Forum Discussion

user_03's avatar
user_03
Icon for Nimbostratus rankNimbostratus
Sep 10, 2014

VS config with multiple IIS sites

Hi,

 

I have 2 sites on an IIS server.

 

1 - Listening on port 443 abc.xyz.com Server1 - working

 

1 - Listening on port 80 abc12.xyz.com Server1 -new

 

I have a VS statement that listens on 80 and redirects to 443. The 443 VS has a default pool/with Auth with Server1 in it. Everything works fine with abc.xyz.com. Now I am trying to have abc12.xyz.com go to the same server but use port 80 instead. The IIS site is configured with host name abc12.xyz.com:80.

 

If a user tries to access abc.xyz.com on port 80 – redirect to 443 then go to Server1 port 443. -Working

 

If a user tries to access abc12.xyz.com on port 80 – redirect to 443 then go to Server1 port 80. – How do I get this to work?

 

Can I do this with an irule or should I just add another IP to the IIS site and create a separate VS and pool with that IP. What is the best way to handle this?

 

Thanks

 

application delivery
devops
iRules
LTM

3 Replies

Sort By
  • Kevin_Stewart's avatar
    Kevin_Stewart
    Icon for Employee rankEmployee
    Sep 10, 2014

    Separate VIPs and pools are certainly one way, but this is what it might look like otherwise:

    1. Port 80 VIP and simple iRule to redirect all requests to port 443 VIP.

    2. Port 443 VIP (same IP address), a client and server SSL profile, 2 pools, and an iRule:

      when HTTP_REQUEST {
    switch [string tolower [HTTP::host]] {
        "abc.xyz.com" {
            pool abc_pool
        }
        "abc12.xyz.com" {
            pool abc12_pool
            SSL::disable serverside
        }
    }
}

    The abc_pool would contain your port 443 servers and the enabled serverssl profile would appropriately re-encrypt to these servers. The abc12_pool would contain your port 80 servers and the iRule would disable the serverssl profile.

  • MiLK_MaN's avatar
    MiLK_MaN
    Icon for Nimbostratus rankNimbostratus
    Sep 11, 2014

    Why don't you just have abc.xyz.com and abc12.xyz.com DNS addresses resolve to different IP addresses so they hit separate VS on the BIG-IP, therefore allowing you to do the different things you're looking for.

     

    Either that, or you need to have an iRule that selects a different pool and also disables serverside SSL. Something like:

     

    when HTTP_REQUEST { if { [HTTP::host] eq "abc12.xyz.com" } { pool SSL::disable serverside } }

     

    But separating to two separate VS is the easiest thing to do, unless you have a certificate that has the multiple hostnames in it (SAN or wildcard).

     

  • Arie's avatar
    Arie
    Icon for Altostratus rankAltostratus
    Sep 11, 2014

    In addition to wildcard and SAN certs you could use SNI. However, separate VIPs would be the easiest to configure/troubleshoot/maintain in my opinion.

     

    Disabling SSL serverside will expose your traffic in the DMZ - this may constitute a security policy violation.

     

    By the way, is there a specific reason the IIS instances are bound to specific hostnames?