Managing your Plone Sites in Windows with Enfold Proxy

« Return to page index

This article shows how a Microsoft administrator can manage and configure Plone sites from Windows (regardless of whether the Zope clients are are on Linux or Windows boxes). It also shows how to configure caching, load balancing and integration of non-Plone content with Plone content in the same domain.

Introduction: Plone, IIS and the Enterprise

How a commercial product makes Plone a realistic choice for the Microsoft Administrator

CMS for the Enterprise

Plone needs to be used with a high performance web server and probably a proxy server. What are our choices?

The most popular deployment scenario involves running Plone on a linux box with Apache server. This offers advantages. You gain the advantages of a UNIX control environment as well as the wide availability of open source tools. Apache server, for example, contains many free configurable modules and log analyzers. The typical hosting company might have a LAMP (Linux, Apache, Mysql, Php) hosting environment already set up, even if it offers a python hosting plan.

In the meantime, enterprise networks are still (for the most part) Windows-based. Workers still use Windows desktops and laptops (though Macs and Ubuntu has certainly made significant inroads over the last few years). Company administrators usually have substantial background and experience configuring servers in a Windows environment and connecting them to users and groups with Active Directory. In addition, a large number of third party tools have emerged to assist system administrators in routine tasks. Many Microsoft administrators are comfortable configuring Internet Information Services (IIS) and integrating different kinds of websites under IIS. For these kinds of organizations, being able to integrate well with the rest of the Windows corporate network is an important criteria for selecting a CMS.

This article shows how a system administrator could configure multiple Plone sites in a Windows enterprise environment using a commercial product called Enfold Proxy. Enfold Proxy is a lightweight plugin to IIS that lets you handle Plone sites more easily. We will start with a quick tour of how to use the wysiwig configuration tool to set up IIS to handle Plone site(s). Later, we'll cover how Enfold Proxy uses built-in functionality in IIS to accomplish these tasks and how to customize them for your needs. Note: this is not an open source product, and it is not free (it costs a few hundred dollars, depending on your support plan).

With Enfold Proxy, Zope clients and servers can still run from Linux boxes (or Windows boxes) and still be able to harness the site administration and performance-enhancing features of IIS. Using Plone with IIS and Enfold Proxy not only provides a caching solution, it also makes it easy to integrate non-Plone material on the same domain as a Plone site.

IIS 7 and Vista Support

The 4.5 release of Enfold Proxy will be available in the first half of September 2008. Version 4.5 will include official support for IIS 7 on Vista 32 bit. Previously IIS 7 worked, but it was not officially supported by Enfold. (Read more about how Enfold Proxy works with IIS 7 ). IIS 7 on 64 bit is still being tested.

Proxy Definitions: Using a GUI tool to manage virtual hosts and load balancing

Enfold Proxy uses "proxy definitions" to manage multiple virtual IIS hosts and load balancing of multiple Zope clients

In many respects, setting up virtual hosts is the same in Apache and IIS, except that in IIS you use a series of dialog boxes instead of a configuration file.

IIS 6 version (and above) let you set up multiple IIS servers. As a general practice, you should create a new IIS web server for each Internet host you use. For example, if you wish to host two separate Internet hosts (i.e., www.myplonesite.com and backupplone.mysite.com), you should set up 2 separate IIS web servers. You do this by selecting New Server on the right click menu.

Creating a new IIS Site

Next you configure the host headers on each IIS web server to correspond to the Internet host you want for your website.

The next step is to launch the Enfold Proxy control panel. (Since Enfold Proxy operates whenever IIS is running, you do not actually need to start it--you merely need to launch the control panel).

Before you create a proxy definition in Enfold Proxy, you should confirm three things.

Configure your first IIS host (that's what you just did).
Verify that your IIS host resolves correctly. If you type www.originalfunsite.com , does IIS show a default page? (Read more about resolving IIS hosts).
Make sure that your Plone site is running by checking its management port. (i.e., try http://localhost:8080 , http://localhost:8080 or http://localhost:8080/Plone ; do you see something?)

Creating a proxy definition

A proxy definition is a set of instructions specific about how Enfold Proxy should proxy (or redirect or cache) http requests from one IIS host. Generally, with one important exception, you declare your hosts in IIS and use "proxy definitions" to connect these hosts with Plone sites on Enfold Server.

