DevOps · K8s · Volleyball · Travel  •  DevOps · K8s · Volleyball · Travel  •  DevOps · K8s · Volleyball · Travel
Explore NY Stream

How to Install and Configure Web Deployment on IIS 7.x

— ny_wk

How to Install and Configure Web Deployment on IIS 7.x

IIS Web Deploy (the Web Deployment Tool, also called MsDeploy) lets you push a packaged ASP.NET web application onto a remote IIS 7.x server without manually copying files or fiddling with the metabase. This guide walks through installing Web Deploy, enabling remote connections, and configuring both supported server-side endpoints — the Remote Agent Service and the IIS Web Deploy Handler — so you can publish reliably from Visual Studio or the command line.

What IIS Web Deploy Does and Which Method to Use

When you publish to a remote server with IIS Web Deploy, the tool synchronizes content, application pools, configuration, ACLs, and even databases between a source and a destination. Instead of zipping a folder and remoting in, you run one publish action and Web Deploy figures out the deltas. There are three server-side ways to receive a deployment, and the right choice depends on who owns the server.

MethodListens onWho runs the deployBest for
Remote Agent Service (MsDepSvc)Port 80 (HTTP), via WMSvc data pathA Windows local administratorServer admins who control the box
Web Deploy HandlerPort 8172 (HTTPS, WMSvc)A non-admin IIS Manager userShared/hosted servers, least-privilege
Web Deploy On Demand (temp agent)Started per-sessionAn administrator, no service installOne-off ad-hoc syncs

This guide covers the first two — the agent and the handler — because those are what you set up once and reuse. The Remote Agent requires the deploying account to be a local administrator and always runs commands with administrative rights. The Web Deploy Handler is the more secure, delegated option: it lets ordinary IIS Manager users deploy only to their own site through WMSVC over HTTPS, which is exactly how shared hosting works.

Prerequisites for Installing IIS Web Deploy on IIS 7.x

Before you install IIS Web Deploy, confirm the target server meets these requirements. Missing one of them is the single most common reason a publish silently fails later.

  • Operating system: Windows Server 2008 (IIS 7.0) or Windows Server 2008 R2 (IIS 7.5), with the Web Server (IIS) role installed and at least one working website or application.
  • .NET Framework: .NET 2.0 SP1 or later present on the server (it ships with the IIS role on these OS versions).
  • Web Management Service (WMSVC): the IIS Management Service role service. The Web Deploy Handler runs inside WMSVC, so this is mandatory for the handler and useful for the agent path too.
  • Administrative access to the server to install roles and software, plus the Windows or IIS Manager account you intend to deploy with.
  • The Web Deploy installer. Use Web Deploy 3.x — it is fully compatible with IIS 7.x and is the last version that supports these platforms. (On modern Windows Server 2016/2019/2022 with IIS 10, use Web Deploy 3.6 or 4.0 from the official Microsoft download or the Web Platform Installer; the steps below are otherwise identical.)

Note on legacy status: IIS 7.0/7.5 and Windows Server 2008/2008 R2 are past end of support. Keep these servers off the public internet, fully patched to their final updates, and plan a migration to a supported IIS 10 / Windows Server 2019+ host. The Web Deploy concepts here carry over unchanged to current versions.

Step 1 — Install the Web Management Service (WMSVC)

WMSVC is what allows remote management and hosts the deploy handler on port 8172.

  1. Open Server Manager and expand Roles → Web Server (IIS).
  2. Under Role Services, click Add Role Services.
  3. Tick Management Service (under Management Tools), click Next, then Install.
  4. Wait for the install to finish and click Close.

You can confirm the service exists with PowerShell:

  1. Open an elevated PowerShell window.
  2. Run Get-Service WMSVC — you should see a service named Web Management Service.

Step 2 — Install IIS Web Deploy on the Server

With the prerequisites in place, install the Web Deployment Tool itself.

  1. Copy the Web Deploy installer (WebDeploy_amd64_en-US.msi for 64-bit) to the server.
  2. Right-click the installer and choose Install (running as administrator).
  3. Click Next, accept the license agreement, and click Next again.
  4. On the setup type screen choose Complete. This installs every provider plus the IIS integration and the Remote Agent Service — do not pick Typical, which omits components you need.
  5. Click Install, wait for it to finish, then click Finish.

Prefer an unattended install? From an elevated command prompt run:

  1. msiexec /i WebDeploy_amd64_en-US.msi /qn ADDLOCAL=ALL

ADDLOCAL=ALL is the command-line equivalent of the Complete option and guarantees the handler, the agent, and all providers are present.

Step 3 — Enable IIS Remote Connections

By default WMSVC does not accept remote connections. You enable that in IIS Manager.

