Maung²'s Technical Adventures

News

  • Microsoft Most Valuable Professional
    (Visual Developer - Security)

    Microsoft Certified Trainer

    Microsoft Certified Professional Developer
    (Enterprise Application Developer)

    Microsoft Certified Solution Developer (.NET)

    Microsoft Certified System Engineer
    (Windows NT 4.0/2000)

    Microsoft Certified Technology Specialist

    - Web Application Development
    - Windows Application Development
    - SharePoint 2003: Infrastructure
    - XML: Office 2003
    - TFS: Configuration and Development

    Certified Novell Administrator
    (Novell Netware 4.11)

January 2007 - Posts

Multiple (SSL) Web Sites in IIS (Part 2)

Stop!  Have you read my previous post on “Multiple Web Sites in IIS – Part 1”?  If you have not, I strongly recommend that you spend some time reading my previous post.

As I discussed in my previous post, you can configure IIS to host multiple web sites using a variety of techniques.  The next thing you might want to do is configure SSL on those web sites.

If you are using a unique IP address for each web site, every site can use port 443, the default SSL port, at the cost of maintaining and securing multiple IP addresses on the server.

If you are using a single shared IP address, then you will have to configure a different SSL port on each web site, which results in unfriendly URLs such as “https://www.maungphyo.com:444/default.aspx”.

If you are not keen on managing a multi-homed web server, or dislike the idea of unfriendly URLs, the last technique you can rely on is custom host headers.  But how?  If you open the Web Site Properties dialog and click the “Advanced” button on the “Web Site” tab, you will instantly realize that there is no place to configure a custom host header for SSL bindings.

You can configure a custom host header for SSL bindings only with a command-line tool (technically speaking, a script file provided with the default IIS installation) or with other tools such as Metabase Explorer from the IIS Resource Kit.

Here is the procedure for enabling custom host headers in SSL sites.

1) First, find the metabase path of the site to be configured.  "iisweb.vbs" is in %SystemRoot%\System32.

C:\>iisweb.vbs /query

For instance, the metabase path for “Default Web Site” is “W3SVC/1”.

2) Navigate to the folder where the Visual Basic admin scripts are stored.

C:\>CD\Inetpub\AdminScripts

3) Set the metabase property “SecureBindings” to the desired value using “AdsUtil.vbs”. Take note of the leading “:”.

C:\Inetpub\AdminScripts>AdsUtil.vbs SET W3SVC/1/SecureBindings ":443:www.maungphyo.com"

4) Repeat this for each site, using the default SSL port 443 with a different custom host header.

Just remember one thing: on Windows Server 2003 with Service Pack 1, you will need to add all the custom host headers to the “BackConnectionHostNames” registry key for Integrated Windows Authentication to work on those host-header-enabled sites.  Read my previous post "IIS Security Enhancement in Windows Server 2003 SP1" on this issue.
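
An added example, not part of the original post: a small Python audit of the SecureBindings values you plan to set in steps 3 and 4, run before touching the metabase. It assumes all sites on the shared port use one wildcard certificate (IIS has to choose the certificate before it can read the host header); the site IDs W3SVC/2 to W3SVC/4, their host names and the certificate name are constructed for illustration.

```python
from collections import defaultdict

def parse_binding(binding):
    """Split an IIS 6 binding string 'IP:Port:HostHeader'; an empty IP means all addresses."""
    parts = binding.split(":")
    if len(parts) != 3 or not parts[1].isdigit():
        raise ValueError(f"malformed binding: {binding!r}")
    return parts[0] or "*", int(parts[1]), parts[2].lower()

def cert_covers(cert_name, host):
    """True if the certificate name (exact, or wildcard for one left-most label) covers host."""
    if cert_name.startswith("*."):
        return "." in host and host.split(".", 1)[1] == cert_name[2:].lower()
    return host == cert_name.lower()

def audit(sites, cert_name):
    """sites maps metabase path -> list of SecureBindings values; returns a list of findings."""
    by_endpoint = defaultdict(list)            # (ip, port) -> [(path, host), ...]
    for path, bindings in sites.items():
        for b in bindings:
            ip, port, host = parse_binding(b)
            by_endpoint[(ip, port)].append((path, host))
    findings = []
    for (ip, port), users in by_endpoint.items():
        hosts = [h for _, h in users]
        for path, host in users:
            if len(users) > 1 and not host:
                findings.append(f"{path}: shares {ip}:{port} but has no host header")
            elif hosts.count(host) > 1:
                findings.append(f"{path}: duplicate binding {ip}:{port}:{host}")
            elif len(users) > 1 and not cert_covers(cert_name, host):
                findings.append(f"{path}: {host} is not covered by {cert_name}")
    return findings

def host_headers(sites):
    """Host names in use, i.e. the ones to list in BackConnectionHostNames."""
    return sorted({parse_binding(b)[2] for bs in sites.values() for b in bs} - {""})

# Constructed inventory: W3SVC/2 to W3SVC/4 and their host names are hypothetical.
SITES = {
    "W3SVC/1": [":443:www.maungphyo.com"],
    "W3SVC/2": [":443:blog.maungphyo.com"],
    "W3SVC/3": [":443:"],                    # host header forgotten
    "W3SVC/4": [":443:www.example.org"],     # outside the wildcard
}
CERT = "*.maungphyo.com"                     # assumed shared wildcard certificate

if __name__ == "__main__":
    print(audit(SITES, CERT), host_headers(SITES))
```
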

Good luck!

Orcas January 2007 CTP (Installable Bit)

I am not really a big fan of virtualization technologies and I have been waiting for the installable bit of Visual Studio codename 'Orcas'.  Yes! Finally...

I am very glad to see Microsoft has released an installable bit of the next version of Visual Studio codename 'Orcas' together with the usual Virtual PC image release.

Installable Bit download: http://www.microsoft.com/downloads/details.aspx?FamilyID=69055927-458B-4129-9047-FCC4FACAE96C&displaylang=en

Virtual PC Image download: http://www.microsoft.com/downloads/details.aspx?FamilyId=1FF0B35D-0C4A-40B4-915A-5331E11C39E6&displaylang=en

Above are the links for the public downloads, which are divided into multiple parts for your own convenience.  The filenames say it is Dec2006 CTP although the heading clearly states that it is January 2007.  But who cares...

Multiple Web Sites in IIS (Part 1)

Microsoft Internet Information Services can be configured to host multiple web sites.  I knew everybody knew this.

So why am I wasting my time writing this? Or why should you waste your time reading this? Well... I am just trying to make sure that you are ready for my Part 2, in which I will be discussing multiple SSL sites configuration on the same server.  You should read this to understand the basics before proceeding to part 2.

Multiple web sites can be hosted in IIS using one of the following techniques.

1) Using a single IP address with a different port number assigned to each site, meaning that you can only have one site running on the default TCP port 80.  Other sites using non-default ports will have to be accessed using unfriendly URLs, such as http://www.mydomain.com:70.  Another drawback of this technique is that it violates security best practices, as your firewall will be required to allow incoming traffic on all the ports that are used by your server.  To implement this technique, assign a unique port number to each site in the Web Site Properties dialog.

2) Another technique is to use multiple IP addresses with different sites running on the default port.  First, you will need to configure your server with multiple IP addresses in Network Connection properties. Then, assign a unique IP address to each site in the Web Site Properties dialog.  Managing multiple address allocations for the server requires additional administrative work.  The more IP addresses the server is allocated, the larger the attack surface; thus, it is not recommended (by me).  Furthermore, if you are using public IP addresses, you will have to waste additional IP addresses on the server.

3) The last one is my favorite, as we can use a single IP address and still have all the sites running on the default TCP port 80. All we need is to configure a unique host header for each site.  Click the "Advanced..." button on the Web Site Properties dialog to configure the host header for each site.  You will just need to register multiple host records in the DNS server to map all the host names to the same IP address.  But this technique has an issue with Integrated Windows Authentication on the web site due to a Windows Server 2003 Service Pack 1 enhancement.  I have posted something on IIS Security Enhancement in Windows Server 2003 Service Pack 1 for your reference.

Try these out and see which one best fits your requirements!

Stay tuned for Part 2, in which I will be discussing the options for hosting multiple SSL sites on the same IIS server.

IIS Security Enhancement in Windows Server 2003 SP1

Ever wonder why Integrated Windows Authentication (IWA) does not work or stops working for custom host header enabled sites after installing Windows Server 2003 Service Pack 1?

You have made sure the site URL is included in the Local Intranet site list in your browser configuration, and yet it still doesn't work!!!

Do you keep receiving HTTP error 401.1 even when you type the correct user name and password when prompted?

IWA will not be successful on custom host header enabled sites due to the loopback check security feature of Windows Server 2003 SP1.  Worry not!  Check out this must-read Knowledge Base article for more details: http://support.microsoft.com/kb/896861.

Remember one thing before you try the trick.  Back up your registry.