  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 649

can't assign SSL to one site...

I have two web sites running right now and one is using port 85 and the default is using 80. I set up SSL so that I wouldn't have to type in :85 after the web address for the first site. However, if I put in 443 in the SSL port for the second site, it adds it to the first site as well. Then, because they're both trying to use 443 it will stop one of the two sites.

What is the proper procedure for setting up one site to use http and then have another one on the same machine running off https: ?

If I try to take 443 off the default site in the advanced setting it isn't possible to highlight it and remove it. It only disappears from the default site if I take it off the other site.
0
wlandymore
Asked:
1 Solution
 
Rich Rumble (Security Samurai) Commented:
With IIS in order to run 2 SSL sites (if there is a separate cert for each) you must have 2 different IP addresses to use.
http://64.233.179.104/search?q=cache:dbstyqM9fnQJ:www.instantssl.com/ssl-certificate-support/cert_installation/iis_ssl_certificate_4x.html+IIS+ssl+separate+ip+address&hl=en
-rich
0
 
wlandymore (Author) Commented:
Well I already bound another IP to the NIC so one site is 192.168.10.5 and the other site is 192.168.10.6.
However, I don't want to use SSL for both, I just want to use 80 for one and 443 for the other. That way if I was to use something like a router with one external IP I could point people to one web site using SSL or 443 and then to the other one on http or port 80.
That way getting two web servers to work by using different ports.

However, like I said above, I'm having some problems with the ports because when I assign an SSL port for web site #2, the SSL port shows up for the default web site as well. Then because they're using the same port it will shut one of the web sites off.

I need to get one to use ONLY 80 and the other to use ONLY 443, but I can't seem to get it set up right.
0
 
Rich Rumble (Security Samurai) Commented:
So you have the same page... which you can reach by http://example.com:80 as well as http://example.com:443 ??

SSL diagnostic tool that may be of use
http://www.microsoft.com/downloads/details.aspx?FamilyID=cabea1d0-5a10-41bc-83d4-06c814265282&displaylang=en


When you create new sites in the MMC for IIS, the SSL port is not automatically configured. To do this, configure the Advanced area of the Web site properties with Port 443. This is the default SSL protocol port. http://support.microsoft.com/kb/q228991/
http://www.microsoft.com/windows2000/en/server/iis/default.asp?url=/windows2000/en/server/iis/htm/core/iisslsc.htm
http://support.microsoft.com/?id=187504
-rich
0
 
wlandymore (Author) Commented:
No, two pages.

Because we have a router working and one of the pages already uses port 80 I need another port open to the other web page so users on the outside can hit it.
I set up SSL so people could go to https://webpage1.domain.com for one page and the router would forward it on 443
and then they could go to http://webpage2.domain.com for the other page and it would go through port 80.

That way there would be 2 web pages accessible from outside and all they would need to do to access the other page would be to use https instead of regular http.

However, because it keeps on harassing me about the port already being in use (443), I need a way to make website1 use ONLY port 80 and website2 to use ONLY 443.
0
 
Leon FesterCommented:
In your IIS configuration, make sure that website1 does not have SSL enabled. Otherwise it will by default assume port 443, even if you don't have anything bound to it. Also check that the websites that you've set up are only listening on their own IPs; if they're trying to listen to all IPs then IIS will bind the ports to every IP available, that is by design. I'd also suggest configuring host headers in IIS to differentiate between the two sites. Using host headers should then allow your system to overcome the limitations and provide an additional level of checking on the pages thus ensuring that the correct server/port gets the correct pages. I've got an IIS server running with 7 IPs and 3 of the sites are both SSL and HTTP enabled with their own Thawte certificates. So that shouldn't be a limitation at all. Probably just a setting somewhere that hasn't been optimally configured.
0
 
wlandymore (Author) Commented:
Okay, I have made some headway here....

I found out that someone had put an apache web server on there and that was why it was saying that the port was already in use. So I left the default web site stopped because I didn't need it, but the certificate won't work. When I go to https://website2.domain.com or https://192.168.10.6 it will give me a 'page cannot be displayed' error.

I have the certificate installed, I clicked on the edit and checked the 'require SSL', I put in the 443 for the port. I'm not sure what I'm missing here that won't allow the https to work.
0
 
wlandymore (Author) Commented:
Also tried without the 'require SSL' option checked and the IP set to 'unassigned', but that doesn't work either...
0
 
Leon FesterCommented:
See if you can stop the Apache server completely, since you've stopped the default website on it, it may still be holding port 443. Change the unassigned to the correct IP for the site. You can also d/load Aports ( http://www.softpile.com/Internet/Utilities/Review_07354_index.html ) to see what ports are currently open on the system and which application is using them. This could help you identify if the port is in fact available.
0
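The port check suggested in the comment above can also be done with the built-in `netstat -ano`. The following is an added example, not part of the original thread: it parses that output and reports which listener would collide with a site binding. The function names, PIDs and sample output are constructed, and a wildcard (0.0.0.0, "All Unassigned") listener is treated as occupying the port on every address.

```python
import re

# Constructed sample of Windows `netstat -ano` output; the PIDs are made up.
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING       1820
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912
  TCP    0.0.0.0:443            0.0.0.0:0              LISTENING       1820
  TCP    192.168.10.5:139       0.0.0.0:0              LISTENING       4
  TCP    192.168.10.6:3389      0.0.0.0:0              LISTENING       1104
  TCP    192.168.10.6:1045      192.168.10.20:445      ESTABLISHED     4
"""

# Matches only IPv4 TCP rows in LISTENING state: local ip, local port, PID.
LINE = re.compile(
    r"^\s*TCP\s+(\d+\.\d+\.\d+\.\d+):(\d+)\s+\S+\s+LISTENING\s+(\d+)\s*$"
)
WILDCARD = "0.0.0.0"  # shown as "(All Unassigned)" in the IIS site properties


def listeners(netstat_text):
    """Return [(ip, port, pid)] for every IPv4 TCP socket in LISTENING state."""
    found = []
    for line in netstat_text.splitlines():
        m = LINE.match(line)
        if m:
            found.append((m.group(1), int(m.group(2)), int(m.group(3))))
    return found


def blockers(netstat_text, ip, port):
    """List (ip, pid) of listeners that would collide with binding ip:port.

    A listener collides when it holds the same port on the same address,
    or when either side of the comparison is the wildcard address.
    """
    hits = []
    for l_ip, l_port, pid in listeners(netstat_text):
        if l_port != port:
            continue
        if l_ip == ip or WILDCARD in (l_ip, ip):
            hits.append((l_ip, pid))
    return hits


if __name__ == "__main__":
    for ip, port in [("192.168.10.6", 443), ("192.168.10.6", 8443)]:
        hits = blockers(SAMPLE_NETSTAT, ip, port)
        print(f"{ip}:{port} ->", hits or "free")
```

Replace the sample with real `netstat -ano` output from the server; the reported PID can then be matched to a process name in Task Manager.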
 
wlandymore (Author) Commented:
Well I've got the ports sorted out now. It was just because I thought that the IIS default web site should be running, but someone else wanted the apache running. I'm fine with the IIS default website being stopped as long as that won't affect the SSL for the other site that is still running in IIS.

I feel like this is becoming unclear so...

The site in apache is using port 80 without 443....and that's good.
The site in IIS is using 443....and that's good.

However, I just can't get the SSL to work with the site in IIS. Even though I seem to have all the settings worked out the https://website2.domain.com won't show up. It just gives me the 'page cannot be displayed' error. It's not a port in use problem anymore, it's just that the https won't work. The cert's installed, and the port is free and the website (I want to be working), is working.

Sorry about the confusion...
0
 
Leon FesterCommented:
If you're using Internet Explorer, then disable "Show friendly http error messages" in the Tools, Internet Options, Advanced section. See if you get a more intelligent error message and take it from there. Sadly I won't be in the office until Tuesday, so good luck, and hope you get it sorted out.
0
 
Leon FesterCommented:
1 last thing.

In IIS under the "web site" tab. You need to have the following fields filled in.(*took this from my own servers).
Description: Site_name(or whatever)
IP: IP_Address_of_site CLICK ADVANCED: in the box "Multiple SSL identities on this website", add the IP address and the port(443) ... Click "OK"
TCP port: 80
SSL Port: 443

On the "Directory Security" Tab only select "Ignore client certificates"
0
 
wlandymore (Author) Commented:
yeah, I already have that.

If I put in the require SSL (just to test the SSL)...
When I typed in http://website2.domain.com (without the s) it gave me the proper error about needing to type in https instead. But then when I type in the https it just says page cannot be displayed.

it's not a problem with the page because if I put in http://website2.domain.com it will display the page. It's just if I try to use the https
0
 
wlandymore (Author) Commented:
okay, I got the certificates working, but only on the inside. I enabled the browse directory under the security on the CertSrv virtual directory and that fixed it. It seems when it was trying to go to get the certificate it was being denied.
However, I set up the router that I have it on to forward anything on port 443 to the internal address of the server, but it won't work. When I try to telnet from outside using: telnet <external address of router> 443 it will time out.

I have this setup working on another router....why won't it work here?
0
 
wlandymore (Author) Commented:
forget it....found out that the properties of the site had the IP listed to all unassigned, and because there was a second IP bound to the card I needed to have the IP there not 'all unassigned'.
As soon as I did this it went through.
0
 
Leon FesterCommented:
Psst... I mentioned listening on their own IPs in the site configuration during my first post. Hmm, maybe I should use paragraphs to make it easier to read. What do you think?
0
