IP Security for IIS 7.5: how to set an allow rule for *.secure.xx.com in the interface?

I have been asked to create a deny rule on my web site for 'unspecified clients', then add an allow entry and set it to *.secure.xx.com. I can do the deny rule, but the allow will only take a specific IP address OR a range of IP addresses, and then there is the option for a mask or prefix with the range option. When I use my IP address and try to type this in the mask section, I get an error that says "invalid subnet mask must be IP address or integer value IPV4 0-128". I tried with and without the IP, and I can't see anywhere to add this value that works as an allow. Can someone tell me how to add this *.secure.xx.com to my allow entry?
kdschool asked:
Dan McFadden, Systems Engineer, commented:
You have to have the IIS feature "IP and Domain Restrictions" installed/enabled in order to best accomplish this. In order to build rules based on actual domain names, you need to modify the feature settings.

1. In IIS Manager, select the site you want to restrict/limit access to.
2. Open the IP and Domain Restrictions feature.
3. In the Actions column (right-hand column), click Edit Feature Settings.
4. Check "Enable domain name restrictions".
5. Click OK.
6. Add a new rule and you will now have "Domain name" as an option.

A warning: using this feature may impact the performance of the site. Microsoft recommends not enabling the functionality and restricting based on IP/network range.

Reference link: https://support.microsoft.com/en-us/kb/324066

Dan
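For readers who want to see what the six steps above actually write into the configuration, here is an added web.config fragment (not from the answerer or from Microsoft's KB article) showing the "deny unspecified clients" rule together with a domain-name allow entry for *.secure.xx.com; the 192.0.2.0/24 IP allow entry is a hypothetical placeholder for an administrative network.

```xml
<!-- web.config for the site (or for the restricted application / folder) -->
<configuration>
  <system.webServer>
    <security>
      <!-- allowUnlisted="false" is the "deny unspecified clients" rule from the question.
           enableReverseDns="true" is what "Enable domain name restrictions" turns on:
           IIS reverse-resolves every client IP to a host name before matching domainName
           entries, and that per-request DNS lookup is the performance cost the answer warns about. -->
      <ipSecurity allowUnlisted="false" enableReverseDns="true">
        <!-- Domain-name allow entry: the client's reverse-resolved name must end in .secure.xx.com.
             A client whose IP has no PTR record cannot match this entry and is denied. -->
        <add domainName="*.secure.xx.com" allowed="true" />
        <!-- Hypothetical IP/network allow entry (placeholder range), the cheaper form
             Microsoft recommends where the source addresses are known. -->
        <add ipAddress="192.0.2.0" subnetMask="255.255.255.0" allowed="true" />
      </ipSecurity>
    </security>
  </system.webServer>
</configuration>
```

The ipSecurity section is locked at the server level by default, so a rule in a site's web.config only takes effect after unlocking it (appcmd unlock config -section:system.webServer/security/ipSecurity) or after letting IIS Manager write the rule into applicationHost.config for you.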
 
kdschool (Author) commented:
They are telling me that the only files on my server that would be impacted are those secured folders where they log on via the Oracle plug-in WSSO. Is this correct, and if not, what argument should I use to not do the change? I did have someone else tell me there was minimal gain doing this, especially since the server is behind the firewall. Performance is important, as this server gets a lot of hits.
 
Dan McFadden, Systems Engineer, commented:
I don't know what Oracle WSSO does, so it would be hard for me to know what they may or may not be doing or accessing.

If the Oracle plug-in WSSO is just installed and looks like normal content, you must make this change at the site level. If the Oracle app is installed as a virtual application and hangs off a parent web site, then the Oracle plug-in WSSO has its own web.config and can be configured separately from the parent website's config.

Just because a server is behind a firewall doesn't mean it's secure. You have opened the HTTP port (or even HTTPS) to the server, which means anonymous people can access the content there. If you do not want unknown entities (people and bots) accessing a section of your site, you can build in a logon process or lock it down to either an IP address range or a domain name. So, yes, there is value... if the business functionality warrants it.

So the questions are...

1. Have you set this up and tried this config on a test web server?
1a. If not, I suggest you make this a recommendation... better to break a test setup than to take down production servers because you didn't test. Just saying...
2. How is the web server's hardware set up? RAM-wise? CPU-wise? Bandwidth?
3. What does your server's performance look like now?
4. How much traffic is "gets a lot of hits"?
5. What percentage of the traffic will be due to this Oracle plug-in?
5a. Is the Oracle plug-in integral to the functionality of the website?

Before using this part of the IP and Domain Restrictions feature, I would answer all of these questions. Answer them honestly. Plus, this will help you understand your server setup better and aid you in bringing suggestions and concerns to the table when discussing the web site and server.

Dan
 
kdschool (Author) commented:
Excellent recommendations and information to help me determine what to do in regards to this issue. Will do this in development before moving to production. Thank you.