IIS and WAP Deployment

Last updated: January 14, 2026

📚 Reference: This guide aligns with IIS Documentation and Web Application Proxy Overview

The Day I Learned About IIS Security

Early in my career, I deployed an IIS web application using the default settings. Within hours of going live, the application pool crashed repeatedly, users complained about slow performance, and security scans revealed the server was vulnerable to several attack vectors.

That painful experience taught me that IIS isn't "install and publish" – it requires careful configuration of application pools, authentication methods, security hardening, and performance tuning. This article shares what I've learned deploying hundreds of IIS applications in production environments.

What is Internet Information Services (IIS)?

IIS is Microsoft's web server platform for hosting websites, web applications, and services. In my deployments, IIS serves as the foundation for:

Public-facing websites: Corporate sites, customer portals
Internal web applications: Intranet, SharePoint, custom apps
REST APIs: Microservices, integration endpoints
ADFS endpoints: Federation metadata, authentication pages
Exchange/OWA: Email web access
Application hosting: ASP.NET, PHP, Node.js applications

Why I Deploy IIS

From my experience, IIS provides:

Windows integration: Seamless with Active Directory, NTLM, Kerberos
Performance: Kernel-mode caching, application pool isolation
Security: Request filtering, URL rewriting, dynamic IP restrictions
Management: PowerShell automation, centralized configuration
Scalability: Web farms, ARR (Application Request Routing), load balancing

IIS Architecture

Core Components

HTTP.SYS

Kernel-mode driver that:

Listens on TCP ports (80, 443)
Routes requests to correct application pool
Handles SSL/TLS termination
Implements kernel-mode caching

Windows Activation Service (WAS)

Manages application pool lifecycle:

Starts worker processes
Monitors health
Recycles pools based on configuration

Application Pools (w3wp.exe)

Isolated process boundaries for applications:

Each pool runs as separate w3wp.exe process
Crashes in one pool don't affect others
Different identity per pool
Configurable resource limits

Websites

Logical containers that define:

Bindings (IP, port, hostname)
Physical path to content
Associated application pool
Authentication methods

Installing IIS

Basic Installation

# Install IIS with common features
Install-WindowsFeature -Name Web-Server -IncludeManagementTools

# Verify installation
Get-Service W3SVC, WAS | Select-Object Name, Status

# Test default site
Invoke-WebRequest -Uri "http://localhost" -UseBasicParsing

Full Installation with All Features

# Install IIS with all features I typically use
$features = @(
    'Web-Server',
    'Web-WebServer',
    'Web-Common-Http',
    'Web-Default-Doc',
    'Web-Dir-Browsing',
    'Web-Http-Errors',
    'Web-Static-Content',
    'Web-Http-Redirect',
    'Web-Health',
    'Web-Http-Logging',
    'Web-Custom-Logging',
    'Web-Log-Libraries',
    'Web-ODBC-Logging',
    'Web-Request-Monitor',
    'Web-Http-Tracing',
    'Web-Performance',
    'Web-Stat-Compression',
    'Web-Dyn-Compression',
    'Web-Security',
    'Web-Filtering',
    'Web-Basic-Auth',
    'Web-CertProvider',
    'Web-Client-Auth',
    'Web-Digest-Auth',
    'Web-Cert-Auth',
    'Web-IP-Security',
    'Web-Url-Auth',
    'Web-Windows-Auth',
    'Web-App-Dev',
    'Web-Net-Ext45',
    'Web-Asp-Net45',
    'Web-ISAPI-Ext',
    'Web-ISAPI-Filter',
    'Web-WebSockets',
    'Web-Mgmt-Tools',
    'Web-Mgmt-Console',
    'Web-Mgmt-Compat',
    'Web-Metabase',
    'Web-Scripting-Tools'
)

Install-WindowsFeature -Name $features -IncludeManagementTools

# Import IIS PowerShell module
Import-Module WebAdministration

Install URL Rewrite Module

Essential for redirects and rewrite rules:

# Download and install URL Rewrite
$urlRewriteUrl = "https://download.microsoft.com/download/1/2/8/128E2E22-C1B9-44A4-BE2A-5859ED1D4592/rewrite_amd64_en-US.msi"
$installer = "C:\Temp\rewrite_amd64.msi"

Invoke-WebRequest -Uri $urlRewriteUrl -OutFile $installer
Start-Process msiexec.exe -ArgumentList "/i `"$installer`" /qn" -Wait

Install Application Request Routing (ARR)

For load balancing and reverse proxy:

# Download ARR
$arrUrl = "https://download.microsoft.com/download/E/9/8/E9849D6A-020E-47E4-9FD0-A023E99B54EB/requestRouter_amd64.msi"
$installer = "C:\Temp\arr_amd64.msi"

Invoke-WebRequest -Uri $arrUrl -OutFile $installer
Start-Process msiexec.exe -ArgumentList "/i `"$installer`" /qn" -Wait

Application Pool Configuration

Creating Application Pools

# Create application pool with gMSA
New-WebAppPool -Name "SecureAppPool"

# Configure .NET CLR version
Set-ItemProperty IIS:\AppPools\SecureAppPool -Name managedRuntimeVersion -Value "v4.0"

# Set identity to gMSA (my preferred method)
Set-ItemProperty IIS:\AppPools\SecureAppPool -Name processModel.identityType -Value 3
Set-ItemProperty IIS:\AppPools\SecureAppPool -Name processModel.userName -Value "COMPANY\svc-WebApp$"
Set-ItemProperty IIS:\AppPools\SecureAppPool -Name processModel.password -Value ""

# Or use built-in identity
Set-ItemProperty IIS:\AppPools\SecureAppPool -Name processModel.identityType -Value 2
# 0 = LocalSystem, 1 = LocalService, 2 = NetworkService, 3 = Specific User, 4 = ApplicationPoolIdentity

Application Pool Recycling

# Configure recycling schedule (daily at 2 AM)
Clear-ItemProperty IIS:\AppPools\SecureAppPool -Name recycling.periodicRestart.schedule
New-ItemProperty IIS:\AppPools\SecureAppPool -Name recycling.periodicRestart.schedule -Value @{value="02:00:00"}

# Recycle after 1 GB private memory
Set-ItemProperty IIS:\AppPools\SecureAppPool -Name recycling.periodicRestart.privateMemory -Value 1048576

# Recycle after 24 hours
Set-ItemProperty IIS:\AppPools\SecureAppPool -Name recycling.periodicRestart.time -Value "1.00:00:00"

# Disable time-based recycling
Set-ItemProperty IIS:\AppPools\SecureAppPool -Name recycling.periodicRestart.time -Value "00:00:00"

# Recycle on configuration change
Set-ItemProperty IIS:\AppPools\SecureAppPool -Name recycling.periodicRestart.configChange -Value $true

Application Pool Limits

# CPU limit (percentage)
Set-ItemProperty IIS:\AppPools\SecureAppPool -Name cpu.limit -Value 80000
# 80000 = 80% of one core

# Idle timeout (minutes)
Set-ItemProperty IIS:\AppPools\SecureAppPool -Name processModel.idleTimeout -Value "00:20:00"

# Queue length
Set-ItemProperty IIS:\AppPools\SecureAppPool -Name queueLength -Value 1000

# Max worker processes (for web garden)
Set-ItemProperty IIS:\AppPools\SecureAppPool -Name processModel.maxProcesses -Value 1
# > 1 creates web garden (multiple w3wp.exe processes)

Rapid-Fail Protection

# Enable rapid-fail protection
Set-ItemProperty IIS:\AppPools\SecureAppPool -Name failure.rapidFailProtection -Value $true

# Failures before rapid-fail (default 5)
Set-ItemProperty IIS:\AppPools\SecureAppPool -Name failure.rapidFailProtectionMaxCrashes -Value 5

# Time window for failure count (minutes)
Set-ItemProperty IIS:\AppPools\SecureAppPool -Name failure.rapidFailProtectionInterval -Value "00:05:00"

# Action on rapid-fail
Set-ItemProperty IIS:\AppPools\SecureAppPool -Name failure.autoShutdownExe -Value ""

Website Configuration

Creating Websites

# Create website
New-Website -Name "CorporateIntranet" `
    -Port 443 `
    -Protocol https `
    -PhysicalPath "D:\WebApps\Intranet" `
    -ApplicationPool "SecureAppPool" `
    -Force

# Add HTTP binding
New-WebBinding -Name "CorporateIntranet" -Protocol http -Port 80

# Add HTTPS binding with certificate
$cert = Get-ChildItem -Path Cert:\LocalMachine\My | 
    Where-Object {$_.Subject -like "*intranet.company.com*"}

