Setting Up Wildcard DNS and Wildcard SSL (Windows SharePoint Services 2.0)

The Internet Platform and Operations deployment of Windows SharePoint Services hosts many sites, but the sites share the same Domain Name System (DNS) and Secure Sockets Layer (SSL) settings. The Internet Platform and Operations group accomplished this by using wildcards to make the settings apply to all sites on the server farm.

Wildcard DNS

A major benefit of host-header mode for Windows SharePoint Services is that many user sites can be served by one IIS virtual server, but each site has its own DNS name. For example, in the STSBeta environment, each customer has his or her own URL in the format https://username.stsbeta.iponet.net. These Web sites are actually all on the same virtual server on the IIS Web server. The DNS system must resolve the different URLs to the same server farm.

For example, the following two host names resolve to the same IP address:

  • abc.stsbeta.iponet.net resolves to 200.100.1.22

  • xyz.stsbeta.iponet.net resolves to 200.100.1.22

There are about 15,000 sites in STSBeta hosting. Instead of creating 15,000 DNS entries in the DNS server for zone iponet.net, the server farm uses a wildcard DNS entry:

  • *.stsbeta.iponet.net resolves to 200.100.1.22

This way, only one entry is needed for the entire server farm and all of its sites.

Different steps are needed for entering the DNS entry, depending on whether the DNS server is running Windows Server 2003 or Windows 2000 Server.

Enter DNS entry in Windows Server 2003

  1. Click Start, click Control Panel, click Administrative Tools, and then click DNS.

  2. On the Action menu, click Connect to DNS Server.

  3. In Connect to DNS Server, click The following computer.

  4. Type the DNS computer name with the wildcard: *.stsbeta.iponet.net.

  5. Select the Connect to the specified computer now check box, and then click OK.

Enter DNS entry in Windows 2000 Server

  1. In the DNS administration tool, create a child domain "*" under stsbeta.iponet.net

  2. In the "*" domain, create an entry with an empty node name and IP address 65.54.319.336. You will get a warning that the node name is empty. You can ignore this warning.

Wildcard SSL

Because this deployment uses HTTP proxy servers, it must use Basic Authentication. However, Basic Authentication gives a malicious user who can sniff the network easier access to user passwords than other authentication methods do. Secure Sockets Layer (SSL) encrypts the traffic so that a malicious user who sniffs the network cannot read those credentials. To set up SSL in a Windows SharePoint Services host-header environment, the Internet Platform and Operations group applied an SSL certificate for the whole server farm by using the wildcard URL *.stsbeta.iponet.net and installing it on all front-end Web servers. For detailed steps for applying SSL certificates, see IIS 6.0 Online Help.

There are some issues to be aware of when using wildcard URLs with SSL:

  • Any host name under stsbeta.iponet.net, such as site.stsbeta.iponet.net, returns an IP address when users resolve it by using PING or Nslookup, even if no such site exists.

  • Name resolution that uses DNS search lists might point to the wrong address. This is discussed in section 2.7 of RFC 1912, and RFC 1535 documents a case of it.

  • The wildcard SSL certificate produces a warning if the user accesses the site by using any version of Internet Explorer on the original release of Windows 2000. The issue does not occur on Windows 2000 SP1 and later. For more information, see Microsoft Knowledge Base Article 257873 (https://go.microsoft.com/fwlink/?LinkId=104154&clcid=0x409).
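As an added example (not code from the article), the following Python models the wildcard DNS entry from the Wildcard DNS section together with the two name-resolution issues listed above: it applies DNS wildcard rules to a small zone (only the *.stsbeta.iponet.net record is from the article; the apex and admin records are constructed), reproduces the RFC 1535 search-list behaviour, and shows that the certificate wildcard covers only one label while the DNS wildcard covers several.

```python
# Only the wildcard record is from the article; apex and admin records are constructed.
ZONE = {
    "stsbeta.iponet.net": "200.100.1.1",          # constructed: zone apex
    "*.stsbeta.iponet.net": "200.100.1.22",       # wildcard entry from the article
    "admin.stsbeta.iponet.net": "200.100.1.50",   # constructed: explicit record
}

def dns_lookup(name, zone=ZONE):
    """DNS wildcard semantics (RFC 1034 4.3.3, RFC 4592): an exact record wins;
    otherwise the nearest '*.' entry matches any number of labels below it,
    unless a closer existing name blocks it. Returns None for NXDOMAIN."""
    labels = name.lower().rstrip(".").split(".")
    if ".".join(labels) in zone:
        return zone[".".join(labels)]
    for i in range(1, len(labels)):
        suffix = ".".join(labels[i:])
        if "*." + suffix in zone:
            return zone["*." + suffix]
        if suffix in zone:          # closer existing name blocks the wildcard
            return None
    return None

def cert_name_matches(pattern, host):
    """Certificate wildcard matching as browsers apply it (RFC 6125 6.4.3):
    '*' covers exactly one leftmost label, never the parent or nested names."""
    pattern, host = pattern.lower(), host.lower()
    if not pattern.startswith("*."):
        return pattern == host
    suffix = pattern[1:]                        # ".stsbeta.iponet.net"
    if not host.endswith(suffix):
        return False
    first_label = host[: -len(suffix)]
    return bool(first_label) and "." not in first_label

def resolve_with_search_list(name, search, zone=ZONE):
    """RFC 1535 failure mode cited above: a resolver that appends search-list
    suffixes before trying the name as given lands unrelated or mistyped
    names on the wildcard address instead of failing."""
    for suffix in search:
        addr = dns_lookup(name + "." + suffix, zone)
        if addr is not None:
            return name + "." + suffix, addr
    return name, dns_lookup(name, zone)

if __name__ == "__main__":
    for host in ["abc.stsbeta.iponet.net", "a.b.stsbeta.iponet.net",
                 "x.admin.stsbeta.iponet.net", "stsbeta.iponet.net"]:
        print(host, dns_lookup(host), cert_name_matches("*.stsbeta.iponet.net", host))
    print(resolve_with_search_list("www.example.com", ["stsbeta.iponet.net"]))
```

The last line shows the RFC 1535 case: a resolver with stsbeta.iponet.net in its search list turns www.example.com into www.example.com.stsbeta.iponet.net, which the wildcard answers with 200.100.1.22.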