Enfold Proxy originally arose out of the need to simplify the URL mapping process within Plone in a Windows environment. However, because Enfold Proxy is essentially a plugin for IIS (it is an ISAPI filter for IIS), you can use proxy definitions to wrap a non-Plone site into a Plone site and vice-versa. That makes it easy to integrate a java application or Django application together with a Plone site together under the same domain.

For instance you could use EP to set up these mappings:

www.funsite1.com (and recursive URL web directories) could be used to serve Plone content.
www.funsite1.com/payroll could be used to serve a java servlet you added inside IIS.
www.funsite1.com/media/ could be used to serve videos (from a media server you added to IIS).

When should you NOT create a proxy definition? Exactly one proxy definition should correspond to one IIS site. You should not need a second proxy definition to point to the same IIS site (unless you're running IIS 5).

Basic Steps

Make sure your Zope client(s) are running, and that the management port is accessible (i.e., type www.myfunsite.com:8080/plone in the browser).
Open the Enfold Proxy control panel. (Start --> Enfold Proxy --> Enfold Proxy)
Click the folder on the left panel Proxy.
Choose Add a Proxy Definition. Give your proxy definition any name you want.
Adjust the basic settings if necessary. By default, the new host comes with the most common defaults:
```
Local host= /
Virtual host root = /Plone
```
The setting above will cause the root (/) of your URL to go to the Plone site automatically created within your Zope client. The Plone site object should be visible inside the Zope Management Interface (ZMI). Change these values when necessary. You can verify the value for Virtual host root by logging into the ZMI application root and verifying that a folder corresponds to this value already exists. For more, see Adding a Plone site with the ZMI.
Add the Virtual Host that corresponds to your management port of your Zope client. The virtual host can be an IP address or a resolvable host. Examples: 127.0.0.1:8080, 192.168.1.150:8080, localhost:8080
In your Proxy Definition, select the Site tab on the top. When you come to that screen, you will see a dropdown screen for the Site screen. Choose the IIS site which is serving the host/domain you will be using. For this, we shall use Default Web Site (which uses the www.originalfunsite.com host headers) The initial site created by IIS is called Default Web site, but in IIS you can give a website any name you want).
After you press save for the last time, you will be able to see a "virtual folder" appear under the IIS which this proxy definition will be matched with. This virtual folder will be called _plone by default.

Note: This proxy definition you created or edited in Enfold Proxy will not take effect until you see the _plone folder in your IIS website. EP will automatically make sure this virtual folder exists in the IIS whenever you save or update your Proxy Definition. If you do not see the folder which says _plone, try one or all of the options listed below:

        * refresh the web site by typing F5 or using the Refresh icon the toolbar (in most cases this is sufficient).
        * restart the specific IIS site
        * restart the IIS server entirely.
        * make a minor edit to the proxy definition and press Save again (you can undo this later).

To host multiple sites, you would create another IIS site, and then create a separate IIS proxy definition and link them (as mentioned above).

Load Balancing with Enfold Proxy

Note: Load balancing assumes that all Zope clients are connected to the same Zope object database (ZODB).

After you create a proxy definition for your host, you can add load-balancing clients with one step: add another entry in the Virtual host field. This Virtual host field is located on the Basic tab of your proxy definition. Add multiple entries if you wish to load balance multiple Zope clients.

Here are examples of Virtual Hosts to include in your proxy definition (on the Basic tab). All formats listed here are acceptable:

localhost:8080
localhost:8090
192.168.1.150:8080
192.168.1.151:8080
www.originalfunsite.com:8080

Notes:

In most cases, these URLs will be a Zope client. They can be running from Linux boxes or Windows boxes (from Enfold Proxy's standpoint, it doesn't matter).
Omit the http:// prefix. Always include the port number.
The Virtual Host can be on the same machine or (more commonly) on different machine(s).
You can use IP addresses and/or host names.
Load balancing will not work unless you have 2 or more Virtual hosts listed here.
Each entry must be a URL for a unique host. One host should not simply be an alias for another.

After you push save, load balancing should work immediately.

