IIS Warm Up Period

Discussion in 'ASP .Net' started by Arsen V., May 5, 2004.

  1. Arsen V.

    Arsen V. Guest

    Hi,

    We have a website with a very high volume of traffic. The pages are ASP.NET.
    There are some configuration settings that get loaded by the Global.asx file
    on Application Start event. The load time for those settings is about 3
    seconds.

    When the site is running on IIS5 everything is okay.

    When the site is running on IIS6 there are problems. It looks like when IIS
    starts and all the requests start coming in it is trying to compile the
    ASP.NET CLR and to load the settings in Global.asx. However, since there are
    over 100 requests/second, soon it starts to give Service Unavailable and log
    errors QueueFull in the HTTPERR file.

    If I manually stop the IIS, set the directory security of the website to
    accept only the local requests, execute one request, wait 5 seconds, and
    then change the security to accept all requests, it works great.

    Is there a way to give IIS a warm up time? I think it fails because there
    are so many requests that come right away before the CLR is compiled and the
    load settings in the Global.asx has time to execute.

    Thanks,
    Arsen
     
    Arsen V., May 5, 2004
    #1
    1. Advertising

  2. No, IIS does not have a "warm up period" feature. It is pretty easy to
    script WAST or ACT to custom tailor such a warm-up optimized for your
    website, though.

    Websites that have high traffic volume usually devise their own mix of
    requests to "warm up" a server and get various applications pre-compiled,
    etc -- this is especially necessary for .Net applications, which incur a CLR
    load-up cost as well as ASP.Net pre-compilation cost. After the server is
    warmed up, then it is dropped into the live rotation.

    There shouldn't be much difference between IIS5 and IIS6 in startup unless
    you're using the health-monitoring features of IIS6 to recycle the worker
    process.

    --
    //David
    IIS
    This posting is provided "AS IS" with no warranties, and confers no rights.
    //
    "Arsen V." <> wrote in message
    news:...
    Hi,

    We have a website with a very high volume of traffic. The pages are ASP.NET.
    There are some configuration settings that get loaded by the Global.asx file
    on Application Start event. The load time for those settings is about 3
    seconds.

    When the site is running on IIS5 everything is okay.

    When the site is running on IIS6 there are problems. It looks like when IIS
    starts and all the requests start coming in it is trying to compile the
    ASP.NET CLR and to load the settings in Global.asx. However, since there are
    over 100 requests/second, soon it starts to give Service Unavailable and log
    errors QueueFull in the HTTPERR file.

    If I manually stop the IIS, set the directory security of the website to
    accept only the local requests, execute one request, wait 5 seconds, and
    then change the security to accept all requests, it works great.

    Is there a way to give IIS a warm up time? I think it fails because there
    are so many requests that come right away before the CLR is compiled and the
    load settings in the Global.asx has time to execute.

    Thanks,
    Arsen
     
    David Wang [Msft], May 6, 2004
    #2
    1. Advertising

  3. Arsen V.

    Arsen V. Guest

    Hi David,

    How can I prevent the IIS6 server from being "dropped into the live
    rotation" until the warm up scripts run?

    What happens now, is that when the computer comes up, IIS starts and
    immediately attempts to process the requests which queue up and cause
    problems.

    Is there a way to tell the IIS to start accepting the requests only after
    certain warm up? I need this to be automatic so if IIS is restarted in the
    middle of the night it can come back up without problems.

    Thanks,
    Arsen

    "David Wang [Msft]" <> wrote in message
    news:...
    > No, IIS does not have a "warm up period" feature. It is pretty easy to
    > script WAST or ACT to custom tailor such a warm-up optimized for your
    > website, though.
    >
    > Websites that have high traffic volume usually devise their own mix of
    > requests to "warm up" a server and get various applications pre-compiled,
    > etc -- this is especially necessary for .Net applications, which incur a

    CLR
    > load-up cost as well as ASP.Net pre-compilation cost. After the server is
    > warmed up, then it is dropped into the live rotation.
    >
    > There shouldn't be much difference between IIS5 and IIS6 in startup unless
    > you're using the health-monitoring features of IIS6 to recycle the worker
    > process.
    >
    > --
    > //David
    > IIS
    > This posting is provided "AS IS" with no warranties, and confers no

    rights.
    > //
    > "Arsen V." <> wrote in message
    > news:...
    > Hi,
    >
    > We have a website with a very high volume of traffic. The pages are

    ASP.NET.
    > There are some configuration settings that get loaded by the Global.asx

    file
    > on Application Start event. The load time for those settings is about 3
    > seconds.
    >
    > When the site is running on IIS5 everything is okay.
    >
    > When the site is running on IIS6 there are problems. It looks like when

    IIS
    > starts and all the requests start coming in it is trying to compile the
    > ASP.NET CLR and to load the settings in Global.asx. However, since there

    are
    > over 100 requests/second, soon it starts to give Service Unavailable and

    log
    > errors QueueFull in the HTTPERR file.
    >
    > If I manually stop the IIS, set the directory security of the website to
    > accept only the local requests, execute one request, wait 5 seconds, and
    > then change the security to accept all requests, it works great.
    >
    > Is there a way to give IIS a warm up time? I think it fails because there
    > are so many requests that come right away before the CLR is compiled and

    the
    > load settings in the Global.asx has time to execute.
    >
    > Thanks,
    > Arsen
    >
    >
    >
    >
     
    Arsen V., May 7, 2004
    #3
  4. Arsen,

    Do you have multiple web servers in a farm? It wasn't clear from your
    posts. Are you using a hardware load balancer in front like a BigIP or
    similar? If so, you could script up a custom restarter like:

    1. IPSECCMD blocks on tcp/80 and tcp/443 - This should take it out of the
    LB pool in a short time depending on how you have your LB setup to check
    website health.
    2. IISRESET
    3. Locally, request your webpages to invoke custom code. Easily scriptable
    with VBScript/WinHTTP or a variety of command line tools or even WAS as
    David Wang suggests.
    4. Drop IPSec blocks.

