introlux
asked on
IIS7 IP Restriction via Load Balancer
Hi,
I have been spending far too much time trying to work this out. I would like to IP restrict certain IP addresses from gaining access to the web server, however this is not possible because the traffic comes through a load balancer (ZEN). So I attempted to use Dynamic IP Restriction Proxy Mode however I add the ZEN Load Balancer IP address to the allowed list, by doing this it allows all traffic from the load balancer regardless.
I have also enabled X-FORWARDED-FOR header form the load balancer which I have identified in the logs using advance logging within IIS and I can see the external IP address.
So I need to pick this X-FORWARDED-FOR IP address and make a rule that if IP address xx.xx.xx.xx then deny/allow.
I have seen many advice on this using Rewrite module but I have failed and need help on this.
Thanks,
introlux
I have been spending far too much time trying to work this out. I would like to IP restrict certain IP addresses from gaining access to the web server, however this is not possible because the traffic comes through a load balancer (ZEN). So I attempted to use Dynamic IP Restriction Proxy Mode however I add the ZEN Load Balancer IP address to the allowed list, by doing this it allows all traffic from the load balancer regardless.
I have also enabled X-FORWARDED-FOR header form the load balancer which I have identified in the logs using advance logging within IIS and I can see the external IP address.
So I need to pick this X-FORWARDED-FOR IP address and make a rule that if IP address xx.xx.xx.xx then deny/allow.
I have seen many advice on this using Rewrite module but I have failed and need help on this.
Thanks,
introlux
ASKER
Well we have access to the Zen load balancer but I cannot see an option within this to make the sort of change to restrict IP addresses, hence why I am looking to make this change on IIS.
Are you using the Community or Enterprise version of Zen?
ASKER
Community
Do you have an edge firewall?
Do these IP addresses you want to block from accessing the web server need to access other services or resources passed the firewall? Passed the Zen? If not, for what reason do they need to be allowed inside at all?
Do these IP addresses you want to block from accessing the web server need to access other services or resources passed the firewall? Passed the Zen? If not, for what reason do they need to be allowed inside at all?
ASKER
We do have a firewall in place however I was hoping to sort this between the Zen Load Balancer and IIS.
The web servers need to be locked down to selected IP addresses.
The web servers need to be locked down to selected IP addresses.
One other thing to consider: If these IP addresses may be suspect, have you considered creating NAT rules on the firewall for connections coming to these IPs to go to a honeypot instead of simply denying them access.
This way you could log their activity and see what they're attempting to do. I would implement this by creating a Honeypot farm on the Zen pointed to a separate virtual IIS server with a site specifically designed to capture information on hostile activities.
This way you could log their activity and see what they're attempting to do. I would implement this by creating a Honeypot farm on the Zen pointed to a separate virtual IIS server with a site specifically designed to capture information on hostile activities.
Okay - why not use defence-in-depth - lock down permitted IPs at the webserver - only the load balancer and select internal machines may access the IIS servers from the internal network.
Use ModSecurity on top of IIS to inspect the XFF headers and only allow traffic to the real web site from permitted IP address ranges.
What session state methods is the Zen configured to use to implement sessions state? If one of those methods is IP, you can block those at the Zen's host's firewall or on the Zen's virtual firewall - a bit more tricky than just configuring Zen.
Use ModSecurity on top of IIS to inspect the XFF headers and only allow traffic to the real web site from permitted IP address ranges.
What session state methods is the Zen configured to use to implement sessions state? If one of those methods is IP, you can block those at the Zen's host's firewall or on the Zen's virtual firewall - a bit more tricky than just configuring Zen.
ASKER
So from what you are saying there is a way to configure this from the Zen load balancer?
Are you trying to block known IPs for known/detected activity? Or is this an effort to increase the security of your web apps?
- what type of activity are your trying to detect/block
If you know the undesired activity coming from specific IPs, you could redirect those specific URLs and forward them to a dummy page. This is where URL Rewrite would come in.
IMO, the best place to block this type of activity is at the firewall, FWs are specifically designed to provide protect edge assets and are super efficient in doing so.
Dan
- what type of activity are your trying to detect/block
If you know the undesired activity coming from specific IPs, you could redirect those specific URLs and forward them to a dummy page. This is where URL Rewrite would come in.
IMO, the best place to block this type of activity is at the firewall, FWs are specifically designed to provide protect edge assets and are super efficient in doing so.
Dan
ASKER
Yep we are looking to raise a ticket with the networking team to get this sorted however would have been nice we could achieve this via the application level.
Access is via port 80, 443. The load balancer has its own internal IP it comes through however carries an x-forwarder address which is the visitor address i want monitored and controlled who is allowed into the web server.
Access is via port 80, 443. The load balancer has its own internal IP it comes through however carries an x-forwarder address which is the visitor address i want monitored and controlled who is allowed into the web server.
