Hi All
I've been trying for the past 24 hours to get IP restrictions working on my Windows 2008 R2 server with IIS 7.5 with no joy.
My client is running a windows 2008 R2 server (DC) with a bespoke database web app running in a virtual directory under the default website which they access viahttp://<server>/<v-dir>
We have now installed exchange 2103 on this server which has required up opening up ports 80/443 to the internet to get OWA working. Unfortunately this means their bespoke web app is also now accessible from the internet.
I wanted to create an IP restriction on the virtual directory blocking all but internal addresses. (Clients internal IP range is 192.168.1.1-254)
I've used the same whitelisting method as described in this post https://forums.iis.net/p/1161903/1921836.aspx
I took the following steps (all actions including tests were done on the server)
- In IE go to http://<server>/<v-dir> to check site is running
- Verify IIS has IP restrictions module installed. Open IIS manager, Navigate to Server->Sites->Default Web Site -> <V-DIR>
- Double click IP Address & Doman Restrictions. Allow/Deny list is empty. Click Edit Feature Settings -> Select Deny -> Click Ok
- Retest Website in IE -> HTTP error 403.6 Forbidden. So far so good!
- Back to IIS, click Add Allow Entry -> IP Address Range -> IP Address : 192.168.1.0 Mask 255.255.255.0 ->Click OK
- Verify Allow Range appears in list.
- Now Retest Website in IE -> Still get HTTP error 403.6 Forbidden.
![Cry]( "Cry")
I have even tried adding additional Allow Entries for the individual addresses the server uses (192.168.1.1,2 &3) as well as loopback addresses 127.0.0.0 & 127.0.0.1 but I still get error 403.6 Forbidden when accessing the site.
It seems as if the allow entries are being ignored.
For the time being I have had to lock the VDIR down by switching off anon users and using authorization rules to restrict access to domain users only. Unfortunately when you try and access externally you get a login box which I don't really want. IP restriction is my preferred method.
Thanks
Mark