IIS7 IPv4 address and domain restrictions - Deny public Internet [Answered]

3 replies

Last post Oct 23, 2009 05:41 AM by Leo Tang - MSFT

  • IIS7 IPv4 address and domain restrictions - Deny public Internet

    Oct 20, 2009 01:19 AM|Keep it Simple

    At the web server level (i.e. not taking into consideration routers, firewalls, etc.), how do you allow computers on your network to access IIS 7 (serving as an intranet) but block all public IP access?

    I'm assuming:

    1. Allow IP address range: 192.168.10.0 with a subnet mask of 255.255.255.0

    2. Deny IP address range: 0.0.0.0 with a subnet mask of 0.0.0.0

    Not entirely sure, please advise ... thanks

  • Re: IIS7 IPv4 address and domain restrictions - Deny public Internet

    Oct 20, 2009 02:53 AM|lextm

    Suggest you use a white list approach,

    1. In IIS Manager, click on IP Address and Domain Restrictions.

    2. Click Edit Feature Settings in the right panel.

    3. Choose Deny from the list, and click OK.

    4. Click Add Allow Entry and add IP addresses and/or ranges.

    In this way all unknown IP addresses will be forbidden.

    Regards,

    Lex Li
    IIS Consulting Services at https://support.lextudio.com/services/consulting.html
    ---------------------------
    This posting is provided "AS IS" with no warranties, and confers no rights.
  • Re: IIS7 IPv4 address and domain restrictions - Deny public Internet

    Oct 22, 2009 09:41 PM|Keep it Simple

    In Step 3, choose Deny etc. What IP Address range do I enter? Is it 0.0.0.0 with mask 0.0.0.0? Please advise ...

    Also, my understanding is that Step 3 and 4 should be swapped because, as per your suggestion, if the Deny rule is hit first, nobody will gain access. So it should have an Allow rule for the legitimate IP addresses followed by the Deny rule for all others. Please correct me if I'm wrong ...

  • Re: IIS7 IPv4 address and domain restrictions - Deny public Internet

    Oct 23, 2009 05:41 AM|Leo Tang - MSFT

    Hi,

    You can add an Allow Entry:

    address range: 192.168.10.0 with a subnet mask of 255.255.255.0

    Then, click Edit Feature Settings… on the Actions panel, select Deny Access for unspecified clients, and click OK.

    Please mark the replies as answers if they help or unmark if not.
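
Added example (not part of the thread, and not Microsoft's code): a small Python check over a constructed web.config that models the `<ipSecurity>` configuration section behind this feature, showing that an Allow entry alone leaves public clients served until access for unspecified clients is set to Deny. The matching logic is a simplified assumption (first matching entry wins, IPv4 address entries only); the sample config, test addresses and function names are constructed for illustration.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample web.config fragments (not taken from the thread).
# WEAK: Allow entry only; allowUnlisted is left at its default of true.
WEAK = """<configuration><system.webServer><security>
  <ipSecurity>
    <add ipAddress="192.168.10.0" subnetMask="255.255.255.0" allowed="true" />
  </ipSecurity>
</security></system.webServer></configuration>"""

# FIXED: same Allow entry, plus Deny for unspecified clients.
FIXED = WEAK.replace("<ipSecurity>", '<ipSecurity allowUnlisted="false">')


def is_allowed(web_config: str, client_ip: str) -> bool:
    """Simplified model: first matching <add> entry wins, else allowUnlisted."""
    sec = next(ET.fromstring(web_config).iter("ipSecurity"), None)
    if sec is None:
        return True  # no restrictions configured at all
    client = ipaddress.ip_address(client_ip)
    for entry in sec.findall("add"):
        addr = entry.get("ipAddress")
        if addr is None:
            continue  # domainName entries are out of scope for this model
        mask = entry.get("subnetMask", "255.255.255.255")
        net = ipaddress.ip_network(f"{addr}/{mask}", strict=False)
        if client in net:
            return entry.get("allowed", "false").lower() == "true"
    # No entry matched: the feature-level setting decides.
    return sec.get("allowUnlisted", "true").lower() == "true"


def audit(web_config: str) -> list:
    """Return findings if a public client is served or the intranet is blocked."""
    findings = []
    if is_allowed(web_config, "203.0.113.7"):  # TEST-NET-3 stands in for a public client
        findings.append("public client allowed")
    if not is_allowed(web_config, "192.168.10.25"):  # host inside the allowed range
        findings.append("intranet client denied")
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK), ("fixed", FIXED)):
        print(name, audit(cfg) or "ok")
```
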