Raw data filters

Hi Drew,

Very good question!

For the raw data, I will try to explain this for you.

IIS6 introduces a new configurable process architecture model: Worker
Process Isolation Mode(WPIM). Another new mode is IIS5 isolation mode. The
chosen configuration can have a significant effect on how ISAPI filters
behave. When IIS 6.0 is in WPIM, the process model is based on application
pools, which do not correspond directly to sites. The issue of
SF_NOTIFY_READ_RAW_DATA is moot, because IIS does not support this ISAPI
filter notification when it runs in worker process isolation mode. This
occurs because Http.sys routes the request based on server bindings and the
URL namespace. It cannot route a READ_RAW_DATA notification to the right
process. This is not an issue in IIS 5.0 isolation mode because Inetinfo is
always the only worker process.

Furthermore, you can obtain more information about the ISAPI filter from
Microsoft.com. Please go to:
Developer Notes for ISAPI Filters
http://msdn.microsoft.com/library/en-us/iisref/htm/DeveloperNotesforISAPIFil
ters.asp?frame=true

In addition, there are also some new samples for ISAPI which may help you a
lot on the development. Please go to:
New ISAPI Samples
http://msdn.microsoft.com/library/en-us/iisref/htm/isapisamples.asp?frame=tr
ue

These samples are included in IIS SDK of platform SDK. You can find it from
the link below.
http://www.microsoft.com/msdownload/platformsdk/sdkupdate/

Does this answer your question? Thank you for using Microsoft NewsGroup!

Wei-Dong Xu
Microsoft Product Support Services
Get Secure! - www.microsoft.com/security
This posting is provided "AS IS" with no warranties, and confers no rights.
 >> Stay informed about: Raw data filters 

Chris,

Excellent webcast! It really helped to explain a lot of
concepts and clear up any 'unknowns' I had with IIS 6.0.
I forwarded the link to our developers and other staff
members.

I do have another question. In your presentation you
used SSL and SSPIfilt(?) as an example of the raw data
filtering. My question is, if we install an SSL cert.
will this force us to run under IIS 5 IM? Or is that
just another method of implementing SSL? What advice
would you have for implementing SSL on IIS 6?

Thanks,
Drew


 >-----Original Message-----
 >Hey ~
 >
 >Any ISAPI filter that requires registration with
Inetinfo for Read Raw
 >Notifications will fail because IIS no longer has access
to the raw stream
 >of data. In this case, HTTP.sys takes the stream of
data in the form of a
 >request and passes to IIS in the form of a message...
 >
 >So, for example, IIS 5 used to have data passed like
this:
 >
 >GET /default.asp , etc...
 >
 >In IIS 6, we get something like this:
 >
 >3, 10, etc...
 >
 >The difference, IIS understands how HTTP.sys will pass
the data to us and we
 >no longer access the raw data. Hence, registering for
this just don't work.
 >If a ISAPI filter requires this functionality, it will
not work and the
 >filter will fail to load. For more details, I recommend
that you review the
 >webcast on this topic where we talk about this...
 >
 >http://www.microsoft.com/usa/webcasts/ondemand/2279.asp
 >
 >--
 >~Chris (MSFT)
 >IIS Supportability Lead
 >
 >This posting is provided "AS IS" with no warranties, and
confers no rights
 >
 >
 >"Drew" <dyang DeleteThis @bayada.com> wrote in message
 >news:0ffe01c38c42$4e30ff70$a001280a@phx.gbl...
  >> In one of the technical white papers for Windows Server
  >> 2003, it is stated that "Some applications may not be
  >> compatible with IIS 6.0 worker process isolation mode
  >> such as applications written as read raw data
  >> filters..." Can someone explain or give an example of
  >> this?
  >>
  >> Regards,
  >> Drew
 >
 >
 >.
 ><!-- ~MESSAGE_AFTER~ -->
 >> Stay informed about: Raw data filters 

Hi Xu,

Thank you very much for the explanation.