New-WebBinding -Name "CorporateIntranet" `
    -Protocol https `
    -Port 443 `
    -HostHeader "intranet.company.com" `
    -SslFlags 1

# Bind certificate
$binding = Get-WebBinding -Name "CorporateIntranet" -Protocol https
$binding.AddSslCertificate($cert.Thumbprint, "My")

Host Headers and SNI

# Create website with specific host header
New-WebBinding -Name "CorporateIntranet" `
    -Protocol https `
    -Port 443 `
    -HostHeader "intranet.company.com" `
    -SslFlags 1

# SNI (Server Name Indication) - multiple SSL sites on same IP
New-WebBinding -Name "App1" `
    -Protocol https `
    -Port 443 `
    -HostHeader "app1.company.com" `
    -SslFlags 1  # 1 = SNI enabled

New-WebBinding -Name "App2" `
    -Protocol https `
    -Port 443 `
    -HostHeader "app2.company.com" `
    -SslFlags 1

Virtual Directories and Applications

# Create virtual directory
New-WebVirtualDirectory -Site "Default Web Site" `
    -Name "documents" `
    -PhysicalPath "\\fileserver\documents"

# Create application
New-WebApplication -Site "Default Web Site" `
    -Name "api" `
    -PhysicalPath "D:\WebApps\API" `
    -ApplicationPool "APIAppPool"

# List applications
Get-WebApplication -Site "Default Web Site"

Authentication Configuration

Windows Authentication

# Enable Windows Authentication
Install-WindowsFeature -Name Web-Windows-Auth

# Configure website for Windows Authentication
Set-WebConfigurationProperty -Filter "/system.webServer/security/authentication/windowsAuthentication" `
    -Name "enabled" `
    -Value $true `
    -PSPath "IIS:\Sites\CorporateIntranet"

# Disable anonymous authentication
Set-WebConfigurationProperty -Filter "/system.webServer/security/authentication/anonymousAuthentication" `
    -Name "enabled" `
    -Value $false `
    -PSPath "IIS:\Sites\CorporateIntranet"

# Enable kernel-mode authentication (Kerberos)
Set-WebConfigurationProperty -Filter "/system.webServer/security/authentication/windowsAuthentication" `
    -Name "useKernelMode" `
    -Value $true `
    -PSPath "IIS:\Sites\CorporateIntranet"

# Configure providers (Negotiate first, then NTLM fallback)
Set-WebConfigurationProperty -Filter "/system.webServer/security/authentication/windowsAuthentication" `
    -Name "providers" `
    -Value "Negotiate,NTLM" `
    -PSPath "IIS:\Sites\CorporateIntranet"

Kerberos Configuration

For Windows Authentication to use Kerberos (more secure than NTLM):

# Set SPNs for application pool identity
setspn -A HTTP/intranet.company.com COMPANY\svc-IntranetApp$
setspn -A HTTP/intranet COMPANY\svc-IntranetApp$

# Verify SPNs
setspn -L COMPANY\svc-IntranetApp$

# Test Kerberos
# Install Kerberos Configuration Manager
# Or check with klist on client after accessing site
klist tickets

Forms Authentication

# Enable forms authentication
Set-WebConfigurationProperty -Filter "/system.web/authentication" `
    -Name "mode" `
    -Value "Forms" `
    -PSPath "IIS:\Sites\PublicWebsite"

# Configure forms authentication
Set-WebConfigurationProperty -Filter "/system.web/authentication/forms" `
    -Name "loginUrl" `
    -Value "/login.aspx" `
    -PSPath "IIS:\Sites\PublicWebsite"

Set-WebConfigurationProperty -Filter "/system.web/authentication/forms" `
    -Name "timeout" `
    -Value 30 `
    -PSPath "IIS:\Sites\PublicWebsite"

Client Certificate Authentication

# Require client certificates
Set-WebConfigurationProperty -Filter "/system.webServer/security/access" `
    -Name "sslFlags" `
    -Value "Ssl,SslNegotiateCert,SslRequireCert" `
    -PSPath "IIS:\Sites\SecureAPI"

# Enable client certificate mapping
Set-WebConfigurationProperty -Filter "/system.webServer/security/authentication/iisClientCertificateMappingAuthentication" `
    -Name "enabled" `
    -Value $true `
    -PSPath "IIS:\Sites\SecureAPI"

