Error: IIS Website not listening on 0.0.0.0:443

We had this situation the other day with one of the IIS websites. We were troubleshooting SSL on the site, and we were able to resolve that SSL issue. However, we then found that the site only worked from within the server; from outside, we were getting connection refused. We checked and re-checked certificates, the certificate trust store, Windows Firewall rules, event logs and firewall logs, SNI, and bindings, but the issue remained.

While checking ports, we observed that port 443 was in the listening state only for IP address 127.0.0.1 and not for 0.0.0.0 (note that 0.0.0.0 means all possible IP addresses, IPv4 only). The port needs to be listening on 0.0.0.0 so that clients can connect to it.

Below was the output of netstat -an:

C:\Windows\system32>netstat -an

Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:49664          0.0.0.0:0              LISTENING
  TCP    0.0.0.0:49665          0.0.0.0:0              LISTENING
  TCP    0.0.0.0:49666          0.0.0.0:0              LISTENING
  TCP    0.0.0.0:49667          0.0.0.0:0              LISTENING
  TCP    0.0.0.0:49668          0.0.0.0:0              LISTENING
  TCP    0.0.0.0:49671          0.0.0.0:0              LISTENING
  TCP    0.0.0.0:49676          0.0.0.0:0              LISTENING
  TCP    10.109.211.155:139     0.0.0.0:0              LISTENING
  TCP    10.109.211.155:3389    10.109.219.148:21406   ESTABLISHED
  TCP    10.109.211.155:61485   10.10.5.18:8080        ESTABLISHED
  TCP    10.109.211.155:61557   10.10.5.18:8080        ESTABLISHED
  TCP    10.109.211.155:62749   134.170.53.29:443      TIME_WAIT
  TCP    10.109.211.155:62753   10.10.5.18:8080        ESTABLISHED
  TCP    127.0.0.1:80           0.0.0.0:0              LISTENING
  TCP    127.0.0.1:443          0.0.0.0:0              LISTENING
  TCP    127.0.0.1:5001         0.0.0.0:0              LISTENING
  TCP    127.0.0.1:5357         0.0.0.0:0              LISTENING
  TCP    127.0.0.1:5939         0.0.0.0:0              LISTENING
  TCP    127.0.0.1:5985         0.0.0.0:0              LISTENING
  TCP    127.0.0.1:9005         0.0.0.0:0              LISTENING
  TCP    127.0.0.1:47001        0.0.0.0:0              LISTENING
  TCP    127.0.0.1:61449        127.0.0.1:61450        ESTABLISHED
  TCP    127.0.0.1:61450        127.0.0.1:61449        ESTABLISHED
  TCP    [::]:135               [::]:0                 LISTENING
  TCP    [::]:445               [::]:0                 LISTENING
  TCP    [::]:3389              [::]:0                 LISTENING
  TCP    [::]:49664             [::]:0                 LISTENING
  TCP    [::]:49665             [::]:0                 LISTENING
  TCP    [::]:49666             [::]:0                 LISTENING
  TCP    [::]:49667             [::]:0                 LISTENING
  TCP    [::]:49668             [::]:0                 LISTENING
  TCP    [::]:49671             [::]:0                 LISTENING
  TCP    [::]:49676             [::]:0                 LISTENING
  TCP    [::1]:9005             [::]:0                 LISTENING
  UDP    0.0.0.0:500            *:*
  UDP    0.0.0.0:3389           *:*
  UDP    0.0.0.0:3702           *:*
  UDP    0.0.0.0:3702           *:*
  UDP    0.0.0.0:4500           *:*
  UDP    0.0.0.0:5050           *:*
  UDP    0.0.0.0:5353           *:*
  UDP    0.0.0.0:5355           *:*
  UDP    0.0.0.0:49664          *:*
  UDP    0.0.0.0:51642          *:*
  UDP    10.109.211.155:137     *:*
  UDP    10.109.211.155:138     *:*
  UDP    10.109.211.155:1900    *:*
  UDP    10.109.211.155:47808   *:*
  UDP    10.109.211.155:51824   *:*
  UDP    127.0.0.1:1900         *:*
  UDP    127.0.0.1:5353         *:*
  UDP    127.0.0.1:51825        *:*
  UDP    127.0.0.1:63580        *:*
  UDP    [::]:500               *:*
  UDP    [::]:3389              *:*
  UDP    [::]:3702              *:*
  UDP    [::]:3702              *:*
  UDP    [::]:4500              *:*
  UDP    [::]:5353              *:*
  UDP    [::]:5355              *:*
  UDP    [::]:49665             *:*
  UDP    [::]:51643             *:*
  UDP    [::1]:1900             *:*
  UDP    [::1]:51823            *:*

As you can see above, it was not listening on port 443 on 0.0.0.0. Since we had already checked the IIS configuration settings, we finally decided to check the HTTP IP listeners. For this, we used the commands below:

C:\Windows\system32>netsh
netsh>http
netsh http>show listen
The following command was not found: show listen.
netsh http>show iplisten

IP addresses present in the IP listen list:
-------------------------------------------

    127.0.0.1

So, there was the culprit: an explicit entry pointing to 127.0.0.1. The next obvious step was to remove this explicit listener (which in turn makes it listen on all IP addresses, including loopback):

netsh http>delete iplisten ipaddress=127.0.0.1

IP address successfully deleted

netsh http>show iplisten

IP addresses present in the IP listen list:
-------------------------------------------


netsh http>exit

After that, we ran netstat -an again and got the output below:

C:\Windows\system32>netstat -an

Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:443            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:5001           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:5357           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:5985           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:47001          0.0.0.0:0              LISTENING
  TCP    0.0.0.0:49664          0.0.0.0:0              LISTENING
  TCP    0.0.0.0:49665          0.0.0.0:0              LISTENING
  TCP    0.0.0.0:49666          0.0.0.0:0              LISTENING
  TCP    0.0.0.0:49667          0.0.0.0:0              LISTENING
  TCP    0.0.0.0:49668          0.0.0.0:0              LISTENING
  TCP    0.0.0.0:49671          0.0.0.0:0              LISTENING
  TCP    0.0.0.0:49676          0.0.0.0:0              LISTENING
  TCP    10.109.211.155:139     0.0.0.0:0              LISTENING
  TCP    10.109.211.155:3389    10.109.219.148:21406   ESTABLISHED
  TCP    10.109.211.155:61485   10.10.5.18:8080        ESTABLISHED
  TCP    10.109.211.155:61557   10.10.5.18:8080        ESTABLISHED
  TCP    10.109.211.155:62761   52.177.206.73:443      TIME_WAIT
  TCP    10.109.211.155:62772   10.109.211.251:53001   TIME_WAIT
  TCP    10.109.211.155:62774   10.109.211.251:53001   TIME_WAIT
  TCP    10.109.211.155:62777   10.109.211.252:53002   TIME_WAIT
  TCP    127.0.0.1:5939         0.0.0.0:0              LISTENING
  TCP    127.0.0.1:9005         0.0.0.0:0              LISTENING
  TCP    127.0.0.1:61449        127.0.0.1:61450        ESTABLISHED
  TCP    127.0.0.1:61450        127.0.0.1:61449        ESTABLISHED
  TCP    [::]:80                [::]:0                 LISTENING
  TCP    [::]:135               [::]:0                 LISTENING
  TCP    [::]:443               [::]:0                 LISTENING
  TCP    [::]:445               [::]:0                 LISTENING
  TCP    [::]:3389              [::]:0                 LISTENING
  TCP    [::]:5001              [::]:0                 LISTENING
  TCP    [::]:5357              [::]:0                 LISTENING
  TCP    [::]:5985              [::]:0                 LISTENING
  TCP    [::]:47001             [::]:0                 LISTENING
  TCP    [::]:49664             [::]:0                 LISTENING
  TCP    [::]:49665             [::]:0                 LISTENING
  TCP    [::]:49666             [::]:0                 LISTENING
  TCP    [::]:49667             [::]:0                 LISTENING
  TCP    [::]:49668             [::]:0                 LISTENING
  TCP    [::]:49671             [::]:0                 LISTENING
  TCP    [::]:49676             [::]:0                 LISTENING
  TCP    [::1]:9005             [::]:0                 LISTENING
  UDP    0.0.0.0:500            *:*
  UDP    0.0.0.0:3389           *:*
  UDP    0.0.0.0:3702           *:*
  UDP    0.0.0.0:3702           *:*
  UDP    0.0.0.0:4500           *:*
  UDP    0.0.0.0:5050           *:*
  UDP    0.0.0.0:5353           *:*
  UDP    0.0.0.0:5355           *:*
  UDP    0.0.0.0:49664          *:*
  UDP    0.0.0.0:51642          *:*
  UDP    10.109.211.155:137     *:*
  UDP    10.109.211.155:138     *:*
  UDP    10.109.211.155:1900    *:*
  UDP    10.109.211.155:47808   *:*
  UDP    10.109.211.155:51824   *:*
  UDP    127.0.0.1:1900         *:*
  UDP    127.0.0.1:5353         *:*
  UDP    127.0.0.1:51825        *:*
  UDP    127.0.0.1:63580        *:*
  UDP    [::]:500               *:*
  UDP    [::]:3389              *:*
  UDP    [::]:3702              *:*
  UDP    [::]:3702              *:*
  UDP    [::]:4500              *:*
  UDP    [::]:5353              *:*
  UDP    [::]:5355              *:*
  UDP    [::]:49665             *:*
  UDP    [::]:51643             *:*
  UDP    [::1]:1900             *:*
  UDP    [::1]:51823            *:*

As you can see above, the port is now open and the site was accessible from the outside world to all users.
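The check done by eye on netstat -an above, as an added example that is not part of the original post: it parses the output, lists the TCP ports bound only to loopback, and compares the state before and after the delete iplisten step. The comparison shows that port 5985 changed along with 80 and 443, because the IP listen list applies to everything served through HTTP.sys and not just the IIS site. The function names are illustrative, and the sample text is a trimmed excerpt of the two outputs above.

```python
import re

# Trimmed excerpts of the two `netstat -an` outputs shown in the post.
BEFORE = """\
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING
  TCP    10.109.211.155:3389    10.109.219.148:21406   ESTABLISHED
  TCP    127.0.0.1:80           0.0.0.0:0              LISTENING
  TCP    127.0.0.1:443          0.0.0.0:0              LISTENING
  TCP    127.0.0.1:5985         0.0.0.0:0              LISTENING
  TCP    127.0.0.1:9005         0.0.0.0:0              LISTENING
  TCP    [::1]:9005             [::]:0                 LISTENING
  UDP    0.0.0.0:500            *:*
"""
AFTER = """\
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:443            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:5985           0.0.0.0:0              LISTENING
  TCP    127.0.0.1:9005         0.0.0.0:0              LISTENING
  TCP    [::]:443               [::]:0                 LISTENING
  TCP    [::1]:9005             [::]:0                 LISTENING
"""

LOOPBACK = {"127.0.0.1", "::1"}
ROW = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+\S+\s+LISTENING\s*$")

def listeners(netstat_text):
    """Map each listening TCP port to the set of local addresses bound to it."""
    ports = {}
    for line in netstat_text.splitlines():
        m = ROW.match(line)
        if m:
            ports.setdefault(int(m.group(2)), set()).add(m.group(1).strip("[]"))
    return ports

def loopback_only(netstat_text):
    """Ports reachable only from the server itself (remote clients are refused)."""
    return sorted(p for p, addrs in listeners(netstat_text).items() if addrs <= LOOPBACK)

def newly_exposed(before, after):
    """Ports that were loopback-only before and listen on other addresses after."""
    now = listeners(after)
    return sorted(p for p in loopback_only(before) if p in now and not now[p] <= LOOPBACK)

if __name__ == "__main__":
    print("loopback-only before:", loopback_only(BEFORE))
    print("no longer loopback-only:", newly_exposed(BEFORE, AFTER))
```

Running it on a full netstat -an capture taken before and after any change to the IP listen list shows every listener whose reachability changed, which is the list to check against the firewall rules.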
