.NET Agent Settings for IIS Applications

Configure the .NET Agent settings that are specific to applications running under IIS.

Enable the Agent to monitor IIS application pools

By default, the Agent is not enabled for any IIS application pool. Enable it explicitly for each pool by adding an apppool element with the enabled="true" attribute to the configuration file:

<seeker>
  <iis>
    <apppool name="DefaultAppPool" enabled="true"/>
  </iis>
</seeker>
Note: As of version 2023.12.0, you can perform the same task interactively, as described in Configure .NET Agents Using Seeker IIS Assistant.

Map IIS application pools to Seeker projects

  • If multiple applications run under the same IIS instance, you can map each application pool to a specific Seeker project by setting the pool's project attribute in the configuration file to the relevant project’s key. The following example instructs an Agent to use project1_key for all the applications running under MyAppPool:

    <seeker>
      <iis>
        <apppool name="MyAppPool" enabled="true" project="project1_key"/>
      </iis>
    </seeker>
    Attention: If the SEEKER_PROJECT_KEY environment variable is defined, it takes priority, and this configuration is ignored.
  • You can instruct an Agent to use a certain project as default for all application pools that are not mapped to any specific projects, and report detected vulnerabilities to that project. The following example defines my_project_key as the default project.

    <seeker>
      <iis project="my_project_key">
        <apppool name="MyAppPool" enabled="true"/>
      </iis>
    </seeker>
  • You can map projects to IIS application pools.

    The example below creates the following project mappings:
    • Defines project_def1_key as the default project for all IIS application pools.
    • Maps project1_key to the MyAppPool application pool.
    <seeker>
      <iis project="project_def1_key">
        <apppool name="MyAppPool" enabled="true" project="project1_key"/>
      </iis>
    </seeker>

    As a result, the Agent will use project_def1_key for all IIS application pools but MyAppPool.

Map IIS applications to Seeker projects

In addition to mapping an entire application pool to a Seeker project, you can map each individual application within a pool to a different project. The following example maps each application's virtualPath or physicalPath to the respective project's key.

<seeker>
  <iis>
    <apppool name="MyAppPool" enabled="true" project="project_key">
      <app virtualPath="/app1" project="project1_key"/>
      <app virtualPath="/app2" project="project2_key" projectVersion="2.1"/>
      <app virtualPath="/app3" project="project3_key" customTags="tag1,tag2"/>
      <app physicalPath="c:\inetpub\wwwroot\myapplication1" project="project4_key"/>
      <app physicalPath="c:\myApp" project="project5_key"/> 
    </apppool>
  </iis>
</seeker>
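
To audit where findings will be reported, the mapping rules above can be resolved offline. The following Python sketch is an added example, not Seeker code; the sample config and the app1_key value are constructed, and it assumes that an app-level project wins over the pool-level one and that SEEKER_PROJECT_KEY also overrides app-level mappings.

```python
import xml.etree.ElementTree as ET

# Constructed sample config, modelled on the snippets above.
SAMPLE = r"""
<seeker>
  <iis project="project_def1_key">
    <apppool name="MyAppPool" enabled="true" project="project1_key">
      <app virtualPath="/app1" project="app1_key"/>
      <app virtualPath="/app2"/>
    </apppool>
    <apppool name="OtherPool" enabled="true"/>
    <apppool name="LegacyPool"/>
  </iis>
</seeker>
"""

def effective_projects(config_xml, env=None):
    """Return {(pool, app_path or None): project key} for enabled pools."""
    env = env or {}
    # The environment variable takes priority over the configuration file.
    override = env.get("SEEKER_PROJECT_KEY")
    iis = ET.fromstring(config_xml).find("iis")
    result = {}
    if iis is None:
        return result
    default = iis.get("project")
    for pool in iis.findall("apppool"):
        # Pools are not monitored unless enabled="true" is set explicitly.
        if pool.get("enabled", "false").lower() != "true":
            continue
        name = pool.get("name")
        pool_project = override or pool.get("project") or default
        result[(name, None)] = pool_project
        for app in pool.findall("app"):
            path = app.get("virtualPath") or app.get("physicalPath")
            # Assumption: an app-level project wins over the pool-level one.
            result[(name, path)] = override or app.get("project") or pool_project
    return result

if __name__ == "__main__":
    for key, project in effective_projects(SAMPLE).items():
        print(key, "->", project)
```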

Identify testing environments where Agent is running

To help identify the testing environments in which an Agent is monitoring applications, you can define custom tags. The example below defines the following custom tags:
  • Defines the dev,app tags for all applications attached to the application pool MyAppPool.
  • Defines the dev,test tags for the application /myapplication.
<seeker>
  <iis>
    <apppool name="MyAppPool" customTags="dev,app">
      <app virtualPath="/myapplication" customTags="dev,test" />
      <app virtualPath="/otherapp" />
    </apppool>
  </iis>
</seeker>

Control the loader optimization policy of the Seeker .NET Agents service

The default loader optimization of the Seeker .NET Agents service can potentially cause issues with certain applications, for example, MS SharePoint applications. An application might fail with the exception "Loading this assembly would produce a different grant set from other instances". To avoid these issues, you would need to manually set the COMPLUS_LoaderOptimization system environment variable.

Seeker simplifies this task by enabling automatic setting of this variable via the dotnet-agent.config file.

Add the loaderOptimization attribute to the iis node with one of the following values:

  • Enable: To set the environment variable COMPLUS_LoaderOptimization=1.
  • Disable: To do nothing.
  • Auto: Default, to set the environment variable COMPLUS_LoaderOptimization=1 if SharePoint is installed.
<!-- Auto is the default value for all application pools -->
<seeker>
  <iis loaderOptimization="Auto">
    <!-- Starting from IIS 10, it is possible to set different values for different application pools -->
    <!-- For versions before IIS 10, these settings are ignored -->
    <apppool name="AppPool1" enabled="true" loaderOptimization="Enable" />
    <apppool name="AppPool2" enabled="true" loaderOptimization="Disable" />
    <apppool name="AppPool3" enabled="true" loaderOptimization="Auto" />
    <!-- "Default" means the default behavior defined by the value in the iis node -->
    <apppool name="AppPool4" enabled="true" loaderOptimization="Default" />
  </iis>
</seeker>

Control which IIS processes to monitor

By default, an Agent would monitor all the processes running under IIS. You can define which of the processes to include in or exclude from monitoring.

  • In the processIncludes attribute of an apppool element, define regular expressions to monitor only matching processes in that application pool. Regex values are case-insensitive.
    <seeker>
      <iis>
        <apppool name="defaultappPool" enabled="true" project="myProject" processIncludes=".*w3wp\.exe.*"/>
      </iis>
    </seeker>
  • In the processExcludes attribute of an apppool element, define regular expressions to exclude the matching processes in that application pool from monitoring.

    Note that the processIncludes setting overrides the processExcludes setting.

    <seeker>
      <iis>
        <apppool name="defaultappPool" enabled="true" project="myProject" processExcludes=".*dotnet\.exe.*"/>
      </iis>
    </seeker>
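
Mistakes in these attributes can leave a pool unmonitored or a setting ignored, so it helps to lint the file before deploying it. The following Python sketch is an added example, not a Seeker tool; it covers the loaderOptimization values and the processIncludes/processExcludes rules described above. The sample config is constructed with deliberate mistakes, attribute values are assumed to be case-insensitive, and Python's re module only approximates the regex engine the Agent uses.

```python
import re
import xml.etree.ElementTree as ET

IIS_LOADER = {"enable", "disable", "auto"}
POOL_LOADER = IIS_LOADER | {"default"}  # "Default" is valid on apppool only

# Constructed sample with deliberate mistakes.
SAMPLE = r"""
<seeker>
  <iis loaderOptimization="Auto">
    <apppool name="AppPool1" enabled="true" loaderOptimization="Enabled"/>
    <apppool name="AppPool2" loaderOptimization="Default"/>
    <apppool name="AppPool3" enabled="true"
             processIncludes=".*w3wp\.exe.*" processExcludes=".*dotnet\.exe.*"/>
    <apppool name="AppPool4" enabled="true" processExcludes="(.*dotnet\.exe"/>
  </iis>
</seeker>
"""

def lint(config_xml):
    """Return a list of (pool_name, message) findings."""
    findings = []
    # ET.fromstring raises ParseError on malformed XML, e.g. an unclosed <iis>.
    iis = ET.fromstring(config_xml).find("iis")
    if iis is None:
        return [("<iis>", "no iis element found")]
    lo = iis.get("loaderOptimization")
    if lo is not None and lo.lower() not in IIS_LOADER:
        findings.append(("<iis>", f"unknown loaderOptimization {lo!r}"))
    for pool in iis.findall("apppool"):
        name = pool.get("name", "<unnamed>")
        if pool.get("enabled", "").lower() != "true":
            findings.append((name, "not enabled: pool is not monitored"))
        lo = pool.get("loaderOptimization")
        if lo is not None and lo.lower() not in POOL_LOADER:
            findings.append((name, f"unknown loaderOptimization {lo!r}"))
        if pool.get("processIncludes") and pool.get("processExcludes"):
            findings.append((name, "processIncludes overrides processExcludes"))
        for attr in ("processIncludes", "processExcludes"):
            try:
                re.compile(pool.get(attr) or "", re.IGNORECASE)
            except re.error as exc:
                findings.append((name, f"{attr} is not a valid regex: {exc}"))
    return findings

if __name__ == "__main__":
    for pool, message in lint(SAMPLE):
        print(f"{pool}: {message}")
```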

Configure start and stop timeouts for IIS services

When the Seeker .NET Agents service starts, it restarts IIS services. The serviceStartTimeout and serviceStopTimeout parameters define how long Seeker waits for the IIS services to start and to stop during this restart. Their respective default values are 60 and 120 seconds.

For IIS 7-9, you can adjust these values as follows:

<seeker> 
  <iis serviceStartTimeout="120" serviceStopTimeout="180"/>
</seeker>
Note: On IIS 10, the Seeker .NET Agents service doesn't restart IIS services, so configuring timeouts is not applicable.