Host Web Application in IIS ONLY for users logged into the hosting machine - asp.net

We have developed a web application to display sensitive information over our company's intranet. We had initially planned to implement sufficient security to allow remote access via the intranet to the application through a browser. But, due to unforeseen requirements from our security team, we have decided not to allow remote access. We would still like a small number of users to be able to access the application, so here's the question. How can you host a web application in IIS visible only to users logged into the hosting machine? (The machine is both the host of the web app, and the only machine where the web app would be visible.)
I'm relatively new to IIS, so please speak as plainly as possible.
It seems like there must exist some setting in IIS to limit incoming and outgoing requests to the current machine.

It's possible to block all IP addresses with the following:
Which can be found in IIS 7 at this location:
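An added example, not part of the original answer or its missing screenshots: on IIS 7 or later, a loopback-only restriction can be written with the `ipSecurity` section. The site and application name ("Default Web Site/SensitiveApp") is hypothetical.

```xml
<!-- Added example; "Default Web Site/SensitiveApp" is a hypothetical name. -->
<!-- File: %windir%\System32\inetsrv\config\applicationHost.config -->
<location path="Default Web Site/SensitiveApp">
  <system.webServer>
    <security>
      <!-- allowUnlisted="false" denies every client address that has no
           explicit allow entry below (the default is "true": allow all). -->
      <ipSecurity allowUnlisted="false">
        <!-- Only requests arriving from the IPv4 loopback address, i.e. a
             browser running on the hosting machine itself, are accepted. -->
        <add ipAddress="127.0.0.1" allowed="true" />
      </ipSecurity>
    </security>
  </system.webServer>
</location>
```

The section needs the IP and Domain Restrictions role service installed, and it is locked at server level by default, which is why the fragment sits in applicationHost.config rather than in the application's web.config. Binding the site to 127.0.0.1 in its bindings adds a second layer, since IIS then does not listen on the machine's network-facing addresses at all.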

Related

How necessary is DNS Server to run an ASP.NET web app on IIS?

Assuming a Windows Server 2012 VPS:
It seems that many tutorials include the setting up of DNS Server (setup of forward lookup zones, and A record) as part of the basic steps to deploy and run an ASP.NET web application on IIS.
I'm slightly confused, because within IIS manager you can set the bindings (IP address, URL, SSL, port) of a web application. Wouldn't this alone not suffice to correctly route incoming requests to the correct web application?
What would be the advantage to running DNS Server?
IIS Manager can only manage IIS related Windows settings, but to make a site work you need many more settings than that.
DNS settings are critical to direct web browsers to your site. Nobody uses IP addresses to access a site, so a typical URL uses a domain name. That requires DNS to translate the domain name to an IP address so that browsers can send HTTP packets to the proper location.
IIS Manager could not manage that for you, as which DNS product to use or how to configure it is usually vendor specific and out of IIS's scope.

IP permission problem in Web Service Publish

I have a weird case here at work.
The customer (telecommunication firm) has a server to which we publish asp.net web service code which we designed for them. We use that server and web service to get data from the customer's own web service and give it out for the client (telephone) to use.
The customer does not allow us to code on the remote server, so we have to work on local computer.
The customer has 2 IPs for its own web services. One of them can be reached only from the remote server, this is an internal IP. Second IP is public which I can reach from my local computer. They address the same methods. For security reasons, they divided IPs.
Everything is fine while developing on local. But when I need to publish the web service to the server, I need to change the web service URLs to the remote server's internal IP. But the local Visual Studio web reference doesn't change the web service URLs because it can't reach the service, as it is only permitted to be reached from the server. So I cannot get a build and publish my code.
Somehow I need to change my Visual Studio reference URLs to the internal IP (so far nobody can reach from local), in order
Hope I am clear.
Thanks
It can be changed from the web.config of your local project.

WCF service hosted on IIS and client website on IIS

Here's the desired setup:
Service with wsHttpBinding is on IIS 6 on Machine 1 behind the firewall.
Client is front end website on IIS 6 on Machine 2 on a DMZ.
We are currently able to authenticate the client using Windows authentication, but with impersonation
<identity impersonate="true" userName="OurCompany\Me" password="Blahblahblah" />
since the website would use the "ASPNET" as username, which is not in the domain.
We now want to move away from this method, because of a safety issue; we don't want to expose this kind of info on the DMZ.
Is there any way to get authenticated properly without using the impersonate on the client config?
If we changed so that we use certificate authentication, would it affect service operations that require impersonations (needed impersonations for file access on the network for example)?
thanks.
This has been resolved now, and I think it'd be constructive to share the solutions.
In terms of my original question - whether it's possible to do impersonation without setting it explicitly in the config or in the front end code. As mentioned by the above, the App Pool method does work, but only when both the client and server are on the same domain.
Since the web site client, being situated in the DMZ, has no access to the local network at all, we are unable to impersonate any network user (this is a flaw in my original question, saying the impersonation works - it was actually not working).
So the only way to go was using a certificate. Since this is internal communication, I have generated a test certificate on each of the server / client sides with makecert. Using peer trust certificate authentication, I am able to get the communication working between the client and the server. This will ensure that no Windows / network user account information is presented in the DMZ zone.

Is it possible to manipulate an asp.net web application cache from outside the web?

I have a situation very similar to the one in this question:
Selective Cache clearing across load balanced servers (ASP.Net)
The difference is that due to our hosting configuration, I am unable to address individual servers by IP address. Assuming I cannot access specific servers via web requests, is it possible to access the HttpContext of a web application running on the same machine? I'm thinking I could accomplish this with a windows service that I could address by machine name, or alternately a console application, I just don't know if I can gain access to the web application cache either way.
You can expose content of the WebCache of an app through some Remoting/WCF code built into the web app. I hope you can use localhost to access it from an app on the same box.

Internal ASP.NET Web Application deployment to IIS

I have an ASP.NET 2.0 application that I am deploying to an IIS 6.0 web server. My ASP.NET application is being deployed as a virtual directory. Currently, this ASP.NET application is publicly visible on the internet. However, I need the ASP.NET application to run only inside of my corporate firewall.
How do I configure my application so that individuals outside of my company canNOT access/use the web application?
Thank you,
I would do one of the following:
if your app is standalone
1: create separate site for your application with DNS host name that is internal
if not
2: apply security to your virtual directory (windows auth can be seamless)
I suggest,
Use the corporate firewall to block all external requests to this IIS server. Consult your IT guys, as it's quite easy for them to do that for you.
Or use IP policy in IIS Manager to allow internal IP range but block all others. This is simply a workaround, which has worse performance than 1.
Probably a question best suited for ServerFault, but you will need to have an IP address that is only internally viewable from the corporate firewall. You probably have an IT department, so ask them for an internal-only IP address and then assign the IP address they give you in IIS.
