Restricting SOA access via IP address

By default, iMIS SOA provides three levels of security to customer data:

■    Secure Sockets Layer (SSL)

■    a required user name and password

■    user type access rights (ClaimsMap)

In addition, you can protect your customer data by disabling external access altogether or by restricting SOA access to internal systems and trusted partners only. To achieve this, use your Microsoft IIS server to restrict access to SOA services by IP address. Regardless of which IIS server version you have, the approach centers on the EntityService.svc file in the web root. Choose one of two strategies:

[1] DISABLE - If you do not need outside access to your database, disable external access entirely by renaming EntityService.svc.

[2] RESTRICT - Otherwise, add a fourth level of security by applying specific IP address restrictions to EntityService.svc.

[1] Disabling all external access via SOA services

1.  Locate the file EntityService.svc in the web root.

2.  Rename the file (such as *.bak).

Important: There is a second EntityService.svc in the directory /NetTcp. Do not rename or delete this second file, as it provides internal-only access (using a protocol not available to external users), and it is required for the operation of iMIS.

[2] Restricting SOA access via IP address

By default, IIS 7 installations do not enable IP restrictions, so restricting IPs requires a few more steps.

To restrict SOA access by IP on IIS 7

1.  Ensure that your server has IP security enabled.

Windows 2008/R2:

□    Select Start > Administrative Tools > Server Manager.

□    Select Roles > Web Server.

□    Select Add Role Services.

□    Ensure IP and Domain Restrictions is checked.

Windows 7:

□    Select Start > Control Panel > Programs and Features.

□    Select Turn Windows features on and off.

□    Navigate to World Wide Web Services > Security.

□    Ensure IP Security is checked.

□    OK and close.

2.  Enable read/write on IIS IPv4 Address and Domain Restrictions:

a      Open Internet Information Service Manager.

b      Click on the machine name in the Connection panel.

c      At the bottom, click on Feature Delegation.

d      Ensure that IIS IPv4 Address and Domain Restrictions is set to Read/Write.

3.  Add IP restrictions to the web.config file:

a      Locate the file web.config in the root of the website.

b      Ensure that the read-only flag is turned off.

■    Right-click on web.config.

■    Ensure the Read-only check box is clear.

c      Open web.config with a text editor (such as Notepad).

d      At the bottom of the file, above the </configuration> line, add the IP restrictions:

        <location path="EntityService.svc">
          <system.webServer>
            <security>
              <ipSecurity allowUnlisted="false">
                <add ipAddress="127.0.0.1" allowed="true" />
              </ipSecurity>
            </security>
          </system.webServer>
        </location>
        </configuration>

        The example above restricts external HTTP/SOAP access to the local computer only; any client whose address is not listed is denied because allowUnlisted is "false".
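As an added example (not code from the iMIS documentation), the following Python script reads a web.config in the shape shown above and reports which client addresses the <ipSecurity> rules on EntityService.svc would admit. It is a reviewer's model of the configuration, useful for checking the file before you rely on a browser test: the embedded web.config fragment, the candidate addresses and the rule that an explicit deny entry overrides an allow entry for the same address are all assumptions, and IIS itself remains the authority on how overlapping entries are resolved.

```python
# Added example: audit the <ipSecurity> restriction that the procedure above
# places on EntityService.svc. Not part of the iMIS documentation.
import ipaddress
import xml.etree.ElementTree as ET

# Constructed web.config fragment in the shape the procedure describes. It
# admits the local machine and one trusted partner range (203.0.113.0/24,
# a documentation-only prefix), denies one host inside that range, and
# denies everything unlisted. Addresses are constructed for illustration.
SAMPLE_WEB_CONFIG = """<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <location path="EntityService.svc">
    <system.webServer>
      <security>
        <ipSecurity allowUnlisted="false">
          <add ipAddress="127.0.0.1" allowed="true" />
          <add ipAddress="203.0.113.0" subnetMask="255.255.255.0" allowed="true" />
          <add ipAddress="203.0.113.99" allowed="false" />
        </ipSecurity>
      </security>
    </system.webServer>
  </location>
</configuration>
"""


def _child(elem, tag):
    """Return the first direct child with the given tag (tags such as
    'system.webServer' contain a dot, so avoid path expressions)."""
    if elem is None:
        return None
    for node in elem:
        if node.tag == tag:
            return node
    return None


def load_ip_rules(web_config_xml, path="EntityService.svc"):
    """Return (allow_unlisted, rules) for the <location> guarding `path`.

    Each rule is (network, allowed). A missing subnetMask means a single
    host, the same meaning IIS gives <add ipAddress="..."/> without a mask.
    When no restriction exists for the path, IIS admits everyone, so the
    function returns (True, []).
    """
    root = ET.fromstring(web_config_xml)
    for loc in root.iter("location"):
        if loc.get("path") != path:
            continue
        ip_sec = _child(_child(_child(loc, "system.webServer"), "security"), "ipSecurity")
        if ip_sec is None:
            break
        allow_unlisted = ip_sec.get("allowUnlisted", "true").lower() == "true"
        rules = []
        for add in ip_sec.findall("add"):
            addr = add.get("ipAddress")
            mask = add.get("subnetMask", "255.255.255.255")
            net = ipaddress.ip_network(f"{addr}/{mask}", strict=False)
            rules.append((net, add.get("allowed", "true").lower() == "true"))
        return allow_unlisted, rules
    return True, []


def is_client_allowed(client_ip, allow_unlisted, rules):
    """Decide whether `client_ip` passes the restriction.

    Assumption (not taken from the iMIS page): if an address matches both an
    allow entry and a deny entry, the deny entry wins. Confirm the precedence
    against your IIS version instead of relying on this model.
    """
    ip = ipaddress.ip_address(client_ip)
    matches = [allowed for net, allowed in rules if ip in net]
    if not matches:
        return allow_unlisted
    return all(matches)


def summarize(allow_unlisted, rules):
    """Map the configuration onto the page's strategies: 'open' (no
    effective restriction), 'disabled' (nobody admitted, equivalent to
    renaming the service) or 'restricted'."""
    if allow_unlisted:
        return "open"
    if not any(allowed for _, allowed in rules):
        return "disabled"
    return "restricted"


def audit(web_config_xml, candidate_ips, path="EntityService.svc"):
    """Return {client_ip: allowed?} for each candidate address."""
    allow_unlisted, rules = load_ip_rules(web_config_xml, path)
    return {ip: is_client_allowed(ip, allow_unlisted, rules) for ip in candidate_ips}


if __name__ == "__main__":
    state = summarize(*load_ip_rules(SAMPLE_WEB_CONFIG))
    print(f"EntityService.svc access is {state}")
    for ip, ok in audit(SAMPLE_WEB_CONFIG, ["127.0.0.1", "203.0.113.10",
                                            "203.0.113.99", "198.51.100.7"]).items():
        print(f"{ip:16} {'allowed' if ok else 'denied'}")
```

Point the script at your real file by reading it into `audit()` in place of `SAMPLE_WEB_CONFIG`; a result of "open" for EntityService.svc means the restriction is not in force (allowUnlisted left at "true" or the `<location>` block missing), which is the case the browser test at the end of this page is meant to catch.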

To restrict SOA access by IP on IIS 6

On IIS 6.0, IP restrictions are applied directly to EntityService.svc in the root directory using IIS Manager (the settings are stored in the IIS 6 metadata).

1.  Open Internet Information Service Manager.

2.  Navigate to the iMIS website.

3.  Navigate to the file EntityService.svc within the website root.

4.  Right-click on EntityService.svc and select Properties.

5.  Select File Security.

6.  Select Edit.

7.  Select the radio button Denied access.

8.  Add the IP addresses that should be granted access. To deny all external access, do not enter any addresses.

9.  OK all windows and close.

To test external access to SOA services

A simple browser test determines whether external web access to the service is allowed. Run this test to confirm that the procedure has been applied correctly.

1.  Navigate your browser to your main iMIS web site.

2.  Browse to the service address, such as: www.mywebsite.com/EntityService.svc

□    If access is allowed, a simple display starting with EntityService Service should appear.

□    If you have restricted access, a form of an "access denied" message should appear.

Note that username and password are still required to actually access data.