Re-IP All SNI Sites to new IP
Aug 12, 2019 10:03 PM|RBlackburn
For disaster recovery we have secondary IPs for the webserver. In a disaster recovery scenario, we need to change the SNI IP for about 160 sites. I have not found any method for re-binding (or effectively changing) all IPs to a new IP. I see PowerShell options for re-binding to new certificates, but not to a new SNI IP. Anyone know a method?
Re: Re-IP All SNI Sites to new IP
Aug 12, 2019 10:59 PM|Rovastar
Have a look at these docs
https://docs.microsoft.com/en-us/iis/configuration/system.applicationhost/sites/site/bindings/binding
https://blogs.msdn.microsoft.com/timomta/2013/06/22/iis-ssl-how-to-powershell-script-client-cert-required/
https://www.leansentry.com/
Re: Re-IP All SNI Sites to new IP
Aug 13, 2019 01:15 AM|lextm
There is nothing called "SNI IP", as SNI bindings in HTTP API are bound to domain names (host names):
https://docs.jexusmanager.com/tutorials/https-binding.html#sni-based-bindings
Want to have a chat on the issues you meet? Find me at https://booktime.xyz/p/lextm
---------------------------
This posting is provided "AS IS" with no warranties, and confers no rights.
Re: Re-IP All SNI Sites to new IP
Aug 14, 2019 05:38 PM|RBlackburn
Thanks - this pointed me to an option I had not considered that does not involve PowerShell. I need to do testing before I can confirm this will work, but my plan is to:
1. Stop IIS
2. As Admin, go to c:\Windows\System32\inetsrv\config\applicationHost.config
3. Under <sites> <bindings> replace the bindingInformation="xxx.xxx.xxx.128:443:siteURL" with the new disaster recovery IP
4. Save
5. Restart IIS
I am hoping that the restart picks up on the changes in the applicationHost.config and registers the sites using SNI under the new IP address.
I will post success or failure here for anyone looking for this in the future.
Re: Re-IP All SNI Sites to new IP
Aug 15, 2019 05:57 AM|lextm
Why do you need to modify the binding? You can use two bindings (old and new IPs) together.
Re: Re-IP All SNI Sites to new IP
Aug 15, 2019 10:09 PM|RBlackburn
Lex, I'm not sure how one would bind a site to an IP address that no longer belongs to the server. Our disaster recovery network is in a separate location with different IPs for the web server (it has a management IP and an SNI IP - all sites are bound to the SNI IP). The production server, including config files, is replicated and the applicationHost.config has the bindings for each site as the production SNI IP address.
When we switch to the disaster recovery environment, both the management IP and the IP used for SNI are different. We don't want to manually re-bind every site (170+) to the new, disaster recovery, SNI IP. We want to change that IP for all sites at one time. I have found our preferred method for this and will post that as a follow up in case it is useful for someone else searching. It is also the same method one can employ if simply changing a server's IP on a webserver with multiple sites all using the same IP and SNI.
Re: Re-IP All SNI Sites to new IP
Aug 15, 2019 10:33 PM|RBlackburn
As a follow up, I was able to successfully change all sites (170+) using a single SNI IP from one IP to a different IP in a single process. I have not found much online regarding changing an IP used across multiple sites (SNI) without a labor-intensive process in the IIS Management Console. If anyone finds this useful, here goes.
The c:\Windows\System32\inetsrv\config\ApplicationHost.config contains all the sites and bindings in XML form and can be updated with a find/replace, finding the current IP and replacing with the new IP. You should make a copy of this file before making any changes in case you need to roll back. We followed these steps:
1. Open PowerShell as Admin
2. Stop IIS ... C:\>iisreset /stop
3. Open c:\Windows\System32\inetsrv\config\ApplicationHost.config in Notepad or Notepad++
4. Do a find/replace - old IP/new IP, then SAVE.
5. Restart IIS ... C:\>iisreset /start
6. Verify in IIS Management Console that your sites now show bound to the new IP ... xxx.xxx.xxx.xxx:443:siteURL
7. Do a reset of IIS (yes, a second time, not sure why, but was required before sites would work in every test we did) ... C:\>iisreset
When we completed these steps, including a second restart of IIS, all sites were now bound to the new IP and responding.
Last, just as an example, this is the portion of the config XML file being changed in the find/replace:
<sites>
    <site name="siteabc" id="160" serverAutoStart="true">
        <application path="/" applicationPool="siteabc">
            <virtualDirectory path="/" physicalPath="H:\siteabc" />
        </application>
        <bindings>
            <binding protocol="https" bindingInformation="xxx.xxx.xxx.xxx:443:siteabc.somecompany.com" sslFlags="1" />
        </bindings>
    </site>
</sites>
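
The find/replace from the steps above, scripted so that only the IP field of each site's bindingInformation is rewritten and a rollback copy is taken first. This is an added example, not code from the thread; the two IP addresses are constructed placeholders and the script handles IPv4 bindings only.

```powershell
# Added example (not from the thread). Run from an elevated PowerShell prompt.
param(
    [string]$ConfigPath = "$env:windir\System32\inetsrv\config\applicationHost.config",
    [string]$OldIp = '192.0.2.128',      # constructed placeholder: production IP
    [string]$NewIp = '198.51.100.128',   # constructed placeholder: disaster recovery IP
    [switch]$Apply                       # without -Apply, only report what would change
)

$doc = New-Object System.Xml.XmlDocument
$doc.PreserveWhitespace = $true          # keep the file's existing layout on save
$doc.Load($ConfigPath)

$changes = foreach ($b in $doc.SelectNodes('//sites/site/bindings/binding')) {
    # bindingInformation is "IP:port:hostname". Compare the IP field exactly, so a
    # search for 192.0.2.1 never rewrites 192.0.2.12, and nothing outside <bindings>
    # (for example an ipSecurity allow list) is touched.
    $old   = $b.GetAttribute('bindingInformation')
    $parts = $old -split ':', 3
    if ($parts.Count -eq 3 -and $parts[0] -eq $OldIp) {
        $new = @($NewIp, $parts[1], $parts[2]) -join ':'
        $b.SetAttribute('bindingInformation', $new)
        [pscustomobject]@{
            Site = $b.ParentNode.ParentNode.GetAttribute('name')
            Old  = $old
            New  = $new
        }
    }
}

$changes | Format-Table -AutoSize
"{0} binding(s) matched {1}" -f @($changes).Count, $OldIp

if ($Apply -and @($changes).Count -gt 0) {
    # Rollback copy first, as the post advises
    Copy-Item $ConfigPath "$ConfigPath.bak-$(Get-Date -Format yyyyMMddHHmmss)"
    iisreset /stop
    $doc.Save($ConfigPath)
    iisreset /start
    iisreset    # second reset, which the thread reports was needed before sites responded
}
```

Run it once without -Apply to review the list of sites and bindings that would change, then again with -Apply during the failover.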