@flaxking said in Need and IIS based hosting option aside from Azure:

they could rewrite enough to upgrade to the latest .Net and not have to run on Windows.

And confirmed. They are updating to ASP.Net Core 7

So they can run everything pretty much anywhere. Time to test out Kestrel and YARP it seems.

@DustinB3403 If it is not DNS, firewall is always a problem lol. Nice find.

@phlipelder said in Get Wildcard SSL Certs for IIS on Windows with LetsEncrypt:

@scottalanmiller said in Get Wildcard SSL Certs for IIS on Windows with LetsEncrypt:

@phlipelder said in Get Wildcard SSL Certs for IIS on Windows with LetsEncrypt:

@scottalanmiller said in Get Wildcard SSL Certs for IIS on Windows with LetsEncrypt:

@phlipelder said in Get Wildcard SSL Certs for IIS on Windows with LetsEncrypt:

@jaredbusch said in Get Wildcard SSL Certs for IIS on Windows with LetsEncrypt:

@scottalanmiller my problem with Certs on Windows, in general, is that you almost always have to copy it around to multiple servers to make everything work well, and that jsut defeats the purpose of LE.

Based on what is on the site, Microsoft has an intrinsic trust with LE's root store. I should be able to set up a RD Session Host with a LE certificate for publishing and there should be no untrusted publisher for RemoteApps or Session Host desktops once the certificate's thumbprint is published via Group Policy?

One would hope that they would. LE is like the standard in SSL Certs. It's from the EFF, way more trustworthy than other cert authorities, IMHO.

Snag: Valid for 90 days. In larger RDS farm settings this would be a bear to manage. That means the need for an automated process.

It is expected to be automated. SSL Cert updates should not be intrusive. All of the tools for LE SSL Certs are designed around the idea that you will automate them and never need to worry about them again. It's about being less of a snag, not more of one.

Got it thanks. Looks like a bit of a learning curve then. 🙂

It's not bad. I find learning the LE pieces easier than learning to do it the old fashioned way 🙂 And with LE it is "learn once and ignore", rather than "learn once, forget, do again in a year or two all over again."

@psx_defector said in IIS Security setup:

Best practice isn't up to date.

Set it to PCI 1.2, that disables TLS1.0, all the AES stuff, etc. etc. You can also disable them manually in the first screen.

Great, thanks.

@bbigford said in How would you move an IIS workload from on site to a VPS:

I'll have to look into that, as I'm not sure how I can just copy the application folder though since it's an install on Windows.

Normally it is just a folder that contains the app. Presumably the app needs a datasouce as well, though. Where is that located?

What kind of web app is this? ASP.NET? PHP? Java?

Yep, setting protected-mode to no did the trick. SELinux was re-enabled and stuff works.

Now the question is can I get stuff to work with the most current version of Redis and on Fedora. 🙂

@scottalanmiller said in Appropriate Use of Hyper-V Checkpoints:

@eddiejennings said in Appropriate Use of Hyper-V Checkpoints:

@jaredbusch said in Appropriate Use of Hyper-V Checkpoints:

@eddiejennings said in Appropriate Use of Hyper-V Checkpoints:

With this upcoming project of virtualizing our production stuff, I've been thinking through the appropriate use of checkpoints. I'm sure there are other articles on this, but this seemed to be a good read.

My grand idea is that checkpoints would be used before installing Windows updates or some upgrade to an application. You take the checkpoint, apply the update, and if everything breaks, you apply the checkpoint. If nothing breaks, then you delete the checkpoint.

I'm curious how this would be handled with a SQL Server VM or Redis VM. You'd update your VM, transactions start happening, then things break causing you to have to apply the checkpoint. Any transactions that were done would be lost, which upon further thinking probably doesn't matter, since you probably couldn't trust any data put into the database while the stuff was in the process of breaking.

You have to make sure you don’t have transactions coming in. Simple as that. Anything is a headache waiting to happen.

Makes sense. When I do maintenance on these normally, I stop IIS once downtime’s been announced, then do my work. So I’d just take the checkpoints at that point. I imagine once stuffs back up and I confirm things aren’t broken, Hyper-V just handles merging the avhdx file in such a way that SQL Server, etc is none the wiser. Or is there significant risk of stuff breaking if it’s running while that merge process takes place?

No real risk. Just performance loss.

And never enought to matter to any SMB workload I have ever had to deal with.

@NashBrydges Oh this is awesome! Gonna be giving that a go on Monday or Tuesday.

Makes sense. Although I am a little worried that the new pool just died all by itself. I wonder why that would happen. Will see if it happens again.

OMG, nevermind. Figured that out too. Was a combination of a missing default path and the same .NET CLR pool version as before. It's a subfolder and needs its CLR version set, too. Argh. All is well now.

If you want to use a newer version of .Net, I generally tell it to use whatever version I want and the "Classic" version if it is listed. I've had problems similar using any other version.

@Dashrender said:

uh.. Isn't SAN a different situation altogether?

No. Both are a waste of money with little true value and hyped or marketed heavily as a good thing.

I see what you mean. And also, if you're making the change in the web.config, that should trigger an application restart anyway.

Something is preventing the pageSecurity object from being set. You could do a global text search for "pageSecurity" and find the code that sets it. That may be where the failure is happening.

Normally I would expect this to be caused by a missing security-related table, like Roles or something. But you said it was a full copy. You might want to double check.

Personally use VMware LogInsight. Pricing is per socket, or per device logged (and they have a VSPP price per month). Fairly reasonable and super easy to work with.