
Whitelisting

Discussion in 'Tilted Gear' started by rogue49, May 13, 2015.

  1. rogue49

    rogue49 Tech Kung Fu Artist Staff Member

    Location:
    Baltimore/DC
    Does anyone know how to create an effective "whitelist" in IIS??

    I know I can do distinct and specific IPs
    And I know I can restrict a set of ambiguous IPs and dynamic IPs in an open portal. (subnets, etc)

    But I'm unaware if you can open for a set or dynamic IPs within an otherwise restricted/closed portal.

    Any insights from our other IT gurus out there??
     
    Last edited: May 13, 2015
  2. rogue49

    rogue49 Tech Kung Fu Artist Staff Member

    Location:
    Baltimore/DC
    FYI...my research so far has not led to anything easy.

    Everything else requires experimentation and some risk, which I don't have time or mind for...and no opening for risk.

    Or settings within the networking equipment, which our group has no control over...and the other group has no interest in our agenda or purpose. Again, no time for negotiation.
     
  3. martian

    martian Server Monkey Staff Member

    Location:
    Mars
    That thread title isn't very descriptive.

    I don't know IIS, but this looks fairly straightforward:

    TheRealTimeWeb.com: IIS 7: Allow One IP Address, Block All Others

    In Apache I'd do this with a .htaccess file, which apparently is equivalent to a web.config file for you. I'd suggest maybe reading up on that as well.

    Translate .htaccess Content to IIS web.config : The Official Microsoft IIS Site

    Ultimately I'm pretty clueless when it comes to the Windows stuff, mostly intentionally so. You might have better luck on /r/sysadmin or something.

    If you don't have a lab environment to test this shit out in first then you need to create one. Like, today. Testing changes on production servers is madness.
     
  4. Chris Noyb

    Chris Noyb Get in, buckle up, hang on, & be quiet.

    Location:
    Large City, TX

    Rogue49, please don't start WWIII.
     
  5. rogue49

    rogue49 Tech Kung Fu Artist Staff Member

    Location:
    Baltimore/DC
    Sorry, I was writing and thinking on the fly...running out of time. :confused:

    The concept and mechanisms are fairly similar between IIS and Apache, both of them have the same limits.

    Yes, you can open individual static IPs (or block them)
    And you can block a set or range of dynamic IPs.
    But you cannot easily close your portal, then open a certain set of dynamic IPs
    So a broad changing version of the article.

    In my quick and dirty research, you may be able to do it with some tweaking and experimentation. (but we don't have the time...nor can afford the risk...agreed, testing on production is madness )
    And this is much better to do on network hardware and firewalls.

    We're closing a portal so the public can't get in during our production deployment and load testing.
    But it was envisioned to test outside access to the app with cells, tablets, etc and see the results. (yes, this is silly at this level...but I'm not the one who made the decision)
    Problem is while the devices may have a distinct IP...most pass thru into dynamic IPs hitting the server, you get what you get from the provider. (again, you could request it/purchase it but No time)

    Yes, they waited until the last minute...and are cheap bastards.
    And the govt security system is a lumbering elephant to get anything approved and installed (god forbid on the fly...)

    So since the damned network lead won't let me simply disable the accounts temporarily (a simple update statement) if they want it...they'll just have to open the portal for a bit while we pound on the keyboard.
    Yes, it is absurd. Don't get me into it...
     
    Last edited: May 15, 2015
  6. martian

    martian Server Monkey Staff Member

    Location:
    Mars
    Match the UA string? Google should be able to tell you what a UserAgent for an Android or iDevice looks like. Convert it into a regex and key off of that for your match.

    Or Google the provider(s) in question and figure out what their IP ranges are. The IPs might be dynamic but they're going to come from the same pool. You ought to be able to match against a subnet.

    This is not an intractable problem.
     
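An added example (not posted in the thread, and not taken from the linked article) of the web.config shape that the two suggestions above translate to in IIS: the IP and Domain Restrictions section closes the site by default (allowUnlisted="false") and then opens one static address plus a carrier subnet, and a URL Rewrite rule keys on the User-Agent header. The addresses and the UA pattern are constructed placeholders; the config assumes the IP and Domain Restrictions role service and the URL Rewrite module are installed, and that the ipSecurity section has been unlocked for site-level delegation.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- Example web.config, constructed for illustration; addresses are documentation ranges, not real clients. -->
<configuration>
  <system.webServer>
    <security>
      <!-- allowUnlisted="false" turns the list into an allow-list: anything not listed gets the denyAction.
           enableProxyMode="true" (IIS 8+) makes IIS evaluate X-Forwarded-For, which is only safe when the
           site is reachable solely through a trusted load balancer or reverse proxy that sets that header. -->
      <ipSecurity allowUnlisted="false" denyAction="Forbidden" enableProxyMode="false">
        <clear />
        <!-- one fixed address, e.g. the office egress IP (placeholder) -->
        <add ipAddress="198.51.100.25" allowed="true" />
        <!-- a whole provider pool, so dynamic addresses inside it are still admitted (placeholder /24) -->
        <add ipAddress="203.0.113.0" subnetMask="255.255.255.0" allowed="true" />
        <!-- a second pool (placeholder /16) -->
        <add ipAddress="192.0.2.0" subnetMask="255.255.0.0" allowed="true" />
      </ipSecurity>
    </security>

    <rewrite>
      <rules>
        <!-- Convenience filter for the test window: reject requests whose User-Agent does not look like a
             phone or tablet. The header is chosen by the client, so this is not an access control on its own;
             the ipSecurity list above is the part that is actually enforced. -->
        <rule name="Mobile UA only during load test" stopProcessing="true">
          <match url=".*" />
          <conditions>
            <add input="{HTTP_USER_AGENT}" pattern="(Android|iPhone|iPad)" negate="true" />
          </conditions>
          <action type="CustomResponse" statusCode="403" statusReason="Forbidden"
                  statusDescription="Site restricted during deployment" />
        </rule>
      </rules>
    </rewrite>
  </system.webServer>
</configuration>
```

The ipSecurity section is locked at the server level by default, so the site-level entry is ignored until it is unlocked once with `appcmd unlock config -section:system.webServer/security/ipSecurity`; after that, IIS rejects a request that matches no allow entry before it reaches the application, which is the behaviour the thread is after. Whether the subnet entries are correct depends entirely on knowing the provider's real pools, and that is the part worth verifying in a lab against a device on the carrier network before relying on it.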
  7. rogue49

    rogue49 Tech Kung Fu Artist Staff Member

    Location:
    Baltimore/DC
    Thanks much @Martian, I'll keep it in mind...but in the end, since this is a new environment to me...I'll probably not want to fiddle with it for a simple test right before a national scale release.
    Too many variables, not enough time or resources...and I don't even have the weekend available.
    I'm not James Bond...unless I'm forced to be.
     
  8. rogue49

    rogue49 Tech Kung Fu Artist Staff Member

    Location:
    Baltimore/DC
    Followup on this...

    Turns out I was right on the call. They weren't able to do it quickly or safely, if at all in this environment.
    In a surreal play, they opted to fully open the portal for the test...
    and got client authority and acknowledgement that any changes made would be reverted back when we restored everything to original specs.

    After all that they made me go through to try the alternative noted above.
    But at least they weren't mad enough to experiment in production.

    The release went well, opened on time.
    But the real fun won't happen until we get closer to the deadline in a month...when everyone decides to jump into the pool at once. (and it already has people playing in it with other games)

    Hopefully, they take my recommendation to separate things out...for next year.
    Too many beasties drinking from the same pond. :rolleyes: