This topic describes how to configure the built-in Internet Information Service (IIS) for Windows-based Elastic Compute Service (ECS) instances and configure Alibaba Cloud Apsara File Storage NAS to provide Web and File Transfer Protocol (FTP) services.

Background information

Apsara File Storage NAS provides file storage services for Alibaba Cloud ECS instances, E-HPC, Container Service, Elastic Web Hosting, Batch Compute, and other compute nodes. Apsara File Storage NAS is compatible with standard file access protocols, such as Network File System (NFS) and Server Message Block (SMB).

Compared with NFS, the SMB protocol is more compatible with Windows operating systems (OSs). Every version of Windows supports the SMB protocol. Most Windows applications can access Apsara File Storage NAS through the SMB protocol without changing the application code. Therefore, we recommend that you use an SMB-based Apsara File Storage NAS file system when you run applications on Windows-based ECS instances.

Windows Server is a very popular platform for building websites. Many Alibaba Cloud users select Windows-based ECS instances to deliver website services. You can store content resources of your websites on a reliable pay-as-you-go SMB-based Apsara File Storage NAS file system with high throughput. IIS allows you to access the data stored on the file system in the same way that you access local data. In this way, you can separate computing and storage resources for your websites. In addition, you can scale your computing and storage resources based on your business needs.

The FTP service provided by IIS meets a wide range of requirements. Many website administrators remotely manage website content by using the FTP service. Meanwhile, many Alibaba Cloud users want to transfer and share files between wide area networks (WANs) and Alibaba Cloud by using the FTP service on Windows-based ECS instances.

This topic uses IIS 7.5 (Windows Server 2008 R2) as an example to describe how to use Apsara File Storage NAS to provide both the Web service and FTP service on a single Windows-based ECS instance. The instructions provided in this topic also apply to other versions of Windows OS. You can also use Alibaba Cloud Server Load Balancer (SLB) to construct a multi-server website with higher levels of error tolerance and resilience. For more information, see What is Server Load Balancer?

Note
  • This topic provides some security suggestions, but they cannot serve as a complete security solution. You must devise your own plans to secure your Web services and data. For example, you can safeguard your system security by setting up firewalls, configuring security groups for ECS instances, and installing OS patches. You can also safeguard your service security by using Alibaba Cloud security products.
  • For improved security and management, a normal user (iis_user) instead of the system administrator is used to access data through the FTP service or through the Web service provided by IIS installed on the Windows Server 2016 OS.
Architecture diagram

Install Windows IIS

The Windows Server 2008 R2 OS is taken as an example to describe how to add an IIS role and install IIS by using Server Manager.

For more information about how to install IIS on different Windows OSs, see Install IIS and ASP.NET Modules.

  1. Open the Server Manager window.
  2. Click the Roles node, and click Add Roles to open the Add Roles Wizard.
  3. Click the Server Roles node, and select Web Server (IIS).
    Select Web Server (IIS)
  4. Click the Role Services node and select role services to be installed for the Web Server (IIS).

    In addition to default services, you must also select FTP Server and ASP to deliver FTP service and demonstrate dynamic Web pages through scripts.

    Select role services
  5. After you complete the configuration, click Install.

Create and access an SMB file system

You can store your Web resources and configuration files in the shared directory (myshare by default) of an SMB-based Apsara File Storage NAS file system. After you create an SMB file system, you can configure a permission group to make sure that the current Web server can read data from and write data to the file system.

  1. Create an SMB file system. For more information, see Create a file system.
  2. Add a mount target for the SMB file system. For more information, see Add a mount target.
  3. Open the Windows Explorer window and enter \\xxxx-xxxx.cn-hangzhou.nas.aliyuncs.com\myshare in the address bar to access the SMB file system.
    • xxxx-xxxx.cn-hangzhou.nas.aliyuncs.com is the domain name of the mount target for the SMB file system.
    • myshare is the default shared directory of the SMB file system. You cannot change this directory.
  4. Create a subdirectory named www under the myshare directory of the SMB file system to store Web page files of your website.

    The static Web page file index.html and the dynamic Web page file test.asp are created as an example to describe how to deliver Web services. The static Web page shows Hello World! and the dynamic Web page shows the current system time that updates in real time.

    • index.html
      <HTML>
        <HEAD>
           <TITLE>Hello World in HTML</TITLE>
        </HEAD>
        <BODY>
           <CENTER><H1>Hello World! </H1></CENTER>
        </BODY>
      </HTML>
    • test.asp
      <HTML>
        <BODY>
           This page was last refreshed on <%= Now() %>.
        </BODY>
      </HTML>

Set up the Windows IIS Web service

  1. Open the Internet Information Services (IIS) Manager window.
  2. Click localhost, choose View Sites > Default Web Site, and then click Basic Settings.
  3. In the Edit Site dialog box that appears, configure Physical path and click OK.

    In the Physical path field, enter the storage path of Web resources on Alibaba Cloud Apsara File Storage NAS, for example, \\xxxx-xxxx-shanghai.nas.aliyuncs.com\myshare\www. xxxx-xxxx-shanghai.nas.aliyuncs.com is the domain name of the mount target. You must change the domain name based on your business requirements.

    Note
    • By default, you must use a user account and user group of IIS to access a network drive (for example, Z:\) mapped in the current user session. You cannot directly access the mapped network drive as a Windows user. Otherwise, an access error message is displayed.
    • If you are using Windows Server 2016, you must complete additional steps after you set up the Windows IIS Web service so that IIS works with Alibaba Cloud Apsara File Storage NAS. For more information, see FAQ.
    Configure the physical path
  4. Verify the setting.

    Enter the local paths of index.html and test.asp files in the address bar of your local browser to open these files. The pages shown in the following figures are displayed if IIS is running as expected.

    You can also configure security groups for your ECS instances and configure Windows Firewall to guarantee Web access security.

    Verification result

Set up the Windows IIS FTP service

  1. Open the Internet Information Services (IIS) Manager window.
  2. Install the SSL certificate.
    1. On the page of the localhost, double-click Server Certificates.
      Install the server certificate
    2. On the Server Certificates page that appears, click Create Self-Signed Certificate.
    3. Specify a name for the certificate, and click OK.
  3. Set up an FTP site.
    1. On the Sites page, click Add FTP Site.
    2. In the Add FTP site dialog box, configure the relevant information and click Next.

      In the Physical path field, enter the storage path of Web resources on Alibaba Cloud Apsara File Storage NAS, for example, \\xxxx-xxxx-shanghai.nas.aliyuncs.com\myshare\www. xxxx-xxxx-shanghai.nas.aliyuncs.com is the domain name of the mount target. You must change the domain name based on your business requirements.

      You can select another subdirectory under the myshare directory based on your business requirements. You can also set up multiple FTP sites with different ports to access different directories.

      Configure the physical path
    3. In the Binding and SSL Settings dialog box, configure the relevant information and click Next.
      • Port: The default port number is 21. For security reasons, port number 2222 is used in this example.
      • SSL Certificate: Select the created SSL certificate.
    4. Configure authentication and authorization information, and click Finish.
      • Authentication: Select Basic.
      • Authorization: Select a user who is allowed to access Apsara File Storage NAS. iis_user is used as an example.
      • Permissions: Set read/write permissions for the user.
      Configure authentication and authorization information
  4. Set up the FTP firewall.

    Open the FTP Firewall Support dialog box, specify the Data Channel Port Range, and then click Apply.

    FTP firewall
  5. In the Server Manager window, restart the FTP service to make the port range configuration take effect.
    Restart the FTP service
  6. In the ECS console, configure the security group for the ECS instance to restrict access to or from FTP clients. For more information, see Create a security group.
    Configure a security group
  7. Access the FTP site through the FTP client WinSCP.
    1. Open WinSCP.
    2. Click Yes to accept the server certificate.

      When an FTP client accesses an FTP site for the first time, the client must accept the server certificate.

      Accept the server certificate
    3. Set the protocol type, port number, and logon information.
      Set the protocol type
    4. Enter the password of the authorized user (iis_user).
      Set the password
    5. Establish a data connection to allow the server to read data from and transfer data with remote directories.
      Establish a data connection
    6. After the data connection is established, you can upload and download files.
      Upload and download data
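
A host-firewall counterpart to the security group restriction in step 6, as an added PowerShell example that is not part of the original topic: it opens the FTP control port (2222) and the Data Channel Port Range only to named client addresses. The function name, the rule names, the range 50000-50100 and the address 203.0.113.0/24 are constructed placeholders, and the NetSecurity cmdlets assume Windows Server 2012 or later.

```powershell
# Added example (not from the original topic). Assumes Windows Server 2012 or
# later (NetSecurity module) and an elevated PowerShell session.
function Set-FtpFirewallScope {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        # Control port bound to the FTP site in "Binding and SSL Settings".
        [ValidateRange(1, 65535)]
        [int]$ControlPort = 2222,
        # Must equal the Data Channel Port Range entered in FTP Firewall Support.
        [Parameter(Mandatory = $true)]
        [ValidatePattern('^\d{1,5}-\d{1,5}$')]
        [string]$DataPortRange,
        # Client addresses or CIDR blocks that may reach the FTP site.
        [Parameter(Mandatory = $true)]
        [string[]]$AllowedClients
    )

    # IIS accepts data channel ports from 1024 through 65535.
    $low, $high = [int[]]($DataPortRange -split '-')
    if ($low -lt 1024 -or $high -gt 65535 -or $low -gt $high) {
        throw "Invalid data channel range '$DataPortRange' (expected 1024-65535, low <= high)."
    }
    if ($AllowedClients -contains 'Any') {
        throw 'Refusing to open the FTP ports to every remote address.'
    }

    $rules = @(
        @{ Name = 'NAS FTP control channel (example)'; Ports = "$ControlPort" },
        @{ Name = 'NAS FTP data channel (example)';    Ports = $DataPortRange }
    )
    foreach ($rule in $rules) {
        $action = "Allow inbound TCP $($rule.Ports) from $($AllowedClients -join ', ')"
        if ($PSCmdlet.ShouldProcess($rule.Name, $action)) {
            # Replace any earlier copy so reruns do not stack duplicate rules.
            Get-NetFirewallRule -DisplayName $rule.Name -ErrorAction SilentlyContinue |
                Remove-NetFirewallRule
            New-NetFirewallRule -DisplayName $rule.Name -Direction Inbound `
                -Action Allow -Protocol TCP -LocalPort $rule.Ports `
                -RemoteAddress $AllowedClients
        }
    }
}

# Constructed values: replace with your own range and client network.
# -WhatIf prints the planned rules without changing the firewall.
Set-FtpFirewallScope -DataPortRange '50000-50100' -AllowedClients '203.0.113.0/24' -WhatIf
```

Windows Firewall allow rules are additive, so any broader inbound FTP rule that is already enabled on the instance still applies until it is disabled or scoped the same way.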

FAQ

How do I make IIS work with Alibaba Cloud Apsara File Storage NAS if I am using the Windows Server 2016 OS?

If you are using Windows Server 2016, you must complete the following additional steps after you set up the Windows IIS Web service so that IIS works with Alibaba Cloud Apsara File Storage NAS:

  1. Modify the registry key of the SMB client.
    1. Open the Registry Editor window.
    2. Choose HKEY_LOCAL_MACHINE > SYSTEM > CurrentControlSet > Services > LanmanWorkstation > Parameters > AllowInsecureGuestAuth, right-click a blank area, and choose New > DWORD (32-bit) Value.
    3. Set the value name to AllowInsecureGuestAuth and set the value data to 1.
  2. Specify a local user to access Web resources stored on Alibaba Cloud Apsara File Storage NAS.
    1. Open the Internet Information Services (IIS) Manager window.
    2. Click localhost, choose View Sites > Default Web Site, and then click Basic Settings.
    3. In the Edit Site dialog box, click Connect as.
    4. Select Specific User and click Set.
    5. Set the username and password, and then click OK.
      Set the user to iis_user.
Note
  • When you access files stored in the Apsara File Storage NAS shared directory through IIS, the backend of IIS may access the shared directory multiple times. Although each access does not take a long time, multiple accesses may cause a long response time to clients. To avoid this situation, you can choose HKEY_LOCAL_MACHINE > SYSTEM > CurrentControlSet > Services > LanmanWorkstation > Parameters and specify larger values (for example, 600) for the following three registry keys: FileInfoCacheLifetime, FileNotFoundCacheLifetime, and DirectoryCacheLifetime. For more information, see SMB2 Client Redirector Caches Explained.
  • If the three registry keys are unavailable, you can create the registry keys by using the field format that is required by your Windows OS.
  • IIS frequently reads JavaScript (JS), Cascading Style Sheets (CSS), and other Web page program files. We recommend that you store these files in a local directory.
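
The registry values named in this FAQ, read back and (for the three cache lifetimes) written from PowerShell, as an added example that is not part of the original topic. AllowInsecureGuestAuth is a setting of the SMB client as a whole, so it applies to every SMB server the instance connects to; the script only reports it, which makes the change visible in a configuration review. The function names are hypothetical.

```powershell
# Added example (not from the original topic). Assumes PowerShell 3.0 or later;
# writing the values needs an elevated session.
$ParamsKey   = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters'
$CacheValues = 'FileInfoCacheLifetime', 'FileNotFoundCacheLifetime', 'DirectoryCacheLifetime'

function Get-NasSmbClientSetting {
    # Values the FAQ describes: guest auth flag = 1, cache lifetimes = 600 (its example).
    $described = [ordered]@{ AllowInsecureGuestAuth = 1 }
    foreach ($name in $CacheValues) { $described[$name] = 600 }

    $current = Get-ItemProperty -Path $ParamsKey
    foreach ($name in $described.Keys) {
        $prop = $current.PSObject.Properties[$name]
        [pscustomobject]@{
            Name      = $name
            Current   = if ($prop) { $prop.Value } else { '(not set)' }
            Described = $described[$name]
            Matches   = [bool]($prop -and $prop.Value -eq $described[$name])
        }
    }
}

function Set-NasSmbCacheLifetime {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [ValidateRange(0, 2147483647)]
        [int]$Value = 600
    )
    foreach ($name in $CacheValues) {
        if ($PSCmdlet.ShouldProcess("$ParamsKey\$name", "Set DWORD to $Value")) {
            # -Force creates the value if it is missing and overwrites it otherwise.
            New-ItemProperty -Path $ParamsKey -Name $name -PropertyType DWord `
                -Value $Value -Force | Out-Null
        }
    }
}

# Preview the cache change, then list all four values with their current data.
Set-NasSmbCacheLifetime -Value 600 -WhatIf
Get-NasSmbClientSetting | Format-Table -AutoSize
```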