Run Multiple Sites on Your IIS Server

3 steps to hosting 2 or more Web sites on 1 piece of hardware

I typically receive from 50 to 100 reader questions per day. Most of them inquire about a variety of topics, but a few questions come up repeatedly. When I see the same question several times, I realize that it's fodder for a column. The Microsoft IISrelated question that readers ask most often is, How can I host two or more separate sites on one Web server? For example, suppose you have one IIS server and you want to use it to run two unrelated Web sites: www.apples.com and www.oranges.com. How can you do that?

The answer seems to be fairly simple. IIS has a Web Site Creation Wizard that covers the basics nicely (in the Microsoft Management Console—MMC—Internet Information Services snap-in, right-click the Web server's icon, then choose New, Web Site). But the wizard doesn't help you figure out how to host two sites on one server.

Building multiple sites on one Web server requires three steps. First, you must physically separate the two sites' HTML files in different directories. Second, choose one of three methods to tell the Web server how to determine whether a visitor wants to go to www.apples.com or www.oranges.com. Finally, you must set up DNS so that your visitor's Web browser can find your Web server.

Secure Directories for Separate Sites
The first step is easy. Simply create a directory for each Web site on your Web server's hard disk. To help you keep the directories straight without requiring your brain to do any heavy lifting, give each directory a descriptive name—for example Apples and Oranges. (Put these folders outside the Inetpub folder and on a drive other than the system drive.)

While I'm on the topic of directories on Web servers, let's discuss a basic bit of security. Any system on which you install IIS or Personal Web Server gets a local account called IUSR_servername, and anyone who visits that site logs on under that account. For example, if I set up IIS on a server named T21.acme.com, the server will have an account named IUSR_T21 and all visitors to the Web site will log on to the server under that name. The IUSR account is a member of the Guests group, and by default that group has access to a lot of things on your server. Anonymous Web users don't typically do a domain logon or directly access file shares. Instead, those users access your computer through the IIS server software, and that software should control their access to the site's directories. But the IIS software has holes, and users have found ways to use it as a jumping-off point to gain broader access to your network.

To help avoid problems, set NTFS permissions to explicitly lock the IUSR account out of the places that you don't want Web site visitors to go. This approach enlists NTFS as a second line of defense should the first line—IIS—fail. I also strongly recommend that you stay up-to-date with security hotfixes.

Tell IIS About Your Web Sites
After you set up the directories, you need to tell IIS about the two sites. Start the Web Site Creation Wizard, then click Next to reach the panel that asks you for a name for the new Web site. This name shows up only in the administrative tool, so you can use any name that you want. If you're building the Apples site, you'd type Apples in the Description field, then click Next.

On the next panel, which Figure 1, page 106, shows, you tell IIS how to determine which site's content the visitor wants. You can choose among three approaches, but I'm pretty sure you'll want to use just one of them. Two of the approaches—separate IP addresses and separate—have worked on every Web server that I've used since 1994. Although you usually won't employ these methods, I'll summarize how they work.

In the Enter the IP address to use for this Web site drop-down list, you'll see the IP addresses assigned to your Web server. Most of your Web servers will probably have only one IP address because they probably have just one NIC and you've assigned only one IP address to the NIC. However, you can give a NIC extra IP addresses—an unlimited number of them, according to Windows 2000's Help. When you assign multiple IP addresses to a NIC, that NIC will respond to communications sent to any of those IP addresses. So, if you give your Web server's NIC two addresses (e.g., 1.1.1.1 and 1.1.1.2), you could use the wizard's IP Address and Port Settings panel to associate www.apples.com with 1.1.1.1 and www.oranges.com with 1.1.1.2. (You'd also need to do some DNS work, as I discuss later.)

But IP addresses are precious, so you might not want to dole out a separate address to each Web site. As another approach, you can maintain two separate Web sites on one IP address by telling your Web server to use more than one TCP port.

Previous [1] 2 Next

Inside Out to the Rescue 
You have a unique talent of figuring out what I need to do, just before I do. I wanted to reserve the domain name of my homeowner's association but wondered how I'd set it up on my existing Web server. Then, I read Mark Minasi's Inside Out: "Run Multiple Sites on Your IIS Server" (September 2001), which told me just what I needed to know. Thanks for saving me hours trying to figure out what to do.<brbr>
Carol Anne Ogdin 
caogdin@deepwoods.com 

Carol Anne Ogdin January 18, 2002

This is a grat article,however I got stumped when I reached the Host Header section, because I have an SSL option instead in the wizard, and not enough server knowledge to figure it out myself! :)

Joy Hunsberger April 23, 2002

This doesn't seem to work for Windows XP Professional. I'm running IIS 5.1 and it won't allow me to create another website. There is no New -> Web Site option. I even went as far as using the ASDI Object to create abother server instance, but all I get then is "the request is not supported" when I try to start it (after configuring it all). What do you think?

Drakier Dominaeus December 20, 2002

This article has missed a few steps that are crucial to doing it the right way with host headers.

Ray Ranson June 04, 2003

I have an IIS webserver serving multiple hosts for multiple clients, all of whom have access to their web files via either FTP or frontpage and all have ASP scripting enabled.

Their individual accounts are restricted to viewing only their files, but the webserver runs all sites as IUSR_{machine_name}.

My worry is that one user will be able to write an ASP script which when running under IUSR will be able to read the sources of other users scripts (scripts whose sources may contain sensitive passwords etc), and write to other users access databases (whose permissions have been set by Frontpage Extensions to allow writing by IUSR)

I have been experimenting with Ensim for windows, and this product seems to add a separate IUSR account for each website on the machine. It doesn't set up IIS to use this account for IIS anonymous access or even set the file permissions correctly to allow the individual IUSR to access the website files but it's opened my eyes to the advantages of using multiple IUSR accounts.

I envisage each site having it's own IUSR who is made a member of the Frontpage Browsers group for that site. That way scripts that run anonomously are only able to access files in a single site.

Is this the way to go, or is their a better / simpler way?

Richard Wall October 30, 2003

Re my previous comment; I've now found an answer, which might be worth appending to your article...
http://www.bugnet.com/alerts/bugalert_2800.html

Hope that helps,

Richard Wall October 30, 2003

Dear Sir

I created two web sites in my IIS server (Windows 2000). In my LAN there is 3 Domains and I access these sites through other domain work stations.only one site is coming and my other site is not coming.

Please send me the sollution via email...

Regards

prashanth November 26, 2003

I wonder how many of the people asking this question were trying to do this with IIS 5.1 -- because apparently Microsoft removed the ability to create new websites. Any advice for us?

Greg December 12, 2003

Dude, you should really say what software is required for this article. I read the whole article and then spent hours trying to implement it. You could have saved everbody a lot of time if you said it only works on windows 2000 server. how friggin basic is that where is your brain.

tomandlis July 24, 2004 (Article Rating:

)

Are you guys idiots...look at the post date, this article was written 1 month prior to the release of XP. Do a little research on your own part before flaming another.

tHe.iR1sH October 08, 2004 (Article Rating:

)

See More Comments 1 2

You must log on before posting a comment.

If you don't have a username & password, please register now.