IIS on 2012 R2 server local access works, remote does not

I set up an IIS server for our application. I got a certificate for app.domain.com and bound it to 443. I had our ISP NAT a public IP to our private IP.

When I try to connect to app.domain.com remotely, I get a 404 error.
When I try to connect to the NAT public IP remotely, I get a cert error, click proceed, then a 404 error.
When I connect using the host name (https://app), I get a cert error, click proceed, and it works.

I disabled the firewall on all network types (for now).
I put app.domain.com in the hosts file.
What else could I be missing here?

domain.com is NOT a name our DCs have zones for. It's public only. All the testing I did remotely, I used a mobile phone or remote desktop from a PC off our network. I am not concerned at this point about local machines connecting using the public DNS or cert.

I'm wondering if it's some new IIS features I am not familiar with restricting public access?
Asked by: Eric (IT Manager)

DrDave242 commented:
The host header tells the website to only respond if the name in the HTTP request matches the name in the host header. So if https://app is the only header on the site, it'll only respond when someone browses to that exact URL, even if other names (app.domain.com, for example) resolve to the same IP address.

If you remove the host header completely, the site will respond to all requests that come in, so you'd be able to connect using the IP address or any name that resolves to that address. (Host headers allow you to have more than one website bound to the same IP address.)
 
David Johnson, CD, MVP (Owner) commented:
At your domain registrar, what are your DNS settings? Do you have an A record pointing to your public IP? You are probably behind a NAT at your modem, and is port 80/443 being redirected to your web server?
 
El Fierro (Network Engineer) commented:
Did you check your DNS settings? Right bound IP on IIS configured? On some host providers you have to set the DNS settings within your account.
 
Eric (IT Manager, author) commented:
We use DNSMadeEasy. I added a host record pointing to the public IP provided. Our ISP hosts our firewall on a Cisco ASA. They created a NAT to point to our internal IP. Our internal IP is a private IP. We do not have internet at our sites, just MPLS.

The fact I get a cert error hints that the forward is working?
 
DrDave242 commented:
> When i try to connect to app.domain.com remotely i get 404 error
> when i try and connect to nat public ip remotely  i get a cert error, click proceed, 404 error
> when i connect using host name (https://app) i get cert error, click proceed, works.

It sounds like there's more than one thing going on here. Since you get a cert error when connecting from outside using the IP address but not the name, it appears that the public DNS host record mapping that name to that IP address is either wrong or nonexistent.

Further, since you can connect from inside using https://app, the host header on the site may be wrong as well. Is there a host header for https://app.domain.com on the site?
 
Eric (IT Manager, author) commented:
> It sounds like there's more than one thing going on here. Since you get a cert error when connecting from outside using the IP address but not the name, it appears that the public DNS host record mapping that name to that IP address is either wrong or nonexistent.
>
> Further, since you can connect from inside using https://app, the host header on the site may be wrong as well. Is there a host header for https://app.domain.com on the site?

If I do an nslookup publicly or locally, I get the correct public IP address. As a matter of fact, that's how I tried the IP: nslookup, then copied and pasted the IP in place of the name.

How do I verify a host header? Clicking around, not finding anything.
I have hostname "app" in the site bindings, All Unassigned, and my cert selected.
 
Eric (IT Manager, author) commented:
Oh mother of god. I just realized the issue by typing above. "app" should be the FQDN. Though not sure why the IP did not still work?
 
DrDave242 commented:
Does it work now using the FQDN after changing the host header (that's the hostname in the site bindings)?
 
David Johnson, CD, MVP (Owner) commented:
Correct, it is the host name. Remember that you can't use the IP address now or you will get the default website.
 
Eric (IT Manager, author) commented:
> If you remove the host header completely, the site will respond to all requests that come in, so you'd be able to connect using the IP address or any name that resolves to that address. (Host headers allow you to have more than one website bound to the same IP address.)

I knew about the 2nd part as far as multiple sites per server. However, I did not realize it went this far. So, does that make it more secure? Seems like it would, unless most IIS vulnerabilities only require hitting the IP in general. If nothing else, I guess it reduces brute force attacks.

How do I add a second host header so https://app/ works again for my local users w/o allowing all requests?
 
Eric (IT Manager, author) commented:
> Does it work now using the FQDN after changing the host header (that's the hostname in the site bindings)?

Yes, but https://app no longer works, which makes sense based on the comment above.
 
Eric (IT Manager, author) commented:
Thanks for the help
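
The host-header behaviour discussed in this thread, and the open question of adding a second host header for https://app, as an added example that is not part of the original thread. The site name `AppSite` and the IP `203.0.113.10` are placeholders, and the script assumes the existing HTTPS binding does not use SNI, so the certificate is bound to the port rather than to a host name.

```powershell
Import-Module WebAdministration

$SiteName  = 'AppSite'         # assumption: use the site's name as shown in IIS Manager
$Fqdn      = 'app.domain.com'  # public name from the thread
$ShortName = 'app'             # internal short name from the thread

# List port, host header and SSL flags of every HTTPS binding on the site.
# bindingInformation has the form "IP:port:hostheader"; the host header may be empty.
function Get-HttpsHostHeader {
    param([string]$Site)
    Get-WebBinding -Name $Site -Protocol https | ForEach-Object {
        $parts = $_.bindingInformation.Split(':')
        [pscustomobject]@{
            Port       = $parts[-2]
            HostHeader = $parts[-1]
            SslFlags   = $_.sslFlags
        }
    }
}

# A request reaches this site only if its Host value equals one of the host
# headers, or if one binding has an empty host header (answers every name and IP).
function Test-HostAnswered {
    param([string]$Site, [string]$RequestHost)
    $headers = @(Get-HttpsHostHeader -Site $Site | ForEach-Object { $_.HostHeader })
    ($headers -contains $RequestHost) -or ($headers -contains '')
}

Get-HttpsHostHeader -Site $SiteName | Format-Table -AutoSize

# Add the short name as a second host header instead of clearing the header.
# SslFlags 0 = no SNI: the binding relies on the certificate already bound to the port.
if (-not (Test-HostAnswered -Site $SiteName -RequestHost $ShortName)) {
    New-WebBinding -Name $SiteName -Protocol https -Port 443 -IPAddress '*' `
        -HostHeader $ShortName -SslFlags 0
}

# Expected after the change: both names answered, the bare IP not answered.
foreach ($name in $Fqdn, $ShortName, '203.0.113.10') {   # constructed sample IP
    '{0,-16} answered by {1}: {2}' -f $name, $SiteName,
        (Test-HostAnswered -Site $SiteName -RequestHost $name)
}
```

The certificate is issued for app.domain.com, so browsing to https://app still produces the name-mismatch warning the asker saw. A `True` for the bare IP means some binding has an empty host header and the site answers every request that reaches the port.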