a.woodgrovebank.com, then browse to http://nyc-web-a-woodgrovebank.com:88 and compare results. On NYC-WEB-A, browse to http://localhost:88 and compare results.
3.
Task 3: Configure TempPool to use LocalSystem as worker process identity

In IIS Manager, configure the TempPool application pool to use LocalSystem as its worker process identity.
10
Task 4: Stop, start and recycle WoodgrovePool

1. 2. 3. In IIS Manager, stop the WoodgrovePool application pool and note the status. Start the WoodgrovePool application pool and note the status. Recycle WoodgrovePool and note the status.
Task 5: Configure TempPool for Classic Pipeline Mode

In IIS Manager, configure the TempPool application pool to use the classic pipeline.
Task 6: Remove TempPool

In IIS Manager, remove the application pool TempPool.
Task 7: Configure Health and Recycling settings for WoodgrovePool

In IIS Manager, configure the WoodgrovePool application pool to recycle after every 1000 requests, to log the number of requests, and set the Rapid Fail Failure Interval to 10 minutes.
Results: After this exercise, you should have successfully configured and verified the configuration of the application pools.
Lab Instructions: Configuring IIS 7.0 Application Settings
Module 3
Contents:
Exercise 1: Configuring ASP.NET Exercise 2: Configuring ASP.NET Application Development Settings Exercise 3: Configuring a Web Server to Host Multiple Applications with Separate Application Pools Exercise 4: Configuring ASP.NET Security 2 6 8 11
Lab: Configuring IIS 7.0 Application Settings
Exercise 1: Configuring ASP.NET

Scenario
You receive a service request from the Enterprise Design Team to deploy an application server. You need to add and configure the ASP.NET role service, and Application Server role, on the Web Server. The server will be available from the Internet and Sales Associates will need to log in with the user name sales and password support from their clients sites to get contact information for support. This requires a medium level of security. If there is an error, the error message returned to the client browser should direct the user to contact their district sales manager for login information.
Exercise Overview
In this exercise, you will learn how to add the ASP.NET role service and configure ASP.NET. You will choose and configure the appropriate authentication model, and set up custom error pages to handle HTTP errors. This exercises main tasks are: 1. 2. 3. 4. 5. 6. Start the 6427A-NYC-DC1 virtual machine. Start the 6427A-NYC-WEB-A virtual machine and log on as Woodgrovebank\Administrator. Add ASP.NET and Basic Security features to the IIS Role. Create the SalesSupport application and copy the ASP.NET application files. Configure Basic Security to allow access to authenticated Woodgrovebank domain users. Configure custom error pages for 401.aspx for 401 errors, and Other_Errors.aspx for all other errors.
Task 1: Start the 6427A-NYC-DC1 virtual machine and log on as LocalAdmin

Start 6427A-NYC-DC1, and log on as LocalAdmin with the password of Pa$$w0rd.

Start 6427A-NYC-WEB-A, and log on as Administrator with the password of Pa$$w0rd.
Task 3: Add ASP.NET and Basic Security features to the IIS Role
On NYC-WEB-A, use Server Manager to add the ASP.NET and Basic Authentication role services.
Task 4: Create the SalesSupport application and copy the ASP.NET application files
1. 2. On NYC-WEB-A, use IIS Manager to add the SalesSupport application with a physical path of c:\inetpub\wwwroot\SalesSupport. Copy the application files from E:\Mod03\Labfiles\SalesSupport to c:\inetpub\wwwroot\SalesSupport.
Task 5: Configure Basic Security to allow access to authenticated Woodgrovebank domain users
1. 2. 3. On NYC-WEB-A, use IIS Manager to disable Anonymous Authentication and enable Basic Authentication for the domain and realm woodgrovebank. Browse to http://localhost/salessupport. Notice that you are prompted for credentials. Enter user name yvonne with password Pa$$w0rd. Close and reopen the browser, and then browse again to http://localhost/salessupport. Try logging in with credentials that do not have a domain account, such as user name Bob with no password. Close the browser before continuing to the next task.
4.
Task 6: Configure custom error pages for 401.aspx for 401 errors, and Other_Errors.aspx for all other errors
1. 2. Copy the contents of E:\Mod03\Labfiles\WBErrors to c:\inetpub\custerr \en-US. In IIS Manager, edit the custom error for error 401 so that it redirects to 401.aspx. Edit the custom error code for error 404 so that it redirects to Other_Erros.aspx. Note that you would repeat this for the rest of the error codes if you were doing this in a real world situation. Open Internet Explorer and browse again to http://localhost/salessupport. Try logging in with credentials that do not have a domain account, such as user name Bob with no password. If prompted, assign the site to the allowed list, and then note the custom 404 error.
Results: After this exercise, you should have successfully verified that the ASP.NET role service is installed, configured Basic authentication, and verified custom error pages in Internet Explorer.
3.
4.
Exercise 2: Configuring ASP.NET Application Development Settings

Scenario
Next you will configure some test settings for the SalesSupport application. The Enterprise Design team is planning on implementing a database to store the support resource data. You will need to enter the provided connection string. You will also rename the cookie that the page uses to SalesSupport. Next you will create a custom control for testing the new configuration. Finally, you will set some application settings and then verify that the application can read them by loading the custom test page.
Exercise Overview
In this exercise, you will learn how to configure ASP.NET application development settings. This exercises main tasks are: 1. 2. 3. 4. Configure ASP.NET Connection Strings to connect to Resources.MDF. Configure ASP.NET Session State settings to rename the cookie to SalesSupport. Add a custom control: Woodgrovebank.TestControls Version=1.0.0.0. Add application settings at Site and Application levels.
Task 1: Configure ASP.NET Connection Strings to connect to Resources.MDF

On NYC-WEB-A, in IIS Manager, modify the Connection Strings for the SalesSupport application to use the following connection string as LocalResources:
data source=.\SQLEXPRESS;AttachDbFileName=e:\mod03\labfiles\resources.mdf ;IntegratedSecurity=True
Task 2: Configure ASP.NET Session State settings to rename the cookie to SalesSupport
Rename the Session State cookie name to SalesSupport_SessionID.
Task 3: Add a custom control: Woodgrovebank.TestControls Version=1.0.0.0

In IIS Manager, register a new custom control with the tag preface of Woodgrovebank. Set the Namespace to TestControls and the Assembly to Version=1.0.0.0.
Task 4: Add application settings at site and application levels

1. Open Internet Explorer and browse to http://localhost/salessupport /test.aspx. Enter username yvonne and password Pa$$w0rd. Notice that the test application reports that no application settings are defined. In IIS Manager, add an Application setting named DefaultLocation with the value "New York" to the Default Web Site. In Internet Explorer, refresh the page and compare the results. In IIS Manager, note the inheritance setting for the Application Settings, Add another Application setting named debug_mode with value "true". In Internet Explorer, refresh the page and compare results. Close Internet Explorer before continuing.
Results: After this exercise, you should have configured ASP.NET development settings and verified test page functionality.
2. 3. 4. 5.
Exercise 3: Configuring a Web Server to Host Multiple Applications with Separate Application Pools
Scenario
You will now deploy the SalesSupport application to two new instances. Once instance will be a test deployment with additional testing configuration. Another instance will be for the German division of Woodgrove and will need to be set for German globalization settings. Additionally, you will disable the debug mode for the production version of SalesSupport.
Exercise Overview
In this exercise, you will learn how to create an application pool. This exercises main tasks are: 1. 2. 3. 4. 5. 6. 7. 8. Create three application pools named SalesSupport, SalesSupport_De, and SalesSupport_Test. Create the applications SalesSupport_De and SalesSupport_Test. Use XCopy to deploy the files from the SalesSupport directory to the SalesSupport_DE and SalesSupport_Test directories. Assign the applications to the appropriate application pools. Configure application pool recycling for unlimited requests. Configure the SalesSupport_Test application pool to record recycled events. Configure the SalesSupport .NET compilation debug setting to False. Configure the SalesSupport_De application globalization settings for Germany.
Task 1: Create three application pools named SalesSupport, SalesSupport_De, and SalesSupport_Test
On NYC-WEB-A, in IIS Manager, add three application pools named SalesSupport, SalesSupport_De, and SalesSupport_Test.
Task 2: Create the applications SalesSupport_De and SalesSupport_Test

1. 2. In IIS Manager, create an application named SalesSupport_De with a physical path of c:\inetpub\wwwroot\SalesSupport_De. Create an application named SalesSupport_Test with a physical path of c:\inetpub\wwwroot\SalesSupport_Test.
Task 3: Use XCopy to deploy the files from the SalesSupport directory to the SalesSupport_DE and SalesSupport_Test directories
At the command prompt, change to the c:\inetpub\wwwroot directory and then use XCopy to copy the files and directory structure from SalesSupport to SalesSupport_De and SalesSupport_Test.
Task 4: Assign the applications to the appropriate application pools

1. 2. In IIS Manager, modify the SalesSupport, SalesSupport_De and SalesSuppot_Test to use their correspondingly named application pools. Disable anonymous authentication and enable basic authentication with the domain and realm of woodgrovebank for both SalesSupport_De and SalesSupport_Test applications.
Task 5: Configure production application pool recycling for unlimited requests

In IIS Manager, modify the SalesSupport and SalesSupport_De application pool recycling so that they do not recycle on regular intervals.
Task 6: Configure the SalesSupport_Test application pool to record recycled events

In IIS Manager, modify the SalesSupport_Test application pool recycling to recycle every 1024 requests, and modify the Recycling Events to Log to log number of requests, On-Demand, and Configuration Changes.
10
Task 7: Configure the SalesSupport .NET compilation debug setting to False

In IIS Manager, modify the SalesSupport .NET Compilation behavior settings so that Debug is False.
Task 8: Configure the SalesSupport_De application globalization settings for Germany

1. 2. In IIS Manager, modify the SalesSupport_De .NET Globalization settings so that culture and UI Culture are set to German (Germany) (de-DE). Start Internet Explorer and browse to http://localhost/salessupport and enter user name yvonne and password Pa$$w0rd. On a second and third tab, browse to http://localhost/salessupport_de and http://localhost /salesupport_test with yvonne's credentials so that all three applications are loaded in the browser. Open Task Manager and note the instances of w3wp.exe. In Internet Explorer, browse to http://localhost/salessupport_de/test.aspx and notice the date format in the page. Close Internet Explorer before continuing.
Results: After this exercise, you should have successfully deployed multiple applications with separate application pools, configured recycling and debug settings, and configured and verified .Net globalization settings.
3. 4. 5.
11
Exercise 4: Configuring ASP.NET Security

Scenario
Next, you will configure the machine key, .NET trust level, and File and Folder security.
Exercise Overview
In this exercise, you will configure ASP.NET security settings. This exercises main tasks are: 1. 2. 3. 4. 5. Set the machine key of SalesSupport_de. Configure the SalesSupport_Test site for medium trust level. Configure File and Folder security so that only ITAdmins_WoodgroveGG can access the Test.aspx page on SalesSupport. Enable Tracing and Logging for the SalesSupport_Test site. Configure Request Filtering so that only ASPX requests are processed.
Task 1: Set the machine key of SalesSupport_de

On NYC-WEB-A, in IIS Manager, generate a new Machine Key for SalesSupport_De.
Task 2: Configure the SalesSupport_Test site for medium trust level

In IIS Manager, set the .NET Trust Level to Medium for the application SalesSupport_Test.
12
Task 3: Configure File and Folder security so that only ITAdmins_WoodgroveGG can access the Test.aspx page in SalesSupport
1. 2. 3. In IIS Manager, modify the permissions of SalesSupport\test.aspx so that permissions are not inherited and only ITAdmins_WoodgroveGG is allowed. In Internet Explorer, browse to http://localhost/salessupport/test.aspx and try to use the credentials of yvonne as user name and password Pa$$w0rd. Refresh the page and log in with a user account that is a member of ITAdmins_WoodgroveGG, such as user name Betsy and password Pa$$w0rd. Close Internet Explorer before continuing.
4.
Task 4: Enable Tracing and Logging for the SalesSupport_Test site

1. 2. In IIS Manager, add all of the role services for Health and Diagnostics to the Web Server role. In Notepad, open c:\inetpub\wwwroot\SalesSupport_Test\test.aspx. a. Modify the first line to read:
<@ Page Language="C#" trace="true" %>
b.
Modify the fifth line to read:

Response.Write("This message should appear");
c. 3.
Save the file and close Notepad.
In Internet Explorer, browse to http://localhost/salessupport_test /test.aspx and use credentials of user name Betsy and password Pa$$w0rd if prompted. Examine the page for trace messages and information. Close Internet Explorer. In IIS Manager, enable Web Site Failed Request Tracing for the Default Web Site, and then add a Failed Request Tracing Rule to trace ASP.NET for Status code 200 with verbose results.
4. 5.
13
6.
Open Internet Explorer, and browse to http://localhost/salessupport_test /test.aspx and use credentials of user name Betsy and password Pa$$w0rd if prompted. In Internet Explorer, open the most recent fr######.xml file from c:\inetpub\logs\failedreqlogfiles\w3svc. Examine the Errors and Warning section.
7.
Task 5: Configure Request Filtering so that only ASPX requests are processed
1. In Internet Explorer, browse to http://localhost/welcome.png, and then browse to http://localhost/iisstart.htm. Notice that this page contains the graphic. Close Internet Explorer. In Notepad, open c:\inetpub\wwwroot\web.config. After the sixth line, add the following security section:
<security> <requestFiltering> <fileExtensions allowUnlisted="false" > <add fileExtension=".aspx" allowed="true"/> </fileExtensions> </requestFiltering> </security>
2. 3.
4. 5. 6. 7.
Save the file and close Notepad.
Open Internet Explorer, and browse to http://localhost/welcome.png. Notice the error. Browse to http://localhost/iisstart.htm. Notice the error. At the command prompt, change to the c:\inetpub\wwwroot directory and then copy iisstart.htm to iisstart,aspx. In Internet Explorer, browse to http://localhost/iisstart.aspx. Notice that the page loads without error, but the graphic does not display.
Results: After this exercise, you should have successfully configured and verified the configuration of the advanced security settings for ASP.NET.
Lab Instructions: Configuring IIS 7.0 Modules
Module 4
Contents:
Exercise 1: Configuring and Editing Native Modules Exercise 2: Configuring and Editing Managed Modules 2 6
Lab: Configuring and Editing Modules
Exercise 1: Configuring and Editing Native Modules

Scenario
You received a service request from the application development team specifying the modules that are required to install, test, and run an application on the specified Web server. To reduce the server footprint and vulnerability, you must remove the unnecessary modules.
Exercise Overview
In this exercise, students will learn how to remove native modules from a Web server to improve security and reduce the server footprint. The main tasks for this exercise are as follows: 1. 2. 3. 4. 5. 6. 7. Start the 6427A-NYC-WEB-B virtual machine and log on as Administrator. Backup the current Web server configuration. Examine the modules currently installed on the Web server. Remove the Default Document Module and the Directory Listing Module. Validate that the modules have been removed and test the new server configuration. Restore the modules to the Web server configuration. Validate that the modules have been restored and test the server configuration.
Task 1: Start the 6427A-NYC-WEB-B virtual machine and log on as Administrator

Start 6427A-NYC-WEB-B, and log on as Administrator with the password of Pa$$w0rd.
Task 2: Backup the current Web server configuration

Open command prompt and use appcmd to backup the server configuration.
Task 3: Examine the modules currently installed on the Web server

Use the IIS Manager to examine the modules.
Task 4: Remove the Default Document Module and the Directory Listing Module
1. 2. 3. 4. Browse the default Web site. Use Notepad to edit the applicationHost.config. Delete the DefaultDocumentModule and the DirectoryListingModule entries from within the <globalModules> tag. Delete the references to the DefaultDocumentModule and the DirectoryListingModule from within the <handlers accessPolicy="Read, Script"> tag. Delete the DefaultDocumentModule and the DirectoryListingModule entries from within the <modules> tag.
5.
Task 5: Validate that the modules have been removed and test the new server configuration
1. 2. 3. Use IIS Manager to validate that the removed modules entries are missing. Use Internet Explorer to check the default Web site. Use Internet Explorer to retrieve the default Web page. Default Web pageURL: http://localhost/default.aspx
Task 6: Restore the modules to the Web server configuration

Open command prompt and use appcmd to restore the server configuration.
Task 7: Validate that the modules have been restored and test the server configuration
Open command prompt and use appcmd to backup the server configuration.
Results: After this exercise, you should have successfully removed native modules from a Web server, and then confirmed that the server operates as expected
Exercise 2: Configuring and Editing Managed Modules

Scenario
To increase throughput, it has been determined that output caching would be beneficial on some of the applications on the Web server. You need to make sure that the Output Cache module is installed and configured as specified in the service request. The development team also requested the installation of a new Managed Module that provides an additional level of logging for their application.
Exercise Overview
In this exercise, students will learn how to add new managed modules to a Web server. The main tasks for this exercise are as follows: 1. 2. 3. 4. 5. 6. Install the logging managed module. Confirm the installation of the logging managed module. Test the Web sites forms authentication page. Examine the modules currently running on the Web server. Remove the forms authentication managed module. Test the new configuration.
Task 1: Install the logging managed module

1. Create a new folder: 2. C:\inetpub\ logging_module\
Copy files for logging_module Web site. Source: E:\Mod04\Labfiles\logging_module Destination: C:\inetpub\ logging_module\
3. 4.
Change the security for C:\inetpub\logging_module\logs to allow Users (NYC-WEB-B\Users). Use IIS Manager to add a new Web site: Site name: logging_module Physical path: C:\inetpub\logging_module Port: 8181
Task 2: Confirm the installation of the logging managed module

1. 2. 3. 4. Use Internet Explorer to view the logging_module Web site. Load the Web site's second page. Use IIS Manager to examine the modules for the logging_module Web site. Examine the logs created by the logging_module Web site. Location: C:\inetpub\logging_module\logs
Task 3: Test the Web sites forms authentication page

Use Internet Explorer to log into the default Web site and retrieve a confidential memo. Destination: Shared Documents Email: lmartin@woodgrovebank.com Password: Pa$$w0rd Memo: Woodgrove Confidential Memo
Task 4: Examine the modules currently running on the Web server

Use IIS Manager to examine the OutputCache module.
Task 5: Remove the forms authentication managed module

Use IIS Manager to remove the FormsAuthentication module.
Task 6: Test the new configuration

Attempt to view the Shared Documents folder again using Internet Explorer.
Results: After this exercise, you should have successfully added a managed module to the Web server.
Lab Instructions: Securing the IIS 7.0 Web Server and Web Sites
Module 5
Contents:
Exercise 1: Configure a Secure Web Server Exercise 2: Configure Authorization, Authentication, and Access Exercise 3: Configure Logging 3 7 13
Lab: Securing IIS 7.0 Web Server and Web Sites
Exercise 1: Configure a Secure Web Server

Scenario
Additional security measures need to be put in place to protect the Web server. These measures will protect the Web server against unauthorized access by specific IP addresses and domains. Additional ISAPI and CGI restrictions need to be put into place. Then you are given a list of accounts authorized for a specific site. You must give separate access to the IT Admin group and the developer, Herbert Dorner. The main tasks for this exercise are as follows: 1. 2. 3. 4. 5. 6. 7. 8. 9. Start the 6427A-NYC-DC1 virtual machine and log on as Administrator. Start the 6427A-NYC-WEB-B virtual machine and log on as Administrator. Create a self-signed server certificate for the Web server. Block IP addresses as specified in the service request. Examine the current ISAPI and CGI Restrictions. Install the .NET Framework 1.1. Set ISAPI and CGI restrictions to use ASP.NET version 1.1. Set the rights and permissions for Active Directory users. Test and validate the new configuration.
Task 1: Start the 6427A-NYC-DC1 virtual machine and log on as Administrator

Task 2: Start the 6427A-NYC-WEB-B virtual machine and log on as Administrator

Start 6427A-NYC-WEB-B, and log on as Administrator with the password of Pa$$w0rd.
Task 3: Create a self-signed server certificate for the Web server

1. 2. 3. On NYC-WEB-B, open the IIS Manager. Open Server Certificates. Create a Self-Signed Certificate: Friendly name: woodgrovebank
Task 4: Block IP addresses as specified in the Service Request

1. 2. Using the IIS Manager, set IPv4 Address and Domain Restrictions. Add a deny rule entry: 3. Specific IPv4 address: 10.10.20.1
Add a deny rule entry: IPv4 address: 10.10.10.0 Mask: 255.255.255.0
Task 5: Examine the current ISAPI and CGI Restrictions

Using the IIS Manager, examine the ISAPI and CGI Restrictions.
Task 6: Install the .NET Framework 1.1

1. Install the .NET Framework 1.1. 2. File location: E:\ Mod05\Labfiles Installer: dotnetfix.exe
Install the .NET Framework 1.1 Service Pack 1. File location: E:\ Mod05\Labfiles Installer: NDP1.1sp1-KB867460-X86.exe
Task 7: Set ISAPI and CGI restrictions to use ASP.NET version 1.1
1. 2. Using the IIS Manager, set the ISAPI and CGI Restrictions. Allow ASP.NET v1.1.4322.
Task 8: Set the rights and permissions for Active Directory users
Set the rights and permissions for Active Directory users. Folder: C:\inetpub\wwwroot\ Location: WoodgroveBank.com Object names to select: ITAdmins_WoodgroveGG Object names to select: Herbert Allow: Full control
Task 9: Test and validate the new configuration

Validate the new configuration. Group or user names: ITAdmins_WoodgroveGG Group or user names: Herbert Dorner
Results: After this exercise, you should have successfully set IP restrictions, ISAPI and CGI restrictions, and Active Directory permissions, as specified in a service request document
Exercise 2: Configure Authorization, Authentication, and Access

Scenario
Additional security measures need to be put in place to protect the Web server. An application is protected with forms authentication, but it is discovered that some of the content can bypass forms authentication and still be accessed, such as a jpg, by entering the direct URL path and file name. You must configure the protected content to use the managed forms authentication module. The main tasks for this exercise are as follows: 1. 2. 3. 4. 5. 6. Turn off the Web site cache for the shared documents folder. Sign into the Woodgrove Bank Web site and retrieve the confidential memo. Bypass the Web site forms authentication. Modify the applicationHost.config file to handle forms authentication. Reconfigure the authorization and authentication so that the protected content uses forms authentication. Test and validate the Web sites new configuration
Task 1: Turn off the Web site cache for the shared documents folder
Using the IIS Manager, add Custom HTTP Response Header. Name: Cache-Control Value: no-cache
Task 2: Sign into the Woodgrove Bank Web site and retrieve the confidential memo
1. Use Internet Explorer to log into the default Web site and retrieve a confidential memo. 2. Destination: Shared Documents Email: lmartin@woodgrovebank.com Password: Pa$$w0rd Memo: Woodgrove Confidential Memo
Sign-out of the Web site.
Task 3: Bypass the Web site forms authentication

Use Internet Explorer to retrieve the Confidential Memo. Confidential Memo URL: http://localhost/docs/shared/Woodgrove_memo.jpg
Task 4: Modify the applicationHost.config to unlock the URL Authorization <configSections> section by changing the override mode default to allow
Unlock URL Authorization in the applicationHost.config file: File location: C:\windows\system32\inetsrv\config File name: applicationHost.config Section: <configSections> Original code:
<section name="authorization" overrideModeDefault="Allow" />
Replacement code:
<section name="authorization" type="System.WebServer.Configuration.UrlAuthorizationSection, System.ApplicationHost, Version=7.0.0.0, culture=neutral, PublicKeyToken=31bf3856ad364e35" overrideModeDefault="Allow" />
Task 5: Modify the applicationHost.config <applicationPools> section to change the Classic .NET application pool to Integrated mode
Change the Classic .NET application pool to Integrated mode in the applicationHost.config file: File location: C:\windows\system32\inetsrv\config File name: applicationHost.config Section: <applicationPools> Original code:
<add name="Classic .NET AppPool" managedPipelineMode="Classic" />
Replacement code:
<add name="Classic .NET AppPool" managedPipelineMode="Integrated" />
Task 6: Modify the applicationHost.config file to disable all other authentication types except for anonymous
Disable all other authentication types except for anonymous in the applicationHost.config file: File location: C:\windows\system32\inetsrv\config File name: applicationHost.config Section: <authentication> Append enabled="false" to: clientCertificateMappingAuthentication digestAuthentication iisClientCertificateMappingAuthentication windowsAuthentication
10
Task 7: Modify the applicationHost.config file to protect all content by removing the managedHandler precondition from the <system.webServer> section
Protect all content by removing the managedHandler precondition in the applicationHost.config file: File location: C:\windows\system32\inetsrv\config File name: applicationHost.config Section: <system.webServer> Original code:
<add name="FormsAuthentication" type="System.Web.Security.FormsAuthenticationModule" preCondition="managedHandler" />
Replacement code:
<add name="FormsAuthentication" type="System.Web.Security.FormsAuthenticationModule" />
Original code:
<add name="DefaultAuthentication" type="System.Web.Security.DefaultAuthenticationModule" preCondition="managedHandler" />
Replacement code:
<add name="DefaultAuthentication" type="System.Web.Security.DefaultAuthenticationModule" />
11
Task 8: Reconfigure the authorization and authentication so that the protected content uses forms authentication
1. Reconfigure authorization so that the protected content uses forms authentication in the Web.Config file: File location: C:\inetpub\wwwroot File name: Web.Config Section: <authorization> Add the line <allow users=lmartin@woodgrovebank.com />, above the line  Original code:
<
Replacement code:
<deny users="?" />
2.
Using the IIS Manager, reconfigure authentication so that the protected content uses forms authentication. Launch Authentication Disable Anonymous Authentication
12
Task 9: Test and validate the Web sites new configuration

