Server Name Indication (SNI) in Win 2012 Server / IIS 8.0

What is SNI?

On Windows Server 2012, IIS supports Server Name Indication (SNI), which is a TLS extension to include a virtual domain as a part of SSL negotiation. What this effectively means is that the virtual domain name, or a hostname, can now be used to identify the network end point

What is the Problem with Win 2008 R2 Or IIS 7.0 / 7.5?
It is not possible When I want multiple https sites to be hosted using 443 port on Win 2008 R2 (IIS 7.0/7.5) server which has single IP. While trying to host so, IIS won’t allow doing so and if we force then the SSL cert will be replaced on another site already on 443 port. So the only solution is to get additional IPs and bind the same to https sites on 443 port.
Let’s see this in action…
Below is an IIS Site running on 443 port, just think of as a typical SharePoint’s web application.

Here we have single IP and https binded to 443.
Now if I want to create another site with same IP and https on 443, not possible. We will get into below mess up.

Note – even though you provide different host header with 443 and same IP combination, it won’t work!
What is the Solution?
On Windows Server 2012, IIS supports Server Name Indication (SNI), which is a TLS extension to include a virtual domain as a part of SSL negotiation. What this effectively means is that the virtual domain name, or a hostname, can now be used to identify the network end point. In addition, a highly scalable WebHosting store has been created to complement SNI. The result is that the secure site density is much higher on Windows Server 2012 and it is achieved with just one IP address.
It should be noted that in order for this feature to be used, your client browsers have to support SNI. Most modern browsers support SNI; however, Internet Explorer (of any version) on Windows XP does not support SNI.
Let’s see the same in action.
Below is an IIS Site running on 443 port, just think of as a typical SharePoint’s web application.


Here we have single IP and https binded to 443.
Now if I want to create another site with same IP and https on 443, it is possible with the use of SNI a as shown below. Ensure you check “Required Name Indication”.

The same way you can create any number of https sites through SharePoint with the combination of “same IP:443 port”.

SCENARIOS

Try deploying the following scenarios:
·         SNI is designed to scale for a multi-tenanted environment. Try configuring thousands of secure sites using SNI.
·         Unlike previous versions of Windows Server, the certificates on Windows Server 2012 are loaded in memory on-demand. After configuring thousands of secure sites using SNI, send a GET request to one of the secure sites and observe the memory usage. It is negligible. On previous versions of Windows Server, if hundreds of secure sites are configured, sending just one GET request would cause the Windows Server to load all certificates, resulting in a high memory usage, and further limits the scalability.
·         Configure Windows Server 2012 with both SNI and traditional secure sites. They are designed to co-exist.

Reference

http://www.iis.net/learn/get-started/whats-new-in-iis-8/iis-80-server-name-indication-sni-ssl-scalability


http://www.orcsweb.com/blog/fred/host-different-ssls-on-one-ip-with-iis-8-sni/

Comments

Post a Comment

Popular posts from this blog

SharePoint Locale ID (LCID) Table

SharePoint Locale ID (LCID) Table Windows uses a Locale Identifier (LCID) to determine the language and culture to use when displaying information to a user.  The users LCID is picked up from his/her regional settings within windows or from the language settings for the browser.  The application then displays resources, number and date formatting according to the the local.  This post lists a table of LCID's, the short name and full name of each locale. All products, such as SharePoint, SQL, .NET all use this to assist with formatting.  As this post is focusing on LCIDS in SharePoint, there are several folders within the 12 hive that allow you to globalise and localise your application. \BIN\ LCID SharePoint deploys local specific dll's for custom messages used within the SharePoint framework.  You will typically not be updating this folder with your own DLL's. \HCCab \ LCID You are able to create and deploy your own help files that integrate into th...
Read more

What are difference between Default instance and Named instance in SQL Server?

A SQL Server installation is referred to as an instance. Up to and including SQL Server 7.0, only one installation of SQL Server was possible on a server, but that restriction didn’t suit a number of deployment scenarios that customers required, including high-availability and consolidation. With the release of SQL Server 2000, multiple installations of SQL Server were possible on a single server and were known as SQL Server instances. SQL Server 2008 continues with this model and with very few changes. A default instance has much the same profile that SQL Server installations have had in past; you install SQL Server and then connect using the computer name of the server. Your Windows Server can only have one computer name, so you can only use it to connect to one SQL Server instance. This is called the default instance. If you install additional instances of SQL Server, these are referred to as named instances. You connect to them using the <computername><instanc...
Read more

Singapore Visa - Types and Its Basics

Singapore Visas Singapore is a popular employment destination for nationals of both underdeveloped and top-tier countries, not only for the well-educated top earners but also for people looking for a simple though decently paid job. Singapore’s advanced employment legislation, multiethnic society, high quality of life and security urged lots of foreigners to pursue employment in this country even now after the government of Singapore has made qualification for all working visas a more complex undertaking.  Visa Types Employment Pass (EP) : Designed for Most skilled foreign man power. Suits for professional, manager, executives SG based company only doesn’t have a quota that would limit the number of hires on the EP Issued EP is bound to a specific SG-based company, and the employee cannot swap jobs: he/she would need a new EP for every new employer. Maximum validity of the first visa issuance is 1-2 years. Later, it can be prolonged for 3 years more if the company and t...
Read more