If you have enabled the X-Forwarded-For on the LB and you set Dynamic IP Striction into Proxy Mode, you should be able to block IPs based on the original IP in the header.
Have you enabled advanced logging to verify that your IIS server(s) are seeing the header? Advanced logging has its own log (unfortunately).
Advanced Logging link:
- http://blogs.iis.net/deanc/iis7-8-logging-the-real-client-ip-in-the-iis-hit-logs
Using X-Forwarded-For header with Dynamic IP Restriction Proxy Mode link:
- http://blogs.iis.net/wadeh/dynamic-ip-restriction-proxy-mode
Dan
Have you enabled advanced logging to verify that your IIS server(s) are seeing the header? Advanced logging has its own log (unfortunately).
Advanced Logging link:
- http://blogs.iis.net/deanc/iis7-8-logging-the-real-client-ip-in-the-iis-hit-logs
Using X-Forwarded-For header with Dynamic IP Restriction Proxy Mode link:
- http://blogs.iis.net/wadeh/dynamic-ip-restriction-proxy-mode
Dan
ASKER
Hi Dan,
Yes did this however it still didnt work. I think this feature works on IIS8 and not on IIS7, IIS7.5
I have seen from the advance logging that x-forwarder address is passing through.
Yes did this however it still didnt work. I think this feature works on IIS8 and not on IIS7, IIS7.5
I have seen from the advance logging that x-forwarder address is passing through.
So, with Dynamic IP Restriction in Proxy Mode and X-Forwarded-For header coming in from the LB, you configured the following:
1. An ALLOW rule for the known LB
2. A DENY rule for the undesired IP received in the header
This didn't work?
From all that I can see and find, there is no indication that IIS7 and DIPR+Proxy Mode, does not function as expected. The article below was written before Server 2012 was released and references using the X header for DIPR in proxy mode.
Link: http://www.iis.net/learn/manage/configuring-security/using-dynamic-ip-restrictions
Can you post your config?
Also, is there a specific URL pattern you are looking to block?
Dan
1. An ALLOW rule for the known LB
2. A DENY rule for the undesired IP received in the header
This didn't work?
From all that I can see and find, there is no indication that IIS7 and DIPR+Proxy Mode, does not function as expected. The article below was written before Server 2012 was released and references using the X header for DIPR in proxy mode.
Link: http://www.iis.net/learn/manage/configuring-security/using-dynamic-ip-restrictions
Can you post your config?
Also, is there a specific URL pattern you are looking to block?
Dan
ASKER
I have placed this config on the root applicationHost file:
<security>
<access sslFlags="None" />
<applicationDependencies>
<application name="Active Server Pages" groupId="ASP" />
</applicationDependencies>
<authentication>
<anonymousAuthentication enabled="true" userName="IUSR" />
<basicAuthentication enabled="false" />
<clientCertificateMappingAuthentication />
<digestAuthentication />
<iisClientCertificateMappingAuthentication />
<windowsAuthentication />
</authentication>
<authorization />
<ipSecurity allowUnlisted="false">
<clear />
<add ipAddress="66.100.32.55" allowed="true" />
<add ipAddress="192.168.11.7" allowed="true" />
</ipSecurity>
<isapiCgiRestriction>
<add path="%windir%\system32\inetsrv\asp.dll" allowed="true" groupId="ASP" description="Active Server Pages" />
<add path="%windir%\Microsoft.NET\Framework64\v2.0.50727\aspnet_isapi.dll" allowed="true" groupId="ASP.NET v2.0.50727" description="ASP.NET v2.0.50727" />
<add path="%windir%\Microsoft.NET\Framework\v2.0.50727\aspnet_isapi.dll" allowed="true" groupId="ASP.NET v2.0.50727" description="ASP.NET v2.0.50727" />
<add path="C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_isapi.dll" allowed="false" groupId="ASP.NET v4.0.30319" description="ASP.NET v4.0.30319" />
<add path="C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_isapi.dll" allowed="false" groupId="ASP.NET v4.0.30319" description="ASP.NET v4.0.30319" />
</isapiCgiRestriction>
<requestFiltering>
<fileExtensions allowUnlisted="true" applyToWebDAV="true">
<add fileExtension=".asa" allowed="false" />
<add fileExtension=".asax" allowed="false" />
<add fileExtension=".ascx" allowed="false" />
<add fileExtension=".master" allowed="false" />
<add fileExtension=".skin" allowed="false" />
<add fileExtension=".browser" allowed="false" />
<add fileExtension=".sitemap" allowed="false" />
<add fileExtension=".config" allowed="false" />
<add fileExtension=".cs" allowed="false" />
<add fileExtension=".csproj" allowed="false" />
<add fileExtension=".vb" allowed="false" />
<add fileExtension=".vbproj" allowed="false" />
<add fileExtension=".webinfo" allowed="false" />