1. Use Internet Explorer to log into the default Web site and retrieve the confidential memo. 2. 3. Destination: Shared Documents Email: lmartin@woodgrovebank.com Password: Pa$$w0rd Memo: Woodgrove Confidential Memo
Sign-out of the Web site. Use Internet Explorer and attempt to retrieve the Confidential Memo. Confidential Memo URL: http://localhost/docs/shared/Woodgrove_memo.jpg
Results: After reconfigure the Web sites authorization and authentication, so that all content uses forms authentication and thereby protecting the confidential memo, the only way to obtain the memo is by having the correct credentials.
13
Exercise 3: Configure Logging

Scenario
Additional security measures need to be put in place to protect the Web server. You received a service request to keep a log of all visitors to the Web server for the past 24 hours. You must enable and configure logging and then test and verify the log. The main tasks for this exercise are as follows: 1. 2. Examine and configure logging options. Test the logging operations.
Task 1: Examine and configure logging options

Using the IIS Manager, set the logging options. Select: Use local time for file naming and rollover
Task 2: Test the logging operations

1. 2. Using Internet Explorer, refresh the Web site. View the log file: Log file location: C:\ inetpub\logs\LogFiles\W3SVC1
Results: After examining the configuration of the Web servers logging settings, the current log file was examined and proven to successfully track the Web servers activity.
Lab Instructions: Configuring Delegation and Remote Administration
Module 6
Contents:
Exercise 1: Configuring Remote Administration Exercise 2: Configuring Delegated Administration Exercise 3: Configuring Feature Delegation 2 4 8
Lab: Configuring Delegation and Remote Administration
Exercise 1: Configuring Remote Administration

Scenario
You need to be able to configure the server remotely. You must enable remote administration and then test it by accessing the administration features from a remote computer.
A new site has been set up and you have been asked to delegate the administration of the site to the business owner. You will need to give the business owner permission to administer their site only, but not the other sites hosted on the server. You have been assigned a service request to allow all site owners to administer the error messages for their site. You must unlock the error page feature so that it can be delegated. In this exercise you will practice configuring a Web server for remote administration. This exercises main tasks are: 1. 2. Configure NYC-WEB-B for remote administration. Test NYC-WEB-B remote administration.
Task 1: Configure NYC-WEB-B for remote administration

1. 2. 3. Add the IIS Management role service to NYC-WEB-B. Configure the IIS Management service to accept both Windows Credentials and IIS Manager Credentials. Start the IIS Management service.
Task 2: Test NYC-WEB-B remote administration

1. 2. On NYC-DC1, add the IIS Management Console. On NYC-DC1, use the IIS Management Console to connect to NYC-WEB-B. On the NYC-WEB-B Default Web Site, set index.htm at the first default document.
Results: After completing this exercise, you should have configured the IIS Management Service to accept remote connections and you should have tested a remote connection from NYC-DC1.
Exercise 2: Configuring Delegated Administration

Scenario
You need to be able to configure the server remotely. You must enable remote administration and then test it by accessing the administration features from a remote computer. A new site has been set up and you have been asked to delegate the administration of the site to the business owner. You will need to give the business owner permission to administer their site only, but not the other sites hosted on the server. You have been assigned a service request to allow all site owners to administer the error messages for their site. You must unlock the error page feature so that it can be delegated. In this exercise you will practice delegating administration of two Web sites to the appropriate business owners. This exercises main tasks are: 1. 2. 3. 4. Configure delegated administration for the Human Resources site. Share the Woodgrove sales Web site for Betsy Stadick. Configure delegated administration for the Sales site. Test delegated administration for the Human Resources and Sales sites.
Task 1: Configure delegated administration for the Human Resources site

1. On NYC-WEB-B, share WoodgroveHRSite. 2. Location: E:\Mod06\Labfiles Site: WoodgroveHRSite Administrator: Herber Dorner Rights: Co-owner
Using IIS Manager, grant the Windows user Herber Dorner access to the HR site.
Task 2: Share the Woodgrove sales Web site for Betsy Stadick
On NYC-WEB-B, share the Woodgrove sales Web site for Betsy Stadick. Location: E:\Mod06\Labfiles Site: WoodgroveSalesSite Administrator: Betsy Stadick Rights: Co-owner
Task 3: Configure delegated administration for the Sales site

Allow configuration override for the authentication section of applicationHost.config. Use Notepad to open C:\windows\system32\intesrv\config \applicationhost.config. Remove the following text:
<anonymousAuthentication enabled="true" userName="IUSR" /> <basicAuthentication /> <clientCertificateMappingAuthentication /> <digestAuthentication /> <iisClientCertificateMappingAuthentication
Insert the following text on the line before </configuration>: The text is available in the file: C:\Mod06\Labfiles\EnableAnonymousAuthentication.txt.
<location overrideMode="Allow"> <system.webServer> <security> <authentication> <anonymousAuthentication enabled="true" userName="IUSR" /> <basicAuthentication /> <clientCertificateMappingAuthentication /> <digestAuthentication /> <iisClientCertificateMappingAuthentication /> <windowsAuthentication /> </authentication> </security> </system.webServer> </location>
Save changes to the applicationHost.config file.
Task 4: Test delegated administration for the Human Resources and Sales sites
1. 2. On NYC-DC1, log in as woodgrovebank\herbert with a password of Pa$$w0rd. Use IIS Manager to connect to the HR site on NYC-WEB-B. 3. Password: Pa$$w0rd Server name: NYC-WEB-B Site name: HR User name: herbert@woodgrovebank.com Connection Name: Human Resources Site
Use IIS Manager to connect to the Sales site on NYC-WEB-B. Password: Pa$$w0rd Server name: NYC-WEB-B
Site name: Sales User name: herbert@woodgrovebank.com
Question: Why does an error occur? Answer: This error occurs because Herbert was not granted IIS Manager permission on the Sales site. 4. 5. Log in to NYC-DC1 as woodgrovebank\betsy with a password of Pa$$w0rd. Disable Windows authentication and anonymous authentication in the Web.config file for the Sales site. Use Notepad to open \\NYC-WEB-B\WoodgroveSalesSite\Web.Config. Insert the following text on the line before </configuration>: The text is available in the file: C:\Mod06\Labfiles\DisableAuthentications.txt
<system.webServer> <security> <authentication> <windowsAuthentication enabled=false /> <anonymousAuthentication enabled="false" /> </authentication> </security> </system.webServer>
6.
Save changes to the Web.config file.
Use Internet Explorer to access http://sales.woodgrovebank.com. Question: Why does the server report a 401 error? Answer: The server reports a 401 error because both Anonymous Authentication and Windows Authentication have been disabled. The web server is unable to service a request for a web page if no means for authentication is configured.
7.
Attempt to configure \\NYC-WEB-B\WoodgroveHRSite\Web.Config.

Results: After completing this exercise, you should have successfully delegated administration for the Human Resources Web site to Herber Dorner and delegated administration for the Sales Web site to Betsy Stadick.
Exercise 3: Configuring Feature Delegation

Scenario
You need to be able to configure the server remotely. You must enable remote administration and then test it by accessing the administration features from a remote computer. A new site has been set up and you have been asked to delegate the administration of the site to the business owner. You will need to give the business owner permission to administer their site only, but not the other sites hosted on the server You have been assigned a service request to allow all site owners to administer the error messages for their site. You must unlock the error page feature so that it can be delegated. In this exercise you will practice configuring delegated administration so that all site owners can administer the error messages for their site. This exercises main tasks are: 1. 2. Configure feature delegation for the Human Resources and Sales sites. Test feature delegation for the Human Resources site.
Task 1: Configure feature delegation for the Human Resources and Sales sites
On NYC-WEB-B, use feature delegation to set Error Pages to Read/Write.
Task 2: Test feature delegation for the Human Resources site

1. 2. 3. 4. On NYC-DC1, log in as woodgrovebank\herbert with a password of Pa$$w0rd. Use IIS Manager to connect to the HR site on NYC-WEB-B with the user name herbert@woodgrovebank.com. Set a custom error page of /ErrorPages/custom404.htm for the 404 error page. Use Internet Explorer to open URL: http://hr.woodgrovebank.com/missingpage.htm
Results: After completing this exercise, you should have successfully configured the Human Resources and Sales sites so that the site owners can customize error pages for each site.
Lab Instructions: Using Command-line and Scripting for IIS 7.0 Administration
Module 7
Contents:
Exercise 1: Manage IIS Web Sites with PowerShell Exercise 2: Use Microsoft.Web.Administration Exercise 3: Automate IIS Administration using Scripts Exercise 4: Navigating IIS tasks using WMI and AppCmd 2 5 7 10
Lab: Using Command-line and Scripting for IIS 7.0 Administration
Exercise 1: Manage IIS Web Sites with PowerShell

Scenario
The development team requires additional tools to manage their Web sites. First you need to make sure that PowerShell will correctly manage the servers services and make sure it can successfully stop and start the Web service.
In this exercise, you will learn how to use PowerShell to manage IIS 7.0. The main tasks for this exercise are as follows: 1. 2. 3. 4. 5. 6. Start the 6427A-NYC-WEB-B virtual machine and log on as Woodgrovebank\Administrator. Use PowerShell to identify all services. Use PowerShell to identify running services that start with a "w". Stop the w3svc service using PowerShell. Start the w3svc service using PowerShell. List the Powershell.exe process using the get-wmiobject cmdlet.
Task 1: Start the 6427A-NYC-WEB-B virtual machine and log on as Administrator Task 2: Use PowerShell to identify all services
Use the get-service cmdlet.
Task 3: Use PowerShell to identify running services that start with a w

Use the get-service -include w* | sort-object -property status cmdlet.
Task 4: Stop the w3svc service using PowerShell

Use the stop-service cmdlet. Use the get-service cmdlet to confirm.
Task 5: Start the w3svc service using PowerShell

Use the start-service cmdlet. Use the get-service cmdlet to confirm.
Task 6: List the Powershell.exe process using the get-wmiobject cmdlet

Use the Get-WmiObject -query "Select * From Win32_Process Where Name = 'powershell.exe'" cmdlet.
Results: After this exercise, you should have successfully identified, stopped and started services using PowerShell.
Exercise 2: Use Microsoft.Web.Administration

Scenario
You need to verify that a script will effectively stop and start using MWA. Run the script and then check to make sure that the service is stopped. Then restart the service using the script and verify that it is started. In this exercise, you will learn how to use MWA to execute a script. The main tasks for this exercise are as follows: 1. 2. 3. 4. Load Microsoft.Web.Administration.dll. Get Web site information with MWA. Create a function using MWA to find Web sites. Use the findsite function to list the default Web site, the default Web site ID, and then stop and start the default Web site.
Task 1: Load Microsoft.Web.Administration.dll

Open PowerShell. Use this command: [System.Reflection.Assembly]::LoadFrom(C:\windows\system32\inetsrv\ Microsoft.Web.Administration.dll")
Task 2: Get Web site information with MWA

(New-Object Microsoft.Web.Administration.ServerManager).Sites (New-Object Microsoft.Web.Administration.ServerManager).Sites | ForEach-Object {$_.Name}
Task 3: Create a function using MWA to find Web sites

function findsite {$name=$args[0]; ((New-Object Microsoft.Web.Administration.ServerManager).Sites | Where-Object {$_.Name match $name}); }
Task 4: Use the findsite function to list the default Web site, the default Web site ID, and then stop and start the default Web site
Results: After this exercise, you should have successfully used Microsoft.Web.Administration to gather Web site information and created a function to start and stop the default Web site.
Exercise 3: Automate IIS Administration using Scripts

Scenario
The development team provided you with a script that lists Web sites on the server. You need to test and run the script using PowerShell. You also need to deploy several identical Web sites using the same default content located on a share. A PowerShell script will be used to automate this task. In this exercise, you will learn how to use a PowerShell scripts. The main tasks for this exercise are as follows: 1. 2. 3. 4. 5. 6. 7. Create Microsoft.PowerShell profile script to automatically load assemblies. Set execution policy to unrestricted. Add a global variable to profile script. List sites using global variable. Use PowerShell script to find sites. Review and run a script to create a Web site. Use PowerShell script to verify site was created.
Task 1: Create Microsoft.PowerShell profile script to automatically load assemblies

To open profile script: if (test-path $profile) {echo Path exists.} else {newitem path $profile itemtype file force}; notepad $profile Profile script:
echo Microsoft IIS 7.0 Environment Loader echo Copyright 2006 Microsoft Corporation. All rights reserved. echo Loading IIS 7.0 Managed Assemblies $inetsrvDir = (join-path path $env:windir childPath \system32\inetsrv\) Get-ChildItem Path (join-path path $inetsrvDir childPath Microsoft*.dll) | ForEach-Object {[System.Reflection.Assembly]::LoadFrom( (join-path path $inetsrvDir childPath $_.Name)) } echo Assemblies loaded.
Task 2: Set execution policy to unrestricted

View execution policy with get-executionpolicy cmdlet. Set execution policy with set-executionpolicy cmdlet.
Task 3: Add a global variable to profile script

Add this line to the profile script:
new-variable iismgr value (New-Object Microsoft.Web.Administration.ServerManager) scope global
Task 4: List sites using global variable Task 5: Use PowerShell script to find sites
1. 2. Save the script located in E:\Mod07\Labfiles\scripts\iis.type.ps1.xml to c:\windows\System32\WindowsPowerShell\v1.0. Type the following at the end of the profile script:
new-variable iissites value (New-Object Microsoft.Web.Administration.ServerManager).Sites scope global new-variable iisapppools value (New-Object Microsoft.Web.Administration.ServerManager).ApplicationPools scope global update-typedata append (join-path path $PSHome childPath iis.types.ps1xml)
3.
At the PowerShell Command Prompt run $iissites.Find(^Default*).
Task 6: Review and run a script to create a Web site

1. 2. The script is located in E:\Mod07\Labfiles\scripts\CreateWebsite \CreateWebsite\CreateWebsite\Bin\Debug\CreateWebsite.exe. Copy the script to the C:\drive and run it from PowerShell.
Task 7: Use PowerShell script to verify site was created

Use $iissites.Find to locate NewSite.
Results: After this exercise, you should have successfully created a Microsoft.PowerShell profile script. You should have also used a saved script to list Web site. Finally, you should have successfully created a site named NewSite.
10
Exercise 4: Navigating IIS tasks using WMI and AppCmd

Scenario
You need to verify which tasks are running on the server. Use WMI and AppCmd to display the list of running tasks. In this exercise, students will use WMI and AppCmd for IIS administration. The main tasks for this exercise are as follows: 1. 2. 3. 4. 5. 6. Use AppCmd to identify tasks running on the Web server. Use AppCmd to identify all running application pools. Use AppCmd to recycle all running application pools. Move all applications in a site to NewAppPool apppool. Store configuration information to file, and then restore the configuration information. Use WMI to list the default Web site on the Web server.
Task 1: Use AppCmd to identify tasks running on the Web server

1. 2. Open a Command Prompt. Navigate to c:\windows\system32\inetsrv to run AppCmd.
Task 2: Use AppCmd to identify all running application pools Task 3: Use AppCmd to recycle all running application pools
Use this command: appcmd list apppool /xml | appcmd recyle apppool /in
Task 4: Move all applications in a site to NewAppPool apppool

Use this command: appcmd list app /site.name:"NewSite" /xml | appcmd set app /in /applicationPool:NewAppPool
11
Task 5: Store configuration information to file, and then restore the configuration information
To store configuration information: appcmd list config Default Web Site/ /section:caching /xml /config > config.xml To restore configuration information: appcmd set config Default Web site/ /in < config.xml
Task 6: Use WMI to list the default Web site on the Web server
1. Using Notepad create a file named GetSite.vbs with the following code:
Set oIIS = GetObject("winmgmts:root\WebAdministration") Set oSite = oIIS.Get("Site.Name='Default Web Site'") WScript.Echo "Retrieved an instance of Site " WScript.Echo " Name: " & oSite.Name WScript.Echo " ID: " & oSite.ID
2. 3. 4.
Open a Command Prompt and navigate to folder where GetSite.vbs is located Type cscript //h:cscript. Run GetSite.vbs script.
Results: After this exercise, you should have successfully used AppCmd to recycle application pools, move application and store configuration information to a file. You should have also successfully identified the default Web site using WMI.
Lab Instructions: Tuning IIS 7.0 for Improved Performance
Module 8
Contents:
Exercise 1: Deploying Applications Exercise 2: Configuring IIS Performance Options Exercise 3: Managing Application Pools to Improve Performance 2 5 8
Lab: Tuning IIS 7.0 for Improved Performance
Exercise 1: Deploying Applications

Scenario
You receive a request to deploy a second copy of an installed application, and then deploy updates to the new installation so that the Enterprise Design QA team can test the proposed updates.
Exercise Overview
In this exercise, students will learn how to deploy an application, as well as application updates, with Xcopy. This exercises main tasks are: 1. 2. 3. Start the 6427A-NYC-DC1 virtual machine. Start the 6427A-NYC-WEB-A virtual machine and log on as Woodgrovebank\Administrator. Add ASP.NET and Dynamic Content Compression features to the IIS Role.
4. 5. 6. 7.
Create the SalesSupport application and copy the ASP.NET application files. Deploy a second copy of the SalesSupport application named SalesSupport2 using Xcopy. Deploy the application updates to SalesSupport2 using Xcopy. Create and assign an application pool for SalesSupport2 and test functionality.
Task 1: Start the 6427A-DC1 virtual machine


Start 6427A-NYC-WEB-A, and log on as LocalAdmin with the password of Pa$$w0rd.
Task 3: Add ASP.NET and Dynamic Content Compression features to the IIS Role
On NYC-WEB-A, use Server Manager to add the ASP.NET and Dynamic Content Compression role services.
1. 2. On NYC-WEB-A, use IIS Manager to add the SalesSupport application with a physical path of c:\inetpub\wwwroot\SalesSupport. Copy the application files from E:\Mod08\Labfiles\SalesSupport to c:\inetpub\wwwroot\SalesSupport.
Task 5: Deploy a second copy of the SalesSupport application named SalesSupport2 using Xcopy
1. 2. 3. At the command prompt, change directories to c:\inetpub\wwwroot. Create a new directory named SalesSupport2. Use the xcopy command to copy all of the files and the directory structure from SalesSupport to SalesSupport2.
Task 6: Deploy the application updates to SalesSupport2 using Xcopy

1. 2. At the command prompt, use Xcopy to copy the updated files from E:\mod08\labfiles\salessupport2 to c:\inetpub\wwwroot\salessupport2. In IIS Manager, add the application SalesSupport2 with the physical path c:\inetpub\wwwroot\salesupport2.
Task 7: Create and assign an application pool for SalesSupport2 and test functionality
1. 2. In IIS Manager, add an application pool named SalesSupport2 and assign it to the SalesSupport2 application. In Internet Explorer, browse to http://localhost/salesupport, and then browse to http://localhost/salessupport2 and compare results.
Results: After this exercise, you should have successfully verified that the ASP.NET role service is installed, deployed that SalesSupport2 application, and verified functionality.
Exercise 2: Configuring IIS Performance Options

Scenario
Next you will configure performance options for the SalesSupport application. First, you will use Performance Monitor to look at the current machine performance. Then you will configure and test output caching, compression, and throttling.
Exercise Overview
In this exercise, students will learn how to configure IIS Performance Options. This exercises main tasks are: 1. 2. 3. 4. Use Performance Monitor to measure performance. Configure Output Caching. Configure Compression. Configure connection limit throttling.
Task 1: Use Performance Monitor to measure performance

1. 2. 3. 4. 5. On NYC-WEB-A, open Performance Monitor. Remove all counters, and then add the Web Service counters Bytes Sent/sec for all instances. With Performance Monitor running, in Internet Explorer, browse to http://localhost/salessupport/test.aspx. After the page loads, click refresh several times rapidly. Notice that the time is dynamically updated with each refresh. Close Internet Explorer. Examine the throughput in Performance Monitor.
Task 2: Configure Output Caching

1. In IIS Manager, add a cache rule to the SalesSupport application for the extension .aspx. 2. Select Kernel-mode caching. Click At time intervals, and then delete the existing text and type 00:00:10.
In Internet Explorer, browse to http://localhost/salessupport/test.aspx and click refresh several times rapidly for at least 30 seconds. Notice how often the time is updated. Browse to http://localhost/salessupport2/test.aspx, and then click refresh several times rapidly. Notice that the time updates with each refresh. In Reliability and Performance Monitor, compare the graphs for the two pages. You may need to zoom in to see the difference.
3. 4.
Task 3: Configure Compression

1. 2. 3. 4. 5. 6. In Internet Explorer, browse to http://localhost. Click refresh several times rapidly. In Reliability and Performance Monitor examine the throughput. In IIS Manager, enable static content compression for the default web site. In Internet Explorer, browse to http://localhost and click refresh several times rapidly. In Reliability and Performance Monitor examine the throughput. In Internet Explorer, browse to http://localhost/salessupport/test.aspx and click refresh several times rapidly.
7. 8. 9.
In Reliability and Performance Monitor examine the throughput. In IIS Manager, enable dynamic content compression. In Internet Explorer, browse to http://localhost/salessupport/test.aspx and click refresh several times rapidly.
10. In Reliability and Performance Monitor examine the throughput and compare results.
Task 4: Configure connection limit throttling

1. Open Internet Explorer and browse to http://localhost. Open two more tabs and browse to http://localhost so that you have three tabs open to http://localhost. Right-click a tab and choose Refresh All. Notice that all of the tabs refresh successfully. Close Internet Explorer. In IIS Manager, set a Web Site Limit for the default web site so that the number of connections is limited to 1. In Internet Explorer, open three tabs to http://localhost. Right-click a tab and choose Refresh All. Notice that one of the tabs now reports an error. Close Internet Explorer before continuing.
Results: After this exercise, you should have configured performance options and verified functionality.
2. 3. 4.
Exercise 3: Managing Application Pools to Improve Performance

Scenario
You will now modify the application pools to improve resource usage.
Exercise Overview
In this exercise, students will learn how to manage application pools to improve performance. This exercises main tasks are: 1. 2. 3. Use Reliability and Performance Monitor to measure resource usage. Recycle an application pool. Assign SalesSupport and SalesSupport2 to the same application pool.
Task 1: Use Reliability and Performance Monitor to measure resource usage

1. On NYC-WEB-A, open Internet Explorer and browse to http://localhost/salessupport. Open a second tab, and browse to http://localhost/salessupport2. Open Reliability and Performance Monitor. Examine the memory usage of w3wp.exe and the number of instances.
2.
Task 2: Recycle an application pool

1. 2. 3. In IIS Manager, recycle the SalesSupport2 application pool. In Reliability and Performance Monitor, examine the memory and number of instances of w3wp.exe and compare results. Close Internet Explorer before continuing.
Task 3: Assign SalesSupport and SalesSupport2 to the same application pool

1. 2. 3. In IIS Manager, modify the SalesSupport2 application to use the default application pool, and then remove the SalesSupport2 application pool. Open Internet Explorer and browse to http://localhost/salessupport. Open a second tab and browse to http://localhost/salessupport2. In Reliability and Performance Monitor, examine the memory and number of instances of w3wp.exe.
Results: After this exercise, you should have recycled and consolidated application pools, and verified resource usage with Reliability and Performance Monitor.
Lab Instructions: Ensuring Web Site Availability with Web Farms
Module 9
Contents:
Exercise 1: Backing Up an IIS Web Site Exercise 2: Restoring an IIS Web Site Exercise 3: Enabling Shared Configurations Exercise 4: Configuring Network Load Balancing 2 5 6 8
Lab: Ensuring Web Site Availability with Web Farms
Exercise 1: Backing Up an IIS Web Site

Scenario
The Enterprise Design Team has asked you to explore options for increasing Web site availability. Before you begin, you will back up an existing site and verify that it can be restored properly.
The main tasks for this exercise are as follows: 1. 2. 3. 4. Start the 6427A-NYC-DC1 virtual machine. Start the 6427A-NYC-WEB-D virtual machine and log on as Woodgrovebank\Administrator. Start the 6427A-NYC-WEB2 virtual machine and log on as Woodgrovebank\Administrator. Backup the Web site, Web application, and config files to the E: drive.
Task 1: Start the 6427A-NYC-DC1 virtual machine Task 2: Start the 6427A-NYC-WEB-D virtual machine and log on as Woodgrovebank\Administrator
Log on to NYC-WEB-D. User: Woodgrovebank\Administrator Password: Pa$$w0rd
Task 3: Start the 6427A-NYC-WEB2 virtual machine and log on as Woodgrovebank\Administrator

Log on to NYC-WEB2. User: Woodgrovebank\Administrator Password: Pa$$w0rd
Task 4: Backup the Web site, Web application, and config files to the E: drive
1. Create a new folder: 2. E:\Web Site Backup
Copy the files: Source: C:\inetpub\wwwroot Destination: \\NYC-WEB-D\E\Web Site Backup
Results: After this exercise, you should have successfully backed up a Web site. Provide the results of the exercise so students will know when and if they have completed the lab exercise successfully.
Exercise 2: Restoring an IIS Web Site

Scenario
The Enterprise Design Team has asked you to verify that the backups can be restored properly. Do this by restoring the Web files to a second server and confirm that the second server functions properly. The main task for this exercise is: 1. Restore the Web site, Web application, and config files from the shared drive.
Task 1: Restore the Web site, Web application, and config files from the shared drive
1. 2. Open the default Web site in Internet Explorer on NYC-WEB2. Copy the files: 3. Source: \\NYC-WEB-D\E\Web Site Backup Destination C:\inetpub\wwwroot
Refresh the default Web site in Internet Explorer on NYC-WEB2.