  1. Open IIS Manager and select the top-level server node in the Connections pane.
  2. In Features View, double-click Management Service.
  3. Tick Enable remote connections. If the checkbox is greyed out, the service is already running — click Stop in the Actions pane first, then the checkbox becomes editable.
  4. Leave the identity credentials at Windows credentials or IIS Manager credentials if you plan to use the handler with IIS Manager users (see Step 5).
  5. Click Apply, then Start the service. Confirm the status reads Started.

WMSVC now listens on TCP 8172. Open that port in Windows Firewall if a firewall is active:

  1. Run netsh advfirewall firewall add rule name="WMSVC 8172" dir=in action=allow protocol=TCP localport=8172

Step 4 — Configure the Web Deployment Agent Service

Use this path when the deploying account is a trusted Windows administrator. The Remote Agent (MsDepSvc) executes deployments with full rights, so it is powerful but blunt.

4.1 Grant administrator rights

  1. Add the deploying Windows account to the Local Administrators group on the web server (lusrmgr.msc → Groups → Administrators → Add).
  2. Confirm the agent is running: Get-Service MsDepSvc should show Running. Start it with Start-Service MsDepSvc if needed.

4.2 Allow the user to manage the site

  1. In IIS Manager, expand Sites and select your website.
  2. Double-click IIS Manager Permissions, then click Allow User in the Actions pane.
  3. Choose Windows as the user type, click Select, type the account name, and click OK.

4.3 Set folder ACLs

  1. Right-click the site's physical folder → PropertiesSecurity tab → EditAdd.
  2. Click Locations, pick the correct domain or the local machine, click OK, type the user ID, and click OK.
  3. Grant Read, Write, and Modify (effectively read/write/execute) on the folder and click OK.

4.4 Test the agent connection

  1. In IIS Manager click File → Connect to a Site.
  2. Type the server name and site name, click Next, enter the Windows credentials, click Next, then Finish.
  3. The site should appear under Connections — that confirms the agent is reachable.

Step 5 — Configure the IIS Web Deploy Handler

The handler is the recommended, least-privilege endpoint. It runs inside WMSVC on HTTPS 8172 and lets a non-admin IIS Manager user deploy only to a delegated scope.

5.1 Create an IIS Manager user

  1. Select the server node, double-click IIS Manager Users, and click Add User.
  2. Enter a username and password and click OK. This account exists only inside IIS — it is not a Windows account.

5.2 Allow the user on the site

  1. Select the website, double-click IIS Manager Permissions, and click Allow User.
  2. Choose IIS Manager as the type, click Select, pick the user you just created, and click OK.

5.3 Give WMSVC's identity access to the folder

Because the handler runs under the WMSVC service identity, that identity needs file access to write the deployed content.

  1. Right-click the site folder → PropertiesSecurityEditAdd.
  2. Click Locations, select the local server, click Advanced → Find Now, choose LOCAL SERVICE, and click OK.
  3. Grant Modify (or Full Control if your policy allows) and click OK twice. LOCAL SERVICE is the default WMSVC account; if you changed WMSVC to run as a custom account, grant that account instead.

5.4 Create the delegation rules

Delegation rules define which Web Deploy providers a non-admin may use. For self-service deployment you typically enable four templates: Deploy Applications with Content, Mark Folders as Applications, Deploy Databases, and Set Permissions.

  1. Select the server node and double-click Management Service Delegation.
  2. If contentPath and iisApp are not listed, click Add Rule in the Actions pane.
  3. Pick the Deploy Applications with Content template and click OK twice. This creates a rule allowing any WMSVC-authorized user to use the contentPath and iisApp providers within their own scope.
  4. When prompted in Add User to Rule, type an asterisk (*) so each user can deploy to their own scope, then click OK.
  5. Repeat for the Mark Folders as Applications (createApp), Deploy Databases (dbFullSql / dbDacFx), and Set Permissions (setAcl) templates, again using * as the allowed user.
  6. Expand each rule and confirm * shows as the permitted identity.

5.5 Test the handler in IIS Manager

  1. Click File → Connect to a Site, type the server and site name, and click Next.
  2. Enter the IIS Manager user credentials this time, click Next, then Finish. The site should appear under Connections.
  3. Right-click the site → Deploy → Export Application, accept the defaults, and click Finish to produce a package.
  4. Click Import Application, point at the package, change the application name to a new value on the Parameters page, and complete the wizard. A clean import proves the delegation rules let the user create applications.

Step 6 — Publish from Visual Studio (or the Command Line)

With the handler configured, publishing an ASP.NET app from a developer machine is straightforward.

