IIS ipSecurity not blocking outside IPs


We are running a web site on IIS with Windows Server 2016. We want the web site to be public, but we want one folder to be accessible only from internal IP addresses. applicationHost.config contains these lines:

    <location path="mywebsite/private">
        <system.webServer>
            <security>
                <ipSecurity allowUnlisted="false">
                    <add ipAddress="192.168.1.0" subnetMask="255.255.255.0" allowed="true" />
                </ipSecurity>
            </security>
        </system.webServer>
    </location>

When accessing a page within this folder from an IP address that is outside of 192.168.1.x, I expect to be blocked, but the page loads successfully.

Also, I get an error in IIS Manager. I'm not sure if it is related. When I navigate to mywebsite > private and open the IP Address and Domain Restrictions feature, I see the same settings as in applicationHost.config. Under Edit Feature Settings, it is set to Access=Deny, domain name restrictions=disabled, Proxy mode=disabled, Deny action type=Forbidden. When I change Access to Allow, I get this error message:

    Filename: \\?\D:\mywebsite\private\web.config
    Error: The configuration section 'system.webServer/security/dynamicIpSecurity' cannot be read because it is missing a section declaration

We do not have anything about dynamicIpSecurity in applicationHost.config or in any web.config file. ipSecurity is not in web.config.

Any suggestions about why outside IP addresses are not being blocked?

UPDATE: Still not totally fixed but I figured out what is happening and have used this information to implement a workaround. In our network, we have 3 zones: web servers, workstations, and the internet. It turns out that if a web request comes from a workstation, the IP Address and Domain Restrictions feature sees the actual client IP address and allows or denies as expected. But if the request comes from the internet, this IIS feature sees the interface IP address of our firewall appliance. It's strange because web applications see the client IP and the log file logs the client IP. It seems to be only the IP Address and Domain Restrictions feature. Is there something that can be done to IIS to make it more likely to look at the actual client IP?
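The "Proxy mode" switch shown in the IIS Manager dialog above is the `enableProxyMode` attribute of `ipSecurity`; with it on, IP and Domain Restrictions evaluates the client address carried in the `X-Forwarded-For` header instead of the address of the device that forwarded the request. The script below is an added example, not part of the question, that reads the effective configuration for the folder, enables proxy mode, and re-checks the allow list. It assumes the site is named `mywebsite`, the folder is `private` directly under it, and the firewall appliance in front of IIS overwrites `X-Forwarded-For` with the real client address (if it merely passes the header through, leave proxy mode off, because any client can send that header itself).

```powershell
# Added example, not from the question. Assumptions: site "mywebsite", folder
# "private" directly under it, and a firewall appliance that overwrites
# X-Forwarded-For with the original client address. Run elevated on the IIS host.
Import-Module WebAdministration

$site   = 'IIS:\Sites\mywebsite\private'
$filter = '/system.webServer/security/ipSecurity'

# 1. Show the configuration IIS actually applies to the folder: the merge of the
#    applicationHost.config <location> block and every web.config on the path.
Get-WebConfiguration -Filter $filter -PSPath $site |
    Select-Object allowUnlisted, enableProxyMode, denyAction

# 2. Keep deny-by-default, and let IIS use the client address from X-Forwarded-For
#    rather than the appliance's interface address. Only safe when the appliance
#    overwrites that header; behind a pass-through proxy anyone could claim a
#    192.168.1.x address by setting the header themselves.
Set-WebConfigurationProperty -Filter $filter -PSPath $site -Name allowUnlisted   -Value $false
Set-WebConfigurationProperty -Filter $filter -PSPath $site -Name enableProxyMode -Value $true

# 3. Make sure the internal range is on the allow list (skip if already present,
#    because adding a duplicate collection entry is an error).
$existing = Get-WebConfiguration -Filter "$filter/add[@ipAddress='192.168.1.0']" -PSPath $site
if (-not $existing) {
    Add-WebConfigurationProperty -Filter $filter -PSPath $site -Name '.' -Value @{
        ipAddress  = '192.168.1.0'
        subnetMask = '255.255.255.0'
        allowed    = 'true'
    }
}

# 4. Read the list back to confirm what will be enforced for this folder.
Get-WebConfiguration -Filter "$filter/add" -PSPath $site |
    Select-Object ipAddress, subnetMask, allowed
```

Step 1 is worth running before changing anything: it shows the merged result for the folder, which is what IIS enforces, rather than the text of one file. If step 1 reports `enableProxyMode` as `True` while the appliance does not set `X-Forwarded-For`, IIS falls back to the connection's source address, which is exactly the appliance address described in the update.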


Abraham Qian

On my side, the same problem occurred. However, the Domain name rules worked when I enabled the option below.
The IP rule does not work. It may be that the IPv6 address is popular now, causing the IPv4 address to not match.
I suggest you try to set it up in the IIS GUI instead of the web.config, because it doesn't override the default settings.
Feel free to let me know if the problem still exists.
Updated.
Through the website log, I found the client browser access record (I have selected the field to record the client IP). I found that the entries are all based on IPv6.

2020-08-17 06:10:19 fe80::a4fe:6d79:f2b8:d031%6 GET /swagger-ui-bundle.js - 4432 - fe80::dc4d:9de5:9382:ebe2%6 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/84.0.4147.125+Safari/537.36 https://vabqia969vm:448/index.html 200 0 0 30

Therefore, I added the IPv6 address as a restricted entry, and it worked.
Note: please don't forget the suffix "%6".
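Before adding an IPv6 entry it helps to know exactly which client addresses IIS is recording, because a restriction written for `192.168.1.0/24` never matches a request that arrived as `fe80::…%6`. The script below is an added example, not part of the answer, that reads an IIS W3C log, takes the `c-ip` column by name from the `#Fields` header, and reports each distinct client address with its address family, link-local flag and scope id. The sample log is constructed: the `#Fields` line is the IIS default column order, the first request line is the one quoted in the answer, and the second line is made up to show an IPv4 client for contrast.

```powershell
# Added example, not from the answer above. Constructed sample log: default IIS
# field order, the answer's log line, plus a made-up IPv4 request.
$sampleLog = @'
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2020-08-17 06:10:19 fe80::a4fe:6d79:f2b8:d031%6 GET /swagger-ui-bundle.js - 4432 - fe80::dc4d:9de5:9382:ebe2%6 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/84.0.4147.125+Safari/537.36 https://vabqia969vm:448/index.html 200 0 0 30
2020-08-17 06:11:02 192.168.1.10 GET /private/index.html - 443 - 192.168.1.25 Mozilla/5.0 - 200 0 0 12
'@

function Get-IisClientAddresses {
    param([string[]]$Lines)

    $fields = $null
    $seen   = @{}
    foreach ($line in $Lines) {
        if ($line -like '#Fields:*') {
            # Column names in this log's order; IIS can reorder or omit columns,
            # so never assume c-ip is at a fixed position.
            $fields = ($line -replace '^#Fields:\s*', '') -split ' '
            continue
        }
        if ([string]::IsNullOrWhiteSpace($line) -or $line.StartsWith('#') -or -not $fields) { continue }

        $values = $line -split ' '
        $idx = [array]::IndexOf($fields, 'c-ip')
        if ($idx -lt 0 -or $idx -ge $values.Count) { continue }

        $raw = $values[$idx]
        if (-not $seen.ContainsKey($raw)) { $seen[$raw] = 0 }
        $seen[$raw]++
    }

    foreach ($raw in $seen.Keys) {
        $ip = $null
        # .NET accepts the "%6" zone suffix on link-local IPv6 addresses.
        $parsed = [System.Net.IPAddress]::TryParse($raw, [ref]$ip)
        $family    = 'unparsed'
        $linkLocal = $false
        $scope     = $null
        if ($parsed) {
            $family = $ip.AddressFamily
            if ($ip.AddressFamily -eq 'InterNetworkV6') {
                $linkLocal = $ip.IsIPv6LinkLocal
                $scope     = $ip.ScopeId
            }
        }
        [pscustomobject]@{
            ClientIp  = $raw
            Family    = $family
            LinkLocal = $linkLocal
            ScopeId   = $scope
            Requests  = $seen[$raw]
        }
    }
}

# Against a real server, replace the sample with e.g.
# Get-Content 'C:\inetpub\logs\LogFiles\W3SVC1\u_ex200817.log'
Get-IisClientAddresses -Lines ($sampleLog -split "`r?`n") | Format-Table -AutoSize
```

For the sample, the first client comes out as `InterNetworkV6`, link-local, scope 6; the second as `InterNetwork`. A link-local address with a scope id is specific to one interface, which is why the answer's note about keeping the `%6` suffix matters: the same address on another interface is a different entry.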

charlie arehart

Perhaps by now you've solved this other issue you mentioned, but as for the error you get regarding the dynamicipsecurity element, that's for a feature separate from the "ip address and domain" feature you are primarily focused on. This other feature is for adding options like blocking too many requests in a short time from a given ip address. For more see:

https://learn.microsoft.com/en-us/iis/configuration/system.webServer/security/dynamicIpSecurity/

And I suspect the issue there is that your configuration files have a reference to that even though you don't have the feature installed. Perhaps the config files came from a server where that IIS feature was installed. (It is not, by default.)

So you can either install that additional feature (see the doc) or remove the config file reference to that element, whether in your web.config or applicationhost.config.
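To decide between the two options, it helps to see where `dynamicIpSecurity` is declared and where it is used. The script below is an added example, not part of the answer, that checks applicationHost.config for the section declaration, counts `<dynamicIpSecurity>` elements in applicationHost.config and in the site's web.config, and reports whether the Windows feature that carries the IP and Domain Restrictions module is installed. It assumes applicationHost.config is at its default location and uses the web.config path from the error message in the question.

```powershell
# Added example, not from the answer above. Paths: default applicationHost.config
# location, and the web.config path quoted in the question's error message.
$appHost   = Join-Path $env:windir 'System32\inetsrv\config\applicationHost.config'
$webConfig = 'D:\mywebsite\private\web.config'
$section   = 'dynamicIpSecurity'

# Section declarations live under <configSections>; a section used anywhere
# without one produces the "missing a section declaration" error.
$declXPath = "/configuration/configSections/sectionGroup[@name='system.webServer']" +
             "/sectionGroup[@name='security']/section[@name='$section']"

function Test-IisSectionState {
    param([string]$AppHostPath, [string]$WebConfigPath, [string]$SectionName, [string]$DeclarationXPath)

    [xml]$ah = Get-Content -Path $AppHostPath -Raw
    $declared = $null -ne $ah.SelectSingleNode($DeclarationXPath)

    $usage = foreach ($file in @($AppHostPath, $WebConfigPath)) {
        if (-not (Test-Path -Path $file)) {
            [pscustomobject]@{ File = $file; Elements = 'file not found' }
            continue
        }
        [xml]$doc = Get-Content -Path $file -Raw
        # Count every <dynamicIpSecurity> element, whatever <location> it sits in.
        [pscustomobject]@{ File = $file; Elements = $doc.SelectNodes("//$SectionName").Count }
    }

    [pscustomobject]@{
        Section  = $SectionName
        Declared = $declared
        Usage    = $usage
    }
}

$state = Test-IisSectionState -AppHostPath $appHost -WebConfigPath $webConfig `
                              -SectionName $section -DeclarationXPath $declXPath
"Section '$($state.Section)' declared in applicationHost.config: $($state.Declared)"
$state.Usage | Format-Table -AutoSize

# Feature that provides the IP and Domain Restrictions module (Windows Server).
Get-WindowsFeature -Name Web-IP-Security | Select-Object Name, DisplayName, Installed
```

If `Declared` is `False` but one of the files contains the element, the two options in the answer apply: install the feature so the declaration is present, or delete the element from the file that reports it. If `Declared` is `True` and no file contains the element, the error is coming from somewhere else (for example a web.config outside the folder checked here), and the same counting loop can be pointed at any other file.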