Configure two different IP addresses for http and https

Anonymous
August 6, 2004 4:18:14 AM

Archived from groups: microsoft.public.win2000.dns (More info?)

Hi all,

I am trying to configure the DNS for my internal network. Basically I want
all http traffic (port 80) to route to IP address 10.12.22.5 and I want all
https traffic (port 443) to route to 10.12.22.6. I thought I could just set
up SRV records for 443 but it's not working, maybe I am doing something
wrong.

Any ideas?

Thanks,
Joe
Anonymous
August 6, 2004 4:18:15 AM

In news:%23x0vsx2eEHA.1424@tk2msftngp13.phx.gbl,
Joe Coppola <jocojr@hotmail.com> wrote their comments
Then Kevin replied below:
> Hi all,
>
> I am trying to configure the DNS for my internal network.
> Basically I want all http traffic (port 80) to route to
> IP address 10.12.22.5 and I want all https traffic (port
> 443) to route to 10.12.22.6. I thought I could just set
> up SRV records for 443 but it's not working, maybe I am
> doing something wrong.

IE won't query for SRV records, you'll have to give the records different
names or they'll get published using round robin.


--
Best regards,
Kevin D4 Dad Goodknecht Sr. [MVP]
Hope This Helps
================================================
--
When responding to posts, please "Reply to Group"
via your newsreader so that others may learn and
benefit from your issue, to respond directly to
me remove the nospam. from my email address.
================================================
http://www.lonestaramerica.com/
================================================
Use Outlook Express?... Get OE_Quotefix:
It will strip signature out and more
http://home.in.tum.de/~jain/software/oe-quotefix/
================================================
Keep a back up of your OE settings and folders
with OEBackup:
http://www.oehelp.com/OEBackup/Default.aspx
================================================
Anonymous
August 6, 2004 6:01:17 AM

"Joe Coppola" <jocojr@hotmail.com> wrote in message
news:#x0vsx2eEHA.1424@tk2msftngp13.phx.gbl...
> Hi all,
>
> I am trying to configure the DNS for my internal network. Basically I want
> all http traffic (port 80) to route to IP address 10.12.22.5 and I want all
> https traffic (port 443) to route to 10.12.22.6. I thought I could just set
> up SRV records for 443 but it's not working, maybe I am doing something
> wrong.

Very few clients support server records to discover services;
HTTP and most of the traditional "Internet" protocols do not.

You cannot distinguish the same website name for different
purposes (services) this way.

You can certainly put a reference page or even an ISAPI filter
on the HTTP server so that it refers the clients to another
address/name however.

Is the HTTPS expected to run on a different machine?
(What is the actual purpose of your wishing to do this?)

Maybe we can help with your real goal....
Anonymous
August 6, 2004 7:28:22 AM

Thanks for the info.

Basically, it kinda works like this. My regular port 80 site is a test
site. However, my 443 site does some live transaction processing.

So when someone hits the 443 site they need to be able to access the
transaction server, whereas everyone else just sees the normal 80 site.

I guess another question would be, how do you configure multiple websites on
an IIS server (probably not related to this group)



Anonymous
August 6, 2004 9:23:22 AM

"Joe Coppola" <jocojr@hotmail.com> wrote in message
news:e3$z9b4eEHA.3200@TK2MSFTNGP09.phx.gbl...
> Thanks for the info.
>
> Basically, it kinda works like this. My regular port 80 site is a test
> site. However, my 443 site does some live transaction processing.
>
> So when someone hits the 443 site they need to be able to access the
> transaction server, whereas everyone else just sees the normal 80 site.

That should be doable in the web server and/or on the pages.

At worst you could do it with an ISAPI filter but that is non-trivial
(not to "write" one but to write a reliable and secure filter.)

You could also just move the "TEST" site to a different
port or different name (with or without changing the address.)

> I guess another question would be, how do you configure multiple websites on
> an IIS server (probably not related to this group)

Right click on the server HTTP and define the new site by one (or more) of:

1) IP address
2) Host header
3) Port

Add the content directories you defined in the new site properties.

It's pretty much the same as defining the first site except
the "default/first" site gets all undefined requests in most
cases and the other defined sites get only matching requests.


--
Herb Martin


Anonymous
August 6, 2004 12:59:53 PM

In news:e3$z9b4eEHA.3200@TK2MSFTNGP09.phx.gbl,
Joe Coppola <jocojr@hotmail.com> wrote their comments
Then Kevin replied below:
> Thanks for the info.
>
> Basically, it kinda works like this. My regular port 80
> site is a test site. However, my 443 site does some live
> transaction processing.
>
> So when someone hits the 443 site they need to be able to
> access the transaction server, whereas everyone else
> just sees the normal 80 site.
>
> I guess another question would be, how do you configure
> multiple websites on an IIS server (probably not related
> to this group)

It sorta is related to this group, you can put multiple websites in IIS on
one IP address, but you can only have one secure site on that same IP
address. Secure sites will ignore the host header, but if the name you
access the secure site by does not match the name of the certificate, users
will receive a warning that the certificate does not match.
Is all the content in the same virtual website?
Just mark the directory or page that SSL is required on the page or
directory, then make all links to the page or directory include https://
instead of just a relative link, if someone tries to hit the page without
the https they will get a page that says SSL required. This can be done all
in one website on one IP address. Usually though, you would make the secure
pages in its own website with a different name and IP address.

But from what I gather there are two different sites, correct?
It is possible to have both sites on one IP address, so long as only one
is on port 443. You must give the main site without SSL a host header, such
as www.example.com (whatever the name you access the site by) but do not give
the second site a host header on port 80 and set it to require SSL. That way
if someone tries to access by IP without https they only get the SSL
required page. The SSL site can still be known as www.example.com but it
must be accessed by https://www.example.com the SSL certificate must be
named www.example.com.




--
Best regards,
Kevin D4 Dad Goodknecht Sr. [MVP]
Hope This Helps
Anonymous
August 6, 2004 3:40:00 PM

Ok, but how do I handle this.

The SSL site is on a different server 10.12.22.6 and the non-ssl Site is on
Server 10.12.22.5

So the problem is I need to resolve it differently depending on port.

Joe


Anonymous
August 6, 2004 5:13:16 PM

In news:e6U9qu8eEHA.704@TK2MSFTNGP09.phx.gbl,
Joe Coppola <jocojr@hotmail.com> wrote their comments
Then Kevin replied below:
> Ok, but how do I handle this.
>
> The SSL site is on a different server 10.12.22.6 and the
> non-ssl Site is on Server 10.12.22.5
>
> So the problem is I need to resolve it differently
> depending on port.
>

Is there going to be access internally or is this going to be externally accessed
and NATed to the correct machine?
For the external users I don't think it is a problem, just NAT incoming
request on port 443 to the correct machine, internally it is another story
and I don't think it can be done, at least if you access both sites by the
same name.



--
Best regards,
Kevin D4 Dad Goodknecht Sr. [MVP]
Hope This Helps
Anonymous
August 6, 2004 9:02:13 PM

On Fri, 6 Aug 2004 03:28:22 -0400, "Joe Coppola" <jocojr@hotmail.com>
wrote:

>Thanks for the info.
>
>Basically, it kinda works like this. My regular port 80 site is a test
>site. However, my 443 site does some live transaction processing.
>
>So when someone hits the 443 site they need to be able to access the
>transaction server, whereas everyone else just sees the normal 80 site.
>
>I guess another question would be, how do you configure multiple websites on
>an IIS server (probably not related to this group)

It's not, and there is an IIS group. You can't control this with DNS,
but fortunately, with two sites answering on one IP address on the
same physical system, you don't need to. The HTTPS protocol is
directed to the SSL site, and the HTTP protocol to the non-SSL site
automatically. The sites may be same IP, but they only respond on
their respective ports.

Jeff


Anonymous
August 6, 2004 9:02:14 PM

Your other option is to pick up a hardware load balancer and utilize a VIP
for your web interfaces. Then simply build out the https traffic to route
to whatever server you like. There are a ton of products that do this
(including a simple NAT/PAT device if you don't want a lot of inspection
into the traffic). You could do this with any device that will do port
redirects. Then just point the DNS to the VIP and you are done. Nothing
the software has to do at all.

Regards,
Ed

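The port-redirect approach described in the reply above, as an added example that is not part of the original thread: a DNS A record maps a name to an address with no notion of port, so the per-port split has to happen at whatever device answers on the VIP. The function names (`start_redirect`, `demo`) and the loopback banner backends are hypothetical and constructed for the demonstration.

```python
import socket
import threading

def _pump(src, dst):
    """Copy bytes one way until src reaches EOF, then half-close dst."""
    try:
        for data in iter(lambda: src.recv(4096), b""):
            dst.sendall(data)
        dst.shutdown(socket.SHUT_WR)
    except OSError:
        pass

def _serve(listener, backend):
    """Accept on one VIP port and relay each connection to its backend."""
    while True:
        client, _ = listener.accept()
        try:
            upstream = socket.create_connection(backend, timeout=5)
        except OSError:
            client.close()          # backend down: drop, never fall back
            continue
        upstream.settimeout(None)   # relay without an idle timeout
        for a, b in ((client, upstream), (upstream, client)):
            threading.Thread(target=_pump, args=(a, b), daemon=True).start()

def start_redirect(vip, rules):
    """rules: [(listen_port, (backend_host, backend_port)), ...].
    Returns the (host, port) actually bound for each rule."""
    bound = []
    for listen_port, backend in rules:
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        s.bind((vip, listen_port))
        s.listen(16)
        threading.Thread(target=_serve, args=(s, backend), daemon=True).start()
        bound.append(s.getsockname())
    return bound

def _banner_backend(banner):
    """Constructed stand-in for a web server: sends a banner and closes."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    s.listen(4)
    def run():
        while True:
            conn, _ = s.accept()
            conn.sendall(banner)
            conn.close()
    threading.Thread(target=run, daemon=True).start()
    return s.getsockname()

def demo():
    """Loopback run; in the thread's layout the rules would be
    [(80, ("10.12.22.5", 80)), (443, ("10.12.22.6", 443))]."""
    test_site = _banner_backend(b"test-site")
    txn_site = _banner_backend(b"transaction-site")
    answers = []
    for addr in start_redirect("127.0.0.1", [(0, test_site), (0, txn_site)]):
        with socket.create_connection(addr, timeout=5) as c:
            answers.append(b"".join(iter(lambda: c.recv(4096), b"")))
    return answers
```

The relay copies bytes without terminating TLS, so the certificate clients see on port 443 is still the one installed on the backend and must match the name they typed. Both backends log the relay's address as the client source, which matters when reading the transaction server's access logs.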
Anonymous
August 7, 2004 8:43:28 PM

JC> I am trying to configure the DNS for my internal network.

No, you aren't.

JC> Basically I want all http traffic (port 80) to route to
JC> IP address 10.12.22.5 and I want all https traffic (port 443)
JC> to route to 10.12.22.6.

This is nothing to do with DNS. This is an IP routing issue, and is
addressed by configuring your IP routing.

Is setting up interception proxy HTTP and HTTPS servers *really* what
you are trying to do? If so, be aware that interception proxy HTTP(S)
servers are widely regarded to be a menace, and you won't find many
people willing to help you to set up yet another such menace for free.
If not, why not tell us what your *actual* goal is?