Results: After this exercise, you should have successfully restored a Web site to a second server. Provide the results of the exercise so students will know when and if they have completed the lab exercise successfully.
Exercise 3: Enabling Shared Configurations

Scenario
The next step is for increasing Web site availability. Now that you have two identically configured Web servers, implement shared configurations for them. The main tasks for this exercise are as follows: 1. 2. 3. Export and Enable Shared Configuration. Add the second Web server to use the Shared Configuration. Test the Shared Configuration.
Task 1: Export and Enable Shared Configuration

1. Export configuration using IIS Manager. 2. 3. Server: NYC-WEB-D Physical Path: \\NYC-WEB-D\E Encryption keys password: Pa$$w0rd
Using IIS Manager, enable shared configuration. Physical Path: \\NYC-WEB-D\E User name: Woodgrovebank\Administrator Password: Pa$$w0rd Encryption key password: Pa$$w0rd
Using IIS Manager, start Management Service.
Task 2: Add the second Web server to use the Shared Configuration.
1. Using IIS Manager, enable shared configuration. 2. Server: NYC-WEB2 Physical Path: \\NYC-WEB-D\E User name: Woodgrovebank\Administrator Password: Pa$$w0rd Encryption key password: Pa$$w0rd
Using IIS Manager, start Management Service.
Task 3: Test the Shared Configuration.

1. Using IIS Manager, add the default document for NYC-WEB-D. 2. Server: NYC-WEB-D Name: test.html
Using IIS Manager, check the default document for NYC-WEB2.

Results: After this exercise, you should have successfully configured a two-server network with an underlying foundation of shared configurations.
Exercise 4: Configuring Network Load Balancing

Scenario
With the two Web servers set up with Shared Configurations, configure Network Load Balancing to increase Web site availability. The main tasks for this exercise are as follows: 1. 2. 3. 4. Create a new Network Load Balancing cluster. Add the second host to the Network Load Balancing cluster. Add the second server to the Network Load Balancing cluster. Verify Network Load Balancing using NLB commands.
Task 1: Create a new Network Load Balancing cluster

Using Network Load Balancing Manager, add a new cluster. Server: NYC-WEB-D Host: NYC-WEB-D Interface IP address: 10.10.0.21 Cluster IP Addresses, IPv4 address: 10.10.0.27 Cluster IP Addresses, Subnet mask: 255.255.0.0 Full Internet name: cluster.woodgrovebank.com
Task 2: Add the second host to the Network Load Balancing cluster
Using Network Load Balancing Manager, add the second host to the cluster. Host: NYC-WEB2 Local Area Connection interface IP address: 10.10.0.26 Priority (unique host identifier): 2
Task 3: Add the second server to the Network Load Balancing cluster
Using Network Load Balancing Manager, add the second server to the cluster. Server: NYC-WEB2
Task 4: Verify Network Load Balancing using NLB commands

1. Using the Command Prompt, verify Network Load Balancing. 2. 2. Server: NYC-WEB2 Command: NLB query 10.10.0.27
Using the Command Prompt, verify Network Load Balancing. Server: NYC-WEB-D Command: NLB query 10.10.0.27
Using the Command Prompt, verify Network Load Balancing. Server: NYC-WEB-D Command: NLB display
Results: After this exercise, you should have successfully restored a Web site to a second server. Provide the results of the exercise so students will know when and if they have completed the lab exercise successfully.
Lab Instructions: Troubleshooting IIS 7.0 Web Servers
Module 10
Contents:
Exercise 1: Troubleshooting Authentication Exercise 2: Troubleshooting Authorization Exercise 3: Troubleshooting Communication Exercise 4: Troubleshooting Configuration 2 5 7 9
Lab: Troubleshooting IIS 7.0 Web Servers
Exercise 1: Troubleshooting Authentication

Scenario
You receive a service request asking to resolve a user issue. The passwordprotected intranet site is accessed by domain users within the company, but is not allowing access to anyone. Using logs and detailed error messages, you must resolve the problem.
Exercise Overview
In this exercise, you will troubleshoot an authentication issue using IIS logs and detailed error messages. This exercises main tasks are: 1. 2. 3. 4. 5. 6. 7. Start the 6427A-NYC-DC1 virtual machine and log on as Woodgrovebank\Administrator. Start the 6427A-NYC-WEB-E virtual machine and log on as Woodgrovebank\Administrator. Browse to http://localhost/salessupport. Examine the log file. Enable Detailed Error Messages. Reproduce the issue and examine the detailed error. Resolve the issue and test functionality.
Task 1: Start the 6427A-NYC-DC1 virtual machine and log on as Woodgrovebank\Administrator

Start 6427A-NYC-DC1 and log on as Woodgrovebank\Administrator, password Pa$$w0rd.
Task 2: Start the 6427A-NYC-WEB-E virtual machine and log on as Woodgrovebank\Administrator

Start 6427A-NYC-WEB-E and log on as Woodgrovebank\Administrator, password Pa$$w0rd.
Task 3: Browse to http://localhost/salessupport

On NYC-WEB-E, test functionality by loading http://localhost/salessupport in the browser.
Task 4: Examine the log file

In C:\inetpub\logs\LogFiles\W3SVC1, open the most recent log file and look for the error. Note the substatus.
Task 5: Enable Detailed Error Messages

In IIS Manager, enable Detailed errors for local requests and custom error pages for remote requests.
Task 6: Reproduce the issue and examine the detailed error

In Internet Explorer, browse to http://localhost/salessupport. Examine the detailed error information.
Task 7: Resolve the issue and test functionality

1. 2. Based on the detailed error, modify the configuration in IIS Manager to correct the issue. In Internet Explorer, browse to http://localhost/salessupport to verify that the issue has been corrected.
Results: After this exercise, you should have successfully examined the IIS log files, enabled detailed error messages, and resolved the authentication issue.
Exercise 2: Troubleshooting Authorization

Scenario
You receive another service request to secure another Web site where all users are able to view the content. You must reproduce the issue, determine the cause, and resolve the issue.
Exercise Overview
In this exercise, you will troubleshoot authorization using Failed Request Tracing. This exercises main tasks are: 1. 2. 3. 4. Browse to http://localhost/salessupport2. Enable Failed Request Tracing and add a rule to trace successful requests. Reproduce the issue and examine the Failed Request Tracing log. Resolve the issue and verify functionality.
Task 1: Browse to http://localhost /salessupport2

On NYC-WEB-E, in Internet Explorer, browse to http://localhost/salessupport2.
Task 2: Enable Failed Request Tracing and add a rule to trace successful requests
In IIS Manager, add a Failed Request Tracing rule to trace successful requests.
Task 3: Reproduce the issue and examine the Failed Request Tracing log
1. 2. In Internet Explorer, browse to http://localhost/salessupport2. Examine the latest failed request tracing log in c:\inetpub\logs \FailedReqLogFiles\W3SVC1. Examine the authorization information in the log.
Task 4: Resolve the issue and verify functionality

Based on the log, modify the configuration in IIS Manager to correct the issue. In Internet Explorer, browse to http://localhost/salessupport2 to verify that the issue has been corrected
Results: After this exercise, you should have successfully enabled failed request tracing, and resolved the authorization issue.
Exercise 3: Troubleshooting Communication

Scenario
Users are reporting that a Web application is returning an error when they try to browse to it. You must troubleshoot why the Web application cannot open the content.
Exercise Overview
In this exercise, you will troubleshoot communication using tools. This exercises main tasks are: 1. 2. 3. 4. Reproduce the issue. Use Ping to verify communication with the Web server. Enable detailed errors and examine the detailed error. Correct the problem and verify functionality.
Task 1: Reproduce the issue

On NYC-DC1, in Internet Explorer, browse to http://nyc-webe/netapp/content.
Task 2: Use Ping to verify communication with the Web server

At the command prompt, type ping NYC-WEB-E, and then press ENTER.
Task 3: Enable detailed errors and examine the detailed error

1. 2. On NYC-WEB-E, in IIS Manager, enable detailed errors. In Internet Explorer, browse to http://localhost/netapp/content. Examine the detailed error information.
Task 4: Correct the problem and verify functionality

1. 2. On NYC-WEB-E, in IIS Manager, correct the configuration based on the information from the detailed error. In Internet Explorer, browse to http://localhost/netapp/content to verify that the error has been corrected.
Results: After this exercise, you should used ping to verify communication, enabled detailed error messages, and resolved the error.
Exercise 4: Troubleshooting Configuration

Scenario
Users are reporting they receive multiple errors when trying to view JPG files that previously worked. You know that multiple people have the ability to modify this site including Web.config and related files.
Exercise Overview
In this exercise, you will troubleshoot configuration using detailed error messages. This exercises main tasks are: 1. 2. 3. Reproduce the issue and examine the detailed error message. Examine and correct the web.config file. Verify functionality.
Task 1: Reproduce the issue and examine the detailed error message
1. 2. On NYC-WEB-E, in Internet Explorer, browse to http://localhost/pics/logo.jpg Examine the detailed error information.
Task 2: Examine and correct the web.config file

Open the web.config file located in c:\Pics. Correct the error and save the file based on the information from the detailed error.
Task 3: Verify functionality

In Internet Explorer, browse to http://localhost/pics/logo.jpg.
Results: After this exercise, you should have reproduced the problem, examined the detailed error message, and resolved the error.
Lab Answer Key: Configuring an Internet Information Services 7.0 Web Server
Module 1
Contents:
Exercise 1: Installing IIS Using Role Manager Exercise 2: Installing IIS Using Unattended Setup Exercise 3: Installing IIS on Server Core from Command Line Exercise 4: Configuring IIS and Validating Functionality 2 5 8 10
Lab: Configuring an IIS 7.0 Web Server

Logon Information:
Virtual Machine: NYC-SVR1, NYC-SVR2, NYC-SVR3 User Name: LocalAdmin or Administrator Password: Pa$$w0rd
Estimated time: 60 minutes
Exercise 1: Installing IIS using Role Manager

Scenario
You receive a service request from the Enterprise Design Team to prepare three Web servers to host Web sites and Web applications. One of the companies acquired by Woodgrove Bank has a classic ASP application that needs to be hosted in IIS7.
Exercise Overview
In this exercise, you will learn how to install IIS 7.0 using Role Manager. This exercises main tasks are: 1. 2. 3. Start the 6427A-NYC-SVR1 virtual machine and log on as LocalAdmin. Turn on Network Discovery. Install the Web server role.
Note: If you have already logged on to a virtual machine, skip the logon task for that particular virtual machine. Task 1: Start the 6427A-NYC-SVR1 virtual machine and log on as LocalAdmin
1. 2. On the Lab Launcher, next to 6427A-NYC-SVR1, click Launch. Log on to NYC-SVR1 as LocalAdmin with the password of Pa$$w0rd.

1. 2. On NYC-SVR1, click Start | Network. Click the information bar with the text Network discovery and file sharing are turned off. Network computers and devices are not visible. Click to change.... Click Turn on network discovery and file sharing. Click Yes, turn on network discovery and file sharing for all public networks. Close Network.
3. 4. 5.
Task 3: Install the Web server role

1. 2. 3. 4. 5. 6. 7. 8. 9. On NYC-SVR1, click Start and click Server Manager. In the details pane, in the Roles Summary section, click Add roles. The Add Roles Wizard dialog box appears. Click Next. In the Roles box, select Web Server (IIS). The Add Roles Wizard dialog box appears. Click Add Required Features. Click Next twice. In the Roles services box, select ASP. The Add Roles Wizard dialog box appears. Click Add Required Role Services. Click Next and then click Install.
10. When the installation is complete, click Close.
11. In the console pane, expand Roles. 12. Notice that the Web Server (IIS) role is installed. 13. Click Start | All Programs | Internet Explorer. 14. The Microsoft Windows Internet Explorer window opens. Browse to http://localhost. 15. Notice that the IIS7 Welcome page loads, indicating that IIS is successfully installed and running.
Results: After this exercise you should have successfully verified that the Web Server (IIS) role is installed and loaded the IIS Welcome page in Internet Explorer.
Exercise 2: Installing IIS Using Unattended Setup

Scenario
Now you will set up the second IIS Web server to host the new ASP.NET application. You will install IIS by creating an Unattend.XML file based on the example given on the student CD by modifying it to only install the features needed. This will be an ASP.NET application server and will need to have all security, compression and caching features installed so that development can experiment with configuration.
Exercise Overview
In this exercise, you will learn how to install IIS using unattended setup. This exercises main tasks are: 1. 2. 3. 4. Start the 6427A-NYC-SVR3 virtual machine and log on as LocalAdmin. Turn on Network Discovery. Create the Unattend.XML file by copying the default XML file provided and removing unnecessary features. Install IIS using Pkgmgr with the Unattend.XML file and verify once completed.

1. 2. On the Lab Launcher, next to 6427A-NYC-SVR3, click Launch. Log on to NYC-SVR3 as LocalAdmin with the password of Pa$$w0rd.

1. 2. On NYC-SVR3, click Start | Network. Click the information bar with the text Network discovery and file sharing are turned off. Network computers and devices are not visible. Click to change.... Click Turn on network discovery and file sharing. Click Yes, turn on network discovery and file sharing for all public networks.
3. 4.
5.
Close Network.
Task 3: Create the Unattend.XML file by copying the default XML file provided and removing unnecessary features
1. 2. 3. 4. 5. 6. Click Start, type Notepad, and then press Enter. The Notepad window opens. On the File menu, click Open. The Open dialog box appears. In the Text Documents list, click All Files. Browse E:\Mod01\Labfiles. Click unattend_all.xml and then click Open. Delete the following lines:
name="IIS-HttpRedirect" state="true"/> name="IIS-ASP" state="true"/> name="IIS-CGI" state="true"/> name="IIS-IIS6ManagementCompatibility" state="true"/> name="IIS-Metabase" state="true"/> name="IIS-WMICompatibility" state="true"/> name="IIS-LegacyScripts" state="true"/> name="IIS-LegacySnapIn" state="true"/>
<selection <selection <selection <selection <selection <selection <selection <selection
7.
The Unattend.Xml file needs to be modified with the correct
version number. It should read Version="6.0.6001.18000" (this will match the HAL major and minor version numbers). To do this, Edit Version=6.0.6001.16659 to Version="6.0.6001.18000" 8. 9. On the File menu, click Save As. The Save As dialog box appears. Type c:\unattend.xml, and then click Save.
10. Close Notepad.
Task 4: Install IIS using Pkgmgr with the Unattend.XML file and verify once completed
1. Click Start, and then click Command Prompt.
2. 3. 4. 5. 6. 7. 8. 9.
Type cd \ and then press Enter. Type start /w pkgmgr /n:unattend.xml and then press Enter. When the process completes, type echo %errorlevel% and then press Enter. Note that it may take up to four minutes to complete. Notice that the return code is 0 indicating a successful installation. Type exit, and then press Enter. In Server Manager, in the console pane, expand Roles. Note that you may need to refresh the console. Notice that Web Server (IIS) is installed. Click Start | All Programs | Internet Explorer.
10. The Windows Internet Explorer window opens. Browse to http://localhost. 11. Notice that the IIS Welcome page appears.
Results: After this exercise you should have successfully installed IIS using an unattend file and verified the IIS Welcome page.
Exercise 3: Installing IIS on Server Core from Command Line

Scenario
The final server you will install is a Server Core Web server that will act primarily as a redirection server to the ASP server.
Exercise Overview
In this exercise, you will learn how to install IIS via the command line in a Server Core environment. This exercises main tasks are: 1. 2. 3. Start the 6427A-NYC-SVR2 virtual machine and log on as Administrator. Disable the firewall. Install IIS from the command line.
Task 1: Start the 6427A-NYC-SVR2 virtual machine and log on as Administrator

1. 2. On the Lab Launcher, next to 6427A-NYC-SVR2, click Launch. Log on to NYC-SVR2 as Administrator with the password of Pa$$w0rd.
Task 2: Disable the firewall

On NYC-SVR2, in the command prompt window, type netsh firewall set opmode disable and press Enter.
Note: Disabling the firewall should not be done in a real-world environment as it is bad security practice.
Task 3: Install IIS from the command line

1. Type the following and then press Enter. Note that the feature names are casesensitive: Start /w pkgmgr /iu:IIS-WebServerRole;IIS-WebServer;IISCommonHttpFeatures;IIS-StaticContent;IIS-DefaultDocument;IISHttpErrors;IIS-HttpRedirect;WAS-WindowsActivationService;WASProcessModel 2. 3. 4. 5. When the process completes, type echo %errorlevel%, and then press Enter. Note that it may take up to two minutes to complete. Notice that the return code is 0 indicating a successful installation. On NYC-SVR1, in Internet Explorer, browse to http://nyc-svr2. Notice that the IIS Welcome page loads, indicating that the Web server role on NYC-SVR2 is installed and functioning.
Results: After this exercise you should have successfully installed IIS on Microsoft Server 2008 Server Core from the command line and verified by loading the IIS Welcome page from another machine running Internet Explorer.
10
Exercise 4: Configuring IIS and Validating Functionality

Scenario
With the three Web servers installed, configure each as necessary to perform its function.
Exercise Overview
In this exercise, you will configure common IIS features and validate functionality. This exercises main tasks are: 1. 2. Configure NYC-SVR1 for ASP debugging, detailed error messages, HTTP compression and SMTP Service. Configure NYC-SVR3 to trace server errors, enable directory browsing, enable windows authentication and impersonation, configure UDDI, and enable dynamic output compression. Configure NYC-SVR2 to have no default documents, and redirect requests to NYC-SVR1.
3.
Task 1: Configure NYC-SVR1 for ASP debugging, detailed error messages, and HTTP compression
1. 2. 3. 4. 5. 6. 7. 8. On NYC-SVR1, click Start | Administrative Tools | Internet Information Services (IIS) Manager. In the Connections pane, expand NYC-SVR1 | Sites, and then click Default Web Site. In the details pane, double-click ASP. In the Compilation section, expand Debugging Properties. In the Enable Client-side Debugging list, click True. In the Enable Server-side Debugging list, click True. In the Send Errors to Browser list, click True. In the Actions pane, click Apply.
11
9.
In the Connections pane, click Default Web Site.
10. In the details pane, double-click HTTP Response Headers. 11. In the Actions pane, click Set Common Headers. 12. The Set Common HTTP Response Headers dialog box appears. Select Expire Web content, and then click OK. 13. In the Connections pane, click Default Web Site. 14. In the details pane, double-click Compression. 15. Notice that Enable static content compression is checked. 16. In the Connections pane, click Default Web Site. 17. In the details pane, double-click Error Pages. 18. In the Actions pane, click Edit Feature Settings 19. The Edit Error Pages Settings dialog box appears. Click Detailed errors, and then click OK. 20. On NYC-SVR3, in the Internet Explorer, browse to http://nycsvr1/default.asp. 21. Notice that you get a detailed HTTP Error 404 page, indicating that the NYCSVR1 web server has been configured properly. Question: How does the Detailed Error page differ from the default Custom error page? Answer: The Detailed Error Page lists trace events and steps for troubleshooting.
Task 2: Configure NYC-SVR3 to trace server errors, enable directory browsing, enable windows authentication and impersonation, configure UDDI, and enable dynamic output compression and SMTP
1. 2. 3. On NYC-SVR3, click Start | Administrative Tools | Internet Information Services (IIS) Manager. In the Connections pane, expand NYC-SVR3 | Sites, and then click Default Web Site. In the Actions pane, click Failed Request Tracing.
12
4. 5. 6. 7. 8. 9.
The Edit Web Site Failed Request Tracing Settings dialog box appears. Select Enable, and then click OK. In the details pane, in the IIS section, double-click Failed Request Tracing Rules. In the Actions pane, click Add. The Add Failed Request Tracing Rule dialog box appears. Click Next. In the Status code(s) field, type 500. Select Event severity, and then in the Event severity list, click Critical Error.
10. Click Next and then click Finish. 11. In the Connections pane, click Default Web Site. 12. In the details pane, in the IIS section, double-click Directory Browsing. 13. In the Actions pane, click Enable. 14. In the Connections pane, click Default Web Site. 15. In the details pane, in the IIS section, double-click Authentication. 16. In the details pane, click Windows Authentication. 17. In the Actions pane, click Enable. 18. In the details pane, click ASP.NET Impersonation. 19. In the Actions pane, click Enable. 20. In Server Manager, in the console pane, right-click Roles and then click Add Roles. 21. The Add Roles Wizard dialog box appears. Click Next. 22. Select UDDI Services, and then click Next twice. 23. Select UDDI Services Database and UDDI Services Web Application. 24. The Add Roles Wizard dialog box appears. Click Add Required Role Services, and then click Next. 25. Click Do not require SSL, and then click Next seven times. Click Install. 26. When installation completes, click Close. Note that it may take up to eight minutes to complete. 27. In Internet Information Services (IIS) Manager, in the Connections pane, click Default Web Site.
13
28. In the details pane, in the IIS section, double-click Output Caching. 29. In the Actions pane, click Add. 30. The Add Cache Rule dialog box appears. In the File name extension field, type .aspx. 31. Select User-mode caching and then click OK. 32. In the Connections pane, click Default Web Site. 33. In the details pane, in the ASP.NET section, double-click SMTP E-mail. 34. In the E-mail address field, type NYC-SVR3@WoodgroveBank.com. 35. In SMTP Server field, type SMTP.WoodgroveBank.com. 36. In the Actions pane, click Apply. 37. In Internet Explorer, browse to http://localhost/uddi. 38. Notice the UDDI Services page loads. 39. Browse to http://localhost/aspnet_client. 40. Notice that there is a detailed HTTP Error 500.24. 41. Under Detailed Error Information, right-click C:\inetpub\logs\FailedReqLogFiles, and then click Copy Shortcut. 42. Click Start | Run. Right-click the Open field and then click Paste. 43. Click OK. 44. Double-click W3SVC1. 45. Notice that there is a failed request log for the server error: fr00001.xml.
Task 3: Configure NYC-SVR2 to have no default documents, and redirect requests to NYC-SVR1
1. 2. 3. 4. On NYC-SVR2, in the command prompt window, type cd \windows\system32\inetsrv\config and then press Enter. Type edit applicationHost.config and then press Enter. Scroll down to <defaultDocument enabled="true"> (approximately line 169), and change "true" to "false". Scroll down to <httpRedirect enabled="false" /> (approximately line 246), and modify this line to read:
14
<httpRedirect enabled="true" exactDestination="false" childOnly="false" destination="http://10.10.0.24/" /> 5. 6. 7. 8. On the File menu, click Save. On the File menu, click Exit. On NYC-SVR3, in Internet Explorer, browse to http://nyc-svr2. Notice that the IIS 7 Welcome page loads and the address field has changed to http://10.10.0.24. Question: What would be displayed if redirection was not enabled? Answer: Since there is no default document, an error message would be displayed and the address bar would still display http://nyc-svr2. 9. Close each of the running virtual machines. Do not save changes so they are reset to default for the next lab.
Results: After this exercise you should have successfully configured and verified the configuration of the three web servers.
Note: After you have completed the lab exercises closing the VMs and selecting undo disk is not required for hosted labs. Click the Quit button to exit.
Lab Answer Key: Configuring IIS 7.0 Web Sites and Application Pools
Module 2
Contents:
Exercise 1: Configuring Authentication Types Exercise 2: Creating a Web Site and Web Application Exercise 3: Creating an Application Pool Exercise 4: Configuring an Existing Application Pool 2 6 9 10
Lab: Configuring IIS 7.0 Web Sites and Application Pools

Logon Information:
Virtual Machine: NYC-DC1, NYC-WEB-A, NYC-SVR1 User Name: Administrator Password: Pa$$w0rd
Exercise 1: Configuring Authentication Types

Scenario
You receive a service request from the Enterprise Design Team to organize the existing NYC-WEB-A server into virtual directories by access level. There will be two access levels: public and restricted. Anyone on the network should be able to access the public content. Only authenticated users should be able to access restricted.
Exercise Overview
In this exercise, you will learn how to create virtual directories and configure anonymous authentication. This exercises main tasks are: 1. 2. 3. 4. 5. Start the 6427A-NYC-DC1 virtual machine. Start the 6427A-NYC-WEB-A virtual machine and log on as Woodgrovebank\Administrator. Add Basic, Windows Integrated and Digest Security features to the IIS Role. Create a virtual directory named Public. Configure the public virtual directory for anonymous authentication.
Note: If you have already logged on to a virtual machine, skip the logon task for that particular virtual machine.
Task 1: Start the 6427A-NYC-DC1 virtual machine

On the Lab Launcher, next to 6427A-NYC-DC1 click Launch.

