Solved

IIS on 2012 R2 server local access works, remote does not

Posted on 2016-10-24
Last Modified: 2016-10-26
I set up an IIS server for our application. I got a certificate for app.domain.com and bound it to 443. I had our ISP NAT a public IP to our private IP.

When I try to connect to app.domain.com remotely, I get a 404 error.
When I try to connect to the NAT public IP remotely, I get a cert error, click proceed, 404 error.
When I connect using the host name (https://app), I get a cert error, click proceed, works.

I disabled the firewall on all network types (for now).
I put app.domain.com in the hosts file.
What else could I be missing here?

domain.com is NOT a name our DCs have zones for. It's public only. For all the testing I did remotely, I used a mobile phone or remote desktop from a PC off our network. I am not concerned at this point about local machines connecting using the public DNS or cert.

I'm wondering if it's some new IIS features I am not familiar with restricting public access?
0
Question by:Eric
12 Comments
 
LVL 82

Expert Comment

by:David Johnson, CD, MVP
ID: 41857744
At your domain registrar, what are your DNS settings? Do you have an A record pointing to your public IP? You are probably behind a NAT at your modem; is port 80/443 being redirected to your web server?
0
 
LVL 4

Expert Comment

by:El Fierro
ID: 41857745
Did you check your DNS settings? Is the right bound IP configured on IIS? On some host providers you have to set the DNS settings within your account.
0
 
LVL 11

Author Comment

by:Eric
ID: 41857752
We use DNSMadeEasy. I added a host record pointing to the public IP provided. Our ISP hosts our firewall on a Cisco ASA. They created a NAT to point to our internal IP. Our internal IP is a private IP. We do not have internet at our sites, just MPLS.

The fact I get a cert error hints that the forward is working?
0
 
LVL 26

Expert Comment

by:DrDave242
ID: 41858811
When I try to connect to app.domain.com remotely, I get a 404 error.

When I try to connect to the NAT public IP remotely, I get a cert error, click proceed, 404 error.
When I connect using the host name (https://app), I get a cert error, click proceed, works.

It sounds like there's more than one thing going on here. Since you get a cert error when connecting from outside using the IP address but not the name, it appears that the public DNS host record mapping that name to that IP address is either wrong or nonexistent.

Further, since you can connect from inside using https://app, the host header on the site may be wrong as well. Is there a host header for https://app.domain.com on the site?
0
 
LVL 11

Author Comment

by:Eric
ID: 41860362
It sounds like there's more than one thing going on here. Since you get a cert error when connecting from outside using the IP address but not the name, it appears that the public DNS host record mapping that name to that IP address is either wrong or nonexistent.

Further, since you can connect from inside using https://app, the host header on the site may be wrong as well. Is there a host header for https://app.domain.com on the site?

If I do an nslookup publicly or locally, I get the correct public IP address. As a matter of fact, that's how I tried the IP. nslookup. Copied and pasted the IP in place of the name.

How do I verify a host header? Clicking around, not finding anything.
I have hostname "app" in the site bindings, all unassigned, and my cert selected.
0
 
LVL 11

Author Comment

by:Eric
ID: 41860366
Oh mother of god. I just realized the issue by typing above. "app" should be the FQDN. Though not sure why the IP did not still work?
0
 
LVL 26

Expert Comment

by:DrDave242
ID: 41860497
Does it work now using the FQDN after changing the host header (that's the hostname in the site bindings)?
0
 
LVL 82

Assisted Solution

by:David Johnson, CD, MVP
David Johnson, CD, MVP earned 250 total points
ID: 41860625
Correct, it is the host name. Remember that you can't use the IP address now or you will get the default website.
0
 
LVL 26

Accepted Solution

by:
DrDave242 earned 250 total points
ID: 41860662
The host header tells the website to only respond if the name in the HTTP request matches the name in the host header. So if https://app is the only header on the site, it'll only respond when someone browses to that exact URL, even if other names (app.domain.com, for example) resolve to the same IP address.

If you remove the host header completely, the site will respond to all requests that come in, so you'd be able to connect using the IP address or any name that resolves to that address. (Host headers allow you to have more than one website bound to the same IP address.)
0
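The binding behaviour described in the accepted answer, as an added example that is not part of the original thread: it lists a site's https host-name bindings and adds one binding per name the site should answer to. The site name `MyAppSite` is a placeholder, and the script assumes the certificate is already bound to port 443 without SNI, so a new binding on that port shares it.

```powershell
# Added example, not from the thread. Run in an elevated PowerShell on the IIS server.
Import-Module WebAdministration

$siteName = 'MyAppSite'                  # assumption: placeholder, use your site's name
$wanted   = @('app.domain.com', 'app')   # host names taken from the thread

function Get-HttpsHostBinding {
    param([string]$Site)
    # bindingInformation has the form "IP:port:hostname", e.g. "*:443:app".
    # The regex keeps bracketed IPv6 addresses such as "[::1]" intact.
    Get-WebBinding -Name $Site -Protocol https | ForEach-Object {
        if ($_.bindingInformation -match '^(?<ip>.*):(?<port>\d+):(?<hn>[^:]*)$') {
            [pscustomobject]@{
                IP       = $Matches.ip
                Port     = [int]$Matches.port
                HostName = $Matches.hn
                SslFlags = $_.sslFlags
            }
        }
    }
}

# Show what the site answers to today.
$before = @(Get-HttpsHostBinding -Site $siteName)
$before | Format-Table -AutoSize

foreach ($name in $wanted) {
    # Skip names that already have a binding on 443 (-eq is case-insensitive).
    if ($before | Where-Object { $_.Port -eq 443 -and $_.HostName -eq $name }) { continue }
    # Assumption: the existing certificate binding on port 443 is reused here.
    # The certificate is for app.domain.com, so https://app still shows a name mismatch.
    New-WebBinding -Name $siteName -Protocol https -Port 443 -IPAddress '*' -HostHeader $name
    Write-Host "Added https binding *:443:$name"
}

# A binding with an empty host name answers every request on that IP and port,
# including requests made to the bare IP address.
Get-HttpsHostBinding -Site $siteName | Where-Object { -not $_.HostName } | ForEach-Object {
    Write-Warning "Catch-all binding $($_.IP):$($_.Port) answers any Host header."
}
```

After running it, confirm in IIS Manager that each https binding shows the expected certificate.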
 
LVL 11

Author Comment

by:Eric
ID: 41860749
If you remove the host header completely, the site will respond to all requests that come in, so you'd be able to connect using the IP address or any name that resolves to that address. (Host headers allow you to have more than one website bound to the same IP address.)

I knew about the 2nd part as far as multiple sites per server. However, I did not realize it went this far. So, does that make it more secure? Seems like it would unless most IIS vulnerabilities only require hitting the IP in general. If nothing else, I guess it reduces brute force attacks.

How do I add a second host header so https://app/ works again for my local users w/o allowing all requests?
0
 
LVL 11

Author Comment

by:Eric
ID: 41860757
Does it work now using the FQDN after changing the host header (that's the hostname in the site bindings)?

Yes, but https://app no longer works, which makes sense based on the comment above.
0
 
LVL 11

Author Closing Comment

by:Eric
ID: 41861147
Thanks for the help
0

Question has a verified solution.