IIS 6: The Complete Reference
You can view and change the configurations for an NNTP virtual server from the Properties window (as described in the previous section). The Properties window for an NNTP virtual server has the following four tabs:
- General: Configuration settings for IP address and port, connection limit and time-out, the Path header, and logging
- Access: Configuration settings for how a client may establish a connection with the NNTP virtual server (authentication, SSL, and IP-based connection control)
- Settings: Configuration settings for how clients and news feeds may interact with the NNTP virtual server (posting limits, control messages, moderation)
- Security: The Windows users and groups designated as operators, who may administer the NNTP virtual server
General Tab Settings
When the Properties window is accessed initially, the General tab is open by default, as shown in Figure 5-3. The following may be configured on the General tab:
- IP Address: The IP address the NNTP virtual server listens on. The default value is (All Unassigned), meaning every address on the host that no other NNTP virtual server has claimed.
- Limit Number Of Connections To: The maximum number of simultaneous client connections the server will accept. The default value is 5000 connections.
- Connection Time-out: The maximum time, in minutes, that an idle client is allowed to remain connected. The default value is 10 minutes.
- Path Header: The value used for each posting's Path line. By default this setting is empty.
- Enable Logging: Turns logging on and selects the log format the NNTP virtual server will use. By default, logging is not turned on.
Unlike the FTP and WWW services, the NNTP service ships with no Windows Script Host (WSH) administration script; the MMC snap-in is the only supported tool for changing an NNTP virtual server's configuration. Nor can an NNTP virtual server's configuration be exported or imported, which the FTP and WWW services allow: there you can export the configuration of an FTP virtual directory to a file and import it again on the same server, or on a different server, with identical settings. For NNTP this is a significant limitation. In addition, some settings, such as the Internal Files Path, can be set only when the NNTP virtual server is created. If such a setting must change later, the only options are to edit the NNTP configuration by hand in the server's registry or metabase (the settings live under the NntpSvc node and can be read with the generic ADSI metabase tools such as adsutil.vbs, but back the metabase up before touching it) or to create a new NNTP virtual server with the new internal files path and replicate every other setting by hand.
IP Addresses and Ports
One or more IP address and port combinations may be bound to the virtual server. By default, any IP address chosen in the IP Address drop-down box uses port 119, the standard NNTP port. To bind additional IP addresses or port numbers, click the Advanced button to open the Advanced window, where you can configure multiple identities for the NNTP virtual server (an identity is one IP address and port combination). The same window sets the port used when clients connect over SSL (563 is the registered NNTP-over-SSL port); that binding only becomes usable once the server has been set up with a certificate.
Connections
Both the number of connections the NNTP virtual server will accept and the maximum time a client may stay connected while idle are configurable. The value in the Limit Number Of Connections To text box caps the number of concurrent connections the server handles at any one time; a client that requests a connection while the server is at the limit is refused. The Connection Time-out text box sets the maximum time a client may remain connected without sending a command. If the connection limit is routinely reached, lowering the connection time-out frees slots held by idle (or deliberately idle) clients sooner and may let the server keep up with client demand. The two values together bound how long a connection slot can be tied up, which matters because holding a connection open is cheap for a client and costly for the server.
Path Header
The value entered in the Path Header text box is placed in the Path line of each message posted through the NNTP virtual server; when the box is empty, the Domain Name System (DNS) name of the host server is used. By default the box is empty. More than one name may be given in the Path Header by separating the names with any punctuation character other than a period.
Enable Logging
NNTP logging works the same way as logging for the SMTP service in IIS. When logging is enabled, IIS records NNTP events and each connection's interactions with the NNTP virtual server, in a single log per NNTP virtual server. Through the virtual server's Properties window, the administrator chooses whether to log at all, the log style, the file location or database the log is written to, and the data fields included. Because logging is off by default, a server left at its defaults keeps no record of who connected or what they posted; turn it on before the server goes into service if you expect ever to investigate abuse.
To configure logging for an NNTP virtual server, open its Properties window. On the General tab, select the Enable Logging checkbox, then in the Active Log Format combo box choose whether the log is written to a database table or to a text-file format. (See Chapter 11 for more information about setting up logging.)
Access Tab Settings
The settings on the Access tab, as shown in Figure 5-4 and described here, allow you to configure the ways that users can access the NNTP virtual server:
- Access Control: These settings determine how the NNTP virtual server authenticates a connecting client and the criteria used for access control.
- Secure Communication: Wizards are provided to help set up and install SSL certificates on the server so that clients can communicate over SSL. Refer to Chapter 2 for more information about this configuration.
- Connection Control: These settings determine which clients can connect, based on IP address or domain name.
Access Control
Clients connecting to the NNTP virtual server may be authenticated or admitted anonymously. The identity established at authentication is then matched against the Windows file permissions on the directories in which the newsgroups store their content, so access to newsgroup material is controlled by NTFS permissions on those directories rather than by NNTP itself. Authentication for connecting clients is configured on the Access tab; combined with Windows file permissions on the directories hosting the newsgroup data, this gives you access control over newsgroup content.
Note: See Chapter 7 for more information about authentication.
To configure the server’s authentication, open the Properties window, then the Access tab, and then click the Authentication button found in the Access Control area. An Authentication Methods window opens, as shown in Figure 5-5, with the following settings:
- Allow Anonymous: No credentials are required to use the NNTP virtual server. This is the default setting.
- Basic Authentication: The username and password supplied by the client are transmitted to the host server in clear text.
- Integrated Windows Authentication: Authentication uses a Windows challenge/response exchange, so the password itself is never sent to the host server.
- Enable SSL Client Authentication: Lets clients authenticate and communicate over SSL. If checked, and the host server has an SSL certificate, the client may communicate with the server using SSL.
The authentication protocols are not mutually exclusive selections, so any one or more may be selected. If Enable SSL Client Authentication is selected, the Require SSL Client Authentication and Enable Client Certificate Mapping To Windows User Accounts settings become enabled so that they may be configured as well.
Allow Anonymous Check Allow Anonymous to let a client connect without providing any credentials. Click the Anonymous button to open the Anonymous Account window, where you set the Windows account whose identity anonymous users are given when they interact with the host through the NNTP virtual server. By default, if no account is specified, the system's ANONYMOUS LOGON identity is used. Whatever account is chosen, its NTFS permissions on the newsgroup content directories define exactly what unauthenticated clients can read and post, so keep it a low-privilege account that holds no rights anywhere else on the host.
Basic Authentication Checking Basic Authentication lets a user connect with a login name and password. The credentials supplied determine access control where newsgroups restrict access using Windows file permissions. They travel to the NNTP virtual server in plain text, so anyone able to observe the network path can read the user's Windows password; enable Basic Authentication only together with SSL (see Require SSL Client Authentication below) or on a network you trust end to end.
Integrated Windows Authentication Checking Integrated Windows Authentication lets a user connect with the Windows credentials used to log on to the workstation. The credentials supplied determine access control where newsgroups restrict access using Windows file permissions. They are verified through a Windows challenge/response exchange that never sends the password itself to the host server.
Enable SSL Client Authentication If the Enable SSL Client Authentication box is checked, users may authenticate and communicate using SSL. The host server must have an SSL certificate to support SSL communication with a client.
Require SSL Client Authentication If the Require SSL Client Authentication checkbox is checked, clients can connect only over SSL. Requiring SSL protects the session from eavesdropping but does not by itself tell the server who the user is: where access control to a newsgroup is needed, the user must still present credentials with basic or integrated Windows authentication, or client certificates must be mapped to Windows user accounts.
Enable Client Certificate Mapping To Windows User Accounts SSL gives clients an encrypted channel to the NNTP virtual server, and a client certificate also identifies the client uniquely. The difficulty in using a certificate as an authentication credential is that Windows file permissions are expressed in terms of Windows accounts, not certificates, so on its own the certificate cannot drive access control. Mapping Windows user accounts to certificates resolves this. Checking this checkbox enables the Client Mappings button; click it to open the Account Mappings window. (See Chapter 10 for more information about mapping certificates to accounts.)
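The checkboxes above are easier to reason about when you can see what each one does to the NNTP conversation. The following is an added example for this page, not code from IIS or the book: a toy model that maps Allow Anonymous, Basic Authentication and Require SSL Client Authentication to the replies a client receives during an AUTHINFO USER/PASS exchange, using the standard NNTP response codes (281, 381, 480, 481, 482, 483, 502). The user table, the group name and the `tls` flag are constructed for the example; Integrated Windows Authentication and client certificates are not modelled. It also records what a network sniffer would see on the clear-text port, which is the reason Basic Authentication belongs behind SSL.

```python
"""Toy model of the NNTP Authentication Methods settings on the Access tab.

Added illustration, not IIS code. USERS, the group name and the `tls` flag
are constructed; Integrated Windows Authentication and client certificates
are not modelled.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class AuthPolicy:
    allow_anonymous: bool = True   # default on the Access tab
    basic: bool = False            # Basic Authentication checkbox
    require_ssl: bool = False      # Require SSL Client Authentication checkbox


# Constructed credential store; the real server validates Windows accounts.
USERS = {"alice": "s3cret"}


@dataclass
class Session:
    policy: AuthPolicy
    tls: bool                               # client connected on the SSL port
    pending_user: Optional[str] = None      # name given with AUTHINFO USER
    user: Optional[str] = None              # set once AUTHINFO PASS succeeds
    wire: List[str] = field(default_factory=list)  # what a sniffer would see


def greeting(session: Session) -> str:
    """Banner sent when the connection is accepted."""
    if session.policy.require_ssl and not session.tls:
        return "483 Secure connection required"
    return "200 NNTP service ready, posting allowed"


def handle(session: Session, line: str) -> str:
    """Apply the policy to one client command and return the server's reply."""
    if not session.tls:
        session.wire.append(line)           # clear-text port: every byte is visible
    words = line.split(None, 2)
    if not words:
        return "500 Command not recognized"
    cmd = words[0].upper()

    if session.policy.require_ssl and not session.tls:
        return "483 Secure connection required"

    if cmd == "AUTHINFO":
        if not session.policy.basic:
            return "502 Command unavailable"        # Basic box unchecked
        sub = words[1].upper() if len(words) > 1 else ""
        arg = words[2] if len(words) > 2 else ""
        if sub == "USER":
            session.pending_user = arg
            return "381 Enter password"
        if sub == "PASS":
            if session.pending_user is None:
                return "482 Authentication commands issued out of sequence"
            ok = USERS.get(session.pending_user) == arg
            session.user = session.pending_user if ok else None
            session.pending_user = None
            return "281 Authentication accepted" if ok else "481 Authentication failed"
        return "501 Syntax error"

    # Any other command: an unauthenticated client is admitted only when
    # Allow Anonymous is checked.
    if session.user is None and not session.policy.allow_anonymous:
        return "480 Authentication required"
    if cmd == "GROUP" and len(words) > 1:
        return "211 0 0 0 " + words[1]              # constructed empty group
    return "500 Command not recognized"


def run(policy: AuthPolicy, tls: bool, commands: List[str]) -> Tuple[List[str], List[str]]:
    """Replay a client's commands; returns (reply codes incl. greeting, sniffed lines)."""
    session = Session(policy, tls)
    replies = [greeting(session)] + [handle(session, c) for c in commands]
    return [r.split()[0] for r in replies], session.wire
```

With Basic Authentication on and the client on port 119, `run` returns the password in the sniffed list verbatim; with Require SSL Client Authentication set, the same client never gets past the 483 banner, and the password never crosses the clear-text port.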
Secure Communication
In the Access tab, you can click the Certificate button to open the Web Server Certificate Wizard. The wizard, and the process for setting key pairs and certificates tasks, are the same as they are for the WWW service. Refer to Chapter 2 for more information about using the Web Server Certificate Wizard.
Connection Control
Computers with a particular IP address or domain name may be barred from a given NNTP virtual server, or may be the only ones granted access to it. To set connection restrictions, click the Connection button in the Connection Control area of the Access tab. The Connection dialog box opens with two option selectors at the top, labeled Only The List Below and All Except The List Below, a list in the middle, and Add and Remove buttons below the list. Selecting either option refreshes the list to show the IP addresses or domain names that the restriction applies to.
Click the Add button to open a window prompting for the IP address, domain name, or subnet (address and mask) to add to the list. Select an entry in the list and click Remove to delete it. When the changes are complete, click OK to apply them; click Cancel and no changes are made. By default, no restrictions are set for an NNTP virtual server. Domain-name entries can only be matched by a reverse DNS lookup on the connecting address, which costs a DNS query per connection and trusts whoever controls the PTR record for that address; prefer IP address and subnet entries for anything security-relevant, and treat a name-based list as a convenience rather than a control.
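The two modes of the Connection dialog, and the weakness of domain-name entries, are shown in the following added example, which is not code from IIS or the book. It evaluates an Only The List Below (allow-list) or All Except The List Below (deny-list) rule set against a client address, with entries that are single addresses, subnets in address/mask form, or domain names. Name entries are matched through a reverse-lookup function supplied by the caller; the optional forward-confirmation check is an added hardening step, not an IIS feature. The addresses, names and lookup tables are constructed for the example.

```python
"""Evaluate Connection Control rules from the Access tab against a client.

Added illustration, not IIS code. The forward-confirmation check is an
added hardening step; IIS matches domain-name entries by reverse lookup
only. All addresses, names and lookup tables are constructed.
"""
import ipaddress
from typing import Callable, Iterable, List, Optional

ReverseDNS = Callable[[str], Optional[str]]   # client IP -> PTR name or None
ForwardDNS = Callable[[str], List[str]]       # name -> A records


def _name_matches(entry: str, client_ip: str, reverse: ReverseDNS,
                  forward: Optional[ForwardDNS]) -> bool:
    """Domain-name entry: PTR lookup, optionally confirmed by a forward lookup."""
    name = reverse(client_ip)
    if name is None:
        return False                      # no PTR record: a name rule cannot match
    name = name.lower().rstrip(".")
    domain = entry.lower().lstrip("*").lstrip(".")
    if not (name == domain or name.endswith("." + domain)):
        return False
    if forward is not None and client_ip not in forward(name):
        return False                      # PTR not backed by an A record: spoofed
    return True


def _matches(entry: str, client_ip: str, reverse: ReverseDNS,
             forward: Optional[ForwardDNS]) -> bool:
    try:
        # "192.0.2.10" (single host) or "10.0.0.0/255.255.255.0" (subnet + mask)
        network = ipaddress.ip_network(entry, strict=False)
    except ValueError:
        return _name_matches(entry, client_ip, reverse, forward)
    return ipaddress.ip_address(client_ip) in network


def connection_allowed(mode: str, entries: Iterable[str], client_ip: str,
                       reverse: ReverseDNS = lambda ip: None,
                       forward: Optional[ForwardDNS] = None) -> bool:
    """mode is "only" (Only The List Below) or "except" (All Except The List Below)."""
    hit = any(_matches(e, client_ip, reverse, forward) for e in entries)
    if mode == "only":
        return hit
    if mode == "except":
        return not hit
    raise ValueError("mode must be 'only' or 'except'")


# Constructed DNS data: the attacker controls the PTR for 203.0.113.0/24 and
# points it at a name inside the trusted domain; no A record backs it.
PTR = {"192.0.2.10": "feed1.corp.example.", "203.0.113.9": "feed9.corp.example."}
A = {"feed1.corp.example": ["192.0.2.10"]}


def demo_reverse(ip: str) -> Optional[str]:
    return PTR.get(ip)


def demo_forward(name: str) -> List[str]:
    return A.get(name, [])
```

Run with `demo_reverse` alone, the spoofed 203.0.113.9 passes a `corp.example` allow-list exactly as it would pass the IIS dialog; only the forward check rejects it, which is why the prose above recommends address and subnet entries for security decisions.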
Settings Tab
Click the Settings tab in the Properties window to see the settings shown in Figure 5-6. The configurations on the Settings tab affect the way an NNTP virtual server behaves in routine newsgroup serving.
An NNTP virtual server may be configured to restrict client postings using the following settings:
- Allow Client Posting: Lets clients post newsgroup messages to the NNTP virtual server. This is checked by default. If it is not checked, the NNTP virtual server acts as a read-only server for clients.
- Limit Post Size: When checked, imposes a maximum size for a single posted message. By default this is checked and a message may be no larger than 1000 KB.
- Limit Connection Size: When checked, imposes a limit on the cumulative size of all postings made over a single connection. By default this is checked and the cumulative limit is 20 megabytes (MB).
An NNTP virtual server may be configured to restrict news feed postings using the following settings:
- Allow Feed Posting: Lets news feeds post to the NNTP virtual server. This is checked by default.
- Limit Post Size: When checked, imposes a maximum size for a single message posted by a feed. By default this is checked and a message may be no larger than 1500 KB.
- Limit Connection Size: When checked, imposes a limit on the cumulative size of all postings made over a single feed connection. By default this is checked and the cumulative limit is 40 MB.
The NNTP virtual server may also be restricted from allowing other NNTP servers to pull news from it. The Allow Servers To Pull News Articles From This Server checkbox enables or restricts other NNTP servers from reading your server through a pull feed. By default, this checkbox is not selected.
The Allow Control Messages checkbox permits control messages to be posted, which can create newsgroups, post messages, and delete (cancel) existing posts. By default it is not selected, so control messages are refused. This feature is a genuine security risk: a control message is an ordinary article carrying a Control header, its sender is whatever the From line claims, and accepting one lets any client that can post reconfigure your NNTP virtual server to that extent. Leave it unselected unless you need it and can restrict posting to trusted sources.
The NNTP virtual server can also support newsgroup moderation, in which the moderator must approve postings prior to their publication to the group. The SMTP Server For Moderated Groups text box will accept the DNS name for the SMTP server that should be used to send messages to the moderator. A local file path may also be specified, if preferred.
If a moderated newsgroup does not have a specified moderator, the Default Moderator Domain text box may be used to specify a domain to use to send moderator notifications. The e-mail messages would be sent in the form of <news group name>@<domain name>, where the <news group name> value is the name of the newsgroup that the message was posted to and the <domain name> is the domain name that is entered in the text box.
Nondelivery reports for e-mail notifications sent to moderators can be forwarded to an administrator using the address in the Administrator E-mail Account text box. This is useful for discovering that a group moderator no longer exists: every nondelivery report generated when a moderator notification fails is forwarded to that address. Entering the e-mail address alone does not enable the feature, however; a registry value must be added under the following key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NntpSvc\Parameters
At that key, create a new DWORD value named MailFromHeader with a value of 1. Forwarding of nondelivery reports generated by moderator notification failures is then active.
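The posting limits, the control-message switch and the moderation routing described on this tab all decide the fate of one incoming article, so they are easiest to understand as a single acceptance check. The following is an added example for this page, not code from IIS or the book. It applies Allow Client Posting and Allow Feed Posting, Limit Post Size (1000 KB for clients, 1500 KB for feeds), Limit Connection Size (20 MB and 40 MB cumulative per connection), Allow Control Messages, and moderated-group forwarding to `<newsgroup>@<Default Moderator Domain>`. Control messages are recognised by a Control header or a Subject beginning with "cmsg ", as RFC 1036 defines them. The articles, group names, moderator domain and the `(accepted, reason)` result form are constructed for the example; the real server answers with NNTP response codes.

```python
"""Apply the Settings tab posting policy to an incoming article.

Added illustration, not IIS code. Articles, group names, the moderator
domain and the (accepted, reason) result form are constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

KB = 1024
MB = 1024 * KB


@dataclass
class SourcePolicy:
    allow_posting: bool = True
    max_post_bytes: Optional[int] = None   # Limit Post Size (None = unlimited)
    max_conn_bytes: Optional[int] = None   # Limit Connection Size (None = unlimited)


@dataclass
class ServerSettings:
    # Defaults from the Settings tab: clients 1000 KB / 20 MB, feeds 1500 KB / 40 MB
    client: SourcePolicy = field(default_factory=lambda: SourcePolicy(True, 1000 * KB, 20 * MB))
    feed: SourcePolicy = field(default_factory=lambda: SourcePolicy(True, 1500 * KB, 40 * MB))
    allow_control: bool = False                            # unchecked by default
    default_moderator_domain: str = "moderators.example"   # constructed value
    # moderated newsgroup -> explicit moderator address, or None for the default domain
    moderated: Dict[str, Optional[str]] = field(default_factory=dict)


@dataclass
class Connection:
    source: str            # "client" or "feed"
    bytes_posted: int = 0  # running total for Limit Connection Size


def parse_headers(article: bytes) -> Dict[str, str]:
    """Header block ends at the first blank line; header names are case-insensitive."""
    head, _, _ = article.partition(b"\r\n\r\n")
    headers: Dict[str, str] = {}
    for line in head.decode("latin-1").split("\r\n"):
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


def is_control(headers: Dict[str, str]) -> bool:
    """RFC 1036: a Control: header, or a Subject: starting with "cmsg "."""
    return "control" in headers or headers.get("subject", "").startswith("cmsg ")


def accept(settings: ServerSettings, conn: Connection, article: bytes) -> Tuple[bool, str]:
    """Decide whether one article is taken, and where it goes."""
    policy = settings.client if conn.source == "client" else settings.feed
    size = len(article)
    if not policy.allow_posting:
        return False, "posting not permitted for this source"
    if policy.max_post_bytes is not None and size > policy.max_post_bytes:
        return False, "article exceeds Limit Post Size"
    if policy.max_conn_bytes is not None and conn.bytes_posted + size > policy.max_conn_bytes:
        return False, "connection exceeds Limit Connection Size"
    headers = parse_headers(article)
    if is_control(headers) and not settings.allow_control:
        return False, "control messages are not allowed"
    conn.bytes_posted += size
    for group in (g.strip() for g in headers.get("newsgroups", "").split(",")):
        if group in settings.moderated and "approved" not in headers:
            moderator = settings.moderated[group] or f"{group}@{settings.default_moderator_domain}"
            return True, f"forwarded to moderator {moderator}"
    return True, "posted"


def make_article(headers: Dict[str, str], body: bytes = b"hello") -> bytes:
    """Build a constructed article with CRLF line endings."""
    head = "".join(f"{k}: {v}\r\n" for k, v in headers.items())
    return head.encode("latin-1") + b"\r\n" + body
```

Two details worth noticing: an article that fits the per-post limit is still refused when it would push the connection total past Limit Connection Size, and a cancel or rmgroup arrives as a perfectly ordinary post, so nothing but the Allow Control Messages setting stands between a posting client and your newsgroup list.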
Security Tab
To configure any given NNTP virtual server, permissions must be granted to Windows users or groups on the host, or on another authenticating server that has a trust relationship with the host of the NNTP virtual server. Users or groups that must perform administrative tasks for the NNTP virtual server are designated as its operators. By default, the Administrators group and the NT AUTHORITY\LOCAL SERVICE and NT AUTHORITY\NETWORK SERVICE accounts are operators of every NNTP virtual server. An operator can change everything described in this section, including the authentication methods and the control-message setting, so operator membership deserves the same scrutiny as membership of the Administrators group.
You designate a user as an operator for a given NNTP virtual server on the Security tab, shown in Figure 5-7. A list box shows the Administrators group and the users designated as operators, with Add and Remove buttons below it. Click Add to open the Select Users Or Groups dialog box; after selecting a user or group, click OK and the selection is added to the list of operators for the NNTP virtual server. To remove a user or group, select it in the list and click Remove. The Administrators group cannot be removed.
Creating a New NNTP Virtual Server
If you need to create a new NNTP virtual server, IIS 6 provides a wizard that walks you through the process. The wizard is unfortunately the only way to create one unless you write your own WSH script. Decide on the internal files path before starting, since it cannot be changed after the NNTP virtual server is created.
1. To create a new NNTP virtual server, right-click the Internet Information Services (IIS) Manager node in the Computer Management MMC.
2. Choose New | NNTP Virtual Server. The New NNTP Virtual Server Wizard opens with its welcome screen, prompting for a name for the new NNTP virtual server.
3. Enter a name to identify the NNTP virtual server in the MMC, and click Next.
4. The next screen prompts for the IP address and port for the new NNTP virtual server. The IP address must be one the server is already configured with. The default NNTP port is 119; using another port would require clients to connect on a nonstandard port. Click Next to continue.
5. The wizard prompts for the internal files path. This path cannot be changed after the NNTP virtual server is created, so choose an appropriate path and click Next.
6. The Select Storage Medium screen prompts for where the content should be stored. Choose File System or Remote Share, and click Next.
7. If you chose File System, the wizard prompts for the news content file path. Enter a path on a local drive of the server where the news content should be stored. This location will hold the content of every newsgroup, so expect it to consume significant storage depending on how the NNTP virtual server is configured. Click Finish to complete the wizard.
8. If you chose Remote Share in step 6, enter the Universal Naming Convention (UNC) path to the share on the remote host, and click Next.
9. The wizard prompts for the network credentials to use for the remote share. Enter the login name and password used to authenticate to the remote host, and click Finish to complete the wizard. The NNTP service keeps these credentials and uses them for every access to the share, so use a dedicated account whose only right is access to that share.
After the New NNTP Virtual Server Wizard is finished, the new NNTP virtual server will have a new node added to and displayed in the MMC. If the NNTP virtual server does not have any conflicts, it should start immediately after it is created.