Solved

IIS on 2012 R2 server local access works, remote does not

Posted on 2016-10-24
Last Modified: 2016-10-26
I set up an IIS server for our application. I got a certificate for app.domain.com and bound it to 443. I had our ISP NAT a public IP to our private IP.

When I try to connect to app.domain.com remotely I get a 404 error.
When I try to connect to the NAT public IP remotely I get a cert error, click proceed, 404 error.
When I connect using the host name (https://app) I get a cert error, click proceed, and it works.

I disabled the firewall on all network types (for now).
I put app.domain.com in the hosts file.
What else could I be missing here?

domain.com is NOT a name our DCs have zones for; it's public only. All the testing I did remotely was from a mobile phone, or Remote Desktop from a PC off our network. I am not concerned at this point about local machines connecting using the public DNS or cert.

I'm wondering if it's some new IIS feature I am not familiar with that is restricting public access?
Question by:Eric

Expert Comment

by:David Johnson, CD, MVP
ID: 41857744
At your domain registrar, what are your DNS settings? Do you have an A record pointing to your public IP? You are probably behind a NAT at your modem; is port 80/443 being redirected to your web server?

Expert Comment

by:El Fierro
ID: 41857745
Did you check your DNS settings? Is the right IP bound and configured in IIS? With some hosting providers you have to set the DNS settings within your account.

Author Comment

by:Eric
ID: 41857752
We use DNSMadeEasy. I added a host record pointing to the public IP provided. Our ISP hosts our firewall on a Cisco ASA; they created a NAT to point to our internal IP. Our internal IP is a private IP. We do not have internet at our sites, just MPLS.

The fact that I get a cert error hints that the forward is working?

Expert Comment

by:DrDave242
ID: 41858811
When I try to connect to app.domain.com remotely I get a 404 error.

When I try to connect to the NAT public IP remotely I get a cert error, click proceed, 404 error.
When I connect using the host name (https://app) I get a cert error, click proceed, and it works.

It sounds like there's more than one thing going on here. Since you get a cert error when connecting from outside using the IP address but not the name, it appears that the public DNS host record mapping that name to that IP address is either wrong or nonexistent.

Further, since you can connect from inside using https://app, the host header on the site may be wrong as well. Is there a host header for https://app.domain.com on the site?

Author Comment

by:Eric
ID: 41860362
It sounds like there's more than one thing going on here. Since you get a cert error when connecting from outside using the IP address but not the name, it appears that the public DNS host record mapping that name to that IP address is either wrong or nonexistent.

Further, since you can connect from inside using https://app, the host header on the site may be wrong as well. Is there a host header for https://app.domain.com on the site?

If I do an nslookup publicly or locally I get the correct public IP address. As a matter of fact, that's how I tried the IP: nslookup, then copied and pasted the IP in place of the name.

How do I verify a host header? Clicking around, not finding anything.
I have hostname "app" in the site bindings, all unassigned, and my cert selected.

Author Comment

by:Eric
ID: 41860366
Oh mother of god. I just realized the issue by typing the above. "app" should be the FQDN. Though not sure why the IP did not still work?

Expert Comment

by:DrDave242
ID: 41860497
Does it work now using the FQDN after changing the host header (that's the hostname in the site bindings)?

Assisted Solution

by:David Johnson, CD, MVP
David Johnson, CD, MVP earned 1000 total points
ID: 41860625
Correct, it is the host name. Remember that you can't use the IP address now or you will get the default website.

Accepted Solution

by:DrDave242
DrDave242 earned 1000 total points
ID: 41860662
The host header tells the website to only respond if the name in the HTTP request matches the name in the host header. So if https://app is the only header on the site, it'll only respond when someone browses to that exact URL, even if other names (app.domain.com, for example) resolve to the same IP address.

If you remove the host header completely, the site will respond to all requests that come in, so you'd be able to connect using the IP address or any name that resolves to that address. (Host headers allow you to have more than one website bound to the same IP address.)

Author Comment

by:Eric
ID: 41860749
If you remove the host header completely, the site will respond to all requests that come in, so you'd be able to connect using the IP address or any name that resolves to that address. (Host headers allow you to have more than one website bound to the same IP address.)

I knew about the 2nd part as far as multiple sites per server. However, I did not realize it went this far. So, does that make it more secure? Seems like it would, unless most IIS vulnerabilities only require hitting the IP in general. If nothing else I guess it reduces brute force attacks.

How do I add a second host header so https://app/ works again for my local users w/o allowing all requests?
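One way to do what Eric asks here, and to verify the host headers DrDave242 describes in the accepted solution, as an added example that is not from anyone in the thread. It assumes the WebAdministration module on the 2012 R2 host; the site name "AppSite" and the certificate thumbprint are placeholders.

```powershell
# Added example, not from the thread. Gives the site one hostname binding per
# name on 443 (public FQDN and internal short name), so it still ignores
# requests for any other name and is not served on the bare IP.
# Placeholders: site name, certificate thumbprint. Run elevated on the IIS host.
Import-Module WebAdministration

$site  = 'AppSite'                 # placeholder: your IIS site name
$thumb = 'THUMBPRINT_PLACEHOLDER'  # thumbprint of the app.domain.com certificate
$names = @('app.domain.com', 'app')

# 1. "Verifying a host header": it is the hostname field of each binding,
#    shown in bindingInformation as IP:port:hostname (e.g. "*:443:app").
Get-WebBinding -Name $site |
    Select-Object protocol, bindingInformation, sslFlags |
    Format-Table -AutoSize

# 2. A 443 binding with an empty hostname answers to the bare IP as well.
#    Remove any such binding so only named bindings remain.
Get-WebBinding -Name $site -Protocol https |
    Where-Object { $_.bindingInformation -match ':443:$' } |
    ForEach-Object {
        Remove-WebBinding -Name $site -Protocol https `
                          -BindingInformation $_.bindingInformation
    }

# 3. One binding per name. sslFlags 1 = SNI, which lets several hostname
#    bindings share *:443 (supported from Windows Server 2012 onward).
$cert = Get-Item "Cert:\LocalMachine\My\$thumb"
foreach ($n in $names) {
    if (-not (Get-WebBinding -Name $site -Protocol https -HostHeader $n)) {
        New-WebBinding -Name $site -Protocol https -Port 443 -IPAddress '*' `
                       -HostHeader $n -SslFlags 1
    }
    # Attach the certificate to the hostname:port SSL binding.
    $sslPath = "IIS:\SslBindings\!443!$n"
    if (-not (Test-Path $sslPath)) {
        New-Item -Path $sslPath -Value $cert -SSLFlags 1 | Out-Null
    }
}

# 4. Confirm: exactly the two named https bindings should be listed.
Get-WebBinding -Name $site -Protocol https |
    Select-Object bindingInformation, sslFlags
```

The certificate in the thread is issued for app.domain.com, so https://app will keep showing the cert warning Eric already sees unless "app" is also in the certificate's subject alternative names. As David Johnson notes, a request to the bare IP now falls through to whatever site still has a hostname-less 443 binding (typically the Default Web Site), so stop or unbind that site if you do not want it reachable that way.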

Author Comment

by:Eric
ID: 41860757
Does it work now using the FQDN after changing the host header (that's the hostname in the site bindings)?

Yes, but https://app no longer works, which makes sense based on the comment above.

Author Closing Comment

by:Eric
ID: 41861147
Thanks for the help