IIS

1 Introduction

Internet Information Services (IIS, formerly Internet Information Server) is an extensible web server created by Microsoft for use with Windows NT family. IIS supports HTTP, HTTPS, FTP, FTPS, SMTP and NNTP. It has been an integral part of the Windows NT family since Windows NT 4.0, though it may be absent from some editions (for example, Windows XP Home edition), and is not active by default.

The KEMP LoadMaster is used to load balance the IIS workload. The LoadMaster offers advanced Layer 4 and Layer 7 server load balancing, SSL Acceleration and a multitude of other advanced Application Delivery Controller (ADC) features. The LoadMaster intelligently and efficiently distributes user traffic among the application servers so that users get the best experience possible. 

1.1 Document Purpose

This document provides the recommended LoadMaster settings used when load balancing the IIS workload. The KEMP Support Team is available to provide solutions for scenarios not explicitly defined. The KEMP support site can be found at: https://support.kemptechnologies.com

1.2 Intended Audience

This document is intended to be read by anyone who is interested in configuring the LoadMaster to optimize the IIS server.

2 Template

KEMP has developed a template containing our recommended settings for this workload. You can install this template to help when creating Virtual Services, as it automatically populates the settings. This is quicker and easier than manually configuring each Virtual Service. If needed, changes can be made to any of the Virtual Service settings after using the template.

Download released templates from the Templates section on the KEMP documentation page: http://kemptechnologies.com/documentation.

For more information and steps on how to import and use templates, refer to the Virtual Services and Templates, Feature Description on the KEMP Documentation Page.

For steps on how to manually add and configure each of the Virtual Services using the recommended settings, refer to the steps in this document.

3 Architecture

Architecture.png

4 Configure the LoadMaster

The deployed IIS environment determines which of the following setups is used.

4.1 Enable Subnet Originating Requests Globally

It is best practice to enable the Subnet Originating Requests option globally.

In a one-armed setup (where the Virtual Service and Real Servers are on the same network/subnet) Subnet Originating Requests is usually not needed. However, enabling Subnet Originating Requests should not affect the routing in a one-armed setup.

In a two-armed setup where the Virtual Service is on network/subnet A, for example, and the Real Servers are on network B - Subnet Originating Requests should be enabled on LoadMasters with firmware version 7.1-16 and above.

When Subnet Originating Requests is enabled, the LoadMaster will route traffic so that the Real Server will see traffic arriving from the LoadMaster interface that is in that network/subnet not the Virtual Service address.

When Subnet Originating Requests is enabled globally, it is automatically enabled on all Virtual Services. If the Subnet Originating Requests option is disabled globally, you can choose whether or not to enable Subnet Originating Requests on a per-Virtual Service basis.

To enable Subnet Originating Requests globally, follow the steps below:

1. In the main menu of the LoadMaster Web User Interface (WUI), go to System Configuration > Miscellaneous Options > Network Options.

SCMONO002.png

2. Tick the Subnet Originating Requests check box.

4.2 Enable Check Persist Globally

It is recommended that you change the Always Check Persist option to Yes – Accept Changes. Use the following steps:

1. Go to System Configuration > Miscellaneous Options > L7 Configuration.

SCMOLC001.png

2. Click the Always Check Persist dropdown arrow and select Yes – Accept Changes.

4.3 Create the IIS Virtual Services

The following sections describe the recommended settings for the IIS Virtual Services.

4.3.1 Create an IIS HTTP Virtual Service

The following are the steps involved and the recommended settings to configure the IIS Virtual Service:

1. In the main menu of the LoadMaster Web User Interface (WUI), go to Virtual Services > Add New.

Create an IIS HTTP Virtual.png

2. Type a valid Virtual Address.

3. Type 80 as the Port.

4. Enter a recognizable Service Name, such as IIS HTTP Virtual Service.

5. Click Add this Virtual Service.

6. Configure the settings as recommended in the following table:

Section

Option

Value

Comment

Standard Options

Persistence Mode

Active Cookie

SSL Acceleration must be enabled before you can select Active Cookie as a Persistence Mode.

