Learn how to a build a cloud-first strategyRegister Now

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 322
  • Last Modified:

IIS7 IP Restriction via Load Balancer

Hi,

I have been spending far too much time trying to work this out. I would like to IP restrict certain IP addresses from gaining access to the web server, however this is not possible because the traffic comes through a load balancer (ZEN). So I attempted to use Dynamic IP Restriction Proxy Mode however I add the ZEN Load Balancer IP address to the allowed list, by doing this it allows all traffic from the load balancer regardless.

I have also enabled X-FORWARDED-FOR header form the load balancer which I have identified in the logs using advance logging within IIS and I can see the external IP address.

So I need to pick this X-FORWARDED-FOR IP address and make a rule that if IP address xx.xx.xx.xx then deny/allow.

I have seen many advice on this using Rewrite module but I have failed and need help on this.

Thanks,

introlux
0
introlux
Asked:
introlux
  • 10
  • 8
  • 5
1 Solution
 
WalkaboutTiggerCommented:
And the people who manage the load balancer cannot or will not set this filter up on their end - the appropriate place to put it?

You can use ModSecurity, which has the capability to intercept XFF, parse it, and respond to the traffic as desired through a set of rules.
0
 
introluxAuthor Commented:
Well we have access to the Zen load balancer but I cannot see an option within this to make the sort of change to restrict IP addresses, hence why I am looking to make this change on IIS.
0
 
WalkaboutTiggerCommented:
Are you using the Community or Enterprise version of Zen?
0
Free Backup Tool for VMware and Hyper-V

Restore full virtual machine or individual guest files from 19 common file systems directly from the backup file. Schedule VM backups with PowerShell scripts. Set desired time, lean back and let the script to notify you via email upon completion.  

 
introluxAuthor Commented:
Community
0
 
WalkaboutTiggerCommented:
Do you have an edge firewall?

Do these IP addresses you want to block from accessing the web server need to access other services or resources passed the firewall?  Passed the Zen?  If not, for what reason do they need to be allowed inside at all?
0
 
introluxAuthor Commented:
We do have a firewall in place however I was hoping to sort this between the Zen Load Balancer and IIS.

The web servers need to be locked down to selected IP addresses.
0
 
WalkaboutTiggerCommented:
One other thing to consider:  If these IP addresses may be suspect, have you considered creating NAT rules on the firewall for connections coming to these IPs to go to a honeypot instead of simply denying them access.
This way you could log their activity and see what they're attempting to do.  I would implement this by creating a Honeypot farm on the Zen pointed to a separate virtual IIS server with a site specifically designed to capture information on hostile activities.
0
 
WalkaboutTiggerCommented:
Okay - why not use defence-in-depth - lock down permitted IPs at the webserver - only the load balancer and select internal machines may access the IIS servers from the internal network.

Use ModSecurity on top of IIS to inspect the XFF headers and only allow traffic to the real web site from permitted IP address ranges.

What session state methods is the Zen configured to use to implement sessions state?  If one of those methods is IP, you can block those at the Zen's host's firewall or on the Zen's virtual firewall - a bit more tricky than just configuring Zen.
0
 
introluxAuthor Commented:
So from what you are saying there is a way to configure this from the Zen load balancer?
0
 
Dan McFaddenSystems EngineerCommented:
Are you trying to block known IPs for known/detected activity?  Or is this an effort to increase the security of your web apps?

- what type of activity are your trying to detect/block

If you know the undesired activity coming from specific IPs, you could redirect those specific URLs and forward them to a dummy page.  This is where URL Rewrite would come in.

IMO, the best place to block this type of activity is at the firewall, FWs are specifically designed to provide protect edge assets and are super efficient in doing so.

Dan
0
 
introluxAuthor Commented:
Yep we are looking to raise a ticket with the networking team to get this sorted however would have been nice we could achieve this via the application level.

Access is via port 80, 443. The load balancer has its own internal IP it comes through however carries an x-forwarder address which is the visitor address i want monitored and controlled who is allowed into the web server.
0
 
Dan McFaddenSystems EngineerCommented:
If you have enabled the X-Forwarded-For on the LB and you set Dynamic IP Striction into Proxy Mode, you should be able to block IPs based on the original IP in the header.

Have you enabled advanced logging to verify that your IIS server(s) are seeing the header?  Advanced logging has its own log (unfortunately).

