I typically receive from 50 to 100 reader questions per day. Most of them inquire about a variety of topics, but a few questions come up repeatedly. When I see the same question several times, I realize that it's fodder for a column. The Microsoft IIS-related question that readers ask most often is, How can I host two or more separate sites on one Web server? For example, suppose you have one IIS server and you want to use it to run two unrelated Web sites: www.apples.com and www.oranges.com. How can you do that?
The answer seems to be fairly simple. IIS has a Web Site Creation Wizard that covers the basics nicely (in the Microsoft Management Console—MMC—Internet Information Services snap-in, right-click the Web server's icon, then choose New, Web Site). But the wizard doesn't help you figure out how to host two sites on one server.
Building multiple sites on one Web server requires three steps. First, you must physically separate the two sites' HTML files in different directories. Second, choose one of three methods to tell the Web server how to determine whether a visitor wants to go to www.apples.com or www.oranges.com. Finally, you must set up DNS so that your visitor's Web browser can find your Web server.
Secure Directories for Separate Sites
The first step is easy. Simply create a directory for each Web site on your Web server's hard disk. To help you keep the directories straight without requiring your brain to do any heavy lifting, give each directory a descriptive name, for example Apples and Oranges. Put these folders outside the Inetpub folder and on a drive other than the system drive. The separate drive isn't just tidiness: a path-traversal bug in the Web server can climb out of a Web root with ..\ sequences, but it can't climb across drive letters, so content on D: keeps such a bug from reaching the Windows directory on C:.
While I'm on the topic of directories on Web servers, let's discuss a basic bit of security. Any system on which you install IIS or Personal Web Server gets a local account called IUSR_servername, and every anonymous visitor to the site is logged on under that account. For example, if I set up IIS on a server named T21.acme.com, the server will have an account named IUSR_T21 and all anonymous visitors to the Web site will run on the server under that name. The IUSR account is a member of the Guests group, and by default that group has access to a lot of things on your server. Anonymous Web users don't typically do a domain logon or directly access file shares. Instead, those users reach your computer through the IIS server software, and that software is supposed to confine them to the site's directories. But the IIS software has had holes, and attackers have used them as a jumping-off point to gain broader access to your network.
To help avoid problems, set NTFS permissions to explicitly lock the IUSR account out of the places that you don't want Web site visitors to go, and grant it no more than Read and Execute on the content folders themselves. This approach enlists NTFS as a second line of defense should the first line, IIS, fail. Remember that IUSR also picks up whatever Guests and Everyone are granted, so check those entries too. I also strongly recommend that you stay up-to-date with security hotfixes.
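The following script is an added example of that advice, not code from the column. It assumes a server named T21 (so the account is T21\IUSR_T21), content folders D:\Apples and D:\Oranges, and a list of sensitive locations that is purely illustrative; it needs PowerShell 3 or later. It grants the anonymous account read-only access to the content folders, writes explicit Deny entries on the locations you name, and then lists every directory under a root where IUSR or Guests still holds an Allow entry.

```powershell
# Added example (not from the column): harden NTFS for the IUSR account.
# Account name, folders and deny targets are assumptions for illustration.
$IusrAccount = "T21\IUSR_T21"                  # assumed: server named T21
$ContentDirs = @("D:\Apples", "D:\Oranges")    # assumed content folders, not on C:
$DenyTargets = @(                              # assumed: places IUSR must never reach
    "C:\WINNT\system32\cmd.exe",
    "C:\WINNT\repair",
    "D:\Admin"
)

function Grant-WebReadOnly {
    # Allow Read & Execute only, inherited by everything under the folder.
    param([string]$Path, [string]$Account)
    $acl  = Get-Acl -Path $Path
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $Account,
        [System.Security.AccessControl.FileSystemRights]"ReadAndExecute",
        [System.Security.AccessControl.InheritanceFlags]"ContainerInherit, ObjectInherit",
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AccessControlType]::Allow)
    $acl.SetAccessRule($rule)     # replaces any existing Allow entry for this account
    Set-Acl -Path $Path -AclObject $acl
}

function Deny-WebAccess {
    # Explicit Deny: NTFS evaluates Deny entries before Allow entries, so this
    # wins even over rights IUSR inherits through Guests or Everyone.
    param([string]$Path, [string]$Account)
    $acl  = Get-Acl -Path $Path
    $item = Get-Item -Path $Path
    $inherit = if ($item.PSIsContainer) { "ContainerInherit, ObjectInherit" } else { "None" }
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $Account,
        [System.Security.AccessControl.FileSystemRights]"FullControl",
        [System.Security.AccessControl.InheritanceFlags]$inherit,
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AccessControlType]::Deny)
    $acl.AddAccessRule($rule)
    Set-Acl -Path $Path -AclObject $acl
}

function Find-WebAccountAccess {
    # Audit: every directory under $Root where one of $Accounts still has an Allow entry.
    param([string]$Root, [string[]]$Accounts)
    Get-ChildItem -Path $Root -Recurse -Directory -ErrorAction SilentlyContinue |
        ForEach-Object {
            $acl = Get-Acl -Path $_.FullName
            foreach ($ace in $acl.Access) {
                if ($ace.AccessControlType -eq "Allow" -and
                    $Accounts -contains $ace.IdentityReference.Value) {
                    [pscustomobject]@{
                        Path    = $_.FullName
                        Account = $ace.IdentityReference.Value
                        Rights  = $ace.FileSystemRights
                    }
                }
            }
        }
}

foreach ($dir in $ContentDirs) { Grant-WebReadOnly -Path $dir -Account $IusrAccount }
foreach ($t   in $DenyTargets) { Deny-WebAccess   -Path $t   -Account $IusrAccount }

# Anything this prints outside D:\Apples and D:\Oranges deserves a second look.
Find-WebAccountAccess -Root "C:\" -Accounts $IusrAccount, "BUILTIN\Guests" |
    Format-Table -AutoSize
```

Apply the Deny entries to specific targets rather than to an entire drive: the IIS service itself runs as SYSTEM and is unaffected, but ASP, CGI and ISAPI components run requests as IUSR and may legitimately need a few files outside the content folders, so test each site after changing permissions.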
Tell IIS About Your Web Sites
After you set up the directories, you need to tell IIS about the two sites. Start the Web Site Creation Wizard, then click Next to reach the panel that asks you for a name for the new Web site. This name shows up only in the administrative tool, so you can use any name that you want. If you're building the Apples site, you'd type Apples in the Description field, then click Next.
On the next panel, which Figure 1, page 106, shows, you tell IIS how to determine which site's content the visitor wants. You can choose among three approaches, but I'm pretty sure you'll want to use just one of them. Two of the approaches, separate IP addresses and separate TCP ports, have worked on every Web server that I've used since 1994. Although you usually won't employ these methods, I'll summarize how they work.
In the Enter the IP address to use for this Web site drop-down list, you'll see the IP addresses assigned to your Web server. Most of your Web servers will probably have only one IP address because they probably have just one NIC and you've assigned only one IP address to the NIC. However, you can give a NIC extra IP addresses (an unlimited number of them, according to Windows 2000's Help). When you assign multiple IP addresses to a NIC, that NIC will respond to communications sent to any of those IP addresses. So, if you give your Web server's NIC two addresses (e.g., 184.108.40.206 and 220.127.116.11), you could use the wizard's IP Address and Port Settings panel to associate www.apples.com with 184.108.40.206 and www.oranges.com with 220.127.116.11. (You'd also need to do some DNS work, as I discuss later.)
But IP addresses are precious, so you might not want to dole out a separate address to each Web site. As another approach, you can maintain two separate Web sites on one IP address by telling your Web server to use more than one TCP port.
For those who haven't heard of TCP ports, here's an explanation. Because a server might be running several different pieces of server software—a Web server, a mail server, and a time server, for example—simply telling a piece of client software to go to www.acme.com doesn't give the client software all the information it needs to contact the appropriate server software. By default, a Web site runs on port 80, so when you point a Web client, such as Microsoft Internet Explorer (IE), to a particular DNS name, such as www.acme.com, the Web client assumes that you want it to contact the Web server at www.acme.com and at port 80. When the client software is Microsoft Outlook and it wants to download Internet email, the client needs to ask for port 110 on www.acme.com. When the client software is a program that synchronizes the client's clock with the server's clock, the client needs to ask for port 123 on the server. But those port numbers are default values, and most server and client software will let a client and server choose to use a nonstandard port instead of the default port.
Figure 1's TCP port this web site should use field lets you change the default port for your Web site. Let's say you decide to run www.oranges.com on the standard port 80 and to put www.apples.com on port 10000. If the Web server has the IP address 126.96.36.199, you'd create DNS entries that point both www.apples.com and www.oranges.com to 126.96.36.199. However, to override the default port, visitors to www.apples.com would have to use the URL http://www.apples.com:10000.
Requiring visitors to remember to add a port number to the URL isn't likely to pump up your daily Web traffic, so you're left with the third approach, which uses host header records. The Host Header for this site field lets the Web client, the browser, tell your Web server which site it wants to see. With host header records, you can host any number of Web sites on one Web server's port 80. The Web server can tell which Web site your visitor is looking for by examining what the Web browser asks it. Rather than simply saying, "Hey, Web server, would you show me default.htm?" the browser says, "Hey, Web server, would you show me default.htm on your www.oranges.com site?" The extra bit of information that identifies the particular site is what IIS calls the host header record; in HTTP 1.1 terms, it's the Host header of the request. Two consequences are worth keeping in mind. The browser supplies that value, so it's client-controlled input that IIS matches against the names you bound, never a path it should trust. And a request whose Host header matches none of your sites lands on whichever site is bound to that IP address and port with no host header name, so keep that site harmless.
So why don't all Web sites use host header records? Nowadays, I'd guess that most sites do. But Web servers have understood host header records for only about 3 years, and even if your Web server understood host header records, early Web browsers (e.g., IE 2.0, Netscape 1.0) weren't smart enough to send them. Virtually every Web browser in use today knows about them, however, so you're safe with host headers on your site.
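To make the lookup concrete, here is an added model of what a host-header-aware server does with each request. It is example code written for this column, not IIS code, and it assumes the two site names above, content folders D:\Apples and D:\Oranges, and that www.oranges.com is the site bound with no host header name. It also shows why the header and the URL path are untrusted input: the site is chosen by allowlist lookup, not by using the header value itself, and the path is URL-decoded before traversal sequences are rejected.

```powershell
# Added example (not from the column, not IIS code): model of host header dispatch.
# Site names, folders and the default site are assumptions for illustration.
$Sites = @{
    "www.apples.com"  = "D:\Apples"
    "www.oranges.com" = "D:\Oranges"
}
$DefaultSite = "www.oranges.com"   # assumed: site bound on this IP:port without a host header name

function Read-HttpRequest {
    # Split a raw HTTP/1.x request into its request line and a header table.
    param([string]$Raw)
    $head  = ($Raw -split "`r`n`r`n", 2)[0]
    $lines = $head -split "`r`n"
    $method, $target, $version = $lines[0] -split " ", 3
    $headers = @{}
    foreach ($line in ($lines | Select-Object -Skip 1)) {
        $name, $value = $line -split ":", 2
        if ($name -and $null -ne $value) {
            $headers[$name.Trim().ToLowerInvariant()] = $value.Trim()
        }
    }
    [pscustomobject]@{ Method = $method; Target = $target; Version = $version; Headers = $headers }
}

function Select-Site {
    # Pick a site by Host header. HTTP/1.0 clients send none; an explicit port
    # ("www.apples.com:10000") and letter case are ignored, as IIS does.
    param([hashtable]$Headers)
    if (-not $Headers.ContainsKey("host")) { return $DefaultSite }
    $hostname = ($Headers["host"] -split ":", 2)[0].ToLowerInvariant().TrimEnd(".")
    # Allowlist lookup: only a key we already know is returned, never the raw
    # header, so "Host: ../../winnt" can't steer a file path anywhere.
    if ($Sites.ContainsKey($hostname)) { return $hostname }
    return $DefaultSite
}

function Resolve-ContentPath {
    # Map the URL path onto the site's folder, refusing traversal attempts.
    param([string]$Site, [string]$Target)
    $urlPath  = ($Target -split "\?", 2)[0]
    $decoded  = [uri]::UnescapeDataString($urlPath)    # %2e%2e becomes .. before the check
    $segments = @($decoded -split "[/\\]" | Where-Object { $_ -ne "" -and $_ -ne "." })
    if (($segments -contains "..") -or ($segments | Where-Object { $_ -match ":" })) {
        return $null                                     # traversal or drive letter: refuse
    }
    if ($segments.Count -eq 0) { $segments = @("default.htm") }
    return $Sites[$Site] + "\" + ($segments -join "\")
}

function Resolve-Request {
    param([string]$Raw)
    $req  = Read-HttpRequest -Raw $Raw
    $site = Select-Site -Headers $req.Headers
    [pscustomobject]@{ Site = $site; File = (Resolve-ContentPath -Site $site -Target $req.Target) }
}

# Constructed sample requests: two normal ones, an HTTP/1.0 request with no Host
# header, an encoded traversal attempt, and a hostile Host value.
$requests = @(
    "GET /fruit/index.htm HTTP/1.1`r`nHost: www.apples.com`r`n`r`n",
    "GET /fruit/index.htm HTTP/1.1`r`nHost: WWW.APPLES.COM:10000`r`n`r`n",
    "GET /default.htm HTTP/1.0`r`n`r`n",
    "GET /..%2f..%2fwinnt/system32/cmd.exe HTTP/1.1`r`nHost: www.apples.com`r`n`r`n",
    "GET / HTTP/1.1`r`nHost: ../../winnt`r`n`r`n"
)
$requests | ForEach-Object { Resolve-Request -Raw $_ } | Format-Table -AutoSize
```

The first two requests resolve to D:\Apples\fruit\index.htm, the third and fifth fall back to the default site, and the fourth returns an empty File because the decoded path contained ".." segments. The NTFS permissions from the previous section are what catch the cases a dispatcher like this misses.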
After you've gotten past that page in the wizard, the rest is easy. The wizard will ask you which directory holds your content and how to set security on the site (you can take the defaults).
Set Up DNS
Your Web sites are almost ready now, except for one more thing: DNS. Although your servers are prepared to respond to browsers near and far, those browsers can't send you requests if they can't find you. DNS's job is to make sure browsers can find your sites.
You need to register the apples.com and oranges.com domains with a domain registrar, of course. Part of the domain registration process requires you to provide the names of two DNS servers that will host the address information for apples.com and oranges.com. Because those DNS servers must be reachable on the Internet around the clock, many people choose not to run their own DNS servers but rather to let their ISP's DNS servers host their domains. Either way, you must put into the apples.com and oranges.com zones a host (A) record for www that points to your Web server's IP address.
For the sake of completeness, I should mention that if you use separate IP addresses instead of host header records to segregate your Web sites, you must point each site's DNS record to the IP address that's associated with that site (in my example, 184.108.40.206 for www.apples.com and 220.127.116.11 for www.oranges.com). If you use separate ports at one IP address or host header records, you must point the Web sites' DNS records to the same IP address.
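Once DNS and the site bindings are in place, it's worth checking the whole chain from a client rather than trusting the wizard. The script below is an added example, not part of the column. It assumes the host header setup with both names pointing at 126.96.36.199, that each site's default page contains its own name ("Apples" or "Oranges"), and that www.oranges.com is the site bound without a host header name. It resolves each name, opens its own TCP connection so it controls exactly which Host header is sent, and reports whether the right site answered; it also sends a request with no Host header to see where such requests land.

```powershell
# Added example (not from the column): verify DNS and host header bindings end to end.
# Names, address, port and the expected marker text are assumptions.
$ServerIp = "126.96.36.199"
$Checks = @(
    @{ Name = "www.apples.com";  Expect = "Apples"  },
    @{ Name = "www.oranges.com"; Expect = "Oranges" }
)
$DefaultExpect = "Oranges"   # assumed: the site bound without a host header name

function Send-RawHttp {
    # Raw request over our own socket: a browser or Invoke-WebRequest would
    # re-resolve the name and pick the Host header for us.
    param([string]$Ip, [int]$Port, [string]$HostHeader)
    $client = New-Object System.Net.Sockets.TcpClient($Ip, $Port)
    try {
        $stream = $client.GetStream()
        if ($HostHeader) {
            $request = "GET / HTTP/1.1`r`nHost: $HostHeader`r`nConnection: close`r`n`r`n"
        } else {
            $request = "GET / HTTP/1.0`r`n`r`n"    # an old client that sends no Host header
        }
        $bytes = [System.Text.Encoding]::ASCII.GetBytes($request)
        $stream.Write($bytes, 0, $bytes.Length)
        $reader = New-Object System.IO.StreamReader($stream)
        return $reader.ReadToEnd()
    } finally {
        $client.Close()
    }
}

function Test-SiteBinding {
    param([string]$Name, [string]$Ip, [int]$Port, [string]$Expect)
    $resolved = [System.Net.Dns]::GetHostAddresses($Name) | ForEach-Object { $_.ToString() }
    $response = Send-RawHttp -Ip $Ip -Port $Port -HostHeader $Name
    [pscustomobject]@{
        Name       = $Name
        ResolvesTo = ($resolved -join ",")
        DnsOk      = ($resolved -contains $Ip)
        Status     = ($response -split "`r`n")[0]
        SiteOk     = ($response -match $Expect)
    }
}

foreach ($c in $Checks) {
    Test-SiteBinding -Name $c.Name -Ip $ServerIp -Port 80 -Expect $c.Expect
}

$noHost = Send-RawHttp -Ip $ServerIp -Port 80 -HostHeader $null
"No Host header -> default site is {0}: {1}" -f $DefaultExpect, ($noHost -match $DefaultExpect)
```

A false DnsOk with a correct SiteOk usually means the name still resolves to an old address and you tested the right server only by luck; a false SiteOk with DNS correct means the host header name in the binding doesn't match what the browser sends (a stray port, a trailing dot, or the bare domain without www are the usual culprits).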