"yaponamat" <yapona***@discussions.microsoft.com> wrote in message
news:D2D37BFC-3D3A-4EC4-95C8-F9B80A143F90@microsoft.com...
> Hello,
>
> I`d appreciate help with the following scenario:
>
> I have a Sharepoint installation, obviously on top of IIS. We generated
> several sites via Sharepoint, that are accessible as third level domains:
> home.ourdomain.com project1.ourdomain.com, project2.ourdomain.com etc.
> They
> are all hosted out of one IIS server, DNS for all these domains points to
> IIS
> server and then IIS determines which site to present to end users based on
> host headers.
>
> We would like to enable SSL on all of these sites. However, there is the
> known requirement for unique ip/port combination for each secure site.
> Hosting SSL on alternate ports for each site is not an option for us, so
> we
> are faced with assigning multiple IPs to the IIS server, creating NAT
> entries
> on the firewall for each IP, registering A records for each individual
> domain
> and pointing them to different IPs – a lot of admin nad maintenance
> overhead.
>
> Now, I read here: http://www.sitepoint.com/forums/showthread.php?t=231424
> about a possible solution with using wildcard certificates:
>
> “Another, more expensive (but reliable) alternative is to have a
> wildcard
> ssl and offer sub-domains that share the same SSL certificate, in this
> situation you do not have to buy additional IP addresses (but have to pay
> a
> lot for these certificates)!”
>
> We do have a wildcard certificate for our root domain *.ourdomain.com. All
> the websites under IIS are using this wildcard certificate. As per
> proposed
> solution quoted above, we should be able to skip using multiple IPs.
> However,
> it doesn`t seem to work: if I specify default 443 port for two SSL
> websites
> and set IP to either “default” or the primary IP of the server for
> both of
> them, when I try to load home.ourdomain.com over SSL it does load, but
> then
> if I try project1.ourdomain.com over SSL, it loads home.ourdomain.com
> content
> instead. There are separate A records for home.ourdomain.com and
> project1.ourdomain.com, both pointing to the same IP.
>
> Could someone please tell if wildcard certificate solution is of any help
> as
> claimed on this forum:
> http://www.sitepoint.com/forums/showthread.php?t=231424
>
> If it does help to work around assigning multiple IPs to the IIS server,
> what might I be doing wrong?
>
> If wildcard certificate deal doesn`t help, are there any alternatives,
> perhaps plugins by third parties or something like that? I`d very much
> like
> to avoid having multiple IPs, since we may have 40 or 50 different third
> level domain based websites under Sharepoint and managing all of this is a
> bit of a pain.
>
> Thanks in advance for any help.
>

"Bernard" wrote:

> Sharepoint is just webapp sitting on IIS, and I tested wildcard before and
> it works.
> Did you configure the cert in 2nd or 3rd sites as well ?
>
> at the 2nd site property, directory security tab. can you view the
> certificate ?
>
> --
> Regards,
> Bernard Cheah
> http://www.tryiis.com/
> http://support.microsoft.com/
> http://www.msmvps.com/bernard/
>
>
> "yaponamat" <yapona***@discussions.microsoft.com> wrote in message
> news:D2D37BFC-3D3A-4EC4-95C8-F9B80A143F90@microsoft.com...
> > Hello,
> >
> > I`d appreciate help with the following scenario:
> >
> > I have a Sharepoint installation, obviously on top of IIS. We generated
> > several sites via Sharepoint, that are accessible as third level domains:
> > home.ourdomain.com project1.ourdomain.com, project2.ourdomain.com etc.
> > They
> > are all hosted out of one IIS server, DNS for all these domains points to
> > IIS
> > server and then IIS determines which site to present to end users based on
> > host headers.
> >
> > We would like to enable SSL on all of these sites. However, there is the
> > known requirement for unique ip/port combination for each secure site.
> > Hosting SSL on alternate ports for each site is not an option for us, so
> > we
> > are faced with assigning multiple IPs to the IIS server, creating NAT
> > entries
> > on the firewall for each IP, registering A records for each individual
> > domain
> > and pointing them to different IPs – a lot of admin nad maintenance
> > overhead.
> >
> > Now, I read here: http://www.sitepoint.com/forums/showthread.php?t=231424
> > about a possible solution with using wildcard certificates:
> >
> > “Another, more expensive (but reliable) alternative is to have a
> > wildcard
> > ssl and offer sub-domains that share the same SSL certificate, in this
> > situation you do not have to buy additional IP addresses (but have to pay
> > a
> > lot for these certificates)!”
> >
> > We do have a wildcard certificate for our root domain *.ourdomain.com. All
> > the websites under IIS are using this wildcard certificate. As per
> > proposed
> > solution quoted above, we should be able to skip using multiple IPs.
> > However,
> > it doesn`t seem to work: if I specify default 443 port for two SSL
> > websites
> > and set IP to either “default” or the primary IP of the server for
> > both of
> > them, when I try to load home.ourdomain.com over SSL it does load, but
> > then
> > if I try project1.ourdomain.com over SSL, it loads home.ourdomain.com
> > content
> > instead. There are separate A records for home.ourdomain.com and
> > project1.ourdomain.com, both pointing to the same IP.
> >
> > Could someone please tell if wildcard certificate solution is of any help
> > as
> > claimed on this forum:
> > http://www.sitepoint.com/forums/showthread.php?t=231424
> >
> > If it does help to work around assigning multiple IPs to the IIS server,
> > what might I be doing wrong?
> >
> > If wildcard certificate deal doesn`t help, are there any alternatives,
> > perhaps plugins by third parties or something like that? I`d very much
> > like
> > to avoid having multiple IPs, since we may have 40 or 50 different third
> > level domain based websites under Sharepoint and managing all of this is a
> > bit of a pain.
> >
> > Thanks in advance for any help.
> >
>
>
>