Advanced Logging link:

- http://blogs.iis.net/deanc/iis7-8-logging-the-real-client-ip-in-the-iis-hit-logs

Using X-Forwarded-For header with Dynamic IP Restriction Proxy Mode link:

- http://blogs.iis.net/wadeh/dynamic-ip-restriction-proxy-mode

Dan
0
 
introluxAuthor Commented:
Hi Dan,

Yes did this however it still didnt work. I think this feature works on IIS8 and not on IIS7, IIS7.5

I have seen from the advance logging that x-forwarder address is passing through.
0
 
Dan McFaddenSystems EngineerCommented:
So, with Dynamic IP Restriction in Proxy Mode and X-Forwarded-For header coming in from the LB, you configured the following:

1.  An ALLOW rule for the known LB
2.  A DENY rule for the undesired IP received in the header

This didn't work?

From all that I can see and find, there is no indication that IIS7 and DIPR+Proxy Mode, does not function as expected.  The article below was written before Server 2012 was released and references using the X header for DIPR in proxy mode.

Link:  http://www.iis.net/learn/manage/configuring-security/using-dynamic-ip-restrictions

Can you post your config?

Also, is there a specific URL pattern you are looking to block?

Dan
0
 
introluxAuthor Commented:
I have placed this config on the root applicationHost file:

        <security>

            <access sslFlags="None" />

            <applicationDependencies>
                <application name="Active Server Pages" groupId="ASP" />
            </applicationDependencies>

            <authentication>

                <anonymousAuthentication enabled="true" userName="IUSR" />

                <basicAuthentication enabled="false" />

                <clientCertificateMappingAuthentication />

                <digestAuthentication />

                <iisClientCertificateMappingAuthentication />

                <windowsAuthentication />

            </authentication>

            <authorization />

            <ipSecurity allowUnlisted="false">
                <clear />
                <add ipAddress="66.100.32.55" allowed="true" />
                <add ipAddress="192.168.11.7" allowed="true" />
            </ipSecurity>

            <isapiCgiRestriction>
                <add path="%windir%\system32\inetsrv\asp.dll" allowed="true" groupId="ASP" description="Active Server Pages" />
                <add path="%windir%\Microsoft.NET\Framework64\v2.0.50727\aspnet_isapi.dll" allowed="true" groupId="ASP.NET v2.0.50727" description="ASP.NET v2.0.50727" />
                <add path="%windir%\Microsoft.NET\Framework\v2.0.50727\aspnet_isapi.dll" allowed="true" groupId="ASP.NET v2.0.50727" description="ASP.NET v2.0.50727" />
                <add path="C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_isapi.dll" allowed="false" groupId="ASP.NET v4.0.30319" description="ASP.NET v4.0.30319" />
                <add path="C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_isapi.dll" allowed="false" groupId="ASP.NET v4.0.30319" description="ASP.NET v4.0.30319" />
            </isapiCgiRestriction>

            <requestFiltering>
                <fileExtensions allowUnlisted="true" applyToWebDAV="true">
                    <add fileExtension=".asa" allowed="false" />
                    <add fileExtension=".asax" allowed="false" />
                    <add fileExtension=".ascx" allowed="false" />
                    <add fileExtension=".master" allowed="false" />
                    <add fileExtension=".skin" allowed="false" />
                    <add fileExtension=".browser" allowed="false" />
                    <add fileExtension=".sitemap" allowed="false" />
                    <add fileExtension=".config" allowed="false" />
                    <add fileExtension=".cs" allowed="false" />
                    <add fileExtension=".csproj" allowed="false" />
                    <add fileExtension=".vb" allowed="false" />
                    <add fileExtension=".vbproj" allowed="false" />
                    <add fileExtension=".webinfo" allowed="false" />
                    <add fileExtension=".licx" allowed="false" />
                    <add fileExtension=".resx" allowed="false" />
                    <add fileExtension=".resources" allowed="false" />
                    <add fileExtension=".mdb" allowed="false" />
                    <add fileExtension=".vjsproj" allowed="false" />
                    <add fileExtension=".java" allowed="false" />
                    <add fileExtension=".jsl" allowed="false" />
                    <add fileExtension=".ldb" allowed="false" />
                    <add fileExtension=".dsdgm" allowed="false" />
                    <add fileExtension=".ssdgm" allowed="false" />
                    <add fileExtension=".lsad" allowed="false" />
                    <add fileExtension=".ssmap" allowed="false" />
                    <add fileExtension=".cd" allowed="false" />
                    <add fileExtension=".dsprototype" allowed="false" />
                    <add fileExtension=".lsaprototype" allowed="false" />
                    <add fileExtension=".sdm" allowed="false" />
                    <add fileExtension=".sdmDocument" allowed="false" />
                    <add fileExtension=".mdf" allowed="false" />
                    <add fileExtension=".ldf" allowed="false" />
                    <add fileExtension=".ad" allowed="false" />
                    <add fileExtension=".dd" allowed="false" />
                    <add fileExtension=".ldd" allowed="false" />
                    <add fileExtension=".sd" allowed="false" />
                    <add fileExtension=".adprototype" allowed="false" />
                    <add fileExtension=".lddprototype" allowed="false" />
                    <add fileExtension=".exclude" allowed="false" />
                    <add fileExtension=".refresh" allowed="false" />
                    <add fileExtension=".compiled" allowed="false" />
                    <add fileExtension=".msgx" allowed="false" />
                    <add fileExtension=".vsdisco" allowed="false" />
                    <add fileExtension=".rules" allowed="false" />
                </fileExtensions>
                <verbs allowUnlisted="true" applyToWebDAV="true" />
                <hiddenSegments applyToWebDAV="true">
                    <add segment="web.config" />
                    <add segment="bin" />
                    <add segment="App_code" />
                    <add segment="App_GlobalResources" />
                    <add segment="App_LocalResources" />
                    <add segment="App_WebReferences" />
                    <add segment="App_Data" />
                    <add segment="App_Browsers" />
                </hiddenSegments>
            </requestFiltering>
            <dynamicIpSecurity enableProxyMode="true" />

