Multiple Information Internet Services (IIS) Implementations
Ongoing     Case # 10015     Affiliated Job:  All Job History
Opened:  Unknown     Closed:  N/A
Total Hit Count:  16310     Last Hit:  Friday, July 21, 2017 6:08:13 AM
Unique Hit Count:  3249     Last Unique Hit:  Friday, July 21, 2017 6:08:13 AM
Case Type(s):  Server, Client Project, Development
Case Notes(s):  All cases are posted for review purposes only. Any implementations should be performed at your own risk.

Project:
Across multiple clients, both internal and outsourced, I have worked with Information Internet Services (IIS) to some extent. Since Windows NT v4.0 to present day IIS 7.0, one of my many roles in nearly every company has been to manage and administer these services to host, manage performance, develop and review the logs for a number of clients.

I have integrated Tomcat for ISAPI proxy of JSP deployment, PHP integrated code, asp & asp.net code, Coldfusion integration, log reporting through Web Trends & Web Expert, development in all the above languages and assisted the web development staff with their site container needs. While at ASCI we had a shared web server that hosted over 100 web sites all over a single IP shared among them by separating them out via their host headers. I have also, by using a wildcard/SAN SSL certificate, setup multiple site containers, sharing a single IP while each using a SSL certificate. Administration of the underlying configurations dependent on each site is much easier now in IIS version 7.0 and while with New Trier have configured and consolidated the IIS infrastructure as well as migrated to the IIS 7.0 platform.

Action(s) Performed:
Total Action(s): 3
Action # Recorded Date Type Hit(s) User Expand Details
10057 2/12/2010 12:04:14 PM Server 1478 contact@danieljchu.com One issue I occasionally find is installing IIS on a DC, this occurs many t  More ...
10056 2/12/2010 11:13:56 AM Server 1562 contact@danieljchu.com Setting Tomcat up on either Windows 2003 or 2008 under IIS is well document  More ...
10055 2/12/2010 10:30:02 AM Server 1622 contact@danieljchu.com An example Multi-SSL Single IP configuration under IIS 6.0 can easily be ac  Collapse ...
Last Hit: Friday, July 21, 2017 4:12:37 AM

An example Multi-SSL Single IP configuration under IIS 6.0 can easily be accomplished as such:

In my cases, many used an internal Certificate Authority (CA) to deploy a wildcard/Subject Name Alternative (SAN) certificate. Both on Windows 2003 and 2008 this can be accomplished and further details may be found in [KB931351].

1st, obtain a Wildcard/SAN certificate, in my example I will use the internal CA:
-   Enable the CA to permit SAN certificates
   o   certutil -setreg policy\EditFlags +EDITF_ATTRIBUTESUBJECTALTNAME2
   o   net stop certsvc
   o   net start certsvc
-   The default "Web Server" template does not allow the private key to be exported, I found this to be a nuisance and created a new template, copied from the existing Web Server template that allows exporting of the private key. This can be accomplished but if your CA is not Windows Enterprise, you will need to change the version of the copied & revised template back in order to deploy it. This can be accomplished using ADSI editor.
   o   Configuration/Services/Public Key Services/Certificate Templates
   o   Right-click "Properties" of the template already changed to allow private key export
   o   Change the "msPKI-Template-Minor-Revision" to 0
   o   Change the "msPKI-Template-Schema-Version" to 1
   o   After these changes, you will see the new template available for deployment. Only do this if your CA environment is on 2003/2008 Standard
-   Proceed to http://localhost/certsrv/ on your CA, Request a certificate, advanced certificate request, Create and submit a request to this CA, Select the Certificate Template created and enter all the details.
   o   For the "Name," enter the common name of the certificate, this can be a normal (secure.domain.com) or wildcard (*.domain.com) - I typically will use a normal type here and enter the wildcards into the SAN.
   o   To make this certificate to offer multiple domains, this is where you create your SAN request as part of the certificate, in the area marked "Attributes" place "san:dns=secure.domain.com&dns=*.domain.com&dns=*.anotherdomain.com&" etc. of course replacing "domain.com" with the domain you plan to host
-   Create, download your certificate, and install it onto your computer's personal certificate container
-   Open IIS and assign the certificate to all affiliated site containers, this will take sites offline until you adjust the bindings which is done differently in 2003 vrs 2008:
   o   2003: open a command prompt and go into the inetpub\adminscripts folder
   o   Replace the present binding of a site container with the command: cscript.exe adsutil.vbs set /w3svc/[Site#]/SecureBindings ":443:secure.domain.com" ":443:secure.anotherdomain.com"
   o   You may assign as many as you want so long as they do not duplicate into another site container, there may only be 1 blank header assigned to a port
   o   To review from the command line the currently assigned bindings use this command: cscript.exe adsutil.vbs get /w3svc/[Site#]/SecureBindings
   o   Replace "[Site#]" with the appropriate site number assigned to a web site.
   o   2008: Configuration is done in the Windows\System32\inetsrv\config\applicationHost.config file
   o   Find the <binding protocol="https" bindingInformation="*:443:" /> added to your site(s) and simply adjust it to include the header information, one line per entry.
   o   i.e. <binding protocol="https" bindingInformation="secure.domain.com:443:" />
   o   <binding protocol="https" bindingInformation="secure.anotherdomain.com:443:" />



Profile IMG: Footer Left Profile IMG: Footer Right