 

Timeout

1 Hour

 

 

Cookie name

JSESSIONID

 

 

Scheduling Method

least connection

 

7. Add the Real Servers:

8. Expand the Real Servers section.

9. Click Add New.

a) Enter the address of the relevant Real Server.

b) Complete the other fields as required.

c) Click Add this Real Server then click OK to the pop-up message.

d) Repeat the steps above to add more Real Servers as needed, based on your environment.

4.3.2 Create an IIS HTTPS Virtual Service

The following are the steps involved and the recommended settings to configure the IIS HTTPS Virtual Service:

1. In the main menu of the LoadMaster WUI, go to Virtual Services > Add New.

Create an IIS HTTPS Virtual.png

2. Type a valid Virtual Address.

3. Type 443 as the Port.

4. Enter a recognizable Service Name, such as IIS HTTPS Virtual Service.

5. Click Add this Virtual Service.

6. Configure the settings as recommended in the following table:

Section

Option

Value

Comment

Standard Options

Persistence Mode

Source IP Address

 

 

Timeout

1 Hour

 

 

Scheduling Method

least connection

 

 

Idle Connection Timeout

900

 

Advanced Properties

Add a Port 80 Redirector VS

https://%h%s

Click Add HTTP Redirector. This automatically creates a redirect on port 80.

Real Servers

URL

/

 

7. Add the Real Servers:

8. Expand the Real Servers section.

9. Click Add New.

a) Enter the address of the relevant Real Server.

b) Complete the other fields as required.

c) Click Add this Real Server then click OK to the pop-up message.

d) Repeat the steps above to add more Real Servers as needed, based on your environment.

Create an IIS HTTPS Redirect Virtual Service

Clicking the Add HTTP Redirector button automatically creates a port 80 redirect Virtual Service. This is optional, but the purpose of this Virtual Service is to redirect any clients who have connected using HTTP to the HTTPS Virtual Service. KEMP also recommends changing the Real Server Check Method and Persistence Mode to None.

4.3.3 Create an IIS HTTPS Offloaded Virtual Service

The following are the steps involved and the recommended settings to configure the IIS HTTPS Offloaded Virtual Service:

1. In the main menu of the LoadMaster WUI, go to Virtual Services > Add New.

Create an IIS HTTPS Offloaded.png

2. Type a valid Virtual Address.

3. Type 443 as the Port.

4. Enter a recognizable Service Name, such as IIS HTTPS Offloaded HTTP Virtual Service.

5. Click Add this Virtual Service.

6. Configure the settings as recommended in the following table:

Section

Option

Value

Comment

Standard Options

Persistence Mode

Active Cookie

SSL Acceleration must be enabled before you can select Active Cookie as a Persistence Mode.

 

Timeout

1 Hour

 

 

Scheduling Method

least connection

 

 

Idle Connection Timeout

900

 

SSL Properties

SSL Acceleration

Enabled

 

 

Cipher Set

BestPractices

 

Advanced Properties

Add a Port 80 Redirector VS

https://%h%s

Click Add HTTP Redirector. This automatically creates a redirect on port 80.

Real Servers

Real Server Check Method

HTTPS Protocol

 

 

URL

/

 

7. Add the Real Servers:

8. Expand the Real Servers section.

9. Click Add New.

a) Enter the address of the relevant Real Server.

b) Complete the other fields as required.

c) Click Add this Real Server then click OK to the pop-up message.

d) Repeat the steps above to add more Real Servers as needed, based on your environment.

Create an IIS HTTPS Offloaded Redirect Virtual Service

Clicking the Add HTTP Redirector button automatically creates a port 80 redirect Virtual Service. This is optional, but the purpose of this Virtual Service is to redirect any clients who have connected using HTTP to the HTTPS Virtual Service. KEMP also recommends changing the Real Server Check Method and Persistence Mode to None.

4.3.4 Create an IIS HTTPS Re-encrypt Virtual Service

The following are the steps involved and the recommended settings to configure the IIS HTTPS Re-encrypt Virtual Service:

1. In the main menu of the LoadMaster WUI, go to Virtual Services > Add New.

Create an IIS HTTPS Re encrypt.png

2. Type a valid Virtual Address.

3. Type 443 as the Port.

4. Enter a recognizable Service Name, such as IIS HTTPS Re-encrypt Virtual Service.

5. Click Add this Virtual Service.

6. Configure the settings as recommended in the following table:

Section

Option

Value

Comment

Standard Options

Persistence Mode

Active Cookie

SSL Acceleration must be enabled before you can select Active Cookie as a Persistence Mode.

