Solved

concept and method of network setup implementing multiple secure websites with UCC SSL

Posted on 2011-04-27
Medium Priority
527 Views
Last Modified: 2012-05-11
Wow, you made it past that incredibly specific title!
In simple terms, I want to set up a couple of secure web sites, and I've got the economy pack of SSL certificates, the UCC SSL.
The UCC has 5 URLs possible, and in my case I have Small Business Server 2011, so already I've given one to remote (or remote.domain.com), which uses ports 80 and 443.
I've also got 2 websites on port 80, and I want to let them have an https page, so I can implement a paypal page.

It all seemed so easy, but then I ran into a huge gotcha! - there seems to be a rule about ucc ssl that they can only secure one ip address at a time.
So, doesn't this fly in the face of the concept of having 5 URLs together? And it appears the other URLs (like the server name, or x.local) seem to coexist with remote.x.com.
But it refuses to secure x.com on the same ip and port. That's the problem I want to solve in this question!

I'll need lots of help and ideas, and it isn't an easy problem. So far I've investigated using multiple ip on the same nic, but got blocked because my router will only support one ip per nic. I need some guidance on SSL to know the loophole in the rules, so I can secure 3 websites on one server.

Context: SBS2011, IIS 7.5, Linksys Dir-825 router.
Question by: JeReLo
17 Comments
 
LVL 5

Expert Comment

by:oneitnz
ID: 35480598
Ok, this should be entirely possible; you just need to use Host Headers for your SSL pages in IIS7 and have the one Digital Cert assigned to that IP address.

Obviously you'll want to have all the sites that would need to be connected to using SSL setup on your CERT.

Here is a starter
remote.domain.com
www.site1.com (or secure.site1.com)
www.site2.com (or secure.site2.com)

2 other possibilities could be
servername.domain.local
mail.domain.com

If you need anything else let me know
Regards
Brett
One IT
www.oneit.co.nz
0
 

Author Comment

by:JeReLo
ID: 35481342
Brett, your confidence inspires some hope here, but I might need to get more specific.
How would site1 coexist with remote.domain.com if I only have one IP, and SSL can only be assigned to one IP per site? In your starter explanation, were you saying that the first 3 would be on the same IP, even though they have individual host headers? Are you sure that works?
0
 
LVL 5

Expert Comment

by:oneitnz
ID: 35481356
Yes, that's right, you can only use 1 SSL Cert per IP Address.

So you would either need 3 IPs and 3 Certs, or what you have: 1 IP and 1 Cert that covers all SSL Sites.

Then Host Headers will be configured for all the sites that need it.

I'm not saying it'll be easy, but I'm fairly confident it's doable.
0
 

Author Comment

by:JeReLo
ID: 35481414
Are you interested in working with me as I try to implement "1 IP and 1 Cert that covers all SSL Sites"?

Currently I have remote.domain.com secured with the cert, and it was installed with the SBS wizard.
And I have site1.com working fine using http.

To test, I added a new site binding for site1. In "edit site bindings" I set the new binding type as https, on port 443, and chose the 3rd party ssl certificate.

Then I chose to browse to the site from IIS. The regular site using http still works normally. When I choose the https site from IIS, the browser says there's a problem with the certificate. If I continue on, I see there's a mismatched address. This is probably a result of the way IIS gave the URL as the IP address, whereas the certificate is using the URL. So, I set the URL to https://site1.com.

The result is "Internet Explorer cannot display the webpage".

Can you see any error I've made, or have any ideas on how to reveal the problem?
0
 
LVL 5

Accepted Solution

by: oneitnz earned 2000 total points
ID: 35481546
Hi JeReLo

Please try following this tutorial and let me know how you get on.
http://www.sslshopper.com/article-ssl-host-headers-in-iis-7.html
0
 

Author Comment

by:JeReLo
ID: 35481893
Thanks, the tutorial is very clear. I ran the command, and it completed successfully. For one of the sites, that only had an http binding, I could see the new https binding after the command.

But still I get the "internet explorer cannot display the webpage" page when I browse to https://domain.com 

This is happening on both the sites.

Oddly, it affected remote.domain.com (which was working before) such that the physical path of the remote site files got switched to the path of the second site (site1.com).

0
 

Author Comment

by:JeReLo
ID: 35481957
As I try to step back, I went to remove the https binding on site1. IIS warns me, saying "The certificate associated with this binding is also assigned to another site's binding. Deleting this binding will cause the HTTPS binding of the other site to be unusable. Do you still want to continue?"

So, this first site with the binding is important...

I did remove the https bindings on the two sites, and then went back and reset things on the default web site. I removed the https binding, then reinstated it, set the certificate, and tested. It was ok again.

Then I ran the commands again, and the second site still won't run with https. But at least now, the remote site is fine.

The only difference I'm aware of, between the context of the tutorial and my situation, is that my first site is the default web site and it has been set up by SBS 2011. I suppose that's minor, but that's all that's coming to mind here.
0
 

Author Comment

by:JeReLo
ID: 35482156
In one of the comments on that tutorial, it explains how to use the * in the friendly name of the certificate, and then it is possible to select the https binding within IIS, and set the host header, all within the GUI.

So, anyway, I've got the remote site working fine, and the second and third sites are set up with identical bindings (just different host names). The second and third sites will not display if I use https protocol, but work fine with http.

These sites were built with ASP.NET v4. Would there be any configuration needed within the website project, I wonder? My understanding is that an http site can work as is, and that it's just a case of substituting https for http in the URL.

But, some unknown bit is getting in the way...
0
 
LVL 5

Expert Comment

by:oneitnz
ID: 35487326
Hi JeReLo

Can you please send through a screenshot of the Sites menu showing all the Websites and their Bindings. I think I know what might be wrong.

Regards
Brett
0
 

Author Comment

by:JeReLo
ID: 35489827
0
 

Author Comment

by:JeReLo
ID: 35489922
0
 

Author Comment

by:JeReLo
ID: 35489933
In addition to the sites' bindings, I popped in the status, with an unknown set of protocols.
I've no idea what net (tcp, pipe, and msmq) and msmq.formatname are, but they are also unknown to this IIS setup. If you have a clue, I'd be interested in what they are, briefly...
0
 

Author Comment

by:JeReLo
ID: 35501947
Did you see what you thought you might find?
0
 
LVL 5

Expert Comment

by:oneitnz
ID: 35502033
Oh, sorry JeReLo,
forgot to get back to you.

Your site is working properly. What you may find is that you've been trying to type, for instance, https://www.depthbydistance.com but you haven't actually configured this; you've set it to https://depthbydistance.com, which does work.

So what you need to do is change the Bindings to both www.depthbydistance.com and depthbydistance.com; that way both https sites will work.

However I have just noticed an issue with your Certificate.
DNS Name=depthbydistance.com
DNS Name=www.depthbydistance.com
DNS Name=remote.depthbydistance.com
DNS Name=CORE.depthbydistance.local
DNS Name=depthbydistance.local
DNS Name=jeffleese.com

For the https://www.jeffleese.com site to work you'll need to add that as an additional Subject Alternative name or just use https://jeffleese.com for the secure pages.

Normally secure sites will have a domain name like https://secure.domain.com, and then you would have that added as a Subject Alternative Name in your UCC Cert, so in your case it would be:

DNS Name=depthbydistance.com
DNS Name=SECURE.depthbydistance.com
DNS Name=remote.depthbydistance.com
DNS Name=CORE.depthbydistance.local
DNS Name=depthbydistance.local
DNS Name=SECURE.jeffleese.com

Hope that answers all your questions.
0
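The two points the thread turns on are (a) IIS 7.5 has no SNI, so every site sharing one IP:443 must present the same certificate via host-header bindings, and (b) a browser only accepts that certificate for a hostname that appears in its Subject Alternative Name list, which is why https://www.jeffleese.com fails while https://jeffleese.com works. The script below is an added example, not code from this thread or from the linked tutorial: it takes the SAN list exactly as Brett quoted it above, checks a planned set of (IIS site name, hostname) bindings against it using the standard name-matching rules (case-insensitive, a wildcard only as the whole left-most label), and emits the `appcmd set site /+bindings.[...]` command lines in the form the linked SSL Shopper tutorial uses for the names that are covered. The site names and the list of planned hostnames are constructed for the example.

```python
"""
Plan host-header HTTPS bindings for several IIS 7.x sites sharing one IP:443 and
verify that each hostname is covered by the single UCC (SAN) certificate bound to
that IP.  Added example; not from the thread.  SAN list copied from the expert's
comment, site names and planned hostnames are constructed.
"""
import re

# Subject Alternative Names as listed in the thread (certificate contents).
SAN_DNS_NAMES = [
    "depthbydistance.com",
    "www.depthbydistance.com",
    "remote.depthbydistance.com",
    "CORE.depthbydistance.local",
    "depthbydistance.local",
    "jeffleese.com",
]

# Syntactic check for a DNS hostname: labels of 1-63 chars, no leading/trailing '-'.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?!-)[a-z0-9-]{1,63}(?<!-)(\.(?!-)[a-z0-9-]{1,63}(?<!-))*$"
)


def san_matches(san, hostname):
    """Does one SAN dNSName entry cover hostname?

    Comparison is case-insensitive (the cert above has CORE.depthbydistance.local).
    A wildcard is honoured only as the entire left-most label and matches exactly
    one label: *.example.com covers a.example.com but not example.com or
    a.b.example.com, and a bare *.com is never accepted.
    """
    san = san.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not san.startswith("*."):
        return san == hostname
    suffix = san[1:]                      # ".example.com"
    if not hostname.endswith(suffix):
        return False
    left = hostname[: -len(suffix)]       # the part the '*' stands for
    return left != "" and "." not in left and suffix.count(".") >= 2


def covered_by(hostname, san_names=SAN_DNS_NAMES):
    """Return the SAN entry that covers hostname, or None if a browser would report a mismatch."""
    for san in san_names:
        if san_matches(san, hostname):
            return san
    return None


def plan_bindings(sites, san_names=SAN_DNS_NAMES, ip="*", port=443):
    """sites: list of (iis_site_name, hostname) pairs to bind on the shared ip:port.

    Returns (commands, uncovered): appcmd lines for hostnames the cert covers, and
    (hostname, reason) pairs for those that would fail so they are fixed before binding.
    """
    commands, uncovered = [], []
    for site_name, hostname in sites:
        if not HOSTNAME_RE.match(hostname.lower()):
            uncovered.append((hostname, "not a valid DNS hostname"))
            continue
        if covered_by(hostname, san_names) is None:
            uncovered.append((hostname, "no matching SAN entry; browser will report a name mismatch"))
            continue
        # Same command shape as the tutorial linked in the accepted answer.
        commands.append(
            f'appcmd set site /site.name:"{site_name}" '
            f"/+bindings.[protocol='https',bindingInformation='{ip}:{port}:{hostname}']"
        )
    return commands, uncovered


# Constructed plan mirroring the thread: one cert, one IP, three IIS sites.
PLANNED = [
    ("Default Web Site", "remote.depthbydistance.com"),
    ("site1", "depthbydistance.com"),
    ("site1", "www.depthbydistance.com"),
    ("site2", "jeffleese.com"),
    ("site2", "www.jeffleese.com"),     # not in the SAN list -> flagged
]

if __name__ == "__main__":
    cmds, bad = plan_bindings(PLANNED)
    print("\n".join(cmds))
    for host, why in bad:
        print(f"SKIPPED {host}: {why}")
```

Run it before touching the server: the commands it prints are the ones to execute in an elevated prompt from `%windir%\system32\inetsrv`, and anything listed as SKIPPED needs either a new SAN entry on the certificate or a change of the hostname the site is published under, as Brett suggested with secure.jeffleese.com.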
 

Author Comment

by:JeReLo
ID: 35508976
Thanks, it took a while before I was able to test it from offsite. It's unfortunate I can't test the site from inside the domain.

Thanks for clarifying the issues, it was a great help.
0
 
LVL 5

Expert Comment

by:oneitnz
ID: 35509054
You should be able to test the site from inside the domain; however, you'll need to configure the DNS for the two other domains to point to the Local IP of the IIS Server.

Thanks for awarding the points.
Regards
Brett Smith
0
 

Author Comment

by:JeReLo
ID: 35510084
Brett, I've posted a follow-up question at http://www.experts-exchange.com/Software/Server_Software/Web_Servers/Microsoft_IIS/Q_26990513.html
in case you are able to elaborate on the last DNS configuration issue.
0