Multiple (SSL) Web Sites in IIS (Part 2)
Stop! Have you read my previous post on “Multiple Web Sites in IIS – Part 1”? If you have not, I strongly recommend that you spend some time reading my previous post.
As I’ve discussed in my previous post, you can configure IIS to host multiple web sites using a variety of techniques. The next thing you might want to do is to configure SSL on those web sites.
If you are using a unique IP address for each web site, you can use port 443, the default SSL port, for all the web sites, at the cost of maintaining and securing multiple IP addresses on the server.
If you are using a single shared IP address, then you will have to configure different SSL ports on each web site, which will result in unfriendly URL addresses, such as “https://www.maungphyo.com:444/default.aspx”.
If you are not keen on managing a multi-homed web server, or dislike the idea of having unfriendly URL addresses, the last implementation technique you can depend on is to use custom host headers. But how? If you go to the Web Site Properties dialog and click the “Advanced” button on the “Web Site” tab, you will instantly realize that there is no place for you to configure a custom host header for SSL bindings.
You can configure a custom host header for SSL bindings only by using the command-line tool (technically speaking, it is a script file provided with the default IIS installation), or other tools such as Metabase Explorer from the IIS Resource Kit.
Here is the procedure for enabling custom host headers in SSL sites.
1) Firstly, find out the Metabase Path of the site to be configured. "iisweb.vbs" is in %SystemRoot%\System32.
C:\>iisweb.vbs /query
For instance, metabase path for “Default Web Site” is “W3SVC/1”.
2) Navigate to the folder where the Visual Basic admin scripts are stored.
C:\>CD\Inetpub\AdminScripts
3) Set the metabase property “SecureBindings” using “AdsUtil.vbs” to any desired value. Take note of the starting character “:”.
C:\Inetpub\AdminScripts>AdsUtil.vbs SET W3SVC/1/SecureBindings ":443:www.maungphyo.com"
4) You can repeat it for all the sites, using the default SSL port 443 with different custom host headers.
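An added example, not part of the original post: a small Python check to run over a planned set of SecureBindings values before applying them with AdsUtil.vbs. It parses the IP:Port:HostHeader format shown in step 3, rejects strings that lack the leading ":", and reports any binding claimed by more than one site. Site paths W3SVC/2 to W3SVC/4 and the example.com host name are constructed sample data.

```python
from collections import defaultdict


def parse_binding(binding):
    """Split an IIS binding string 'IP:Port:HostHeader' into (ip, port, host)."""
    parts = binding.split(":")
    if len(parts) != 3:
        # "443:www.example.com" (no leading ':') ends up here with two fields.
        raise ValueError(f"{binding!r}: expected IP:Port:HostHeader (leading ':' missing?)")
    ip, port, host = parts
    if not port.isdigit() or not 1 <= int(port) <= 65535:
        raise ValueError(f"{binding!r}: port field {port!r} is not a valid port")
    # Host names are case-insensitive, so normalise before comparing.
    return ip, int(port), host.lower()


def find_conflicts(plan):
    """Return {(ip, port, host): [site paths]} for bindings claimed by more than one site."""
    owners = defaultdict(list)
    for site, bindings in plan.items():
        for binding in bindings:
            owners[parse_binding(binding)].append(site)
    return {key: sites for key, sites in owners.items() if len(sites) > 1}


# Constructed sample plan. Only W3SVC/1 and www.maungphyo.com come from the post.
PLAN = {
    "W3SVC/1": [":443:www.maungphyo.com"],
    "W3SVC/2": [":443:blog.example.com"],
    "W3SVC/3": [":443:"],  # shared IP, port 443, no host header
    "W3SVC/4": [":443:"],  # identical binding: collides with W3SVC/3
}

if __name__ == "__main__":
    for (ip, port, host), sites in find_conflicts(PLAN).items():
        print(f"conflict on ip={ip or '(all unassigned)'} port={port} "
              f"host={host or '(none)'}: {', '.join(sites)}")
```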
Just remember one thing: on Windows Server 2003 with Service Pack 1, you will need to add all the custom host headers to the “BackConnectionHostNames” registry key in order for Integrated Windows Authentication to work on those host-header-enabled sites. Read my previous post "IIS Security Enhancement in Windows Server 2003 SP1" on this issue.
Good luck!