Solved

How to get multiple SSL sites working on IIS5 with NLB.

Posted on 2001-07-25
6
278 Views
Last Modified: 2007-12-19
I am running 2 x Win2k Adv. Servers with NLB. I have multiple sites on the servers, most sharing an IP address.
I now need a few of those sites to use SSL, so I have got SSL certs from VeriSign, and moved those sites to a unique IP address.

However, I have NAT going on in the firewall, which points the external IP addresses to a single NLB IP address inside. I think however, that IIS may want the SSL sites to have a unique internal IP address as well, I'm not sure.
When I enable SSL for a site, it only works if I get it to use the (All Unassaigned) IP address. After that, all SSL traffic for all sites ends up at the one that catches the Unassagined IP's.
Assigning SSL to it's unique external IP address doesn't seem to do the trick, prob. because the external IP address is now only available in the hostname, which is encrypted in SSL, and unavailable?

I think the solution lies in mapping the unique external IP's to unique internal IP's. Unfortunately, there is only 1 NLB IP address, so unless I can add more, I don't know what to do.

Anyone know how to get around this?
0
Comment
Question by:roddy
6 Comments
 
LVL 5

Expert Comment

by:dredge
ID: 6318088
listening.
0
 
LVL 9

Accepted Solution

by:
TTom earned 300 total points
ID: 6319707
Can you map the (many) external IP addresses to the (single) internal IP address, but using different ports and configure IIS for each of the sites to use the same IP address, but a different port?

(Not sure I really understand the problem, so this may be off base.)

Tom
0
 
LVL 5

Expert Comment

by:dredge
ID: 6319744
perhaps when the internal user wants to log onto the secure port, you'll simply have to send them through your firewall and allow them to point at the public IP address.
0
PRTG Network Monitor: Intuitive Network Monitoring

Network Monitoring is essential to ensure that computer systems and network devices are running. Use PRTG to monitor LANs, servers, websites, applications and devices, bandwidth, virtual environments, remote systems, IoT, and many more. PRTG is easy to set up & use.

 
LVL 37

Expert Comment

by:meverest
ID: 6320965
SSL requires a unique IP address/port because the protocol does not support http1.1-like hostname headers to identify the virtual host.

now if you are using a port map on the NAT router, then you can only have one address per port, so to get multiple ssl sites working on your internal web server, you have two options:

1. use a different port for each virtual server, and then set up additional port-to-internal-address maps on the NAT, eg,
assuming your NAT router address is 1.2.3.4 and the internal web server is 192.168.1.1, add these maps:

1.2.3.4 port 443 -> 192.168.1.1 port 443
1.2.3.4 port 1443 -> 192.168.1.1 port 1443
1.2.3.4 port 2443 -> 192.168.1.1 port 2443

2.  set up the NAT with multiple public addresses, and map port 443 to multiple virtual servers on the internal; network, eg:

assuming your NAT router address has 1.2.3.4, 1.2.3.5, and 1.2.3.6 and the internal web server has 3 virtual servers mapped to 192.168.1.1, 192.168.1.2, 192.168.1.3, add these maps:

1.2.3.4 port 443 -> 192.168.1.1 port 443
1.2.3.5 port 443 -> 192.168.1.2 port 443
1.2.3.6 port 443 -> 192.168.1.3 port 443

your main problem is to get access to additional address space, or you will need to use different ports, so that when accessing, it will look like this in the browser:

https://server1.domain.com
https://server2.domain.com:1443
https://server3.domain.com:2443

etc.

cheers.


 
0
 

Author Comment

by:roddy
ID: 6321414
I'm going to try using different ports for each external IP address. Just looking at this idea makes me very confident it will work.
IIS actually seems designed with this in mind, now that I look at it this way. Specifying your secure port is very easy.

This will take me a few hours to implement, so points will be given afterwards.

TTom got in first with this answer, and while meverest gave a very complete answer, it wasn't exactly what I wanted. These are the mappings that TTom had in mind, and is what I'll be trying.

1.2.3.4 port 443 -> 192.168.1.1 port 443
1.2.3.5 port 443 -> 192.168.1.1 port 1443
1.2.3.6 port 443 -> 192.168.1.1 port 2443
0
 

Author Comment

by:roddy
ID: 6337496
Yep, this is working fine. I just feel stupid I didn't think of it myself...

Anyway, thanks for your help. Sorry for the delay in giving points.

Rod
0

Featured Post

Is Your Active Directory as Secure as You Think?

More than 75% of all records are compromised because of the loss or theft of a privileged credential. Experts have been exploring Active Directory infrastructure to identify key threats and establish best practices for keeping data safe. Attend this month’s webinar to learn more.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

First of all, clustering IIS is something you should rarely consider doing. In almost all cases, Microsoft Network Load Balancing (NLB) (http://technet.microsoft.com/en-us/library/cc758834(WS.10).aspx) is a much better solution when you need to p…
Debug Tools to analyse IIS process: This article focus on taking memory dumps from IIS to determine which code is taking more time and to analyse which calls hangs/causes more CPU usage. To take dumps,download the following. Install1: To st…
Need to grow your business through quality cloud solutions? With everything required to build a cloud platform and solution, you may feel like the distance between you and the cloud is quite long. Help is here. Spend some time learning about the Con…
A company’s greatest vulnerability is their email. CEO fraud, ransomware and spear phishing attacks are the no1 threat to a company’s security. Cybercrime is responsible for the largest loss of money to companies today with losses projected to r…

929 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

9 Experts available now in Live!

Get 1:1 Help Now