9 Replies Latest reply on Feb 21, 2013 3:39 AM by steve.winter

    Restrict IPs in IIS7 on default fm site

    kiwikaty

      Hi

       

      Does anyone have a set of instuctions on restricting IPs in IIS7 for the default fm site? I have been able to do this on a site where I use fm and CWP but not for the default site.

       

      Many thanks

      Katy

        • 1. Re: Restrict IPs in IIS7 on default fm site
          steve.winter

          Hi Katy

           

          I'm not sure what you mean by 'the default fm website', but take a look at http://support.microsoft.com/kb/324066 Although it's written as if you're trying to migrate existing access rules from Apache, if you look down to the section 'Define Access Control for Specific Folder or Site' it provides step-by-step instructions to allow you to configure IP-based security on IIS…

           

          HTH

           

          Cheers

          Steve

          • 2. Re: Restrict IPs in IIS7 on default fm site
            kiwikaty

            Hi Steve

             

            Thank you so much for your reply, those instructions work well in IIS v6 but they made things a little more complicated in IIS v7. After not being able to get it work for that other CWP site I finally found an article on the net that showing me how to get the contents view and apply the restrictions to the site folder or file/page. (once you have located the correct folder/file under contents view you then right click it and go back to features view and set the IP restrictions in IPv4 Address and Domain Restrictions – if you just try to set it from the site Home like I initially was it was not working on our server).

             

            Unfortunately when I try to repeat the same things for the fm default site I have not had any luck. Perhaps I am digging too deep. I just thought there might be someone who has server 2008 and IIS who has had to restrict the IP access to the default site and might know which folder/file I need to locate under contents view?. I am wondering if it is the “Jakarta “folder which is the virtual directory under the home site?

             

            I will have another go when I can next take the server offline – last time I played with this I created a bit of mayhem so thought might try and approach it with a better understanding of what it was I was meant to be doing this time! ☺

             

            Kind regards

            Katy

             

            P.S Thanks again for all your wonderful help at devcon last year Steve, I would not have got the CWP site off the ground without all your amazing assistance!

            • 3. Re: Restrict IPs in IIS7 on default fm site
              steve.winter

              Hi Katy

               

              Now I understand what you mean by the fm default site, you mean access to the URLs which begin /fmi/ and include the access to the XML interface, IWP etc don't you…?

               

              One what which I've unintentionally very effectively prevented access to this in the past is to use the URL rewrite module for IIS. Essentially what you do is set a rewrite rule which captures any traffic which is not a real file, not a real folder, and not from a specified address (or addresses) and redirect them to a given file.

               

              I usually develop web apps which use a single index.php file, and pass all URLs through that, so even things like http://site/folder/action aren't really folders, they just get redirected to index.php which works out what to do with them. To enable that, I use the URL rewrite module, which creates the necessary redirect, and if I forget to tell it to ignore activity from the local host it also cut off access to the FMS running on the same machine.

               

              I've attached a screenshot of the relevant parts of a rule which you could implement to do exactly that, otherwise I'm not really sure how you would go about it, since although it is the 'Jakarta' icon in IIS which provides the mapping to the /fmi/ folders, it will not take security parameters (as you've discovered)…

               

               

              The 'pattern' says 'match everything' the 'conditions' prevent it from matching for an existing file, an existing directory, and for connections from the local machine, the Rewrite URL sends everything else to index.php.

               

              You could replace/modify the to match whichever machines were allowed access to /fmi and modify index.php with 'forbidden.php' and have a message on there which says 'not from where you are'…

               

              If you do decide to do this, proceed with caution, since the IIS Web Installer, which one would normally use to install the URL rewrite module has a nasty habit of destroying the FileMaker ISAPI filter, and thereby completely removing all access to your FMS from the web - ensure that you record the settings for that so that if it happens you can (manually) put it back (no amount of redeploying FMS will resolve it, if you break the ISAPI filter using the web installer, then you either have to put it back manually, or reinstall both IIS and FMS from scratch to get it all back

               

              Hope this makes sense, and helps...

               

              Cheers

              Steve

               

              PS _ I did wonder if kiwikaty was you

              • 4. Re: Restrict IPs in IIS7 on default fm site
                kiwikaty

                Hi Steve

                 

                I back revisiting this and was wondering if I could seek your advice again? The php for the 4 cwp sites we run are sitting on 4 virtual servers each of which have their own IP and I am not sure what web server software they use as they are centrally managed. The cwp all point to this shared fm server which is running IIS but there is no php located on it. It is simply running the default jakarta site.

                 

                The screen shot you posted 6 months ago does not seem to be available and maybe this would be helpful... as I am not sure where the redirect would need to be placed given that the php for the sites are not actually on this server. I want to be able to limit it to just the 4 IP'd but this does not seem to be an easy thing to do; especially with my limited knowledge!

