Setting up IP Address restrictions on IIS7

May 5, 2010

I was asked to set up one of our web servers so that only a certain subset of IP addresses has access to the site, since this server sits in our DMZ. I have basically two sets of addresses to allow in: our internal subnet of addresses and the client’s external IP address.

The first step is to make sure the IP and Domain Restrictions role service has been installed on the server.

If it hasn’t, you can click the “Add Role Service” link and check the box, and the install will commence.

[I’d already installed it when I thought to do the screen caps, so your screen may vary… but it is pretty self-explanatory.]

Once you have installed the role service, restart IIS Manager so the change takes effect. For the website (or application) you want to restrict, you should now see the IPv4 Address and Domain Restrictions icon.

When you select that, you will see the window appear…

Assuming you are not trying to block a small number of addresses, you need to deny access to ALL addresses first. This is done through the Edit Feature Settings… link.

When you click the link, you will see the Edit IP and Domain Restrictions Settings dialog appear.

At this point, you will select ‘Deny’ and click OK. Anyone accessing the site will now get a 403 – Forbidden error:

Since you definitely need to let some IP addresses in, you can specifically add a single address or a range of addresses.

For instance, if I wanted to let only my development PC into the server and its IP address is 10.160.30.90, then I would add an Allow Restriction Rule for my specific IP address:

If I needed a less specific range, I could also add the full range of my internal office network addresses.

My addresses are in the 10.160.30.xxx range, so that is what I’m going to add:

This will be the entire class ‘C’ range (255.255.255.0) of the 10.160.30.0 subnet.

Since the client needs access to this site too, I need to find out what their external IP address is and then add an Allow Restriction for that address.

This assumes that the external address is static – if it’s dynamic and it changes, then you will have to delete and re-add the rule with the new IP address before they will have access again.

[TODO: Experiment to see if this applies to domain restrictions that have dynamic DNS entries]

On one of the client computers, I had them go to their web browser and visit “www.whatIsMyIP.com”**. This will give you the external IP address of your router (if you are using NAT, this is important), so we will know what address to allow in IIS.
[** this is just one of many services out there that do the same thing, no specified preference or endorsement, just the one that I use – there are plenty of other ways, too: http://www.wikihow.com/Find-out-Your-IP-Address ]

I then created the rule and added the new IP address…

Et voilà! – only my internal network and anyone on the client’s network have access to the site – for the rest of the internet, it is a 403 error.
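
The same rules can be scripted with appcmd.exe from PowerShell instead of clicking through IIS Manager. This is an added example, not part of the original post: the site name 'Default Web Site' and the client address 203.0.113.10 are placeholders. It adds the allow entries before switching unlisted addresses to Deny, so the people applying it are not locked out part-way.

```powershell
# Added example: scripted equivalent of the IIS Manager steps in this post.
# Assumptions: $site and the client's external address are placeholders.
$appcmd  = Join-Path $env:windir 'System32\inetsrv\appcmd.exe'
$site    = 'Default Web Site'   # assumed site name, replace with your own
$section = '-section:system.webServer/security/ipSecurity'

# Allow entries from the post: dev PC, internal 10.160.30.0/255.255.255.0,
# plus the client's external address (placeholder value).
$allow = @(
    @{ ip = '10.160.30.90' },
    @{ ip = '10.160.30.0'; mask = '255.255.255.0' },
    @{ ip = '203.0.113.10' }    # placeholder for the client's external IP
)

# Reject values that do not parse as an IP address before touching config.
foreach ($e in $allow) {
    foreach ($v in @($e.ip, $e.mask) | Where-Object { $_ }) {
        $parsed = $null
        if (-not [System.Net.IPAddress]::TryParse($v, [ref]$parsed)) {
            throw "Not a valid IP value: $v"
        }
    }
}

# 1. Add the Allow entries first.
foreach ($e in $allow) {
    $entry = "ipAddress='$($e.ip)',allowed='True'"
    if ($e.mask) {
        $entry = "ipAddress='$($e.ip)',subnetMask='$($e.mask)',allowed='True'"
    }
    & $appcmd set config $site $section ('/+[{0}]' -f $entry) /commit:apphost
    if ($LASTEXITCODE -ne 0) { throw "appcmd failed while adding $($e.ip)" }
}

# 2. Only then deny every address that is not listed
#    (the 'Deny' choice in Edit Feature Settings).
& $appcmd set config $site $section /allowUnlisted:false /commit:apphost
if ($LASTEXITCODE -ne 0) { throw 'appcmd failed while setting allowUnlisted' }

# 3. Show the resulting section so the rules can be reviewed.
& $appcmd list config $site $section
```

Run it from an elevated PowerShell prompt, since the changes are committed to applicationHost.config.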

Next up, I need to build a custom error page to set the users on the right path, in case they hit the test site in error.

Related Links:

More information is here, straight from Microsoft:
http://technet.microsoft.com/en-us/library/cc770819(WS.10).aspx

The original post I saw that got me going:
http://omensblog.blogspot.com/

Getting your IP address:
http://www.wikihow.com/Find-out-Your-IP-Address
