Configuring HTTP for Windows Vista

myITforum Daily Newsletter; October 16, 2006

myITforum Newsletters — Mon, 16 Oct 2006 16:06:06 GMT

myITforum Daily Newsletter Daily Newsletter October 16, 2006 The myITforum.com newsletter is delivered

re: Configuring HTTP for Windows Vista

Adam — Mon, 16 Oct 2006 17:28:21 GMT

Hang on ... where and at what layer is this check performed?

Does this mean that the user can't open a socket to listen on at port 8000 (or any other port?) and that this is enforced by the kernel?

Or is the check performed by the web service process in userspace? In which case, what's to stop the user from either evading the check (copying the binary and patching it?) or just installing a different web server (apache?) to run the service from? Or writing their own?

(Yes, a home-written one probably won't be fast, or stable, or scale very well, or be as extensible as IIS, or be usable as a transparent proxy, or.... but if it only needs to do one particular job....)

Can you at least clarify "listening at a particular HTTP address"? I get listening on a TCP/IP port/address pair. I also get using HTTP over TCP/IP. But I don't see how an HTTP "address" is different from any other TCP/IP address.

Very confused.

Use OneWay for Long-Running Operations

Nicholas Allen's Indigo Blog — Mon, 16 Oct 2006 18:57:50 GMT

I have a long-running service operation that needs to receive a response. What options do I have for

re: Configuring HTTP for Windows Vista

Nicholas Allen — Mon, 16 Oct 2006 19:13:52 GMT

HTTP.sys is a kernel device driver for processing HTTP connections on XP SP2 and later. Besides doing a lot of work for you, it also allows multiple applications to share the same TCP port. You can configure the IP addresses and ports that HTTP.sys listens on. Many pieces of Winodws (WCF, IIS 6 and later) are built on top of HTTP.sys.

re: Configuring HTTP for Windows Vista

Adam — Mon, 16 Oct 2006 19:54:12 GMT

Device driver? Huh? What device? Or does "device driver" == "kernel module"?

You guys put an HTTP server in the kernel? Blech! :)

How do multiple apps share the same TCP port? The best documentation I found on http.sys was http://www.microsoft.com/technet/prodtechnol/WindowsServer2003/Library/IIS/a2a45c42-38bc-464c-a097-d7a202092a54.mspx?mfr=true but it seems a little light on technical details. Is there anything more involved that you know of? If not, does this port-sharing work for any TCP port, or only ones with HTTP running over the top?

Also, why would you *want* multiple apps on the same port? What's wrong with running different apps on different ports?

re: Configuring HTTP for Windows Vista

Nicholas Allen — Mon, 16 Oct 2006 20:34:02 GMT

HTTP.sys is a protocol driver for HTTP traffic in the same sense that TCPIP.sys is a protocol driver for IP traffic. HTTP.sys handles incoming connections on the TCP port and dispatches to applications based on the path in the HTTP request. This lets me host http://mymachine/myapp1/ in IIS using ASMX and at the same time host http://mymachine/myapp2/ in WCF. Businesses can have hundreds or even thousands of applications hosted on a single machine like this without opening every port in their firewall.

re: Configuring HTTP for Windows Vista

Adam — Tue, 17 Oct 2006 11:40:09 GMT

This is something I've never understood. What's wrong with opening ports in your firewall. If you have myapp1 running on port 8000 and myapp2 on port 8001, what disadvantage is there doing that over running them both on port 8000, or port 80?

I can see plenty of advantages. Such as being able to use the firewall to limit source IPs that can connect to myapp1 while leaving myapp2 open to the world. Such as being able to move myapp1 to a different server and use destination NAT/port forwarding to make it transparent.

The whole point of TCP ports is to allow multiple applications to run on a single interface. Why reinvent that as part of the HTTP namespace?

New and Notable 115

Sam Gentile — Tue, 17 Oct 2006 17:18:44 GMT

There is so much I want to say about important topics like Rocky's well-written, thought provoking Semantic

New and Notable Links : Oct 11 - 16 2006

Dan's Archive — Wed, 18 Oct 2006 12:23:28 GMT

re: Configuring HTTP for Windows Vista

Nicholas Allen — Wed, 18 Oct 2006 21:10:56 GMT

That's an arms race between firewall administrators, who want to keep all traffic out, and application developers, who want to let all traffic through. As firewalls offer more ways of restricting or filtering, application developers get more creative in tunneling their applications through innocuous data streams.

