Web server issue

Hi All,

I have a web server (IIS using ASP .NET 2.0) behind a broadband router.

I cannot get the web server to be visible on the internet. I can run the web site from the computer it is hosted on though.

On the router I have opened the port 80 to allow the traffic through (using port forwarding), and also tried to run it in DMZ mode, but neither seem to work.

I ran 'netstat -ano' and it seemed to suggest when I connected to the web site (internet IP #) that other ports were needed as well as 80, perhaps 2676, 2483, 2677. I thought this wouldn't be the case, but perhaps these ports relate to me using MSSQL server 2005 in my web site.

(MSSQL is running on the same computer as IIS so that is not an issue).

I am also running zone alarm, but when I kill that app it doesn't make any difference.

Please help.

Thanks,

Peter.

Reply to
peter.mcclymont
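An added example, not from any poster in this thread: it parses constructed `netstat -ano` output to show why extra ports such as 2676 or 2483 turn up next to 80. They are the ephemeral client ends of TCP connections (a browser to IIS, the web application to SQL Server), so only the port 80 listener needs a forwarding rule, while the SQL Server listeners should stay closed at the router. The sample rows, addresses and PIDs are made up.

```python
# Constructed sample of `netstat -ano` output (not taken from the post): the IIS
# listener on 80, SQL Server on 1433/1434, a local browser session to the site
# and the web application's own connection to SQL Server.
SAMPLE_NETSTAT = """\
  Proto  Local Address      Foreign Address    State        PID
  TCP    0.0.0.0:80         0.0.0.0:0          LISTENING    1844
  TCP    0.0.0.0:1433       0.0.0.0:0          LISTENING    1260
  TCP    10.0.0.6:2676      10.0.0.6:80        ESTABLISHED  3012
  TCP    10.0.0.6:80        10.0.0.6:2676      ESTABLISHED  1844
  TCP    10.0.0.6:2483      10.0.0.6:1433      ESTABLISHED  1844
  TCP    10.0.0.6:1433      10.0.0.6:2483      ESTABLISHED  1260
  UDP    0.0.0.0:1434       *:*                             1260
"""


def parse_netstat(text):
    """Parse `netstat -ano` rows into dicts; header and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0] not in ("TCP", "UDP"):
            continue
        if len(parts) == 5:
            proto, local, foreign, state, pid = parts
        elif len(parts) == 4:                 # UDP rows have no State column
            proto, local, foreign, pid = parts
            state = ""
        else:
            continue
        port = int(local.rsplit(":", 1)[1])   # works for IPv4 and [IPv6]:port
        rows.append({"proto": proto, "port": port, "foreign": foreign,
                     "state": state, "pid": int(pid)})
    return rows


def classify_ports(rows, expose=frozenset({80})):
    """Split local ports into: services to forward at the router, services that
    must stay closed, and ephemeral client ports that need no rule at all."""
    bound = {(r["proto"], r["port"]) for r in rows
             if r["state"] == "LISTENING" or r["proto"] == "UDP"}
    bound_ports = {port for _, port in bound}
    # An ESTABLISHED row whose local port is not a listener is the client side
    # of a connection this machine opened; the router never sees it inbound.
    ephemeral = sorted({r["port"] for r in rows
                        if r["state"] == "ESTABLISHED" and r["port"] not in bound_ports})
    return {
        "forward": sorted(p for proto, p in bound if proto == "TCP" and p in expose),
        "keep_closed": sorted(b for b in bound if b[1] not in expose),
        "ephemeral": ephemeral,
    }


if __name__ == "__main__":
    print(classify_ports(parse_netstat(SAMPLE_NETSTAT)))
```

Run the same two functions over real `netstat -ano` output pasted into `SAMPLE_NETSTAT` to get the forwarding plan for your own box.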

Well, so what are you saying? Did you access the IIS WEB server using LocalHost or did you access IIS on the machine from another machine on the LAN/Intranet?

You don't do this unless you're able to do this from the protected environment on the LAN first. If it doesn't work on the Intranet the Web server or your applications, then it's not going to work in the Internet either.

SQL Server has nothing to do with this. I think SQL 6.0 to 2005 the SQL server ports are 1433 and 1434. And you should NOT be exposing SQL Server to the Internet. And besides, SQL server should be running on another box on the LAN with your applications being able to access SQL server on the LAN/network. Again, you should not be running SQL on the same machine with IIS, if you're trying to expose IIS to the Internet.

Yeah, you're right.

You should not be trying to protect a machine running IIS with a personal FW solution.

You may have some authentication issues with credentials or something with accessing IIS. Your WEB solution should ONLY be concerned with TCP port 80 SOAP over HTTP or Binary over HTTP and no other port but that port.

Have you done your homework in exposing an IIS Web server on a NT based O/S to the Internet?

If the NT based O/S, file system, user accounts, registry, and IIS are not secured, which there is information on how to do this, then the site is just hack bait no more or no less and a possible jumping off point by hackers to attack other sites on the Internet.

Is your ASP.NET application even secure enough to face the Internet, as a hacker can hack right through the WEB solution if secure WEB programming is not applied?

Duane :)

Reply to
Duane Arnold

Please do not treat me like an idiot. I know SQL server has nothing to do with this. I just made the point that maybe that is why I was getting the other port readings using netstat.

I am not going to expose this web site to the internet without first securing everything, and making sure the SQL server is on another box.

I am just starting out, and will do the rest of my homework on security when I get the first few steps working.

It is actually working on the lan side by doing this, http://localhost and http://10.0.0.6 (local lan number). I am not concerned about that, the wan side is what is not working.

Thanks for your help, but I don't think that gets me anywhere.

What other reasons would it not be working if I have opened up port 80 on the router?

Reply to
peter.mcclymont

Anyway, I take your point that IIS is very insecure. What else do you suggest I use? Apache? I take it no ASP .NET programming would work with Apache? If not then what would?

Reply to
peter.mcclymont

Anyway, I take your point that IIS is very insecure. What else do you suggest I use? Apache? I take it no ASP .NET programming would work with Apache? If not then what languages would?

Reply to
peter.mcclymont

IIS in older versions is very insecure. IIS in the actual version seems not to be more insecure than other complex webservers.

The problem lies more in the ActiveX technology, which is often combined with using the Microsoft platform.

Yours, VB.

Reply to
Volker Birk

Nobody does...

Whether or not the SQL server is on the same server is irrelevant: just make sure 1433 is closed from the internet.

My guess is that either your port forwarding isn't set up properly, or the port still is closed. I dunno about your firewall, but in most BSD (unix) NAT (the forward is a kind of NAT) is done *before* firewalling, and that might confuse you when setting up firewall rules.

Hope this helps. Without more info I cannot give more hints.

Peter

Reply to
Peter Boosten

IIS is only as insecure as the platform O/S it's running on. If you take care of the security aspects of locking down the NT based O/S as to what I was talking about, keep security updates applied and lock down IIS, then you should not have any problems.

So, if you can access it on the Intranet, then you should be able to access over the Internet. I'll assume that you're using the anonymous logon account to access IIS and the .Net Framework has been applied to both the server and client machines.

http://localhost/localstart.asp OR
http://LAN-IP/localstart.asp

I'll assume that if you can do that above locally on the machine running IIS or from another machine on the LAN, then IIS is being contacted.

If you cannot make contact with the IIS server over port 80 via the Internet, then something is blocking access to the Web Server.

http://WAN-IP/localstart.asp

Duane :)

Reply to
Duane Arnold

One other thing,

formatting link
is out there.

Duane :)

Reply to
Duane Arnold

Although an ASP.NET programmer can use ActiveX controls on a Web form, that should be done with Intranet solutions and not Internet solutions.

ASP.NET has custom User Controls to replace ActiveX controls.

Duane :)

Reply to
Duane Arnold

IBTD. Even IIS6 has shown to still have big problems with Unicode and Escaping in combination with variants of Directory Traversal. This has actually led to making Microsoft strongly recommend the URLScan tool for security, trying to fix the symptoms rather than the underlying problems.

Reply to
Sebastian Gottschalk

The problem you are having with the responses you've been getting is because you posted this to a firewall group, although your question is about Microsoft Internet Information Server. You are getting "firewall-type-guys" responses (all about security, not about functionality).

Try posting this in the MS IIS group.

Questions...

Have you forwarded port 80 from the public IP of your router to the private IP of your webserver?

Does your ISP block inbound port 80 connections? (i.e. no web servers allowed)

If you are using a dynamic public IP, are you attempting to access your web server from the Internet using the proper public IP address? Are you sure it didn't change?

-Frank

Reply to
Frankster

Dynamic IP addresses can be mapped to static DNS names, with for instance dyndns (formatting link; a free service).

Maybe the OP is trying to reach the outer IP address from the inside. In most cases this won't work (due to the NAT).

Peter

Reply to
Peter Boosten

Yeah, I know. But I was trying to avoid name resolution and get to the bottom of the problem using the IP. As stated, I doubt that name resolution is the immediate issue.

Well, if set up right it will. But could be the issue. No tellin' from the post.

-Frank

Reply to
Frankster

Thanks, that all seems to help.

I have the IP address right (it is dynamic), but actually when I do this,

http://localhost/localstart.asp or
http://LAN-IP/localstart.asp

it asks me to authenticate. Does this mean I do not have the authentication set up properly in IIS?

Do you think win 2000 would be secure enough to run a web server (if properly locked down of course)?

What type of firewall should I use then if ZoneAlarm is not good enough?

Reply to
peter.mcclymont

Yes, that's what it means. I would suggest that you use IUSR_Computer Internet Guest Account, which is the NT-OS account provided by the NT based O/S. You configure IIS to use that account as the anonymous logon account authentication method to use, along with Windows NT authentication.

Also, the machine's ASPNET account may need to be on the Inetpub virtual directory for the application if it's not there. The ASPNET machine account must be accounted for when the ASP.NET application is accessing folders, SQL Server databases, tables or otherwise.

Win 2K pro or Win XP pro, it makes no difference for the NT class O/S(s). If the O/S, file system, which should be NTFS, user accounts, registry and IIS are not properly secured for a NT O/S class machine that is being exposed to the public Internet, then you will have problems. There are books and information out on Google on how to properly do this.

You should be using a packet filtering FW router or FW appliance that can stop inbound and outbound traffic and that has a syslog where you can use something like Wallwatcher or Kiwi Syslog Daemon to watch traffic to/from the router. They have low-end FW appliances like Watchguard, Sonicwall, Cisco, SnapGear and others, which you can buy used if need be with a full warranty, the whole nine yards. Or you can get a FW router that is ICSA certified. NetGear has a router that is ICSA certified and there are others.

Yes, do understand what an Internet FW is and what FW solutions are about, like host based software solutions that use two network interface cards. One NIC that faces the Internet and the other one that faces the LAN or a hardware based solutions.

ZA or a personal FW/host based packet filter is not a FW solution as it doesn't separate two networks; usually that's the Internet it's protecting from and the other one is the LAN it is protecting.

Some home based NAT routers that do not meet the specs in the first link are not FW solutions but they are better than nothing.

formatting link
But the most important thing is to secure or harden the NT based O/S to face the Internet.

Here is a little start but there is more information to secure the NT based O/S and IIS and you should find it.

formatting link
You do know that you can only have 10 concurrent connections to IIS running on the Pro versions of those O/S(s).

Duane :)

Reply to
Duane Arnold

Oh, one other thing, you could use a secure Web hosting service for your ASP.NET solutions and upload your solutions to it, which you should be able to get this information from the .NET IDE Online Resources/Web Hosting tab.

Duane :)

Reply to
Duane Arnold

Would it work to use an old 'windows 2000 server' box as a firewall (with 2 network cards) and set up rules for it? Or is that a security risk in itself?

Maybe a linux box would be good.

I know it would be cheaper to buy a hardware router, but I have some old computers sitting around.

Thanks for all your help. Just thinking everything through.

I have seen one of these second hand, what do you reckon,

Reply to
peter.mcclymont

My last post got cut off, what I saw second hand was this,

formatting link
What do you reckon?

Reply to
peter.mcclymont

The one link I gave you

formatting link
this vendor makes a FW solution that only works on the server edition of any NT based O/S using two NICs. There are other solutions as well but you'll have to find them.

I used the trial version of ViacomSoft long ago and was impressed with its ability.

However, it comes back to securing/hardening the NT based O/S to attack when the machine is facing the Internet running the FW solution, just like it must be done when exposing a machine running the NT based O/S with a Web server IIS or otherwise facing the Internet.

If the O/S platform is not secured by *you* taking the necessary steps to make the O/S secure by shutting down services that close ports, removing exe(s), DLL(s), etc., etc. off of the machine that could allow it to be attacked, then it makes no difference. If the O/S has not been made secure, then nothing running with the O/S is secure, and that is the bottom line.

Maybe, but again it takes you knowing how to secure that O/S too and on top of that, how to set-up the FW solution as well. You got the time for that learning curve?

Not to be smart here, but it may be that you got enough on your plate just learning how to use .NET solutions, which is a tremendous learning curve in itself.

That is where you might want to head based on the above information and the learning curve as a FW router or FW appliance for the most part are plug it up and go devices that need little configuration on your part.

Duane :)

Reply to
Duane Arnold
