ActiveXperts NNTP Server monitoring
ActiveXperts solution to monitor NNTP servers
ActiveXperts Network Monitor can check NNTP news servers by establishing a connection on the remote TCP port (usually port 119) and do a handshake. By handshaking, ActiveXperts Network Monitor can verify that the remote server's NNTP protocol is working well.
[click below to enlarge]
[click below to enlarge]
An NNTP News Server rule takes the following parameters:
- Host - Hostname or IP address of the server to be monitored;
- Port - TCP port number of the NNTP protocol. Default: 119;
- Send command when connected - As soon as connection is established, send a command. By default, no command string will be sent;
- Response must include string - when connected, optionally send a command. Then wait for the response. The default response for NNTP servers includes: '200';
- Timeout - Number of milliseconds before the check will timeout. Usually, a connection to the server will be established within 1 second. However, some slow/busy server need more time. Recommended value is 7000 milliseconds.
NNTP and IIS
Overview of NNTP
You can think of a newsgroup as an e-mail mailbox that is accessible to everyone. A newsgroup usually has a theme or typical topic of discussion. For example, an intranet NNTP server might host newsgroups relating to the company 401K plan or for debate over a proposed sales strategy. "Articles" are "posted" in much the same way that e-mail messages are sent to a person’s mailbox. Just as you can reply to an e-mail message, you can post a reply to an article or an earlier posting, and others can post replies to your reply. Everyone can read all articles and send replies to any of them.
IIS includes the NNTP Service for use on the Internet or a local area network (LAN). Because newsgroups can be secured using SSL encryption and NTFS permissions, you can create private newsgroups for employees, suppliers, customers, or specific groups within an organization.
NNTP installs as an optional subcomponent of IIS. Its hardware and software requirements are identical to those of IIS.
Two sets of folders are created when you install the NNTP Service. By default, both install in the d:\inetpub folder. One, the News folder, contains the files for NNTP’s HTML Internet Service Manager pages and HTML documentation. The other, the Nntpfile folder, contains subdirectories and files used in the maintenance of the NNTP Service and the newsgroups hosted on the server. The newsgroups themselves are stored as subfolders of the Nntpfile\root folder. For example, a newsgroup named alt.support.unix would be stored as d:\inetpub\nntpfile\root\alt\support\unix, with the articles themselves stored in the final folder with a .nws extension.
Controlling and Monitoring the NNTP service
You can stop, start, pause, and resume the NNTP Service with either the Services applet in Control Panel or the Rebar in Internet Service Manager. You can achieve the same results from the command line by typing one of the following:
net stop nntpsvc net start nntpsvc net pause nntpsvc net continue nntpsvc
Once paused, the NNTP Service continues to transmit news articles over connections established before the service was paused, but no new connections can be made. If stopped, the NNTP Service immediately terminates all connections.
All events that the NNTP Service generates are recorded in the System Log of the Event Viewer. In addition, counters for the NNTP Service are added to Performance Monitor.
You must be a member of the local Administrators group on the IIS server to manage the NNTP Service. Use either the Internet Service Manager snap-in or the HTML Internet Service Manager pages to configure the NNTP Service.
There are no server-level Master dialog boxes for the NNTP Service. Furthermore, there can be only one NNTP site per server, and you cannot delete this site without uninstalling the NNTP Service. You cannot create additional NNTP sites, but you can create multiple newsgroups.
The Default NNTP Site has three container objects beneath it in the Scope pane. Expiration Policies determine when newsgroup articles should be deleted automatically. The Directories container shows virtual directories for the NNTP Service. The Current Sessions container shows remote NNTP clients and servers that are engaged in uploading or downloading articles.
To create a new newsgroup, go to the Default NNTP Site dialog box and select the Groups tab. Click the "Create new newsgroup" button. In this dialog box, you specify:
- Newsgroup. In this box, type the name of the newsgroup as you want it to appear to clients who download and subscribe to it (e.g., alt.support.unix).
- Description. In this box, type an optional description of the nature of the discussions or information that can be found in this group.
- Newsgroup prettyname. In this box, type an optional alternative name for the group. The prettyname is intended to be a more user-friendly name (e.g., "Support for Post-Unix Shock Syndrome" instead of "alt.support.unix"). However, not all client newsreaders can display the prettyname.
- Read only. Enabling this checkbox prevents anyone except the NNTP administrator or moderator from posting to the newsgroup.
We discuss the moderator options under "NNTP Security" later in this module. A moderator is an editor who must approve all articles before they can appear in the newsgroup.
When a client newsreader posts articles to a newsgroup, we often assume these articles are stored on a local drive of the NNTP server. However, the physical location of articles for newsgroups can be changed from the default d:\inetpub\nntpfile\root\newsgroupname. The user does not actually see anything that resembles a directory in his/her newsreader application. Nor does the administrator of the NNTP server work with URLs or path names that must be redirected to other locations (as with the Web and FTP services). An NNTP virtual directory is considered merely an alternative storage location for a newsgroup’s articles.
