Setting Up Wildcard DNS and Wildcard SSL
Archived content. No warranty is made as to technical accuracy. Content may contain URLs that were valid when originally published, but now link to sites or pages that no longer exist.
The Internet Platform and Operations deployment of Windows SharePoint Services hosts many sites, but the sites share the same Domain Name System (DNS) and Secure Sockets Layer (SSL) settings. The Internet Platform and Operations group accomplished this by using wildcards to make the settings apply to all sites on the server farm.
A major benefit of host-header mode for Windows SharePoint Services is that many user sites can be served by one IIS virtual server, but each site has its own DNS name. For example, in the STSBeta environment, each customer has his or her own URL in the format http://username.stsbeta.iponet.net. These Web sites are actually all on the same virtual server on the IIS Web server. The DNS system must resolve the different URLs to the same server farm.
For example, the following two URLs resolve to the same IP address:
abc.stsbeta.iponet.net resolves to 126.96.36.199
xyz.stsbeta.iponet.net resolves to 188.8.131.52
There are about 15,000 sites in STSBeta hosting. Instead of creating 15,000 DNS entries in the DNS server for the zone iponet.net, the server farm uses a wildcard DNS entry:
*.stsbeta.iponet.net resolves to 184.108.40.206
This way, only one entry is needed for the entire server farm and all of its sites.
Different steps are needed for entering the DNS entry, depending on whether the DNS server is running Windows Server 2003 or Windows 2000 Server.
Enter DNS entry in Windows Server 2003
Click Start, click Control Panel, click Administrative Tools, and then click DNS.
On the Action menu, click Connect to DNS Server.
In Connect to DNS Server, click The following computer.
Type the DNS computer name with the wildcard: *.stsbeta.iponet.net.
Select the Connect to the specified computer now check box, and then click OK.
Enter DNS entry in Windows 2000 Server
In the DNS administration tool, create a child domain "*" under stsbeta.iponet.net.
In the "*" domain, create an entry with an empty node name and the IP address 65.54.319.336. You will get a warning that the node name is empty. You can ignore this warning.
Because this deployment uses HTTP proxy servers, it must use Basic Authentication. However, Basic Authentication sends the user's credentials in a form that is trivially decoded, so a malicious user who can sniff the network can recover passwords more easily than with other authentication methods. Secure Sockets Layer (SSL) encrypts the traffic so that a malicious user sniffing the network cannot read it. To set up SSL in a Windows SharePoint Services host-header environment, the Internet Platform and Operations group applied for an SSL certificate for the whole server farm by using the wildcard URL *.stsbeta.iponet.net and installing it on all front-end Web servers. For detailed steps for applying for SSL certificates, see IIS 6.0 Online Help.
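A wildcard certificate for *.stsbeta.iponet.net does not cover every name under the zone: clients apply the single-label rule, so the bare stsbeta.iponet.net and deeper names such as www.abc.stsbeta.iponet.net are not covered. The following added example (not code from the original article or from the Internet Platform and Operations group) implements that matching rule and checks a constructed list of sample host names against the farm's wildcard name.

```python
"""Which host names does the wildcard certificate *.stsbeta.iponet.net cover?

Implements the single-label wildcard rule clients apply (RFC 6125, section
6.4.3): '*' must be the whole leftmost label and matches exactly one label.
"""


def dns_name_matches(pattern: str, hostname: str) -> bool:
    """Return True if a certificate name `pattern` covers `hostname`."""
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = hostname.lower().rstrip(".").split(".")
    if "*" not in pattern:
        return p_labels == h_labels  # plain name: exact, case-insensitive match
    # Accept only a whole leftmost '*' label, and refuse patterns so short
    # that the wildcard would sit in a public-suffix position (e.g. '*.net').
    if p_labels[0] != "*" or any("*" in lbl for lbl in p_labels[1:]) or len(p_labels) < 3:
        raise ValueError(f"unsupported wildcard pattern: {pattern!r}")
    if len(h_labels) != len(p_labels):
        return False  # '*' matches exactly one label, never zero or several
    if h_labels[0] == "":
        return False  # no empty leftmost label
    return h_labels[1:] == p_labels[1:]


def covered_hosts(pattern: str, hostnames: list[str]) -> dict[str, bool]:
    """Map each host name to whether the certificate name covers it."""
    return {host: dns_name_matches(pattern, host) for host in hostnames}


FARM_CERT_NAME = "*.stsbeta.iponet.net"  # the wildcard name used in the article

SAMPLE_HOSTS = [  # constructed sample names, not taken from the article
    "abc.stsbeta.iponet.net",        # one customer site: covered
    "XYZ.stsbeta.iponet.net.",       # case and trailing dot do not matter: covered
    "stsbeta.iponet.net",            # the bare zone name: not covered
    "www.abc.stsbeta.iponet.net",    # two labels under the zone: not covered
    "abc.stsbeta.iponet.org",        # different parent: not covered
]

if __name__ == "__main__":
    for host, ok in covered_hosts(FARM_CERT_NAME, SAMPLE_HOSTS).items():
        print(f"{host:32} {'covered' if ok else 'NOT covered'}")
```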
There are some issues to be aware of when using wildcard URLs with SSL:
Any name of the form site.stsbeta.iponet.net resolves to an IP address when a user runs PING or Nslookup, whether or not a site of that name exists.
Names looked up through a resolver's domain search list might resolve to the wrong address. This is discussed in section 2.7 of RFC 1912, and a case is documented in RFC 1535.
The wildcard SSL certificate will produce a warning if the user accesses the site by using any Internet Explorer version on the first released version of Windows 2000. The issue does not occur on Windows 2000 SP1 and later. For more information, see Microsoft Knowledge Base Article 257873.