Solved

IIS on 2012 R2 server local access works, remote does not

Posted on 2016-10-24
Last Modified: 2016-10-26
I set up an IIS server for our application. I got a certificate for app.domain.com and bound it to 443. I had our ISP NAT a public IP to our private IP.

When I try to connect to app.domain.com remotely I get a 404 error.
When I try to connect to the NAT public IP remotely I get a cert error, click proceed, 404 error.
When I connect using the host name (https://app) I get a cert error, click proceed, and it works.

I disabled the firewall on all network types (for now).
I put app.domain.com in the hosts file.
What else could I be missing here?

domain.com is NOT a name our DCs have zones for; it's public only. All the testing I did remotely I used a mobile phone, or Remote Desktop from a PC off our network. I am not concerned at this point about local machines connecting using the public DNS or cert.

I'm wondering if it's some new IIS feature I am not familiar with restricting public access?
Question by: Eric
12 Comments
 
Expert Comment by: David Johnson, CD, MVP (ID: 41857744)

At your domain registrar, what are your DNS settings? Do you have an A record pointing to your public IP? You are probably behind a NAT at your modem; is port 80/443 being redirected to your web server?
 
Expert Comment by: El Fierro (ID: 41857745)

Did you check your DNS settings? Is the right IP bound in IIS? On some host providers you have to set the DNS settings within your account.
 
Author Comment by: Eric (ID: 41857752)

We use DNSMadeEasy. I added a host record pointing to the public IP provided. Our ISP hosts our firewall on a Cisco ASA; they created a NAT to point to our internal IP. Our internal IP is a private IP. We do not have internet at our sites, just MPLS.

The fact I get a cert error hints that the forward is working?
 
Expert Comment by: DrDave242 (ID: 41858811)

> When I try to connect to app.domain.com remotely I get a 404 error.
> When I try to connect to the NAT public IP remotely I get a cert error, click proceed, 404 error.
> When I connect using the host name (https://app) I get a cert error, click proceed, and it works.

It sounds like there's more than one thing going on here. Since you get a cert error when connecting from outside using the IP address but not the name, it appears that the public DNS host record mapping that name to that IP address is either wrong or nonexistent.

Further, since you can connect from inside using https://app, the host header on the site may be wrong as well. Is there a host header for https://app.domain.com on the site?
 
Author Comment by: Eric (ID: 41860362)

> It sounds like there's more than one thing going on here. Since you get a cert error when connecting from outside using the IP address but not the name, it appears that the public DNS host record mapping that name to that IP address is either wrong or nonexistent.
>
> Further, since you can connect from inside using https://app, the host header on the site may be wrong as well. Is there a host header for https://app.domain.com on the site?

If I do an nslookup publicly or locally I get the correct public IP address. As a matter of fact, that's how I tried the IP: nslookup, then copied and pasted the IP in place of the name.

How do I verify a host header? Clicking around, not finding anything.
I have hostname "app" in the site bindings, all unassigned, and my cert selected.
 
Author Comment by: Eric (ID: 41860366)

Oh mother of god. I just realized the issue by typing above. "app" should be the FQDN. Though not sure why the IP did not still work?
 
Expert Comment by: DrDave242 (ID: 41860497)

Does it work now using the FQDN after changing the host header (that's the hostname in the site bindings)?
 
Assisted Solution by: David Johnson, CD, MVP (earned 250 total points; ID: 41860625)

Correct, it is the host name. Remember that you can't use the IP address now or you will get the default website.
 
Accepted Solution by: DrDave242 (earned 250 total points; ID: 41860662)

The host header tells the website to only respond if the name in the HTTP request matches the name in the host header. So if https://app is the only header on the site, it'll only respond when someone browses to that exact URL, even if other names (app.domain.com, for example) resolve to the same IP address.

If you remove the host header completely, the site will respond to all requests that come in, so you'd be able to connect using the IP address or any name that resolves to that address. (Host headers allow you to have more than one website bound to the same IP address.)
 
Author Comment by: Eric (ID: 41860749)

> If you remove the host header completely, the site will respond to all requests that come in, so you'd be able to connect using the IP address or any name that resolves to that address. (Host headers allow you to have more than one website bound to the same IP address.)

I knew about the 2nd part as far as multiple sites per server. However, I did not realize it went this far. So, does that make it more secure? Seems like it would, unless most IIS vulnerabilities only require hitting the IP in general. If nothing else I guess it reduces brute force attacks.

How do I add a second host header so https://app/ works again for my local users without allowing all requests?
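One way to do what the accepted solution describes and what the follow-up question asks for: keep host-header-restricted bindings (so the site never answers the bare IP or unknown names) while adding a second https binding for the short name. This is an added example, not code from the thread; it uses the stock WebAdministration module on Server 2012 R2 (IIS 8.5), and the site name, host names and certificate thumbprint are placeholders.

```powershell
# Added example (not from the thread): manage IIS https bindings with the
# WebAdministration module. Site name, host names and thumbprint are placeholders.
# Run in an elevated PowerShell on the IIS server.
Import-Module WebAdministration

$site       = 'Default Web Site'             # placeholder: the site that holds the app
$thumbprint = 'PLACEHOLDER_CERT_THUMBPRINT'  # from: Get-ChildItem Cert:\LocalMachine\My
$hostNames  = @('app.domain.com', 'app')     # public FQDN plus the short internal name

foreach ($h in $hostNames) {
    $existing = Get-WebBinding -Name $site -Protocol https -Port 443 -HostHeader $h
    if (-not $existing) {
        # -SslFlags 1 = SNI, so several host-header bindings can share port 443
        # on "All Unassigned" (IPAddress '*') without needing one IP per name.
        New-WebBinding -Name $site -Protocol https -Port 443 -IPAddress '*' `
                       -HostHeader $h -SslFlags 1
        $b = Get-WebBinding -Name $site -Protocol https -Port 443 -HostHeader $h
        # Attach the certificate from the machine's Personal ("my") store.
        $b.AddSslCertificate($thumbprint, 'my')
    }
}

# Check the result. bindingInformation is "IP:port:hostheader"; an empty host
# header is the "responds to all requests" case from the accepted solution,
# i.e. the site would also answer the raw public IP.
Get-WebBinding -Name $site | ForEach-Object {
    $info     = $_.bindingInformation
    $hostPart = $info.Split(':')[2]
    if ([string]::IsNullOrEmpty($hostPart)) {
        Write-Warning "$($_.protocol) $info answers any host name or the raw IP address"
    } else {
        Write-Output  "$($_.protocol) $info restricted to host header '$hostPart'"
    }
}
```

The https://app binding still presents a certificate issued to app.domain.com, so browsers will keep showing the certificate warning the question mentions; to clear it, either have internal clients use the FQDN or obtain a certificate whose subject alternative names include the short name.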
 
Author Comment by: Eric (ID: 41860757)

> Does it work now using the FQDN after changing the host header (that's the hostname in the site bindings)?

Yes, but https://app no longer works, which makes sense based on the comment above.
 
Author Closing Comment by: Eric (ID: 41861147)

Thanks for the help
