How to Host Multiple SSL Sites on a Server with One IP Address and Port

How can I host multiple SSL sites on a server with only one IP address and one port?

Windows Server 2012 Internet Information Services 8 (IIS) includes support for the Server Name Indication (SNI) extension. To establish a secure channel with a webserver, the server must present its certificate to the client so that data can be encrypted. When multiple website domains are hosted on a virtual host server with a single IP address and port, the server doesn’t know which certificate to send to the client, because HTTP headers (including the Host header) are not available during the SSL handshake. Only the IP address and port can be established from the TCP header. SNI solves this problem by carrying the requested host name in the Client Hello message, the first message of the handshake, so the server can pick the matching certificate before any encryption is set up.

Web Browser Support

Browsers need to support the SNI extension to successfully connect to a server that requires it. Internet Explorer 7 (and later) supports SNI, but it is worth noting that it’s not supported in any version of IE running on Windows XP (or earlier). Windows Phone 7 (and later) supports SNI, as does Safari 2.1 (or later) on Mac OS X 10.5.6 or Windows Vista (and later).

Enable SNI on an IIS Website

IIS 8 on Windows Server 2012 has SNI support enabled out-of-the-box. You need to specify on individual SSL site bindings if they will require Server Name Indication, also known as Hostname:Port binding. Additionally, you must specify a host name so that client requests can be matched to websites on the server.

If the Client Hello doesn’t include the server name extension, the connection to the server will fail unless a legacy IP:Port SSL binding exists for the site, in which case IIS will attempt to complete the connection using that binding.

To require Server Name Indication for a new site in IIS8:

  • Log in to your Windows Server 2012 webserver with an account that has permission to manage IIS.
  • Open IIS Manager from the Start screen.
  • Expand your webserver in the left pane of IIS Manager, right-click the Sites folder and select Add Website from the menu.
  • In the Add Website dialog, make sure that Require Server Name Indication is checked in the Binding section.
  • Type the site’s domain name in the Host name box.
  • Configure other necessary settings and click OK.

Host Multiple SSL Sites with One IP Address: SNI in IIS8

To add a new SSL binding with Server Name Indication on an existing SSL site in IIS8:

  • Expand your webserver and the Sites folder in the left pane of IIS Manager.
  • Right-click your website and select Edit Bindings from the menu.
  • Click Add in the Site Bindings dialog.
  • Check Require Server Name Indication in the Add Site Binding dialog.
  • Type the site’s domain name in the Host name box.
  • Configure other necessary settings and click OK.