Use Windows IIS to access Apsara File Storage NAS - Best Practices| Alibaba Cloud Documentation Center

Background information

Windows server is a popular platform that is used to build websites. A large number of users build websites on Windows Elastic Compute Service (ECS) instances and store the content resources of the website on a reliable and high-throughput SMB file system. In addition, the computing and storage resources support auto scaling based on specific business requirements.

The FTP service provided by IIS includes a wide range of requirements. A large number of website administrators remotely manage website content by using the FTP service. Meanwhile, a large number of Alibaba Cloud users want to transfer and share files between WANs and Alibaba Cloud by using the FTP service on Windows ECS instances.

In this example, IIS 7.5 (Windows Server 2008 R2) is used to describe how to use NAS to provide both the web service and FTP service for a Windows ECS instance. You can also use Server Load Balancer (SLB) to build a multi-server website that provides error tolerance. For more information, see What is SLB?

Notice

The topic provides some security suggestions, but they are not a complete security solution. You must devise your own plans to secure your web service and data. For example, you can safeguard your system security by setting up firewalls, configuring security groups for ECS instances, and installing operating system patches. You can also safeguard your service security by using the security services of Alibaba Cloud.
In this topic, a normal user named iss_user is used. We recommend that you access data as this user instead of the system administrator when you deploy FTP services or run IIS web services on Windows Server 2016.

Install Windows IIS

In this example, Windows Server 2008 R2 is used to describe how to add an IIS role and install IIS by using Server Manager.

Note For more information about how to install IIS on different Windows operating systems, see Install IIS and ASP.NET Modules.

In the Windows server, choose Start > Administrative Tools > Server Manager.
In the left-side navigation pane of the Server Manager dialog box, click Roles and then click Add Roles.
In the left-side navigation pane of the Add Roles Wizard, click Server Roles and select Web Server (IIS).
In the left-side navigation pane of the Add Roles Wizard, click Role Services, and select the role services that you want to install for the web server (IIS).

In addition to the default services, you must also select ASP and FTP Server to enable FTP services and demonstrate dynamic web pages by using scripts.
Click Next and complete the installation as prompted.

Access the SMB file system

You can store your web resources and configuration files in the shared directory (myshare by default) of the SMB file system. You can configure the permission group of the SMB file system to make sure that the web server can read data from and write data to the file system.

Open the File Explorer window and enter \\xxxx-xxxx.cn-hangzhou.nas.aliyuncs.com\myshare in the address bar to access the SMB file system. where:
- xxxx-xxxx.cn-hangzhou.nas.aliyuncs.com is the domain name of the mount target for the SMB file system.
- myshare is the default shared directory of the SMB file system. You cannot change this directory.
Create a subdirectory named www in the myshare directory of the SMB file system to store web page files of your website.
In this example, the static web page file index.html and the dynamic web page file test.asp are created in the myshare\www directory. The following sample code shows how to create the files:
- Index.html
```
<HTML>
  <HEAD>
     <TITLE>Hello World in HTML</TITLE>
  </HEAD>
  <BODY>
     <CENTER><H1>Hello World! </H1></CENTER>
  </BODY>
</HTML>                         
```
  Hello World! is displayed in the static web page.
- Test.asp
```
<HTML>
  <BODY>
     This page was last refreshed on <%= Now() %>.
  </BODY>
</HTML>                            
```
  The current system time is displayed on the dynamic web page.

Set up the Windows IIS web service

In the Windows server, choose Start > Windows Operating System > Administrative Tools > Internet Information Services (IIS) Manager.
In the left-side navigation pane, choose View Sites > Default Web Site, and click Basic Settings.
In the Edit Site dialog box, set Physical path and click OK.
In the Physical path field, enter the storage path of web resources on NAS, for example, \\xxxx-xxxx-shanghai.nas.aliyuncs.com\myshare\www. xxxx-xxxx-shanghai.nas.aliyuncs.com is the domain name of the mount target. You must change the domain name based on your business requirements.
Note
- By default, you must use a user account and user group of IIS to access a network drive (for example, Z:\) mapped in the user session. You cannot directly access the mapped network drive as a Windows user. Otherwise, an access error may occur.
- If you are using Windows Server 2016, you must perform other operations to integrate IIS with NAS after you set up the Windows IIS web service. For more information, see How can I integrate IIS with NAS?
Verify the setting.

Enter the local paths of the index.html and test.asp files in the address bar of your browser to open these files. If the following figures are displayed, IIS is running as expected. You can also configure security groups for your ECS instances and configure Windows Firewall to guarantee access security.

