Configuration of IP Address / Domain Based Rules in Microsoft IIS


I put this process together for securing ActiveSync traffic to IIS when using a MobileIron Sentry.  When managing mobile devices it is important not to leave back doors in your configuration.  If ActiveSync traffic is allowed from anywhere, an end user could simply point the mail client on the device straight at the Exchange Client Access Server (CAS), bypassing the Sentry security appliance and every policy it enforces.  To prevent this while still allowing OWA (Outlook Web Access) to be reached from anywhere, the following should be applied to every CAS in the environment; a single CAS left open is enough to bypass the control.

This process can be applied generically to many different applications; forcing ActiveSync communication through a MobileIron Sentry is only an example.  Here it is used to restrict the Exchange CAS for ActiveSync traffic only, while still allowing Outlook Web Access traffic on the same site and port.  If no traffic on port 443 needs to reach the server from the Internet, a simple rule on the firewall is a better way to accomplish this; the IIS rule is useful precisely because it can distinguish one virtual directory from another on the same port, which a layer 3/4 firewall cannot.

To begin, open the IIS Manager MMC from the Start menu.  It may be found on the recent applications list, or under “Administrative Tools”.

Figure 1 – Internet Information Services (IIS) Manager in “recent applications list”

Once the Management Console is open, drill down the tree on the left side of the console by expanding “[servername]”, then “Sites”, then “Default Web Site”.  Locate the “Microsoft-Server-ActiveSync” virtual directory and highlight it.  The restriction is configured at this level, not on the site, so that it applies to ActiveSync only and leaves the other virtual directories (such as “owa”) untouched.

Figure 2 – Locating “Microsoft-Server-ActiveSync” in the tree structure


In the middle pane, under IIS, locate the icon for “IP Address and Domain Restrictions”.  This is the option used to set ACLs based on IP address or domain name.  If the icon is not present, the “IP and Domain Restrictions” role service (Web-IP-Security) has not been installed on the server and must be added first.

Figure 3 – IP Address and Domain Restrictions Icon

Double-clicking the icon will open the settings pane.  In the “Actions” pane on the right side of the console, select the link titled “Add Allow Entry…”.

Figure 4 – “Add Allow Entry…” Link

This will open a dialog box for the IP address, or range of addresses, that should be allowed.  Enter the Sentry address(es) in the dialog and click “OK”.  Enter the address IIS actually sees as the source of the request: if a load balancer or reverse proxy sits between the Sentry and the CAS, that is the address to list, because the IP restriction is evaluated on the TCP source address and not on any X-Forwarded-For header.  Keep the list to the Sentry hosts only; a whole subnet is only appropriate if every host on it is trusted to the same degree.

Figure 5 – Dialog to enter allowed IP Address / Addresses

This hasn’t really changed anything yet: by default traffic is allowed from everywhere, so an allow entry on its own has no effect.  The next step is to deny traffic from everywhere else.  To do this, click the link “Edit Feature Settings…” in the right pane.

Figure 6 – “Edit Feature Settings…” Link

Again, a dialog window will open.  Changing the “Access for unspecified clients:” drop-down to “Deny” will prevent any access to this virtual directory except from the addresses listed in the middle pane, in our case the Sentry server(s).  Click OK on the dialog window.  Because the setting was made on “Microsoft-Server-ActiveSync” rather than on “Default Web Site”, OWA and the other virtual directories are unaffected.  Do the steps in this order (allow entries first, then Deny); setting Deny before the Sentry addresses are listed cuts off all device traffic until the entries are added.

Figure 7 – Select “Deny” to prevent all other traffic.

The final step is to restart IIS.  This can be done by opening a command prompt and issuing the command “iisreset”.  To open a command prompt, click Start, then select “Run…”.  When the “Run…” dialog appears, type “cmd” in the box and press “Enter”.  A command prompt window will open.  Type “iisreset” and press “Enter”.  Be aware that iisreset restarts every site on the server and drops all in-flight connections, including active OWA sessions, so do this during a maintenance window or accept the brief outage.

Figure 8 – IIS reset from the command prompt

Once the services have restarted, the ActiveSync virtual directory will not be accessible from any location other than the specified IP addresses.  Verify this rather than assume it: a request to https://[servername]/Microsoft-Server-ActiveSync from a client that is not a Sentry should now be refused with HTTP 403 Forbidden before any authentication takes place, while the same request from the Sentry (and any request to /owa from anywhere) should behave exactly as before.  Repeat the whole procedure on every CAS, since a device can be pointed at any of them.
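The same configuration can be scripted, which is useful when it has to be applied identically to several CAS servers and checked afterwards.  The following is an added example written for this page, not code from the original article or from MobileIron: it performs the steps above with the WebAdministration module (IIS 7.5 or later, PowerShell 3.0 or later, run from an elevated prompt) and then checks the result over HTTPS.  The Sentry addresses, the server name and the function name are placeholders.

```powershell
# Added example, not part of the original article. Applies the ActiveSync IP restriction
# described above without the IIS Manager GUI, then verifies it.
# Assumptions: Windows Server with IIS 7.5+ and PowerShell 3.0+, run elevated on the CAS.
Import-Module ServerManager
Import-Module WebAdministration

$SentryAddresses = @('10.20.30.40', '10.20.30.41')            # placeholders: replace with the real Sentry IPs
$AppHost  = 'MACHINE/WEBROOT/APPHOST'                          # applicationHost.config
$Location = 'Default Web Site/Microsoft-Server-ActiveSync'     # scope: the ActiveSync vdir only; OWA is untouched
$Filter   = 'system.webServer/security/ipSecurity'

# Step 0: the role service must be present or the ipSecurity section (and the icon in Figure 3) does not exist.
if (-not (Get-WindowsFeature -Name Web-IP-Security).Installed) {
    Add-WindowsFeature -Name Web-IP-Security | Out-Null
}

# Step 1 (Figures 4 and 5): one Allow entry per Sentry. Done BEFORE denying unlisted clients so that
# device traffic is never cut off in between. A /32 mask restricts the entry to a single host.
foreach ($ip in $SentryAddresses) {
    $existing = Get-WebConfiguration -PSPath $AppHost -Location $Location -Filter "$Filter/add[@ipAddress='$ip']"
    if ($null -eq $existing) {
        Add-WebConfigurationProperty -PSPath $AppHost -Location $Location -Filter $Filter -Name '.' `
            -Value @{ ipAddress = $ip; subnetMask = '255.255.255.255'; allowed = $true }
    }
}

# Step 2 (Figures 6 and 7): "Access for unspecified clients: Deny".
Set-WebConfigurationProperty -PSPath $AppHost -Location $Location -Filter $Filter -Name allowUnlisted -Value $false

# The ipSecurity section is locked to applicationHost.config by default, so the result lands in a
# <location> element there (this is also where IIS Manager writes it), roughly:
#   <location path="Default Web Site/Microsoft-Server-ActiveSync">
#     <system.webServer><security>
#       <ipSecurity allowUnlisted="false">
#         <add ipAddress="10.20.30.40" subnetMask="255.255.255.255" allowed="true" />
#         <add ipAddress="10.20.30.41" subnetMask="255.255.255.255" allowed="true" />
#       </ipSecurity>
#     </security></system.webServer>
#   </location>
Get-WebConfiguration -PSPath $AppHost -Location $Location -Filter "$Filter/add" |
    Select-Object ipAddress, subnetMask, allowed

# Step 3 (Figure 8): restart IIS. Drops every connection on the server, including OWA sessions.
iisreset | Out-Null

# Verification: returns the HTTP status a given vdir answers with from THIS machine's address.
# Expected when run from a non-Sentry host: 403 for /Microsoft-Server-ActiveSync (rejected by ipSecurity
# before authentication) and 401 for /owa (still reachable, asks for credentials).
# Expected from a Sentry: 401 for both. Hypothetical function name.
function Test-VdirStatus {
    param(
        [string]$Server = 'mail.example.com',                   # placeholder CAS name
        [string]$Path   = '/Microsoft-Server-ActiveSync'
    )
    try {
        Invoke-WebRequest -Uri "https://$Server$Path" -UseBasicParsing -ErrorAction Stop | Out-Null
        return 200
    } catch [System.Net.WebException] {
        if ($null -eq $_.Exception.Response) { return 0 }      # connection failed, not an HTTP answer
        return [int]$_.Exception.Response.StatusCode           # 403 = blocked by ipSecurity, 401 = allowed through
    }
}

Test-VdirStatus -Path '/Microsoft-Server-ActiveSync'
Test-VdirStatus -Path '/owa'
```

Two points worth noting about the check.  A 403 for ActiveSync together with a 401 for OWA from the same non-Sentry client is the evidence that the rule is scoped to the right virtual directory; a 403 for both would mean the restriction was set on “Default Web Site” instead.  And if a reverse proxy or load balancer is in front of the CAS, the test must be run from behind it as well, because IIS evaluates the TCP source address of the hop it sees; IIS 8 and later can be switched to evaluate X-Forwarded-For instead (“Enable Proxy Mode” in the same feature settings dialog), but that header is supplied by the client unless the proxy strips or overwrites it, so proxy mode is only safe when the proxy does so.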


Last Updated On October 24, 2017