To remove a client from load balancing, delete the appropriate line in the Virtual Host field.

Even though load balancing provides a kind of insurance policy against failures, you still need a monitoring tool like Big Brother to make sure individual machines are online. A load-balanced cluster might have four virtual hosts/Zope clients and still work if three of them go offline. But if you are never notified about this occurrence, you would be at risk if the fourth goes offline also.

Customizing Load Balancing

When you go to a proxy definition in your GUI, there will be a tab for load balancing with settings you can change. For example, you choose to use round robin, random, or least connections as the method to determine which Zope client will handle the requests. These changes take effect when you press Save.

Caching and purging content

How Enfold Proxy caches and purges Plone content in Windows

In the previous section, we saw how the commercial product Enfold Proxy can be configured to proxy one or more Plone sites. This section examines how the Microsoft system administrator can use Enfold Proxy to implement caching (using the GUI control panel) and purge content when needed.

To summarize the main steps:

Create an EP proxy definition to link your Plone site with IIS. (That's what you did in the previous section).
Select one of the available caching products for Plone. Install and enable it.
Edit the cache settings for your proxy definition.
Verify that Your Cache Settings are in Effect

Caching increases Plone's performance significantly, so most deployments feature a caching solution of some kind. Enfold Proxy (EP) offers a caching solution which is easy to configure and track. They can't handle all requests -- personalized pages and dynamic content require Zope -- but when they can handle a request, they should.

Before trying caching, you should review the tutorial about how to view and test cache settings with your browser. That can get tricky.

Enfold Proxy lets you set up caching for each proxy definition. Each proxy definition will store the files for caching in a separate directory (typically C:\Program Files\Enfold Proxy\cache). This table of caching options contains a description of each option which you can configure through EP's configuration utility.

What is a cacheable item?

First, let's cover the kind of web items that can and should be cached.

static content (images and JavaScript)
content for anonymous users. Items (such as Plone-generated HTML) can be cached with little danger.
selected content for logged in users.

Warning Incorrect configuration of caching has the potential for authenticated requests being cached (which is bad). Generally, the two Plone products discussed below have sensible policies about not caching authenticated requests. Nonetheless, if you are creating a customized CacheFu policy or using another caching product for Plone, it's a good idea to confirm that authenticated requests are not being cached.

First Step: Install and Activate a Caching Product

Before you can cache, you must install and activate a product in Plone specifically for caching. With this product you can configure and customize cache settings.

Install a Caching Product

(these are generic instructions for installing any Plone product).

Choose which caching product you wish to use (see below).
If necessary, download the product and place inside the Products directory of Plone/Enfold Server(typically C:\Program Files\Enfold Server\Products in Windows).
Go to the Plone control panel (i.e., http://www.originalfunsite.com/plone_control_panel) and select Add/Remove Products. You should see the name of your Product(s) on the Products available for install list.
In the Plone control panel, look for a link under Add-on Product Configuration. One of these links should lead you to a configuration menu for the caching product you have chosen to install.
From the product configuration options, make sure caching has been enabled/turned on.

Available Caching Products

CacheFu is an open source product with a wide variety of features. Actually, it consists of 4 separate products (CacheSetup, PageCacheManager, CMFSquidTool, and PolicyHTTPCacheManager) which are dropped into the Products directory. CacheFu offers a lot more granular control over caching. It lets you set policies and configure headings and cache rules for different content types in Plone.

Important: you need to enable a caching policy for CacheFu to work in EP. On the first tab, you need to choose Zope Behind Squid as the Active Cache Policy.

Chasseur is a Plone product included with Enfold Server (a commercial product). It was designed for ease-of-use and simplicity. (Read more about Chasseur). The main two settings are Normal (cache images, js, css for one hour) and Aggressive (cache js, css, images for one hour and also cache content for anonymous users for 1 hour).
- CacheFu will use cache headers different from chasseur. But EP is able to process both of them.
- Normal is generally risk-free and unlikely to cause problems, especially if image files are unlikely to change.
- Aggressive is generally not recommended because it interferes with EP's ability to purge content. When that happens, an individual browser might use private cache instead of checking with EP/ES to make sure it has fresh content.