    Have you looked at the web garden concept? Maybe it makes sense for you to
    use > 1 process for this site if you have some semi-stable custom code that
    needs restarting periodically. Regular restarts of IIS or the OS are
    something that you don't need if you are running stable code. If you do
    seem to need these restarts, this means you have a problem with your custom
    code that you need to investigate. With stable web components, IIS will run
    for very long periods.

    John Alderson

    "Arsen V." <> wrote in message
    news:%...
    > Hi David,
    >
    > How can I prevent the IIS6 server from being "dropped into the live
    > rotation" until the warm up scripts run?
    >
    > What happens now, is that when the computer comes up, IIS starts and
    > immediately attempts to process the requests which queue up and cause
    > problems.
    >
    > Is there a way to tell the IIS to start accepting the requests only after
    > certain warm up? I need this to be automatic so if IIS is restarted in the
    > middle of the night it can come back up without problems.
    >
    > Thanks,
    > Arsen
    >
    > "David Wang [Msft]" <> wrote in message
    > news:...
    >> No, IIS does not have a "warm up period" feature. It is pretty easy to
    >> script WAST or ACT to custom tailor such a warm-up optimized for your
    >> website, though.
    >>
    >> Websites that have high traffic volume usually devise their own mix of
    >> requests to "warm up" a server and get various applications pre-compiled,
    >> etc -- this is especially necessary for .Net applications, which incur a

    > CLR
    >> load-up cost as well as ASP.Net pre-compilation cost. After the server
    >> is
    >> warmed up, then it is dropped into the live rotation.
    >>
    >> There shouldn't be much difference between IIS5 and IIS6 in startup
    >> unless
    >> you're using the health-monitoring features of IIS6 to recycle the worker
    >> process.
    >>
    >> --
    >> //David
    >> IIS
    >> This posting is provided "AS IS" with no warranties, and confers no

    > rights.
    >> //
    >> "Arsen V." <> wrote in message
    >> news:...
    >> Hi,
    >>
    >> We have a website with a very high volume of traffic. The pages are

    > ASP.NET.
    >> There are some configuration settings that get loaded by the Global.asx

    > file
    >> on Application Start event. The load time for those settings is about 3
    >> seconds.
    >>
    >> When the site is running on IIS5 everything is okay.
    >>
    >> When the site is running on IIS6 there are problems. It looks like when

    > IIS
    >> starts and all the requests start coming in it is trying to compile the
    >> ASP.NET CLR and to load the settings in Global.asx. However, since there

    > are
    >> over 100 requests/second, soon it starts to give Service Unavailable and

    > log
    >> errors QueueFull in the HTTPERR file.
    >>
    >> If I manually stop the IIS, set the directory security of the website to
    >> accept only the local requests, execute one request, wait 5 seconds, and
    >> then change the security to accept all requests, it works great.
    >>
    >> Is there a way to give IIS a warm up time? I think it fails because there
    >> are so many requests that come right away before the CLR is compiled and

    > the
    >> load settings in the Global.asx has time to execute.
    >>
    >> Thanks,
    >> Arsen
    >>
    >>
    >>
    >>

    >
    >
     
    John Alderson, May 7, 2004
    #4
  5. Arsen V.

    Arsen V. Guest

    Hi John,

    Thanks for your suggestion. This is pretty much what I was looking for. I
    did not think of the idea to use IPSECCMD to block the requests! This is
    great.

    Yes, I do have a Load Balancer in front of the web farm. The code is
    stable. However, sometimes due to load there is too much queueing (this only
    occurs on IIS 6) and the IIS server shuts down the process.

    Thanks,
    Arsen

    "John Alderson" <jalderson^at^adelphia^dot^net> wrote in message
    news:%23uEQk%...
    > Arsen,
    >
    > Do you have multiple web servers in a farm? It wasn't clear from your
    > posts. Are you using a hardware load balancer in front like a BigIP or
    > similar? If so, you could script up a custom restarter like:
    >
    > 1. IPSECCMD blocks on tcp/80 and tcp/443 - This should take it out of the
    > LB pool in a short time depending on how you have your LB setup to check
    > website health.
    > 2. IISRESET
    > 3. Locally, request your webpages to invoke custom code. Easily

    scriptable
    > with VBScript/WinHTTP or a variety of command line tools or even WAS as
    > David Wang suggests.
    > 4. Drop IPSec blocks.
    >
    > Have you looked at the web garden concept? Maybe it makes sense for you

    to
    > use > 1 process for this site if you have some semi-stable custom code

    that
    > needs restarting periodically. Regular restarts of IIS or the OS are
    > something that you don't need if you are running stable code. If you do
    > seem to need these restarts, this means you have a problem with your

    custom
    > code that you need to investigate. With stable web components, IIS will

    run
    > for very long periods.
    >
    > John Alderson
    >
    > "Arsen V." <> wrote in message
    > news:%...
    > > Hi David,
    > >
    > > How can I prevent the IIS6 server from being "dropped into the live
    > > rotation" until the warm up scripts run?
    > >
    > > What happens now, is that when the computer comes up, IIS starts and
    > > immediately attempts to process the requests which queue up and cause
    > > problems.
    > >
    > > Is there a way to tell the IIS to start accepting the requests only

    after
    > > certain warm up? I need this to be automatic so if IIS is restarted in

