

MIND

This article assumes you're familiar with Windows 2000
Host a Discussion Forum with the Windows 2000 NNTP Service
Davide Marcato

If you've ever used a newsgroup, you've used NNTP. Now Windows 2000 makes this functionality easy to implement and serve up from your site.

To the average Internet user, the Network News Transfer Protocol (NNTP) is synonymous with Usenet, a network of newsgroups dedicated to the discussion of every imaginable subject you can think of, and one of the most valuable resources on the Internet today.
      To the Internet techie though, NNTP is a standard Internet protocol defined by RFC 977 (http://info.internet.isi.edu/in-notes/rfc/files/rfc977.txt) that makes all this discussion possible, dictating the interactions between a client's news-reading software and the NNTP server that hosts the groups. By building on NNTP technology, you can exploit this same power to provide a valuable service to your customers.
      Suppose you run a software development company that sells products to a vast market. You offer technical support to your customers, typically via phone and e-mail. Wouldn't it be nice if you could set up a server to host discussion forums where your customers can post questions, answer other customers' inquiries, and share information?
      The Microsoft® NNTP service built into Microsoft Windows® 2000 Server offers all the power of Usenet newsgroups in a highly customizable way. In this article I will show you how to set up an NNTP server in Windows 2000 and create your own newsgroups. I'll begin with a discussion of what a news server is and how it's structured.

The News Server
      The news server acts as the central host for discussion forums, also called newsgroups. Although newsgroups are independent of each other, their names follow a hierarchical structure. For example, on Usenet you'll find the C++ discussion group comp.lang.c++, which is part of the subtree comp.lang (computing languages), which itself is part of the comp tree (computing). There is no significance in the hierarchy of a group; it just simplifies the organization of the topic areas and aids in the administration process, as I'll discuss later.
      The typical client connects to the news server on TCP port 119, retrieves the new messages (often called postings or articles), and sends any new posts written by the user. Direct posting is not always permitted, however. The postmaster, or administrator of the news server, may make some or all of the newsgroups read-only, in which case clients cannot post to them at all, or moderated, in which case new articles do not reach the group directly but are forwarded to the group's moderator, who accepts or rejects each one individually.
      Access to the news server can be open to everyone or require user authentication. The NNTP service in Windows 2000 supports fine-grained security policies and can run multiple independent virtual servers, each bound to its own IP address and port, on a single properly configured machine.

Installing NNTP
      The installation of the Windows 2000 NNTP service is quick and straightforward. Since NNTP is part of Microsoft Internet Information Services (IIS) 5.0, you can add it to your machine during installation of the operating system or at a later time. If you are installing NNTP after installing Windows 2000, open the Control Panel, run Add/Remove Programs and click on the Add/Remove Windows Components button on the left side of the dialog box. In the Windows Components Wizard, select the IIS item and click on the Details button. A new dialog box will appear listing all the services in IIS, including the NNTP Service. Enable the corresponding checkbox and the wizard will copy the necessary files and create the registry keys.
      Like Web and SMTP services, which I covered in the December 1999 issue of MIND, the NNTP service can be managed through a Microsoft Management Console (MMC) snap-in inside the Internet Services Manager window, reachable via the Start button (Programs | Administrative Tools).

The MMC Interface
       Figure 1 shows the snap-in immediately after installation. There is one default virtual server defined for you in advance. This virtual server listens for all connections on TCP port 119 on the local machine and lets everyone in to read and post articles at will. The child element in the MMC hierarchy, labeled Expiration Policies, contains groups of rules governing when articles should be purged if you don't want posts to stay on your server forever. New expiration policies can be created by following the instructions of the wizard when you right-click on the appropriate context menu item. An expiration policy may apply to all the newsgroups carried by a virtual server or to just a selected subset.

Figure 1: The NNTP Service MMC Snap-in

      The second item in the MMC hierarchy, Virtual Directories, lists the directories where the archives of articles are stored. Bear in mind that the names of the discussion forums are organized hierarchically. Every newsgroup tree or subtree can be associated with a physical directory on the server's hard disks. How the file hierarchy is arranged is up to the administrator.
      The last item in the MMC hierarchy, Current Sessions, provides the administrator with a snapshot of the clients connected to the server at any point in time, displaying their user name if it's known (or an anonymous face if it isn't), the source IP address, and the time the connection was established. In case of an emergency you can interrupt all active sessions at once by selecting the Terminate All context menu item, or selectively cut off certain clients by selecting the Terminate menu item.

The Virtual Server
      If you right-click on the name of the default virtual server and follow the New submenu, you can add a new virtual server, a new virtual directory, or a new expiration policy. What is a virtual server in this context? It's an NNTP server that listens on a specific TCP port of a specific IP address and manages its business according to the parameters set by the administrator. Does it make sense to have more than one virtual server on a single machine? Yes, it does, although you will probably find yourself using only one server most of the time. If you associate your computer's network card with more than a single IP address (which is perfectly legal), or if you want differently configured versions of the NNTP service listening on different TCP ports (for example, one freely accessible and one for authorized users only), managing multiple virtual servers will help you meet your needs. Each virtual server will appear to the client as an entirely distinct service. If, on the other hand, all you need is to run a regular standard-port news server, you will not need this option.
      Once it's set up, you can do something practical with your news server. Creating a secondary NNTP virtual server is a rare requirement, so I won't go down that path. Instead, I will configure the default server to fit my needs, which consist of hosting two hierarchies of discussion groups and configuring the software to allow users to read and post articles on them.
      While the virtual NNTP server is technically up and running on port 119, it has not yet been fully configured. To do so, right-click on the server's name in the left pane of the MMC snap-in and select the Properties page.

Figure 2: General Settings

      The first tab, General, presents you with some general working parameters, as shown in Figure 2. The Description field simply contains the name displayed in the MMC snap-in to identify that specific virtual server, and carries no particular relevance outside this environment. Feel free to change it to any name you prefer; in this case, replace the default name with "MIND Samples NNTP Server."
      The Path header field influences how the local machine is identified in the header of each article posted through the server. In this case, the host is news.company.com in the DNS, so you should use that path header for consistency. (What the prerelease documentation neglects to say is that the string you put in this field also influences the important Xref: header.) Once you have modified this content, you must stop and restart the service for the changes to take effect.
      The IP address field, as I explained earlier, specifies which addresses this virtual server will respond to, with All Unassigned catching all those that are not handled by others. Clicking on the Advanced button opens a dialog box in which you can give the current server more than one identity. Notice that you can have the same virtual server answering on different ports simply by adding entries to this list. The TCP and SSL (Secure Sockets Layer) port fields control which port numbers are used for clear-text and SSL-encrypted sessions respectively. If you change either of these (especially the TCP port), your users will also have to configure their clients for the nonstandard port number. For the convenience of your users, stick to the default ports, 119 for clear text and 563 for SSL.

Limiting Connections
      The Connections group of fields on the General properties tab specifies the workload limitations that will be imposed on the virtual server to avoid congestion. The number of maximum simultaneous connections can be unlimited or set to a specific threshold. Allowing unlimited connections can be hazardous, as NNTP connections rapidly starve the machine of resources due to the constant disk access and data transfer involved in every connection. The default value of 5000 connections is only reasonable when a well-equipped computer (or group of computers) is behind it. For this example, reduce the value to a large, but more manageable setting of 1000 connections.
      The Connection timeout field sets the number of seconds of inactivity after which the server will close a client session. The default value of 600 seconds (10 minutes) is a reasonable value to use.

Logs
      The last group of options on the General properties tab controls logging. As the administrator, you can request logs of every operation performed by the server, tailoring the output to the level of detail you find adequate. Even the format of the log files is configurable. You can choose from among several standard Internet logging formats, such as:

  • W3C Extended Log file format
  • Microsoft IIS Log file format
  • NCSA Common Log file format
  • Database on registered ODBC data source
      The ODBC option produces logs that are easy to query with standard database tools, but it costs performance, because inserting a record into a database is slower than appending a line to a text file. Run some tests before you decide which format to use. If you do take the ODBC route, put a scalable and reliable DBMS such as SQL Server behind it. For the best raw performance you could turn logging off altogether, but then you have no record of what the service did. That is a poor trade unless the news service is only a minor adjunct to your site: the log is the only evidence you will have when you need to trace a forged post, a password-guessing client or an abusive poster back to a source address and a time. If logs matter to your setup, accept the slowdown.
      For this test I chose the W3C Extended Log format. By clicking the Properties button you are presented with a dialog box that lets you customize the exact items that will be recorded in your log files, how often log files are generated, and the location where they are saved on the disk. For this example, the default setting of a daily log placed in System32\LogFiles works just fine.
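      As an added example (my code, not part of the original article or of the NNTP service), here is how you might read those W3C Extended Log files afterwards. The parser is driven by the #Fields directive, which is how the format is defined, so it adapts to whatever fields you selected in the Properties dialog. The log lines themselves are constructed for illustration, and the way the NNTP service records AUTHINFO commands and their reply codes in cs-method, cs-uri-stem and sc-status is an assumption; the reply codes 381, 281 and 481 are NNTP's own. The detection rule flags any client address that collects three or more 481 (authentication rejected) replies, the simplest sign of password guessing against Basic authentication.

```python
"""Added example: parse a W3C Extended Log excerpt and flag clients that
fail NNTP authentication repeatedly. Not code from the original article.
SAMPLE_LOG is constructed; which fields the NNTP service writes and how it
represents AUTHINFO commands (cs-method / cs-uri-stem) are assumptions.
Reply codes 381 / 281 / 481 are NNTP's own (RFC 4643)."""
from collections import Counter

SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 5.0
#Version: 1.0
#Date: 2000-01-14 08:00:00
#Fields: date time c-ip cs-username cs-method cs-uri-stem sc-status
2000-01-14 08:00:01 10.0.0.7 - authinfo user+alice 381
2000-01-14 08:00:01 10.0.0.7 - authinfo pass 481
2000-01-14 08:00:02 10.0.0.7 - authinfo user+alice 381
2000-01-14 08:00:02 10.0.0.7 - authinfo pass 481
2000-01-14 08:00:03 10.0.0.7 - authinfo user+admin 381
2000-01-14 08:00:03 10.0.0.7 - authinfo pass 481
2000-01-14 08:00:09 192.168.1.20 - authinfo user+bob 381
2000-01-14 08:00:09 192.168.1.20 bob authinfo pass 281
2000-01-14 08:00:10 192.168.1.20 bob group win2000.iis.nntp 211
"""


def parse_w3c(text):
    """Yield one dict per data line, keyed by the names in the #Fields
    directive. Directive lines start with '#'; values are space separated,
    '-' marks an empty value and IIS writes '+' for a space inside a value."""
    fields = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue
        if fields is None:
            raise ValueError("data line before #Fields directive")
        values = line.split(" ")
        if len(values) != len(fields):
            raise ValueError("field count mismatch: %r" % line)
        yield {k: (None if v == "-" else v.replace("+", " "))
               for k, v in zip(fields, values)}


def auth_failures_by_client(text, threshold=3):
    """Map client IP -> number of rejected AUTHINFO attempts (reply 481),
    keeping only clients at or above the threshold."""
    failures = Counter()
    for rec in parse_w3c(text):
        if (rec["cs-method"] or "").lower() == "authinfo" and rec["sc-status"] == "481":
            failures[rec["c-ip"]] += 1
    return {ip: n for ip, n in failures.items() if n >= threshold}


def usernames_tried(text, client_ip):
    """Which user names a given client presented (AUTHINFO USER lines)."""
    names = set()
    for rec in parse_w3c(text):
        if rec["c-ip"] == client_ip and (rec["cs-method"] or "").lower() == "authinfo":
            stem = rec["cs-uri-stem"] or ""
            if stem.lower().startswith("user "):
                names.add(stem[5:])
    return names


if __name__ == "__main__":
    for ip, n in auth_failures_by_client(SAMPLE_LOG).items():
        print("%s: %d failed logins, names tried: %s"
              % (ip, n, sorted(usernames_tried(SAMPLE_LOG, ip))))
```

      The same parser works on the daily files in System32\LogFiles once you point it at their contents; the only thing to watch is that a new #Fields line can appear mid-file after you change the selected fields, which is why the parser re-reads it wherever it occurs.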

NNTP Settings
      The second tab is labeled NNTP Settings, as you can see in Figure 3. Here you may choose to set up a news server with read-only access, denying users the ability to post articles. In this case, uncheck the "Allow client posting" box. Otherwise, if you want to allow posting, check that box and define the maximum size of any post in kilobytes (the default maximum is 1000KB, including attachments). Here you can also choose the maximum size of any session, defined as the total number of bytes sent in a single session. The way NNTP enforces the session limit is different from the way it enforces the post limit. If the user attempts a single post larger than the post limit, the server will simply return an error and discard the data that has been sent. On the other hand, if a user attempts a post that is larger than the maximum session limit, the server will actually disconnect the user when the limit is reached to keep him from overflowing the disk. Therefore, you should set the maximum session size to be larger than the maximum post size, but smaller than the amount of disk space you want set aside for NNTP, again to keep a user from using all the NNTP disk space. In this sample I'm not accepting attachments to messages, so I can limit the post size to approximately 30KB.
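      To make the difference between the two limits concrete, here is an added example (my code, not the article's and not the product's own implementation) of a server-side POST handler that applies them the way the text describes: an article over the post limit is drained to its terminator and rejected with a 441 reply, with nothing of it kept, while the session counter is checked on every line and the connection is torn down the moment it passes the session cap. The 340, 240, 441 and 400 reply codes are NNTP's own; the Session class, its limit values and the sample articles are assumptions for illustration.

```python
"""Added example, not from the original article: applying the per-post and
per-session byte limits of the NNTP Settings tab in a POST handler.
Session, SessionClosed and the limit values are assumptions for illustration;
the reply codes are NNTP's (340 send article, 240 received, 441 posting
failed, 400 service discontinued)."""


class SessionClosed(Exception):
    """Raised when the server drops the connection (session cap reached)."""


class Session:
    def __init__(self, max_post_bytes, max_session_bytes):
        self.max_post_bytes = max_post_bytes
        self.max_session_bytes = max_session_bytes
        self.bytes_received = 0     # total bytes this client has sent so far
        self.stored = []            # articles accepted into the archive
        self.replies = []           # replies the server sent, for inspection


def receive_post(session, lines):
    """Handle the article the client sends after POST. `lines` are the wire
    lines without CRLF, ending with the lone '.' terminator. Returns the
    numeric reply code, or raises SessionClosed."""
    session.replies.append("340 send article to be posted")
    body, post_bytes, too_big = [], 0, False
    for line in lines:
        if line == ".":
            break                                   # end of article
        if line.startswith(".."):
            line = line[1:]                         # undo dot-stuffing
        n = len(line.encode("utf-8")) + 2           # +2 for CRLF on the wire
        session.bytes_received += n
        if session.bytes_received > session.max_session_bytes:
            # Session cap: stop reading and disconnect, so one client cannot
            # keep filling the disk with a single enormous post.
            session.replies.append("400 session byte limit reached, closing")
            raise SessionClosed("disconnected after %d bytes" % session.bytes_received)
        post_bytes += n
        if post_bytes > session.max_post_bytes:
            # Post cap: forget what was buffered but keep draining lines up to
            # the terminator, otherwise the rest of the article would be read
            # as commands. Nothing of the article is stored.
            too_big = True
            body = []
        elif not too_big:
            body.append(line)
    if too_big:
        session.replies.append("441 posting failed: article exceeds post size limit")
        return 441
    session.stored.append("\r\n".join(body))
    session.replies.append("240 article received OK")
    return 240


if __name__ == "__main__":
    s = Session(max_post_bytes=100, max_session_bytes=1000)
    print(receive_post(s, ["Subject: hi", "", "hello", "."]), s.replies[-1])
    print(receive_post(s, ["Subject: big", "", "x" * 200, "."]), s.replies[-1])
```

      The ordering of the two checks matters: the session counter is incremented before the post check, so an oversized post still counts against the session even though it is discarded, which is what prevents a client from retrying the same huge article indefinitely within one connection.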

Figure 3: NNTP Settings

      The next two checkboxes toggle advanced features on and off. The first controls whether peer news servers are permitted to log into your server and pull articles, so they can mirror your contents and offer it to their users. This mechanism is used by Microsoft with their public msnews.microsoft.com news server, which is mirrored (partially or totally) by many other NNTP hosts worldwide, thereby reducing the load of the main server. For a corporate server you will probably want to turn this switch off, as I did in this sample.
      The second checkbox governs control messages. A control message is a special type of posting that doesn't show up in a group as a regular article, but instead requests a particular service of the news server. The most common control message is the Cancel message, through which the author of a posting requests that an article of his be deleted from the archive immediately. Bear in mind that the protocol does not authenticate control messages: a cancel is honored on the strength of the headers it carries, so anyone who can post can attempt to cancel someone else's article. On a server that accepts anonymous posting, weigh that against the convenience. For a fully operational news server, leave this option enabled.

The Moderator
      The NNTP Settings tab in the Properties dialog also has a field in which you select the SMTP server used to send postings directed to a moderated group. As you'll see later on, when you create a moderated group you must also provide the e-mail address of the moderator, who approves or rejects each post sent to her. If no moderator e-mail address is associated with a newsgroup, the postings are forwarded to the default moderator, whose address is built from the group name in the form name.of.the.group@domain.com. The administrator's e-mail account is used when the server cannot deliver a message to a moderator. Here, I set it to postmaster@company.com. Notice that you have to turn on this functionality manually in the registry (see the Windows 2000 NNTP documentation for the exact steps).

Adding Discussion Groups
      Under the Groups tab you'll find all the discussion groups hosted by the server, as shown in Figure 4.

Figure 4: Creating Newsgroups

For this sample, I'm adding seven new groups, distributed under two subtrees, win2000.iis and win2000.general. If you select a newsgroup and click on the Edit button, you'll see the dialog in Figure 5. For each group you can choose the name, decide if it is moderated (by a specified moderator or by the default moderator), enter its description, and set its read/write or read-only property. The Display Name field provides a more reader-friendly name that some newsreaders can show in place of the official group name. This field supports Unicode strings, which makes it useful for wide-character languages such as Chinese. If you don't plan to support East Asian languages, leave the box empty.
Figure 5: Newsgroup Properties

Security Accounts
      Items under the Security Accounts tab control who may modify the configuration of the virtual server and which Windows account anonymous clients run as when they connect to the NNTP server (see Figure 6). For the latter you provide a user name and password that are valid in the Windows domain; every anonymous reader then acts with that account's rights, so give it only what anonymous users should have, typically read (and, where posting is allowed, write) permission on the newsgroup directories and nothing beyond that.
Figure 6: Security Accounts

      The listbox in the lower half of the dialog lists the security principals who may modify the settings of this virtual NNTP server. Users are identified by the Windows NT® domain name followed by the account name. As you have probably realized by now, all of these configuration options apply at the virtual server level, not machine-wide, so you can grant some users the right to configure a secondary virtual server while keeping them away from the settings of the default news server. By default the members of the Administrators group are the server operators, which is reasonable for small to mid-sized servers. If you run a large corporate server, you might not want to give your news administrator full administrative rights in the Windows domain just to manage NNTP. In that case, add the administrator's own account to the operator list, or create a group in Local Users and Groups (or Active Directory Users and Computers, for a domain) for the people who need this privileged access to the NNTP service and add the group. For this example I took the first route and added the user Davide from the domain called Development to the operator list. Notice that Development is a Windows NT domain, not a DNS domain, so it must be a valid network domain rather than a name registered with an Internet naming authority.

Directory Security
      The next tab in the group deals with several facets of security control (see Figure 7).

Figure 7: Directory Security

The Edit button in the Password Authentication Method box specifies the types of authentication that will be accepted for inbound connection attempts (see Figure 8). The first, Allow Anonymous access, is the default, and must stay checked if your NNTP server is to serve anonymous clients over the Internet. Basic authentication permits the client to identify itself with a user name and password rather than being mapped to the anonymous account chosen by the administrator. Be aware that this method is only as safe as the channel: the NNTP AUTHINFO USER and AUTHINFO PASS commands carry the password in clear text, so on the unencrypted port 119 anyone on the path can sniff it. Use Basic authentication only over an SSL-protected connection. The Windows security package option is better and more flexible: the client and the server negotiate the strongest mechanism they both support, a challenge/response exchange in which the password never travels over the wire in a reusable form. Its limitation is that only clients that implement the Windows security packages, such as Outlook Express, can use it.
Figure 8: Authentication Settings

      The "Enable SSL Client Authentication" checkbox goes a step further. Instead of a password, the client proves its identity with an SSL certificate, which the server verifies against the certificate authority you have installed, and the entire exchange between client and server, not only the credentials, travels encrypted. Beware of the resource overhead: every connection then pays for a handshake and for encrypting all traffic before any real work is done, which can hurt performance on a busy server. An in-depth analysis of the pros and cons of SSL client authentication falls beyond the scope of this article. For this sample, leave SSL off and enable only anonymous and Windows security package authentication.
      Access can also be restricted by the client's IP address. This approach has the advantage of working with any NNTP client, whereas the authentication methods above work only with clients that implement them. Its weakness is that an address is a poor identity, since everyone behind a proxy or a NAT gateway shares one, so treat it as a coarse filter rather than as authentication. Clicking on the corresponding Edit button lets you grant access to everyone except the addresses you add to the list (a black list), or deny access to everyone except the listed addresses. For a publicly accessible server, grant everyone access.
      A side note: if you restrict access to your LAN only (by listing your network's address and subnet mask), you may run into the paradoxical situation of being unable to reach the groups from the server machine itself. If your client connects to localhost, the loopback alias for the local machine in TCP/IP, the server sees it arriving from 127.0.0.1, which lies outside any LAN subnet and is therefore refused. Work around this either by always testing against the machine's real IP address, or by also granting access to 127.0.0.1. The latter is safe from the network side, since traffic from the loopback address cannot arrive from outside the machine, but note that it admits every process running locally, whatever account it runs under.
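      The two restriction modes and the loopback case are easy to get backwards, so here is an added example (my code, not from the article or the product) that evaluates them the way the dialog does: a "grant" policy admits everyone except the listed networks, a "deny" policy admits only the listed networks. The network lists, mode names and sample addresses are assumptions for illustration; Python's ipaddress module accepts both prefix (/8) and subnet-mask (/255.0.0.0) notation, matching the address-plus-mask form the dialog takes.

```python
"""Added example, not from the original article: evaluating the IP
restriction modes of the Directory Security tab, including the loopback
case. Network lists and sample addresses are assumptions for illustration."""
from ipaddress import ip_address, ip_network


class IpAccessPolicy:
    """mode 'grant': everyone is allowed except the listed networks (a black list).
    mode 'deny' : everyone is refused except the listed networks."""

    def __init__(self, mode, networks):
        if mode not in ("grant", "deny"):
            raise ValueError("mode must be 'grant' or 'deny'")
        self.mode = mode
        # strict=False lets a host address with a mask (10.0.0.7/255.0.0.0)
        # stand for its whole network, as the dialog does.
        self.networks = [ip_network(n, strict=False) for n in networks]

    def listed(self, client_ip):
        addr = ip_address(client_ip)
        return any(addr in net for net in self.networks)

    def allows(self, client_ip):
        if self.mode == "grant":
            return not self.listed(client_ip)
        return self.listed(client_ip)


def lan_only_policy(lan, allow_loopback):
    """A 'deny everyone except' policy for one LAN, optionally also admitting
    the loopback address so that tests from the server itself work."""
    nets = [lan] + (["127.0.0.1/32"] if allow_loopback else [])
    return IpAccessPolicy("deny", nets)


if __name__ == "__main__":
    for loop in (False, True):
        p = lan_only_policy("10.0.0.0/255.0.0.0", allow_loopback=loop)
        for ip in ("10.1.2.3", "127.0.0.1", "203.0.113.5"):
            print("loopback listed=%s client=%s allowed=%s" % (loop, ip, p.allows(ip)))
```

      Note that a "deny" policy with an empty list refuses everyone, including the administrator; check the policy from an address outside the list before you rely on it, rather than discovering the lockout later.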

The Home Directory
      The home directory of the virtual news server is the subject of the last tab in the Properties window. As you can see in Figure 9, you can decide whether the core of the files containing the article archives should reside on the local machine or in a remote location, and what the path should be. This setting can be overridden by creating multiple virtual directories to store the data associated with different article subtrees in different locations.

Figure 9: Home Directory

      The Access restrictions options govern the newsgroups stored in the home directory. You can allow or disallow posting, and you can restrict the visibility of the newsgroup list so that users see only the groups they have the right to read and post to. If you leave that box unchecked, everybody can see the full list of groups, including those they are not permitted to access. For a free news server leave it unchecked, because filtering the list per user carries a significant performance cost; enable it where the mere existence of a restricted group is something you would rather not advertise.
      The Content control options on the right side of the dialog affect auxiliary server features, such as the logging of transactions in the IIS log and the indexing of the posts' bodies to simplify keyword searches in the article base. These options apply to the contents of server's home directory only and can be set for each virtual directory. Notice that in order for logging to work, the administrator must have turned on the functionality at the global level in the General property tab first.
      The Secure Communications box enables and configures the SSL protocol for guaranteeing secure encrypted communications between the client and the server. This setting affects access to the home directory only and overrides the global parameters.

Virtual Directories and Expiration Policies
      Now that the working parameters of the virtual server are configured and the groups have been created, I'll divide the physical locations where the postings of the two parallel subtrees are stored and establish the expiration policies.
      First, confirm the changes made to the properties of the servers and right-click on the Virtual Directories item on the left pane of the MMC (see Figure 1). Then follow the New menu item, create a new virtual directory for the group subtree win2000.iis (which includes the four discussion groups related to SMTP, NNTP, FTP, and the Web), and set its physical path to E:\Inetpub\MindNntp\IIS (or to whatever location you want to store the data). Since the directory doesn't exist, you'll be prompted to create a new one. Answer yes, and shortly the right pane will display the new virtual directory. Repeat the process for the win2000.general subtree, but this time put the files on a different disk, such as F:\Inetpub\MindNntp\General. This way you can distribute the expensive disk-to-memory data transfers among several disks and significantly improve performance. Moreover, you can write to a remote disk location if you want to distribute the load across different machines. A fast network link is mandatory to make this approach effective, and it pays off when the news service experiences heavy traffic.
      The next step involves setting an expiration policy. Just for practice, I'll establish two different expiration policies for the two subtrees. The win2000.general group will probably have heavier traffic and more messages, so a seven-day expiration policy seems reasonable. For the other subtree a 12-day expiration time seems like a good choice. Right-click on the Expiration Policies item in the left pane of the MMC and follow the New menu item. For simplicity, create a new policy named win2000.iis.* and set it to affect only a selected subset of the groups. Proceeding in the wizard, you'll be asked the names of the groups. To identify the subtree you're configuring, add win2000.iis.* to the list and move on. The final value to provide is the expiration time, which is expressed in hours. Enter 288 for a 12-day timeframe. Repeat the same process for the other subtree, setting a 168-hour expiration time.

Figure 10: Expiration Policies

      When you are finished, the window should look like the one in Figure 10. Since I haven't mentioned the Size field, you might wonder what it represents. In brief, it is supposed to represent the maximum size of the articles archive allowed by the policy. When the peak is reached, the server automatically starts to delete the postings one by one, from the oldest to the most recent, until the size falls below the cap again. This feature is convenient for containing the growth of the data files, but it doesn't appear to be supported as of Windows 2000 Server Beta 3 Build 2031, so the Size field must be set to Unlimited. Look for it in the final version.
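      As an added example (my code, not the product's own expiration engine, whose internals the article does not describe), the following Python models the two policies just created, win2000.iis.* at 288 hours and win2000.general.* at 168 hours, and also the Size cap as the text describes it: once a policy's archive exceeds the cap, the oldest articles go first until it falls back under the limit. The article records, sizes and timestamps are constructed for illustration; groups are matched with shell-style wildcards, which is how the policy names above are written.

```python
"""Added example, not from the original article: age- and size-based
expiration as described for the Expiration Policies wizard. Policies,
articles and timestamps are constructed for illustration."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from fnmatch import fnmatchcase
from typing import List, Optional


@dataclass(eq=False)
class Policy:
    name: str
    patterns: List[str]             # newsgroup wildcards, e.g. "win2000.iis.*"
    max_age_hours: int
    max_bytes: Optional[int] = None  # None means the dialog's "Unlimited"


@dataclass(eq=False)
class Article:
    group: str
    posted_at: datetime
    size: int
    subject: str = ""


def policy_for(group, policies):
    """First policy whose wildcard matches the group; newsgroup names are
    compared case-insensitively. None means no policy applies (keep forever)."""
    g = group.lower()
    for p in policies:
        if any(fnmatchcase(g, pat.lower()) for pat in p.patterns):
            return p
    return None


def expire(articles, policies, now):
    """Return (kept, purged). Pass 1 drops articles older than their policy's
    age limit; pass 2 enforces each policy's size cap, oldest first."""
    kept, purged = [], []
    for a in articles:
        p = policy_for(a.group, policies)
        if p is not None and now - a.posted_at > timedelta(hours=p.max_age_hours):
            purged.append(a)
        else:
            kept.append(a)
    for p in policies:
        if p.max_bytes is None:
            continue
        mine = sorted((a for a in kept if policy_for(a.group, policies) is p),
                      key=lambda a: a.posted_at)
        total = sum(a.size for a in mine)
        while total > p.max_bytes and mine:
            oldest = mine.pop(0)          # delete from the oldest forwards
            kept.remove(oldest)
            purged.append(oldest)
            total -= oldest.size
    return kept, purged


NOW = datetime(2000, 1, 14, 12, 0, tzinfo=timezone.utc)
POLICIES = [
    Policy("win2000.iis.*", ["win2000.iis.*"], max_age_hours=288),         # 12 days
    Policy("win2000.general.*", ["win2000.general.*"], max_age_hours=168,  # 7 days
           max_bytes=1000),
]


def hours_ago(h):
    return NOW - timedelta(hours=h)


ARTICLES = [  # constructed sample archive
    Article("win2000.iis.nntp", hours_ago(300), 500, "old iis"),
    Article("win2000.iis.web", hours_ago(200), 500, "fresh iis"),
    Article("win2000.general.setup", hours_ago(180), 400, "old general"),
    Article("win2000.general.setup", hours_ago(30), 400, "g1"),
    Article("win2000.general.tips", hours_ago(20), 400, "g2"),
    Article("win2000.general.tips", hours_ago(10), 400, "g3"),
    Article("other.misc", hours_ago(5000), 100, "no policy"),
]


def run_example():
    kept, purged = expire(ARTICLES, POLICIES, NOW)
    return [a.subject for a in kept], [a.subject for a in purged]


if __name__ == "__main__":
    print(run_example())
```

      Two things the model makes visible: a group that no policy matches is never expired, so a stray hierarchy can grow without bound until you add a catch-all policy, and the size cap is enforced per policy, so the two subtrees' archives compete only with themselves.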

Conclusion
      One key to the success of Usenet is the simplicity of the NNTP protocol. With NNTP, a large number of servers in the same news network exchange articles with one another so that each of them eventually carries a copy of every article in the groups it subscribes to. A server that receives a new article from a client adds it to its own archive and offers a copy of the complete posting to each of its peers; each peer stores it locally and in turn passes it on to its own peers, and so on until the article has propagated throughout the network. The process is complicated by the enormous number of servers carrying all or part of the Usenet groups, as well as by the possibility of technical failures that interrupt a link.
      One measure to overcome it involves having the messages travel through redundant paths, which significantly increases bandwidth consumption, but reduces the single point of failure factor. At the current stage of the technology, the NNTP server in Windows 2000 does not fully support this. Although the server is NNTP-compliant (which means you can access it with your favorite newsreader, like Microsoft Outlook® Express), the service supports only groups hosted on a single machine, the one where it is installed in the first place. Future releases of the service might add the most advanced features, making it feasible to host large-scale public networks of discussion groups like Usenet.
      Even today, however, the NNTP service in Windows 2000 fits the bill for creating value-added discussion forums within a company, either for internal use or open to the public.

  From the January 2000 issue of Microsoft Internet Developer.