B# .NET Blog

Introduction

IIS 7.0 is the next generation web server software from Microsoft that will ship with Windows Longhorn Vista later on, appearing in the betas from beta 2 on. In this post I'll give a sneak peak on the features of IIS 7 announced so far. For more detailed information, we'll have to wait till the PDC most likely, where quite some sessions on IIS 7 are planned. Keep your eye on www.iisseven.com too!

Feature overview

Configuration

Today, IIS configuration isn't that easy as it could be. Take the deployment of an ASP.NET application as an example. The configuration of the web app itself is pretty easy and straightforward, using the web.config xcopy deployment mechanism. However, when you need to change the configuration of the web server itself, e.g. to change the authentication mechanism, to set up the default page, the configure error pages, configure application pools, create new vdirs, etc you'll have to call the helpdesk of the web server administration department (your own IT department, the ISP helpdesk, ...) to make the changes in the metabase of IIS (through the inetmgr tool or through scripts).

IIS 7 solves this problem by extending ASP.NET's xcopy deployment mechanism to the whole web platform, supporting XML-based configuration of the IIS settings for the web application. This way, one can delegate the configuration of various aspects of the web application to the web developers and adminstrators, while it's also possible to block the configuration of certain options. In the end, the new configuration model allows a 100% xcopy deployment mechanism of web applications.

To give you an example, I've written an article in the past on creating an picture gallery HTTP Handler in ASP.NET. In order to setup this HTTP Handler one needs to configure it through web.config but also to register the ASP.NET ISAPI for the .jpg extension in order to intercept all of the requests for image files on the server so that thumbnailing through the HTTP Handler's code is possible.

Componentized server

From an architectural perspective, IIS 7 has undergone signifiant changes in order to allow customization on virtually every level. In the past, IIS was built on a monolithic DLL model, which means that one single dll was holding all of the functionality of the webserver and it just wasn't possible to change one aspect of the whole webserver software without changing this dll itself. From a security perspective, this can be seen as a disadvantage too. Because all of the functionality is in one dll it's not possible to delete certain functionalities you don't need in your scenario (e.g. say, delete the module responsible for digest authentication).

IIS 7 introduces a building blocks model, in which all of the basic blocks do have a public API that allows you as a developer to extend and/replace the functionality of the IIS webserver. For example, you could write (using either managed or native code) a module to replace the default directory listing functionality to show thumbnails of images instead of displaying a file list, or write a module to implement your own authentication mechanism, or ...

These APIs will follow the design of the IHttpModule and IHttpHandler interfaces which are present in ASP.NET today. As the matter in fact, IIS 7 is absorbing the functionality of ASP.NET in order to deliver an integrated set of functionality. This "innovation through integration" evolution is in fact ongoing since IIS 6.0 where the application pool/worker process model of ASP.NET was integrated into the web server itself (in IIS 5.x there was still a separate executable called aspnet_wp.exe to run the web application).

Note that ISAPI still will be supported, although the new recommended way to extend the server will be through the public APIs for modules and handlers and so.

Components that will ship with the IIS 7 webserver software include the following:

• Logging and diagnostics: CustomLoggingModule, HttpLoggingModule, RequestMonitorModule, TracingModule
• Authentication and authorization: AnonymousAuthModule, BasicAuthModule, CertificateAuthModule, DigestAuthModule, FormsAuthModule, WindowsAuthModule; AccessCheckModule, UrlAuthorizationModule
• Extensibility: CGIModule, ISAPIFilterModule, ISAPIModule, ManagedEngineModule, ServerSideIncludeModule
• Publishing: DavModule

Each of these components can be disabled, replaced and extended if you want to do so. Furthermore, there are modules in the core of the webserver and even lower for protocol support:

• Core webserver: CustomErrorModule, DefaultDocumentModule, DirectoryListingModule, DynamicCompressionModule, HttpCacheModule, StaticCompressionModule, StaticFileModule
• HTTP protocol: ClientRedirectionModule, OptionsVerbModule, TraceVerbModule, ValidationRangeModule
• Configuration: ConfigurationModule
• Metadata caching: FileCacheModule, SiteCacheModule, UriCacheModule

Because of this extensibility you can expect a big ecosystem of IIS 7 extension modules to appear once IIS 7 hits the roads.

Diagnostics

IIS 7 allows IT admins to monitor all of the aspects of the webserver in realtime while it's running. This includes the monitoring and tracing of:

• sites
• application pools and applications
• requests

In this part fo the story, integration plays an important role too, because of the integration of ASP.NET and IIS 7 event collection for diagnostics. So there is an integration between IIS debugging/tracing/monitoring and the same stuff for ASP.NET applications (there are over 300 events that will be captured and reported). WMI support is present as well for the full range of events and diagnostic info.

Summary of quality attributes

So, IIS 7 provides the following quality attributes:

• Compatability: it's a key goal of the IIS 7 development team that all of the old ISAPIs, CGIs, ASP and ASP.NET apps, WMI/ADSI scripts will still run
• Componentization: the IIS 7 core has been broken down to a collection of modules instead of one big monolithic block as it was in the past
• Delegation of administration: through the web.config model, it's possible for site owners to configure their site completely themselves, allowing for xcopy deployment too
• Extensibility: developers can leverage the power of the public APIs that will ship with IIS 7 to write extensions to the webserver by implementing modules in native (C++) or managed (C#, VB.NET, etc) code
• Integration: ASP.NET and IIS come more closely together in IIS 7, e.g. by unifying the HttpHandler and HttpModule stacks and by providing a unified configuration system (note: Indigo will be integrated with IIS 7 too)
• Security: install only the modules you need in order to reduce the attack surface; use the new administration tools for easier management and use delegated administration to put the customer in control
• Supportability: this includes the new diagnostic subsystem, delegated administration, real-time monitoring, etc

I'll post about other features once more information is available. In the meantime you can perform a MSN Search (or a *whatever search engine you like* search) for IIS 7 to find more about it.

Schema

In the next picture, the unified HTTP pipeline of IIS 7 is displayed (click for large image):