1. 2. On the Lab Launcher, next to 6427A-NYC-WEB-A click Launch. Log on to NYC-WEB-A as Woodgrovebank\Administrator with the password of Pa$$w0rd.
Task 3: Add Basic, Windows Integrated and Digest Security features to the IIS Role
1. 2. 3. On NYC-WEB-A, in Server Manager, in the console pane, expand Roles and then click Web Server (IIS). Right-click Web Server (IIS) and then click Add Role Services. The Add Role Services dialog box appears. In the Role services box, under Security, select Basic Authentication, Windows Authentication, and Digest Authentication. Click Next and then click Install. When the installation is complete, click Close. In the details pane, in the Role Services section, notice that Basic Authentication, Windows Authentication, and Digest Authentication are listed as Installed.
4. 5. 6.
Task 4: Create a virtual directory named public

1. 2. 3. 4. Click Start | Administrative Tools | Internet Information Services (IIS) Manager. In the Connections pane, expand NYC-WEB-A | Sites and then click Default Web Site. In the Actions pane, click View Virtual Directories. Click Add Virtual Directory.
5. 6. 7. 8. 9.
The Add Virtual Directory dialog box appears. In the Alias field, type Public. Next to the Physical path field, click the Browse (...) button. The Browse For Folder dialog box appears. Browse to C:\inetpub, and then click Make New Folder. Type Public, and then click OK. Click OK.
10. Click Start | Computer and then browse to C:\inetpub\wwwroot. 11. Select all, then right-click and then click Copy. 12. Browse to C:\inetpub\public, right-click, and then click Paste.
Task 5: Configure the public virtual directory for anonymous authentication

1. 2. 3. 4. 5. 6. 7. 8. 9. In Internet Information Services (IIS) Manager, in the Connections pane, expand Default Web Site and then click Public. In the details pane, double-click Authentication. Click Anonymous Authentication. Notice that it is enabled. In the Actions pane, click Edit. The Edit Anonymous Authentication Credentials dialog appears. Notice that Specific user is selected and set to IUSR. Click Cancel. In Server Manager, in the console pane, expand Configuration | Local Users and Groups and then click Users. In the details pane, right-click Guest, and then click Properties. The Guest Properties dialog box appears. Clear Account is disabled, and then click OK.
Note: It is a poor security practice and should not be done in a real-world scenario. 10. Click Start | Administrative Tools | Local Security Policy. 11. The Local Security Policy window opens. In the console pane, expand Local Policies and then click User Rights Assignment. 12. In the details pane, right-click Allow log on locally, and then click Properties.
13. The Allow log on locally Properties dialog appears. Click Add User or Group. 14. The Select Users, Computers, or Groups dialog box appears. Click Locations. 15. The Locations dialog box appears. Click NYC-WEB-A, and then click OK. 16. In the Enter the object names to select field, type Guest, and then click OK twice. 17. Close Local Security Policy. 18. Click Start | Switch User. 19. Logon as NYC-WEB-A\Guest with no password. 20. Click Start | All Programs | Internet Explorer. 21. The Windows Internet Explorer window opens. Browse to http://localhost. Note that weve set the default site to the Public virtual directory so theres no need to use localhost/public. Notice that the IIS7 Welcome page loads. 22. Click Start | Switch User. 23. Log on as Woodgrovebank\Administrator with the password of Pa$$w0rd.
Results: After this exercise, you should have created virtual directories on the Web server and provided both public and restricted access levels to those directories.
Exercise 2: Creating a Web Site and Web Application

Scenario
Next you will create two web sites, and two web applications, in the employee and restricted virtual directories, named Woodgrove and Exec respectively. Exec will be a .NET 3.0 application. You will also delegate administrative access to ITAdmins_WoodgroveGG.
Exercise Overview
In this exercise, you will learn how to create web sites and applications. This exercises main tasks are: 1. 2. 3. 4. Create a site named Woodgrove. Copy the Woodgrove application to the appropriate directory. Add the .NET 3.0 Feature to the server. Delegate administrative access of Woodgrove to ITAdmins_WoodgroveGG.
Task 1: Create a site named Woodgrove

1. 2. 3. 4. 5. 6. On NYC-WEB-A, in Internet Information Services (IIS) Manager, in the Connections pane, click Sites. In the Actions pane, click Add Web Site. The Add Web Site dialog box appears. In the Site name field, type Woodgrove. In Physical path, click the Browse (...) button. The Browse For Folder dialog box appears. Browse to C:\inetpub, and then click Make New Folder. Type woodgrove, and then click OK.
7. In the Port field, type 88, and then click OK.
Task 2: Copy the Woodgrove Application to the Appropriate Directory

1. 2. 3. In Windows Explorer, browse to E:\Mod02\Labfiles\WoodGrove. Select all, then right-click, and then click Copy. Browse to C:\inetpub\woodgrove, right-click, and then click Paste.
Task 3: Add the .NET 3.0 Feature and ASP.NET to the server
1. 2. 3. 4. 5. 6. 7. 8. 9. In Server Manager, in the console pane, click Features. In the details pane, click Add Features. The Add Features Wizard dialog box appears. Select .NET Framework 3.0 Features. The Add Features Wizard dialog box appears. Click Add Required Role Services. Click Next twice. On the Select Role Services page, select ASP.NET. The Add Features Wizard dialog box appears. Click Add Required Role Services. Click Next, and then click Install. When the installation is complete, click Close.
Task 4: Delegate administrative access of Woodgrove to ITAdmins_WoodgroveGG

1. 2. 3. 4. 5. 6. Internet Information Services (IIS) Manager, in the Connections pane, expand Sites and then click Woodgrove. In the Actions pane, click Edit Permissions. The woodgrove Properties dialog box appears. Click the Security tab. Click Edit. The Permissions for woodgrove dialog box appears. Click Add. The Select, Users, Computers, or Groups dialog box appears. In the Enter the object names to select field, type ITAdmins_WoodgroveGG, and then click Check Names.
7. 8.
Click OK. Next to Full control, select Allow and then click OK twice.
Results: After this exercise, you should have successfully installed .NET 3.0 Framework, ASP.NET, and created the Woodgrove site and copied its content.
Exercise 3: Creating an Application Pool

Scenario
You will now create a new application pool for temporary applications.
Exercise Overview
In this exercise, you will learn how to create an application pool. This exercises main tasks are: Create an application pool named TempPool.
Task 1: Create an application pool named TempPool

1. 2. 3. 4. 5. On NYC-WEB-A, in Internet Information Services (IIS) Manager, expand NYC-WEB-A and then click Application Pools. In the Actions pane, click Add Application Pool. The Add Application Pool dialog box appears. In the Name field, type TempPool. Click OK. In the details pane, notice that TempPool appears in the list of application pools.
Results: After this exercise, you should have successfully added an application pool named TempPool.
10
Exercise 4: Configuring an Existing Application Pool

Scenario
Next, you will configure the new application pools according to the needs for the new applications. You will also practice starting, stopping, and recycling the application pools and configuring health settings. You will also rename the Exec and Woodgrove pools to ExecPool and WoodgrovePool.
Exercise Overview
In this exercise, you will configure the application pools and validate functionality. This exercises main tasks are: 1. 2. 3. 4. 5. 6. 7. Rename Woodgrove to WoodgrovePool. Configure WoodgrovePool and the Woodgrove site for Windows Integrated authentication to allow all authenticated users. Configure TempPool to use LocalSystem as worker process identity. Stop, start and recycle WoodgrovePool. Configure TempPool for Classic Pipeline Mode. Remove TempPool. Configure Health and Recycling settings for WoodgrovePool.
Task 1: Rename Woodgrove to WoodgrovePool

1. 2. 3. 4. 5. 6. 7. 8. On NYC-WEB-A, in Internet Information Services (IIS) Manager, expand Sites and then click Woodgrove. In the Actions pane, click Basic Settings. The Edit Site dialog box appears. Click Select. The Select Application Pool dialog box appears. In the Application pool list, click TempPool, and then click OK twice. In the Connections pane, click Application Pools. In the details pane, click Woodgrove. In the Actions pane, click Rename. Type WoodgrovePool, and then press Enter.
11
9.
In the Connections pane, click Woodgrove.
10. In the Actions pane, click Basic Settings. 11. The Edit Site dialog box appears. Click Select. 12. The Select Application Pool dialog box appears. In the Application pool list, click WoodgrovePool, and then click OK twice.
Task 2: Configure WoodgrovePool and the Woodgrove site for Windows Integrated authentication to allow all authenticated users
1. 2. 3. 4. 5. 6. 7. 8. 9. In the Connections pane, expand Sites and then click Woodgrove. In the details pane, double-click Authentication. Click Windows Authentication. In the Actions pane, click Enable. In the details pane, click Anonymous Authentication. In the Actions pane, click Disable. On the Lab Launcher, next to 6427A-NYC-SVR1 click Launch. Log on to NYC-SVR1 as LocalAdmin with the password of Pa$$w0rd. Note that this machine is not joined to the domain. Click Start | All Programs | Internet Explorer.
10. The Windows Internet Explorer window opens. Browse to http://nyc-weba.woodgrovebank.com. Notice that the IIS Welcome page appears indicating that the previous anonymous public site configuration is correct.
12
11. Browse to http://nyc-web-a.woodgrovebank.com:88. Notice that there is an error message and the page will not load. Windows authentication has failed for this user/machine. Question: Why does Windows authentication fail? Answer: Because NYC-SVR1 is not joined to the Woodgrovebank domain, the user account cannot be authenticated. 12. On NYC-WEB-A, click Start | All Programs | Internet Explorer. 13. The Windows Internet Explorer window opens. Browse to http://localhost:88. Notice that the Woodgrove Bank page appears. Windows authentication is successful.
Task 3: Configure TempPool to use LocalSystem as worker process identity

1. 2. 3. 4. 5. 6. 7. In Internet Information Services (IIS) Manager, in the Connections pane, click Application Pools. In the details pane, click TempPool. In the Actions pane, click Advanced Settings. The Advanced Settings dialog box appears. Under the Process Model section, click Identity. Next to NetworkService, click the Browse (...) button. The Application Pool Identity dialog box appears. In the Built-in account list, click LocalSystem. Click OK twice.
Task 4: Stop, start and recycle WoodgrovePool

1. 2. 3. 4. In the Connections pane, click Application Pools. In the details pane, click WoodgrovePool. In the Actions pane, click Stop. In the details pane, notice that the status of WoodgrovePool changes to Stopped.
13
5. 6. 7.
In the Actions pane, click Start. In the details pane, notice that the status of WoodgrovePool changes to Started. In the Actions pane, click Recycle. WoodgrovePool recycles, however the results may not be visible.
Task 5: Configure TempPool for Classic Pipeline Mode

1. 2. 3. 4. 5. In the Connections pane, click Application Pools. In the details pane, click TempPool. In the Actions pane, click Basic Settings. The Edit Application Pool dialog box appears. In the Managed pipeline mode list, click Classic. Click OK.
Task 6: Remove TempPool

1. 2. 3. 4. In the Connections pane, click Application Pools. In the details pane, click TempPool. In the Actions pane, click Remove. The Confirm Remove dialog box appears. Click Yes.
14
Task 7: Configure Health and Recycling settings for WoodgrovePool

1. 2. 3. 4. 5. 6. 7. 8. 9. In the Connections pane, click Application Pools. In the details pane, click WoodgrovePool. In the Actions pane, click Recycling. The Edit Application Pool Recycling Settings dialog box appears. Select Fixed number of requests. In the Fixed Number of requests field, type 1000. Click Next. On the Recycling Events to Log page, select Number of requests. Click Finish. In the Actions pane, click Advanced Settings.
10. The Advanced Settings dialog box appears. In the Rapid-Fail Protection section, click Failure Interval (minutes). 11. In the value column, type 10 and then click OK. Close each of the running virtual machines. Do not save changes so they are reset to defaults for the next lab.
Results: After this exercise, you should have successfully configured and verified the configuration of the application pools.
Lab Answer Key: Configuring IIS 7.0 Application Settings
Module 3
Contents:
Exercise 1: Configuring ASP.NET Exercise 2: Configuring ASP.NET Application Development Settings Exercise 3: Configuring a Web Server to Host Multiple Applications with Separate Application Pools Exercise 4: Configuring ASP.NET Security 2 8 12 19
Lab: Configuring IIS 7.0 Application Settings

Logon Information:
Virtual Machine: NYC-DC1, NYC-WEB-A User Name: Administrator Password: Pa$$w0rd
Estimated time: 60 minutes Note: If you have already logged on to a virtual machine, skip the logon task for that particular virtual machine.
Exercise 1: Configuring ASP.NET

Scenario
You receive a service request from the Enterprise Design Team to deploy an application server. You need to add and configure the ASP.NET role service, and Application Server role, on the Web Server. The server will be available from the Internet and Sales Associates will need to log in with the user name sales and password support from their clients sites to get contact information for support (This is a very poor security practice and all authenticated connections should use individual user names and you do not have appropriate permissions to set the username and password). This requires a medium level of security. If there is an error, the error message returned to the client browser should direct the user to contact their district sales manager for login information.
Exercise Overview
In this exercise, you will learn how to add the ASP.NET role service and configure ASP.NET. You will choose and configure the appropriate authentication model, and set up custom error pages to handle HTTP errors. This exercises main tasks are: 1. 2. 3. Start the 6427A-NYC-DC1 virtual machine. Start the 6427A-NYC-WEB-A virtual machine and log on as Woodgrovebank\Administrator. Add ASP.NET and Basic Security features to the IIS Role.
4. 5. 6.
Create the SalesSupport application and copy the ASP.NET application files. Configure Basic Security to allow access to authenticated Woodgrovebank domain users. Configure custom error pages for 401.aspx for 401 errors, and Other_Errors.aspx for all other errors.


Task 3: Add ASP.NET and Basic Security features to the IIS Role
1. 2. 3. 4. 5. 6. 7. 8. On NYC-WEB-A, in Server Manager, in the console pane, expand Roles and then click Web Server (IIS). Right-click Web Server (IIS), and then click Add Role Services. The Add Role Services dialog box appears. In the Role services box, under Application Development, select ASP.NET. The Add Role Services box appears. Click Add Required Role Services. In the Role Services box, under Security, select Basic Authentication. Click Next, and then click Install. When the installation is complete, click Close. In the details pane, in the Role Services section, notice that ASP.NET and Basic Authentication are listed as Installed.
1. 2. 3. 4. 5. 6. 7. 8. 9. Click Start | Administrative Tools | Internet Information Services (IIS) Manager. In the Connections pane, expand NYC-WEB-A | Sites and then click Default Web Site. In the Actions pane, click View Applications. Click Add Application. The Add Application dialog box appears. In the Alias field, type SalesSupport. Next to the Physical path field, click the Browse (...) button. The Browse For Folder dialog box appears. Browse to C:\inetpub\wwwroot, and then click Make New Folder. Type SalesSupport and then click OK. Click OK.
10. Click Start | Computer and then browse to E:\Mod03\Labfiles\SalesSupport. 11. Select all, then right-click and then click Copy. 12. Browse to C:\inetpub\wwwroot\SalesSupport, right-click, and then click Paste.
Task 5: Configure Basic Security to allow access to authenticated Woodgrovebank domain users
1. 2. 3. 4. 5. 6. 7. In Internet Information Services (IIS) Manager, in the Connections pane, expand Default Web Site and then click SalesSupport. In the details pane, double-click Authentication. Click Anonymous Authentication. In the Actions pane, click Disable. In the details pane, click Basic Authentication. In the Actions pane, click Enable. Click Edit.
8. 9.
The Edit Basic Authentication Settings dialog appears. In the Default domain and Realm fields, type woodgrovebank. Click OK.
10. Click Start | All Programs | Internet Explorer. 11. The Windows Internet Explorer window opens. Browse to http://localhost/salessupport. 12. The Connect to localhost dialog box appears. Notice that there is a warning about basic authentication and insecure credentials. 13. In the User name field, type yvonne. Note that Yvonne is a marketing account manager with a domain account in the Woodgrovebank domain. 14. In the Password field, type Pa$$w0rd and then click OK. Notice that the Sales Support Resources page loads successfully. 15. Close Internet Explorer. Note that you must close the browser to reset the session so you can try logging in as a different user. 16. Click Start | All Programs | Internet Explorer. 17. The Windows Internet Explorer window opens. Browse to http://localhost/salessupport. 18. The Connect to localhost dialog box appears. In the User name field, type bob. Note that Bob does not have a domain account in the Woodgrovebank domain. 19. Leave the Password field blank and then click OK. 20. Click OK two more times. Notice that you get an HTTP 401.1 Unauthorized error. Note that detailed error messages show up locally by default. 21. Close Internet Explorer.
Task 6: Configure custom error pages for 401.aspx for 401 errors, and Other_Errors.aspx for all other errors
1. 2. 3. In Windows Explorer, browse to E:\Mod03\Labfiles\WBErrors. Select all, right-click and then click Copy. Browse to C:\inetpub\custerr\en-US, right-click, and then click Paste.
4. 5. 6. 7. 8. 9.
In Internet Information Services (IIS) Manager, in the Connections pane, click SalesSupport. In the details pane, double-click Error Pages. In the Actions pane, click Edit Feature Settings. The Edit Error Pages Settings box appears. Click Custom error pages. Click OK. In the details pane, under the Status Code column, click 401.
10. In the Actions pane, click Edit. 11. The Edit Custom Error Page dialog box appears. Click Set. 12. The Set Localized Custom Error Path dialog box appears. In the Relative file path field, delete the existing text and then type 401.aspx. 13. Click OK twice. 14. In the details pane, under the Status Code column click 404. 15. In the Actions pane, click Edit. 16. The Edit Custom Error Page dialog box appears. Click Set. 17. The Set Localized Custom Error Path dialog box appears. In the Relative file path field, delete the existing text and then type Other_Errors.aspx. 18. Click OK twice. Note that in a real world situation, you would repeat these steps for each error that you wanted to assign to a custom error message. 19. Click Start | All Programs | Internet Explorer. 20. The Windows Internet Explorer window opens. Browse to http://localhost/salessupport. 21. The Connect to localhost dialog box appears. In the User name field, type bob. 22. Leave the Password field blank and then click OK three times. Notice that there is now a custom error message directing you to contact your district sales manager. 23. Close Internet Explorer. 24. Click Start | All Programs | Internet Explorer. 25. The Windows Internet Explorer window opens. Browse to http://localhost/salessupport/brokenlink.
26. The Connect to localhost dialog box appears. In the User name field, type yvonne. 27. In the Password field, type Pa$$w0rd and then click OK. If you are prompted, add the site to the allowed list. Notice that you get a custom error that is slightly different. Since the path brokenlink doesnt exist, this is a custom 404 error. 28. Close Internet Explorer.
Tip: If you are having problems verifying your custom error settings, and changes dont seem to be taking effect, be sure to clear the browser cache.
Results: After this exercise, you should have successfully verified that the ASP.NET role service is installed, configured Basic authentication, and verified custom error pages in Internet Explorer.
Exercise 2: Configuring ASP.NET Application Development Settings

Scenario
Next you will configure some test settings for the SalesSupport application. The Enterprise Design team is planning on implementing a database to store the support resource data. You will need to enter the provided connection string. You will also rename the cookie that the page uses to SalesSupport. Next you will create a custom control for testing the new configuration. Finally, you will set some application settings and then verify that the application can read them by loading the custom test page.
Exercise Overview
In this exercise, you will learn how to configure ASP.NET application development settings. This exercises main tasks are: 1. 2. 3. 4. Configure ASP.NET Connection Strings to connect to Resources.MDF. Configure ASP.NET Session State settings to rename the cookie to SalesSupport. Add a custom control: Woodgrovebank.TestControls Version=1.0.0.0 Add application settings at Site and Application levels.
Task 1: Configure ASP.NET Connection Strings to connect to Resources.MDF

1. On NYC-WEB-A, in Internet Information Services (IIS) Manager, in the Connections pane, expand Sites | Default Web Site and then click SalesSupport. In the details pane, double-click Connection Strings. In the Actions pane, click Add. The Add Connection String dialog box appears. In the Name field, type LocalResources. Click Custom. In the Custom field delete the existing text and then type data source=.\SQLEXPRESS;AttachDbFileName=e:\mod03\labfiles\resources. mdf;IntegratedSecurity=True Click OK.
2. 3. 4. 5. 6.
7.
Task 2: Configure ASP.NET Session State settings to rename the cookie to SalesSupport
1. 2. 3. 4. In the Connections pane, click SalesSupport. In the details pane, double-click Session State. In the Cookie Settings section, in the Name field, delete the existing text and then type SalesSupport_SessionID. In the Actions pane, click Apply.
Task 3: Add a custom control: Woodgrovebank.TestControls Version=1.0.0.0

1. 2. 3. 4. In the Connections pane, click SalesSupport. In the details pane, double-click Pages and Controls. In the Action pane, click Register Controls. Click Add Custom Control.
10
5. 6. 7. 8.
The Add Custom Control dialog box appears. In the Tag prefix field type Woodgrovebank. In the Namespace field, type TestControls. In the Assembly field, type Version=1.0.0.0. Click OK.
Task 4: Add application settings at site and application levels

1. 2. 3. 4. Click Start | All Programs | Internet Explorer. The Windows Internet Explorer window opens. Browse to http://localhost/salessupport/test.aspx. The Connect to localhost dialog box appears. In the User name field, type yvonne. In the Password field, type Pa$$w0rd and then click OK. Notice that the Woodgrove Bank Sales Application Settings Test Page opens. It should report No Application Settings defined. 5. 6. 7. 8. 9. In Internet Information Services (IIS) Manager, in the Connections pane, click Default Web Site. In the details pane, double-click Application Settings. In the Actions pane, click Add. The Add Application Setting dialog box appears. In the Name field, type DefaultLocation. In the Value field, type New York.
10. Click OK. 11. In Internet Explorer, click the Refresh button. Notice that it now reports DefaultLocation = New York. 12. In Internet Information Services (IIS) Manager, in the Connections pane, click SalesSupport. 13. In the details pane, double-click Application Settings. 14. Notice in the details pane that DefaultLocation is inherited. 15. In the Actions pane, click Add.
11
16. The Add Application Setting dialog appears. In the Name field, type debug_mode. 17. In the Value field, type true. 18. Click OK. 19. In Internet Explorer, click the Refresh button. Notice that it now reports DefaultLocation = New York and debug_mode = true. Question: How might the application settings be used in real world Web applications? Answer: The application can customize content or actions based on the settings. This gives flexibility to the administrator to customize the application at deployment time. 20. Close Internet Explorer.
Results: After this exercise, you should have configured ASP.NET development settings and verified test page functionality.
12
Exercise 3: Configuring a Web Server to Host Multiple Applications with Separate Application Pools
Scenario
You will now deploy the SalesSupport application to two new instances. Once instance will be a test deployment with additional testing configuration. Another instance will be for the German division of Woodgrove and will need to be set for German globalization settings. Additionally, you will disable the debug mode for the production version of SalesSupport.
Exercise Overview
In this exercise, you will learn how to create an application pool. This exercises main tasks are: 1. 2. 3. 4. 5. 6. 7. 8. Create three application pools named SalesSupport, SalesSupport_De, and SalesSupport_Test. Create the applications SalesSupport_De and SalesSupport_Test. Use XCopy to deploy the files from the SalesSupport directory to the SalesSupport_DE and SalesSupport_Test directories. Assign the applications to the appropriate application pools. Configure application pool recycling for unlimited requests. Configure the SalesSupport_Test application pool to record recycled events. Configure the SalesSupport .NET compilation debug setting to False. Configure the SalesSupport_De application globalization settings for Germany.
Task 1: Create three application pools named SalesSupport, SalesSupport_De, and SalesSupport_Test
1. 2. 3. 4. On NYC-WEB-A, in Internet Information Services (IIS) Manager, in the Connections pane, click Application Pools. In the Actions pane, click Add Application Pool. The Add Application Pool dialog box appears. In the Name field, type SalesSupport. Click OK.
13
5. 6. 7. 8. 9.
In the Actions pane, click Add Application Pool. The Add Application Pool dialog box appears. In the Name field, type SalesSupport_De. Click OK. In the Actions pane, click Add Application Pool. The Add Application Pool dialog box appears. In the Name field, type SalesSupport_Test.
10. Click OK. 11. In the details pane, notice that SalesSupport, SalesSupport_DE, and SalesSupport_Test appear in the list of application pools.
Task 2: Create the applications SalesSupport_De and SalesSupport_Test

1. 2. 3. 4. 5. 6. 7. 8. 9. In the Connections pane, click Default Web Site. In the Actions pane, click View Applications. Click Add Application. The Add Application dialog box appears. In the Alias field, type SalesSupport_De. Next to the Physical path field, click the Browse () button. The Browse For Folder dialog box appears. Browse to C:\inetpub\wwwroot, and then click Make New Folder. Type SalesSupport_De and then click OK twice. Click Add Application. The Add Application dialog box appears. In the Alias field, type SalesSupport_Test.
10. Next to the Physical path field, click the Browse () button. 11. The Browse For Folder dialog box appears. Browse to C:\inetpub\wwwroot, and then click Make New Folder. 12. Type SalesSupport_Test and then click OK twice. 13. In the details pane, notice that SalesSupport, SalesSupport_DE, and SalesSupport_Test appear in the list of applications.
14
Task 3: Use XCopy to deploy the files from the SalesSupport directory to the SalesSupport_DE and SalesSupport_Test directories
1. 2. 3. 4. 5. Click Start | Command Prompt. Type cd \inetpub\wwwroot and then press Enter. Type xcopy /e SalesSupport\*.* SalesSupport_De and then press Enter. Type dir SalesSupport_De and then press Enter to confirm that the files were copied. Type xcopy /e SalesSupport\*.* SalesSupport_Test and then press Enter.
Shortcut: Press Up Arrow twice, and then Backspace and change the last few characters of the previous command line to _Test, and then press Enter.
6.
Type dir SalesSupport_Test and then press Enter to confirm that the files were copied.
Task 4: Assign the applications to the appropriate application pools