    the
    > > middle of the night it can come back up without problems.
    > >
    > > Thanks,
    > > Arsen
    > >
    > > "David Wang [Msft]" <> wrote in message
    > > news:...
    > >> No, IIS does not have a "warm up period" feature. It is pretty easy to
    > >> script WAST or ACT to custom tailor such a warm-up optimized for your
    > >> website, though.
    > >>
    > >> Websites that have high traffic volume usually devise their own mix of
    > >> requests to "warm up" a server and get various applications

    pre-compiled,
    > >> etc -- this is especially necessary for .Net applications, which incur

    a
    > > CLR
    > >> load-up cost as well as ASP.Net pre-compilation cost. After the server
    > >> is
    > >> warmed up, then it is dropped into the live rotation.
    > >>
    > >> There shouldn't be much difference between IIS5 and IIS6 in startup
    > >> unless
    > >> you're using the health-monitoring features of IIS6 to recycle the

    worker
    > >> process.
    > >>
    > >> --
    > >> //David
    > >> IIS
    > >> This posting is provided "AS IS" with no warranties, and confers no

    > > rights.
    > >> //
    > >> "Arsen V." <> wrote in message
    > >> news:...
    > >> Hi,
    > >>
    > >> We have a website with a very high volume of traffic. The pages are

    > > ASP.NET.
    > >> There are some configuration settings that get loaded by the Global.asx

    > > file
    > >> on Application Start event. The load time for those settings is about 3
    > >> seconds.
    > >>
    > >> When the site is running on IIS5 everything is okay.
    > >>
    > >> When the site is running on IIS6 there are problems. It looks like when

    > > IIS
    > >> starts and all the requests start coming in it is trying to compile the
    > >> ASP.NET CLR and to load the settings in Global.asx. However, since

    there
    > > are
    > >> over 100 requests/second, soon it starts to give Service Unavailable

    and
    > > log
    > >> errors QueueFull in the HTTPERR file.
    > >>
    > >> If I manually stop the IIS, set the directory security of the website

    to
    > >> accept only the local requests, execute one request, wait 5 seconds,

    and
    > >> then change the security to accept all requests, it works great.
    > >>
    > >> Is there a way to give IIS a warm up time? I think it fails because

    there
    > >> are so many requests that come right away before the CLR is compiled

    and
    > > the
    > >> load settings in the Global.asx has time to execute.
    > >>
    > >> Thanks,
    > >> Arsen
    > >>
    > >>
    > >>
    > >>

    > >
    > >

    >
     
    Arsen V., May 7, 2004
    #5
  6. Arsen V.

    Arsen V. Guest

    Hi John,

    Windows 2003 Server dos not come with "IPSECCMD". What can I use instead?

    Could you point me to a simple example of how to block TCP/80 and then
    unblock it using the command line?

    Thanks,
    Arsen

    "Arsen V." <> wrote in message
    news:...
    > Hi John,
    >
    > Thanks for your suggestion. This is pretty much what I was looking for. I
    > did not think of the idea to use IPSECCMD to block the requests! This is
    > great.
    >
    > Yes, I do have a Load Balancer in front of the web farm. The code is
    > stable. However, sometimes due to load there is too much queueing (this

    only
    > occurs on IIS 6) and the IIS server shuts down the process.
    >
    > Thanks,
    > Arsen
    >
    > "John Alderson" <jalderson^at^adelphia^dot^net> wrote in message
    > news:%23uEQk%...
    > > Arsen,
    > >
    > > Do you have multiple web servers in a farm? It wasn't clear from your
    > > posts. Are you using a hardware load balancer in front like a BigIP or
    > > similar? If so, you could script up a custom restarter like:
    > >
    > > 1. IPSECCMD blocks on tcp/80 and tcp/443 - This should take it out of

    the
    > > LB pool in a short time depending on how you have your LB setup to check
    > > website health.
    > > 2. IISRESET
    > > 3. Locally, request your webpages to invoke custom code. Easily

    > scriptable
    > > with VBScript/WinHTTP or a variety of command line tools or even WAS as
    > > David Wang suggests.
    > > 4. Drop IPSec blocks.
    > >
    > > Have you looked at the web garden concept? Maybe it makes sense for you

    > to
    > > use > 1 process for this site if you have some semi-stable custom code

    > that
    > > needs restarting periodically. Regular restarts of IIS or the OS are
    > > something that you don't need if you are running stable code. If you do
    > > seem to need these restarts, this means you have a problem with your

    > custom
    > > code that you need to investigate. With stable web components, IIS will

    > run
    > > for very long periods.
    > >
    > > John Alderson
    > >
    > > "Arsen V." <> wrote in message
    > > news:%...
    > > > Hi David,
    > > >
    > > > How can I prevent the IIS6 server from being "dropped into the live
    > > > rotation" until the warm up scripts run?
    > > >
    > > > What happens now, is that when the computer comes up, IIS starts and
    > > > immediately attempts to process the requests which queue up and cause
    > > > problems.
    > > >
    > > > Is there a way to tell the IIS to start accepting the requests only

    > after
    > > > certain warm up? I need this to be automatic so if IIS is restarted in

    > the
    > > > middle of the night it can come back up without problems.
    > > >
    > > > Thanks,
    > > > Arsen
    > > >
    > > > "David Wang [Msft]" <> wrote in message
    > > > news:...
    > > >> No, IIS does not have a "warm up period" feature. It is pretty easy

    to
    > > >> script WAST or ACT to custom tailor such a warm-up optimized for your
    > > >> website, though.
    > > >>
    > > >> Websites that have high traffic volume usually devise their own mix

    of
    > > >> requests to "warm up" a server and get various applications

    > pre-compiled,
    > > >> etc -- this is especially necessary for .Net applications, which

    incur
    > a
    > > > CLR
    > > >> load-up cost as well as ASP.Net pre-compilation cost. After the

    server
    > > >> is
    > > >> warmed up, then it is dropped into the live rotation.
    > > >>
    > > >> There shouldn't be much difference between IIS5 and IIS6 in startup
    > > >> unless
    > > >> you're using the health-monitoring features of IIS6 to recycle the

