
I am looking to move our hosting environment to Azure and by doing so have created a sandpit VM to figure things out. We host around 300-400 websites in IIS and about 2% of these sites have unique, non wildcard certificates all requiring a unique public IP in our current setup.

Can you get a range of IPs pointing to 1 VM/Endpoint? Or is it possible to create an SSL proxy?

I've never created an SSL proxy but like the idea of it. I'd need advice here on how to proceed if this is the best option.

Sorry if this has been answered! Sorry also if my question isn't worded eloquently.

timmah.faase
  • Sounds like you need [SNI](http://en.wikipedia.org/wiki/Server_Name_Indication) - it's supported in IIS 8, so it should be usable in Azure with a Windows Server 2012 VM. But keep in mind that Windows XP clients (and a few other marginal OS/browser combinations) don't support SNI. – Shane Madden Nov 21 '12 at 05:33
  • Thx for the reply @ShaneMadden. Looks interesting! Do you have a feeling on how prolific pre XP SP2 use is? – timmah.faase Nov 21 '12 at 07:20
  • @ShaneMadden - just to confirm, this is what the Wiki says: Browsers with support for TLS server name indication - Internet Explorer 7 or later, on Windows Vista or higher. Does not work on Windows XP before Service Pack 3, even Internet Explorer 8. **Does work on Windows XP Service Pack 3 and Internet Explorer 8 (TLS 1.0 protocol must be enabled)**. Do you mean the registry change is the "must be enabled"? – timmah.faase Nov 21 '12 at 20:22
  • Actually, I just checked the one Windows XP system that I have on hand and TLS 1.0 is enabled - but it's 64-bit Windows XP, which never got SP3. I believe that the SNI extension to TLS 1.0 is simply completely unsupported on Windows XP, and that the [wikipedia edit from a couple weeks back that added that bit](http://en.wikipedia.org/w/index.php?title=Server_Name_Indication&diff=521556297&oldid=520572747) is wrong. Do you have an XP SP3 system to test with and verify, by chance? – Shane Madden Nov 22 '12 at 01:30
  • It is possible to do but you will need to use a third party tool to make it happen. I'd help you myself but apparently I can't advertise myself on stack. Ie. I can't give you my email. I have a bullet proof solution but you will need to contact me to get it. – Middletone Feb 10 '13 at 05:47

1 Answer


(as discussed in comments on the question):

SNI on IIS 8 is a potential solution to this problem, but depends on being able to actually use SNI, which is not supported in the Windows XP cryptographic libraries.


The Wikipedia edit that states that Windows XP SP3 with IE8 supports SNI is incorrect.

Per this Microsoft blog post, it's not present on Windows XP, regardless of service pack:

> Unfortunately, SNI support isn't available on Windows XP, even in IE8. IE relies on SChannel for the implementation of all of its HTTPS protocols. SChannel is an operating system component, and it was only updated with support for TLS extension on Windows Vista and later.

Further, I was able to enlist the help of Journeyman Geek to verify this in the real world, on an XP SP3 system with IE8, using this SNI test site:

[Screenshot: IE 8 SNI Test]

So, you can use SNI on IIS 8, but Windows XP clients still make up about 40% of browsers on the internet according to one measurement as of August 2012; it's still probably not appropriate for most public sites.

Once mid-2014 rolls around and XP falls out of support, hopefully it starts to drop off and it'll be much more practical to use SNI.

Shane Madden
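The question asks whether an "SSL proxy" could front many certificates on one endpoint, and the answer explains that the approach only works when the client actually sends SNI. Both come down to the same mechanism: the client names the host inside the TLS ClientHello, and the server (or an SNI-routing proxy) reads that name before choosing a certificate. The following Python is an added illustration, not code from the question, the answer, or IIS; it builds a constructed ClientHello with and without the server_name extension, parses it the way an SNI router would, and shows the fallback that a non-SNI client such as Windows XP gets: the default binding's certificate, whatever host it meant to reach. The `bindings` table and certificate labels are placeholders.

```python
import struct

# Record/handshake type constants from the TLS spec (RFC 5246 / RFC 6066).
TLS_HANDSHAKE = 0x16
CLIENT_HELLO = 0x01
EXT_SERVER_NAME = 0x0000
NAME_TYPE_HOST = 0x00


def build_client_hello(server_name=None):
    """Construct a minimal TLS 1.0 ClientHello record (a constructed sample, not a
    capture). Only the fields an SNI router inspects are realistic."""
    body = b"\x03\x01"                      # client_version: TLS 1.0
    body += b"\x00" * 32                    # random (zeroed for the sample)
    body += b"\x00"                         # session_id length 0
    body += b"\x00\x02\x00\x2f"             # one cipher suite: TLS_RSA_WITH_AES_128_CBC_SHA
    body += b"\x01\x00"                     # compression_methods: null only
    if server_name is not None:             # a non-SNI client sends no extensions block at all
        name = server_name.encode("idna")
        entry = bytes([NAME_TYPE_HOST]) + struct.pack("!H", len(name)) + name
        sni_list = struct.pack("!H", len(entry)) + entry
        ext = struct.pack("!HH", EXT_SERVER_NAME, len(sni_list)) + sni_list
        body += struct.pack("!H", len(ext)) + ext
    handshake = bytes([CLIENT_HELLO]) + struct.pack("!I", len(body))[1:] + body  # 3-byte length
    return bytes([TLS_HANDSHAKE, 0x03, 0x01]) + struct.pack("!H", len(handshake)) + handshake


def extract_sni(record):
    """Return the host_name carried in the server_name extension, or None if the
    ClientHello carries no SNI (the Windows XP SChannel case)."""
    if len(record) < 5 or record[0] != TLS_HANDSHAKE:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != CLIENT_HELLO:
        raise ValueError("not a ClientHello")
    end = 4 + int.from_bytes(hs[1:4], "big")
    if end > len(hs):
        raise ValueError("truncated ClientHello")
    p = 4 + 2 + 32                          # skip version and random
    p += 1 + hs[p]                          # skip session_id
    p += 2 + struct.unpack("!H", hs[p:p + 2])[0]   # skip cipher_suites
    p += 1 + hs[p]                          # skip compression_methods
    if p + 2 > end:
        return None                         # no extensions block: client cannot be SNI-routed
    ext_end = p + 2 + struct.unpack("!H", hs[p:p + 2])[0]
    p += 2
    while p + 4 <= ext_end:
        etype, elen = struct.unpack("!HH", hs[p:p + 4])
        p += 4
        data = hs[p:p + elen]
        p += elen
        if etype == EXT_SERVER_NAME:
            q = 2                           # skip server_name_list length
            while q + 3 <= len(data):
                ntype = data[q]
                nlen = struct.unpack("!H", data[q + 1:q + 3])[0]
                q += 3
                name = data[q:q + nlen]
                q += nlen
                if ntype == NAME_TYPE_HOST:
                    return name.decode("ascii")
    return None


def select_certificate(record, bindings, default=None):
    """Pick the certificate an SNI-aware server would present: the binding for the
    requested host, otherwise the default (non-SNI) binding. A client without SNI
    therefore gets the default certificate and a name mismatch for every other site."""
    name = extract_sni(record)
    if name is None:
        return default
    return bindings.get(name.lower(), default)


if __name__ == "__main__":
    # Placeholder bindings: host name -> certificate label (constructed, not real).
    bindings = {"www.example.com": "cert-example", "shop.example.net": "cert-shop"}
    for host in ("www.example.com", "shop.example.net", None):
        hello = build_client_hello(host)
        print(host, "->", extract_sni(hello), "->",
              select_certificate(hello, bindings, default="cert-default"))
```

The last loop prints the certificate each client would receive; the `None` row is the Windows XP case from the answer, where the server never sees a name and can only fall back to the one certificate on the default binding, which is why every other site on that IP breaks for those clients.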