Re: IIS 6 conflict using port 443 for NON-SSL traffic

From: David Wang [Msft] (someone_at_online.microsoft.com)
Date: 04/26/05 

Date: Mon, 25 Apr 2005 18:46:22 -0700

I talked with members on the HTTP.SYS team, and both restrictions that I
named earlier are planned to be addressed in HTTP.SYS on Longhorn, which is
within the IIS7 timeframe.
1. HTTP over IP1:Port1 and HTTPS over IP2:Port1 will be allowed
2. IP1:Port1 and IP2:Port2 will not prevent IP1:Port2 and IP2:Port1 from
being bound by another server

These changes are planned in HTTP.SYS on Longhorn. Having customer usage
scenario helps tremendously, so the next time you do not like something, be
sure to report it; if you stay silent, no one knows you don't like it.

The only chance to get it on HTTP.SYS on Windows Server 2003 is to open a
support case and make a request for it. This puts it on the radar of things
to consider backporting but is no guarantee. It is a matter of cost/benefit
when it comes to post RTM changes. 

-- 
//David
IIS
http://blogs.msdn.com/David.Wang
This posting is provided "AS IS" with no warranties, and confers no rights.
//
"Richard Dixson" <reply@hereonlyplease.com> wrote in message
news:I9Wdnf4XHpD47PHfRVn-ow@comcast.com...
Thank you very much for the follow up David.
Just to make sure I am understanding you correctly, after this enhancement
is made it will be possible to have IIS answering for a 443 regular http
traffic for IP X and 443 HTTPS traffic on port 443 for a different IP on the
same machine - is this right?
Also - do you know how this updated HTTPS.SYS will be distributed?  Do you
think it may be possible to use this enhanced HTTPS.SYS with IIS 6 on WS03?
Or will it only ship with files installed with IIS 7.0?
Thanks again for all your help with this.
Richard
"David Wang [Msft]" <someone@online.microsoft.com> wrote in message
news:OsSPgo9PFHA.3880@tk2msftngp13.phx.gbl...
> Ok, I got word that this will be addressed in the IIS7 timeframe by
> HTTP.SYS.
>
> It actually has nothing to do with port 443 -- it could be any port.
> HTTP.SYS in WS03 did not allow one port number to be used for both HTTP
and
> HTTPS.
>
> --
> //David
> IIS
> http://blogs.msdn.com/David.Wang
> This posting is provided "AS IS" with no warranties, and confers no
rights.
> //
> "Richard Dixson" <reply@hereonlyplease.com> wrote in message
> news:bZWdnVdDb-ntY8TfRVn-oA@comcast.com...
> Unfortunately I tried that as well without success.  I tried several ways.
>
> The bottom line seems to be that something about port 443 is treated quite
> specially by IIS 6 and it does not want to allow it to share port 443 by
> non-SSL on one IP with SSL on another IP.
>
> I am wondering if anyone else has run into this or is aware of it, and how
I
> may be able to work around it.
>
> Richard
>
> "Ken Schaefer" <kenREMOVE@THISadOpenStatic.com> wrote in message
> news:O8rwUYkPFHA.2252@TK2MSFTNGP15.phx.gbl...
> > For IIS6 use httpcfg rather than "disableSocketPooling" metabase
setting.
> >
> > http://support.microsoft.com/kb/813368/EN-US/
> >
> > Cheers
> > Ken
> >
> > --
> > Blog: www.adopenstatic.com/cs/blogs/ken/
> > Web: www.adopenstatic.com
> >
> >
> > "Richard Dixson" <reply@hereonlyplease.com> wrote in message
> > news:E6KdnZMKkb9dGsvfRVn-1g@comcast.com...
> > :I need IIS to respond to HTTP requests on port 443 for different IPs on
> the
> > : same web server, with one IP set up to handle NON ssl traffic
(http://),
> > and
> > : the other set up with a certificate to handle SSL (https://) traffic.
> > :
> > : IIS 6.0 (using Win2K3 latest updates/patches) will NOT allow this.
When
> > you
> > : try to start the non-https site it complains that it is in use.  There
> is
> > : definately a conflict due to IIS somehow locking port 443 exclusively
> for
> > : HTTPS traffic.
> > :
> > : Under IIS 5.0 I was able to succesfully work around this conflict by
> > : disabling socket pooling.  However under IIS 6 disabling socket
spooling
> > : does not work.
> > :
> > : Here is an example of what I am trying to do: On Web Server "A" I need
> to
> > : configure it like this:
> > :
> > :  Virtual web site #1: IP=x.x.x.2: Configured for TCP Port = 443, SSL
> Port
> > =
> > : <blank>
> > :
> > :  Virtual web site #2: IP=x.x.x.3: Configured for TCP Port = 80, SSL
Port
> =
> > : 443 with installed SSL certificate
> > :
> > : So traffic coming in as http://x.x.x.2:443/something.htm gets
responded
> to
> > : as regular http (non-https) traffic over port 443 for this IP.  And
> > traffic
> > : coming in as https://x.x.x.3/something.htm gets responded to as https
> > : traffic over port 443 as usual.
> > :
> > : I realize it is unusual to have to pass NON https traffic over port
443,
> > but
> > : due to special circumstances this is a core requirement.
> > :
> > : If I remove virtual web site #2 than virtual site #1 works great - it
> will
> > : pass non-https traffic just fine over port 443, but ONLY IF there is
no
> > web
> > : site configured on the server to use HTTPS (even if such https web
sites
> > are
> > : configured on a different IP).
> > :
> > : The work around would be to set up a second dedicated web server for
> > virtual
> > : web site #1 so that it runs without a web site configured to really
use
> > : HTTPS.  Unfortunately this is not a possibility as I only have one
> > physical
> > : production web server I can use, and I cannot avoid having a site on
> that
> > : server configured to use HTTPS.
> > :
> > : Can anyone offer some advice or tips on how I may be able to work
around
> > : this?  Anyone know if IIS 7 will work the same way?
> > :
> > : Thank you very much in advance!
> > :
> > : Richard
> > :
> > :
> >
> >
>
>
>

Relevant Pages

  • Re: IIS 6 conflict using port 443 for NON-SSL traffic
    ... :I need IIS to respond to HTTP requests on port 443 for different IPs on the ... : Here is an example of what I am trying to do: On Web Server "A" I need to ... I realize it is unusual to have to pass NON https traffic over port 443, ... web site #1 so that it runs without a web site configured to really use ...
    (microsoft.public.inetserver.iis.security)
  • IIS 6 conflict using port 443 for NON-SSL traffic
    ... I need IIS to respond to HTTP requests on port 443 for different IPs on the ... HTTPS traffic. ... Here is an example of what I am trying to do: On Web Server "A" I need to ...
    (microsoft.public.inetserver.iis.security)
  • Re: Creating a Web Site and publishing it
    ... To what application do I have to allow access in my firewall. ... (usually port 80 for IIS, but it's random using the built in VS web server ...
    (microsoft.public.dotnet.general)
  • Re: iis is not running
    ... There are a couple of possibilities, depending on the message. ... and set to another port. ... uninstall IIS and reinstall and then run aspnet_regiis /i to make ... start the web server before proceeding. ...
    (microsoft.public.dotnet.general)
  • Re: IIS 6 conflict using port 443 for NON-SSL traffic
    ... This is a known limitation in HTTP.SYS in Windows Server 2003 and there is ... HTTP.SYS does not support re-using the same PORT with different protocols, ... Both issues are inside of HTTP.SYS so IIS version doesn't make a difference, ... >: HTTPS traffic. ...
    (microsoft.public.inetserver.iis.security)