Chapter 19

Setting Up the Internet Information Server



In this chapter, you learn how to

The explosive growth of the Internet in the mid-1990s creates an opportunity as well as a challenge for Windows NT network administrators. Organizations that for years have relied on Novell NetWare servers now are adopting Windows NT Server to create private intranets and to connect to the public Internet. A recent market study conducted by Cognitive Communications and reported in the August 5, 1996, issue of Newsbytes indicates that 85 percent of the firms surveyed either have set up or are planning to implement an organization-wide intranet. The use of the Internet as a marketing tool for a wide range of products and services is increasing at a furious pace. Substituting an Internet connection for 800-number dial-up connections for network access by mobile employees can save a substantial part of a firm's monthly telephone charges.

This chapter provides an introduction to Microsoft's Internet product line, the linchpin of which is Internet Information Server (IIS) 2.0, a component of Windows NT Server 4.0. Its primary topics are planning for Internet services, connecting to an Internet service provider, how IIS services work, and installing IIS 2.0. IIS HTTP (World Wide Web), FTP (File Transfer Protocol), and Gopher services are fully integrated with Windows NT Server 4.0 and, if installed, Microsoft SQL Server 6.5. Thus, installation and startup of IIS 2.0 is a relatively simple process, especially for a private intranet. Planning and connectivity issues require far more attention than simply starting up IIS; thus, much of this chapter is devoted to these two subjects.

Viewing Microsoft's Internet Product Line

Microsoft is pursuing an aggressive strategy to gain the position of premier provider of Internet operating systems, applications, and development tools. Microsoft is betting heavily on the company's ability to succeed in a field that historically has been dominated by UNIX servers and Netscape browsers. Integrating a no-charge copy of Internet Information Server (IIS) 2.0 with Windows NT 4.0 is certain to accelerate the adoption of Windows NT and IIS as the most popular Internet server platform. Microsoft's dominance of the client-side operating system market, combined with free distribution of its Internet Explorer 3.0 browser, portends trying times for Netscape and its Navigator product line.

On December 7, 1995, Microsoft jumped headlong into the Internet arena and quickly provided the software that network administrators and Webmasters need, ranging from developer tools to client-side components. If a piece of its Internet software puzzle is missing, Microsoft either licenses the needed technology or acquires the firm that developed it. Microsoft intends this comprehensive (and acquisitive) approach to put the company in the enviable position of providing an all-around, one-stop solution for participants in what Bill Gates calls the "Internet gold rush."

Microsoft's Internet product offerings, as of mid-1996, include the following browsers, content authoring tools, and servers:

Microsoft also supplies the following APIs and development tools for programmers of the company's Internet client and server platforms:

What's remarkable about the items in the two preceding lists is that most of the products described are available at no charge, except for the cost of downloading time. For a list of products available from the Microsoft Web site, visit the Microsoft Free Product Downloads page at http://www.microsoft.com/msdownload/.

Planning Your Site

It's important to create a comprehensive plan before you start bringing up your site. The plan should include the services you intend to offer, and how you plan to provide user access to those services. Following are the issues to resolve before you start the installation of IIS:

The Microsoft SiteBuilder Workshop at http://microsoft.com/workshop/ provides a wide range of information and software for developing Web sites, including sections on planning and production, as well as site administration.

Microsoft's BackOffice Family Licensing and Pricing page at http://www.microsoft.com/BackOffice/det4.htm provides details on Microsoft SQL Server licensing policies.

The rest of this chapter helps you determine the answers to the first five of these questions, with emphasis on getting started with Internet Information Server 2.0. Chapter 20, "Administering Intranet and World Wide Web Sites," covers logging, database connectivity, and content creation for Web sites.

Connecting to the Internet

The first issue to settle is how you connect to the Internet. Even if you intend to establish only an intranet, you might want to consider using the Internet to provide low-cost inbound access to your Web site for telecommuters and mobile employees. Your company's link to the Internet will be provided by an Internet service provider (ISP). The ISP assigns your site a domain name (companyname.com) and an IP address, which is registered with InterNIC, an organization responsible for assuring that all Internet sites have globally unique domain names. The selection of an ISP is a critical step in setting up your Web site.

If you want to provide public access to your Web site and private dial-up networking via the Internet, you need a firewall to maintain network privacy. A firewall also is necessary to provide security if your Web server is connected to your organization's LAN. Microsoft offers its Proxy Server (code-named Catapult) as a software firewall for providing network users safe access to the Internet; you also can buy third-party hardware firewalls. Visit http://www.microsoft.com/infoserv/catapult/ for more information on the Proxy Server.

Choosing an Internet Service Provider

Choosing an ISP used to be easy, because there were very few. As the popularity of the Internet has grown, so too has the number of businesses vying for your connectivity dollars. Some of the names will be familiar: MCI, Sprint, GTE, and so forth. Your local phone system carrier may have joined the game as well. Other ISPs are literally run out of an enterprising person's basement.

Some of the important points to consider while choosing an ISP include the following:

Understanding Connection Types

Just as important as your choice of an ISP is the technology you use to make the Internet connection. Table 19.1 lists the more common telecommunications technologies and their capacities in raw bits per second, approximate number of users supported, approximate monthly cost, and interface type.

Table 19.1 The Different Types of Available Connections to the Internet

Connection Type   Data Rate         Simultaneous Users   Approximate Monthly Cost   Local-Loop Interface
Dial-up           28.8kbps          1-2                  $40-100                    2 wire twisted pair
56k               56kbps            10-20                $300-800                   2 or 4 wire twisted pair
ISDN              144kbps           10-40                $60-250                    2 wire twisted pair
Frame Relay       Up to 1.544mbps   5-250                $200-1000                  2 or 4 wire twisted pair or fiber
T-1               1.544mbps         50-250               $100-3000                  4 wire twisted pair or fiber
T-3               44.736mbps        250-4,000            $50,000-150,000            Fiber or coax

Table 19.1 shows that you can approach getting connected to the Internet in many different ways. Your decision must be based primarily on anticipated traffic, which services are available from your ISP, and your local telephone carrier's ability to provide the service to your site. The costs shown in table 19.1 are the approximate combined monthly rates of ISP and local carrier charges. These costs don't include hook-up fees or the necessary hardware, such as CSU/DSUs (Channel Service Unit/Data Service Unit) and routers. Of course, the costs in your area may vary, but table 19.1 should give you a good idea of what expenses to expect.

Selecting a Dial-Up Access Method.

The most familiar and popular way to gain access to the Internet is simply a modem and ordinary voice line to dial into an ISP. This is an inexpensive and relatively pain-free method for a few users to gain Internet access. Typically, each computer has its own modem and a dedicated POTS (plain old telephone service) line; access is available only to the user of that computer. The problem with individual Internet access is the cost of installing dedicated lines and the monthly charge for them.

It's possible, using Windows NT Remote Access Server or a hardware router, to provide multiuser access with a single POTS line. The performance of this type of connection is acceptable for only a few simultaneous users. More than about two simultaneous users slows response to an unacceptable level. Although dial-up access may be sufficient for a few internal users occasionally "surfing the Net," it's unlikely that external customers would visit your Web site if a 28.8kbps modem is your primary means of connection.

Most modem manufacturers tout compatibility with various hardware compression technologies. One manufacturer claims an 8:1 compression ratio, turning its 28.8kbps modem into a 230.4kbps speedster. Although this compression is possible using certain types of text data, don't count on throughput being anything near this value for real-life information. Web site content often is heavily graphical in nature. Graphic files are particularly difficult to compress; in the case of JPEG and GIF files, compression has already taken place, and little or no additional hardware compression is likely.

Selecting a 56kbps Connection.

If you plan to host a Web server on your local premises and/or have several users that need to access the Internet, a dedicated 56kbps connection is a good place to start. Your carrier may call the 56kbps connection 56k, DDS, Digital Data Service, Dataphone Digital Service, or some other variation on the same theme. The 56kbps digital circuits have been around for a long time and were the first commonly available high-speed technology to move information between remote sites. Although 56kbps communication doesn't seem all that fast by today's standards, users considered it a blistering data rate in the days when 300- and 1,200-baud modems were the standard.

In telecommunications terminology, a 56kbps circuit is known as a DS0 (pronounced "dee-ess-zero") circuit. A DS0 circuit is one of the basic building blocks used by telecommunications companies. A fully digital circuit is being used, so no digital-to-analog conversion is necessary and, accordingly, many problems inherent in analog circuits and modems (primarily noise) are removed from the equation.

The additional bandwidth and reliability don't come free. The cost of a 56kbps circuit often is an order of magnitude higher than that of a voice circuit. You also need more hardware to set up the link; a router and CSU/DSU is required at each end of the circuit. Figure 19.1 shows the physical configuration of using a 56kbps circuit to connect your LAN to the Internet through an ISP.


Figure 19.1 A typical configuration for a dedicated 56kbps circuit to an ISP that connects to the Internet.

In addition to a router to direct the TCP/IP traffic, you need a CSU/DSU to connect to your carrier's circuit. The CSU is used to terminate the digital circuit in a method acceptable to the phone company. The CSU usually has LEDs on the front of the unit to indicate the status of the link and for loopback testing. The DSU, located between the CSU and your router, is responsible for converting the electrical signal from your router into a signal acceptable by your CSU.

The disadvantage of using 56kbps lines lies in their point-to-point operation. Although this obviously isn't a problem if you have a single site, the setup and equipment expenses can become significant if you're connecting multiple sites. If you have several sites to connect, you should investigate frame-relay services.

Selecting an ISDN Connection.

Although your telephone cable may struggle with a 28.8kbps analog modem connection, it probably can carry a 144kbps digital ISDN signal. ISDN (Integrated Services Digital Network) has been hailed as the ideal service for telecommuters and small businesses. Due to real and imagined political and technological problems, however, the ISDN promise only recently has become a reality in North America. (ISDN has been widely available in Europe for many years.) If anything, ISDN's recent North American popularity has proven that consumers and telecommuters were starved for its advanced capabilities.

The "Integrated" part of ISDN refers to the capability to handle voice and data simultaneously over the same twisted-pair cable that currently provides your voice or modem service. ISDN is a switched, point-to-point, connection-based system that's purely digital. ISDN's digital nature allows it to dial, handshake, and connect in only a second or two. The average modem can take nearly a minute to perform the same task.

The standard ISDN circuit is called BRI (Basic Rate Interface) service. BRI consists of two 64kbps data channels and one 16kbps signal channel. The 64kbps channels are called B, or bearer, channels. (In some locations, the B channels are 56.1kbps.) The 16kbps channel, called the D or data channel, is used for circuit signaling and management. BRI service is also referred to as 2B+D service. The two 64kbps channels can be used for voice or data in parallel or combination. You can use one channel for data and the other for voice, or both channels for data and voice. You can't make direct use of the D channel.

Through a technique called bonding, both B channels can be combined to form a single 128kbps data connection channel. The most popular type of bonding is called Multi-Link PPP (Point-to-Point Protocol), or MLPPP. Currently, no standards for bonding exist, but industry groups are working on a standard. In some cases, you need the same brand of ISDN equipment on each end of the circuit to enable bonding.

Figure 19.2 shows the typical ISDN setup. The service termination point is called the NT-1 (Network Terminator, type 1). The NT-1 is provided by your carrier or, more commonly, is built into your ISDN equipment. The NT-1 terminates a single twisted-pair cable from the central office (called a local loop, or U interface), and converts the data on the local loop to an S/T interface. The T signal connects to an NT-2 network terminator, which is responsible for breaking the signal into its B and D channels, and connecting to non-ISDN devices, such as a voice telephone, through an optional terminal adapter (TA).


Figure 19.2 The hardware components for an ISDN BRI connection to an ISP.

Typical ISDN equipment contains the NT-1, NT-2, and a TA, and is often referred to as an ISDN adapter. An ISDN adapter is roughly analogous to the CSU/DSU used by 56kbps connections. Your terminal equipment, such as your PC or your router, connects to external ISDN adapters, such as Motorola's BitSURFR Pro, with an RS-232 (serial port) connection. The ISDN adapter appears to Windows NT as a very fast modem. Internal ISDN adapters, such as the US Robotics Sportster 128K, also include the NT-1 and NT-2 components.

In addition to the R, S/T, and U ISDN interfaces is a V interface at the central office (CO) that connects the Line Termination (LT) function for the local loop to the Exchange Termination (ET) function for connecting the CO to other exchanges. The V interface usually resides in the CO switch.

See "Setting up ISDN Modems and Routers," (Ch 18)

An alternative to ISDN adapters that emulate analog modems is an ISDN router. All the major manufacturers of TCP/IP routers, such as Cisco Systems and Ascend Communications, produce ISDN routers. An ISDN router makes the connection between the U channel and your Ethernet LAN, usually with 10BaseT media. Some ISDN routers support dial-on-demand. If idle for a preset period of time, the line disconnects. When a packet needs to be forwarded over the ISDN link, the router reconnects to the specified ISDN telephone number and forwards the traffic. ISDN connects very quickly, so the user notices little or no delay. The cost saving from using a dial-on-demand configuration can be significant if your carrier charges for connect time.

Availability of ISDN service varies considerably. In many areas of the United States, ISDN's popularity has pushed its demand beyond the supply. You may have to wait several months for your carrier to provide you with service. Also, you may have to wait for ISDN service to be available in your area. Many smaller or rural municipalities don't have ISDN service. Carriers in many states realized the benefits of ISDN years ago and, like Pacific Bell in California, have built substantial infrastructure to handle the demand.

ISDN's cost varies just as much as its availability; monthly service charges range from $30 to $180 per month and may depend on usage. ISDN modems range in cost from about $300 to $500. Many carriers charge a substantial installation fee, especially if the customer's premises are a long distance from the central office. If timed usage charges apply and your site generates substantial traffic, ISDN can become more expensive than a dedicated 56kbps or T-1 circuit. ISDN, however, is well suited for providing Windows NT's Remote Access Service and dial-up networking to mobile users, as well as outbound connections to the Internet.

If your Web server is hosted on the ISP's computer rather than on a server at your facility, an ISDN line is likely to be your most economical choice for managing the site. The speed of ISDN (roughly five times that of a 28.8kbps modem connection) greatly speeds the process of sending updates to the off-site server.

Selecting Frame Relay Connectivity.

Currently, frame relay is a hot topic in the wide area networking industry, partly because a mid-1996 decision by the Federal Communications Commission requires carriers to publish tariffs for frame relay services. (Previously, the price of frame relay service was negotiable.) Frame relay is a switch-based technology developed by the local telephone companies (telcos). Local exchange carriers (LECs) have developed a network of frame-relay switches. Any point in the frame-relay network can access any of the other frame-relay switches. A company with multiple locations can communicate across the frame-relay network, with each location having to maintain only a single WAN connection.

A frame-relay connection point is called an access link. Access links are 56kbps or T-1 interfaces. The maximum data rate at each access link is called the port speed and is equal to or less than the interface link. For example, you may have a 56kbps access link but only a 32kbps port speed. Customers with a T-1 access link might have a 128kbps, 512kbps, or 1.544mbps port speed. The primary advantage of frame relay is that you pay only for the bandwidth you need and the time you use that bandwidth.

Routes across the frame-relay network are determined by a permanent virtual circuit (PVC). PVCs connect frame-relay devices, and a single access link can support multiple virtual circuits.

Your guaranteed bandwidth across a frame-relay network is called the committed information rate (CIR). The CIR is always less than the port speed and will be the biggest decision you make when ordering a frame-relay circuit. One highly promoted feature of frame relay is its capability to burst above the CIR. Bursting allows network traffic to take advantage of a period of lower activity in the frame-relay network to grab some extra bandwidth. The bursting capacity is available up to the port speed. However, the total bandwidth available within the network is finite, and each PVC is given a percentage based on its CIR.

Because the popularity of frame relay has grown, many carriers are finding their networks running at close to maximum throughput. Don't count on operating in burst mode very often. In fact, packets that go above the CIR are eligible to be discarded if the burst bandwidth isn't available at that particular instant. Needless to say, the delays caused by packets being discarded and the protocol recovery mechanism can result in long transmission delays and unhappy users.

One scenario for ISP connection is a T-1 access link with a 512kbps port speed and a 256kbps CIR. With this configuration, you always have at least 256kbps of throughput. Under ideal conditions, the circuit can temporarily burst up to 512kbps. If you determine that a bigger pipe is needed, you can increase the port speed and the CIR. Figure 19.3 shows an example configuration for a frame-relay installation.


Figure 19.3 Using frame relay to connect several sites to each other and to the Internet.

Selecting Connections at T-1 Speeds and Above.

T-1 connections are used by organizations with large numbers of employees accessing the Internet or large numbers of Internet users accessing their servers. T-1 connections are very similar in concept and functionality to 56kbps lines. The obvious difference between 56kbps and T-1 is a 24-fold increase in bandwidth. T-1 circuits have a data rate of 1.544mbps in a dedicated, point-to-point configuration.

A T-1 circuit is another major building block for telecommunications networks. Also known as a DS1, a T-1 consists of 24 DS0s. Some carriers offer a variation on T-1, called Fractional T-1 (FT1). FT1 offers speeds from DS0 to DS1 usually in two, four, or six DS0 multiples. Fractional T-1 isn't always financially advantageous. For a slight increase in cost, you may be able to use a full T-1 circuit. Check with your carrier and ISP for price differentials.

Firms with truly huge bandwidth requirements (and very deep pockets) should investigate T-3 services. A T-3 service provides a data rate of 44.736mbps. T-3, also known as a DS3 circuit, is equivalent to 28 DS1s. Microsoft uses multiple T-3 circuits to support The Microsoft Network. If you're in the market for T-1 or higher speed circuits, plan on spending some time negotiating with your local carriers and ISP.

Name Resolution and the Domain Name System

Names on the Internet are critical to its ease of operation, and the system that ties all the names together is the Internet's Domain Name Services (DNS). DNS is a hierarchical naming system used for Internet navigation and within many organizations that use TCP/IP. Like the Windows Internet Naming Service (WINS), DNS maps readable (friendly) names, such as microsoft.com, to numeric IP addresses, such as 207.68.137.35 (the IP address of microsoft.com).

See "Windows Internet Naming Service (WINS)," (Ch 17)

The Internet started as a simple network of a few systems. Each system was responsible for maintaining a hosts file, which mapped every system's name to its IP address. The drawbacks of maintaining a static hosts text database become apparent when considering a network of more than a few dozen systems. DNS was developed to overcome these limitations and to provide name services dynamically as the Internet grew and evolved. Although the original designers of DNS had no idea the Internet would grow to millions of systems internationally, the DNS system has, with a few enhancements along the way, scaled quite well.

The DNS name space is a tree. Domain names are nodes, and systems are leaves on the tree (see fig. 19.4). A fully qualified domain name is constructed by concatenating the domain names to the system name from left to right as you climb the tree. Each component is separated by a dot. The root domain is .com for most Web sites, although .org (organization), .gov (government), and country codes (.ca for Canada) also are common. The organization name (microsoft, corp, and company) in figure 19.4 is prepended to the root domain, as in microsoft.com, corp.com, and company.com, forming a fully qualified domain name that corresponds to a particular IP address. Association of a domain name with an IP address is called name resolution. Finally, a service prefix (typically www, ftp, or news) is added, as in www.microsoft.com. The http:// prefix used by Web browsers identifies the hypertext transport protocol for HTML. For e-mail, the service prefix typically is the person's e-mail alias, separated from the domain name with an at sign (@), as in anyone@company.com.


Figure 19.4 Hierarchical view of the domain name system.

New to Windows NT 4.0 is a native DNS service with a graphical user interface. Previously, you had to buy third-party DNS packages or, more likely, DNS services were provided by UNIX systems on the network. Windows NT Server 4.0's DNS service can integrate with WINS (Windows Internet Name Service). You're likely to be using WINS with DHCP (Dynamic Host Configuration Protocol) to dynamically manage your IP addresses on your internal networks. In this case, DNS handles name resolution at the upper layers and passes the request to WINS for final resolution. This capability is particularly important for those shops that use DNS and DHCP. You need to have either WINS or DNS running for intranet users to use friendly Internet-style names, rather than numeric IP addresses, to reach your IIS services.

If you publish only Web pages and your users have Microsoft Internet Explorer 2+, you don't need to install WINS or DNS. Typing only the server name (such as oakleaf0) in the browser's Address text box delivers Default.htm, the default (home) page of your Web site. Later in this chapter, the "Configuring the Directories" section describes how to change default page names.

See "Dynamic Host Configuration Protocol (DHCP)," (Ch 17)

An Overview of IIS and Its Components

Internet Information Server includes the three basic components you need to create a full-fledged intranet or Internet site: a Web service, an FTP server, and a Gopher server. Combining these services into IIS 2.0 lets you install, manage, and use them in a suite of applications.

Understanding World Wide Web Service

The World Wide Web server component of IIS is Microsoft's answer to the core technology of today's Internet. Web servers deliver content to Web browsers as text-based documents. The documents contain special formatting called HyperText Markup Language (HTML) that's derived from the Standard Generalized Markup Language (SGML). Tags (embedded HTML codes enclosed by < and > characters) indicate to the browser exactly how a document should be displayed to the user. Following is an example of the HTML code for a simple Web page:

<!doctype html public "-//IETF//DTD HTML//EN">
<HTML>
<HEAD>
<TITLE>HTML Sample pages</TITLE>
</HEAD>
<BODY BACKGROUND="../images/backgrnd.gif" BGCOLOR="FFFFFF">
<TABLE>
<TR>
<TD><IMG SRC="../images/SPACE.gif" ALIGN="top" ALT=" "></TD>
<TD><A HREF="/samples/IMAGES/mh_html.map">
   <IMG SRC="/SAMPLES/images/mh_html.gif" ismap BORDER=0
   ALIGN="top" ALT=" "></A></TD>
</TR>
<TR>
<TD><IMG SRC="../images/SPACE.gif" ALIGN="top" ALT=" "></TD>
<TD><HR> <font size=+3>HTML</font> <font size=+3>S</font>
   <font size=+2>tyle</font> <font size=+3>E</font>
   <font size=+2>xamples</font>
<P>
<font size=2>Below are links to several pages that demonstrate styles
that are built into the HTML language. While looking at these pages,
try using the View Source menu item in your browser to see the HTML
that defines each page. You can copy text from that view to use in
your own Web pages you are authoring.
</font>
</TD>
</TR>
<P>
<TR>
<TD><IMG SRC="../images/space.gif" ALIGN="center" ALT=" "></td>
<td>
<UL>
<IMG SRC="../images/bullet_H.gif" ALIGN="center" ALT=" ">
   <A HREF="/samples/htmlsamp/styles.htm">Very basic HTML styles</A>
<P><IMG SRC="../images/bullet_H.gif" ALIGN="center" ALT=" ">
   <A HREF="/samples/htmlsamp/styles2.htm">A few additional
   HTML styles</A>
<P><IMG SRC="../images/bullet_H.gif" ALIGN="center" ALT=" ">
   <A HREF="/samples/htmlsamp/tables.htm">Basic HTML tables</A>
</UL>
<P>
</td>
</tr>
</TABLE>
</BODY>
</HTML>

In addition to plain text that you see in a typical HTML document, there usually are placeholders for graphics and other elements, including video clips, sound clips, and other non-text objects contained in binary (non-text) files. Binary files, such as backgrnd.gif in the preceding HTML example, are stored in files whose relative location from the Web root folder is specified in the tags. The virgule (forward slash, /) is used as the path separator, rather than the DOS backslash (\), because of the use of / by UNIX.

Displaying a Web page requires a series of conversations between the Web browser and other components of the Internet or a Windows NT server. The process consists of the following steps:

  1. In the Address text box of a browser, type http://www.domainname.com, the URL (Uniform Resource Locator) that you want to view. The http part of the address tells the browser that the type of connection you're trying to make is to a Web server. The www component points to the site's Web server. (Some sites substitute another prefix for www.) The com suffix indicates a commercial site; other common suffixes are org (organization) and net (network).
  2. The browser looks up the address on the Internet by referencing the DNS server specified by InterNIC for that domain. The address that's returned (say, 198.105.232.5) is then used to connect to the Web server.
  3. The browser contacts the specified Web server and requests a document, either the default document specified by the server or a document specified by appending /document.htm[l] to the URL.
  4. The server sends the page to the Web browser for display and review, a process called loading.
  5. When the browser encounters a tag for a binary file, the browser requests transfer of the file's data as a separate and distinct data stream. This process allows the browser to control whether the object is transferred, as well as the timing of the transfer.

Many browsers, including Microsoft's Internet Explorer (IE), let you turn off images altogether, making pages load substantially faster. Figure 19.5 shows The Internet Properties sheet of IE 3.0, in which you can control whether the browser processes still image, sound, and/or video files by marking or clearing the check boxes in the Multimedia section. Images and other binary types requested by the browser usually are sent with the MIME (Multipurpose Internet Mail Extensions) protocol.


Figure 19.5 Specifying whether to display multimedia elements of Web pages with Internet Explorer's The Internet Properties sheet.

Image and other binary file loading time is less of an issue with intranets because network speeds generally support much higher throughput than modems or ISDN adapters. Leave the option to load pages/view images selected to display intranet Web pages with graphics.
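The page-loading steps and the image setting described above can be traced in code. The following is an added example, not taken from the book or from Microsoft: it lists every request a browser would make for a shortened, constructed copy of the sample page, which is also a quick way to review what a page causes clients to fetch. The names plan_page_load, EmbeddedRefs, and RESOLVER are hypothetical, and the name table is a constructed stand-in for a real DNS lookup.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed name table standing in for the DNS lookup in step 2; the
# address is the sample value used in the text, not a real lookup result.
RESOLVER = {"www.domainname.com": "198.105.232.5"}

# Constructed, shortened excerpt of the sample page shown earlier.
SAMPLE_HTML = """<HTML><HEAD><TITLE>HTML Sample pages</TITLE></HEAD>
<BODY BACKGROUND="../images/backgrnd.gif" BGCOLOR="FFFFFF">
<TABLE><TR>
<TD><IMG SRC="../images/SPACE.gif" ALIGN="top" ALT=" "></TD>
<TD><A HREF="/samples/IMAGES/mh_html.map">
   <IMG SRC="/SAMPLES/images/mh_html.gif" ismap BORDER=0 ALIGN="top" ALT=" "></A></TD>
</TR><TR>
<TD><IMG SRC="../images/SPACE.gif" ALIGN="top" ALT=" "></TD>
<TD><A HREF="/samples/htmlsamp/styles.htm">Very basic HTML styles</A></TD>
</TR></TABLE></BODY></HTML>"""


class EmbeddedRefs(HTMLParser):
    """Collect the attributes that make the browser fetch a binary file."""

    # (tag, attribute) pairs; HTMLParser lowercases both names.
    FETCHED = {("body", "background"), ("img", "src")}

    def __init__(self):
        super().__init__()
        self.refs = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if (tag, name) in self.FETCHED and value:
                self.refs.append(value)


def resolve(host, resolver):
    """Step 2: map a host name to an IP address, or fail loudly."""
    try:
        return resolver[host]
    except KeyError:
        raise LookupError(f"no address known for {host}") from None


def plan_page_load(url, html, resolver=RESOLVER, load_images=True):
    """Return the ordered (ip, path) requests needed to display a page."""
    parts = urlsplit(url)
    if parts.scheme != "http" or not parts.hostname:
        raise ValueError("expected an http:// URL with a host name")
    # Step 3: an empty path asks the server for its default document.
    requests = [(resolve(parts.hostname, resolver), parts.path or "/")]
    if not load_images:
        return requests  # images switched off: the HTML is the only transfer
    parser = EmbeddedRefs()
    parser.feed(html)
    for ref in parser.refs:
        # Step 5: relative references are resolved against the page URL,
        # and each one becomes its own request.
        target = urlsplit(urljoin(url, ref))
        if target.scheme != "http" or not target.hostname:
            continue
        request = (resolve(target.hostname, resolver), target.path)
        if request not in requests:  # assumption: a repeated image is fetched once
            requests.append(request)
    return requests


if __name__ == "__main__":
    page = "http://www.domainname.com/samples/htmlsamp/default.htm"
    for ip, path in plan_page_load(page, SAMPLE_HTML):
        print(ip, path)
```

The anchor (A HREF) targets are deliberately absent from the result: the browser requests them only when the user follows the link.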

Understanding the File Transfer Protocol Service

File Transfer Protocol offers a means of transferring binary files with tolerance for speed difference between systems, varying network traffic, and divergent system platforms. With FTP, users can upload, download, or manage files on your network, on the Internet, or on your intranet server with the support of a proven protocol.

The FTP service is installed on your system when you install IIS, unless you specify otherwise, so you can provide this service to your users. FTP lets you make binary, document, and other types of files available to your users by the following means:

Many Web pages supply links to download graphics, audio, executable, and other types of files to your system. One way Web pages handle file downloads is to provide a link to an FTP address for the file you request. When your browser encounters an FTP address, it uses the FTP protocol to download the file. FTP addresses in Web documents have the following syntax:

ftp://ftp.sitename.site extension/[folder/...]filename.ext

As an example, ftp://ftp.intellicenter.com/reality/sitelist.zip specifies that the file SITELIST.ZIP is found at the IntelliCenter site in the Reality folder. By recognizing the URL as one that necessitates file transfer, your browser enables downloading the file without leaving the browser environment.

When you access a URL that refers to an FTP site, your browser indicates that it's signing into the site, sending commands, and, if successful, receiving a file. The browser changes into FTP emulation mode and begins an electronic conversation with the FTP server to retrieve the item you've requested.

The other two options for accessing an FTP site are a command-line, character-based solution and a dedicated Windows FTP utility. When you install Windows 95 or Windows NT, you're automatically provided with a character-based FTP utility. To access a remote site manually with the Ftp.exe utility, follow these steps:

  1. From the Start menu choose Run, type ftp in the Open text box, and press Enter to run Ftp.exe.
  2. Type open ftp.domainname.com at the prompt and press Enter.
  3. Your Internet dialer appears to establish an Internet connection. Click Connect, if you're using The Microsoft Network or a similar dialer.
  4. When the connection is made to the FTP server, you're prompted for a user name. If the site supports anonymous FTP, type anonymous; otherwise, type your user name. Press Enter.
  5. Enter your password. Anonymous FTP sites often request your Internet e-mail address as the password. Press Enter.
  6. The site responds with a logon confirmation and displays the ftp> prompt (see fig. 19.6). Type any valid FTP command at the prompt. To download a file, type get filename.ext and press Enter; the file is downloaded to the Desktop folder. Many FTP commands are the same as DOS commands; examples are dir (read the directory/folder) and cd (change directory/folder).
  7. When you're through with the session, type bye, quit, or disconnect to log off the FTP server.


19.6

Using the command-line version of FTP included with Windows NT and Windows 95.

At the vast majority of FTP sites, you can rarely upload files or other information unless you're a user known to the system. Downloading is often left more open, so that users who aren't directly known to the system can download files. Anonymous users can download publicly accessible files.

In many cases, if you retrieve sensitive files or other protected information, you must sign into the FTP site with a specific user ID and password, just as you do when you log on to a network.

Most Windows FTP utilities, such as WS_FTP (a shareware utility), store configurations for multiple sites. When you start the utility, you're prompted to select the site to which you want to connect. Figure 19.7 shows an example of configuration selection with WS_FTP.


19.7

Selecting a configuration for an FTP site in the WS_FTP utility.

To log on from a browser to an intranet FTP site with anonymous access, type ftp://anonymous@servername in the Address text box. Your browser displays a list of the folders and files in the designated FTP root folder.

Understanding the Gopher Service

The Gopher server, also installed when you install IIS, lets you publish conventional text documents for user review. A Gopher server excels in working with ASCII or ANSI documents, and provides extensive search and retrieval options. Gopher is one of the simplest interfaces to your server. The Gopher approach to information retrieval provides a way for a client system to make a request of a server, get the results quickly, and disconnect until the next request is ready to be processed. Gopher was created to address the world of the Internet, where millions of documents are available, and, at any given time, an extremely large number of users are searching for some bit of information.

Gopher's capability to connect, to get what it needs, and to disconnect is optimal for this type of situation. Gopher relies primarily on standard text files, although it supports other file types. In practice, Gopher has become a victim of the popularity of the Web and Web-based search services, such as Yahoo and AltaVista. Microsoft's Search Server (called Tripoli during its beta-test period) gives your users a much easier method of searching for content in text and some types of binary files.

Understanding How IIS Interacts with the Windows NT Domain Model

You set up all access rights with the Windows NT Server's User Manager for Domains. Groups and users are the foundation for the security of IIS server processes and their components. If you don't observe the proper security policies when setting up an Internet server connected to your LAN, it's possible for hackers to obtain access to shared directories containing highly confidential information.

See "Working with User Manager for Domains," (Ch 12)

The Windows NT domain in which your Internet or intranet server resides controls all aspects of who can access your system, how they access it, when they access it, and more. It's therefore important to understand how to set up your intranet user base, assign rights, and control your users' access privileges. It's equally important to restrict permissions of the account used by visitors to your Internet site.

See "Understanding Domain Architecture and Security," (Ch 16)

Never grant administrative rights to users you're about to set up for your IIS server processes. Be sure to set up separate and distinct accounts for anonymous Web, FTP, and Gopher access, if you support more than a Web publishing service.

If you use an account with domain administrative privileges for logging on to the Internet services, you create a serious security breach. It's only a matter of time before your system is threatened by a user's ability to manipulate the content of the site, and possibly destroy the site. Only the network administrator, Webmaster, and designers should have administrative privileges for IIS.

If you use the same account for FTP, Web, and Gopher services, determining where a problem lies is more difficult if you need to track logons, accesses, and other user-specific questions, such as comments and problem reports.

Although you don't have to predefine these user accounts, you should plan for them and be sure to validate user rights on all services before making the Internet services available to users at any level.

Installing the Internet Information Server

Before you install IIS, make sure that you have enough disk space to store the documents and supporting objects (such as graphics) you intend to bring online. A complete installation of IIS 2.0 requires about 3.8M, including the sample files. Multimedia content consumes extraordinary amounts of disk space. If you aren't sure about the amount of content that you must store, prepare now to move user folders and other files to another server. Alternatively, consider adding another disk drive of 2G or greater capacity to your server.

Microsoft recommends that you install IIS 2.0 on an NTFS partition. This book recommends that all server partitions be formatted as NTFS for heightened security and improved performance. If you've installed Windows NT Server 4.0 in a FAT partition and don't want to convert that partition to NTFS, consider installing the content folders and files to another partition or drive that's formatted with NTFS. It's possible, but not easy, to store additional content on another server in the domain. IIS 2.0 doesn't recognize server shares mapped to logical drive letters, so you must use UNC in HTML tags if the content is located on a remote server. You'll find life much easier if you keep all your content (publishing) files on the same logical drive. Windows NT's Disk Manager lets you create volume sets of multiple drives that share the same logical drive letter, so you can expand the volume capacity later as capacity requirements increase.

See "Configuration Considerations: Volume Sets, Extensibility, and Booting," (Ch 5)

Preparing to Install the Gopher Service

Before you install the Gopher service, you must establish a domain (friendly) name for your server on the network to permit intranet users to access Gopher. If you don't intend to provide Gopher service, skip this section. You can use WINS or DNS to establish the friendly name. To use DNS to establish the name for your server, you must be running the Windows NT DNS service. If you haven't installed the DNS service, follow these steps:

  1. From Control Panel, open the Network property sheet and click the Services tab.
  2. Click the Add button to open the Select Network Service dialog, which displays a list of the network services available for Windows NT Server 4.0.
  3. Select Microsoft DNS Server and click OK.
  4. When prompted, enter the path to the CD-ROM distribution files for your processor type, and then click OK to copy the required files and install the DNS Server.

To establish the local domain name, follow these steps:

  1. From Control Panel, open the Network property sheet and click the Protocols tab.
  2. Double-click the TCP/IP Protocol entry in the Network Protocols list to open the Microsoft TCP/IP Properties sheet, and select the DNS page.
  3. The NetBIOS name of your computer appears in the Host Name text box. Enter the domain name you want to use (company.com) in the Domain text box.
  4. Click the Add button to open the TCP/IP DNS Server dialog. Type the IP address of your server in the text box and click the Add button to close the dialog. You can specify a maximum of three DNS servers for the list (see fig. 19.8 for an example).
  5. Click OK twice, to close the Microsoft TCP/IP Properties sheet and the Network property sheet.


19.8

Defining a host name, domain name, and DNS server address in the DNS page of the Microsoft TCP/IP Properties sheet.

Making an Initial Installation or Upgrading a Prior Version of IIS

When you first install Windows NT Server 4.0, you're offered the opportunity to install IIS 2.0 during the latter part of the setup process. In this case, make sure that you mark the Install Microsoft Internet Information Server check box when specifying setup options during the initial installation process. If you aren't installing IIS 2.0 with a new or upgrade installation of Windows NT Server 4.0, you have the following options for launching the IIS 2.0 Setup program:

If you have existing content files, be sure to back up the files before installing IIS 2.0. Although removing a prior version of IIS doesn't remove existing directories or content files, a full backup of the existing IIS folders (d:\inetsrv is the default main folder for prior IIS versions) is recommended in case problems occur during the upgrade.

When the Internet Information Server Setup program starts, follow these steps:

  1. Close all running applications; then click OK to proceed to the next Microsoft Internet Information Server 2.0 Setup dialog.
  2. If you have a prior version of IIS installed, a dialog appears with three buttons: Add/Remove, Reinstall, and Remove All. Click the Remove All button to delete the prior installation. Click Yes when asked to confirm removal. If you haven't stopped the Internet services, you receive message boxes asking whether you want to stop the services. Click Yes in each instance. When you're notified that the services have been removed, click OK and then restart Inetstp.exe to open the Microsoft Internet Information Server 2.0 Setup dialog.
  3. Select the services you want to install by marking or clearing the check box for the service (see fig. 19.9). For safety, don't install the WWW Service Samples if you have existing content. You must install the ODBC Drivers & Administration (tool) if you want to use Microsoft SQL Server for logging or to provide content. The default installation folder for IIS 2.0 executable and helper files is \WINNT\System32\inetsrv, but you can locate these files elsewhere by clicking the Change Directory button and specifying a different folder. Click OK to open the Publishing Directories dialog.


    19.9

    Selecting the Internet services to install in the Microsoft Internet Information Server 2.0 Setup dialog.

    If the disk space requirement for the ODBC Drivers & Administration selection is 0, ODBC drivers are already installed. Even in this case, you should mark the ODBC check box to ensure that the latest ODBC 2.5 drivers are installed.

  4. The default content (publishing) folder for IIS 2.0 installed from the Windows NT Server 4.0 CD-ROM is \InetPub. (Prior versions of IIS used the \inetsrv folder.) Each service you specify stores its default content in root subfolders: \InetPub\wwwroot, \InetPub\ftproot, and \InetPub\gophroot (see fig. 19.10). You can locate \InetPub and its subfolders on any local volume. Unless you have existing content in another set of folders, accept the default locations. Click OK to continue with the installation and start the IIS 2.0 services.


    19.10

    Specifying the location of content files in the Publishing Directories dialog.

  5. If you selected installation of the ODBC Drivers & Administration in step 3, the Install Drivers dialog appears. Only the SQL Server driver is included with Windows NT Server 4.0, so select this driver (see fig. 19.11). Verify that version checking is in use by clicking the Advanced button to open the Advanced Installation Options dialog. Mark the Install Selected Driver(s) with Version Checking check box to assure that other applications that install ODBC drivers don't overwrite a later version. (You can check the version number of ODBC components by clicking the Versions button.) Click OK to return to the Install Drivers dialog. Click OK again to proceed with the installation.


    19.11

    Selecting installation of the 32-bit ODBC 2.5 driver for Microsoft SQL Server in the Install Drivers dialog.

  6. When a message appears that IIS 2.0 setup has completed successfully, click OK to exit the Setup program. You now have a new program group, Microsoft Internet Server, which includes Internet Server Setup, Internet Service Manager, Internet Service Manager (HTML), Key Manager, and Product Documentation choices. Setup also installs Internet Explorer 2.0 and adds the IE 2.0 icon to your desktop.

Using the Internet Service Manager

The three components of IIS run as Windows NT services. You use Internet Service Manager to check the status of IIS services. There are two versions of Internet Service Manager:


19.12

Displaying the status of installed IIS services in the executable version of Internet Service Manager.


19.13

Using the HTML version of Internet Service Manager to administer IIS 2.0 remotely.

You must have administrative privileges to run either version of Internet Service Manager. The HTML version isn't located in the \InetPub\wwwroot subfolders to which, by default, the anonymous Internet or intranet user has access.

Testing the Default IIS 2.0 Installation

As a quick test of the installation, double-click the Internet Explorer icon on the desktop to start the newly installed browser, which automatically displays a default home.htm file. To verify that the IIS demonstration files are installed correctly, type servername (such as oakleaf0) in the Address text box of the browser to open the InetPub\wwwroot\default.htm page (see fig. 19.14). Internet Explorer automatically prepends http:// to servername.


19.14

The default home page for the IIS 2.0 demonstration files displayed in Internet Explorer 2.0.

To verify accessibility to your Internet server by networked users, at a remote client type servername or http://servername in your browser's Address text box. Experiment by navigating to the sample site, Volcano Coffee Company, to test the speed of your network connection and IIS 2.0. Volcano's home page, shown in the Windows 95 version of Internet Explorer in figure 19.15, includes several small graphics, a waveform audio file, and an animated marquee ("Get on The Great Taste Tour").


19.15

The home page of the Volcano Coffee Company sample Web site displayed in the Windows 95 version of Internet Explorer 3.0.

Setting Audit and Logging Options

Although auditing and logging of your Internet services might appear to be related only to security issues, auditing and logging have many other benefits. You should know who is accessing the various services and content offered by your server. User access information helps you recognize the need for additional services, better ways to service users, and emerging trends in usage and server loading.

Always enable logging. You can set up logging to maintain only a limited history. If you worry about the size of history files, consider setting options to keep only five days or less of history. Even with a short history, you begin to spot trends, and you can use the logs to help resolve any problems that arise.

WWW Server Options and Logging Parameters

To set Web server options and logging parameters, open Internet Service Manager and double-click the icon for the WWW service to open the WWW Service Properties sheet. The following sections describe how to set server options and logging parameters for your Web service in the four pages of the WWW Service Properties sheet.

Configuring the Service Options.

The Service page of the WWW Service Properties sheet (see fig. 19.16) includes two very critical items that specify the privileges of users of your Web server. The Anonymous Logon section specifies the default logon name and password for your system users. The Password Authentication section lets you indicate the type of authentication used for secure access to the service.


19.16

Setting service options for the Web server in the Service page of the WWW Service Properties sheet.

The remaining default option values of the Service page usually are satisfactory for Web sites with moderate traffic. It's seldom necessary to change the default TCP Port value (80). You might want to decrease the Connection Timeout to less than the default 15 minutes.

Web browsing is typically an anonymous service, unless your site includes confidential information. You can secure your entire Web site by clearing the Allow Anonymous check box. However, it's more common to assign an anonymous logon account for access to non-confidential information while simultaneously securing other areas for protected access. You must allow anonymous logon if your server is connected to the Internet for public access.

When you install IIS 2.0, a new user is automatically added to your Windows NT user database. The user, given a name of IUSR_ plus the name of your system (OAKLEAF0 in this case), has sufficient rights to access your server's services and browse your server's content. This new user is created with the same basic rights as a user that might be considered "average."

The anonymous user is created as a member of the Domain Users group and the Guest group. Of course, the user also belongs to the Everyone group when allowed or disallowed access to a given resource. IIS creates a random password for the anonymous user account. A very important facet of the IUSR_OAKLEAF0 account is that it's granted the Log On Locally right, as shown in the User Manager for Domains User Rights Policy dialog (see fig. 19.17).


19.17

The User Rights Policy dialog displaying the Log On Locally right granted to the IUSR_OAKLEAF0 account.

All users of the Web service must be able to log on locally because the logon request is made to the WWW Server process. That process takes the name provided by the user and logs on through Windows NT's standard security model. By doing so, Windows NT assigns appropriate security rights and permissions to the logon account, providing a solid security model that's fully integrated with the Windows NT domain model.

In situations where you want every user to log on to the server, deselect the Allow Anonymous option in the WWW Service Properties sheet (refer to fig. 19.16). This assures that everyone using your Web site provides a user name and password when accessing the server. Intranet users are authenticated by their current credentials (their user name and password). Internet users are prompted for a user name and password before being granted access to your site. The advantage of requiring password access is that your logging of resource usage reflects the people who are really using the system.

As mentioned earlier, the other important setup option is the type of authentication to be used. Two different authentication types are used to secure all or part of your site. The mix of browsers used on your intranet dictates your decision of authentication type. As of this writing, the only browser supporting the Windows NT Challenge/Response option is Microsoft Internet Explorer 2.0 or later. If you have a mixed browser community (for example, if you have users with Netscape's Navigator browser), you must also enable Basic (Clear Text) authentication in the Service page of the WWW Service Properties sheet (refer to fig. 19.16). Otherwise, you block such users from access to your site.

The NT Challenge/Response option works in the following manner:

  1. If a user requests a secured Web page but isn't currently signed in with sufficient rights, the server fails the request and closes the connection to the browser.
  2. The browser is informed of the failure by the server's response.
  3. The browser prompts the user for user name and password credentials, passing this information to the server along with another attempt to access the secured resources.
  4. The server uses the new credentials to log on to Windows NT and attempts access to the resource. The renewed attempts generally occur up to three times, but depend on the browser used.
  5. The user ID and password move across the link encrypted, protecting them from being "stolen" in transit by someone with less-than-noble intentions.

With the Basic (Clear Text) option, the User ID and password move across the link encoded, but still decipherable by a determined hacker. The browser keeps a channel to the server open as it attempts to access the shared resource. If you enable the Basic (Clear Text) option, the Internet Service Manager warns you that you're enabling a less secure method of sending passwords over the network and asks you to confirm your choice (see fig. 19.18).


19.18

Internet Service Manager's warning when you enable the Basic (Clear Text) authentication option.
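
The reason for that warning, shown as an added example that is not part of the original chapter: Basic authentication sends user:password as Base64 in the Authorization header, so anyone who can read the request can reverse it without a key. The request, path, account name, and password below are constructed sample values, and transport_encrypted is a hypothetical flag for whether the request was captured on an SSL-protected connection.

```python
import base64
import binascii

# Constructed request, as a browser would resend it after the user answers the
# name/password prompt. Path, user name and password are sample values.
SAMPLE_REQUEST = (
    "GET /secure/default.htm HTTP/1.0\r\n"
    "User-Agent: Mozilla/2.0\r\n"
    "Authorization: Basic anVsaWU6U3ByaW5nOTYh\r\n"
    "\r\n"
)


def parse_headers(raw_request):
    """Return the request headers as a dict keyed by lower-cased header name."""
    headers = {}
    for line in raw_request.split("\r\n")[1:]:   # skip the request line
        if not line:                              # blank line ends the headers
            break
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers


def decode_basic_credentials(header_value):
    """Recover (user, password) from a Basic Authorization value, else None.

    No key or secret is involved: Base64 is an encoding, not encryption.
    """
    scheme, _, token = header_value.strip().partition(" ")
    if scheme.lower() != "basic" or not token.strip():
        return None                               # e.g. NT Challenge/Response
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("latin-1")
    except (binascii.Error, ValueError):
        return None                               # not valid Base64
    user, sep, password = decoded.partition(":")  # password may contain ':'
    return (user, password) if sep else None


def audit_request(raw_request, transport_encrypted):
    """Describe the credential exposure of one captured request, or None."""
    value = parse_headers(raw_request).get("authorization")
    creds = decode_basic_credentials(value) if value else None
    if creds is None:
        return None
    return {
        "user": creds[0],
        "password_length": len(creds[1]),         # report without echoing it
        "severity": "low" if transport_encrypted else "high",
    }


if __name__ == "__main__":
    print(audit_request(SAMPLE_REQUEST, transport_encrypted=False))
```
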

Most of the configuration options for the three IIS services are largely identical. Thus, this chapter provides limited coverage in the FTP and Gopher sections for completing the basic configuration options. The differences between the standard configuration with the Web server options, and the FTP and Gopher services, are covered in the sections devoted to these two services.

Configuring the Directories.

At first glance, the Directories page of the WWW Service Properties sheet might seem an unimportant feature, and the default folders might appear adequate for your foreseeable needs. As time goes on and you provide more services to your users, however, you will find that the folder options are a central component of your system, and are especially helpful in Web and FTP services.

The Internet Service Manager is another example of Microsoft's failure to make a full transition to substitution of the term folder for directory. For consistency with the rest of this book, folder is used except in cases where directory is part of a proper name for a dialog or dialog object.

Figure 19.19 shows the default folders created when you install IIS 2.0. The C:\WINNT\System32\inetsrv\iisadm folder, which contains the Web pages for the HTML version of the Internet Service Manager, is aliased to the virtual folder /iisadm. You access virtual folders by appending the folder name to the server address, as in [http://]oakleaf0/iisadm for intranet access. Marking the Enable Default Document check box and specifying the name of an existing default document is the equivalent of the [http://]oakleaf0/iisadm/default.htm address. Unless you want to make the user enter the name of a specific document, each virtual folder should include a default document.


19.19

The default folders and virtual folder aliases set up by IIS 2.0.

You can have only a single folder specified as the home folder for your entire Web server. If you specify a different home folder, IIS prompts you to save the change.

You can establish any number of folder aliases by clicking the Add button to display the Directory Properties sheet. As an example, you can create a virtual folder, named demo, for the C:\InetPub\wwwroot\samples folder (see fig. 19.20). Intranet users can access the default.htm document with the [http://]oakleaf0/demo address. If you specify a folder on a remote server, you must enter the UNC path to the server share and type valid credential entries for the share in the User Name and Password text boxes in the Account Information section (shown disabled in fig. 19.20). Figure 19.21 shows the demo virtual folder added to the Directory list of the WWW Service Properties sheet. Folder aliases aren't visible to users browsing your FTP service. To use FTP's cd aliasname command to change folders, the user must have prior knowledge of the name of the folder alias.


19.20

Adding a new virtual folder to the Directories page.


19.21

The new virtual demo folder added to the Directory list.

If you want to implement a system following the UNIX standard for default pages, change your default document name from default.htm to index.html. Index.html is the default starting page on the vast majority of Web servers, so setting the default to the standard makes it easier for an experienced UNIX Webmaster to maintain pages on the server.

The final option in establishing a virtual folder is to specify the access rights in the Directory Properties sheet. To enable viewing content, mark the Read check box. Read access means read-only access; users can't make any changes to the folder. To enable a program folder that has executable files that add functionality to your Web pages, mark the Execute check box. Execute access does not allow users to scan folder contents.

Never grant Read access to any of your application or script subfolders. If you do, users may not only browse the folders, seeking programs that "look interesting," but they also can run the programs to see what they do. With Execute rights, users can execute applications and scripts, but can't perform blind folder listings or copy files from the location. This means that you should not mix scripts and applications with Web pages in a single folder.

The primary use of the Directories page of the WWW Service Properties sheet is to manage the content you provide to the users of your system. By placing different categories of content in different folder trees, you accomplish the following objectives:

Virtualizing Remote Server Shares.

Placing content on a remote server share is tricky, because when the remote server is accessed, the share is accessed using the name and password you provide in all cases. If the user name and password you provide don't have access to the share, the user can't access the pages the share contains, whether or not the user has permissions for the share itself.

Consider the following scenario to help explain this approach:

There's one problem with this scenario: Anyone accessing your server can access the new folder by typing its virtual folder URL, http://holodeck3/secret, which provides access to the default.htm file. Bear in mind that you initially set the folder for very limited access (only by the user named Julie). By providing the name and password in the property sheet for the folder mapping, you bypass the security on the folder entirely, making the information available to any user on your network who can launch Internet Service Manager. In essence, you hard-code the folder name and password.

This apparent security bypass happens because you provide Windows NT's security layer with a valid user name and password. The remote server doesn't provide the same level of security that you have when attempting to access a secured folder or file physically located on the IIS server.

For this reason, carefully architect your server to provide secure and non-secure access to the information you want to make available. Never put information on a remote server if the information needs to be protected from some users and available to other users. Put public, widely available information on the remote server.

In cases where you have secure information, always put the information on the IIS server, allowing Windows NT's security management to step in, protecting the information.

This same approach also applies to virtual server configurations. When you indicate a virtual server, the provided user name and password are used to connect to the remote server. If secure information resides at that remote location, move it to the local system and allow Windows NT to manage the secure access to the information.

Configuring Logging Options.

The log files created by the Internet Information Server include the IP address for the incoming request, the type of request made, and information about the success or failure of the request. Logs also provide information about access to individual pages. In the case of your Web server, this information is very valuable when determining what content to revise, keep, or remove from the system. You set standard logging options in the Logging page for the WWW Service Properties sheet (see fig. 19.22).


19.22

Setting options in the Logging page of the WWW Service Properties sheet.

Most of the logging options shown in figure 19.22 are self-explanatory, but following are recommendations for starting up your Web site:

See "Logging to an ODBC Data Source," (Ch 20)

You can import the text version of the log into Microsoft Excel to perform quick checks on system performance. The fields of the log file are comma-separated (Excel .csv format). Excel's Text Import Wizard makes the process easy, but you must manually select Delimited in step 1 of the Wizard and specify Comma in step 2 to achieve the desired result. Figure 19.23 shows a typical log file imported into Excel 7.0, with a few of the columns compressed to display the Web pages viewed. During startup, it's easier to analyze usage with Excel than to write a database front end that does the analysis automatically. You can use Access 95 to import the text file and view the log in table datasheet view. Access 95's Text Import Wizard is quite similar to Excel 7.0's.


19.23

A Web service log imported into an Excel 7.0 worksheet.
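
The same comma-separated log can be checked with a short script instead of a worksheet. The following is an added example, not part of the original chapter: it tallies the pages viewed and counts refused requests per client address. The log lines are constructed samples, and the column order is an assumption taken from Microsoft's documented IIS text log layout, because the chapter doesn't list the columns.

```python
import csv
from collections import Counter

# Assumed column order of the IIS text log (not listed in the chapter).
FIELDS = (
    "client_ip", "username", "date", "time", "service", "server_name",
    "server_ip", "elapsed_ms", "bytes_received", "bytes_sent",
    "service_status", "nt_status", "operation", "target", "parameters",
)
NUMERIC = ("elapsed_ms", "bytes_received", "bytes_sent",
           "service_status", "nt_status")

# Constructed sample log. NT status 5 = access denied, 1326 = logon failure,
# 2 = file not found. The last line is truncated on purpose.
SAMPLE_LOG = """\
10.1.1.21, -, 9/12/96, 9:14:02, W3SVC, OAKLEAF0, 10.1.1.5, 120, 278, 3223, 200, 0, GET, /default.htm, -,
10.1.1.21, -, 9/12/96, 9:14:09, W3SVC, OAKLEAF0, 10.1.1.5, 30, 290, 1150, 200, 0, GET, /samples/default.htm, -,
10.1.1.30, -, 9/12/96, 9:15:40, W3SVC, OAKLEAF0, 10.1.1.5, 31, 290, 1150, 200, 0, GET, /samples/default.htm, -,
131.254.7.44, -, 9/12/96, 9:20:11, W3SVC, OAKLEAF0, 10.1.1.5, 15, 301, 240, 401, 5, GET, /iisadm/default.htm, -,
131.254.7.44, administrator, 9/12/96, 9:20:14, W3SVC, OAKLEAF0, 10.1.1.5, 16, 342, 240, 401, 1326, GET, /iisadm/default.htm, -,
131.254.7.44, administrator, 9/12/96, 9:20:19, W3SVC, OAKLEAF0, 10.1.1.5, 16, 342, 240, 401, 1326, GET, /iisadm/default.htm, -,
10.1.1.21, -, 9/12/96, 9:31:05, W3SVC, OAKLEAF0, 10.1.1.5, 10, 281, 198, 404, 2, GET, /missing.htm, -,
10.1.1.30, -, 9/12/96, 9:3
"""


def parse_log(text):
    """Parse log text into a list of dicts, skipping blank or damaged lines."""
    records = []
    for row in csv.reader(text.splitlines(), skipinitialspace=True):
        if len(row) < len(FIELDS):
            continue                      # blank or truncated line
        rec = {name: value.strip() for name, value in zip(FIELDS, row)}
        try:
            for name in NUMERIC:
                rec[name] = int(rec[name])
        except ValueError:
            continue                      # non-numeric status or byte count
        records.append(rec)
    return records


def page_hits(records):
    """Count successful GET requests per page (content planning)."""
    return Counter(r["target"] for r in records
                   if r["operation"] == "GET" and r["service_status"] == 200)


def denied_by_client(records):
    """Count 401/403 responses per client address (security review)."""
    return Counter(r["client_ip"] for r in records
                   if r["service_status"] in (401, 403))


def clients_to_review(records, threshold=3):
    """Client addresses with at least `threshold` refused requests."""
    counts = denied_by_client(records)
    return sorted(ip for ip, n in counts.items() if n >= threshold)


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print(page_hits(recs).most_common(3))
    print(clients_to_review(recs))
```
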

Configuring Advanced Options.

The Advanced options, which are common to all three IIS server processes, let you exclude computers with specific IP addresses or specify the IP address of each computer allowed access to your site. Figure 19.24 shows settings that allow only three specified computers to gain access to the site. Alternatively, you can use a subnet mask to let a group of computers within a subnet access the site.


19.24

Specifying the IP address of individual computers that have access to your site.

The alternative is to indicate that everyone has access to the system except for those IP addresses in the list. In cases where you have a confirmed attempt or attempts to compromise your system, you can remove the offending person's access rights. Figure 19.25 shows a group of computers having IP addresses beginning with 131.254.7 locked out of the site.


19.25

Denying access to a group of computers based on their IP address range.

To enter an address, click the Add button of the Advanced page to open the Permit Access On or Deny Access On dialog. When you enter the address, you can use "wild cards" by selecting the Group of Computers option and providing the part of the IP address that's constant for the systems addressed. When entering a single computer's address, you can click the ellipsis button at the right of the IP Address text box to enter a computer name based on DNS entries. The ellipsis button is disabled in figure 19.25 because manual entry of a group of computer names is selected.
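
The two modes of the Advanced page can be modeled in a few lines, which is useful for checking a planned list before you type it in. This is an added example, not IIS code: entry, is_granted, and coverage are hypothetical helper names, the 10.1.1.x addresses are constructed, and the 131.254.7 group with an assumed mask of 255.255.255.0 follows figure 19.25.

```python
import ipaddress


def entry(ip, mask="255.255.255.255"):
    """One row of the exception list.

    A single computer uses the default mask; a Group of Computers supplies the
    constant part of the address plus a subnet mask. A mask that isn't a
    contiguous run of one bits raises ValueError.
    """
    return ipaddress.ip_network(f"{ip}/{mask}", strict=False)


def is_granted(client_ip, default_grant, exceptions):
    """Apply "all computers are granted/denied access, except those listed".

    default_grant=True  -> everyone is granted except listed entries.
    default_grant=False -> everyone is denied except listed entries.
    """
    try:
        addr = ipaddress.ip_address(client_ip)
    except ValueError:
        return False                      # unparseable address: fail closed
    listed = any(addr in net for net in exceptions)
    return listed != default_grant        # a listed entry flips the default


def coverage(exceptions):
    """Show how many addresses each row really matches.

    A mistyped mask (255.255.0.0 instead of 255.255.255.0) silently widens a
    row from 256 addresses to 65,536, so review this before applying a list.
    """
    return [(str(net), net.num_addresses) for net in exceptions]


# Figure 19.25 style: grant by default, deny the 131.254.7 group.
DENY_GROUP = [entry("131.254.7.0", "255.255.255.0")]

# Figure 19.24 style: deny by default, grant three computers (constructed).
ALLOW_THREE = [entry("10.1.1.21"), entry("10.1.1.30"), entry("10.1.1.31")]


if __name__ == "__main__":
    print(is_granted("131.254.7.44", True, DENY_GROUP))    # False
    print(is_granted("10.1.1.30", False, ALLOW_THREE))     # True
    print(coverage(DENY_GROUP))
```
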

The Limit Network Use check box of the Advanced page lets you limit the total throughput on your server that's devoted to the service. The default value, 4,096KB/S, is a substantial percentage of a 10BaseT or 10Base2 network connection. If you need to limit total throughput of all your site's services, you can type any reasonable value (between, say, 1,000 and 5,000) into the text box.

Setting FTP Server Options

The FTP service options are quite similar to those for the Web service described in the preceding sections. The differences lie in the first two pages of the FTP Service Properties sheet, Service and Messages. The Service page (see fig. 19.26) adds a Current Sessions button, but doesn't include the Password Authentication options of the WWW Service Properties sheet.


19.26

The Service page of the FTP Service Properties sheet.

The Current Sessions button opens the FTP Users Sessions dialog to show you who's on the system, when they connected, and how long they've been on. Don't turn off the FTP server as long as users appear on the display. If you turn off the FTP server, you not only close the user connection, but also terminate their download operation in progress.

The Messages page (see fig. 19.27) lets you personalize your FTP site with Welcome, Exit, and Maximum connections messages. If you have an index for the content of your FTP site, it's a common practice to suggest that users read the index before proceeding. When you connect to an FTP site with a browser, the Welcome message appears below the FTP Root at Servername title (see fig. 19.28).


19.27

Specifying the messages that appear when a user logs on and off an FTP site, and when the maximum number of connections is reached.


19.28

Internet Explorer 3.0 playing a waveform audio (.WAV) file from an FTP site.

Setting the Gopher Server Options

When you set up the Gopher server options, the Logging and Advanced options are identical to those for the other services, and the Directories option is quite similar. However, the Service page (see fig. 19.29) varies slightly from the Service page of the other two services. You enter the name or title and an e-mail address to which to report problems in the Service Administrator section.


19.29

Setting up Gopher options in the service.

At this writing, no Gopher client other than Microsoft Internet Explorer has been found that recognizes an intranet address for the URL. The Gopher protocol, one of the first cross-server protocols to let users skip around the Internet, is a legacy technology superseded by other protocols and new navigation technologies. With Internet search servers, such as Digital's AltaVista and Microsoft's Search Server for intranets, there's little incentive to implement IIS 2.0's Gopher service.

If you use Internet Explorer and want to access the Gopher server, preface the URL with the Gopher URL prefix (for example, gopher://holodeck3).

Gopher uses a series of indexes and content information files, called tag files, to access your site. You use the GDSSET command-line utility, located in the \WINNT\system32 and \WINNT\system32\inetsrv folders, to create these tag files. GDSSET creates a small, hidden file that contains information about the files. Following is a simple tag file for a text file named crack.txt created with GDSSET:

0
GdsPriv=Gs1.0;04/03/96;22:37:37
Type=0
Name=Demonstration Information

The command line to create this file is

gdsset -g0 -f "Demonstration Information" -d crack.txt

This command line includes a set of options, plus the description and name of the file. When you run the utility, you receive a simple display of the result, as in the following example:

Gopher Object Type = 0
 Gopher FriendlyName = Demonstration Information
 Tag information for C:\inetsrv\gophroot\crack.txt
    Object Type = 1
    Friendly Name = crack.txt
    Admin Name = Default Admin Name
    Admin Email = Default Admin Email

Table 19.2 lists the options that are commonly used with GDSSET.

Table 19.2 Common GDSSET Command-Line Options

Option Description
-g The type of file being indexed
-f "Friendly" description to be displayed instead of the file name
-d The file name of the file being referenced (case-sensitive)
-c For updating, or changing, an existing tag file
-D Indicates the folder (case-sensitive)
-a Administrator's name
-e Administrator's e-mail address

The easiest way to tag files is simply to use the file name parameter,

GDSSET filename.ext

where filename.ext is the name of the file you want to index. GDSSET prompts you for the file's friendly name and then saves the tag file. Saved tag files are hidden in the folder from which you run the GDSSET utility. These tag files save with the same file name as the original file indexed, but a new extension, .GTG, is appended to the file name to specify a Gopher tag file.

The type of source file is specified in accordance with the codes shown in table 19.3.

Table 19.3 Common Gopher File Types for Tag Files

Code Type of Gopher Tag File
0 Standard text file
1 Folder of additional Gopher files
9 A binary file, the default
g A GIF graphic file
h An HTML page

The file type codes shown in table 19.3 are the most common for intranet and Internet installations. The tag file defaults to type 9, a binary file, indicating to the server that it should MIME-encode the file. The browser examines the file type and determines whether to download the file to the local hard drive or to display it in the browser.

Understanding URLs

The URL prefixes listed in table 19.4 are supported by most mainstream browsers.

Table 19.4 Common URL Prefixes

Prefix Purpose
File: Opens a local or network drive file for browsing. Example: File://c:\mydir\myfile.htm
Http: Opens an HTML document for viewing. Example: http://holodeck3/ or http://www.microsoft.com/ie/ie.htm
Https: Opens a secure HTML document for viewing, requiring the establishment of a Secure Socket Layer conversation with the server. Example: https://holodeck3
Gopher: Opens a Gopher session. Example: gopher://holodeck3
FTP: Opens an FTP session. Example: ftp://www.intellicenter.com/myfile.zip

You may encounter other prefixes, but the prefixes listed in table 19.4 are the most common on the Internet. Other prefixes include telnet: (which establishes a Telnet session to the address you indicate) and news: (which attempts to attach to a Usenet News service). Many of these less commonly implemented protocols are supported by executing locally stored utility applications.

From Here...

Microsoft's IIS 2.0 is intended primarily to be a high-performance Web server for private intranets and the public Internet. This chapter explained how to set up and connect to each service offered by IIS 2.0. World Wide Web, FTP, and (to a lesser degree) Gopher services combine to provide comprehensive sources of information for intranet and Internet users.

The following chapters provide additional information related to the topics discussed in this chapter:

