How to IP-restrict access to a website in IIS 8.5 (Windows 2012 R2)

I have read that to IP-restrict a website in IIS8 to allow only one or more IPs and deny everybody else, you do this:

  1. Set "Access for unspecified clients" to "Deny"
  2. Add IP-address for "Allow"

(as shown in the screenshot below)

However, when I do this (as shown in the screenshot below), I am still able to access the site from other IPs.

What is missing here? Is there something else that needs to be done?


I tried iisreset, and the page is not browser-cached on the test machines that should not have access.


Solution 1:

If IP Security (under IIS Windows Features) is installed, you could add this to your web.config to block IPs:

<location path="Default Web Site">
   <system.webServer>
      <security>
         <!-- allowUnlisted="false" blocks everybody except those listed below -->
         <ipSecurity allowUnlisted="false">
            <clear/> <!-- removes all upstream restrictions -->
            <!-- allowed="true" is required: the schema default is false, so a bare <add> is a deny rule -->
            <add ipAddress="192.168.100.1" allowed="true" />
            <add ipAddress="169.254.0.0" subnetMask="255.255.0.0" allowed="true" />
         </ipSecurity>
      </security>
   </system.webServer>
</location>

Solution 2:

After a lot of messing about, I found the following worked for me (IIS 8.5.x on Windows Server 2012 R2).

Ensure the feature is enabled for web.config management:

  • In IIS
  • Click on the root server
  • Double-click Feature Delegation (under Management)
  • Scroll down to IP Address and Domain Restrictions
  • Change to Read/Write

(in my case it was Read Only, which was the issue)

Then edit web.config to include:

<system.webServer>
   <security>
      <!-- this line blocks everybody, except those listed below -->
      <ipSecurity allowUnlisted="false">
         <!-- removes all upstream restrictions -->
         <clear />
         <add ipAddress="X.X.X.X" allowed="true" />
         <add ipAddress="127.0.0.1" allowed="true" />
      </ipSecurity>
   </security>
</system.webServer>

Where X.X.X.X is the IP you wish to allow (add a line like this for every IP or IP/subnet combination you wish to allow).

Noteworthy is that the documentation seems to miss the allowed="true" and any mention of the requirement to allow the feature to be delegated. Thanks to @Summit for that tip here.
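
As an added example (not from any of the answers above, and not Microsoft's code), the following Python audits an ipSecurity block for the pitfalls this thread turns on and predicts what IIS would decide for a given client address. The two sample configs are constructed from the shapes of Solution 1 (no allowed="true") and Solution 2; the rule model assumes the first matching entry in document order decides and that a bare <add> defaults to allowed="false", as the IIS schema states.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample in the shape of Solution 1: <add> entries WITHOUT allowed="true".
SOLUTION1_STYLE = """<location path="Default Web Site"><system.webServer><security>
<ipSecurity allowUnlisted="false"><clear/>
<add ipAddress="192.168.100.1" />
<add ipAddress="169.254.0.0" subnetMask="255.255.0.0" />
</ipSecurity></security></system.webServer></location>"""

# Constructed sample in the shape of Solution 2 (203.0.113.10 stands in for X.X.X.X).
SOLUTION2_STYLE = """<system.webServer><security>
<ipSecurity allowUnlisted="false"><clear />
<add ipAddress="203.0.113.10" allowed="true" />
<add ipAddress="127.0.0.1" allowed="true" />
</ipSecurity></security></system.webServer>"""

def parse_ip_security(xml_text):
    """Return (allow_unlisted, has_clear, rules); rules = [(network, allowed), ...]."""
    sec = ET.fromstring(xml_text).find(".//ipSecurity")
    if sec is None:
        return True, False, []  # no section at all: IIS default is allowUnlisted="true"
    allow_unlisted = sec.get("allowUnlisted", "true").lower() == "true"
    rules = []
    for add in sec.findall("add"):
        mask = add.get("subnetMask", "255.255.255.255")  # no mask means a single host
        net = ipaddress.ip_network(f"{add.get('ipAddress')}/{mask}", strict=False)
        # Schema default for allowed is false: a bare <add> is a DENY rule.
        rules.append((net, add.get("allowed", "false").lower() == "true"))
    return allow_unlisted, sec.find("clear") is not None, rules

def client_allowed(xml_text, client_ip):
    """Predict the decision: first matching entry wins, otherwise allowUnlisted."""
    allow_unlisted, _, rules = parse_ip_security(xml_text)
    ip = ipaddress.ip_address(client_ip)
    for net, allowed in rules:
        if ip in net:
            return allowed
    return allow_unlisted

def audit(xml_text):
    """Return the misconfigurations from this thread that the config exhibits."""
    allow_unlisted, has_clear, rules = parse_ip_security(xml_text)
    findings = []
    if not allow_unlisted and not any(allowed for _, allowed in rules):
        findings.append("allowUnlisted=false but no entry has allowed=true: everyone is denied")
    if not has_clear:
        findings.append("no <clear/>: rules inherited from applicationHost.config still apply")
    if allow_unlisted and rules and all(allowed for _, allowed in rules):
        findings.append("allowUnlisted=true with allow-only entries: nothing is restricted")
    return findings
```

Running audit() over a real web.config before deploying it catches the "locked out of my own site" and "restriction does nothing" cases without touching the server.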

Solution 3:

Do you have a proxy between the clients and your IIS server? You can see in the IIS logs which IP your client is coming from.