Drew

 >-----Original Message-----
 >Hi Drew,
 >
 >Very good question!
 >
 >For the raw data, I will try to explain this for you.
 >
 >IIS6 introduces a new configurable process architecture
model: Worker
 >Process Isolation Mode(WPIM). Another new mode is IIS5
isolation mode. The
 >chosen configuration can have a significant effect on
how ISAPI filters
 >behave. When IIS 6.0 is in WPIM, the process model is
based on application
 >pools, which do not correspond directly to sites. The
issue of
 >SF_NOTIFY_READ_RAW_DATA is moot, because IIS does not
support this ISAPI
 >filter notification when it runs in worker process
isolation mode. This
 >occurs because Http.sys routes the request based on
server bindings and the
 >URL namespace. It cannot route a READ_RAW_DATA
notification to the right
 >process. This is not an issue in IIS 5.0 isolation mode
because Inetinfo is
 >always the only worker process.
 >
 >Furthermore, you can obtain more information about the
ISAPI filter from
 >Microsoft.com. Please go to:
 >Developer Notes for ISAPI Filters
 >http://msdn.microsoft.com/library/en-
us/iisref/htm/DeveloperNotesforISAPIFil
 >ters.asp?frame=true
 >
 >In addition, there are also some new samples for ISAPI
which may help you a
 >lot on the development. Please go to:
 >New ISAPI Samples
 >http://msdn.microsoft.com/library/en-
us/iisref/htm/isapisamples.asp?frame=tr
 >ue
 >
 >These samples are included in IIS SDK of platform SDK.
You can find it from
 >the link below.
 >http://www.microsoft.com/msdownload/platformsdk/sdkupdate
/
 >
 >Does this answer your question? Thank you for using
Microsoft NewsGroup!
 >
 >Wei-Dong Xu
 >Microsoft Product Support Services
<font color=purple> >Get Secure! - <a style='text-decoration: underline;' href="http://www.microsoft.com/security</font" target="_blank">www.microsoft.com/security</font</a>>
 >This posting is provided "AS IS" with no warranties, and
confers no rights.
 >
 >.
 ><!-- ~MESSAGE_AFTER~ -->
 >> Stay informed about: Raw data filters 

No. IIS6 implements SSL internally, so all you need to do is enable a check
box to have SSL work -- as it should be. SSL works the same way in both
modes (except maybe slightly faster in IIS6 Native Mode).

Prior versions of IIS relied on SSPIFILT (a ReadRawData ISAPI Filter) to
implement SSL, so theoretically you could have removed the filter, and if
you checked the "enable SSL" checkbox, SSL will not work.

--
//David
IIS
This posting is provided "AS IS" with no warranties, and confers no rights.
//
"Drew" <dyang RemoveThis @bayada.com> wrote in message
news:03d301c38d03$f0380f90$a301280a@phx.gbl...
Chris,

Excellent webcast! It really helped to explain a lot of
concepts and clear up any 'unknowns' I had with IIS 6.0.
I forwarded the link to our developers and other staff
members.

I do have another question. In your presentation you
used SSL and SSPIfilt(?) as an example of the raw data
filtering. My question is, if we install an SSL cert.
will this force us to run under IIS 5 IM? Or is that
just another method of implementing SSL? What advice
would you have for implementing SSL on IIS 6?

Thanks,
Drew


 >-----Original Message-----
 >Hey ~
 >
 >Any ISAPI filter that requires registration with
Inetinfo for Read Raw
 >Notifications will fail because IIS no longer has access
to the raw stream
 >of data. In this case, HTTP.sys takes the stream of
data in the form of a
 >request and passes to IIS in the form of a message...
 >
 >So, for example, IIS 5 used to have data passed like
this:
 >
 >GET /default.asp , etc...
 >
 >In IIS 6, we get something like this:
 >
 >3, 10, etc...
 >
 >The difference, IIS understands how HTTP.sys will pass
the data to us and we
 >no longer access the raw data. Hence, registering for
this just don't work.
 >If a ISAPI filter requires this functionality, it will
not work and the
 >filter will fail to load. For more details, I recommend
that you review the
 >webcast on this topic where we talk about this...
 >
 >http://www.microsoft.com/usa/webcasts/ondemand/2279.asp
 >
 >--
 >~Chris (MSFT)
 >IIS Supportability Lead
 >
 >This posting is provided "AS IS" with no warranties, and
confers no rights
 >
 >
 >"Drew" <dyang RemoveThis @bayada.com> wrote in message
 >news:0ffe01c38c42$4e30ff70$a001280a@phx.gbl...
  >> In one of the technical white papers for Windows Server
  >> 2003, it is stated that "Some applications may not be
  >> compatible with IIS 6.0 worker process isolation mode
  >> such as applications written as read raw data
  >> filters..." Can someone explain or give an example of
  >> this?
  >>
  >> Regards,
  >> Drew
 >
 >
 >.
 ><!-- ~MESSAGE_AFTER~ -->
 >> Stay informed about: Raw data filters 

