IIS7 IP Restriction via Load Balancer


I have been spending far too much time trying to work this out. I would like to IP restrict certain IP addresses from gaining access to the web server, however this is not possible because the traffic comes through a load balancer (ZEN). So I attempted to use Dynamic IP Restriction Proxy Mode however I add the ZEN Load Balancer IP address to the allowed list, by doing this it allows all traffic from the load balancer regardless.

I have also enabled X-FORWARDED-FOR header form the load balancer which I have identified in the logs using advance logging within IIS and I can see the external IP address.

So I need to pick this X-FORWARDED-FOR IP address and make a rule that if IP address xx.xx.xx.xx then deny/allow.

I have seen many advice on this using Rewrite module but I have failed and need help on this.


Who is Participating?
Dan McFaddenSystems EngineerCommented:
To reset the feature configuration:

In IIS Manager, go to the website and make sure that the site is using the server's setup.  Do this by opening the feature and click "Revert to Parent" in the actions panel (right hand upper corner).

Then go to the server and open the feature, remove all custom configuration.  This is effectively a reset.


Now, in IIS Manager, at the server scope, open the feature and setup DIPR in proxy mode as described above, and at the server scope, add your LB IPs.  Apply the settings.

At this point, the server scope settings will be automatically inherited by all websites hosted on this IIS server.

As for editing the applicationHost.config file directly (by hand), unless you are well versed on what elements go where and their exact attribute settings, I would not recommend changing the setting with notepad.  Only make these changes by using the IIS Manager.

The only way an unsupported element could have gotten into your server's applicationHost.config file is by you either editing it in a text editor or you copied it from a server running IIS8+.

My recommendation to not edit the file directly was for future reference.

Darrell PorterEnterprise Business Process ArchitectCommented:
And the people who manage the load balancer cannot or will not set this filter up on their end - the appropriate place to put it?

You can use ModSecurity, which has the capability to intercept XFF, parse it, and respond to the traffic as desired through a set of rules.
introluxAuthor Commented:
Well we have access to the Zen load balancer but I cannot see an option within this to make the sort of change to restrict IP addresses, hence why I am looking to make this change on IIS.
Simplify Active Directory Administration

Administration of Active Directory does not have to be hard.  Too often what should be a simple task is made more difficult than it needs to be.The solution?  Hyena from SystemTools Software.  With ease-of-use as well as powerful importing and bulk updating capabilities.

Darrell PorterEnterprise Business Process ArchitectCommented:
Are you using the Community or Enterprise version of Zen?
introluxAuthor Commented:
Darrell PorterEnterprise Business Process ArchitectCommented:
Do you have an edge firewall?

Do these IP addresses you want to block from accessing the web server need to access other services or resources passed the firewall?  Passed the Zen?  If not, for what reason do they need to be allowed inside at all?
introluxAuthor Commented:
We do have a firewall in place however I was hoping to sort this between the Zen Load Balancer and IIS.

The web servers need to be locked down to selected IP addresses.
Darrell PorterEnterprise Business Process ArchitectCommented:
One other thing to consider:  If these IP addresses may be suspect, have you considered creating NAT rules on the firewall for connections coming to these IPs to go to a honeypot instead of simply denying them access.
This way you could log their activity and see what they're attempting to do.  I would implement this by creating a Honeypot farm on the Zen pointed to a separate virtual IIS server with a site specifically designed to capture information on hostile activities.
Darrell PorterEnterprise Business Process ArchitectCommented:
Okay - why not use defence-in-depth - lock down permitted IPs at the webserver - only the load balancer and select internal machines may access the IIS servers from the internal network.

Use ModSecurity on top of IIS to inspect the XFF headers and only allow traffic to the real web site from permitted IP address ranges.

What session state methods is the Zen configured to use to implement sessions state?  If one of those methods is IP, you can block those at the Zen's host's firewall or on the Zen's virtual firewall - a bit more tricky than just configuring Zen.
introluxAuthor Commented:
So from what you are saying there is a way to configure this from the Zen load balancer?
Dan McFaddenSystems EngineerCommented:
Are you trying to block known IPs for known/detected activity?  Or is this an effort to increase the security of your web apps?

