IIS Isolation Mode
IIS 6.0 runs in two different operating modes called Application Isolation Mode (Isolation Mode): Working Process Isolation Mode and IIS 5.0 Isolation Mode. Both modes depend on HTTP. sys as Hypertext Transfer Protocol (HTTP) listeners. However, their internal working principles are completely different.
The work process Isolation Mode utilizes the re-designed architecture of IIS 6.0 and uses the core components of the work process. IIS 5.0 isolation mode is used for applications that depend on specific functions and behaviors of IIS 5.0. This isolation mode is composed Iis5isolationmodeenabled: Specifies the database attribute configuration.
The Isolation Mode of your selected IIS application affects performance, reliability, security, and functional availability. Working Process Isolation Mode is recommended for IIS 6.0 operations because it provides a more reliable platform for applications. The work process Isolation Mode also provides a higher level of security, because the application running in the work process is identified as NetworkService by default.
The default ID of an application running in IIS 5.0 Isolation Mode is LocalSystem, which allows access and has the ability to change almost all resources on the computer.
Although the working process isolation mode provides enhanced isolation, reliability, availability, and performance, some applications may still have compatibility issues when running in this mode. If you encounter compatibility problems, use the IIS 5.0 Isolation Mode.
When deciding which Isolation Mode to use, consider the following:
- Unless the IIS 5.0 Isolation Mode is required due to specific compatibility issues, the working process isolation mode is used.
- Websites with static content and simple Microsoft Active Server Pages (ASP) applications should be able to run in work process isolation mode without modification or modification.
- If applications can run correctly on IIS 5.0, they should be able to run correctly in IIS 5.0 Isolation Mode.
Note:IIS 6.0 cannot run two application isolation modes at the same time. Therefore, on the same IIS server, it is impossible to run some Web applications in Working Process Isolation Mode and other applications in IIS 5.0 Isolation Mode. To have applications that require independent mode, you must run them on a separate computer.
This topic contains the following information:
- Working Process Isolation Mode
- IIS 5.0 Isolation Mode
- Compare functions in IIS 6.0 Mode
- Default Value of Isolation Mode
- HTTP Filter
Working Process Isolation Mode
Working Process Isolation Mode utilizes all new core components of IIS 6.0. Enable the application pool, recycle, and health check functions in Working Process Isolation Mode. These functions will be described later in this topic.
Describes the IIS 6.0 architecture that runs in Working Process Isolation Mode.
In, you can see that only the specific application code is loaded into the working process. Examples of specific application code are ASP and ASP. NET applications, because the runtime engines of these programming platforms are implemented as Internet Server API (ISAPI) extensions.
This architecture makes IIS very reliable, because no matter what service interruption occurs in the working process, the Web Publishing Service (WWW Service), IIS Management Service and HTTP. sys can run continuously without being affected. Similarly, websites running in work processes are not affected by faults running in other work processes because they are isolated from each other through process boundaries.
The following steps describe how to process requests in the work process Isolation Mode:
- The request arrives at http. sys.
- HTTP. sys determines whether the request is valid. If the request is invalid, it returns an invalid request code to the client.
- If the request is valid, HTTP. sys checks whether the response exists in its kernel mode cache.
- If the response exists in the cache, HTTP. sys returns the response immediately.
- If the response is not cached, HTTP. sys will determine the correct request queue and put the request in the queue.
- If no workflow is assigned to the queue, HTTP. sys notifies the WWW Service to start a workflow.
- The worker process extracts the request from the queue and processes it.
- The worker process returns the response to HTTP. sys.
- HTTP. sys returns the response to the client and records the request (if this configuration is done ).
IIS 5.0 Isolation Mode
The IIS 5.0 Isolation Mode ensures the compatibility of applications developed for IIS 5.0. The IIS 5.0 request processing in IIS 6.0 Isolation Mode is almost the same as that in IIS 5.0. In IIS 5.0 Isolation Mode, the application pool, recycle, and health check functions are unavailable.
Describes IIS running in IIS 5.0 Isolation Mode.
In IIS 5.0 Isolation Mode, HTTP. sys is used in the same way in Working Process Isolation Mode. The only exception is that it only transmits requests to a single request queue maintained by the WWW Service. According to the configuration of the Isolation Mode-in-process, in-pool, or out-of-process-requests are processed in inetinfo.exe or dllhost.exe.
Compare functions in IIS 6.0 Mode
The following table is used as a reference to understand the roles of the IIS 5.0 feature in IIS 6.0 Isolation Mode and working process Isolation Mode.
IIS Functions |
IIS 5.0 Isolation Mode Host/component |
Working Process Isolation Mode Host/component |
Workflow Management |
N/ |
Svchost.exe/WWW Service |
Worker Process |
N/ |
W3wp.exe/Worker Process |
ISAPI extension in the running process |
Inetinfo.exe |
W3wp.exe |
External ISAPI extension for Running Processes |
Dllhost.exe |
N/A (all ISAPI extensions are in process) |
Run ISAPI filter |
Inetinfo.exe |
W3wp.exe |
HTTP. sys Configuration |
Svchost.exe/WWW Service |
Svchost.exe/WWW Service |
HTTP support |
Windows kernel/HTTP. sys |
Windows kernel/HTTP. sys |
IIS configuration database |
Inetinfo.exe |
Inetinfo.exe |
FTP |
Inetinfo.exe |
Inetinfo.exe |
NNTP |
Inetinfo.exe |
Inetinfo.exe |
SMTP |
Inetinfo.exe |
Inetinfo.exe |
Default Value of Isolation Mode
When IIS 6.0 is installed on a computer without an earlier version of IIS, the isolation mode is automatically set to work process Isolation Mode. If you upgrade IIS from an earlier version, the isolation mode is set to IIS 5.0.
The following table specifies the default Isolation Mode When IIS 6.0 is installed.
Install |
Isolation Mode |
Install IIS 6.0 |
Working Process Isolation Mode |
Upgrade from earlier versions of IIS 6.0 |
The Isolation Mode has not changed. |
Upgrade from IIS 5.0 |
IIS 5.0 Isolation Mode |
Upgrade from IIS 4.0 |
IIS 5.0 Isolation Mode |
HTTP Filter
Secure Sockets Layer (SSL) requests are encrypted, and the kernel-mode HTTP service lacks the ability to decrypt requests or respond to encrypted requests. The user mode service HTTP filter effectively solves this problem. It is used to decrypt SSL requests and encrypt the returned results. The HTTP filter service runs in two IIS operation modes:
- When IIS 6.0 runs in a working Isolation Mode, isass.exe acts as the host of the HTTP filter.
- When IIS 6.0 runs in an IIS 5.0 Isolation Mode, inetinfo.exe acts as the host of the HTTP filter.