HowTo:Configure Microsoft IIS for UBIK
Latest revision as of 11:27, 24 April 2024

IIS Manager

The web server is configured with the Internet Information Services (IIS) Manager console, a graphical user interface for managing the web server and configuring it for the UBIK® web service.

Add Application Pool

An application pool is a group of one or more URLs that are served by a worker process or a set of worker processes. Application pools set boundaries for the applications they contain, which means that any applications that are running outside a given application pool cannot affect the applications in the application pool.

Attention: If a local user (see "Optional: Local IIS User" below) is used, it must be set as the Identity of the Application Pool.

Certificate

A secure connection between the UBIK® clients and the web service requires an SSL certificate on both the server and the client. This certificate can either be a root authority certificate or any other public key certificate from a certificate authority that enables a secured connection between the web service and the clients. Self-signed certificates will be rejected by the client (WinX and Xamarin clients since version 4.0).

A new self-signed certificate can be created in the Internet Information Server (IIS) Manager, exported using the export function and sent to the development team. As already mentioned, the client has to know this certificate as well, hence it needs to be integrated into the mobile application.

Attention: UBIK® requires a valid certificate for SSL encryption; free certificates can be obtained e.g. from Let's Encrypt (https://letsencrypt.org/).

Bindings

Web sites and services have Server Bindings, which define the address, port and optionally the host header under which the site is reached. The UBIK® client accesses the web service via a secured port (https), so the appropriate certificate has to be configured on that binding.

For Android Clients

For WinX and Web-Client


Configure compression

Web service responses can be compressed in order to improve performance and reduce web traffic. This can be easily done from the web server side in IIS manager.

Hint: If the compression modules are not yet installed, refer to https://www.iis.net/configreference/system.webserver/httpcompression?showTreeNavigation=true for instructions.
  • It is possible to configure when service responses are compressed, as shown in Figure 3. "dynamicCompressionDisableCpuUsage" tells IIS to stop compressing once the CPU load rises above 90%, and "dynamicCompressionEnableCpuUsage" tells it to start compressing again once the CPU load drops below 50%. These defaults work well in most cases but can be modified if necessary.
  • UBIK® service responses are either "text/xml" (covered by "text/*") or "application/json". Make sure both types are configured to be compressed, as shown in Figure 4. If there are no such entries, right-click and add them accordingly.
  • There are 10 compression levels, ranging from 0 to 9, where 9 is the most CPU intensive but produces the best compression ratio. The default level is 0; it can be changed (e.g. to level 9) with the following command, run from a Windows console started as administrator:
C:\Windows\System32\Inetsrv\Appcmd.exe set config -section:httpCompression -[name='gzip'].dynamicCompressionLevel:9
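The same settings can be applied without clicking through IIS Manager. The following script is an added example (not from the UBIK wiki) using the IIS WebAdministration module; the site name "Default Web Site" and the test URL are assumptions.

```powershell
# Added example (not part of the UBIK wiki): apply the compression settings described above
# with the IIS WebAdministration cmdlets. Run in an elevated PowerShell on the web server.
Import-Module WebAdministration

$appHost  = 'MACHINE/WEBROOT/APPHOST'      # server-level applicationHost.config
$siteName = 'Default Web Site'             # assumption: adjust to your site
$httpComp = 'system.webServer/httpCompression'

# Figure 3: stop dynamic compression above 90 % CPU load, resume below 50 %
Set-WebConfigurationProperty -PSPath $appHost -Filter $httpComp -Name dynamicCompressionDisableCpuUsage -Value 90
Set-WebConfigurationProperty -PSPath $appHost -Filter $httpComp -Name dynamicCompressionEnableCpuUsage  -Value 50

# Figure 5: gzip level 9 for dynamic responses (same effect as the appcmd line above)
Set-WebConfigurationProperty -PSPath $appHost -Filter "$httpComp/scheme[@name='gzip']" -Name dynamicCompressionLevel -Value 9

# Figure 4: make sure the UBIK response types text/* and application/json are compressed.
# New entries go to index 0 because IIS uses the first matching mimeType and the default
# list ends with a disabled catch-all "*/*" entry.
foreach ($mime in 'text/*', 'application/json') {
    $entry = "$httpComp/dynamicTypes/add[@mimeType='$mime']"
    if (Get-WebConfiguration -PSPath $appHost -Filter $entry) {
        Set-WebConfigurationProperty -PSPath $appHost -Filter $entry -Name enabled -Value $true
    } else {
        Add-WebConfigurationProperty -PSPath $appHost -Filter "$httpComp/dynamicTypes" -Name '.' -AtIndex 0 `
            -Value @{ mimeType = $mime; enabled = 'True' }
    }
}

# Figure 2: switch dynamic compression on for the site itself
Set-WebConfigurationProperty -PSPath "IIS:\Sites\$siteName" -Filter 'system.webServer/urlCompression' -Name doDynamicCompression -Value $true

# Check (Windows PowerShell 5.1, which does not decompress transparently): a gzip-capable
# request to the version endpoint should come back with "Content-Encoding: gzip".
function Test-GzipResponse([string]$Url) {
    $resp = Invoke-WebRequest -Uri $Url -Headers @{ 'Accept-Encoding' = 'gzip' } -UseBasicParsing
    return ($resp.Headers['Content-Encoding'] -eq 'gzip')
}
# Assumed host and path; adjust to your installation:
Test-GzipResponse 'https://ubik.example.local/UBIK/UBIKContent.svc/GetVersion'
```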

Here are some test results of the transferred content size and duration under different compression levels.

  Compression Level   Meta Definitions   One Content Level   Branch Download
  Level 0             4,732,058 bytes    23,470 bytes        318,847,597 bytes (9 minutes)
  Level 4             3,050,115 bytes    7,915 bytes         79,384,336 bytes (5 minutes)
  Level 9             2,851,318 bytes    5,681 bytes         48,037,714 bytes (4 minutes)

As the table shows, compression can greatly reduce the amount of data to transfer. In theory it is therefore recommended to turn it on and use a higher compression level whenever possible. In practice, though, the following factors have to be considered before making that decision.

  • CPU: Compression requires additional CPU processing power (more for higher levels).
  • Network bandwidth: The lower the bandwidth, the more sense it makes to enable compression.

In the table above one may notice that the reduction in time is not proportional to the reduction in data volume. Take level 0 and level 9 for example: the time is "only" cut in half even though the data volume is reduced by 85%. These tests were run with 54 Mbps bandwidth. When we repeated them with 450 Mbps bandwidth, the time reduction was even smaller (less than 6 minutes vs. 3 minutes). If the bandwidth increases further, e.g. to Gbps, the time reduction might become negligible. Combined with a weak CPU, it is even possible that higher compression levels increase the transfer time.

Therefore there is no general rule for whether to turn compression on or not. The safest approach is still to try out different settings in the real setup.

As for memory consumption, no observable difference was found between the different compression settings (no compression and levels 0 to 9) during our testing.

Create new Web Application

In the IIS Manager expand the Default Web Site node and navigate through the folder structure to the folder containing the UBIK® web service components.

Optional: Local IIS User

Create and use a local user on the web server if no appropriate domain-user is available.

Attention: The user has to be able to copy the customizing to its local user data directory on the machine! Hence, it also needs appropriate permissions on the UBIK® data share.

Additional prerequisites

  • Ensure that the service ports are not blocked by a firewall.
  • Ensure that port forwarding is established if needed (e.g. for Microsoft Azure virtual machines or servers behind a gateway).

Testing the Web Service

Test the web service by entering the following URL in a browser: https://<SERVER-IP>[:<PORT>]/<PATH-TO-UBIK-WEBSERVICE>/UBIKContent.svc/GetVersion

Further Security Configuration & Hardening

TLS Level

If the UBIK® WebServices are supposed to communicate with other WebServices, e.g. an interface component or an Azure Blob container for file storage, the appropriate TLS level needs to be ensured. While this can be enforced with a registry key, it is best practice to let the OS and the .NET Framework negotiate it. To enable that, set the targetFramework attribute of the httpRuntime element in the Web.config file of the WebService in question (normally the UBIK® content WebService) to the desired .NET Framework version, which should typically be the one the service was compiled against. So if TLS 1.2 shall be supported and be the default, targetFramework needs to be set to 4.6, as in this example:

<system.web>
    <customErrors mode="Off"/>
    <!-- targetFramework 4.6 lets the OS and .NET negotiate the TLS version (TLS 1.2 by default) -->
    <httpRuntime maxRequestLength="65536" targetFramework="4.6" />
    <!-- debug="true" is shown here as in the original; the hardening guides below expect "false" in production -->
    <compilation debug="true"
                 defaultLanguage="c#"
                 targetFramework="4.6" />
</system.web>


The full documentation on TLS best practices with .NET can be found at https://docs.microsoft.com/en-us/dotnet/framework/network-programming/tls.
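To confirm what the Certificate, Testing and TLS Level sections above ask for, the following added example (not from the UBIK wiki) connects from a client machine, validates the certificate the way a client would, reports the negotiated protocol and then calls GetVersion. Host name, port and path are assumptions.

```powershell
# Added example (not part of the UBIK wiki): check which TLS version and certificate the
# UBIK web service actually presents, then call GetVersion as in the browser test above.
# Host name, port and path are assumptions; adjust them to your installation.
function Test-UbikTlsEndpoint {
    param(
        [string]$Server = 'ubik.example.local',                # assumed host name
        [int]$Port = 443,
        [string]$Path = '/UBIK/UBIKContent.svc/GetVersion'    # assumed path to the web service
    )
    $tcp = New-Object System.Net.Sockets.TcpClient($Server, $Port)
    try {
        # No custom validation callback: the chain is validated against the machine's trusted
        # roots and the host name, so an untrusted or self-signed certificate throws here,
        # just as the UBIK client rejects it.
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false)
        $ssl.AuthenticateAsClient($Server)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        $info = [pscustomobject]@{
            Protocol = $ssl.SslProtocol                 # expect Tls12 or newer
            Cipher   = "$($ssl.CipherAlgorithm)/$($ssl.CipherStrength)"
            Subject  = $cert.Subject
            Issuer   = $cert.Issuer
            NotAfter = $cert.NotAfter
        }
        $ssl.Dispose()
    } finally {
        $tcp.Close()
    }
    # Functional check from the "Testing the Web Service" section
    $resp = Invoke-WebRequest -Uri "https://${Server}:${Port}${Path}" -UseBasicParsing
    $info | Add-Member -NotePropertyName GetVersionStatus -NotePropertyValue $resp.StatusCode -PassThru
}

$r = Test-UbikTlsEndpoint
$r | Format-List
if ($r.Protocol -lt [System.Security.Authentication.SslProtocols]::Tls12) {
    Write-Warning "Negotiated $($r.Protocol), below TLS 1.2: check targetFramework and OS settings"
}
if ($r.NotAfter -lt (Get-Date).AddDays(30)) {
    Write-Warning "Certificate expires on $($r.NotAfter); renew it before the clients reject it"
}
```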

Hardening

For hardening IIS, please follow these best practice guidelines:

  • Center for Internet Security IIS Benchmark: https://www.cisecurity.org/benchmark/microsoft_iis/
  • Security Best Practices for IIS: https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/jj635855(v=ws.11)

Configure Upload of large files

Attention: The web.config and Bindings.config files (see "Upload of large files" in Configuration Files/web.config and Configuration Files/Bindings.config) must also be adapted, otherwise the upload will fail.

The following description was taken from: https://www.inflectra.com/Support/KnowledgeBase/KB306.aspx

  • Open IIS Manager.
  • Select the website that you want to configure.
  • Make sure you are in the Features View (button at the bottom of the manager).
  • Select Request Filtering and open it by double-clicking the icon. The Request Filtering pane is displayed.
  • In the Actions pane on the right-hand side of the screen, click Edit Feature Settings.
  • The Edit Request Filtering Settings window opens.
  • In the Request Limits section, enter the appropriate Maximum allowed content length (in Bytes) and click OK.
  • Restart IIS.
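The following added example (not from the UBIK wiki) sets the same request limit from the command line and cross-checks it against the ASP.NET limit in the service's Web.config, since an upload has to pass both limits and the two use different units. Site name, limit and Web.config path are assumptions.

```powershell
# Added example (not part of the UBIK wiki): set the IIS request limit from the steps above and
# compare it with httpRuntime maxRequestLength in Web.config. Site name, limit and path are assumptions.
Import-Module WebAdministration

$siteName   = 'Default Web Site'      # assumption
$limitBytes = 200MB                   # assumption: largest upload that should be accepted

# Request Filtering -> Edit Feature Settings -> Maximum allowed content length (bytes)
Set-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Location $siteName `
    -Filter 'system.webServer/security/requestFiltering/requestLimits' `
    -Name maxAllowedContentLength -Value $limitBytes

# Returns $true when both the IIS limit (bytes) and the ASP.NET limit (maxRequestLength, in KB)
# allow at least $RequiredBytes. The unit mismatch is a common reason uploads still fail after
# only the IIS setting has been raised.
function Test-UploadLimits {
    param([string]$WebConfigPath, [string]$Site, [long]$RequiredBytes)
    $prop = Get-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Location $Site `
        -Filter 'system.webServer/security/requestFiltering/requestLimits' -Name maxAllowedContentLength
    $iisLimit = [long]$(if ($null -ne $prop.Value) { $prop.Value } else { $prop })

    [xml]$cfg = Get-Content -Path $WebConfigPath -Raw
    $runtime  = $cfg.configuration.'system.web'.httpRuntime
    # ASP.NET default is 4096 KB when maxRequestLength is not set
    $aspLimitBytes = if ($runtime -and $runtime.maxRequestLength) { [long]$runtime.maxRequestLength * 1KB } else { 4MB }

    Write-Host ("IIS maxAllowedContentLength: {0} bytes; ASP.NET maxRequestLength: {1} bytes" -f $iisLimit, $aspLimitBytes)
    return ($iisLimit -ge $RequiredBytes -and $aspLimitBytes -ge $RequiredBytes)
}

# Assumed path to the content web service's Web.config
if (-not (Test-UploadLimits -WebConfigPath 'C:\inetpub\wwwroot\UBIK\Web.config' -Site $siteName -RequiredBytes $limitBytes)) {
    Write-Warning 'Raise httpRuntime maxRequestLength (in KB) in Web.config as well, or the upload will fail'
}

iisreset   # last step above: restart IIS so the new limit takes effect
```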

See also

  • Install UBIK® Web Service (HowTo:Install UBIK Web Service)
  • Install Microsoft IIS (HowTo:Install Microsoft IIS)