by Arthur Knowles
Few Windows NT components stand alone. They generally rely on one or more subcomponents to function properly. The Internet Information Server (IIS) is no different. It too requires additional components in order to function properly. Although it also is possible to just install IIS blindly (meaning without consideration of the consequences), you may wind up with a product that does not perform up to your expectations or that may be a target for a security breach. In either case, the consequences could be quite severe. A competitor could gain access to proprietary data through your Internet connection, and you could lose your job.
Note: Internet security is a topic of such importance that an entire chapter is devoted to it. Before you actually install IIS, I suggest that you read Chapter 6, "Windows NT and IIS Security Issues."
Although Internet security is outside the main focus of this chapter, performance considerations certainly are not. And where you plan to install IIS and the associated data you plan to publish certainly will impact the performance of IIS. So this is where the discussion starts. After you determine where to install IIS, you will learn about the preinstallation requirements. Depending on where you plan to install IIS and how you plan to use it, this can be a pretty hefty list. This should not cause you undue stress, however, because I will walk you through the actual mechanics of installing the various components, as well as describe why you might want to use each of these components so that you can make an informed decision about their use. After this is out of the way, you can install IIS and publish data on the Internet for all your customers to see, hear, and interact with. Chapter 4, "Installing and Using Microsoft Internet Information Server," gives you complete details of the installation and publishing processes.
The first thing you should consider when planning your installation is where to install IIS and its related components. Do you have a very limited budget? Or do you have sufficient funds to carefully plan your installation to obtain maximum performance? Will you place all your data on a single server? Will you use an external database for dynamic publishing? Will you connect to your server to update the data using your local area network? Or will you use a dial-up connection? You need to consider all these items because it will make a difference as to how and where you will install IIS.
If you are on a limited budget, you might not have a choice. You might have to install everything on a single server. Most publishers with a limited budget also have a low-speed Internet connection. A low-speed connection includes single ISDN BRI or modem connections. If this is the case, you also should consider publishing only static data. If your server is fast enough (a 75 MHz Pentium or higher), you might want to consider using an Access database if you plan to provide dynamic publishing capabilities.
With this configuration, you can use the Windows NT Server Remote Access Service (RAS) to provide your dial-up Internet connection. You also can use RAS for dial-in clients to create a publishing site without ever connecting to the Internet. You do not really have to connect to the Internet to publish data. You need an Internet connection only if you want to reach millions of Internet users or to allow your network users to reach the Internet. If you are providing local support, however, a non-Internet publishing service might be just what you need. You might be providing local technical support to your customers, for example. These users can dial up your server for information, software upgrades, and so on and use familiar Internet tools (like the Internet Explorer) to access these services. In most cases, this is less expensive and easier to maintain than a dedicated bulletin board system (BBS). As your client list grows, you can migrate to the Internet. This certainly is easier than converting a proprietary BBS and all your data.
If you do go this route, you should consider using Windows NT Server operating in Server mode instead of a domain controller. This provides more efficient use of local resources without the overhead required by a domain controller. The only time I recommend a domain controller instead of a server is if you also might need to migrate a user account list (for your dial-in clients, for example), because any time you upgrade a server to a domain controller, you lose your account database. It's much better to take the performance hit now than it is to have to reenter each user account, password, and home directory and then have to reconfigure any file or directory permissions later.
Okay, I'll admit it: An unlimited budget is unrealistic. It is quite possible, however, that your budget is sufficient to build a very high-performance publishing site. This can include using frame relay, T1, T2, T3, SMDS, or ATM as your pipeline to the Internet. Your Internet connection is really the main consideration when creating a high-performance publishing site because, if your servers cannot pump your data fast enough over your Internet connection, it doesn't really matter how fast your servers are. If this is the case, the budget for your hardware should be proportionally higher as well. In most cases, your yearly Internet connection fees will far outweigh your hardware purchases.
You therefore should plan on having multiple Windows NT Server installations. You can use one or more domain controllers with one or more installations operating in Server mode (which are referred to as servers in the rest of this chapter). These servers should be used as your IIS and SQL Server platforms because these provide the best all-around performance. All your installations should be connected to each other via a 100 Mbps network segment for optimum network throughput and the fastest possible publishing site.