Hi Drew,

Thank you for replying!

You are very welcome!

Thank you once more for using Microsoft NewsGroup!

Wei-Dong Xu
Microsoft Product Support Services
Get Secure! - www.microsoft.com/security
This posting is provided "AS IS" with no warranties, and confers no rights.
 >> Stay informed about: Raw data filters 

Wow! So are you saying I don't need to purchase an SSL
certificate from Verisign or Thawte, etc?

 >-----Original Message-----
 >No. IIS6 implements SSL internally, so all you need to
do is enable a check
 >box to have SSL work -- as it should be. SSL works the
same way in both
 >modes (except maybe slightly faster in IIS6 Native Mode).
 >
 >Prior versions of IIS relied on SSPIFILT (a ReadRawData
ISAPI Filter) to
 >implement SSL, so theoretically you could have removed
the filter, and if
 >you checked the "enable SSL" checkbox, SSL will not work.
 >
 >--
 >//David
 >IIS
 >This posting is provided "AS IS" with no warranties, and
confers no rights.
 >//
 >"Drew" <dyang.RemoveThis@bayada.com> wrote in message
 >news:03d301c38d03$f0380f90$a301280a@phx.gbl...
 >Chris,
 >
 >Excellent webcast! It really helped to explain a lot of
 >concepts and clear up any 'unknowns' I had with IIS 6.0.
 >I forwarded the link to our developers and other staff
 >members.
 >
 >I do have another question. In your presentation you
 >used SSL and SSPIfilt(?) as an example of the raw data
 >filtering. My question is, if we install an SSL cert.
 >will this force us to run under IIS 5 IM? Or is that
 >just another method of implementing SSL? What advice
 >would you have for implementing SSL on IIS 6?
 >
 >Thanks,
 >Drew
 >
 >
  >>-----Original Message-----
  >>Hey ~
  >>
  >>Any ISAPI filter that requires registration with
 >Inetinfo for Read Raw
  >>Notifications will fail because IIS no longer has access
 >to the raw stream
  >>of data. In this case, HTTP.sys takes the stream of
 >data in the form of a
  >>request and passes to IIS in the form of a message...
  >>
  >>So, for example, IIS 5 used to have data passed like
 >this:
  >>
  >>GET /default.asp , etc...
  >>
  >>In IIS 6, we get something like this:
  >>
  >>3, 10, etc...
  >>
  >>The difference, IIS understands how HTTP.sys will pass
 >the data to us and we
  >>no longer access the raw data. Hence, registering for
 >this just don't work.
  >>If a ISAPI filter requires this functionality, it will
 >not work and the
  >>filter will fail to load. For more details, I recommend
 >that you review the
  >>webcast on this topic where we talk about this...
  >>
  >>http://www.microsoft.com/usa/webcasts/ondemand/2279.asp
  >>
  >>--
  >>~Chris (MSFT)
  >>IIS Supportability Lead
  >>
  >>This posting is provided "AS IS" with no warranties, and
 >confers no rights
  >>
  >>
  >>"Drew" <dyang.RemoveThis@bayada.com> wrote in message
  >>news:0ffe01c38c42$4e30ff70$a001280a@phx.gbl...
   >>> In one of the technical white papers for Windows
Server
   >>> 2003, it is stated that "Some applications may not be
   >>> compatible with IIS 6.0 worker process isolation mode
   >>> such as applications written as read raw data
   >>> filters..." Can someone explain or give an example of
   >>> this?
   >>>
   >>> Regards,
   >>> Drew
  >>
  >>
  >>.
  >>
 >
 >
 >.
 ><!-- ~MESSAGE_AFTER~ -->
 >> Stay informed about: Raw data filters 

Disregard my previous email. I confused myself with
enabling SSL and obtaining a cert. from a certification
authority.

