IIS7 IP Restriction via Load Balancer (Solved)

Posted on 2016-09-08; last modified 2016-09-23
Hi,

I have been spending far too much time trying to work this out. I would like to IP restrict certain IP addresses from gaining access to the web server; however, this is not possible because the traffic comes through a load balancer (ZEN). So I attempted to use Dynamic IP Restriction Proxy Mode; however, when I add the ZEN Load Balancer IP address to the allowed list, it allows all traffic from the load balancer regardless.

I have also enabled the X-FORWARDED-FOR header from the load balancer, which I have identified in the logs using advanced logging within IIS, and I can see the external IP address.

So I need to pick this X-FORWARDED-FOR IP address and make a rule that if IP address xx.xx.xx.xx then deny/allow.

I have seen much advice on this using the Rewrite module, but I have failed and need help on this.

Thanks,

introlux
23 Comments

Expert Comment by WalkaboutTigger (ID: 41789982)
And the people who manage the load balancer cannot or will not set this filter up on their end - the appropriate place to put it?

You can use ModSecurity, which has the capability to intercept XFF, parse it, and respond to the traffic as desired through a set of rules.

Author Comment by introlux (ID: 41790008)
Well we have access to the Zen load balancer but I cannot see an option within this to make the sort of change to restrict IP addresses, hence why I am looking to make this change on IIS.

Expert Comment by WalkaboutTigger (ID: 41790019)
Are you using the Community or Enterprise version of Zen?

Author Comment by introlux (ID: 41790020)
Community

Expert Comment by WalkaboutTigger (ID: 41790023)
Do you have an edge firewall?

Do these IP addresses you want to block from accessing the web server need to access other services or resources past the firewall? Past the Zen? If not, for what reason do they need to be allowed inside at all?

Author Comment by introlux (ID: 41790031)
We do have a firewall in place however I was hoping to sort this between the Zen Load Balancer and IIS.

The web servers need to be locked down to selected IP addresses.

Expert Comment by WalkaboutTigger (ID: 41790034)
One other thing to consider: if these IP addresses may be suspect, have you considered creating NAT rules on the firewall for connections coming from these IPs to go to a honeypot instead of simply denying them access?
This way you could log their activity and see what they're attempting to do.  I would implement this by creating a Honeypot farm on the Zen pointed to a separate virtual IIS server with a site specifically designed to capture information on hostile activities.

Expert Comment by WalkaboutTigger (ID: 41790040)
Okay - why not use defence-in-depth - lock down permitted IPs at the webserver - only the load balancer and select internal machines may access the IIS servers from the internal network.

Use ModSecurity on top of IIS to inspect the XFF headers and only allow traffic to the real web site from permitted IP address ranges.

What session state methods is the Zen configured to use to implement session state? If one of those methods is IP, you can block those at the Zen's host's firewall or on the Zen's virtual firewall - a bit more tricky than just configuring Zen.

Author Comment by introlux (ID: 41790056)
So from what you are saying there is a way to configure this from the Zen load balancer?

Expert Comment by Dan McFadden (ID: 41790874)
Are you trying to block known IPs for known/detected activity?  Or is this an effort to increase the security of your web apps?

- what type of activity are you trying to detect/block

If you know the undesired activity coming from specific IPs, you could redirect those specific URLs and forward them to a dummy page.  This is where URL Rewrite would come in.

IMO, the best place to block this type of activity is at the firewall; FWs are specifically designed to protect edge assets and are super efficient in doing so.

Dan

Author Comment by introlux (ID: 41790890)
Yep, we are looking to raise a ticket with the networking team to get this sorted; however, it would have been nice if we could achieve this via the application level.

Access is via ports 80 and 443. The load balancer has its own internal IP it comes through; however, it carries an X-Forwarded-For address, which is the visitor address I want monitored and controlled to decide who is allowed into the web server.

Expert Comment by Dan McFadden (ID: 41790921)
If you have enabled the X-Forwarded-For on the LB and you set Dynamic IP Restriction into Proxy Mode, you should be able to block IPs based on the original IP in the header.

Have you enabled advanced logging to verify that your IIS server(s) are seeing the header?  Advanced logging has its own log (unfortunately).

Advanced Logging link:

- http://blogs.iis.net/deanc/iis7-8-logging-the-real-client-ip-in-the-iis-hit-logs

Using X-Forwarded-For header with Dynamic IP Restriction Proxy Mode link:

- http://blogs.iis.net/wadeh/dynamic-ip-restriction-proxy-mode

Dan

Author Comment by introlux (ID: 41791025)
Hi Dan,

Yes, I did this; however, it still didn't work. I think this feature works on IIS8 and not on IIS7/IIS7.5.

I have seen from the advanced logging that the X-Forwarded-For address is passing through.

Expert Comment by Dan McFadden (ID: 41791033)
So, with Dynamic IP Restriction in Proxy Mode and X-Forwarded-For header coming in from the LB, you configured the following:

1.  An ALLOW rule for the known LB
2.  A DENY rule for the undesired IP received in the header

This didn't work?

From all that I can see and find, there is no indication that IIS7 and DIPR+Proxy Mode does not function as expected. The article below was written before Server 2012 was released and references using the X header for DIPR in proxy mode.

Link:  http://www.iis.net/learn/manage/configuring-security/using-dynamic-ip-restrictions

Can you post your config?

Also, is there a specific URL pattern you are looking to block?

Dan

Author Comment by introlux (ID: 41791069)
I have placed this config on the root applicationHost file:

        <security>
            <access sslFlags="None" />
            <applicationDependencies>
                <application name="Active Server Pages" groupId="ASP" />
            </applicationDependencies>
            <authentication>
                <anonymousAuthentication enabled="true" userName="IUSR" />
                <basicAuthentication enabled="false" />
                <clientCertificateMappingAuthentication />
                <digestAuthentication />
                <iisClientCertificateMappingAuthentication />
                <windowsAuthentication />
            </authentication>
            <authorization />
            <ipSecurity allowUnlisted="false">
                <clear />
                <add ipAddress="66.100.32.55" allowed="true" />
                <add ipAddress="192.168.11.7" allowed="true" />
            </ipSecurity>

            <isapiCgiRestriction>
                <add path="%windir%\system32\inetsrv\asp.dll" allowed="true" groupId="ASP" description="Active Server Pages" />
                <add path="%windir%\Microsoft.NET\Framework64\v2.0.50727\aspnet_isapi.dll" allowed="true" groupId="ASP.NET v2.0.50727" description="ASP.NET v2.0.50727" />
                <add path="%windir%\Microsoft.NET\Framework\v2.0.50727\aspnet_isapi.dll" allowed="true" groupId="ASP.NET v2.0.50727" description="ASP.NET v2.0.50727" />
                <add path="C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_isapi.dll" allowed="false" groupId="ASP.NET v4.0.30319" description="ASP.NET v4.0.30319" />
                <add path="C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_isapi.dll" allowed="false" groupId="ASP.NET v4.0.30319" description="ASP.NET v4.0.30319" />
            </isapiCgiRestriction>

            <requestFiltering>
                <fileExtensions allowUnlisted="true" applyToWebDAV="true">
                    <add fileExtension=".asa" allowed="false" />
                    <add fileExtension=".asax" allowed="false" />
                    <add fileExtension=".ascx" allowed="false" />
                    <add fileExtension=".master" allowed="false" />
                    <add fileExtension=".skin" allowed="false" />
                    <add fileExtension=".browser" allowed="false" />
                    <add fileExtension=".sitemap" allowed="false" />
                    <add fileExtension=".config" allowed="false" />
                    <add fileExtension=".cs" allowed="false" />
                    <add fileExtension=".csproj" allowed="false" />
                    <add fileExtension=".vb" allowed="false" />
                    <add fileExtension=".vbproj" allowed="false" />
                    <add fileExtension=".webinfo" allowed="false" />
                    <add fileExtension=".licx" allowed="false" />
                    <add fileExtension=".resx" allowed="false" />
                    <add fileExtension=".resources" allowed="false" />
                    <add fileExtension=".mdb" allowed="false" />
                    <add fileExtension=".vjsproj" allowed="false" />
                    <add fileExtension=".java" allowed="false" />
                    <add fileExtension=".jsl" allowed="false" />
                    <add fileExtension=".ldb" allowed="false" />
                    <add fileExtension=".dsdgm" allowed="false" />
                    <add fileExtension=".ssdgm" allowed="false" />
                    <add fileExtension=".lsad" allowed="false" />
                    <add fileExtension=".ssmap" allowed="false" />
                    <add fileExtension=".cd" allowed="false" />
                    <add fileExtension=".dsprototype" allowed="false" />
                    <add fileExtension=".lsaprototype" allowed="false" />
                    <add fileExtension=".sdm" allowed="false" />
                    <add fileExtension=".sdmDocument" allowed="false" />
                    <add fileExtension=".mdf" allowed="false" />
                    <add fileExtension=".ldf" allowed="false" />
                    <add fileExtension=".ad" allowed="false" />
                    <add fileExtension=".dd" allowed="false" />
                    <add fileExtension=".ldd" allowed="false" />
                    <add fileExtension=".sd" allowed="false" />
                    <add fileExtension=".adprototype" allowed="false" />
                    <add fileExtension=".lddprototype" allowed="false" />
                    <add fileExtension=".exclude" allowed="false" />
                    <add fileExtension=".refresh" allowed="false" />
                    <add fileExtension=".compiled" allowed="false" />
                    <add fileExtension=".msgx" allowed="false" />
                    <add fileExtension=".vsdisco" allowed="false" />
                    <add fileExtension=".rules" allowed="false" />
                </fileExtensions>
                <verbs allowUnlisted="true" applyToWebDAV="true" />
                <hiddenSegments applyToWebDAV="true">
                    <add segment="web.config" />
                    <add segment="bin" />
                    <add segment="App_code" />
                    <add segment="App_GlobalResources" />
                    <add segment="App_LocalResources" />
                    <add segment="App_WebReferences" />
                    <add segment="App_Data" />
                    <add segment="App_Browsers" />
                </hiddenSegments>
            </requestFiltering>
            <dynamicIpSecurity enableProxyMode="true" />

        </security>

Expert Comment by Dan McFadden (ID: 41791117)
Where is the deny access rule from the proxy mode?

Reference link for the <ipSecurity> element:  https://www.iis.net/configreference/system.webserver/security/ipsecurity

I would expect the <ipSecurity> element to look something like this:

<ipSecurity allowUnlisted="false" enableProxyMode="true">
    <add ipAddress="66.100.32.55" allowed="true" />
    <add ipAddress="192.168.11.7" allowed="true" />
</ipSecurity>

Dan
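To make the difference between the two configurations concrete, here is an added Python model of the allow-list decision; it is not code from this thread, from IIS or from ZEN. It reuses the two addresses from the posted <ipSecurity> element, constructs 203.0.113.9 as a sample visitor address, and assumes, as its own design rather than a statement about how IIS implements proxy mode, that X-Forwarded-For is honoured only when the direct peer is the load balancer and that the header is read from the right so a visitor cannot supply the address that gets checked.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import List, Optional, Set, Tuple


@dataclass
class IpRestriction:
    """Model of an <ipSecurity> element: ordered allow/deny rules plus the
    allowUnlisted default. proxy_mode and trusted_proxies are this model's
    stand-in for 'proxy mode' (evaluate X-Forwarded-For)."""
    allow_unlisted: bool
    rules: List[Tuple[object, bool]]            # (network, allowed)
    proxy_mode: bool = False
    trusted_proxies: Set[object] = field(default_factory=set)


def effective_client(remote_addr: str, xff: Optional[str], cfg: IpRestriction):
    """Pick the address the restriction applies to.

    Without proxy mode the socket peer is used, so a request relayed by an
    allowed load balancer is always judged as the load balancer (the symptom
    in the question). With proxy mode the header is honoured only when the
    peer is a trusted proxy, and it is walked from the right so a leading
    entry supplied by the visitor cannot pick the address that gets checked.
    Raises ValueError on a malformed header so the caller can fail closed.
    """
    peer = ip_address(remote_addr)
    if not cfg.proxy_mode or peer not in cfg.trusted_proxies or not xff:
        return peer
    hops = [h.strip() for h in xff.split(",") if h.strip()]
    for hop in reversed(hops):
        addr = ip_address(hop)               # ValueError if not an IP literal
        if addr not in cfg.trusted_proxies:
            return addr
    return peer                               # every hop was one of our proxies


def is_allowed(remote_addr: str, xff: Optional[str], cfg: IpRestriction) -> bool:
    """First matching rule wins (a simplification made by this model);
    otherwise fall back to allowUnlisted. A malformed header is denied."""
    try:
        client = effective_client(remote_addr, xff, cfg)
    except ValueError:
        return False
    for network, allowed in cfg.rules:
        if client in network:
            return allowed
    return cfg.allow_unlisted


# Sample data: the two addresses come from the <ipSecurity> posted in the
# thread; 203.0.113.9 is a constructed visitor address from the documentation range.
LB = "192.168.11.7"
RULES = [(ip_network("66.100.32.55/32"), True), (ip_network(LB + "/32"), True)]

NAIVE_CFG = IpRestriction(allow_unlisted=False, rules=RULES)
PROXY_CFG = IpRestriction(allow_unlisted=False, rules=RULES,
                          proxy_mode=True, trusted_proxies={ip_address(LB)})


def demo():
    """Run the cases discussed in the thread and return the decisions."""
    return {
        # Question's symptom: the peer is the allowed LB, so everyone gets in.
        "naive_relayed_unknown": is_allowed(LB, "203.0.113.9", NAIVE_CFG),
        # Proxy mode: the relayed visitor is judged, not the LB.
        "proxy_relayed_unknown": is_allowed(LB, "203.0.113.9", PROXY_CFG),
        "proxy_relayed_allowed": is_allowed(LB, "66.100.32.55", PROXY_CFG),
        # Visitor prepends an allowed address; the rightmost untrusted hop still wins.
        "proxy_forged_prefix": is_allowed(LB, "66.100.32.55, 203.0.113.9", PROXY_CFG),
        # Request that bypassed the LB: header ignored, peer judged directly.
        "proxy_direct_forged": is_allowed("203.0.113.9", "66.100.32.55", PROXY_CFG),
        # Health check from the LB itself carries no header.
        "proxy_lb_no_header": is_allowed(LB, None, PROXY_CFG),
        "proxy_malformed": is_allowed(LB, "not-an-ip", PROXY_CFG),
    }


if __name__ == "__main__":
    for case, decision in demo().items():
        print(f"{case:24s} {'allow' if decision else 'deny'}")
```

The first case reproduces the behaviour the question complains about: with only the peer address checked and the load balancer on the allow list, every relayed request is admitted. The remaining cases show why the header must be tied to the trusted peer: a visitor who reaches the server without passing through the load balancer, or who adds an allowed address at the front of X-Forwarded-For, is still judged on an address they do not control.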

Author Comment by introlux (ID: 41791183)
It's right at the bottom:

<dynamicIpSecurity enableProxyMode="true" />

I tried adding your line and it caused an error

Expert Comment by Dan McFadden (ID: 41791194)
That's just it...  the <dynamicIpSecurity> element is not supported until IIS 8.

Reference Link:  https://www.iis.net/configreference/system.webserver/security/dynamicipsecurity

You mentioned that you are running IIS7(7.5).

- What was the error thrown?

Dan

Author Comment by introlux (ID: 41791203)
Error: Unrecognized attribute 'enableProxyMode'

Expert Comment by Dan McFadden (ID: 41791227)
Yeah, well, the error message could be coming from either of the elements.

Based on the docs at Microsoft, the <dynamicIpSecurity> element is not supported until IIS8, meaning that your applicationHost.config is set up incorrectly.

I would make a backup of the applicationHost.config, delete the <dynamicIpSecurity> element and use IIS Manager to reset the IP Restriction feature.  Editing the applicationHost.config file by hand is not really recommended.

Dan

Author Comment by introlux (ID: 41791246)
"reset the IP Restriction feature"

What do you mean by this? Also, you mention "Editing the applicationHost.config file by hand is not really recommended."

So you are saying edit, and then you shouldn't? A little confused here.

Accepted Solution by Dan McFadden (earned 500 total points; ID: 41791271)
To reset the feature configuration:

In IIS Manager, go to the website and make sure that the site is using the server's setup. Do this by opening the feature and clicking "Revert to Parent" in the actions panel (right hand upper corner).

Then go to the server and open the feature, remove all custom configuration.  This is effectively a reset.

Do an IISRESET.

Now, in IIS Manager, at the server scope, open the feature and set up DIPR in proxy mode as described above, and at the server scope, add your LB IPs. Apply the settings.

At this point, the server scope settings will be automatically inherited by all websites hosted on this IIS server.

As for editing the applicationHost.config file directly (by hand), unless you are well versed on what elements go where and their exact attribute settings, I would not recommend changing the setting with notepad.  Only make these changes by using the IIS Manager.

The only way an unsupported element could have gotten into your server's applicationHost.config file is by you either editing it in a text editor or you copied it from a server running IIS8+.

My recommendation to not edit the file directly was for future reference.

Dan

Expert Comment by Dan McFadden (ID: 41812508)
Has this information helped?

Dan