If you are using one server or many servers, you should carefully consider when you will place the data you plan to publish. You really have two choices: You can place the data all on one drive, or you can distribute it among multiple drives. If you have a choice, use multiple drives. For best performance, consider using a stripe set or stripe set with parity. Both these increase your drive's capability to access your data, which decreases your client's access times. If you have sufficient funds, consider a hardware RAID alternative, which increases your throughput even more.
You also should consider dividing your data based on the service and potential number of clients. If you will be providing a WWW and FTP site that hundreds or thousands of users will access and a Gopher site that less than 100 clients will access, devote your resources appropriately. Put your WWW and FTP data on your fastest drive, and place your Gopher data on your slowest drive. Your drives also should be NTFS rather than FAT partitions, because NTFS provides less wasted space due to large cluster size, faster access times, and increased security.
Because IIS is based on providing Internet-related services that rely on the TCP/IP protocol as the network transport, your first requirement is that you install the TCP/IP protocol, which also installs the utilities (arp, finger, hostname, ipconfig, nbtstat, netstat, ping, rcp, rexec, route, rsh, telnet, tftp, and tracert). You should not install the FTP service, however, because it conflicts with the IIS FTP Publishing Service.
If you will be using IIS as the basis for providing full-time Internet connectivity to your network clients, you might want to install a few additional services. Specifically, you want to include the following services:
Note: Even with RIP installed, you must have Internet routable IP addresses in order to use Windows NT Server as a gateway to the Internet. You cannot just assign a random block of IP addresses for use by your LAN clients and expect them to work. These addresses probably are already in use on the Internet, which means that you will have an IP address conflict and the connection attempt will fail. In order to obtain routable IP addresses, you must request these addresses from your Internet service provider or the InterNIC.
Note: In order to install these services, you must be a member of the Administrators group on the computer on which you want to install the service.
If you did not install all the TCP/IP utilities during your initial Windows NT Server installation, you can add them by using the Control Panel Network applet. Just follow these steps:
Figure 3.1. Installing a network protocol.
Figure 3.2. Installing the TCP/IP protocol.
Note: Your computer cannot be both a DHCP server and a DHCP client. It must be one or the other. If the computer also will be a DHCP server, you must manually configure the TCP/IP protocol as described in step 6.
Caution: If you will be installing a DNS server on the same computer that provides the WINS service, you should not enable the Enable DNS for Windows Resolution checkbox.
The DHCP server service also is installed through the Control Panel Network applet. You can use this service to automate the IP address allocations to your local and remote network clients. I generally recommend that the DHCP server be installed for even very small networks because this makes administration easier and provides a means for expansion without a lot of grunt work. Before you install the service on your current server, however, check for the existence of other DHCP servers on the network. These could be other Windows NT Servers, a UNIX server, or possibly even a server provided by your Internet service provider. You want to avoid at all costs any conflicts with existing scope. Creating and managing scopes is covered in Chapter 5, "Using DHCP, WINS, and DNS."
To install the DHCP server service, just follow these steps:
Note: If you want to use SNMP to configure the DHCP server service remotely, be sure to install the SNMP service, as described later in this chapter in "Installing the SNMP Service."
Tip: It is a good idea to install the additional services (such as WINS, DNS, RIP, SNMP, and RAS) at this point, because it will save you some additional time. This is not required, however, because you can install the services one at a time, as described in the following sections.
Installing the WINS service is quite similar to installing the DHCP server service. Although you can use the DHCP server service and WINS service separately, they function much better when used together. Managing your WINS service is covered in Chapter 5.
To install the WINS Service, just follow these steps:
Tip: If you want to use SNMP to configure the WINS service remotely, be sure to install the SNMP service, as described later in this chapter in " Installing the SNMP Service."
Note: Unlike the rest of the services you install, which are displayed on the Services tab, the WINS service is listed on the Protocols tab when installed.
If you are not very familiar with TCP/IP routing, it is a good idea to install the Routing Internet Protocol (RIP) even if you are not sure you will need it. This is because you can use RIP to build dynamic routing tables. This is preferred over building static routes with the route application because it lessens the administrative burden.
To install RIP, follow these steps:
Note: Although you might expect the RIP for Internet Protocol to be displayed on the Protocols page like the WINS service was, it instead is displayed on the Services page. Don't let the name confuse you; RIP really is a service.
The DNS service is based on the UNIX BIND service. It provides a means to map computer names to IP addresses, or IP addresses to computer names, much as the WINS service provides the same capability. The primary difference between WINS and DNS is that DNS uses a static mapping mechanism based on host files. Even if you plan on using WINS, you should install the DNS service because it can provide additional functionality when connecting to the Internet. Managing your DNS service is covered in Chapter 5.