                I  very much appreciate your time and advice.  Kind regards Katy

                • 5. Re: Restrict IPs in IIS7 on default fm site
                  steve.winter

                  Kia ora Katy...!

                   

                  As I understand it your FMS is running IIS, but none of the websites you want to deliver have their PHP on that server. Is that correct...? And you want to restrict access to IIS on the FMS to the IP addresses of the four machines on which the PHP for the sites is running. Also correct...?

                   

                  If so, then rather than using the URL rewrite module, take a look at http://www.hrzdata.com/node/46 which has a step-by-step description of how to go about achieving what you're trying to.

                   

                  If either of my assumptions above are incorrect, let me know and I'll provide an alternative suggestion.

                   

                  Cheers

                  Steve

                  • 6. Re: Restrict IPs in IIS7 on default fm site
                    kiwikaty

                    Hi Steve

                     

                    Thank you so much for this. I do have this IIS role installed and am using it effectively for another fm website being served by the IIS using another IP but last time I played with this I could only get it to work if you applied the restrictions to the site “page” but when applied it to a site it did not have any effect e.g it allowed all IP’s through despite the restrictions in place. It is only because the default fm site has no physical pages as such that I have had no prior success applying the IP restrictions. I did have the default for the feature set to DENY so this was not the issue.

                     

                    I will try to find a time when the websites are not being accessed heavily and have another go at this and in the meantime will approach the network admin to put some firewall restrictions in place.

                     

                    I really appreciate your time in replying.

                     

                    Kind Regards

                     

                    Katy Butterworth

                    Database Developer/Analyst

                    Faculty of Education

                    University of Auckland

                    Private Bag 92602, Symonds Street, Auckland 1150

                    +64 9 6238899

                     

                    The information contained in this email message is intended only for the named recipient(s). If you are not the intended recipient please accept our apologies for any error and note that any use, disclosure, storage or copying of this email is strictly prohibited. If you receive this email in error please immediately notify the sender and delete the original message.

                    • 7. Re: Restrict IPs in IIS7 on default fm site
                      steve.winter

                      Hi Katy

                       

                      In that case the alternative is the URL rewrite module in conjunction with restrictions.

                       

                      If you visit http://www.iis.net/downloads/microsoft/url-rewrite from the server and install the extension, then set up a rule which redirects all traffic to the server to a single page unless it's from one of the IP addresses that you want to allow. Then apply the same security rules to that page, such that everything will be redirected to that page, but that page is set to deny from all.

                       

                      In the URL rewrite module, start with a blank rule, give it any name you like, then the key things you'd need are;

                      Screen Shot 2013-02-19 at 08.52.08.png

                       

                      This pattern will match all traffic to the server - this is what you want, since you want to prevent all but permitted access.

                       

                      Add a condition such that the REMOTE_ADDR does not match each of the four IP addresses that you want to allow to access the site.

                      Screen Shot 2013-02-19 at 08.57.22.png

                       

                      Then lastly a condition which allows any 'real' files which exit to be accessed - this will let the redirect below function and prevent an infinite loop from forming.

                      Screen Shot 2013-02-19 at 08.55.25.png

                       

                      In c:\inetpub\wwwroot create a page called no access.html (or whatever you like). This page can either be an HTML page which says 'Forbidden' (or anything else you want), or you can then apply access rules to that page which deny access from everywhere. Then redirect all traffic which gets 'caught' by tis rule to that page.

                       

                      Now you've got a 'trap' into which all traffic which doesn't match the IP addresses will fall.

                       

                      Of course firewall rules are also a great way of doing this (in many respects a better way) but that does take their management our of your hands…

                       

                      Hope this helps.

                       

                      Cheers

                      Steve

                       

                      Message was edited by: steveWinter

                      • 8. Re: Restrict IPs in IIS7 on default fm site
                        kiwikaty

                        All I can say is “Wow”! You are so kind and generous with your advice. Thank you so much Steve.

                         

                        Kind Regards

                         

                        Katy Butterworth

                        Database Developer/Analyst

                        Faculty of Education

                        University of Auckland

                        Private Bag 92602, Symonds Street, Auckland 1150

                        +64 9 6238899

                         

                        The information contained in this email message is intended only for the named recipient(s). If you are not the intended recipient please accept our apologies for any error and note that any use, disclosure, storage or copying of this email is strictly prohibited. If you receive this email in error please immediately notify the sender and delete the original message.

                        • 9. Re: Restrict IPs in IIS7 on default fm site
                          steve.winter

                          Katy

                           

                          Just seen this on the website and realised that all the images hadn't survived through to the web - I've added them in now, which makes the text make a lot more sense...

                           

                          Hope you get things working ok...

                           

                          Cheers

                          Steve