        </security>

Open in new window

0
 
Dan McFaddenSystems EngineerCommented:
Where is the deny access rule from the proxy mode?

Reference link for the <ipSecurity> element:  https://www.iis.net/configreference/system.webserver/security/ipsecurity

I would expect the <ipSecurity> element to look something like this:

<ipSecurity allowUnlisted="false" enableProxyMode="true">
    <add ipAddress="66.100.32.55" allowed="true" />
    <add ipAddress="192.168.11.7" allowed="true" />
</ipSecurity>

Open in new window


Dan
0
 
introluxAuthor Commented:
Its right at the bottom:

<dynamicIpSecurity enableProxyMode="true" />

Open in new window


I tried adding your line and it caused an error
0
 
Dan McFaddenSystems EngineerCommented:
That's just it...  the <dynamicIpSecurity> element is not supported until IIS 8.

Reference Link:  https://www.iis.net/configreference/system.webserver/security/dynamicipsecurity

You mentioned that you are running IIS7(7.5).

- What was the error thrown?

Dan
0
 
introluxAuthor Commented:
Error: Unrecognized attribute 'enableProxyMode'
0
 
Dan McFaddenSystems EngineerCommented:
Yeah, well error message could be coming from either of the elements.

Based on the docs at Microsoft, the <dynamicIpSecurity> element is not supported until IIS8, meaning that your applicationHost.config is setup incorrectly.

I would make a backup of the applicationHost.config, delete the <dynamicIpSecurity> element and use IIS Manager to reset the IP Restriction feature.  Editing the applicationHost.config file by hand is not really recommended.

Dan
0
 
introluxAuthor Commented:
"reset the IP Restriction feature"

What do you mean by this? Also you  mention "Editing the applicationHost.config file by hand is not really recommended."

So you are saying edit and then you shouldnt? little confused here.
0
 
Dan McFaddenSystems EngineerCommented:
To reset the feature configuration:

In IIS Manager, go to the website and make sure that the site is using the server's setup.  Do this by opening the feature and click "Revert to Parent" in the actions panel (right hand upper corner).

Then go to the server and open the feature, remove all custom configuration.  This is effectively a reset.

Do an IISRESET.

Now, in IIS Manager, at the server scope, open the feature and setup DIPR in proxy mode as described above, and at the server scope, add your LB IPs.  Apply the settings.

At this point, the server scope settings will be automatically inherited by all websites hosted on this IIS server.

As for editing the applicationHost.config file directly (by hand), unless you are well versed on what elements go where and their exact attribute settings, I would not recommend changing the setting with notepad.  Only make these changes by using the IIS Manager.

The only way an unsupported element could have gotten into your server's applicationHost.config file is by you either editing it in a text editor or you copied it from a server running IIS8+.

My recommendation to not edit the file directly was for future reference.

Dan
0
 
Dan McFaddenSystems EngineerCommented:
Has this information helped?

Dan
0

Featured Post

Concerto Cloud for Software Providers & ISVs

Can Concerto Cloud Services help you focus on evolving your application offerings, while delivering the best cloud experience to your customers? From DevOps to revenue models and customer support, the answer is yes!

Learn how Concerto can help you.

  • 10
  • 8
  • 5
Tackle projects and never again get stuck behind a technical roadblock.
Join Now