- what type of activity are your trying to detect/block

If you know the undesired activity coming from specific IPs, you could redirect those specific URLs and forward them to a dummy page.  This is where URL Rewrite would come in.

IMO, the best place to block this type of activity is at the firewall, FWs are specifically designed to provide protect edge assets and are super efficient in doing so.

introluxAuthor Commented:
Yep we are looking to raise a ticket with the networking team to get this sorted however would have been nice we could achieve this via the application level.

Access is via port 80, 443. The load balancer has its own internal IP it comes through however carries an x-forwarder address which is the visitor address i want monitored and controlled who is allowed into the web server.
Dan McFaddenSystems EngineerCommented:
If you have enabled the X-Forwarded-For on the LB and you set Dynamic IP Striction into Proxy Mode, you should be able to block IPs based on the original IP in the header.

Have you enabled advanced logging to verify that your IIS server(s) are seeing the header?  Advanced logging has its own log (unfortunately).

Advanced Logging link:

- http://blogs.iis.net/deanc/iis7-8-logging-the-real-client-ip-in-the-iis-hit-logs

Using X-Forwarded-For header with Dynamic IP Restriction Proxy Mode link:

- http://blogs.iis.net/wadeh/dynamic-ip-restriction-proxy-mode

introluxAuthor Commented:
Hi Dan,

Yes did this however it still didnt work. I think this feature works on IIS8 and not on IIS7, IIS7.5

I have seen from the advance logging that x-forwarder address is passing through.
Dan McFaddenSystems EngineerCommented:
So, with Dynamic IP Restriction in Proxy Mode and X-Forwarded-For header coming in from the LB, you configured the following:

1.  An ALLOW rule for the known LB
2.  A DENY rule for the undesired IP received in the header

This didn't work?

From all that I can see and find, there is no indication that IIS7 and DIPR+Proxy Mode, does not function as expected.  The article below was written before Server 2012 was released and references using the X header for DIPR in proxy mode.

Link:  http://www.iis.net/learn/manage/configuring-security/using-dynamic-ip-restrictions

Can you post your config?

Also, is there a specific URL pattern you are looking to block?

introluxAuthor Commented:
I have placed this config on the root applicationHost file:


            <access sslFlags="None" />

                <application name="Active Server Pages" groupId="ASP" />


                <anonymousAuthentication enabled="true" userName="IUSR" />

                <basicAuthentication enabled="false" />

                <clientCertificateMappingAuthentication />

                <digestAuthentication />

                <iisClientCertificateMappingAuthentication />

                <windowsAuthentication />


            <authorization />

            <ipSecurity allowUnlisted="false">
                <clear />
                <add ipAddress="" allowed="true" />
                <add ipAddress="" allowed="true" />

                <add path="%windir%\system32\inetsrv\asp.dll" allowed="true" groupId="ASP" description="Active Server Pages" />
                <add path="%windir%\Microsoft.NET\Framework64\v2.0.50727\aspnet_isapi.dll" allowed="true" groupId="ASP.NET v2.0.50727" description="ASP.NET v2.0.50727" />
                <add path="%windir%\Microsoft.NET\Framework\v2.0.50727\aspnet_isapi.dll" allowed="true" groupId="ASP.NET v2.0.50727" description="ASP.NET v2.0.50727" />
                <add path="C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_isapi.dll" allowed="false" groupId="ASP.NET v4.0.30319" description="ASP.NET v4.0.30319" />
                <add path="C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_isapi.dll" allowed="false" groupId="ASP.NET v4.0.30319" description="ASP.NET v4.0.30319" />

