|
Home > Archive > IIS Server Security > April 2005 > IIS 6 conflict using port 443 for NON-SSL traffic
You are viewing an archived Text-only version of the thread.
To view this thread in it's original format and/or if you want to reply to
this thread please [click here]
| Author |
IIS 6 conflict using port 443 for NON-SSL traffic
|
|
| Richard Dixson 2005-04-08, 5:51 pm |
| I need IIS to respond to HTTP requests on port 443 for different IPs on the
same web server, with one IP set up to handle NON ssl traffic (http://), and
the other set up with a certificate to handle SSL (https://) traffic.
IIS 6.0 (using Win2K3 latest updates/patches) will NOT allow this. When you
try to start the non-https site it complains that it is in use. There is
definately a conflict due to IIS somehow locking port 443 exclusively for
HTTPS traffic.
Under IIS 5.0 I was able to succesfully work around this conflict by
disabling socket pooling. However under IIS 6 disabling socket spooling
does not work.
Here is an example of what I am trying to do: On Web Server "A" I need to
configure it like this:
Virtual web site #1: IP=x.x.x.2: Configured for TCP Port = 443, SSL Port =
<blank>
Virtual web site #2: IP=x.x.x.3: Configured for TCP Port = 80, SSL Port =
443 with installed SSL certificate
So traffic coming in as http://x.x.x.2:443/something.htm gets responded to
as regular http (non-https) traffic over port 443 for this IP. And traffic
coming in as https://x.x.x.3/something.htm gets responded to as https
traffic over port 443 as usual.
I realize it is unusual to have to pass NON https traffic over port 443, but
due to special circumstances this is a core requirement.
If I remove virtual web site #2 than virtual site #1 works great - it will
pass non-https traffic just fine over port 443, but ONLY IF there is no web
site configured on the server to use HTTPS (even if such https web sites are
configured on a different IP).
The work around would be to set up a second dedicated web server for virtual
web site #1 so that it runs without a web site configured to really use
HTTPS. Unfortunately this is not a possibility as I only have one physical
production web server I can use, and I cannot avoid having a site on that
server configured to use HTTPS.
Can anyone offer some advice or tips on how I may be able to work around
this? Anyone know if IIS 7 will work the same way?
Thank you very much in advance!
Richard
| |
| Ken Schaefer 2005-04-11, 2:50 am |
| For IIS6 use httpcfg rather than "disableSocketPooling" metabase setting.
http://support.microsoft.com/kb/813368/EN-US/
Cheers
Ken
--
Blog: www.adopenstatic.com/cs/blogs/ken/
Web: www.adopenstatic.com
"Richard Dixson" <reply@hereonlyplease.com> wrote in message
news:E6KdnZMKkb9dGsvfRVn-1g@comcast.com...
:I need IIS to respond to HTTP requests on port 443 for different IPs on the
: same web server, with one IP set up to handle NON ssl traffic (http://),
and
: the other set up with a certificate to handle SSL (https://) traffic.
:
: IIS 6.0 (using Win2K3 latest updates/patches) will NOT allow this. When
you
: try to start the non-https site it complains that it is in use. There is
: definately a conflict due to IIS somehow locking port 443 exclusively for
: HTTPS traffic.
:
: Under IIS 5.0 I was able to succesfully work around this conflict by
: disabling socket pooling. However under IIS 6 disabling socket spooling
: does not work.
:
: Here is an example of what I am trying to do: On Web Server "A" I need to
: configure it like this:
:
: Virtual web site #1: IP=x.x.x.2: Configured for TCP Port = 443, SSL Port
=
: <blank>
:
: Virtual web site #2: IP=x.x.x.3: Configured for TCP Port = 80, SSL Port =
: 443 with installed SSL certificate
:
: So traffic coming in as http://x.x.x.2:443/something.htm gets responded to
: as regular http (non-https) traffic over port 443 for this IP. And
traffic
: coming in as https://x.x.x.3/something.htm gets responded to as https
: traffic over port 443 as usual.
:
: I realize it is unusual to have to pass NON https traffic over port 443,
but
: due to special circumstances this is a core requirement.
:
: If I remove virtual web site #2 than virtual site #1 works great - it will
: pass non-https traffic just fine over port 443, but ONLY IF there is no
web
: site configured on the server to use HTTPS (even if such https web sites
are
: configured on a different IP).
:
: The work around would be to set up a second dedicated web server for
virtual
: web site #1 so that it runs without a web site configured to really use
: HTTPS. Unfortunately this is not a possibility as I only have one
physical
: production web server I can use, and I cannot avoid having a site on that
: server configured to use HTTPS.
:
: Can anyone offer some advice or tips on how I may be able to work around
: this? Anyone know if IIS 7 will work the same way?
:
: Thank you very much in advance!
:
: Richard
:
:
| |
| Richard Dixson 2005-04-11, 2:50 am |
| Unfortunately I tried that as well without success. I tried several ways.
The bottom line seems to be that something about port 443 is treated quite
specially by IIS 6 and it does not want to allow it to share port 443 by
non-SSL on one IP with SSL on another IP.
I am wondering if anyone else has run into this or is aware of it, and how I
may be able to work around it.
Richard
"Ken Schaefer" <kenREMOVE@THISadOpenStatic.com> wrote in message
news:O8rwUYkPFHA.2252@TK2MSFTNGP15.phx.gbl...
> For IIS6 use httpcfg rather than "disableSocketPooling" metabase setting.
>
> http://support.microsoft.com/kb/813368/EN-US/
>
> Cheers
> Ken
>
> --
> Blog: www.adopenstatic.com/cs/blogs/ken/
> Web: www.adopenstatic.com
>
>
> "Richard Dixson" <reply@hereonlyplease.com> wrote in message
> news:E6KdnZMKkb9dGsvfRVn-1g@comcast.com...
> :I need IIS to respond to HTTP requests on port 443 for different IPs on
the
> : same web server, with one IP set up to handle NON ssl traffic (http://),
> and
> : the other set up with a certificate to handle SSL (https://) traffic.
> :
> : IIS 6.0 (using Win2K3 latest updates/patches) will NOT allow this. When
> you
> : try to start the non-https site it complains that it is in use. There
is
> : definately a conflict due to IIS somehow locking port 443 exclusively
for
> : HTTPS traffic.
> :
> : Under IIS 5.0 I was able to succesfully work around this conflict by
> : disabling socket pooling. However under IIS 6 disabling socket spooling
> : does not work.
> :
> : Here is an example of what I am trying to do: On Web Server "A" I need
to
> : configure it like this:
> :
> : Virtual web site #1: IP=x.x.x.2: Configured for TCP Port = 443, SSL
Port
> =
> : <blank>
> :
> : Virtual web site #2: IP=x.x.x.3: Configured for TCP Port = 80, SSL Port
=
> : 443 with installed SSL certificate
> :
> : So traffic coming in as http://x.x.x.2:443/something.htm gets responded
to
> : as regular http (non-https) traffic over port 443 for this IP. And
> traffic
> : coming in as https://x.x.x.3/something.htm gets responded to as https
> : traffic over port 443 as usual.
> :
> : I realize it is unusual to have to pass NON https traffic over port 443,
> but
> : due to special circumstances this is a core requirement.
> :
> : If I remove virtual web site #2 than virtual site #1 works great - it
will
> : pass non-https traffic just fine over port 443, but ONLY IF there is no
> web
> : site configured on the server to use HTTPS (even if such https web sites
> are
> : configured on a different IP).
> :
> : The work around would be to set up a second dedicated web server for
> virtual
> : web site #1 so that it runs without a web site configured to really use
> : HTTPS. Unfortunately this is not a possibility as I only have one
> physical
> : production web server I can use, and I cannot avoid having a site on
that
> : server configured to use HTTPS.
> :
> : Can anyone offer some advice or tips on how I may be able to work around
> : this? Anyone know if IIS 7 will work the same way?
> :
> : Thank you very much in advance!
> :
> : Richard
> :
> :
>
>
| |
| Ken Schaefer 2005-04-11, 2:50 am |
| Did you restart http.sys after you made the change?
Cheers
Ken
--
Blog: www.adopenstatic.com/cs/blogs/ken/
Web: www.adopenstatic.com
"Richard Dixson" <reply@hereonlyplease.com> wrote in message
news:bZWdnVdDb-ntY8TfRVn-oA@comcast.com...
: Unfortunately I tried that as well without success. I tried several ways.
:
: The bottom line seems to be that something about port 443 is treated quite
: specially by IIS 6 and it does not want to allow it to share port 443 by
: non-SSL on one IP with SSL on another IP.
:
: I am wondering if anyone else has run into this or is aware of it, and how
I
: may be able to work around it.
:
: Richard
:
: "Ken Schaefer" <kenREMOVE@THISadOpenStatic.com> wrote in message
: news:O8rwUYkPFHA.2252@TK2MSFTNGP15.phx.gbl...
: > For IIS6 use httpcfg rather than "disableSocketPooling" metabase
setting.
: >
: > http://support.microsoft.com/kb/813368/EN-US/
: >
: > Cheers
: > Ken
: >
: > --
: > Blog: www.adopenstatic.com/cs/blogs/ken/
: > Web: www.adopenstatic.com
: >
: >
: > "Richard Dixson" <reply@hereonlyplease.com> wrote in message
: > news:E6KdnZMKkb9dGsvfRVn-1g@comcast.com...
: > :I need IIS to respond to HTTP requests on port 443 for different IPs on
: the
: > : same web server, with one IP set up to handle NON ssl traffic
(http://),
: > and
: > : the other set up with a certificate to handle SSL (https://) traffic.
: > :
: > : IIS 6.0 (using Win2K3 latest updates/patches) will NOT allow this.
When
: > you
: > : try to start the non-https site it complains that it is in use. There
: is
: > : definately a conflict due to IIS somehow locking port 443 exclusively
: for
: > : HTTPS traffic.
: > :
: > : Under IIS 5.0 I was able to succesfully work around this conflict by
: > : disabling socket pooling. However under IIS 6 disabling socket
spooling
: > : does not work.
: > :
: > : Here is an example of what I am trying to do: On Web Server "A" I need
: to
: > : configure it like this:
: > :
: > : Virtual web site #1: IP=x.x.x.2: Configured for TCP Port = 443, SSL
: Port
: > =
: > : <blank>
: > :
: > : Virtual web site #2: IP=x.x.x.3: Configured for TCP Port = 80, SSL
Port
: =
: > : 443 with installed SSL certificate
: > :
: > : So traffic coming in as http://x.x.x.2:443/something.htm gets
responded
: to
: > : as regular http (non-https) traffic over port 443 for this IP. And
: > traffic
: > : coming in as https://x.x.x.3/something.htm gets responded to as https
: > : traffic over port 443 as usual.
: > :
: > : I realize it is unusual to have to pass NON https traffic over port
443,
: > but
: > : due to special circumstances this is a core requirement.
: > :
: > : If I remove virtual web site #2 than virtual site #1 works great - it
: will
: > : pass non-https traffic just fine over port 443, but ONLY IF there is
no
: > web
: > : site configured on the server to use HTTPS (even if such https web
sites
: > are
: > : configured on a different IP).
: > :
: > : The work around would be to set up a second dedicated web server for
: > virtual
: > : web site #1 so that it runs without a web site configured to really
use
: > : HTTPS. Unfortunately this is not a possibility as I only have one
: > physical
: > : production web server I can use, and I cannot avoid having a site on
: that
: > : server configured to use HTTPS.
: > :
: > : Can anyone offer some advice or tips on how I may be able to work
around
: > : this? Anyone know if IIS 7 will work the same way?
: > :
: > : Thank you very much in advance!
: > :
: > : Richard
: > :
: > :
: >
: >
:
:
| |
| David Wang [Msft] 2005-04-11, 8:49 pm |
| This is a known limitation in HTTP.SYS in Windows Server 2003 and there is
no work-around.
HTTP.SYS does not support re-using the same PORT with different protocols,
nor does it support binding exclusive IP:Port combination.
In other words, suppose you have one website with IP1:Port1:Host1 over HTTP:
1. IP2:Port1 over SSL is not allowed
2. IP2:Port2:Host2 over HTTP prevents IP1:Port2 or IP2:Port1 from being
bound by another server.
Both issues are inside of HTTP.SYS so IIS version doesn't make a difference,
but I will see whether these issues in HTTP.SYS can be addressed in the IIS7
timeframe.
--
//David
IIS
http://blogs.msdn.com/David.Wang
This posting is provided "AS IS" with no warranties, and confers no rights.
//
"Richard Dixson" <reply@hereonlyplease.com> wrote in message
news:bZWdnVdDb-ntY8TfRVn-oA@comcast.com...
Unfortunately I tried that as well without success. I tried several ways.
The bottom line seems to be that something about port 443 is treated quite
specially by IIS 6 and it does not want to allow it to share port 443 by
non-SSL on one IP with SSL on another IP.
I am wondering if anyone else has run into this or is aware of it, and how I
may be able to work around it.
Richard
"Ken Schaefer" <kenREMOVE@THISadOpenStatic.com> wrote in message
news:O8rwUYkPFHA.2252@TK2MSFTNGP15.phx.gbl...
> For IIS6 use httpcfg rather than "disableSocketPooling" metabase setting.
>
> http://support.microsoft.com/kb/813368/EN-US/
>
> Cheers
> Ken
>
> --
> Blog: www.adopenstatic.com/cs/blogs/ken/
> Web: www.adopenstatic.com
>
>
> "Richard Dixson" <reply@hereonlyplease.com> wrote in message
> news:E6KdnZMKkb9dGsvfRVn-1g@comcast.com...
> :I need IIS to respond to HTTP requests on port 443 for different IPs on
the
> : same web server, with one IP set up to handle NON ssl traffic (http://),
> and
> : the other set up with a certificate to handle SSL (https://) traffic.
> :
> : IIS 6.0 (using Win2K3 latest updates/patches) will NOT allow this. When
> you
> : try to start the non-https site it complains that it is in use. There
is
> : definately a conflict due to IIS somehow locking port 443 exclusively
for
> : HTTPS traffic.
> :
> : Under IIS 5.0 I was able to succesfully work around this conflict by
> : disabling socket pooling. However under IIS 6 disabling socket spooling
> : does not work.
> :
> : Here is an example of what I am trying to do: On Web Server "A" I need
to
> : configure it like this:
> :
> : Virtual web site #1: IP=x.x.x.2: Configured for TCP Port = 443, SSL
Port
> =
> : <blank>
> :
> : Virtual web site #2: IP=x.x.x.3: Configured for TCP Port = 80, SSL Port
=
> : 443 with installed SSL certificate
> :
> : So traffic coming in as http://x.x.x.2:443/something.htm gets responded
to
> : as regular http (non-https) traffic over port 443 for this IP. And
> traffic
> : coming in as https://x.x.x.3/something.htm gets responded to as https
> : traffic over port 443 as usual.
> :
> : I realize it is unusual to have to pass NON https traffic over port 443,
> but
> : due to special circumstances this is a core requirement.
> :
> : If I remove virtual web site #2 than virtual site #1 works great - it
will
> : pass non-https traffic just fine over port 443, but ONLY IF there is no
> web
> : site configured on the server to use HTTPS (even if such https web sites
> are
> : configured on a different IP).
> :
> : The work around would be to set up a second dedicated web server for
> virtual
> : web site #1 so that it runs without a web site configured to really use
> : HTTPS. Unfortunately this is not a possibility as I only have one
> physical
> : production web server I can use, and I cannot avoid having a site on
that
> : server configured to use HTTPS.
> :
> : Can anyone offer some advice or tips on how I may be able to work around
> : this? Anyone know if IIS 7 will work the same way?
> :
> : Thank you very much in advance!
> :
> : Richard
> :
> :
>
>
| |
| David Wang [Msft] 2005-04-13, 2:52 am |
| Ok, I got word that this will be addressed in the IIS7 timeframe by
HTTP.SYS.
It actually has nothing to do with port 443 -- it could be any port.
HTTP.SYS in WS03 did not allow one port number to be used for both HTTP and
HTTPS.
--
//David
IIS
http://blogs.msdn.com/David.Wang
This posting is provided "AS IS" with no warranties, and confers no rights.
//
"Richard Dixson" <reply@hereonlyplease.com> wrote in message
news:bZWdnVdDb-ntY8TfRVn-oA@comcast.com...
Unfortunately I tried that as well without success. I tried several ways.
The bottom line seems to be that something about port 443 is treated quite
specially by IIS 6 and it does not want to allow it to share port 443 by
non-SSL on one IP with SSL on another IP.
I am wondering if anyone else has run into this or is aware of it, and how I
may be able to work around it.