 

Timeout

1 Hour

 

 

Cookie name

JSESSSIONID

 

 

Scheduling Method

least connection

 

 

Idle Connection Timeout

900

 

SSL Properties

SSL Acceleration

Enabled

 

 

Reencrypt

Enabled

 

 

Cipher Set

Best Practices

 

Advanced Properties

Add a Port 80 Redirector VS

https://%h%s

Click Add HTTP Redirector. This automatically creates a redirect on port 80.

Real Servers

URL

/

 

7. Add the Real Servers:

8. Expand the Real Servers section.

9. Click Add New.

a) Enter the address of the relevant Real Server.

b) Complete the other fields as required.

c) Click Add this Real Server then click OK to the pop-up message.

d) Repeat the steps above to add more Real Servers as needed, based on your environment.

Create an IIS HTTPS Re-encrypt Redirect Virtual Service

Clicking the Add HTTP Redirector button automatically creates a port 80 redirect Virtual Service. This is optional, but the purpose of this Virtual Service is to redirect any clients who have connected using HTTP to the HTTPS Virtual Service. KEMP also recommends changing the Real Server Check Method and Persistence Mode to None.

4.4 Create the IIS and WAF Virtual Services

The following sections describe the recommended settings for the IIS and WAF Virtual Services.

4.4.1 Create an IIS HTTP and WAF Virtual Service

The following are the steps involved and the recommended settings to configure the IIS HTTP WAF Virtual Service:

1. In the main menu of the LoadMaster WUI, go to Virtual Services > Add New.

Create an IIS HTTP and WAF.png

2. Type a valid Virtual Address.

3. Type 80 as the Port.

4. Enter a recognizable Service Name, such as IIS HTTP WAF Virtual Service.

5. Click Add this Virtual Service.

6. Configure the settings as recommended in the following table:

Section

Option

Value

Standard Options

Persistence Mode

Source IP Address

 

Timeout

6 Minutes

 

Scheduling Method

least connection

WAF Options

Enabled

Yes

 

Default Operation

Block Mode

 

Audit mode

Audit Relevant

 

Enabled Rules

owasp_protocol_violations

 

 

owasp_protocol_anomalies

 

 

owasp_request_limits

 

 

owasp_bad_robots

 

 

owasp_generic_attacks

 

 

owasp_xss_attacks

 

 

owasp trojans

 

 

owasp_common_exceptions

 

Application Specific

iis_attacks

Real Servers

Real Server Check Method

HTTPS Protocol

Real Servers

URL

/

7. Add the Real Servers:

8. Expand the Real Servers section.

9. Click Add New.

a) Enter the address of the relevant Real Server.

b) Complete the other fields as required.

c) Click Add this Real Server then click OK to the pop-up message.

d) Repeat the steps above to add more Real Servers as needed, based on your environment.

4.4.2 Create an IIS HTTPS Offloaded and WAF Virtual Service

The following are the steps involved and the recommended settings to configure the IIS HTTPS Offloaded and WAF Virtual Service:

1. In the main menu of the LoadMaster WUI, go to Virtual Services > Add New.

Create an IIS HTTPS Offloaded_1.png

2. Type a valid Virtual Address.

3. Type 443 as the Port.

4. Enter a recognizable Service Name, such as IIS HTTPS Offloaded WAF Virtual Service.

5. Click Add this Virtual Service.

6. Configure the settings as recommended in the following table:

Section

Option

Value

Comments

Standard Options

Persistence Mode

Source IP Address

 

 

Timeout

6 Minutes

 

 

Scheduling Method

least connection

 

 

Idle Connection Timeout

900

 

SSL Properties

Enabled

Selected

 

 

Cipher Set

Best Practices

 

Advanced Properties

Add a Port 80 Redirector VS

https://%h%s

Click Add HTTP Redirector. This automatically creates a redirect on port 80.

