Solved

IIS7 IP Restriction via Load Balancer

Posted on 2016-09-08
23
60 Views
Last Modified: 2016-09-23
Hi,

I have been spending far too much time trying to work this out. I would like to IP restrict certain IP addresses from gaining access to the web server, however this is not possible because the traffic comes through a load balancer (ZEN). So I attempted to use Dynamic IP Restriction Proxy Mode however I add the ZEN Load Balancer IP address to the allowed list, by doing this it allows all traffic from the load balancer regardless.

I have also enabled X-FORWARDED-FOR header form the load balancer which I have identified in the logs using advance logging within IIS and I can see the external IP address.

So I need to pick this X-FORWARDED-FOR IP address and make a rule that if IP address xx.xx.xx.xx then deny/allow.

I have seen many advice on this using Rewrite module but I have failed and need help on this.

Thanks,

introlux
0
Comment
Question by:introlux
  • 10
  • 8
  • 5
23 Comments
 
LVL 15

Expert Comment

by:WalkaboutTigger
Comment Utility
And the people who manage the load balancer cannot or will not set this filter up on their end - the appropriate place to put it?

You can use ModSecurity, which has the capability to intercept XFF, parse it, and respond to the traffic as desired through a set of rules.
0
 

Author Comment

by:introlux
Comment Utility
Well we have access to the Zen load balancer but I cannot see an option within this to make the sort of change to restrict IP addresses, hence why I am looking to make this change on IIS.
0
 
LVL 15

Expert Comment

by:WalkaboutTigger
Comment Utility
Are you using the Community or Enterprise version of Zen?
0
 

Author Comment

by:introlux
Comment Utility
Community
0
 
LVL 15

Expert Comment

by:WalkaboutTigger
Comment Utility
Do you have an edge firewall?

Do these IP addresses you want to block from accessing the web server need to access other services or resources passed the firewall?  Passed the Zen?  If not, for what reason do they need to be allowed inside at all?
0
 

Author Comment

by:introlux
Comment Utility
We do have a firewall in place however I was hoping to sort this between the Zen Load Balancer and IIS.

The web servers need to be locked down to selected IP addresses.
0
 
LVL 15

Expert Comment

by:WalkaboutTigger
Comment Utility
One other thing to consider:  If these IP addresses may be suspect, have you considered creating NAT rules on the firewall for connections coming to these IPs to go to a honeypot instead of simply denying them access.
This way you could log their activity and see what they're attempting to do.  I would implement this by creating a Honeypot farm on the Zen pointed to a separate virtual IIS server with a site specifically designed to capture information on hostile activities.
0
 
LVL 15

Expert Comment

by:WalkaboutTigger
Comment Utility
Okay - why not use defence-in-depth - lock down permitted IPs at the webserver - only the load balancer and select internal machines may access the IIS servers from the internal network.

Use ModSecurity on top of IIS to inspect the XFF headers and only allow traffic to the real web site from permitted IP address ranges.

What session state methods is the Zen configured to use to implement sessions state?  If one of those methods is IP, you can block those at the Zen's host's firewall or on the Zen's virtual firewall - a bit more tricky than just configuring Zen.
0
 

Author Comment

by:introlux
Comment Utility
So from what you are saying there is a way to configure this from the Zen load balancer?
0
 
LVL 26

Expert Comment

by:Dan McFadden
Comment Utility
Are you trying to block known IPs for known/detected activity?  Or is this an effort to increase the security of your web apps?

- what type of activity are your trying to detect/block

If you know the undesired activity coming from specific IPs, you could redirect those specific URLs and forward them to a dummy page.  This is where URL Rewrite would come in.

IMO, the best place to block this type of activity is at the firewall, FWs are specifically designed to provide protect edge assets and are super efficient in doing so.

Dan
0
 

Author Comment

by:introlux
Comment Utility
Yep we are looking to raise a ticket with the networking team to get this sorted however would have been nice we could achieve this via the application level.

Access is via port 80, 443. The load balancer has its own internal IP it comes through however carries an x-forwarder address which is the visitor address i want monitored and controlled who is allowed into the web server.
0
Highfive Gives IT Their Time Back

Highfive is so simple that setting up every meeting room takes just minutes and every employee will be able to start or join a call from any room with ease. Never be called into a meeting just to get it started again. This is how video conferencing should work!

 
LVL 26

Expert Comment

by:Dan McFadden
Comment Utility
If you have enabled the X-Forwarded-For on the LB and you set Dynamic IP Striction into Proxy Mode, you should be able to block IPs based on the original IP in the header.

Have you enabled advanced logging to verify that your IIS server(s) are seeing the header?  Advanced logging has its own log (unfortunately).

