#1
    Contributing User, Devshed Newbie (0 - 499 posts); Join Date: Dec 2009; Posts: 335

    Multiple domains on SSL IIS7


    I seem to be going round in circles trying to run more than one website (sub domains) with a wildcard SSL certificate on port 443.

    At first it won't let me bind to 443 because of another website using that port.

    I added another internal IP to the server NIC, but as there is no NAT and we only have one external IP it doesn't work!

    Is it possible to have one public IP, run multiple websites in IIS7 using a wildcard SSL and port 443?

    I've heard the word 'SSL aggregator', but understand them to be stupidly expensive.

    Why is what seems to be something really simple so hard to implement?
    Free MP3 Dance Music Downloads

    To err is human; To really balls things up you need Microsoft!
#2
    Contributing User, Devshed Regular (2000 - 2499 posts); Join Date: May 2004; Location: surfing the interwebz; Posts: 2,410
    Quote: "Why is what seems to be something really simple so hard to implement?"
    You've read your signature right?

    Open command prompt and navigate to: C:\inetpub\adminscripts (You will need to find out what the identifier is for each site.) Open IIS, click on "Web Sites"... the identifiers will show up in the window to the right. Now in the command prompt type:

    cscript.exe adsutil.vbs set /w3svc/<site identifier>/SecureBindings ":443:<host header>"

    Last edited by seack79; May 25th, 2012 at 06:38 PM.
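A scripted version of the adsutil.vbs step above, added here as an example (it is not from the thread or from seack79): it applies the SecureBindings command to several sites and first checks that each host header is actually covered by the wildcard certificate, because IIS7 selects the certificate by IP address and port, not by host name, so every site sharing that binding is served the same certificate. It assumes PowerShell on the IIS7 server, adsutil.vbs present (it needs the IIS 6 management scripts and tools role service), the wildcard certificate already bound to the IP on 443 for the first site, and constructed site identifiers, host names and a wildcard name that are placeholders.

```powershell
# Added example, not code from the thread. Site ids, host headers and the
# wildcard name below are constructed placeholders; adjust to your server.
$AdminScripts = 'C:\inetpub\AdminScripts'
$WildcardCert = '*.example.com'   # assumed: the name on the wildcard certificate

# Constructed sample: IIS site identifier -> host header to serve on 443
$Sites = @{
    1 = 'www.example.com'
    2 = 'dev.example.com'
    3 = 'api.example.com'
}

function Test-WildcardMatch {
    param([string]$HostName, [string]$Pattern)
    # A wildcard certificate covers exactly one label in place of '*',
    # so 'a.b.example.com' is NOT covered by '*.example.com'.
    $suffix = $Pattern.Substring(1)   # '.example.com'
    if (-not $HostName.EndsWith($suffix, [StringComparison]::OrdinalIgnoreCase)) { return $false }
    $label = $HostName.Substring(0, $HostName.Length - $suffix.Length)
    return ($label.Length -gt 0) -and (-not $label.Contains('.'))
}

$adsutil = Join-Path $AdminScripts 'adsutil.vbs'
if (-not (Test-Path $adsutil)) {
    throw "adsutil.vbs not found; install the IIS 6 Management Scripts and Tools role service."
}

foreach ($id in $Sites.Keys) {
    $hostHeader = $Sites[$id]
    if (-not (Test-WildcardMatch -HostName $hostHeader -Pattern $WildcardCert)) {
        # A host name outside the wildcard would still get the same certificate
        # on this IP:443 and browsers would report a name mismatch, so skip it.
        Write-Warning "$hostHeader is not covered by $WildcardCert; skipping site $id"
        continue
    }
    # Same command as in the post above; the value is quoted so the leading colon survives.
    & cscript.exe //nologo $adsutil set "/w3svc/$id/SecureBindings" ":443:$hostHeader"
}

# Read back what each site is now bound to on 443 so the change can be verified.
foreach ($id in $Sites.Keys) {
    & cscript.exe //nologo $adsutil get "/w3svc/$id/SecureBindings"
}
```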
#3
    Contributing User, Devshed Newbie (0 - 499 posts); Join Date: Dec 2009; Posts: 335
    Thanks seack79,

    If you can 'override' this apparent security feature in IIS7 GUI with a command line why won't IIS let you perform this process via the GUI?

    Does this break any security or open up potential SSL holes?

    When I spoke with the hosting company they explained to me the reason each SSL binding has to be on a unique IP address is due to the SSL security ensuring integrity of the communication.

    Is this true?

    I'm no expert on communication and networking, but as I understand the way a computer can have so many concurrent connections is as a communication request comes in on say port 80 for a website, the computer moves that request to a free port and continues the communication over the newly assigned port.

    This leaves port 80 open so the computer can 'listen' for further requests while continuing communication with the previous request over the allocated port.

    This is why a single computer can only deal with (I could be wrong here) around 64,000 connections.

    Obviously not all ports are available as they are used for particular communications for the OS and other system functions (25-SMTP, 21-FTP, 1433-SQL) etc.

    Is this correct?

    If it is, then one assumes the same process is used on port 443 and so sharing the port for 'listening' purposes should not be an issue - right?

    Which one assumes it is doing for all 443 communication for the single currently bound website.

    I also assume the fact you are using virtual host headers for multiple sites makes no difference, as that is the point of IIS host header multiple domain functionality?

    I also think I saw a thread that said port 443 SSL sharing is coming in IIS8?

    Does that mean only IIS8 is capable of sharing port 443 for multiple domains over SSL securely due to some fundamental change to the way IIS works, or have they simply added your provided method via command line to the IIS8 GUI?

    Your input would be appreciated.

    1DMF.
    Last edited by 1DMF; May 26th, 2012 at 05:58 AM.
#4
    Contributing User, Devshed Regular (2000 - 2499 posts); Join Date: May 2004; Location: surfing the interwebz; Posts: 2,410
    Not really sure on that part of it, you may want to post the question in the Security forum and see if you get a response.
#5
    Registered User, Devshed Newbie (0 - 499 posts); Join Date: Nov 2012; Posts: 8
    If you are doing multiple domain names, look into getting a UCC SSL certificate.

    If you want multiple subdomains, then wildcard is what you want.

    This assumes you are using 1 IP address. Either scenario can be used in a shared hosting arrangement hosting several sites.
#6
    Grumpier old Moderator, Devshed Supreme Being (6500+ posts); Join Date: Jun 2003; Posts: 14,440
    Please watch the original posting date, this thread is over 6 months old.
    ======
    Doug G
    ======
    Bartender to Rene Descartes "have another beer?" Descartes: "I think not" and he vanished.
    --Alfred Bester
#7
    Registered User, Devshed Newbie (0 - 499 posts); Join Date: Nov 2012; Posts: 8
    Sure. I found this thread through Google and decided to add a little more info so others who might stumble upon this thread looking for a solution might gain just a bit more info, but I will look for fresher threads next time.
#8
    Contributing User, Devshed Newbie (0 - 499 posts); Join Date: Dec 2009; Posts: 335
    Thanks Guys,

    I got it sorted by assigning additional IPs to the server NIC and binding the subdomains needing to use the wildcard SSL to the relevant IP address.

    I even have one development Catalyst site on a subdomain using the wildcard SSL certificate assigned to its own internal IP on the server NIC and using NAT/port forwarding on the firewall for the port number the application is listening on, as it isn't 443 standard SSL.

    I know you can run a command line to assign more than one website (subdomain) to the same IP to use the wildcard SSL, but as it wasn't recommended by my hosting company and nor can it be done through the IIS GUI, this is a better solution.

    Regards,
    1DMF
    Last edited by 1DMF; November 4th, 2012 at 02:25 AM.