    > worker
    > > >> process.
    > > >>
    > > >> --
    > > >> //David
    > > >> IIS
    > > >> This posting is provided "AS IS" with no warranties, and confers no
    > > > rights.
    > > >> //
    > > >> "Arsen V." <> wrote in message
    > > >> news:...
    > > >> Hi,
    > > >>
    > > >> We have a website with a very high volume of traffic. The pages are
    > > > ASP.NET.
    > > >> There are some configuration settings that get loaded by the

    Global.asx
    > > > file
    > > >> on Application Start event. The load time for those settings is about

    3
    > > >> seconds.
    > > >>
    > > >> When the site is running on IIS5 everything is okay.
    > > >>
    > > >> When the site is running on IIS6 there are problems. It looks like

    when
    > > > IIS
    > > >> starts and all the requests start coming in it is trying to compile

    the
    > > >> ASP.NET CLR and to load the settings in Global.asx. However, since

    > there
    > > > are
    > > >> over 100 requests/second, soon it starts to give Service Unavailable

    > and
    > > > log
    > > >> errors QueueFull in the HTTPERR file.
    > > >>
    > > >> If I manually stop the IIS, set the directory security of the website

    > to
    > > >> accept only the local requests, execute one request, wait 5 seconds,

    > and
    > > >> then change the security to accept all requests, it works great.
    > > >>
    > > >> Is there a way to give IIS a warm up time? I think it fails because

    > there
    > > >> are so many requests that come right away before the CLR is compiled

    > and
    > > > the
    > > >> load settings in the Global.asx has time to execute.
    > > >>
    > > >> Thanks,
    > > >> Arsen
    > > >>
    > > >>
    > > >>
    > > >>
    > > >
    > > >

    > >

    >
    >
     
    Arsen V., May 7, 2004
    #6
  7. Hi Arsen,

    IPSECCMD is a part of the Support Tools that can be found on your
    installation CD ROM. The syntax is very similar to Windows 2000's
    IPSECPOL - part of the Resource Kit. I do have a set of commands to do a
    block on 80, 443 but I'll have to dig them up at work. I'll post them for
    you.

    John


    "Arsen V." <> wrote in message
    news:...
    > Hi John,
    >
    > Windows 2003 Server dos not come with "IPSECCMD". What can I use instead?
    >
    > Could you point me to a simple example of how to block TCP/80 and then
    > unblock it using the command line?
    >
    > Thanks,
    > Arsen
    >
    > "Arsen V." <> wrote in message
    > news:...
    >> Hi John,
    >>
    >> Thanks for your suggestion. This is pretty much what I was looking for. I
    >> did not think of the idea to use IPSECCMD to block the requests! This is
    >> great.
    >>
    >> Yes, I do have a Load Balancer in front of the web farm. The code is
    >> stable. However, sometimes due to load there is too much queueing (this

    > only
    >> occurs on IIS 6) and the IIS server shuts down the process.
    >>
    >> Thanks,
    >> Arsen
    >>
    >> "John Alderson" <jalderson^at^adelphia^dot^net> wrote in message
    >> news:%23uEQk%...
    >> > Arsen,
    >> >
    >> > Do you have multiple web servers in a farm? It wasn't clear from your
    >> > posts. Are you using a hardware load balancer in front like a BigIP or
    >> > similar? If so, you could script up a custom restarter like:
    >> >
    >> > 1. IPSECCMD blocks on tcp/80 and tcp/443 - This should take it out of

    > the
    >> > LB pool in a short time depending on how you have your LB setup to
    >> > check
    >> > website health.
    >> > 2. IISRESET
    >> > 3. Locally, request your webpages to invoke custom code. Easily

    >> scriptable
    >> > with VBScript/WinHTTP or a variety of command line tools or even WAS as
    >> > David Wang suggests.
    >> > 4. Drop IPSec blocks.
    >> >
    >> > Have you looked at the web garden concept? Maybe it makes sense for
    >> > you

    >> to
    >> > use > 1 process for this site if you have some semi-stable custom code

    >> that
    >> > needs restarting periodically. Regular restarts of IIS or the OS are
    >> > something that you don't need if you are running stable code. If you
    >> > do
    >> > seem to need these restarts, this means you have a problem with your

    >> custom
    >> > code that you need to investigate. With stable web components, IIS
    >> > will

    >> run
    >> > for very long periods.
    >> >
    >> > John Alderson
    >> >
    >> > "Arsen V." <> wrote in message
    >> > news:%...
    >> > > Hi David,
    >> > >
    >> > > How can I prevent the IIS6 server from being "dropped into the live
    >> > > rotation" until the warm up scripts run?
    >> > >
    >> > > What happens now, is that when the computer comes up, IIS starts and
    >> > > immediately attempts to process the requests which queue up and cause
    >> > > problems.
    >> > >
    >> > > Is there a way to tell the IIS to start accepting the requests only

    >> after
    >> > > certain warm up? I need this to be automatic so if IIS is restarted
    >> > > in

    >> the
    >> > > middle of the night it can come back up without problems.
    >> > >
    >> > > Thanks,
    >> > > Arsen
    >> > >
    >> > > "David Wang [Msft]" <> wrote in message
    >> > > news:...
    >> > >> No, IIS does not have a "warm up period" feature. It is pretty easy

    > to
    >> > >> script WAST or ACT to custom tailor such a warm-up optimized for
    >> > >> your
    >> > >> website, though.
    >> > >>
    >> > >> Websites that have high traffic volume usually devise their own mix