SSL/TLS Configuration

Install SSL Certificate

# Request certificate from internal CA (shown in PKI article)
# Or import purchased certificate
$pfxPassword = ConvertTo-SecureString "CertPassword!" -AsPlainText -Force
Import-PfxCertificate -FilePath "C:\Certs\webapp.company.com.pfx" `
    -CertStoreLocation Cert:\LocalMachine\My `
    -Password $pfxPassword

# Bind to website
$cert = Get-ChildItem -Path Cert:\LocalMachine\My | 
    Where-Object {$_.Subject -like "*webapp.company.com*"}

$binding = Get-WebBinding -Name "WebApp" -Protocol https
$binding.AddSslCertificate($cert.Thumbprint, "My")

Configure TLS Protocols

# Disable SSL 2.0, SSL 3.0, TLS 1.0, TLS 1.1
# Enable only TLS 1.2 and TLS 1.3

$protocols = @{
    'SSL 2.0' = @{Server = 0; Client = 0}
    'SSL 3.0' = @{Server = 0; Client = 0}
    'TLS 1.0' = @{Server = 0; Client = 0}
    'TLS 1.1' = @{Server = 0; Client = 0}
    'TLS 1.2' = @{Server = 1; Client = 1}
    'TLS 1.3' = @{Server = 1; Client = 1}
}

foreach ($protocol in $protocols.Keys) {
    $serverPath = "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\$protocol\Server"
    $clientPath = "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\$protocol\Client"
    
    New-Item -Path $serverPath -Force | Out-Null
    New-Item -Path $clientPath -Force | Out-Null
    
    New-ItemProperty -Path $serverPath -Name "Enabled" -Value $protocols[$protocol].Server -PropertyType DWORD -Force
    New-ItemProperty -Path $serverPath -Name "DisabledByDefault" -Value $(1 - $protocols[$protocol].Server) -PropertyType DWORD -Force
    
    New-ItemProperty -Path $clientPath -Name "Enabled" -Value $protocols[$protocol].Client -PropertyType DWORD -Force
    New-ItemProperty -Path $clientPath -Name "DisabledByDefault" -Value $(1 - $protocols[$protocol].Client) -PropertyType DWORD -Force
}

# Restart required
Restart-Computer

Configure Cipher Suites

# Set strong cipher suites (TLS 1.2/1.3)
$cipherSuites = @(
    'TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384'
    'TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256'
    'TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384'
    'TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256'
)

$cipherString = $cipherSuites -join ','
Enable-TlsCipherSuite -Name $cipherString

# Verify
Get-TlsCipherSuite | Select-Object Name

HTTP to HTTPS Redirect

# Install URL Rewrite module (shown earlier)
# Create redirect rule

$ruleName = "HTTP to HTTPS Redirect"
$siteName = "Default Web Site"

# Get configuration
$config = Get-WebConfiguration -Filter "system.webServer/rewrite/rules/rule[@name='$ruleName']" -PSPath "IIS:\Sites\$siteName"

if ($null -eq $config) {
    Add-WebConfigurationProperty -PSPath "IIS:\Sites\$siteName" `
        -Filter "system.webServer/rewrite/rules" `
        -Name "." `
        -Value @{
            name='HTTP to HTTPS Redirect'
            stopProcessing=$true
        }
    
    Set-WebConfigurationProperty -PSPath "IIS:\Sites\$siteName" `
        -Filter "system.webServer/rewrite/rules/rule[@name='$ruleName']/match" `
        -Name "url" `
        -Value "(.*)"
    
    Set-WebConfigurationProperty -PSPath "IIS:\Sites\$siteName" `
        -Filter "system.webServer/rewrite/rules/rule[@name='$ruleName']/conditions" `
        -Name "." `
        -Value @{input='{HTTPS}'; pattern='off'}
    
    Set-WebConfigurationProperty -PSPath "IIS:\Sites\$siteName" `
        -Filter "system.webServer/rewrite/rules/rule[@name='$ruleName']/action" `
        -Name "type" `
        -Value "Redirect"
    
    Set-WebConfigurationProperty -PSPath "IIS:\Sites\$siteName" `
        -Filter "system.webServer/rewrite/rules/rule[@name='$ruleName']/action" `
        -Name "url" `
        -Value "https://{HTTP_HOST}/{R:1}"
    
