Evaluating Application Isolation Modes

Applies To: Windows Server 2003, Windows Server 2003 with SP1

The IIS application isolation mode that you choose affects performance, reliability, security, and feature availability. Worker process isolation mode is the recommended mode of operation for IIS 6.0 because it provides a more robust platform for applications and the ability to isolate applications in separate application pools without incurring a performance penalty. Also, in the default configuration, worker process isolation mode provides a higher level of security than IIS 5.0 isolation mode does, because its default worker process identity is Network Service, a low-privilege account, whereas an application that runs in-process in IIS 5.0 isolation mode runs as Local System.

Some applications might have compatibility problems when they run in worker process isolation mode. If compatibility problems occur, you might need to use IIS 5.0 isolation mode. In IIS 5.0 isolation mode, an application that runs in-process in Inetinfo.exe runs as Local System; no other process identity is available for in-process applications. For more information about IIS security, see Managing a Secure IIS 6.0 Solution. Also see Configuring Worker Process Identities and IIS and Built-in Accounts.

Important

IIS 6.0 cannot run both application isolation modes simultaneously on the same computer. Therefore, on a single computer running IIS 6.0, you cannot run some Web applications in worker process isolation mode and others in IIS 5.0 isolation mode. If your applications require different modes, you must run them on separate computers.

When you are deciding which application isolation mode to use, follow these guidelines:

  • Use worker process isolation mode unless a specific compatibility problem forces you to use IIS 5.0 isolation mode. For example, an application that checks whether it is running in a process named Inetinfo.exe is incompatible with worker process isolation mode, because in that mode applications are hosted in W3wp.exe.

  • For Web sites that contain static content and simple ASP applications, run the applications in worker process isolation mode because these Web sites usually require little or no modification.

  • For applications that run correctly on IIS 5.0, try running them first in worker process isolation mode. If they do not work correctly, change them back to IIS 5.0 isolation mode until you can diagnose and fix the incompatibility.
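Before deciding whether to switch modes, confirm which mode the server is actually in and which identity each application pool uses. The following script is an added example, not code from the original page or from Microsoft; it reads those settings through the IIS 6.0 WMI provider (namespace root\MicrosoftIISv2, classes IIsWebServiceSetting and IIsApplicationPoolSetting). It assumes that Windows PowerShell is installed on the Windows Server 2003 computer and that it is run with administrative rights.

```powershell
# Added example (not from the original page): report the IIS 6.0 application
# isolation mode and the identity of every application pool, using the IIS 6.0
# WMI provider. Assumes PowerShell is installed on the Windows Server 2003
# computer and that the script runs as an administrator.

$ns = 'root\MicrosoftIISv2'

# W3SVC-level metabase property IIs5IsolationModeEnabled:
#   True  = IIS 5.0 isolation mode (applications in Inetinfo.exe / Dllhost.exe)
#   False = worker process isolation mode (applications in W3wp.exe, per pool)
$w3svc = Get-WmiObject -Namespace $ns -Class IIsWebServiceSetting |
         Where-Object { $_.Name -eq 'W3SVC' }

if ($w3svc.IIs5IsolationModeEnabled) {
    Write-Host 'Mode: IIS 5.0 isolation mode (in-process applications run as Local System in Inetinfo.exe)'
    Write-Host 'Note: application pool settings below are ignored in this mode'
} else {
    Write-Host 'Mode: worker process isolation mode (each application pool runs in its own W3wp.exe)'
}

# AppPoolIdentityType values as defined in the IIS 6.0 metabase schema
$identityNames = @{ 0 = 'LocalSystem'; 1 = 'LocalService'; 2 = 'NetworkService'; 3 = 'SpecificUser' }

Get-WmiObject -Namespace $ns -Class IIsApplicationPoolSetting | ForEach-Object {
    $type     = [int]$_.AppPoolIdentityType
    $identity = $identityNames[$type]
    if ($type -eq 3) { $identity = "SpecificUser ($($_.WAMUserName))" }

    # Flag pools that run with full privileges; Network Service is the default and the safe choice
    $flag = ''
    if ($type -eq 0) { $flag = '  <-- runs as LocalSystem; review whether this is really required' }

    Write-Host ("{0,-45} {1}{2}" -f $_.Name, $identity, $flag)
}
```

Run the script once before and once after any mode change. A pool reported as LocalSystem in worker process isolation mode gives up the main security benefit described above, so treat it as a finding unless the application is documented to need it.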

Applications that cannot run in worker process isolation mode

Applications that run in worker process isolation mode can take advantage of all the worker process behaviors, which include multi-instancing, recycling, and configurable process identity. Applications with certain characteristics conflict with the architecture of worker process isolation mode and must run in IIS 5.0 isolation mode until you can modify them.

The following applications or application characteristics conflict with worker process isolation mode:

  • Read raw data filters. This type of filter can be loaded only in IIS 5.0 isolation mode.

  • Dependency on Inetinfo.exe. Applications that must run in an Inetinfo.exe worker process can run only in IIS 5.0 isolation mode because applications cannot run in Inetinfo.exe in worker process isolation mode.

  • Requires Dllhost.exe. Web applications that must run in a Dllhost.exe environment can run only in IIS 5.0 isolation mode because running Web applications in Dllhost.exe is not an option in worker process isolation mode.

Applications that use SF_NOTIFY_READ_RAW_DATA filters

ISAPI filters that use SF_NOTIFY_READ_RAW_DATA notifications work differently depending on the isolation mode in which IIS 6.0 is running. To understand the differences, remember that a global filter is installed for the entire IIS service and sees requests for all Web sites, whereas a site filter is installed at the site level and sees requests only for the site where it is installed.

Note

The only raw data filter that works differently in IIS 6.0 is SF_NOTIFY_READ_RAW_DATA. SF_NOTIFY_SEND_RAW_DATA works as expected and is supported in both application isolation modes.

For IIS 6.0 running in IIS 5.0 isolation mode, the behavior is the same as it was in IIS 5.0. Because IIS must read the host header to route the request to the correct site, and because the READ_RAW_DATA notification is sent before the host header arrives from the client, it is impossible to know which site must be notified. For this reason, site filters cannot register for SF_NOTIFY_READ_RAW_DATA notifications. Global filters, however, can register for SF_NOTIFY_READ_RAW_DATA notifications.

IIS 6.0 running in worker process isolation mode does not support SF_NOTIFY_READ_RAW_DATA notifications. Worker process isolation mode is based on application pools, which do not correspond directly to sites. Http.sys routes a request based on server bindings and the URL namespace. Because a READ_RAW_DATA notification must be sent before IIS has received enough of the client request to determine the server bindings and URL, IIS cannot route a READ_RAW_DATA notification to the correct worker process. This is not an issue in IIS 6.0 running in IIS 5.0 isolation mode, because Inetinfo.exe is the single process that receives every request and hosts every filter.

For information about how the SF_NOTIFY_READ_RAW_DATA notification works with Secure Sockets Layer (SSL), see SSL and SF_NOTIFY_READ_RAW_DATA filters in Managing a Secure IIS 6.0 Solution.

Applications that require special handling to run in worker process isolation mode

Applications that you cannot load into multiple processes simultaneously have the following limitations:

  • You cannot run them in application pools configured to perform overlapped recycling.

  • You cannot run them in application pools configured as Web gardens.

Instead, run this type of application in an application pool that is not configured for overlapped recycling and that is not configured to run as a Web garden. For more information about overlapped recycling, see Features of Worker Process Isolation Mode. For information about configuring overlapped recycling, see Recycling Worker Processes with IIS 6.0.
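The following script is an added example, not code from the original page or from Microsoft, showing how to check and correct both settings for one application pool through the IIS 6.0 WMI provider: MaxProcesses controls the Web garden (1 means a single worker process) and DisallowOverlappingRotation, when true, prevents the old and new worker processes from running at the same time during a recycle. It assumes PowerShell is installed on the Windows Server 2003 computer, that it runs as an administrator, and that a pool named SingleInstanceAppPool exists; that pool name is hypothetical.

```powershell
# Added example (not from the original page): make one application pool safe
# for an application that cannot be loaded into more than one process at a time.
# Uses the IIS 6.0 WMI provider (root\MicrosoftIISv2). Assumes PowerShell is
# installed on the Windows Server 2003 computer and the script runs as an
# administrator. 'SingleInstanceAppPool' is a hypothetical pool name.

$ns       = 'root\MicrosoftIISv2'
$poolName = 'W3SVC/AppPools/SingleInstanceAppPool'   # hypothetical; use your pool's metabase path

$pool = Get-WmiObject -Namespace $ns -Class IIsApplicationPoolSetting |
        Where-Object { $_.Name -eq $poolName }
if ($pool -eq $null) { throw "Application pool $poolName not found" }

Write-Host ("Before: MaxProcesses={0}  DisallowOverlappingRotation={1}" -f `
            $pool.MaxProcesses, $pool.DisallowOverlappingRotation)

$changed = $false

# A Web garden (MaxProcesses > 1) would start several copies of the application at once
if ($pool.MaxProcesses -ne 1) {
    $pool.MaxProcesses = 1
    $changed = $true
}

# Overlapped recycling starts the replacement process before the old one exits,
# so the application would briefly be loaded twice; disallow the overlap instead
if (-not $pool.DisallowOverlappingRotation) {
    $pool.DisallowOverlappingRotation = $true
    $changed = $true
}

if ($changed) {
    $pool.Put() | Out-Null        # commit the change to the metabase
    Write-Host 'Pool updated; recycle the pool so the new settings take effect'
} else {
    Write-Host 'Pool is already configured for a single-instance application'
}

Write-Host ("After:  MaxProcesses={0}  DisallowOverlappingRotation={1}" -f `
            $pool.MaxProcesses, $pool.DisallowOverlappingRotation)
```

Setting DisallowOverlappingRotation to true means the pool is briefly unavailable while the old process shuts down and the new one starts, which is the price of guaranteeing that only one instance of the application ever exists; keep the application in a dedicated pool so that no other application pays it.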

If the IIS 6.0 WWW service is running in worker process isolation mode (the IIS 6.0 default mode), and you must run applications that require functionality that is available only in IIS 5.0 isolation mode, change to IIS 5.0 isolation mode until you can correct the incompatibility. When your server runs in IIS 5.0 isolation mode, no application on that server can take advantage of worker process isolation or the other features of worker process isolation mode, and in-process applications run as Local System.