By now, most folks know that there are some major changes between IIS 6 (included with Windows Server 2003) and IIS 7 (included in Windows Server 2008) and now IIS 7.5 (included in Windows Server 2008 R2). This of course directly relates to and affects BITS enabled distribution points in Configuration Manager 2007 and the underlying IIS configuration because BITS on the server side is essentially a function of IIS. Actual configuration of IIS 7 and 7.5 in preparation for BITS enabled DPs is covered in TechNet: http://technet.microsoft.com/en-us/library/cc431377.aspx.
Near the bottom of the above linked page is a section that generally tells you to loosen some of the security restrictions in IIS to accommodate BITS distribution of software. This is the result of the inclusion of most of the features of the IISLockdown security tool directly into IIS. These security features prevent IIS from responding to requests using malformed URL strings, which could lead to elevated access or running commands that should not be allowed, or serving restricted content like configuration files or database files. The requestFiltering section described in the article specifically deals with the later and is the usual suspect when BITS is having issues providing content to clients. The ConfigMgr team recently posted a great article on troubleshooting the BITS process:
I ran into both the bin folder being blocked and the double escape sequence being blocked as described in step 6 of the above linked article. At the time though, I had no idea what was actually causing the problem. My first step was to open the IIS log on the DP and look for any errors. In reviewing the log, I noticed that many of the files were being transferred successfully as indicated by a success code of 200. However, there were numerous files failing with a code of 404 — content not found in HTTP error code terms. The only commonality for the failures I found was that the URLs contained Program+Files — checking the source files reveled that there indeed was a Programs Files folder there — BITS adds the plus to encode the space. Not being an IIS expert I didn’t know exactly how to correct this issue even though I knew what the symptoms were.
I copied the URLs into IE on a client system and received similar results, a generic 404 for the files with Program Files in their path and a download attempt on the others. Just because (call it intuition), I did the same on the DP itself and the error page returned gave me the cause of the symptoms: double escaping is disabled. Although I had forgotten and got a little lucky, the thing to point out here is that IIS (by default) will return extended error information to the web client (IE in this case) if the request was local to the IIS system. Thus, if you are having issues downloading content using BITS, locate the URL in the IIS log and enter it into IE on the DP itself and IIS should tell you exactly what’s going on.