    Set-WebConfigurationProperty -PSPath "IIS:\Sites\$siteName" `
        -Filter "system.webServer/rewrite/rules/rule[@name='$ruleName']/action" `
        -Name "redirectType" `
        -Value "Permanent"
}

Security Hardening

Request Filtering

# Block dangerous extensions
$blockedExtensions = @('.exe', '.com', '.bat', '.cmd', '.vbs')
foreach ($ext in $blockedExtensions) {
    Add-WebConfigurationProperty -PSPath "IIS:\Sites\Default Web Site" `
        -Filter "system.webServer/security/requestFiltering/fileExtensions" `
        -Name "." `
        -Value @{fileExtension=$ext; allowed=$false}
}

# Set request limits
Set-WebConfigurationProperty -PSPath "IIS:\Sites\Default Web Site" `
    -Filter "system.webServer/security/requestFiltering/requestLimits" `
    -Name "maxAllowedContentLength" `
    -Value 30000000  # 30 MB

Set-WebConfigurationProperty -PSPath "IIS:\Sites\Default Web Site" `
    -Filter "system.webServer/security/requestFiltering/requestLimits" `
    -Name "maxUrl" `
    -Value 4096

Set-WebConfigurationProperty -PSPath "IIS:\Sites\Default Web Site" `
    -Filter "system.webServer/security/requestFiltering/requestLimits" `
    -Name "maxQueryString" `
    -Value 2048

# Block double encoding
Set-WebConfigurationProperty -PSPath "IIS:\Sites\Default Web Site" `
    -Filter "system.webServer/security/requestFiltering" `
    -Name "allowDoubleEscaping" `
    -Value $false

# Block high bit characters
Set-WebConfigurationProperty -PSPath "IIS:\Sites\Default Web Site" `
    -Filter "system.webServer/security/requestFiltering" `
    -Name "allowHighBitCharacters" `
    -Value $false

Remove Server Headers

# Remove X-Powered-By header
Clear-WebConfigurationProperty -PSPath "IIS:\" `
    -Filter "system.webServer/httpProtocol/customHeaders" `
    -Name "."

# Install URL Rewrite to remove Server header
# Create outbound rule to remove Server header
Add-WebConfigurationProperty -PSPath "IIS:\Sites\Default Web Site" `
    -Filter "system.webServer/rewrite/outboundRules" `
    -Name "." `
    -Value @{name='Remove Server Header'}

Set-WebConfigurationProperty -PSPath "IIS:\Sites\Default Web Site" `
    -Filter "system.webServer/rewrite/outboundRules/rule[@name='Remove Server Header']/match" `
    -Name "serverVariable" `
    -Value "RESPONSE_Server"

Set-WebConfigurationProperty -PSPath "IIS:\Sites\Default Web Site" `
    -Filter "system.webServer/rewrite/outboundRules/rule[@name='Remove Server Header']/action" `
    -Name "type" `
    -Value "Rewrite"

Set-WebConfigurationProperty -PSPath "IIS:\Sites\Default Web Site" `
    -Filter "system.webServer/rewrite/outboundRules/rule[@name='Remove Server Header']/action" `
    -Name "value" `
    -Value ""

Security Headers

# Add security headers
$headers = @{
    'X-Frame-Options' = 'SAMEORIGIN'
    'X-Content-Type-Options' = 'nosniff'
    'X-XSS-Protection' = '1; mode=block'
    'Strict-Transport-Security' = 'max-age=31536000; includeSubDomains'
    'Content-Security-Policy' = "default-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'"
}

foreach ($header in $headers.Keys) {
    Add-WebConfigurationProperty -PSPath "IIS:\Sites\Default Web Site" `
        -Filter "system.webServer/httpProtocol/customHeaders" `
        -Name "." `
        -Value @{name=$header; value=$headers[$header]}
}

IP Restrictions

# Allow only specific IPs
Add-WebConfigurationProperty -PSPath "IIS:\Sites\SecureAdmin" `
    -Filter "system.webServer/security/ipSecurity" `
    -Name "." `
    -Value @{ipAddress='10.1.0.0'; subnetMask='255.255.0.0'; allowed=$true}

# Block specific IPs
Add-WebConfigurationProperty -PSPath "IIS:\Sites\Default Web Site" `
    -Filter "system.webServer/security/ipSecurity" `
    -Name "." `
    -Value @{ipAddress='192.168.1.100'; allowed=$false}

# Enable Dynamic IP Restrictions (requires module)
Install-WindowsFeature -Name Web-IP-Security

Set-WebConfigurationProperty -PSPath "IIS:\Sites\Default Web Site" `
    -Filter "system.webServer/security/dynamicIpSecurity/denyByConcurrentRequests" `
    -Name "enabled" `
    -Value $true

Set-WebConfigurationProperty -PSPath "IIS:\Sites\Default Web Site" `
    -Filter "system.webServer/security/dynamicIpSecurity/denyByConcurrentRequests" `
    -Name "maxConcurrentRequests" `
    -Value 20

Web Application Proxy (WAP)

WAP publishes internal applications to external users securely.

