Placing your Web server on an Internet Service Provider's (ISP's) network is the most cost-effective way to improve Web site performance. However, managing your Web site remotely creates barriers to site administration and requires careful attention to security. A successful co-location strategy depends on an understanding of Internet technology, a proper perspective, careful planning, diligence, and a little luck.
Selecting an ISP
Careful ISP selection is an important first step in your co-location strategy. When selecting a provider, ask the ISP about their network specifications. With this information, you can assess the network performance levels you can expect from a co-location setup. Questions to ask include:
- What is the bandwidth of the ISP's internal network?
- How many servers reside on each segment of the ISP's network?
- Does the ISP use switching technology or would your server be a node on an overused network segment?
- Does the ISP perform backups on a separate segment or on the same segment where your server resides?
- What is the bandwidth of the ISP's Internet connection? Many ISPs are not first-tier Internet providers. Instead, they connect to another ISP to access the Internet. In this case, find out the network specifications of the first-tier provider's network.
- Does the ISP provide conditioned power or must you purchase a UPS?
- Does the ISP provide asynchronous or ISDN out-of-band connections to the internal network?
Network performance is only one aspect of provider selection. Local network management is a crucial component of ISP selection, even though you must remotely manage your Web servers. In fact, redundant management is one benefit of co-location. You should regularly monitor Web services such as Internet Relay Chat (IRC), Network News Transfer Protocol (NNTP), HTTP, and Simple Mail Transfer Protocol (SMTP). Ideally, any critical events in your Web server's NT event logs should also appear in the ISP's monitoring system.
A solid backup strategy is the most important server management service an ISP provides. Most ISP's let you configure automated backups for your Web servers, or the ISP can manage server backups through its own system. If automated backups occur independently of the ISP's backup strategy, then your staff must manage your tape archive. This management includes tape swapping and off-site storage. In most cases, it's your responsibility to create a backup strategy that protects your data and provides off-site backups.
The cost of co-location varies widely from provider to provider. Price does not necessarily reflect the ISP's services. In many cases, you pay for the ISP's name. Additionally, pricing is different for server rental and space rental. Server rentals cost between $450 and $3500 per month, depending on the server configuration. Space rental costs from $250 to $1000 per month, depending on the space required. Virtual Web hosting is another option for establishing an Internet presence; however, you have less control of the configuration and the services provided.
Selecting Server Hardware
After you have selected an ISP, you must properly size your servers. Unless you expect a flood of business the moment you place your server on the Internet, you don't need the latest and greatest server technology on the market. Our typical Web server is an HP NetServer LHpro with dual Pentium Pro 200MHz processors, 256MB of RAM, and dual power supplies. We run SQL Server, Internet Information Server (IIS) 3.0, NNTP, IRC, and SMTP and our custom Internet Server API (ISAPI) filter for user and URL authentication. Additionally, we run services for virus protection, automated backups, remote access, and network management.
Our system supports more than 500 users who log on to the database for online training (nine companies host online training through our site). Anonymous Internet users access our servers for public content. NT Performance Monitor provides the server statistics. Screen 1 shows a typical peek period of Internet activity. The statistics demonstrate that the server's hardware is not busy during peek Internet activity. We tracked the system object rather than the processor object because our typical Web server contains two processors. Notice that processor use peaked at 68 percent and average use was about 11 percent. Disk and RAM activity remained low for the monitoring period.
Proper hardware selection is crucial to an effective Web server co-location strategy. Don't underestimate the value of selecting a server from a known NT server hardware manufacturer like Compaq, HP, or Intergraph. These companies design servers to run NT Server in high-load production environments. Poor server selection can lead to significant downtime, particularly on a heavily loaded system.
Server component selection is the next step, and redundancy is the key for 24 * 7 operation. Server mirroring and clustering aren't necessary unless your system is mission critical. A more cost-effective step for redundant servers is to synchronize the Web content directories with Microsoft's content replication system, which is part of Site Server 2.0. If uptime becomes an issue in the future, you can add server mirroring or clustering. See Windows NT Magazine, June 1998, for more information about NT clustering solutions.
Although server mirroring or clustering is not crucial, disk redundancy is. You must configure your hardware array before installing the operating system (OS). NT includes software-level RAID 1 (disk mirroring) and RAID 5 (disk striping with parity), but hardware-level RAID is more efficient and more robust. For example, HP offers hardware RAID levels 1, 3, 5, 10, 30, and 50. Also, hardware-level RAID allows disk hot sparing and hot swapping. Hot sparing lets another disk take over for a failing disk in the array. Hot swapping means that, in an emergency, you can remove a disk and replace it while the computer is operating.
