harbar.net component based software & platform hygiene

Multiple SSL Web Applications on Port 443

posted on Monday, May 11, 2009 4:34 PM

On a number of occasions I’ve been asked for my “cheat sheet” for setting up multiple SharePoint Web Applications using SSL and listening on Port 443. Whilst this might seem a straightforward task there are a few key things about SSL which are not well enough known, and surprise surprise, SharePoint makes life a little more difficult due to its total ignorance of correct addressing. This article is basically a tidied up version of the cheat sheet, along with a little bit of further explanation. This is primarily so I have something to point people to when asked about the procedure.

The steps detailed below show how to setup two Web Applications, but of course you can rinse and repeat if you need more than two.


Running multiple SSL Web Sites on IIS on Port 443.
Firstly IIS does support running multiple SSL Web Sites on the same port. However doing so requires a unique, fixed IP address for each Virtual Web Site. Otherwise the second site cannot start, because the IP address and port pair it wants is already in use by the first.

It is also possible to run multiple SSL web sites on 443 using a shared IP address by making use of Host Headers, however this requires a Wildcard Certificate (wildcard certs are evil, pure and simple) and a metabase configuration change. The wildcard is needed because the Host header travels inside the encrypted request: the server has to pick a certificate for the IP address and port before it knows which site is being asked for, so every site sharing that IP address and port must present the same certificate.

I will detail both of these approaches, and how you need to do things so that SharePoint doesn’t get all confused and make a mess of your IIS configuration for you. Both work on either IIS 6 or IIS 7 although the UI is a little different of course.


Intended Web Applications
For the scenario detailed here we wish to create two Web Applications, which we have already configured host (A) Records for in DNS. In case you’ve missed me mention this before, don’t use CNAMEs!

  1. intranet.sharepoint.com = 192.168.0.16
  2. my.sharepoint.com = 192.168.0.17


Steps to create using Fixed IP Addresses

  1. Create a new Web Application for intranet.sharepoint.com (Central Administration)
    1. Description: SharePoint Intranet
    2. Port: 443
    3. Host Header: intranet.sharepoint.com
      (this is actually ignored for SSL apps but it helps – see below, and prevents the duplicate error)
    4. Note the above fixes the Path location for us
    5. Use SSL: select this
    6. Load Balanced URL: https://intranet.sharepoint.com
      this is auto-populated by the host header above. The 443 bit doesn’t matter at all using this approach
    7. All other settings: as you wish
  2. Create a new Web Application for my.sharepoint.com (Central Administration)
    1. Description: SharePoint My Sites
    2. Port: 443
    3. Host Header: my.sharepoint.com
      (this is actually ignored for SSL apps but it helps – see below, and prevents the duplicate error)
    4. Note the above fixes the Path location for us
    5. Use SSL: select this
    6. Load Balanced URL: https://my.sharepoint.com
      this is auto-populated by the host header above. The 443 bit doesn’t matter at all using this approach
    7. All other settings: as you wish
  3. Configure IIS bindings (Inetmgr.exe)
    1. Note that one of the apps (Intranet) will be stopped at this point.
    2. Note that both apps have a TCP Port of 0 (idjut, idjut SharePoint!!!)
    3. Note that neither site has a host header.
    4. Right click the SharePoint Intranet Virtual Web Site, choose Properties
    5. Note that it corrects the TCP Port to now be 80
    6. Click the Directory Security tab and install a certificate (you must do this to enable the next step)
    7. Click the Web Site tab and click Advanced
    8. Click the SSL identity and Edit
    9. Change the IP Address to 192.168.0.16
    10. Do the same for the TCP Port as well
    11. OK twice
    12. Right click the SharePoint My Sites Virtual Web Site, choose Properties
    13. Note that it corrects the TCP Port to now be 80
    14. Click the Directory Security tab and install a certificate (you must do this to enable the next step)
    15. Click the Web Site tab and click Advanced
    16. Click the SSL identity and Edit
    17. Change the IP Address to 192.168.0.17
    18. Do the same for the TCP Port as well
    19. OK twice
    20. You can now start the SharePoint Intranet Web Site – and both can be running simultaneously.
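The same result as step 3 above, scripted rather than clicked through. This is an added example, not part of the original cheat sheet: it assumes IIS 7 with the WebAdministration PowerShell module (the steps above describe the IIS Manager UI), that the two IIS sites carry the Description names given to Central Administration, and that a certificate for each host name is already installed in the machine store. The thumbprints are placeholders you replace with your own.

```powershell
# Added example (not from the original post): IIS 7 / WebAdministration equivalent of
# step 3, the "fixed IP address" approach. Site names and IPs follow the post's scenario;
# the thumbprints are placeholders for certificates already in Cert:\LocalMachine\My.
Import-Module WebAdministration

$apps = @(
    @{ Site = 'SharePoint Intranet'; Host = 'intranet.sharepoint.com'; IP = '192.168.0.16'; Thumbprint = '<THUMBPRINT-INTRANET>' },
    @{ Site = 'SharePoint My Sites';  Host = 'my.sharepoint.com';       IP = '192.168.0.17'; Thumbprint = '<THUMBPRINT-MYSITES>' }
)

foreach ($app in $apps) {
    # Drop whatever binding SharePoint created (it is the wrong port and has no IP),
    # then add one https binding on the dedicated IP only. No host header is set:
    # for SSL the IP address, not the host header, is what selects the site.
    Get-WebBinding -Name $app.Site | Remove-WebBinding
    New-WebBinding -Name $app.Site -Protocol https -IPAddress $app.IP -Port 443

    # Attach the certificate to this IP:443 (what the Directory Security tab does in the UI).
    $cert    = Get-Item "Cert:\LocalMachine\My\$($app.Thumbprint)"
    $sslPath = "IIS:\SslBindings\$($app.IP)!443"
    if (Test-Path $sslPath) { Remove-Item $sslPath }
    $cert | New-Item $sslPath | Out-Null

    # Check: the certificate must name the host users will type, otherwise the binding
    # works but every browser warns. Assumes the subject starts with CN=<host>.
    if ($cert.Subject -notmatch [regex]::Escape("CN=$($app.Host)")) {
        Write-Warning "$($app.Site): certificate subject '$($cert.Subject)' does not name $($app.Host)"
    }
}

# Verify: each site has exactly one https binding and no two sites share an IP:port.
foreach ($site in Get-Website) {
    Get-WebBinding -Name $site.Name -Protocol https |
        ForEach-Object { '{0} -> {1}' -f $site.Name, $_.bindingInformation }
}
Get-ChildItem IIS:\SslBindings | Format-Table IPAddress, Port, Thumbprint -AutoSize

# Start the site SharePoint left stopped because of the original port clash (step 3.1).
foreach ($app in $apps) { Start-Website -Name $app.Site }
```

Run it in an elevated PowerShell on the web front end after the two Web Applications exist in Central Administration. The binding listing at the end is the check worth keeping around: if two lines show the same IP:443 pair, one of the sites will fail to start, which is exactly the symptom step 3.1 describes.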


Using Host Headers and Wildcard Certificate (evil)

You need to go through the same steps as I outlined above to set up the Web Applications in SharePoint. However, before you start you need to install the wildcard cert using the Certificates MMC.

When you are at the stage where you need to configure the SSL cert, use the following command:

cscript.exe adsutil.vbs set /w3svc/<site identifier>/SecureBindings ":443:<host header>"

<site identifier> is the horrible eight digit number detailed in IIS Manager
<host header> is your URL, e.g. intranet.sharepoint.com

You need to do this for each of your Web Applications. All other steps remain the same.
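The adsutil.vbs command above is the IIS 6 metabase way of doing this. As an added example that is not part of the original post, here is the equivalent on IIS 7 using the WebAdministration module, with the one check the wildcard approach needs: confirming that the certificate actually covers every host name before you bind it. The site names follow the scenario above; the wildcard thumbprint is a placeholder, and the script assumes the certificate subject begins with CN=*.sharepoint.com.

```powershell
# Added example (not from the original post): IIS 7 / WebAdministration equivalent of
#   cscript.exe adsutil.vbs set /w3svc/<site identifier>/SecureBindings ":443:<host header>"
# Thumbprint is a placeholder; the wildcard certificate is assumed to be installed already.
Import-Module WebAdministration

$wildcardThumbprint = '<THUMBPRINT-WILDCARD>'
$apps = @(
    @{ Site = 'SharePoint Intranet'; Host = 'intranet.sharepoint.com' },
    @{ Site = 'SharePoint My Sites';  Host = 'my.sharepoint.com' }
)

$cert = Get-Item "Cert:\LocalMachine\My\$wildcardThumbprint"

# A wildcard covers exactly one label to the left of the dot: *.sharepoint.com matches
# my.sharepoint.com but not my.intranet.sharepoint.com. Refuse names it does not cover,
# because the binding would succeed and users would simply get certificate warnings.
$cn      = (($cert.Subject -split ',')[0]).Trim() -replace '^CN=', ''
$pattern = '^' + [regex]::Escape($cn).Replace('\*', '[^.]+') + '$'
foreach ($app in $apps) {
    if ($app.Host -notmatch $pattern) {
        throw "$($app.Host) is not covered by certificate subject $cn"
    }
}

# One shared SSL binding for all unassigned IPs on 443 (the ":443:" part of adsutil's value)...
$sslPath = 'IIS:\SslBindings\0.0.0.0!443'
if (-not (Test-Path $sslPath)) { $cert | New-Item $sslPath | Out-Null }

# ...and one host-header https binding per site (the "<host header>" part), so the shared
# certificate is presented on every IP and the host header picks the site afterwards.
foreach ($app in $apps) {
    Get-WebBinding -Name $app.Site -Protocol https | Remove-WebBinding
    New-WebBinding -Name $app.Site -Protocol https -IPAddress '*' -Port 443 -HostHeader $app.Host
    Start-Website -Name $app.Site
}

# Verify: every site should show *:443:<host header>.
foreach ($site in Get-Website) {
    Get-WebBinding -Name $site.Name -Protocol https |
        ForEach-Object { '{0} -> {1}' -f $site.Name, $_.bindingInformation }
}
```

Because all the sites share one certificate here, the wildcard check is the only thing standing between you and a binding that works for the wrong host names; keep it even if you later move the rest of the configuration into a larger build script.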