Richard
"Ken Schaefer" <kenREMOVE@THISadOpenStatic.com> wrote in message
news:O8rwUYkPFHA.2252@TK2MSFTNGP15.phx.gbl...
> For IIS6 use httpcfg rather than "disableSocketPooling" metabase setting.
>
> http://support.microsoft.com/kb/813368/EN-US/
>
> Cheers
> Ken
>
> --
> Blog: www.adopenstatic.com/cs/blogs/ken/
> Web: www.adopenstatic.com
>
>
> "Richard Dixson" <reply@hereonlyplease.com> wrote in message
> news:E6KdnZMKkb9dGsvfRVn-1g@comcast.com...
> :I need IIS to respond to HTTP requests on port 443 for different IPs on
the
> : same web server, with one IP set up to handle NON ssl traffic (http://),
> and
> : the other set up with a certificate to handle SSL (https://) traffic.
> :
> : IIS 6.0 (using Win2K3 latest updates/patches) will NOT allow this. When
> you
> : try to start the non-https site it complains that it is in use. There
is
> : definately a conflict due to IIS somehow locking port 443 exclusively
for
> : HTTPS traffic.
> :
> : Under IIS 5.0 I was able to succesfully work around this conflict by
> : disabling socket pooling. However under IIS 6 disabling socket spooling
> : does not work.
> :
> : Here is an example of what I am trying to do: On Web Server "A" I need
to
> : configure it like this:
> :
> : Virtual web site #1: IP=x.x.x.2: Configured for TCP Port = 443, SSL
Port
> =
> : <blank>
> :
> : Virtual web site #2: IP=x.x.x.3: Configured for TCP Port = 80, SSL Port
=
> : 443 with installed SSL certificate
> :
> : So traffic coming in as http://x.x.x.2:443/something.htm gets responded
to
> : as regular http (non-https) traffic over port 443 for this IP. And
> traffic
> : coming in as https://x.x.x.3/something.htm gets responded to as https
> : traffic over port 443 as usual.
> :
> : I realize it is unusual to have to pass NON https traffic over port 443,
> but
> : due to special circumstances this is a core requirement.
> :
> : If I remove virtual web site #2 than virtual site #1 works great - it
will
> : pass non-https traffic just fine over port 443, but ONLY IF there is no
> web
> : site configured on the server to use HTTPS (even if such https web sites
> are
> : configured on a different IP).
> :
> : The work around would be to set up a second dedicated web server for
> virtual
> : web site #1 so that it runs without a web site configured to really use
> : HTTPS. Unfortunately this is not a possibility as I only have one
> physical
> : production web server I can use, and I cannot avoid having a site on
that
> : server configured to use HTTPS.
> :
> : Can anyone offer some advice or tips on how I may be able to work around
> : this? Anyone know if IIS 7 will work the same way?
> :
> : Thank you very much in advance!
> :
> : Richard
> :
> :
>
>
| |
| Richard Dixson 2005-04-25, 2:52 am |
| Thank you very much for the follow up David.
Just to make sure I am understanding you correctly, after this enhancement
is made it will be possible to have IIS answering for a 443 regular http
traffic for IP X and 443 HTTPS traffic on port 443 for a different IP on the
same machine - is this right?
Also - do you know how this updated HTTPS.SYS will be distributed? Do you
think it may be possible to use this enhanced HTTPS.SYS with IIS 6 on WS03?
Or will it only ship with files installed with IIS 7.0?
Thanks again for all your help with this.
Richard
"David Wang [Msft]" <someone@online.microsoft.com> wrote in message
news:OsSPgo9PFHA.3880@tk2msftngp13.phx.gbl...
> Ok, I got word that this will be addressed in the IIS7 timeframe by
> HTTP.SYS.
>
> It actually has nothing to do with port 443 -- it could be any port.
> HTTP.SYS in WS03 did not allow one port number to be used for both HTTP
and
> HTTPS.
>
> --
> //David
> IIS
> http://blogs.msdn.com/David.Wang
> This posting is provided "AS IS" with no warranties, and confers no
rights.
> //
> "Richard Dixson" <reply@hereonlyplease.com> wrote in message
> news:bZWdnVdDb-ntY8TfRVn-oA@comcast.com...
> Unfortunately I tried that as well without success. I tried several ways.
