We have a legacy app that is hosted on an IIS7 web server on our LAN. I'd like to embed it in our Salesforce org so that remote employees can access it without using VPN as some of the customer sites they work at do not allow the ports the VPN requires. If I use an iframe is there a way in IIS to limit the requesting "source" to a specific URL? I don't want the app accessible anywhere but, from within Salesforce.
I mistakenly tried limiting the firewall pass through/NAT rule to only allow SF IP addresses but, in that case the requesting source is actually the IP of the client not SF so that doesn't work.
Related
Some of my apps are not working from some customers site, I later discovered that this was because I am using the default websites for my app hosting that is the url is myapp.azurewebsites.net which was not whitelisted on the customers firewall. The customer whitelisted my website domain name and its sub domain names .i.e mywebsite.com and *.mywebsite.com are all whitelisted.
If i were to create CNAME record which has a CNAME pointer to the azure default web app for example myapp.mywebsite.com points to myapp.azurewebsites.net, will this get around the issue ? Or do I need to whitelist myapp.azurewebsites.net Or its IP address that is the IP address of myapp.azurewebsites.net ?
Firstly, by default, apps hosted in App Service are accessible directly through the internet and can reach only internet-hosted endpoints. So, typically, anyone with the URL without any specific local network/firewall/proxy restrictions can access the WebApp URL.
As I understand, your WebApp is open to the public and only a few users (on a specific network), have trouble accessing the site. Plus, there are no access restrictions that you have implemented from the WebApp side.
Just to highlight,
Network administrators often deploy proxy servers, firewalls, or other
devices, which can help secure and give control over how users access
the internet. Rules designed to protect users can sometimes block or
slow down legitimate business-related internet traffic. This traffic
includes communications between you and Azure over the URLs listed
here.
Reference : Allow the Azure portal URLs on your firewall or proxy server
So, on case-case basis, for the affected network, you may have them add appservice.azure.com (Azure App Services) in the allowed list.
Or
As your customer performed – “The customer whitelisted my website domain name and its sub domain names .i.e mywebsite.com and *.mywebsite.com are all whitelisted.” have them add the URLs to allowedlist.
Or
Since IP address of your WebApp (see the reasons for the change), the best route would be for you to set up a custom domain for your WebApp.
Kindly check this doc - Tutorial: Map an existing custom DNS name to Azure App Service
The CNAME maps to the app's default hostname instead, which is less susceptible to change. | | Wildcard | *.contoso.com | CNAME record. |
-- As a side note (as indicated above), by setting up access restrictions, you can define a priority-ordered allow/deny list that controls network access to your app. Which is the opposite of your scenario, just sharing as FYI, in case you wish to know about access restrictions from WebApp side. Set up Azure App Service access restrictions
We have a few Web Apps that need to access database on VM that behind Network Security Group. How do we allow Web App through Network Security Group?
Web App will use a set of outbound Public IP addresses to reach Internet. You can get those IP address by navigating to the Properties of the Web App.
In your NSG, you can use the Source IP as the list of IP that you got from Properties blade to allow traffic to your database. Also make sure to only open the port used by the database, and nothing else.
I want to deploy a website on azure IIS by using server 2016(Azure VM), and want to access it anywhere on the internet. How can I do this?
Which ip address I've to use for this purpose?
There are several steps to acheive this deployment on IIS.
1.Install IIS on azure VM.
https://devblogs.microsoft.com/premier-developer/set-up-iis-on-windows-virtual-machine/
2.Create a website for publish
Please remember to grant permission for authenticated user like IUSR and application pool identity
https://support.microsoft.com/en-gb/help/323972/how-to-set-up-your-first-iis-web-site
3.Set Azure VM firewall to allow your port like 80
https://learn.microsoft.com/en-us/azure/virtual-machines/windows/nsg-quickstart-portal
4.Publish your website.
You could achieve this via simple copy action in Remote desktop or VS web deployment
Just ensure your website can be accessed via telnet or tcping.exe. I remember ping is blocked by Azure VM.
https://learn.microsoft.com/en-us/azure/virtual-machines/windows/publish-web-app-from-visual-studio
5.Try to access from both internal IP address and external firewall IP address.
If you could access from internal IP which means your IIS site has been built correctly.
If the website can be access from external. Then you have finished the publish.
6.If you want to access website from public domain.
Then you have to purchase domain name from public domain provider. Then bind your domain to your public IP address on their portal. As long as the website can be accessed from external. It would work with domain name.
I am new to networking and routing.
I have hosted my website (enabled https) in azure vm having firewall settings. Have opened the ports for the websites.
But still unable to access my website from internet.
I have 2 sites running. the main website which is running on port 443. To access this site , it is directed to openid oauth2 identity site running on port 44300. Both the ports are opened. The site is running perfect when i access from the hosted server and also other servers.
I am trying to access this main site from my home internet. It is not working.I want to access this site from internet as well.
additional info:
Main website hosted in server which is connected to internet with a Connection which has got a IPv4 Default Gateway - eg; A
My own pc connected to internet with a different connection with different IPv4 Default Gateway.
With this above setup, it is possible to achieve my requirement?
Can anyone help what has to be done to access my website from outside world?
Thanks
My Azure web role can, using remote desktop, connect with a browser (IE) to google.com and to a DMZ server on our corporate network.
My web role cannot connect via HTTP GET (IE) to a non-DMZ box behind the firewall. My web role cannot ping this box either. My service is hosted in north/central, allegedly all published IP ranges of north/central have been granted access to the target IP by our CorpIT people. They claim they are seeing no traffic via their sniffer from my compute instance IP when I attempt to ping or HTTP GET against the target local IP.
CorpIT wants help from the Microsoft side but we have no Microsoft relationship. I'm convinced this is the outcome of months of slapdash thirdhand firewall rules applied to the target environment in question. What can I do to further elucidate this for CorpIT?
thx in advance!
You can try to run a trace route or get a network trace from the Azure instance and see what you get back from where. You could also create a support case with microsoft:
https://support.microsoft.com/oas/default.aspx?&c1=501&gprid=14928&&st=1&wfxredirect=1&sd=gn
I wouldn't bet on using the IP ranges to make your applications work correctly. Windows Azure already provides you with some services that allow you to solve these types of issues:
Windows Azure Connect: Allows you to create an IPSec secured connection between your servers and your hosted services. This means you won't need to add rules to the firewall for incoming traffic.
Windows Azure Service Bus Relay: Allows you to expose WCF services to the cloud without having to add rules to the firewall for incoming traffic. Choosing this option might add some extra work for you to do, you might need to create a WCF service if you don't already have one and change the code in your Web Role to connect to this WCF Service.