Forum Discussion

user_03
Sep 10, 2014

VS config with multiple IIS sites

Hi,

I have 2 sites on an IIS server.

1 - Listening on port 443 abc.xyz.com Server1 - working

1 - Listening on port 80 abc12.xyz.com Server1 - new

I have a VS statement that listens on 80 and redirects to 443. The 443 VS has a default pool/with Auth with Server1 in it. Everything works fine with abc.xyz.com. Now I am trying to have abc12.xyz.com go to the same server but use port 80 instead. The IIS site is configured with host name abc12.xyz.com:80.

If a user tries to access abc.xyz.com on port 80 – redirect to 443 then go to Server1 port 443. – Working

If a user tries to access abc12.xyz.com on port 80 – redirect to 443 then go to Server1 port 80. – How do I get this to work?

Can I do this with an iRule or should I just add another IP to the IIS site and create a separate VS and pool with that IP? What is the best way to handle this?

Thanks

  • Separate VIPs and pools are certainly one way, but this is what it might look like otherwise:

    1. Port 80 VIP and simple iRule to redirect all requests to port 443 VIP.

    2. Port 443 VIP (same IP address), a client and server SSL profile, 2 pools, and an iRule:

      when HTTP_REQUEST {
          switch [string tolower [HTTP::host]] {
              "abc.xyz.com" {
                  pool abc_pool
              }
              "abc12.xyz.com" {
                  pool abc12_pool
                  SSL::disable serverside
              }
          }
      }
      

    The abc_pool would contain your port 443 servers and the enabled serverssl profile would appropriately re-encrypt to these servers. The abc12_pool would contain your port 80 servers and the iRule would disable the serverssl profile.

  • Why don't you just have abc.xyz.com and abc12.xyz.com DNS addresses resolve to different IP addresses so they hit separate VS on the BIG-IP, therefore allowing you to do the different things you're looking for?

    Either that, or you need to have an iRule that selects a different pool and also disables serverside SSL. Something like:

      when HTTP_REQUEST {
          if { [HTTP::host] eq "abc12.xyz.com" } {
              # The pool name is missing from the original post; <pool_name> is a placeholder.
              pool <pool_name>
              SSL::disable serverside
          }
      }

    But separating to two separate VS is the easiest thing to do, unless you have a certificate that has the multiple hostnames in it (SAN or wildcard).

  • Arie

    In addition to wildcard and SAN certs you could use SNI. However, separate VIPs would be the easiest to configure/troubleshoot/maintain in my opinion.

    Disabling SSL serverside will expose your traffic in the DMZ - this may constitute a security policy violation.

    By the way, is there a specific reason the IIS instances are bound to specific hostnames?
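
The hostname-based selection discussed in this thread, written out as an added example that was not posted by any participant: it strips an optional port from the Host header, re-enables server-side SSL for the HTTPS site, and rejects hosts that match neither site instead of letting them fall through to the default pool. The pool names come from the first reply; the default branch, the log line and the port 80 redirect rule are assumptions.

```tcl
# --- iRule for the port 80 virtual server (added example) ---
when HTTP_REQUEST {
    # Drop any ":80" suffix so the redirect targets the default HTTPS port.
    HTTP::redirect "https://[getfield [HTTP::host] ":" 1][HTTP::uri]"
}

# --- iRule for the port 443 virtual server (added example) ---
# Assumes client SSL and server SSL profiles are attached to this virtual server.
when HTTP_REQUEST {
    # The Host header may arrive as "name:443"; keep only the lowercased name.
    set host [string tolower [getfield [HTTP::host] ":" 1]]

    switch -- $host {
        "abc.xyz.com" {
            # Port 443 members: re-encrypt with the server SSL profile.
            # Re-enable it in case an earlier request on this client
            # connection selected the cleartext branch.
            SSL::enable serverside
            pool abc_pool
        }
        "abc12.xyz.com" {
            # Port 80 members: traffic leaves the BIG-IP unencrypted, so this
            # branch is the one to review against the DMZ security policy.
            SSL::disable serverside
            pool abc12_pool
        }
        default {
            # Unknown or missing Host header: log it and drop the connection
            # rather than sending it to whatever default pool is configured.
            log local0.warning "Unexpected Host header from [IP::client_addr]"
            reject
        }
    }
}
```

The two `when HTTP_REQUEST` blocks belong to two separate iRules, one per virtual server.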