>
> The bottom line seems to be that something about port 443 is treated quite
> specially by IIS 6 and it does not want to allow it to share port 443 by
> non-SSL on one IP with SSL on another IP.
>
> I am wondering if anyone else has run into this or is aware of it, and how
I
> may be able to work around it.
>
> Richard
>
> "Ken Schaefer" <kenREMOVE@THISadOpenStatic.com> wrote in message
> news:O8rwUYkPFHA.2252@TK2MSFTNGP15.phx.gbl...
setting.[vbcol=seagreen]
> the
(http://),[vbcol=seagreen]
When[vbcol=seagreen]
> is
> for
spooling[vbcol=seagreen]
> to
> Port
Port[vbcol=seagreen]
> =
responded[vbcol=seagreen]
> to
443,[vbcol=seagreen]
> will
no[vbcol=seagreen]
sites[vbcol=seagreen]
use[vbcol=seagreen]
> that
around[vbcol=seagreen]
>
>
>
| |
| David Wang [Msft] 2005-04-25, 8:48 pm |
| I talked with members on the HTTP.SYS team, and both restrictions that I
named earlier are planned to be addressed in HTTP.SYS on Longhorn, which is
within the IIS7 timeframe.
1. HTTP over IP1:Port1 and HTTPS over IP2:Port1 will be allowed
2. IP1:Port1 and IP2:Port2 will not prevent IP1:Port2 and IP2:Port1 from
being bound by another server
These changes are planned in HTTP.SYS on Longhorn. Having customer usage
scenario helps tremendously, so the next time you do not like something, be
sure to report it; if you stay silent, no one knows you don't like it.
The only chance to get it on HTTP.SYS on Windows Server 2003 is to open a
support case and make a request for it. This puts it on the radar of things
to consider backporting but is no guarantee. It is a matter of cost/benefit
when it comes to post RTM changes.
--
//David
IIS
http://blogs.msdn.com/David.Wang
This posting is provided "AS IS" with no warranties, and confers no rights.
//
"Richard Dixson" <reply@hereonlyplease.com> wrote in message
news:I9Wdnf4XHpD47PHfRVn-ow@comcast.com...
Thank you very much for the follow up David.
Just to make sure I am understanding you correctly, after this enhancement
is made it will be possible to have IIS answering for a 443 regular http
traffic for IP X and 443 HTTPS traffic on port 443 for a different IP on the
same machine - is this right?
Also - do you know how this updated HTTPS.SYS will be distributed? Do you
think it may be possible to use this enhanced HTTPS.SYS with IIS 6 on WS03?
Or will it only ship with files installed with IIS 7.0?
Thanks again for all your help with this.
Richard
"David Wang [Msft]" <someone@online.microsoft.com> wrote in message
news:OsSPgo9PFHA.3880@tk2msftngp13.phx.gbl...
> Ok, I got word that this will be addressed in the IIS7 timeframe by
> HTTP.SYS.
>
> It actually has nothing to do with port 443 -- it could be any port.
> HTTP.SYS in WS03 did not allow one port number to be used for both HTTP
and
> HTTPS.
>
> --
> //David
> IIS
> http://blogs.msdn.com/David.Wang
> This posting is provided "AS IS" with no warranties, and confers no
rights.
> //
> "Richard Dixson" <reply@hereonlyplease.com> wrote in message
> news:bZWdnVdDb-ntY8TfRVn-oA@comcast.com...
> Unfortunately I tried that as well without success. I tried several ways.
>
> The bottom line seems to be that something about port 443 is treated quite
> specially by IIS 6 and it does not want to allow it to share port 443 by
> non-SSL on one IP with SSL on another IP.
>
> I am wondering if anyone else has run into this or is aware of it, and how
I
> may be able to work around it.
