IP Address and Domain Restrictions
Applies To: Windows Server 2012 R2, Windows Server 2012
Use the IP Address and Domain Restrictions feature page to define and manage rules that allow or deny access to content for a specific IP address, a range of IP addresses, or a domain name or names.
Sort the list by clicking one of the column headings on the feature page, or select a value from the Group by drop-down list to group similar items.
Related scenarios
In this document
The following tables describe the UI elements that are available on the feature page and in the Actions pane.
Element Name |
Description |
---|---|
Mode |
Displays the type of rule. Values are either Allow or Deny. The Mode value indicates whether the rule is designed to allow or deny access to content. |
Requester |
Displays a specific IP address, range of IP addresses, or domain name that is defined in the Add Allow Restriction Rule and Add Deny Restriction Rule dialog boxes. You can specifically allow or deny a requester access to content. |
Entry Type |
Displays whether the item is local or inherited. Local items are read from the current configuration file, and inherited items are read from a parent configuration file. |
Element Name |
Description |
||
---|---|---|---|
Add Allow Entry |
Opens the Add Allow Restriction Rule dialog box from which you can define rules that allow access to content for a specific IP address, a range of IP addresses, or a DNS domain name. |
||
Add Deny Entry |
Opens the Add Deny Restriction Rule dialog box from which you can define rules that allow access to content for a specific IP address, a range of IP addresses, or a DNS domain name. |
||
Remove |
Removes the item that is selected from the list on the feature page. |
||
Edit Feature Settings |
Opens the Edit IP and Domain Restrictions Settings dialog box from which you can configure settings that apply to the entire IP and domain name restrictions feature. |
||
Revert to Inherited |
Reverts the feature to inherit settings from the parent configuration. This action deletes local configuration settings, including items from the list, for this feature. This action is not available at the server level. |
||
View Ordered List |
Displays the list in order of configuration. When you select the ordered list format, you can only move items up and down in the list. Other actions in the Actions pane do not appear until you select the unordered list format. |
||
Move Up |
Moves up a selected item in the list. This action is available only when viewing items in the ordered list format.
|
||
Move Down |
Moves a selected item down in the list. This action is available only when viewing items in the ordered list format. Note When items in the list are reordered at a child level, the child no longer inherits settings from the parent level. This loss of inheritance includes any items that are added to or removed from the list at the parent level. If you want to inherit settings from a parent level, revert all of the changes at the child level by using the Revert to Inherited action in the Actions pane. |
||
View Unordered List |
Displays the list in an unordered format. When you select the unordered list format, you can sort and group items in the list, and perform actions in the Actions pane. |
||
Edit Dynamic Restriction Settings |
Displays the Dynamic IP Restriction Setting dialog box from which you can restrict IP addresses that have too many concurrent requests or too many requests for a given time period. |
Use either the Add Allow Restriction Rule or the Add Deny Restriction Rule dialog box to define rules that allow or deny access to content for a specific IP address, a range of IP addresses, or a DNS domain name.
Element Name |
Description |
---|---|
Specific IP Address |
Add Allow Restriction Rule - Type an IP address in the Specific IP Address box in the Add Allow Restriction Rule dialog box when you want to allow access to content for a specific IP address. Add Deny Restriction Rule - Type an IP Address in the Specific IP Address box in the Add Deny Restriction Rule dialog box when you want to deny access to content for a specific IP address. |
IP address range |
Add Allow Restriction Rule - Type the lowest value of the range of IP addresses that you have chosen to use in the IP Address range box in the Add Allow Restriction Rule dialog box. Do this action when you want to allow access to content for a range of IP addresses. Next, enter the subnet mask. Add Deny Restriction Rule - Type the lowest value of the range of IP addresses that you have chosen to use in the IP address range box in the Add Deny Restriction Rule dialog box. Do this action when you want to deny access to content for a range of IP address. Next, enter the subnet mask. |
Mask |
Add Allow Restriction Rule - Type a subnet mask in the Mask box in the Add Allow Restriction Rule dialog box. Do this action when you want to allow access to content for a range of IP address. When IIS evaluates this subnet mask with the IP address entered in the IP address range box, the upper and lower boundaries of an IP address space are defined. Add Deny Restriction Rule - Type the subnet mask associated with the range of IP addresses in the Mask box in the Add Deny Restriction Rule dialog box. Do this action when you want to deny access to content for a range of IP address. When IIS evaluates this subnet mask with the IP address entered in the IP address range box, the upper and lower boundaries of an IP address space are defined. |
Domain name |
Add Allow Restriction Rule - Type a fully qualified DNS domain name in the Domain name box in the Add Allow Restriction Rule dialog box when you want to allow access to content for a DNS domain. Add Deny Restriction Rule - Type a fully qualified DNS domain name in the Domain name box in the Add Deny Restriction Rule dialog box when you want to deny access to content for a DNS domain. To see the Domain name option, first enable domain name restrictions, using Edit Feature Settings. |
Use the Edit IP and Domain Restrictions dialog box to define access restrictions for unspecified clients or to enable domain name restrictions for all rules.
Element Name |
Description |
---|---|
Access for unspecified clients |
Defines access restrictions for unspecified clients. This setting defines whether to allow or deny access to clients not specified by any other rule. |
Enable domain name restrictions |
Enables rules that restrict access by domain name. This rule significantly affects server performance because it requires a DNS lookup for every request. |
Enable Proxy Mode |
Enables requests to come through a proxy server. |
Deny Action Type |
Selects the type of action to be taken when a request is denied. The following list shows the available actions:
|
Use the Dynamic IP Restriction Settings dialog box to restrict IP addresses that have too many concurrent requests or too many requests for a given time period.
Element Name |
Description |
---|---|
Deny IP Address based on the number of concurrent requests |
Denies requests from an IP address when the number of concurrent requests exceeds the specified Maximum number of concurrent requests. |
Deny IP based on the number of requests over a period of time |
Denies requests from an IP address when the number of requests exceeds the specified Maximum number of requests for a given Time Period (in milliseconds). |
Enable Logging Only Mode |
Specifies that if one of the previous rules is exceeded the event is logged and the request is allowed rather than denied. |