
How to Host Multiple SSL Sites on a Server with One IP Address and Port

How can I host multiple SSL sites on a server with only one IP address and one port?

Windows Server 2012 Internet Information Services 8 (IIS) includes support for the Server Name Indication (SNI) extension. To establish a secure channel with a webserver, clients request certificates from the server so that data can be encrypted. When multiple website domains are present on a virtual host server with a single IP address and port, the server doesn’t know which certificate to send to the client because HTTP headers are not available during the SSL handshake. Only the IP address and port can be established from the TCP header. SNI solves this problem by adding server information to the Client Hello message.

Web Browser Support

Browsers need to support the SNI extension to successfully connect to a server that requires it. Internet Explorer 7 (and later) supports SNI, but it is worth noting that it’s not supported in any version of IE running on Windows XP (or earlier). Windows Phone 7 (and later) supports SNI, as does Safari 2.1 (or later) on Mac OS X 10.5.6 or Windows Vista (and later).

Enable SNI on an IIS Website

IIS 8 on Windows Server 2012 has SNI support enabled out-of-the-box. For each individual SSL site binding, you need to specify whether it will require Server Name Indication, also known as Hostname:Port binding. Additionally, you must specify a host name so that client requests can be matched to websites on the server.

If the Client Hello doesn’t include the server name extension, the connection to the server will fail, unless a legacy IP:Port SSL binding exists for the site, in which case IIS will attempt to complete the connection.

To require Server Name Indication for a new site in IIS8:

  • Log in to your Windows Server 2012 webserver with an account that has permission to manage IIS.
  • Open IIS Manager from the Start screen.
  • Expand your webserver in the left pane of IIS Manager, right-click the Sites folder and select Add Website from the menu.
  • In the Add Website dialog, make sure that Require Server Name Indication is checked in the Binding section.
  • Type the site’s domain name in the Host name box.
  • Configure other necessary settings and click OK.

Host Multiple SSL Sites with One IP Address: SNI in IIS8

To add a new SSL binding with Server Name Indication on an existing SSL site in IIS8:

  • Expand your webserver and the Sites folder in the left pane of IIS Manager.
  • Right-click your website and select Edit Bindings from the menu.
  • Click Add in the Site Bindings dialog.
  • Check Require Server Name Indication in the Add Site Binding dialog.
  • Type the site’s domain name in the Host name box.
  • Configure other necessary settings and click OK.

IT consultant, Contributing Editor @PetriFeed, and trainer @Pluralsight. All about Microsoft, Office 365, Azure, and Windows Server.