Multiple web applications on same port

Question

I have read alot different about this "issue", to create multiple web applications on the same port, for me it is on 443.

I found this article, and this approach looks the easiest to implement. But how possible is it?

My task is, I got acces to a SP CA and there is a Web Application running on port 443. I want to create a new web application, because it has to be independent from the first. If I am to use Host Header on my Web Application, does it require the first Web Application to have a Host Header too?

Answer 1

No, it may not be a requirement that an existing web application has a host header before you create a new web application that does, however it depends on the configuration. Using SSL, depending upon the certificate and IIS configuration (specifically whether you use SNI, Server Name Indication), you may need to bind each web application to a separate IP address on the server so that you can use separate certificates.

If you use a wildcard certificate for all SSL web applications, you can use a single IP address as the certificate that is used for decryption will be the same for all web applications.

If you use multiple certificates (one per web application URL), and don't implement SNI, you'll need multiple IP addresses for the server and each web application will have to be bound to a separate IP address in IIS Manager to allow IIS to determine which certificate to use for decryption.

If you implement SNI, then you can use multiple certificates with a single IP address as SNI forces information on the requested web application to be sent in the HTTP header so IIS knows which web application to serve, and therefore which certificate to use. Note that a web application without a host header CANNOT use SNI, however you can have all of your host header web applications using SNI and your non-host-header web application not using SNI if required (this setup is typical for SharePoint 2013 Apps configuration whereby you have to have a web application without a host header to receive apps traffic). As an example, for a SharePoint 2013 implementation using apps, you could use a wildcard certificate for all of the web applications, so they could all be bound to 'all unasigned' IP addresses in IIS Manager using the same certificate and SNI required. The 'app listener' web application, which doesn't have a host header, can also be bound to the same 'all unassigned' IP addresses in IIS Manager but SNI is disabled for this web application and it has its own domain certificate (a wildcard for the apps domain). Traffic arriving for a specific web application requires SNI, so IIS knows what to do with the traffic (i.e. send it to the appropriate web application), while all other traffice (in this case app traffic) would be sent to the web application with no host header (this accepts all other traffic) to process, and the apps domain certificate would be used to decrypt traffic.

Plan what you want to achieve up-front and you should be able to follow the article to create the new web application, specifying a host header during the creation. Just be sure to double-check the bindings and certificate assignments in IIS Manager!