  1. In Visual Studio, right-click the web project and choose Publish.
  2. Select the Web Deploy method and fill in the fields:
    • Server / Service URL: https://your-server:8172/MsDeploy.axd
    • Site name: the IIS site name, e.g. Default Web Site/MyApp
    • User name / Password: the IIS Manager credentials from Step 5
  3. If the server uses a self-signed certificate, tick Allow untrusted certificate. For production, install a certificate from a trusted CA so this is not needed.
  4. Click Validate Connection, then Publish.

You can do the same from the command line with the msdeploy executable, which is what scripted and CI/CD pipelines use:

  1. "%ProgramFiles%\IIS\Microsoft Web Deploy V3\msdeploy.exe" -verb:sync -source:package=C:\packages\MyApp.zip -dest:auto,computerName="https://your-server:8172/MsDeploy.axd?site=MyApp",userName=deployuser,password=*****,authtype=Basic -allowUntrusted

A successful publish ends with output similar to Publish is successfully deployed and a build summary of Publish: 1 succeeded, 0 failed, 0 skipped.

Common Pitfalls When Configuring IIS Web Deploy

Most failures come from a handful of repeat offenders. Check these before opening a support ticket.

  • ERROR_DESTINATION_NOT_REACHABLE / connection refused on 8172. WMSVC is stopped, remote connections were never enabled, or the firewall blocks 8172. Re-run Step 3 and add the firewall rule.
  • ERROR_USER_UNAUTHORIZED (401). The IIS Manager user has no permission on that site, or you set the service to accept only Windows credentials. Re-check Step 5.2 and the Management Service identity setting.
  • 403 access denied writing files. The WMSVC identity (LOCAL SERVICE by default) lacks ACLs on the site folder — redo Step 5.3.
  • "Typical" install gotcha. A Typical install omits the handler and several providers. If delegation rules or the handler are missing, repair the install and select Complete / ADDLOCAL=ALL.
  • Self-signed certificate errors. Without Allow untrusted certificate (or a real CA cert), the HTTPS handshake to 8172 fails. Install a proper certificate for production.
  • Agent vs. handler confusion. The Remote Agent uses HTTP and the computerName server name directly; the handler uses the https://.../MsDeploy.axd URL. Mixing the two endpoints in your publish profile produces misleading errors.

Verification — Confirm the Deployment Worked

Do not trust the wizard alone; verify end to end.

  1. Service health: Get-Service WMSVC, MsDepSvc — the ones you use should be Running.
  2. Port listening: netstat -ano | findstr 8172 should show a LISTENING entry.
  3. Files on disk: open the site's physical folder and confirm the new build, the bin assemblies, and the transformed Web.config are present.
  4. Browse the app: hit http://your-server/ (or the app path) in a browser and confirm the expected page renders.
  5. Logs: if anything looks off, check the WMSVC log and Windows Application event log for Web Management Service entries.

Key Takeaways

  • IIS Web Deploy synchronizes content, configuration, ACLs, and databases to a remote IIS server in one publish action.
  • Choose the Remote Agent for admin-controlled servers and the Web Deploy Handler (WMSVC, port 8172, HTTPS) for least-privilege, delegated deployments.
  • Always install with the Complete option (ADDLOCAL=ALL) so the handler and every provider are present.
  • The handler runs as LOCAL SERVICE — that identity, not just the IIS user, needs write ACLs on the site folder.
  • IIS 7.x and Windows Server 2008/2008 R2 are end-of-life; keep them isolated and plan a move to IIS 10 / Windows Server 2019+ where these same steps apply.

Frequently Asked Questions

What port does IIS Web Deploy use?

The Web Deploy Handler runs inside the Web Management Service and listens on TCP 8172 over HTTPS. The Remote Agent Service (MsDepSvc) instead uses HTTP on port 80 through the standard data path. Open 8172 in the firewall when you use the handler.

What is the difference between the Web Deploy Agent and the Handler?

The Remote Agent Service requires the deploying account to be a local administrator and runs every operation with full rights. The Web Deploy Handler lets a non-admin IIS Manager user deploy only to a delegated scope via WMSVC, which is far safer and is how shared hosting works.

Which version of Web Deploy works with IIS 7.x?

Web Deploy 3.x is the right choice for IIS 7.0/7.5 on Windows Server 2008 and 2008 R2 and is fully compatible. On modern IIS 10 servers, use Web Deploy 3.6 or 4.0 — the configuration steps are identical.

Why does my Web Deploy publish fail with 401 or 403 errors?

A 401 means the IIS Manager user lacks permission on the site or the Management Service only accepts Windows credentials. A 403 usually means the WMSVC identity (LOCAL SERVICE) does not have write ACLs on the site's physical folder. Fix the permission and the ACL respectively.

For more Windows Server and IIS walkthroughs, subscribe on YouTube @explorenystream.