Ongoing
|
Case #
|
10015
|
|
Affiliated Job:
|
All Job History
|
|
Opened:
|
Unknown
|
|
Closed:
|
N/A
|
Total Hit Count:
|
40168
|
|
Last Hit:
|
Wednesday, December 11, 2024 1:22:31 PM
|
Unique Hit Count:
|
7968
|
|
Last Unique Hit:
|
Wednesday, December 11, 2024 1:22:31 PM
|
Case Type(s):
|
Server, Client Project, Development
|
|
Case Notes(s):
|
All cases are posted for review purposes only. Any implementations should be performed at your own risk.
|
|
|
Project:
|
Across multiple clients, both internal and outsourced, I have worked with Information Internet Services (IIS) to some extent. Since Windows NT v4.0 to present day IIS 7.0, one of my many roles in nearly every company has been to manage and administer these services to host, manage performance, develop and review the logs for a number of clients.
I have integrated Tomcat for ISAPI proxy of JSP deployment, PHP integrated code, asp & asp.net code, Coldfusion integration, log reporting through Web Trends & Web Expert, development in all the above languages and assisted the web development staff with their site container needs. While at ASCI we had a shared web server that hosted over 100 web sites all over a single IP shared among them by separating them out via their host headers. I have also, by using a wildcard/SAN SSL certificate, setup multiple site containers, sharing a single IP while each using a SSL certificate. Administration of the underlying configurations dependent on each site is much easier now in IIS version 7.0 and while with New Trier have configured and consolidated the IIS infrastructure as well as migrated to the IIS 7.0 platform.
|
|
Action(s) Performed:
|
Total Action(s): 3
|
Action #
|
Recorded Date
|
Type
|
Hit(s)
|
User
|
Expand Details
|
10057
|
2/12/2010 12:04:14 PM
|
Server
|
3449
|
contact@danieljchu.com
|
One issue I occasionally find is installing IIS on a DC, this occurs many t More ...
|
10056
|
2/12/2010 11:13:56 AM
|
Server
|
3441
|
contact@danieljchu.com
|
Setting Tomcat up on either Windows 2003 or 2008 under IIS is well document More ...
|
10055
|
2/12/2010 10:30:02 AM
|
Server
|
3535
|
contact@danieljchu.com
|
An example Multi-SSL Single IP configuration under IIS 6.0 can easily be ac Collapse ...
|
Last Hit: Wednesday, December 11, 2024 6:06:24 AM
An example Multi-SSL Single IP configuration under IIS 6.0 can easily be accomplished as such:
In my cases, many used an internal Certificate Authority (CA) to deploy a wildcard/Subject Name Alternative (SAN) certificate. Both on Windows 2003 and 2008 this can be accomplished and further details may be found in [KB931351].
1st, obtain a Wildcard/SAN certificate, in my example I will use the internal CA:
- | Enable the CA to permit SAN certificates | | o | certutil -setreg policy\EditFlags +EDITF_ATTRIBUTESUBJECTALTNAME2 | o | net stop certsvc | o | net start certsvc |
| - | The default "Web Server" template does not allow the private key to be exported, I found this to be a nuisance and created a new template, copied from the existing Web Server template that allows exporting of the private key. This can be accomplished but if your CA is not Windows Enterprise, you will need to change the version of the copied & revised template back in order to deploy it. This can be accomplished using ADSI editor. | | o | Configuration/Services/Public Key Services/Certificate Templates | o | Right-click "Properties" of the template already changed to allow private key export | o | Change the "msPKI-Template-Minor-Revision" to 0 | o | Change the "msPKI-Template-Schema-Version" to 1 | o | After these changes, you will see the new template available for deployment. Only do this if your CA environment is on 2003/2008 Standard |
| - | Proceed to http://localhost/certsrv/ on your CA, Request a certificate, advanced certificate request, Create and submit a request to this CA, Select the Certificate Template created and enter all the details. | | o | For the "Name," enter the common name of the certificate, this can be a normal (secure.domain.com) or wildcard (*.domain.com) - I typically will use a normal type here and enter the wildcards into the SAN. | o | To make this certificate to offer multiple domains, this is where you create your SAN request as part of the certificate, in the area marked "Attributes" place "san:dns=secure.domain.com&dns=*.domain.com&dns=*.anotherdomain.com&" etc. of course replacing "domain.com" with the domain you plan to host |
| - | Create, download your certificate, and install it onto your computer's personal certificate container | - | Open IIS and assign the certificate to all affiliated site containers, this will take sites offline until you adjust the bindings which is done differently in 2003 vrs 2008: | | o | 2003: open a command prompt and go into the inetpub\adminscripts folder | o | Replace the present binding of a site container with the command: cscript.exe adsutil.vbs set /w3svc/[Site#]/SecureBindings ":443:secure.domain.com" ":443:secure.anotherdomain.com" | o | You may assign as many as you want so long as they do not duplicate into another site container, there may only be 1 blank header assigned to a port | o | To review from the command line the currently assigned bindings use this command: cscript.exe adsutil.vbs get /w3svc/[Site#]/SecureBindings | o | Replace "[Site#]" with the appropriate site number assigned to a web site. | o | 2008: Configuration is done in the Windows\System32\inetsrv\config\applicationHost.config file | o | Find the <binding protocol="https" bindingInformation="*:443:" /> added to your site(s) and simply adjust it to include the header information, one line per entry. | o | i.e. <binding protocol="https" bindingInformation="secure.domain.com:443:" /> | o | <binding protocol="https" bindingInformation="secure.anotherdomain.com:443:" /> |
|
|
|
|
|
|
|
|
|
|