How to Host Multiple SSL Sites on a Server with One IP Address and Port

How can I host multiple SSL sites on a server with only one IP address and one port?

Windows Server 2012 Internet Information Services 8 (IIS) includes support for the Server Name Indication (SNI) extension. To establish a secure channel with a webserver, clients request certificates from the server so that data can be encrypted. When multiple website domains are present on a virtual host server with a single IP address and port, the server doesn’t know which certificate to send to the client because HTTP headers are not available during the SSL handshake. Only the IP address and port can be established from the TCP header. SNI solves this problem by adding server information to the Client Hello message.

Web Browser Support

Browsers need to support the SNI extension to successfully connect to a server that requires it. Internet Explorer 7 (and later) supports SNI, but it is not supported in any version of IE running on Windows XP (or earlier). Windows Phone 7 (and later) supports SNI, as does Safari 2.1 (or later) on Mac OS X 10.5.6 or Windows Vista (and later).

Enable SNI on an IIS Website

IIS 8 on Windows Server 2012 has SNI support enabled out-of-the-box. On each individual SSL site binding, you need to specify whether it requires Server Name Indication, also known as a Hostname:Port binding. Additionally, you must specify a host name so that client requests can be matched to websites on the server.

If the Client Hello doesn’t include the server name extension, the connection to the server will fail unless a legacy IP:Port SSL binding exists for the site, in which case IIS will attempt to complete the connection.

To require Server Name Indication for a new site in IIS 8:

  • Log in to your Windows Server 2012 webserver with an account that has permission to manage IIS.
  • Open IIS Manager from the Start screen.
  • Expand your webserver in the left pane of IIS Manager, right-click the Sites folder and select Add Website from the menu.
  • In the Add Website dialog, make sure that Require Server Name Indication is checked in the Binding section.
  • Type the site’s domain name in the Host name box.
  • Configure other necessary settings and click OK.

To add a new SSL binding with Server Name Indication on an existing SSL site in IIS 8:

  • Expand your webserver and the Sites folder in the left pane of IIS Manager.
  • Right-click your website and select Edit Bindings from the menu.
  • Click Add in the Site Bindings dialog.
  • Check Require Server Name Indication in the Add Site Binding dialog.
  • Type the site’s domain name in the Host name box.
  • Configure other necessary settings and click OK.
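
The binding steps above can also be scripted with the WebAdministration module. The following is an added example, not part of the original article; the function names, site name, host name and thumbprint are placeholders chosen for illustration. It also lists HTTPS bindings that do not require SNI, which are the legacy IP:Port bindings IIS falls back to when a Client Hello carries no server name.

```powershell
# Added example: placeholder names throughout, not code from the article.
Import-Module WebAdministration

function Add-SniBinding {
    param(
        [Parameter(Mandatory = $true)][string]$SiteName,
        [Parameter(Mandatory = $true)][string]$HostName,
        [Parameter(Mandatory = $true)][string]$Thumbprint,
        [int]$Port = 443
    )

    # The certificate must be in LocalMachine\My, usable and not expired.
    $cert = Get-Item -Path "Cert:\LocalMachine\My\$Thumbprint" -ErrorAction Stop
    if (-not $cert.HasPrivateKey) { throw "Certificate $Thumbprint has no private key." }
    if ($cert.NotAfter -lt (Get-Date)) { throw "Certificate $Thumbprint expired on $($cert.NotAfter)." }

    # Do not touch a binding that already exists for this host name and port.
    $existing = Get-WebBinding -Name $SiteName -Protocol https -Port $Port -HostHeader $HostName
    if ($existing) {
        Write-Warning "Binding for ${HostName}:$Port already exists on '$SiteName'."
        return
    }

    # SslFlags 1 = Require Server Name Indication (Hostname:Port binding).
    New-WebBinding -Name $SiteName -Protocol https -Port $Port -HostHeader $HostName -SslFlags 1

    # Attach the certificate to the new binding.
    $binding = Get-WebBinding -Name $SiteName -Protocol https -Port $Port -HostHeader $HostName
    $binding.AddSslCertificate($Thumbprint, 'My')
}

function Get-NonSniHttpsBinding {
    # HTTPS bindings without the SNI flag are legacy IP:Port bindings.
    Get-Website | ForEach-Object {
        $site = $_.Name
        Get-WebBinding -Name $site -Protocol https |
            Where-Object { -not ($_.sslFlags -band 1) } |
            Select-Object @{ n = 'Site'; e = { $site } }, bindingInformation, sslFlags
    }
}

# Usage (placeholder values):
# Add-SniBinding -SiteName 'Contoso' -HostName 'www.contoso.example' -Thumbprint '<CERT-THUMBPRINT>'
# Get-NonSniHttpsBinding | Format-Table -AutoSize
```

Run the script from an elevated PowerShell session on the web server; `netsh http show sslcert` then lists the new entry as a Hostname:port binding.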