WAP Architecture

Installing WAP

# On DMZ server (NOT domain-joined)
# Install WAP role
Install-WindowsFeature Web-Application-Proxy -IncludeManagementTools

# Import WAP module
Import-Module WebApplicationProxy

# Get SSL certificate for external URL
$cert = Get-ChildItem -Path Cert:\LocalMachine\My | 
    Where-Object {$_.Subject -like "*apps.company.com*"}

# Install WAP (requires ADFS admin credentials)
$adfsCredential = Get-Credential
Install-WebApplicationProxy `
    -FederationServiceTrustCredential $adfsCredential `
    -CertificateThumbprint $cert.Thumbprint `
    -FederationServiceName "adfs.company.com"

Publishing Applications Through WAP

Publish with ADFS Pre-authentication

# Publish application with ADFS authentication
Add-WebApplicationProxyApplication `
    -Name "Company Intranet" `
    -ExternalUrl "https://intranet.company.com/" `
    -ExternalCertificateThumbprint $cert.Thumbprint `
    -BackendServerUrl "https://intranet.company.local/" `
    -ADFSRelyingPartyName "Company Intranet" `
    -EnableHTTPRedirect $true `
    -ExternalPreAuthentication ADFS

# Verify
Get-WebApplicationProxyApplication | Select-Object Name, ExternalUrl

Publish with Pass-through Authentication

# Publish without pre-authentication (legacy app)
Add-WebApplicationProxyApplication `
    -Name "Legacy App" `
    -ExternalUrl "https://legacy.company.com/" `
    -ExternalCertificateThumbprint $cert.Thumbprint `
    -BackendServerUrl "http://legacy.company.local/" `
    -ExternalPreAuthentication PassThrough `
    -EnableHTTPRedirect $true

Publish with Client Certificate Authentication

# Publish requiring client certificates
Add-WebApplicationProxyApplication `
    -Name "Secure API" `
    -ExternalUrl "https://api.company.com/" `
    -ExternalCertificateThumbprint $cert.Thumbprint `
    -BackendServerUrl "https://api.company.local/" `
    -ExternalPreAuthentication ClientCertificate `
    -ClientCertificateAuthenticationBindingMode None

WAP Health Monitoring

# Check WAP service
Get-Service AppProxyCtrl, AppProxySvc | Select-Object Name, Status

# View published applications
Get-WebApplicationProxyApplication | Format-Table Name, ExternalUrl, BackendServerUrl

# Test application connectivity
Test-WebApplicationProxyApplication -Name "Company Intranet"

# View WAP configuration
Get-WebApplicationProxyConfiguration

Load Balancing with ARR

Application Request Routing for load balancing IIS servers.

Configure ARR

# Install ARR (shown earlier)
# Enable proxy
Set-WebConfigurationProperty -PSPath "MACHINE/WEBROOT/APPHOST" `
    -Filter "system.webServer/proxy" `
    -Name "enabled" `
    -Value $true

# Create server farm
New-Item -Path "IIS:\ServerFarms\WebFarm" -Type ServerFarm

# Add servers to farm
Add-WebConfigurationProperty -PSPath "MACHINE/WEBROOT/APPHOST" `
    -Filter "webFarms/webFarm[@name='WebFarm']/server" `
    -Name "." `
    -Value @{address='10.1.10.101'}

Add-WebConfigurationProperty -PSPath "MACHINE/WEBROOT/APPHOST" `
    -Filter "webFarms/webFarm[@name='WebFarm']/server" `
    -Name "." `
    -Value @{address='10.1.10.102'}

# Configure load balancing algorithm
Set-WebConfigurationProperty -PSPath "MACHINE/WEBROOT/APPHOST" `
    -Filter "webFarms/webFarm[@name='WebFarm']/applicationRequestRouting" `
    -Name "affinity.useCookie" `
    -Value $true

