Internet Information Services (IIS) can access data in Server Message Block (SMB) file
systems in the same way as it accesses data in on-premises disks. With IIS providing the
web and FTP services and the SMB file system holding the content, website storage is
separated from computing. This topic describes how to configure IIS to access a NAS file system.
Background information
Windows Server is a popular platform that is used to build websites. A large number
of users build websites on Windows Elastic Compute Service (ECS) instances and store
the content resources of the website on a reliable and high-throughput SMB file system.
In addition, the computing and storage resources support auto scaling based on specific
business requirements.
The FTP service provided by IIS meets a wide range of requirements. A large number
of website administrators remotely manage website content by using the FTP service.
Meanwhile, a large number of Alibaba Cloud users want to transfer and share files
between WANs and Alibaba Cloud by using the FTP service on Windows ECS instances.
In this example, IIS 7.5 (Windows Server 2008 R2) is used to describe how to use NAS
to provide both the web service and FTP service for a Windows ECS instance. You can
also use Server Load Balancer (SLB) to build a multi-server website that provides
error tolerance. For more information, see What is SLB?
Notice
- This topic provides some security suggestions, but they are not a complete security
solution. You must devise your own plans to secure your web service and data. For
example, you can safeguard your system security by setting up firewalls, configuring
security groups for ECS instances, and installing operating system patches. You can
also safeguard your service security by using the security services of Alibaba Cloud.
- In this topic, a standard user named iis_user is used. We recommend that you access
data as this user instead of the system administrator when you deploy FTP services
or run IIS web services on Windows Server 2016.
Install Windows IIS
In this example, Windows Server 2008 R2 is used to describe how to add an IIS role
and install IIS by using Server Manager.
- In the Windows server, choose .
- In the left-side navigation pane of the Server Manager dialog box, click Roles and then click Add Roles.
- In the left-side navigation pane of the Add Roles Wizard, click Server Roles and select Web Server (IIS).
- In the left-side navigation pane of the Add Roles Wizard, click Role Services, and select the role services that you want to install for the web server (IIS).
In addition to the default services, you must also select ASP and FTP Server to enable FTP services and demonstrate dynamic web pages by using scripts.

- Click Next and complete the installation as prompted.
Access the SMB file system
You can store your web resources and configuration files in the shared directory (myshare
by default) of the SMB file system. You can configure the permission group of the
SMB file system to make sure that the web server can read data from and write data
to the file system.
- Open the File Explorer window and enter \\xxxx-xxxx.cn-hangzhou.nas.aliyuncs.com\myshare in the address bar to access the SMB file system, where:
- xxxx-xxxx.cn-hangzhou.nas.aliyuncs.com is the domain name of the mount target for the SMB file system.
- myshare is the default shared directory of the SMB file system. You cannot change this directory.
- Create a subdirectory named www in the myshare directory of the SMB file system to store web page files of your website.
In this example, the static web page file index.html and the dynamic web page file
test.asp are created in the myshare\www directory. The following sample code shows how to create the files:
Set up the Windows IIS web service
- In the Windows server, choose .
- In the left-side navigation pane, choose , and click Basic Settings.
- In the Edit Site dialog box, set Physical path and click OK.
In the Physical path field, enter the storage path of web resources on NAS, for example, \\xxxx-xxxx-shanghai.nas.aliyuncs.com\myshare\www. xxxx-xxxx-shanghai.nas.aliyuncs.com is the domain name of the mount target. You must change the domain name based on
your business requirements.

Note
- By default, you must use a user account and user group of IIS to access a network
drive (for example, Z:\) mapped in the user session. You cannot directly access the
mapped network drive as a Windows user. Otherwise, an access error may occur.
- If you are using Windows Server 2016, you must perform other operations to integrate
IIS with NAS after you set up the Windows IIS web service. For more information, see
How can I integrate IIS with NAS?
- Verify the setting.
Enter the local paths of the index.html and test.asp files in the address bar of your
browser to open these files. If the following figures are displayed, IIS is running
as expected. You can also configure security groups for your ECS instances and configure Windows
Firewall to guarantee access security.


Set up the Windows IIS FTP service
- In the Windows server, choose .
- Install the SSL certificate.
- On the homepage, double-click Server Certificates.
- On the Server Certificates page, click Create Self-Signed Certificate.
- Specify a name for the certificate, and click OK.
- Set up an FTP site.
- In the left-side navigation pane, double-click Sites.
- On the Sites page, click Add FTP Site.
- In the Add FTP site dialog box, set the relevant parameters and click Next.
In the Physical path field, enter the storage path of web resources on NAS, for example, \\xxxx-xxxx-shanghai.nas.aliyuncs.com\myshare\www. xxxx-xxxx-shanghai.nas.aliyuncs.com is the domain name of the mount target. You must change the domain name based on
your business requirements.
You can select another subdirectory in the myshare directory based on your business requirements. You can also set up multiple FTP sites
that provide different ports to access different directories.

- In the Binding and SSL Settings dialog box, set the relevant parameters and click Next.
Set the following parameters:
- Port: The default port number is 21. For security reasons, port 2222 is used in this example.
- SSL Certificate: select the created SSL certificate.

- Configure the authentication and authorization information, and click Finish.
Set the following parameters:
- Authentication: Select Basic.
- Authorization: Select a user who is allowed to access NAS. In this example, iis_user is used.
- Permissions: Grant read and write permissions to the user.

- Set up the FTP firewall.
On the homepage, double-click FTP Firewall Support. In the dialog box that appears, specify Data Channel Port Range, and then click Apply.

- In the Server Manager window, restart the FTP service to apply the port range configuration.
- In the ECS console, configure the security group for the ECS instance to restrict
the access of FTP clients. For more information, see Create a security group.
- Access the FTP site through the FTP client WinSCP.
- Open WinSCP.
- Click Yes to accept the server certificate.
- Set the protocol type, port number, and logon information.
- Enter the password of the authorized user (iis_user).
- Establish a data connection to allow the server to read data from and write data to
remote directories.
- After the connection is created, you can upload and download files.
How can I achieve coordination of IIS and NAS in Windows Server 2016?
If you are using Windows Server 2016, you must perform the following operations to
achieve coordination of IIS and NAS after you set up the Windows IIS web service:
- Modify the registry key of the SMB client.
- On the Windows server, choose .
- In the left-side navigation pane of Registry Editor, choose , right-click a blank area, and then choose .
- Set the value name to AllowInsecureGuestAuth, set the value data to 1, and then click OK.
- Specify a local user to access the web resources stored on NAS.
- In the Windows server, choose .
- In the left-side navigation pane, choose , and click Basic Settings.
- In the Edit Site dialog box, click Connect as.
- Select Specific User and click Set.
- Set the username and password, and then click OK.
In this example, the iis_user user is used.
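A read-only check of the two settings this procedure changes, as an added example that is not part of the original page: it reports whether the SMB client accepts insecure guest logons (the state that AllowInsecureGuestAuth = 1 produces, exposed by Get-SmbClientConfiguration as EnableInsecureGuestLogons) and which Connect as user the site uses. The function name and the site name 'Default Web Site' are assumptions; the page does not name the site.

```powershell
# Added example, not code from the original page.
# Assumptions: the function name and the site name passed at the bottom are hypothetical.
Import-Module WebAdministration

function Get-IisNasAccessAudit {
    param(
        [Parameter(Mandatory = $true)] [string]$SiteName,
        [string]$ExpectedUser = 'iis_user'   # account named on the page
    )

    # Host-wide SMB client setting; True once AllowInsecureGuestAuth is set to 1.
    $guestLogons = (Get-SmbClientConfiguration).EnableInsecureGuestLogons

    # The site node exposes the root virtual directory's path and "Connect as" user.
    $site      = Get-Item "IIS:\Sites\$SiteName" -ErrorAction Stop
    $path      = [string]$site.physicalPath
    $connectAs = [string]$site.userName

    $findings = @()
    if ($guestLogons) {
        $findings += 'SMB client accepts insecure guest logons (host-wide setting).'
    }
    if ([string]::IsNullOrEmpty($connectAs)) {
        $findings += 'No "Connect as" user is set; pass-through authentication is in effect.'
    }
    elseif (($connectAs -split '\\')[-1] -ne $ExpectedUser) {
        # Compare only the account part so WORKGROUP\iis_user matches iis_user.
        $findings += "Connect-as user is '$connectAs', expected '$ExpectedUser'."
    }

    [pscustomobject]@{
        Site                = $SiteName
        PhysicalPath        = $path
        IsUncPath           = $path.StartsWith('\\')
        ConnectAsUser       = $connectAs
        InsecureGuestLogons = $guestLogons
        Findings            = $findings
    }
}

# Run from an elevated PowerShell session on the web server.
Get-IisNasAccessAudit -SiteName 'Default Web Site' | Format-List
```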
How can I achieve coordination of IIS and NAS in Windows Server 2019?
If you are using Windows Server 2019, you must follow the steps in
How can I achieve coordination of IIS and NAS in Windows Server 2016? to modify the registry key and add the iis_user. You must also run the
New-SmbGlobalMapping command in PowerShell to mount the file system and resolve the DLL load failure.
The following code is an example:
# Define clear text string for username and password
[string]$userName = 'WORKGROUP\administrator'
[string]$userPassword = '****'
# Convert to SecureString
[securestring]$secStringPassword = ConvertTo-SecureString $userPassword -AsPlainText -Force
[pscredential]$credObject = New-Object System.Management.Automation.PSCredential ($userName, $secStringPassword)
New-SmbGlobalMapping -LocalPath z: -RemotePath \\file-system-id.region.nas.aliyuncs.com\myshare -Persistent $true -Credential $credObject
In this example, **** is the logon password of the administrator.
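The same mapping without a clear-text password stored in the script file, as an added example that is not part of the original page: the credential is requested with Get-Credential, an existing mapping is reused, and the share is checked before IIS is pointed at it. The function name and parameter defaults are hypothetical; the remote path reuses the page's file-system-id.region placeholder.

```powershell
# Added example, not code from the original page.
# Assumptions: function name and defaults are hypothetical; replace the
# file-system-id.region placeholder with your mount target's domain name.
function New-NasGlobalMapping {
    param(
        [string]$LocalPath  = 'Z:',
        [string]$RemotePath = '\\file-system-id.region.nas.aliyuncs.com\myshare',
        # Prompt at run time so the password never appears in the script or its history.
        [pscredential]$Credential = (Get-Credential -Message 'Account used to mount the SMB file system')
    )

    # Reuse an existing mapping; refuse to continue if the drive letter points elsewhere.
    $existing = Get-SmbGlobalMapping -LocalPath $LocalPath -ErrorAction SilentlyContinue
    if ($existing) {
        if ($existing.RemotePath -ne $RemotePath) {
            throw "$LocalPath is already mapped to $($existing.RemotePath)."
        }
        return $existing
    }

    $mapping = New-SmbGlobalMapping -LocalPath $LocalPath -RemotePath $RemotePath `
        -Persistent $true -Credential $Credential -ErrorAction Stop

    # Confirm the share is reachable before IIS depends on it.
    if (-not (Test-Path -LiteralPath "$LocalPath\")) {
        throw "Mapping was created but $LocalPath is not reachable."
    }
    return $mapping
}

# Run from an elevated PowerShell session.
New-NasGlobalMapping | Format-List LocalPath, RemotePath, Status
```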