We have IP restrictions on access to iMIS web services (for third-party connections/applications, SSO, Informz, etc.). How will the WAF affect these?

Web services that are secured by IP restrictions will require some adjustments so that requests from the specified IPs continue to be allowed while being routed through the WAF. These adjustments are: adding the region-specific WAF internal IP address(es) to the list of allowed IP addresses, and enabling Proxy Mode (see screenshot below) in the IP restrictions settings. When a request for the web service comes through the WAF, the source IP is passed to the iMIS server in the X-Forwarded-For request header, and IIS checks those source IPs against the list of allowed IPs.

Please submit a hosting support ticket for further details if you have this type of configuration in place, so that we can provide the WAF internal IP address(es) and other details as needed.

Enabling Proxy Mode in the IIS IP and Domain Restrictions Settings:

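  • In IIS (for the directory being protected), select 'IP Address and Domain Restrictions' from the Features View:

[Screenshot: 'IP Address and Domain Restrictions' in the Features View]

  • In the Actions Pane on the right side choose 'Edit Feature Settings':

[Screenshot: 'Edit Feature Settings' in the Actions Pane]

  • Configure settings as below (Deny, Enable Proxy Mode, Forbidden):

[Screenshot: feature settings with Deny, Enable Proxy Mode, Forbidden]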

  • In addition to your existing allowed source IP(s), add allow entries for:
    • The loopback address (127.0.0.1)
    • The internal IP(s) of the WAF for your hosting region (provided by ASI Cloud Services) 

Below is an example of what the IP restrictions would look like for a website hosted in the U.S., with 2 allowed source IPs, the loopback, and the 2 internal U.S. WAF IPs allowed:

[Screenshot: example IP restrictions list]

This is how Proxy Mode, once enabled, appears in the <ipSecurity> section of a web.config file (allowed IPs would be listed underneath):

<ipSecurity allowUnlisted="false" enableProxyMode="true">

 

NOTE: In order to view the source IP addresses (X-Forwarded-For request header) in IIS logging, you will need to add a custom field to the logging configuration, as shown below:

[Screenshot: custom field for X-Forwarded-For in the IIS logging configuration]
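
The steps above, including the logging note, can also be scripted. The following PowerShell is an added example, not ASI's own script: the site name, directory and every IP address in it are constructed placeholders, and it assumes the ipSecurity section is unlocked for the directory's web.config and that the IIS version supports custom log fields (IIS 8.5 or later).

```powershell
Import-Module WebAdministration

# Assumptions: constructed placeholder values, replace before running.
$site = 'Default Web Site'              # IIS site hosting the web service
$dir  = "IIS:\Sites\$site\WebService"   # directory being protected
$allowIps = @(
    '127.0.0.1',      # loopback
    '203.0.113.10',   # existing allowed source IP (placeholder)
    '203.0.113.11',   # existing allowed source IP (placeholder)
    '192.0.2.21',     # WAF internal IP (placeholder; real value comes from ASI Cloud Services)
    '192.0.2.22'      # WAF internal IP (placeholder)
)
$section = 'system.webServer/security/ipSecurity'

# Feature settings: deny unspecified clients, Enable Proxy Mode, deny action Forbidden.
Set-WebConfigurationProperty -PSPath $dir -Filter $section -Name allowUnlisted   -Value $false
Set-WebConfigurationProperty -PSPath $dir -Filter $section -Name enableProxyMode -Value $true
Set-WebConfigurationProperty -PSPath $dir -Filter $section -Name denyAction      -Value 'Forbidden'

# Add allow entries, skipping addresses that already have an entry.
$existing = @(Get-WebConfiguration -PSPath $dir -Filter "$section/add" | ForEach-Object { $_.ipAddress })
foreach ($ip in $allowIps) {
    if ($existing -notcontains $ip) {
        Add-WebConfigurationProperty -PSPath $dir -Filter $section -Name '.' -Value @{ ipAddress = $ip; allowed = 'true' }
    }
}

# Log the X-Forwarded-For request header as a custom field for the site.
$logFields = "system.applicationHost/sites/site[@name='$site']/logFile/customFields"
if (-not (Get-WebConfiguration -PSPath 'MACHINE/WEBROOT/APPHOST' -Filter "$logFields/add[@logFieldName='X-Forwarded-For']")) {
    Add-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Filter $logFields -Name '.' -Value @{
        logFieldName = 'X-Forwarded-For'; sourceName = 'X-Forwarded-For'; sourceType = 'RequestHeader' }
}

# Review the resulting allow list.
Get-WebConfiguration -PSPath $dir -Filter "$section/add" | Select-Object ipAddress, subnetMask, allowed
```

After running it, a request from an unlisted source should receive the Forbidden response, and the X-Forwarded-For value should appear as an extra column in the site's IIS log.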

 

 

 

 

 
