IP Security for IIS 7.5 not working correctly, need assistance?

I have been instructed to first set the default for 'unspecified clients' to deny, then add an allow entry and set it to secure.xx.com. It restricts the entire site when I do this.

From Default Web Site I select IP Address & Domain Restrictions, select Edit Feature Settings and say deny for unspecified clients, then select Enable Domain Name Restrictions. This does not list anything in the interface. Then I go to the allow option and add the domain secure.xx.com, and that shows up in the interface list.

The result is "You do not have permission to view this site" from the home page. The only way I can get this to work is to go back and change the unspecified clients setting back to allow. I also tried doing this the other way around, setting the allow before the deny, with the same results. Do I need a second allow for the server IP address? If so, that seems like it defeats the purpose.

I am doing something wrong but not sure what.
kdschool Asked:
Dan McFadden (Systems Engineer) Commented:
How have you built your allow rule?

Does the domain name look like this:

1. secure.xx.com

- or -

2. *.secure.xx.com

Your allow rule for the domain should be for #2.

Dan
0
kdschool (Author) Commented:
The instructions say to first set the default for 'unspecified clients' to deny, then do the allow entry for *.secure.xx.com.

I also added my IP as an allow entry and still get permission denied when viewing the site.

The 'unspecified clients' deny does not show up in the list, as that is under feature settings.
0
Dan McFadden (Systems Engineer) Commented:
The first item is to configure how the feature setting handles "unspecified clients" and will not show in the rules list. What do you have as a Deny Action Type configured?

Is it Forbidden or something else? If it is not Forbidden, set it to Forbidden and try again.

It should look like this:

IIS-IP-Domain-Restrictions.PNG
Dan
0
kdschool (Author) Commented:
I only have this setting on IIS 7.0.
See attachment; I don't have an option to use the Forbidden selection.
IPSettingsBox.docx
0
kdschool (Author) Commented:
The option I used was deny; the image shows allowed because I had to reset it back for the site to be viewable.
0
kdschool (Author) Commented:
What I think is happening is that they are only using the allow for *.secure.xx.com. That means all the web pages that are not secured are not being served; they are denied. To get to a secure link you have to see the page that is not secured. Unspecified clients is blocking everyone, because you would have to have a range of allowed IP addresses for anyone to see the pages that are not under the secured allow. Does this seem right to you?
0
Dan McFadden (Systems Engineer) Commented:
If you are doing this on the root of the website, then yes, you are blocking access for everyone... by default.  The allow rule should then permit access if a DNS lookup resolves your IP address to a host in the domain listed in the rule.

So, with *.secure.xx.com being allowed, anything with = computername.secure.xx.com should be let in.

Can you look into your site's web.config and see if there is a section called <ipsecurity>?  Can you post it if exists.

Also, try this method:

1. make sure the site is accessible and turn off ip & domain restrictions
2. create an allow rule for the domain *.secure.xx.com
3. now enable the deny rule by editing the feature settings.

Dan
0
kdschool (Author) Commented:
Here are the applicationHost settings that have ipSecurity in them.

<sectionGroup name="security">
                <section name="ipSecurity" overrideModeDefault="Deny" />
                <section name="requestFiltering" overrideModeDefault="Deny" />
                <section name="authorization" overrideModeDefault="Deny" />
            </sectionGroup>

<ipSecurity allowUnlisted="true">
            </ipSecurity>

<security>
                <authentication>
                    <anonymousAuthentication enabled="true" />
                </authentication>
                <ipSecurity enableReverseDns="true" allowUnlisted="true">
                    <add ipAddress="xxx.xx.xxx.xx" allowed="true" />
                    <add domainName="*.secure.xx.com" allowed="true" />
                </ipSecurity>
            </security>

<ipSecurity />
            <requestFiltering>
                <hiddenSegments>
                    <add segment="_vti_bin" />
                </hiddenSegments>
            </requestFiltering>
            <authorization />
        </security>
0
kdschool (Author) Commented:
I did try that sequence you gave me and still get the message "You do not have permission to view this site" on the web page.
0
Dan McFadden (Systems Engineer) Commented:
This is a direct cut & paste from the web.config?

There are a few entries that should not be there, the bolded ones:


<sectionGroup name="security">
                 <section name="ipSecurity" overrideModeDefault="Deny" />
                 <section name="requestFiltering" overrideModeDefault="Deny" />
                 <section name="authorization" overrideModeDefault="Deny" />
             </sectionGroup>

<ipSecurity allowUnlisted="true">
             </ipSecurity>


 <security>
                 <authentication>
                     <anonymousAuthentication enabled="true" />
                 </authentication>
                 <ipSecurity enableReverseDns="true" allowUnlisted="true">
                     <add ipAddress="xxx.xx.xxx.xx" allowed="true" />
                     <add domainName="*.secure.xx.com" allowed="true" />
                 </ipSecurity>
             </security>

<ipSecurity />
             <requestFiltering>
                 <hiddenSegments>
                     <add segment="_vti_bin" />
                 </hiddenSegments>
             </requestFiltering>
             <authorization />
         </security>

It should look like this:

<sectionGroup name="security">
     <section name="ipSecurity" overrideModeDefault="Deny" />
     <section name="requestFiltering" overrideModeDefault="Deny" />
     <section name="authorization" overrideModeDefault="Deny" />
</sectionGroup>

<security>
     <authentication>
         <anonymousAuthentication enabled="true" />
     </authentication>
     <ipSecurity enableReverseDns="true" allowUnlisted="true">
         <add ipAddress="xxx.xx.xxx.xx" allowed="true" />
         <add domainName="*.secure.xx.com" allowed="true" />
     </ipSecurity>
 </security>

<requestFiltering>
     <hiddenSegments>
         <add segment="_vti_bin" />
     </hiddenSegments>
 </requestFiltering>
<authorization />



Can you try the following:

1. make a copy/backup of the existing web.config
2. remove the <security> section
3. remove the bolded items highlighted above
4. save the web.config
5. test

Dan
0
kdschool (Author) Commented:
OK, I will try that. It looks like they are identical except for the two items in bold, so I will remove those and see what happens.
0
Dan McFadden (Systems Engineer) Commented:
3 items need to be removed.

1.<ipSecurity allowUnlisted="true">
              </ipSecurity>
2. <ipSecurity />
3. </security>

Dan
0
kdschool (Author) Commented:
The code is not all together in the file. It's spaced out over the file. Does that matter?
0
Dan McFadden (Systems Engineer) Commented:
As long as it is only those specific entries.

Dan
0
kdschool (Author) Commented:
Well, it did not like that; it said malformed XML and threw a 505 server error. I pulled the file back from my backup from before I made the IP changes. I redid them exactly like the instructions they gave me, and here is what the code looks like now. Same error about permissions, however.


 <security>
                <authentication>
                    <anonymousAuthentication enabled="true" />
                </authentication>
                <access sslFlags="SslNegotiateCert" />
                <ipSecurity enableReverseDns="true" allowUnlisted="true">
                    <add domainName="*.secure.xx.com" allowed="true" />
                    <add ipAddress="xxx.xx.xxx.xxx" allowed="true" />
                </ipSecurity>
            </security>


 <security>
            <ipSecurity />
            <requestFiltering>
            </requestFiltering>
            <authorization />
        </security>
0
Dan McFadden (Systems Engineer) Commented:
Can you check what NTFS permissions are set on the site directory and the Oracle plugin location?

Dan
0
kdschool (Author) Commented:
Dan, I am awarding this question to you. Thank you for all this amazing information that helped me figure this out. There was one permission missing on the NTFS folder, and it also made me make the changes at the server level, not the web site level. It would never work at the web site level. I have the WSSO folks asking why it could not be done at the web site level, since the Microsoft instructions say to do it at that level. I appreciate all the time you spent helping me figure this out.
0
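The following is an added example, not code from this thread, from Microsoft or from either participant. It scripts the sequence Dan lists in his earlier comment (allow rules first, then the deny for unspecified clients) with the WebAdministration PowerShell module, and it writes the rules into applicationHost.config rather than the site's web.config, which is what kdschool found was the only placement that worked. The pasted sectionGroup shows `<section name="ipSecurity" overrideModeDefault="Deny" />`, which locks that section at the server level; a locked section cannot be set from a web.config, so writing the site's rules into applicationHost.config (scoped to the site with a location element) or unlocking the section first are the two options. The site name, the IP 203.0.113.10 (a documentation-range placeholder) and the registry version check are assumptions; `*.secure.xx.com` is the domain from the thread.

```powershell
# Added example (not from the thread): configure IIS IP and Domain Restrictions for one
# site, stored in applicationHost.config, with the WebAdministration module (IIS 7.x+).
# Assumptions: site 'Default Web Site', placeholder client IP 203.0.113.10, elevated shell.
Import-Module WebAdministration

$site    = 'Default Web Site'
$filter  = 'system.webServer/security/ipSecurity'
$appHost = 'MACHINE/WEBROOT/APPHOST'   # applicationHost.config; -Location scopes it to the site

# Optional: the thread's applicationHost.config locks ipSecurity (overrideModeDefault="Deny").
# Leaving it locked is the safer default, because a site's web.config then cannot loosen the
# restriction. Only if you genuinely need web.config entries, unlock it explicitly:
# Set-WebConfiguration -PSPath $appHost -Filter "/$filter" -Metadata overrideMode -Value Allow

# Step 1 (Dan's order): add the allow entries while unlisted clients are still allowed,
# so the site stays reachable during the change. Every tester whose address will not
# reverse-resolve into the domain needs an IP entry, which is what kdschool observed.
Add-WebConfigurationProperty -PSPath $appHost -Location $site -Filter $filter -Name '.' `
    -Value @{ ipAddress = '203.0.113.10'; allowed = $true }
Add-WebConfigurationProperty -PSPath $appHost -Location $site -Filter $filter -Name '.' `
    -Value @{ domainName = '*.secure.xx.com'; allowed = $true }

# Domain rules only take effect with reverse DNS enabled: IIS resolves the client IP to a
# host name (a PTR lookup) and matches that name against domainName entries.
Set-WebConfigurationProperty -PSPath $appHost -Location $site -Filter $filter `
    -Name enableReverseDns -Value $true

# Step 2: only now deny unspecified clients. allowUnlisted="false" is the attribute behind
# the GUI's "Access for unspecified clients: Deny" and never appears in the rules list.
Set-WebConfigurationProperty -PSPath $appHost -Location $site -Filter $filter `
    -Name allowUnlisted -Value $false

# denyAction (the "Deny Action Type" Dan asked about) was added in IIS 8.0; on IIS 7.0/7.5
# the attribute does not exist, which matches what kdschool saw in the feature settings.
$iisMajor = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\InetStp').MajorVersion
if ($iisMajor -ge 8) {
    Set-WebConfigurationProperty -PSPath $appHost -Location $site -Filter $filter `
        -Name denyAction -Value 'Forbidden'
}

# Step 3: read back the effective configuration for the site and check it before testing
# from a client. The collection shows each allow/deny entry as IIS will evaluate it.
Get-WebConfiguration -PSPath $appHost -Location $site -Filter $filter |
    Select-Object allowUnlisted, enableReverseDns
Get-WebConfiguration -PSPath $appHost -Location $site -Filter "$filter/add" |
    Select-Object ipAddress, subnetMask, domainName, allowed
```

Run it once from an elevated PowerShell on the IIS host; if the section is left locked, any leftover `<ipSecurity>` element in the site's web.config (the stray entries Dan pointed out in the pasted file) will still make the site fail with a configuration error, so remove those from web.config rather than trying to duplicate the rules there.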
kdschool (Author) Commented:
Dan did an amazing job of providing very good information on this issue.
0