Enable Cache in your Proxy Definition

By default, when you create a proxy definition in EP, caching is enabled. However, you might need to change your settings to suit your hardware.

Enfold Proxy will keep a lot of "stale" cached files inside the cache directory corresponding to a specific proxy definition. These stale cache files will accumulate in the cache directory until it approaches the maximum cache size. That is actually a good thing. In Chasseur, for example (Enfold's own caching product in Enfold Server), a lot of content is cached for one hour. After one hour (or even after five years), whenever the browser requests the same resource, EP will check with Plone and ask, "is this stale item still valid?" Plone will give one of two responses. Either:

Plone will reply, "it's still good." (In this case, EP will return the stale item to the browser and update its own records to indicate that this stale cache is now valid. This process is called, revalidating the cache). The HTTP headers to the user will say: X-Cache: HIT from www.originalfunsite.com
Plone will reply, "Nope. That's an outdated version." (In this case, Enfold Server or Plone will send the updated version to Enfold Proxy, which will pass it on to the browser and also replace the outdated version with the newer version). X-Cache: MISS from www.originalfunsite.com .

Next Step: Verify that Your Cache Settings are in Effect

To verify that caching is taking place, look for this line in your HTTP response header: X-Cache: HIT from www.originalfunsite.com

If you see X-Cache: HIT, then yes, caching is occurring.
If you see X-Cache: MISS, then this particular item was NOT cached.

Generally HIT's indicate successful caching.

Keep in mind that X-Cache: MISS is not always a bad thing. For example, if logged in as an administrator, many resources will not be cached on purpose. It's best to test as an anonymous web surfer (i.e., someone who is not logged in). If an item contains a modification, then a MISS reply is mandatory.

Careful: When testing, it's a good idea to use two different browsers. In Browser A (such as Internet Explorer), log in as Admin. In Browser B (i.e., Firefox), log in as anonymous or as a logged in user. It's also important to clear cache the right way and even to close the browser entirely (if you don't, the http headers you see won't be accurate). Consult the troubleshooting checklist for caching.

To see the HTTP headers directly, see Tools for Viewing Headers . You should probably pick two or three sample items to check for headers. Anything will do, but at least one should be a graphic and one should be a Zope page (such as http://www.originalfunsite.com/events ). In Chasseur, the maximum age is

Cache-Control: max-age=3600 X-Cache: HIT from www.originalfunsite.com

Optimize Cache Settings and Measure Caching Performance

Many of your cache settings can be tweaked in whatever Plone product you are using to cache web items. The CacheFu Plone product, for example, offers a lot of fine-grained controls and the ability to create caching rules.

But EP also offers some cache settings to tweak. (By the way, there are actually separate screens for the Caching and the (Adv) link at the top. The screenshot below only shows what you see when you press the (Adv) screen.

advanced cache settings Enfold proxy

Here are some default settings for each proxy definition as set by Enfold Proxy:

Maximum Size of the Cache: 10 gigabytes for each proxy definition
Maximum number of items in the cache for each proxy definition: 50,000
Maximum size of an item which can be cached: 100K
Default-Age: 0

The main thing you can adjust here is storage amount and item size. The larger the storage amount you have, the more cacheable items EP can keep at once. Increasing maximum item size is recommended if your Plone server returns a lot of web items (which is not the same thing as "web pages") over 100K. If the maximum is increased to a very large size, this will also consume RAM on the machine with EP. Also, when you cache larger files, that will cause the maximum size of the cache to fill up more quickly. Theoretically, if your cache directory for your proxy definition is always at maximum and the hit percentage is declining, that could indicate you need to increase your maximum here.

Default-age=0 will cause EP to store cacheable items in the cache and always check to make sure if it is current before serving cached content to the browser. (This is the default and generally recommended). Even so, EP will not cache an item which is forbidden to be cached (according to Plone or whatever Plone Product is setting these commands).

