Solved

How do I setup IIS virtual directory for external access.

Posted on 2011-02-17
10
961 Views
Last Modified: 2012-06-21
I am inexperienced with IIS so I hope that you will bear with me here.  We are running IIS 7.5 on Windows Server 2008 R2.  We have a site that we need both external and internal access to.  We are using SSL and I have successfully installed the cert and the site seems to be working fine internally.  The external dns resolution of the external address is working fine and I am port forwarding the static IP to the internal IIS server.  I can get to the IIS start page via SSL fine but when i try to type in a virtual directory like "https://xxx.domain.com/virtual_path", I recieve "internet explorer cannot display the webpage".  Any help is much appreciated.
0
Comment
Question by:jwiang4u
  • 4
  • 4
  • 2
10 Comments
 
LVL 34

Expert Comment

by:Paul MacDonald
ID: 34916945
You need to set a defaul page for the virtual directory.  That is, if you typed in "https://xxx.domain.com/virtual_path/somepage.aspx", you'd probably be okay, but IIS doesn't know what to do if you don't specify what page you want served.

In this case, select the virtual directory in the treeview, then specify the default document using the icon on the right.
0
 
LVL 1

Author Comment

by:jwiang4u
ID: 34917049
There is a default document select called "index.cfm".  If i navigate to this directory "https://xxx.domain.com/virtual_path/index.cfm", the page has only a few elements on it and IE shows me some errors.  When I look at the errors, they point to "Permission denied" on index.cfm.

This site was created by the installation of a document management product.
0
 
LVL 34

Expert Comment

by:Paul MacDonald
ID: 34917071
Does index.cfm exist?  Does the virtual directory allow anonymous access, or do visitors have to be authenticated?  Does index.cfm have NTFS permissions on it so only authenticated users can view it?
0
 
LVL 1

Author Comment

by:jwiang4u
ID: 34917695
The virtual directory doesn't allow anonymous access so i guess that is probably my problem.  I am contacting the vendor of the software that was installed to find out what they recommend.

In normal scenarios, would you provide anonymous access to virtual directory when it is an external website?

I will update as soon as I hear back from the software vendor.
0
 
LVL 42

Expert Comment

by:kevinhsieh
ID: 34917747
To follow what paulmacd says, I bet that you are using IE internally which can automatically authenticate to an internal IIS server. That doesn't happen externally. Some of the elements of that document management product are requiring access as someone other than anonymous, but IIS is allowing anonymous access. You probably need to remove anonymous access to the web site, but you should check with the vendor for the specifics.
0
Is Your AD Toolbox Looking More Like a Toybox?

Managing Active Directory can get complicated.  Often, the native tools for managing AD are just not up to the task.  The largest Active Directory installations in the world have relied on one tool to manage their day-to-day administration tasks: Hyena. Start your trial today.

 
LVL 34

Accepted Solution

by:
Paul MacDonald earned 250 total points
ID: 34917758
Most public web sites allow for "anonymous" access.  In the case of IIS, the anonymous account is by default a dedicated user account for the asp.net worker process (IUSR_something).  It's this account - by default - that anonymous visitors map to when they visit your site.
0
 
LVL 42

Assisted Solution

by:kevinhsieh
kevinhsieh earned 250 total points
ID: 34919497
You would normally allow anonymous access for things that don't require that you authenticate the users who are accessing the content. If the documents are not meant to be public (ie searchable via Google) and if there is any administrative function available, those should be secured by some sort of mechanism such as NTFS permissions on the files themselves or some sort or mechanism within the application to handle access control.
0
 
LVL 1

Author Comment

by:jwiang4u
ID: 34920516
I think you guys have pointed me in the right direction.  I noticed that when the application was installed, the virtual directories it created under the default site don't have the IUSR_something user in the permissions but do have the domain users.  The default site itself does have the IUSR_somthing user which is the reason why i could reach the IIS Welcome page externally but not any of the virtual directories.  The files that are housed in the doc-mgt system are protected via encryption in a flat file structure.  I am guessing that i need to grant the IUSR_something user permissions booth in IIS on the virtual directories and in NTFS in the inetpub directory.

I am still waiting back to hear from the vendor as this system requires validation and I don't want to do anything outside of spec.  I will let you guys know what i find out.  Thanks for the quick responses.
0
 
LVL 34

Expert Comment

by:Paul MacDonald
ID: 34920532
No problem.  Hope you get it sorted.
0
 
LVL 1

Author Comment

by:jwiang4u
ID: 35001163
I finally worked with the vendor to resolve the issue today.  The problem was that the IUSR user didn't have permission on the virtual directories under the default site.  Thanks for the help.
0

Featured Post

Netscaler Common Configuration How To guides

If you use NetScaler you will want to see these guides. The NetScaler How To Guides show administrators how to get NetScaler up and configured by providing instructions for common scenarios and some not so common ones.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

I was supporting a handful of Windows 2008 (non-R2) 2 node clusters with shared quorum disks. Some had SQL 2008 installed and some were just a vendor application that we supported. For the purposes of this article it doesn’t really matter which so w…
Possible fixes for Windows 7 and Windows Server 2008 updating problem. Solutions mentioned are from Microsoft themselves. I started a case with them from our Microsoft Silver Partner option to open a case and get direct support from Microsoft. If s…
This tutorial will walk an individual through configuring a drive on a Windows Server 2008 to perform shadow copies in order to quickly recover deleted files and folders. Click on Start and then select Computer to view the available drives on the se…
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles to another domain controller. Log onto the new domain controller with a user account t…

929 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

12 Experts available now in Live!

Get 1:1 Help Now