 >-----Original Message-----
 >No. IIS6 implements SSL internally, so all you need to
do is enable a check
 >box to have SSL work -- as it should be. SSL works the
same way in both
 >modes (except maybe slightly faster in IIS6 Native Mode).
 >
 >Prior versions of IIS relied on SSPIFILT (a ReadRawData
ISAPI Filter) to
 >implement SSL, so theoretically you could have removed
the filter, and if
 >you checked the "enable SSL" checkbox, SSL will not work.
 >
 >--
 >//David
 >IIS
 >This posting is provided "AS IS" with no warranties, and
confers no rights.
 >//
 >"Drew" <dyang.DeleteThis@bayada.com> wrote in message
 >news:03d301c38d03$f0380f90$a301280a@phx.gbl...
 >Chris,
 >
 >Excellent webcast! It really helped to explain a lot of
 >concepts and clear up any 'unknowns' I had with IIS 6.0.
 >I forwarded the link to our developers and other staff
 >members.
 >
 >I do have another question. In your presentation you
 >used SSL and SSPIfilt(?) as an example of the raw data
 >filtering. My question is, if we install an SSL cert.
 >will this force us to run under IIS 5 IM? Or is that
 >just another method of implementing SSL? What advice
 >would you have for implementing SSL on IIS 6?
 >
 >Thanks,
 >Drew
 >
 >
  >>-----Original Message-----
  >>Hey ~
  >>
  >>Any ISAPI filter that requires registration with
 >Inetinfo for Read Raw
  >>Notifications will fail because IIS no longer has access
 >to the raw stream
  >>of data. In this case, HTTP.sys takes the stream of
 >data in the form of a
  >>request and passes to IIS in the form of a message...
  >>
  >>So, for example, IIS 5 used to have data passed like
 >this:
  >>
  >>GET /default.asp , etc...
  >>
  >>In IIS 6, we get something like this:
  >>
  >>3, 10, etc...
  >>
  >>The difference, IIS understands how HTTP.sys will pass
 >the data to us and we
  >>no longer access the raw data. Hence, registering for
 >this just don't work.
  >>If a ISAPI filter requires this functionality, it will
 >not work and the
  >>filter will fail to load. For more details, I recommend
 >that you review the
  >>webcast on this topic where we talk about this...
  >>
  >>http://www.microsoft.com/usa/webcasts/ondemand/2279.asp
  >>
  >>--
  >>~Chris (MSFT)
  >>IIS Supportability Lead
  >>
  >>This posting is provided "AS IS" with no warranties, and
 >confers no rights
  >>
  >>
  >>"Drew" <dyang.DeleteThis@bayada.com> wrote in message
  >>news:0ffe01c38c42$4e30ff70$a001280a@phx.gbl...
   >>> In one of the technical white papers for Windows
Server
   >>> 2003, it is stated that "Some applications may not be
   >>> compatible with IIS 6.0 worker process isolation mode
   >>> such as applications written as read raw data
   >>> filters..." Can someone explain or give an example of
   >>> this?
   >>>
   >>> Regards,
   >>> Drew
  >>
  >>
  >>.
  >>
 >
 >
 >.
 ><!-- ~MESSAGE_AFTER~ -->
 >> Stay informed about: Raw data filters 

For testing purposes, you can use Self-Signed certificates (Versign, et al
also provide free "test certs") -- Check out the tool SelfSSL from the IIS6
Resource Kit on how to do this:
<a style='text-decoration: underline;' href="http://www.microsoft.com/downloads/details.aspx?FamilyID=56fc92ee-a71a-4c73-b628-ade629c89499&DisplayLang=en" target="_blank">http://www.microsoft.com/downloads/details.aspx?FamilyID=56fc92ee-a71a...73-b628</a>

So, yes, it is easy to test out SSL encryption on IIS6 without spending any
money nor time.

