Forum Discussion
VS config with multiple IIS sites
Hi,
I have 2 sites on an IIS server.
1 - Listening on port 443 abc.xyz.com Server1 - working
1 - Listening on port 80 abc12.xyz.com Server1 -new
I have a VS statement that listens on 80 and redirects to 443. The 443 VS has a default pool/with Auth with Server1 in it. Everything works fine with abc.xyz.com. Now I am trying to have abc12.xyz.com go to the same server but use port 80 instead. The IIS site is configured with host name abc12.xyz.com:80.
If a user tries to access abc.xyz.com on port 80 – redirect to 443 then go to Server1 port 443. -Working
If a user tries to access abc12.xyz.com on port 80 – redirect to 443 then go to Server1 port 80. – How do I get this to work?
Can I do this with an iRule, or should I just add another IP to the IIS site and create a separate VS and pool with that IP? What is the best way to handle this?
Thanks
- Kevin_Stewart (Employee)
Separate VIPs and pools are certainly one way, but this is what it might look like otherwise:
- Port 80 VIP and simple iRule to redirect all requests to port 443 VIP.
- Port 443 VIP (same IP address), a client and server SSL profile, 2 pools, and an iRule:

    when HTTP_REQUEST {
        switch [string tolower [HTTP::host]] {
            "abc.xyz.com" {
                pool abc_pool
            }
            "abc12.xyz.com" {
                pool abc12_pool
                SSL::disable serverside
            }
        }
    }

The abc_pool would contain your port 443 servers and the enabled serverssl profile would appropriately re-encrypt to these servers. The abc12_pool would contain your port 80 servers and the iRule would disable the serverssl profile.
- MiLK_MaN (Nimbostratus)
Why don't you just have abc.xyz.com and abc12.xyz.com DNS addresses resolve to different IP addresses so they hit separate VS on the BIG-IP, therefore allowing you to do the different things you're looking for.
Either that, or you need to have an iRule that selects a different pool and also disables serverside SSL. Something like:
    when HTTP_REQUEST {
        if { [HTTP::host] eq "abc12.xyz.com" } {
            # The pool name is missing in the post as captured; substitute your port 80 pool.
            pool <port_80_pool>
            SSL::disable serverside
        }
    }
But separating to two separate VS is the easiest thing to do, unless you have a certificate that has the multiple hostnames in it (SAN or wildcard).
- Arie (Altostratus)
In addition to wildcard and SAN certs you could use SNI. However, separate VIPs would be the easiest to configure/troubleshoot/maintain in my opinion.
Disabling SSL serverside will expose your traffic in the DMZ - this may constitute a security policy violation.
By the way, is there a specific reason the IIS instances are bound to specific hostnames?
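
The following is an added example, not code from any post in this thread: a variant of the host-based iRule for the port 443 virtual server that normalizes the Host header, rejects hostnames it does not recognize, and logs each request sent over the unencrypted server-side leg. The pool names `abc_pool` and `abc12_pool` come from the reply above; the log facility and message text are assumptions.

```tcl
# Attach to the port 443 virtual server (client SSL and server SSL profiles assigned).
# Pool names abc_pool / abc12_pool are the ones used earlier in the thread.
when HTTP_REQUEST {
    # The Host header may carry a port ("abc12.xyz.com:443"); compare the name only.
    set host [string tolower [getfield [HTTP::host] ":" 1]]

    switch -- $host {
        "abc.xyz.com" {
            # Port 443 members: the server SSL profile stays on and re-encrypts.
            pool abc_pool
        }
        "abc12.xyz.com" {
            # Port 80 members: this leg is cleartext, so record that it was used.
            SSL::disable serverside
            pool abc12_pool
            log local0.info "cleartext serverside for $host from [IP::client_addr]"
        }
        default {
            # Unknown or missing Host: do not fall through to the VS default pool.
            log local0.warn "rejected Host '[HTTP::host]' from [IP::client_addr]"
            reject
        }
    }
}
```

The per-request log line is there to make the cleartext path visible during rollout; on a busy site, sample it or remove it once the behavior is confirmed.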