
(I'll approach this very broadly. I've tried a few things in the Firewall that haven't shaken out)

Problem

I am having difficulty setting up a private application and a public application in the same Site.


Description

I have a Windows Server (2012 R2) running in our DMZ. I have a system that involves several service applications and I would like all of these services to be bound to the same port. But one of these applications is the external entry point (name it [public]) and the other applications are supporting applications (let's name one [private] for discussion).

Assume that I have created a Site in IIS called [com] which is bound to port 9713. Two applications are added to this Site.

I want [public] available on 0.0.0.0:9713. I want [private] available only on 127.x.x.x:9713.

Can someone point me in the direction of documentation, examples, tutorials, etc that would accomplish this? My research is turning up sparse results.

I tried stacking 2 Inbound Rules, one that denied application [IIS:\com\private] and one that opened port 9713, but in a test from a separate machine, both applications were made available across the external interface. I tried fiddling with the order of the rules to see if the Allow Port rule was precluding the Deny Application rule, but the result was the same.

(maybe they didn't actually get reordered??)

K. Alan Bates
  • Note that I typically solve this problem outside of IIS by self-hosting the private services declaratively on the localhost adapter. It would be handy to know [`how to do`/`if it is possible to do`] this in IIS though. – K. Alan Bates Jan 28 '16 at 21:56

2 Answers


Generally 0.0.0.0 stands for the broadcast (meaning everything including 127.0.0.0/8).

What this means for you is that the combination you want to achieve is not possible. You will need to explicitly list the IPs you want to listen on if you want to do it IP based.

serverhorror
  • I was using `0.0.0.0` as a stand-in for "all interfaces" and `127.x.x.x` for "local interface" `re:IP` I'm not really wanting to do this IP-based, if at all possible. If my usage improperly limited your ideas to IP-based solutions, does this information change any of your recommendations? I want [public] to be on the external adapter and [private] to be on the internal adapter on the same port. That is the goal. Perhaps splitting the site into two sites ("public" and "private") and using a host header would make it possible? – K. Alan Bates Jan 28 '16 at 17:46
  • So assign `[public]` to the IPs of the external adaptor and `[private]` to the IPs of the internal adaptor? The thing is with IP based on that level I'm not talking about IP based VHost but your question simply evolves around IP. You can choose a different path and let all sites listen on all interfaces and limit by saying that only requests *from* `127.0.0.0/8` are allowed... – serverhorror Jan 28 '16 at 17:49
  • (following your second path) [assuming 1 site still] ...so, how would I manipulate a binding for an individual application so that the public application allowed requests from all addresses but all of the private ones only served to `127.0.0.0/8`? I'm only aware of methods of configuring the binding at the site level. That's why I was trying to bind it "open throttle" and then use the firewall to restrict external traffic at the application level. (I wasn't sure if I could refer to an application inside `IIS:\ ` for my restrictions, but I thought it was worth a shot.) – K. Alan Bates Jan 28 '16 at 18:01

The basic way to approximate what I wanted was to split the application host into two separate sites:

  1. com.mycompany
  2. com.mycompany.private

so that I could split the binding to apply *:9713:* to Site 1 and 127.0.0.1:9713:* to Site 2.

Re-added the "private" service to the private host and everything is behaving as I desired.

I am still curious to know if it is possible to handle this at the Firewall with application filtering.

K. Alan Bates
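The two-site split described in this answer, scripted with the WebAdministration module, as an added example that is not part of the original post. The site names and port come from the answer; the physical paths, the placeholder external address, and the index files used for the check are assumptions.

```powershell
# Added example (not from the original post): build the two sites with the
# bindings *:9713:* and 127.0.0.1:9713:* and then check which address serves /private/.
Import-Module WebAdministration

$Port        = 9713
$PublicRoot  = 'C:\inetpub\com.mycompany'           # assumed path
$PrivateRoot = 'C:\inetpub\com.mycompany.private'   # assumed path
$ExternalIp  = '203.0.113.10'                       # placeholder for the DMZ adapter address

# Create the content directories with a marker page so the check below gets a 200.
foreach ($p in $PublicRoot, $PrivateRoot, "$PrivateRoot\private") {
    if (-not (Test-Path $p)) { New-Item -ItemType Directory -Path $p | Out-Null }
    Set-Content -Path "$p\index.html" -Value "<html><body>$p</body></html>"
}

# Site 1: the public entry point, bound to every address (*:9713:*).
New-Website -Name 'com.mycompany' -PhysicalPath $PublicRoot `
    -Port $Port -IPAddress '*' | Out-Null

# Site 2: the supporting services, bound only to loopback (127.0.0.1:9713:*).
# HTTP.sys prefers the more specific binding, so a request to 127.0.0.1:9713
# reaches this site while the same port on any other address reaches Site 1.
# Note the binding covers 127.0.0.1 only, not the rest of 127.0.0.0/8 and not
# the server's own external address.
New-Website -Name 'com.mycompany.private' -PhysicalPath $PrivateRoot `
    -Port $Port -IPAddress '127.0.0.1' | Out-Null

# Re-add the "private" application under the loopback-only site.
New-WebApplication -Site 'com.mycompany.private' -Name 'private' `
    -PhysicalPath "$PrivateRoot\private" | Out-Null

# Check 1: the bindings read as intended.
Get-WebBinding | Where-Object { $_.bindingInformation -like "*:${Port}:*" } |
    Select-Object protocol, bindingInformation

# Check 2: /private/ answers on loopback (200) but not on the external
# address (404, since Site 1 has no such application).
foreach ($addr in '127.0.0.1', $ExternalIp) {
    try {
        $r = Invoke-WebRequest -Uri "http://${addr}:${Port}/private/" -UseBasicParsing -TimeoutSec 5
        "$addr -> HTTP $($r.StatusCode)"
    } catch {
        "$addr -> $($_.Exception.Message)"   # expected for the external address
    }
}
```

The second check exercises the binding from the server itself; repeating the external request from a separate machine, as the question did, confirms that the private application is unreachable across the DMZ interface regardless of firewall rules.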