
One of our departments is working with an internal web application.

Short overview of the current state of the web application:

  • The web application was developed by an external company
  • The web application is running on a VM in our environment
  • The web application is installed on Windows Server 2016 and includes the IIS role
  • The web application URL is accessible over the LAN to every domain user (around 500 users)

Our request:

This application has high security relevance for us. That's why we would like to activate all possible security settings so that only allowed users can access this web application.

What we want:

  • Even though this application has a web login, this website should not be accessible to the 500 users in our domain from everywhere in our network.
  • We would like to prevent access to this website over our Citrix environment (even if one member of the small team tries it)
  • There is a small team that works with this web application and has access to it over the URL. We should only make this website accessible to these few users. (This should happen without changing the application (code or whatever); even if we would like to, we couldn't, because it wasn't developed by us.)

What we imagine:

  • Something where we can define on the server side that it should only accept requests from a specific IP address / IP range.

or

  • Something where we can define a list of domain users; if they request this website, it should be allowed, but only if they have an internal IP address / range which is XYZ.

The question is:

  • How could we do that?
  • Is this something that we should do in the Windows Server firewall? If yes, what would you propose?
  • Is there some setting under the IIS options that we can set?
  • Something over GPO?

Thank you in advance.

Baku Bakar
  • You could use a [Nginx reverse proxy](https://stackoverflow.com/questions/31320737/nginx-proxy-how-to-allow-connection-from-a-specific-ip) to control the connection. And use a firewall rule on the VM to allow only connections from the Nginx proxy. This would also stop users knowing what the actual VM IP is; instead, all they know is the IP of the Nginx proxy. – Prav Feb 21 '18 at 21:45
  • @PraveenP Thank you for your reply. This sounds interesting. But it requires an additional VM. Do you know if it's possible to add different web applications on one NGINX reverse proxy VM? So let's say we would have an additional web application which is running on another VM with a different IP address. Does this need an additional NGINX VM? Thanks – Baku Bakar Feb 22 '18 at 11:40
  • If I understood your question correctly, we have around 20 web apps and APIs using this single Nginx proxy. It uses the URL to determine which site file in the `sites-available` folder to use. I.e., you can have `test.intranet.local` and `admin.intranet.local` in the same proxy; it determines where to get the data from the URL you enter in the browser. If you try the IP of the Nginx server, it will ignore it. – Prav Feb 22 '18 at 12:51
  • Ideally, you should have the Nginx proxy on a VM of its own and add other machines as `sites-available` to the proxy. [Internet <===> Nginx <===> Servers.](https://www.nginx.com/blog/10-tips-for-10x-application-performance/) – Prav Feb 22 '18 at 13:07
  • @PraveenP Yes, you did understand me correctly. OK, cool, I will have a look at it. Maybe there is also a solution without an additional VM. However, thank you for your proposed solution. – Baku Bakar Feb 22 '18 at 17:17
  • Have a look at these two articles: [Set up Nginx Reverse Proxy](https://www.techandme.se/set-up-nginx-reverse-proxy/) and [How To Configure Nginx as a Web Server and Reverse Proxy for Apache on One Ubuntu 16.04 Server](https://www.digitalocean.com/community/tutorials/how-to-configure-nginx-as-a-web-server-and-reverse-proxy-for-apache-on-one-ubuntu-16-04-server). The Digital Ocean one has a pretty similar example of what you're looking for, but you don't necessarily need to use that approach to achieve that. You can simply use the first article's approach as well, and it would be pretty neat. – Prav Feb 22 '18 at 18:31
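For the IIS-only route the question asks about (no extra VM, as opposed to the Nginx proxy discussed in the comments), here is an added example of a site-level `web.config` that is not from the question, the comments or the vendor application: it combines IIS "IP and Domain Restrictions" (requests only from one subnet) with Windows Authentication plus URL Authorization (only one AD group). The subnet `10.10.20.0/24`, the group `CORP\WebApp-Users` and the presence of those two IIS role services are assumptions.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- Added example, not the application's own web.config. Assumes the
     "IP and Domain Restrictions" and "URL Authorization" role services are
     installed, and that the ipSecurity and authentication sections have
     been unlocked in applicationHost.config (both are locked by default;
     alternatively apply the same settings at site level in IIS Manager). -->
<configuration>
  <system.webServer>
    <security>
      <!-- Layer 1: network origin. allowUnlisted="false" makes the list an
           allow-list, so any other source address, for example the Citrix
           servers, gets HTTP 403.6 before the application sees the request. -->
      <ipSecurity allowUnlisted="false">
        <!-- assumed subnet of the small team's workstations -->
        <add ipAddress="10.10.20.0" subnetMask="255.255.255.0" allowed="true" />
        <!-- optional: keep local troubleshooting on the server itself working -->
        <add ipAddress="127.0.0.1" allowed="true" />
      </ipSecurity>

      <!-- Layer 2: identity. Windows Authentication identifies the domain user
           (Kerberos/NTLM) before the application's own login page is served. -->
      <authentication>
        <anonymousAuthentication enabled="false" />
        <windowsAuthentication enabled="true" />
      </authentication>

      <!-- Drop the inherited "allow everyone" rule, then allow only the assumed
           AD group; a user matching no Allow rule is denied (HTTP 401). -->
      <authorization>
        <remove users="*" roles="" verbs="" />
        <add accessType="Allow" roles="CORP\WebApp-Users" />
      </authorization>
    </security>
  </system.webServer>
</configuration>
```

The IP allow-list (layer 1) works without touching authentication at all, so it can be rolled out first; layer 2 should be tested against the vendor application, because an application that expects anonymous access or its own forms login may behave differently once Windows Authentication is enforced in front of it.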

0 Answers