# Create URL rewrite rule to route to farm
Add-WebConfigurationProperty -PSPath "IIS:\Sites\Default Web Site" `
    -Filter "system.webServer/rewrite/rules" `
    -Name "." `
    -Value @{name='ARR_WebFarm'; stopProcessing=$true}

Set-WebConfigurationProperty -PSPath "IIS:\Sites\Default Web Site" `
    -Filter "system.webServer/rewrite/rules/rule[@name='ARR_WebFarm']/match" `
    -Name "url" `
    -Value "(.*)"

Set-WebConfigurationProperty -PSPath "IIS:\Sites\Default Web Site" `
    -Filter "system.webServer/rewrite/rules/rule[@name='ARR_WebFarm']/action" `
    -Name "type" `
    -Value "Rewrite"

Set-WebConfigurationProperty -PSPath "IIS:\Sites\Default Web Site" `
    -Filter "system.webServer/rewrite/rules/rule[@name='ARR_WebFarm']/action" `
    -Name "url" `
    -Value "http://WebFarm/{R:1}"

Monitoring and Troubleshooting

Performance Monitoring

# Key IIS performance counters
$counters = @(
    "\Web Service(_Total)\Current Connections"
    "\Web Service(_Total)\Bytes Total/sec"
    "\Web Service(_Total)\Get Requests/sec"
    "\Web Service(_Total)\Post Requests/sec"
    "\APP_POOL_WAS(_Total)\Current Application Pool State"
    "\APP_POOL_WAS(_Total)\Current Application Pool Uptime"
    "\Process(w3wp)\% Processor Time"
    "\Process(w3wp)\Private Bytes"
    "\Process(w3wp)\Thread Count"
)

# Monitor in real-time
while ($true) {
    Clear-Host
    Get-Counter -Counter $counters -SampleInterval 1 -MaxSamples 1 | 
        ForEach-Object {$_.CounterSamples} | 
        Format-Table Path, CookedValue -AutoSize
    Start-Sleep -Seconds 5
}

Failed Request Tracing

# Enable Failed Request Tracing
Install-WindowsFeature Web-Http-Tracing

# Configure for site
Set-WebConfigurationProperty -PSPath "IIS:\Sites\Default Web Site" `
    -Filter "system.webServer/tracing/traceFailedRequests" `
    -Name "enabled" `
    -Value $true

# Add trace rule for 500 errors
Add-WebConfigurationProperty -PSPath "IIS:\Sites\Default Web Site" `
    -Filter "system.webServer/tracing/traceFailedRequests" `
    -Name "." `
    -Value @{path='*'}

Set-WebConfigurationProperty -PSPath "IIS:\Sites\Default Web Site" `
    -Filter "system.webServer/tracing/traceFailedRequests/add[@path='*']/traceAreas" `
    -Name "." `
    -Value @{provider='WWW Server'; areas='Authentication,Security,Filter,StaticFile,CGI,Compression,Cache,RequestNotifications,Module,FastCGI,WebSocket'; verbosity='Verbose'}

Set-WebConfigurationProperty -PSPath "IIS:\Sites\Default Web Site" `
    -Filter "system.webServer/tracing/traceFailedRequests/add[@path='*']/failureDefinitions" `
    -Name "statusCodes" `
    -Value "500-599"

# View traces
# Logs stored in: C:\inetpub\logs\FailedReqLogFiles\

Common Issues

Application Pool Crashes

# Check application event log
Get-WinEvent -LogName Application | 
    Where-Object {$_.ProviderName -like "*WAS*" -or $_.ProviderName -like "*W3SVC*"} | 
    Select-Object TimeCreated, Id, Message | 
    Format-List

# Common event IDs:
# 5002 = Application pool stopped
# 5011 = Application pool recycled
# 5021 = Worker process startup failed

# Check for rapid-fail protection
Get-ItemProperty IIS:\AppPools\* | 
    Select-Object Name, State, @{Name='RapidFail';Expression={$_.failure.rapidFailProtection}}

Kerberos Authentication Failures

# Check SPNs
setspn -L COMPANY\svc-WebApp$

# Test from client
klist purge
# Access website
klist tickets
# Should show HTTP/sitename ticket

# Enable Kerberos logging
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters" /v LogLevel /t REG_DWORD /d 1 /f

# View Kerberos events
Get-WinEvent -LogName System | 
    Where-Object {$_.Id -in @(4,27,31)} | 
    Select-Object TimeCreated, Id, Message

