IIS7 Redirects

A request was made on IRC today by Austin for how we set up our redirects to deal with Arena and different site/portal names. We just finished our Server 2008 / SQL 2008 install the day before, so it is still pretty fresh in my mind.

First, some information about the base server. We use a wildcard certificate (*.highdesertchurch.com) that we obtained from digicert.com. You can use these certificates on any number of servers for any number of sites/uses. They are fast to get; I think it took us only 2 days to get the certificate after we signed up and sent the CSR. The price is right too, at $395 / year (if you do 3 years at a time, $495 per year individually). We had never personally heard of DigiCert, but saw some good reviews on them and after a short chat about SSL and security, decided we didn’t care if we had heard of them. We were getting an SSL certificate to encrypt data, not to prove we are who we say we are.

Second, the real name of the server is lawrence.highdesertchurch.com. We have portals set up to deal with arena.highdesertchurch.com (staff, internal); members.highdesertchurch.com (public, external); and arenamobile.highdesertchurch.com (iPhone, BlackBerry, etc.). We also use a single IP address and virtual host names to differentiate between sites.

Everything on the server is installed on the C: drive. So here is what I did. After installing IIS7 (with just about every option imaginable) I had the stock C:\Inetpub folder. I created a new folder under that called “Redirects”. Now IIS7 has the single “Default Website” which has the Reporting Services stuff, the default Arena application, and the beautiful welcome to IIS7 index page.

Rename the “Default Website” to “Lawrence” and edit the bindings to be “http / lawrence.highdesertchurch.com / 80 / *”. Here is what this does and why. Since nobody in their right mind knows the real name of the machine, it gives me a fairly safe “back door” into Arena as well as Reporting Services. I ran into trouble getting RS to work over SSL; it kept trying to send me to non-SSL links and would get screwed up by the redirects sending it back to the SSL site.

Next I create the SSL site. Create a new website, using the default application pool, called Arena SSL. Set the Physical Path to the Arena installation, i.e. C:\Program Files (x86)\Arena Chms\Arena. Change the binding type to https and then select your wildcard SSL certificate. Because I have a wildcard certificate, and all my portals fall into that wildcard match, this is all I need to do to make Arena over SSL work.  If you do not have a wildcard, but instead a different certificate/IP for each site, you will have to do this for each portal.  But seriously, get a wildcard certificate.  They are wonderful.

Now it is time to set up the sites that will redirect non-SSL traffic over to the appropriate SSL site.

For each portal you have, do the following:

  1. Create a directory for the site (let’s do Members in this example): C:\Inetpub\wwwroot\Redirects\Members. If you don’t give each redirect site a different folder to reside in, then the sites will share settings, making the redirects useless, since the settings are stored in a web.config file in each folder.
  2. Add a new website with the name “Members Redirect” and point it to the path created above. Set the Binding information to “http / All Unassigned / 80 / members.highdesertchurch.com”.
    1. For your “default” site, that is the one you want all unknown names to redirect to (for us that is the members site), leave the “Host Name” portion blank.
  3. Select the new website and edit the “HTTP Redirect” option.
    1. Turn on the Redirect requests and set the target to https://members.highdesertchurch.com/
    2. Turn on the Redirect all requests to exact destination (this makes sure everybody lands at the homepage instead of some random path)
    3. Click the Apply button.
  4. Make sure the website has started.
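
The same per-portal steps can be scripted. The following is an added example, not part of the original walkthrough: it drives appcmd.exe (which ships with IIS7) from an elevated PowerShell prompt. The `$portals` table and its folder names are assumptions built from the host and site names mentioned in this post.

```powershell
# Added example: scripts steps 1-4 above for each portal using appcmd.exe.
# Run from an elevated PowerShell prompt on the web server.
$appcmd = Join-Path $env:windir 'system32\inetsrv\appcmd.exe'
$root   = 'C:\Inetpub\wwwroot\Redirects'

# Assumed portal table. Default = $true marks the catch-all site whose
# host name is left blank so unknown names land on the members portal.
$portals = @(
    @{ Name = 'Staff Redirect';             Folder = 'Staff';   HostName = 'arena.highdesertchurch.com';   Default = $false },
    @{ Name = 'Members Redirect (Default)'; Folder = 'Members'; HostName = 'members.highdesertchurch.com'; Default = $true }
)

foreach ($p in $portals) {
    # Step 1: one folder per redirect site, because the redirect setting
    # is stored in that folder's web.config.
    $path = Join-Path $root $p.Folder
    New-Item -ItemType Directory -Path $path -Force | Out-Null

    # Step 2: HTTP binding on port 80, all unassigned IPs; blank host
    # name for the default site.
    $hostHeader = if ($p.Default) { '' } else { $p.HostName }
    & $appcmd add site "/name:$($p.Name)" "/physicalPath:$path" "/bindings:http/*:80:$hostHeader"

    # Step 3: turn on HTTP Redirect to the HTTPS portal root, with
    # "redirect all requests to exact destination" enabled.
    & $appcmd set config $p.Name '-section:system.webServer/httpRedirect' `
        '/enabled:true' "/destination:https://$($p.HostName)/" '/exactDestination:true'

    # Step 4: make sure the site is started.
    & $appcmd start site "/site.name:$($p.Name)"
}
```

Each site's setting ends up as an `httpRedirect` element under `system.webServer` in that folder's web.config, which is why the folders must not be shared.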

When all is said and done, we have the following websites:

  • Arena SSL – This site handles all the SSL traffic, again since we have a wildcard certificate this works just fine. The Arena Portal host name will automatically match the correct portal to load.
  • Checkin Redirect – This redirects all requests to the non-secure check-in site back to the SSL Check-in site.
  • Staff Redirect – This redirects all requests to the non-secure staff site back to the SSL Staff site.
  • Lawrence – This handles our Reporting Services, and is non-secure.
  • Members Redirect (Default) – This handles “everything else” that does not match one of the other sites and sends them to the public-facing Member portal. I actually put “(Default)” in the site name so it is easy to spot the default website.