You must insist on redundant power supplies in the server. Most Web server manufacturers include redundant power supplies as an add-on option. Power supplies are not expensive and you shouldn't overlook them. You can use redundant power supplies for load balancing when both supplies are operational, and if one of the power supplies fails, the operational power supply provides fault tolerance until you replace the failed power supply.
Communication Channels
In addition to redundant computer hardware, a redundant communications mechanism is a crucial and often overlooked part of remote management. You must always have a way to reach the server when access via the Internet is either not available or too slow for effective remote management. A 33.6Kbps modem or faster for out-of-band management provides excellent, economical access to the server. Most ISPs provide a phone line for out-of-band management but, in most cases, you'll incur the phone line installation and service charges. Some ISPs provide ISDN or dial-in services to their network. These dial-in access points are independent of the Internet. If your ISP offers this service, a modem for out-of-band management is not necessary.
A redundant communication mechanism gets you a step closer to a remotely manageable server, but what do you do when your only solution to a problem is to turn the server off and on? Although most ISPs will hit the server's power switch for you, a remote on/off switch is a better solution. APC offers a remote on/off device called the MasterSwitch. The switch accommodates multiple devices and connects to the ISP's network. After you assign an IP address to the switch, you can remotely access the switch and control power to the devices connected to it, as Screen 2 shows.
Now that you've selected your ISP and the hardware you need for remotely managing your Web site, you face the toughest piece of the process: an effective management strategy. Your management strategy must include performance monitoring, network monitoring, and support for day-to-day administrative operations. Remote management increases your server's vulnerability to attack, so security is crucial.
Monitoring Server Performance
Recognizing the importance of performance monitoring, Microsoft developed Performance Monitor, a powerful tool for monitoring NT. Performance Monitor determines whether the server is properly sized and whether you need to add resources to address bottlenecks. Performance monitor tracks counters contained in objects. Counters track every aspect of the OS's activity. Some software packages installed on an NT system (e.g., Internet Information Server--IIS) add objects and counters to the Performance Monitor.
You must regularly run Performance Monitor logging to capture performance statistics at the busiest times of the day. You use this information to baseline your server's activity. If the statistics change radically from the baseline figures, you might need to allocate additional resources to maintain performance.
The number of objects you monitor and the interval of capture affect the rate of log file growth. You need to monitor objects such as processor, physical disk, memory, and objects relating to your Web services. For example, we use Active Server Pages (ASP) extensively, so we collect the ASP object counters.
Monitoring the Network
The primary goal of network monitoring is to warn you of crucial hardware errors or a down server. The most common protocol for network monitoring is Simple Network Management Protocol (SNMP), which is part of the TCP/IP protocol suite. When you install SNMP on the server, a Network Management System (NMS) can monitor it. SNMP responds to GET, GET-NEXT, and SET commands from an NMS and sends unsolicited trap messages to an NMS. The Microsoft Windows NT Server 4.0 Resource Kit contains additional Management Information Base (MIB) files that you compile and install on the NMS to extend its ability to manage various NT services.
The NMS software is not bundled with NT Server; however, many hardware manufacturers include an NMS with a server purchase. Before you purchase a server, make sure the manufacturer includes a full-featured, non-evaluation NMS like HP's OpenView, Computer Associates' Unicenter TNG, or Compaq InsightManager. If not, add the additional cost of an NMS to the price of your server. The NMS software resides on your remote management computer, and the SNMP service runs on the Web server.
The NMS configures the server for data defined in the MIB for Internet and other TCP/IP-based services. The NMS also receives trap messages from the server. These functions let you remotely monitor and configure your servers. Screen 3 shows agents configured for an HP NetServer. Disk statistics show historical data for drive use.
Most hardware, network software, and OSs include MIB files that you install to the NMS to enhance its management capabilities. SNMP monitors thousands of statistics for functions such as HTTP, FTP, Windows Internet Naming Service (WINS), and NT administration.
Microsoft-Specific Monitoring Tools
Network Monitor, NETSTAT, IIS, and Event Viewer logs are key resources for remote server management. Network Monitor lets you capture and analyze all packets on your server's network segment. You use this information to baseline network traffic and see when your ISP's network has excessive traffic. The NETSTAT utility gives you a snapshot of network activity. You can see who is connected to the server, what TCP/IP ports are in use, and network traffic statistics generated by your server. IIS logging provides historical activity for Web services that appear in the Internet Service Manager (ISM). The Event Viewer generates logs for OS, application, and security system monitoring.