    > of
    >> > >> requests to "warm up" a server and get various applications

    >> pre-compiled,
    >> > >> etc -- this is especially necessary for .Net applications, which

    > incur
    >> a
    >> > > CLR
    >> > >> load-up cost as well as ASP.Net pre-compilation cost. After the

    > server
    >> > >> is
    >> > >> warmed up, then it is dropped into the live rotation.
    >> > >>
    >> > >> There shouldn't be much difference between IIS5 and IIS6 in startup
    >> > >> unless
    >> > >> you're using the health-monitoring features of IIS6 to recycle the

    >> worker
    >> > >> process.
    >> > >>
    >> > >> --
    >> > >> //David
    >> > >> IIS
    >> > >> This posting is provided "AS IS" with no warranties, and confers no
    >> > > rights.
    >> > >> //
    >> > >> "Arsen V." <> wrote in message
    >> > >> news:...
    >> > >> Hi,
    >> > >>
    >> > >> We have a website with a very high volume of traffic. The pages are
    >> > > ASP.NET.
    >> > >> There are some configuration settings that get loaded by the

    > Global.asx
    >> > > file
    >> > >> on Application Start event. The load time for those settings is
    >> > >> about

    > 3
    >> > >> seconds.
    >> > >>
    >> > >> When the site is running on IIS5 everything is okay.
    >> > >>
    >> > >> When the site is running on IIS6 there are problems. It looks like

    > when
    >> > > IIS
    >> > >> starts and all the requests start coming in it is trying to compile

    > the
    >> > >> ASP.NET CLR and to load the settings in Global.asx. However, since

    >> there
    >> > > are
    >> > >> over 100 requests/second, soon it starts to give Service Unavailable

    >> and
    >> > > log
    >> > >> errors QueueFull in the HTTPERR file.
    >> > >>
    >> > >> If I manually stop the IIS, set the directory security of the
    >> > >> website

    >> to
    >> > >> accept only the local requests, execute one request, wait 5 seconds,

    >> and
    >> > >> then change the security to accept all requests, it works great.
    >> > >>
    >> > >> Is there a way to give IIS a warm up time? I think it fails because

    >> there
    >> > >> are so many requests that come right away before the CLR is compiled

    >> and
    >> > > the
    >> > >> load settings in the Global.asx has time to execute.
    >> > >>
    >> > >> Thanks,
    >> > >> Arsen
    >> > >>
    >> > >>
    >> > >>
    >> > >>
    >> > >
    >> > >
    >> >

    >>
    >>

    >
    >
     
    John Alderson, May 8, 2004
    #7
  8. Arsen,

    Here's a set of commands to create a IPSec Filter policy to block tcp/80 and
    tcp/443. Instead of using IPSECCMD, I used NETSH.

    *********************************************
    netsh ipsec static add policy name="Packet Filters - IIS" description="Web
    Server Hardening policy" assign=no
    netsh ipsec static add filterlist name="HTTP Server" description="Server
    Hardening"
    netsh ipsec static add filterlist name="HTTPS Server" description="Server
    Hardening",
    netsh ipsec static add filterlist name="ALL Inbound Traffic"
    description="Server Hardening"
    netsh ipsec static add filteraction name=SecPermit description="Allows
    Traffic to Pass" action=permit
    netsh ipsec static add filteraction name=Block description="Blocks Traffic"
    action=block
    netsh ipsec static add filter filterlist="HTTP Server" srcaddr=any
    dstaddr=me description="HTTP Traffic" protocol=TCP srcport=0 dstport=80
    netsh ipsec static add filter filterlist="HTTPS Server" srcaddr=any
    dstaddr=me description="HTTPS Traffic" protocol=TCP srcport=0 dstport=443
    netsh ipsec static add filter filterlist="ALL Inbound Traffic" srcaddr=any
    dstaddr=me description="ALL Inbound Traffic" protocol=any srcport=0
    dstport=0",
    netsh ipsec static add rule name="HTTP Server Rule" policy="Packet Filters -
    IIS" filterlist="HTTP Server" kerberos=yes filteraction=Block
    netsh ipsec static add rule name="HTTPS Server Rule" policy="Packet
    Filters - IIS" filterlist="HTTPS Server" kerberos=yes filteraction=Block
    netsh ipsec static add rule name="ALL Inbound Traffic Rule" policy="Packet
    Filters - IIS" filterlist="ALL Inbound Traffic" kerberos=yes
    filteraction=SecPermit
    netsh ipsec static set policy name="Packet Filters - IIS" assign=y"
    *********************************************

    Once it's created, you can enable and disable it by using NETSH to assign or
    unassign the policy. The last command above assigns it so it enables it.

    John Alderson



    "John Alderson" <jalderson^at^adelphia^dot^net> wrote in message
    news:%...
    > Hi Arsen,
    >
    > IPSECCMD is a part of the Support Tools that can be found on your
    > installation CD ROM. The syntax is very similar to Windows 2000's
    > IPSECPOL - part of the Resource Kit. I do have a set of commands to do a
    > block on 80, 443 but I'll have to dig them up at work. I'll post them for
    > you.
    >
    > John
    >
    >
    > "Arsen V." <> wrote in message
    > news:...
    >> Hi John,
    >>
    >> Windows 2003 Server dos not come with "IPSECCMD". What can I use instead?
    >>
    >> Could you point me to a simple example of how to block TCP/80 and then
    >> unblock it using the command line?
    >>
    >> Thanks,
    >> Arsen
    >>
    >> "Arsen V." <> wrote in message
    >> news:...
    >>> Hi John,
    >>>
    >>> Thanks for your suggestion. This is pretty much what I was looking for.
    >>> I
    >>> did not think of the idea to use IPSECCMD to block the requests! This is
    >>> great.
    >>>
    >>> Yes, I do have a Load Balancer in front of the web farm. The code is
    >>> stable. However, sometimes due to load there is too much queueing (this