Advanced Logging link:

- http://blogs.iis.net/deanc/iis7-8-logging-the-real-client-ip-in-the-iis-hit-logs

Using X-Forwarded-For header with Dynamic IP Restriction Proxy Mode link:

- http://blogs.iis.net/wadeh/dynamic-ip-restriction-proxy-mode

Dan
0
 

Author Comment

by:introlux
Comment Utility
Hi Dan,

Yes did this however it still didnt work. I think this feature works on IIS8 and not on IIS7, IIS7.5

I have seen from the advance logging that x-forwarder address is passing through.
0
 
LVL 26

Expert Comment

by:Dan McFadden
Comment Utility
So, with Dynamic IP Restriction in Proxy Mode and X-Forwarded-For header coming in from the LB, you configured the following:

1.  An ALLOW rule for the known LB
2.  A DENY rule for the undesired IP received in the header

This didn't work?

From all that I can see and find, there is no indication that IIS7 and DIPR+Proxy Mode, does not function as expected.  The article below was written before Server 2012 was released and references using the X header for DIPR in proxy mode.

Link:  http://www.iis.net/learn/manage/configuring-security/using-dynamic-ip-restrictions

Can you post your config?

Also, is there a specific URL pattern you are looking to block?

Dan
0
 

Author Comment

by:introlux
Comment Utility
I have placed this config on the root applicationHost file:

        <security>

            <access sslFlags="None" />

            <applicationDependencies>
                <application name="Active Server Pages" groupId="ASP" />
            </applicationDependencies>

            <authentication>

                <anonymousAuthentication enabled="true" userName="IUSR" />

                <basicAuthentication enabled="false" />

                <clientCertificateMappingAuthentication />

                <digestAuthentication />

                <iisClientCertificateMappingAuthentication />

                <windowsAuthentication />

            </authentication>

            <authorization />

            <ipSecurity allowUnlisted="false">
                <clear />
                <add ipAddress="66.100.32.55" allowed="true" />
                <add ipAddress="192.168.11.7" allowed="true" />
            </ipSecurity>

            <isapiCgiRestriction>
                <add path="%windir%\system32\inetsrv\asp.dll" allowed="true" groupId="ASP" description="Active Server Pages" />
                <add path="%windir%\Microsoft.NET\Framework64\v2.0.50727\aspnet_isapi.dll" allowed="true" groupId="ASP.NET v2.0.50727" description="ASP.NET v2.0.50727" />
                <add path="%windir%\Microsoft.NET\Framework\v2.0.50727\aspnet_isapi.dll" allowed="true" groupId="ASP.NET v2.0.50727" description="ASP.NET v2.0.50727" />
                <add path="C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_isapi.dll" allowed="false" groupId="ASP.NET v4.0.30319" description="ASP.NET v4.0.30319" />
                <add path="C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_isapi.dll" allowed="false" groupId="ASP.NET v4.0.30319" description="ASP.NET v4.0.30319" />
            </isapiCgiRestriction>

            <requestFiltering>
                <fileExtensions allowUnlisted="true" applyToWebDAV="true">
                    <add fileExtension=".asa" allowed="false" />
                    <add fileExtension=".asax" allowed="false" />
                    <add fileExtension=".ascx" allowed="false" />
                    <add fileExtension=".master" allowed="false" />
                    <add fileExtension=".skin" allowed="false" />
                    <add fileExtension=".browser" allowed="false" />
                    <add fileExtension=".sitemap" allowed="false" />
                    <add fileExtension=".config" allowed="false" />
                    <add fileExtension=".cs" allowed="false" />
                    <add fileExtension=".csproj" allowed="false" />
                    <add fileExtension=".vb" allowed="false" />
                    <add fileExtension=".vbproj" allowed="false" />
                    <add fileExtension=".webinfo" allowed="false" />
                    <add fileExtension=".licx" allowed="false" />
                    <add fileExtension=".resx" allowed="false" />
                    <add fileExtension=".resources" allowed="false" />
                    <add fileExtension=".mdb" allowed="false" />
                    <add fileExtension=".vjsproj" allowed="false" />
                    <add fileExtension=".java" allowed="false" />
                    <add fileExtension=".jsl" allowed="false" />
                    <add fileExtension=".ldb" allowed="false" />
                    <add fileExtension=".dsdgm" allowed="false" />
                    <add fileExtension=".ssdgm" allowed="false" />
                    <add fileExtension=".lsad" allowed="false" />
                    <add fileExtension=".ssmap" allowed="false" />
                    <add fileExtension=".cd" allowed="false" />
                    <add fileExtension=".dsprototype" allowed="false" />
                    <add fileExtension=".lsaprototype" allowed="false" />
                    <add fileExtension=".sdm" allowed="false" />
                    <add fileExtension=".sdmDocument" allowed="false" />
                    <add fileExtension=".mdf" allowed="false" />
                    <add fileExtension=".ldf" allowed="false" />
                    <add fileExtension=".ad" allowed="false" />
                    <add fileExtension=".dd" allowed="false" />
                    <add fileExtension=".ldd" allowed="false" />
                    <add fileExtension=".sd" allowed="false" />
                    <add fileExtension=".adprototype" allowed="false" />
                    <add fileExtension=".lddprototype" allowed="false" />
                    <add fileExtension=".exclude" allowed="false" />
                    <add fileExtension=".refresh" allowed="false" />
                    <add fileExtension=".compiled" allowed="false" />
                    <add fileExtension=".msgx" allowed="false" />
                    <add fileExtension=".vsdisco" allowed="false" />
                    <add fileExtension=".rules" allowed="false" />
                </fileExtensions>
                <verbs allowUnlisted="true" applyToWebDAV="true" />
                <hiddenSegments applyToWebDAV="true">
                    <add segment="web.config" />
                    <add segment="bin" />
                    <add segment="App_code" />
                    <add segment="App_GlobalResources" />
                    <add segment="App_LocalResources" />
                    <add segment="App_WebReferences" />
                    <add segment="App_Data" />
                    <add segment="App_Browsers" />
                </hiddenSegments>
            </requestFiltering>
            <dynamicIpSecurity enableProxyMode="true" />

