Since most Servers are moving towards TLS 1.3 and removing TLS 1.0/1.1 support, it is important to make note of certain Server configurations that might be required to make your .Net Framework Application compatible with new TLS versions like TLS 1.2.
As per the documentation, upgrading the Application to the latest .Net Framework, such as version 4.8, automatically handles compatibility with newer TLS versions when older TLS versions are disabled.
I managed to resolve the issues on my server by updating the SSL Cipher Suite Order. I had mistakenly removed some of the suites that Windows suggested were for TLS 1.0 and 1.1 only, when in fact they were needed for some TLS 1.2 connections as well.
I resolved my issues by:
Open Run Prompt and run gpedit.msc
Navigate to “Administrative Templates > Network > SSL Configuration Settings”
Open SSL Cipher Suite Order
Paste the list of suites below into the text box (make sure there are no spaces)
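The mistake described above can be caught before the policy is applied. The following is an added example, not part of the original post: it takes the enabled suites with their protocol lists and a proposed "SSL Cipher Suite Order" string, and reports which removed suites are also used by TLS 1.2. The function name and the sample data are made up for illustration.

```powershell
# Added example, not from the original post. Get-SuiteRemovalImpact and the
# sample data are hypothetical. Get-TlsCipherSuite reports protocol versions
# numerically: 769 = TLS 1.0, 770 = TLS 1.1, 771 = TLS 1.2.
function Get-SuiteRemovalImpact {
    param(
        [Parameter(Mandatory)] [object[]] $EnabledSuites,  # objects with Name, Protocols
        [Parameter(Mandatory)] [string]   $NewOrder        # text for "SSL Cipher Suite Order"
    )
    if ($NewOrder -match '\s') {
        Write-Warning 'The list contains whitespace; it must be comma-separated with no spaces.'
    }
    $keep = @($NewOrder -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ })

    foreach ($suite in $EnabledSuites) {
        if ($keep -contains $suite.Name) { continue }   # still present, nothing lost
        [pscustomobject]@{
            RemovedSuite = $suite.Name
            UsedByTls12  = $suite.Protocols -contains 771
            UsedByOldTls = [bool]($suite.Protocols | Where-Object { $_ -in 769, 770 })
        }
    }
}

# Constructed sample in the shape Get-TlsCipherSuite returns (Name, Protocols).
$sample = @(
    [pscustomobject]@{ Name = 'TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384'; Protocols = @(771) }
    [pscustomobject]@{ Name = 'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA';    Protocols = @(769, 770, 771) }
)

# A proposed list that drops the CBC_SHA suite because it looks like a TLS 1.0/1.1 suite.
$proposed = 'TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384'

# Rows returned here are suites whose removal also affects TLS 1.2 connections.
Get-SuiteRemovalImpact -EnabledSuites $sample -NewOrder $proposed |
    Where-Object UsedByTls12 |
    Format-Table -AutoSize

# On a real server (Windows Server 2016 or later), check against the live list:
#   Get-SuiteRemovalImpact -EnabledSuites (Get-TlsCipherSuite) -NewOrder $proposed
```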
Suppose you have a file in the virtual directory whose filename contains non-English characters such as umlauts, e.g. ö. When you try to access its path, the file is inaccessible, while files with only English characters are accessible.
You can try the following IIS settings. The first one is:
Open IIS and double-click the ‘Request Filtering’ icon
In the ‘File Name Extension’ right click -> ‘Edit Feature Settings…’ the file ‘web.config’
Check the option ‘Allow double escaping’ (this option is unchecked by default)
Repeat the 3 steps above for the ‘default website’ (or whatever name you have given to your site)
UrlScan under ISAPI:
One possible cause is that you’re using the UrlScan extension for IIS, which is visible under ISAPI filters. It is applied to all sites by default. In our case, removing UrlScan for the site facing the issue resolved it.
Consider a situation where you need to redirect your Application to the Error page when you receive a particular value in your query string. This can be done using URL Rewrite with an inbound rule, added either directly in IIS or directly in your web.config.
I’ve found the LogParser tool to be very useful for querying log files, especially whenever I am required to analyze the IIS log files. You can download LogParser from here.
In this example, I’ll be querying multiple log files for the unique users visiting the site with Windows Authentication. Click on the icon “Choose Log files/folders to query” and add all the files you want to search. Open a New Query window and, in the Query editor, enter the below query:
SELECT DISTINCT cs-username FROM '[LOGFILEPATH]'
This works much like SQL queries where IIS log headers work like columns. The above query will simply return distinct users visiting the site. Make sure the Log Type selected is W3CLOG.
An update to the above example that searches for a query string and also gets the count per username:
SELECT cs-username, COUNT(cs-username) AS Hits FROM '[LOGFILEPATH]' WHERE cs-uri-query LIKE '%Excel%' GROUP BY cs-username
If you want to Output all the data to a .csv file, then you can use the below query:
SELECT DISTINCT cs-username INTO '[OUTFILEPATH]users.CSV' FROM '[LOGFILEPATH]'
You can check the default export directory where the file is created. It should be something like this “C:\Users\<username>\AppData\Roaming\ExLPT\Log Parser Studio\Output”.
A Reverse Proxy is an intermediate Server that might be exposed to the Internet. It can help secure incoming traffic from the Client by forwarding each request to a back-end service that might be on a Private network. It then returns the response to the Client and hides your Web Server from the outside world.
You need the following IIS extensions for configuring IIS Reverse Proxy:
Some non-.Net Applications, like the ones written in classic ASP, need to be debugged in Visual Studio. Since these are hosted not on IIS Express but on IIS, you need to identify the worker process running on your machine or the Server and attach the Visual Studio debugger to w3wp.exe.
Enable Debugging under IIS classic ASP section as shown below:
Under the Debug menu in Visual Studio, select “Attach to Process”:
There may be multiple worker processes running on the machine depending on how many applications are running under IIS. Match the right one with the correct ProcessID.
Add the debug points in your Asp file and hit the required Page in the browser.
An SSL certificate, also known as a digital certificate, helps establish a secure link between the Client browser and the Hosting Server.
Self-signed certificates are created when you need to test your website using an SSL certificate. This is usually not recommended for Production use especially if your website involves sensitive data transactions.
This example is from IIS 8.5. Open IIS Manager and select your Server name from the Left Pane. Double-click on Server Certificates as highlighted.
Select the option for Self-signed certificates on the right as shown. Provide a suitable name for your certificate in the dialog box.
The list will show the created SSL certificate, valid for a year and issued to the Server.
Add this certificate to your website by binding it to port 443.
Since the certificate is issued to the Server, you might get a certificate trust error in the browser. You can just continue to the website to test further. To get rid of this error, you’ll need to create either a SAN certificate or a wild card certificate as per your needs.
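A scripted equivalent of the steps above that also puts the site's host names into the certificate's subject alternative names, as an added example that is not part of the original post. The site name and host names are placeholders, and it assumes an elevated session on the IIS server.

```powershell
# Added example, not from the original post. The site and host names below
# are placeholders; run in an elevated session on the IIS server.
Import-Module WebAdministration

$siteName = 'Default Web Site'                            # assumption: target site
$dnsNames = 'dev.example.test', 'www.dev.example.test'    # names typed in the browser

# -DnsName uses the first name as the subject and lists every name in the
# subject alternative name (SAN) extension of the self-signed certificate.
$cert = New-SelfSignedCertificate -DnsName $dnsNames -CertStoreLocation 'Cert:\LocalMachine\My'

# Create the HTTPS binding on port 443 if the site does not have one yet.
$binding = Get-WebBinding -Name $siteName -Protocol https -Port 443
if (-not $binding) {
    New-WebBinding -Name $siteName -Protocol https -Port 443 -IPAddress '*'
    $binding = Get-WebBinding -Name $siteName -Protocol https -Port 443
}

# Attach the certificate from the LocalMachine\My store to that binding.
# This call fails if the binding already has a certificate assigned.
$binding.AddSslCertificate($cert.Thumbprint, 'My')

# Confirm the names and the expiry date of the new certificate.
$cert | Select-Object Subject, DnsNameList, NotAfter, Thumbprint
```

The browser on the test machine still has to trust this certificate, for example by importing it into that machine's Trusted Root Certification Authorities store.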
When it comes to managing your website traffic, one of the things to consider is the availability of your website.
IIS has an idle time-out property that is set to 20 minutes by default. This means that if no request comes to your site for 20 minutes, IIS kills the worker process to free up resources, that is, the memory used by loaded classes, sessions etc. This can be helpful when multiple websites are hosted on the Server and it is short on resources.
You’ll find the below settings under the AppPool advanced settings:
So, when the next request comes to your site to access something, e.g. the Login page, the IIS Server needs to initialize the worker process again and load the resources required to serve that request. The first request will be slow to respond to the user because of all the initialization time required. You need to think about how much traffic usually comes to your site. If your website requires high availability, then you should consider setting the idle time-out to 0 in the App Pool settings. If high availability isn’t a concern, you can decide for how many minutes you’d usually require your application to be available, depending on the traffic.
There have been studies showing that initial load time can make or break a website. So, please be careful about this setting. Internet-facing websites usually require high availability. For Intranet websites, you can pick some number of minutes based on the usage.