IIS 6.0

Hi.

I've just installed (last week) a new W2K3 server (std.) with IIS 6.0.
2 things about IIS:
-first, configured to listen on port 80 on internal NIC, it was continuing listening on external 80, prohibiting WebProxy service (ISA 2000) to listen for Incoming Web requests on external 80. Well, I've configured IIS to listen on internal 81 and I provided functionality, but IIS still do something I cannot identify. I record hundreds of "ISA Server detected a spoof attack from Internet Protocol (IP) address 127.0.0.1". They come from IIS. If I stop the service, the spoofs stop. So, what is IIS doing and I don't know? Or, should IIS do it and I don't have to know or control it?

-second, I host a site with ASP.NET applications. It was OK in old IIS 5. Now, it works, but only sometimes... I mean, you had rather receive an "HTTP 400 - Bad Request" than having the page displayed. The pages are pretty simple, so that is couldn't be a problem of big amount of info. What disturb me the most is the fact that some clients call asking what happen, they input their login 7 or 8 times and they are still asked to provide the login data. They ask for the password (thinking their password has changed).

Thank you for any help.

Ovidiu

1. Use HTTPCFG.EXE from the Resource Kit (I believe it is there on the CD,
under <CD>\support\tools\support.cab ) to restrict HTTP.SYS (and hence IIS)
to listen on on specific interfaces. HTTP.SYS defaults to listening for
port 80 on all interfaces.
2. You will have to look at the server log files, under
%SYSTEMROOT%\System32\LogFiles --> for HTTPERR\*.log and W3SVC#\*.log as
well as the event log for clues. Reasons for 400 responses are usually
recorded in HTTPERR\*.log

As for having login failures -- that depends on how the server is
configured. Integrated authentication doesn't work in Internet scenarios,
and if you use custom AppPool Identity and have the server in a domain, be
sure to read ALL of the documentation on Custom AppPool Identity for one
potential issue with Kerberos. Check the web logs for more info on what's
going on -- you need to give the sub status error code for all those 401
responses.

--
//David
IIS
This posting is provided "AS IS" with no warranties, and confers no rights.
//
"ovidiu" <anonymous DeleteThis @discussions.microsoft.com> wrote in message
news:49D78E42-93D0-4D64-9CC2-3FF09653A505@microsoft.com...
Hi.

I've just installed (last week) a new W2K3 server (std.) with IIS 6.0.
2 things about IIS:
-first, configured to listen on port 80 on internal NIC, it was continuing
listening on external 80, prohibiting WebProxy service (ISA 2000) to listen
for Incoming Web requests on external 80. Well, I've configured IIS to
listen on internal 81 and I provided functionality, but IIS still do
something I cannot identify. I record hundreds of "ISA Server detected a
spoof attack from Internet Protocol (IP) address 127.0.0.1". They come from
IIS. If I stop the service, the spoofs stop. So, what is IIS doing and I
don't know? Or, should IIS do it and I don't have to know or control it?

-second, I host a site with ASP.NET applications. It was OK in old IIS 5.
Now, it works, but only sometimes... I mean, you had rather receive an "HTTP
400 - Bad Request" than having the page displayed. The pages are pretty
simple, so that is couldn't be a problem of big amount of info. What disturb
me the most is the fact that some clients call asking what happen, they
input their login 7 or 8 times and they are still asked to provide the login
data. They ask for the password (thinking their password has changed).

Thank you for any help.

Ovidiu