krlaw6
asked on
"This web server leaks a private IP address through its HTTP headers" - OWA problem.
This relates directly to this post:
https://www.experts-exchange.com/questions/24906199/SBS-2003-fails-Security-Metrics-scan-because-it-leaks-the-internal-IP-address-because-it-does-not-have-host-header.html?sfQueryTermInfo=1+10+30+address+header+http+ip+it+leak+privat+server+through+web
Had the same problem as in the post listed above. PCI compliance scan returned the error quoted in the title. I used the accepted solution given by JerrytheGreat, and it worked - I reran the PCI compliance scan, and passed. However, now I'm unable to access Outlook Web Access from within my network, using either the mail.mydomain.com/exchange URL, or the internal IP/exchange address. Outside the network, OWA is working fine. I did restart IIS after applying the solution, like the post indicated.
The post I linked to mentions problems with OWA, but says that the script in the Accepted Solution doesn't cause any problems with OWA. In my case, it appears to have caused a problem.
Any help is appreciated.
Thanks.
What is the error you get when you access the OWA internally?
ASKER
shreedhar:
No error. The first time I tested it, a login dialog box popped up, and I put in my UN and PW, and got nothing but a blank white screen. Every time I tried after that, I just got a blank screen - no login prompt.
ASKER
shreedhar:
The article you linked to was one I had already read. And in it, the only difference from the script I used was that it used the "UseHostName" command, which apparently definitely "broke" OWA, and later, if you read the comments, someone else suggests the "SetHostName" instead, which is the command I used. And the person who used Set instead of Use seems to be indicating that this took care of the IP leaking problem without any adverse effects on OWA. But that hasn't been the case for me.
To confirm, you left the usehostname setting alone, right?
If not, you need to run:
C:\Inetpub\AdminScripts> cscript.exe adsutil.vbs set w3svc/1/UseHostName false
To put it back
JTG
ASKER
JerrytheGreat -
I did leave Use alone, and only used Set. (Read through all the comments in the referenced question, and saw that Use created problems, and Set didn't.) And I do have one of the firewalls you referenced.
As far as creating the zone in the DNS server, based on what I've been told by a colleague, I think that may be exactly what I need to do. However, I have zero experience with it, and my attempts have failed to resolve the issue. (Tried just now, and it was promising at first - I got a login prompt rather than just the blank white screen I've been getting, but when I tried to log in, got an Error: Access Denied message.)
Any chance of getting a little more of a walk-through with creating the DNS zone?
Thanks.
In DNS, you want to create a new zone. This would be a standard, primary zone, not Active Directory integrated.
Name the zone your public domain, e.g. joesribs.com
Then right-click in the new zone and select "new A record"
The first host name is "www" (your web server), and then put the IP of your website in, and click add. To look up these IP addresses, just open a command prompt and ping them (e.g. ping www.joesribs.com) and read the address from the command prompt. Now do the same for "mail" and any other names you may have for your domain.
That's it.
JTG
ASKER
To clarify, I was able to fix the problem by adding a rule to my firewall. The idea was suggested to me by this comment mentioning the firewall. However, I was never able to successfully create the DNS zone that fixed the problem.
So, to recap, the problem was fixed, but not by the DNS entry. Rather it was fixed by a firewall fix, which was suggested in this answer.
Refer to this:
https://www.experts-exchange.com/questions/24483642/This-web-server-leaks-a-private-IP-address-through-its-HTTP-headers.html
Hope this helps,
Shree