IIS 6 conflict using port 443 for NON-SSL traffic

I need IIS to respond to HTTP requests on port 443 for different IPs on the same web server, with one IP set up to handle NON ssl traffic (http://), and the other set up with a certificate to handle SSL (https://) traffic.

IIS 6.0 (using Win2K3 latest updates/patches) will NOT allow this. When you try to start the non-https site it complains that it is in use. There is definitely a conflict due to IIS somehow locking port 443 exclusively for HTTPS traffic.

Under IIS 5.0 I was able to successfully work around this conflict by disabling socket pooling. However under IIS 6 disabling socket pooling does not work.

Here is an example of what I am trying to do: On Web Server "A" I need to configure it like this:

Virtual web site #1: IP=x.x.x.2: Configured for TCP Port = 443, SSL Port = <blank>

Virtual web site #2: IP=x.x.x.3: Configured for TCP Port = 80, SSL Port = 443 with installed SSL certificate

So traffic coming in as http://x.x.x.2:443/something.htm gets responded to as regular http (non-https) traffic over port 443 for this IP. And traffic coming in as https://x.x.x.3/something.htm gets responded to as https traffic over port 443 as usual.

I realize it is unusual to have to pass NON https traffic over port 443, but due to special circumstances this is a core requirement.

If I remove virtual web site #2 then virtual site #1 works great - it will pass non-https traffic just fine over port 443, but ONLY IF there is no web site configured on the server to use HTTPS (even if such https web sites are configured on a different IP).

The workaround would be to set up a second dedicated web server for virtual web site #1 so that it runs without a web site configured to really use HTTPS. Unfortunately this is not a possibility as I only have one physical production web server I can use, and I cannot avoid having a site on that server configured to use HTTPS.

Can anyone offer some advice or tips on how I may be able to work around this? Anyone know if IIS 7 will work the same way?
Thank you very much in advance!

Richard

For IIS6 use httpcfg rather than "disableSocketPooling" metabase setting.
http://support.microsoft.com/kb/813368/EN-US/

Cheers
Ken

Unfortunately I tried that as well without success. I tried several ways.
The bottom line seems to be that something about port 443 is treated quite specially by IIS 6 and it does not want to allow it to share port 443 by non-SSL on one IP with SSL on another IP.

I am wondering if anyone else has run into this or is aware of it, and how I may be able to work around it.

Richard

Did you restart http.sys after you made the change?
Cheers
Ken

This is a known limitation in HTTP.SYS in Windows Server 2003 and there is
no work-around. HTTP.SYS does not support re-using the same PORT with different protocols, nor does it support binding exclusive IP:Port combination.

In other words, suppose you have one website with IP1:Port1:Host1 over HTTP:
1. IP2:Port1 over SSL is not allowed
2. IP2:Port2:Host2 over HTTP prevents IP1:Port2 or IP2:Port1 from being bound by another server.

Both issues are inside of HTTP.SYS so IIS version doesn't make a difference, but I will see whether these issues in HTTP.SYS can be addressed in the IIS7 timeframe.

--
//David
IIS
http://blogs.msdn.com/David.Wang
This posting is provided "AS IS" with no warranties, and confers no rights.
//

Ok, I got word that this will be addressed in the IIS7 timeframe by
HTTP.SYS.

It actually has nothing to do with port 443 -- it could be any port. HTTP.SYS in WS03 did not allow one port number to be used for both HTTP and HTTPS.

--
//David
IIS
http://blogs.msdn.com/David.Wang
This posting is provided "AS IS" with no warranties, and confers no rights.
//

Thank you very much for the follow up David.
Just to make sure I am understanding you correctly, after this enhancement is made it will be possible to have IIS answering for a 443 regular http traffic for IP X and 443 HTTPS traffic on port 443 for a different IP on the same machine - is this right?

Also - do you know how this updated HTTPS.SYS will be distributed? Do you think it may be possible to use this enhanced HTTPS.SYS with IIS 6 on WS03? Or will it only ship with files installed with IIS 7.0?

Thanks again for all your help with this.

Richard

I talked with members on the HTTP.SYS team, and both restrictions that I
named earlier are planned to be addressed in HTTP.SYS on Longhorn, which is within the IIS7 timeframe.
1. HTTP over IP1:Port1 and HTTPS over IP2:Port1 will be allowed
2. IP1:Port1 and IP2:Port2 will not prevent IP1:Port2 and IP2:Port1 from being bound by another server

These changes are planned in HTTP.SYS on Longhorn. Having customer usage scenario helps tremendously, so the next time you do not like something, be sure to report it; if you stay silent, no one knows you don't like it.

The only chance to get it on HTTP.SYS on Windows Server 2003 is to open a support case and make a request for it. This puts it on the radar of things to consider backporting but is no guarantee. It is a matter of cost/benefit when it comes to post RTM changes.

--
//David
IIS
http://blogs.msdn.com/David.Wang
This posting is provided "AS IS" with no warranties, and confers no rights.
//

Thanks for the excellent support David. When the new HTTPS.SYS and IIS 7
are available, will it still be necessary to disable socket pooling and such to be able to have the same port answer for SSL on one IP and non-SSL on another IP (as we have been talking about)? For example as I recall what I am after did work on Win 2000 with IIS, but you had to disable socket pooling.

It would be nice if they made the whole process much easier. Seems some assumptions are being made for the benefit of better performance which is good in some cases but can complicate things for special cases such as this.

Richard

FYI: The details of how it works/implemented as well as default value is
really not ready for discussion at this point in time. My suspicion is that pooling will remain the default.

You realize that the default settings are usually for the benefit of the broader customer base. Special cases usually require special configuration. It is better to have 90% of customers see things magically work than for 10% of customers to NOT have to disable pooling. We also assume that users with special configuration needs also read special documentation to know how to make the special configuration.

--
//David
IIS
http://blogs.msdn.com/David.Wang
This posting is provided "AS IS" with no warranties, and confers no rights.
//
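
The two Windows Server 2003 HTTP.SYS restrictions David Wang describes in this thread can be checked against a planned set of site bindings before anything is deployed. This is an added example, not code from any poster or from Microsoft; it models only the rules as stated in the thread, and the `Binding` class, the function names, the site labels, the `other-httpd` listener and the 192.0.2.x addresses (standing in for x.x.x.2 and x.x.x.3) are assumptions.

```python
from dataclasses import dataclass
from itertools import product


@dataclass(frozen=True)
class Binding:
    site: str    # label for the IIS web site (hypothetical names below)
    ip: str
    port: int
    scheme: str  # "http" or "https"


def mixed_scheme_ports(bindings):
    """Restriction 1 from the thread: one port number cannot serve both
    HTTP and HTTPS, even when the bindings are on different IP addresses.
    Returns {port: [(site, ip, scheme), ...]} for every offending port."""
    by_port = {}
    for b in bindings:
        by_port.setdefault(b.port, []).append(b)
    return {
        port: sorted((b.site, b.ip, b.scheme) for b in group)
        for port, group in by_port.items()
        if len({b.scheme for b in group}) > 1
    }


def shadowed_endpoints(bindings):
    """Restriction 2 from the thread: with sites on IP1:Port1 and
    IP2:Port2, the crossed pairs IP1:Port2 and IP2:Port1 cannot be bound
    by another server. Returns the (ip, port) pairs that no site asked
    for but that are blocked anyway."""
    ips = {b.ip for b in bindings}
    ports = {b.port for b in bindings}
    requested = {(b.ip, b.port) for b in bindings}
    return sorted(set(product(ips, ports)) - requested)


def audit(bindings, other_listeners=()):
    """Return findings for a planned layout. other_listeners holds
    (name, ip, port) tuples for non-IIS servers sharing the machine."""
    findings = []
    for port, users in sorted(mixed_scheme_ports(bindings).items()):
        detail = ", ".join(
            f"{site} {scheme}://{ip}:{port}" for site, ip, scheme in users
        )
        findings.append(f"port {port} mixes HTTP and HTTPS: {detail}")
    shadowed = set(shadowed_endpoints(bindings))
    for name, ip, port in other_listeners:
        if (ip, port) in shadowed:
            findings.append(
                f"{name} cannot bind {ip}:{port}: held by HTTP.SYS "
                f"although no site is configured there"
            )
    return findings


# Constructed sample: the layout from the first post, with documentation
# addresses 192.0.2.2 / 192.0.2.3 standing in for x.x.x.2 / x.x.x.3.
PLANNED = [
    Binding("site1", "192.0.2.2", 443, "http"),
    Binding("site2", "192.0.2.3", 80, "http"),
    Binding("site2", "192.0.2.3", 443, "https"),
]
# Hypothetical non-IIS server that wants the one endpoint no site uses.
OTHER = [("other-httpd", "192.0.2.2", 80)]

if __name__ == "__main__":
    for finding in audit(PLANNED, OTHER):
        print(finding)
```

Dropping the HTTPS binding from `PLANNED` clears the port 443 finding, which matches the first post's observation that site #1 starts only when no HTTPS site exists on the server.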