Urlscan to RequestFiltering migration using MSDeploy

In addition to the FastCGI migration provider, MSDeploy 1.0 RTW shipped with a URLScan to request filtering migration provider to ease migration of UrlScan.ini settings to the system.webServer/security/requestFiltering section. Even though URLScan 3.1 is supported on Win2K8 and you are not required to move to the request filtering module, there are a few advantages in using it. One advantage is that all your configuration can stay together in applicationHost.config and web.config, and you are not required to maintain a separate configuration file. Another is that you can take advantage of new configuration system features like distributed configuration, shared configuration, locking, and the ability to use appcmd, the UI, configuration editor, etc., which cannot be used if you use UrlScan and your configuration is in UrlScan.ini. In Win2K8 R2, you get additional advantages like configuration system auditing. Moreover, request filtering is one of the core IIS modules and will continue to get much more attention than URLScan. If you are running Win2K8 SP2 or Win2K8 R2, in which the request filtering module has all the features available in URLScan 3.1, you should definitely evaluate migrating from URLScan to request filtering. If you decide to migrate, migration is as simple as running an MSDeploy sync command.

URLScan migration is handled by a new provider in msdeploy named UrlScanConfig, which accepts "INI" or "APPHOST" as its path. When the path is "INI", URLScan configuration is read from "%windir%\system32\inetsrv\urlscan\urlscan.ini". When the path is "APPHOST", configuration is picked up from the system.webServer/security/requestFiltering section. This migration provider works similarly to the FastCGI migration provider. The UrlScanConfig migration provider reads the UrlScan.ini configuration and produces XML which looks like requestFiltering section configuration. The MSDeploy engine then takes care of comparing the XML and doing add/update/delete operations on the destination to make the destination configuration the same as the source. Because msdeploy sync is a single-master sync engine, we take care not to remove configuration from the requestFiltering section which doesn't have a counterpart in UrlScan. For example, hiddenSegments configuration in apphost is not deleted (it is skipped using urlScanSkipIncompatRuleHandler), and applyToWebDav properties are not touched. Below are a few examples showing the usage of the UrlScanConfig migration provider.

Commands to dump the urlscan.ini settings and the current requestFiltering settings.
        msdeploy -verb:dump -source:urlScanConfig=ini -xml
        msdeploy -verb:dump -source:UrlScanConfig=apphost -xml

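Command to migrate urlscan.ini to the requestFiltering section. The -whatif switch previews the changes without applying them; remove it to perform the migration.
        msdeploy -verb:sync -source:urlScanConfig=ini -dest:urlScanConfig=apphost -whatif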

The UrlScanConfig provider can be used to migrate the global urlscan.ini configuration to the server-level requestFiltering section. Migrating a site-level UrlScan.ini is not supported. Here is how the various URLScan properties map to the requestFiltering section.

 

UseAllowVerbs: If set to 1, the AllowVerbs section is used. Otherwise the DenyVerbs section in urlscan.ini is used.

UseAllowExtensions: If set to 1, the AllowExtensions section is used. Otherwise the DenyExtensions section in urlscan.ini is used.

VerifyNormalization: allowDoubleEscaping

AllowHighBitCharacters: allowHighBitCharacters

UnescapeQueryString: unescapeQueryString

 

RequestLimits: MaxAllowedContentLength, MaxUrl and MaxQueryString settings are moved to requestLimits.

AllowVerbs, DenyVerbs: If UseAllowVerbs is 1, verbs@allowUnlisted is set to false and entries are added with enabled="true". If UseAllowVerbs is 0, entries have enabled="false" and verbs@allowUnlisted is set to true.

AllowExtensions, DenyExtensions: When UseAllowExtensions is set to 1, extensions are added with enabled="true" and fileExtensions@allowUnlisted is set to false. When UseAllowExtensions is 0, fileExtensions@allowUnlisted is set to true and entries are added with enabled="false".

DenyHeaders: Moved to requestLimits/headerLimits after removing the colon.

AlwaysAllowedUrls: alwaysAllowedUrls collection

DenyUrlSequences: denyUrlSequences collection

AlwaysAllowedQueryStrings: alwaysAllowedQueryStrings collection

DenyQueryStringSequences: denyQueryStringSequences collection

 

For each rule in RulesList, a filteringRule is created and the rule's properties are mapped as follows.

AppliesTo: filteringRule/appliesTo

DenyDataSection: filteringRule/denyStrings

ScanURL: filteringRule@scanUrl

ScanAllRaw: filteringRule@scanAllRaw

ScanQueryString: filteringRule@scanQueryString

ScanHeaders: filteringRule/scanHeaders

 

All other properties (NormalizeUrlBeforeScan, AllowDotInPath, RemoveServerHeader, AlternateServerName, AllowLateScanning, UseFastPathReject, RejectResponseUrl, EnableLogging, PerProcessLogging, PerDayLogging, LogLongUrls, LoggingDirectory) are ignored, either because they don't make sense or because the feature is always enforced by IIS core. We block migration when incompatible versions of source and destination are present. Some request filtering features like applyToWebDav and hiddenSegments were not present in UrlScan. The UrlScanConfig migration provider doesn't touch these properties if they are present on the target. Note that if the version of UrlScan is not compatible with the IIS version present, migration will not be performed.

Thanks,
Kanwal
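
A pre-migration check built from the mapping and the ignored-property list above, as an added example (not part of the original post and not MSDeploy code): it parses a urlscan.ini and reports the allowUnlisted mode the post describes for verbs and extensions, the DenyHeaders names with the colon removed, and the [Options] settings that will not carry over. The function name, output keys and sample file are constructed for illustration, and section names are matched case-sensitively here.

```python
import configparser

# Options the post lists as ignored by the UrlScanConfig provider.
IGNORED = {
    "NormalizeUrlBeforeScan", "AllowDotInPath", "RemoveServerHeader",
    "AlternateServerName", "AllowLateScanning", "UseFastPathReject",
    "RejectResponseUrl", "EnableLogging", "PerProcessLogging",
    "PerDayLogging", "LogLongUrls", "LoggingDirectory",
}

# Constructed sample for illustration, not a real server's urlscan.ini.
SAMPLE_INI = """\
[Options]
UseAllowVerbs=1
UseAllowExtensions=0
RemoveServerHeader=1
EnableLogging=1
[AllowVerbs]
GET
HEAD
POST
[DenyVerbs]
TRACE
[DenyExtensions]
.exe
.bat
[DenyHeaders]
Translate:
If:
"""

def preview_migration(ini_text):
    """Hypothetical helper: summarize what the post says will be migrated."""
    # '=' is the only delimiter so entries like 'Translate:' stay intact.
    cp = configparser.ConfigParser(allow_no_value=True, delimiters=("=",),
                                   comment_prefixes=(";",), strict=False,
                                   interpolation=None)
    cp.optionxform = str  # keep UrlScan's option casing
    cp.read_string(ini_text)
    entries = lambda s: list(cp[s]) if cp.has_section(s) else []
    opts = dict(cp["Options"]) if cp.has_section("Options") else {}
    allow_verbs = opts.get("UseAllowVerbs") == "1"
    allow_exts = opts.get("UseAllowExtensions") == "1"
    return {
        # Allow-list mode means unlisted items are rejected (allowUnlisted false).
        "verbs": {"allowUnlisted": not allow_verbs,
                  "entries": entries("AllowVerbs" if allow_verbs else "DenyVerbs")},
        "fileExtensions": {"allowUnlisted": not allow_exts,
                           "entries": entries("AllowExtensions" if allow_exts else "DenyExtensions")},
        "headerLimits": [h.rstrip(":") for h in entries("DenyHeaders")],
        "notMigrated": sorted(k for k in opts if k in IGNORED),
    }
```

Anything reported under notMigrated needs a separate decision before UrlScan is removed from the server.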