I have a multitenant Windows 2012 machine running several IIS websites, each running in its own application pool with its own Windows user identity, and I need to restrict all outbound network access from each application pool.
I've been searching for a solution but with little success. I would think that one can either restrict the connection per Windows user, or "map" an IP to a Windows user and restrict by IP. But there doesn't seem to be anything that allows me to do either of the approaches. I've investigated:
- Using Windows Firewall -> doesn't allow creating rules per user, only per IP/port/process name
- Using ASP.NET/IIS security restrictions -> They are all inbound and not outbound.
- Using multiple IPs -> cannot assign an outbound IP to the corresponding application pool
- Using containers -> typically containers share the same IPs as well ... and it's still a Technology Preview for Windows 2016
- Using .NET proxy settings -> doesn't cover non-HTTP/HTTPS connections, like ADO.NET.
I did find in Linux (iptables module ipt_owner) exactly what I need, but switching operating system is not an option. I need the same but for Windows.
I'm open to developing some IIS module or system service that runs on the machine to achieve this, but I don't see how an IIS module can manage the worker process outbound connections, and implementing a system service that manages processes' network connections seems to me a very big project, with a high risk of causing network issues on the machine ...
Do you have any other ideas worth investigating?
Thanks in advance for any help you can provide.
Cheers
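While a per-pool egress control is still being looked for, a defender at least wants to see which application pool is making which outbound connections. The script below is an added example, not code from the original post: it maps each IIS worker process PID to its application pool through the IIS WMI provider (`root\WebAdministration`, class `WorkerProcess`, which needs the "IIS Management Scripts and Tools" role service) and joins that to the established TCP connections reported by `Get-NetTCPConnection` (Windows Server 2012 and later). Because every pool runs the same `w3wp.exe` image, a process-name firewall rule cannot tell the pools apart, so the PID-to-pool mapping is what gives per-tenant visibility. It assumes an elevated PowerShell session on the IIS host and only reports; it does not block anything.

```powershell
# Added example (not from the original post): per-application-pool view of
# outbound TCP connections on an IIS host. Visibility only, no enforcement.
# Assumes: Windows Server 2012+ (Get-NetTCPConnection), the IIS WMI provider in
# root\WebAdministration (IIS Management Scripts and Tools installed), and an
# elevated PowerShell session.

# Map worker-process PID -> application pool name via the IIS WMI provider.
$poolByPid = @{}
Get-CimInstance -Namespace 'root\WebAdministration' -ClassName WorkerProcess |
    ForEach-Object { $poolByPid[[int]$_.ProcessId] = $_.AppPoolName }

# Treat a connection as egress when it belongs to a worker process and its
# remote address is not one of this machine's own addresses.
$localAddrs = (Get-NetIPAddress).IPAddress
$egress = Get-NetTCPConnection -State Established |
    Where-Object {
        $poolByPid.ContainsKey([int]$_.OwningProcess) -and
        ($localAddrs -notcontains $_.RemoteAddress)
    } |
    ForEach-Object {
        [pscustomobject]@{
            AppPool       = $poolByPid[[int]$_.OwningProcess]
            Pid           = $_.OwningProcess
            RemoteAddress = $_.RemoteAddress
            RemotePort    = $_.RemotePort
        }
    }

# Summarise per pool: distinct remote endpoints each pool is currently talking to.
$egress |
    Sort-Object AppPool, RemoteAddress, RemotePort -Unique |
    Group-Object AppPool |
    ForEach-Object {
        "{0}: {1} distinct remote endpoint(s)" -f $_.Name, $_.Count
        $_.Group | ForEach-Object { "    PID {0} -> {1}:{2}" -f $_.Pid, $_.RemoteAddress, $_.RemotePort }
    }
```

Run it periodically (or wrap it in a scheduled task that writes the objects to a CSV) and the per-pool endpoint lists become a baseline: a tenant pool that suddenly talks to an address outside its expected set is the event worth alerting on, whichever enforcement mechanism is eventually chosen.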