
Thread: SSL pages inaccessible from LAN

Last post 04-28-2008 3:59 PM by Laker Netman. 2 replies.


  • 04-28-2008, 2:13 PM

    SSL pages inaccessible from LAN

    Setup: IIS 6.0 on W2K3 server hosting multiple web site domains, each with its own SSL certificate. The server has two NICs; one connected to our LAN, one connected to the DMZ. Our firewall maps the site public addresses to the DMZ private addresses assigned to each domain. The internal NIC has a single IP bound to it in the LAN IP range.

    When we add the LAN IP to the "Multiple SSL identities for this site" section under "Web Site identification | Advanced" for any of the sites, we can get to the SSL pages from the LAN. However, this appears to have the side effect of causing the incorrect SSL certificate to sporadically be selected when people are accessing the secure areas of the public site address. So they get a Certificate Error warning.

    Removing the (single) LAN IP address, assigned to the internal NIC, seems to remedy this, but cuts off access to SSL pages internally.

    What is the solution to this issue? And is my diagnosis of the SSL mis-association correct?

    Thanks in advance,

    Laker
     

  • 04-28-2008, 2:37 PM

    • tomkmvp
    • Top 10 Contributor
    • Joined on 03-20-2003, 6:27 AM
    • Central NJ
    • Posts 6,186
    • IIS MVPs

    Re: SSL pages inaccessible from LAN

  • 04-28-2008, 3:59 PM

    Re: SSL pages inaccessible from LAN

    I followed the instructions in the article and the results were, well, ugly. I added all of the sites' IP addresses as follows:

    httpcfg set iplisten -i 10.x.y.a

    httpcfg set iplisten -i 10.x.y.b

    httpcfg set iplisten -i 10.x.y.c

    and none of the sites would start afterwards!

    The event viewer indicated (for every site): "Cannot register the URL prefix" for http://www.domain.com:80/10.x.y.a for site '1234512345'. Clicking on the link to MS's site for more info yielded the dreaded: "No more information is available for this error message."

    Then I tried adding port 443 explicitly on the sites that have SSL certs, too. As in:

    httpcfg set iplisten -i 10.x.y.a:443

    An httpcfg query iplisten confirmed the entries were present and correct.

    No joy. I had to delete all of the IPs I added and explicitly re-add 0.0.0.0 to get things running again.

    PLEASE NOTE: I have obfuscated all of the info above. On my end I type real IPs where x, y, etc. are referenced above, and the error messages contained ten-digit decimal numbers that I presume are the equivalents to the IP octets (?).

    Other ideas?

    Laker
     
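    The question running through both of Laker's posts is whether each IP:443 binding really presents the certificate it should, and whether the wrong one is picked only sometimes. The following is an added example, not code from the thread or from Microsoft: a small Python probe that opens a TLS handshake to each address without SNI (IIS 6 clients of that era did not send it either), pulls the presented certificate in DER form, extracts the subject CN with a minimal ASN.1 walker, and repeats the handshake several rounds so that a sporadic mis-selection shows up as more than one CN seen for the same binding. The IPs 10.0.0.1/10.0.0.2, the CNs, and the fake certificate built by fake_cert_der() are constructed sample data; the flaky probe in demo() stands in for a server that alternates certificates. Against a real server you would call check_bindings() with the default network probe instead.

```python
import socket
import ssl


def _tlv(buf, pos):
    """Decode one DER TLV at buf[pos]; return (tag, value_start, value_end, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long form: next N bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length, pos + length


def _children(buf, start, end):
    """List the (tag, value_start, value_end) of every TLV inside buf[start:end]."""
    out, pos = [], start
    while pos < end:
        tag, vs, ve, pos = _tlv(buf, pos)
        out.append((tag, vs, ve))
    return out


def subject_cn_from_der(cert):
    """Return the subject CN of a DER X.509 certificate (not the issuer CN)."""
    _, cert_s, cert_e, _ = _tlv(cert, 0)                    # Certificate ::= SEQUENCE
    _, tbs_s, tbs_e = _children(cert, cert_s, cert_e)[0]    # tbsCertificate
    fields = _children(cert, tbs_s, tbs_e)
    if fields[0][0] == 0xA0:                                # optional explicit [0] version
        fields = fields[1:]
    # fields: serialNumber, signature, issuer, validity, subject, ...
    _, subj_s, subj_e = fields[4]
    for _, rdn_s, rdn_e in _children(cert, subj_s, subj_e):             # each RDN is a SET
        for _, atv_s, atv_e in _children(cert, rdn_s, rdn_e):           # AttributeTypeAndValue
            oid, value = _children(cert, atv_s, atv_e)
            if cert[oid[1]:oid[2]] == b"\x55\x04\x03":                   # OID 2.5.4.3 = commonName
                return cert[value[1]:value[2]].decode("utf-8", "replace")
    return None


def fetch_presented_cn(ip, port=443, timeout=5.0):
    """Handshake with ip:port without SNI and report the CN the server chose to present."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False              # we are inspecting, not trusting, the certificate
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((ip, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock) as tls:  # no server_hostname: the server must pick by IP:port
            return subject_cn_from_der(tls.getpeercert(binary_form=True))


def check_bindings(expected, probe=fetch_presented_cn, rounds=3):
    """expected maps (ip, port) -> CN it should present. Returns {(ip, port): (want, [CNs seen])}.

    Several rounds are run so that a binding that only sometimes serves the wrong
    certificate is caught; a handshake error is recorded as a pseudo-CN.
    """
    seen = {key: set() for key in expected}
    for _ in range(rounds):
        for key in sorted(expected):
            try:
                seen[key].add(probe(*key))
            except OSError as exc:
                seen[key].add("ERROR: %s" % exc)
    return {key: (expected[key], sorted(seen[key])) for key in expected}


def mismatches(report):
    """Bindings whose observed CN set is anything other than exactly the expected CN."""
    return sorted((key, want, got) for key, (want, got) in report.items() if got != [want])


def der(tag, body):
    """Minimal DER TLV encoder (lengths below 65536); used only to build the constructed sample."""
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    elif n < 0x100:
        length = b"\x81" + bytes([n])
    else:
        length = b"\x82" + n.to_bytes(2, "big")
    return bytes([tag]) + length + body


def fake_cert_der(issuer_cn, subject_cn):
    """Constructed, unsigned tbsCertificate skeleton: just enough structure for the parser."""
    def name(cn):
        atv = der(0x30, der(0x06, b"\x55\x04\x03") + der(0x0C, cn.encode()))
        return der(0x30, der(0x31, atv))
    tbs = (der(0xA0, der(0x02, b"\x02"))                                   # [0] version v3
           + der(0x02, b"\x01")                                            # serialNumber
           + der(0x30, der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"))   # signature algorithm
           + name(issuer_cn)
           + der(0x30, der(0x17, b"080428000000Z") + der(0x17, b"090428000000Z"))
           + name(subject_cn))
    return der(0x30, der(0x30, tbs))        # signatureAlgorithm/signatureValue omitted: parser never reads them


def demo():
    """Constructed scenario: 10.0.0.2 serves site A's certificate on every second handshake."""
    certs = {("10.0.0.1", 443): fake_cert_der("Example CA", "www.siteA.example"),
             ("10.0.0.2", 443): fake_cert_der("Example CA", "www.siteB.example")}
    calls = {}

    def flaky_probe(ip, port):
        key = (ip, port)
        calls[key] = calls.get(key, 0) + 1
        if ip == "10.0.0.2" and calls[key] % 2 == 0:
            return subject_cn_from_der(certs[("10.0.0.1", 443)])
        return subject_cn_from_der(certs[key])

    expected = {("10.0.0.1", 443): "www.siteA.example", ("10.0.0.2", 443): "www.siteB.example"}
    return mismatches(check_bindings(expected, flaky_probe, rounds=2))


if __name__ == "__main__":
    for key, want, got in demo():
        print("%s:%d expected %s, presented %s" % (key[0], key[1], want, got))
```

    Run against the real server from a LAN host, check_bindings({("10.x.y.a", 443): "www.domain.com", ...}) with the default probe answers the "is my diagnosis correct?" question directly: a binding that lists two CNs is the one http.sys is serving inconsistently. Note the probe deliberately disables verification, so it tells you which certificate was presented, not whether it is trusted; and a 2008-era server may only offer TLS 1.0, which a current Python may refuse to negotiate by default.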

Microsoft Communities