I have a web service that will only be called from the same box. In IIS 7 I have used named pipe endpoints for security and speed. the project I am working on now has the same requirements but will be on server 2003 IIS 6. What are my options to restrict access to only the local machine? Thanks!
IIS6 only supports http and wshttp protocols. You could run your WCF in a Windows Service and control everything as you do now (however that may be). There are tons of ways to secure it as well.
Self Signed certificates between the two (popular over the internet)
Windows Authentication and control list (easy on same network/domain)
UserName Password (also easy).
But if you have it working now, I would attempt to rehost into a Windows Service, which should not take away your current functionality.
You should know by the way that if use named pipes over a network, it is actually just remoting via TCP.
Related
Enviroment
Consider the following production environment setup for a web application:
End user --Internet--> web server in DMZ --Firewall--> WCF hosted on app server --> DB Server
Constraint:
Also consider that we cannot change anything from the infrastructure point of view. For example, open ports, change any firewall setting etc.
Problem:
We want to expose the WCF, which is hosted on the app server, to external clients. We are trying to solve this as follows:
End user --Internet--> Router WCF in DMZ --Firewall--> WCF hosted on app server --> DB Server
Please note that we cannot establish a db connection from the DMZ environment where the WCF needs to be hosted so that the external clients can consume it. We have developed a "Router WCF" which passes through all messages to the internal WCF and vice-versa.
This solution adds an unnecessary overhead of serializing and de-serializing data. There must a better and proper way of doing this. We are looking forward to the community for guidance. Thank you.
In DMZ the bibliography tells you: always create an intermediate layer. This means another machine on the internet will be the point of connection and it will proxy the connection back to WCF.
The machine is the web server you seem to mention, that is stupid, has no data, and (to be a proper DMZ) has a firewall between it and all the machines (WCF and the others) it serves that permits only IP:PORTS used on such machines.
In this scenario, usually Apache on the public web server with a URL-rewrite rule (i.e if it is /x/y send it to servera.internal.com:9900 - if it is /x/z send it to serverb.internal.com:9901 etc...) is enough, but there are plenty of solutions of course.
It seems you are doing exactly this, why do you say it is not the proper solution?
DMZs could seem a bit dated as protection mechanism (I agree) but you have to think when servers like your WCF machine had dozens of ports opened, and you wanted to lower the risk of random ports on web-facing machines, a giant attack surface. Nowadays everything can work with couple of ports opened, so it can seem "silly" to do all of this just to forward a TCP port. But it is still valuable as (for example) if servers behind the web server in DMZ do not have internet access, even when WCF is compromised, the attacker cannot use its own reverse shell to deploy what it is nowadays called an APT (yesterday backdoor). The attacker "won't see" his own machine from WCF as the DMZ provides the connection to the external world.
i am new in wcf and started learning. i got one confusion like that i create a small wcf service and just do not host it in IIS,console apps or win service but from another apps i can add the service reference of svc file and found it is working. if wcf can work without hosting in any place like "IIS,console apps or win service " then why people would alway host wcf service in IIS,console apps or win service. can anyone tell me the reason.
people use IIS and windows services in general because they are simpler to setup and run more consistently. they can also be hosted more easily on servers where the services can be configured to start automatically, and as usually wcf is used as a server communication method it is usually this that you want to do.
hosting in console applications is generally easier to setup for simple examples for testing purposes, when you want to test your services locally.
Whilst hosting in applications as possible it's a less common scenario to use wcf to communicate between 2 applications on the same machine.
EDIT:
Your original question asked why people always talk about IIS, services etc. The point I was making was that usually wcf is used for web services, and is usually run on a server other than the local machine. Even though it can be used for inter process communication on the same machine this is not the most common use case. This is why you see a lot of examples using IIS and not too many hosting it in a Windows forms app.
I've got a working WCF service and a working Delphi client. On a normal PC, they work nicely. On a VM that's "Bridged" they work nicely if I log onto the domain (but not if I logon locally to the VM as administrator). If the VM is NATed, the connection attempt times out.
I would love to hear people's thoughts on what could be making such a difference to whether the client can successfully connect to the WCF service. Bear in mind I'm connecting with basicHttpBinding with no security.
