KBA-01567: Using an IIS Farm


How do I set up an IIS farm?


You need a farm load balancer and 2 or more IIS systems.

Load Balancer

  • Recommended: VA-R20 from loadbalancer.org configured for layer-4 with persistence.  (See screenshots at bottom)
  • Microsoft ARR add-in for IIS

Other load balancers should also work well: be sure the balancer supports server/session affinity.


In order to provide best performance, a client session should stick with the same server. The concept is that if a user is active and clicks a response/post back within, say 30 seconds, then their request should be serviced by the same server.

For layer 7 balanced HTTP applications, affinity is accomplished by using a cookie. Use ARRAffinity as the affinity cookie name. Microsoft ARR will preserve affinity based on that cookie until all browsers are closed. Other farm providers expire the cookie (and affinity) if the client remains idle for longer than a configured interval, in which case affinity should last at least as long as the VSPD in-memory cache time.  We recommend as long as possible: a minimum of 5 minutes and perhaps up to 8 hours. Affinity is always overruled if the assigned server node goes down.

When a user logs out of sfPMS, the affinity cookie is always expired. This allows a new server to be assigned.

For HAPROXY, your backend cookie directive might look like this:

cookie ARRAffinity insert indirect nocache preserve maxidle 9h maxlife 14h #cookie persistence

  • Critical: use ARRAffinity as the cookie name!
  • Recommended: Add the preserve keyword to allow sfPMS to release affinity upon logoff.
  • Optional: The maxidle and maxlife options reset affinity if someone has left the browser open and idle.

Layer-4 Load balancer may call the concept persistence.  Layer-4 does not use a cookie, the load balancer does it all.  But session persistence is required!

Shared Resources

All farm members will share:

  • ASPNET_StateServer—This allows all farm members to share session state information. sfPMS makes very light use of asp.net state, but the session ID must be common across all servers.  Designate one system to run the aspnet_state service, open the port in its firewall, and enable external traffic in the registry.   In ICTool, specify the common IP address or system name on the member lines.
  • Decryption Keys—ICtool publishes the asp-net decryption keys in web.config and makes them the same on all farm member servers.  Only sfPMS uses these keys; ‘maching.config‘ is not affected.
  • ATC—Generally, one system runs ATC.  All member servers will talk to the single ATC and ATC will direct all its requests to a single member server. If that member server is also part of the load balancer, give it a lower distribution because ATC often accounts for 10% of total load!  It ATC is given its own IIS server that is not part of the load balanced set, then give that virtual server lower resource priority.  ATC is more patient than an average user.
  • Application Pool Active Directory Credentials—All the IIS servers application pools should be assigned a common set of domain credentials. These are used to access file shares.  Host the file shares on a file server, a SAN, or the load balancer.
    • VSPD folder—View State and Page Data State files. These files are often 1-2mb in size and exist per page.  They are pruned automatically.  The common location allows affinity to lapse.
    • FSPD folder—This holds license and session state files. These are smaller (<100KB each) and generally one per concurrent session.  A single folder can be used for both VSPD and FSPD, but two folders makes certain operations more efficient.

Farm members each need the same exact IIS layout.

Set up the rolls and features on one image, and save the configuration to an XML file. Then use Power Shell to push the configuration to the other members.

  • Install-WindowsFeature –ConfigurationFilePath C:SpitfireFarmMemberDeploymentConfigTemplate.xml -ComputerName servername

You then want to create the sites in exactly the same layout because ICTool wants the site number on each server to be the same.  They each should have the same folder structure in c:spitfire.  Think identical images!

Health Check

Your farm manager likely supports a URL for a server health check.  We recommend GET sfPMS/sfSiteHealth.ashx?brief=1 and checking for “Site Running” in the response.

For example, the default HAPROXY health check works by verifying how IIS responds. You can use a more robust check in the “backend” section of the webfarm config. Use the following, replacing sfpms with your IIS application name for the site:

default-server inter 9s rise 2 fall 3 # increased interval
option httpchk GET /sfpms/sfSiteHealth.ashx?brief=1 #
http-check expect string Site Running #

Roles and Backups

Once you have the farm deployed and running, you will want to keep an image backups of the following roles.  Some may have been combined. There is no need for regularly/daily backups of these servers. They can be redeployed from their spare images if damaged.

  • The ARR server
  • The ICTool server  (often combined with ARR or ATC)
  • The ATC server
  • The SSRS server
  • The member server.  Ideally, this image is generalized (SYSPREPed) to allow use for easily creating additional members for additional farm capacity.  See http://technet.microsoft.com/en-us/library/cc721940(v=ws.10).aspx or search for using sysprep to clone a server.  VMware templates may have different perperation procedures.


  • Each member server should have 4 cores and 16GB of RAM.  If using dynamic RAM, use 10GB of startup RAM and a dynamic range of 8GB to 16GB.
  • The ATC node can have 2 cores and 12-16GB or RAM.

LoadBalancer.org Example

Thanks to one of our clients to providing these screen shots.  There are lots of decisions to make, and your IP addresses will certainly vary!

Modify Virtual Service

Be sure to

  • enable Persistence.  Timeout of 300 is reasonable; minimum would be 2 times “PDS Seconds” specified in ICTool, which would typically be 2*25=50.  Note that this value is ignored if a node goes down.
  • configure a health check!
    • Request to Send: use /sfPMS/sfSiteHealth.ashx?brief=1 Includes a leading slash.
    • Response Expected: If you leave the field blank, health is assumed if any 200 response is received.
    • Virtual Host: If your IIS nodes serve multiple hostnames, include the relevant one for this service in the Virtual Host field (empty below)

virtual service setup

Modify Real Server

“Real Server” listing is fairly simple – just the name and IP address.  Play with weights as you wish.  It is critical to “solve the ARP problem” as described in LoadBalancer.org’s IIS Deployment Guide

real server setup

KBA-01567; Last updated: December 11, 2023 at 12:49 pm
Keywords:  ARR