"yaponamat" <yapona***@discussions.microsoft.com> wrote in message
news:22EC8BEA-889D-4619-807F-FAB5EF46FA22@microsoft.com...
> Bernard,
>
> thanks for your reply. yes, the cert is configured for all websites and I
> can view it under 2nd or 3rd site`s directory security.
>
> However, the stuff doesn`t work on single ip/port combination. it would
> load
> one site`s content only. here`s a good explanation of the process I found
> in
> this newsgroup:
>
> ---------------------------------------------------------
> Here's a quick description, to demonstrate why:
>
> 1. The client takes the URL and resolves the name into an IP address, and
> a
> port (usually a default port).
> 2. The client connects to that IP address, on the requested port
> 3. The server running at that IP address and port answers.
> 4. The client sends a "hello" message, asking the server to send its
> certificate.
> 5. The server sends the certificate to the client.
> 6. The client checks the name in the certificate against the name it had
> in
> step 1.
> 7.1. If the certificate matches, the client and server start encrypted
> exchanges.
> 7.2. If the certificate doesn't match, the client displays an error to the
> user and stops.
> 8. The client sends HTTP request headers, encrypted, to the server.
> 9. The server sends back HTTP responses, encrypted, containing content
> requested.
>
> Note that host headers are sent in step 8, but the server has to pick a
> certificate to send in step 5, and that certificate must have the server
> name that the user asked for.  The server has no clue as to which
> certificate it must pick, so it must have a single certificate to send
> back
> on that IP address and port.
>
> There is work under way to produce a "next version" of TLS, that will
> allow
> a client to send the host name it wants in step 4, so that the server can
> choose among several certificates, but it is not clear exactly when (if
> ever) this will be implemented in browsers or web servers - and it has to
> be
> implemented, and enabled, in both if it is to work.
> ----------------------------------------------------------------------------------------
>
> I`m still curious whether it`s possible to get it to work with wildcard
> certificate...
>
>
> "Bernard" wrote:
>
>> Sharepoint is just webapp sitting on IIS, and I tested wildcard before
>> and
>> it works.
>> Did you configure the cert in 2nd or 3rd sites as well ?
>>
>> at the 2nd site property, directory security tab. can you view the
>> certificate ?
>>
>> --
>> Regards,
>> Bernard Cheah
>> http://www.tryiis.com/
>> http://support.microsoft.com/
>> http://www.msmvps.com/bernard/
>>
>>
>> "yaponamat" <yapona***@discussions.microsoft.com> wrote in message
>> news:D2D37BFC-3D3A-4EC4-95C8-F9B80A143F90@microsoft.com...
>> > Hello,
>> >
>> > I`d appreciate help with the following scenario:
>> >
>> > I have a Sharepoint installation, obviously on top of IIS. We generated
>> > several sites via Sharepoint, that are accessible as third level
>> > domains:
>> > home.ourdomain.com project1.ourdomain.com, project2.ourdomain.com etc.
>> > They
>> > are all hosted out of one IIS server, DNS for all these domains points
>> > to
>> > IIS
>> > server and then IIS determines which site to present to end users based
>> > on
>> > host headers.
>> >
>> > We would like to enable SSL on all of these sites. However, there is
>> > the
>> > known requirement for unique ip/port combination for each secure site.
>> > Hosting SSL on alternate ports for each site is not an option for us,
>> > so
>> > we
>> > are faced with assigning multiple IPs to the IIS server, creating NAT
>> > entries
>> > on the firewall for each IP, registering A records for each individual
>> > domain
>> > and pointing them to different IPs – a lot of admin nad
>> > maintenance
>> > overhead.
>> >
>> > Now, I read here:
>> > http://www.sitepoint.com/forums/showthread.php?t=231424
>> > about a possible solution with using wildcard certificates:
>> >
>> > “Another, more expensive (but reliable) alternative is to have a
>> > wildcard
>> > ssl and offer sub-domains that share the same SSL certificate, in this
>> > situation you do not have to buy additional IP addresses (but have to
>> > pay
>> > a
>> > lot for these certificates)!”
>> >
>> > We do have a wildcard certificate for our root domain *.ourdomain.com.
>> > All
>> > the websites under IIS are using this wildcard certificate. As per
>> > proposed
>> > solution quoted above, we should be able to skip using multiple IPs.
>> > However,
>> > it doesn`t seem to work: if I specify default 443 port for two SSL
>> > websites
>> > and set IP to either “default” or the primary IP of the
>> > server for
>> > both of
>> > them, when I try to load home.ourdomain.com over SSL it does load, but
>> > then
>> > if I try project1.ourdomain.com over SSL, it loads home.ourdomain.com
>> > content
>> > instead. There are separate A records for home.ourdomain.com and
>> > project1.ourdomain.com, both pointing to the same IP.
>> >
>> > Could someone please tell if wildcard certificate solution is of any
>> > help
>> > as
>> > claimed on this forum:
>> > http://www.sitepoint.com/forums/showthread.php?t=231424
>> >
>> > If it does help to work around assigning multiple IPs to the IIS
>> > server,
>> > what might I be doing wrong?
>> >
>> > If wildcard certificate deal doesn`t help, are there any alternatives,
>> > perhaps plugins by third parties or something like that? I`d very much
>> > like
>> > to avoid having multiple IPs, since we may have 40 or 50 different
>> > third
>> > level domain based websites under Sharepoint and managing all of this
>> > is a
>> > bit of a pain.
>> >
>> > Thanks in advance for any help.
>> >
>>
>>
>>