    >> only
    >>> occurs on IIS 6) and the IIS server shuts down the process.
    >>>
    >>> Thanks,
    >>> Arsen
    >>>
    >>> "John Alderson" <jalderson^at^adelphia^dot^net> wrote in message
    >>> news:%23uEQk%...
    >>> > Arsen,
    >>> >
    >>> > Do you have multiple web servers in a farm? It wasn't clear from your
    >>> > posts. Are you using a hardware load balancer in front like a BigIP
    >>> > or
    >>> > similar? If so, you could script up a custom restarter like:
    >>> >
    >>> > 1. IPSECCMD blocks on tcp/80 and tcp/443 - This should take it out of

    >> the
    >>> > LB pool in a short time depending on how you have your LB setup to
    >>> > check
    >>> > website health.
    >>> > 2. IISRESET
    >>> > 3. Locally, request your webpages to invoke custom code. Easily
    >>> scriptable
    >>> > with VBScript/WinHTTP or a variety of command line tools or even WAS
    >>> > as
    >>> > David Wang suggests.
    >>> > 4. Drop IPSec blocks.
    >>> >
    >>> > Have you looked at the web garden concept? Maybe it makes sense for
    >>> > you
    >>> to
    >>> > use > 1 process for this site if you have some semi-stable custom code
    >>> that
    >>> > needs restarting periodically. Regular restarts of IIS or the OS are
    >>> > something that you don't need if you are running stable code. If you
    >>> > do
    >>> > seem to need these restarts, this means you have a problem with your
    >>> custom
    >>> > code that you need to investigate. With stable web components, IIS
    >>> > will
    >>> run
    >>> > for very long periods.
    >>> >
    >>> > John Alderson
    >>> >
    >>> > "Arsen V." <> wrote in message
    >>> > news:%...
    >>> > > Hi David,
    >>> > >
    >>> > > How can I prevent the IIS6 server from being "dropped into the live
    >>> > > rotation" until the warm up scripts run?
    >>> > >
    >>> > > What happens now, is that when the computer comes up, IIS starts and
    >>> > > immediately attempts to process the requests which queue up and
    >>> > > cause
    >>> > > problems.
    >>> > >
    >>> > > Is there a way to tell the IIS to start accepting the requests only
    >>> after
    >>> > > certain warm up? I need this to be automatic so if IIS is restarted
    >>> > > in
    >>> the
    >>> > > middle of the night it can come back up without problems.
    >>> > >
    >>> > > Thanks,
    >>> > > Arsen
    >>> > >
    >>> > > "David Wang [Msft]" <> wrote in message
    >>> > > news:...
    >>> > >> No, IIS does not have a "warm up period" feature. It is pretty
    >>> > >> easy

    >> to
    >>> > >> script WAST or ACT to custom tailor such a warm-up optimized for
    >>> > >> your
    >>> > >> website, though.
    >>> > >>
    >>> > >> Websites that have high traffic volume usually devise their own mix

    >> of
    >>> > >> requests to "warm up" a server and get various applications
    >>> pre-compiled,
    >>> > >> etc -- this is especially necessary for .Net applications, which

    >> incur
    >>> a
    >>> > > CLR
    >>> > >> load-up cost as well as ASP.Net pre-compilation cost. After the

    >> server
    >>> > >> is
    >>> > >> warmed up, then it is dropped into the live rotation.
    >>> > >>
    >>> > >> There shouldn't be much difference between IIS5 and IIS6 in startup
    >>> > >> unless
    >>> > >> you're using the health-monitoring features of IIS6 to recycle the
    >>> worker
    >>> > >> process.
    >>> > >>
    >>> > >> --
    >>> > >> //David
    >>> > >> IIS
    >>> > >> This posting is provided "AS IS" with no warranties, and confers no
    >>> > > rights.
    >>> > >> //
    >>> > >> "Arsen V." <> wrote in message
    >>> > >> news:...
    >>> > >> Hi,
    >>> > >>
    >>> > >> We have a website with a very high volume of traffic. The pages are
    >>> > > ASP.NET.
    >>> > >> There are some configuration settings that get loaded by the

    >> Global.asx
    >>> > > file
    >>> > >> on Application Start event. The load time for those settings is
    >>> > >> about

    >> 3
    >>> > >> seconds.
    >>> > >>
    >>> > >> When the site is running on IIS5 everything is okay.
    >>> > >>
    >>> > >> When the site is running on IIS6 there are problems. It looks like

    >> when
    >>> > > IIS
    >>> > >> starts and all the requests start coming in it is trying to compile

    >> the
    >>> > >> ASP.NET CLR and to load the settings in Global.asx. However, since
    >>> there
    >>> > > are
    >>> > >> over 100 requests/second, soon it starts to give Service
    >>> > >> Unavailable
    >>> and
    >>> > > log
    >>> > >> errors QueueFull in the HTTPERR file.
    >>> > >>
    >>> > >> If I manually stop the IIS, set the directory security of the
    >>> > >> website
    >>> to
    >>> > >> accept only the local requests, execute one request, wait 5
    >>> > >> seconds,
    >>> and
    >>> > >> then change the security to accept all requests, it works great.
    >>> > >>
    >>> > >> Is there a way to give IIS a warm up time? I think it fails because
    >>> there
    >>> > >> are so many requests that come right away before the CLR is
    >>> > >> compiled
    >>> and
    >>> > > the
    >>> > >> load settings in the Global.asx has time to execute.
    >>> > >>
    >>> > >> Thanks,
    >>> > >> Arsen
    >>> > >>
    >>> > >>
    >>> > >>
    >>> > >>
    >>> > >
    >>> > >
    >>> >
    >>>
    >>>

    >>
    >>

    >
     
    John Alderson, May 9, 2004
    #8
  9. Arsen V.

