Microsoft's newest weapon in the Web server wars

Among all the promising new features in Windows NT 4.0, Microsoft is placing high hopes on its Internet Information Server (IIS) 2.0, an Internet and intranet Web server that is part of the OS. Last February, Microsoft released IIS 1.0. Since then, it has changed significantly and is poised as Microsoft's newest weapon in the Web server wars.

Microsoft integrated IIS with NT so users can install it with NT 4.0, improved IIS's performance, and added many features missing from IIS 1.0. These new features include a Hypertext Markup Language (HTML) Administrator, improved server logging, a Secure Sockets Layer (SSL) Key Manager, and a much improved Internet Database Connector (IDC). Screen 1 shows the GUI administrator, the Internet Service Manager. Aside from these improvements, IIS 2.0's best feature is its price: It comes with NT 4.0, or you can download it for free from Microsoft.

Integration with NT 4.0
NT 4.0 Server and Workstation include IIS, and the IIS server that ships with NT Server is optimized to enhance Hypertext Transfer Protocol (HTTP) server performance. The NT Workstation version, Peer Web Services (PWS), is for light-traffic Web sites such as personal Web pages or small corporate intranets. For developers, PWS supports all the standard extensions in the NT Server version of IIS, so you no longer need a dedicated NT server to test new server extensions.

Because IIS 2.0 is part of NT, Microsoft included the installation process in NT 4.0 Setup. IIS runs as a service, so you install it by selecting IIS as a network service option and pointing to the install directory. IIS 2.0 takes only two or three minutes to install.

Increased Performance
Reminiscent of the Norton SysInfo speed wars of the early '80s and the video benchmark wars of the early '90s, the new competition is for HTTP server performance. Although Microsoft claims IIS 2.0 offers up to a 40% increase in performance over IIS 1.0, independent performance tests weren't complete at press time. This speed increase is primarily the result of optimizations in NT 4.0's I/O subsystem.

Some HTTP benchmarks show 200 connections per second, which translates to 17.2 million hits per day, or 6.3 billion hits per year. Knowing that your server can sustain such a high hit rate is comforting, even if your site isn't extremely popular.

Note, though, that advertised performance claims for HTTP benchmarks can be misleading. For example, an HTTP vendor can claim to outperform the competition by 200%. Even if this claim is true, understanding the circumstances of this 200% performance gain is critical. Suppose a Web server performs well under low- and high-traffic loads, but not in medium-traffic situations. Competing vendors will tout the medium-load numbers if they indicate that the vendor's product is 200% faster. In fact, at high loads, the 200% faster server can underperform the slower server. A word to the wise: Investigate the claims and test conditions before relying on any benchmark.

HTML Administrator
Most new Web servers include a Web browser-based administration tool, and IIS 2.0 is no different. IIS 2.0's HTML Administrator, as you see in Screen 2, looks like IIS's tabbed configuration dialog.

The HTML Administrator gives you most of the functionality of the server-based configuration dialog, including the ability to add or remove directories, change the server logging options, and grant or deny access to specific IP addresses. However, like any HTML interface, IIS's HTML Administrator has limitations. For example, it doesn't let you manage multiple servers from a central server status screen. Instead, you have to log in to each server individually through an account in the NT Administrator's group. Also, you can't start and stop services through the HTML Administrator. The advantage of this new tool is that you can manage any IIS 2.0 server remotely, even from non-Win32 based computers, such as UNIX and Macintosh machines.

Improved Logging
IIS lets you configure services to log information from multiple IIS servers into one database. This logging lets you identify which users are accessing the Web servers and what information they're accessing. Microsoft improved the logging feature in IIS 2.0 to capture service errors such as 403 Forbidden and 404 Not Found. Service error information is important to Web masters who need to check for broken links and view HTTP logs to identify users attempting to breach site security. In addition to logging service errors, IIS 2.0 lets you create log files in National Center for Supercomputing Applications (NCSA) format.

Despite these IIS improvements, Microsoft left out two important server variables: HTTP_REFERER and USER_AGENT. The HTTP_REFERER variable identifies where links to the site come from. You can use this information for marketing purposes or to keep tabs on who's linking to your site. The USER_AGENT variable identifies what type of Web browser a client is using. You can use these statistics to tailor your site to its most active clientele. For example, by tabulating the USER_AGENT data, you can determine how many users support a specific HTML tag. In turn, this information can influence your site design decisions. To log these variables with IIS, you have to add a third-party Internet Server API (ISAPI) filter.
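
The two uses of the log that this section describes, finding broken links and spotting clients that keep requesting forbidden paths, are shown here as an added example that is not from the original article: a parser for NCSA Common Log Format lines that tallies 403 and 404 responses. The log lines are constructed, and the threshold of three distinct forbidden paths is an assumption. The common format has no referrer or user-agent field, so the example does not use them.

```python
import re
from collections import Counter, defaultdict

# NCSA Common Log Format: host ident authuser [date] "request" status bytes
CLF = re.compile(
    r'^(?P<host>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<size>\d+|-)$'
)

# Constructed sample lines (documentation addresses, not real traffic).
SAMPLE_LOG = """\
192.0.2.10 - - [12/Aug/1996:10:01:02 -0700] "GET /default.htm HTTP/1.0" 200 4120
192.0.2.10 - - [12/Aug/1996:10:01:09 -0700] "GET /products/old.htm HTTP/1.0" 404 -
198.51.100.7 - - [12/Aug/1996:10:02:11 -0700] "GET /admin/ HTTP/1.0" 403 -
198.51.100.7 - - [12/Aug/1996:10:02:12 -0700] "GET /private/ HTTP/1.0" 403 -
198.51.100.7 - - [12/Aug/1996:10:02:13 -0700] "GET /scripts/ HTTP/1.0" 403 -
203.0.113.5 - jsmith [12/Aug/1996:10:03:40 -0700] "GET /products/old.htm HTTP/1.0" 404 -
this line is truncated or corrupt
"""

def summarize(log_text, forbidden_threshold=3):
    """Return (hosts with repeated 403s, 404 counts per path, unparsed line count)."""
    forbidden = defaultdict(set)   # host -> distinct paths that returned 403
    not_found = Counter()          # path -> number of 404 responses
    unparsed = 0
    for line in log_text.splitlines():
        if not line.strip():
            continue
        m = CLF.match(line)
        if m is None:
            unparsed += 1          # count bad lines instead of silently dropping them
            continue
        parts = m.group("request").split()
        path = parts[1] if len(parts) >= 2 else m.group("request")
        if m.group("status") == "403":
            forbidden[m.group("host")].add(path)
        elif m.group("status") == "404":
            not_found[path] += 1
    # Assumed threshold: flag a host once it has hit this many distinct forbidden paths.
    suspects = {h: sorted(p) for h, p in forbidden.items()
                if len(p) >= forbidden_threshold}
    return suspects, not_found, unparsed

if __name__ == "__main__":
    suspects, broken, bad = summarize(SAMPLE_LOG)
    print("repeated 403s:", suspects)
    print("404 paths:", dict(broken))
    print("unparsed lines:", bad)
```
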

SSL Key Manager
IIS 2.0 makes enabling the SSL data security protocol painless. Using SSL, IIS encrypts private data such as credit card numbers with reasonable assurance that the information will transmit securely between the IIS server and Web browsers that support SSL, such as Microsoft's Internet Explorer (IE) and Netscape's Navigator. The IIS SSL Key Manager works like the Internet Service Manager by letting you administer multiple local and remote servers through one interface.

To enable SSL on any Web server, you have to generate a key pair for encrypting and decrypting data. With IIS, you start Key Manager, select the server to enable, and select Create New Key.

To use SSL, you have to obtain a certificate from a certifying authority such as VeriSign (www.verisign.com/microsoft/index.shtml) or Nortel (www.nortel.com/entprods/entrust/main.html). To request a certificate, you complete a certificate request that includes your Web site information, organization name and location, and the password for the certificate. Screen 3 shows the certificate request form. From your form, Key Manager generates a text file that you can cut and paste into an email message to a certification authority. After verifying the accuracy of the requester's information, the certification authority returns the signed certificate. You then cut and paste the certificate back into Key Manager. Your Web server is now ready for secure Web communications. VeriSign charges $290 for a one-year SSL certificate.

IDC Improvements
IIS incorporates the IDC for connecting HTML documents to databases. IIS 1.0 didn't let IDC programmers retrieve server variables for use in the HTML Extension (HTX) files, the templates that IIS needs to create dynamic HTML documents from a database. IIS 2.0 corrects this shortcoming and makes all server variables available to the IDC so users can access variables such as REMOTE_USER, which gives the Web client's username if the user is logged on.

Frequently, a database must run multiple queries before returning query results. However, IIS 1.0 limits users to one SQL statement per IDC file. IIS 2.0 removes this limitation and lets you have multiple SQL statements in an IDC file.

IIS 2.0 also lets IDC programmers set up translation files to translate SQL data into a national-language character set in the generated HTML. This feature is useful for companies that publish SQL data in various languages.

Other Improvements
In IIS 1.0, if an HTTP request didn't end with a forward slash (/), the server converted the universal resource locator (URL) server name into an IP address. For example, the server transformed a request to www.xyzabc.com/default.html into something like 127.255.255.255/default.html in the user's Web browser. Understandably, a company prefers its host address (www.xyzabc.com) over its IP address (127.255.255.255). IIS 2.0 remedies this problem by properly maintaining the host header information for single IP servers (single-hosted servers).

In addition to CERN map files, IIS 2.0 now supports NCSA map files. For Web masters, this support will ease the migration from NCSA HTTP servers to NT IIS 2.0.

Also, the HTTP byte range support in IIS 2.0 lets the server transmit a file starting at a specified offset, so a user agent can restart an interrupted transmission at the point where the HTTP transmission failed.

IIS's Future
Before the end of 1996, Microsoft intends to enhance IIS. IIS 1.0 limited developers to creating Common Gateway Interface (CGI), WinCGI, and ISAPI applications. Because each of these applications requires a high degree of technical skill, Microsoft is adding easier development tools.

Microsoft's ActiveX Server, code named Denali, provides an intermediate-level tool that mixes HTML and scripting code. ActiveX Server gives IIS 2.0 users server-side scripting. Microsoft delivered a beta version of ActiveX Server to developers at the Microsoft World Wide Live event in mid-July. In fact, Microsoft has been using ActiveX Server on its high-traffic Web servers, www.microsoft.com and www.msn.com, for several months.

ActiveX Server includes a Visual Basic Script (VBS) interpreter and some interesting ActiveX objects such as an advertisement rotator and a browser component that customizes HTML output for the user's Web browser. Also, ActiveX has a content-linking component that creates a table of contents for Web pages and links them like pages in a book. Users can extend ActiveX Server through the scripting interface and by developing custom components that are dynamically linked with the Web server. The Denali engine will support VBS, JavaScript, Perl, and REXX. And because Denali is based on the ActiveX technology, developers can build server-side interpreters for other scripting languages.

You can also expect full support for server-side includes (SSIs) as an add-on module. IIS 1.0 and 2.0 support only the include file directive, but Microsoft is developing a module that will expand SSI support to server execution of CGI and ISAPI applications and IDC queries.

Microsoft also has an add-on document indexing and search engine, Microsoft Index Server (code named Tripoli), in beta. The Index Server can index HTML documents, Word documents, and Excel spreadsheets. It supports full text indexing, including internal document information such as author, creation date, and last modification date. You can index and search documents written in English, Dutch, French, German, Italian, Spanish, and Swedish.

IIS 1.0's performance was good, but it had shortcomings that IIS 2.0 corrects. IIS's Web server is fast and includes File Transfer Protocol (FTP) and Gopher servers. Although improving performance is beneficial, server functionality through technologies such as ActiveX Server, Microsoft Index Server, and the IDC interface will attract users. The sooner Microsoft incorporates these technologies, the sooner the company will gain ground in the war of the Web servers. For details about IIS, see Carl Calvello and Thad Schwebke, "Troubleshooting Internet Information Server 2.0," page 107.

Internet Information Server 2.0
Microsoft * 206-882-8080
Web: www.microsoft.com
Price: Integrated in NT 4.0 or download for free at www.microsoft.com/infoserv