Hosting Multiple SSL Sites Using Server Proxy in Proxy 2.0 (250510)



The information in this article applies to:

  • Microsoft Proxy Server 2.0

This article was previously published under Q250510

SUMMARY

The Server Proxy feature is the recommended method for publishing data from a Web server that is placed "behind" a Microsoft Proxy Server 2.0-based computer when SSL encryption is required.

The alternative way to publish a site behind a Microsoft Proxy Server 2.0-based computer is to use Reverse Proxy (also known as Web Publishing). This works well for HTTP traffic, but not for HTTPS traffic. Because Reverse Proxy works at the application layer and SSL provides end-to-end encryption, the only way to fully achieve encryption between the client and the hosting Web server is to use the Server Proxy feature from the Winsock Proxy Service.

If you require multiple SSL sites hosted behind a single Microsoft Proxy Server 2.0-based computer, perform the steps in the MORE INFORMATION section of this article. If just one SSL site is required, the steps included in the following article in the Microsoft Knowledge Base should be sufficient:

184030 Using Server Proxy with SSL in Proxy Server 2.0

MORE INFORMATION

To successfully run multiple SSL Sites using Server Proxy you should have a Microsoft Proxy Server 2.0-based computer with at least two network adapters (one internal and one external adapter). For additional information about network adapter configuration and restrictions, click the article number below to view the article in the Microsoft Knowledge Base:

243078 Proxy Server Network Interface Configuration

As Host Header Names are not supported with SSL, you must distinguish the internal SSL sites you want to host either by IP address or TCP ports. If you want to distinguish the SSL sites by IP address, you must provide a separate physical computer for each SSL site you want to host. This is not necessary if you choose to distinguish the SSL Sites by TCP ports.

Depending on whether you want to host both HTTP and HTTPS using Server Proxy and whether you also want to use the default ports for these protocols, you may need to change the HTTP and HTTPS listening port for the default Web site or any other sites using these ports on the Proxy Server 2.0-based computer.

How to Configure Multiple SSL Sites Running IIS 4.0 Distinguished by IP Address

In this example you want to host multiple sites using Server Proxy for both HTTP and HTTPS. This requires a separate physical computer for each pair of HTTP/HTTPS sites you want to host.
  1. Install Microsoft Proxy Server 2.0 Service Pack 1 on the Proxy Server 2.0-based computer. For additional information about Service Pack 1, click the article number below to view the article in the Microsoft Knowledge Base:

    238375 Proxy Server 2.0 Service Pack 1: List of Fixes

  2. For every site you want to host, a separate IP address must be configured on the external network adapter on the Proxy Server 2.0-based computer. DNS host entries should also be configured, resolving to the address of the external IP address on the Proxy Server 2.0 computer you want the internal site to bind to. The DNS name should also match the common name for the certificate you install on the internal SSL sites.
  3. Install the Winsock Proxy Client on all HTTP/HTTPS Servers, and then verify that the Winsock Proxy Client is working properly:

    1. Run the chkwsp32 /f command at a command prompt. This command should generate the following confirmation message:
      Client control protocol matches the server control protocol.
    2. Test connectivity with a Winsock 1.1-based program, for example, command-line FTP.
  4. Install the update listed in the following article in the Microsoft Knowledge Base:

    232588 Winsock Proxy Client Fails to Bind Remotely to Proxy Server

    This update is not part of Microsoft Proxy Server 2.0 Service Pack 1. It permits you to bind multiple ports from the same service using the ProxyBindIp parameter. It includes an updated Wspsrv.exe file and an updated Wspwsp.dll file. The updated Wspsrv.exe file should be installed on the computer running Proxy Server 2.0. The updated Wspwsp.dll is a client side update and should be installed on all computers you plan to host.

    NOTE: If you plan to host HTTP using Reverse Proxy instead of Server Proxy, this update may not be needed. For additional information about what this update resolves, click the article number below to view the article in the Microsoft Knowledge Base:

    232588 Winsock Proxy Client Fails to Bind Remotely to Proxy Server

  5. On the computer running Proxy Server 2.0, use the netstat -an command from a command prompt to check if ports 80 and 443 are in use. Normally these ports will be in use when the Web Proxy Service is running and should therefore be changed to (for example) 8080 for HTTP and 4443 for HTTPS. If you cannot change the SSL port from the Internet Information Server Snap-in in the Microsoft Management Console, you can change the port by using one of the available Metabase utilities. For example, if you have Windows Scripting Host installed you can change the port by running the following command:

    WARNING: Stop the IISAdmin Service before running this command.

    cscript %systemroot%\system32\inetsrv\adminsamples\adsutil.vbs set w3svc/Web Server instance/SecureBindings :4443:

    where Web Server instance is the Web Server instance. On a Proxy Server 2.0-based computer this should always be the Default Web Site. For additional information about integration between the proxy services and the default Web site, click the article number below to view the article in the Microsoft Knowledge Base:

    246101 Issues with Microsoft Proxy 2.0 and the Internet Information Server 4.0

    NOTE: Web Browsers using the Web Proxy Service must be reconfigured to use the new 8080 port number.
  6. Install the SSL certificates on the internal sites you want to host.
  7. Configure the internal sites you plan to host to "All Unassigned" under Properties for the site using the Internet Information Server Snap-in in the Microsoft Management Console.
  8. On the internal sites you want to host, create a Wspcfg.ini file and place it in the %systemroot%\system32\inetsrv folder where you find the Inetinfo.exe file. The file should look similar to the following example:

    IMPORTANT: The 192.168.1.10 IP address is only an example. It will not work in actual use because it belongs to the assigned Private Ranges.

    [Inetinfo]
    ProxyBindIp=80:192.168.1.10,443:192.168.1.10
    ServerBindTcpPorts=80,443
    Persistent=1
    KillOldSession=1
    ForceCredentials=1

    A similar Wspcfg.ini file should be created on all internal sites you plan to host. The IP address specified for the ProxyBindIp parameter must be different on all hosts and correspond to the IP address you want it to bind to on the external Proxy Server 2.0 network adapter.

    If Access Control is disabled for the Winsock Proxy Service, then the ForceCredentials parameter is not required. However, if you use Access Control you must include the ForceCredentials parameter in the Wspcfg.ini file, and also perform the following steps:

    1. View the Properties for the Winsock Proxy Service, and then create a new protocol definition for all ports you are hosting using Server Proxy. For example, if you host both HTTP and HTTPS on the default ports, create two new protocol definitions. Name the first HTTP Hosting 80. Under Initial Connection, type 80 in the Port box, and then select Inbound as the Direction. Name the second protocol definition HTTPS Hosting 443. Type 443 in the Port box, and then select Inbound as the Direction.
    2. Create a user account, and then grant it Access on the Winsock Proxy Service Permissions tab for the protocol definitions you created in step 1.
    3. On the internal hosts use the Credtool.exe utility installed with the Winsock Proxy Client so that the Inetinfo Service is able to authenticate with the Winsock Proxy Service. For example, if you named the account "sslauth" with the password "SuperSecret" in a domain named "webdomain", run the following command:

      credtool -w -n inetinfo -c sslauth webdomain SuperSecret

      For this example, the command should generate the following output:

      User: [sslauth]
      Domain: [webdomain]
      Password: [SuperSecret]
  9. Start the Proxy Services on the Proxy Server 2.0-based computer. After the service has been started, verify that ports 80 and 443 are not in use by running the netstat -an command at a command prompt.
  10. Start the Web Service on the internal hosts. Run the netstat -an command at a command prompt on the internal hosts, and then verify that they are all "listening" on ports 80 and 443 for local address 0.0.0.0.
  11. Run the netstat -an command at a command prompt on the Proxy Server 2.0-based computer, and then verify that it is listening on ports 80 and 443 for all IP addresses on the external network adapter that you have bound the internal hosts to.
  12. Using a Web browser program, test the connectivity by connecting to the DNS name that resolves to the external Proxy Server IP address you want to connect to. For each DNS name you should be able to "see" the corresponding internal site that is bound to the external adapter on the Proxy Server.

Additional Information

If you plan to distinguish the different sites by TCP ports instead of IP addresses, only one physical computer is required, and the Wspcfg.ini file on the internal host should look similar to the following example:

[Inetinfo]
ServerBindTcpPorts=8081,8082,4444,4445
Persistent=1
KillOldSession=1
ForceCredentials=1

Remember that each internal site needs a unique port for both HTTP and HTTPS in the Wspcfg.ini file. The ports must also be different from the ports you use on the Proxy Server 2.0-based computer. In addition to specifying the ports in the Wspcfg.ini file, remember to specify the same port for the Web site you want to host under the Internet Information Server Snap-in in the Microsoft Management Console.

If Access Control is enabled for the Winsock Proxy Service, remember to create new protocol definitions and assign permissions for all the ports you plan to use.

After this is done, restart the Web Services. Use the netstat -an command on both the internal host and on the Proxy Server to verify that it is listening on the ports you specified. Finally, connect with a client by specifying the port in the URL similar to the following URL:

HTTPS://mysslserver:4444/default.asp
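
The Wspcfg.ini rules from step 8 and from the port-based variant above (a different ProxyBindIp address on every host, no private-range address, ports that do not collide with the Proxy Server's own, ForceCredentials when Access Control is on) can be checked before the services are restarted. The following Python check is an added example, not part of the original article or of Proxy Server 2.0; the function names, the finding texts, and the sample host names and 203.0.113.x addresses are assumptions constructed for illustration.

```python
import configparser
import ipaddress
from collections import defaultdict

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def parse_wspcfg(text):
    """Return (ports, binds, force_credentials) from the [Inetinfo] section."""
    cp = configparser.ConfigParser(delimiters=("=",))
    cp.read_string(text)
    sec = cp["Inetinfo"]
    ports = {int(p) for p in sec.get("ServerBindTcpPorts", "").split(",") if p.strip()}
    binds = {}  # port -> external proxy address, from "port:ip,port:ip"
    for item in filter(None, (s.strip() for s in sec.get("ProxyBindIp", "").split(","))):
        port, ip = item.split(":", 1)
        binds[int(port)] = ipaddress.ip_address(ip.strip())
    return ports, binds, sec.get("ForceCredentials", "0").strip() == "1"

def audit(hosts, proxy_ports=(), access_control=True):
    """hosts maps a host name to its Wspcfg.ini text; returns sorted findings."""
    findings, claims = set(), defaultdict(list)
    for name, text in hosts.items():
        ports, binds, force = parse_wspcfg(text)
        if access_control and not force:
            findings.add(f"{name}: ForceCredentials=1 missing with Access Control on")
        for port in sorted(ports & set(proxy_ports)):
            findings.add(f"{name}: port {port} is also used on the proxy server")
        for port, ip in sorted(binds.items()):
            if port not in ports:
                findings.add(f"{name}: ProxyBindIp port {port} not in ServerBindTcpPorts")
            if any(ip in net for net in RFC1918):
                findings.add(f"{name}: {ip} is a private-range address")
        # Modelling choice of this example: no ProxyBindIp entry is tracked as "any".
        for port in ports:
            claims[(str(binds.get(port, "any")), port)].append(name)
    for (ip, port), names in claims.items():
        if len(names) > 1:
            findings.add(f"{ip}:{port} is claimed by {', '.join(sorted(names))}")
    return sorted(findings)

# Constructed sample files (203.0.113.x is a documentation range, not a real site).
TEMPLATE = "[Inetinfo]\nProxyBindIp=80:{ip},443:{ip}\nServerBindTcpPorts=80,443\nPersistent=1\nKillOldSession=1\n{extra}"
SAMPLE = {
    "web1": TEMPLATE.format(ip="203.0.113.10", extra="ForceCredentials=1\n"),
    "web2": TEMPLATE.format(ip="203.0.113.10", extra=""),   # same IP, no credentials
    "web3": TEMPLATE.format(ip="192.168.1.10", extra="ForceCredentials=1\n"),
}

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)))
```

For the port-based layout, pass the ports already in use on the Proxy Server (for example 8080 and 4443 from step 5) as proxy_ports so that overlaps are reported.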


Modification Type: Major
Last Reviewed: 8/6/2002
Keywords:kbinfo kbnetwork KB250510