The Apache Tomcat Connectors - Web Server HowTo

${tomcat_home} is the root directory of tomcat. Your Tomcat installation should have the following subdirectories:

• ${tomcat_home}\conf - Where you can place various configuration files
• ${tomcat_home}\webapps - Containing example applications
• ${tomcat_home}\bin - Where you place web server plugins

In all the examples in this document ${tomcat_home} will be c:\tomcat. A worker is defined to be a tomcat process that accepts work from the IIS server.

The IIS to Tomcat redirector is supported for:

• IIS running on any currently supported version of Windows
• All currently supported versions of Tomcat

The redirector may work with IIS running on older, unsupported versions of Windows and/or Tomcat but such configurations are not supported.

The redirector uses the AJP protocol to send requests to the Tomcat containers. The AJP version used is ajp13. All current versions Tomcat support the ajp13 protocol. Others servlet engines such as Jetty and JBoss also support the ajp13 protocol.

The ajp12 protocol has been deprecated and you should no longer use it. The ajp14 protocol is considered experimental.

1. The ISAPI redirector is a Microsoft IIS plugin (filter + extension). IIS loads the redirector plugin and calls its filter function for each in-coming request.
2. The filter then tests the request URL against a list of URI-paths held inside uriworkermap.properties. If the current request matches one of the entries in the list of URI-paths, the filter transfers the request to the extension.
3. The extension collects the request parameters and forwards them to the appropriate worker using the defined protocol like ajp13.
4. The extension collects the response from the worker and returns it to the browser.

These instructions have been written based on Windows Server 2012 R2 and tested with all supported Windows operating systems up to Windows 11 / Windows Server 2022.

These installation instructions have been tested with a default installation of IIS plus ISAPI Extensions and Filters on a clean, fully patched OS installation with Tomcat 9 installed in C:\Program Files\Apache Software Foundation\Tomcat 9.0. This is referred to as ${tomcat_home} for the remainder of this document.

1. Create a directory ${tomcat_home}\isapi
2. Allow the IIS process to create the ISAPI redirector log file. Modify the path as necessary if the log file is to be written to a different directory. Enter the following at a command prompt:

   >icacls "C:\Program Files\Apache Software Foundation\Tomcat 9.0\isapi" /grant "IIS APPPOOL\DefaultAppPool":(OI)(CI)M
   

   On client operating systems with User Account Control (UAC) enabled, the command prompt must be opened using Run as administrator for the above command to complete successfully.
3. Download the appropriate (32-bit or 64-bit) isapi_redirect.dll for your operating system and place it in ${tomcat_home}\isapi
4. Set the premissions for isapi_redirect.dll. On Windows Server 2019 it appears to be necessary to explicitly set the permissions for this dll. Enter the following at a command prompt:

   >icacls "C:\Program Files\Apache Software Foundation\Tomcat 9.0\isapi\isapi_redirect.dll" /grant "Everyone":RX
   

5. Create ${tomcat_home}\isapi\isapi_redirect.properties file to configure the ISAPI redirctor. Configuration can also be performed via registry settings - see below. The contents of this file should be:

   extension_uri=/jakarta/isapi_redirect.dll
   log_file=C:\Program Files\Apache Software Foundation\Tomcat 9.0\isapi\isapi_redirect.log
   log_level=info
   worker_file=C:\Program Files\Apache Software Foundation\Tomcat 9.0\isapi\workers.properties
   worker_mount_file=C:\Program Files\Apache Software Foundation\Tomcat 9.0\isapi\uriworkermap.properties
   

   Be careful so that Windows does not add a .txt extension to the file.
6. Create ${tomcat_home}\isapi\workers.properties file to configure the Tomcat instances that requests will be passed to. For a single Tomcat instance on the local machine the contents of this file should be:

   worker.list=tomcat01
   worker.tomcat01.type=ajp13
   worker.tomcat01.host=localhost
   worker.tomcat01.port=8009
   

7. Create ${tomcat_home}\isapi\uriworkermap.properties file to configure which requests will be passed to Tomcat. To expose the examples web application the contents of this file should be:

   /examples/*=tomcat01
   

8. Using the IIS management console, add a new virtual directory to your IIS web site. In a clean install, this will be the Default Web Site. The name of the virtual directory must be jakarta. Its physical path should be the directory where you placed isapi_redirect.dll.
9. Select the newly created virtual directory in the management console and then double-click Handler Mappings. Select the (currently disabled) ISAPI-dll entry and then click Edit Feature Permissions in the action pane. In the dialog box that opens, select Execute so all three permissions are selected. Click OK and ISAPI-dll should now be in the enabled state.
10. Again using the IIS management console, add the ISAPI redirector as a filter to your web site. Select your web site and then double-click ISAPI Filters. From the action pane, click Add.... For the filter name use tomcat and the executable should be the full path to isapi_redirect.dll. Once configured, click OK.
11. Still using the IIS management console, configure the ISAPI redirector as allowed. Select your server (not the web site) and then double-click on ISAPI and CGI Restrictions. From the action pane, click Add.... Select the isapi_redirect.dll, add a descripion (e.g. tomcat) and select the Allow extension path to execute and then click OK.
12. Restart IIS (stop + start the IIS service).