The service is setup to use System Account (interact with desktop is NOT checked), and it starts automatically. The service URI doesn't change, the port is open, and can be telnet'd to in all scenarios.
Any ideas or pointers?
Within the VM, open Internet Explorer and verify that you can view the WSDL of the WCF service. If you can't, then your issue is connectivity and has nothing to do with your Delphi code.
Group Policies and Enterprise Security solutions that swap certificates or require certificates to be registered (we're using a UTM called CyberRoam) make a difference.
Also when Virtual Machines join a domain, their ComputerNames are added to a list maintained by the Domain Controller. When the same Virtual Machine is "moved" or "copied", its ComputerName should be changed to avoid DNS resolution issues.
I'm not claiming this as the definitive answer, however it does explain the issues I noticed in this instance.
Summary:
Does anybody know if there are known issues or configuration gotchas with an IIS service connecting to an Azure based service?
Scenario:
I currently have a scenario that requires me to host two web-services, one in Azure, and one on a server running IIS. The IIS hosted service (a WCF service) connects to the Azure hosted service (actually the Azure storage API) in order to fetch certain information. This information is manipulated and returned to the client.
Client -> IIS Service -> Azure Storage Service
Issue:
I'm running into issues with the IIS service connecting to the Azure Service. The hostname cannot be resolved. I'm using the Azure Storage client from my code, but have actually tried this using the azure API calls, and they also do not work from IIS. I captured the requests using Fiddler (on a different machine), they match the azure REST API calls, as expected. These requests, when made outside of IIS on the host machine execute properly. It is only when they are issued by the IIS service that they fail.
In my research other people have been running into this issue when there's a firewall problem, but since I can hit the service properly from the machine, that doesn't seem to fit the bill. My hunch is that there's a configuration issue I need to sort out in IIS, but I've failed to find anything useful with my searches.
Does anyone have any information on why this might be occuring (known bugs, gotchas etc)? Any workarounds? From a SOA perspective, this seems fairly critical to understand.
Any assitance anyone has would be helpful. Thank you.
Sounds like a proxy configuration issue. Check how your IIS server connected to Internet. If you are using some sort of proxy to get to Internet, that connection has to be configured correctly.
Specifically, if your proxy servers are Microsoft ISA server, or Microsoft Forefront TMG, then you need to check two things:
ISA server client or Forefront TMG client software is installed on the server
The account used by IIS application pool is domain user. ISA Server/TMG are designed to work only with user account, not service account. Alternative workaround for this limitation is using "defaultProxy" configuration in web.config, however it only wokrs for HTTP/HTTPS.
If you use different proxy server, then other issues might be involved, for example proxy might require authentication.
I am struggling with a WCF issue relating to name resolution-or something like so. When I consume a wcf service (netTcpBinding) on an application server via a web application on the web server it doesn't work. Ok it doesn't work in most situations. If you access the web application from the web server itself using localhost or 127.0.0.1 it works. However accessing it through the web server via another client machine or accessing the web application locally on the web server using the host name or IP address does not work. In both instances you get a socket connection aborted error.
What makes it more interesting is that switching all the security to 'none' as opposed to 'transport' resolves the issue.
My question is, is it possible to access wcf services using your web server and still use transport security? Or is this a bug/designed behaviour?
Many thanks for any insight,
Steve
The default NetTcpBinding security option is Kerberos / Windows Authentication. If your client and service are not on the same domain it will not work. You may need to look at certificate based authentication.
If you your service is running under a domain account, try changing it to LocalService or NetworkService to see if it resolves the issue.
Transport security typically only works point-to-point - when the client connects directly to the server.
If you have clients that come in from the internet, you have no control over how many intermediary hops they go through - so Transport security, even if you get it to work, will most likely not work at all, e.g. your message might be protected from the client to the first hop, and from the last hop to your server - but not in between hops.
For an internet scenario, typically, Transport security is not a valid option - use Message Security for those cases.
I'm not 100% sure why the connection wouldn't work at all - but in any case, if you're not behind a corporate firewall, I wouldn't be using netTcp with transport security in such a scenario.
Could you please add your server side config (anything inside <system.serviceModel>) to your question to see how you set up Transport security?