Web Role SNI configuration SDK 1.8 Server 2012

    Question

  • Is there a way to specify SNI endpoints in web role configuration?

    We are using SDK 1.8 on server 2012.

    Tuesday, January 15, 2013 9:34 PM

All replies

  • Hi,

    It's not supported out of the box at this moment, so you probably need to write some script/code to achieve this (using startup tasks, for instance). Setting the site binding should work:

    http://blogs.msdn.com/b/kaushal/archive/2012/09/04/server-name-indication-sni-in-iis-8-windows-server-2012.aspx

    http://dotnetspeak.com/index.php/2012/09/setting-up-site-bindings-in-iis-on-windows-8/

    (I suggest you deploy directly and, after it's in ready status, RDP to the VM and try to use appcmd to see whether it works. If it does, then go back to using startup tasks to execute the same command.)

    If you have questions regarding appcmd you can ask in the IIS forum:

    http://forums.iis.net/


    Allen Chen
    MSDN Community Support | Feedback to us
    Develop and promote your apps in Windows Store
    Please remember to mark the replies as answers if they help and unmark them if they provide no help.





    Wednesday, January 16, 2013 8:28 AM
    Moderator
  • Hello,

    sorry, but Allen Chen unfortunately didn't get the point, I think! Some weeks ago I had the same idea as Allen, but after implementing some logic in the OnStart() of my WebRole class, just finished some minutes ago, I got a very big shock!!! Yes, we can change the bindings of the deployed WebSite INSIDE the WebRole instance to support SNI, but what about the load balancer??? The load balancer does not support SNI! Or am I wrong?

    Allen, please tell me that I am wrong! Otherwise I cannot use Windows Azure for two big upcoming projects of SaaS-Web-Applications.

    Greetings from Germany,

    Tobias

    Thursday, January 24, 2013 10:59 AM
  • Hello,

    sorry, but Allen Chen unfortunately didn't get the point, I think! Some weeks ago I had the same idea as Allen, but after implementing some logic in the OnStart() of my WebRole class, just finished some minutes ago, I got a very big shock!!! Yes, we can change the bindings of the deployed WebSite INSIDE the WebRole instance to support SNI, but what about the load balancer??? The load balancer does not support SNI! Or am I wrong?

    Allen, please tell me that I am wrong! Otherwise I cannot use Windows Azure for two big upcoming projects of SaaS-Web-Applications.

    Greetings from Germany,

    Tobias


    I think what the load balancer does is routing TCP packages to a specific VM. What's the problem when you try to enable SNI (which is a concept of the HTTP layer that is on top of TCP. As a result, in theory it should have nothing to do with the load balancer)?

    Allen Chen


    Friday, January 25, 2013 1:18 AM
    Moderator
  • Hello Allen,

    you are totally right and I am very glad about it! I had a strange constellation of input endpoints and certificates in my cloud project which led me to my daffy conclusion.

    Greetings from Germany,

    Tobias

    Saturday, January 26, 2013 6:15 PM
  • @Tobias, any chance you could describe the steps you took to get SNI working on web roles?

    We have the same kinds of issues (multiple tenants with their own SSL certs and domains that we want to point at our web role service) and it seems that due to the unfathomable lack of multiple IP support on Azure that SNI is our only chance.

    Any guidance would be appreciated.

    Tuesday, February 26, 2013 11:44 PM
  • Hi Paul,

    as you probably know, an instance of a web role is nothing else than a virtual machine with Windows Server and IIS on it. IIS introduced support for SNI with version 8, which is available since Windows Server 2012. So the requirement for SNI on Windows Azure is at least Guest OS Family 3 (http://msdn.microsoft.com/en-us/library/windowsazure/ee924680.aspx). These are the prerequisites. Now you have to know how to configure the IIS to support SNI. Play around with this feature on your local developer machine to become acquainted with it. You need at least Windows 8 because of IIS 8! If you know how to configure IIS manually to support SNI, you know what to do on Windows Azure web role instances in an automated way:

    • Somewhere you have to manage your tenants. Save your information about your tenants in an Azure SQL Database for example. Save the SSL certificate (PFX file) for each tenant on blob storage. Bear in mind that you have to store the certificates in a secure way!!!
    • Implement at least RoleEntryPoint.OnStart in your WebRole class as you would do in a worker role.
    • In RoleEntryPoint.OnStart get all your tenants from your tenant repository (database) and their SSL certificates (blob storage). Install all certificates in the local machine certificate store.
    • Now you can use the managed IIS API in Microsoft.Web.Administration.dll and add an SSL/SNI binding to the IIS Website of your web role for each tenant.

    Don't forget that depending on your on-boarding process (adding/deleting tenants at runtime) you have to update all existing web role instances (add new certs/bindings for new tenants to IIS).

    For quite some time I have planned to write a detailed article on my blog about this topic. If anything in my explanation above is unclear, let me know and I will hurry up with the article.

    Kind regards from Germany,

    Tobias

    • Edited by Tobias Jamin Wednesday, February 27, 2013 6:55 AM
    Wednesday, February 27, 2013 6:52 AM
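
The certificate-install and binding steps from the post above, sketched as an added example (not code from Tobias or from the Azure SDK). It assumes the role runs with an elevated execution context so it may change IIS, that the site name passed in is the web role's IIS site (commonly the role instance ID followed by `_Web`), and that the caller has already fetched the PFX bytes and password from its own protected store; `SniBindingInstaller` and `AddTenantBinding` are hypothetical names.

```csharp
using System;
using System.Linq;
using System.Security.Cryptography.X509Certificates;
using Microsoft.Web.Administration;

public static class SniBindingInstaller
{
    // Call once per tenant from RoleEntryPoint.OnStart (and again when a tenant is added or a cert rotates).
    public static void AddTenantBinding(string siteName, string hostName,
                                        byte[] pfxBytes, string pfxPassword)
    {
        // Machine key set so IIS can use the private key; Exportable is deliberately
        // not set, so the key cannot be exported from the instance again.
        var cert = new X509Certificate2(pfxBytes, pfxPassword,
            X509KeyStorageFlags.MachineKeySet | X509KeyStorageFlags.PersistKeySet);

        // NotBefore/NotAfter are local time; refuse to bind a cert that is not currently valid.
        if (DateTime.Now < cert.NotBefore || DateTime.Now > cert.NotAfter)
            throw new InvalidOperationException("Certificate for " + hostName + " is not currently valid.");

        var store = new X509Store(StoreName.My, StoreLocation.LocalMachine);
        store.Open(OpenFlags.ReadWrite);
        try { store.Add(cert); }
        finally { store.Close(); }

        using (var iis = new ServerManager())
        {
            Site site = iis.Sites[siteName];
            if (site == null)
                throw new InvalidOperationException("IIS site not found: " + siteName);

            string info = "*:443:" + hostName;   // all IPs, port 443, host header = tenant domain
            byte[] hash = cert.GetCertHash();
            Binding existing = site.Bindings.FirstOrDefault(b =>
                b.Protocol == "https" &&
                string.Equals(b.BindingInformation, info, StringComparison.OrdinalIgnoreCase));

            if (existing != null)
            {
                // Same cert already bound: nothing to do. Different cert: replace it (rotation).
                if (existing.CertificateHash != null && existing.CertificateHash.SequenceEqual(hash))
                    return;
                site.Bindings.Remove(existing);
            }

            // SslFlags.Sni makes IIS 8 select this certificate by the TLS server name.
            site.Bindings.Add(info, hash, "My", SslFlags.Sni);
            iis.CommitChanges();
        }
    }
}
```

Because the method returns early when the same certificate is already bound, it can be re-run on every instance whenever the tenant list changes without disturbing existing bindings.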
  • Hi Tobias,

    Thanks for those details - especially the pointer to the Administration.dll - makes the process much clearer.

    From here I should be able to figure it out, though any code samples you could post are always welcome :)

    If you do end up writing a blog post, hit me up on Twitter (@pauldbau) - I'd be keen to read it!

    Cheers

    Paul Du Bois

    Monday, March 11, 2013 5:56 AM