You can store a newsgroup’s articles in any folder on a local drive or in a shared folder on a remote drive with a UNC path name. When storing to a shared folder, you can specify the domain/user name and password for the account used to access this folder.
A virtual directory can contain the articles for a single newsgroup or for an entire category of newsgroups. For example, a virtual directory for the group alt.support.unix will contain just it’s own group’s messages. But if you create a new group named alt.support.unix.superuser, the NNTP Service automatically creates a subfolder named Superuser in the virtual directory, and that group’s articles will be stored there. If desired, you can create a virtual folder for a general category of groups (e.g., alt.*), and any new group falling under this category will have the appropriate subdirectories created for it under its virtual directory (e.g., alt.discussion. botany.carnivorous).
There are three benefits of using virtual directories. Because the articles for newsgroups can be spread across multiple drives, I/O performance should increase. Second, if storage space is running low, you can add additional space by installing a new drive or using a shared folder on a network drive. Third, you can easily move newsgroups and their articles from one location to another by redefining the virtual directory location.
To create a virtual directory,
- Right-click the Directories container under the Default NNTP Site.
- Click New, then choose Virtual Directory. The Virtual Directory Wizard appears, prompting for the name of the newsgroup or newsgroup category (e.g., alt.*) whose articles require a new location.
- Type a name (the asterisk is not necessary) and click Next.
- The wizard prompts for a new location for the article files. Click Browse to choose a local hard drive path or shared folder. If you choose a shared folder, the wizard prompts for a user name and password to use when connecting to it.
Once created, a virtual directory has an object representing it in the Directories container. Select the Directories container in the Scope pane, and the Results pane displays all virtual directories as yellow folders. If you right-click a folder object and choose Properties, you see the Virtual Directory tab (see Figure 10.3). We discuss the options on the Virtual Directory tab below.
With the Allow Posting box, you can specify whether to let clients post new articles to newsgroups. You can configure this setting at the Default NNTP Site level as the default for all newsgroups but you can change this default for individual newsgroups. Check the "Allow posting" box to control posting to just this one newsgroup.
Restrict Newsgroup Visibility
This option restricts the listing of newsgroups for clients that do not have read access to some of the available newsgroups. See "NNTP Security," below, for more information about this feature.
You can enable or disable logging of NNTP activity for all newsgroups by modifying this option at the Default NNTP Site level. However, you can change this default setting for an individual newsgroup by setting the "Log access" option for just this newsgroup. Note that you can use this box only to disable logging when the default for logging has already been turned on with the "Enable logging" check box in the News Site dialog box. It is not possible to enable logging for a single newsgroup when logging is turned off for all other newsgroups at the Default NNTP Site level. Therefore, if you would like to enable logging for a single Virtual Directory, you have to enable logging for the entire NNTP site, then selectively disable it for the virtual directories you don’t want logged.
Index News Content
You can enable or disable indexing of newsgroup articles for all newsgroups by modifying this option at the Default NNTP Site level. However, you can change this option for a single newsgroup by setting the option here for just this newsgroup. You can use this option to turn on indexing of one group even if the default at the site level is to disable it.
With this option, you can control whether encryption is used when uploading and downloading articles. We discuss the secure communications option under "NNTP Security" later in this module.
Popular newsgroups can receive hundreds of articles a day, and a single NNTP server can host thousands of newsgroups. If you don’t limit the number of stored newsgroup articles, the NNTP server will run out of hard drive space. Without free space, you cannot upload new articles, and, if you’ve configured your server with a single partition for the operating system and all data (not recommended), the computer can crash.
You can control the amount of hard-drive space used by newsgroup articles by implementing Expiration Policies, which automatically delete articles when articles reach a specified age or when the total hard-drive space used exceeds a specified limit (or a combination of both). Expiration Policies can be set to limit all newsgroups, a category of newsgroups, or even individual newsgroups.
You have several options for enforcing security on a Microsoft NNTP server, including options for authentication, encryption, restricting who can post and read articles, and whether remote NNTP servers can download newsgroups.
Restricting Access to Newsgroups
To prevent a user or group from accessing a newsgroup, assign NTFS permissions to the folders containing the newsgroup articles. By default, these are in Inetpub\nntpfile \root\newsgroupname. You can also secure virtual directories if they are located on a NTFS volume.
Restricting Newsgroup Visibility
Before a user can read the articles in a newsgroup, the user’s newsreader program must download and display a list of the newsgroups hosted on the NNTP server. If the newsgroup folders on the server have NTFS permissions that deny read access to a user or group, you can set an option so this user or group will not even be able to see the newsgroup in the list of available newsgroups.