To install the DNS service, follow these steps:
Installing the SNMP service is quite similar to installing the other services described in the preceding sections. You may not need to install this service, however, if you do not have an SNMP monitoring and configuration tool. This service only provides a means to monitor or configure your Windows NT services remotely from an SNMP console, such as HP OvenView or a similar product. Although the resource kit provides a simple command-line SNMP console, you probably will find it easier, as I do, to use the Administration tools provided with Windows NT Server for remote administration.
Just in case you really need the SNMP service, you can install it by following these steps:
Installing the Simple TCP/IP services is very straightforward. Just follow these steps:
Installing the Microsoft TCP/IP printing services is also very straightforward and requires little user intervention. Just follow these steps:
The Remote Access Service (RAS) is a powerful tool that you can use to support your dial-in clients and provide complete network access to your network. You also can use RAS to create a wide area network, or you can use it as an Internet gateway. Before you can use the software, however, you must install it. After installing the software, you have to grant access to your remote clients with the Remote Access Administrator. Otherwise, these clients will be able to connect, but they will be denied access to the network and forcibly disconnected. The Remote Access Administrator also is useful for managing your remote access clients, as you will see later in this section.
One of the most interesting and powerful aspects of the Windows NT Server RAS is that it can use any of the installed network transports (NetBEUI, IPX/SPX, or TCP/IP) for your connection. And it can support up to 256 simultaneous client connections on a single server, provided your server has the horsepower and memory for it. This can provide the means to create a serious communications server to support your entire sales force. It even works quite well with client/server applications because these applications do not send great amounts of data over the wire. If you are trying to provide application sharing over the wire, although it is possible, I do not recommend it. RAS should be used to provide limited connectivity. By this, I mean that you should share only data files, not applications. Instead of sharing Microsoft Word for Windows, for example, you should install the application directly on the remote user's computer where it will execute quickly. The data files he accesses may be on the server, however. This still provides adequate user performance.
Note: The Windows NT Workstation and Windows 95 RAS can support the NetBEUI, IPX/SPX, and TCP/IP protocols. MS-DOS and Windows 3.x RAS client software is limited to the NetBEUI protocol. If you want to use the IPX/SPX or TCP/IP transports, you will need additional third-party software, such as an Internet SLIP or PPP application, to give your client a TCP/IP connection to your Windows NT Server.
Installing RAS is a multipart process if you want to get the most out of it. This is because Microsoft has configured the default settings to provide more reliable data communications on slower UARTs. To obtain a minimum connection of 38400 bps, you must have a 16450 or better UART. And, in reality, a 16450 sometimes will drop data, so a 19200 connection is a better selection. You need a 16550 UART that contains a 16 byte First In First Out (FIFO) buffer to obtain a speed of 57600. You need a proprietary UART from DigiBoard, Hayes, Equinox, or another manufacturer to obtain a 115200 connection rate.
Obtaining these higher data rates requires modifications to the serial.ini file (a temporary modification) or to the modem.inf (a permanent modification). These files are installed or created during your remote access installation. I will point out the modifications that are needed at the appropriate time during the installation discussion. Before you install RAS, you should install your multiport adapter, X.25 adapter, or ISDN adapter. After the hardware is added to the system, you need to install the adapter device driver.
To install the adapter device driver, follow these steps:
After the server restarts, you can install RAS software. You do this from the Control Panel Network applet. Just follow these steps:
Note: At this point, you should interrupt your RAS software installation to modify the modem.inf file to permanently change the configuration for your installed modems. Execute Notepad and open the SystemRoot\System32\ras\modem.inf file. Then search for your modem. If you have a Supra v32 bis modem, for example, perform a search for Supra. When you find the entry [Supra Fax Modem V32bis], you have found the right entry. Then you should change the MAXCONNECTBPS parameter from its default of 38400 to 57600. If you have a 28800 modem, change this parameter from 57600 to 115200. Then save the file and continue your RAS configuration.