1. 2. 3. 4. 5. 6. 7. 8. 9. In Internet Information Services (IIS) Manager, in the Connections pane, click Default Web Site. In the Actions pane, click View Applications. In the details pane, click /SalesSupport. In the Actions pane, click Basic Settings. The Edit Application dialog box appears. Click Select. The Select Application Pool dialog box appears. In the Application pool list, click SalesSupport, and then click OK twice. In the details pane, click /SalesSupport_De. In the Actions pane, click Basic Settings. The Edit Application dialog box appears. Click Select.
10. The Select Application Pool dialog box appears. In the Application pool list, click SalesSupport_De, and then click OK twice. 11. In the details pane, click /SalesSupport_Test.
15
12. In the Actions pane, click Basic Settings. 13. The Edit Application dialog box appears. Click Select. 14. The Select Application Pool dialog box appears. In the Application pool list, click SalesSupport_Test, and then click OK twice. 15. In the Connections pane, click SalesSupport_De. 16. In the details pane, double-click Authentication. 17. Click Anonymous Authentication. 18. In the Actions pane, click Disable. 19. In the details pane, click Basic Authentication. 20. In the Actions pane, click Enable. 21. Click Edit. 22. The Edit Basic Authentication Settings dialog appears. In the Default domain and Realm fields, type woodgrovebank. 23. Click OK. 24. In the Connections pane, click SalesSupport_Test. 25. In the details pane, double-click Authentication. 26. Click Anonymous Authentication. 27. In the Actions pane, click Disable. 28. In the details pane, click Basic Authentication. 29. In the Actions pane, click Enable. 30. Click Edit. 31. The Edit Basic Authentication Settings dialog appears. In the Default domain and Realm fields, type woodgrovebank. 32. Click OK.
Task 5: Configure production application pool recycling for unlimited requests

1. 2. In the Connections pane, click Application Pools. In the details pane, click SalesSupport.
16
3. 4. 5. 6. 7. 8. 9.
In the Actions pane, click Recycling. The Edit Application Pool Recycling Settings dialog box appears. Clear the Regular time intervals check box, and then click Next. Click Finish. In the details pane, click SalesSupport_De. In the Actions pane, click Recycling. The Edit Application Pool Recycling Settings dialog box appears. Clear Regular time intervals check box, and then click Next. Click Finish.
Task 6: Configure the SalesSupport_Test application pool to record recycled events

1. 2. 3. 4. 5. 6. In the details pane, click SalesSupport_Test. In the Actions pane, click Recycling. The Edit Application Pool Recycling Settings dialog box appears. Select Fixed number of requests. In the Fixed number of requests field, type 1024 and then click Next. On the Recycling Events to Log page, select Number of requests, Ondemand, and Configuration changes. Click Finish.
Task 7: Configure the SalesSupport .NET compilation debug setting to False

1. 2. 3. 4. In the Connections pane, click SalesSupport. In the details pane, double-click .NET Compilation. Under Behavior, in the Debug list, click False. In the Actions pane, click Apply. Question: What is the advantage of disabling the debug setting in .NET compilation?
17
Answer: The compiled code will be smaller and faster without debug code. It is a good idea to use this setting when an application is fully tested and deployed to final production.
Task 8: Configure the SalesSupport_De application globalization settings for Germany

1. 2. 3. 4. 5. 6. 7. 8. 9. In the Connections pane, click SalesSupport_De. In the details pane, double-click .NET Globalization. In the Culture list, click German (Germany) (de-DE). In the UI Culture list, click German (Germany) (de-DE). In the Actions pane, click Apply. Click Start | All Programs | Internet Explorer. The Windows Internet Explorer window opens. Browse to http://localhost/salessupport. The Connect to localhost dialog box appears. In the User name field, type yvonne. In the Password field, type Pa$$w0rd and then click OK.
10. Open a second tab in Internet Explorer and then browse to http://localhost/salessupport_test. 11. Open a third tab and then browse to http://localhost/salessupport_de. 12. Right-click the notification area and then click Task Manager. 13. The Task Manager window opens. Click the Processes tab. 14. Under the Image Name column, notice that there are at least three instances of w3wp.exe running, indicating at least three separate application pools. 15. Close Task Manager. 16. In Internet Explorer, browse to http://localhost/salessupport_de/test.aspx. Notice that the date is now in dd.mm.yyyy format, the cultural default for Germany. 17. Close Internet Explorer. In the Internet Explorer dialog box, click Close Tabs.
18
Results: After this exercise, you should have successfully deployed multiple applications with separate application pools, configured recycling and debug settings, and configured and verified .Net globalization settings.
19
Exercise 4: Configuring ASP.NET Security

Scenario
Next, you will configure the machine key, .NET trust level, and File and Folder security.
Exercise Overview
In this exercise, you will configure ASP.NET security settings. This exercises main tasks are: 1. 2. 3. 4. 5. Set the machine key of SalesSupport_de. Configure the SalesSupport_Test site for medium trust level. Configure File and Folder security so that only ITAdmins_WoodgroveGG can access the Test.aspx page on SalesSupport. Enable Tracing and Logging for the SalesSupport_Test site. Configure Request Filtering so that only ASPX requests are processed.
Task 1: Set the machine key of SalesSupport_de

1. 2. 3. 4. On NYC-WEB-A, in Internet Information Services (IIS) Manager, in the Connections pane, click SalesSupport_De. In the details pane, double-click Machine Key. In the Actions pane, click Generate Keys. Click Apply.
Task 2: Configure the SalesSupport_Test site for medium trust level

1. 2. 3. 4. In the Connections pane, click SalesSupport_Test. In the details pane, double-click .NET Trust Levels. In the Trust level list, click Medium (web_mediumtrust.config). In the Actions pane, click Apply.
20
Task 3: Configure File and Folder security so that only ITAdmins_WoodgroveGG can access the Test.aspx page in SalesSupport
1. 2. 3. 4. 5. 6. 7. 8. 9. In the Connections pane, click SalesSupport. In the details pane, click the Content View tab at the bottom of the window. Click test.aspx. In the Actions pane, click Edit Permissions. The test.aspx Properties dialog box appears. Click the Security tab. Click Advanced. The Advanced Security Settings for test.aspx dialog box appears. Click Edit. Clear the Include inheritable permissions from this objects parent check box. The Windows Security dialog box appears asking if you want to copy the inherited permissions. Click Copy.
10. Click Users (NYC-WEB-A\Users), and then click Remove. 11. Click Add. 12. The Select User, Computer, or Group dialog box appears. In the Enter the object name to select field, type Network Service. Note that since we have removed Users, we need to specifically allow the Network Service account. The SalesSupport application pool is running under the Network Service account with pass-through authentication. 13. Click Check Names, and then click OK. 14. The Permission Entry for test.aspx dialog box appears. In the Permissions section, next to Full control, select Allow. 15. Click OK. 16. Click Add. 17. The Select User, Computer, or Group dialog box appears. In the Enter the object name to select field, type ITAdmins_WoodgroveGG. 18. Click Check Names, and then click OK. 19. The Permission Entry for test.aspx dialog box appears. In the Permissions section, next to Full control, select Allow.
21
20. Click OK four times. 21. In Internet Explorer, browse to http://localhost/salessupport/test.aspx. 22. The Connect to localhost dialog box appears. In the User name field, type yvonne. 23. In the Password field, type Pa$$w0rd and then click OK. 24. Click OK two more times. Notice that Yvonne no longer has access to test.aspx. 25. Click the Refresh button. 26. The Connect to localhost dialog box appears. In the User name field, type betsy. Note that Betsy is a member of the ITAdmins_WoodgroveGG security group. 27. In the Password field, type Pa$$w0rd and then click OK. Notice that Betsy has access to the page. 28. Close Internet Explorer.
Task 4: Enable Tracing and Logging for the SalesSupport_Test site

1. 2. 3. 4. 5. 6. 7. 8. 9. In Server Manager, in the console pane, expand Roles and then click Web Server (IIS). Right click Web Server (IIS), and then click Add Role Services. The Add Role Services dialog box appears. Select Health and Diagnostics to select all of the Health and Diagnostics services. Click Next, and then click Install. When the installation completes, click Close. Click Start, type Notepad and then press Enter. The Notepad window opens. On the File menu, click Open. The Open dialog box appears. In the Text Documents list, click All Files. Browse to C:\inetpub\wwwroot\SalesSupport_Test.
10. Click test.aspx, and then click Open. 11. In the first line of the file, modify the trace=false attribute to read trace=true so that the line reads:
22
<@ Page Language=C# trace=true %>
12. On the fifth line of the file, type This message should appear between the double quotes, so that the line reads:
Response.Write(This message should appear);
Question: How would an application use tracing? Answer: A developer can add trace commands to the Web application code to record information that can be used for debugging and monitoring. The administrator has the ability to enable or disable tracing as needed. 13. On the File menu, click Save. 14. Close Notepad. 15. In Internet Explorer, browse to http://localhost/salessupport_test/test.aspx. 16. If the Connect to localhost dialog box appears, in the User name field, type betsy. 17. In the Password field, type Pa$$w0rd and then click OK. 18. Notice that This message should appear appears at the top of the page. Scroll down and notice that the trace information appears at the bottom of the page. 19. In the Trace Information section, the next to last lines contain the trace messages from the test.aspx file. Notice that the warning message is red. 20. Close Internet Explorer. 21. In Internet Information Services (IIS) Manager, in the Connections pane, click Default Web Site. 22. In the Actions pane, click Failed Request Tracing. If Failed Request Tracing does not appear, close and reopen IIS Manager for the added Health and Diagnostics features to appear. 23. The Edit Web Site Failed Request Tracing Settings dialog box appears. Select Enable, and then click OK. 24. In the details pane, double-click Failed Request Tracing Rules. 25. In the Actions pane, click Add.
23
26. The Add Failed Request Tracing Rule wizard appears. On the Specify Content to Trace page, click ASP.NET (*.aspx), and then click Next. 27. On the Define Trace Conditions page, in the Status code(s) field, type 200 and then click Next. 28. On the Select Trace Providers page, under Providers, clear all check boxes except ASPNET. 29. Click ASPNET. 30. Under Areas, clear all check boxes except Page. 31. Under Verbosity, notice that it is set to Verbose. 32. Click Finish. 33. In Internet Explorer, browse to http://localhost/salessupport_test/test.aspx. 34. If the Connect to localhost dialog box appears, in the User name field, type betsy. 35. In the Password field, type Pa$$w0rd and then click OK. 36. Press CTRL + O. 37. The Open dialog box appears. Click Browse. 38. Browse to C:\inetpub\logs\FailedReqLogFiles\W3SVC1. 39. In the HTML Files list, click All Files. 40. If there is more than one, click the most recent fr######.xml file, and then click Open. 41. Click OK. 42. The failed request log opens. Notice in the Request Summary section the details of the request: App Pool is SalesSupport_Test, Authentication is Basic, User from token is WOODGROVEBANK\betsy. 43. In the Errors and Warnings section, click Expand All. 44. Notice that the warning This is a warning. appears.
Task 5: Configure Request Filtering so that only ASPX requests are processed
1. In Internet Explorer, browse to http://localhost/welcome.png.
24
Notice that the IIS7 graphic appears. 2. Browse to http://localhost/iisstart.htm. Notice that the IIS7 Welcome page appears. 3. 4. 5. 6. 7. 8. 9. Close Internet Explorer. Click Start, type Notepad and then press Enter. The Notepad window opens. On the File menu click Open. The Open dialog box appears. In the Text Documents list, click All Files. Browse to C:\inetpub\wwwroot. Click web.config, and then click Open. After the sixth line, <system.webServer>, press Enter and then add the following security section:
<security> <requestFiltering> <fileExtensions allowUnlisted="false" > <add fileExtension=".aspx" allowed="true"/> </fileExtensions> </requestFiltering> </security>
Question: How could you disable only certain extensions, such as .MP3 and .WMA? Answer: Set the allowUnlisted property to true. Add the unallowed file extensions and set their allowed properties to false. 10. On the File menu, click Save. 11. Close Notepad. 12. Click Start | All Programs | Internet Explorer. 13. The Windows Internet Explorer window opens. Browse to http://localhost/welcome.png. 14. Notice that HTTP Error 404.7 appears. Detailed error messaging states that The request filtering module is configured to deny the file extension. 15. Browse to http://localhost/iisstart.htm. Notice the same error. 16. Click Start | Command Prompt.
25
17. Type cd \inetpub\wwwroot and then press Enter. 18. Type copy iisstart.htm *.aspx and then press Enter. 19. Type dir, and then press Enter and notice that the file was copied it iisstart.aspx. 20. In Internet Explorer, browse to http://localhost/iisstart.aspx. Notice that the page with the aspx extension loads without error but the image still does not display. 21. Close each of the running virtual machines. Do not save changes so they are reset to default for the next lab.
Results: After this exercise, you should have successfully configured and verified the configuration of the advanced security settings for ASP.NET.
Lab Answer Key: Configuring IIS 7.0 Modules
Module 4
Contents:
Exercise 1: Configuring and Editing Native Modules Exercise 2: Configuring and Editing Managed Modules 2 7
Lab: Configuring and Editing Modules

Logon Information:
Virtual Machine: NYC-WEB-B User Name: Woodgrovebank\Administrator Password: Pa$$w0rd
Exercise 1: Configuring and Editing Native Modules

Scenario
You received a service request from the application development team specifying the modules that are required to install, test, and run an application on the specified web server. To reduce the server footprint and vulnerability, you must remove the unnecessary modules.
Exercise Overview
In this exercise, you will learn how to remove native modules from a Web server to improve security and reduce the server footprint. This exercises main tasks are: 1. 2. 3. 4. 5. 6. 7. Start the 6427A-NYC-WEB-B virtual machine and log on as Woodgrovebank\Administrator. Backup the current Web server configuration. Examine the modules currently installed on the Web server. Remove the Default Document Module and the Directory Listing Module. Validate that the modules have been removed and test the new server configuration. Restore the modules to the Web server configuration. Validate that the modules have been restored and test the server configuration.
Task 1: Start the 6427A-NYC-WEB-B virtual machine and log on as Woodgrovebank\Administrator

1. 2. On the Lab Launcher, next to 6427A-NYC-WEB-B, click Launch. Log on to NYC-WEB-B as Woodgrovebank\Administrator with the password of Pa$$w0rd.
Task 2: Backup the current Web server configuration.

1. 2. 3. 4. 5. On NYC-WEB-B, if Server Manager opens, Close the Server Manager and click Start | Command Prompt. Type cd \windows\system32\inetsrv\ and then press Enter. Type appcmd add backup original and then press Enter. Notice that the AppCmd completes the backup and reports BACKUP object "original" added. Question: When using the appcmd add backup command, where are the backup configuration file placed? Answer: In a new folder, in the C:\Windows\System32\inetserv\backup\ folder.
Task 3: Examine the modules currently installed on the Web server

1. 2. 3. 4. 5. 6. Click Start | Administrative Tools | Internet Information Services (IIS) Manager. In the Connections pane, click NYC-WEB-B. In the details pane, in the Group by list, click Category. In the details pane, in the Server Components section, double-click Modules. In the Group by list, click Module Type. Notice that the DefaultDocumentModule and the DirectoryListingModule entries are listed in the Native Modules section. Question: What do the DefaultDocumentModule and DirectoryListingModules do?
Answer: The DefaultDocumentModule offers the functionality of offering the Web browser a default file when a specified folder or directory is specified by the URL. The DirectoryListingModule will supply the Web client with a list of the folder contents, when a folder or directory is specified by the URL.
Task 4: Remove the Default Document Module and the Directory Listing Module
1. 2. 3. 4. 5. 6. 7. In the Connections pane, expand NYC-WEB-B | Sites, and then click Default Web Site. In the Actions pane, click Browse *:80(http). The Windows Internet Explorer window opens. Notice that the Woodgrove Bank page opens as expected. Click Start | Computer and then browse to C:\windows\system32\inetsrv\config\. In the details pane, double-click applicationHost.config. The Notepad window opens. Find the <globalModules> section. Delete the DefaultDocumentModule and the DirectoryListingModule entries from within the <globalModules> tag by deleting these two lines:
<add name="DefaultDocumentModule" image= "%windir%\System32\inetsrv\defdoc.dll" /> <add name="DirectoryListingModule" image= "%windir%\System32\inetsrv\dirlist.dll" />
8. 9.
Scroll down to the bottom of the file and find the <system.webServer> section. Delete the references to the DefaultDocumentModule and the DirectoryListingModule from within the <handlers accessPolicy="Read, Script"> tag by replacing:
<add name="StaticFile" path="*" verb="*" modules="StaticFileModule,DefaultDocumentModule,DirectoryListingMod ule" resourceType="Either" requireAccess="Read" />
With the line:

<add name="StaticFile" path="*" verb="*" modules="StaticFileModule" resourceType="Either" requireAccess="Read" />
10. Delete the DefaultDocumentModule and the DirectoryListingModule entries from within the <modules> tag. Delete the two lines:
<add name="DefaultDocumentModule" lockItem="true" /> <add name="DirectoryListingModule" lockItem="true" />
11. On the File menu, click Save. 12. Close Notepad.
Task 5: Validate that the modules have been removed and test the new server configuration
1. 2. 3. 4. In Internet Information Services (IIS) Manager, in the Connections pane, click NYC-WEB-B. In the details pane, in the Server Components section, double-click Modules. In the Native Modules section, notice that the DefaultDocumentModule and the DirectoryListingModule entries are gone. In Internet Explorer, click the Refresh button. Notice that the Web page is now blank, even though Internet Explorer indicates that it is done loading. 5. In Internet Explorer, browse to http://localhost/default.aspx. Notice that the Web page loads after you specify the default document. Question: Why did the Web page get restored after the file name, default.aspx was added to the URL? Answer: The Web server is still completely operational, but no longer offers default documents or directory browsing. So if a full URL is specified, complete with a file name, then the Web server will return that file to the Web client, if available.
Task 6: Restore the modules to the Web server configuration

In the Command Prompt, type appcmd restore backup original and then press Enter. Notice that the AppCmd completes the restore and reports that the original configuration has been restored.
Question: After the AppCmd completes the restore, where does it restore the configure files to? Answer: The files are restored to the C:\Windows\System32\inetsrv\config folder.
Task 7: Validate that the modules have been restored and test the server configuration
6. Use IE to browse to http://localhost/, and then click Refresh Notice that the page once again loads properly from the default document. 7. Close Internet Explorer.
Results: After this exercise, you should have successfully removed native modules from a Web server, and then confirmed that the server operates as expected.
Exercise 2: Configuring and Editing Managed Modules

Scenario
To increase throughput, it has been determined that output caching would be beneficial on some of the applications on the web server. You need to make sure that the Output Cache module is installed and configured as specified in the service request. The development team also requested the installation of a new Managed Module that provides an additional level of logging for their application.
Exercise Overview
In this exercise, you will learn how to add new managed modules to a Web server. This exercises main tasks are: 1. 2. 3. 4. 5. 6. Install the logging managed module. Confirm the installation of the logging managed module. Test the Web site forms authentication functionality. Examine the modules currently running on the Web server. Remove the forms authentication managed module. Test the new configuration.
Task 1: Install the logging managed module

1. 2. 3. 4. 5. 6. 7. 8. 9. In Windows Explorer, browse to C:\inetpub\. Right-click inetpub, and then click New | Folder. Type logging_module and then press Enter. Browse to E:\Mod04\Labfiles\logging_module. Select all, then right-click and then click Copy. Browse to C:\inetpub\logging_module, right-click, and then click Paste. Browse to C:\inetpub\logging_module\logs\. Right-click logs, and then click Properties. The logs Properties dialog box appears. Click the Security tab.
10. Click Edit.
11. The Permissions for logs dialog box appears. In the Group or user names section, click Users (NYC-WEB-B\Users). 12. In the Permissions for Users box, next to Modify, select Allow. 13. Click OK twice. 14. In Internet Information Services (IIS) Manager, in the Connections pane, click Sites. 15. In the Actions pane, click Add Web Site. 16. The Add Web Site dialog box appears. In the Site name field, type logging_module. 17. In the Physical path field, type C:\inetpub\logging_module. 18. In the Port field, type 8181. 19. Click OK.
Task 2: Confirm the installation of the logging managed module

1. 2. 3. 4. 5. 6. 7. 8. 9. In the Actions pane, click Browse *:8181 (http). The Windows Internet Explorer window opens. Click Go on to Second Page. Notice that the second page loads. Close Internet Explorer. In Internet Information Services (IIS) Manager, in the Connections pane, click logging_module. In the details pane, in the Server Components section, double-click Modules. In the Managed Modules section, click Logger. In the Actions pane, click Edit. The Edit Managed Module dialog box appears. Notice that the type is listed as HttpLogger. Click Cancel.
10. In Windows Explorer, browse to C:\inetpub\logging_module\logs. 11. Double-click [yyyymmdd].txt. 12. The Notepad window opens. Notice the log entries for http://localhost:8181/default.aspx and http://localhost:8181/second_page.htm.
Question: Why does the log file entries have the numbers 8181 listed? Answer: The logging module records the complete URL of the requested Web site files. The logging_module web site was configured to use port number 8181, which is a secondary Web site port. 13. Close Notepad.
Task 3: Test the Web site forms authentication functionality

1. 2. 3. 4. 5. 6. 7. 8. In Internet Information Services (IIS) Manager, in the Connections pane, click Default Web Site. In the Actions pane, click Browse *:80 (http). The Windows Internet Explorer window opens. Click Shared Documents. In the Email field, type lmartin@woodgrovebank.com. In the Password field, type Pa$$w0rd. Click Login. If you get the AutoComplete Passwords dialog box, click No. Click Woodgrove Confidential Memo. Notice that the image representing the Woodgrove Confidential Memo appears. 9. Click the Back button.
10. Click Signout. 11. Click Home.
Task 4: Examine the modules currently running on the Web server

1. 2. 3. 4. 5. In the Internet Information Services (IIS) Manager window, in the Connections pane, click NYC-WEB-B. In the details pane, in the Server Components section, double-click Modules. In the Managed Modules section, click OutputCache. In the Actions pane, click Edit. The Edit Managed Module dialog box appears. Notice that the module is configured properly and is set to run normally.
10
6.
Click Cancel.
Task 5: Remove the forms authentication managed module

1. 2. 3. 4. 5. In the Connections pane, click Default Web Site. In the details pane, in the Server Components section, double-click Modules. In the Managed Modules section, click FormsAuthentication. In the Actions pane, click Remove. The Confirm Remove dialog box appears. Click Yes.
Task 6: Test the new configuration

1. In the Internet Explorer window, click Shared Documents. Notice that you now get Access is denied error message, indicating that the logon failed because the forms authentication module has been removed. Question: Why is the Access denied error message displayed at this point? Answer: The Access is denied error message indicates that the logon failed because the forms authentication module has been removed. 2. Close each of the running virtual machines. Do not save changes so they are reset to default for the next lab.
Results: After this exercise, you should have successfully added a managed module to the Web server.
Lab Answer Key: Securing the IIS 7.0 Web Server and Web Sites
Module 5
Contents:
Exercise 1: Configure a Secure Web Server Exercise 2: Configure Authorization, Authentication, and Access Exercise 3: Configure Logging 2 8 15
Lab: Securing the IIS 7.0 Web Server and Web Sites
Logon Information:
Virtual Machine: NYC-DC1, NYC-WEB-B User Name: Woodgrovebank\Administrator Password: Pa$$w0rd
Exercise 1: Configure a Secure Web Server

Scenario
Additional security measures need to be put in place to protect the Web server. These measures will protect the web server against unauthorized access by specific IP addresses and domains. Additional ISAPI and CGI restrictions need to be put into place. Then you are given a list of accounts authorized for a specific site. You must give separate access to the IT Admin group and the developer, Herbert Dorner.
Exercise Overview
In this exercise, you will be supplied the service request document and the Active Directory account list. Start the exercise by creating a self-signed server certificate. You will then need to set the IP restrictions as outlined in the service request. Then set ISAPI and CGI restrictions. You must run the .NET Framework 1.1 Aspnet_isapi.dll on your Web server. You can follow these steps to set the ASP.NET ISAPI to Allowed in the ISAPI and CGI Restrictions list. Finally, you have to create an application pool that uses .NET Framework 1.1 and that is configured to use ISAPI mode to process requests made to applications in the application pool. Finally, set the Active Directory permissions, as specified in the service request document. This exercises main tasks are: 1. Start the 6427A-NYC-DC1 virtual machine.
2. 3. 4. 5. 6. 7. 8. 9.
Start the 6427A-NYC-WEB-B virtual machine and log on as Woodgrovebank\Administrator. Create a self-signed server certificate for the Web server. Block IP addresses as specified in the service request. Examine the current ISAPI and CGI Restrictions. Install the .NET Framework 1.1. Set ISAPI and CGI restrictions to use ASP.NET version 1.1. Set the rights and permissions for Active Directory users. Validate the new configuration.

On the Lab Launcher, next to 6427A-NYC-DC1, click Launch.
Task 2: Start the 6427A-NYC-WEB-B virtual machine and log on as Woodgrovebank\Administrator.