That's all, you should now start Tomcat and ask IIS to serve you the /examples context. Try http://localhost/examples/ for example and execute some of the Servlet or JSP examples.

If this does not work successfully, refer to the Troubleshooting section below for help on correcting the problem.

If the IIS access logs show entries such as /jakarta/isapi_redirect.dll rather than /examples/servlets then this can be corrected via the IIS management console. Select your server (not the web site) and then double-click on Modules. In the Actions pane, click View Ordered List..., select the IsapiFilterModule and move it up until it is above the HttpLoggingModule.

As an alternative to using the isapi_redirector.properties file, the ISAPI redirector may be configured via the registry. To do this, follow these steps:

1. In the registry, create a new registry key named "HKEY_LOCAL_MACHINE\SOFTWARE\Apache Software Foundation\Jakarta Isapi Redirector\1.0"
2. Add a string value with the name extension_uri and a value of /jakarta/isapi_redirect.dll
3. Add a string value with the name log_file and a value pointing to where you want your log file to be (for example c:\tomcat\logs\isapi.log).
4. Add a string value with the name log_level and a value for your log level (can be debug, info, error or emerg).
5. Add a string value with the name worker_file and a value which is the full path to your workers.properties file (for example c:\tomcat\conf\workers.properties)
6. Add a string value with the name worker_mount_file and a value which is the full path to your uriworkermap.properties file (for example c:\tomcat\conf\uriworkermap.properties)

In a 64-bit environment the IIS Application Pool should have "Enable 32-bit Applications" set to "False". To check this, select Application Pools in the IIS management console, then right-click on the pool you are using and select Set Application Pool Defaults.... Enable 32-bit Applications may be found in the General section. If this is not configured correctly, the redirector will not be called and IIS will return an HTTP code 404.

You must use the 64-bit version of the ISAPI redirector on 64-bit operating systems. If you attempt to use the 32-bit version, you will get an HTTP code 500 for every request because the library is not loadable into a 64-bit IIS.

The examples context is useful for verifying your installation, but you will also need to add your own contexts. Adding a new context requires two operations:

1. Adding the context to Tomcat (not discussed here).
2. Adding the context to the ISAPI redirector.

Adding a context to the ISAPI redirector is simple, all you need to do is to edit your uriworkermap.properties and to add a line that looks like:

/context/*=worker_name

Workers and their name are defined in workers.properties. As an example, if you want to add a context named "shop", to be served by the worker named "tomcat01" the line that you should add to uriworkermap.properties will be:

/shop/*=tomcat01

The above should be all you need for IIS to pass through to Tomcat any request for any URI which corresponds to a Tomcat context (webapp).

If your website is very busy (more than 100 requests/second, or more than 100 simultaneous client connections), it might sometimes be desirable to have IIS serve static content (html, gif, jpeg etc.) directly, even if these files are part of a context served by Tomcat. Allowing IIS to serve such files directly may avoid the small overhead consisting of passing the request to Tomcat via the redirector, and may free up Tomcat somewhat, by using it only to process requests that only Tomcat can handle (e.g. requests to JSP pages and java servlets).

For example, consider the html and gif files in the examples context: you could serve these files directly with IIS; there is no need to serve them from the Tomcat process.

Making IIS serve static files that are part of the Tomcat contexts requires the following:

1. Configuring IIS to know about the Tomcat contexts
2. Configuring the redirector to leave the static files for IIS

Adding a Tomcat context to IIS requires the addition of a new IIS virtual directory that covers the Tomcat context. For example adding a /example IIS virtual directory that covers the c:\tomcat\webapps\examples directory.

Configuring the redirector is somewhat harder, you will need to specify the exact URL-Path pattern(s) which you want Tomcat to handle (usually only JSP files and servlets). This requires a change to the uriworkermap.properties:

For the examples context it requires to replace the following line
/examples/*=tomcat01
with the following two lines
/examples/*.jsp=tomcat01
/examples/servlet/*=tomcat01

As you can see the second configuration is more explicit, it actually instruct the redirector to redirect only requests to resources under /examples/servlet/ and resources under /examples/ whose name ends with .jsp.

