Multiple domains on SSL IIS7
I seem to be going round in circles trying to run more than one website (sub domains) with a wildcard SSL certificate on port 443.
At first it won't let me bing to 443 because of another website using that port.
I added another internal IP to the server NIC, but as their is no NAT and we only have one external IP it doens't work!
Is it possible to have one public IP , run multiple websites in IIS7 using a wildcard SSL and port 443?
I've heard the word 'SSL aggregator' , but understand them to be stupidly expensive.
Why is what seems to be something really simple so hard to implement?
You've read your signature right?
Open command prompt and navigate to: C:\inetpub\adminscripts (You will need to find out what the identifier is for each site) Open IIS, click on "Web Sites"... the identifers will show up in the window to the right. Now in the command prompt type: cscript.exe adsutil.vbs set /w3svc/<site identifier>/SecureBindings “:443:<host header>”
Last edited by seack79; May 25th, 2012 at 06:38 PM.
If you can 'override' this apparent security feature in IIS7 GUI with a command line why won't IIS let you perform this process via the GUI?
Does this break any security or open up potential SSL holes?
When I spoke with the hosting compnay they explained to me the reason each SSL binding has to be on a unique IP address is due to the SSL security ensuring integrity of the communication.
Is this true?
I'm no expert on communication and networking, but as I understand the way a computer can have so many concurrent connections is as communication request comes in on say port 80 for a website, the computer moves that request to a free port and continues the comunication over the newly assigned port.
This leaves port 80 open so the computer can 'listen' for further requests while continuing communication with the previous request over the allocated port.
This is why a single computer can only deal with (i could be wrong here) @ 64,000 connections.
Obviously not all ports are available as they are used for particular comunications for the OS and other system functions (25-SMTP, 21-FTP, 1433- SQL) etc.
Is this correct?
If it is, then one assumes the same process is used on port 443 and so sharing the port for 'listening' purposes should not be an issue - right?
Which one assumes it is doing for all 443 comunication for the single currently bound website.
I also assume the fact you are using virtual host headers for mutiple sites, makes no different, as that is the point of IIS host header multipe domain functionality?
I also think I saw a thread that said port 443 SSL sharing is comming in IIS8?
Does that mean only IIS8 is capable of sharring port 443 for mutiple domains over SSL securley due to some fundamental change to the way IIS works, or have they simply added your provided method via command line to the IIS8 GUI?
Your input would be appreciated.
Last edited by 1DMF; May 26th, 2012 at 05:58 AM.
Not really sure on that part of it, you may want to post the question in the Security forum and see if you get a response.
November 3rd, 2012, 10:06 AM
If you are doing multple domain names, look into getting a UCC ssl certificate
If you want multple subdomains, then wildcard is what you want.
This assumes you are using 1 ip address. Either scenario can be using in a shared hosting arrangement hosting several sites.
November 3rd, 2012, 09:43 PM
Please watch the original posting date, this thread is over 6 months old.
I've never been able to appreciate the sublime arrogance of folks who feel they were put on earth just to save other folks from themselves .." - Donald Hamilton
November 3rd, 2012, 09:47 PM
sure I found this thread through google and decided to add a little more info so others who might stumble upon this thread looking for a solution might gain just a bit more info, but I will look for fresher threads next time.
November 4th, 2012, 02:23 AM
I got it sorted by assinging additional IP's to the server NIC and binding the subdomains needing to use the wildcard SSL to the relevant IP address.
I even have one delveopment Catalyst site on a subdomain using the wildcard SSL certificate assigned to it's own internal IP on the server NIC and using NAT/port forwading on the firewall for the port number the application is listening on as it isn't 443 standard SSL.
I know you can run a command line to assign more than one website (subdomain) to the same IP to use the wildcard SSL, but as it wasn't recommended by my hosting company and nor can it be done through the IIS GUI, this is a better solution.
Last edited by 1DMF; November 4th, 2012 at 02:25 AM.