Configuring IIS Bindings to include host headers with https on Windows Server 2008 (for SharePoint)

NOTE: We use a wildcard SSL certificate which makes our life much easier when dealing with multiple hostnames. I have not tested this approach with multiple SSL certificates for specific sites.

We’ve been reconfiguring our SharePoint 2007 farm over the past couple of days and it’s now hosted on Windows Server 2008 and using NLB (network load balancing). The load balancer has been configured with a single public IP address and all our previous DNS CNAME registrations have been replaced with hostname A registrations pointing at the address. With our previous configuration we had multiple IP addresses on the server, one for each web application. Each IIS web site was then configured with a host header and IP address to allow for secure traffic over HTTPS.

With our new configuration, I didn’t want to specify an IP address on the web site. Handily, IIS 7 makes that scenario possible (and even relatively straightforward). The only snag is that you can’t configure the necessary bindings through the IIS Manager GUI. You can do it through an XML config file, however:

  1. Look in c:\windows\system32\inetsrv\config and edit the applicationHost.config file. Make sure you take a backup first!
  2. Find the <sites> section in the file. In there you will find a <site> element for each IIS web site. Each of those has a <bindings> element with each port/protocol binding listed. Our main site looked like this:
    <bindings>
    <binding protocol="https" bindingInformation="*:443:" />
    </bindings>

    and we changed it to look like this:
    <bindings>
    <binding protocol="https" bindingInformation="*:443:myhost.mydomain.com" />
    </bindings>
  3. Repeat for each web application. If you have more than one web application on the same IP address using either http or https you need to configure a host header or you’ll have problems.
  4. Execute an iisreset.
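
The steps above as a script, added here as an example and not part of the original post: it backs up the file, fills in the host header on https bindings that lack one, and lists any bindings still shared by more than one site (the problem step 3 warns about). The sample config, the site names and the function name Set-HttpsHostHeader are constructed for illustration; on a server you would point it at applicationHost.config and run iisreset afterwards.

```powershell
# Constructed sample standing in for applicationHost.config (site names are placeholders).
$sample = @'
<configuration><system.applicationHost><sites>
  <site name="Portal" id="1"><bindings>
    <binding protocol="https" bindingInformation="*:443:" />
  </bindings></site>
  <site name="MySites" id="2"><bindings>
    <binding protocol="https" bindingInformation="*:443:" />
  </bindings></site>
  <site name="CentralAdmin" id="3"><bindings>
    <binding protocol="https" bindingInformation="*:443:" />
  </bindings></site>
</sites></system.applicationHost></configuration>
'@

function Set-HttpsHostHeader {
    param([string]$ConfigPath, [hashtable]$HostBySite)
    Copy-Item $ConfigPath "$ConfigPath.bak" -Force   # step 1: back up before editing
    $xml = New-Object System.Xml.XmlDocument
    $xml.PreserveWhitespace = $true
    $xml.Load($ConfigPath)
    foreach ($site in $xml.SelectNodes('//sites/site')) {
        $name = $site.GetAttribute('name')
        foreach ($b in $site.SelectNodes("bindings/binding[@protocol='https']")) {
            # bindingInformation is ip:port:hostheader; the greedy first group keeps IPv6 literals intact
            if ($b.GetAttribute('bindingInformation') -match '^(.*):(\d+):(.*)$') {
                if ($Matches[3] -eq '' -and $HostBySite.ContainsKey($name)) {
                    $b.SetAttribute('bindingInformation', "$($Matches[1]):$($Matches[2]):$($HostBySite[$name])")
                }
            }
        }
    }
    $xml.Save($ConfigPath)
    # Step 3 check: a protocol + bindingInformation pair used by more than one site will conflict
    $xml.SelectNodes('//sites/site/bindings/binding') |
        Group-Object { $_.GetAttribute('protocol') + ' ' + $_.GetAttribute('bindingInformation') } |
        Where-Object { $_.Count -gt 1 } |
        ForEach-Object { $_.Name }
}

# Demo on a temp copy: only Portal is given a host header, so the other two sites still collide.
$path = [System.IO.Path]::GetTempFileName()
Set-Content -Path $path -Value $sample -Encoding UTF8
$conflicts = Set-HttpsHostHeader $path @{ Portal = 'myhost.mydomain.com' }
Get-Content $path
"Still conflicting: $conflicts"
```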

We now have all our content web applications, the SSP and the central administration web sites all running on a single IP address, many on the same port and using SSL.

As I said at the start of this post, we use a wildcard certificate which makes my initial IIS configuration easier. I haven’t tried multiple certificates, and I’m interested to know if that works or not.

6 Replies to “Configuring IIS Bindings to include host headers with https on Windows Server 2008 (for SharePoint)”

  1. I have a WFE server name “myWFEserver”    ip address is 127.16.37.44  (not real ip num)

    It is intranet.  Currently, when I type  mywfeserver/default.aspx   in the url,  I can access the MOSS web site home page.   2000 is the port.  

    So, I have set up DNS point to 127.16.37.44 as “teamwork” and would like if someone type http://teamwork.my.com will access to the MOSS web site home page.

    My Application server ip address is 127.16.37.45

    and then now when I type http://teamwork , it brings up    inetpub/wwwroot/iisstart.htm.   It is not the MOSS home page as I plan to.

    I am confused with the Alternative Access Mapping and do not know what step that I should take in order to accomplish this.  

    Do you think if I change applicationHost.config file as you described, I can accomplish what I need and no need to change AAM ?

    Thanks for your help

  2. CFW, you’ve encountered a situation I see a great deal. You are seeing two issues: Firstly, IIS is not actually listening on port 80 for your SharePoint content web application. Pointing your DNS at the correct IP address is great, but you still need to specify the port in the url (e.g. http://teamwork.my.com:2000/). Altering the bindings on the SharePoint web site actually won’t help much, because your problem is that you are talking to the default web site on port 80 and it knows nothing about the SharePoint web site. Secondly, SharePoint doesn’t know that the teamwork url is one that is used for that site. You need to add a new AAM to the teamwork web application for an additional zone (I’d use intranet, given that’s what you use it for) with the url http://teamwork.my.com and you may also want to add http://teamwork while you’re at it. You’ll still need to specify a port in the url, though. You could work around that by switching off the default web site and creating a redirect site on port 80 that sends traffic to the port 2000 url. Your query motivated me to write this situation up in more detail. Expect a more detailed blog post in the next few days to cover in more detail what I would do in this situation.

  3. Rik

    I tried to specify the port in the url teamwork.my.com/default.aspx ,   I got the error page and no success at all.  I am looking forward to seeing in more detail that you are going to cover.  I have been searching around.  There are a lot of suggestions, but so far mine is not working…  Thanks in advance.  

    With the redirect from port 80, I got it to work, but it exposed the old url on the address line.  Is there any way to convert?  ( I did not touch AAM at all)

    the following is the verbiage on the error page:

    Go back to site  

    Error  

    An unexpected error has occurred.

    Web Parts Maintenance Page: If you have permission, you can use this page to temporarily close Web Parts or remove personal settings. For more information, contact your site administrator.

    Troubleshoot issues with Windows SharePoint Services.

  4. CRW, what you see is what I’d expect. Because you don’t have an alternate access mapping for the teamwork URL, SharePoint responds to all requests with a page on the original url. What you now need to do is add AAMs to your web application for http://teamwork.my.com and http://teamwork and hopefully you’ll find it all works. Note that you may need to specify the port on the AAM, although you may get away without.

  5. Sorry, I didn’t address the error, did I? That looks like it is unrelated to the access/url issues. You managed to get to the double-secret maintenance page where you can delete web parts that are causing the page itself to fail. It’s a handy tool to know about and you can access it by adding contents=1 to a url (e.g. http://teamwork/default.aspx?contents=1). If you have a web part which is killing the page render you can forcibly delete it from here.

  6. Sorry I wasn’t clear with my question:

    When I type http://teamwork.my.com:2000/default.aspx

    I got the error page.  It looks like some web part issues.

    However if I just type http://teamwork  it works and redirect to my old url myservername/default.aspx.

    I type http://teamwork:2000/default.aspx?contents=1

    here is the error message

    Go back to site  

    Error  

    Unknown Error

    Troubleshoot issues with Windows SharePoint Services.
