Chapter: Configuring FTP and SMTP Services
Lesson 1: Configuring FTP

Once you have downloaded and installed FTP 7, you can launch IIS Manager to configure server settings. Figure 7-12 shows the available FTP-related options for Default Web Site.

Figure 7-12 Viewing FTP options for Default Web Site in IIS Manager

Managing FTP Sites

After you have installed and configured FTP 7, you can use IIS Manager to create and configure FTP sites. In this section, you will learn how to create new FTP sites and how to add FTP functionality to an existing Web site.

Creating a New FTP Site

You can create new FTP sites to support different groups of users or to provide access to different sets of files. To create a new FTP site, right-click either the server object or the Sites folder in the left pane of IIS Manager, and then select Add FTP Site. This will start the Add FTP Site Wizard. The first page prompts you for information about the name of the site. (See Figure 7-13.) This name will be used for administration purposes, so you should choose a descriptive name if you plan to host multiple FTP sites on the same server. The Physical Path setting enables you to specify the root folder for the FTP site. You can choose any existing folder path, but many installations will use a subfolder within the %SystemDrive%\Inetpub folder.

Figure 7-13 Adding a new FTP site by using IIS Manager

On the second page of the process, you can specify the binding and SSL settings for the new FTP site. (See Figure 7-14.)
The binding settings include the following options:

IP Address: The default setting is for the FTP site to respond to all incoming requests on any network adapter or IP address on the server. If the computer is configured with multiple network adapters or multiple IP addresses on the same adapter, you can choose a specific address, using the drop-down list.
Port: This is the TCP port on which the FTP site will respond. By convention, the default port for FTP communications is port 21. If you choose a different port, FTP users will be required to configure their FTP client software to connect by using the server's port number.
Virtual Host: Administrators can create multiple Web sites that respond on the same IP address and port through virtual host names. These names rely on Domain Name System (DNS) entries to determine to which site users will connect. Users can also include the virtual host name as part of their logon name to specify to which site they want to log on.
Start FTP Site Automatically: When this option is enabled, the FTP site will start automatically whenever the computer is rebooted or the FTP service is restarted. If you plan to start the FTP site manually whenever it is required, disable this option.

Figure 7-14 Configuring Binding And SSL Settings for a new FTP site

You can also select an SSL Certificate and whether to allow or require Secure Sockets Layer (SSL) connections for this FTP site. You will learn more about these options later in this section.

On the Authentication And Authorization Information page, you specify how security will be managed for the new FTP site. (See Figure 7-15.)
When you click the Finish button, the new FTP site will be created and added to the left pane of IIS Manager. When you select the FTP Site object, you can use the commands in the Actions pane to start, restart, or stop the FTP site. You will also see a list of all the configuration options for the FTP site in the center pane of IIS Manager. (See Figure 7-16.)

Figure 7-15 Configuring Authentication And Authorization Information settings for a new FTP site

Figure 7-16 Viewing FTP-related options in IIS Manager

Understanding FTP Configuration Files

All configuration settings for FTP sites are stored in the XML-based config files. You can view and edit these settings, using a text editor. Server-level settings for both Web sites and FTP sites are stored within the ApplicationHost.config file. For more information about using these configuration files and for performing configuration backups, see Chapter

Creating Virtual Directories

You can easily organize content through physical folders within an FTP site. For example, you can create a folder hierarchy for different types of applications and data. In some cases, however, you will want to provide access to content that is not located within the FTP root folder. To do this, you can create virtual directories. Virtual directories are pointers to folder locations and can be nested within other virtual directories or physical folders. Assuming that users have the appropriate permissions, they will see the virtual directory as if it were a physical folder. All upload and download operations, however, will be directed to the physical folder. Virtual directories are useful when you want some content to be shared between multiple physical sites or when you do not want to move or copy the data to the FTP root folder.

To create a new virtual directory, right-click the parent object in the left pane of IIS Manager and select Add Virtual Directory. This will launch the Add
Virtual Directory dialog box. (See Figure 7-17.) Site Name and Path information shows you details about the location in which the new virtual directory will be created. Alias is the name of the folder as users of the site will see it. The Physical Path setting specifies the full physical location of the content that you want to make available.

Figure 7-17 Adding a new virtual directory to an FTP site

By default, virtual directories will use Pass-Through Authentication for determining whether users have permissions to access the content. This means that the user account used during logon must have permissions on the content folder. You can change this behavior by clicking Connect As and selecting the Specific User option. You will then be able to provide a username and password for a specific account. When the Specific User account option is enabled, all requests for information stored in the physical path you specify will be performed using that user's security context.

Configuring Advanced FTP Site Properties

In addition to the standard properties available in Features View of IIS Manager, you can also configure Advanced Settings options. To access these settings, click Advanced Settings in the Actions pane. Figure 7-18 shows the available options and their default values.

Figure 7-18 Configuring Advanced Settings for an FTP site

The Behavior section includes options for fine-tuning the settings of the FTP site. The Connections section enables you to control data channel timeouts (in seconds) as well as a maximum number of connections. These settings can be helpful for managing performance on busy Web and FTP servers. The File Handling section provides options for dealing with partial uploads and allowing a session to perform actions while uploading data.

Managing FTP Site Bindings

FTP provides a simplified method for Web site administrators to manage their content by using FTP. In previous versions of FTP, administrators were required
to configure a new site or virtual directories manually for accessing Web site content. You can now add a new FTP site binding to a Web site to provide access automatically to FTP clients. This is useful when you want to allow remote administrators and Web developers to access or modify the contents of specific Web sites. To add a new FTP binding, select a Web site in IIS Manager, and then click Bindings. Click the Add button to create a new site binding. (See Figure 7-19.)

Figure 7-19 Adding a new FTP site binding to an existing Web site

In the Add Site Binding dialog box, you will be able to change the Type setting to FTP. You can then enter IP address, port, and host name information for determining how users will be able to access the FTP site. After you have added an FTP binding, you will see a grouping for FTP-related commands in Features View of IIS Manager. You can use these features to modify the settings of the FTP site binding in the same way as you would for a standalone Web site. You will also see a new Manage FTP Site section in the Actions pane. An FTP site that is part of a Web site can be started, stopped, and restarted independently of the Web site.

IMPORTANT: FTP port numbers and security
Changing the port from the default setting of port 21 can add a little extra security to an FTP server configuration. Casual intruders will often attempt to connect to this port to find unprotected FTP servers. In general, however, the idea of "security through obscurity" is not the best solution. Simply making an FTP server harder to find will not address the most important security issues. Always remember to use other security features such as firewall settings, authentication settings, and authorization rules in conjunction with site bindings.

Managing FTP User Security

Users can upload and download sensitive data through FTP servers, and you can choose from several methods to control which individuals have access to specific content. In this
section, you will learn about authentication, authorization, and user isolation settings.

Configuring Authentication Options

You can use Authentication settings for an FTP site to determine how users can access the content stored on the site. There are several built-in methods for managing authentication. To configure these settings in IIS Manager, select the FTP site object, and then double-click FTP Authentication in Features View. Figure 7-20 shows an example of authentication options. You can enable or disable various authentication options, using the Actions pane. The Edit command in the Actions pane enables you to specify additional details for the selected authentication method.

Figure 7-20 Viewing FTP Authentication settings for an FTP site

Anonymous Authentication allows all users that connect to the site to access content regardless of the credentials they provide. Use this option when you plan to make the content available to all visitors to the FTP site or when you are using other security methods to restrict access to the site. When an FTP user makes a request to read or write data, Anonymous Authentication will use a specified user account to validate permissions. The default setting is to use the built-in IUSR account for this purpose. You can assign a specific Windows account by clicking the Edit command in the Actions pane. You can then provide a specific user identity for use by Anonymous Authentication. (See Figure 7-21.)
Basic Authentication requires visitors to the Web site to provide credentials for a valid Windows user account. The account can be a local Windows username and password or can belong to an Active Directory domain if the server is a member of a domain. It is important to remember that, by default, credentials sent to the FTP server are sent in clear text. This can present a security risk, especially for FTP connections that are made over the Internet. You will use Basic Authentication primarily when you want to restrict FTP-based access to content based on user credentials.

Figure 7-21 Modifying Anonymous Authentication Credentials settings

You can also choose from two other authentication methods by selecting the Custom Providers command in the Actions pane.

IIS Manager Authentication (IISManagerAuth) configures the Web site to accept credentials for an IIS Manager User. This method is useful when you want to restrict access to the FTP site to specific users who do not have Windows accounts on the local FTP server. The IIS Management role service must be installed and enabled before you can use this authentication method. For more information about creating and managing IIS Manager Users, see Chapter 6, "Managing Web Server Security." Like Basic Authentication credentials, the username and password information is sent in clear text between the FTP client and the FTP server.

ASP.NET Authentication (AspNetAuth) relies on the .NET user management framework for authentication. It is useful when you have created an ASP.NET Web site that validates user credentials. It is common for Web applications to use credentials data stored in a database to validate access and permissions to the site.

Defining FTP Authorization Rules

You can use FTP Authorization rules to determine which users have access to specific content within the FTP site. Authorization rules can be defined at the level of the FTP site or for specific logical or virtual folders. These capabilities
provide you with the flexibility to implement granular authorization rules based on the type of content that should be available to users. There are two types of authorization rules: Allow Rules and Deny Rules. By default, a new FTP site will not have any predefined authorization rules. You can use the commands in the Actions pane to create new rules. Figure 7-22 shows the available options when creating a new rule.

Figure 7-22 Adding an Allow FTP Authorization rule

Allow and Deny rules can apply to the following types of users:

All Users
All Anonymous Users
Specified Roles Or User Groups
Specified Users

After you select to which users or groups the rule will apply, you can select whether the user will have read, write, or read and write permissions.

Configuring FTP User Isolation Options

When you are managing access permissions and settings for an FTP server, a common requirement is to provide individual users with their own folders and directories. Users should be able to upload and download files from their own folders but should be prevented from accessing those that belong to other users. The FTP User Isolation feature enables you to configure these settings. To modify the settings, select an FTP site in IIS Manager, and then open the FTP User Isolation feature. (See Figure 7-23.)
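The authentication, SSL, and authorization choices made in IIS Manager are written to ApplicationHost.config, so they can be reviewed offline. The following Python script is an added example, not code from the book or from Microsoft: it reports FTP sites where Basic Authentication is enabled while SSL is only allowed, and sites where Anonymous Authentication is combined with an Allow rule that grants write access to all or anonymous users. The sample XML, site names, and finding codes are constructed for illustration, and inherited server-level defaults are not resolved.

```python
import xml.etree.ElementTree as ET

# Constructed sample (not from a real server): one Web-only site and two FTP
# sites, laid out the way IIS 7 stores them in ApplicationHost.config.
SAMPLE_CONFIG = r"""<configuration><system.applicationHost><sites>
 <site name="Default Web Site">
  <bindings><binding protocol="http" bindingInformation="*:80:"/></bindings>
 </site>
 <site name="Partner FTP">
  <bindings><binding protocol="ftp" bindingInformation="*:21:"/></bindings>
  <ftpServer><security>
   <ssl controlChannelPolicy="SslAllow" dataChannelPolicy="SslAllow"/>
   <authentication><anonymousAuthentication enabled="true"/>
    <basicAuthentication enabled="true"/></authentication>
  </security></ftpServer>
 </site>
 <site name="Secure Drop">
  <bindings><binding protocol="ftp" bindingInformation="*:2121:"/></bindings>
  <ftpServer><security>
   <ssl controlChannelPolicy="SslRequire" dataChannelPolicy="SslRequire"/>
   <authentication><anonymousAuthentication enabled="false"/>
    <basicAuthentication enabled="true"/></authentication>
  </security></ftpServer>
 </site>
</sites></system.applicationHost>
<location path="Partner FTP"><system.ftpServer><security><authorization>
 <add accessType="Allow" users="*" permissions="Read, Write"/>
</authorization></security></system.ftpServer></location>
<location path="Secure Drop"><system.ftpServer><security><authorization>
 <add accessType="Allow" users="alice" permissions="Read, Write"/>
</authorization></security></system.ftpServer></location>
</configuration>"""


def _auth_enabled(security, method):
    # True when <authentication>/<method enabled="true"> is set on the site.
    node = security.find("authentication/" + method) if security is not None else None
    return node is not None and node.get("enabled", "false").lower() == "true"


def _open_write_rules(root, site_name, access_type):
    """Paths with a rule of the given accessType that names all (*) or anonymous
    (?) users and includes Write, at the site root or any folder below it."""
    hits = []
    for loc in root.iter("location"):
        path = loc.get("path", "")
        if path != site_name and not path.startswith(site_name + "/"):
            continue
        for ftp in loc.iter("system.ftpServer"):
            for authz in ftp.iter("authorization"):
                for rule in authz.findall("add"):
                    users = {u.strip() for u in rule.get("users", "").split(",")}
                    perms = {p.strip().lower()
                             for p in rule.get("permissions", "").split(",")}
                    if (rule.get("accessType") == access_type
                            and users & {"*", "?"} and "write" in perms):
                        hits.append(path)
    return hits


def audit_ftp_sites(config_xml):
    """Return (site, port, finding) tuples for each site that has an FTP binding."""
    root = ET.fromstring(config_xml)
    findings = []
    for site in root.iter("site"):
        name = site.get("name", "")
        ports = []
        for b in site.findall("bindings/binding"):
            parts = b.get("bindingInformation", "").rsplit(":", 2)  # IP:port:host
            if b.get("protocol") == "ftp":
                ports.append(parts[1] if len(parts) == 3 else "?")
        if not ports:
            continue  # Web-only site, nothing to audit here
        security = site.find("ftpServer/security")
        ssl = security.find("ssl") if security is not None else None
        # Only an explicit SslAllow is flagged; a site without an <ssl> element
        # inherits server-level defaults, which this example does not resolve.
        control = ssl.get("controlChannelPolicy") if ssl is not None else None
        if _auth_enabled(security, "basicAuthentication") and control == "SslAllow":
            findings.append((name, ports[0], "BASIC_CLEARTEXT"))
        if (_auth_enabled(security, "anonymousAuthentication")
                and _open_write_rules(root, name, "Allow")
                and not _open_write_rules(root, name, "Deny")):
            findings.append((name, ports[0], "ANONYMOUS_WRITE"))
    return findings


if __name__ == "__main__":
    for finding in audit_ftp_sites(SAMPLE_CONFIG):
        print(finding)
```

Run it against a copy of the configuration file rather than the live file; a matching Deny rule suppresses the anonymous-write finding, so rule ordering on individual folders still needs a manual look.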
The default selection for user isolation settings is FTP Root Directory. This option configures the server to start users in the FTP root directory, as you defined when you created the FTP site. This setting is most appropriate when you want all users to be able to access the same content. You can then use authorization rules to define permissions further on specific folders.

The User Name Directory option specifies that every user will have his or her own starting folder based on the username that was provided. If the user-specific folder name does not

Chapter: Configuring Windows Media Services

Figure 8-3 Viewing information about Streaming Media Services in Server Manager

Using Windows Media Services Management Tools

Windows Media Services has two main administrative tools. You can launch the Windows Media Services console by selecting Windows Media Services from the Administrative Tools program group. (See Figure 8-4.) If you have chosen to install the Web-Based Administration option, you can also configure Windows Media Services by using a Web browser. The default port for the Windows Media Administration Web site is HTTP port 8080. You can start, stop, and reconfigure the Web site, using IIS Manager. (See Figure 8-5.)
Lesson 1: Configuring Windows Media Services

Figure 8-4 Using the Windows Media Services console

Figure 8-5 Viewing the Windows Media Administration Site by using IIS Manager

Once you have started the site, you can access it by launching Windows Media Services (Web) from the Administrative Tools program group or by navigating to its URL directly. The default site bindings do not include an SSL-enabled site binding, so you will receive the warning shown in Figure 8-6. For more information about configuring and enabling Secure Sockets Layer (SSL) for a Web site, see Chapter 6, "Managing Web Server Security." You can also continue to the Windows Media Services administration Web site without using an SSL connection.

Figure 8-6 Viewing a Windows Media Services Security Settings warning

The Windows Media Services Administration Web site, as shown in Figure 8-7, has been designed to resemble the Windows Media Services console. All the same features and functions are available using this site. The Web pages are configured to refresh automatically at regular intervals to ensure that current information is displayed. In general, the administration Web site is more convenient for performing remote management features. The remainder of the screens and instructions in this lesson will focus on using the Windows Media Services console. However, most of the same steps can be completed using the Windows Media Services Administration Web site.

Figure 8-7 Viewing the Windows Media Services Administration Web site

Managing Publishing Points

Publishing points are used to define the locations and types of content available to users of Windows Media Services. When you install the Streaming Media Services role, a default publishing point named (on-demand) is created automatically. The root file system location for this folder is %SystemDrive%\Wmpub\Wmroot. This location contains a set of default media
files, including sample Windows Media Video (.wmv) video files, playlists, and image files.

Creating a New Publishing Point

When you want to provide access to new content, you can create a new publishing point, using the Windows Media Services console. To start the process, right-click the Publishing Points object on the left side of the console, and then select the Add Publishing Point (Wizard) command. On the Welcome page, click Next. The Publishing Point Name page of the Add Publishing Point Wizard will ask you to provide a name for the new publishing point. (See Figure 8-8.) This name should be brief but also descriptive because it will be used as part of the URL used by clients to connect to content.

Figure 8-8 Providing a name for a new publishing point

The Content Type page of the wizard will prompt you to specify the type of content that will be made available through this publishing point. (See Figure 8-9.) The options are:

Encoder (A Live Stream)
Playlist (A Mix Of Files And/Or Live Streams That You Can Combine Into A Continuous Stream)
One File (Useful For A Broadcast Of An Archived File)
Files (Digital Media Or Playlists) In A Directory (Useful For Providing Access For On-Demand Playback Through A Single Publishing Point)

The Publishing Point Type page enables you to create either a Broadcast Publishing Point or an On-Demand Publishing Point. (See Figure 8-10.) Based on the option you chose on the previous page, one of the options might be unavailable.

Figure 8-9 Specifying Content Type settings for a new publishing point

Figure 8-10 Specifying the Publishing Point Type

The Delivery Options For Broadcast Publishing Points page enables you to specify whether you want to use Unicast or Multicast communications. (See Figure 8-11.)
The default setting is Unicast, which is the most compatible approach but which also uses the most bandwidth. For networks that support multicast, you can choose the Multicast option. When you select Multicast, you also can enable Unicast rollover, a feature that provides unicast transmissions to clients that cannot access the multicast stream.

Figure 8-11 Selecting the unicast or multicast delivery option

When you are creating a publishing point that provides access to files, you will be presented with the Directory Location page. (See Figure 8-12.) The Location Of Directory setting specifies the root folder in which media content is located. You should plan to store all the audio and video files you want to make available within this folder.

Figure 8-12 Configuring Directory Location settings for a new publishing point

The Enable Access To Directory Content Using Wildcards option enables users to access any of the files directly that are stored in this location. They can do this by manually modifying the URL if they know the name of the file to retrieve. Enabling this option is useful when you have a large number of files to which you want to link directly. However, if you want to ensure that users can access only the files you make available, using links on a Web site, disable this option.

The Content Playback page provides options related to how playlists will be created and managed for on-demand content. The two options are:

Loop (Content Plays Continuously)
Shuffle (Content Plays Randomly)

If you have chosen to create an on-demand publishing point that is based on a live feed, the Encoder URL page will prompt you to provide the URL of the encoder that will provide the media content. (See Figure 8-13.)
The URL should include the full path and port number to a server that is running a Windows Media Services–based encoder.

Figure 8-13 Providing encoder URL information when creating a broadcast publishing point

The Unicast Logging page of the Add Publishing Point Wizard enables you to set the collection and storage of usage statistics for Unicast users of the publishing point. The Publishing Point Summary page provides a list of the selections you have made in previous steps. (See Figure 8-14.)

Figure 8-14 Viewing a summary of publishing point settings

The final page of the wizard contains important information about the URL that will be used to access the publishing point. (See Figure 8-15.) At this point, you will also be able to choose from various files that will help make your content accessible to users. You will learn more about these options later in this section.

Figure 8-15 Completing the Add Publishing Point Wizard

Administering Publishing Points

You can manage the status of publishing points, using the Windows Media Services console. To manage the status of a publishing point and to perform other administrative functions, right-click the appropriate object. The available commands include:

Start
Stop
Allow New Connections
Deny New Connections
Duplicate
Rename
Remove

Individual publishing points can be started and stopped individually. You can also use the Duplicate command to create a new publishing point (with a new name and URL) based on the settings of an existing one. Denying new connections effectively makes the contents of the publishing point inaccessible to new users but continues to send streamed information to users who have already connected. The Stop command ends all streams for the publishing point by disconnecting any active users.

Monitoring Publishing Points

The Monitor tab of a publishing point provides an overview of current connections and statistics
related to the content currently being served. (See Figure 8-16.) By default, the display is configured to refresh automatically every three seconds. You can use the Reset All Counters command (icons located at the bottom of the tab) to reset all cumulative-value counters to their initial values. The View Performance Monitor command opens a new window that displays relevant Windows Performance Monitor counters for the publishing point. As with the full Performance Monitor application, you can use the commands on the toolbar to add values or to customize the display. For example, you can add counters related to the Processor, Memory, and Network Interface objects to collect more details about the overall performance of the server.

Figure 8-16 Monitoring activity for a publishing point by using the Windows Media Services console

Configuring Source Settings

Every publishing point must have source information to specify which media files will be available to users. As you learned in the previous section, you can specify the default information when you create a new publishing point by using the Add Publishing Point Wizard. You can also use the Windows Media Services console to make changes to the source settings. To do this, select a publishing point, and then click the Source tab. (See Figure 8-17.)
The options and details on this page will vary based on the type of publishing point you have created. For example, a publishing point that provides access to live broadcast video will have information about the URL of the streaming source, whereas on-demand publishing points will include playlist and file location information. The Source settings provide an easy way to modify the type of content that is accessible to users without having to create a new publishing point. You can highlight a video and click the Test Stream button to access the media automatically by using Windows Media Player directly or by launching Windows Internet Explorer to play the content.

Figure 8-17 Configuring Source settings for an on-demand publishing point

Creating Announcements

After you have prepared a new publishing point for the Windows Media Services server, you will need a method to make the content available to users. The Windows Media Services console enables you to create announcements, which are a method of creating links and playlists for the content you want to make available. The last step of the Add Publishing Point Wizard enables you to create the relevant types of announcements automatically. The options include:

Create An Announcement File (.asx) Or Web Page (.htm)
Create A Wrapper Playlist (.wsx)
Create A Wrapper Playlist (.wsx) And Announcement File (.asx) Or Web Page (.htm)

Depending on which option you select, you will be presented with one or more wizard options. You can also view and modify the announcement settings for an existing publishing point by selecting it in the Windows Media Services console and clicking the Announce tab. (See Figure 8-18.)
Figure 8-18 Viewing Announce settings for a publishing point

You can use announcements information in your own Web pages (for example, by creating a tag that links directly to a publishing point), or you can provide links to the playlist files or wrappers themselves.

Using the Create Wrapper Wizard

The Create Wrapper Wizard enables you to create a wrapper playlist that includes media files and advertisements. (See Figure 8-19.)

Figure 8-19 Using the Create Wrapper Wizard

Click the Add Media button to add new files or other types of content. (See Figure 8-20.) The data can come from other publishing points and can include a mix of on-demand and live encoder-based content. After you have selected the appropriate option, you'll be prompted for the location in which the .wsx file should be stored. Generally, you should place the file within the publishing point's root folder so it will be accessible to users. You can also copy or move the file to another location such as the root folder of a Web site.

Figure 8-20 Adding media to a Wrapper playlist

Using the Unicast Announcement Wizard

If you have selected to deliver streaming content by using the unicast method, you can use the Unicast Announcement Wizard to configure the appropriate options. By default, unicast URLs are prefixed with the mms content type (for example, mms://Server2.contoso.com/Media). Client media players such as Windows Media Player are automatically associated with this URL type, so the content can start playback automatically when the user clicks an appropriate hyperlink in a Web page. The Save Announcement Options page of the wizard enables you to specify the location into which the Announcement file (.asx) will be saved. (See Figure 8-21.)
The default location is within the root folder of the Web Server (IIS) server role's Default Web Site object.

Figure 8-21 Saving announcement files

You can also use this page to create an HTML Web page that includes an embedded player and a link to the content. This method provides a simplified way for Web developers to see the HTML and media player tags they need to include in their own code. Later, you can load the Web page directly in Internet Explorer. If you have Windows Media Player installed, you can then test the announcement by playing the video. (See Figure 8-22.) If you plan to place the link to the media within an existing Web page, you can use the Copy The Syntax For Embedding A Player In A Web Page To The Clipboard option.