Solved

How do I setup IIS virtual directory for external access.

Posted on 2011-02-17
10
958 Views
Last Modified: 2012-06-21
I am inexperienced with IIS so I hope that you will bear with me here.  We are running IIS 7.5 on Windows Server 2008 R2.  We have a site that we need both external and internal access to.  We are using SSL and I have successfully installed the cert and the site seems to be working fine internally.  The external dns resolution of the external address is working fine and I am port forwarding the static IP to the internal IIS server.  I can get to the IIS start page via SSL fine but when i try to type in a virtual directory like "https://xxx.domain.com/virtual_path", I recieve "internet explorer cannot display the webpage".  Any help is much appreciated.
0
Comment
Question by:jwiang4u
  • 4
  • 4
  • 2
10 Comments
 
LVL 33

Expert Comment

by:paulmacd
ID: 34916945
You need to set a defaul page for the virtual directory.  That is, if you typed in "https://xxx.domain.com/virtual_path/somepage.aspx", you'd probably be okay, but IIS doesn't know what to do if you don't specify what page you want served.

In this case, select the virtual directory in the treeview, then specify the default document using the icon on the right.
0
 
LVL 1

Author Comment

by:jwiang4u
ID: 34917049
There is a default document select called "index.cfm".  If i navigate to this directory "https://xxx.domain.com/virtual_path/index.cfm", the page has only a few elements on it and IE shows me some errors.  When I look at the errors, they point to "Permission denied" on index.cfm.

This site was created by the installation of a document management product.
0
 
LVL 33

Expert Comment

by:paulmacd
ID: 34917071
Does index.cfm exist?  Does the virtual directory allow anonymous access, or do visitors have to be authenticated?  Does index.cfm have NTFS permissions on it so only authenticated users can view it?
0
 
LVL 1

Author Comment

by:jwiang4u
ID: 34917695
The virtual directory doesn't allow anonymous access so i guess that is probably my problem.  I am contacting the vendor of the software that was installed to find out what they recommend.

In normal scenarios, would you provide anonymous access to virtual directory when it is an external website?

I will update as soon as I hear back from the software vendor.
0
 
LVL 42

Expert Comment

by:kevinhsieh
ID: 34917747
To follow what paulmacd says, I bet that you are using IE internally which can automatically authenticate to an internal IIS server. That doesn't happen externally. Some of the elements of that document management product are requiring access as someone other than anonymous, but IIS is allowing anonymous access. You probably need to remove anonymous access to the web site, but you should check with the vendor for the specifics.
0
6 Surprising Benefits of Threat Intelligence

All sorts of threat intelligence is available on the web. Intelligence you can learn from, and use to anticipate and prepare for future attacks.

 
LVL 33

Accepted Solution

by:
paulmacd earned 250 total points
ID: 34917758
Most public web sites allow for "anonymous" access.  In the case of IIS, the anonymous account is by default a dedicated user account for the asp.net worker process (IUSR_something).  It's this account - by default - that anonymous visitors map to when they visit your site.
0
 
LVL 42

Assisted Solution

by:kevinhsieh
kevinhsieh earned 250 total points
ID: 34919497
You would normally allow anonymous access for things that don't require that you authenticate the users who are accessing the content. If the documents are not meant to be public (ie searchable via Google) and if there is any administrative function available, those should be secured by some sort of mechanism such as NTFS permissions on the files themselves or some sort or mechanism within the application to handle access control.
0
 
LVL 1

Author Comment

by:jwiang4u
ID: 34920516
I think you guys have pointed me in the right direction.  I noticed that when the application was installed, the virtual directories it created under the default site don't have the IUSR_something user in the permissions but do have the domain users.  The default site itself does have the IUSR_somthing user which is the reason why i could reach the IIS Welcome page externally but not any of the virtual directories.  The files that are housed in the doc-mgt system are protected via encryption in a flat file structure.  I am guessing that i need to grant the IUSR_something user permissions booth in IIS on the virtual directories and in NTFS in the inetpub directory.

I am still waiting back to hear from the vendor as this system requires validation and I don't want to do anything outside of spec.  I will let you guys know what i find out.  Thanks for the quick responses.
0
 
LVL 33

Expert Comment

by:paulmacd
ID: 34920532
No problem.  Hope you get it sorted.
0
 
LVL 1

Author Comment

by:jwiang4u
ID: 35001163
I finally worked with the vendor to resolve the issue today.  The problem was that the IUSR user didn't have permission on the virtual directories under the default site.  Thanks for the help.
0

Featured Post

How your wiki can always stay up-to-date

Quip doubles as a “living” wiki and a project management tool that evolves with your organization. As you finish projects in Quip, the work remains, easily accessible to all team members, new and old.
- Increase transparency
- Onboard new hires faster
- Access from mobile/offline

Join & Write a Comment

If you migrate a Terminal Server licenses server inside the 2008 server family, you can takte advantage of the build-in migration tool. If you like to migrate an older 2003 Server (and the installed client CALs) to a 2008 R2 server for example, you …
Lync server 2013 Backup Service Error ID 4049 – After File Share Migration
This tutorial will give a short introduction and overview of Backup Exec 2012 and how to navigate and perform basic functions. Click on the Backup Exec button in the upper left corner. From here, are global settings for the application such as conne…
This tutorial will walk an individual through setting the global and backup job media overwrite and protection periods in Backup Exec 2012. Log onto the Backup Exec Central Administration Server. Examine the services. If all or most of them are stop…

743 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

14 Experts available now in Live!

Get 1:1 Help Now