DESY WindowsNT Web-Services

SLAC HEPNT / HEPIX Meeting October 4. - 8. 1999

1

DESY WindowsNT Web-Services

Henner Bartels

DESY WindowsNT Group

SLAC HEPNT / HEPIX Meeting October 4. - 8. 1999 2

Abstract

I will present the DESY WindowsNT solution for providing web services to our NT community.

As an example for web-based computing an intranet application scenario displaying our NT domain management tools will be reviewed.


Topics of Discussion

Motivations for implementing NT-based web-services

Implementation of our IIS-cluster Application design considerations NT domain management scenario


Motivations for Implementing NT-based

Web-services Demands of the WindowsNT group Requests of DESY groups End-user support


Demands of the WindowsNT Group

Increasing demands for web-based, cross-platform capable computing NT domain administration

MS BackOffice family relies on services provided by IIS Exchange, Office, WebDAV MTS, MSMQ

Simplified global collaboration and data exchange


Requests of DESY Groups

Complex web sites needed without having to setup a dedicated web server

None or minimal management overhead desired

Server-side scripting (e.g. CGI, ASP) Access to other domain resources Secured and closed forums


Group Webs

Group web spaces appear as sub-directories in the WindowsNT web

Full server-side scripting support including Perl, VBScript and others

Domain resources can be accessed using ActiveX, ADO, ADSI and MTS

No management overhead No support for https (using NT ACLs)


End-User Support

Personal web pages(e.g. www.desy.de/~hbartels) Available to users with Unix accounts No solution for non-Unix users or

those preferring to create content on NT without the hassle of file-transfer


Personal WebPages

Now fully supported(e.g. desyntwww.desy.de/~hbartels)

Web content located in the user home directory

No server-side scripting (security!) No support for https (using NT ACLs) A platform-independent solution is

still pending


Implementation of Our IIS-cluster

Key requirements Server configuration Cluster setup Data flow Manageability Drawbacks


Key Requirements

Scalable and robust solution Simple to manage Highly integrated with MS BackOffice Security using SSL, NTFS Content stored where user and group

data are located Server-side scripting using WSH


Server Configuration

Compatible industry PC equipped with: Pentium II running at 350 MHz 256 MB RAM 2 IDE Disks (mirrored, < 1 GB used) 2 NICs (1 onboard / 1 PCI card)

NT Enterprise Server, SP 5 IIS, Index Server, related Hot-Fixes Active State Perl


Cluster Considerations

To provide service reliability clustering

technologies are employed MS Cluster Server (Wolf Pack)

Fail-Over Server without load-balancing Requires (expensive) hardware

Windows Load Balancing Service No Fail-Over IP-based load-balancing (up to 32 nodes) In case a node fails only those connections

will have to reconnect


How WLBS Works

Cluster NIC sharesIP address andMAC on all nodes

Handles Clustertraffic and inboundconnections

The dedicatedNIC manages theestablished connections


Cluster Setup

DFS Files MTS Node Node

Switch

Hub


Data Flow

Switch

Hub

DFS Files MTS Node Node

Client


Manageability

Cluster nodes can be managed using MS Management Console

Configuration changes have to be replicated using scripts (ADSI)

Management of Group Webs will be implemented using a web interface Setting / Removing IP restrictions Enabling / Disabling HTTPS Set directory access rights


Drawbacks

IIS 4.0 is designed to store content on local disks Some ISAPI filters (e.g. .hqx) will not

work properly FrontPage Server extensions can not

be used When using HTTPS connections no

ACL check is performed, however delegation is properly handled


Application Design Considerations

Supported clients Client requirements Maintaining state information Using XML / XSL


Supported Clients

Netscape 3 Windows 3.11 (NICE)

Netscape 4+ Standard Unix Browser

Internet Explorer 4+ Standard(?) NT Browser Internet Explorer 5 is expected to be

the next standard viewer on NT


Client Requirements

To provide a visually appealing and

dynamic environment clients have to

support: Frames At least JavaScript 1.1 Layers (used in some applications) No Plug-Ins No Java /ActiveX


Maintaining State Information

Use of Cookies Cookies are usually disabled

Abuse URLs search part to communicate session state Difficult to maintain with static pages Interference when search part is used to

transport queries or form data Use global JavaScript variables stored in

top-level frame-set JavaScript has to be enabled


Using XML / XSL

XML data and accompanying DTDs are used to: Provide data used in multiple pages Store configuration information Markup data displayed by scripts

XML data is processed on the server XSL will be used to transform data for

clients with disabled scripting engines


NT Domain Management Scenario

DESY requirements Commercial solutions Application design Remote scripting object Live demonstration


DESY Requirements (I)

Computer and user management at DESY is handled by three groups User Consulting Office (UCO) Group administrators WindowsNT domain administrators

Tasks and scope of authorization vary slightly Changes of user properties Removing a computer from the domain Creation of new groups


DESY Requirements (II)

Setting of license-, inventory- and other management information

Most of these tasks require elevated

privileges, however the number of staff

with administrative rights must be small


Commercial Solutions

Commercial solutions (e.g. TEM) are providing: Fine-grained control over the various NT

management options NT based management clients

They require time to setup and maintain proper configuration

They do not come with a web-based client They can not be adopted to reflect site-

specific or non-NT related tasks


Application Design

We have implemented a framework that dynamically adopts to the privileges of the connecting user

Different views exist for managing users, web configuration and miscellaneous tools

Dynamic HTML, client and server-side scripting are providing an advanced and consistent user interface

The DESY Scripting Host (DSH) is used to gather data and perform requested actions with the required privileges


Usage


Summary

We have implemented an IIS-based web server using current clustering and load-balancing technologies

We were able to show the availability of our solution by hosting multiple Group Webs over a period of several month

Web-based applications have been successfully implemented and demonstrated no undesired behavior even after forcing cluster nodes to shut down


Next Steps

Automation of cluster management Extending available tools Better modularization of components Migration to IIS 5.0 Support for WebDAV

Documents

DESY WindowsNT Web-Services