If you check Enfold Proxy's cache.log messages for your proxy definition (and set the log level to Information), you will see every minute or so some statistics about caching:

2008-02-18 10:31:45,250|cache.host originalfunsite|STATS|3500|2856|Cache statistics:
        gets: 88, hits: 65 (33 validated), misses: 23 (0 uncachable)
        hitrate: 73% (58% excluding validations)
        size: 1943668 bytes, 324 items

The most important number here is the 58% in parenthesis. The higher, the better. This number refers to requests that EP returned without forwarding it to Enfold Server or Plone (thus resulting in the most time-saving). The 73% number includes those occasions when the item was stale and EP needed to make a conditional request to Enfold Server/Plone. So 15% (i.e., 73-58) is the percentage of times when EP had to revalidate stale cache by checking with Enfold Server or Plone. These revalidation requests generally do not result in significant time savings, so for all practical purposes the only number you need to worry about is the number in parenthesis.

The cache directory

The proxy allows you to configure the directory where cached items are stored for a particular proxy definition.

Open EP configuration tool.
Select your proxy definition. Select the Caching tab.
Leave this blank if you want your cache directory to exist under the application directory. The directory will be created if it does not exist. If you wish to put your cache files elsewhere, you should copy the complete path to the directory here (e.g., C:\My Documents\proxy definition 1\cache).

IIS must be restarted before a change to this option will take effect.

When you change the cache_directory, the old cache is not migrated to the new location (i.e., the old cache remains and a new empty cache is created at the new location.)

Migrating your cache to a different place:

Stop IIS.
Move the cache directory into a new location.
Copy the absolute path into the Cache Directory field of your proxy definition.
restart IIS.

Purging from a Remote Machine

PURGE is a specialized HTTP command. This command is comprehensible to proxy servers like Squid, Varnish and Enfold Proxy; it orders the proxy server to evict the item from cache so future requests will fetch a fresh new copy. On the machine with Enfold Proxy, files will essentially be deleted from C:\Program Files\Enfold Proxy\cache\host www.originalfunsite.com\data .

Important: Purging will not work if you are using Chasseur caching product and using the Aggressive caching profile.

Enfold Proxy (EP) has controls to prevent purging commands from being issued by anyone. Generally, before you can do any purging, you need to explicitly declare which I.P. addresses are allowed to issue a PURGE command.

To do this, start the EP configuration utility from the start menu, select Settings --> Caching purge sources and type the I.P. address of any computer which will issue a PURGE command. At minimum, you need to type the IP address corresponding to your Plone or Enfold Server. This is required if you are going to run a PURGE command from within a Plone product. If you intend using a local command-line tool (like cURL) along with a remote Plone server, you must include the I.P. addresses of both the localhost (127.0.0.1) and the Plone host.

Note In many cases, it is necessary to type in 2 IP addresses here. First, 127.0.0.1 (which is localhost) and second, the actual IP address of your machine (such as 192.168.1.1). If you are testing when logged on as a domain user on the machine itself, sometimes IIS will treat domain requests as coming from outside the machine itself. If you are unsure which IP address is making the PURGE request, examine your IIS HTTP access logs and verify the IP address which made the PURGE request.

Special Note about Windows authentication (NTLM) and Purging. Enfold Server (ES) lets you use NTLM authentication to automatically log users in. If you are using NTLM with Enfold Server, you might not be able to run purge commands successfully. This is a known bug with Enfold Proxy 4.

Purge Cache within Enfold Proxy

Version 4x of Enfold Proxy includes a way to purge cache. To do this, select the Purge option on the left panel of EP's configuration utility. By checking or unchecking each proxy definition, you can delete the cache for one or multiple proxy definitions. Here is the result screen after you click the purge button.

Integrating non-Plone content on IIS

Demonstration of how Enfold Proxy lets Microsoft system administrator integrate non-Plone content with Plone on IIS

In the previous section, we saw how the Microsoft system administrator can use the commercial product Enfold Proxy (EP) to cache Plone content with Internet Information Services(IIS). This section shows how Enfold Proxy allows you to integrate non-Plone content with Plone on IIS. The process of proxying content, implementing a caching mechanism and integrating applications is an inherently complex undertaking. Enfold Proxy tries to "simplify" this complexity by putting everything inside a single GUI interface, providing simple instructions and lots of troubleshooting documentation.

