here is my setup. I have 4 servers
ARR
Node1
Node2
Node3
I have set the nodes up to use a shared configuration and have set the ARR box up to have a central certificate store ( followed the docs on msdn ). On the ARR box there is a DefaultWebsite as per the standard IIS installation. It has a binding that matches all HTTP traffic ( ie no domain specified ). There is also a ARR rule ( set up by default ) that points all requests to my server farm. Everything is working perfectly for normal HTTP traffic, but when I try HTTPS the requests fail ( browser gives ERR_CONNECTION ). I have stuck to all the defaults an no joy. I have multiple sites with multiple certificates, so I have made sure that all HTTPS bindings on the node are set to use SNI and the CCS. Still HTTPS does not work. However, if I add the HTTPS binding on the ARR box, then the requests go through correctly.
Surely that behavior is not correct? I can't manage https bindings on the ARR box and then all other bindings through a shared config setup? I was under the impression that the ARR box should not even need to have a single site configured, it should simply pick up the request, match the ARR rule and then delegate off to one of the nodes?
Am I missing something here, any help would be greatly appreciated
I think it might have something to do with SSL offloading. When I disable that, I get an error 502 response.
Could it have something to do with compression? I zip all responses using a filter, but surely then even http traffic would fail?
so things always look better in the morning. After a couple hours of googling and several re-installs of IIS I finally found the issue. I had deleted the "Default Website". Then in order to get ARR back up I added back a default website. This allowed all wildcard HTTP traffic through to the server farm. When I tried to add a default HTTPS binding however, the IIS config management console forces you to put in a domain name, which doesn't work if you want a "default" implementation.
So to get around this, I simple manually edited the applicationHost.config file and removed the domain name from the binding entry :
<binding protocol="https" bindingInformation="*:443:" sslFlags="3" />
and that's it....happiness!