Access The Same Website Locally And Remotely By Binding It To Port 443

Question

There is a requirement to implement IIS 10.0 Site STIG V-218748.

As per the STIG's fix text, for the site hosted under IIS Server, assignment of hostname entries and unique IP addresses to port 80 for HTTP and port 443 for HTTPS, has to be done. Other approved and documented ports may be used.

Below are the system details where this scenario has to be incorporated:

Windows Version: Microsoft Windows 10 Version 21H2 (OS Build 19044.4651)

Microsoft Edge Version: 128.0.2739.79 (Official build) (64-bit)

In our organization, we have many systems, each of which has IIS and just one Default website set to say, https://localhost/details.

At present, this website is accessible locally in MS Edge using https://localhost/details and remotely, via hostname of this system, https://inh8181wc/details or via IP, https://192.168.1.2/details.

Additionally, we have made appropriate setting to redirect http to https for local access of the website so setting anything in the binding for port 80 does not matter.

Please find attached the screenshot which is currently working but as per the STIG's requirement, hostname and unique IP has to be assigned- if I set 194.168.1.2 IP in the port 443 binding, remote access of website works via hostname (https://inh8181wc/details) but https://localhost/details does not work.

I read in many places that we cannot set more than one IIS binding for port 443.

For example, I tried the co-existence of the following binding but with this only the remote access of the website works: -

Hostname Port IP

======== ====== ===

localhost 443 127.0.0.1 or 192.168.1.2 (for accessing the website in the same system where IIS is present)

inh8181wc 443 192.168.1.2 (for accessing the website remotely)

Please let me know if it is possible to access the website both locally and remotely, keeping in view the STIG's requirement.

Thank you in advance.

Answer 1

Can you run ping localhost at command prompt and verify which IP address is used? I believe that can explain why local access failed in your case.

On my machine I can see that localhost is resolved to ::1 which is the loopback address for IPv6. Clearly in that situation, the site binding 127.0.0.1:443:localhost won't serve any requests on https://localhost, because the IP address comparison fails (::1 doesn't equal to 127.0.0.1). The right site binding to configure should be [::1]:443:localhost.

Answer 2

Hello,

 

Thank you for posting in Q&A forum.

Yes, to achive the configuration purpose, you will need to:

1.Assign hostname and IP to TCP.Port 443 to allow the remote access.

2.Meanwhile please ensure the SSL certificate is correctly bount to TCP.Port 443.

3.When you access the website locally you can enter by IP address 127.0.0.1 or private IP.

 

I hope the information above is helpful.

If you have any questions or concerns, please feel free to let us know.

 

Best regards，

Jill Zhou

 

---

If the Answer is helpful, please click "Accept Answer" and upvote it.

Answer 3

For example, I tried the co-existence of the following binding but with this only the remote access of the website works:

Try this.

If you don't already have one, generate a self-signed certificate for "localhost". Set the expiration date for a long time in the future.

https://learn.microsoft.com/en-us/powershell/module/pki/new-selfsignedcertificate?view=windowsserver2019-ps

https://stackoverflow.com/questions/8169999/how-can-i-create-a-self-signed-cert-for-localhost

In the bindings add an entry for localhost and inh8181wc. For each entry assign the certificate that corresponds to the name.

The pages in your web site should use relative paths for links, css, images, etc. In other words, they can't have https://inh8181wc hardcoded in the page (absolute file path).

https://www.w3schools.com/Html/html_filepaths.asp

If that doesn't work, please share details about what error you get and what you have configured.