1. 2. On the Lab Launcher, next to 6427A-NYC-WEB-B, click Launch. Log on to NYC-WEB-B as Woodgrovebank\Administrator with the password of Pa$$word.
Task 3: Create a self-signed server certificate for the Web server

1. 2. 3. 4. 5. On NYC-WEB-B, click Start | Administrative Tools | Internet Information Services (IIS) Manager. In the Connections pane, click NYC-WEB-B. In the details pane, in the Group by list, click Category. In the details pane, in the Security section, double-click Server Certificates. In the Actions pane, click Create Self-Signed Certificate.
6. 7.
The Create Self-Signed Certificate dialog box appears. In the Specify a friendly name for the certificate field, type woodgrovebank. Click OK. Notice that the new self-signed certificate has been added to the certificate list. Question: What are the advantages and disadvantages of using self-signed certificates? Answer: The primary advantages of using a self-signed certificate are that it provides a secure method of transferring data. Unlike certificates offered by 3rd parties, self-signed certificates have no financial cost associated with them. They provide a good solution for securing Web data transfer or personal information, i.e. if used for personal use. The primary disadvantage of using self-signed certificates is that when used for public access, the user has no way to validate the authenticity of the certificate owner. This implies that there is no reputable 3rd party verifying the certificate owner. So, although the data is secure, you may not be able to trust the source.
Task 4: Block IP addresses as specified in the service request

1. 2. 3. 4. 5. 6. 7. 8. 9. In the Connections pane, click NYC-WEB-B. In the details pane, in the Security section, double-click IPv4 Address and Domain Restrictions. In the Actions pane, click Add Deny Entry. The Add Deny Restrictions Rule dialog box appears. In the Specific IPv4 address field, type 10.10.20.1. Click OK. In the Actions pane, click Add Deny Entry. The Add Deny Restrictions Rule dialog box appears. Click IPv4 address range. In the IPv4 address range field, type 10.10.10.0. In the Mask field, type 255.255.255.0.
10. Click OK. Notice that the new IP restrictions have been added to the list. Question: When would you want to use this feature to block IP addresses?
Answer: An organization may want to block malicious users or restrict access from a certain domain or location.
Task 5: Examine the current ISAPI and CGI Restrictions 1. 2. In the Connections pane, click NYC-WEB-B. In the details pane, in the Security section, double-click ISAPI and CGI Restrictions. Notice that Active Server Pages and ASP.NET v2.0.50727 are the only applications currently listed. 3. 4. 5. 6. 7. 8. In the details pane, click Active Server Pages. In the Actions pane, click Edit. The Edit ISAPI or CGI Restriction dialog box appears. Notice that you can easily edit the ISAPI or CGI path, description, and execution allow. Click Cancel. In the Action pane, click Edit Feature Settings. The Edit ISAPI or CGI Restrictions Settings dialog box appears. While its not a recommended practice, you can easily allow unspecified CGI and ISAPI modules. Click Cancel.
9.
Task 6: Install the .NET Framework 1.1

1. 2. 3. 4. 5. 6. 7. 8. Click Start | Computer and then browse to E:\ Mod05\Labfiles. Double-click dotnetfix.exe. The Microsoft .NET Framework 1.1 Setup dialog box appears, confirming if you want to install the .NET Framework package. Click Yes. The Microsoft .NET Framework 1.1 Setup dialog box appears, asking you to agree to the license agreement. Click I agree. Click Install. When the installation is complete, click OK. Note that it may take about four minutes to complete. In the Windows Explorer window, in the details pane, double-click NDP1.1sp1-KB867460-X86.exe. The Microsoft .NET Framework 1.1 Service Pack 1 (KB867460) dialog box appears, confirming if you want to install the Service Pack. Click OK.
9.
The Microsoft .NET Framework 1.1 Service Pack 1 (KB867460) License Agreement dialog box appears, asking you to agree to the license agreement. Click I accept.
10. When the installation is complete, click OK. Note that it may take about two minutes to complete.
Task 7: Set ISAPI and CGI restrictions to use ASP.NET version 1.1
1. 2. In Internet Information Services (IIS) Manager, in the Connections pane, click NYC-WEB-B. In the details pane, in the Security section, double-click ISAPI and CGI Restrictions. Notice that the ASP.NET v1.1.4322 has been added. 3. 4. 5. 6. In the details pane, click ASP.NET v1.1.4322. In the Actions pane, click Edit. The Edit ISAPI or CGI Restriction dialog box appears. Select Allow extension path to execute, and then click OK. In the Connections pane, ensure that NYC-WEB-B is already expanded, and then click Application Pools. Notice that the ASP.NET v1.1 application pool has been added and started.
Task 8: Set the rights and permissions for Active Directory users
1. 2. 3. 4. 5. 6. 7. 8. In Windows Explorer, browse to C:\inetpub\. Right-click wwwroot and then click Properties. The wwwroot Properties dialog box appears. Click the Security tab. Click Edit. The Permissions for wwwroot dialog box appears. Click Add. The Select Users, Computers, or Groups dialog box appears. Click Locations. The Locations dialog box appears. If WoodgroveBank.com is not already highlighted, then in the Location tree, click WoodgroveBank.com. Click OK.
9.
In the Enter the object names to select field, type ITAdmins_WoodgroveGG and then click Check Names.
10. Click OK. Notice that the Read & execute, List folder contents, and Read options are allowed. 11. Click Add. 12. The Select Users, Computers, or Groups dialog box appears. In the Enter the object names to select field, type Herbert and then click Check Names. 13. Click OK. 14. Next to Full control, select Allow. 15. Click OK.
Task 9: Test and validate the new configuration

1. In the Group or user names field click ITAdmins_WoodgroveGG. Notice that the Read & execute, List folder contents, and Read options are allowed. 2. In the Group or user names field click Herbert Dorner. Notice that the all the options are allowed. 3. Click OK.
Results: After this exercise, you should have successfully set IP restrictions, ISAPI and CGI restrictions, and Active Directory permissions, as specified in a service request document
Exercise 2: Configure Authorization, Authentication and Access

Scenario
Additional security measures need to be put in place to protect the Web server. An application is protected with forms authentication, but it is discovered that some of the content can bypass forms authentication and still be accessed, such as a jpg, by entering the direct URL path and file name. You must configure the protected content to use the managed forms authentication module.
Exercise Overview
In this exercise, you must reconfigure authentication and authorization so that shared documents folder on the Web server is fully protected by forms authentication. This exercises main tasks are: 1. 2. 3. 4. 5. 6. 7. 8. 9. Turn off the Web site cache for the shared documents folder. Sign into the Woodgrove Bank Web site and retrieve the confidential memo. Bypass the Web site forms authentication. Modify the applicationHost.config to unlock the URL Authorization <configSections> section by changing the override mode default to allow. Modify the applicationHost.config <applicationPools> section to change the Classic .NET application pool to Integrated mode. Modify the applicationHost.config file to disable all other authentication types except for anonymous. Modify the applicationHost.config file to protect all content by removing the managedHandler precondition from the <system.webServer> section. Reconfigure the authorization and authentication so that the protected content uses forms authentication. Test and validate the new Web site configuration.
Task 1: Turn off the Web site cache for the shared documents folder
1. On NYC-WEB-B, in Internet Information Services (IIS) Manager, in the Connections pane, ensure NYC-WEB-B | Sites | Default Web Site | docs is expanded, and then click shared.
10
2. 3. 4. 5.
In the details pane, in the HTTP Features section, double-click HTTP Response Headers. In the Actions pane, click Add. The Add Custom HTTP Response Header dialog box appears. In the Name field, type Cache-Control. In the Value field, type no-cache and then click OK.
Task 2: Sign into the Woodgrove Bank Web site and retrieve the confidential memo
1. 2. 3. 4. 5. 6. 7. 8. In Internet Information Services (IIS) Manager, in the Connections pane, click Default Web Site. In the Actions pane, click Browse *:80 (http). The Windows Internet Explorer window opens. Click Shared Documents. In the Email field, type lmartin@woodgrovebank.com. In the Password field, type Pa$$w0rd. Click Login. If you get the AutoComplete Passwords dialog box, click No. Click Woodgrove Confidential Memo. Notice that the image representing the Woodgrove Confidential Memo appears. 9. Click the Back button.
10. Click Signout.
11
Task 3: Bypass the Web site forms authentication

1. In Internet Explorer, browse to http://localhost/docs/shared/Woodgrove_memo.jpg. Notice that the image representing the Woodgrove Confidential Memo appears. Question: Why is the confidential memo being displayed even after the user logs out? Answer: The Web site and directory are not fully protected by forms authentication. 2. Click the Back button.
Task 4: Modify the applicationHost.config to unlock the URL Authorization <configSections> section by changing the override mode default to allow
1. 2. In Windows Explorer, browse to C:\windows\system32\inetsrv\config. In the details pane, double-click applicationHost.config. Unlock the URL Authorization section by changing the override mode default to 'allow'. Do this by modifying the authorization section indicated on the next step. 3. Find the <configSections> section. Find:
<section name="authorization" overrideModeDefault="Allow" />
And replace it with:

<section name="authorization" type="System.WebServer.Configuration.UrlAuthorizationSection, System.ApplicationHost, Version=7.0.0.0, culture=neutral, PublicKeyToken=31bf3856ad364e35" overrideModeDefault="Allow" />
12
Task 5: Modify the applicationHost.config <applicationPools> section to change the Classic .NET application pool to Integrated mode
Change the Classic .NET application pool to Integrated mode by finding the <applicationPools> section and replacing:
<add name="Classic .NET AppPool" managedPipelineMode="Classic" />
With:
<add name="Classic .NET AppPool" managedPipelineMode="Integrated" />
Task 6: Modify the applicationHost.config file to disable all other authentication types except for anonymous
1. 2. Find the <authentication> section. Append:
enabled="false"
To:
clientCertificateMappingAuthentication, digestAuthentication, iisClientCertificateMappingAuthentication, and windowsAuthentication.
Task 7: Modify the applicationHost.config file to protect all content by removing the managedHandler precondition from the <system.webServer> section
1. Remove the preconditions for FormsAuthentication and DefaultAuthentication from the modules section. Do this by finding the <system.webServer> section, and then modifying the lines indicated on the next steps. Replace:
<add name="FormsAuthentication" type="System.Web.Security.FormsAuthenticationModule" preCondition="managedHandler" />
2.
13
With:
<add name="FormsAuthentication" type="System.Web.Security.FormsAuthenticationModule" />
3.
Replace
<add name="DefaultAuthentication" type="System.Web.Security.DefaultAuthenticationModule" preCondition="managedHandler" />
With:
<add name="DefaultAuthentication" type="System.Web.Security.DefaultAuthenticationModule" />
4. 5.
On the File menu, click Save. Close Notepad.
Task 8: Reconfigure the authorization and authentication so that the protected content uses forms authentication
1. 2. 3. 4. 5. 6. 7. 8. 9. In Windows Explorer, browse to C:\inetpub\wwwroot. In the details pane, double-click Web.Config. The Notepad window opens. Find the line <authorization> section. Add the line <allow users="lmartin@woodgrovebank.com" />, above the line . Remove the commenting brackets from the line , changing it to <deny users="?" />. On the File menu, click Save. Close Notepad. In Internet Information Services (IIS) Manager, in the Connections pane, click shared. In the details pane, in the Security section, double-click Authentication.
10. Click Anonymous Authentication. 11. In the Actions pane, click Disable.
14
Task 9: Test and validate the new Web site configuration

1. 2. 3. 4. 5. 6. 7. In Internet Explorer, in the Email field, type lmartin@woodgrovebank.com. In the Password field, type Pa$$w0rd. Click Login. Click Woodgrove Confidential Memo. Click the Back button. Click Signout. In Internet Explorer, browse to http://localhost/docs/shared/Woodgrove_memo.jpg. Notice that you are redirected to the login page and that proper authentication is now required to access the Woodgrove Memo file.
Results: After reconfigure the Web sites authorization and authentication, so that all content uses forms authentication and thereby protecting the confidential memo, the only way to obtain the memo is by having the correct credentials.
15
Exercise 3: Configure Logging

Scenario
Additional security measures need to be put in place to protect the Web server. You received a service request to keep a log of all visitors to the web server for the past 24 hours. You must enable and configure logging and then test and verify the log.
Exercise Overview
In this exercise, you must configure and test Web site logging operations. This exercises main tasks are: 1. 2. Examine and configure logging options. Test the logging operations.
Task 1: Examine and configure logging options

1. 2. 3. 4. 5. On NYC-WEB-B, in Internet Information Services (IIS) Manager, in the Connections pane, click NYC-WEB-B. In the details pane, in the Health and Diagnostics section, double-click Logging. Notice that the Log File Rollover Schedule is set for Daily. Select Use local time for file naming and rollover. In the Actions pane, click Apply.
16
Task 2: Test the logging operations

1. 2. 3. In Internet Explorer, click the Refresh button. In Windows Explorer, browse to C:\ inetpub\logs\LogFiles\W3SVC1. In the details pane, double-click the newest log file. Notice the most recent log entries at the bottom of the log. Notice that the log entries include a number of lines with the word GET. Question: What does the word GET mean in this log file? Answer: The GET commands indicate requests from the client to the Web server to retrieve the Web pages and images. 4. Close each of the running virtual machines. Do not save changes so they are reset to default for the next lab.
Results: After examining the configuration of the Web servers logging settings, the current log file was examined and proven to successfully track the Web servers activity.
Lab Answer Key: Configuring Delegation and Remote Administration
Module 6
Contents:
Exercise 1: Configuring Remote Administration Exercise 2: Configuring Delegated Administration Exercise 3: Configuring Feature Delegation 2 6 11
Lab: Configuring Delegation and Remote Administration

Logon Information:
Virtual Machine: NYC-DC1, NYC-WEB-B User Name: Woodgrovebank\Administrator Password: Pa$$w0rd
Estimated time: 60 minutes Note: If you have already logged on to a virtual machine, skip the logon task for that particular virtual machine.
Exercise 1: Configuring Remote Administration

Scenario
You need to be able to configure the server remotely. You must enable remote administration and then test it by accessing the administration features from a remote computer. A new site has been set up and you have been asked to delegate the administration of the site to the business owner. You will need to give the business owner permission to administer their site only, but not the other sites hosted on the server You have been assigned a service request to allow all site owners to administer the error messages for their site. You must unlock the error page feature so that it can be delegated.
Exercise Overview
In this exercise you will practice configuring a Web server for remote administration.
This exercises main tasks are: 1. 2. 3. 4. Start the 6427A-NYC-DC1 virtual machine and log on as Woodgrovebank\Administrator. Start the 6427A-NYC-WEB-B virtual machine and log on as Woodgrovebank\Administrator. Configure NYC-WEB-B for remote administration. Test NYC-WEB-B remote administration.
Task 1: Start the 6427A-NYC-DC1 virtual machine and log on as Woodgrovebank\Administrator

1. 2. On the Lab Launcher, next to 6427A-NYC-DC1, click Launch. Log on to NYC-DC1 as Woodgrovebank\Administrator with the password of Pa$$w0rd.

Task 3: Configure NYC-WEB-B for remote administration

1. On NYC-WEB-B, click Start | Administrative Tools | Internet Information Services (IIS) Manager. In the Internet Information Services (IIS) Manager connections pane, click NYC-WEB-B(WOODGROVEBANK\Administrator). In the details pane, in the Management section, double-click Management Service. Select Enable remote connections. Click Windows credentials or IIS Manager credentials. In the Actions pane, click Apply. Click Start.
2. 3. 4. 5. 6.
Task 4: Test NYC-WEB-B remote administration

1. 2. 3. 4. 5. 6. 7. 8. 9. On NYC-DC1, click Start and click Server Manager. In the Server Manager console pane, click Roles. Right-click Roles, and then click Add Roles. The Add Roles Wizard appears. Click Next. In the Roles box, select Web Server (IIS). The Add Roles Wizard dialog box appears. Click Add Required Features. Click Next twice. In the Role services box, clear all check boxes except for IIS Management Console. Click Next, and then click Install. When the installation completes, click Close.
10. Click Start | Administrative Tools | Internet Information Services (IIS) Manager. 11. In the details pane, click Connect to a server. 12. The Connect to Server wizard appears. In the Server name field, type NYCWEB-B, and then click Next. 13. On the Provide Credentials page, in the User name field, type administrator@woodgrovebank.com. 14. In the Password field, type Pa$$w0rd, and then click Next. 15. The Server Certificate Alert dialog box appears. Click Connect. 16. The Specify a Connection Name dialog box appears. Click Finish. 17. In the Connections pane, expand NYC-WEB-B | Sites and then click Default Web Site. Question: Is the IIS Management Service available for configuration remotely? Answer: No, this service can only be configured locally
18. In the details pane, in the IIS section, double-click Default Document. 19. Click index.htm. 20. In the Actions pane, click Move Up. 21. The Default Document dialog box appears. Click Yes. 22. In the Actions pane, click Move Up.
Results: After completing this exercise, you should have configured the IIS Management Service to accept remote connections and you should have tested a remote connection from NYC-DC1.
Exercise 2: Configuring Delegated Administration

Scenario
Exercise Overview
In this exercise you will practice delegating administration of two web sites to the appropriate business owners. This exercises main tasks are: 1. 2. 3. 4. Configure delegated administration for the Human Resources site. Share the Woodgrove sales Web site for Betsy Stadick. Configure delegated administration for the Sales site. Test delegated administration for the Human Resources and Sales sites.
Task 1: Configure delegated administration for the Human Resources site

1. 2. 3. 4. 5. 6. On NYC-WEB-B, click Start | Computer and then browse to Allfiles(E:)\Mod06\Labfiles. Right-click WoodgroveHRSite, and then click Share. The File Sharing dialog box appears. Type Herbert and then click Add. Next to Herber Dorner, click Reader, and then click Co-owner. Click Share. The Your folder is shared page appears. Click Done.
7. 8. 9.
In the Internet Information Services (IIS) Manger Connections pane, expand Sites, and then click HR. In the details pane, in the Management section, double-click IIS Manager Permissions. In the Actions pane, click Allow User.
10. The Allow User dialog box appears. In the Windows field, type Herbert and then click OK.
Task 2: Share the Woodgrove Sales Web Site for Betsy Stadick
1. 2. 3. 4. 5. 6. In Windows Explorer, browse to E:\Mod06\Labfiles. Right-click WoodgroveSalesSite, and then click Share. The File Sharing dialog box appears. Type Betsy and then click Add. Next to Betsy Stadick, click Reader and then click Co-owner. Click Share. The Your folder is shared page appears. Click Done.
Task 3: Configure delegated administration for the Sales site

1. 2. 3. 4. 5. 6. Click Start, and click Run, then type Notepad, and then press ENTER. The Notepad window opens. On the File menu, click Open. The Open dialog box appears. In the Text Documents list, click All Files. Browse to C:\windows\system32\intesrv\config. Click applicationHost.config, and then click Open. Scroll down to the <authentication> tag and delete the following text:
<anonymousAuthentication enabled="true" userName="IUSR" /> <basicAuthentication enabled="false" /> <clientCertificateMappingAuthentication /> <digestAuthentication /> <iisClientCertificateMappingAuthentication /> <windowsAuthentication />
7. 8.
On the File menu, click Save. On the File menu, click Open.
9.
The Open dialog box appears. Browse to E:\Mod06\Labfiles.
10. Click EnableAnonymousAuthentication.txt, and then click Open. 11. On the Edit menu, click Select All. 12. On the Edit menu, click Copy. 13. On the File menu, click Open. 14. The Open dialog box appears. In the Text Documents list, click All Files. 15. Browse to C:\windows\system32\intesrv\config. 16. Click applicationHost.config, and then click Open. 17. Scroll to the end of the applicationhost.config file and put the cursor on the line before </configuration>. 18. On the Edit menu, click Paste. 19. On the File menu, click Save. 20. Close Notepad.
Task 4: Test delegated administration for the Human Resources and Sales sites
1. 2. 3. 4. 5. 6. 7. 8. 9. On NYC-DC1, click Start | Switch User. Log on as woodgrovebank\herbert with a password of Pa$$w0rd. Click Start | Administrative Tools | Internet Information Services (IIS) Manager. The User Account Control dialog box appears. In the Password field, type Pa$$w0rd, and then click OK. In the details pane, click Connect to a site. The Connect to Site dialog box appears. In the Server name field, type NYCWEB-B. In the Site name field, type HR, and then click Next. The Provide Credentials page appears. In the User name field, type herbert@woodgrovebank.com. In the Password field, type Pa$$w0rd and then click Next.
10. The Server Certificate Alert dialog box appears. Click Connect.
11. The Specify a Connection Name dialog box appears. In the Connection Name field, type Human Resources Site and then click Finish. 12. In the Connections pane, click Start Page. 13. In the details pane, click Connect to a site. 14. The Connect to Site dialog box appears. In the Server name field, type NYCWEB-B. 15. In the Site name dialog box, type Sales, and then click Next. 16. The Provide Credentials page appears. In the User name field, type herbert@woodgrovebank.com. 17. In the Password field, type Pa$$w0rd, and then click Next. 18. The Connect to Site dialog box appears with an error stating that the user is not authorized to connect to the specified computer. Question: Why does this error occur? Answer: This error occurs because Herbert was not granted IIS Manager permission on the Sales site. 19. Click OK. 20. Click Cancel. 21. Close Internet Information Service (IIS) Manager. 22. The Internet Information Service (IIS) Manager dialog box appears, asking if you want to save changes. Click No. 23. Click Start | Switch User. 24. Log on as woodgrovebank\betsy with a password of Pa$$w0rd. 25. Click Start, and click Run, then type Notepad, and then press Enter. 26. The Notepad window opens. On the File menu, click Open. 27. The Open dialog box appears. Browse to E:\Mod06\Labfiles. 28. Click DisableAuthentications, and then click Open. 29. On the Edit menu, click Select All. 30. On the Edit menu, click Copy. 31. On the File menu, click Open.
10
32. The Open dialog box appears. In the File name field, type \\NYC-WEBB\WoodgroveSalesSite\Web.Config and then click Open. 33. Scroll to the end of the Web.Config file and put the cursor on the line before </configuration>. 34. On the Edit menu, click Paste. 35. On the File menu, click Save. 36. Close Notepad. 37. Click Start | Internet Explorer. 38. The Windows Internet Explorer window opens. Browse to http://sales.woodgrovebank.com. 39. Notice error 401 indicating that the user does not have permission to view this page. Question: Why does the server report this error? Answer: The server reports a 401 error because both Anonymous Authentication and Windows Authentication have been disabled. The web server is unable to service a request for a web page if no means for authentication is configured. 40. Click Start, and click Run, then type Notepad, and then press Enter. 41. The Notepad window opens. 42. On the File menu, click Open. 43. The Open dialog box appears. In the File name field, type \\NYC-WEBB\WoodgroveHRSite\Web.Config and then click Open. 44. The Network Error dialog box appears. Click See details and note the resulting error and notice that it says access is denied. 45. Click Cancel twice and then close Notepad.
Results: After completing this exercise, you should have successfully delegated administration for the Human Resources web site to Herbert Dorner and delegated administration for the Sales web site to Betsy Stadick.
11
Exercise 3: Configuring Feature Delegation

Scenario
Exercise Overview
In this exercise you will practice configuring delegated administration so that all site owners can administer the error messages for their site. This exercises main tasks are: 1. 2. Configure feature delegation for the Human Resources and Sales sites. Test feature delegation for the Human Resources site.
Task 1: Configure feature delegation for the Human Resources and Sales sites
1. 2. 3. 4. On NYC-WEB-B, in the Internet Information Services (IIS) Manger Connections pane, click NYC-WEB-B. In the details pane, in the Management section, double-click Feature Delegation. Click Error Pages. In the Actions pane, click Read/Write.
Task 2: Test feature delegation for the Human Resources site

1. 2. On NYC-DC1, click Start | Switch User, Log on as woodgrovebank\herbert with a password of Pa$$w0rd.
12
3. 4. 5. 6. 7. 8. 9.
Click Start | Administrative Tools | Internet Information Services (IIS) Manager. The User Account Control dialog box appears. In the Password field, type Pa$$w0rd, and then click OK. In the details pane, click Connect to a site. The Connect to Site dialog box appears. In the Server name field, type NYCWEB-B. In the Site name dialog box, type HR, and then click Next. The Provide Credentials page appears. In the User name file, type herbert@woodgrovebank.com. In the Password field, type Pa$$w0rd, and then click Next.
10. The Server Certificate Alert dialog box appears. Click Connect. 11. The Specify a Connection Name dialog box appears. In the Connection Name field, type Human Resources Site and then click Finish. 12. In the Connections pane, click Human Resources Site. 13. In the details pane, in the IIS section, double-click Error Pages. 14. Right-click the line beginning with 404, and then click Edit. 15. The Edit Custom Error Page dialog box appears. Click Execute a URL on this site. 16. In the URL (relative to site root) field, type /ErrorPages/custom404.htm and then click OK. 17. Click Start | Internet Explorer. 18. The Internet Explorer window opens. Browse to http://hr.woodgrovebank.com/missingpage.htm. 19. Note that the custom error page is displayed. 20. Close each of the running virtual machines. Do not save changes so they are reset to default for the next lab.
Results: After completing this exercise, you should have successfully configured the Human Resources and Sales sites so that the site owners can customize error pages for each site.
13
Lab Answer Key: Using Command-line and Scripting for IIS 7.0 Administration
Module 7
Contents:
Exercise 1: Manage IIS Web Sites with PowerShell Exercise 2: Use Microsoft.Web.Administration Exercise 3: Automate IIS Administration using Scripts Exercise 4: Navigating IIS tasks using WMI and AppCmd 2 5 7 11
Lab: Using Command-line and Scripting for IIS 7.0

Logon Information:
Virtual Machine: NYC-WEB-B User Name: Woodgrovebank\Administrator Password: Pa$$w0rd
Exercise 1: Manage IIS Web Sites with PowerShell

Scenario
The development team requires additional tools to manage their Websites. First you need to make sure that PowerShell will correctly manage the servers services and make sure it can successfully stop and start the Web service.
Exercise Overview
In this exercise, you will learn how to use PowerShell to manage IIS 7.0. This exercises main tasks are: 1. 2. 3. 4. 5. 6. Start the 6427A-NYC-WEB-B virtual machine and log on as Woodgrovebank\Administrator. Use PowerShell to identify all services. Use PowerShell to identify running services that start with a w. Stop the w3svc service using PowerShell. Start the w3svc service using PowerShell. List PowerShell.exe process using the get-wmiobject cmdlet.