Tip: You can click the Settings button to configure additional modem characteristics. You can enable or disable the modem speaker, hardware flow control, and error control. All these options are enabled by default. You also can choose to enable the hardware compression features (disabled by default) of the modem. You should use the software compression in most cases because it can outperform the hardware compression (particularly if you do not set the DTE rate to four times your carrier rate—57600 for a 14400 modem). If you have a slower CPU, however, enabling hardware compression sometimes can outperform software compression. You need to use the trial-and-error method to determine which compression option is better for you and your clients. For what it's worth, when I connect with my laptop, I find that hardware compression performs better than software compression.
Tip: You also can set encryption settings for your dial-in clients in the Network Configuration dialog box. The default is to require Microsoft encrypted authentication. This setting may prevent PPP and SLIP connections from being authenticated if you are not using the Microsoft remote access client. To prevent this from happening, enable the Allow any authentication including clear text option. This option still attempts to encrypt the password, but if all else fails, it supports a clear text password attempt. If you are really concerned about the security of your data when it is sent over the remote access connection, you can enable the Require data encryption setting. This encrypts all data transmitted over the connection.
Tip: If you will be using more than one PPP connection to the Internet, check the Enable Multilink option to merge your separate datastreams into a single datastream and increase throughput.
After you restart your computer, you can use the Remote Access application located in the Remote Access Service group on the Taskbar and connect to other RAS servers. If you did not perform the earlier modifications to the modem.inf file during the installation, you should modify the serial.ini file. This file is located in the SystemRoot\System32\ras directory. For each com port installed, change the MAXCONNECTBPS and IntialBps parameters to reflect your highest DTE rate (57600 for a 14400 modem).
After you make this change, you can run the remote access client. The first time you do, you are prompted to create a phone book entry. In the Edit Phone Book Entry dialog box, enter a name for your connection in the Entry Name field, a phone number to dial in the Phone Number field, and a comment for the entry in the Description field.
The Remote Access Admin application is located in the Remote Access Service group on the Taskbar. You use this application to grant access to your dial-in users, to check the status of the communications port, to send messages to your remotely connected users, and to stop or start RAS on your computer or a remote computer.
Before your dial-in clients can access your network through RAS, you must grant these users permissions to connect through a dial-in connection. Just choose Users | Permissions to access the Remote Access Permissions dialog box.
For each user for which you want to provide dial-in access, follow these steps:
Tip: To quickly grant permission to all users to dial into your network, click the Grant All button. To delete all user permissions, click the Remove All button.
To determine who is using your remote access connections, just double-click the server entry or choose Server|Communications Ports to display the Communications Ports dialog box. If you have any connected users, the User field lists the connected user, and the Started field lists the time at which the user connected to your server.
If you have an active connection, the following buttons are enabled:
If you want to determine the compression ratios or errors that have occurred on the selected port, click the Port Status button.
In order to use RAS to connect to the Internet, you need a Point to Point Protocol (PPP) or Serial Line Internet Protocol (SLIP) account from an Internet service provider. After you obtain an account, all you need to do is create a phone book entry with the remote access client.
Follow these steps:
After you complete these steps, just double-click your new entry to dial out and connect to your Internet provider.
If you will be using your RAS connection as a gateway to the Internet so that your LAN clients can access the Internet through this same server, you have a bit of additional work to do. Specifically, you need to add the following values to the following keys in the registry:
|
Key: |
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\RasArp\Parameters |
|
Value: |
DisableOtherSrcPackets |
|
Key: |
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\RasMan\PPP\IPCP |
|
Value: |
PriorityBasedOnSubNetwork |
Both of these values are regular double words (REG_DWORD). DisableOtherSrcPackets should be set to 0, and PriorityBasedOnSubNetwork should be set to 1. The first entry specifies that network packets should use the IP address of the LAN client sent over the RAS link instead of the computer providing the RAS connection. This will ensure that the data is routed to the proper client. The second entry specifies that the network packets should be sent to the appropriate destination, and adapter, based on the individual subnet. This is usually required, for example, when your LAN has a subnet like 206.170.127.x and your RAS connection (or your ISP's subnet) is 206.170.126.x. If the PriorityBasedOnSubNetwork is not set to 1 (the default is assumed to be 0), all network traffic would be routed thorough your network adapter. When you set this value, however, your LAN traffic will be passed over your network adapter, and your Internet traffic will be passed over your RAS connection.
In this chapter, you learned a bit about where you should install IIS, as well as the preinstallation requirements for a successful IIS installation. You also walked through the installation of the various components. Finally, you learned how to install and configure RAS.
In the next chapter, you will learn how to configure the IIS and begin publishing your content on the Internet.
