Velocity Reviews - Computer Hardware Reviews


IIS Warm Up Period

 
 
Arsen V.
Guest
Posts: n/a
 
      05-05-2004
Hi,

We have a website with a very high volume of traffic. The pages are ASP.NET.
There are some configuration settings that get loaded by the Global.asax file
on Application Start event. The load time for those settings is about 3
seconds.

When the site is running on IIS5 everything is okay.

When the site is running on IIS6 there are problems. It looks like when IIS
starts and all the requests start coming in it is trying to compile the
ASP.NET CLR and to load the settings in Global.asax. However, since there are
over 100 requests/second, soon it starts to give Service Unavailable and log
errors QueueFull in the HTTPERR file.

If I manually stop the IIS, set the directory security of the website to
accept only the local requests, execute one request, wait 5 seconds, and
then change the security to accept all requests, it works great.

Is there a way to give IIS a warm up time? I think it fails because there
are so many requests that come right away before the CLR is compiled and the
load settings in the Global.asax has time to execute.

Thanks,
Arsen



 
 
 
 
 
David Wang [Msft]
Guest
Posts: n/a
 
      05-06-2004
No, IIS does not have a "warm up period" feature. It is pretty easy to
script WAST or ACT to custom tailor such a warm-up optimized for your
website, though.

Websites that have high traffic volume usually devise their own mix of
requests to "warm up" a server and get various applications pre-compiled,
etc -- this is especially necessary for .Net applications, which incur a CLR
load-up cost as well as ASP.Net pre-compilation cost. After the server is
warmed up, then it is dropped into the live rotation.

There shouldn't be much difference between IIS5 and IIS6 in startup unless
you're using the health-monitoring features of IIS6 to recycle the worker
process.

--
//David
IIS
This posting is provided "AS IS" with no warranties, and confers no rights.
//

 
Arsen V.
Guest
Posts: n/a
 
      05-06-2004
Hi David,

How can I prevent the IIS6 server from being "dropped into the live
rotation" until the warm up scripts run?

What happens now, is that when the computer comes up, IIS starts and
immediately attempts to process the requests which queue up and cause
problems.

Is there a way to tell the IIS to start accepting the requests only after
certain warm up? I need this to be automatic so if IIS is restarted in the
middle of the night it can come back up without problems.

Thanks,
Arsen

John Alderson
Guest
Posts: n/a
 
      05-07-2004
Arsen,

Do you have multiple web servers in a farm? It wasn't clear from your
posts. Are you using a hardware load balancer in front like a BigIP or
similar? If so, you could script up a custom restarter like:

1. IPSECCMD blocks on tcp/80 and tcp/443 - This should take it out of the
LB pool in a short time depending on how you have your LB setup to check
website health.
2. IISRESET
3. Locally, request your webpages to invoke custom code. Easily scriptable
with VBScript/WinHTTP or a variety of command line tools or even WAS as
David Wang suggests.
4. Drop IPSec blocks.

Have you looked at the web garden concept? Maybe it makes sense for you to
use > 1 process for this site if you have some semi-stable custom code that
needs restarting periodically. Regular restarts of IIS or the OS are
something that you don't need if you are running stable code. If you do
seem to need these restarts, this means you have a problem with your custom
code that you need to investigate. With stable web components, IIS will run
for very long periods.

John Alderson

Arsen V.
Guest
Posts: n/a
 
      05-07-2004
Hi John,

Thanks for your suggestion. This is pretty much what I was looking for. I
did not think of the idea to use IPSECCMD to block the requests! This is
great.

Yes, I do have a Load Balancer in front of the web farm. The code is
stable. However, sometimes due to load there is too much queueing (this only
occurs on IIS 6) and the IIS server shuts down the process.

Thanks,
Arsen

Arsen V.
Guest
Posts: n/a
 
      05-07-2004
Hi John,

Windows 2003 Server does not come with "IPSECCMD". What can I use instead?

Could you point me to a simple example of how to block TCP/80 and then
unblock it using the command line?

Thanks,
Arsen

John Alderson
Guest
Posts: n/a
 
      05-08-2004
Hi Arsen,

IPSECCMD is a part of the Support Tools that can be found on your
installation CD ROM. The syntax is very similar to Windows 2000's
IPSECPOL - part of the Resource Kit. I do have a set of commands to do a
block on 80, 443 but I'll have to dig them up at work. I'll post them for
you.

John

John Alderson
Guest
Posts: n/a
 
      05-09-2004
Arsen,

Here's a set of commands to create an IPSec Filter policy to block tcp/80 and
tcp/443. Instead of using IPSECCMD, I used NETSH.

*********************************************
rem Create the policy unassigned, then the filter lists and the two filter actions.
netsh ipsec static add policy name="Packet Filters - IIS" description="Web Server Hardening policy" assign=no
netsh ipsec static add filterlist name="HTTP Server" description="Server Hardening"
netsh ipsec static add filterlist name="HTTPS Server" description="Server Hardening"
netsh ipsec static add filterlist name="ALL Inbound Traffic" description="Server Hardening"
netsh ipsec static add filteraction name=SecPermit description="Allows Traffic to Pass" action=permit
netsh ipsec static add filteraction name=Block description="Blocks Traffic" action=block
rem Filters: inbound tcp/80, inbound tcp/443, and all other inbound traffic.
netsh ipsec static add filter filterlist="HTTP Server" srcaddr=any dstaddr=me description="HTTP Traffic" protocol=TCP srcport=0 dstport=80
netsh ipsec static add filter filterlist="HTTPS Server" srcaddr=any dstaddr=me description="HTTPS Traffic" protocol=TCP srcport=0 dstport=443
netsh ipsec static add filter filterlist="ALL Inbound Traffic" srcaddr=any dstaddr=me description="ALL Inbound Traffic" protocol=any srcport=0 dstport=0
rem Rules: block HTTP and HTTPS, permit everything else.
netsh ipsec static add rule name="HTTP Server Rule" policy="Packet Filters - IIS" filterlist="HTTP Server" kerberos=yes filteraction=Block
netsh ipsec static add rule name="HTTPS Server Rule" policy="Packet Filters - IIS" filterlist="HTTPS Server" kerberos=yes filteraction=Block
netsh ipsec static add rule name="ALL Inbound Traffic Rule" policy="Packet Filters - IIS" filterlist="ALL Inbound Traffic" kerberos=yes filteraction=SecPermit
rem Assign the policy, which puts the blocks into effect.
netsh ipsec static set policy name="Packet Filters - IIS" assign=y
*********************************************

Once it's created, you can enable and disable it by using NETSH to assign or
unassign the policy. The last command above assigns it so it enables it.

John Alderson

Reply With Quote
 
Arsen V.
Guest
Posts: n/a
 
      05-10-2004
Thank you very much!

"John Alderson" <jalderson^at^adelphia^dot^net> wrote in message
news:%(E-Mail Removed)...
> Arsen,
>
> Here's a set of commands to create an IPSec Filter policy to block tcp/80 and
> tcp/443. Instead of using IPSECCMD, I used NETSH.
>
> *********************************************
> netsh ipsec static add policy name="Packet Filters - IIS" description="Web Server Hardening policy" assign=no
> netsh ipsec static add filterlist name="HTTP Server" description="Server Hardening"
> netsh ipsec static add filterlist name="HTTPS Server" description="Server Hardening"
> netsh ipsec static add filterlist name="ALL Inbound Traffic" description="Server Hardening"
> netsh ipsec static add filteraction name=SecPermit description="Allows Traffic to Pass" action=permit
> netsh ipsec static add filteraction name=Block description="Blocks Traffic" action=block
> netsh ipsec static add filter filterlist="HTTP Server" srcaddr=any dstaddr=me description="HTTP Traffic" protocol=TCP srcport=0 dstport=80
> netsh ipsec static add filter filterlist="HTTPS Server" srcaddr=any dstaddr=me description="HTTPS Traffic" protocol=TCP srcport=0 dstport=443
> netsh ipsec static add filter filterlist="ALL Inbound Traffic" srcaddr=any dstaddr=me description="ALL Inbound Traffic" protocol=any srcport=0 dstport=0
> netsh ipsec static add rule name="HTTP Server Rule" policy="Packet Filters - IIS" filterlist="HTTP Server" kerberos=yes filteraction=Block
> netsh ipsec static add rule name="HTTPS Server Rule" policy="Packet Filters - IIS" filterlist="HTTPS Server" kerberos=yes filteraction=Block
> netsh ipsec static add rule name="ALL Inbound Traffic Rule" policy="Packet Filters - IIS" filterlist="ALL Inbound Traffic" kerberos=yes filteraction=SecPermit
> netsh ipsec static set policy name="Packet Filters - IIS" assign=y
> *********************************************
>
> Once it's created, you can enable and disable it by using NETSH to assign or
> unassign the policy. The last command above assigns it so it enables it.
>
> John Alderson
>
>
>
> "John Alderson" <jalderson^at^adelphia^dot^net> wrote in message
> news:%(E-Mail Removed)...
> > Hi Arsen,
> >
> > IPSECCMD is a part of the Support Tools that can be found on your
> > installation CD ROM. The syntax is very similar to Windows 2000's
> > IPSECPOL - part of the Resource Kit. I do have a set of commands to do a
> > block on 80, 443 but I'll have to dig them up at work. I'll post them for
> > you.
> >
> > John
> >
> >
> > "Arsen V." <(E-Mail Removed)> wrote in message
> > news:(E-Mail Removed)...
> >> Hi John,
> >>
> >> Windows 2003 Server does not come with "IPSECCMD". What can I use instead?
> >>
> >> Could you point me to a simple example of how to block TCP/80 and then
> >> unblock it using the command line?
> >>
> >> Thanks,
> >> Arsen
> >>
> >> "Arsen V." <(E-Mail Removed)> wrote in message
> >> news:(E-Mail Removed)...
> >>> Hi John,
> >>>
> >>> Thanks for your suggestion. This is pretty much what I was looking for. I
> >>> did not think of the idea to use IPSECCMD to block the requests! This is
> >>> great.
> >>>
> >>> Yes, I do have a Load Balancer in front of the web farm. The code is
> >>> stable. However, sometimes due to load there is too much queueing (this only
> >>> occurs on IIS 6) and the IIS server shuts down the process.
> >>>
> >>> Thanks,
> >>> Arsen
> >>>
> >>> "John Alderson" <jalderson^at^adelphia^dot^net> wrote in message
> >>> news:%23uEQk%(E-Mail Removed)...
> >>> > Arsen,
> >>> >
> >>> > Do you have multiple web servers in a farm? It wasn't clear from your
> >>> > posts. Are you using a hardware load balancer in front like a BigIP or
> >>> > similar? If so, you could script up a custom restarter like:
> >>> >
> >>> > 1. IPSECCMD blocks on tcp/80 and tcp/443 - This should take it out of the
> >>> > LB pool in a short time depending on how you have your LB setup to check
> >>> > website health.
> >>> > 2. IISRESET
> >>> > 3. Locally, request your webpages to invoke custom code. Easily scriptable
> >>> > with VBScript/WinHTTP or a variety of command line tools or even WAS as
> >>> > David Wang suggests.
> >>> > 4. Drop IPSec blocks.
> >>> >
> >>> > Have you looked at the web garden concept? Maybe it makes sense for you to
> >>> > use > 1 process for this site if you have some semi-stable custom code that
> >>> > needs restarting periodically. Regular restarts of IIS or the OS are
> >>> > something that you don't need if you are running stable code. If you do
> >>> > seem to need these restarts, this means you have a problem with your custom
> >>> > code that you need to investigate. With stable web components, IIS will run
> >>> > for very long periods.
> >>> >
> >>> > John Alderson
> >>> >
Reply With Quote
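
The four-step restart John Alderson outlines (block, IISRESET, local warm-up, unblock), written out as one VBScript/WinHTTP script. This is an added example, not code posted in the thread; it assumes the "Packet Filters - IIS" policy from his netsh commands already exists and that local requests still reach IIS while it is assigned, as his step 3 describes. The warm-up URL, retry count and timeouts are hypothetical values.

```vbscript
' Added example, not code from the thread: block, IISRESET, warm up, unblock.
Option Explicit
Const POLICY = "Packet Filters - IIS"   ' policy name from the netsh commands in the thread
Const MAX_TRIES = 10                    ' assumed retry budget per URL
Dim urls, sh, u
' Hypothetical warm-up list: pages that trigger Application Start and compilation.
urls = Array("http://localhost/default.aspx")
Set sh = CreateObject("WScript.Shell")

' Run a command line hidden, wait for it to finish, return its exit code.
Function RunCmd(cmd)
    RunCmd = sh.Run(cmd, 0, True)
End Function

' Assign ("yes") or unassign ("no") the blocking policy.
Function SetBlock(assign)
    SetBlock = RunCmd("netsh ipsec static set policy name=""" & POLICY & """ assign=" & assign)
End Function

' Request one URL until it answers 200 or the retry budget is spent.
Function WarmUp(url)
    Dim http, i, ok
    ok = False
    For i = 1 To MAX_TRIES
        On Error Resume Next            ' a refused connection raises an error
        Set http = CreateObject("WinHttp.WinHttpRequest.5.1")
        http.SetTimeouts 5000, 5000, 30000, 60000   ' first hit pays the compile cost
        http.Open "GET", url, False
        http.Send
        If Err.Number = 0 Then ok = (http.Status = 200)
        Err.Clear
        On Error GoTo 0
        If ok Then Exit For
        WScript.Sleep 3000
    Next
    WarmUp = ok
End Function

If SetBlock("yes") <> 0 Then WScript.Echo "Could not assign policy": WScript.Quit 1
If RunCmd("iisreset") <> 0 Then WScript.Echo "iisreset failed, block left assigned": WScript.Quit 2
For Each u In urls
    If Not WarmUp(u) Then
        ' Keep the block so the load balancer leaves this node out of the pool.
        WScript.Echo "Warm-up failed for " & u & ", block left assigned"
        WScript.Quit 3
    End If
Next
If SetBlock("no") <> 0 Then WScript.Echo "Could not unassign policy": WScript.Quit 4
WScript.Echo "Warm-up complete, policy unassigned"
```

Run it with cscript.exe so the messages go to the console, and check the exit code: any non-zero value other than 4 means ports 80 and 443 are still blocked.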
 
 
 