The Solution: I created the 4 sites in SharePoint on ports 8000, 4444, 3333 and 5555. For each of these new web applications I enabled SSL in IIS (certificates come later on). For each of these sites I extended the web application on port 80 with the desired host header (portal.domainname.com, mysites.domainname.com, etc.). On each of these port 80 sites I redirect (in IIS, on the Home Directory tab) to the HTTPS site, which is the main site on ports 8000, 4444, 3333 and 5555. On the sites on those ports (which, as mentioned before, are also listening on port 443), in IIS I check “Require secure channel” in the Directory Security tab. Now let’s deal with the certificates for these sites.
The way to do it is to create the certificate and add to it the necessary “Subject Alternative Name” entries (please check MS KB931351). So, basically, in one certificate you are adding https://portal.domainname.com, https://mysites.domainname.com, etc.
Then you have to configure the server bindings for SSL host headers. To configure the SecureBindings metabase property, either use Metabase Explorer or type cscript.exe adsutil.vbs set /w3svc/
The AAMs are very simple: the default zone maps https://portal.domainname.com to https://portal.domainname.com, and the extended zone (Internet, for example) maps http://portal.domainname.com to http://portal.domainname.com.
What happens: you now have 4 sites all using SSL and running through 4 different ISA Server rules, but all of them pointing to the same server (I will write more on the ISA rules soon). The user places a request, HTTP or HTTPS (it doesn’t matter); ISA receives it and forwards it as an HTTPS request. We force HTTPS in IIS because the site can also be accessed from inside, where the request does not go through the ISA server. The SharePoint server receives it and, according to the AAM, hands the request to IIS as HTTPS (if internal, it could hand it over as HTTP if the user typed that, but IIS will internally redirect it to HTTPS anyway, so the effect is the same). Because IIS only allows one SSL site per IP address, that SSL site receives the request (in my case the portal site on port 8000, which is listening on SSL, has no SecureBindings set in the metabase and has the certificate with the Subject Alternative Names attached). IIS checks that the certificate matches the request (which it will) and then routes it to the corresponding 443 site: if the request was https://mysites.domainname.com, it goes to the site on port 3333 whose SecureBindings metabase value is 443:mysites.domainname.com. The extension of this site on port 80 exists only to redirect internal HTTP requests to HTTPS.
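To sanity-check a layout like the one above before certificates and bindings go live, here is an added example (not code from the original post) that models the pieces it depends on: one default SSL site with no host header, the other sites distinguished by their SecureBindings host header, and a single certificate whose Subject Alternative Names must cover every host. The site labels “search” and “admin”, the SAN list and the SecureBindings values are constructed for illustration.

```python
"""Lint an IIS 6 style SSL host-header layout (constructed example)."""
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Site:
    name: str            # hypothetical label for the IIS site
    main_port: int       # port the web application was created on
    secure_binding: str  # SecureBindings value ("IP:port:host"); "" = no host header


def san_matches(host: str, san_names: List[str]) -> bool:
    """True if host is covered by a SAN entry, exact or single-label wildcard."""
    host = host.lower()
    for name in san_names:
        name = name.lower()
        if name == host:
            return True
        # *.domainname.com covers one label only, not a.b.domainname.com
        if name.startswith("*.") and host.count(".") == name.count("."):
            if host.split(".", 1)[1] == name[2:]:
                return True
    return False


def check_layout(sites: List[Site], san_names: List[str]) -> Dict[str, List[str]]:
    """Report the misconfigurations that break SSL host headers on one IP."""
    problems = {"multiple_default_ssl": [], "not_in_san": [], "duplicate_host": []}
    seen: Dict[str, str] = {}
    for s in sites:
        if not s.secure_binding:
            # Exactly one site may act as the default SSL site on the IP.
            problems["multiple_default_ssl"].append(s.name)
            continue
        host = s.secure_binding.split(":")[-1]
        if host in seen:
            problems["duplicate_host"].append(f"{s.name} duplicates {seen[host]}")
        seen[host] = s.name
        if not san_matches(host, san_names):
            problems["not_in_san"].append(host)
    if len(problems["multiple_default_ssl"]) <= 1:
        problems["multiple_default_ssl"] = []  # one default site is expected
    return problems


# Constructed sample: the SAN list forgets the admin host on purpose.
SAN = ["portal.domainname.com", "mysites.domainname.com", "search.domainname.com"]
SITES = [
    Site("portal", 8000, ""),  # default SSL site, no SecureBindings set
    Site("mysites", 3333, ":443:mysites.domainname.com"),
    Site("search", 4444, ":443:search.domainname.com"),
    Site("admin", 5555, ":443:admin.domainname.com"),
]

if __name__ == "__main__":
    print(check_layout(SITES, SAN))
```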
Hope it helps someone else.
Cheers,
GS