Task 2: Use PowerShell to identify all services

1. On NYC-WEB-B, if Server Manager opens, Close the Server Manager and click Start | All Programs | Windows PowerShell 1.0 | Windows PowerShell. At the Windows PowerShell prompt, type get-service and then press Enter.
2.
Notice the status, name, and display name of each service.
Task 3: Use PowerShell to identify running services that start with a w

1. 2. Type get-service -include w* | sort-object -property status and then press Enter. Notice the list of services that begin with a w with the stopped services listed first.
Task 4: Stop the w3svc service using PowerShell

1. 2. Type stop-service -servicename w3svc and then press Enter. Type get-service -servicename w3svc and then press Enter
Task 5: Start the w3svc service using PowerShell.

1. 2. Type start-service -servicename w3svc and then press Enter. Type get-service -servicename w3svc and then press Enter.
Task 6: List PowerShell.exe process using the get-wmiobject cmdlet

1. 2. Type Get-WmiObject -query "Select * From Win32_Process Where Name = 'powershell.exe'" and then press Enter. Notice the detailed information for the powershell.exe process. Question: What operating system is listed in the details? Answer: Microsoft Windows Server 2008 Enterprise.
Results: After this exercise, you should have successfully identified, stopped and started services using PowerShell.
Exercise 2: Use Microsoft.Web.Administration

Scenario
You need to verify that a script will effectively stop and start using MWA. Run the script and then check to make sure that the service is stopped. Then restart the service using the script and verify that it is started.
Exercise Overview
In this exercise, you will learn how to use MWA to execute a script. This exercises main tasks are: 1. 2. 3. 4. Load Microsoft.Web.Administration.dll. Get Website information with MWA. Create a function using MWA to find Websites. Use the findsite function to list the default Website, the default Website ID, and then stop and start the default Website.
Task 1: Load Microsoft.Web.Administration.dll

1. On NYC-WEB-B, in PowerShell, type [System.Reflection.Assembly]::LoadFrom("C:\windows\system32\inetsrv\ Microsoft.Web.Administration.dll") and then press Enter. Notice the GAC, version and location for the Microsoft.Web.Administration.dll, which signifies the DLL file was loaded.
2.
Task 2: Get Website information with MWA

1. 2. 3. 4. Type (New-Object Microsoft.Web.Administration.ServerManager).Sites and then press Enter. Notice the detailed information for the sites on the server. Type (New-Object Microsoft.Web.Administration.ServerManager).Sites | ForEach-Object {$_.Name} and then press Enter. Notice the names of the Websites on the server.
Task 3: Create a function using MWA to find Websites

Type function findsite {$name=$args[0]; ((New-Object Microsoft.Web.Administration.ServerManager).Sites | Where-Object {$_.Name -match $name}); } and then press Enter. Question: This command line didn't return any values. What did it do? Answer: This command line created the command findsite, which integrates the Microsoft.Web.Administration module into an easy-to-use single command.
Task 4: Use the findsite function to list the default Website, the default Website ID, and then stop and start the default Website
1. 2. 3. 4. 5. 6. 7. 8. Type findsite default* and then press Enter. Notice the detailed information for the default Website. Type (findsite default*).ID and then press Enter. Notice the ID for the default Website: 1. Type (findsite default*).Stop() and then press Enter. Notice the status for the default Website is now stopped. Type (findsite default*).Start() and then press Enter. Notice the output is unknown. Question: Why does the command return an output value of unknown? Answer: Because it attempted to start the default Web site without first checking to see if it was stopped or checking the result. 9. Type (findsite default*).State and then press Enter.
10. Notice the status for the default Website is now started.
Results: After this exercise, you should have successfully used Microsoft.Web.Administration to gather Website information and created a function to start and stop the default Website.
Exercise 3: Automate IIS Administration using Scripts

Scenario
The development team provided you with a script that lists Websites on the server. You need to test and run the script using PowerShell. You also need to deploy several identical Websites using the same default content located on a share. A PowerShell script will be used to automate this task.
Exercise Overview
In this exercise, you will learn how to use a PowerShell scripts. This exercises main tasks are: 1. 2. 3. 4. 5. 6. 7. Create Microsoft.PowerShell profile script to automatically load assemblies. Set execution policy to unrestricted. Add a global variable to profile script. List sites using global variable. Use PowerShell script to find sites. Review and run a script to create a Website. Use PowerShell script to verify site was created.
Task 1: Create Microsoft.PowerShell profile script to automatically load assemblies

1. On NYC-WEB-B, in PowerShell, type if (test-path $profile) {echo "Path exists."} else {new-item -path $profile -itemtype file -force}; notepad $profile and then press Enter. The Notepad window opens. Type the following:
echo "Microsoft IIS 7.0 Environment Loader" echo "Copyright 2006 Microsoft Corporation. All rights reserved." echo "Loading IIS 7.0 Managed Assemblies" $inetsrvDir = (join-path -path $env:windir -childPath "\system32\inetsrv\") Get-ChildItem -Path (join-path -path $inetsrvDir -childPath "Microsoft*.dll") | ForEach-Object {[System.Reflection.Assembly]::LoadFrom((join-path -path $inetsrvDir -childPath $_.Name))} echo "Assemblies loaded."
2.
3.
On the File menu, click Save.
Task 2: Set execution policy to unrestricted

1. 2. 3. 4. Minimize but do not close Notepad. In Windows PowerShell, type get-executionpolicy and then press Enter. Notice the executionpolicy is set to restricted. Type set-ExecutionPolicy Unrestricted and then press Enter.
Task 3: Add a global variable to profile script

1. 2. 3. In Notepad, at the end of the script, type, new-variable iismgr -value (NewObject Microsoft.Web.Administration.ServerManager) -scope "global". On the File menu, click Save. Minimize but do not close Notepad.
Task 4: List sites using global variable

1. 2. 3. 4. Close Windows PowerShell and then reopen it. Notice the script information that now executes when you open PowerShell. Type $iismgr.Sites and then press Enter. Notice the site information that is displayed.
Task 5: Use PowerShell script to find sites

1. 2. 3. 4. 5. 6. 7. 8. 9. Close Windows PowerShell. Click Start | Computer, and then browse to E:\Mod07\Labfiles\Scripts. Right-click iis.type.ps1xml, and then click Edit. The Notepad window opens. Review the code. On the File menu, click Save As. The Save As dialog box appears. In the Save as type list, click All Files. Browse to C:\windows\System32\WindowsPowerShell\v1.0 and then click Save. Close Notepad. Restore Notepad, at the end of the script, type the following:
new-variable iissites -value (New-Object Microsoft.Web.Administration.ServerManager).Sites -scope "global" new-variable iisapppools -value (New-Object Microsoft.Web.Administration.ServerManager).ApplicationPools -scope "global" update-typedata -append (join-path -path $PSHome -childPath "iis.types.ps1xml")
10. On the File menu, click Save. 11. Close Notepad. 12. Click Start | All Programs | Windows PowerShell 1.0 | Windows PowerShell. 13. The Windows PowerShell window opens. Type $iissites.Find("^Default*") and then press Enter.
10
14. Notice the details for the default Website are listed.
Task 6: Review and run a script to create a default Website in PowerShell

1. 2. 3. 4. In Windows Explorer, browse to E:\Mod07\Labfiles\Scripts\CreateWebsite\CreateWebsite\CreateWebsite. Double-click CreateWebsite.cs. The Notepad window opens. Review the code, and then close Notepad. In Windows Explorer, browse to E:\Mod07\Labfiles\Scripts\CreateWebsite\CreateWebsite\CreateWebsite \bin\Debug. Right-click CreateWebsite.exe, and then click Copy. Browse to C:\ and then click Paste. In Windows PowerShell, type c:\CreateWebsite.exe and then press Enter.
5. 6. 7.
Task 7: Use PowerShell script to verify Website was created

1. 2. Type $iissites.Find("^NewSite*") and then press Enter. Notice the details for the new Website are listed.
Results: After this exercise, you should have successfully created a Microsoft.PowerShell profile script. You should have also used a saved script to list Website. Finally, you should have successfully created a site named NewSite.
11
Exercise 4: Manage IIS tasks using WMI and AppCmd

Scenario
You need to verify which tasks are running on the server. Use WMI and AppCmd to display the list of running tasks.
Exercise Overview
In this exercise, you will use WMI and AppCmd for IIS administration. This exercises main tasks are: 1. 2. 3. 4. 5. 6. Use AppCmd to identify tasks running on the Web server. Use AppCmd to identify all running application pools. Use AppCmd to recycle all running application pools. Move all applications in a site to NewAppPool application pool. Store configuration information to file, and then restore the configuration information. Use WMI to list the Default Web Site on the Web server.
Task 1: Use AppCmd to identify tasks running on the Web server

1. 2. 3. 4. On NYC-WEB-B, click Start | Command Prompt. Type cd \windows\system32\inetsrv and then press Enter. Type appcmd list wp and then press Enter. Notice this command lists the current running worker processes. If the command doesnt list any results, there arent any worker processes running.
Task 2: Use AppCmd to identify all running application pools

1. 2. Type appcmd list apppool and then press Enter. Notice the currently running application pools are listed.
12
Task 3: Use AppCmd to recycle all running application pools

1. 2. Type appcmd list apppool /xml | appcmd recycle apppool /in and then press Enter. Notice the message is displayed DefaultAppPool successfully recycled.
Task 4: Move all applications in a site to NewAppPool application pool

1. 2. Type appcmd list app /site.name:"NewSite" /xml | appcmd set app /in /applicationPool:NewAppPool and then press Enter Notice the following is displayed APP object NewSite/ changed.
Task 5: Store configuration information to file, and then restore the configuration information
1. 2. 3. Type appcmd list config "Default Web Site/" /section:caching /xml /config > config.xml and then press Enter. Type appcmd set config "Default Web Site/" /in < config.xml and then press Enter. Notice the configuration changes were applied to the Default Web Site.
Task 6: Use WMI to list the Default Web Site on the Web server
1. 2. Click Start, type Notepad and then press Enter. The Notepad window opens. Type:
Set oIIS = GetObject("winmgmts:root\WebAdministration") Set oSite = oIIS.Get("Site.Name='Default Web Site'") WScript.Echo "Retrieved an instance of Site" WScript.Echo "Name: " & oSite.Name WScript.Echo "ID: " & oSite.ID
3. 4. 5. 6.
On the File menu, click Save. The Save As dialog box appears. In the File name field, type C:\GetSite.vbs. In the Save as type list, click All Files, and then click Save. Close Notepad.
13
7. 8. 9.
From the command prompt, type cd \, and then press Enter. Type cscript //h:cscript, and then press Enter. Notice the default script has been set to cscript.exe.
10. Type getsite.vbs, and then press Enter. 11. Notice the Web site name and ID are displayed. 12. Close each of the running virtual machines. Do not save changes so they are reset to default for the next lab.
Results: After this exercise, you should have successfully used AppCmd to recycle application pools, move application and store configuration information to a file. You should have also successfully identified the default Website using WMI.
Lab Answer Key: Tuning IIS 7.0 for Improved Performance
Module 8
Contents:
Exercise 1: Deploying Applications Exercise 2: Configuring IIS Performance Options Exercise 3: Managing Application Pools to Improve Performance 2 6 10
Lab: Tuning IIS 7.0 for Improved Performance

Logon Information:
Virtual Machine: NYC-DC1, NYC-WEB-A User Name: Woodgrovebank\Administrator Password: Pa$$w0rd
Exercise 1: Deploying Applications

Scenario
You receive a request to deploy a second copy of an installed application, and then deploy updates to the new installation so that the Enterprise Design QA team can test the proposed updates.
Exercise Overview
In this exercise, students will learn how to deploy an application, as well as application updates, with Xcopy. This exercises main tasks are: 1. 2. 3. 4. 5. 6. 7. Start the 6427A-NYC-DC1 virtual machine. Start the 6427A-NYC-WEB-A virtual machine and log on as Woodgrovebank\Administrator. Add ASP.NET and Dynamic Content Compression features to the IIS Role. Create the SalesSupport application and copy the ASP.NET application files. Deploy a second copy of the SalesSupport application named SalesSupport2 using Xcopy. Deploy the application updates to SalesSupport2 using Xcopy. Create and assign an application pool for SalesSupport2 and test functionality.


Task 3: Add ASP.NET and Dynamic Content Compression features to the IIS Role
1. 2. 3. 4. 5. 6. 7. 8. On NYC-WEB-A, click Start and click Server Manager. In Server Manager console pane, expand Roles and then click Web Server (IIS). Right-click Web Server (IIS), and then click Add Role Services. The Add Role Services dialog box appears. In the Role services box, select ASP.NET. The Add Role Services box appears. Click Add Required Role Services. In the Performance section, select Dynamic Content Compression. Click Next and then click Install. When the installation completes, click Close. In the details pane, in the Role Services section, notice that ASP.NET and Dynamic Content Compression are listed as Installed.
1. 2. Click Start | Administrative Tools | Internet Information Services (IIS) Manager. In the Connections pane, expand NYC-WEB-A | Sites and then click Default Web Site.
3. 4. 5. 6. 7. 8. 9.
In the Actions pane, click View Applications. Click Add Application. The Add Application dialog box appears. In the Alias field, type SalesSupport. Next to the Physical path field, click the Browse (...) button. The Browse For Folder dialog box appears. Browse to C:\inetpub\wwwroot, and then click Make New Folder. Type SalesSupport and then click OK. Click OK.
10. Click Start | Computer and then browse to E:\Mod08\Labfiles\SalesSupport. 11. Select all, then right-click and click Copy. 12. Browse to C:\inetpub\wwwroot\SalesSupport, right-click, and then click Paste.
Task 5: Deploy a second copy of the SalesSupport application named SalesSupport2 using Xcopy
1. 2. 3. 4. 5. Click Start | Command Prompt. Type cd \inetpub\wwwroot and then press Enter. Type md SalesSupport2 and then press Enter. Type xcopy /e SalesSupport\*.* SalesSupport2. Notice that 36 files are copied.
Task 6: Deploy the application updates to SalesSupport2 using Xcopy

1. 2. 3. 4. 5. At the command prompt, type E: and then press Enter. Type cd \Mod08\Labfiles\SalesSupport2 and then press Enter. Type xcopy /e *.* c:\inetpub\wwwroot\salessupport2 and then press Enter. When prompted to overwrite files, press A for all. In Internet Information Services (IIS) Manager, in the Connections pane, click Default Web Site.
6. 7. 8. 9.
In the Actions pane, click View Applications. lick Add Application. The Add Application dialog box appears. In the Alias field, type SalesSupport2. Next to the Physical path field, click the Browse (...) button.
10. The Browse For Folder dialog box appears. Browse to C:\inetput\wwwroot\SalesSupport2, and then click OK twice.
Task 7: Create and assign an application pool for SalesSupport2 and test functionality
1. 2. 3. 4. 5. 6. 7. 8. 9. In the Connections pane, click Application Pools. In the Actions pane, click Add Application Pool. The Add Application Pool dialog box appears. In the Name field, type SalesSupport2 and then click OK. In the Connections pane, expand Default Web Site and then click SalesSupport2. In the Actions pane, click Basic Settings. The Edit Application dialog box appears. Click Select. The Select Application Pool dialog box appears. In the Application pool list, click SalesSupport2, and then click OK twice. Click Start | All Programs | Internet Explorer. The Windows Internet Explorer window opens. Browse to http://localhost/salessupport.
10. Notice that the Woodgrove Bank Sales Support page loads successfully. 11. In Internet Explorer, browse to http://localhost/salessupport2. 12. Notice that the Woodgrove Bank Sales Support page version 2.0 loads successfully.
Results: After this exercise, you should have successfully verified that the ASP.NET role service is installed, deployed that SalesSupport2 application, and verified functionality.
Exercise 2: Configuring IIS Performance Options

Scenario
Next you will configure performance options for the SalesSupport application. First, you will use Performance Monitor to look at the current machine performance. Then you will configure and test output caching, compression, and throttling.
Exercise Overview
In this exercise, students will learn how to configure IIS Performance Options. This exercises main tasks are: 1. 2. 3. 4. Use Performance Monitor to measure performance. Configure Output Caching. Configure Compression. Configure connection limit throttling.
Task 1: Use Performance Monitor to measure performance

1. 2. 3. 4. 5. 6. 7. 8. 9. On NYC-WEB-A, click Start | Administrative Tools | Reliability and Performance Monitor. In the console pane, click Performance Monitor. In the details pane, right-click the graph, and then click Remove All Counters. The Performance Monitor Control dialog box appears. Click OK. Above the graph, click the Add button (green plus). The Add Counters dialog box appears. In the Available counters list, scroll down, and then expand Web Service. Click Bytes Sent/sec. In the Instances of selected object field, click <All instances>. Click Add, and then click OK.
10. With Reliability and Performance monitor running, in Internet Explorer, browse to http://localhost/salessupport/test.aspx. 11. After the page loads, click Refresh several times rapidly. Notice that the dynamically generated time updates each time you refresh.
12. Close Internet Explorer. 13. In Reliability and Performance Monitor, notice that the graph reflects the throughput. Note that you can right-click the graph and then click Scale Selected Counters to get a better representation. You may need to do this a couple of times to get a zoomed in view of the data.
Task 2: Configure Output Caching

1. In Internet Information Services (IIS) Manager, in the Connections pane, expand NYC-WEB-A(WOODGROVEBANK)| Sites | Default Web Site and then click SalesSupport. In the details pane, in the IIS section, double-click Output Caching. In the Actions pane, click Add. The Add Cache Rule dialog box appears. In the File name extension field, type .aspx. Select Kernel-mode caching. Click At time intervals, and then delete the existing text and type 00:00:10. Click OK. Open Internet Explorer, and browse to http://localhost/salessupport/test.aspx. Click Refresh several times rapidly for at least 30 seconds.
2. 3. 4. 5. 6. 7. 8. 9.
10. Notice that the time updates only every 10 seconds after the first couple of loads and that the subsequent loads are much faster. 11. In Internet Explorer, browse to http://localhost/salessupport2/test.aspx. 12. Click Refresh several times rapidly. 13. Notice that the time updates with each load. 14. In Reliability and Performance monitor, compare the two peaks for throughput on the graph. Notice that the first peak has higher throughput than the second.
Task 3: Configure Compression

1. In Internet Explorer, browse to http://localhost.
2. 3. 4. 5. 6. 7. 8. 9.
Click Refresh several times rapidly. In Reliability and Performance Monitor, note the throughput on the graph. In Internet Information Services (IIS) Manager, in the Connections pane, click Default Web Site. In the details pane, in the IIS section, double-click Compression. Clear the Enable static content compression check box. In the Actions pane, click Apply. In Internet Explorer, browse to http://localhost. Click Refresh several times rapidly.
10. In Reliability and Performance Monitor, note the throughput on the graph. There should not be much change for static compression. Question: Why does the graph show little or no change? Answer: Static compression is cached. Only the first page load requires processing the compression. 11. In Internet Explorer, browse to http://localhost/SalesSupport/test.aspx. 12. Click Refresh several times rapidly. 13. In Reliability and Performance Monitor, note the throughput on the graph. 14. In Internet Information Services (IIS) Manager, in the details pane, select Enable dynamic content compression. 15. In the Actions pane, click Apply. 16. In Internet Explorer, browse to http://localhost/SalesSupport/test.aspx. 17. Click Refresh several times rapidly. 18. Close Internet Explorer. 19. In Reliability and Performance Monitor, note the throughput on the graph. The throughput has decreased because dynamic compression negates dynamic output caching.
Task 4: Configure connection limit throttling

1. 2. Open Internet Explorer, and browse to http://localhost. Right click the IIS7 tab, and then click New Tab.
3. 4. 5. 6. 7. 8. 9.
In the new tab, browse to http://localhost. Repeat to create another new tab, and then browse to http://localhost. You should have three tabs open. Right-click one of the tabs, and then click Refresh All. Notice that all of the tabs refresh successfully. Close Internet Explorer. In the Internet Explorer dialog box, click Close Tabs. In Internet Information Services (IIS) Manager, in the Connections pane, click Default Web Site. In the Actions pane, click Limits.
10. The Edit Web Site Limits dialog box appears. Select Limit number of connections. 11. In the Limit number of connections field, type 1. 12. Click OK. 13. Open Internet Explorer, and browse to http://localhost in three tabs. 14. In Internet Explorer, right-click one of the tabs, and then click Refresh All. 15. Notice that at least one of the tabs now reports Service Unavailable. 16. Close Internet Explorer. In the Internet Explorer dialog box, click Close Tabs.
Results: After this exercise, you should have configured performance options and verified functionality.
10
Exercise 3: Managing Application Pools to Improve Performance

Scenario
You will now modify the application pools to improve resource usage.
Exercise Overview
In this exercise, students will learn how to manage application pools to improve performance. This exercises main tasks are: 1. 2. 3. Use Reliability and Performance Monitor to measure resource usage. Recycle an application pool. Assign SalesSupport and SalesSupport2 to the same application pool.
Task 1: Use Reliability and Performance Monitor to measure resource usage

1. 2. 3. 4. 5. 6. On NYC-WEB-A, open Internet Explorer, and browse to http://localhost/salessupport. Open a second tab and browse to http://localhost/salessupport2. In Reliability and Performance Monitor, in the console pane, click Reliability and Performance. In the details pane, expand Memory. Click the Image column heading to sort by image name, and then scroll down to w3wp.exe. Notice that there are two instances running. Note the amount of memory being used by each in the Commit (KB) and Working Set (KB) columns.
Task 2: Recycle an application pool

1. 2. 3. In Internet Information Services (IIS) Manager, in the Connections pane, click Application Pools. In the details pane, click SalesSupport2. In the Actions pane, click Recycle.
11
4. 5.
In Reliability and Performance Monitor, notice that one of the w3wp.exe processes consumes less memory. Close Internet Explorer. In the Internet Explorer dialog box, click Close Tabs.
Task 3: Assign SalesSupport and SalesSupport2 to the same application pool

1. 2. 3. 4. 5. 6. 7. 8. 9. In Internet Information Services (IIS) Manager, in the Connections pane, click SalesSupport2. In the Actions pane, click Basic Settings. The Edit Application dialog box appears. Click Select. The Select Application Pool dialog box appears. In the Application pool list, click DefaultAppPool. Click OK twice. In the Connections pane, click Application Pools. In the details pane, click SalesSupport2. In the Actions pane, click Remove. The Confirm Remove dialog box appears. Click Yes.
10. Open Internet Explorer, and browse to http://localhost/salessupport. 11. Open a second tab and browse to http://localhost/salessupport2. 12. In Reliability and Performance Monitor, notice that is now only one w3wp.exe process and less total memory consumed. 13. Close each of the running virtual machines. Do not save changes so they are reset to default for the next lab.
Results: After this exercise, you should have recycled and consolidated application pools, and verified resource usage with Reliability and Performance Monitor.
Lab Answer Key: Ensuring Web Site Availability with Web Farms
Module 9
Contents:
Exercise 1: Backing Up an IIS Web Site Exercise 2: Restoring an IIS Web Site Exercise 3: Enabling Shared Configurations Exercise 4: Configuring Network Load Balancing 2 5 7 11
Lab: Ensuring Web Site Availability with Web Farms

Logon Information:
Virtual Machine: NYC-DC1, NYC-WEB-D, NYC-WEB2 User Name: Woodgrovebank\Administrator Password: Pa$$w0rd
Exercise 1: Backing Up an IIS Web Site

Scenario
The Enterprise Design Team has asked you to explore options for increasing Web site availability. Before you begin, you will back up an existing site and verify that it can be restored properly.
Exercise Overview
In this exercise, students will learn how to back up a Web site. Use the virtual disk drive E: for the backup drive, as a stand-in for a remote storage device. This exercises main tasks are: 1. 2. 3. 4. Start the 6427A-NYC-DC1 virtual machine. Start the 6427A-NYC-WEB-D virtual machine and log on as Woodgrovebank\Administrator. Start the 6427A-NYC-WEB2 virtual machine and log on as Woodgrovebank\Administrator. Backup the Web site, Web application, and config files to the E: drive.
Note: If you have already logged on to a virtual machine, skip the logon task for that particular virtual machine. Task 1: Start the 6427A-NYC-DC1 virtual machine
On the Lab Launcher, next to 6427A-NYC-DC1, click Launch.
Task 2: Start the 6427A-NYC-WEB-D virtual machine and log on as Woodgrovebank\Administrator

1. 2. On the Lab Launcher, next to 6427A-NYC-WEB-D, click Launch. Log on to NYC-WEB-D as Woodgrovebank\Administrator with the password of Pa$$w0rd.
Task 3: Start the 6427A-NYC-WEB2 virtual machine and log on as Woodgrovebank\Administrator

1. 2. On the Lab Launcher, next to 6427A-NYC-WEB2, click Launch. Log on to NYC-WEB2 as Woodgrovebank\Administrator with the password of Pa$$w0rd.
Task 4: Backup the Web site, Web application, and config files to the E: drive
1. 2. 3. 4. 5. 6. 7. 8. On NYC-WEB-D, click Start | Computer, and then browse to E:. In the File menu, click New | Folder. Type Web Site Backup, and then press Enter. Browse to\\NYC-WEB-D\E\Web Site Backup. Browse to C:\inetpub\wwwroot. In the details pane, select all, right-click, and then click Copy. Browse to \\NYC-WEB-D\E\Web Site Backup, right-click and then click Paste. Notice that the Web site files are now backed up to this shared folder.
Results: After this exercise, you should have successfully backed up a web site.
Exercise 2: Restoring an IIS Web Site