        </security>

Open in new window

0
 
LVL 26

Expert Comment

by:Dan McFadden
Comment Utility
Where is the deny access rule from the proxy mode?

Reference link for the <ipSecurity> element:  https://www.iis.net/configreference/system.webserver/security/ipsecurity

I would expect the <ipSecurity> element to look something like this:

<ipSecurity allowUnlisted="false" enableProxyMode="true">
    <add ipAddress="66.100.32.55" allowed="true" />
    <add ipAddress="192.168.11.7" allowed="true" />
</ipSecurity>

Open in new window


Dan
0
 

Author Comment

by:introlux
Comment Utility
Its right at the bottom:

<dynamicIpSecurity enableProxyMode="true" />

Open in new window


I tried adding your line and it caused an error
0
 
LVL 26

Expert Comment

by:Dan McFadden
Comment Utility
That's just it...  the <dynamicIpSecurity> element is not supported until IIS 8.

Reference Link:  https://www.iis.net/configreference/system.webserver/security/dynamicipsecurity

You mentioned that you are running IIS7(7.5).

- What was the error thrown?

Dan
0
 

Author Comment

by:introlux
Comment Utility
Error: Unrecognized attribute 'enableProxyMode'
0
 
LVL 26

Expert Comment

by:Dan McFadden
Comment Utility
Yeah, well error message could be coming from either of the elements.

Based on the docs at Microsoft, the <dynamicIpSecurity> element is not supported until IIS8, meaning that your applicationHost.config is setup incorrectly.

I would make a backup of the applicationHost.config, delete the <dynamicIpSecurity> element and use IIS Manager to reset the IP Restriction feature.  Editing the applicationHost.config file by hand is not really recommended.

Dan
0
 

Author Comment

by:introlux
Comment Utility
"reset the IP Restriction feature"

What do you mean by this? Also you  mention "Editing the applicationHost.config file by hand is not really recommended."

So you are saying edit and then you shouldnt? little confused here.
0
 
LVL 26

Accepted Solution

by:
Dan McFadden earned 500 total points
Comment Utility
To reset the feature configuration:

In IIS Manager, go to the website and make sure that the site is using the server's setup.  Do this by opening the feature and click "Revert to Parent" in the actions panel (right hand upper corner).

Then go to the server and open the feature, remove all custom configuration.  This is effectively a reset.

Do an IISRESET.

Now, in IIS Manager, at the server scope, open the feature and setup DIPR in proxy mode as described above, and at the server scope, add your LB IPs.  Apply the settings.

At this point, the server scope settings will be automatically inherited by all websites hosted on this IIS server.

As for editing the applicationHost.config file directly (by hand), unless you are well versed on what elements go where and their exact attribute settings, I would not recommend changing the setting with notepad.  Only make these changes by using the IIS Manager.

The only way an unsupported element could have gotten into your server's applicationHost.config file is by you either editing it in a text editor or you copied it from a server running IIS8+.

My recommendation to not edit the file directly was for future reference.

Dan
0
 
LVL 26

Expert Comment

by:Dan McFadden
Comment Utility
Has this information helped?

Dan
0

Featured Post

Do You Know the 4 Main Threat Actor Types?

Do you know the main threat actor types? Most attackers fall into one of four categories, each with their own favored tactics, techniques, and procedures.

Join & Write a Comment

I had a question today where the user wanted to know how to delete an SSL Certificate, so I thought that I would quickly add this How to! Article for your reference. WHY WOULD YOU WANT TO DELETE A CERTIFICATE? 1. If an incorrect certificate was …
You might have come across a situation when you have Exchange 2013 server in two different sites (Production and DR). After adding the Database copy in ECP console it displays Database copy status unknown for the DR exchange server. Issue is strange…
This tutorial will show how to push an installation of Backup Exec to an additional server in both 2012 and 2014 versions of the software. Click on the Backup Exec button in the upper left corner. From here, select Installation and Licensing, then I…
This tutorial will walk an individual through configuring a drive on a Windows Server 2008 to perform shadow copies in order to quickly recover deleted files and folders. Click on Start and then select Computer to view the available drives on the se…

744 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

18 Experts available now in Live!

Get 1:1 Help Now