I've just completed installing a new Multi tenant SharePoint Server 2013 farm and have added a couple of tenants to a single Web Application using Host Named Site Collections, but have had some difficulty in getting access to the tenant sites through our hardware Load balancers which are set up to perform SSL Offloading.
Accessing a tenant created using HTTP works fine, so basic configuration is good (all logs are clean).
A couple of things appear to not be functioning as I would expect (but I might be missing something - that's why I'm here...):-
- Using Wireshark to capture traffic on the SharePoint server, it looks like SharePoint is performing a redirect immediately after login, to an HTTP URL, not an HTTPS URL (the actual redirect is expected behaviour - it's sending the user to the 'pick a site template' page). This is despite the fact that the Web Application Default zone Public URL is configured as HTTPS and there is also a separate Default zone AAM mapping the HTTPS public URL through to an identical HTTP internal URL. This configuration works great in another Foundation 2010 Server Farm running through the same Load Balancer and also in a WSS 3.0 farm and makes sense. In short, SharePoint isn't writing the return URLs as per the Default zone Public URL setting as I would expect, based on the recommendations in this TechNet article (for SP2010. I don't entirely agree with the wording in part of this article though, but that's another story.)
- When the Hosting Web App Default zone Public URL is configured as HTTP in AAM, Central Administration lists the Hosting Web App as listening on Port 80. When I change the Default zone Public URL to HTTPS in Central Admin AAM, the Web Application then lists the Web App as listening on Port 443. BUT, checking in IIS shows that there is NO port 443 binding, only a port 80 binding, which never changes, no matter how I update the Default zone Public URL. I.e. SharePoint looks like it is changing the port it says it is listening on based on the protocol configured in the Default Zone Public URL, but it never updates IIS.
I wouldn't have thought that changing the protocol portion of the Default zone public URL should update the port SharePoint listens on (in IIS or otherwise) - after all, I would have thought that this is one of the requirements for off-box SSL termination to work. SharePoint needs to listen on port 80 for the decrypted traffic from the Load Balancer/Proxy device BUT it needs to write all URLs as per the protocol portion of the Default Zone public URL: in this case as HTTPS so that links work for the client.
I can't see how to force the port back to 80 either after setting the Default Zone Public URL to HTTPS changes it to 443. I looked at using Set-SPWebApplication but there doesn't appear to be a -Port option in the PowerShell command.
When the hosting Web Application was created, I didn't enable the -SecureSocketsLayer switch as I don't want SSL encryption being performed on the server itself. I didn't specify a Host Header as you don't want one if you are going to be using Host Named Site Collections. I did specify Port 80 as the port to listen on: also desirable in that the Load Balancer will be forwarding the un-encrypted HTTP traffic to SharePoint.
I then edited the Default Zone Public URL to use HTTPS as after creation and the addition of an empty root site collection, it had defaulted to an internal HTTP URL.
If you're still reading this then thanks for sticking with it!
Any ideas?
Thanks, Glenn
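
Added example, not part of the original post: a read-only PowerShell check that, for each Web Application, puts the Default zone public URL and AAM entries beside the bindings SharePoint has stored and the bindings IIS actually holds, which is the comparison the post makes by hand. It assumes a SharePoint Management Shell on a farm server with the WebAdministration module available; the variable names are illustrative.

```powershell
# Added example: read-only comparison of SharePoint's view and IIS's view
# of each Web Application's Default zone. Nothing is modified.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue
Import-Module WebAdministration

$defaultZone = [Microsoft.SharePoint.Administration.SPUrlZone]::Default

foreach ($wa in Get-SPWebApplication) {
    # Public URL SharePoint uses when it writes links and redirects for this zone
    $publicUri = $wa.GetResponseUri($defaultZone)

    # Bindings SharePoint has recorded for the zone's IIS site
    $iis      = $wa.IisSettings[$defaultZone]
    $spPlain  = @($iis.ServerBindings | ForEach-Object { $_.Port })
    $spSecure = @($iis.SecureBindings | ForEach-Object { $_.Port })

    # Bindings IIS actually has on that site (ServerComment is the IIS site name)
    $iisBindings = @(Get-WebBinding -Name $iis.ServerComment)
    $iisHasHttps = [bool]($iisBindings | Where-Object { $_.protocol -eq 'https' })

    Write-Host "Web Application : $($wa.DisplayName)"
    Write-Host "  Default public URL       : $publicUri"
    Write-Host "  SharePoint HTTP ports    : $($spPlain -join ', ')"
    Write-Host "  SharePoint secure ports  : $($spSecure -join ', ')"
    foreach ($b in $iisBindings) {
        Write-Host "  IIS binding              : $($b.protocol) $($b.bindingInformation)"
    }

    # AAM rows for this Web Application: incoming URL -> zone -> public URL
    Get-SPAlternateURL -WebApplication $wa |
        Select-Object Zone, IncomingUrl, PublicUrl |
        Format-Table -AutoSize | Out-String | Write-Host

    # The situation described in the post: HTTPS public URL, HTTP-only IIS site
    if ($publicUri.Scheme -eq 'https' -and -not $iisHasHttps) {
        Write-Host "  NOTE: public URL is HTTPS but the IIS site has no https binding;" `
                   "TLS would have to be terminated off-box for this zone."
    }
    Write-Host ''
}
```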