
Microsoft Virtual Labs

Allowing External Users to Manage IIS7 Web Applications


Table of Contents
Allowing External Users to Manage IIS7 Web Applications
Exercise 1 ALLOWING EXTERNAL USERS TO MANAGE IIS7 WEB APPLICATIONS



Objectives
After completing this lab, you will learn how to:
  Configure the management service
  Work with feature delegation
  Connect to IIS Manager from outside the firewall using TS RemoteApp

Scenario
Web servers are one of the services that most often are in need of remote administration by an external consultant. Many companies outsource web development activities and as a result, need to grant external users access to both manage content and configuration on their web servers. IIS 7 includes a new management service which addresses this need and TS RemoteApp provides a secure way to make management tools available outside the firewall. This demo shows how you can configure the management service, work with feature delegation, and connect to IIS Manager from outside the firewall using TS RemoteApp.

Estimated Time to Complete This Lab
20 Minutes

Computers used in this Lab
SFO-DC-01
Remote-CLI-01

The password for the Administrator account on all computers in this lab is: Passw0rd!


Exercise 1 ALLOWING EXTERNAL USERS TO MANAGE IIS7 WEB APPLICATIONS


Scenario
One of the challenges that many companies face when developing and managing web sites is the administration of web servers. In many cases, companies outsource development of web applications and sites. This outsourcing requires that external users have access to internal web servers. This access is often complex, involving VPN or terminal server access, and requiring that these individuals be given administrative rights on the web servers. IIS7 introduces a new management framework that makes it easy not only to give these users access to IIS, but also to restrict them to only specific sites and features.

Tasks
Complete the following tasks on: SFO-DC-01
1. Explore Feature Delegation

Detailed Steps
Note: We'll begin this demo by exploring feature delegation. Feature delegation allows me to define which settings in IIS are allowed to be administered, and which are not. Any feature can be delegated in several ways, everything from full read/write to not visible. Here we have made three changes from the default. We have set the default document and directory browsing settings to read only. We have also set the Machine Key to not delegated. We'll see the effect of this later in the demo, but what we have just done is limit the ability of certain items to be configured at the site level.

a. On the SFO-DC-01 machine, open IIS Manager by clicking Start, and then clicking Internet Information Services (IIS) Manager
b. Click the Server Node: SFO-DC-01 (Woodgrovebank\administrator)
c. Double click Feature Delegation
d. Examine the value of Default Document, Directory Browsing and Machine Key

2. Configure the Management Service

Note: The management service is what enables users on remote computers to connect to IIS and manage it. When users connect, they have to provide credentials and a site name. As you can see, there are two types of credentials supported. IIS Manager credentials are new to IIS 7 and are very similar to the idea of a local account. This account is only valid in IIS 7. Perhaps one of the best examples of a use for this account is if you want to grant an external consultant access to configure your web server, but you do not want to create a domain account. This lets you create an account that is valid only for the task you want them to perform. Next we'll look at creating a new account named Consultant, and assigning it permissions.

a. In IIS Manager, click the Server Node: SFO-DC-01 (Woodgrovebank\administrator)
b. Double click Management Service
c. Click Enable remote connections
d. Click Windows and IIS Credentials
e. Click Apply, then Start
f. Point out listening port number and certificate

Note: To manage new users, we only need to open the IIS Manager Users node, and from there we can create, delete, and manage accounts.

g. In IIS Manager, click the Server Node: SFO-DC-01 (Woodgrovebank\administrator)
h. Double click IIS Manager Users
i. Examine the New User option
j. Click Consultant
k. Examine the available actions

3. Grant permission to Don Hall and the Consultant

Note: Once the accounts are created, we need to assign permissions. When you assign permissions, you are giving the account administrative permissions to all writeable delegated features in a website. We are going to grant that permission to two of our users: the external consultant, through the IIS Manager User account, and the website's internal owner, Don Hall.

a. In IIS Manager, expand Sites, click Default Web Site.
b. Double click IIS Manager Permissions
c. Click Allow User in the Action pane.
d. Click Select in the Allow User dialog, ensuring the Windows option is selected. In the Enter object name to select window, enter Woodgrovebank\DonHall, click Check Name, and click OK.
e. Click Allow User in the Action pane.
f. Ensure the IIS Manager option is selected, click on Select. Select Consultant, and click OK. Click OK to add Consultant

4. Connect to the site as Consultant

Note: We have now got a framework in place that allows my external consultant to connect to my web server from a remote computer and manage it, all without having to grant that consultant a domain account. If that consultant has IIS Manager, and is able to connect to this web server using the management port, all they have to do is add the web site and they can configure it. The management port can be published via ISA Server, so that even with IIS Manager outside the firewall, you can connect and manage this web site.

a. In IIS Manager, on the File menu, click Connect to a site.
b. Server Name: localhost
c. Site name: Default web site
d. Click Next
e. User name: Consultant
f. Password: Passw0rd!
g. Click Next.
h. Click Finish.

5. Administer Default Web Site as Consultant

Note: Once you are connected as Consultant, you will notice two things. First, both the Default Document and Directory Browsing settings are read-only. Second, there is no Machine Key setting. This is the effect of delegation. If we want to make a change to a setting we have read/write access to, such as the Database Connection strings, we can make that change.

a. In IIS Manager click Default web site (Consultant).
b. Double click Default Document
c. Examine that it is Read Only
d. Click Default web site (Consultant).
e. Double click Directory Browsing
f. Examine that it is Read Only
g. Click Default web site (Consultant).
h. Examine that there is no Machine Key node.
i. Double click Connection Strings
j. Click Add
k. Click Cancel
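
The settings made in tasks 2 and 3 can be reviewed from PowerShell on the web server, which is useful when checking which accounts can reach the management port. This is an added example, not part of the original lab; it assumes the default Management Service registry location and the Microsoft.Web.Management assembly that IIS 7 installs, and the page size of 1000 is an arbitrary choice.

```powershell
# Added example (not part of the lab): audit the IIS 7 Management Service settings.
# Run from an elevated PowerShell prompt on the web server (SFO-DC-01 in this lab).
$Site = 'Default Web Site'
$cfg  = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\WebManagement\Server'
$svc  = Get-Service -Name WMSVC

$remote = if ($cfg.EnableRemoteManagement -eq 1) { 'enabled' } else { 'disabled' }
$creds  = if ($cfg.RequiresWindowsCredentials -eq 1) { 'Windows only' } else { 'Windows or IIS Manager' }
"Service WMSVC      : $($svc.Status)"
"Remote connections : $remote"
"Listening port     : $($cfg.Port)"
"Credential types   : $creds"

# The bound certificate is stored as a binary hash; convert it to a thumbprint and look it up.
if ($cfg.SslCertificateHash) {
    $thumb = [BitConverter]::ToString($cfg.SslCertificateHash) -replace '-', ''
    $cert  = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $thumb }
}
if ($cert) {
    "Certificate        : $($cert.Subject), expires $($cert.NotAfter)"
    if ($cert.Subject -eq $cert.Issuer) {
        'REVIEW: certificate is self-signed; remote users must trust it manually'
    }
    if ($cert.NotAfter -lt (Get-Date)) { 'REVIEW: certificate has expired' }
} else {
    'REVIEW: no certificate matching the configured hash in LocalMachine\My'
}

# IIS Manager users exist only inside IIS, so they are listed here rather than in the domain.
[void][System.Reflection.Assembly]::LoadWithPartialName('Microsoft.Web.Management')
$auth  = [Microsoft.Web.Management.Server.ManagementAuthentication]
$authz = [Microsoft.Web.Management.Server.ManagementAuthorization]

'IIS Manager users:'
foreach ($u in $auth::GetUsers(0, 1000)) {
    "  $($u.Name) (enabled: $($u.Enabled))"
}

# Every account listed here can change all read/write delegated features of the site.
"Accounts allowed to manage '$Site':"
foreach ($r in $authz::GetAuthorizedUsers($Site, $false, 0, 1000)) {
    $kind = if ($r.IsRole) { 'group' } else { 'user' }
    "  $($r.Name) ($kind)"
}
```

After the lab steps, the output should show remote connections enabled, both credential types accepted, and Consultant and Woodgrovebank\DonHall allowed on Default Web Site.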

Complete the following task on: Remote-CLI-01


6. Connect to IIS Manager over TS Gateway

Note: What happens if we are outside the firewall, and we are running an operating system that does not have the IIS7 Manager on it, or our version of IIS7 Manager does not support remote connections, as is the case on Windows Vista? In that situation, another technology included in Windows Server 2008 can help. By using TS RemoteApp and TS Gateway we can make IIS Manager available outside the firewall over HTTPS to any operating system that has an RDP 6 client installed. Furthermore, we can publish that application using TS Web Access, which means there is no configuration on the client. In this case the external user will need a user account in Windows to log on to the TS Gateway, but once that is completed, they have full access to the IIS Manager application, and can begin connecting to internal sites. We are going to log on to my client, and from there connect to the TS Gateway that we have already configured.

a. Switch to Remote-CLI-01 machine
b. Double click Internet Information Services Manager in the Start menu
c. Click Connect to localhost.
d. Examine the theme of IIS Manager.
e. On the File menu, point out the Connect to a site option.

7. Summary

Note: In this demo you've seen the new capabilities in IIS 7 which let you enable remote users to administer web sites. These features represent an opportunity to reduce overall complexity, by eliminating the need in most cases for external users to have local access to web sites, and administrator access to web sites. You can limit them to only the web site features you want them to manage, without having to give them full domain accounts. For users that don't have IIS 7 Manager, which is only available on Windows Server 2008, you can provide them with remote access to it using TS Gateway and TS RemoteApp.