<add fileExtension=".licx" allowed="false" />
<add fileExtension=".resx" allowed="false" />
<add fileExtension=".resources" allowed="false" />
<add fileExtension=".mdb" allowed="false" />
<add fileExtension=".vjsproj" allowed="false" />
<add fileExtension=".java" allowed="false" />
<add fileExtension=".jsl" allowed="false" />
<add fileExtension=".ldb" allowed="false" />
<add fileExtension=".dsdgm" allowed="false" />
<add fileExtension=".ssdgm" allowed="false" />
<add fileExtension=".lsad" allowed="false" />
<add fileExtension=".ssmap" allowed="false" />
<add fileExtension=".cd" allowed="false" />
<add fileExtension=".dsprototype" allowed="false" />
<add fileExtension=".lsaprototype" allowed="false" />
<add fileExtension=".sdm" allowed="false" />
<add fileExtension=".sdmDocument" allowed="false" />
<add fileExtension=".mdf" allowed="false" />
<add fileExtension=".ldf" allowed="false" />
<add fileExtension=".ad" allowed="false" />
<add fileExtension=".dd" allowed="false" />
<add fileExtension=".ldd" allowed="false" />
<add fileExtension=".sd" allowed="false" />
<add fileExtension=".adprototype" allowed="false" />
<add fileExtension=".lddprototype" allowed="false" />
<add fileExtension=".exclude" allowed="false" />
<add fileExtension=".refresh" allowed="false" />
<add fileExtension=".compiled" allowed="false" />
<add fileExtension=".msgx" allowed="false" />
<add fileExtension=".vsdisco" allowed="false" />
<add fileExtension=".rules" allowed="false" />
</fileExtensions>
<verbs allowUnlisted="true" applyToWebDAV="true" />
<hiddenSegments applyToWebDAV="true">
<add segment="web.config" />
<add segment="bin" />
<add segment="App_code" />
<add segment="App_GlobalResources" />
<add segment="App_LocalResources" />
<add segment="App_WebReferences" />
<add segment="App_Data" />
<add segment="App_Browsers" />
</hiddenSegments>
</requestFiltering>
<dynamicIpSecurity enableProxyMode="true" />
</security>
Where is the deny access rule from the proxy mode?
Reference link for the <ipSecurity> element: https://www.iis.net/configreference/system.webserver/security/ipsecurity
I would expect the <ipSecurity> element to look something like this:
Dan
Reference link for the <ipSecurity> element: https://www.iis.net/configreference/system.webserver/security/ipsecurity
I would expect the <ipSecurity> element to look something like this:
<ipSecurity allowUnlisted="false" enableProxyMode="true">
<add ipAddress="66.100.32.55" allowed="true" />
<add ipAddress="192.168.11.7" allowed="true" />
</ipSecurity>
Dan
ASKER
Its right at the bottom:
I tried adding your line and it caused an error
<dynamicIpSecurity enableProxyMode="true" />
I tried adding your line and it caused an error
That's just it... the <dynamicIpSecurity> element is not supported until IIS 8.
Reference Link: https://www.iis.net/configreference/system.webserver/security/dynamicipsecurity
You mentioned that you are running IIS7(7.5).
- What was the error thrown?
Dan
Reference Link: https://www.iis.net/configreference/system.webserver/security/dynamicipsecurity
You mentioned that you are running IIS7(7.5).
- What was the error thrown?
Dan
ASKER
Error: Unrecognized attribute 'enableProxyMode'
Yeah, well error message could be coming from either of the elements.
Based on the docs at Microsoft, the <dynamicIpSecurity> element is not supported until IIS8, meaning that your applicationHost.config is setup incorrectly.
I would make a backup of the applicationHost.config, delete the <dynamicIpSecurity> element and use IIS Manager to reset the IP Restriction feature. Editing the applicationHost.config file by hand is not really recommended.
Dan
Based on the docs at Microsoft, the <dynamicIpSecurity> element is not supported until IIS8, meaning that your applicationHost.config is setup incorrectly.
I would make a backup of the applicationHost.config, delete the <dynamicIpSecurity> element and use IIS Manager to reset the IP Restriction feature. Editing the applicationHost.config file by hand is not really recommended.
Dan
ASKER
"reset the IP Restriction feature"
What do you mean by this? Also you mention "Editing the applicationHost.config file by hand is not really recommended."
So you are saying edit and then you shouldnt? little confused here.
What do you mean by this? Also you mention "Editing the applicationHost.config file by hand is not really recommended."
So you are saying edit and then you shouldnt? little confused here.
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Has this information helped?
Dan
Dan
You can use ModSecurity, which has the capability to intercept XFF, parse it, and respond to the traffic as desired through a set of rules.