
03 - Installing and Understanding Internet Information Server

Introduction

Today's browsers support many different protocols. You may have seen some strange-looking addresses when using browsers before. Learn how these addresses are used to indicate the type of content provided to the user.

Once you decide to set up an Intranet or Internet system and provide access to your users, you quickly find that it is a rather large task to find all the tools and accessories needed for an effective Web presence. For example, in most production implementations, you'll find both Web and FTP access to the system. In many cases, there is also a Gopher service that should be available to your users.

It's best to pull together a comprehensive Web plan before you start bringing up your site. This should include the services you plan to offer, and, possibly more importantly, how you plan to provide access to those services. Here are some quick questions to answer before you start the installation of your Internet Information Server (IIS):

Of course, there are many more questions that you'll need to answer and account for before you put the IIS server into production. You'll see some of these as you install and configure the server throughout this chapter.

An Overview of the Server and Its Components

IIS includes three of the components you'll need to bring up your Intranet: a World Wide Web service, an FTP server, and a Gopher server. By combining these into one product, you install, manage, and use them as a suite of applications, cutting the time it takes to stay on top of the services supporting your Intranet installation.

The next three sections show how these services work at a basic level. Each service has a unique place in the on-line world and each quickly becomes a vital component of your system.

Understanding World Wide Web Service

The World Wide Web server component of IIS is Microsoft's answer to one of the core technologies fueling the fire on the Internet today. Web sites are coming on-line at rates that are nothing less than astounding. Web servers provide content to Web browsers as documents. These documents contain special formatting called Hyper Text Markup Language, or HTML. This HTML indicates to the browser exactly how a document should be displayed to the user.

Displaying a Web page requires a series of conversations between the Web browser and several components. First, there's an issue of allowing the user to enter the address of the document to be displayed. After this, the address provided by the user must be looked up.

You may recall from Chapter 2 that DNS and WINS services provide name-to-TCP/IP-address resolution on your Intranet. On the Internet, a network of DNS servers is responsible for resolving a name to an IP address.

For example, when you decide you want to visit the Microsoft Web site, you simply enter http://www.microsoft.com for the URL that you want to view. The "http" portion of the address indicates to the browser that the type of connection you're trying to make is to a Web server. The browser will first look up the address on the Internet by referencing the DNS server specified by Internic for that domain. The address that is returned, 198.105.232.5 as of this writing, is then used to connect to the server.


You'll be hearing more about URLs and the types of protocols later in this chapter in the "Understanding URLs" section.

When your browser contacts the Web server, it requests a document, either by default or by specifically calling for a document. In cases where you don't specify any particular document name, as is the case in the previous paragraph, the default page is loaded automatically.

When the server "loads" the page, it sends the page to the Web browser for display and review. On the whole, Web pages are simple text files; as they are transmitted to the browser, formatting expressions, placement, and so on are carried out by the browser itself. Listing 3.1 shows a sample basic Web page.

Listing 3.1 - A simple HTML document (03samp01.htm)

<!doctype html public "-//IETF//DTD HTML//EN">
<HTML>
<HEAD>
<TITLE>HTML Sample pages</TITLE>
</HEAD>
<BODY BACKGROUND="../images/backgrnd.gif" BGCOLOR="#FFFFFF">
<TABLE>
<TR>
<TD><IMG SRC="../images/SPACE.gif" ALIGN="top" ALT=" "></TD>
<TD><A HREF="/samples/IMAGES/mh_html.map"><IMG SRC="/SAMPLES/images/mh_html.gif" ismap BORDER=0 ALIGN="top" ALT=" "></A></TD>
</TR>
<TR>
<TD><IMG SRC="../images/SPACE.gif" ALIGN="top" ALT=" "></TD>
<TD><HR> <font size=+3>HTML</font> <font size=+3>S</font><font size=+2>tyle</font> <font size=+3>E</font><font size=+2>xamples</font>
<P>
<font size=2>Below are links to several pages that
demonstrate styles that are built in to the HTML
language. While looking at these pages, try using the
View Source menu item in your browser to see the HTML
that defines each page. You can copy text from that view
to use in your own Web pages you are authoring.
</font>
</TD>
</TR>
<TR>
<TD><IMG SRC="../images/space.gif" ALIGN="center" ALT=" "></TD>
<TD>
<UL>
<IMG SRC="../images/bullet_H.gif" ALIGN="center" ALT=" "> <A HREF="/samples/htmlsamp/styles.htm">Very basic HTML styles</A>
<P><IMG SRC="../images/bullet_H.gif" ALIGN="center" ALT=" "> <A HREF="/samples/htmlsamp/styles2.htm">A few additional HTML styles</A>
<P><IMG SRC="../images/bullet_H.gif" ALIGN="center" ALT=" "> <A HREF="/samples/htmlsamp/tables.htm">Basic HTML tables</A>
</UL>
<P>
</TD>
</TR>
</TABLE>
</BODY>
</HTML>
In addition to the plain text you see in a typical HTML document, there are usually placeholders for graphics and other elements, including video clips, sound clips, and more. Even though these are binary files in and of themselves, they are called out in the HTML document with text-based tags. You'll find out more about the different tags and how they are implemented as this book explores different features and technologies.

When a binary file is encountered, it is transferred at the Web browser's request as a separate and distinct data stream. This allows the browser to control whether the object is transferred, as well as when. You may notice that the more recently released versions of browsers display the text for a given page first. After this, the graphics and other objects display, allowing the quickest access to the immediately usable portion of a page.

With many browsers, including Microsoft's Internet Explorer as shown in Figure 3.1, you can turn off images altogether, making pages load substantially faster. When images and other binary types are requested by the browser, they are sent, usually using the MIME (Multipurpose Internet Mail Extensions) protocol, to the requesting browser, which displays them according to the HTML page's directions.


Image load time should be less of an issue with your Intranet since network speeds generally support good throughput. You should usually leave the option to load pages/view images selected to get the most out of your Web pages, complete with images.

Fig. 3.1 - Turning off images can improve performance significantly, especially over slow connections to a server, such as those below 28,800 baud.

Understanding the File Transfer Protocol Service

File Transfer Protocol, or FTP, offers a way to transfer binary files with good tolerance for speed differences between systems, network traffic, and divergent system platforms. With FTP, you upload, download, or manage files on your network, on the Internet, or on your Intranet server, all with the support of a proven protocol.

The FTP service is installed on your system when you install IIS, so you can provide this service to your users. This allows you to make files, documents and other objects available to your users through a variety of means, not only as Web documents.

In the mainstream, there are three different ways to gain access to an FTP site:

At first, the final option may seem a bit strange. But keep in mind that many pages on the Web, both on the Intranet and Internet, supply links to download a file to your system. One way to accomplish this from the Web page is to provide a link to an FTP address for the file you request. When your browser sees this address, it uses the FTP protocol to download the file. In these cases, notice that the URL lists the file's address as follows:

ftp://ftp.<sitename>.<site extension>/ [directory/...]<filename>
For example:

ftp://ftp.intellicenter.com/reality/sitelist.zip
specifies that the file SITELIST.ZIP is found at the IntelliCenter site. By recognizing the URL as one that necessitates file transfer, your browser enables downloading the file without leaving the browser environment.


You'll notice when you access a URL that refers to an FTP site that your browser will indicate that it's signing in to the site, sending commands and more. This is because the browser changes into "FTP emulation" mode and begins an electronic conversation with the FTP server to retrieve the item you've requested.

The other two options for accessing a site include a command-line, character-based solution and a dedicated FTP utility. When you install Windows 95 or Windows NT, you are automatically provided with a character-based FTP utility. If you want to access a remote site manually with this utility, you can do so by simply selecting Start, Run, FTP. As you can see in Figure 3.2, you're presented with a command-line prompt that allows you to open a connection to a remote system and then carry out standard FTP commands to save or retrieve files on the remote system.

Fig. 3.2 - The DOS version of FTP is a good, lowest common denominator approach to testing your FTP connection to a remote server. If all else fails, give the character-based FTP commands a try and see if you're able to connect using it.

Overall, with the command line version, you OPEN a connection to the remote system and you CLOSE it when finished. The GET command retrieves files to your system and the PUT command sends files to the remote system.


In a vast majority of FTP sites, you'll rarely be able to upload files or other information to the site unless you're a known user to their system. Downloading files is an option that is often left in a more anonymous state, allowing downloads from users that are not directly known to the system.

When you sign on to an FTP server and you see that it's an anonymous server, you'll generally sign in with a user name of ANONYMOUS and send your e-mail address to the remote system as the password. This will allow you to access any areas set up as publicly accessible.

In many cases, if you retrieve sensitive files or other protected information, you need to sign in to the FTP site with a specific user ID and password, just as you do when you log on to the network. In fact, the "Installing the Internet Information Server" sections later in this chapter explain the logon process users go through when using FTP and Web content on your system. Users log on to your system through the same NT-based user-authentication services that you use for standard network logons, though obviously through a different user interface.
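The conversation the browser carries out in "FTP emulation" mode, as an added example (not from the book): it takes the URL form shown above, signs in anonymously with an e-mail address as the password, or with a specific user ID when one is supplied, changes to the directory, and retrieves the file. The server side is a scripted stand-in that replies with standard RFC 959 reply codes and enforces the download-only rule for anonymous users; the e-mail address, account names, and the server's behaviour are constructed for the example.

```python
from urllib.parse import urlsplit

# FTP URL in the form shown in the chapter (host and path as given there).
EXAMPLE_URL = "ftp://ftp.intellicenter.com/reality/sitelist.zip"


class ScriptedFtpServer:
    """Stand-in for the server side of the conversation (constructed; no
    network is involved). Replies use the standard RFC 959 reply codes."""

    def __init__(self, known_users):
        self.known_users = known_users   # {user id: password} for non-anonymous logins
        self.user = None
        self.logged_in = False
        self.cwd = "/"

    def handle(self, line):
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb == "USER":
            self.user = arg.lower()
            self.logged_in = False
            return "331 User name okay, need password."
        if verb == "PASS":
            if self.user == "anonymous":
                # Anonymous convention: the e-mail address is the password.
                self.logged_in = "@" in arg
            else:
                self.logged_in = self.known_users.get(self.user) == arg
            return "230 User logged in." if self.logged_in else "530 Login incorrect."
        if not self.logged_in:
            return "530 Please log in with USER and PASS."
        if verb == "CWD":
            self.cwd = arg
            return "250 Directory changed."
        if verb == "TYPE":
            return "200 Type set."
        if verb == "RETR":
            return "150 Opening data connection."   # a real transfer ends with 226
        if verb == "STOR":
            # Downloads are open to anonymous users; uploads only to known users.
            if self.user == "anonymous":
                return "550 Permission denied."
            return "150 Opening data connection."
        if verb == "QUIT":
            return "221 Goodbye."
        return "502 Command not implemented."


def fetch_via_url(url, server, email="user@example.com", credentials=None):
    """Do what the browser does in 'FTP emulation' mode: take the host,
    directories and file name out of the URL, sign in (anonymously unless
    credentials are given), then retrieve the file. Returns the transcript
    as a list of (direction, line) pairs, "C" for client and "S" for server."""
    parts = urlsplit(url)
    if parts.scheme != "ftp":
        raise ValueError("not an FTP URL")
    segments = [s for s in parts.path.split("/") if s]
    if not segments:
        raise ValueError("URL names no file to retrieve")
    *directories, filename = segments
    user, password = credentials or ("anonymous", email)
    commands = (["USER " + user, "PASS " + password, "TYPE I"]
                + ["CWD " + d for d in directories]
                + ["RETR " + filename, "QUIT"])
    transcript = [("S", "220 %s FTP server ready." % parts.hostname)]
    for cmd in commands:
        transcript.append(("C", cmd))
        reply = server.handle(cmd)
        transcript.append(("S", reply))
        if reply.startswith("5"):
            break   # report the failure rather than carry on blindly
    return transcript
```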

If you're accessing a protected FTP site, your Web browser, depending on the version you're using and the level and type of protection at the FTP site, may not be able to successfully connect. In these cases, be sure to try an alternative method of attaching, either with the command line version or a third-party utility. In many cases, the alternative methods will solve any accessibility problems you may be encountering.

If you're using an FTP utility, you'll probably find that most will store configurations for several sites. If you're using WS_FTP, a shareware utility, when you start the application you'll be prompted to select the site to connect with. An example of this is shown in Figure 3.3.

Fig. 3.3 - Be sure to check the options for connecting if you experience any difficulty gaining access to a site. For example, if you do not have a firewall or gateway installed (see Chapter 9) be sure the firewall option is not selected.

Understanding the Gopher Service

The Gopher server, also installed when you install IIS, enables you to publish documents for user review. A Gopher server excels in working with straight ASCII documents, providing extensive search and retrieval options. Gopher is one of the simplest interfaces to your server. The Gopher approach to information retrieval provides a way for a client system to make a request of a server, get the results quickly, and disconnect until the next request is ready to be processed. Gopher was created to address the world of the Internet. The Internet world holds millions of documents, and, at any given time, an extremely large number of users are searching for some bit of information.

Gopher's ability to connect, get what it needs, and disconnect is optimal for this type of situation. To a large degree, Gopher relies on standard text files, although it supports other types of files. In practice, Gopher has been superseded by the vast popularity of the Web and its graphical content. For the purposes of your Intranet, Gopher has a less important role than it might if you bring up a server based on the Internet.

Before you install Gopher, have a name established for your server on the network. Set up the server name by indicating the name in the Network options for TCP/IP. From the Control Panel, select Network settings. Next, select the Protocols tab and click TCP/IP protocol. When you click Configure, the DNS tab allows you to indicate the server name. See Figure 3.4 for an example of how to set up this tab.

Fig. 3.4 - You must have a Host Name defined to make the Gopher service available to your users.

See more details about installing your Gopher server, and making the information on your system available to it in the "Installing the Internet Information Server" sections later in this chapter.

How IIS Interacts with the NT Domain Model

One final area to understand before and during your installation of IIS is the interaction between the server software and your NT domain. You'll recall from chapter 2 that all security is controlled by the User Manager for Domains. You set up groups and users and these entities are the source for all security for the IIS server processes and their respective components.

The NT domain controls all aspects of who accesses your system, how they access it, when they access it, and more. Since the domain controls all these different aspects, it is important to understand how to set up your user base, assign rights, and control your users' access privileges. Be sure to review chapter 2 for more information on NT installations and setting up users and their rights.


Never grant administrative rights to users you are about to set up for your IIS server processes, login accounts, etc. Be sure you set up separate and distinct accounts for anonymous Web, FTP and Gopher access, if you support each of these services.

If you use the system administrator account for logins for these services, you have a serious breach of security. It is only a matter of time before your system is threatened by a user's ability to access and destroy many aspects of it.

If you use the same account between the FTP, Web, and Gopher services, it is more difficult to determine where a problem lies if you need to track logins, accesses, and other user-specific questions, such as comments and problem reports.

While you do not have to pre-define these user accounts, you should plan for them and make sure you come back and validate user rights on all services prior to making the services available at any level.

Installing the Internet Information Server

When you install the Internet Server, have enough disk space to support the different documents, objects and supporting graphics and other items you bring online. If you are not sure about the amount of content you are introducing, bring up your server now and segment the different sources of information on to other drives or servers as needed later.

Installation of the server and its components is pretty straightforward. From the distribution media, select the install program, SETUP.EXE. You are first asked to confirm that you want to install the software on your system, and then asked to select the desired components for installation. See Figure 3.5 for more information.

Fig. 3.5 - You have the option to deselect different components for your installation. Installation of ODBC components is recommended, because logging to ODBC datasources requires some items installed with these components.

You may find it curious that the IIS installs ODBC components. In addition to logging capabilities that extend to ODBC databases, IIS also fully supports an integration of the IIS processes and ODBC databases. This means that your Web content is based on, or produced by, ODBC information. If you do not install this component, you cannot work with the databases later.


If you have previously installed some Office '95 or other ODBC components on your system, you will notice that the disk space requirements for ODBC capabilities are 0. This is because the ODBC components are shared with the previously installed versions and require no additional application components.

It's a good idea to leave this item selected, even if it shows that the ODBC capabilities are already installed. By doing so, you allow the setup program to verify the ODBC components and ensure that they are the most recent release.

The next step is to indicate where you want to install the files for each of the three services. Be sure to note these directories because, by default, they are the starting point for each of the services. For example, consider the default directories shown in Figure 3.6. When users access your Web site, by default they access the C:\INETSRV\WWWROOT directory. This is where the Web service expects to find your initial starting pages.

You can change these directories to reflect any other directory, drive, or system you prefer. Note that if you change them to point to a different server altogether, you introduce a new level of complexity that may be inadvisable on the initial installation. The added complexity comes from the fact that if the network connection is lost to the remote system, your service is effectively down. This is the case, even though there may be nothing wrong with either the master server or the secondary server where the files reside.

Fig. 3.6 - It can be a good idea to place your server's content on a drive separate from the system files. This makes backups easier to manage.

Once you indicate where you want to base the services, the setup program installs each of the components and starts each of the services.

The different components of IIS run as NT services. When each service is installed and started, you know immediately if there are any potential problems with your installation by using the Internet Service Manager from the new Internet Services menu option. Services that start successfully are listed as running. If a service fails to start, it's listed as Stopped.

When prompted, you can select the ODBC drivers to install on your system. The drivers shipped with the server, and selected during your installation, are listed automatically. You can use other ODBC drivers later when you establish logging or database connectivity pages. Consequently, you need not install the listed driver(s) if they are not applicable to your installation.

The Advanced... button allows you to indicate whether version checking should be done on your system during the installation. This ensures that the most recent version of each of the drivers is installed by comparing the date of your system files with the date on the new, incoming files. Generally, this is helpful because if your system files are newer, they are not replaced. If you need to refresh the files regardless of their current state on your system, as may be the case if you're doing extensive testing, you may want to select the Advanced option and deselect the version checking options, as shown in Figure 3.7.

Figure 3.7 - Turning off the version checking will overwrite the files on your system regardless of whether they are newer than the incoming files.

Once the server is installed, setup also installs the Internet Explorer browser and adds a new Start menu program group.

At this point, if you review the running services in the Control Panel, you see that the FTP Publishing Service, World Wide Web Publishing Service, and Gopher Publishing Service are running and ready to go.

Congratulations! Your server is up and running. As a quick test, start the newly installed browser and you are taken to the default home page automatically installed on your system. See Figure 3.8 for an example. You should also try accessing your system by indicating http://<machine name> for the address. This will access your server using the newly installed services.

Figure 3.8 - The default home page installed with your new server includes a guided tour, several examples of pages and interfaces with different technologies including database and text file-based systems.

Now that your server components are installed, it's time to configure them and make sure you maintain control, so you can ensure you provide the best service possible to your users. In the next few sections, you'll see how to set the various options to enable logging, auditing, and other options that help you keep a handle on what's happening on your system.

Setting Audit and Logging Options

While at first it may seem like an unnecessary step to begin logging accesses against your server, rest assured that logging, at least at a basic level, is more than a luxury. It's a necessity. While logging first may seem like a security-only option, it is really much more. You need to know who is accessing the different components, content and features of your server. User access information helps you to recognize the need for additional services, better ways to service users, and emerging trends in both usage and server loading.

You'll find that there are components of your system, be it at a content level or at a wholesale component level, that just aren't exercised as much as they could be. In these areas, you might want to investigate updating or changing content, or you may want to remove the component completely.

Always enable logging. As you'll see, you can set up logging to maintain only a limited history. If you worry about histories piling up, consider setting options low to keep only five days of history. Begin to spot trends while at the same time you can use the logs to help in case of any problems that may arise.

All of the different options for the services are managed from the Microsoft Internet Server menu option, in the Internet Service Manager application. As you can see in Figure 3.9, you can also start and stop services from the Service Manager.

Figure 3.9 - Each of the services on the server you are monitoring is shown in the Service Manager. You can make changes to configuration, logging and security from this application.

WWW Server Options and Logging

The WWW Server options, shown in Figure 3.10, are broken down into four distinct categories: Service, Directories, Logging, and Advanced.

Figure 3.10 - The Web Service property sheet provides a single point of maintenance for the options that control your World Wide Web service.

Configuring the Service Options

Two very critical items on the Service Tab concern how users and their rights and privileges apply when using your system. The Anonymous Logon section specifies the default logon name and password for your system users. The second is the selection that allows you to indicate the type of authentication to be used by the service.

Web browsing is typically an anonymous service, until you get into the realm of confidential information. While it's possible to lock down your whole site by removing the anonymous logon feature, it's more likely that you'll have the anonymous logon defined and, at the same time, secure different areas on your system for protected access.

You'll notice that, when you installed your system, a new user was automatically added to your user database. The user, given a name of "IUSR_" plus the name of your system, HOLODECK3 in this case, is added with sufficient rights to access your server's services and browse your server's content. When this user is created, it is created with the same basic rights as a user that might be considered "average" without special considerations.

The user is created as a member of the DOMAIN USERS group and the GUEST group. Of course, the user also belongs to the EVERYONE group when allowed or disallowed access to a given resource. When the account is created, the initial password is blank.


A very important facet of the IUSR_HOLODECK3 account is that it has been granted the right to Log on Locally, as you can see in Figure 3.11.

Figure 3.11 - Any account you want to grant access to the server's content should be set up to log on locally.

A user must be able to log on locally because, when the user requests access, the request is made of the Web Server process. That process takes the name provided by the user and logs on to NT's standard security with it. By doing so, any security rights and permissions are also applied to the account, providing a solid security model, fully integrated with the NT domain model.

In situations where you want every user to log in to the server, deselect the Allow Anonymous option. This will make sure that everyone provides a user name and password when accessing the server.

The good side effect of this is that your logging of resource usage will reflect the people that are really using the system as it will log their user name and accesses. The downside of this is that you'll be forcing another login for the user, in addition to the network logon. This can be bothersome in today's industry push for fewer logons.

As mentioned earlier, the other important setup option is the type of authentication to be used. Two different types of authentication are used to secure all or part of your site. The mix of browsers employed on your Intranet dictates your choice of authentication type. As of this writing, the only browser supporting the Windows NT Challenge/Response option is Microsoft Internet Explorer 2.0 or later. If you have a mixed browser community, for example if you have users using Netscape's browser, you'll be blocking them from access to your site if you select this option before Netscape has enabled it in their browser.

The way the NT Challenge/Response option works is, if a user requests a secured page and is not currently signed in with sufficient rights, the server fails the request and closes the connection to the browser. The browser knows what has happened by the server response. Since the attempt failed, the browser prompts the user for credentials and passes this information to the server along with another attempt to access the secured resources. The server will use the new credentials to logon to NT and attempt access to the resource.

In addition, the user ID and password are sent across the link encrypted, which protects them from being "stolen" in transit by someone with less-than-noble intentions.

With the Basic (Clear Text) option, the user ID and password are sent across the link encoded, but still decipherable by prying eyes. The browser keeps a channel to the server open as it attempts to access the shared resource. You'll notice that, if you enable the Clear Text option, the Service Manager warns you, as in Figure 3.12, that you're enabling a less-secure method of working with user IDs and passwords, and it asks you to confirm that this is what you want to do.

Figure 3.12 - The service manager warns you if you select the less-secure option.

The bottom line is, if you have non-Microsoft browsers accessing secure material on your site, you must turn on the Clear Text option. If you know you do not have this concern, do not enable the Clear Text option. Simply use the NT challenge/response option.
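To make the difference between the two options concrete, here is an added example (not from the book) that models the exchange: the 401 challenge the server sends for a secured page, which browsers can answer it under which settings, and why the Clear Text warning in Figure 3.12 is justified. The browser table, the realm value, and the account values are assumptions; NT Challenge/Response itself is not implemented here, only its selection.

```python
import base64

# Switches from the Service tab (constructed values for the example).
SERVER = {
    "allow_anonymous": True,
    "basic_clear_text": False,
    "nt_challenge_response": True,
}

# Authentication schemes each browser can answer. The chapter says only
# Internet Explorer 2.0 or later supported NT Challenge/Response at the time
# of writing; other browsers are modelled here as Basic-only (assumption).
BROWSERS = {
    "Internet Explorer 2.0": {"NTLM", "Basic"},
    "Netscape Navigator": {"Basic"},
}


def basic_authorization(user, password):
    """Build the Basic (Clear Text) credential as a browser transmits it."""
    token = base64.b64encode(("%s:%s" % (user, password)).encode("latin-1"))
    return "Authorization: Basic " + token.decode("ascii")


def recover_basic_credentials(header_line):
    """What 'encoded, but still decipherable' means: base64 is an encoding,
    not encryption, so anyone who sees the header can reverse it. This is
    why Basic belongs only on links you trust, or not at all."""
    parts = header_line.split()
    if len(parts) != 3 or parts[0] != "Authorization:" or parts[1] != "Basic":
        raise ValueError("not a Basic Authorization header")
    user, _, password = base64.b64decode(parts[2]).decode("latin-1").partition(":")
    return user, password


def challenge_headers(server):
    """WWW-Authenticate lines attached to the 401 for a secured page, one per
    enabled authentication type. 'NTLM' is the HTTP scheme token used for
    NT Challenge/Response; the realm value is a constructed placeholder."""
    lines = []
    if server["nt_challenge_response"]:
        lines.append("WWW-Authenticate: NTLM")
    if server["basic_clear_text"]:
        lines.append('WWW-Authenticate: Basic realm="HOLODECK3"')
    return lines


def request_secured_page(server, browser, anonymous_has_rights=False):
    """Walk the exchange the chapter describes and report how it ends:
    "served-anonymously" when the IUSR_ account itself may read the page,
    "authenticated:<scheme>" when the browser can answer a challenge, or
    "blocked" when no enabled scheme is one the browser speaks."""
    if server["allow_anonymous"] and anonymous_has_rights:
        return "served-anonymously"
    offered = {line.split()[1] for line in challenge_headers(server)}
    usable = offered & BROWSERS[browser]
    if not usable:
        return "blocked"
    # Assumption: a browser that can do both answers the stronger scheme.
    return "authenticated:" + ("NTLM" if "NTLM" in usable else "Basic")
```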


Most of the configuration options among the different IIS services are largely identical. Because of this, there is limited coverage in the FTP and Gopher sections for completing these basic options. The different configuration options are explained in the next few sections. The differences between the standard configuration of the Web server options and the FTP and Gopher services are covered later.

Configuring the Directories

At first glance, the Directories tab may seem an unimportant feature. However, as time goes on and you provide more services to your users, you find that the directory options are a central component of your system, especially helpful in both the Web and FTP services.

As you can see in Figure 3.13, you can establish any number of directory aliases. Each is reached by an incoming Web browser request that specifies the alias in the URL. For example, look at the following URL:

http://www.intellicenter.com/users
will load the default document from the C:\INETSRV\USERS directory on your system.

Figure 3.13 - Setting up directories enables you to break up server content logically.

This dialog box indicates the default document option and name. Without indicating the default here, users must provide the directory name and file when accessing your Web server. If you specify a default page, the file indicated by the user's URL is provided, if it indicates a fully qualified document path. If it indicates only a root path, but no specific document, the default document is appended to the path. Taking our example from above, the URL:

http://www.intellicenter.com/users
will actually load:

http://www.intellicenter.com/users/default.htm
when the user requests it. Only disable this option if you attempt to lock down the site and require the users accessing it to provide a fully-qualified URL to specific documents. If you deselect this option and try to access the site without indicating the document name, you receive an error message similar to the one shown in Figure 3.14.

Figure 3.14 - If you have users complaining that they cannot access your site and they are receiving an error indicating only that they are denied access to the site, check your World Wide Web server setup to make sure you have enabled the Default Document option.


If you want to implement a system following the UNIX standard for default pages, change your default page from DEFAULT.HTM to INDEX.HTML. INDEX.HTML is the default starting page on a vast majority of Web servers, so setting the default to the standard makes it easier for an experienced Web user to maintain pages on the server.
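An added example (not the book's code) of the directory-alias and default-document logic described above: it maps a request path to the physical file, appends the default document when the URL names only a directory, refuses such a request when the option is off, and checks that the result stays inside the alias's physical directory. The "/samples" alias and the test paths are constructed; "/" and "/users" are the directories from the chapter.

```python
import ntpath
import posixpath
from urllib.parse import unquote

# Alias table as entered on the Directories tab. "/" and "/users" come from
# the chapter; "/samples" is a constructed entry for illustration.
ALIASES = {
    "/": r"C:\INETSRV\WWWROOT",
    "/users": r"C:\INETSRV\USERS",
    "/samples": r"C:\INETSRV\WWWROOT\SAMPLES",
}


def canonical_url_path(raw_path):
    """Decode %XX escapes, unify separators and collapse '.'/'..' in URL space.

    posixpath.normpath keeps the path rooted at '/', so '..' can never climb
    above the site root (the "/" alias) no matter how many are supplied.
    """
    path = unquote(raw_path).replace("\\", "/")
    wants_dir = path.endswith("/")          # a trailing slash names a directory
    if not path.startswith("/"):
        path = "/" + path
    path = posixpath.normpath(path)
    if wants_dir and path != "/":
        path += "/"
    return path


def match_alias(path, aliases):
    """Longest alias that matches on a segment boundary ('/users' must not
    claim '/usersdata.htm'). Returns (alias, physical_root)."""
    best = "/"
    for alias in aliases:
        if alias == "/":
            continue
        if (path == alias or path.startswith(alias + "/")) and len(alias) > len(best):
            best = alias
    return best, aliases[best]


def resolve(raw_path, aliases=ALIASES, default_document="default.htm"):
    """Map a request path to the file the Web service would serve.

    Returns ("ok", physical_path) or ("denied", None); the latter for a bare
    directory request when the Default Document option is off (the error in
    Figure 3.14), or for any result outside the alias's physical directory.
    """
    path = canonical_url_path(raw_path)
    alias, root = match_alias(path, aliases)
    remainder = path[len(alias):] if alias != "/" else path
    remainder = remainder.lstrip("/")
    if remainder == "" or remainder.endswith("/"):
        if default_document is None:
            return "denied", None
        remainder += default_document
    physical = ntpath.normpath(ntpath.join(root, remainder.replace("/", "\\")))
    # Defence in depth: refuse anything that does not sit under the alias root.
    root_n = ntpath.normpath(root).lower()
    inside = physical.lower() == root_n or physical.lower().startswith(root_n + "\\")
    if not inside:
        return "denied", None
    return "ok", physical
```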

One of the biggest reasons you return to the Directories tab is to help manage and dissect the content you are providing to the users of your system. By placing different content in different directory trees, you accomplish several things: First, you place the information in physically different areas, potentially even on a different server.

Second, you limit the scope of any search engines incorporated at your site. You can generally limit the scope of the search engine to a particular directory structure. By separating content into different areas, you speed search time for your user base.

Third, you can move static content to a directory tree that may be backed up less frequently, perhaps only on a monthly basis. If you have other content that is more dynamic, perhaps pages such as those maintained by an online magazine or other constantly changing source, you can keep those types of pages in a directory tree that is backed up daily, or at least more frequently than the other, more static information.

When you Add a new directory, or when you Edit Properties for an existing directory you set up, you establish the location of the directory and several other parameters for it. See Figure 3.15 for the dialog box that is used to configure the directory aliasing.

Figure 3.15 - Use home directories when the user fails to indicate another directory in the URL. If you depend on a Home directory to direct users to the beginning point at your site, be sure you select the Enable Default Document option for the Web Publishing Service.

The first item, Directory, is the physical directory location to make available to the Web service. Although this can be a Universal Naming Convention, or UNC, path, placing content on a remote server should be carefully planned out and is not to be taken lightly. If you provide a UNC name for the Directory entry, you must provide the User Name and Password shown in the Account Information frame on the dialog box.


You can only have a single directory indicated to be the Home Directory per IIS system. If you select a new Home Directory, IIS prompts you to save the change to the new home location when you apply or accept the changes made.

Placing content on a remote server is tricky because whenever the remote server is accessed, it is accessed using the name and password you provide, in all cases. If the username and password you provide do not have access to the resource, the user will not be able to access it. This is also true if the resource is protected and does not allow access to the username and password you indicate, regardless of whether the user should otherwise have access.

Consider the following scenario to help explain this approach. First, your main Web server is located on Holodeck3. For your standard, default Intranet connections, users specify either HOLODECK3 or HTTP://HOLODECK3 to access your DEFAULT.HTM page, located in the WWWROOT directory. This works fine, because the user logs in to the system as your standard Internet Guest account, IUSR_HOLODECK3.

Now, suppose that you place some material on a system called TWINKIE. This server has a share, SECRET, that you want to connect to. Only one user, Julie, has access to \\TWINKIE\SECRET. In order to make the connection to the share, specify the full UNC path in the Directory text box and indicate both Julie's username and password.

The final step is to provide Read access to the directory and call it SECRET. Once this is done, users will be able to access the share.

One item of caution with this scenario: anyone accessing your server can access the new directory by simply indicating its URL. The URL would be:

http://holodeck3/secret
and it provides access to the DEFAULT.HTM file located there. Remember, you initially set the directory for very limited access, only by the user named Julie. By providing the name and password in this manner in the property sheets for the directory mapping, you bypass the security on the directory entirely, making the information available to any user on your network. In essence, you hard-code the directory name and password.

This apparent bypass of security happens because you provide NT's security layer with a valid user name and password. The remote machine does not provide the same level of security that you have when accessing a secured directory or file physically located on the IIS server.

For this reason, carefully architect your server to provide secure and non-secure access to the information you want to make available. Never put information on a remote system if the information needs to be protected from some users and available to other users. Put only public, widely available information on the remote server.

In cases where you have secure information, always put the information directly on the IIS server, allowing the NT security management to step in, protecting the information.

This same approach applies to Virtual Server configurations. When you indicate a virtual server, the provided username and password is used to connect to the remote system. If secure information resides at that remote location, move it to the local system and allow NT to manage the secure access to the information.

The final option in establishing a directory link is to indicate the access rights. To provide content, select the Read access rights. To create a program directory to provide additional functionality to the user's Web browser experience, grant Execute rights.

Read access means read only access. You cannot make or save changes to the directory. Execute access is read only as well, but it also removes directory privileges--those privileges that allow you to scan directory contents.


Never grant Read access to any of your established program or scripts subdirectories. If you do, users may not only browse the directory, looking for different programs that "look interesting," but also they can run these programs to see what they do. By providing Execute rights, users execute applications and scripts, but cannot do blind directory listings or copying of files from the location.
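The two cautions above (a remote directory served through a stored account, and Read granted on a program directory) can be checked mechanically once you write down each directory mapping. The following audit is an added example, not code from the book or from IIS; the mapping layout (alias, directory, stored user, rights) is an assumption that mirrors the fields of the directory properties dialog, and the sample mappings are constructed around the Holodeck3 and TWINKIE scenario.

```python
"""Added audit of IIS directory mappings for the cautions in the Directories section.

Each mapping mirrors the fields of the directory properties dialog: alias,
physical directory, the account stored for a UNC directory, and the access
rights granted. The dict layout is an assumption made for this example; it is
not how IIS itself stores the mappings.
"""
from typing import Dict, List

READ = "read"
EXECUTE = "execute"

# Constructed sample mappings following the Holodeck3 / TWINKIE scenario.
SAMPLE_MAPPINGS = [
    {"alias": "/", "directory": r"C:\inetsrv\wwwroot", "user": "", "rights": {READ}},
    {"alias": "/secret", "directory": r"\\TWINKIE\SECRET", "user": "Julie", "rights": {READ}},
    {"alias": "/scripts", "directory": r"C:\inetsrv\scripts", "user": "", "rights": {READ, EXECUTE}},
    {"alias": "/cgi", "directory": r"C:\inetsrv\cgi", "user": "", "rights": {EXECUTE}},
]


def is_unc(path: str) -> bool:
    """True for UNC paths (two leading backslashes), i.e. content on a remote machine."""
    return path.startswith("\\\\")


def audit_mapping(mapping: Dict) -> List[str]:
    """Return the cautions that apply to one directory mapping."""
    findings = []
    remote = is_unc(mapping["directory"])
    if remote and mapping["user"]:
        # The stored account is used for every visitor, so the share's own
        # permissions no longer restrict who can read it through the Web service.
        findings.append("remote directory served with a hard-coded account")
    if remote and not mapping["user"]:
        # The text states that a UNC directory requires account information.
        findings.append("remote directory without account information")
    if READ in mapping["rights"] and EXECUTE in mapping["rights"]:
        # Read lets visitors list and copy the programs that Execute lets them run.
        findings.append("Read granted on a program directory")
    return findings


def audit(mappings: List[Dict]) -> Dict[str, List[str]]:
    """Map each alias that has at least one finding to its list of findings."""
    report = {}
    for mapping in mappings:
        findings = audit_mapping(mapping)
        if findings:
            report[mapping["alias"]] = findings
    return report


if __name__ == "__main__":
    for alias, findings in audit(SAMPLE_MAPPINGS).items():
        print(alias, "->", "; ".join(findings))
```

Every remote mapping with a stored account is reported, whether or not the share holds sensitive material, because the audit cannot know what is on the share; the report is the list of mappings to review against the rule that only public information belongs on the remote server.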

Configuring Logging Options

There should be no question in your mind regarding logging. You need to log accesses, and you need to monitor the resulting log files. Monitoring provides you with the needed feedback to manage the successful, and less-than-successful, content on your server. Monitoring also provides a good trace capability if your user experiences any troubles.

The Log files created by the Internet Server include the IP address for the incoming request, what type of request was made and information about the success or failure of the request. Note, too, that logs provide information about the actual accessed pages. In the case of your Web server, this information is very valuable when determining what content to revise, keep, or remove from the system.

Set up Logging on the Logging tab for the Web Publishing Service properties sheet, seen in Figure 3.16.

Figure 3.16 - Logging options include logging to a text file or to an ODBC datasource.

Most logging options are self-explanatory, but there are a few items of note. Specifically, you probably want to select the Automatically open new log option and select Daily. While the service runs, the current log file is held open, denying access to the file for review purposes. To provide information in a timely manner when first bringing up your Intranet, you'll want recent information as quickly as possible. By selecting the Daily option, you'll only have to wait until just after midnight to open the previous day's log.

Note that the Log file directory will initially point to a directory in the Windows NT directory structure. You may want to change this to a more accessible location, perhaps in the INETSRV directory structure. This will be easier to manage if you're using any logging or administrative utilities.

When you bring up the system, use the Log to File option rather than setting up a database connection and logging in that manner. This will simply remove one more variable from your installation should you need to track down any strange behavior when your system first comes up. Later, after your system is in place and you're comfortable with it, you can implement the logging to the database.
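The log review the section calls for is easier with a small parser. The following is an added example, not part of the book or of IIS: it assumes the native comma-separated IIS text log field order (client IP, user name, date, time, service, server name, server IP, time taken, bytes received, bytes sent, HTTP status, Win32 status, method, target, parameters), and the log lines are constructed for the Holodeck3 server, not captured from a real system.

```python
"""Added parser and summary for IIS text log files.

Field order is the native comma-separated IIS log format as this example
assumes it. The sample lines are constructed, not real logs.
"""
import csv
from collections import Counter
from io import StringIO
from typing import Dict, List

FIELDS = [
    "client_ip", "user", "date", "time", "service", "server", "server_ip",
    "time_taken_ms", "bytes_in", "bytes_out", "status", "win32_status",
    "method", "target", "params",
]

SAMPLE_LOG = """\
10.1.1.20, -, 04/03/96, 22:37:37, W3SVC, HOLODECK3, 10.1.1.5, 31, 210, 3223, 200, 0, GET, /default.htm, -,
10.1.1.20, -, 04/03/96, 22:37:40, W3SVC, HOLODECK3, 10.1.1.5, 15, 200, 0, 403, 5, GET, /scripts/, -,
10.1.1.77, -, 04/03/96, 22:38:01, W3SVC, HOLODECK3, 10.1.1.5, 16, 198, 3223, 200, 0, GET, /secret/default.htm, -,
10.1.1.77, -, 04/03/96, 22:38:05, W3SVC, HOLODECK3, 10.1.1.5, 12, 190, 0, 404, 2, GET, /missing.htm, -,
10.1.1.77, -, 04/03/96, 22:38:09, W3SVC, HOLODECK3, 10.1.1.5, 14, 205, 0, 403, 5, GET, /scripts/, -,
10.1.1.77, -, 04/03/96, 22:38:12, W3SVC, HOLODECK3, 10.1.1.5, 13, 201, 0, 403, 5, GET, /cgi/, -,
"""


def parse_iis_log(text: str) -> List[Dict]:
    """Turn log text into one dict per request; status is kept numeric."""
    records = []
    for row in csv.reader(StringIO(text)):
        if not row or not row[0].strip():
            continue  # skip blank lines
        values = [v.strip() for v in row][:len(FIELDS)]  # trailing comma adds an empty field
        if len(values) != len(FIELDS):
            raise ValueError(f"unexpected field count {len(values)}: {row!r}")
        rec = dict(zip(FIELDS, values))
        rec["status"] = int(rec["status"])
        records.append(rec)
    return records


def summarize(records: List[Dict]) -> Dict[str, Dict]:
    """Requests per client, denied (403) requests per client, and missing (404) targets."""
    requests = Counter(r["client_ip"] for r in records)
    denied = Counter(r["client_ip"] for r in records if r["status"] == 403)
    missing = Counter(r["target"] for r in records if r["status"] == 404)
    return {"requests": dict(requests), "denied": dict(denied), "not_found": dict(missing)}


def addresses_to_review(records: List[Dict], threshold: int = 2) -> List[str]:
    """Client addresses with at least `threshold` denied requests, worth a look
    before deciding whether to list them on the Advanced tab."""
    denied = Counter(r["client_ip"] for r in records if r["status"] == 403)
    return sorted(ip for ip, n in denied.items() if n >= threshold)


if __name__ == "__main__":
    recs = parse_iis_log(SAMPLE_LOG)
    print(summarize(recs))
    print("review:", addresses_to_review(recs))
```

The 404 count per target answers the "what content to revise, keep, or remove" question directly, and the 403 count per client is the feedback loop into the Advanced tab's address controls described next.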

Configuring Advanced Options

The Advanced options tab is common across IIS server processes. The Advanced options allow you to control, at an IP address level, the computers that do or do not have access to your system. As you can see in Figure 3.17, you can indicate in which direction your rules will govern your server. You can control who can access your server, with the default of allowing only those specifically called out access to the system.

Figure 3.17 - Setting controlling parameters on the IP addresses that are, or are not, allowed access is often a reactionary measure to block someone from accessing your system.

The alternative is to indicate that everyone has access to the system except for those indicated on this tab. A very powerful tool, these options let you effectively lock either a person or a system out of your server. In cases where you have a confirmed attempt or attempts to compromise your system, you can remove the offending person's access rights and he'll no longer be able to bring problems to your support efforts.

Whether you're indicating who can or cannot access your system, you'll be using the same dialog box, with a different title bar. Figure 3.18 shows what the form looks like for entering the IP addresses of the offending systems.

Figure 3.18 - When you enter the IP address, you grant or revoke access based on that address. Remember, if the problem user uses DHCP, this does not necessarily prevent him or her from gaining access to the system because their address changes with each log in to the system.

When you enter the address, you can enter it with "wildcards" by selecting the Group of Computers option and providing the IP address only to the portion that remains constant for the systems you need to address. In the example in Figure 3.18, any computer with an address prefix of 199.200 will be excluded from accessing the system.

You can also specify an individual computer by indicating either the IP address, or by selecting the ellipses button and providing the computer name that should be granted or denied access.

The final option on the Advanced options tab controls the total throughput on your server. You may need to control your server's utilization, either because it is too much of a hit on your company's Intranet access line or because you need to maintain a certain level of performance on the server. In any event, you can control the volume of server-generated information by enabling the Limit Network Use... check box. Usually, this is not a factor for your Intranet. The Limit Network Use check box is provided more for an Internet connection, to manage the flow of information through the connection to the Internet.
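The grant-or-deny logic of the Advanced tab, including the "group of computers" prefix match from Figure 3.18 and the DHCP caveat from its caption, is easy to get backwards, so here it is as an added example that is not part of the book or of IIS. The rule strings and addresses are constructed; the function names are this example's own.

```python
"""Added emulation of the Advanced tab's IP address access rules.

A rule is either a full dotted-quad address (a single computer) or a leading
group of octets such as "199.200" (a group of computers, as in Figure 3.18).
"""
from typing import Iterable


def address_matches(rule: str, ip: str) -> bool:
    """Compare octet by octet, so "199.200" matches 199.200.x.x but not 199.20.x.x."""
    want = rule.split(".")
    have = ip.split(".")
    if not 1 <= len(want) <= 4 or len(have) != 4:
        raise ValueError(f"bad rule or address: {rule!r}, {ip!r}")
    return have[:len(want)] == want


def is_allowed(ip: str, rules: Iterable[str], grant_by_default: bool) -> bool:
    """grant_by_default=False is the tab's default: only listed addresses get in.
    grant_by_default=True: everyone gets in except the listed addresses."""
    listed = any(address_matches(rule, ip) for rule in rules)
    return (not listed) if grant_by_default else listed


if __name__ == "__main__":
    # Constructed: block the 199.200 prefix and one host, allow everyone else.
    blocked = ["199.200", "10.1.1.77"]
    for client in ("199.200.3.4", "199.20.3.4", "10.1.1.77", "10.1.1.78"):
        print(client, "allowed" if is_allowed(client, blocked, True) else "denied")
```

The last two constructed clients illustrate the caption's warning: a single-host rule for 10.1.1.77 does nothing once a DHCP client comes back as 10.1.1.78, whereas a prefix rule survives address changes within that range.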

FTP Server Options and Logging

The FTP service options are very similar to those just demonstrated. The differences lie in the first two tabs: Service and Message. The Service tab still shows the anonymous user and login, but an additional set of items of note appears. Figure 3.19 shows the dialog box allowing you to set up the different FTP options.

Figure 3.19 - Always check the current sessions before shutting down the server, if at all possible. This helps ensure that no one is currently on the FTP server, and allows you to warn users to exit the system before you can continue.

The Comment line and Current Sessions are both unique to the FTP service. The Comment line displays in the Internet Service Manager when you review the monitored services.

The Current Sessions button shows you exactly who is on the system, how long they have been on, and so on. Do not turn off the server as long as users appear on the display. If you turn off the server, you lose not only the user connection, but also the user's download progress up to that point.

Gopher Server Options and Logging

When you set up the Gopher server options, the Logging and Advanced options are identical to those for the other services. However, the Directories tab, shown in Figure 3.20, is slightly different from the standard directory options tabs in the other services.


At this writing, no Gopher client other than Microsoft Internet Explorer was found that recognized an Intranet address in the URL. The Gopher protocol, one of the first cross-server protocols letting users skip around the Internet, is superseded in many ways by other protocols and navigation technologies.

The WWW Browser and FTP utility applications markets are squeezing Gopher out. These markets focus on bringing active, real-time and more lively and graphical content to the Web. As a result, Gopher is more of a text retrieval tool for large, historical and legacy databases, than an active player in today's Internet landscape.

If you use the Internet Explorer and want to access the Gopher server, preface the URL with the URL identifier of Gopher.

Figure 3.20 - As with the other services, you can establish virtual directories for your Gopher service.

You still have the option to Add or Remove directory mappings, and you can Edit existing mappings. Each of these options uses the properties dialog shown in Figure 3.21. From this dialog, you designate a directory as the home, or default, directory, and you attach to remote directories using a pre-assigned user name and password.

Figure 3.21 - As with the other services' directory mapping capabilities, establish only one Home directory for each Gopher service.

You only need to indicate the user name and password if directing the mapping to a directory with a UNC name. Also, the same cautions apply here with regard to security and how it applies to the account. Since you are, in effect, hard-coding the username and password used to access the resource, make sure that all users gaining access to the materials are eligible to see those materials. For more information on how to set up the virtual directories and the impact of this username and password, see the "Configuring the Directories" section earlier in this chapter.

The final difference encountered when setting up your Gopher server is the Service tab and the information it provides about your site. As you can see in Figure 3.22, this tab offers several options, ranging from timeout values to the name and email address of the Gopher administrator. It's probably a good idea to leave the timeout values at their defaults unless you're experiencing heavy network delays in accessing your server.

Figure 3.22 - Values on the Service tab become defaults when you create the index files used to access your site.

Gopher uses a series of indexes and content information files, called tag files, to access your site. By default, the values in the Service tab are used by the Gopher Server if the client requests the information. This way, the client determines who is contacted about the site in the event of a problem.


This feature of Gopher is really quite nice. Deciding whom to contact at a given site can be quite a problem in many cases. While your development style certainly carries your own flair, always make sure the system administrator name and email address are prominently available to your system users.

When you create these tag files, you'll use the GDSSET utility. GDSSET creates a small, hidden file that holds information about the file. Here is a simple text file indexed by using this utility:

0
GdsPriv=Gs1.0;04/03/96;22:37:37
Type=0
Name=Demonstration Information

The command line to create this file is:

gdsset -g0 -f "Demonstration Information" -d crack.txt

This command line specifies several different things, probably most importantly the file type and the description that should be used to display the indicated file. When you run the utility, you'll get a quick read-out of the results, as shown in the listing below.

Listing 3.2 - Results of running the GDSSET utility

  Gopher Object Type = 0
 Gopher FriendlyName = Demonstration Information
 Tag information for C:\inetsrv\gophroot\crack.txt
         Object Type = 1
       Friendly Name = crack.txt
          Admin Name = Default Admin Name
         Admin Email = Default Admin Email

The following table shows the different options that are commonly used. You can run the GDSSET utility without any parameters for other options, including debug options.

Table 3.1 - Common GDSSET Command Line Options

    Option   Description
    -g       The type of file being indexed
    -f       "Friendly" description to be displayed instead of the file name
    -d       The file name of the file being referenced. This is case-sensitive.
    -c       Update, or change, an existing tag file
    -D       Indicates the directory. This is case-sensitive.
    -a       Administrator's name
    -e       Administrator's email address

The easiest way to tag files is to use the command line version of the utility, as follows:

GDSSET <filename>

where <filename> is the name of the file you want to set up. GDSSET prompts you for the file's friendly name and then saves the tag file. Saved tag files are hidden in the directory you are in when running the GDSSET utility. These tag files are saved with the same filename as the original file they represent, with a new extension, "gtg," added to indicate a Gopher Tag file.

The Type of file specified is shown in Table 3.2 below.

Table 3.2 - Common Gopher File Types for Tag Files

    Type   Meaning
    0      Standard text file
    1      Directory of additional Gopher files
    9      A binary file, the default
    g      A GIF graphic file
    h      An HTML page

There are other types, but these are probably the most common for your Intranet installation. Generally, your tag file defaults to type 9, a binary file. This indicates to the server that it should MIME-encode the file, allowing the browser to work with it as it chooses. The browser, on the other hand, examines the file type by its extension to determine the best action for the file: to download it to the local hard drive, or to display it in the browser.
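The tag-file layout above is small enough to parse and regenerate in a few lines, which is a handy check when a Gopher directory shows the wrong description or type. The following is an added example, not part of the book or of GDSSET: the four-line layout and the type table come from the listing and Table 3.2 above, the meaning of the leading "0" line is not stated on the page and is carried through unchanged, and the sample tag text is a constructed copy of the crack.txt tag.

```python
"""Added parser and writer for the Gopher tag-file layout shown in the GDSSET listing.

The leading "0" line's meaning is not documented on the page; it is kept as-is.
Admin name and email are not assumed to appear in the tag file.
"""
from typing import Dict

# Table 3.2
GOPHER_TYPES = {
    "0": "Standard text file",
    "1": "Directory of additional Gopher files",
    "9": "A binary file, the default",
    "g": "A GIF graphic file",
    "h": "An HTML page",
}

# Constructed copy of the crack.txt tag shown above.
SAMPLE_TAG = (
    "0\n"
    "GdsPriv=Gs1.0;04/03/96;22:37:37\n"
    "Type=0\n"
    "Name=Demonstration Information\n"
)


def parse_tag_file(text: str) -> Dict[str, str]:
    """Read a tag file into a dict and describe its Gopher type from Table 3.2."""
    lines = [line for line in text.splitlines() if line.strip()]
    if not lines:
        raise ValueError("empty tag file")
    rec = {"header": lines[0]}
    for line in lines[1:]:
        key, sep, value = line.partition("=")  # only the first '=' separates key and value
        if not sep:
            raise ValueError(f"malformed tag line: {line!r}")
        rec[key] = value
    if "GdsPriv" in rec:
        version, date, time = rec["GdsPriv"].split(";")
        rec["version"] = version
        rec["stamp"] = f"{date} {time}"
    # A tag without an explicit Type falls back to 9, the binary default.
    rec["type_description"] = GOPHER_TYPES.get(rec.get("Type", "9"), "Other type (not in Table 3.2)")
    return rec


def build_tag_file(type_code: str, name: str, stamp: str, version: str = "Gs1.0") -> str:
    """Produce tag text in the same layout; `stamp` is "date;time" as GDSSET writes it."""
    if type_code not in GOPHER_TYPES:
        raise ValueError(f"unknown Gopher type {type_code!r}")
    return f"0\nGdsPriv={version};{stamp}\nType={type_code}\nName={name}\n"


if __name__ == "__main__":
    rec = parse_tag_file(SAMPLE_TAG)
    print(rec["Name"], "->", rec["type_description"], "(written", rec["stamp"] + ")")
```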

Understanding URLs

This chapter presents several different services to offer your users, ranging from full-blown World Wide Web HTML pages to Gopher services. You may have noticed the lack of information on user-oriented tools to gain access to this information. Helpful advances in browsers offer this information to your users more seamlessly. These advances do not require the user to understand either the origin of the information or the specific services providing it.

Remember, your specified URL starts with a prefix, often "http:" in the cases initially discussed. The http: in these cases indicates a Web server connection, directing the browser how to communicate to the server processes.


In addition, with your Intranet setting, you can specify only the server name. The browser generally resolves the server name to an IP address and then attempts to attach to that server's Web service. The Web service is generally considered the default protocol in these cases.


You can accomplish the same connection, using the examples in this chapter, by requesting either of the following URLs:

http://holodeck3
holodeck3

The URL prefixes shown in Table 3.3 are generally supported by mainstream browsers.

Table 3.3 - Common URL Prefixes

    Prefix    Description
    File:     Opens a network drive file for browsing. Note: you do not require a connection to a Web, FTP, or Gopher server for this protocol. Example: "File:///c:\mydir\myfile.htm"
    Http:     Opens an HTML document for viewing. Example: "http://holodeck3/" or "http://www.microsoft.com/ie/ie.htm"
    Https:    Opens a secure HTML document for viewing. This requires the establishment of a Secure Socket Layer conversation with the server. Example: "https://holodeck3"
    Gopher:   Opens a Gopher session. Example: "gopher://holodeck3"
    FTP:      Opens a file transfer protocol, or FTP, session. Example: "ftp://www.intellicenter.com/myfile.zip"

You may encounter other prefixes, but you are more likely to see them on the Internet. For example, "telnet:" establishes a telnet session to the address you indicate and "news:" attempts to attach to a Usenet News service. Note that many of these less commonly implemented protocols may actually execute utilities dedicated to supporting them.
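As an added example that is not part of the book, the following classifier applies this section's rules to a user-typed address: the prefix is case-insensitive (the table writes "File:" and "Http:"), a bare server name such as holodeck3 is treated as a Web request, and prefixes such as telnet: or news: are flagged as handed off to a separate utility. The handler labels are this example's own wording, and the function name is an assumption.

```python
"""Added classifier for the URL prefixes of Table 3.3 and the bare-server-name case."""
from urllib.parse import urlsplit

HANDLERS = {  # prefixes from Table 3.3; labels are this example's own
    "file": "local or network drive file (no server connection)",
    "http": "Web service",
    "https": "Web service over Secure Sockets Layer",
    "gopher": "Gopher service",
    "ftp": "FTP service",
}
EXTERNAL_UTILITY = {"telnet", "news"}  # prefixes the text says may launch a dedicated utility


def classify_url(url: str) -> dict:
    """Normalize a typed address and say which service or utility would handle it."""
    text = url.strip()
    scheme = urlsplit(text).scheme.lower()
    if not scheme:
        # "holodeck3" alone: the browser resolves the name and uses the Web service.
        text = "http://" + text
        scheme = "http"
    if scheme in HANDLERS:
        handler, external = HANDLERS[scheme], False
    elif scheme in EXTERNAL_UTILITY:
        handler, external = f"{scheme} utility launched by the browser", True
    else:
        handler, external = "unknown prefix", False
    return {
        "scheme": scheme,
        "url": text,
        "handler": handler,
        "external": external,
        "secure": scheme == "https",  # only the https: prefix implies an SSL conversation
    }


if __name__ == "__main__":
    for sample in ("holodeck3", "Https://holodeck3", "gopher://holodeck3", "telnet://holodeck3"):
        print(sample, "->", classify_url(sample))
```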

Reality Check

The IntelliCenter Reality check site runs IIS exactly as discussed here, providing both secure and public access to information. The security features are used to control actual class content and the security is applied so that only class attendees for a particular class are able to access materials for that class.

Public, non-protected information is maintained on the IntelliCenter's charter and class outlines. IntelliCenter has also published information via FTP that contains some sample files and utilities.

IntelliCenter chooses not to implement Gopher service at this time. However, should the need arise, IntelliCenter may offer it in the future. One of the difficult things to implement at the site is the security. Because the "Everyone" group had been overlooked, it was difficult to determine why the first attempts to protect portions of the site were unsuccessful. After removing the access for the EVERYONE group, and granting specific access to user groups based on their group's "need to know," the site was secured. If security is a concern, be sure you remove the Everyone group's access and apply the change to the subdirectories on your system, starting with the root directory.

When you secure your site, you'll be opening yourself up to a bit more maintenance for users requiring restricted access. Control over content, access and users is paramount if your user base is to have confidence in the services you're bringing on-line.

From Here...

This chapter explains how to install and set up each of the different base services offered by the IIS suite. Web, FTP, and Gopher services combine to provide comprehensive sources of information. At the same time, you set up a system that can be controlled.

From here, look into the following sources of information that expand on these topics:


Copyright © 1996, Que Corporation
Technical support for our books and software is available by email from support@mcp.com

Copyright ©1996, Que Corporation. All rights reserved. No part of this book may be used or reproduced in any form or by any means, or stored in a database or retrieval system without prior written permission of the publisher except in the case of brief quotations embodied in critical articles and reviews. Making copies of any part of this book for any purpose other than your own personal use is a violation of United States copyright laws. For information, address Que Corporation, 201 West 103rd Street, Indianapolis, IN 46290.

Notice: This material is from BackOffice Intranet Kit, ISBN: 0-7897-0848-5. The electronic version of this material has not been through the final proof reading stage that the book goes through before being published in printed form. Some errors may exist here that are corrected before the book is published. This material is provided "as is" without any warranty of any kind.