From a user perspective though, having to remember a different port number for each service is pretty bad. Putting everything at the same server address with a memorable path name is an attractive solution. The alternative is virtual hosting each app with a different dns address, which gets back to a similar battle with corporate administrators.

It also saves some resources for hosts if they multiplex off a single port.

re: Configuring HTTP for Windows Vista

Adam — Thu, 19 Oct 2006 11:57:34 GMT

I think that's a bit of an overstatement on both sides.

App developers don't want to let *all* traffic through, just the traffic for the apps that they need/are developing. In fact, as a developer, I hardly ever need holes in a firewall while I'm *developing* apps - that's what internal test environments are for. But when it comes to external testing, sure, they need a hole in the firewall, but just one tiny hole, on a single port, to a single server.

Similarly, firewall admins generally don't want to keep *all* traffic out, they want to keep *unwanted* traffic out. But how they keep track of what traffic is wanted and what isn't? If it all looks the same and comes in over the same channel (HTTP over port 80), how can they tell what's wanted and what isn't? How can they ask an app developer if they're finished external testing of "fooble" and can they close off access to that *single* app now if there's no way to figure out which traffic is for "fooble" and which is for "bazzle"?

And if someone wants to run a service with known security holes open to the world on a server? If they ask for a new port to be opened for it, the firewall admins do their job, find the CVEs for it and turn the request down, great! Security is maintained. If they just hang it off another HTTP "subdirectory" and the network gets trashed - oops!

Running different apps off different ports allows you to audit what services are available to whom and where they're hosted in a single place - the firewall. Tunneling other protocols through/routing around the firewall defeats the entire purpose of having one!

I find that it interesting that MS appear to be coming down on the side of helping developers circumvent their own companies' security policies. Still, those pesky security experts! What do they know? They're way too paranoid and only get in the way.

Yeah, right.

Good to see that "secure by design, secure by default" policy shining through.

And I don't see how users find remembering ports any different from remembering other server data - they don't. When I get sent connection info for a service, I don't remember it, I keep the email with the URL and copy and paste as appropriate. If someone else needs the URL, I forward it to them. And what's so different about copy-and-pasting the followign URLs?

http://server.domain.com/myapp

https://server.domain.com:82/

I'm not sure about what resources can be saved by multiplexing. Could you elaborate on that?

Advanced URL ACLing with Windows Vista

Nicholas Allen's Indigo Blog — Wed, 01 Nov 2006 19:18:33 GMT

This article covers some of the advanced topics that I left out of the earlier piece on configuring HTTP

Deploying WCF in a Windows Service

using Colin.Bowern; — Tue, 19 Dec 2006 22:49:58 GMT

I deployed my first WCF service as a Windows Service today. It wasn't as straight forward as I...

2006 Year in Review

Nicholas Allen's Indigo Blog — Wed, 03 Jan 2007 21:07:54 GMT

I started this blog back in February hoping to produce a daily post throughout the entire month. I had

Configuring HTTP in Windows Vista

Govind's WebLog — Tue, 09 Jan 2007 23:45:19 GMT

Hosting a WCF service on a HTTP endpoint on Windows Vista has some issues given that you are not running

AddressAccessDeniedException: HTTP could not register URL http://+:8080/<…>.

PaulWh's Tech Blog — Sat, 05 May 2007 02:47:37 GMT

A while back, when I was first doing WCF development I ran into the following exception: AddressAccessDeniedException

Don't Run as Administrator

Nicholas Allen's Indigo Blog — Fri, 07 Sep 2007 23:43:03 GMT

I want to run this post as a reminder to people building and deploying services. I see people deploy

New and Notable 115

Sam Gentile — Tue, 25 Sep 2007 10:05:56 GMT

There is so much I want to say about important topics like Rocky's well-written, thought provoking

Enabling HttpListeners for Non-Admins

Dan's Archive — Mon, 28 Jul 2008 16:50:07 GMT

Enabling HttpListeners for Non-Admins

#.think.in infoDose #28 (29th Apr - 8th May)

#.think.in — Fri, 15 May 2009 11:32:14 GMT

#.think.in infoDose #28 (29th Apr - 8th May)

#.think.in — Sun, 31 May 2009 01:12:33 GMT

#.think.in infoDose #28 (29th Apr - 8th May)