Evolution of HTTP on Windows Platform

Before the boom of the web and the internet, HTTP was not so common in everyday life. As the internet became more and more widely used, HTTP usage grew with it.


A basic web server serves static HTML content; then came the era in which several ways emerged to extend the web server and its features. Because of the popularity of the web, most companies connected to the internet have port 80 (the default HTTP port) open on their firewalls. This simply means that most companies placed no restrictions on HTTP, and it thereby became the default and uninterrupted way of global communication.


HTTP on the Windows platform was initially used only by IIS for serving websites. Gradually, because of the simplicity and availability (of open port 80) of HTTP, several other applications started using HTTP as a transport medium. Then came the wave of HTTP-based protocols, and of other protocols tunneling through HTTP.


Examples include RPC over HTTP (I would rather call it “RPC through HTTP”) for Exchange, and SQL, to name a few. SQL started supporting HTTP so that you can expose a database over the web using HTTP: SQL queries can be executed using the query string and the results are returned as XML. Once more and more application platforms started using HTTP, it became important to have a uniform and consistent way to use the HTTP protocol on the Windows platform. So the kernel-mode driver called HTTP.SYS was born. Since it is a kernel-mode driver, it gives us a lot of advantages (mainly on 64-bit machines with a huge amount of memory for kernel-mode caching and higher performance) and creates a layer that gives a consistent way of utilizing the HTTP protocol. HTTP.SYS also provides APIs for when we need to use the HTTP protocol directly and bypass IIS. This route obviously lacks other features provided by IIS, such as health monitoring and easy management, but can be utilized for specific needs.


Next big leap – IIS7

Before we look at some of the upcoming features in IIS7, let us see what is lacking up to the current version of IIS, i.e. IIS6.

·         Delegation of administration (very important for website hosting and also for hosting department websites, each with its own admin)

·         Extensibility (A thorough understanding of IIS is required in order to write high performance ISAPI Filters or Extensions)

·         You can add features but not replace features

·         Managing IIS was not feasible for a large number of websites, simply because the MMC-style interface is not efficient.

·         Even if you use ASP.NET (handlers or modules) it works at a lower level than ISAPI Filters/Extensions.

·         Debugging or tracing (A fair amount of tracing features were introduced in IIS6 and more with SP1 but still we resort to post-mortem dumps for 60% of our cases)

·         XCopy deployment of websites.


Now a “few” of the highlights from the IIS7 feature list

·         Delegation of administration down to a granular level (such as attribute level); users can come from Active Directory, SAM (workgroup) or a custom database.

·         You have managed and unmanaged APIs to access IIS or for admin purposes (e.g. showing a list of pages currently running and how much CPU each of them is taking). This is possible in IIS6 with SP1 (Windows 2003 SP1), but only with extra tools; in IIS7 it’s available inside the MMC itself.

·         You can search for or bookmark a website when you have too many sites, for easy administration.

·         Now with the new Integrated Pipeline, you can write managed or unmanaged ISAPI

·         A lot of tracing functionality is included, e.g. Failed Request Tracing, down to specifics like “only requests that failed with authentication”.

·         Since website-related details (like the default page) are stored inside web.config (the site need not be an ASP.NET application), you can deploy sites using XCopy and it simply works.

·         You can enable an admin service on a different secure port, which can be used for administering IIS remotely (http). This is not an admin website like before but a separate service.

·         You can replace existing IIS components by replacing the dll name in the application.config file. Examples: custom logging, custom authentication. This simply means that everything is pluggable and only required features are installed or loaded into the process. For example, if you don't want "Basic Authentication", you don't even install it. This reduces attack surface and also enables better performance.

·         My favorite feature: you can enable forms authentication with a single page (uses .NET 2.0) for htm / asp / asp.net / php / cgi / images or any application web site.
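The pluggable-components point above also gives administrators something to audit: the module list itself. The following is an added example, not code from the original post or from IIS. It assumes the module list has the `<globalModules>` layout used by the shipped IIS 7 `applicationHost.config`; the sample config, the baseline set and `ExampleCustomLogger` are constructed for illustration.

```python
import xml.etree.ElementTree as ET
from ntpath import normcase  # Windows path rules, usable on any OS

# Constructed sample shaped like a <globalModules> section (assumed layout).
SAMPLE_CONFIG = r"""
<configuration>
  <system.webServer>
    <globalModules>
      <add name="StaticFileModule" image="%windir%\System32\inetsrv\static.dll" />
      <add name="HttpLoggingModule" image="%windir%\System32\inetsrv\loghttp.dll" />
      <add name="BasicAuthenticationModule" image="%windir%\System32\inetsrv\authbasic.dll" />
      <add name="ExampleCustomLogger" image="D:\vendor\examplelog.dll" />
    </globalModules>
  </system.webServer>
</configuration>
"""

# Assumed baseline for this server role: only what the sites actually need.
ALLOWED_MODULES = {"StaticFileModule", "HttpLoggingModule"}
# Directory that holds the stock IIS module DLLs, normalized for comparison.
TRUSTED_DIR = normcase(r"%windir%\System32\inetsrv") + "\\"


def audit_global_modules(config_xml, allowed=ALLOWED_MODULES):
    """Return (name, image, reasons) for every module that needs review."""
    root = ET.fromstring(config_xml)
    findings = []
    for section in root.iter("globalModules"):
        for entry in section.findall("add"):
            name = entry.get("name", "")
            image = entry.get("image", "")
            reasons = []
            if name not in allowed:
                # Installed but not required: extra attack surface.
                reasons.append("not in baseline")
            if not normcase(image).startswith(TRUSTED_DIR):
                # A replaced or added DLL: confirm who deployed it and why.
                reasons.append("image outside inetsrv")
            if reasons:
                findings.append((name, image, reasons))
    return findings


if __name__ == "__main__":
    for name, image, reasons in audit_global_modules(SAMPLE_CONFIG):
        print(f"{name}: {', '.join(reasons)} ({image})")
```

Running the same check on a schedule and diffing the findings against the previous run surfaces module changes that nobody requested.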


You can see some managed code snippets of the IIS7 Admin APIs at the following link



Make sure you see the piece of code titled “Getting list of executing requests” which is my favorite.


Coming up - Screenshots of IIS7 Administration Interface :)



Comments (2)
  1. Garry Trinder says:

    So things like Apache’s "mod_rewrite" or "mod_proxy" are now possible, too?

  2. Sukeshak says:

    IMHO, proxy or reverse proxy functionality is not really required as part of a webserver. ISA would be best for such things. But if someone really wants they can always implement it using managed/unmanaged modules.

    I believe mod_rewrite kind of functionality is being implemented; once I get my hands on it, I will provide more info here.