Practically speaking, one common business need is to use IIS to host different web applications for one or more domains. Sure, rewrite rules in Apache let you do this, but that can get hairy if you are using too many. Actually it can get hairy in Enfold Proxy as well (let's be honest). But certain aspects of the EP interface provide a more usable view. First, Enfold Proxy uses "proxy definitions" (discussed in a previous section) to keep options for each Internet host in its own separate "compartment" but still easily accessible (on the left side of the panel). Second, each proxy definition contains two tabs (labeled Includes and Excludes) with options relevant to site integrators. Here is the Excludes screen for a proxy definition TextDef (without any values filled in).

enfold proxy excludes

Includes and Excludes

Includes and Excludes allows you to tailor which URLs are to be processed by Enfold Proxy (EP) and which are to be processed by Internet Information Services (IIS). Using Includes and Excludes lets you accomplish these things without causing URL conflicts. This is useful for several scenarios:

an application already existed in IIS before you installed Enfold Server or Plone.
you have directories of static content from previous websites which need to be included under the same domain.
you wish to install a separate non-Plone application and place it inside a directory inside the domain for your Plone application.
you wish to wrap a Plone site inside a nonPlone site
You need to keep existing nonPlone content at the root of your domain, but also let Plone/Enfold serve most of the content.

To add Excludes or Includes, open the EP configuration tool, choose your proxy definition and select the tab for Excludes or Includes .

You use Excludes when you want your Plone site to use ALL of the domain except the things you have explicitly excluded. You use Includes when you want your Plone site to use NONE of the domain except the files or directories you have explicitly included.

Important: Includes and Excludes should not be used as a way to prevent access to parts of sites. In fact, these options simply block people typing the www URL; they do not block access for those typing in a port and IP address. To harden your websites, it's more effective to set up security within the Plone application itself and/or to set up user authentication in Enfold Server using LDAP.

Integrating Non-Plone Content: Testing and Deployment

Create a test IIS site with www.fakedomain.com (a site only for testing).
Verify that you can access the server root of www.fakedomain.com (by setting DNS or editing your HOST file).
Add the web application into this IIS site. Steps may vary depending on the application, but you basically need to add a directory (real or virtual) into IIS. This directory should correspond to the directory (i.e., URL path) you wish to use when you integrate it with your Plone site.
Create proxy definition (s) to allow Plone to be served for the same web domain. In your Proxy Definition, select the IIS site for fakedomain (in the Site tab).
Add excludes and includes to the appropriate Proxy Definition(s) as needed.
After you have verified that everything works with the IIS site that serves www.fakedomain.com, you can go live simply by modifying your Proxy Definition(s) so that they stop using the IIS site for www.fakedomain.com and start using www.realdomain.com .

Using Excludes

Usually, Enfold Proxy handles all the traffic to a host or domain, but what if you wish to prevent Plone from handling a certain directory or set of files? The solution is to use Excludes.

The Exclude tab of your proxy definition lets you specify Exclude directories or specific files from being handled by Plone. Suppose you need to integrate a java application (let's call it "java application") into your Plone site. Your end goal is to have http://www.originalfunsite.com/java_application/ go to your Java application, while every other directory is handled by Plone/Enfold.

Any listed names in this section must match the initial path specification of the request exactly - case is sensitive and substrings are not matched.

Assumptions: you have a Plone site which is located at the root of http://www.originalfunsite.com . (See adding a proxy definition to learn how to do that).

Open IIS and confirm that the IIS site has a directory (or virtual directory) for your non-Plone application. If you don't have an index.htm or index.html file, create one. (Right click the IIS site --> New --> Virtual Directory).
Verify that this directory can be accessed when the proxy definition for the domain or host is inactive. (If you are dealing with a live site, you may need to use a fakedomain to test this (See the previous section).
Edit the Exclude tab of your proxy definition. Add the directory java_application (without a slash at the end) to the field Local Excludes.
After pressing save, type http://www.originalfunsite.com/java_application/ in your browser. You should see whatever is in the index.html file for your java_application directory.

Testing and Troubleshooting: You can run a command line utility eep_check utility with a --show-excludes argument to print a list of all items found by this auto-exclude processing. See also the troubleshooting checklist.

Note: When you list something in the Exclude field, you cannot use a slash (/). For that reason, you are not able to exclude deep folders (i.e., paths with more than one level: /java_application/small_applet/ ).

