Should I use Windows Management Service or Remote Agent Service to publish to a remote server? - asp.net

I have a remote web server that I have full administrator access over, and I want to deploy a website.
When I use Visual Studio's Publish tool, among other things which seem a bit less convenient (FTP etc), I have the option of using either Windows Management Service or Remote Agent Service. All the documentation says is this:
To publish remotely through Remote Agent Service, use http://RemoteComputerName. This option is typically used to deploy a Web application inside a network (in an intranet scenario). You must have appropriate permissions to perform the deployment on the destination server.
To publish to a hosting site using Windows Management Service, use the value that is specified by the hosting provider. You can typically use just a server name (HostedRemoteServer) or a complete URL that includes a server name, a port number, and the Web Deploy handler name (https://HostedRemoteServer:8172/MsDeploy.axd). The hosting provider can tell you the name of the server and the port number, if applicable.
This isn't enough information for me to decide, though. Yeah, I'm not publishing over a network, but I do have full access over the machine I'm deploying to. At the same time, MsDeploy is the big fancy thing that Scott Hanselman describes in his talk and that I've been convinced is the awesome way to deploy.
So which should I do? Are there any obscure security considerations or anything?

I recommend going the Management Service route. In addition to the msdeploy features, the Management Service feature gives you the ability to remotely administer IIS 7/7.5 from your machine. With all of your IIS servers in one console, you can easily export an application on one machine and import it onto another.
It seems like the most sophisticated msdeploy implementation from a security provisioning perspective and from a configuration perspective. The IIS manager allows you to easily configure details around the endpoint (SSL certificate, port, etc.). Well... this is true on IIS 7/7.5 on Windows 2008 and R2, but not on Windows Vista or 7. For some strange reason, there is no UI for the Web Management settings on non-server SKUs.
The agent is basically a self-contained web server without any of the user-level permissions capabilities. This is why it requires that the person doing the remote deployment has admin privileges on the target machine. It feels like a simpler, bare metal implementation. Since you've already got IIS serving up HTTP/HTTPS and since IIS' HTTP implementation has kernel-level optimizations, you're not really gaining anything by going the agent route.
If you want to remotely administer Windows 2008 or R2 from Windows Vista/7, install this on your workstation: http://www.microsoft.com/downloads/en/details.aspx?FamilyID=32c54c37-7530-4fc0-bd20-177a3e5330b7 ... this was the icing on the cake for me.

Related

URL redirect malware

My ASP MVC web site was recently affected by URL redirect malware. There are several web sites hosted in IIS on an Azure server, and only one web site opens unwanted popups and redirects. I have checked the same site by hosting it in local IIS and it gave the same result. This does not always happen, but it happens suddenly. Does anybody have an idea how I can figure out what the reason is and how I can prevent this issue?
Since the issue occurs locally and also on an Azure VM, it is evidently not an Azure issue. As Adyson rightly mentioned, “the site is infected and you need to restore a non-infected version from a backup or re-deploy from the correct version of the source.”
In an IaaS deployment, you are still responsible for the management of the systems that you deploy, just like any other server or workstation in your environment. Patching, hardening, rights assignments, and any other activity related to the maintenance of your system are still your responsibility. For systems that are tightly integrated with your on-premises resources, you might want to use the same tools and procedures that you're using on-premises for things like antivirus, antimalware, patching, and backup.
Check the document Security best practices for IaaS workloads in Azure for more details: https://learn.microsoft.com/en-us/azure/security/azure-security-iaas
IIS security: At the level of Internet Information Services (IIS), you set content permissions, authentication controls, and operator privileges. Refer to Managing Web Server Security (https://msdn.microsoft.com/en-us/library/bb727096.aspx?f=255&MSPPError=-2147217396) for more details.
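One way to find out which deployed files differ from the known-good source before restoring or re-deploying, as an added example that is not part of the original answers. The function names and the sample directories are constructed for illustration; in practice the clean path would be a fresh publish of the correct source and the live path the site's physical folder in IIS.

```powershell
# Added example, not from the original answers. Names and sample data are constructed.
function Get-HashMap([string]$Root) {
    # Relative path -> SHA-256 for every file under $Root.
    $full = (Resolve-Path -LiteralPath $Root).Path.TrimEnd('\', '/')
    $map = @{}
    Get-ChildItem -LiteralPath $full -Recurse -File | ForEach-Object {
        $map[$_.FullName.Substring($full.Length + 1)] =
            (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
    }
    $map
}

function Compare-SiteToCleanBuild([string]$CleanPath, [string]$LivePath) {
    $clean = Get-HashMap $CleanPath
    $live  = Get-HashMap $LivePath
    foreach ($rel in $live.Keys) {
        if (-not $clean.ContainsKey($rel)) {
            [pscustomobject]@{ Status = 'Added'; File = $rel }     # not in the build at all
        } elseif ($clean[$rel] -ne $live[$rel]) {
            [pscustomobject]@{ Status = 'Modified'; File = $rel }  # content changed on the server
        }
    }
    foreach ($rel in $clean.Keys) {
        if (-not $live.ContainsKey($rel)) {
            [pscustomobject]@{ Status = 'Missing'; File = $rel }
        }
    }
}

# Constructed sample: a clean publish folder and a live copy with one altered
# layout file and one file that was never part of the build.
$tmp = Join-Path ([IO.Path]::GetTempPath()) ([guid]::NewGuid().ToString('N'))
foreach ($d in 'clean\Views', 'live\Views') {
    New-Item -ItemType Directory -Path (Join-Path $tmp $d) -Force | Out-Null
}
Set-Content (Join-Path $tmp 'clean\Views\_Layout.cshtml') '<html>@RenderBody()</html>'
Set-Content (Join-Path $tmp 'live\Views\_Layout.cshtml')  '<html>@RenderBody()<script src="//unknown.example/x.js"></script></html>'
Set-Content (Join-Path $tmp 'live\extra.aspx') 'unexpected file'

Compare-SiteToCleanBuild (Join-Path $tmp 'clean') (Join-Path $tmp 'live') | Sort-Object Status, File
Remove-Item -LiteralPath $tmp -Recurse -Force
```

Files that legitimately differ on the server, such as a web.config edited in place or user uploads, will also be listed, so each entry still needs a look before it is treated as part of the infection.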

How to deploy asp.net webapp in azure virtual machine

I am quite new to Azure and need a quick pointer on how to host an ASP.NET website in an Azure VM. Thanks for your help in advance.
A little background...
We were using Windows Server 2012 R2 and were hosting the site in IIS 6. This was an intranet site. Now we are migrating to the public cloud so that it is accessible over the internet. For this we have acquired an Azure VM (Windows OS). We have installed Visual Studio 2013 and SQL Server 2012 here. I have installed the Azure core SDK too.
Here are my questions:
What do I use instead of IIS to host? (Because I am not able to find any related app in azure VM)
Do I need to buy any more licenses for the same?
Should I host it in IIS only and because it is in public cloud, will it be accessible over internet?
Appreciate your help!
Since you have chosen the Infrastructure as a Service (IaaS) route, you simply have to replicate the setup that you have on premises.
If the IIS component is not there, you just have to enable it in Windows features.
If you do not want to use IIS, you can explore self-hosted ASP.NET applications.
Since you have chosen the Windows Server VM image and created the VM, you do not need to pay anything additional for the Windows license.
By default only 2 endpoints (ports) will be open in a Windows VM: one for Remote Desktop and the other for PowerShell remoting.
Refer to this post for enabling endpoints for your hosted applications:
https://learn.microsoft.com/en-us/azure/virtual-machines/virtual-machines-windows-classic-setup-endpoints
You have two options basically
Use Azure PaaS - Here you would host your existing application as a Cloud Service using a web role and an Azure SQL Database. This might mean some changes to the existing application but would need less management from you. You can find the migration steps here
Use Azure IaaS - This is pretty much what you are trying to do. Host your application on a VM and manage all the required software (IIS, SQL Server, etc.) on your own. Although this option might be easier in terms of migrating your application, it involves managing the infrastructure on your own. Here is a link on how to install IIS on an Azure VM.
You don't need any additional licenses since you are paying for the VM, which includes all required licenses. In case you decide to use SQL Server as IaaS, you can also use your existing SQL Server license when running SQL Server on an Azure VM.

How to configure Web Deploy publishing feature on IIS so developer can publish?

I control a server running IIS 8 on Windows Server 2012. I want to publish a few basic asp.net websites with the Publish option in Visual Studio 2012. There are no good/current Microsoft articles on the server configuration steps.
1) What exactly do I need to do on the server? I don't see any "web deploy" role option under the various IIS roles. I have read of some people downloading and installing "Web Deploy 3.0" from Microsoft but that file is one year old and it seems strange that I would have to download another file to use a promoted IIS file deployment option. If you are using IIS7 or IIS7.5 instead of IIS8 like me, please feel free to reply what YOU do, but let me know what version you are using.
2) Is the authentication process encrypted? For example, FTP would send passwords in plain text. FTP over SSL doesn't but setting up even a self-issued SSL cert is annoying just to get secure authentication. So what about Web Deploy? Is it safe or no?
3) Must I open port 8172 on the server's firewall? Microsoft's documentation says I "might need to".
4) On the Visual Studio side, it wants an account for authentication. Is this a Windows account on the server? Should I then right click the IIS website folder on the server and add this user there or is there some other preferred way of mapping users to websites? If so, what rights are required?
Please answer any or all of the above but please focus on the server side configuration and not the client (visual studio). Please don't suggest FTP as I am truly wanting to try Web Deploy. I am adding an IIS 7.5 tag too since some of the answers may be the same as for IIS 8.
It appears that one must still download the Web Deploy extension. Also, Version 3.5 is now available.
To download on a server, default IE security rules will require you to add something like http://*.microsoft.com as a trusted site, else you can't download the installer.
The whole package is rather large in its purpose and covers many deployment/backup/transfer type scenarios for IIS. So, when you install it, it turns into "Web Platform Installer 4.6" and installs roughly 10 prerequisites in addition to Web Deploy 3.5. Those prerequisites cover CLR Types, SQL Server framework (even if you don't have SQL Server installed), SQL Server shared management objects, etc. I did check afterwards if all these items are uninstallable through Control Panel (in case I changed my mind about Web Deploy) and they are there.
Finally, to configure web deploy on a site, I found this document:
http://www.iis.net/learn/publish/using-web-deploy/configure-the-web-deployment-handler
To find more information about this, google "web deployment handler".
It also does appear that you can configure secure authentication, which is the main reason I went down this Web Deploy publishing path instead of using plain clear-text FTP. However, http://www.iis.net/learn/publish/using-web-deploy/introduction-to-web-deploy says
Web Deploy is secure. Web Deploy supports transfer over HTTPS. Note that variants of FTP such as SFTP and FTPS are also secure.
I'm not sure if this means I will have to use an SSL certificate anyway. I was hoping Web Deploy provided more authentication options that were both secure and didn't need a certificate.
The answer marked correct pointed me in the right direction to publish a web site from Visual Studio 2013 to Server 2012. The Validate Connection button kept stating check Web Management service is installed.
As of April 2014 these simple steps work:
Install Web Deploy
http://www.iis.net/downloads/microsoft/web-deploy
In Powershell:
(from: https://www.orcsweb.com/blog/jamie-furr/manage-and-install-iis8-on-windows-2012-server-core/)
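# Install IIS and the Web Management Service (WMSVC)
Install-WindowsFeature Web-Server
Install-WindowsFeature Web-Mgmt-Service
# Allow remote connections to the management service
Set-ItemProperty -Path HKLM:\SOFTWARE\Microsoft\WebManagement\Server -Name EnableRemoteManagement -Value 1
# Restart the service so the setting takes effect
Net Stop WMSVC
Net Start WMSVC
# Allow inbound traffic to the service through Windows Firewall
netsh advfirewall firewall add rule name="Allow Web Management" dir=in action=allow service="WMSVC"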
In IIS:
(from http://blog.richardszalay.com/2013/02/02/building-a-deployment-pipeline-with-msdeploy-part-4-server-configuration/)
Create a new non-admin user
Once your user is created, we need to grant it permission to deploy the site. Right click on your website and select “Configure for Web Deploy Publishing…” from the “Deploy” sub menu
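A way to confirm what the steps above produce, and to see what the HTTPS endpoint actually presents, as an added example that is not part of the original answers. The function name and report fields are made up for this example; port 8172 is the one named in the Visual Studio documentation quoted earlier on this page.

```powershell
# Added example: checks the state the steps above should leave behind.
# Function name and report fields are illustrative; 8172 is the port from the
# documentation quoted on this page.
function Test-WebDeployEndpoint {
    param([string]$HostName = 'localhost', [int]$Port = 8172)

    $report = [ordered]@{ Host = $HostName; Port = $Port }

    # Web Management Service (WMSVC) has to be running to accept a publish.
    $svc = Get-Service -Name WMSVC -ErrorAction SilentlyContinue
    $report.ServiceRunning = ($null -ne $svc -and $svc.Status -eq 'Running')

    # Registry value written by the Set-ItemProperty step.
    $key = 'HKLM:\SOFTWARE\Microsoft\WebManagement\Server'
    $reg = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    $report.RemoteManagementEnabled = ($null -ne $reg -and $reg.EnableRemoteManagement -eq 1)

    # TLS handshake against the endpoint. The callback accepts any certificate
    # so it can be inspected; trust is evaluated separately with X509Chain.
    $tcp = New-Object System.Net.Sockets.TcpClient
    try {
        $tcp.Connect($HostName, $Port)
        $accept = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $accept)
        $ssl.AuthenticateAsClient($HostName)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)

        $report.TlsProtocol = $ssl.SslProtocol
        $report.CertSubject = $cert.Subject
        $report.CertExpires = $cert.NotAfter
        $report.SelfSigned  = ($cert.Subject -eq $cert.Issuer)
        # Build() returns $false for untrusted, expired or revoked chains.
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $report.ChainTrusted = $chain.Build($cert)
        $ssl.Dispose()
    }
    catch {
        $report.TlsError = $_.Exception.Message
    }
    finally {
        $tcp.Close()
    }
    [pscustomobject]$report
}

Test-WebDeployEndpoint | Format-List
```

Run it in an elevated session on the server. ChainTrusted is evaluated against the trust store of the machine running the script, so a result obtained on the server does not show what a developer workstation will see.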

IIS, EC2, Web Farm, Web Deploy and ELB

I'm a developer now developing my startup. I really don't know much about IIS setup. I will host my startup on Amazon EC2, and I want to know how I can scale my application if my traffic increases. I have been reading about MS Deploy and Web Farm Framework here: https://serverfault.com/questions/127409/iis-configuration-synchronization-for-web-server-farm . I want a simple architecture, without too much configuration. So I have been looking for experience with an IIS web farm and Amazon ELBs, and I did not find any.
So the question is:
Is it possible to make an IIS web farm with Amazon ELBs?
Any experience on EC2? IIS Web Deploy or WFF, with and/or without ELBs?
What do you recommend for an easy web farm setup?
You can do almost anything you want with IIS on EC2. They are full servers (well, Windows 2k8 Datacenter edition) and you can open any ports you need to communicate between servers. Here is an explicit tutorial on how to set up WFF, for example, on EC2.
The question is, are you sure you need to build a web farm? If you simply want to have multiple servers running your code then you can accomplish this without anything more than IIS and the tools that EC2 provides.
You build your app so it uses shared resources (like a session state server, central location for storing user uploaded content), configure a server the way you like it, and capture a server image (AMI). You use this image when you configure AutoScaling to launch new instances based on server metrics (like CPU usage), and they would be automatically added to the load balancer when launched.
The last challenge is ensuring servers launched automatically are running your latest code. You can write a custom program to get the latest code from somewhere (like SVN) on server startup, or you can use something much simpler like Dropbox to handle the synchronization.

How do I setup WebDeploy on Windows 2003 / IIS6?

Webdeploy is an alternative to WebDav, FTP, and FrontPage extensions. It also acts as an alternative to DFS for replicating websites. I found instructions for configuring Windows 2008, but I'm unclear how to set up 2003 especially when multiple sites / IP Addresses are present.
It is possible to install Web Deploy Tool 1.1 on Windows 2003 for IIS6. Generally this tool is used for synchronization between remote/local sources. You can refer to the following article about how to use Web Deploy Tool 1.1 on Windows Server 2003:
Synchronize IIS 6.0 Web Sites
http://learn.iis.net/page.aspx/445/synchronize-iis-60-web-sites/
However, it's not possible to use this tool to enable publishing from Visual Studio 2010 to the webserver. The reason is that this method relies on ‘Web Management Service’, which is newly introduced in IIS 7. This service can be used when there are some users delegated to manage certain sites or applications on the server. However, this service does not exist on Windows Server 2003.
IIS Web Management Service (WMSvc):
http://technet.microsoft.com/en-us/library/cc735010(WS.10).aspx
I use WebDeploy (MSDeploy) on 2003 servers to ensure content, IP addresses, certificates, etc remain the same across a MS NLB cluster. I also created a batch file to automate most of the different functions based on what I want to do (Full Server replication, single website, content only). Here are my notes on using the tool that I posted on my company's internal blog:
MSDeploy (http://www.iis.net/download/webdeploy) is a tool developed by Microsoft to make migrating, deploying, copying, and backing up websites easier. It was developed for IIS 7, but most features work in IIS 6. It can also be used to move a website from IIS 6 to 7 although I have not tested this. Some things to keep in mind when using MSDeploy are:
MSDeploy must be installed on both source and destination servers
The “Web Deployment Agent Service” must be running on both source and destination servers
Application Pools for the website must be created on the destination server before using MSDeploy or it will fail. I think this is fixed in IIS 7, but I am not 100% sure
When deploying a website, MSDeploy will attempt to put the files in exactly the same path on the destination server. If the path doesn’t exist on the destination server (like if the source path is D:\website and the destination server doesn’t have a D: drive), it will fail.
The migrated website will have the exact same configuration as it did on the source IIS server. Some settings you might want to change after the move/copy are the website IP address and home directory path. You will need to make those changes manually on the destination server.
The metabase keys will need to be edited on a per-server basis since they are unique for each server (unless you created the sites using MSDeploy, then it uses the same key string across servers). As more and more sites get deployed with MSDeploy, the key strings will become universal for all servers since the metabase keys will be the same on all servers.
