The version of Enfold Proxy released in September 2008 has full support for Internet Information Services (IIS 7) or Microsoft Vista. Version 4.0 EP did not officially support it, but the documentation contained steps about how to make it work.
If you are using IIS 7 on Server 2008, the directions for setting up IIS will be slightly different. See installing EP on Windows Server 2008.
IIS 7 must be installed on Vista (or Windows Server 2008). Before you install EP on IIS 7, you need to enable certain features.
Important: Vista will not let you install Enfold Proxy until you make these changes first to IIS.
You need to turn these features on by default.
Using an administrator account, go to Control Panel->Programs and Features-> Turn Windows Features On or Off -> Accept UAC dialog -> Internet Information Services. Then enable the following options:
- Web Management Tool -> IIS6 Management Capability -> IIS Metabase and IIS6 configuration capability
- World Wide Web Services -> Application Development Features -> ISAPI Extensions
- World Wide Web Services -> Application Development Features -> ISAPI Filters
- World Wide Web Services -> Security -> Basic Authentication (This must be checked if you are using single signon with NTLM).
- World Wide Web Services -> Security -> Windows Authentication (This must be checked if you are using single signon with NTLM).
NTLM/Single Sign on is a feature which lets Plone authenticate using Active Directory. You need to configure Plone to support NTLM, either with an addon or a customization in the ZMI. If you are not using NTLM, you don't need to enable Basic Authentication or Windows Authentication.
After you make these changes, press OK. Vista will provide a dialog saying "Please wait while the features are configured." After a minute or so, this dialog will close, and EP will be installed.
(This applies only to sites run by Enfold Proxy and Enfold Server with NTLM Authentication).
Logged in domain users on a Vista machine SP 1 may experience browser problems on IE 7 with automatic login. (This issue does not affect NTLM authentication on Firefox). If this problem occurs, domain users on Vista SP 1 may need to change some settings on IE 7.
In the advanced tab, browsers in the authenticated domain need to uncheck the option labeled Enable Integrated Windows authentication.
Note that you still need to keep the option in Security Settings for Automatic Login with current user and password for NTLM to work.
Vista's security model is intended to prevent the user from accidentally writing/editing system or configuration files. The Encontrol configuration utility will automatically prompt for the necessary elevation of privileges, but if you wish to edit this file by hand, you will need to do so from a process that is already elevated (ie, started with "Run as Administrator"); see the Vista documentation about how to do that.
Enfold Proxy runs as a native 64 bit application on Vista and has better performance than the 32 bit Vista version of Enfold Proxy. Generally, there are no incompatibility issues.
IIS 7 and Enfold Proxy run as native 64 bit applications, so Enfold Proxy contains full support for 64 bit IIS. Occasionally, a need may arise to make 64 bit IIS 7 to run in 32 mode instead of 64 bit mode. This can happen for example if you are already using ISAPI filters that need to run in 32 bit mode; in this case, it would make sense to make IIS 7 run in 32 bit mode.
Note: This method for "downgrading" 64 bit IIS works only on IIS 7. It does not work on IIS 6.
The steps are pretty simple.
- Open IIS.
- Click Application Pools.
- Right click DefaultAppPool . Choose Advanced Options.
- A big properties dialog will open. On the General Section where the field says Enable 32 bit applications, check true.
This option will only appear if you are using IIS on Vista 64. Of course, performance is much faster running in native 64 bit mode, but this option is here for backward compatibility.
The Enfold Proxy installer enables the allowDoubleEscaping option within IIS 7 with the following Windows command:
appcmd set config /section:system.webServer/Security/requestFiltering -allowDoubleEscaping:True /commit:appHost
By default, IIS cannot process URLs that contain the strings ++ or @@. By enabling allowDoubleEscaping, Enfold Proxy configures IIS to handle such URLs (as some Plone URLs contain these strings).
For more information, see Microsoft's official documentation: http://support.microsoft.com/kb/942076/