This seems like one of those questions that has a simple answer I am not seeing.
We have an IIS server hosting multiple websites, each site on a separate IP. Some of these sites are running ASP and ASP.NET applications. I have one site whose primary purpose in life is to serve updates for Sophos antivirus, which are basically static file sets. The OS X package for Sophos contains a file that ends with a .config extension. IIS refuses to serve this file (which is key to the update process) because it believes that it is part of an application. The error IIS returns is 403.1.
What I want to do is configure this single IIS site / virtual directory such that files ending with .config are served as regular text or similar so that the Sophos client can update properly. Preferably this would be set so that other sites on the same server would not be affected (i.e. no turning the ASP.NET extensions off). So far, specifying that .config is text/text and application/octet-stream in MIME has not helped (MIME is otherwise set to ".* All"). Neither has setting permissions for the site's virtual directory to read-only and removing script running permissions (that simply changes the error from 403.1 to "Service Unavailable").
Other than just admitting defeat and setting up Apache on a Linux box somewhere, what should I be doing here? Thanks in advance.
I called Sophos Support, thinking that they should have seen this situation previously but apparently they had not (which, I suppose, indicates how many folks they have updating OS X machines from an IIS CID). They did a little bit of research and found this thread: http://forums.iis.net/t/1159987.aspx which indicates that, because exposing .config files could naturally lead to inadvertently exposing web.config, Microsoft does not allow .config files to be accessible via IIS (at least on 6 and higher). The thread mentioned contains a link to a workaround but, per good policy, Sophos will not recommend the workaround since it violates Microsoft's recommended security practices. In short, the answer is that there is no supported way to use IIS 6 and above as an update repository for Sophos on OS X.
The solution that I am going to deploy is to create a CID on an instance of Apache somewhere instead.