What header does IIS check when IP Address blocking is enabled?

I am trying to configure a site that uses IP blocking in IIS to work with Akamai and have not been successful.  I have searched and have not found the answer to what header or how does IIS check that an IP is allowed based on the blocked list in a virtual directory?  Is there a way to change what header is checked if indeed that is how it is done?
Matthew England, Technology Consultant, Commented:
Would I be correct to assume you're trying to restrict the site to the IP of the Akamai system, in order to prevent users from bypassing it?
  1. Which version of IIS are you running?
  2. Which Akamai solution are you using?
You can determine the IP address(es) seen by IIS by looking at the Web Site logs, if you haven't disabled them. To find the location (assuming IIS6):
  1. Open the properties for the site in question.
  2. On the Web Site tab, click the Properties button.
  3. Make a note of the Log file directory & Log file name.
  4. Click on the Advanced tab, and ensure that "Client IP (c-ip)" is checked (being logged).
Now you can go open the log file, either with Notepad or a log reader, and find out what IP IIS sees when clients access your site. (This is most likely the internal IP of the Akamai system.)
If you're attempting to set up IP Blocking on a web site that's being proxied, with the intent of blocking specific external IP addresses, you would need to configure that from the Akamai system itself.
I hope this helps. Please let me know if I misunderstood your problem or desired result.
olivesoftware, Author, Commented:
We are using Akamai Site Delivery and our IIS version is 6.

The issue is the customer is using the same domain name for several sites and based on Virtual Directory we are blocking different IPs. One Virtual directory does not have any IP blocking on it and it works properly with the caching at Akamai.

The problem is once a user requests to go to the blocked virtual directories they go through Akamai and the IP address hitting our origin server is now an Akamai one and our server returns a page that your IP address is blocked.  

Akamai can pass the user's IP in a header, but that will not work unless I can change the value that our IIS server checks to block that IP. I am thinking the only way around this is to not use the built-in IIS blocking but to develop a code solution.
Matthew England, Technology Consultant, Commented:
Okay, that makes a little more sense. Unfortunately, IIS's IP blocking doesn't use the header information to determine the IP as those could be forged. Hopefully someone can chime in who has more expertise with Akamai Site Delivery. My experience is more with Citrix NetScaler, Sun Web Proxy and Microsoft IIS/TMG.

I think, in short, the problem you're having is that it's all the same domain... or in other words, that you're trying to implement the restrictions on virtual directories, vice separate sites. Generally, when I'm deploying sites with distinct security requirements, they would be deployed as a separate IIS site with a distinct URL. You could then set the IP blocking at the Site level and the Akamai solution would be able to recognize the blocks properly for each URL/domain. You could still have virtual directories, set up for navigational purposes, but rather than hosting the content in them, have them set to redirect to the new site.

So that, for example:

http://www.mysite.com/privatesite/, would be redirected to http://privatesite.mysite.com.
The IP Blocking would be established at the Site level, (http://privatesite.mysite.com) on IIS.

Because it's a separate URL, Akamai would still cache the error page, but present it only to future requests for that site.

Also, since they're distinct URLs, you could potentially configure the blocking at the Akamai Site Delivery solution point. (You may also be able to do this with the virtual directories, depending on the level of granular control it allows you to have.) Of course if you change the URLs, and are dealing with Secure pages, you would either need a separate certificate for each or (if Akamai allows it, and you're not using Extended Validation), a wildcard certificate for your top level domain.

Using a code-driven solution would work also, but keep in mind that it's less secure since header info can be spoofed relatively easily.

A last option would be to enable content expiration and set it to Immediate for the sites using IIS IP Blocking. This can be done in the IIS Site or Virtual Directory properties, and SHOULD prevent proxy servers from caching any response from IIS. Although, there are some complications with using content expiration on HTTPS sites, such as Flash content not being delivered.
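
The code-driven check discussed in this thread, as an added example that is not code from either poster: it reads the forwarded client address only when the connection itself comes from a known proxy, which addresses the spoofing concern raised above, and applies a deny list per virtual directory. It is written in Python to show the decision logic rather than as IIS code; the header name, the proxy range and the addresses are assumptions constructed for illustration.

```python
import ipaddress

# Constructed sample values (documentation ranges), not real CDN or customer addresses.
TRUSTED_PROXIES = [ipaddress.ip_network("192.0.2.0/24")]  # edge servers that reach the origin
CLIENT_IP_HEADER = "true-client-ip"  # assumed header name, compared in lower case

# Deny lists per virtual directory; directories not listed are unrestricted.
DENY_RULES = {
    "/privatesite/": [ipaddress.ip_network("203.0.113.0/24")],
    "/privatesite/admin/": [ipaddress.ip_network("203.0.113.0/24"),
                            ipaddress.ip_network("198.51.100.7/32")],
}

def effective_client_ip(peer_ip, headers):
    """Address the rules apply to, or None if the request must be refused."""
    peer = ipaddress.ip_address(peer_ip)
    if not any(peer in net for net in TRUSTED_PROXIES):
        return peer  # direct connection: the header is client-controlled, ignore it
    lowered = {k.lower(): v for k, v in headers.items()}
    try:
        return ipaddress.ip_address(lowered.get(CLIENT_IP_HEADER, "").strip())
    except ValueError:
        return None  # trusted proxy but header missing or malformed: fail closed

def is_allowed(peer_ip, path, headers):
    """Decide whether a request for `path` from socket peer `peer_ip` is served."""
    client = effective_client_ip(peer_ip, headers)
    if client is None:
        return False
    path = path.lower()  # IIS treats URL paths case-insensitively
    matches = [p for p in DENY_RULES if path.startswith(p)]
    if not matches:
        return True
    rules = DENY_RULES[max(matches, key=len)]  # most specific directory wins
    return not any(client in net for net in rules)
```

The check is only as strong as the trusted proxy list: it has to contain exactly the addresses the CDN uses to reach the origin.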