    Arsen V. Guest

    Thank you very much!

    "John Alderson" <jalderson^at^adelphia^dot^net> wrote in message
    news:%...
    > Arsen,
    >
    > Here's a set of commands to create a IPSec Filter policy to block tcp/80

    and
    > tcp/443. Instead of using IPSECCMD, I used NETSH.
    >
    > *********************************************
    > netsh ipsec static add policy name="Packet Filters - IIS" description="Web
    > Server Hardening policy" assign=no
    > netsh ipsec static add filterlist name="HTTP Server" description="Server
    > Hardening"
    > netsh ipsec static add filterlist name="HTTPS Server" description="Server
    > Hardening",
    > netsh ipsec static add filterlist name="ALL Inbound Traffic"
    > description="Server Hardening"
    > netsh ipsec static add filteraction name=SecPermit description="Allows
    > Traffic to Pass" action=permit
    > netsh ipsec static add filteraction name=Block description="Blocks

    Traffic"
    > action=block
    > netsh ipsec static add filter filterlist="HTTP Server" srcaddr=any
    > dstaddr=me description="HTTP Traffic" protocol=TCP srcport=0 dstport=80
    > netsh ipsec static add filter filterlist="HTTPS Server" srcaddr=any
    > dstaddr=me description="HTTPS Traffic" protocol=TCP srcport=0 dstport=443
    > netsh ipsec static add filter filterlist="ALL Inbound Traffic" srcaddr=any
    > dstaddr=me description="ALL Inbound Traffic" protocol=any srcport=0
    > dstport=0",
    > netsh ipsec static add rule name="HTTP Server Rule" policy="Packet

    Filters -
    > IIS" filterlist="HTTP Server" kerberos=yes filteraction=Block
    > netsh ipsec static add rule name="HTTPS Server Rule" policy="Packet
    > Filters - IIS" filterlist="HTTPS Server" kerberos=yes filteraction=Block
    > netsh ipsec static add rule name="ALL Inbound Traffic Rule" policy="Packet
    > Filters - IIS" filterlist="ALL Inbound Traffic" kerberos=yes
    > filteraction=SecPermit
    > netsh ipsec static set policy name="Packet Filters - IIS" assign=y"
    > *********************************************
    >
    > Once it's created, you can enable and disable it by using NETSH to assign

    or
    > unassign the policy. The last command above assigns it so it enables it.
    >
    > John Alderson
    >
    >
    >
    > "John Alderson" <jalderson^at^adelphia^dot^net> wrote in message
    > news:%...
    > > Hi Arsen,
    > >
    > > IPSECCMD is a part of the Support Tools that can be found on your
    > > installation CD ROM. The syntax is very similar to Windows 2000's
    > > IPSECPOL - part of the Resource Kit. I do have a set of commands to do

    a
    > > block on 80, 443 but I'll have to dig them up at work. I'll post them

    for
    > > you.
    > >
    > > John
    > >
    > >
    > > "Arsen V." <> wrote in message
    > > news:...
    > >> Hi John,
    > >>
    > >> Windows 2003 Server dos not come with "IPSECCMD". What can I use

    instead?
    > >>
    > >> Could you point me to a simple example of how to block TCP/80 and then
    > >> unblock it using the command line?
    > >>
    > >> Thanks,
    > >> Arsen
    > >>
    > >> "Arsen V." <> wrote in message
    > >> news:...
    > >>> Hi John,
    > >>>
    > >>> Thanks for your suggestion. This is pretty much what I was looking

    for.
    > >>> I
    > >>> did not think of the idea to use IPSECCMD to block the requests! This

    is
    > >>> great.
    > >>>
    > >>> Yes, I do have a Load Balancer in front of the web farm. The code is
    > >>> stable. However, sometimes due to load there is too much queueing

    (this
    > >> only
    > >>> occurs on IIS 6) and the IIS server shuts down the process.
    > >>>
    > >>> Thanks,
    > >>> Arsen
    > >>>
    > >>> "John Alderson" <jalderson^at^adelphia^dot^net> wrote in message
    > >>> news:%23uEQk%...
    > >>> > Arsen,
    > >>> >
    > >>> > Do you have multiple web servers in a farm? It wasn't clear from

    your
    > >>> > posts. Are you using a hardware load balancer in front like a BigIP
    > >>> > or
    > >>> > similar? If so, you could script up a custom restarter like:
    > >>> >
    > >>> > 1. IPSECCMD blocks on tcp/80 and tcp/443 - This should take it out

    of
    > >> the
    > >>> > LB pool in a short time depending on how you have your LB setup to
    > >>> > check
    > >>> > website health.
    > >>> > 2. IISRESET
    > >>> > 3. Locally, request your webpages to invoke custom code. Easily
    > >>> scriptable
    > >>> > with VBScript/WinHTTP or a variety of command line tools or even WAS
    > >>> > as
    > >>> > David Wang suggests.
    > >>> > 4. Drop IPSec blocks.
    > >>> >
    > >>> > Have you looked at the web garden concept? Maybe it makes sense for
    > >>> > you
    > >>> to
    > >>> > use > 1 process for this site if you have some semi-stable custom

    code
    > >>> that
    > >>> > needs restarting periodically. Regular restarts of IIS or the OS