Network Monitor. Network Monitor lets you troubleshoot network traffic problems. If you suspect that poor Web server performance is related to traffic on the ISP's network, you can run Network Monitor to see if that's the case.
The NT Server version of Network Monitor is limited in its reach, so if you use the NT Server version, it must run local to your Web server's network segment to capture segment traffic. The Systems Management Server (SMS) 1.2 version or later of Network Monitor can run on a remote management station and display captured packets from remote network segments.
For remote traffic monitoring, you need to review summary statistics in Network Monitor rather than examine individual packets. The opening screen in Network Monitor provides several views of traffic, as Screen 4 shows. You use Network Monitor's summary data to determine which computers on the ISP's network are over-using the segment. If you detect over-use, the ISP might be able to move your server to another segment or address congestion on the network segment.
NETSTAT. The NETSTAT utility provides a snapshot of your server's activity on the network. If you notice poor network performance or need to troubleshoot other protocol issues, the batch file in Listing 1 lets you use NETSTAT as an activity monitor. This command logs network statistics on IP, Internet Control Message Protocol (ICMP), TCP, UDP, active connections listed by friendly name using TCP, and active connections listed by IP address for all TCP/IP-based protocols running on the server. Every 30 minutes, the program writes the statistics to the NETSTAT.LOG file in the D:\LOGS\NETSTAT directory. Use this command only for troubleshooting, because the log file grows rapidly. After you collect statistics for a day, break out of the batch file with Ctrl+C when the SLEEP command is running. The SLEEP command is a resource kit utility. You need this handy utility to run the batch file. Although the NETSTAT command includes a time interval switch in which you specify how often the command should run, the NETSTAT.LOG file is never closed. Therefore, when you break out of the command with CTRL-C, the log file will be empty. The SLEEP command lets the NETSTAT.LOG file close after each logging period. Figure 1 shows some of the log entries in the NETSTAT.LOG file.
You use the NETSTAT.LOG file to watch for excessive traffic, which might indicate a Synchronous character (SYN) attack or failed packets. A SYN attack occurs when a hacker floods the ISP's network with half-open TCP port connections. In the NETSTAT.LOG file, you'll see an excessive number of connections showing SYN_RECEIVED in the state column. Your ISP needs to filter for this event.
IIS Logging. Although the NETSTAT utility is a quick way to log information about your server's activity, IIS logging includes automated, robust, configurable network activity logging functions. You configure IIS logging through the ISM Logging tab in IIS 3.0 or in the Site tab in IIS 4.0. Most Internet services, with the exception of IRC, contain a logging function. Screen 5 shows the IIS 3.0 Logging tab for the WWW Service Properties page.
To enhance log-reporting capabilities, you can log to an Open Database Connectivity (ODBC) data source rather than an ASCII file. However, logging to an ODBC data source increases server-processing overhead. If you have a database on a separate server on the ISP's network, log to this database rather than a database running on the same server that runs your Web services.
IIS writes log files to \systemroot\SYSTEM32\LOGFILES. You should change this path for each IIS service that supports logging. If you don't change the path, you risk filling your boot partition with log files and crashing the server. Give each IIS service a distinct directory for log file storage. Screen 5 shows a configuration where HTTP logging writes its log files to the D:\LOGFILES\WWW directory.
IIS 4.0 includes Site Server Express, which lets you import the IIS log files and use the Site Server Express Report Writer to analyze your Web site's activity. For example, the Report Writer tells you who is using your site, what pages users access most, and what countries users are from. Site Server Express works with logs generated in both IIS 3.0 and IIS 4.0.
NT Event Viewer. NT writes two logs by default: the Application log and System log. If you have auditing configured on your server, the Security log collects security events as well. You view these logs through the Event Viewer application. You must monitor these logs for proper OS and application performance, and review the Security log for unusually high logon failures and other security events that suggest a hacker attack.
You can use NT event auditing to report on virtually any OS event. However, overuse of this feature severely impacts server performance. Keep File and Object access auditing to a minimum. Auditing logon failures can indicate a random password attack, so this audit is important. If you suspect account access abuses, you should monitor logon success too. Balance the need for auditing against its impact on server performance.
Remote Server Management
Web server co-location is a cost-effective strategy for boosting your Web site's performance. A fast Web site presents a professional image of your company. A properly sized server and the right hardware deliver the performance and reliability that keeps visitors coming to your site. After you have co-located your Web server, you face an even greater challenge: remote server management. SNMP access, Performance Monitor, Network Monitor, and log collection are useful for remote Web administration only if you can access the data offsite. We will discuss remote access and securing your remote Web server in part two of "Remote Web Administration."
