ColdFusion Administrator, IIS, and Deployment

Learn the configuration outside the CFML files that determines whether a legacy application can actually run and be recovered.

ColdFusion Administrator is privileged infrastructure. Restrict it by network, use a strong unique password, remove public mappings, and do not leave RDS or sample applications exposed.

What ColdFusion Administrator Controls

Server Settings

  • Request timeouts
  • Template caching
  • Whitespace management
  • Debugging output
  • Error handling

Datasources

  • JDBC drivers
  • Connection details
  • Connection pooling
  • Validation queries
  • Database permissions

Runtime Services

  • Mail server
  • Scheduled tasks
  • Mappings
  • Custom-tag paths
  • Verity collections

Java and Integration

  • JVM heap arguments
  • Java class paths
  • J2EE sessions
  • Web services
  • Event gateways in MX 7 Enterprise

Web-Server Connector

IIS or Apache must route ColdFusion file extensions to the application server. A connector problem can make static HTML work while .cfm requests return 404, 500, or hang.

IIS 6 Concepts in a Period Lab

  • Web sites and host headers
  • Application pools and identities
  • ISAPI mappings and extensions
  • Virtual directories such as CFIDE
  • NTFS permissions for the ColdFusion service and IIS worker

Do not copy a permissive IIS 6 configuration into a current production environment. The purpose is to understand how the legacy deployment was wired.

Datasource Checklist

  1. Create a dedicated database login for the application.
  2. Grant only the tables and operations the application requires.
  3. Configure the datasource in ColdFusion Administrator.
  4. Test the connection from Administrator.
  5. Run a small query from a diagnostic template.
  6. Remove the diagnostic template after testing.
<cfquery name="healthCheck" datasource="support_portal">
    SELECT 1 AS database_ok
</cfquery>

<cfoutput>Database result: #healthCheck.database_ok[1]#</cfoutput>

JVM Memory

ColdFusion MX runs on Java, so heap configuration matters. Increasing heap is not a substitute for finding large queries, unbounded application/session data, file-processing spikes, or memory leaks.

Record before changing: Current JVM path, minimum heap, maximum heap, other JVM arguments, ColdFusion edition, updater level, and available physical memory.

Deployment Inventory

ItemQuestions
SourceWhere is the authoritative copy? Is production different from source control or backup?
ConfigurationWhich DSNs, mappings, mail settings, tasks, and Java classes exist only in Administrator?
FilesWhich directories need write permission? Which contain uploads or generated documents?
DependenciesWhich CFX tags, COM objects, JARs, web services, or network shares are required?
RecoveryCan the exact app, config, database, and uploaded files be restored to a clean server?

Safer Deployment Pattern for a Legacy App

  1. Place a current reverse proxy or load balancer in front of the legacy server.
  2. Allow traffic only from the proxy to the legacy web server.
  3. Block direct access to Administrator, RDS, internal diagnostics, and source backups.
  4. Terminate current TLS at the proxy while preserving correct host and protocol headers.
  5. Centralize access logs and health checks.
  6. Maintain a tested rebuild and rollback procedure.