Skip to main content

Multiple Web Sites and SSL

More
18 years 1 month ago #17707 by tfs
We have a server at work that handles 4 web sites. We are running IIS6 and have to have at least on secure page on each web site.

Standard Port for SSL is 443. The problem is that you can only have one Web Site (application) using an SSL port.

We solved the problem by using non-standard ports 8443, 8444,8445,8446 - one for each site.

This works fine for most cases. The problem is that we now find that you will have problems with companies that have Proxy servers. They apparently have only 443 open for SSL by default. So any company that signs up with us that have a Proxy Server would have to modify the Proxy to allow one of these non-standard ports. Not really a good idea.

The only way around this problem (that I can figure out) is to have one Server for each Web Site. Very expensive. Especially since a couple of these sites have very little traffice (at the moment).

So if I have 6 web sites I would need 6 servers.

Is there a better way around this problem?

Thanks,

Tom
More
18 years 1 month ago #17708 by d_jabsd
You don't need 6 servers, but you do need 6 IPs and you need to specify which site is listening on each IP. By default, IIS listens on all interfaces and addresses for every site you configure.

The default works great for non-ssl sites, as it is just name-based hosting, but ssl doesn't work with name-based hosting.
More
18 years 1 month ago #17712 by Smurf
Another way that may work with this is if you publish through ISA Server. If you terminate the SSL connections on the ISA Server you can then publish to the correct host header on HTTP only on the inside, then the host headers will take over. I have never really tested it but i believe this is easy to acheive.

Hope that makes sense.

Cheers

Wayne Murphy
Firewall.cx Team Member
www.firewall.cx

Now working for a Security Company called Sec-1 Ltd in the UK, for any
Penetration Testing work visit www.sec-1.com or PM me for details.
More
18 years 1 month ago #17741 by d_jabsd
Smurf,

Thats not a bad idea and its how SSL Accelerators (like the ones offered by F5) usually work, soo it shouldn't be too difficult to do. You could probably share the cert between 2 ISA boxen for redunancy if it allows it.
Time to create page: 0.132 seconds