Set up the Windows IIS FTP service

In the Windows server, choose Start > Windows Operating System > Administrative Tools > Internet Information Services (IIS) Manager.
Install the SSL certificate.
1. On the homepage, double-click Server Certificates.
2. On the Server Certificates page, click Create Self-Signed Certificate.
3. Specify a name for the certificate, and click OK.
Set up an FTP site.
1. In the left-side navigation pane, double-click Sites.
2. On the Sites page, click Add FTP Site.
3. In the Add FTP site dialog box, set the relevant parameters and click Next.
  
  In the Physical path field, enter the storage path of web resources on NAS, for example, \\xxxx-xxxx-shanghai.nas.aliyuncs.com\myshare\www. xxxx-xxxx-shanghai.nas.aliyuncs.com is the domain name of the mount target. You must change the domain name based on your business requirements.
  
  You can select another subdirectory in the myshare directory based on your business requirements. You can also set up multiple FTP sites that provide different ports to access different directories.
4. In the Binding and SSL Settings dialog box, set the relevant parameters and click Next.
  Set the following parameters:
  - Port: The default port number is 21. For security concerns, port 2222 is used.
  - SSL Certificate: select the created SSL certificate.
5. Configure the authentication and authorization information, and click Finish.
  Set the following parameters:
  - Authentication: Select Basic.
  - Authorization: Select a user who is allowed to access NAS. In this example, iis_user is used.
  - Permissions: Grant read and write permissions to the user.
Set up the FTP firewall.

On the homepage, double-click FTP Firewall Support dialog box, specify Data Channel Port Range, and then click Apply.
In the Server Manager window, restart the FTP service to validate the port range configurations.
In the ECS console, configure the security group for the ECS instance to restrict the access of FTP clients. For more information, see Create a security group.
Access the FTP site through the FTP client WinSCP.
1. Open WinSCP.
2. Click Yes to accept the server certificate.
3. Set the protocol type, port number, and logon information.
4. Enter the password of the authorized user (iis_user).
5. Establish a data connection to allow the server to read data from and write data to remote directories.
6. After the connection is created, you can upload and download files.

How can I achieve coordination of IIS and NAS in Windows Server 2016?

If you are using Windows Server 2016, you must perform the following operations to achieve coordination of IIS and NAS after you set up the Windows IIS web service:

Modify the registry key of the SMB client.
1. On the Windows server, choose Start > Administrative Tools > Registry Editor.
2. In the left-side navigation pane of Registry Editor, choose HKEY_LOCAL_MACHINE > SYSTEM > CurrentControlSet > Services > LanmanWorkstation > Parameters > AllowInsecureGuestAuth, right-click a blank area, and then choose New > DWORD (32-bit) Value.
3. Set the value name to AllowInsecureGuestAuth, set the value data to 1, and then click OK.
Specify a local user to access the web resources stored on NAS.
1. In the Windows server, choose Start > Windows Operating System > Administrative Tools > Internet Information Services (IIS) Manager.
2. In the left-side navigation pane, choose View Sites > Default Web Site, and click Basic Settings.
3. In the Edit Site dialog box, click Connect as.
4. Select Specific User and click Set.
5. Set the username and password, and then click OK.
  In this example, the iis_user user is used.

Note

When IIS accesses a file in the shared directory of the NAS file system, the backend of IIS may access the shared directory for multiple times. Although each access request does not take a long time, the client may take a long time to respond if multiple access requests are sent. For more information, see How to improve performance when using IIS to access NAS?
We recommend that you store the web-related files such as JS and CSS files to local disks if these files are frequently accessed by IIS.
If a write failure still occurs after you perform the preceding operations, see Install and configure the AD domain to resolve the access failure from IIS in Windows Server 2016 to SMB file systems, or.

How can I achieve coordination of IIS and NAS in Windows Server 2019?

If you are using Windows Server 2019, you must follow the steps in How can I achieve coordination of IIS and NAS in Windows Server 2016? to modify the registry key and add the iis_user. You must also run the New-SmbGlobalMapping command in PowerShell to mount the file system and resolve the load failure of DLL. The following code is an example:

# Define clear text string for username and password
[string]$userName = 'WORKGROUP\administrator'
[string]$userPassword = '****'

# Convert to SecureString
[securestring]$secStringPassword = ConvertTo-SecureString $userPassword -AsPlainText -Force

[pscredential]$credObject = New-Object System.Management.Automation.PSCredential ($userName, $secStringPassword)
New-SmbGlobalMapping -LocalPath z: -RemotePath \\file-system-id.region.nas.aliyuncs.com\myshare -Persistent $true -Credential $credObject

**** is the logon password of the administrator.

Prerequisites