Re-IP All SNI Sites to new IP

6 replies

Last post Aug 15, 2019 10:33 PM by RBlackburn

  • Re-IP All SNI Sites to new IP

    Aug 12, 2019 10:03 PM | RBlackburn

    For disaster recovery we have secondary IPs for the webserver. In a disaster recovery scenario, we need to change the SNI IP for about 160 sites. I have not found any method for re-binding (or effectively changing) all IPs to a new IP. I see PowerShell options for re-binding to new certificates, but not to a new SNI IP. Anyone know a method?

    Re: Re-IP All SNI Sites to new IP

    Aug 12, 2019 10:59 PM | Rovastar

    You need to set the sslFlags attribute for the SNI setting.

    Have a look at these docs:
    https://docs.microsoft.com/en-us/iis/configuration/system.applicationhost/sites/site/bindings/binding

    https://blogs.msdn.microsoft.com/timomta/2013/06/22/iis-ssl-how-to-powershell-script-client-cert-required/
  • Re: Re-IP All SNI Sites to new IP

    Aug 13, 2019 01:15 AM | lextm

    There is nothing called "SNI IP", as SNI bindings in the HTTP API are bound to domain names (host names).

    https://docs.jexusmanager.com/tutorials/https-binding.html#sni-based-bindings

    Lex Li
    https://lextudio.com
  • Re: Re-IP All SNI Sites to new IP

    Aug 14, 2019 05:38 PM | RBlackburn

    Thanks - this pointed me to an option I had not considered that does not involve PowerShell. I need to do testing before I can confirm this will work, but my plan is to:

    1. Stop IIS

    2. As Admin, go to c:\Windows\System32\inetsrv\config\applicationHost.config

    3. Under <sites> <bindings>, replace the bindingInformation="xxx.xxx.xxx.128:443:siteURL" with the new disaster recovery IP

    4. Save

    5. Restart IIS

    I am hoping that the restart picks up on the changes in the applicationHost.config and registers the sites using SNI under the new IP address.

    I will post success or failure here for anyone looking for this in the future.

  • Re: Re-IP All SNI Sites to new IP

    Aug 15, 2019 05:57 AM | lextm

    Why do you need to modify the binding? You can use two bindings (old and new IPs) together.

    Lex Li
    https://lextudio.com
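    Lex's suggestion of keeping the old and new bindings side by side can be scripted instead of clicked through per site. The following is an added PowerShell example, not code from the thread or from Microsoft: it walks every site, finds https bindings that sit on the production IP and carry the SNI flag (sslFlags bit 1), and adds a second binding for the same host name and port on the DR IP. The function name Add-DrSniBinding and the $ProdIp / $DrIp values are placeholders of my own; it assumes the WebAdministration module and an elevated PowerShell session on the IIS host. Without -Apply it only reports what it would add.

```powershell
# Added example (not from the thread): add a parallel SNI binding on the DR IP
# for every site that currently has an https SNI binding on the production IP.
# Assumes the WebAdministration module (IIS 8 or later for -SslFlags) and an
# elevated session. IPv4 only: the ip:port:host split below does not handle
# bracketed IPv6 literals.
Import-Module WebAdministration

function Add-DrSniBinding {
    param(
        [Parameter(Mandatory)] [string] $ProdIp,   # current SNI IP, e.g. the xxx.xxx.xxx.128 in the thread
        [Parameter(Mandatory)] [string] $DrIp,     # placeholder for the disaster-recovery IP
        [switch] $Apply                             # without -Apply, only report what would change
    )

    foreach ($site in Get-Website) {
        foreach ($b in Get-WebBinding -Name $site.Name -Protocol https) {
            # bindingInformation has the form "ip:port:hostHeader"
            $ip, $port, $hostHeader = $b.bindingInformation -split ':', 3
            $isSni = ([int]$b.sslFlags -band 1) -eq 1

            # Only SNI bindings with a host header on the production IP are of interest;
            # wildcard (*) and plain IP-only bindings are left untouched.
            if ($ip -ne $ProdIp -or -not $isSni -or [string]::IsNullOrEmpty($hostHeader)) {
                continue
            }

            # Idempotent: skip if the DR binding is already present.
            $existing = Get-WebBinding -Name $site.Name -Protocol https `
                -IPAddress $DrIp -Port $port -HostHeader $hostHeader
            if ($existing) {
                Write-Verbose "$($site.Name): DR binding for $hostHeader already exists"
                continue
            }

            if ($Apply) {
                # sslFlags 1 = SNI, so the certificate is looked up by host name, not IP
                New-WebBinding -Name $site.Name -Protocol https -IPAddress $DrIp `
                    -Port $port -HostHeader $hostHeader -SslFlags 1
            }

            [pscustomobject]@{
                Site       = $site.Name
                HostHeader = $hostHeader
                Port       = $port
                DrIp       = $DrIp
                Added      = [bool]$Apply
            }
        }
    }
}

# Usage (placeholder addresses):
#   Add-DrSniBinding -ProdIp '10.0.0.128' -DrIp '10.1.0.128'          # dry run, lists candidates
#   Add-DrSniBinding -ProdIp '10.0.0.128' -DrIp '10.1.0.128' -Apply   # adds the bindings
```

    Because the binding on the DR IP uses the same host name, port and SNI flag as the production one, the same certificate is selected by host name once the server answers on that address; the production binding keeps working until it is removed, so the switch-over needs no second reset and no edit of applicationHost.config.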
  • Re: Re-IP All SNI Sites to new IP

    Aug 15, 2019 10:09 PM | RBlackburn

    Lex, I'm not sure how one would bind a site to an IP address that no longer belongs to the server. Our disaster recovery network is in a separate location with different IPs for the web server (it has a management IP and an SNI IP - all sites are bound to the SNI IP). The production server, including config files, is replicated, and the applicationHost.config has the bindings for each site as the production SNI IP address.

    When we switch to the disaster recovery environment, both the management IP and the IP used for SNI are different. We don't want to manually re-bind every site (170+) to the new, disaster recovery, SNI IP. We want to change that IP for all sites at one time. I have found our preferred method for this and will post that as a follow up in case it is useful for someone else searching. It is also the same method one can employ if simply changing a server's IP on a webserver with multiple sites all using the same IP and SNI.

  • Re: Re-IP All SNI Sites to new IP

    Aug 15, 2019 10:33 PM | RBlackburn

    As a follow up, I was able to successfully change all sites (170+) using a single SNI IP from one IP to a different IP in a single process. I have not found much online regarding changing an IP used across multiple sites (SNI) without a labor-intensive process in the IIS Management Console. If anyone finds this useful, here goes.

    The c:\Windows\System32\inetsrv\config\ApplicationHost.config contains all the sites and bindings in XML form and can be updated with a find/replace, finding the current IP and replacing it with the new IP. You should make a copy of this file before making any changes in case you need to roll back. We followed these steps:

    1.  Open PowerShell as Admin

    2.  Stop IIS ...  C:\>iisreset /stop

    3.  Open c:\Windows\System32\inetsrv\config\ApplicationHost.config in Notepad or Notepad++

    4.  Do a find/replace - old IP/new IP, then SAVE.

    5.  Restart IIS ... C:\>iisreset /start

    6.  Verify in IIS Management Console that your sites now show bound to the new IP ... xxx.xxx.xxx.xxx:443:siteURL

    7.  Do a reset of IIS (yes, a second time; not sure why, but it was required before sites would work in every test we did) ... C:\>iisreset

    When we completed these steps, including a second restart of IIS, all sites were now bound to the new IP and responding.

    Last, just as an example, this is the portion of the config XML file being changed in the find/replace:

    <sites>
      <site name="siteabc" id="160" serverAutoStart="true">
        <application path="/" applicationPool="siteabc">
          <virtualDirectory path="/" physicalPath="H:\siteabc" />
        </application>
        <bindings>
          <binding protocol="https" bindingInformation="xxx.xxx.xxx.xxx:443:siteabc.somecompany.com" sslFlags="1" />
        </bindings>
      </site>
    </sites>
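    The steps above rely on an editor find/replace over the whole file, which also rewrites the old IP anywhere else it appears in applicationHost.config (for example in an IP restriction list or a UNC physicalPath), and the backup is a manual step. The following is an added PowerShell example, not code from the thread: it makes a timestamped backup, loads the file as XML with whitespace preserved, changes only the IP portion of bindingInformation on <binding> elements whose IP equals the old one, and writes the result to a separate output path for review before it is copied into place and iisreset is run. The function name Update-BindingIp, the -OutPath parameter and the sample addresses are my own placeholders; the config path is the one from the thread.

```powershell
# Added example (not from the thread): re-IP site bindings in applicationHost.config
# by editing the XML rather than a blind text find/replace. Run as Administrator
# with IIS stopped (iisreset /stop), as in the thread's procedure.
function Update-BindingIp {
    param(
        [string] $ConfigPath = 'C:\Windows\System32\inetsrv\config\applicationHost.config',
        [Parameter(Mandatory)] [string] $OldIp,    # current SNI IP
        [Parameter(Mandatory)] [string] $NewIp,    # disaster-recovery SNI IP
        [Parameter(Mandatory)] [string] $OutPath   # review this file, then copy it over $ConfigPath
    )

    # Refuse obviously bad input before touching anything.
    foreach ($ip in $OldIp, $NewIp) {
        if (-not [System.Net.IPAddress]::TryParse($ip, [ref]$null)) {
            throw "Not a valid IP address: $ip"
        }
    }

    # 1. Timestamped backup so the change can be rolled back.
    $backup = "$ConfigPath.$(Get-Date -Format yyyyMMddHHmmss).bak"
    Copy-Item -LiteralPath $ConfigPath -Destination $backup

    # 2. Load as XML, preserving whitespace so the saved file diffs cleanly.
    $cfg = New-Object System.Xml.XmlDocument
    $cfg.PreserveWhitespace = $true
    $cfg.Load($ConfigPath)

    # 3. Touch only <binding> elements under <sites>, and only the IP part of
    #    "ip:port:hostHeader". Port, host header, protocol and sslFlags stay as they are.
    $xpath = '/configuration/system.applicationHost/sites/site/bindings/binding'
    $changed = @()
    foreach ($b in $cfg.SelectNodes($xpath)) {
        $ip, $rest = $b.bindingInformation -split ':', 2
        if ($ip -eq $OldIp) {
            $b.bindingInformation = "${NewIp}:$rest"
            $changed += [pscustomobject]@{
                Site    = $b.ParentNode.ParentNode.name
                Binding = $b.bindingInformation
                SslFlags = $b.sslFlags
            }
        }
    }

    # 4. Write to the review path; nothing live has been modified yet.
    $cfg.Save($OutPath)

    [pscustomobject]@{
        Changed = $changed.Count
        Backup  = $backup
        Output  = $OutPath
        Details = $changed
    }
}

# Usage (placeholder addresses):
#   $r = Update-BindingIp -OldIp '10.0.0.128' -NewIp '10.1.0.128' -OutPath 'C:\temp\applicationHost.new.config'
#   $r.Details | Format-Table
#   # after review: Copy-Item $r.Output $ConfigPath; iisreset /start
```

    Checking $r.Details against the expected site count (170+ in the thread) before copying the file into place catches a typo in the old IP, which with an editor find/replace would silently match nothing, and the backup path in $r.Backup is the rollback.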