Using Auto-Excludes to Maintaining Existing URLs

The main function of auto-excludes is to maintain existing URLs from IIS after you add a Plone site. Suppose you want Plone to handle most of a domain, but you have legacy content still at the root that need to work. Auto-excludes lets EP check first if IIS content already exists for that URL; if it does, IIS will serve it; otherwise, Plone/Enfold will handle it.

Note: Be careful that existing/legacy IIS content is not preventing people from accessing important parts of the Plone site.

To set up an Auto-Exclude, select your proxy definition and choose the Excludes tab. If you use Auto-Excludes, you have to choose what kinds of web content will cause IIS to ignore Plone. (If you want an Auto-Exclude, more than likely you will want to choose All). The dropdown box for Auto-exclude shows these options:

Choosing (All) will check to see if there are any virtual directories, file system directories or files for a URL under the IIS site. If yes, then the IIS site will handle it. If no, then Enfold/Plone will handle it. This is probably the most common choice if you plan to set up auto-excludes.
Choosing (webdirs) will only exclude virtual directories specified within the IIS site. A virtual directory does not physically exist in the file system underneath the IIS root. Instead it may refer to an application or a directory in another location (analogous to a Windows short cut).
Choosing (fsdir) will only exclude file directories on the file system existing underneath the root for the IIS site. These directories actually appear in Windows Explorer (and not merely IIS).
Choosing (files)will tell IIS to serve files inside IIS document root instead of Plone whenever such a file or files exist.

Choosing (None) will deactivate all auto-excludes and just cause Enfold Proxy to assume that all HTTP requests should be handled by Plone.

Other Features: Includes, Regular Expressions, Etc

The Enfold website contains more detail about other advanced features for Plone integration tasks for IIS.

Here are some other advanced features of Enfold Proxy:

Includes. The main rationale for using Includes is to hide most of a Plone site except for one or more selected directories or one or more URLs. This can be useful if a certain directory is a domain is using a Plone application for a site which is otherwise almost completely non-Plone. Configuring includes can be tricky because once you make one setting, Enfold Proxy presumes that all Plone content will be excluded except pages you explicitly include. You may be able to do this more simply by modifying the Virtual host root and Local host root in your proxy definition. For example, suppose you have an IIS site and you have a directory in Plone (http://192.168.1.150:8080/Plone/salesdirectory/) which you wish to be called up whenever someone types www.originalfunsite.com/salesdirectory/ . Rather than putting 'salesdirectory' in EP's include field for your proxy definition, it's more direct to try this instead:

Local Host Root: /salesdirectory
Virtual Host Root: /Plone/salesdirectory
Virtual Hosts: 192.168.1.150:8080

excludes_regex. This lets you use regular expressions for excludes. For example, if you wished to exclude all .jpg files from the plone site (thereby causing all requests for such images to be handled by IIS itself), you could specify .*\.jpg (which will match any URL ending in .jpg).
includes_regex. Basically this lets you use regular expressions for includes. See the help on the Enfold website for more detailed instructions.
simple rewrite_mode. Instead of Virtual Host Monster, Enfold Proxy can change to a more generic rewriting mode which works with other applications besides Plone. (Read more).
caching XSL. It's possible to cache XSL and XML docs using in-memory cache. This kind of caching works differently from most Plone caching. (Read more).
syntax checking tool. Clicking check will analyze your current proxy definitions for configuration problems. (Read more).

Troubleshooting

Because proxying and caching can be a complicated subject, the Enfold site has an extensive troubleshooting checklist and FAQ page.

Conclusion

In this tutorial, we have looked at the commercial product Enfold Proxy and showed how it performs many of the complex system administration tasks which are required to run Plone. We have shown how it functions with IIS. This is not an open-source solution, and it is not free. But it has been commercially available for several years and fairly easy to learn how to use ..and well-tested and documented. Even though it's a Windows-only solution, Enfold Proxy can be used to proxy/cache Zope clients running on Linux boxes or Windows (as long as they connect to the same ZEO Server). While the Linux/Apache/Varnish toolchain might have flexibility and control for a qualified UNIX administrator, Enfold Proxy offers comparable flexibility and control (with a Plone-specific interface).