Scenario
The Enterprise Design Team has asked you to verify that the backups can be restored properly. Do this by restoring the Web files to a second server and confirm that the second server functions properly.
Exercise Overview
In this exercise, students will learn how to restore a Web site. This exercises main task is: Restore the Web site, Web application, and config files from the shared drive.
Task 1: Restore the Web site, Web application, and config files from the shared drive
1. 2. 3. 4. 5. 6. 7. 8. On NYC-WEB2, on the desktop, click Start | Administrative Tools | Internet Information Services (IIS) Manager. In the Connections pane, expand NYC-WEB2 | Sites, and then click Default Web Site. In the Actions pane, click Browse *:80 (http). The Microsoft Internet Explorer window opens. Notice that the IIS 7.0 default page is displayed. Click Start | Computer, and then browse to C:\inetpub\wwwroot. Notice that the folder contains the two IIS 7.0 default Web site files, iisstart.htm and welcome.png, and the aspnet_client folder. Browse to the networked computer NYC-WEB-D. If the NYC-WEB-D computer is not displayed in the details pane, network discovery may be turned off. Click the notice bar, and then click Turn on network discovery and file sharing. Browse to\\NYC-WEB-D\E\Web Site Backup.
9.
10. In the details pane, select all, right-click and then click Copy. 11. Browse to C:\inetpub\wwwroot, right-click and then click Paste.
12. If a Copy File dialog box appears, indicating that you are about to overwrite any files or folders, click Copy and Replace. 13. If a Confirm Folder Replace dialog box appears, indicating that you are about to overwrite a folder, click Yes. 14. Notice that the new Web site files are now copied to this location. 15. In Internet Explorer, click the Refresh button. 16. Notice that the Woodgrove Bank Web site has been deployed on the second Web server. Question: What process on the Web server led to the Woodgrove Bank Web site being displayed instead of the IIS 7.0 default Web site? Answer: After the Woodgrove Bank Web site files were copied to the second Web server, the default file default.aspx superseded the file iisstart.htm.
Results: After this exercise, you should have successfully restored a web site to a second server.
Exercise 3: Enabling Shared Configurations

Scenario
The next step is for increasing Web site availability. Now that you have two identically configured Web servers, implement shared configurations for them.
Exercise Overview
In this exercise, students will learn how to enable shared configuration. This exercises main tasks are: 1. 2. 3. Export and Enable Shared Configuration. Add the second Web server to use the Shared Configuration. Test the Shared Configuration.
Task 1: Export and Enable Shared Configuration

1. 2. 3. 4. 5. On NYC-WEB-D, click Start | Administrative Tools | Internet Information Services (IIS) Manager. In the Connections pane, click NYC-WEB-D. In the details pane, in the Management section, double-click Shared Configuration. In the Actions pane, click Export Configuration. The Export Configuration dialog box appears, allowing you to export the local configuration files, settings, and encryption keys. In the Physical path field, type \\NYC-WEB-D\E. In the Encryption keys password and Confirm password fields, type Pa$$w0rd. Click OK. The Export Configuration dialog box appears indicating that the files were exported successfully. Click OK. In the details pane, select Enable shared configuration.
6. 7. 8. 9.
10. In the Physical Path field, type \\NYC-WEB-D\E. 11. In the User name field, type Woodgrovebank\Administrator. 12. In the Password and Confirm password fields, type Pa$$w0rd.
13. In the Actions pane, click Apply. 14. The Encryption Keys Password dialog box appears for you to enter the encryption key. In the Enter encryption key password field, type Pa$$w0rd. 15. Click OK. 16. The Shared Configuration dialog box appears, indicating that the current encryption keys were backed up. Click OK. 17. The Shared Configuration dialog box appears, indicating that IIS Manager and Management service must be restarted for these changes to be completed. Click OK. 18. Close Internet Information Services (IIS) Manager. 19. Click Start | Administrative Tools Internet Information Services (IIS) Manager. 20. In the Connections pane, click NYC-WEB-D. 21. In the details pane, in the Management section, double-click Management Service. 22. In the Actions pane, click Start.
Task 2: Add the second Web server to use the Shared Configuration
1. 2. 3. 4. 5. 6. 7. 8. 9. On NYC-WEB2, in Internet Information Services (IIS) Manager, in the Connections pane, click NYC-WEB2. In the details pane, in the Management section, double-click Shared Configuration. Select Enable shared configuration. In the Physical Path field, type \\NYC-WEB-D\E. In the User name field, type Woodgrovebank\Administrator. In the Password and Confirm password fields, type Pa$$w0rd. In the Actions pane, click Apply. The Encryption Keys Password dialog box appears. In the Enter encryption key password field, type Pa$$w0rd. Click OK.
10. The Shared Configuration dialog box appears, indicating that the current encryption keys were backed up. Click OK. 11. The Shared Configuration dialog box appears, indicating that IIS Manager and Management service must be restarted for these changes to be completed. Click OK. 12. Close Internet Information Services (IIS) Manager. 13. Click Start | Administrative Tools | Internet Information Services (IIS) Manager. 14. In the Connections pane, click NYC-WEB2. 15. In the details pane, in the Management section, double-click Management Service. 16. In the Actions pane, click Start.
10
Task 3: Test the Shared Configuration

1. 2. 3. 4. On NYC-WEB-D, in Internet Information Services (IIS) Manager, in the Connections pane, click NYC-WEB-D. In the details pane, in the IIS section, double-click Default Document. In the Actions pane, click Add. The Add Default Document dialog box appears to allow us to add a default document to test the shared configuration. In the Name field, type test.html and then click OK. On NYC-WEB2, in Internet Information Services (IIS) Manager, in the Connections pane, click NYC-WEB2. In the details pane, in the IIS section, double-click Default Document. Notice that the default document test.html has been added to the top of the list for the second Web server as well, Question: Why has the default document test.html has been added to the top of the list for the second Web server as well? Answer: The default document test.html has been added to the top of the list for the second Web because both servers are using shared configuration.
Results: After this exercise, you should have successfully configured a two-server network with an underlying foundation of shared configurations.
5. 6. 7.
11
Exercise 4: Configuring Network Load Balancing

Scenario
With the two Web servers set up with Shared Configurations, configure Network Load Balancing to increase Web site availability.
Exercise Overview
In this exercise, students will ensure Web site availability by implementing Network Load Balancing. This exercises main tasks are: 1. 2. 3. 4. Create a new Network Load Balancing cluster. Add the second host to the Network Load Balancing cluster. Add the second server to the Network Load Balancing cluster. Verify Network Load Balancing using NLB commands.
Task 1: Create a new Network Load Balancing cluster

1. 2. 3. On NYC-WEB-D, click Start | Administrative Tools | Network Load Balancing Manager. In the console pane, right-click Network Load Balancing Clusters and then click New Cluster. The New Cluster: Connect dialog box appears. Start the process by connecting to the Network Load Balance host computer. In the Host field, Type NYC-WEB-D, and then click Connect. Make sure the Local Area Connection interface with Interface IP address 10.10.0.21 is highlighted, and then click Next. The New Clusters: Host Parameter page shows the dedicated IP addresses and the initial host state. Click Next. The New Clusters: Cluster IP Addresses page allows you to add cluster IP addresses that are shared by every member of the cluster. Click Add. The Add IP Address dialog box appears, allowing you to add IPv4 or IPv6 addresses to the cluster. In the Add IPv4 address field, type 10.10.0.27. In the Subnet mask field, type 255.255.0.0, and then click OK. Make sure the newly added cluster IP address is highlighted. Click Next.
4. 5. 6. 7. 8. 9.
12
10. The New Clusters: Cluster Parameters page allows you to modify the operation mode of the cluster IP addresses. In the Full Internet name field, type cluster.woodgrovebank.com. 11. Click Multicast. 12. Click Next. 13. The New Clusters: Port Rules page allows you to add, edit, and remove cluster IP address port rules. Click Finish. Wait for the operation to complete before continuing.
Task 2: Add the second host to the Network Load Balancing cluster
1. 2. In the console pane, right-click cluster.woodgrovebank.com and then click Add Host to Cluster. The Add Host to Cluster: Connect dialog box appears. Add the second host computer. In the Host field, Type NYC-WEB2, and then click Connect. Wait for the operation to complete before continuing. Make sure the Local Area Connection interface with Interface IP address 10.10.0.26 is highlighted, and then click Next. The New Clusters: Host Parameter page shows the dedicated IP addresses and the initial host state. Make sure that the Priority (unique host identifier) is 2, and then click Next. The New Clusters: Port Rules page allows you to add, edit, and remove cluster IP address port rules. Click Finish. Wait for the operation to complete before continuing.
3. 4.
5.
Task 3: Add the second server to the Network Load Balancing cluster
1. 2. On NYC-WEB2, Click Start, click Administrative Tools, and then click Network Load Balancing Manager. The Network Load Balancing Manager window opens and loads the current cluster. The Warning dialog box appears, presenting a warning about running NLB in Unicast mode. Click OK.
Task 4: Verify Network Load Balancing using NLB commands

1. Click Start | Command Prompt.
13
2. 3. 4. 5. 6. 7. 8.
Type NLB query 10.10.0.27 and then press Enter. Notice that the NLB command indicates that host 2 has entered a converging state with the cluster. On NYC-WEB-D, click Start | Command Prompt. Type NLB query 10.10.0.27 and then press Enter. Notice that the NLB command indicates that host 1 has entered a converging state with the cluster. Type NLB display and then press Enter. The results show very detailed information about the cluster and its current state. Scroll to the top of the displayed information to examine the Configuration section. Close each of the running virtual machines. Do not save changes so they are reset to default for the next lab.
Results: After this exercise, you should have successfully configured network load balancing on a two-server network, with an underlying foundation of shared configurations.
9.
Lab Answer Key: Troubleshooting IIS 7.0 Web Servers
Module 10
Contents:
Exercise 1: Troubleshooting Authentication Exercise 2: Troubleshooting Authorization Exercise 3: Troubleshooting Communication Exercise 4: Troubleshooting Configuration 2 5 8 10
Lab: Troubleshooting IIS 7.0 Web Servers

Logon Information:
Virtual Machine: NYC-DC1, NYC-WEB-E User Name: Woodgrovebank\Administrator Password: Pa$$w0rd
Exercise 1: Troubleshooting Authentication

Scenario
You receive a service request asking to resolve a user issue. The passwordprotected intranet site is accessed by domain users within the company, but is not allowing access to anyone. Using logs and detailed error messages, you must resolve the problem.
Exercise Overview
In this exercise, you will troubleshoot an authentication issue using IIS logs and detailed error messages. This exercises main tasks are: 1. 2. 3. 4. 5. 6. 7. Start the 6427A-NYC-DC1 virtual machine and log on as Woodgrovebank\Administrator. Start the 6427A-NYC-WEB-E virtual machine and log on as Woodgrovebank\Administrator. Browse to http://localhost/salessupport. Examine the log file. Enable Detailed Error Messages. Reproduce the issue and examine the detailed error. Resolve the issue and test functionality.
Note: If you have already logged on to a virtual machine, skip the logon task for that particular virtual machine. Task 1: Start the 6427A-NYC-DC1 virtual machine and log on as Woodgrovebank\Administrator
1. 2. On the Lab Launcher, next to 6427A-NYC-DC1, click Launch. Log on to NYC-DC1 as Woodgrovebank\Administrator with the password of Pa$$w0rd.
Task 2: Start the 6427A-NYC-WEB-E virtual machine and log on as Woodgrovebank\Administrator

1. 2. On the Lab Launcher, next to 6427A-NYC-WEB-E, click Launch. Log on to NYC-WEB-E as Woodgrovebank\Administrator with the password of Pa$$w0rd.
Task 3: Browse to http://localhost/salessupport

1. 2. 3. On NYC-WEB-E, click Start | All Programs | Internet Explorer. The Windows Internet Explorer window opens. Browse to http://localhost/salessupport. Notice the Server Error: 401 Unauthorized message.
Task 4: Examine the log file

1. 2. 3. 4. Click Start | Computer and then browse to C:\inetpub\logs\LogFiles\W3SVC1. Double-click the most recent log file. The Notepad window opens. Scroll to the far right and examine the last entries in the log file. Notice that the status is 401 and substatus is 2. Close Notepad.
Task 5: Enable Detailed Error Messages

1. Click Start | Administrative Tools | Internet Information Services (IIS Manager).
2. 3. 4. 5.
In the Connections pane, expand NYC-WEB-E | Sites | Default Web Site and then click SalesSupport. In the details pane, in the IIS section, double-click Error Pages. In the Actions pane, click Edit Feature Settings. The Edit Error Pages Settings dialog box appears. Click Detailed errors for local requests and custom error pages for remote requests, and then click OK.
Task 6: Reproduce the issue and examine the detailed error

1. 2. 3. In Internet Explorer, browse to http://localhost/salessupport. Notice the detailed error message reports HTTP Error 401.2 - Unauthorized. Scroll down to Most likely causes. Notice the first cause is No authentication protocol (including anonymous) is selected in IIS.
Task 7: Resolve the issue and test functionality

1. 2. 3. 4. 5. 6. 7. 8. 9. In Internet Information Services (IIS) Manager, click SalesSupport. In the details pane, in the IIS section, double-click Authentication. Notice that all authentication methods are Disabled. In the details pane, click Basic Authentication. In the Actions pane, click Enable. In the details pane, notice that Basic Authentication is Enabled, and all other authentication methods are Disabled. In Internet Explorer, browse to http://localhost/salessupport. Notice that you are prompted for credentials. For User name, type Yvonne. For Password type Pa$$w0rd and then click OK.
10. Notice that the SalesSupport application now loads without error. 11. Close Internet Explorer.
Results: After this exercise, you should have successfully examined the IIS log files, enabled detailed error messages, and resolved the authentication issue.
Exercise 2: Troubleshooting Authorization

Scenario
You receive another service request to secure another Web site where all users are able to view the content. You must reproduce the issue, determine the cause, and resolve the issue.
Exercise Overview
In this exercise, you will troubleshoot authorization using Failed Request Tracing. This exercises main tasks are: 1. 2. 3. 4. Browse to http://localhost/salessupport2. Enable Failed Request Tracing and add a rule to trace successful requests. Reproduce the issue and examine the Failed Request Tracing log. Resolve the issue and verify functionality.
Task 1: Browse to http://localhost /salessupport2

1. 2. 3. On NYC-WEB-E, in Internet Explorer, browse to http://localhost/salessupport2. Notice that you are not prompted for credentials and the page loads without error. Close Internet Explorer.
Task 2: Enable Failed Request Tracing and add a rule to trace successful requests
1. 2. 3. 4. In Internet Information Services (IIS) Manager, in the Connections pane, click Default Web Site. In the Actions pane, click Failed Request Tracing. The Edit Web Site Failed Request Tracing Settings dialog box appears. Select Enable, and then click OK. In the Connections pane, click SalesSupport2.
5. 6. 7. 8.
In the details pane, in the IIS section, double-click Failed Request Tracing Rules. In the Actions pane, click Add. The Add Failed Request Tracing Rule dialog box appears. Click Next. Under Status code(s), type 200, and then click Next. Question: Why do we use status code 200 for this issue? Answer: Status code 200 is used for a successful page load in IIS. Since the page is loading without error, we must use the status code 200 to trace the issue.
9.
Under Providers, clear ASP and ISAPI Extension. Leave ASPNET and WWW Server checked.
10. Click Finish.
Task 3: Reproduce the issue and examine the Failed Request Tracing log
1. 2. 3. 4. 5. 6. 7. In Internet Explorer, browse to http://localhost/SalesSupport2. In Windows Explorer, browse to c:\inetpub\logs\FailedReqLogFiles\W3SVC1. Double-click fr000001.xml. If prompted to add the site to the Trusted sites zone, click Add twice and then click Close. Under Request Summary, notice that Authentication is anonymous. Click the Compact View tab. Scroll down and examine the lines that begin with AUTH_SUCCEEDED and USER_SET. Notice that the authorized user is . Question: What did we learn from the Failed Request Tracing log? Answer: Anonymous users are being allowed to access the site. Since anonymous authentication happens successfully, users are not being prompted to enter credentials. 8. Close Internet Explorer.
Task 4: Resolve the issue and verify functionality

1. 2. 3. 4. 5. 6. 7. 8. 9. In Internet Information Services (IIS) Manager, in the Connections pane, click SalesSupport2. In the details pane, double-click Authorization Rules. Notice that Anonymous Users are Allowed. In the details pane, in the IIS section, click Anonymous Users. In the Actions pane, click Remove. The Confirm Remove dialog box appears. Click Yes. In the Connections pane, click SalesSupport2. In the details pane, in the IIS section, double-click Authentication. Notice that both Anonymous Authentication and Basic Authentication are Enabled.
10. Click Anonymous Authentication. 11. In the Actions pane, click Disable. 12. In Internet Explorer, browse to http://localhost/salessupport2. 13. Notice that you are prompted for credentials. For User name, type Yvonne. 14. For Password, type Pa$$w0rd and then click OK. 15. Notice that the SalesSupport2 application loads without error. 16. Close Internet Explorer and open it again to create a new session. 17. Browse to http://localhost/salessupport2. 18. When prompted for credentials, leave both fields blank and click OK three times. 19. Notice that you get a 401 Unauthorized message.
Results: After this exercise, you should have successfully enabled failed request tracing, and resolved the authorization issue.
Exercise 3: Troubleshooting Communication

Scenario
Users are reporting that a Web application is returning an error when they try to browse to it. You must troubleshoot why the Web application cannot open the content.
Exercise Overview
In this exercise, you will troubleshoot communication using tools. This exercises main tasks are: 1. 2. 3. 4. Reproduce the issue. Use Ping to verify communication with the Web server. Enable detailed errors and examine the detailed error. Correct the problem and verify functionality.
Task 1: Reproduce the issue

1. 2. 3. On NYC-DC1, click Start | All Programs | Internet Explorer. The Windows Internet Explorer window opens. Browse to http://nyc-webe/netapp/content. Notice the 500 Internal server error message.
Task 2: Use Ping to verify communication with the Web server

1. 2. 3. Click Start | Command Prompt. Type ping NYC-WEB-E and then press Enter. Notice that the ping succeeds indicating that NYC-DC1 and NYC-WEB-E are communicating.
Task 3: Enable detailed errors and examine the detailed error

1. 2. 3. 4. 5. 6. 7. 8. On NYC-WEB-E, in Internet Information Services (IIS) Manager, in the Connections pane, click NYC-WEB-E. In the details pane, in the IIS section, double-click Error Pages. In the Actions pane, click Edit Feature Settings. The Edit Error Pages Settings dialog box appears. Click Detailed errors, and then click OK. In Internet Explorer, browse to http://localhost/netapp/content. Notice the 500.19 error. Next to Config Error, notice the message Cannot read configuration file because the network path is not found. Next to Config File, notice the path has nyc-weeb-e for the server name.
Task 4: Correct the problem and verify functionality

1. 2. 3. 4. 5. Internet Information Services (IIS) Manager, in the Connections pane, expand NetApp and then click Content. In the Actions pane, click Advanced Settings. The Advanced Settings dialog box appears. In the Physical Path field, modify the path to read \\nyc-web-e\content, and then click OK. In Internet Explorer, browse to http://localhost/netapp/content. Notice that the IIS Welcome page appears and there is no error message.
Results: After this exercise, you should used ping to verify communication, enabled detailed error messages, and resolved the error.
10
Exercise 4: Troubleshooting Configuration

Scenario
Users are reporting they receive multiple errors when trying to view JPG files that previously worked. You know that multiple people have the ability to modify this site including Web.config and related files.
Exercise Overview
In this exercise, you will troubleshoot configuration using detailed error messages. This exercises main tasks are: 1. 2. 3. Reproduce the issue and examine the detailed error message. Examine and correct the web.config file. Verify functionality.
Task 1: Reproduce the issue and examine the detailed error message
1. 2. 3. On NYC-WEB-E, in Internet Explorer, browse to http://localhost/pics/logo.jpg. Notice the HTTP Error 404.4 Not Found message. In the Most likely causes section, notice that the most likely cause is The file extension for the requested URL does not have a handler configured to process the request on the Web server.
Task 2: Examine and correct the web.config file

1. 2. 3. In Windows Explorer, browse to C:\Pics. Double-click web.config. On the Windows dialog, click Select a Program from a list of installed programs, and then click OK. Click Notepad, and then click OK.
11
4. 5. 6. 7.
The Notepad window opens. Notice that the <handlers> section contains a line for handling static files. Notice that the path attribute is set to *.jgp. Modify the line so that the path attribute correctly reads *.jpg. On the File menu, click Save. Close Notepad.
Task 3: Verify functionality

1. 2. 3. In Internet Explorer, browse to http://localhost/pics/logo.jpg. Notice that the Woodgrove Bank logo now appears successfully. Close each of the running virtual machines. Do not save changes so they are reset to default for the next lab.
Results: After this exercise, you should have reproduced the problem, examined the detailed error message, and resolved the error.

6427A-ENU LabManual

Hochgeladen von

Dokumentinformationen

Originalbeschreibung:

Originaltitel

Copyright

Verfügbare Formate

Dieses Dokument teilen

Dokument teilen oder einbetten

Freigabeoptionen

Stufen Sie dieses Dokument als nützlich ein?

Sind diese Inhalte unangemessen?

Copyright:

Verfügbare Formate

6427A-ENU LabManual

Hochgeladen von

Copyright:

Verfügbare Formate

OFFICIAL

Technical Reviewer: Philip Morgan

Product Number: 6427A Part Number: X14-69082 Released: 12/2007

Lab Instructions: Configuring an Internet Information Services 7.0 Web Server

Lab Instructions: Configuring an Internet Information Services 7.0 Web Server

Lab: Configuring an IIS 7.0 Web Server

Exercise 1: Installing IIS Using Role Manager

Lab Instructions: Configuring an Internet Information Services 7.0 Web Server

Task 1: Start the 6427A-NYC-SVR1 virtual machine and log on as LocalAdmin

Task 2: Turn on Network Discovery

Task 3: Install the Web server role

Lab Instructions: Configuring an Internet Information Services 7.0 Web Server

Exercise 2: Installing IIS Using Unattended Setup

Task 1: Start the 6427A-NYC-SVR3 virtual machine and log on as LocalAdmin

Task 2: Turn on Network Discovery

Lab Instructions: Configuring an Internet Information Services 7.0 Web Server

Save the modified file to c:\unattend.xml.

Lab Instructions: Configuring an Internet Information Services 7.0 Web Server

Exercise 3: Installing IIS on Server Core from Command Line

Task 1: Start the 6427A-NYC-SVR2 virtual machine and log on as Administrator

Task 2: Disable the firewall

Lab Instructions: Configuring an Internet Information Services 7.0 Web Server

Task 3: Install IIS from the command line

On NYC-SVR1, in Internet Explorer, browse to http://nyc-svr2 to verify functionality.

Lab Instructions: Configuring an Internet Information Services 7.0 Web Server

Exercise 4: Configuring IIS and Validating Functionality

Lab Instructions: Configuring an Internet Information Services 7.0 Web Server

Lab Instructions: Configuring an Internet Information Services 7.0 Web Server

On NYC-SVR3, in Internet Explorer, browse to http://nyc-svr2 to test the redirection.

Lab: Configuring IIS 7.0 Web Sites and Application Pools

Exercise 1: Configuring Authentication Types

Task 1: Start the 6427A-NYC-DC1 virtual

Task 2: Start the 6427A-NYC-WEB-A virtual machine and log on as Woodgrovebank\Administrator

Task 4: Create a virtual directory named public

Task 5: Configure the public virtual directory for anonymous authentication

Exercise 2: Creating a Web Site and Web Application

Task 1: Create a site named Woodgrove

Task 2: Copy the Woodgrove Application to the Appropriate Directory

Task 4: Delegate administrative access of Woodgrove to ITAdmins_WoodgroveGG

Exercise 3: Creating an Application Pool

Task 1: Create an application pool named TempPool

Exercise 4: Configuring an Existing Application Pool

Task 1: Rename Woodgrove to WoodgrovePool

Task 3: Configure TempPool to use LocalSystem as worker process identity

Task 4: Stop, start and recycle WoodgrovePool

Task 5: Configure TempPool for Classic Pipeline Mode

Task 6: Remove TempPool

Task 7: Configure Health and Recycling settings for WoodgrovePool

Lab Instructions: Configuring IIS 7.0 Application Settings

Lab Instructions: Configuring IIS 7.0 Application Settings

Lab: Configuring IIS 7.0 Application Settings

Exercise 1: Configuring ASP.NET

Lab Instructions: Configuring IIS 7.0 Application Settings

Task 1: Start the 6427A-NYC-DC1 virtual machine and log on as LocalAdmin

Task 2: Start the 6427A-NYC-WEB-A virtual machine and log on as Woodgrovebank\Administrator

Lab Instructions: Configuring IIS 7.0 Application Settings

Lab Instructions: Configuring IIS 7.0 Application Settings

Lab Instructions: Configuring IIS 7.0 Application Settings

Exercise 2: Configuring ASP.NET Application Development Settings

Task 1: Configure ASP.NET Connection Strings to connect to Resources.MDF

Lab Instructions: Configuring IIS 7.0 Application Settings

Task 3: Add a custom control: Woodgrovebank.TestControls Version=1.0.0.0