>
> Richard
>
> "Ken Schaefer" <kenREMOVE@THISadOpenStatic.com> wrote in message
> news:O8rwUYkPFHA.2252@TK2MSFTNGP15.phx.gbl...
setting.[vbcol=seagreen]
> the
(http://),[vbcol=seagreen]
When[vbcol=seagreen]
> is
> for
spooling[vbcol=seagreen]
> to
> Port
Port[vbcol=seagreen]
> =
responded[vbcol=seagreen]
> to
443,[vbcol=seagreen]
> will
no[vbcol=seagreen]
sites[vbcol=seagreen]
use[vbcol=seagreen]
> that
around[vbcol=seagreen]
>
>
>
| |
| Richard Dixson 2005-04-26, 2:49 am |
| Thanks for the excellent support David. When the new HTTPS.SYS and IIS 7
are available, will it still be necessary to disable socket pooling and such
to be able to have the same port answer for SSL on one IP and non-SSL on
another IP (as we have been talking about)? For example as I recall what I
am after did work on Win 2000 with IIS, but you had to disable socket
pooling. It would be nice if they made the whole process much easier.
Seems some assumptions are being made for the benefit of better performance
which is good in some cases but can complicate things for special cases such
as this.
Richard
"David Wang [Msft]" <someone@online.microsoft.com> wrote in message
news:O5vTJHgSFHA.1396@TK2MSFTNGP10.phx.gbl...
> I talked with members on the HTTP.SYS team, and both restrictions that I
> named earlier are planned to be addressed in HTTP.SYS on Longhorn, which
is
> within the IIS7 timeframe.
> 1. HTTP over IP1:Port1 and HTTPS over IP2:Port1 will be allowed
> 2. IP1:Port1 and IP2:Port2 will not prevent IP1:Port2 and IP2:Port1 from
> being bound by another server
>
> These changes are planned in HTTP.SYS on Longhorn. Having customer usage
> scenario helps tremendously, so the next time you do not like something,
be
> sure to report it; if you stay silent, no one knows you don't like it.
>
> The only chance to get it on HTTP.SYS on Windows Server 2003 is to open a
> support case and make a request for it. This puts it on the radar of
things
> to consider backporting but is no guarantee. It is a matter of
cost/benefit
> when it comes to post RTM changes.
>
> --
> //David
> IIS
> http://blogs.msdn.com/David.Wang
| |
| David Wang [Msft] 2005-04-26, 2:49 am |
| FYI: The details of how it works/implemented as well as default value is
really not ready for discussion at this point in time. My suspicion is that
pooling will remain the default.
You realize that the default settings are usually for the benefit of the
broader customer base. Special cases usually require special configuration.
It is better to have 90% of customers see things magically work than for 10%
of customers to NOT have to disable pooling. We also assume that users with
special configuration needs also read special documentation to know how to
make the special configuration.
--
//David
IIS
http://blogs.msdn.com/David.Wang
This posting is provided "AS IS" with no warranties, and confers no rights.
//
"Richard Dixson" <reply@hereonlyplease.com> wrote in message
news:_4idnTMKN5yAL_DfRVn-tA@comcast.com...
Thanks for the excellent support David. When the new HTTPS.SYS and IIS 7
are available, will it still be necessary to disable socket pooling and such
to be able to have the same port answer for SSL on one IP and non-SSL on
another IP (as we have been talking about)? For example as I recall what I
am after did work on Win 2000 with IIS, but you had to disable socket
pooling. It would be nice if they made the whole process much easier.
Seems some assumptions are being made for the benefit of better performance
which is good in some cases but can complicate things for special cases such
as this.
Richard
"David Wang [Msft]" <someone@online.microsoft.com> wrote in message
news:O5vTJHgSFHA.1396@TK2MSFTNGP10.phx.gbl...
> I talked with members on the HTTP.SYS team, and both restrictions that I
> named earlier are planned to be addressed in HTTP.SYS on Longhorn, which
is
> within the IIS7 timeframe.
> 1. HTTP over IP1:Port1 and HTTPS over IP2:Port1 will be allowed
> 2. IP1:Port1 and IP2:Port2 will not prevent IP1:Port2 and IP2:Port1 from
> being bound by another server
>
> These changes are planned in HTTP.SYS on Longhorn. Having customer usage
> scenario helps tremendously, so the next time you do not like something,
be
> sure to report it; if you stay silent, no one knows you don't like it.
>
> The only chance to get it on HTTP.SYS on Windows Server 2003 is to open a
> support case and make a request for it. This puts it on the radar of
things
> to consider backporting but is no guarantee. It is a matter of
cost/benefit
> when it comes to post RTM changes.
>
> --
> //David
> IIS
> http://blogs.msdn.com/David.Wang
|
|
|
|
|