3 steps to hosting 2 or more Web sites on 1 piece of hardware
I typically receive from 50 to 100 reader questions per day. Most of them inquire about a variety of topics, but a few questions come up repeatedly. When I see the same question several times, I realize that it's fodder for a column. The Microsoft IIS-related question that readers ask most often is, How can I host two or more separate sites on one Web server? For example, suppose you have one IIS server and you want to use it to run two unrelated Web sites: www.apples.com and www.oranges.com. How can you do that?
The answer seems to be fairly simple. IIS has a Web Site Creation Wizard that covers the basics nicely (in the Microsoft Management Console (MMC) Internet Information Services snap-in, right-click the Web server's icon, then choose New, Web Site). But the wizard doesn't help you figure out how to host two sites on one server.
Building multiple sites on one Web server requires three steps. First, you must physically separate the two sites' HTML files in different directories. Second, choose one of three methods to tell the Web server how to determine whether a visitor wants to go to www.apples.com or www.oranges.com. Finally, you must set up DNS so that your visitor's Web browser can find your Web server.
Secure Directories for Separate Sites
The first step is easy. Simply create a directory for each Web site on your Web server's hard disk. To help you keep the directories straight without requiring your brain to do any heavy lifting, give each directory a descriptive name, for example, Apples and Oranges. (Put these folders outside the Inetpub folder and on a drive other than the system drive.)
While I'm on the topic of directories on Web servers, let's discuss a basic bit of security. Any system on which you install IIS or Personal Web Server gets a local account called IUSR_servername, and anyone who visits that site logs on under that account. For example, if I set up IIS on a server named T21.acme.com, the server will have an account named IUSR_T21 and all visitors to the Web site will log on to the server under that name. The IUSR account is a member of the Guests group, and by default that group has access to a lot of things on your server. Anonymous Web users don't typically do a domain logon or directly access file shares. Instead, those users access your computer through the IIS server software, and that software should control their access to the site's directories. But the IIS software has holes, and users have found ways to use it as a jumping-off point to gain broader access to your network.
To help avoid problems, set NTFS permissions to explicitly lock the IUSR account out of the places that you don't want Web site visitors to go. This approach enlists NTFS as a second line of defense should the first line, IIS, fail. I also strongly recommend that you stay up-to-date with security hotfixes.
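One way to apply the NTFS lockdown described above, as an added example that is not part of the original column. It assumes a Windows version that has PowerShell and still uses the per-server IUSR_servername anonymous account; the D:\Sites, D:\Finance and D:\Backups paths are placeholders for your own folders.

```powershell
# Added example, not from the original article. All paths are placeholders.
$iusr      = "$env:COMPUTERNAME\IUSR_$env:COMPUTERNAME"   # e.g. T21\IUSR_T21
$siteDirs  = 'D:\Sites\Apples', 'D:\Sites\Oranges'        # content visitors may read
$offLimits = 'D:\Finance', 'D:\Backups'                   # places visitors must never reach

# Stop early if the anonymous account does not exist on this machine.
try {
    $null = (New-Object System.Security.Principal.NTAccount($iusr)).Translate(
        [System.Security.Principal.SecurityIdentifier])
} catch {
    throw "Account $iusr not found; adjust `$iusr to your anonymous Web account."
}

# Apply each rule to the folder itself, its subfolders and its files.
$inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$noProp  = [System.Security.AccessControl.PropagationFlags]::None

function Add-IusrRule {
    param([string]$Path, [string]$Rights, [string]$Type)
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $iusr, $Rights, $inherit, $noProp, $Type)
    $acl = Get-Acl -Path $Path
    $acl.AddAccessRule($rule)
    Set-Acl -Path $Path -AclObject $acl
}

# Site content: create the folder if needed and allow read-only access.
foreach ($dir in $siteDirs) {
    New-Item -ItemType Directory -Path $dir -Force | Out-Null
    Add-IusrRule -Path $dir -Rights 'ReadAndExecute' -Type 'Allow'
}

# Everything else on the list: an explicit Deny, which NTFS evaluates
# before any Allow the account inherits through the Guests group.
foreach ($dir in $offLimits) {
    if (Test-Path -Path $dir) {
        Add-IusrRule -Path $dir -Rights 'FullControl' -Type 'Deny'
    } else {
        Write-Warning "Skipping $dir (not found)"
    }
}

# Report what the anonymous account ends up with on every listed folder.
foreach ($dir in ($siteDirs + $offLimits | Where-Object { Test-Path $_ })) {
    (Get-Acl -Path $dir).Access |
        Where-Object { $_.IdentityReference.Value -eq $iusr } |
        Select-Object @{n='Path'; e={$dir}}, AccessControlType, FileSystemRights, IsInherited
}
```

Run it from an elevated prompt and review the final report: every off-limits folder should show a Deny entry and every site folder an Allow entry limited to ReadAndExecute.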
Tell IIS About Your Web Sites
After you set up the directories, you need to tell IIS about the two sites. Start the Web Site Creation Wizard, then click Next to reach the panel that asks you for a name for the new Web site. This name shows up only in the administrative tool, so you can use any name that you want. If you're building the Apples site, you'd type Apples in the Description field, then click Next.
On the next panel, which Figure 1, page 106, shows, you tell IIS how to determine which site's content the visitor wants. You can choose among three approaches, but I'm pretty sure you'll want to use just one of them. Two of the approaches (separate IP addresses and separate ports) have worked on every Web server that I've used since 1994. Although you usually won't employ these methods, I'll summarize how they work.
In the Enter the IP address to use for this Web site drop-down list, you'll see the IP addresses assigned to your Web server. Most of your Web servers will probably have only one IP address because they probably have just one NIC and you've assigned only one IP address to the NIC. However, you can give a NIC extra IP addresses (an unlimited number of them, according to Windows 2000's Help). When you assign multiple IP addresses to a NIC, that NIC will respond to communications sent to any of those IP addresses. So, if you give your Web server's NIC two addresses (e.g., 1.1.1.1 and 1.1.1.2), you could use the wizard's IP Address and Port Settings panel to associate www.apples.com with 1.1.1.1 and www.oranges.com with 1.1.1.2. (You'd also need to do some DNS work, as I discuss later.)
But IP addresses are precious, so you might not want to dole out a separate address to each Web site. As another approach, you can maintain two separate Web sites on one IP address by telling your Web server to use more than one TCP port.