Scott Forsyth's Blog

Postings on IIS, ASP.NET, SQL Server, Webfarms and general system admin.

What’s New in IIS 8

With the beta release of Windows Server 8 today, Internet Information Services (IIS) 8 is available to the public for testing, including production-style workload testing.  Many system administrators have been anxious to kick the tires and find out which features are coming.

I’ll give a high level overview of what we will see in the upcoming version of IIS.  The focus of IIS 8 is the large scale hoster.  There are substantial performance improvements so that a single server farm can handle thousands of sites with ease.  Everything that I mention below is available for download and use today.

Forgive me if there are typos.  I’m writing this while at the MVP Summit in Seattle while trying to listen to another session at the same time.  Thanks to the IIS team who gave detailed demos on this yesterday and gave me permission to talk about this.

Real CPU Throttling

Previous versions of IIS have CPU throttling, but it doesn’t do what most of us want.  When an application pool reaches its CPU threshold the worker process is killed and the pool is kept off for a period of time before it is allowed to run again.  This protects the other sites on the server, but it isn’t a welcome action for the site in question, since that site breaks rather than just slowing down.

Finally, in IIS 8 there are kernel-level changes to support real CPU throttling.  There are two new actions for pools that reach the CPU threshold: Throttle and ThrottleUnderLoad.  If you used Windows System Resource Manager (WSRM) to achieve this in the past, you no longer need to, and the functionality is improved over what WSRM offers.

The Throttle action keeps the CPU for a particular worker process at the level specified.  Throttling isn’t applied to just the primary worker process; it also covers any child processes the worker process spawns.

The ThrottleUnderLoad action allows a site to use all available CPU when the server is idle and throttles the worker process only when the server is under load.

The throttling is keyed on the user account (its SID), not specifically on the application pool.  This means that if you run more than one app pool under the same dedicated user, all of the pools sharing that identity are throttled together as one budget.  The built-in application pool identity is unique per pool, so if you use the app pool identity (which is common) each app pool is throttled individually.

This is a welcome new feature and is nicely implemented.
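As an added example (not code from the original post), the PowerShell below sets the new throttling action on a pool and then audits which pools would share one CPU budget because they run as the same account. It assumes the WebAdministration module on Windows Server 2012 and a pool named ContosoPool; the pool name and the 40% figure are hypothetical.

```powershell
# Added example: IIS 8 CPU throttling via the WebAdministration provider.
# Assumes Windows Server 2012 and a pool named "ContosoPool" (hypothetical).
Import-Module WebAdministration

function Set-AppPoolCpuThrottle {
    param(
        [Parameter(Mandatory)] [string] $PoolName,
        # Percentage of total CPU the pool may use. IIS stores cpu.limit in
        # 1/1000ths of a percent, so 40% is written as 40000.
        [ValidateRange(1, 100)] [int] $LimitPercent,
        # Throttle = hard cap at all times; ThrottleUnderLoad = cap only while
        # the server is busy. The older KillW3wp action is what IIS 7 offered.
        [ValidateSet('Throttle', 'ThrottleUnderLoad')] [string] $Action = 'ThrottleUnderLoad'
    )
    $pool = "IIS:\AppPools\$PoolName"
    Set-ItemProperty $pool -Name cpu.limit  -Value ($LimitPercent * 1000)
    Set-ItemProperty $pool -Name cpu.action -Value $Action
}

# Throttling is keyed on the identity's SID, not on the pool. Pools that run
# under the same custom account therefore share one CPU budget; this lists
# every identity that more than one pool uses so the overlap is visible.
function Get-SharedThrottleIdentities {
    $rows = foreach ($p in Get-ChildItem IIS:\AppPools) {
        $pm = $p.processModel
        $identity = switch ("$($pm.identityType)") {
            'ApplicationPoolIdentity' { "IIS AppPool\$($p.Name)" }  # unique per pool
            'SpecificUser'            { $pm.userName }               # shared if reused
            default                   { "$($pm.identityType)" }      # LocalSystem, NetworkService, LocalService
        }
        [pscustomobject]@{
            Pool     = $p.Name
            Identity = $identity
            LimitPct = $p.cpu.limit / 1000
            Action   = "$($p.cpu.action)"
        }
    }
    $rows | Group-Object Identity | Where-Object { $_.Count -gt 1 } | ForEach-Object {
        [pscustomobject]@{ Identity = $_.Name; Pools = ($_.Group.Pool -join ', ') }
    }
}

Set-AppPoolCpuThrottle -PoolName 'ContosoPool' -LimitPercent 40 -Action ThrottleUnderLoad
Get-SharedThrottleIdentities | Format-Table -AutoSize
```

If the audit lists a custom account under several pools, either give each tenant its own account or accept that the limit applies to the group, not to each pool.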

SSL Scalability

Unless you deal with large scale site hosting with many SSL certificates you may not have realized that there is room for improvement in this area. 

Previous versions of IIS have limited secure site density.  Each SSL site requires its own IP address, and after adding more than a few SSL sites startup performance becomes slow and memory demand is high.  Every certificate is loaded into memory on the first visit to any SSL site, which creates a large memory footprint and a long delay on the first load. 

In IIS 8 the SSL certificate count is easily scalable to thousands of secure sites per machine with almost instantaneous first-loads.  Only the certificate that is needed is loaded and it will unload after a configurable idle period.  Additionally, enumerating or loading huge numbers of certificates is substantially improved.

SNI / SSL Host Header Support

Using host headers and a shared IP address with SSL certificates has always been problematic.  IIS 8 now offers Server Name Indication (SNI) support, which allows many SSL sites to share the same IP.  SNI is a TLS extension that has gained broad client support within the last few years and allows host headers to work with SSL.  It does this by carrying the target host name in the ClientHello of the TLS handshake, before any encryption is negotiated, rather than in the Host header inside the encrypted HTTP request.  That is what lets the server pick the right certificate before a session key exists; it also means the requested host name travels in clear text and is visible to anyone watching the wire, unlike the rest of the request.

IIS 8 makes SNI support a first class citizen in the site bindings.

Note that SNI doesn't work on all browsers.  For example, Internet Explorer on Windows XP does not support SNI.  Read more about that in Eric Law's blog post.  Over 85% of browsers in use today support SNI, but since it's not 100% it will not work universally.  A client that doesn't send SNI gets whatever certificate is bound to the bare IP:port, so keep a non-SNI binding for the one site on that IP that must work everywhere.  However, like the adoption issue with host headers in the '90s, it will be fully supported before we know it.  More details with a list of browsers can be found here: http://en.wikipedia.org/wiki/Server_Name_Indication

This sets the stage for sharing IP addresses, which is extra important as IPv4 addresses become more valuable and consolidation of IPs becomes the trend. 

SSL Manageability - Central Certificate Store (CCS)

In IIS 7 managing SSL is labor intensive, particularly for server farms.  All certificates must be imported on every machine in the farm, so when scaling out you must budget time for importing certificates on each new server, even on small farms.  In previous versions keeping certificates in sync between servers is difficult to manage and often requires manual steps.

In IIS 8 there is a new Central Certificate Store (CCS).  The Central Certificate Store allows storing certificates on a central file share instead of on each machine.  You can point the servers at a single network share, or use replication such as DFS-R to sync the folders between machines.

Renewal and syncing are as simple as xcopying .pfx files to the location that you specify when enabling CCS on the web server.  Enabling CCS is straightforward too; it works very much like enabling Shared Configuration.  Keep in mind that those .pfx files contain private keys, so the share ACL, the account CCS uses to read the share, and the private key password deserve the same care as the certificate store on each box did.

CCS complements the SNI functionality to support many sites with their own certificates on a single IP.

The mapping of bindings to certificates uses a bit of magic … by convention rather than configuration.  This is important for extremely large lists of certificates, since you no longer need to pick a certificate from a huge list.  The value of the host header must match the file name of the certificate.  Your CCS folder will contain many .pfx files whose names match the domain names; effectively, the name of the .pfx file in the certificate store is the primary key.

If you use a wildcard cert then it needs to be named _.domain.com.pfx.

As you would assume, there is support for Multiple Domain Certificates (Unified Communications Certificate [UCC]). If you use multiple domain certificates using the subjectAltName feature of the certificate then you just create multiple copies of the pfx, one for each subjectAltName.

Note that you can still use the old method, which binds a site to a certificate by its hash, and it works the same as it did in the past.
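Added example (not from the original post) covering the SNI binding and the CCS naming convention described above: it resolves a host name to the .pfx file IIS would look for, reports HTTPS bindings that have no matching file, enables CCS and creates an SNI plus CCS binding. It assumes the WebAdministration module on Windows Server 2012, a share \\certstore\ccs, a service account CONTOSO\ccs-reader and a site named Contoso, all hypothetical. The fallback from www.contoso.com.pfx to _.contoso.com.pfx is the lookup order IIS uses.

```powershell
# Added example: Central Certificate Store naming convention and SNI bindings.
# Share path, account and site name are hypothetical.
Import-Module WebAdministration

# IIS looks for <host>.pfx first and then the wildcard file _.<parent>.pfx.
function Resolve-CcsCertFile {
    param([Parameter(Mandatory)] [string] $HostName, [Parameter(Mandatory)] [string] $StorePath)
    $exact = Join-Path $StorePath "$HostName.pfx"
    if (Test-Path $exact) { return $exact }
    $parent = ($HostName -split '\.', 2)[1]          # www.contoso.com -> contoso.com
    if ($parent) {
        $wild = Join-Path $StorePath "_.$parent.pfx"
        if (Test-Path $wild) { return $wild }
    }
    return $null
}

# Report CCS-backed HTTPS bindings whose host header has no certificate file.
# Such a site shows a binding in IIS Manager but fails the TLS handshake.
function Test-CcsCoverage {
    param([Parameter(Mandatory)] [string] $StorePath)
    Get-WebBinding -Protocol https |
        Where-Object { $_.sslFlags -band 2 } |       # bit 2 = certificate comes from CCS
        ForEach-Object {
            $hostName = ($_.bindingInformation -split ':')[-1]
            [pscustomobject]@{ HostName = $hostName; File = Resolve-CcsCertFile $hostName $StorePath }
        } |
        Where-Object { -not $_.File }
}

# One-time setup on each web server. The share holds private keys: restrict
# its ACL to this read-only account and handle both passwords as secrets.
Enable-WebCentralCertProvider -CertStoreLocation '\\certstore\ccs' `
    -UserName 'CONTOSO\ccs-reader' `
    -Password (Read-Host 'Share password') `
    -PrivateKeyPassword (Read-Host 'PFX password')

# sslFlags: 1 = SNI, 2 = CCS, 3 = both. No certificate is chosen by hand; IIS
# loads \\certstore\ccs\www.contoso.com.pfx when the first matching hello arrives.
New-WebBinding -Name 'Contoso' -Protocol https -Port 443 -HostHeader 'www.contoso.com' -SslFlags 3

Test-CcsCoverage -StorePath '\\certstore\ccs' | Format-Table -AutoSize
```

Run Test-CcsCoverage after every renewal drop: a renamed or mistyped .pfx is invisible until a client hits that host name.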

Furthermore there is a neat feature for the central repository that allows grouping by expiration date, which groups by "Today / This Week / Next Week / Next Month / Later" which is handy for seeing which certificates are ready to expire.

With these changes to the certificates, it makes for a powerful solution for large scale webfarm hosting with multiple tenants.

Dynamic IP Restrictions

Information about this is already available on the web, but it's moving along and getting closer for the final release.

FTP Logon Restriction

Yay. A new FTP Logon Attempt Restrictions feature is coming!  It is similar in concept to Dynamic IP Restrictions for HTTP.  One key difference is that it gray-lists rather than black-lists: when a client is blocked, it is blocked only for the sample period (e.g. 30 seconds).  This is enough to thwart or slow brute force and common password guessing attacks, while a legitimate user who mistypes a password can try again without waiting a long time.

What's extra nice about this feature is that you can set it slightly more sensitive than your domain account lockout policy, so that brute force attacks trip the FTP restriction before they cause the targeted account to be locked out from too many invalid attempts.  The FTP restriction throttles the attacker without locking out your domain users.
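Added example (not from the original post) for the sizing rule just described: it reads the domain lockout threshold from `net accounts`, enables the FTP denyByFailure restriction and sets its failure count two below that threshold with a 30 second window. It assumes the WebAdministration module on Windows Server 2012 with the FTP service installed, English `net accounts` output, and a fallback of 4 failures when no lockout policy exists; the "two below" margin and the fallback value are my choices, not the post's.

```powershell
# Added example: FTP logon attempt restriction sized below the domain lockout threshold.
Import-Module WebAdministration

# Parse "Lockout threshold: 5" from `net accounts`. "Never" means no lockout
# policy, in which case $null is returned. Assumes English output.
function Get-AccountLockoutThreshold {
    $text = (net accounts) -join "`n"
    $m = [regex]::Match($text, 'Lockout threshold:\s*(\S+)')
    if ($m.Success -and $m.Groups[1].Value -match '^\d+$') {
        return [int] $m.Groups[1].Value
    }
    return $null
}

# Configure system.ftpServer/security/authentication/denyByFailure at server level.
# maxFailure   = failed logons from one IP before it is gray-listed
# entryExpiration = how long the block (and the failure counter) lasts
# loggingOnlyMode = record what would be blocked without blocking (for tuning)
function Set-FtpLogonRestriction {
    param(
        [Parameter(Mandatory)] [ValidateRange(1, 1000)] [int] $MaxFailures,
        [timespan] $Window = [timespan]::FromSeconds(30),
        [switch] $LogOnly
    )
    $pspath = 'MACHINE/WEBROOT/APPHOST'
    $filter = 'system.ftpServer/security/authentication/denyByFailure'
    Set-WebConfigurationProperty -PSPath $pspath -Filter $filter -Name enabled         -Value $true
    Set-WebConfigurationProperty -PSPath $pspath -Filter $filter -Name maxFailure      -Value $MaxFailures
    Set-WebConfigurationProperty -PSPath $pspath -Filter $filter -Name entryExpiration -Value $Window.ToString()
    Set-WebConfigurationProperty -PSPath $pspath -Filter $filter -Name loggingOnlyMode -Value ([bool] $LogOnly)
}

$threshold = Get-AccountLockoutThreshold
# Trip the FTP gray list two attempts before the domain would lock the account;
# with no lockout policy, fall back to 4 (assumption).
$max = if ($threshold) { [math]::Max(1, $threshold - 2) } else { 4 }
Set-FtpLogonRestriction -MaxFailures $max -Window ([timespan]::FromSeconds(30))
"FTP gray list after $max failures (domain lockout threshold: $(if ($threshold) { $threshold } else { 'none' }))"
```

Start with -LogOnly on a busy server and read the FTP logs for a day before enforcing, so a shared NAT address of legitimate users doesn't get caught by the count.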

Application Initialization Module

Previously known as the Application Warm-Up module, which was pulled for a time, it is now back in full force as the Application Initialization module.

This allows spinning up sites and pages before traffic arrives, and handling requests in a friendly way while the application first loads.  It's not uncommon for a site to take a minute or longer on the first load (yes SharePoint admins, we feel your pain).  This lets you protect the end user from being the person who triggers that first load.

It's possible to set a warm-up page at the server level as a single setting, or you can use powerful URL Rewrite rules for more flexibility.

You can also ensure that your load balancer’s health check page doesn’t return a healthy response until the site is fully initialized according to your preferences.  The load balancer then brings a node into rotation only after the entire warm-up has completed.
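Added example (not from the original post) that wires up the pieces discussed in this section: the pool starts with IIS instead of on first request, the site preloads a list of warm-up URLs, real users see a static loading page meanwhile, and a URL Rewrite rule answers the load balancer's health probe with 503 while the APP_WARMING_UP server variable is set. It assumes the Application Initialization and URL Rewrite modules are installed, the WebAdministration module on Windows Server 2012, a site Contoso in pool ContosoPool, and the paths /loading.htm, /health.htm and the warm-up URLs, all of which are hypothetical.

```powershell
# Added example: Application Initialization plus a 503 health probe during warm-up.
# Site, pool and URL names are hypothetical.
Import-Module WebAdministration

$site    = 'Contoso'
$pool    = 'ContosoPool'
$apphost = 'MACHINE/WEBROOT/APPHOST'

# 1. Start the worker process together with the pool and preload the site's
#    applications, instead of waiting for the first unlucky visitor.
Set-ItemProperty "IIS:\AppPools\$pool" -Name startMode -Value AlwaysRunning
Set-ItemProperty "IIS:\Sites\$site"    -Name applicationDefaults.preloadEnabled -Value $true

# 2. URLs IIS requests itself before the site counts as initialised, and the
#    static page served to real users while that is in progress.
$ai = 'system.webServer/applicationInitialization'
Set-WebConfigurationProperty -PSPath $apphost -Location $site -Filter $ai -Name remapManagedRequestsTo -Value '/loading.htm'
Set-WebConfigurationProperty -PSPath $apphost -Location $site -Filter $ai -Name skipManagedModules     -Value $true
foreach ($page in '/', '/Account/Login', '/api/ping') {
    Add-WebConfigurationProperty -PSPath $apphost -Location $site -Filter $ai -Name '.' -Value @{ initializationPage = $page }
}

# 3. URL Rewrite rule: while APP_WARMING_UP is "1", /health.htm returns 503 so the
#    load balancer keeps the node out of rotation. Once warm-up finishes the
#    condition no longer matches and the probe is served normally (fails open on purpose).
$rules = 'system.webServer/rewrite/rules'
$rule  = "$rules/rule[@name='HealthCheck503WhileWarming']"
Add-WebConfigurationProperty -PSPath $apphost -Location $site -Filter $rules -Name '.' `
    -Value @{ name = 'HealthCheck503WhileWarming'; stopProcessing = 'True' }
Set-WebConfigurationProperty -PSPath $apphost -Location $site -Filter "$rule/match" -Name url -Value '^health\.htm$'
Add-WebConfigurationProperty -PSPath $apphost -Location $site -Filter "$rule/conditions" -Name '.' `
    -Value @{ input = '{APP_WARMING_UP}'; pattern = '1' }
Set-WebConfigurationProperty -PSPath $apphost -Location $site -Filter "$rule/action" -Name type         -Value 'CustomResponse'
Set-WebConfigurationProperty -PSPath $apphost -Location $site -Filter "$rule/action" -Name statusCode   -Value 503
Set-WebConfigurationProperty -PSPath $apphost -Location $site -Filter "$rule/action" -Name statusReason -Value 'Warming up'
```

Keep the warm-up list to URLs that exercise the expensive code paths (first compile, cache fill, connection pools); every entry adds to the time the node stays out of rotation.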

Configuration Scale

The IIS configuration files (e.g. applicationHost.config) can now handle very large files with ease.  There are substantial performance improvements in the upcoming version.  Only administrators with large numbers of sites on the same server or server farm (think thousands) would have noticed the old limits, but the new changes pave the way for huge scale.

Web Sockets

It’s important to include WebSockets in this list too.  Apart from some brief information I really haven’t looked into WebSockets in detail yet, so I’ll just include a great link from Paul Batum on it.  WebSocket support requires Windows 8 or Windows Server 2012 (or later) on the server side, since it lives in http.sys. 

All in all these are welcome changes.  While previous versions of IIS already did a great job of handling massive amounts of traffic, IIS 8 can now handle thousands (or tens of thousands) of sites and their extensive configurations on a single server farm.  With HTTP and FTP logon restrictions, CPU throttling, the Application Initialization module, and large scale SSL and configuration improvements, IIS 8 brings a number of welcome improvements.

Comments

Wesley Bakker said:

Just wanna say thanks. Good read.

# March 2, 2012 4:48 AM

Shahar shelly said:

Thanks . Good read.

What about web sockets ?

# March 3, 2012 3:41 PM

OWScott said:

Hi Shahar shelly. Good point, it is an important new feature in Windows 8/IIS so I updated my blog post to mention it.

# March 3, 2012 7:29 PM

Rene Pilon said:

Thanks for the article!  It's feeling like Christmas all of a sudden...

# March 6, 2012 9:59 PM

Gichan said:

I always loved IIS more than Apache. Waiting to upgrade from IIS 7.5 to 8!

# March 7, 2012 1:20 AM

Manish Sethi said:

Good One..specially SSL part :)

# March 8, 2012 12:06 AM

Martin Rasch said:

I’m at another session at the same time.

I Have been busy MSDN Forums.

 Thanks to the IIS7 team for the changes.

Got the Consumer Preview Windows 8

I have not installed it yet

I have been looking for

a Wiki Post Talk about IIS Server.

Are you doing the Web Pro series and IIS 8

any place for an apprentice ?

I always think out loud :-).

Thanks,

I think this time Email is working and the avatar.

Martin

# March 9, 2012 8:56 PM

OWScott said:

Hey Martin. Hopefully you enjoy the Consumer Preview when you get a chance to install it.  I haven't planned a Web Pro series for IIS 8 yet.  First I'll be co-authoring "IIS 8 Professional".  After that I'll see what's next.  Thanks for the offer.  We'll be in touch.

# March 12, 2012 4:34 PM

akram said:

Thanks. It was very good.

# April 3, 2012 12:42 PM

Elham said:

thank you very much.

# April 7, 2012 3:53 AM

Gary said:

What about wildcard subdomain names?

Can we finally add a host header like this?

*.mydomain.com

This feature has been long overdue in IIS.

# April 16, 2012 10:47 AM

OWScott said:

Hi Gary,

That's been a frequent request over the years (me too).  It's not slated for IIS8 that I'm aware of but I'll bring it up to the IIS team again.  I could see URL Rewrite being able to play a role with the host headers.  That would be really cool and it would support regex too, although I'm sure there are things to consider like the performance and the possibility of duplicates.  In any case, I'll bring it up.  Good idea.

# April 17, 2012 10:52 AM

Noam said:

Thanks for the great article

# June 1, 2012 1:49 AM

Stefan Boberg said:

Thanks for the info!

Will WebSocket support in http.sys be backported for Windows 7/Server 2008 R2 or earlier?

# June 2, 2012 6:09 AM

OWScott said:

Stefan, I don't believe so. The latest I've heard is that it won't, so unless that changes, and I don't have any reason to believe that it will, it won't be backported.

# June 2, 2012 9:41 AM

OWScott said:

@CodeAngry, I fully agree. I can't see a good reason why it's not there already. It certainly would be valuable.

# July 2, 2012 9:05 AM

sebastian gomez said:

is IIS8 gonna be available only in the "Pro" version of Windows 8? or is gonna be in the "non-pro" version of Windows 8 as well?

# July 18, 2012 10:58 PM

OWScott said:

Hi Sebastian. From what I understand it still hasn't been announced yet. That's a decision for the licensing team and not a technical limitation between the standard and pro version.  I do know that IIS is not supported on the ARM processor (WinRT), but for the other versions that's still to be announced.

# July 19, 2012 8:42 PM

Markiv Mariaj said:

Will IIS 8 on Windows 8 Professional have any maximum concurrent session limitations like IIS 7 had on Windows 7 Ultimate and Professional?

# September 17, 2012 12:37 AM

OWScott said:

Hi Markiv,

Good question. Basically the story is the same between Vista, Win 7 and Win 8. The 'connection limit' at the OS level was removed from XP to Vista so that now IIS itself will queue requests while having a concurrent connection limit.  Because of the queuing there is rarely a hard failure like in Windows XP, but requests will not be processed as quickly as on the server OSes.  

# October 4, 2012 10:53 AM

OWScott said:

Hi Eric,

Thanks for mentioning. You're right that it's IE specific. I fixed the wording and linked to your blog post while I was at it.  I also clarified the wording for how SNI carries the host name.

# November 8, 2012 3:46 PM

Maciej Franecki said:

Scott, could you please tell us what is the exact limit of concurrent connections that IIS in Windows 8 allows? Is it 10 like in Windows 7 or maybe that number has changed? It's very important for my current project.

# November 10, 2012 11:00 AM

OWScott said:

Hi Maciej,

I'll see if I can find out.  I can't find that answer anywhere on the web right now, so I'm asking around to try to find out for sure.

# November 10, 2012 12:36 PM

Maciej Franecki said:

Thank you Scott I appreciate your help. I also couldn't find that information on the web.

# November 11, 2012 3:11 AM

Maciej Franecki said:

Scott, I couldn't wait any longer as my client needed to know what system to put on a PC (a temporary server on a client OS...). So I created a test case. It seems that there is a limit of 10 concurrent requests, just like in Windows 7.

Funny thing is, that the Express version has no limit (which I have just found out).

# November 12, 2012 4:59 PM

OWScott said:

Hi Maciej,

You just beat me by a few minutes.  I found the authoritative answer on this.

For Windows 7:

 Home Starter = 1

 Home Basic=1

 Home Premium=3

 Ultimate, Professional & Enterprise=10

For Windows 8:

 Windows 8=3

 Windows 8 Professional=10

 Windows RT=N/A (IIS does not run on Windows RT)

So that confirms your findings, which must be on Win 8 professional.  Good to know about the non-limit on Express too.

# November 12, 2012 5:24 PM

Maciej Franecki said:

Wow, this is a comprehensive answer, thanks for all the great details!

# November 13, 2012 4:14 AM

Ned Smith said:

Can IIS 8 express with VS 2012 / Azure tools run successfully on Windows 7?  Or are they designed to only go with Windows 8?

# January 8, 2013 4:08 PM

Ned Smith said:

Found it:

"IIS 8.0 Express is supported on the following operating systems:

Supported Native Platforms
• Windows 8 Client (Intel/AMD) 32-bit/64-bit
• Windows Server 2012 (Intel/AMD) 64-bit

Supported Down-level Platforms
• Windows 7 (x86 and x64)
• Windows Server 2008 R2 (x86 and x64)
• Windows Vista SP1 and later (x86 and x64)
• Windows Server 2008 (x86 and x64)"

# January 8, 2013 4:15 PM

Vijay said:

Hi,

I have Windows 8 Enterprise edition. I developed a sample WCF WebSocket server-client application, in which the server is not allowing more than 10 clients to connect. Is it a WebSocket limitation or an IIS limitation? If so, how can I overcome this limitation?

Regards,

Vijay

# January 10, 2013 7:56 AM

OWScott said:

Hi Vijay,

Check out this post: weblogs.asp.net/.../windows-8-iis-8-concurrent-requests-limit.aspx

Neither IIS nor the server will limit connections in Enterprise edition. This sounds to me like it's a WCF setting that is causing it. I'm not sure which one, but I would start there.

# January 10, 2013 9:33 AM

Ashutosh said:

Thank you it's good

# July 16, 2013 8:33 AM