SSL/TLS Errors

# Test SSL configuration
Invoke-WebRequest -Uri "https://webapp.company.com" -UseBasicParsing

# Check certificate binding
netsh http show sslcert

# View TLS handshake with PowerShell
$tcpClient = New-Object System.Net.Sockets.TcpClient("webapp.company.com", 443)
$sslStream = New-Object System.Net.Security.SslStream($tcpClient.GetStream(), $false)
$sslStream.AuthenticateAsClient("webapp.company.com")
$sslStream.RemoteCertificate
$sslStream.Close()
$tcpClient.Close()

Best Practices Summary

Application Pools

Separate pools per application: Isolation prevents cascade failures
Use gMSA for identity: Automatic password management
Configure recycling: Schedule during low-traffic periods
Set resource limits: Prevent resource exhaustion

Security

HTTPS everywhere: Redirect HTTP to HTTPS
Strong TLS only: Disable SSL 2.0/3.0, TLS 1.0/1.1
Request filtering: Block dangerous extensions and characters
Security headers: HSTS, X-Frame-Options, CSP
Remove server headers: Don't advertise IIS version

Performance

Enable compression: Static and dynamic content
Configure caching: Output caching, kernel caching
Limit connections: Prevent resource exhaustion
Monitor performance: Proactive alerting

Authentication

Prefer Windows Auth: Seamless for internal apps
Configure Kerberos: More secure than NTLM
Use ADFS for cloud: Federated SSO
Client certificates: For high-security APIs

Conclusion

IIS is a powerful, flexible web server platform. From my experience deploying IIS across hundreds of applications, success requires:

Proper application pool configuration: Isolation and security
Strong SSL/TLS: Protect data in transit
Defense in depth: Multiple security layers
Monitoring and alerting: Proactive issue detection
Regular maintenance: Certificate renewals, security updates

In the next article, we'll bring everything together with Enterprise Identity Integration Patterns, showing how AD, ADFS, PKI, IIS, and WAP work together in complete authentication flows.

hashtagThe Day I Learned About IIS Security

hashtagWhat is Internet Information Services (IIS)?

hashtagWhy I Deploy IIS

hashtagIIS Architecture

hashtagCore Components

hashtagHTTP.SYS

hashtagWindows Activation Service (WAS)

hashtagApplication Pools (w3wp.exe)

hashtagWebsites

hashtagInstalling IIS

hashtagBasic Installation

hashtagFull Installation with All Features

hashtagInstall URL Rewrite Module

hashtagInstall Application Request Routing (ARR)

hashtagApplication Pool Configuration

hashtagCreating Application Pools

hashtagApplication Pool Recycling

hashtagApplication Pool Limits

hashtagRapid-Fail Protection

hashtagWebsite Configuration

hashtagCreating Websites

hashtagHost Headers and SNI

hashtagVirtual Directories and Applications

hashtagAuthentication Configuration

hashtagWindows Authentication

hashtagKerberos Configuration

hashtagForms Authentication

hashtagClient Certificate Authentication

hashtagSSL/TLS Configuration

hashtagInstall SSL Certificate

hashtagConfigure TLS Protocols

hashtagConfigure Cipher Suites

hashtagHTTP to HTTPS Redirect

hashtagSecurity Hardening

hashtagRequest Filtering

hashtagRemove Server Headers

hashtagSecurity Headers

hashtagIP Restrictions

hashtagWeb Application Proxy (WAP)

hashtagWAP Architecture

hashtagInstalling WAP

hashtagPublishing Applications Through WAP

hashtagPublish with ADFS Pre-authentication

hashtagPublish with Pass-through Authentication

hashtagPublish with Client Certificate Authentication

hashtagWAP Health Monitoring

hashtagLoad Balancing with ARR

hashtagConfigure ARR

hashtagMonitoring and Troubleshooting

hashtagPerformance Monitoring

hashtagFailed Request Tracing

hashtagCommon Issues

hashtagApplication Pool Crashes

hashtagKerberos Authentication Failures

hashtagSSL/TLS Errors

hashtagBest Practices Summary

hashtagApplication Pools

hashtagSecurity

hashtagPerformance

hashtagAuthentication

hashtagConclusion

hashtagFurther Reading