Beware, this is not an easy task. IBM still makes this a painful process (for obvious reasons). Here are all my notes on setting up IIS with Domino. If you accomplish this you are much better off because you can soon begin to realize the power of ASP.Net and Domino working together.
Tips to help you configure Domino with IIS
Posted by Alex Elliott on 1.Apr.03 at 03:01 AM using a Web browser
Category: General; Release: All Releases; Platform: Windows 2000
After reading all the problems people have been having with Domino and IIS I thought I would share some tips on setting up and configuring your server.
I'm happy to say that I run several websites on a single partitioned Domino server with IIS as the frontend to it all. Interestingly enough this is all run with only one external ip address. My configuration is such that all incoming traffic is initially handled by IIS and then directed to the appropriate Domino partition as per my configuration. Running HTTP, SMTP and POP3 separately on each partition is no problem at all.
So here we go. The tips shown below may not work for all configurations but work best for me so I hope they provide you with some good ideas. While these were written for multiple partitions they should equally apply to a single Domino server as well.
Use multiple network cards
--------------------------
I have two network cards. One network card has a single ip address which I have configured IIS to bind itself to. The other network card has been assigned 3 ip addresses. Each of my 3 Domino server partitions uses one of these ip addresses. If you want to use the same port numbers you will need multiple ip addresses.
DNS names of websites
---------------------
Each of my 3 registered internet domain names has been configured on the internet to point to my single external ip address.
Hosts File on server
--------------------
On my server I have configured each of my Domain names to bind to its assigned internal ip addresses. This is done through the Windows hosts file - c:\winnt\system32\drivers\etc\hosts. This is required so all internet protocol bindings will be to the correct ip address.
Edit the Notes.ini file for each server
---------------------------------------
Add the following line to the Notes.ini file of your Domino servers
TCPIP_TCPIPAddress=0,192.168.0.4:1352
Where the first part of the variable TCPIP corresponds to your port name and the IP address corresponds to the appropriate internal ip address you have assigned to your server.
Disable IIS Socket Pooling
--------------------------
This one is the big show stopper that gets everyone. IIS uses a feature called 'Socket Pooling' which means even though you configure it to operate only on one IP address it actually binds itself to all ip addresses which causes problems with all your internet protocols. For information on disabling this click this link:
http://support.microsoft.com/default.aspx?scid=KB;en-us;q238131
Now you'll be able to use the same port numbers on the different ip addresses and IIS will behave itself like you want it to.
Configuring IIS
---------------
Here's some IIS configuration tips:
* If you want Domino to handle all authentication enable only the 'Anonymous Access' option in the 'Anonymous Access and Authentication control' section of the Directory Security tab of your IIS website properties.
* The IP Address specified in the website identification section should be the same for each web server and all should have port 80. This IP address should be the IP address you have assigned to IIS. In the Advanced section of the website identification add the various headers for incoming web addresses and again assign them to the same IP address for IIS. I have added 2 headers for each of my websites in the format of: 'www.xyz.com.au' and 'xyz.com.au'.
* My Home Directory for each website in IIS has been set to the Domino data directory
Configuring Websphere plugin
----------------------------
* If you want ALL incoming traffic directed to your Domino server by IIS the '<UriGroup Name="default_host_URIs">' section of the websphere plugin configuration file should only contain the following line: <Uri Name="/*"/>.
I've copied some sections from the websphere plugin configuration file showing how you can configure each section of it for each Domino partition. You just need to copy and configure each section appropriate to your Domino server partitions. You should only need to change the port numbers (if required) and 'XYZ' with your server/Domain names.
<!-- Server groups provide a mechanism of grouping servers together. -->
<ServerGroup Name="XYZ_Server_Group">
<Server Name="XYZ">
<!-- The transport defines the hostname and port value that the web server
plugin will use to communicate with the application server. -->
<Transport Hostname="www.xyz.com.au" Port="80" Protocol="http"/>
</Server>
</ServerGroup>
<!-- Virtual host groups provide a mechanism of grouping virtual hosts together. -->
<VirtualHostGroup Name="XYZ_Host">
<VirtualHost Name="www.xyz.com.au:80"/>
<VirtualHost Name="xyz.com.au:80"/>
<VirtualHost Name="www.xyz.com.au:8080"/>
</VirtualHostGroup>
<!-- A route ties together each of the above components. -->
<Route ServerGroup="XYZ_Server_Group" UriGroup="default_host_URIs" VirtualHostGroup="XYZ_Host"/>
Configuration of internet site documents
----------------------------------------
When configuring your internet site documents in the Public Address Book, make sure of the following:
* The value entered in the Organization field matches that of your Notes Certifier Organization name
* For some reason Lotus decided to make the 'Domino Server that Host this site' field multi-value if a space was entered. If you have a space in your server name this could cause problems as it will break your server name into multi-values. I had to edit the public address book template to remove the option for a space to act as a multi-value separator.
Hope this helps in some way..
Alex Elliott
aelliott@agecom.com.au
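
A way to confirm that socket pooling is really off, as an added example that is not part of the original post: it reads `netstat -an` output and compares the listening sockets with the intended per-address layout. The two netstat excerpts and every address except 192.168.0.4:1352 are constructed for illustration.

```python
import re

# Matches listening TCP sockets in Windows `netstat -an` output.
LISTEN_RE = re.compile(
    r"^\s*TCP\s+(\d+\.\d+\.\d+\.\d+):(\d+)\s+\S+\s+LISTENING", re.M)

# Intended layout (constructed): IIS on its own address, one Domino partition
# on 192.168.0.4. Only 192.168.0.4:1352 comes from the post.
EXPECTED = {
    ("192.168.0.2", 80): "IIS",
    ("192.168.0.4", 80): "Domino HTTP",
    ("192.168.0.4", 25): "Domino SMTP",
    ("192.168.0.4", 1352): "Domino NRPC",
}

# Constructed excerpt: socket pooling still on, IIS holds port 80 everywhere.
POOLED_NETSTAT = """
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    192.168.0.4:25         0.0.0.0:0              LISTENING
  TCP    192.168.0.4:1352       0.0.0.0:0              LISTENING
"""

# Constructed excerpt: socket pooling disabled, every service on its own address.
FIXED_NETSTAT = """
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    192.168.0.2:80         0.0.0.0:0              LISTENING
  TCP    192.168.0.4:25         0.0.0.0:0              LISTENING
  TCP    192.168.0.4:80         0.0.0.0:0              LISTENING
  TCP    192.168.0.4:1352       0.0.0.0:0              LISTENING
"""


def listeners(netstat_text):
    """Return the set of (ip, port) pairs in LISTENING state."""
    return {(ip, int(port)) for ip, port in LISTEN_RE.findall(netstat_text)}


def check_bindings(netstat_text, expected):
    """Compare actual listeners with the expected {(ip, port): owner} layout."""
    found = listeners(netstat_text)
    wanted_ports = {port for _, port in expected}
    findings = []
    # A wildcard listener on a shared port means one service took every address.
    for ip, port in sorted(found):
        if ip == "0.0.0.0" and port in wanted_ports:
            findings.append(f"wildcard listener on port {port}")
    # Anything expected but absent failed to bind (or is bound elsewhere).
    for (ip, port), owner in sorted(expected.items()):
        if (ip, port) not in found:
            findings.append(f"{owner} is not listening on {ip}:{port}")
    return findings


if __name__ == "__main__":
    for label, text in (("pooled", POOLED_NETSTAT), ("fixed", FIXED_NETSTAT)):
        print(label, check_bindings(text, EXPECTED) or "OK")
```
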
--------------------------------------
First, Lotus' docs are WRONG! Now I feel better. To get IIS and Domino working on the same box, follow the directions in the Help and then go back and change the following:
1. Change the HTTP port in your Domino HTTP task in the NAB. I used port 8090.
2. Load the HTTP task in Domino. Previous to R6, you did not need to do this.
3. In the Plugin-cfg.xml file, on the Transport line, change the Port # to match the Port you assigned in the NAB. My line is:
<Transport Hostname="myserver.mydomain.com" Port="8090" Protocol="http"/>
4. In the same file in the UriGroup, change the 3 lines you entered from:
<Uri Name="*/.nsf*">
<Uri Name="*/icons/">
<Uri Name="*/domjava/">
To:
<Uri Name="*.nsf*"/>
<Uri Name="*/icons/*"/>
<Uri Name="*/domjava/*"/>
5. In the Registry, the correct keyname is: "Plugin Config" NOT "Plug-in Config"
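
An audit of the plugin configuration covered by both posts above, added here as an example and not taken from either post or from IBM: it checks that every Route names defined groups, reports a catch-all `/*` group, confirms each Transport host is pinned to an internal address in the hosts file, and shows why the documented Uri patterns miss Domino URLs. The `<Config>` wrapper, the hosts entry, the `ABC_Server_Group` route and the treatment of `*` as a shell-style wildcard are assumptions.

```python
import fnmatch
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample: the page's sections inside an assumed <Config> root,
# plus a second Route that names a server group nobody defined.
SAMPLE_CFG = """<Config>
  <ServerGroup Name="XYZ_Server_Group">
    <Server Name="XYZ">
      <Transport Hostname="www.xyz.com.au" Port="80" Protocol="http"/>
    </Server>
  </ServerGroup>
  <VirtualHostGroup Name="XYZ_Host">
    <VirtualHost Name="www.xyz.com.au:80"/>
    <VirtualHost Name="xyz.com.au:80"/>
  </VirtualHostGroup>
  <UriGroup Name="default_host_URIs">
    <Uri Name="/*"/>
  </UriGroup>
  <Route ServerGroup="XYZ_Server_Group" UriGroup="default_host_URIs"
         VirtualHostGroup="XYZ_Host"/>
  <Route ServerGroup="ABC_Server_Group" UriGroup="default_host_URIs"
         VirtualHostGroup="XYZ_Host"/>
</Config>"""

# Constructed hosts-file content pinning the site names to an internal address.
SAMPLE_HOSTS = "192.168.0.4  www.xyz.com.au xyz.com.au  # partition 1\n"

DOCS_URIS = ["*/.nsf*", "*/icons/", "*/domjava/"]     # patterns the note replaces
FIXED_URIS = ["*.nsf*", "*/icons/*", "*/domjava/*"]   # patterns the note ends with


def parse_hosts(text):
    """Map each hostname in hosts-file text to its IP address."""
    table = {}
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        for name in fields[1:]:
            table[name.lower()] = fields[0]
    return table


def audit(cfg_text, hosts_text):
    """Return a list of findings for a plugin configuration."""
    try:
        root = ET.fromstring(cfg_text)
    except ET.ParseError as exc:  # e.g. a <Uri ...> line without its closing slash
        return [f"not well-formed XML: {exc}"]
    findings = []
    hosts = parse_hosts(hosts_text)
    defined = {tag: {e.get("Name") for e in root.iter(tag)}
               for tag in ("ServerGroup", "UriGroup", "VirtualHostGroup")}
    for route in root.iter("Route"):
        for tag, names in defined.items():
            if route.get(tag) not in names:
                findings.append(
                    f"Route references undefined {tag} {route.get(tag)!r}")
    for group in root.iter("UriGroup"):
        if any(u.get("Name") == "/*" for u in group.iter("Uri")):
            findings.append(
                f"UriGroup {group.get('Name')!r} forwards every URL to Domino")
    for transport in root.iter("Transport"):
        host = transport.get("Hostname", "").lower()
        ip = hosts.get(host)
        if ip is None or not ipaddress.ip_address(ip).is_private:
            findings.append(
                f"Transport host {host!r} is not pinned to an internal IP")
    return findings


def uri_matches(patterns, path):
    """True if any pattern matches, with * as a shell-style wildcard (assumption)."""
    return any(fnmatch.fnmatchcase(path, p) for p in patterns)


if __name__ == "__main__":
    print(audit(SAMPLE_CFG, SAMPLE_HOSTS))
    for path in ("/mail/jdoe.nsf/$Inbox", "/icons/vwicn001.gif"):
        print(path, uri_matches(DOCS_URIS, path), uri_matches(FIXED_URIS, path))
```
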
_________________________________________________________________
Configuring Domino for IIS
Article Info
Article ID: 699
Pub: Group Computing Magazine
Dept: Feature
Technology: Lotus
Date: August 2001
by Jason Collier
Since its inception as a collaborative solution, Lotus Notes has been on the cutting edge of technology, but compatibility issues with HTML authoring utilities and other Web servers have been a pitfall for Notes administrators and developers. Consequently, Domino has long been considered a great database and messaging platform that also happens to include a Web server.
With R5, Lotus offers considerable enhancements to the Domino Web engine to bring Domino closer to the forefront in Web server capabilities, reliability, and performance (e.g., HTML file access control, Internet clustering support, CORBA and IIOP protocol support). However, Domino still lacks features available on other popular Web servers. The need for separate IP addresses for every Web site you host and the inability to run Active Server Pages (ASPs) sites on Domino servers are major shortcomings, for example.
So in R5, Lotus also gives you the ability to configure Domino to use the Microsoft Internet Information Server (IIS) to handle HTTP requests. You can now utilize Domino's robust security architecture and groupware features while also capitalizing on several capabilities within IIS that the Domino Web server lacks. (Note that configuration options for the Apache HTTP server may be included with Rnext, and see "The iSeries Didn't Get Left Out!" below, for another Web server option.)
Implementation of IIS is supported for Domino servers running on the Windows NT 4.0 and Windows 2000 platforms. Here, I outline the installation and configuration options required for both platforms, and I explain IIS features that a Notes administrator might not recognize.
Implementing IIS on a Windows Server
You must use Microsoft IIS 4.0, which is distributed as part of the Windows NT 4.0 Option Pack, to implement IIS on a Windows NT 4.0 platform. The basic installation and configuration steps are as follows:
1. Install and configure your NT 4.0 server in accordance with the directions from Microsoft.
2. Apply the appropriate Service Pack (SP). I recommend that you use NT 4.0 SP6a with IIS (which includes several fixes that improve performance and reliability) and Domino 5.0.5 or later because this configuration is very stable. Microsoft also posts hot fixes for any security holes discovered in the IIS product.
3. If necessary, update the version of Internet Explorer (IE) on your server.
4. After you install the operating system, apply the Option Pack. Note that you must reapply any NT Service Packs after applying the Option Pack because files that are updated by the NT Service Packs are overwritten by the NT Option Pack CD.
5. You are now ready to install Domino. In the NT Service Manager, make sure that the World Wide Web Publishing Service is running. When prompted, select IIS as the Web server and provide the computer's host name and the port that IIS will run on. Most likely, IIS will run on Port 80, but you can configure it to listen on other TCP/IP ports as well.
The Windows 2000 operating system includes IIS 5.0, which can be configured during Windows 2000 installation or after installation is complete. After you have installed and configured the operating system (including the latest Security Pack for Windows 2000 Server), you are ready to install and configure Domino. As with the implementation instructions for IIS 4.0 on a Windows NT Server, make sure that the World Wide Web Publishing Service is running, select IIS as the Web server, and provide the computer's host name and the port that IIS will run on (again, IIS will most likely run on port 80).
To enable Domino for IIS on an existing Windows NT or 2000 server, you must first ensure that the Domino HTTP task isn't running and has been removed from the server's Notes.INI file. You then enable Domino for IIS at the Server document's Internet Protocols tab. Select the Domino Web Engine tab (Figure 1) and change the Does this server use IIS? field to Yes. Also make sure the Protocol field is set to either HTTP or HTTPS and that the Host name and Port number fields are correct.
Once you complete Domino configuration, you must configure several aspects of IIS. IIS configuration is performed via the Internet Services Manager snap-in for the Microsoft Management Console (MMC). In NT4, you open a specific console file for each Web site.
ISAPI Filters and Extensions
Internet Server Application Programming Interface (ISAPI) filters, which are used to render data from Domino databases to users via IIS, are quickly replacing Common Gateway Interface (CGI) scripts as the standard in Web interactivity.
With CGI scripts, input is passed to environment variables (where processing occurs), and data is sent back to the Web browser. The ISAPI filter architecture is similar, but it has one big advantage over the CGI infrastructure — performance. Each time CGI is executed, the server must create a new process for each request. This places a considerable burden on the server and requires a substantial investment in server resources.
Instead of using an executable, ISAPI uses dynamic linked libraries (DLLs) that are loaded into the server's memory. Because the code is cached and doesn't need to be reloaded for each request, performance is enhanced. You must configure IIS to use the ISAPI extension when it receives Domino database requests with the .NSF extension.
To configure the ISAPI extension for Windows NT:
1. Start the MMC and open the console file for the Web site.
2. Right-click the IIS Web site and select Properties.
3. Select the Home Directory tab of the Web Site Properties display, then choose Configuration and click Add to open the Application Extension Mapping display.
4. In the Executable field of the Filter Properties dialog box at the ISAPI Filters tab, select Browse and locate the Niisextn.DLL file in the Domino Directory. If you're running on the Alpha platform, select Aiisextn.DLL.
5. In the extension field, enter .NSF.
6. In the Methods Exclusions field, enter these HTTP methods (which Domino for IIS doesn't support): PUT and DELETE.
7. Select Script Engine, deselect Check that File Exists, and click OK.
To configure the ISAPI extension for Windows 2000:
1. Open the Internet Services Manager in the Administrative Tools program group.
2. Right-click IIS Web site and select Properties.
3. Select the Home Directory tab and set Application Protection to Low. Note that the Application Protection setting is intended to control the way applications are launched (to keep one unresponsive application from causing others to crash), but ISAPI configuration for Domino for IIS requires that all applications be set to the same setting (Low).
4. Still at the Home Directory tab, select Configuration, and the App Mappings display appears. Make sure that Cache ISAPI Applications is selected, then click Add. A Mappings dialog box appears.
5. In the Executable field, enter the full path name of the ISAPI extension file: Niisextn.DLL.
6. In the Extension field, enter .NSF.
7. In the Verbs box, select Limit To, and enter GET,POST.
8. Select Script Engine, deselect Check that File Exists, and click OK.
Additional Configuration Requirements
Unless noted, these further configuration procedures are the same for Windows NT 4.0 and Windows 2000 servers.
IIS extension filter. The IIS extension filter ensures that user credentials are passed correctly between IIS and Domino. To configure it:
1. Start the MMC and open the console file for the Web site (for Windows NT), or open the Internet Services Manager (for Windows 2000).
2. Right-click IIS Web site and select Properties. The Web Site Properties dialog box appears (Figure 2).
3. Select the ISAPI Filters tab and click Add. The Filter Properties dialog box appears.
4. In the Filter Name field, enter a description of the IIS filter (e.g., Domino).
5. In the Executable field, select Browse.
6. Locate the Niisfilt.DLL file in the Domino directory. If you are running on the Alpha platform (only available on NT 4.0), select the file Aiisfilt.DLL. Click OK.
Domino icons/Java applet directories. Domino generates several pages automatically for Notes applications. These pages may contain Java applets for displaying a rich text editor or icons for use in views and other applications. To enable these components to display, you must create a virtual directory to map them to their proper folders. Pages that are dynamically built by Domino expect these icons and applets to be available in specific locations. To create virtual file directories:
1. Start the MMC and open the console file for the Web site (for Windows NT), or open the Internet Services Manager (for Windows 2000).
2. Right-click on your IIS Web site (labeled Default Web Site until renamed), select New, and then choose Virtual Directory (Figure 3).
3. When prompted for an alias for your folder, enter "icons" and click Next.
4. At the prompt, enter the fully qualified path to the Domino icons directory (e.g., if you installed Domino using the default directories, use c:\lotus\domino\data\domino\icons), select Next, then click Finish. You do not need to change the default permission settings.
5. Repeat steps 2 through 5, but enter "domjava" in the Alias field of the Virtual Directory dialog box and specify the fully qualified path to the applet directory (e.g., if you installed Domino using the default directories, use c:\lotus\domino\data\domino\java).
Web site properties. Web sites using IIS can have a single IP address for multiple domains. You determine which sites will answer to which host requests in the Host Header Name field of the Advanced Multiple Web Site Configuration display (Figure 4). You reach this display by selecting the Advanced button at the Web Site tab of the Default Web Site Properties display. The host header configuration routes requests to the appropriate Web site in the IIS snap-in. IIS also lets you use multiple host headers per Web site.
You can also use the Web Site tab to customize the IP address to which your site will respond and to designate the port your Web site listens to for TCP and SSL requests. Here are the remaining configurations available at the Web Site tab (Figure 5):
Connections — which lets you either accept an unlimited number of simultaneous connections or limit the number of concurrent sessions to prevent Web server overload.
Connection Timeout — which lets you control how long a connection can remain idle before being disconnected by the IIS server.
Enable Logging — which lets you track visitors to your site. In Windows 2000, you can also log to an ODBC database.
Directory security. Domino for IIS supports both IIS security and Domino security, and these security features are tightly integrated to provide robust Web-based solutions. When a Web site's visitor makes a request to Domino for IIS, inbound requests are first validated against the IIS security settings, and then the request is passed to Domino for authentication.
IIS supports four authentication methods, which you enable at the Directory Security tab of the Default Web Site Properties display:
Anonymous access. If this option is enabled, IIS doesn't require a user name or password, and any visitor accessing the Web site is passed directly to Domino without being challenged. If anonymous access is enabled in IIS and you're prompted for a user name and password when requesting a Domino resource, authentication is being prompted by the Domino server.
Basic authentication. If this option is enabled, IIS will prompt a Web site visitor for credentials, which are then validated against a Windows NT/2000 user name and password on the NT/2000 server. If authenticated successfully, the user name is then passed to Domino. The Domino server trusts that IIS has authenticated the user against their NT/2000 password but not against their Internet password stored in their Person document. Consequently, in order to authenticate, the Web site visitor must be a registered NT/2000 user and a registered Domino user if Access Control Lists are set for any access designation other than anonymous access.
Windows NT Challenge/Response or NT LAN Manager (NTLM). These security options are commonly used in an intranet or extranet configuration in which users' workstations are running Windows NT/2000 and the users are authenticated against a Domain Controller. Both methods are Microsoft protocols that are supported only when users access the site via the IE browser. When a visitor accesses a Domino IIS Web site, IE automatically sends the current logon account name to IIS, which verifies it against the NT Security Accounts Manager (SAM) database or Active Directory.
Because IIS assumes that the user has properly logged on to the workstation and authenticated with an NT Domain Controller, and because the Domino server assumes IIS has properly authenticated the user, these methods raise obvious security concerns. Note also, if basic authentication, Windows NT Challenge/Response, or NTLM are configured, the Person document in the Domino Directory must include the user's NT account name in the user name field.
Secure Sockets Layer (SSL). Domino and IIS both support SSL, but all SSL connections are handled by IIS. If client certificates are enabled, IIS will pass those certificates to the Domino server.
Performance properties. You can configure the following IIS performance settings to protect the quality of your server's service:
Performance Tuning — which lets IIS self-adjust to handle the number of anticipated requests.
Enable Bandwidth Throttling — which lets you limit the amount of bandwidth your Web site utilizes per second.
Enable Process Throttling — which lets you limit the processor resources the IIS server can utilize.
Home Directory properties. You can use the settings at this tab to change the location of your Web site's home directory. When using IIS on your Domino server, you should set the default location to the Domino server's data directory. The following permissions can be set at the Home Directory tab:
Read — which lets users read or download files or directories.
Write — which lets users upload files and associated properties to the enabled directory on your server or change content in a write-enabled file.
Directory browsing — which lets users see a hypertext listing of the files and subdirectories in the site's virtual directory. This is comparable to letting Web visitors browse the data directory of the Domino server, and I don't recommend that you enable this feature.
Index this resource — which lets Microsoft Indexing Service include this directory in a full-text index of your Web site. This feature requires additional disk space and isn't needed to utilize Domino full-text search capabilities. I don't recommend that you enable this option.
Documents. You can define your site's default Web page at this tab. These are the available settings:
Enable Default Document — which specifies the Notes database or HTML file that you want displayed when the server receives an HTTP request.
Enable Document Footer — which designates an HTML-formatted footer to be displayed on all documents sent by your Web server.
Custom Errors. Like the settings in the Domino Web Configuration database, the settings at this tab let you map common error messages to custom documents, which can be HTML pages or documents in a Notes database.
A Few Trade-offs for Increased Web Server Functionality
Configuring Domino for IIS is a powerful solution for your Web serving needs, but there is an issue you should be aware of to ensure successful operation. Because Domino must be set up to interact with the system account to generate a Notes.RIP file, if the server generates a Web Application Manager (WAM) error in the Windows Event Log when running Domino for IIS, no Notes.RIP file is produced to aid you with troubleshooting.
There is a solution, however. IIS handles the exception instead of passing it to the system debugger by default. To disable this functionality and let the system debugger (Quincy) handle exceptions and generate a .RIP file, perform these steps:
1. Open the MMC.
2. Right-click the server name (not the Web site name), and select Properties. The Master Properties dialog box appears.
3. Under Master Properties, select WWW Service, and click Edit.
4. At the Home Directory tab, select Configuration.
5. At the Process Options tab, deselect Enable debug exception catching, and click Apply. Then click OK at the next three displays to return to the MMC or the Internet Services Manager main display.
6. Stop and restart the Web site services.
For more information about .RIP files, see "Troubleshooting Domino HTTP Server Crashes," July 2001 (article 671).
There are a few other trade-offs that you must consider. Domino for IIS doesn't support partitioned Domino servers, Domino clustering using the Internet Cluster Manager (ICM), session-based authentication, or password-protected server ID files. However, many administrators and developers will find these disadvantages a small price to pay for the opportunities that integrating Domino with IIS affords them and their users.
The iSeries Didn't Get Left Out!
The iSeries (the new name for the AS/400) has its own native HTTP server, which was available long before Domino became available natively on the AS/400. So a number of organizations used the native server to handle their Web content.
When Domino for the iSeries arrived, the iSeries quickly became the second most popular platform for Domino, and many managers of existing iSeries sites wanted to move their Web applications to the new Domino HTTP server. However, converting content designed for the native HTTP server for use with the Domino HTTP server can be quite time consuming. More importantly, using the native HTTP server lets you integrate your Web applications with RPG applications in ways that the Domino HTTP server doesn't support. So, for some time, there has been a demand for Domino on the iSeries to support the native HTTP server just as Domino supports Microsoft Internet Information Server (IIS) on the Windows NT and Windows 2000 platforms.
That wish came true as of R5.0.4. There are two steps to configure this support. First, you must point the Domino server to an existing instance (e.g., a server running on an AS/400) of the native HTTP server. You can define a one-to-one relationship between a Domino server and an instance of the native HTTP server by using the CHGDOMSVR (Change Domino Server) command at the AS/400 command line.
Second, you must change your native HTTP server instance to handle Domino requests. Domino for the iSeries includes a service program called LIBHTTPX to handle requests forwarded by the native HTTP server, and you must let the HTTP server know which requests (e.g., those ending in .nsf) to pass to Domino. You can make this change using the native HTTP server's Web administration feature.
As with the use of IIS on Windows NT/2000, there are some tradeoffs in using the native HTTP server with Domino on the iSeries (e.g., Domino Web administration no longer works). You must evaluate whether such tradeoffs are worth the additional functionality available as a result of using the native HTTP server.
Detailed configuration instructions are in Domino for AS/400 R5.0.4 Release Notes at http://www.notes.net. Also review the release notes for your specific Domino version because there have been enhancements and changes since R5.0.4.
As a long-time iSeries programmer and administrator, I'm happy to see that this Domino platform isn't playing a poor second fiddle to Domino on Windows NT/2000.
— Jim Hoopes
Additional Resources
You may find these additional resources helpful when configuring IIS on your Domino server.
Lotus
Domino R5 Performance and Scalability at ftp://ftp.lotus.com/pub/lotusweb/collaboration/whitepapers/wpdom5performscale.pdf
The Domino Performance Zone at http://www.lotus.com/performance
Technotes (go to http://support.lotus.com and search for keywords "domino, iis"):
How to Configure Domino for Microsoft IIS (171744)
Installing Domino for IIS on Windows 2000 (177628)
How Does Authentication Work with Domino for IIS (170581)
Incorporating SSL with Domino for IIS (170582)
Microsoft
IIS Deployment Resources at http://www.microsoft.com/technet/iis/deploy.asp
Deploying Windows 2000 with IIS 5.0 for Dot Coms: Best Practices at http://www.microsoft.com/technet/iis/iisdtcom.asp
The Art and Science of Web Server Tuning with Internet Information Services 5.0 at http://www.microsoft.com/technet/iis/iis5tune.asp
IIS 4.0 Tuning Parameters for High-Volume Sites at http://msdn.microsoft.com/workshop/server/feature/tune.asp
— J.C.