To set this option for all newsgroups (except those in virtual directories), go to the Default NNTP Site dialog box, select the Home Directory tab, and check the "Restrict Newsgroup Visibility" box. To set this option for a newsgroup stored in a virtual directory, go to the properties of that virtual directory and check the same box.
By default, a client can post articles directly to a newsgroup. In a moderated newsgroup, on the other hand, clients cannot post directly; instead, all articles sent to the newsgroup are converted into e-mail messages and forwarded to a moderator who must approve them. A moderator might exclude articles that contain offensive content, inaccurate information, or company secrets.
You can encrypt articles you post or retrieve from the NNTP server. After you install a Server Certificate using the Key Manager utility, the SSL protocol scrambles data flowing between client and server using a 40-bit encryption key (or an optional 128-bit encryption key in the U.S. and Canada). You can enable encryption for all newsgroups with virtual directories or for all newsgroups without virtual directories.
You can also use SSL for client authentication. The NNTP Service uses the Anonymous, Basic, and Windows NT Challenge/Response authentication methods in the same way the Web, FTP, and SMTP Services do. To set the authentication options, go to the Default NNTP Site dialog box and select the Directory Security tab. Next, click the Edit button under "Password Authentication Method." You can also enhance authentication using SSL. If a digital certificate is installed on a client’s newsreader, you can use Public Key encryption to verify the identity of the client and ensure that no spoofing or impersonation is occurring. You can also require this SSL verification of the client’s identity.
If a client’s identity is authenticated through SSL, that client’s certificate can be used as a passkey to automatically log the user on with a valid NT user account. Check the box for "Client certificate mapping to Windows NT user accounts" to match the client’s digital certificate to an NT user account. Once the user is "mapped" to a user account, all actions the user makes on the NNTP server are done under the security context of that user account. Hence, special NTFS file permissions and auditing can be enforced for a single user.
IP Address Restrictions
You can control access to the NNTP Service based on a client’s IP address. To enable this, go to the Default NNTP Site, select the Directory Security tab, and click Edit under "IP Address and Domain Name Restrictions." Choose either to accept or deny access by default, and then make exceptions as you would for the Web or FTP services.
Newsreader clients and other NNTP servers can send commands to create and delete newsgroups on the local NNTP server, or to cancel previously posted articles. To permit such commands to be executed automatically, go to the Default NNTP Site dialog box, select the NNTP Settings tab, and check the "Allow control messages" box.
Allow News Servers to Pull Articles from This News Server
Remote NNTP servers can download local newsgroups and their articles, then publish them. To permit remote NNTP servers to do this, go to the Default NNTP Site dialog box, select the NNTP Settings tab, and check the “Allow News servers to pull articles from this News server” box.
A unique addition to the NNTP Service available with the Windows NT Option Pack is the ability to use Index Server to create a searchable database of all keywords found in news articles. Index Server includes a Web page interface for conducting searches of the articles database.
To enable indexing of newsgroup articles, go to the Default NNTP Site dialog box, choose the Home Directory tab, and check the “Index news content” box. The Index Server will scan regularly newsgroup articles stored in the Inetpub\nntpfile\root folder (the default location). However, if you want indexing of virtual directories as well, you must modify each virtual directory individually to start its indexing. To include a virtual directory in the indexing process, go to the dialog box for the desired virtual directory object in the Directories container. In the dialog box, check the “Index news content” box.
Like most network services, the NNTP Service benefits from upgraded hardware, increased network bandwidth, and the relocation of other services to different machines. Because articles are stored as individual files, and because access to them may be nearly random, the NNTP Service is especially sensitive to the performance of the disk subsystem. One way to increase disk efficiency is to install multiple local hard drives (preferably UltraWide SCSI) and spread the most popular newsgroups across the drives.
Use the following settings to optimize NNTP performance:
- Avoid the use of SSL encryption or client authentication.
- Disable logging, or log only to text files (not to an ODBC database).
- Do not restrict remote users’ access based on their DNS domain names.
- Do not require Basic or Challenge/Response Authentication.
- Do not Restrict Newsgroup Visibility.
A number of files keep track of newsgroups and their articles. These files can become corrupt; you can ensure proper functioning of the NNTP Service by “rebuilding” the NNTP server periodically — a procedure similar to Scandisk, but for NNTP control files. Use this procedure when you encounter errors accessing articles, after deleting a large number of articles, or after restoring the NNTP newsgroups from tape.
To rebuild the NNTP server,
- Stop the NNTP Service from the Internet Service Manager snap-in or from the Services applet in Control Panel.
- Right-click the Default NNTP Site object and select Task.
- Choose Rebuild Server. In the dialog box that appears, choose the desired level of rebuilding: Standard, Medium, or Thorough. The higher the level, the more aggressive and complete the scanning and rewriting of the files, and the longer the NNTP server will be off-line.