https and IP's
|
| Hello,
This has been a long time thought of mine I never really tried to do but was
very interested in how it could be done?
If IIS cannot host multiple SSL URL's on 1 IP without changing the port
How in the world does a hosting company get those SSL URL's to work?
I thought about a router assigning IP's but the ports would run out unless
there is a router or switch I am unaware of?
Anyone know the answer to this general question?
Thank you
Very Curious
| |
| Brad Ticehurst 2005-06-30, 2:53 am |
|
Hi Joe,
As far as I'm aware (and someone will correct me if I'm wrong)
An SSL certificate must be assigned to a unique IP address.
I work for an ISP. We assign a new live IP to any site that requires an SSL
certificate and other hosts that I know do the same thing.
Regards,
Brad
"Joe" <Joe@discussions.microsoft.com> wrote in message
news:82119F20-F1D9-4DEB-ADC5-53E4CB3C4593@microsoft.com...
> Hello,
>
> This has been a long time thought of mine I never really tried to do but
> was
> very interested in how it could be done?
>
> If IIS cannot host multiple SSL URL's on 1 IP without changing the port
>
> How in the world does a hosting company get those SSL URL's to work?
>
> I thought about a router assigning IP's but the ports would run out unless
> there is a router or switch I am unaware of?
>
> Anyone know the answer to this general question?
> Thank you
> Very Curious
| |
|
| Hello Brad,
I would think so too, as you said, about adding a unique IP. But what
happens after the router? You get the 10.10's or the 192.168's and it seems
as if the public IP loses its significance. This is the confusing part to
me. Your router can assign many IP's but only one public would be needed? I
ask because I am thinking of adding another e-commerce site but never thought
about this for real until now.
Thank you for your reply
Joe
"Brad Ticehurst" wrote:
>
> Hi Joe,
>
> As far as I'm aware (and someone will correct me if I'm wrong)
> An SSL certificate must be assigned to a unique IP address.
>
> I work for an ISP. We assign a new live IP to any site that requires an SSL
> certificate and other hosts that I know do the same thing.
>
> Regards,
> Brad
>
>
> "Joe" <Joe@discussions.microsoft.com> wrote in message
> news:82119F20-F1D9-4DEB-ADC5-53E4CB3C4593@microsoft.com...
>
>
>
| |
| Frankster 2005-06-30, 2:53 am |
| You cannot use SSL on multiple websites using the same public IP via host
headers. You *can* do it if each site has its own public IP assigned.
-Frank
"Joe" <Joe@discussions.microsoft.com> wrote in message
news:82119F20-F1D9-4DEB-ADC5-53E4CB3C4593@microsoft.com...
> Hello,
>
> This has been a long time thought of mine I never really tried to do but
> was
> very interested in how it could be done?
>
> If IIS cannot host multiple SSL URL's on 1 IP without changing the port
>
> How in the world does a hosting company get those SSL URL's to work?
>
> I thought about a router assigning IP's but the ports would run out unless
> there is a router or switch I am unaware of?
>
> Anyone know the answer to this general question?
> Thank you
> Very Curious
| |
| Brad Ticehurst 2005-06-30, 2:53 am |
|
Hi Joe,
It sounds like you are using a single IP connection such as DSL or cable and
you have your router providing access to your local computers on 192.168.x.x
or 10.10.x.x using NAT.
You will need to get a subnet (block of multiple IPs) assigned to your
connection to do this.
You would typically obtain something like a /29 (8 IPs) which gives 6
usable.
You assign the first usable to the LAN interface on your router, assign an
IP for each of your machines and do whatever you wish with the rest (assign
as many as you need to your web server).
Don't forget to disable NAT and make the appropriate firewall
considerations.
That would be a quick and easy solution to your problem.
I hope this helps.
One static IP
"Joe" <Joe@discussions.microsoft.com> wrote in message
news:738C01A7-3E25-454A-BAF2-FD121BE65C52@microsoft.com...
> Hello Brad,
>
> I would think so too, as you said, about adding a unique IP. But what
> happens after the router? You get the 10.10's or the 192.168's and it
> seems
> as if the public IP loses its significance. This is the confusing part
> to
> me. Your router can assign many IP's but only one public would be needed?
> I
> ask because I am thinking of adding another e-commerce site but never
> thought
> about this for real until now.
>
> Thank you for your reply
> Joe
>
> "Brad Ticehurst" wrote:
>
| |
| Egbert Nierop (MVP for IIS) 2005-06-30, 2:53 am |
| "Joe" <Joe@discussions.microsoft.com> wrote in message
news:738C01A7-3E25-454A-BAF2-FD121BE65C52@microsoft.com...
> Hello Brad,
>
> I would think so too, as you said, about adding a unique IP. But what
> happens after the router? You get the 10.10's or the 192.168's and it
> seems
> as if the public IP loses its significance. This is the confusing part
> to
> me. Your router can assign many IP's but only one public would be needed?
> I
The 'single IP' requirement is -not- meant to guarantee that a https
connection is coming from a specific IP address. If that were true, no
NAT-router could route HTTPS traffic, could it?
It is -because- https traffic -really- is encoded and that also applies to
http document headers. The HTTP 1.1 specs allow multiple sites to be hosted
on one server, the server looks at the http request and 'knows' to which
website to redirect the request.
Well, IIS does -not- know this at network level for SSL traffic.
--
compatible web farm Session replacement for Asp and Asp.Net
http://www.nieropwebconsult.nl/asp_session_manager.htm
> ask because I am thinking of adding another e-commerce site but never
> thought
> about this for real until now.
>
> Thank you for your reply
> Joe
>
> "Brad Ticehurst" wrote:
>
| |
|
| Hello Frankster,
Yes I am aware of this. This was in my first post. The question is how to
get multiple ssl sites? So it appears as if I would need a number of IP's
assigned to me via my ISP and then I am not sure.
e.g. Use a router? Do not use a router? Can you use one NIC? It seems as if
you could. But what about firewall protection? I am using a commercial grade
hardware firewall router now.
Thank you
Joe
"Frankster" wrote:
> You cannot use SSL on multiple websites using the same public IP via host
> headers. You *can* do it if each site has its own public IP assigned.
>
> -Frank
>
> "Joe" <Joe@discussions.microsoft.com> wrote in message
> news:82119F20-F1D9-4DEB-ADC5-53E4CB3C4593@microsoft.com...
>
>
>
| |
|
| Hello Egbert.
I have one site port forwarded now on 443 and it is fine. I am not sure about
the answer here except I would need to be able to have a router forward 80
and 443 to multiple machines.
Thank you
Joe
"Egbert Nierop (MVP for IIS)" wrote:
> "Joe" <Joe@discussions.microsoft.com> wrote in message
> news:738C01A7-3E25-454A-BAF2-FD121BE65C52@microsoft.com...
>
> The 'single IP' requirement is -not- meant to guarantee that a https
> connection is coming from a specific IP address. If that were true, no
> NAT-router could route HTTPS traffic, could it?
>
> It is -because- https traffic -really- is encoded and that also applies to
> http document headers. The HTTP 1.1 specs allow multiple sites to be hosted
> on one server, the server looks at the http request and 'knows' to which
> website to redirect the request.
> Well, IIS does -not- know this at network level for SSL traffic.
>
> --
> compatible web farm Session replacement for Asp and Asp.Net
> http://www.nieropwebconsult.nl/asp_session_manager.htm
>
>
>
>
| |
|
| Hello Brad
I am not sure how this is done on a router. Routers I have seen do not allow
this (or I just think it is that way). I have 10 static IP's now but they are
not done the way I wanted from my ISP.
You cannot disable NAT and I am not using it on the servers.
All of my machines are using a static internal IP that I set 192.168.x.x
I am understanding just a portion of what you say here.
ISP to the router would be the Public IP's correct? How many?
This is where I get confused after the router or inside the router.
Thank you Brad you have helped I hope you can help a little more = )
Joe
"Brad Ticehurst" wrote:
>
> Hi Joe,
>
> It sounds like you are using a single IP connection such as DSL or cable and
> you have your router providing access to your local computers on 192.168.x.x
> or 10.10.x.x using NAT.
>
> You will need to get a subnet (block of multiple IPs) assigned to your
> connection to do this.
>
> You would typically obtain something like a /29 (8 IPs) which gives 6
> usable.
> You assign the first usable to the LAN interface on your router, assign an
> IP for each of your machines and do whatever you wish with the rest (assign
> as many as you need to your web server).
>
> Don't forget to disable NAT and make the appropriate firewall
> considerations.
>
> That would be a quick and easy solution to your problem.
>
> I hope this helps.
>
>
> One static IP
> "Joe" <Joe@discussions.microsoft.com> wrote in message
> news:738C01A7-3E25-454A-BAF2-FD121BE65C52@microsoft.com...
>
>
>
| |
| Frankster 2005-06-30, 6:01 pm |
| 1 public IP per NIC. You need multiple NICs. They can each be in their own
computer or they can all be in one computer, no matter.
-Frank
"Joe" <Joe@discussions.microsoft.com> wrote in message
news:91194F6F-F88F-442C-8A0A-F5C9F0881530@microsoft.com...
> Hello Frankster,
>
> Yes I am aware of this. This was in my first post. The question is how to
> get multiple ssl sites? So it appears as if I would need a number of IP's
> assigned to me via my ISP and then I am not sure.
> e.g. Use a router? Do not use a router? Can you use one NIC? It seems as
> if
> you could. But what about firewall protection? I am using a commercial
> grade
> hardware firewall router now.
>
> Thank you
> Joe
>
> "Frankster" wrote:
>
| |
| Sparky Polastri 2005-06-30, 6:01 pm |
|
"Frankster" <Frank@SPAM2TRASH.com> wrote in message
news:KKmdnbxkdPiuZF7fRVn-og@giganews.com...
>1 public IP per NIC. You need multiple NICs. They can each be in their
>own computer or they can all be in one computer, no matter.
>
NO. That is WRONG. You can assign quite a few IPs per NIC. What, you
thinking there are servers out there with 256 NICs in them?
> "Joe" <Joe@discussions.microsoft.com> wrote in message
> news:91194F6F-F88F-442C-8A0A-F5C9F0881530@microsoft.com...
You must have ONE IP per SSL SITE. PERIOD. That means if you have a server
with 10 IPs on it, you can have up to 10 SSL sites. (Or 9 SSL sites and a
bunch of non-SSL sites on the remaining IP.) If you use a router and
translate addresses, you need ONE IP per SSL ON EACH DEVICE. So,
192.168.1.2 - 12 on the server, and 10 translated IPs on the router (that
still must be uniquely used).
> So it appears as if I would need a number of IP's
Yes, you do. ONE IP per SSL site on the outside of your router.
Think about it this way, the SSL certificate ensures data is encrypted
between the web server software and the web browser software. ALL OTHER
DEVICES IN BETWEEN CAN'T INTERPRET THE DATA. They can only go by the IP. So
the router, server hardware, server operating system, client operating
system, client router, client firewall and your firewall only deal with the
packet with an IP on it for routing.
| |
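A simplified model of the point made in the replies above (the HTTP headers are encrypted, so the certificate can only be chosen by destination IP and port, and the router in between translates by IP alone). This is an added example, not code from the thread or from IIS; the site names, addresses, certificate names and NAT table are constructed.

```python
from collections import defaultdict

# Constructed inventory: site names, addresses and certificate names are made up.
SITES = [
    # (site, internal IP, port, host header, certificate name or None)
    ("shop-a", "192.168.1.2", 443, "shop-a.example", "shop-a.example"),
    ("shop-b", "192.168.1.2", 443, "shop-b.example", "shop-b.example"),
    ("shop-c", "192.168.1.3", 443, "shop-c.example", "shop-c.example"),
    ("blog",   "192.168.1.4", 80,  "blog.example",   None),
    ("wiki",   "192.168.1.4", 80,  "wiki.example",   None),
]

# Constructed 1:1 NAT table on the router: one public IP per internal IP.
NAT = {
    "203.0.113.10": "192.168.1.2",
    "203.0.113.11": "192.168.1.3",
    "203.0.113.12": "192.168.1.4",
}


def ssl_conflicts(sites):
    """Return {(ip, port): [site, ...]} for endpoints shared by 2+ SSL sites."""
    by_endpoint = defaultdict(list)
    for name, ip, port, _host, cert in sites:
        if cert is not None:
            by_endpoint[(ip, port)].append(name)
    return {ep: names for ep, names in by_endpoint.items() if len(names) > 1}


def route_http(sites, ip, port, host_header):
    """Plain HTTP: the Host header is readable, so it can pick the site."""
    for name, s_ip, s_port, s_host, cert in sites:
        if cert is None and (s_ip, s_port, s_host) == (ip, port, host_header):
            return name
    return None


def certificate_presented(sites, ip, port):
    """SSL: the certificate is sent during the handshake, before any HTTP
    header can be decrypted, so only the destination IP and port are known.
    This model hands out the first SSL site bound to that endpoint."""
    for _name, s_ip, s_port, _host, cert in sites:
        if cert is not None and (s_ip, s_port) == (ip, port):
            return cert
    return None


def browse_https(sites, nat, public_ip, hostname, port=443):
    """Follow one HTTPS connection: the router translates by IP only, the
    server picks a certificate by IP:port, the browser compares the name."""
    internal_ip = nat.get(public_ip)
    cert = certificate_presented(sites, internal_ip, port)
    return {"internal_ip": internal_ip, "cert": cert, "name_ok": cert == hostname}


if __name__ == "__main__":
    print("shared SSL endpoints:", ssl_conflicts(SITES))
    print("shop-b:", browse_https(SITES, NAT, "203.0.113.10", "shop-b.example"))
    print("shop-c:", browse_https(SITES, NAT, "203.0.113.11", "shop-c.example"))
    print("wiki  :", route_http(SITES, "192.168.1.4", 80, "wiki.example"))
```

Running `ssl_conflicts` over a real binding inventory flags every IP:port that needs its own address before a second certificate is installed.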
|
| Hello Sparky,
WOW this is what I was thinking and you explained it very well. (Brad you too)
Can I ask what do you do in this case such as mine
I have two routers but one with the webserver on it and the router can only
forward one set of port 80's and 443's. The webserver has one NIC.
Let me get this clear inside my mind please Sparky
Public IP 69.65.81.xxx
comes into router A and the webserver internal IP is 192.168.0.4
I can now port forward 80 and 443 to this IP and get the web. I have this
done just as this now and it works fine.
So now I want to host my other ecommerce on the same webserver IIS6.0
and Public IP 69.65.81.13x
comes into router A and then how would I assign the other IP on the same NIC?
Also I cannot port forward more than one IP on the same port on this router.
Is there something I can do?
Thanks a million
Joe
"Sparky Polastri" wrote:
>
> "Frankster" <Frank@SPAM2TRASH.com> wrote in message
> news:KKmdnbxkdPiuZF7fRVn-og@giganews.com...
>
> NO. That is WRONG. You can assign quite a few IPs per NIC. What, you
> thinking there are servers out there with 256 NICs in them?
>
>
> You must have ONE IP per SSL SITE. PERIOD. That means if you have a server
> with 10 IPs on it, you can have up to 10 SSL sites. (Or 9 SSL sites and a
> bunch of non-SSL sites on the remaining IP.) If you use a router and
> translate addresses, you need ONE IP per SSL ON EACH DEVICE. So,
> 192.168.1.2 - 12 on the server, and 10 translated IPs on the router (that
> still must be uniquely used).
>
>
> So it appears as if I would need a number of IP's
>
> Yes, you do. ONE IP per SSL site on the outside of your router.
>
> Think about it this way, the SSL certificate ensures data is encrypted
> between the web server software and the web browser software. ALL OTHER
> DEVICES IN BETWEEN CAN'T INTERPRET THE DATA. They can only go by the IP. So
> the router, server hardware, server operating system, client operating
> system, client router, client firewall and your firewall only deal with the
> packet with an IP on it for routing.
>
>
>
| |
| Jeff Cochran 2005-06-30, 8:50 pm |
| On Thu, 30 Jun 2005 07:52:50 -0600, "Frankster" <Frank@SPAM2TRASH.com>
wrote:
>1 public IP per NIC. You need multiple NICs. They can each be in their own
>computer or they can all be in one computer, no matter.
Bummer. Means my systems haven't been working for the last decade.
Multiple IP's can be assigned per NIC, public or private.
Jeff
>"Joe" <Joe@discussions.microsoft.com> wrote in message
>news:91194F6F-F88F-442C-8A0A-F5C9F0881530@microsoft.com...
>
| |
| Jeff Cochran 2005-07-01, 2:48 am |
| On Thu, 30 Jun 2005 14:38:03 -0700, Joe
<Joe@discussions.microsoft.com> wrote:
>Can I ask what do you do in this case such as mine
>
>I have two routers but one with the webserver on it and the router can only
>forward one set of port 80's and 443's. The webserver has one NIC.
Buy a new router/firewall.
You're entering the realm beyond your basic
Linksys/Belkin/Netgear/Whatever broadband Cable/DSL router.
Personally, I'd opt for a Watchguard or SonicWall firewall, route all
the public IP's to it and use it to handle the IP assignments per
machine as well as firewall duties. But ask your ISP, some don't
supply a Cable/DSL router that can route an IP range, they simply pass
DHCP requests through. Fortunately, most have commercial service
available as well as home, with appropriate equipment.
Jeff
>Let me get this clear inside my mind please Sparky
>
>Public IP 69.65.81.xxx
>comes into router A and the webserver internal IP is 192.168.0.4
>I can now port forward 80 and 443 to this IP and get the web. I have this
>done just as this now and it works fine.
>
>So now I want to host my other ecommerce on the same webserver IIS6.0
>and Public IP 69.65.81.13x
>comes into router A and then how would I assign the other IP on the same NIC?
>
>Also I cannot port forward more than one IP on the same port on this router.
>Is there something I can do?
>
>Thanks a million
>Joe
>
>"Sparky Polastri" wrote:
>
| |
|
| Hello Jeff,
This answered my question perfectly =)
I thought that there was another type of hardware. Damn! I asked and asked
but could not get an answer on this.
I can get the firewall myself Watchguard etc... Now what I do not like
however is my ISP's crappy way of assigning IP's. I have commercial service
for business. However they marry the MAC address to the device so this
situation with this ISP will not do. I am going to have to move to another.
Any suggestions?
Somehow I knew you were going to get into the mix ;)
Thank you
Joe
"Jeff Cochran" wrote:
> On Thu, 30 Jun 2005 14:38:03 -0700, Joe
> <Joe@discussions.microsoft.com> wrote:
>
>
> Buy a new router/firewall.
>
> You're entering the realm beyond your basic
> Linksys/Belkin/Netgear/Whatever broadband Cable/DSL router.
> Personally, I'd opt for a Watchguard or SonicWall firewall, route all
> the public IP's to it and use it to handle the IP assignments per
> machine as well as firewall duties. But ask your ISP, some don't
> supply a Cable/DSL router that can route an IP range, they simply pass
> DHCP requests through. Fortunately, most have commercial service
> available as well as home, with appropriate equipment.
>
> Jeff
>
>
>
| |
| Frankster 2005-07-01, 5:57 pm |
| You're right. I was just trying to explain it in the simplest terms that the
OP might be able to understand. Obviously I could have done better. Yes,
IPs don't require a NIC in a computer. The Network interface can be
anywhere (router, firewall device, computer, etc). Also, I am aware that
single NICs can be assigned more than one IP. I was just trying to get the
thought process going that *functionally*, each site needs its own
dedicated public IP.
Anyway, this subject usually comes up because IIS will now allow SSL if you
are hosting multiple sites via the host header method on a single IP.
Therefore I was approaching it with that mindset.
Sorry for any confusion.
-Frank
"Sparky Polastri" <jafiwam@MuNGEDyahoo.com> wrote in message
news:42c400fd$1_3@newspeer2.tds.net...
>
> "Frankster" <Frank@SPAM2TRASH.com> wrote in message
> news:KKmdnbxkdPiuZF7fRVn-og@giganews.com...
>
> NO. That is WRONG. You can assign quite a few IPs per NIC. What, you
> thinking there are servers out there with 256 NICs in them?
>
>
> You must have ONE IP per SSL SITE. PERIOD. That means if you have a
> server with 10 IPs on it, you can have up to 10 SSL sites. (Or 9 SSL
> sites and a bunch of non-SSL sites on the remaining IP.) If you use a
> router and translate addresses, you need ONE IP per SSL ON EACH DEVICE.
> So, 192.168.1.2 - 12 on the server, and 10 translated IPs on the router
> (that still must be uniquely used).
>
>
> So it appears as if I would need a number of IP's
>
> Yes, you do. ONE IP per SSL site on the outside of your router.
>
> Think about it this way, the SSL certificate ensures data is encrypted
> between the web server software and the web browser software. ALL OTHER
> DEVICES IN BETWEEN CAN'T INTERPRET THE DATA. They can only go by the IP.
> So the router, server hardware, server operating system, client operating
> system, client router, client firewall and your firewall only deal with
> the packet with an IP on it for routing.
>
| |
| Frankster 2005-07-01, 5:57 pm |
| >>1 public IP per NIC. You need multiple NICs. They can each be in their
>
> Bummer. Means my systems haven't been working for the last decade.
>
> Multiple IP's can be assigned per NIC, public or private.
>
> Jeff
You're right. See my reply to "Sparky".
-Frank
| |
|
| Hello Frank,
Thank you for your help,
I know this comes up a lot. I am using host headers. I have about 10 sites
now and 1 SSL ecommerce and I knew about the single IP per SSL site and
multiple sites on 1 IP. My questioning was my loss at how you could host a
multitude of SSL sites on few servers as a host. Actually Sparky mentioned
what was going on in my head at the start of the thread. Servers do not have
256 NIC's in them so how do you get the multiple IP's?
Thank you =)
Joe
"Frankster" wrote:
> You're right. I was just trying to explain it in the simplest terms that the
> OP might be able to understand. Obviously I could have done better. Yes,
> IPs don't require a NIC in a computer. The Network interface can be
> anywhere (router, firewall device, computer, etc). Also, I am aware that
> single NICs can be assigned more than one IP. I was just trying to get the
> thought process going that *functionally*, each site needs its own
> dedicated public IP.
>
> Anyway, this subject usually comes up because IIS will now allow SSL if you
> are hosting multiple sites via the host header method on a single IP.
> Therefore I was approaching it with that mindset.
>
> Sorry for any confusion.
>
> -Frank
>
> "Sparky Polastri" <jafiwam@MuNGEDyahoo.com> wrote in message
> news:42c400fd$1_3@newspeer2.tds.net...
>
>
>
| |
| Jeff Cochran 2005-07-02, 5:50 pm |
| On Thu, 30 Jun 2005 20:20:04 -0700, Joe
<Joe@discussions.microsoft.com> wrote:
>I can get the firewall myself Watchguard etc... Now what I do not like
>however is my ISP's crappy way of assigning IP's. I have commercial service
>for business. However they marry the MAC address to the device so this
>situation with this ISP will not do. I am going to have to move to another.
>Any suggestions?
Don't know if there's a solution to that with your current ISP. Many
ISP's using broadband deliver commercial service using dynamic IP's
that have long lease times. It means your IP will rarely change, not
that it will never change. That doesn't lend itself to your using the
service for multiple SSL web sites.
What you want to look into is an ISP that delivers true static IP's,
preferably one who will assign a class C block to you. Depending on
where you are, you might get a full T-1 with 256 addresses and a
router for $500 a month, quite reasonable when your business expands
but a tough nut when you're just starting out.
I have seen a small hosting company use commercial DSL, incoming to a
switch and five cheap Linksys routers from garage sales, each pulling
a dynamic IP and each box holding a couple dozen sites. Obviously low
volume, but the guy had a bill of about $100 a month and collected
$3-400 on the hosting, so it was worth it for him. As sites grew
larger or more demanding he moved them to a hosting company.
Personally, a dedicated server at a hosting company is cheaper and
better in my mind.
Jeff
>Somehow I knew you were going to get into the mix ;)
>Thank you
>Joe
>
>"Jeff Cochran" wrote:
>
| |
|
| Hello Jeff,
> you might get a full T-1 with 256 addresses and a
> router for $500 a month, quite reasonable when your business expands
> but a tough nut when you're just starting out.
You are not kidding the tough nut to crack.
I am going to a full T-1. I am interested in some hosting but more for
multiple ecommerce sites for myself.
> I have seen a small hosting company use commercial DSL, incoming to a
> switch and five cheap Linksys routers from garage sales, each pulling
> a dynamic IP and each box holding a couple dozen sites. Obviously low
> volume, but the guy had a bill of about $100 a month and collected
> $3-400 on the hosting, so it was worth it for him. As sites grew
> larger or more demanding he moved them to a hosting company.
I have commercial routers now but won't do what I need now. ;(
This is what I was kinda doing but see the profit. This is roughly 60,000 a
year more than whatever if he was working on the side. I have much better
equipment and willing to pay the reasonable price to go the distance. Like
buying the correct router and the correct connection. I have some pretty
strong servers ;) however they are useless without a good/correct connection.
I shopped my a** off and my area is limited. (secluded portion of Florida)
T-1 is available =)
So I must tell you one of my greatest assets in this whole venture is Your
input on many things I have posted here.
I thank you and please don't abandon us here you are fantastic.
Joe
"Jeff Cochran" wrote:
> On Thu, 30 Jun 2005 20:20:04 -0700, Joe
> <Joe@discussions.microsoft.com> wrote:
>
>
> Don't know if there's a solution to that with your current ISP. Many
> ISP's using broadband deliver commercial service using dynamic IP's
> that have long lease times. It means your IP will rarely change, not
> that it will never change. That doesn't lend itself to your using the
> service for multiple SSL web sites.
>
> What you want to look into is an ISP that delivers true static IP's,
> preferably one who will assign a class C block to you. Depending on
> where you are, you might get a full T-1 with 256 addresses and a
> router for $500 a month, quite reasonable when your business expands
> but a tough nut when you're just starting out.
>
> I have seen a small hosting company use commercial DSL, incoming to a
> switch and five cheap Linksys routers from garage sales, each pulling
> a dynamic IP and each box holding a couple dozen sites. Obviously low
> volume, but the guy had a bill of about $100 a month and collected
> $3-400 on the hosting, so it was worth it for him. As sites grew
> larger or more demanding he moved them to a hosting company.
>
> Personally, a dedicated server at a hosting company is cheaper and
> better in my mind.
>
> Jeff
>
>
>
>