    are
    > >>> > something that you don't need if you are running stable code. If

    you
    > >>> > do
    > >>> > seem to need these restarts, this means you have a problem with your
    > >>> custom
    > >>> > code that you need to investigate. With stable web components, IIS
    > >>> > will
    > >>> run
    > >>> > for very long periods.
    > >>> >
    > >>> > John Alderson
    > >>> >
    > >>> > "Arsen V." <> wrote in message
    > >>> > news:%...
    > >>> > > Hi David,
    > >>> > >
    > >>> > > How can I prevent the IIS6 server from being "dropped into the

    live
    > >>> > > rotation" until the warm up scripts run?
    > >>> > >
    > >>> > > What happens now, is that when the computer comes up, IIS starts

    and
    > >>> > > immediately attempts to process the requests which queue up and
    > >>> > > cause
    > >>> > > problems.
    > >>> > >
    > >>> > > Is there a way to tell the IIS to start accepting the requests

    only
    > >>> after
    > >>> > > certain warm up? I need this to be automatic so if IIS is

    restarted
    > >>> > > in
    > >>> the
    > >>> > > middle of the night it can come back up without problems.
    > >>> > >
    > >>> > > Thanks,
    > >>> > > Arsen
    > >>> > >
    > >>> > > "David Wang [Msft]" <> wrote in

    message
    > >>> > > news:...
    > >>> > >> No, IIS does not have a "warm up period" feature. It is pretty
    > >>> > >> easy
    > >> to
    > >>> > >> script WAST or ACT to custom tailor such a warm-up optimized for
    > >>> > >> your
    > >>> > >> website, though.
    > >>> > >>
    > >>> > >> Websites that have high traffic volume usually devise their own

    mix
    > >> of
    > >>> > >> requests to "warm up" a server and get various applications
    > >>> pre-compiled,
    > >>> > >> etc -- this is especially necessary for .Net applications, which
    > >> incur
    > >>> a
    > >>> > > CLR
    > >>> > >> load-up cost as well as ASP.Net pre-compilation cost. After the
    > >> server
    > >>> > >> is
    > >>> > >> warmed up, then it is dropped into the live rotation.
    > >>> > >>
    > >>> > >> There shouldn't be much difference between IIS5 and IIS6 in

    startup
    > >>> > >> unless
    > >>> > >> you're using the health-monitoring features of IIS6 to recycle

    the
    > >>> worker
    > >>> > >> process.
    > >>> > >>
    > >>> > >> --
    > >>> > >> //David
    > >>> > >> IIS
    > >>> > >> This posting is provided "AS IS" with no warranties, and confers

    no
    > >>> > > rights.
    > >>> > >> //
    > >>> > >> "Arsen V." <> wrote in message
    > >>> > >> news:...
    > >>> > >> Hi,
    > >>> > >>
    > >>> > >> We have a website with a very high volume of traffic. The pages

    are
    > >>> > > ASP.NET.
    > >>> > >> There are some configuration settings that get loaded by the
    > >> Global.asx
    > >>> > > file
    > >>> > >> on Application Start event. The load time for those settings is
    > >>> > >> about
    > >> 3
    > >>> > >> seconds.
    > >>> > >>
    > >>> > >> When the site is running on IIS5 everything is okay.
    > >>> > >>
    > >>> > >> When the site is running on IIS6 there are problems. It looks

    like
    > >> when
    > >>> > > IIS
    > >>> > >> starts and all the requests start coming in it is trying to

    compile
    > >> the
    > >>> > >> ASP.NET CLR and to load the settings in Global.asx. However,

    since
    > >>> there
    > >>> > > are
    > >>> > >> over 100 requests/second, soon it starts to give Service
    > >>> > >> Unavailable
    > >>> and
    > >>> > > log
    > >>> > >> errors QueueFull in the HTTPERR file.
    > >>> > >>
    > >>> > >> If I manually stop the IIS, set the directory security of the
    > >>> > >> website
    > >>> to
    > >>> > >> accept only the local requests, execute one request, wait 5
    > >>> > >> seconds,
    > >>> and
    > >>> > >> then change the security to accept all requests, it works great.
    > >>> > >>
    > >>> > >> Is there a way to give IIS a warm up time? I think it fails

    because
    > >>> there
    > >>> > >> are so many requests that come right away before the CLR is
    > >>> > >> compiled
    > >>> and
    > >>> > > the
    > >>> > >> load settings in the Global.asx has time to execute.
    > >>> > >>
    > >>> > >> Thanks,
    > >>> > >> Arsen
    > >>> > >>
    > >>> > >>
    > >>> > >>
    > >>> > >>
    > >>> > >
    > >>> > >
    > >>> >
    > >>>
    > >>>
    > >>
    > >>

    > >

    >
     
    Arsen V., May 10, 2004
    #9
    1. Advertising

Want to reply to this thread or ask your own question?

It takes just 2 minutes to sign up (and it's free!). Just click the sign up button to choose a username and then you can ask your own questions on the forum.
Similar Threads
  1. Bob Johnson
    Replies:
    0
    Views:
    3,801
    Bob Johnson
    Aug 7, 2003
  2. Ravikanth[MVP]

    Automatic logout after elapsed period

    Ravikanth[MVP], Aug 21, 2003, in forum: ASP .Net
    Replies:
    0
    Views:
    493
    Ravikanth[MVP]
    Aug 21, 2003
  3. laimis

    keeping asp.net pages warm

    laimis, Jul 18, 2005, in forum: ASP .Net
    Replies:
    3
    Views:
    685
    Brock Allen
    Jul 18, 2005
  4. NiTiN

    very warm hello to ALL

    NiTiN, Oct 29, 2007, in forum: Java
    Replies:
    2
    Views:
    349
    Hunter Gratzner
    Oct 29, 2007
  5. Replies:
    0
    Views:
    340
Loading...

Share This Page