Now, people frequently do not realize that browsers expect more than
encryption from SSL:
1. SSL is for encryption
2. SSL is for trust

Self-Signed certs allow you to do #1, but #2 is not satisfied. Verisign, et
al, have special authority to satisfy #2. If you wish to do any sort of
commerce or do not control the client browser's root certificates (which is
pretty much the majority case), then you will need to pay money to Verisign,
et al, to avoid legitimate browser security popups. #2 is not free, even
for Open Source.

--
//David
IIS
This posting is provided "AS IS" with no warranties, and confers no rights.
//
"Drew" <dyang RemoveThis @bayada.com> wrote in message
news:0ebc01c38da5$92a56920$a301280a@phx.gbl...
Disregard my previous email. I confused myself with
enabling SSL and obtaining a cert. from a certification
authority.

 >-----Original Message-----
 >No. IIS6 implements SSL internally, so all you need to
do is enable a check
 >box to have SSL work -- as it should be. SSL works the
same way in both
 >modes (except maybe slightly faster in IIS6 Native Mode).
 >
 >Prior versions of IIS relied on SSPIFILT (a ReadRawData
ISAPI Filter) to
 >implement SSL, so theoretically you could have removed
the filter, and if
 >you checked the "enable SSL" checkbox, SSL will not work.
 >
 >--
 >//David
 >IIS
 >This posting is provided "AS IS" with no warranties, and
confers no rights.
 >//
 >"Drew" <dyang RemoveThis @bayada.com> wrote in message
 >news:03d301c38d03$f0380f90$a301280a@phx.gbl...
 >Chris,
 >
 >Excellent webcast! It really helped to explain a lot of
 >concepts and clear up any 'unknowns' I had with IIS 6.0.
 >I forwarded the link to our developers and other staff
 >members.
 >
 >I do have another question. In your presentation you
 >used SSL and SSPIfilt(?) as an example of the raw data
 >filtering. My question is, if we install an SSL cert.
 >will this force us to run under IIS 5 IM? Or is that
 >just another method of implementing SSL? What advice
 >would you have for implementing SSL on IIS 6?
 >
 >Thanks,
 >Drew
 >
 >
  >>-----Original Message-----
  >>Hey ~
  >>
  >>Any ISAPI filter that requires registration with
 >Inetinfo for Read Raw
  >>Notifications will fail because IIS no longer has access
 >to the raw stream
  >>of data. In this case, HTTP.sys takes the stream of
 >data in the form of a
  >>request and passes to IIS in the form of a message...
  >>
  >>So, for example, IIS 5 used to have data passed like
 >this:
  >>
  >>GET /default.asp , etc...
  >>
  >>In IIS 6, we get something like this:
  >>
  >>3, 10, etc...
  >>
  >>The difference, IIS understands how HTTP.sys will pass
 >the data to us and we
  >>no longer access the raw data. Hence, registering for
 >this just don't work.
  >>If a ISAPI filter requires this functionality, it will
 >not work and the
  >>filter will fail to load. For more details, I recommend
 >that you review the
  >>webcast on this topic where we talk about this...
  >>
  >>http://www.microsoft.com/usa/webcasts/ondemand/2279.asp
  >>
  >>--
  >>~Chris (MSFT)
  >>IIS Supportability Lead
  >>
  >>This posting is provided "AS IS" with no warranties, and
 >confers no rights
  >>
  >>
  >>"Drew" <dyang RemoveThis @bayada.com> wrote in message
  >>news:0ffe01c38c42$4e30ff70$a001280a@phx.gbl...
   >>> In one of the technical white papers for Windows
Server
   >>> 2003, it is stated that "Some applications may not be
   >>> compatible with IIS 6.0 worker process isolation mode
   >>> such as applications written as read raw data
   >>> filters..." Can someone explain or give an example of
   >>> this?
   >>>
   >>> Regards,
   >>> Drew
  >>
  >>
  >>.
  >>
 >
 >
 >.
 ><!-- ~MESSAGE_AFTER~ -->
 >> Stay informed about: Raw data filters