                <fileExtensions allowUnlisted="true" applyToWebDAV="true">
                    <add fileExtension=".asa" allowed="false" />
                    <add fileExtension=".asax" allowed="false" />
                    <add fileExtension=".ascx" allowed="false" />
                    <add fileExtension=".master" allowed="false" />
                    <add fileExtension=".skin" allowed="false" />
                    <add fileExtension=".browser" allowed="false" />
                    <add fileExtension=".sitemap" allowed="false" />
                    <add fileExtension=".config" allowed="false" />
                    <add fileExtension=".cs" allowed="false" />
                    <add fileExtension=".csproj" allowed="false" />
                    <add fileExtension=".vb" allowed="false" />
                    <add fileExtension=".vbproj" allowed="false" />
                    <add fileExtension=".webinfo" allowed="false" />
                    <add fileExtension=".licx" allowed="false" />
                    <add fileExtension=".resx" allowed="false" />
                    <add fileExtension=".resources" allowed="false" />
                    <add fileExtension=".mdb" allowed="false" />
                    <add fileExtension=".vjsproj" allowed="false" />
                    <add fileExtension=".java" allowed="false" />
                    <add fileExtension=".jsl" allowed="false" />
                    <add fileExtension=".ldb" allowed="false" />
                    <add fileExtension=".dsdgm" allowed="false" />
                    <add fileExtension=".ssdgm" allowed="false" />
                    <add fileExtension=".lsad" allowed="false" />
                    <add fileExtension=".ssmap" allowed="false" />
                    <add fileExtension=".cd" allowed="false" />
                    <add fileExtension=".dsprototype" allowed="false" />
                    <add fileExtension=".lsaprototype" allowed="false" />
                    <add fileExtension=".sdm" allowed="false" />
                    <add fileExtension=".sdmDocument" allowed="false" />
                    <add fileExtension=".mdf" allowed="false" />
                    <add fileExtension=".ldf" allowed="false" />
                    <add fileExtension=".ad" allowed="false" />
                    <add fileExtension=".dd" allowed="false" />
                    <add fileExtension=".ldd" allowed="false" />
                    <add fileExtension=".sd" allowed="false" />
                    <add fileExtension=".adprototype" allowed="false" />
                    <add fileExtension=".lddprototype" allowed="false" />
                    <add fileExtension=".exclude" allowed="false" />
                    <add fileExtension=".refresh" allowed="false" />
                    <add fileExtension=".compiled" allowed="false" />
                    <add fileExtension=".msgx" allowed="false" />
                    <add fileExtension=".vsdisco" allowed="false" />
                    <add fileExtension=".rules" allowed="false" />
                <verbs allowUnlisted="true" applyToWebDAV="true" />
                <hiddenSegments applyToWebDAV="true">
                    <add segment="web.config" />
                    <add segment="bin" />
                    <add segment="App_code" />
                    <add segment="App_GlobalResources" />
                    <add segment="App_LocalResources" />
                    <add segment="App_WebReferences" />
                    <add segment="App_Data" />
                    <add segment="App_Browsers" />
            <dynamicIpSecurity enableProxyMode="true" />


Open in new window

Dan McFaddenSystems EngineerCommented:
Where is the deny access rule from the proxy mode?

Reference link for the <ipSecurity> element:  https://www.iis.net/configreference/system.webserver/security/ipsecurity

I would expect the <ipSecurity> element to look something like this:

<ipSecurity allowUnlisted="false" enableProxyMode="true">
    <add ipAddress="" allowed="true" />
    <add ipAddress="" allowed="true" />

Open in new window

introluxAuthor Commented:
Its right at the bottom:

<dynamicIpSecurity enableProxyMode="true" />

Open in new window

I tried adding your line and it caused an error
Dan McFaddenSystems EngineerCommented:
That's just it...  the <dynamicIpSecurity> element is not supported until IIS 8.

Reference Link:  https://www.iis.net/configreference/system.webserver/security/dynamicipsecurity

You mentioned that you are running IIS7(7.5).

- What was the error thrown?

introluxAuthor Commented:
Error: Unrecognized attribute 'enableProxyMode'
Dan McFaddenSystems EngineerCommented:
Yeah, well error message could be coming from either of the elements.

Based on the docs at Microsoft, the <dynamicIpSecurity> element is not supported until IIS8, meaning that your applicationHost.config is setup incorrectly.

I would make a backup of the applicationHost.config, delete the <dynamicIpSecurity> element and use IIS Manager to reset the IP Restriction feature.  Editing the applicationHost.config file by hand is not really recommended.

introluxAuthor Commented:
"reset the IP Restriction feature"

What do you mean by this? Also you  mention "Editing the applicationHost.config file by hand is not really recommended."

So you are saying edit and then you shouldnt? little confused here.
Dan McFaddenSystems EngineerCommented:
Has this information helped?

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.