WAF Options

Enabled

Yes

 

 

Default Operation

Block Mode

 

 

Audit Mode

Audit Relevant

 

 

Enabled Rules

owasp_protocol_violations

 

 

 

owasp_protocol_anomalies

 

 

 

owasp_request_limits

 

 

 

owasp_bad_robots

 

 

 

owasp_generic_attacks

 

 

 

owasp_xss_attacks

 

 

 

owasp_trojans

 

 

 

owasp_common_exceptions

 

 

Application Specific

iis_attacks

 

Real Servers

Real Server Check Method

HTTPS Protocol

 

Real Servers

URL

/

 

7. Add the Real Servers:

8. Expand the Real Servers section.

9. Click Add New.

a) Enter the address of the relevant Real Server.

b) Complete the other fields as required.

c) Click Add this Real Server then click OK to the pop-up message.

d) Repeat the steps above to add more Real Servers as needed, based on your environment.

Create an IIS HTTPS Offloaded and WAF Redirect Virtual Service

Clicking the Add HTTP Redirector button automatically creates a port 80 redirect Virtual Service. This is optional, but the purpose of this Virtual Service is to redirect any clients who have connected using HTTP to the HTTPS Virtual Service. KEMP also recommends changing the Real Server Check Method and Persistence Mode to None.

4.4.3 Create an IIS HTTPS Re-encrypt and WAF Virtual Service

The following are the steps involved and the recommended settings to configure the IIS HTTPS Re-encrypt and WAF Virtual Service:

1. In the main menu of the LoadMaster WUI, go to Virtual Services > Add New.

Create an IIS HTTPS Re encrypt_1.png

2. Type a valid Virtual Address.

3. Type 443 as the Port.

4. Enter a recognizable Service Name, such as IIS HTTPS Re-encrypt and WAF Virtual Service.

5. Click Add this Virtual Service.

6. Configure the settings as recommended in the following table:

Section

Option

Value

Comments

Standard Options

Persistence Mode

Source IP Address

 

 

Timeout

6 Minutes

 

 

Scheduling Method

least connection

 

 

Idle Connection Timeout

900

 

SSL Properties

Enabled

Selected

 

 

Reencrypt

Selected

 

 

Cipher Set

Best Practices

 

Advanced Properties

Add a Port 80 Redirector VS

https://%h%s

Click Add HTTP Redirector. This automatically creates a redirect on port 80.

WAF Options

Enabled

Yes

 

 

Default Operation

Block Mode

 

 

Audit mode

Audit Relevant

 

 

Enabled Rules

owasp_protocol_violations

 

 

 

owasp_protocol_anomolies

 

 

 

owasp_request_limits

 

 

 

owasp_bad_robots

 

 

 

owasp_generic_attacks

 

 

 

owasp_xss_attacks

 

 

 

owasp_trojans

 

 

 

owasp_common_exceptions

 

 

Application Specific

iis_attacks

 

Real Servers

Real Server Check Method

HTTPS Protocol

 

Real Servers

URL

/

 

7. Add the Real Servers:

8. Expand the Real Servers section.

9. Click Add New.

a) Enter the address of the relevant Real Server.

b) Complete the other fields as required.

c) Click Add this Real Server then click OK to the pop-up message.

d) Repeat the steps above to add more Real Servers as needed, based on your environment.

Create an IIS HTTPS Re-encrypt and WAF Redirect Virtual Service

Clicking the Add HTTP Redirector button automatically creates a port 80 redirect Virtual Service. This is optional, but the purpose of this Virtual Service is to redirect any clients who have connected using HTTP to the HTTPS Virtual Service. KEMP also recommends changing the Real Server Check Method and Persistence Mode to None.

References

Unless otherwise specified, the following documents can be found at http://kemptechnologies.com/documentation.

Virtual Services and Templates, Feature Description

Document History

 

Date

Change

Reason for Change

Version

Resp.

Nov 2016

Initial draft

First draft

1.0

POC

Jan 2017

Minor changes

Updated Copyright Notices

2.0

LB

July 2017 Minor changes Updates made 3.0 CMC

 

 

Was this article helpful?

0 out of 0 found this helpful

Comments