I'd like to set up IIS to listen on 127.0.0:80, and on *:443, so http connections are allowed from localhost only, while anyone from the net will have to use SSL. (This part is no problem). Also, i want to require the SSL connections to use client certificates, but not the HTTP connections. This is what i can't seem to be able to do.
The IIS is a 8.5.9600.16384 running on Windows Server 6.2 (2012 R2).
Background, not required to answer the question
We have a site that our IT security requires us to use smartcard client certificates for. The software has a native admin UI, that does HTTP/XML/Soap/whatever calls to the web server. This native admin UI can't be configured to use client certificates; also, even if it could, IT security wouldn't allow us to create a "static" certificate that doesn't need a smartcard+pin. So, i want the admin software to use http on 127.0.0.1 only - without certificate - while still requiring users to use https and certificates. Being able to run the admin software on the web server only doesn't hurt much. And yes, i'm aware that i have to double-check nothing is running on the server that could act as a proxy to fool the 'localhost-only' check.
I tried to set up a second site as described in the "Extra Localhost-Only IIS Site" section for moveit (different software but same problem), but this broke my software completely. The software is trying to read the IIS configuration to configure itself, and gets confused horribly if it's running on two web sites. So i'm stuck with "one web site, two bindings", but with this, IIS doesn't allow me to "require client certificates, but only on the SSL port".