How to implement SSL with host header mapping in MCMS 2002 (810315)



The information in this article applies to:

  • Microsoft Content Management Server 2002

SUMMARY

This step-by-step article describes how to host more than one Secure Sockets Layer (SSL) site on one Microsoft Content Management Server (MCMS) computer.

Although you cannot use host headers in Microsoft Internet Information Services (IIS) with SSL, MCMS includes a host header mapping feature that makes the use of host headers possible. Because MCMS receives the request after IIS has decrypted the SSL stream, SSL encryption is transparent to MCMS. With host header mapping in MCMS, every SSL site must have a unique certificate. Because IIS permits you to bind only one certificate per Web site, each SSL site requires its own IIS Web site.

This article assumes that name resolution is already correctly implemented. For MCMS to correctly resolve a domain name, the IP address that is bound to the site that is using an SSL certificate must be registered with either a Domain Name System (DNS) server or a Windows Internet Name Service (WINS) server so that a request for an SSL-secured item can be correctly returned to the user. The domain name must correspond directly to the common name that the certificate uses. Microsoft recommends that you use a unique IP address for each SSL site that is hosted in MCMS, but you do not have to do this.

The example that this article describes uses the following configuration:
  • IIS Web Site 1
    • Name: www.adatum.com
    • IP address: 10.10.10.1
    • HTTP port: 80
    • SSL port: 443
  • IIS Web Site 2
    • Name: www.contoso.com
    • IP address: 10.10.10.2
    • HTTP port: 80
    • SSL port: 443

Create the Web sites in IIS

  1. Start Internet Service Manager.
  2. Right-click the computer name, click New, and then click Web site to start the Web Site Creation Wizard.
  3. In the Web Site Description dialog box, type a short description for the Web site, and then click Next. For example, you may type the host name (www.adatum.com or www.contoso.com).
  4. In the IP Address and Port Settings dialog box, type a unique IP address and a unique port for the Web site. In this example, the www.adatum.com site uses 10.10.10.1 as the IP address and 80 as the port, and the www.contoso.com site uses 10.10.10.2 as the IP address and 80 as the port. Do not type a host header name. IIS host header mapping does not work with SSL traffic.
  5. Click Next.
  6. In the Web Site Home Directory dialog box, type the physical path that contains the data for this Web site, and then click Next.
  7. In the Web Site Access Permissions dialog box, click Next.
  8. Repeat steps 2 through 7 for every SSL Web site that you want to host on this MCMS server.
  9. Click Finish to close the wizard.

Bind the SSL certificates to the Web sites

Use Internet Service Manager to bind each SSL certificate to the correct Web site. In this example, you bind the certificate for www.adatum.com to the Web site that listens on 10.10.10.1, and you bind the certificate for www.contoso.com to the Web site that listens on 10.10.10.2.

For additional information, click the following article number to view the article in the Microsoft Knowledge Base:

299875 HOW TO: Implement SSL on a Windows 2000 IIS 5.0 computer


Enable host header mapping in MCMS

  1. Start the MCMS Server Configuration Application (SCA). To do this, click Start, point to All Programs, click Microsoft Content Management Server, and then click Server Configuration Application.
  2. On the General tab, click Configure.
  3. In the Map Channel Names To Host Header Names list, click Yes.
  4. Click OK, and then close the SCA.

Configure the MCMS Web entry points

  1. In the SCA, click the Web tab, and then click Configure.
  2. Locate the MCMS column in the list of available entry points, and then locate the drop-down list next to the Web site that you want. Make sure that either Yes - Read Write or Yes - Read Only is selected. Make sure that you use Yes - Read Write only if you want authoring to be enabled for the Web entry point.
  3. Click OK, and then close the SCA.

Use Site Manager to create the channel structure

  1. Start Site Manager in Channels view. To do this, click Start, point to All Programs, click Microsoft Content Management Server, and then click Site Manager.
  2. Create a channel below the root channel for every site that will be hosted. In this example, you must create one channel that is named "www.adatum.com" and one channel that is named "www.contoso.com."
  3. Create the channel structure for every site that is listed below these channels.

Use HTTP or SSL to access hosted sites

You can now use either HTTP or SSL to access all hosted sites. A request to https://www.adatum.com is resolved to 10.10.10.1 - Port 443, and the request arrives at the IIS Web Site 1. The correct certificate is bound to IIS Web Site 1, and IIS Web Site 1 can decrypt the SSL stream. Because this IIS Web site is enabled for MCMS, the decoded request is forwarded to MCMS, and the MCMS host header channel mapping routes the request to the www.adatum.com channel.

The same thing occurs if a request is made to https://www.contoso.com. The request is resolved to 10.10.10.2 - Port 443, and the request arrives at IIS Web Site 2. The correct certificate is bound to IIS Web Site 2, and IIS Web Site 2 can decrypt the SSL stream. Because this IIS Web site is also MCMS-enabled, the decoded request is forwarded to MCMS, and MCMS host header channel mapping routes the request to the www.contoso.com channel.
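The following Python check is an added example, not part of the original article or of MCMS. It validates a deployment plan against the constraints described above (one SSL binding per IP address and port, name resolution to the bound address, certificate common name equal to the host name, and a channel named after the host), then traces one HTTPS request along the path just described. The data structures, function names, and sample values are constructed for illustration, and an exact common-name match is assumed.

```python
from collections import Counter

# Constructed deployment plan mirroring the article's example configuration.
SITES = [
    {"name": "www.adatum.com", "ip": "10.10.10.1", "ssl_port": 443,
     "cert_cn": "www.adatum.com"},
    {"name": "www.contoso.com", "ip": "10.10.10.2", "ssl_port": 443,
     "cert_cn": "www.contoso.com"},
]
DNS = {"www.adatum.com": "10.10.10.1", "www.contoso.com": "10.10.10.2"}
CHANNELS = {"www.adatum.com", "www.contoso.com"}  # channels below the root


def check_plan(sites, dns, channels):
    """Return a list of problems that would break SSL host header mapping."""
    problems = []
    # Without host headers, IIS can tell SSL sites apart only by IP:port.
    bindings = Counter((s["ip"], s["ssl_port"]) for s in sites)
    for (ip, port), count in bindings.items():
        if count > 1:
            problems.append(f"{ip}:{port} is bound to {count} SSL sites")
    for s in sites:
        host = s["name"]
        if dns.get(host) != s["ip"]:
            problems.append(f"{host} does not resolve to {s['ip']}")
        if s["cert_cn"].lower() != host.lower():
            problems.append(f"{host}: certificate CN is {s['cert_cn']}")
        if host not in channels:
            problems.append(f"{host}: no MCMS channel with that name")
    return problems


def route(host, sites, dns, channels, port=443):
    """Trace one HTTPS request: DNS -> IIS binding -> certificate -> channel."""
    ip = dns.get(host)
    site = next((s for s in sites
                 if s["ip"] == ip and s["ssl_port"] == port), None)
    if site is None:
        return None  # no IIS Web site listens on the resolved address
    if site["cert_cn"].lower() != host.lower():
        return None  # client would see a certificate name mismatch
    # MCMS maps the decrypted request's Host header to a channel name.
    return host if host in channels else None
```

An empty list from `check_plan` means the plan satisfies every constraint the article lists; `route` returns the channel name that would serve the request, or `None` at the first step that fails.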


Modification Type: Minor
Last Reviewed: 3/11/2004
Keywords: kbHOWTOmaster kbhowto KB810315 kbAudDeveloper