We seem to have run into a problem with our SSL scheme.

We have multiple web sites (www.site1.com, www.site2.com, www.site3.com) and
need to run SSL pages on each site (for credit card purposes).

The problem is you can't set up multiple sites in IIS with the same SSL
port, it seems.

What we did was create a port for each site (https://www.site1.com:4433,
https://www.site2.com:4434, https://www.site3.com:4435 ) and this seemed to
work.

We just found out that if you have an ISA Proxy server, you will get a 502
error.

We are having connection issues using secure connection if we hit a site
with an ISA Proxy server. Not sure if other proxies would have this problem.
I had a friend at Microsoft try to access our secure pages and he got a 502
error. I had another friend try it and he got the same error. Both had an
ISA Proxy server. When my other friend went around the Proxy server, it
worked fine.

I got the following from googling:

***************************************************************************************************************************

"Error 502 returned by a HTTP proxy (Proxy Error (The specified Secure
Sockets Layer (SSL) port is not allowed. ISA Server is not configured to
allow SSL requests from this port. Most Web browsers use port 443 for SSL
requests.))."

This is caused by the default behavior of Microsoft ISA server, which only
allows requests to ports 443 and 563 using its HTTP Connect method. (Primary
use of HTTP Connect is to allow SSL connections to HTTPS servers).

The Microsoft Knowledge Base article Q283284 addresses this issue.

To access FTP sites through ISA server's HTTP proxy, access to all ports
must be allowed. FTP's control connection port is 21 by default, but data
connections can use virtually any port, because it is assigned by the FTP
server. (Although allowing port 21 and ports >1024 should be enough, there
might be exceptions.)

To allow connections to all ports through the HTTP proxy, following VB
script must be run on the ISA server:

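' Connect to the ISA Server administration COM object
set isa=CreateObject("FPC.Root")
' Policy of the array that contains this server
set arraypolicy=isa.Arrays.GetContainingArray.ArrayPolicy
' Port ranges the Web proxy accepts for tunnelled (CONNECT) requests
set tprange=arraypolicy.WebProxy.TunnelPortRanges
' Add a range named "FTP" covering ports 1 through 65535
set tmp=tprange.AddRange("FTP", 1, 65535)
' Write the change to the ISA configuration
tprange.Save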

***************************************************************************************************************************

We are also using SiteUpTime.com to test our pages, periodically. Everything
was fine until Sunday. Since then it can't see the pages. I assume something
changed on their end but can't be sure until we hear back from them.

The problem is we need to solve the issue if this is going to be a problem with
some of our clients or potential clients.

The only other way we can see to solve this problem would be to put a
different server in for each web site. This would be pretty expensive and
we would like to get around that if possible.

I don't think we can ask our potential clients to change their Proxy Servers
to allow our pages in.

Any other ways around this?

Thanks,

Tom
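
Added example, not part of the original post and not ISA Server code: a small Python model of the CONNECT port check described in the quoted explanation, run against the three site URLs from the post. The default ports 443 and 563, the 502 status and the "FTP" range come from the post; the other range names and the narrower 4433-4435 range are assumptions made for illustration.

```python
# Added illustration, not ISA Server code: a model of a forward proxy that only
# tunnels CONNECT requests to allow-listed destination ports.
from urllib.parse import urlsplit

# Default allow-list from the quoted explanation (ports 443 and 563).
# The range names "SSL" and "NNTPS" are labels made up for this example.
DEFAULT_RANGES = [("SSL", 443, 443), ("NNTPS", 563, 563)]
# The quoted script adds one range named "FTP" that covers every port.
WIDENED_RANGES = DEFAULT_RANGES + [("FTP", 1, 65535)]
# Hypothetical narrower alternative: only the three site ports from the post.
NARROW_RANGES = DEFAULT_RANGES + [("SitePorts", 4433, 4435)]

# The per-site URLs given in the post.
SITE_URLS = [
    "https://www.site1.com:4433",
    "https://www.site2.com:4434",
    "https://www.site3.com:4435",
]


def connect_request(url):
    """Return (request_line, port) a browser sends to a proxy for an https URL."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        raise ValueError("only https URLs are tunnelled with CONNECT")
    port = parts.port or 443  # no explicit port means the https default
    return f"CONNECT {parts.hostname}:{port} HTTP/1.1", port


def proxy_decision(url, ranges=DEFAULT_RANGES):
    """Return (request_line, status, matched_range_name) for one URL."""
    request_line, port = connect_request(url)
    for name, low, high in ranges:
        if low <= port <= high:
            return request_line, 200, name
    # No range matched: the proxy refuses the tunnel, as in the quoted 502 text.
    return request_line, 502, None


def blocked_sites(urls, ranges=DEFAULT_RANGES):
    """URLs whose CONNECT request the proxy would refuse."""
    return [u for u in urls if proxy_decision(u, ranges)[1] == 502]


def allowed_port_count(ranges):
    """Number of distinct destination ports a range list lets clients tunnel to."""
    ports = set()
    for _name, low, high in ranges:
        ports.update(range(low, high + 1))
    return len(ports)


if __name__ == "__main__":
    for label, ranges in [("default", DEFAULT_RANGES),
                          ("widened", WIDENED_RANGES),
                          ("narrow", NARROW_RANGES)]:
        print(label, "ports allowed:", allowed_port_count(ranges),
              "blocked:", blocked_sites(SITE_URLS, ranges))
    # The same site served on the standard port passes the default policy.
    print(proxy_decision("https://www.site1.com/"))
```
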

Re: SSL problems by Consultant

Consultant
Mon Jun 26 16:05:20 CDT 2006

http://www.microsoft.com/technet/prodtechnol/WindowsServer2003/Library/IIS/596b9108-b1a7-494d-885d-f8941b07554c.mspx?mfr=true





Re: SSL problems by tshad

tshad
Mon Jun 26 17:23:50 CDT 2006

We looked at Host Headers and Wildcards before, but if I am correct,
Wildcards use the same site name (site1.com, abc.site1.com, xyz.site1.com).

My problem is that the sites are completely different (abc.com, def.com,
xyz.com).


Thanks,

Tom

"Consultant" <consultant_mcngp@yahoo.com> wrote in message
news:%23lkA9QWmGHA.1488@TK2MSFTNGP02.phx.gbl...
> http://www.microsoft.com/technet/prodtechnol/WindowsServer2003/Library/IIS/596b9108-b1a7-494d-885d-f8941b07554c.mspx?mfr=true



Re: SSL problems by Daniel

Daniel
Tue Jun 27 03:16:05 CDT 2006

tshad wrote on Mon, 26 Jun 2006 12:39:38 -0700:

> We seem to have run into a problem with our SSL scheme.
>
> We have multiple web sites (www.site1.com, www.site2.com, www.site3.com)
> and need to run SSL pages on each site (for credit card purposes).
>
> The problem is you can't set up multiple sites in IIS with the same SSL
> port, it seems.

You can, if each site is on its own IP address. I've got IIS6 running here
with 3 sites on 3 IPs with an SSL certificate on each, running http on port
80 and https on port 443 for each of them.

Dan



Re: SSL problems by Consultant

Consultant
Tue Jun 27 09:27:00 CDT 2006

have you heard of sub-alt-naming?

Subject Alternative Naming is an X.509 extension on a certificate. It
allows a certificate to host multiple common names. These domain names DO
NOT have to be from the same domain. But, have to be owned and on the
account; i.e. yahoo can issue www.yahoo.com, support.yahoo.com,
www.myyahoo.com, support.myyahoo.com, etc.



It works like WildCard in the sense of one certificate hosting multiple
domain names.


"tshad" <tscheiderich@ftsolutions.com> wrote in message
news:Of6H08WmGHA.4696@TK2MSFTNGP05.phx.gbl...
> We looked at Host Headers and Wildcards before, but if I am correct,
> Wildcards use the same site name (site1.com, abc.site1.com,
> xyz.site1.com).
>
> My problem is that the sites are completely different (abc.com, def.com,
> xyz.com).
>
>
> Thanks,
>
> Tom
>
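
Added example, not part of the original posts: a Python check of which site names a certificate's DNS names cover, comparing a wildcard name with a Subject Alternative Name list for the example domains used earlier in the thread. It assumes the common matching rule that a wildcard stands for exactly one left-most label; the function names are made up for this example.

```python
# Added illustration: which hostnames does a certificate's list of DNS names
# cover? Assumes single-label wildcard matching (a "*" replaces exactly one
# left-most label), which is how browsers commonly treat wildcard names.

def _labels(name):
    """Lower-case a DNS name, drop a trailing dot, split into labels."""
    return name.lower().rstrip(".").split(".")


def name_matches(cert_name, hostname):
    """True if one certificate DNS name covers the requested hostname."""
    cert, host = _labels(cert_name), _labels(hostname)
    if len(cert) != len(host):
        return False  # a wildcard never spans several labels or zero labels
    if cert[0] == "*":
        # Require at least "*.domain.tld" so "*.com" is never accepted.
        return len(cert) >= 3 and cert[1:] == host[1:]
    return cert == host


def uncovered(hostnames, cert_dns_names):
    """Hostnames that none of the certificate's DNS names cover."""
    return [h for h in hostnames
            if not any(name_matches(c, h) for c in cert_dns_names)]


# Example names taken from the thread.
SAME_DOMAIN_SITES = ["site1.com", "abc.site1.com", "xyz.site1.com"]
DIFFERENT_DOMAIN_SITES = ["abc.com", "def.com", "xyz.com"]

WILDCARD_CERT = ["*.site1.com"]             # one wildcard name
SAN_CERT = ["abc.com", "def.com", "xyz.com"]  # one certificate, three SAN entries


def coverage_report():
    """Map each (certificate, site list) pairing to the names left uncovered."""
    return {
        "wildcard/same-domain": uncovered(SAME_DOMAIN_SITES, WILDCARD_CERT),
        "wildcard/different-domains": uncovered(DIFFERENT_DOMAIN_SITES, WILDCARD_CERT),
        "san/different-domains": uncovered(DIFFERENT_DOMAIN_SITES, SAN_CERT),
        # A SAN entry is exact: "abc.com" does not also cover "www.abc.com".
        "san/www-variant": uncovered(["www.abc.com"], SAN_CERT),
    }


if __name__ == "__main__":
    for case, missing in coverage_report().items():
        print(case, "->", missing or "all covered")
```
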



Re: SSL problems by tshad

tshad
Tue Jun 27 11:40:31 CDT 2006

But wouldn't you need multiple Nic Cards for this?

Also, we have a firewall that we come in on, with one IP for each server.
How would we deal with that?

I assume that the IPs have to be public IP addresses.

Thanks,

Tom

"Daniel Crichton" <msnews@worldofspack.com> wrote in message
news:uYhMxHcmGHA.4212@TK2MSFTNGP03.phx.gbl...
> tshad wrote on Mon, 26 Jun 2006 12:39:38 -0700:
>
>> We seem to have run into a problem with our SSL scheme.
>>
>> We have multiple web sites (www.site1.com, www.site2.com, www.site3.com)
>> and need to run SSL pages on each site (for credit card purposes).
>>
>> The problem is you can't set up multiple sites in IIS with the same SSL
>> port, it seems.
>
> You can, if each site is on its own IP address. I've got IIS6 running
> here with 3 sites on 3 IPs with an SSL certificate on each, running http
> on port 80 and https on port 443 for each of them.
>
> Dan
>



Re: SSL problems by tshad

tshad
Tue Jun 27 11:38:28 CDT 2006

Hadn't heard of that.

Our domains are:

www.staffworkshop.com, www.refworkshop.com, benworkshop.com - would that
qualify?

Thanks,

Tom
"Consultant" <consultant_mcngp@yahoo.com> wrote in message
news:eXt1BXfmGHA.492@TK2MSFTNGP05.phx.gbl...
> have you heard of sub-alt-naming?
>
> Subject Alternative Naming is an X.509 extension on a certificate. It
> allows a certificate to host multiple common names. These domain names DO
> NOT have to be from the same domain. But, have to be owned and on the
> account; i.e. yahoo can issue www.yahoo.com, support.yahoo.com,
> www.myyahoo.com, support.myyahoo.com, etc.
>
>
>
> It works like WildCard in the sense of one certificate hosting multiple
> domain names.



Re: SSL problems by Consultant

Consultant
Tue Jun 27 12:08:17 CDT 2006

should

"tshad" <tscheiderich@ftsolutions.com> wrote in message
news:uLrMgggmGHA.4064@TK2MSFTNGP02.phx.gbl...
> Hadn't heard of that.
>
> Our domains are:
>
> www.staffworkshop.com, www.refworkshop.com, benworkshop.com - would that
> qualify?
>
> Thanks,
>
> Tom



Re: SSL problems by Consultant

Consultant
Tue Jun 27 12:09:04 CDT 2006

no multiple nics needed, you can bind many ip's to a single nic in the
advanced tcp/ip properties, then assign each to different sites within iis


"tshad" <tscheiderich@ftsolutions.com> wrote in message
news:uZqPphgmGHA.508@TK2MSFTNGP03.phx.gbl...
> But wouldn't you need multiple Nic Cards for this?
>
> Also, we have a firewall that we come in on, with one IP for each server.
> How would we deal with that?
>
> I assume that the IPs have to be public IP addresses.
>
> Thanks,
>
> Tom



Re: SSL problems by tshad

tshad
Tue Jun 27 13:11:22 CDT 2006

But then how do you tell IIS6.0 to use a particular address for a particular
Domain?

Would that be in the Host Header area?

Also, If I am Nating coming in at say 67.x.x.5, 67.x.x.6, 67.x.x.7 and the
Nat addresses are 10.0.0.10, 10.0.0.11, 10.0.0.12, will this work? The host
header area only shows the local addresses. How would you set up the
Certificate? Would you use the public addresses (67.x.x.5, etc) or the
private addresses (10.0.0.10,etc)?

Thanks,

Tom

"Consultant" <consultant_mcngp@yahoo.com> wrote in message
news:epEtlxgmGHA.508@TK2MSFTNGP03.phx.gbl...
> no multiple nics needed, you can bind many ip's to a single nic in the
> advanced tcp/ip properties, then assign each to different sites within iis



Re: SSL problems by Consultant

Consultant
Tue Jun 27 13:44:49 CDT 2006

add host header to site and assign it the appropriate ip address from the
drop down in the iis snapin

"tshad" <tscheiderich@ftsolutions.com> wrote in message
news:e1YlaUhmGHA.2112@TK2MSFTNGP04.phx.gbl...
> But then how do you tell IIS6.0 to use a particular address for a
> particular Domain?
>
> Would that be in the Host Header area?
>
> Also, If I am Nating coming in at say 67.x.x.5, 67.x.x.6, 67.x.x.7 and the
> Nat addresses are 10.0.0.10, 10.0.0.11, 10.0.0.12, will this work? The
> host header area only shows the local addresses. How would you set up the
> Certificate? Would you use the public addresses (67.x.x.5, etc) or the
> private addresses (10.0.0.10,etc)?
>
> Thanks,
>
> Tom



Re: SSL problems by Daniel

Daniel
Wed Jun 28 02:28:01 CDT 2006

tshad wrote on Tue, 27 Jun 2006 09:40:31 -0700:

> But wouldn't you need multiple NIC cards for this?

I've got one running 15 IPs.

> Also, we have a firewall that we come in on, with one IP for each server.
> How would we deal with that?
> I assume that the IPs have to be public IP addresses.

Yes. I've got a subnetted range of 32 addresses, of which a number are
mapped in my firewall to the private IPs on my web server. Port 80 and 443
are then opened at the firewall for these public IPs. Been working like this
for nearly 10 years (back in the old days it was NT3.51, then NT4, then
finally W2K with ORA WebSite, finally moved to IIS6 on W2K3 a few months
ago).

Dan



Re: SSL problems by tshad

tshad
Wed Jun 28 11:45:26 CDT 2006

"Daniel Crichton" <msnews@worldofspack.com> wrote in message
news:OX18kRomGHA.856@TK2MSFTNGP03.phx.gbl...
> tshad wrote on Tue, 27 Jun 2006 09:40:31 -0700:
>
>> But wouldn't you need multiple NIC cards for this?
>
> I've got one running 15 IPs.
>
>> Also, we have a firewall that we come in on, with one IP for each server.
>> How would we deal with that?
>> I assume that the IPs have to be public IP addresses.
>
> Yes. I've got a subnetted range of 32 addresses, of which a number are
> mapped in my firewall to the private IPs on my web server. Port 80 and 443
> are then opened at the firewall for these public IPs. Been working like
> this for nearly 10 years (back in the old days it was NT3.51, then NT4,
> then finally W2K with ORA WebSite, finally moved to IIS6 on W2K3 a few
> months ago).

So when I buy the certificate I would give them one of the public IPs
(67.x.x.7), but in IIS, in the Host Header section I would use one of the
private addresses (10.x.x.12). Right now the Host Header for my sites might
be:

Site1.com (SSL Certificate would have Site1.com and port 4433 and address of
67.x.x.7)
IP address: Default
TCP Port: 80
Host Header value: Site1.com
Host Header value: www.Site1.com
SSL IP Address: Default
SSL Port: 4433

Site2.com (SSL Certificate would have Site2.com and port 4434 and address of
67.x.x.7)
IP address: Default
TCP Port: 80
Host Header value: Site2.com
Host Header value: www.Site2.com
SSL IP Address: Default
SSL Port: 4434

If I have 67.x.x.7 -> 10.0.0.7 and 67.x.x.8 -> 10.0.0.8

Would I change the Host Header section as:

Site1.com (SSL Certificate would have Site1.com and 67.x.x.7)
IP address: 10.0.0.7
TCP Port: 80
Host Header value: Site1.com
Host Header value: www.Site1.com
SSL IP Address: 10.0.0.7
SSL Port: 443

Site2.com (SSL Certificate would have Site2.com and 67.x.x.8)
IP address: 10.0.0.8
TCP Port: 80
Host Header value: Site2.com
Host Header value: www.Site2.com
SSL IP Address: 10.0.0.8
SSL Port: 443

Would that be correct?

Thanks,

Tom
>
> Dan
>



Re: SSL problems by Daniel

Daniel
Thu Jun 29 02:03:16 CDT 2006

tshad wrote on Wed, 28 Jun 2006 09:45:26 -0700:

> "Daniel Crichton" <msnews@worldofspack.com> wrote in message news:OX18kRomGHA.856@TK2MSFTNGP03.phx.gbl...
>> tshad wrote on Tue, 27 Jun 2006 09:40:31 -0700:
>>
>>> But wouldn't you need multiple NIC cards for this?
>>
>> I've got one running 15 IPs.
>>
>>> Also, we have a firewall that we come in on, with one IP for each
>>> server. How would we deal with that? I assume that the IPs have to be
>>> public IP addresses.
>>
>> Yes. I've got a subnetted range of 32 addresses, of which a number are
>> mapped in my firewall to the private IPs on my web server. Port 80 and
>> 443 are then opened at the firewall for these public IPs. Been working
>> like this for nearly 10 years (back in the old days it was NT3.51, then
>> NT4, then finally W2K with ORA WebSite, finally moved to IIS6 on W2K3 a
>> few months ago).
>
> So when I buy the certificate I would give them one of the public IPs
> (67.x.x.7), but in IIS, in the Host Header section I would use one of the
> private addresses (10.x.x.12). Right now the Host Header for my sites might
> be:

When you buy a certificate you provide the host name - the IP address is
irrelevant.

> Site1.com (SSL Certificate would have Site1.com and port 4433 and address
> of 67.x.x.7)
> IP address: Default
> TCP Port: 80
> Host Header value: Site1.com
> Host Header value: www.Site1.com
> SSL IP Address: Default
> SSL Port: 4433
>
> Site2.com (SSL Certificate would have Site2.com and port 4434 and address
> of 67.x.x.7)
> IP address: Default
> TCP Port: 80
> Host Header value: Site2.com
> Host Header value: www.Site2.com
> SSL IP Address: Default
> SSL Port: 4434
>
> If I have 67.x.x.7 -> 10.0.0.7 and 67.x.x.8 -> 10.0.0.8
>
> Would I change the Host Header section as:
>
> Site1.com (SSL Certificate would have Site1.com and 67.x.x.7)
> IP address: 10.0.0.7
> TCP Port: 80
> Host Header value: Site1.com
> Host Header value: www.Site1.com
> SSL IP Address: 10.0.0.7
> SSL Port: 443
>
> Site2.com (SSL Certificate would have Site2.com and 67.x.x.8)
> IP address: 10.0.0.8
> TCP Port: 80
> Host Header value: Site2.com
> Host Header value: www.Site2.com
> SSL IP Address: 10.0.0.8
> SSL Port: 443
>
> Would that be correct?

Yes, that looks right, except that the SSL certs won't have IP addresses.

Dan
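
An added example, not written by any poster in this thread: a Python check that audits the two binding plans discussed above (one SSL port per site versus one IP per site on port 443) against the points raised in the replies. The dictionary fields, the `site` helper and the finding labels are hypothetical, and the sample plans are constructed from the values posted in the thread.

```python
import ipaddress
from collections import defaultdict

# Ports the ISA Server text quoted in the thread lists as allowed by default.
PROXY_DEFAULT_SSL_PORTS = {443, 563}

def is_ip_literal(name):
    try:
        ipaddress.ip_address(name)
        return True
    except ValueError:
        return False

def audit_ssl_plan(sites):
    """Return sorted (site, finding) pairs; an empty list means the plan is clean."""
    findings = []
    endpoints = defaultdict(list)
    for s in sites:
        endpoints[(s["ssl_ip"].lower(), s["ssl_port"])].append(s["name"])
        if s["ssl_port"] not in PROXY_DEFAULT_SSL_PORTS:
            findings.append((s["name"], "port-outside-proxy-default"))
        if is_ip_literal(s["cert_name"]):
            findings.append((s["name"], "cert-issued-to-ip"))
        elif s["cert_name"].lower() not in {h.lower() for h in s["host_headers"]}:
            findings.append((s["name"], "cert-name-not-a-site-host-name"))
    for names in endpoints.values():
        if len(names) > 1:  # same IP and same SSL port on more than one site
            findings.extend((n, "shared-ssl-endpoint") for n in names)
    return sorted(findings)

def site(name, ip, port, cert):
    # Hypothetical record layout mirroring the fields Tom listed per site.
    return {"name": name, "ssl_ip": ip, "ssl_port": port, "cert_name": cert,
            "host_headers": [name, "www." + name]}

# Constructed plans using the values posted in the thread.
PORT_PER_SITE = [site("Site1.com", "Default", 4433, "Site1.com"),
                 site("Site2.com", "Default", 4434, "Site2.com")]
IP_PER_SITE = [site("Site1.com", "10.0.0.7", 443, "Site1.com"),
               site("Site2.com", "10.0.0.8", 443, "Site2.com")]
SHARED_443 = [site("Site1.com", "Default", 443, "Site1.com"),
              site("Site2.com", "Default", 443, "10.0.0.8")]

if __name__ == "__main__":
    for label, plan in [("port per site", PORT_PER_SITE),
                        ("IP per site", IP_PER_SITE),
                        ("shared 443", SHARED_443)]:
        print(label, audit_ssl_plan(plan))
```

Only the IP-per-site plan comes back with no findings; the port-per-site plan is flagged because 4433 and 4434 are outside the proxy's default CONNECT ports.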