locked
IP Address Restriction Not Working RRS feed

  • Question

  • User-1306880496 posted

    I've been trying to get IP Address restrictions working on a website. When I change the feature settings for unspecified clients to deny, on one server it works fine and immediately blocks everyone but on the other it has no effect. I feel like I'm missing something really simple?

    Both servers are patched up to date running 2012R2 and IIS 8.5. The only differences are that the server it works on is stand alone and hosted locally. The server it doesn't work on is hosted in Azure, it was part of a shared configuration cluster but I've removed that now.

    Any ideas?

    Sunday, July 16, 2017 11:03 AM

Answers

  • User-1306880496 posted

    Finally figured it out. 

    Looks like when the shared configuration was created the IP Address restriction module was not installed, so it wasn't listed in the shared config. Re-created the shared config and everything now working ok.

    Thanks for the help.

    • Marked as answer by Anonymous Tuesday, September 28, 2021 12:00 AM
    Wednesday, July 19, 2017 10:05 AM

All replies

  • User-460007017 posted

    Hi jonn7219,

    Now that the IP address restriction is not working in Azure, have you tried to enable the proxy mode in IIS manager->site node->Enable proxy mode. If you don't enable the proxy mode, then when you access the azure site, the IP address will be the proxy IP address. So if you need the IIS to block the IP address behind proxy via x-forwarded-for.

    https://blogs.iis.net/wadeh/dynamic-ip-restriction-proxy-mode

    Best Regards,

    Yuk Ding

    Monday, July 17, 2017 3:13 AM
  • User-1306880496 posted

    I've tried the Enable Proxy Mode option but it makes no difference. But at the moment as I'm trying to block everything (so no IP address entries and Unspecific Clients set to Deny), the proxy mode shouldn't be relevant anyway should it?

    Monday, July 17, 2017 8:15 AM
  • User-460007017 posted

    Hi jonn7219,

    Which level did you set the IP restriction, if you set the access for unspecified clients in server node, it could not work. So please ensure the IP restriction is set in site level. Or you could go to system.webServer/security/ipSecurity in configuration editor to check whether allowunlisted is set to false.

    If the steps above is not working, you could try to reinstall the ipsecurity feature in server manager.

    Best Regards,

    Yuk Ding

    Tuesday, July 18, 2017 8:42 AM
  • User-1306880496 posted

    Hi Yuk

    I set the IP restriction at the site level and I've confirmed it was showing correctly in the configuration file as well.

    I've also tried accessing the website internally/directly rather than going through the Azure endpoint and got the same result.

    I'll try uninstalling and reinstalling the IP security feature.

    Thanks Jon

    Tuesday, July 18, 2017 10:10 AM
  • User-1306880496 posted

    Finally figured it out. 

    Looks like when the shared configuration was created the IP Address restriction module was not installed, so it wasn't listed in the shared config. Re-created the shared config and everything now working ok.

    Thanks for the help.

    • Marked as answer by Anonymous Tuesday, September 28, 2021 12:00 AM
    Wednesday, July 19, 2017 10:05 AM
  • User-460007017 posted

    Hi jonn7219,

    Thanks for sharing your experience.It will be appreciated if you could mark yourself as answer.

    Best Regards,

    Yuk Ding

    Friday, July 21, 2017 6:12 AM