Does IIS support wildcard host headers? Can I capture and redirect *.mydomain.com to one web site?
The answer is yes and no. Yes, because you can point *.mydomain.com at one web site. No, because the wildcard matching happens in DNS, not in IIS: IIS has no wildcard host header binding, all it needs is a site that answers for any host name on the IP.
Here's how you do it:
In the IIS MMC, configure a web site with NO host header and assign it an IP address (if the box has only one IP address, you can skip this). The web site is then bound to that specific IP and listens to all HTTP requests sent to it, whatever Host header they carry. If another site on the same IP has a specific host header, IIS still routes requests for that exact name to it; the site with no host header gets everything else, and you are done :)
The next step is to make sure name resolution handles the wildcard query and replies with the correct IP address. If you are using the Microsoft DNS service, the DNS MMC won't let you create a '*' A record (assuming you have already created the zone for the domain), so you need to do the following:
- Navigate to
- Find the zone file, e.g. mydomain.com.dns, and open it with Notepad
- Add an entry. E.g.
- Save the zone data file
- Reload the zone data in DNS MMC.
Take note that with this in place every name under the domain that has no explicit record of its own resolves to the IP you configured earlier, e.g. abc.mydomain.com, www.mydomain.com, K2k.mydomain.com and so on. Names that do have their own A record keep it; a wildcard only answers for names that do not exist. Be aware that this also means mistyped and otherwise unintended names under your domain all land on that site, and that a site with no host header answers whatever Host value a client sends to the IP.
To verify that it is working, ping (or nslookup) an arbitrary name under the domain; you should get replies from IP.IP.IP.IP.
Then browse to http:// (insert anything here).mydomain.com/ and you should get the same web page for any name you try.
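The whole procedure, scripted, as an added example that is not part of the original post: it creates the IP-bound binding with an empty host header, then checks that several names with no record of their own resolve to the IP and that each of them returns the same page. The site name, IP address, domain and test labels are placeholders (assumptions), and the WebAdministration module that ships with IIS 7 and later is assumed to be installed.

```powershell
# Added example, not part of the original post: create the catch-all binding
# described above and verify the wildcard end to end. Site name, IP address,
# domain and the test labels are placeholders (assumptions), and the
# WebAdministration module (IIS 7 and later) is assumed to be installed.
param(
    [string]$SiteName  = 'Default Web Site',
    [string]$IPAddress = '192.0.2.10',      # stands in for IP.IP.IP.IP above
    [string]$Domain    = 'mydomain.com'
)

Import-Module WebAdministration

# 1. IIS side: bind the site to the IP with an empty host header, so it answers
#    whatever Host value arrives on that address. A site with an explicit host
#    header on the same IP still wins for that exact name; this one gets the rest.
$binding = Get-WebBinding -Name $SiteName -Protocol http -Port 80 -IPAddress $IPAddress
if (-not $binding) {
    New-WebBinding -Name $SiteName -Protocol http -Port 80 -IPAddress $IPAddress -HostHeader ''
}

# 2. DNS side: every name that has no explicit record must resolve to the IP.
#    The labels are constructed test names; 'test-<random>' proves that a name
#    nobody ever created still resolves, which is what the '*' record is for.
$labels = @('abc', 'www', 'k2k', ('test-' + (Get-Random -Maximum 99999)))
$baseline = $null
foreach ($label in $labels) {
    $fqdn = "$label.$Domain"
    $answers = @(Resolve-DnsName -Name $fqdn -Type A -ErrorAction Stop |
                 Where-Object { $_.Type -eq 'A' })
    if (@($answers.IPAddress) -notcontains $IPAddress) {
        throw "$fqdn resolved to '$($answers.IPAddress -join ',')', expected $IPAddress"
    }

    # 3. Web side: the same page must come back regardless of the name used.
    $resp = Invoke-WebRequest -Uri "http://$fqdn/" -UseBasicParsing
    if ($null -eq $baseline) {
        $baseline = $resp.Content
    } elseif ($resp.Content -ne $baseline) {
        throw "$fqdn returned different content than $($labels[0]).$Domain"
    }
    Write-Host ("{0} -> {1}, HTTP {2}, content matches" -f $fqdn, $IPAddress, $resp.StatusCode)
}
```

Run it on the IIS box (or anywhere the WebAdministration module is present for the binding step) after the zone has been reloaded. A name that has its own A record, such as a mail host, is deliberately not in the label list: it would resolve to its own address, not to the wildcard, and the script would correctly report that as a mismatch.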
Internet Explorer site to zone assignments - is it valid and why not?
Time for a new post finally... Recently, I got involved in a discussion about IE zone assignments via Group Policy. This post discusses which entries are valid or not.
How to assign a site to a zone?
There are two possible ways to assign a security zone to a URL:
- Native Group Policy - MVP colleague Alan Burchill has a nice tutorial on that: http://www.grouppolicy.biz/2010/03/how-to-use-group-policy-to-configure-internet-explorer-security-zone-sites/
- Registry (through Group Policy Preferences Registry) - MVP colleague Joseph Moody has a nice tutorial on that: https://deployhappiness.com/managing-internet-explorer-trusted-sites-with-group-policy/
What can I add as a site?
Site to zone assignments (s2z) take URLs. A URL basically has up to 5 parts:
- Protocol (http, ftp, file...)
- User and password (e.g. ftp://johndoe:password@ftp.mycorp.com)
- Hostname (www.bing.com) or IP address
- Port (wsus.intern.com:8531)
- Path (evilgpo.blogspot.de/2012/02/loopback-demystified.html)
If a hostname is provided, it must be either a plain hostname (no domain part) or a FQDN that consists of at least 3 parts. Hosts in root domains are not possible. If the FQDN consists of 3 parts only, the second level domain must have more than 2 characters in Windows versions prior to 10.
In addition, s2z supports wildcards. To be precise, it supports exactly two uses of the asterisk: one replacing the whole protocol, and one replacing the whole plain host name part of a FQDN or the last part of an IP address. To repeat: only the * wildcard exists (there is no ?), and it is accepted only in those two positions, nowhere else.
If you have invalid entries, all valid entries will still be processed. s2z logs an event to the Group Policy event log with ID 1085 and error code 87 ("The parameter is incorrect"). Unfortunately, the event names neither the site that caused the error nor the GPO that contained the entry.
So in case of errors it is up to you, the busy admin, to identify the invalid entries. To do so, check all GPOs for s2z entries and validate them. To assist you with this task, Microsoft provides some valid and invalid patterns here:
And to further assist you, here are some more comprehensive samples of s2z entries and explanations why they are valid or not.
www.microsoft.com
Valid entry - consists of a fully qualified host name (FQDN). Since no protocol is specified, it applies to all protocols.

https://intranet
Valid entry - consists of a protocol and a plain host name. Since no domain is specified, it applies to a host sitting in the primary DNS suffix domain.

https://www.mycorp.com:8080
Partially valid entry - consists of protocol, host and port. The port is transparently stripped, so the entry applies to all ports on that host.

http://www.mycorp.com/index.html
Partially valid entry - consists of protocol, host and path. The path is transparently stripped, so the entry applies to all paths on that host.

*://www.microsoft.com
Valid entry - since the protocol is a wildcard, it is identical to specifying www.microsoft.com (without a protocol).

*.mycorp.com
Valid entry - since the plain hostname is a wildcard, it applies to all hosts in the domain mycorp.com.

192.168.1.15
Valid entry - IP addresses are allowed as well as hostnames.

192.168.1-255.*
Valid entry - consists of an IP range and a wildcard for all hosts in that range.

http://microsoft.com
Valid entry - but be aware that this is not an entry for the host microsoft in the domain com; s2z converts it to *.microsoft.com. This follows from one of the rules above: a FQDN must consist of at least 3 parts. Since there are only 2 parts here, s2z assumes this to be a domain.

*hosts.mycorp.com
Invalid entry - a wildcard is not allowed as part of the hostname, only as the whole hostname.

www.mycorp.*
Invalid entry - the wildcard replaces a part of the domain.

www.*.mycorp.com
Invalid entry (same as above) - the wildcard replaces a part of the domain.

http*://www.mycorp.com
Invalid entry - a wildcard is not allowed as part of the protocol, only as the whole protocol (which of course is the same as omitting the protocol altogether).

192.168.*.1
Invalid entry - a wildcard in an IP address can only be used in the last position.

*.*.mycorp.com
Invalid entry - only one wildcard is allowed, and only for the hostname.
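Since the 1085 event does not tell you which entry is broken, here is the rule set above turned into a checker, as an added example that is not code from the original post: it classifies an entry as valid, partially valid (port or path stripped) or invalid with a reason, reports the normalized form (protocol wildcard dropped, two-part domain auto-wildcarded), and can walk the applied policy list. Edge cases the post does not cover (a lone '*', '*.com') are treated as invalid, which is an assumption, as is the registry path under HKLM\SOFTWARE\Policies used by Get-S2ZPolicyEntries, where the Site to Zone Assignment List policy writes its entries (value name = site, data = zone number).

```powershell
# Added example, not part of the original post: a checker that applies the
# rules listed above to s2z entries, so invalid ones can be found before event
# 1085 / error 87 shows up. Edge cases the post does not cover (a lone '*',
# '*.com') are treated as invalid; that is an assumption, as is the registry
# path in Get-S2ZPolicyEntries, taken to be where the Site to Zone Assignment
# List policy writes its entries (value name = site, data = zone number).

function New-S2ZResult($Entry, $Normalized, $Status, $Reason) {
    [pscustomobject]@{ Entry = $Entry; Normalized = $Normalized; Status = $Status; Reason = $Reason }
}

function Join-S2ZUrl($Proto, $HostPart) { if ($Proto) { "${Proto}://$HostPart" } else { $HostPart } }

function Test-S2ZEntry {
    param([Parameter(Mandatory)][string]$Entry,
          [switch]$PreWindows10)   # enforce the 'second level domain > 2 chars' rule

    $rest = $Entry.Trim(); $proto = ''; $status = 'Valid'; $notes = @()

    if ($rest.Contains('?')) { return New-S2ZResult $Entry $null 'Invalid' "'?' is not a wildcard in s2z" }

    # Protocol: optional '<scheme>://'. A bare '*' means any protocol and is the
    # same as omitting it; '*' inside the scheme (http*) is not allowed.
    if ($rest -match '^([^:/]+)://(.*)$') {
        $proto = $Matches[1]; $rest = $Matches[2]
        if ($proto -ne '*' -and $proto.Contains('*')) {
            return New-S2ZResult $Entry $null 'Invalid' 'wildcard must replace the whole protocol'
        }
        if ($proto -eq '*') { $proto = '' }
    }

    # Path and port are stripped; the entry then applies to all paths/ports.
    if ($rest -match '^([^/]*)/') { $rest = $Matches[1]; $status = 'PartiallyValid'; $notes += 'path stripped' }
    if ($rest -match '^(.*):\d+$') { $rest = $Matches[1]; $status = 'PartiallyValid'; $notes += 'port stripped' }
    if (-not $rest) { return New-S2ZResult $Entry $null 'Invalid' 'no host name' }

    $parts = $rest.Split('.')

    # IP address or range: four parts, '*' only allowed as the last one.
    if ($parts.Count -eq 4 -and @($parts | Where-Object { $_ -match '^(\d+(-\d+)?|\*)$' }).Count -eq 4) {
        $starAt = @(0..3 | Where-Object { $parts[$_] -eq '*' })
        if ($starAt.Count -gt 1 -or ($starAt.Count -eq 1 -and $starAt[0] -ne 3)) {
            return New-S2ZResult $Entry $null 'Invalid' 'IP wildcard only allowed in the last position'
        }
        return New-S2ZResult $Entry (Join-S2ZUrl $proto $rest) $status ($notes -join ', ')
    }

    # Host name: '*' may only replace the whole first part of a FQDN, and only once.
    foreach ($p in $parts) {
        if ($p -eq '') { return New-S2ZResult $Entry $null 'Invalid' 'empty name part' }
        if ($p -ne '*' -and $p.Contains('*')) {
            return New-S2ZResult $Entry $null 'Invalid' 'wildcard must replace a whole host name part'
        }
    }
    $stars = @($parts | Where-Object { $_ -eq '*' }).Count
    if ($stars -gt 1) { return New-S2ZResult $Entry $null 'Invalid' 'only one host wildcard allowed' }
    if ($stars -eq 1 -and ($parts[0] -ne '*' -or $parts.Count -lt 3)) {
        return New-S2ZResult $Entry $null 'Invalid' 'host wildcard must be the first part of a FQDN'
    }
    switch ($parts.Count) {
        1 { }   # plain host name, looked up in the primary DNS suffix domain
        2 { $rest = "*.$rest"; $notes += 'two-part name treated as a domain, auto-wildcarded' }
        3 { if ($PreWindows10 -and $parts[1].Length -le 2) {
                return New-S2ZResult $Entry $null 'Invalid' 'second level domain must have more than 2 characters before Windows 10'
            } }
    }
    New-S2ZResult $Entry (Join-S2ZUrl $proto $rest) $status ($notes -join ', ')
}

# Walk the applied policy list (assumed key path) and check every entry in it.
function Get-S2ZPolicyEntries {
    param([string]$Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMapKey')
    if (-not (Test-Path $Path)) { return }
    $key = Get-Item $Path
    foreach ($name in $key.GetValueNames()) {
        Test-S2ZEntry $name | Add-Member -NotePropertyName Zone -NotePropertyValue $key.GetValue($name) -PassThru
    }
}

# The samples from the post, run through the checker.
$samples = 'www.microsoft.com', 'https://intranet', 'https://www.mycorp.com:8080',
           'http://www.mycorp.com/index.html', '*://www.microsoft.com', '*.mycorp.com',
           '192.168.1.15', '192.168.1-255.*', 'http://microsoft.com', '*hosts.mycorp.com',
           'www.mycorp.*', 'www.*.mycorp.com', 'http*://www.mycorp.com', '192.168.*.1', '*.*.mycorp.com'
$samples | ForEach-Object { Test-S2ZEntry $_ } | Format-Table Entry, Status, Normalized, Reason -AutoSize
```

On a client that has received the policy, `Get-S2ZPolicyEntries | Where-Object Status -ne 'Valid'` lists the entries worth looking at, together with the zone number (1 Intranet, 2 Trusted, 3 Internet, 4 Restricted) each one was assigned; to find the GPO that delivered a bad entry you still have to search the GPOs, since the key does not record the source.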
Credits
The discussion I mentioned above involved these two people, to whom I want to give credit:
MVP Jeremy Moskowitz - http://www.policypak.com and http://www.gpanswers.com
IT Consultant Carl Webster - http://carlwebster.com, specifically http://carlwebster.com/troubleshooting-microsoft-group-policy-site-to-zone-mapping/ which was the first result of our discussion. Thanks Carl for clarifying the thing about ports and paths that get stripped and the second level domain auto-wildcarding :)