12.2 How Does IIS Work?

IIS runs as a set of services on Windows Server 2003. Each service uses Windows Server 2003 Application Programming Interfaces (APIs) to interact with the operating system's TCP/IP protocol stack. Figure 12-2 illustrates the interaction between IIS and the TCP/IP stack.

Figure 12-2. IIS and the Windows Server 2003 TCP/IP stack

As shown in Figure 12-2, each IIS service instructs the operating system to listen for incoming network traffic on specific TCP and UDP ports. These ports allow client applications to contact specific applications on a server. For example, web sites typically listen to TCP port 80, while FTP sites usually listen to TCP port 21.

When the TCP/IP stack receives incoming traffic on a port registered to an IIS service, the stack forwards that traffic to the appropriate service. The service can then analyze the traffic, take the appropriate actions, and if necessary, send a response back to the client that sent the request.

12.2.1 IIS Processing

Each IIS service processes incoming and outgoing traffic slightly differently. The FTP, SMTP, and NNTP services are all fairly straightforward, processing and responding to requests as defined in the appropriate Internet Engineering Task Force (IETF) Request for Comment (RFC) documents.

For ASP applications to work, IIS' World Wide Web (WWW) Publishing Service has to do a bit more work. When a user requests a specific web page, IIS loads the page from its location on the server's hard disk. Any pages with an .asp or .aspx file extension are preprocessed by the ASP DLL files. Other pages are often transmitted as-is to the requesting client.

.asp files use the older ASP DLL files; .aspx files use the newer ASP.NET libraries to process the pages. A single server can process pages of both types, because it can use the filename extension to identify the correct processing libraries.

For an ASP page, IIS uses the ASP processing libraries to execute the script code within the page. The code is removed by the library and replaced with the results of the code, which can include HTML tags, text, graphics, and other elements. The resulting page is passed back to IIS and transmitted to the requesting client.

12.2.2 IIS Security

IIS is integrated with Windows Server 2003's native security. By default, IIS is configured to accept anonymous connections, delivering web pages to anyone who requests them. However, you can configure IIS to require authentication. If authentication is required, IIS will demand logon credentials when a user requests a web page that has restrictive file permissions. IIS will deliver only files that users have permission to access.

IIS supports four primary forms of authentication, as shown in Figure 12-3.

Figure 12-3. IIS authentication methods

The four types of authentication include .NET Passport authentication, Windows-integrated authentication, Basic authentication, and Digest authentication. All of these authentication types will be discussed later in this chapter.

As shown in Figure 12-4, IIS security also allows you to restrict the computers that IIS will respond to. You can specify that IIS respond to only specific IP addresses or that it respond to all IP addresses except a specific list. This capability allows you to, for example, configure IIS to respond to known IP addresses of business partners but not to the general public.

Figure 12-4. IIS IP address restrictions