You can even be more explicit and provide lines such as:

/example/servlets/chat=tomcat01

that instructs the redirector to redirect all requests whose URL-path matches the leading string "/example/servlets/chat" to the worker named tomcat01.

Once again, be aware that by allowing IIS to access the content of your Tomcat context directly, you are potentially bypassing Tomcat's protection of that content. You should thus make sure to protect this content at the IIS level if needed, by using the corresponding IIS management console functions.

In particular, each servlet application (context) has a special directory named WEB-INF, which contains sensitive configuration data and Java classes, and which should always be kept hidden from web users. Using the IIS management console it is possible to protect the WEB-INF directory from user access, but considering that this is a general requirement, and considering that it is easy to forget to implement this protection at the IIS level, the ISAPI redirector plugin does it automatically for you, and it will reject any request which contains WEB-INF in its URL path. It will also reject any request which contains META-INF in its URL path.

Sometimes you may want to serve different contexts with different Tomcat processes (for example to spread the load among different machines). To achieve such a goal you will need to define several workers and assign each context to its own worker.

Defining additional workers is done in the workers.properties file. This file includes two types of entries:

# An entry that lists all the workers defined
worker.list=worker1, worker2
# Entries that define the host and port associated with each of these workers
worker.worker1.host=localhost
worker.worker1.port=8009
worker.worker1.type=ajp13
worker.worker2.host=otherhost
worker.worker2.port=8009
worker.worker2.type=ajp13

The above example defined two workers, now we can use these workers to serve two different contexts each with its own worker:

example uriworkermap.properties fragment
/examples/*=worker1
/webpages/*=worker2

As you can see the examples context is served by worker1 while the webpages context is served by worker2.

More information on using and configuring workers in the Workers HowTo and in the worker.properties configuration reference.

Delete (or move elsewhere) the ISAPI redirector log file if present.

Start the IIS service and Tomcat.

Check for the presence of the ISAPI redirector log file at the specified location. If not found, that indicates that the ISAPI redirector has not started correctly. This is usually caused by incorrect configuration settings.

• Check your configuration carefully against the installation instructions, particularly the location, name and contents of the ${tomcat_home}\isapi\isapi_redirect.properties file.
• If using the registry based configuration, check the path, name and values of the registry keys. Registry names are not case sensitive.
• Check that the directory specified for the log file exists and that the file permissions have been configured as per the installation instructions.

Invoke the URL http://localhost/examples/ in your browser. Case is important in URLs. The characters following "localhost" in the URL must be lower case. If the page fails to appear, stop the IIS service (required to view the IIS log file). Then examine the last line in the IIS log file in found in C:\inetpub\logs\LogFiles\W3SVC1:

If the last line contains:

GET "/examples/ HTTP/1.1" 404

If the last line contains something like:

GET "/jakarta/isapi_redirect.dll HTTP1.1"

Check the following:

• Check your configuration carefully against the installation instructions, particularly the name of the virtual directory and the location, name and contents of the ${tomcat_home}\isapi\uriworkermap.properties and ${tomcat_home}\isapi\workers.properties files.
If these are set correctly, the ISAPI redirector should recognise that it should handle requests for the "/examples" context.

If the browser shows a 503 error page then the ISAPI redirector is recognising that it should handle the request but is not receiving a timely response from Tomcat. Check the following:

• Check your configuration carefully against the installation instructions, particularly the location, name and ${tomcat_home}\isapi\workers.properties file.
• Check the AJP connector configuration in Tomcta matches the configuration in the ${tomcat_home}\isapi\workers.properties file.

If the browser shows a 500 error page then an internal error has occurred within IIS or the ISAPI redirector when trying to serve the request. There should be a textual description of the error towards the top of the page and an 8-digit hex error code towards the end of the page. The last four digits should be the standard windows error code associated with the problem.

A common cause of 500 errors is Windows creating configuration files with hidden ".txt" file extensions that are not shown in Windows Explorer. Even if file extensions are shown for other files, double check to make sure that Windows Explorer is configured to show file extensions for all files.

If the error message is Calling GetFilterVersion on ISAPI filter "...isapi_redirect.dll" failed and the code is 0x8007047e then the code translates to an error code 0x047e or 1150 which is "The specified program requires a newer version of Windows". Together these indicate that the initialisation of the ISAPI redirector failed because the configuration could not be read - either from ${tomcat_home}\isapi\isapi_redirect.properties of from the registry. Check the name location and contents of the ${tomcat_home}\isapi\isapi_redirect.properties file or the registry keys as appropriate.

If the above settings are correct, the index.html page should appear in your browser. You should also be able to click the links to execute some Servlet or JSP examples.