Allow only local network access to WCF services - wcf

I have two WCF services hosted in IIS: PublicService.svc and PrivateService.svc. The IIS server has two Ethernet adapters (one for the internet and one for the local network).
How can I make PrivateService.svc available only on the local network via the configuration file? Or is there a simpler way to restrict access to PrivateService.svc from the internet?
I don't want to change code, so I hope I can find a simple way to do what I need by changes in the configuration file.
Thanks

Just bind to the local address (127.0.0.1 or localhost) or to the concrete IP address of the local network adapter (192.168..). In this way your services won't be accessible from the external network.
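The binding approach from the answer above, as an added example that is not part of the original post: a fragment of IIS's applicationHost.config in which the two services live in two separate sites, each bound to exactly one adapter address. The site names, physical paths and the addresses 203.0.113.10 (internet adapter) and 192.168.1.10 (LAN adapter) are constructed placeholders.

```xml
<!-- Added example, not the answer's own configuration.
     Fragment of %windir%\System32\inetsrv\config\applicationHost.config
     (inside <system.applicationHost>). Addresses, site names and paths
     are assumed placeholders. -->
<sites>
  <!-- PublicService.svc is served by a site that listens only on the
       internet-facing adapter -->
  <site name="PublicSite" id="1">
    <application path="/">
      <virtualDirectory path="/" physicalPath="C:\inetpub\PublicSite" />
    </application>
    <bindings>
      <!-- bindingInformation is IP:port:hostheader. An explicit IP instead
           of "*" makes http.sys accept connections on that address only. -->
      <binding protocol="http" bindingInformation="203.0.113.10:80:" />
    </bindings>
  </site>

  <!-- PrivateService.svc is served by a site that listens only on the
       LAN adapter, so it is simply not reachable from the internet side -->
  <site name="PrivateSite" id="2">
    <application path="/">
      <virtualDirectory path="/" physicalPath="C:\inetpub\PrivateSite" />
    </application>
    <bindings>
      <binding protocol="http" bindingInformation="192.168.1.10:80:" />
    </bindings>
  </site>
</sites>
```

After applying it, `netstat -ano | findstr :80` should show the listener on 192.168.1.10 for the private site rather than on 0.0.0.0. WCF services hosted in IIS inherit the site binding as their base address, so no change to the .svc or its web.config is needed; the private service's addresses will simply be of the form http://192.168.1.10/... . This only helps if the two adapters really are on separate networks and the internet adapter is not forwarded onto the LAN; if the two services must stay in one site, IIS's IP and Domain Restrictions feature is the alternative.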

Related

WCF VPN endpoint and internet endpoint

The laptops of our company have a WCF sync client installed which communicates with the server.
The data transfer works as long as they do not connect with the VPN.
When they connect with the VPN, I can make the WCF client sync again if I add the "proxyaddress" parameter to the .config file.
Question: how can I make it work in both scenarios? Is there a way the WCF client can make a "smart selection" among multiple endpoints?
This issue relates more to the network and routing than to WCF.
When we connect to VPN, an extra virtual network interface is created on the local machine. At the same time, the local routing table is changed, which caused the issue that the internal network address could not be accessed. We can solve this by setting up a proxy address. A more general way is to set a static route on the local machine.
route add -p 172.17.10.0 mask 255.255.255.0 172.17.16.1
The first address is the destination network address; the last address is a local gateway, which can be reached through a local network interface. This causes packets sent to the destination network to be routed out of the specified network interface.
Here is a related link.
https://docs.oracle.com/cd/E53394_01/html/E54745/gmyag.html
Feel free to let me know if there is anything I can help with.

Hosting server farm behind VPN

I have a setup I would like to implement but am just not sure on the details. As you can see in the image below, I have a single VPS on the web which I would like to use as a gateway to a number of locally running web servers. I'm using the VPN to hide the IP/location of the server farm while maintaining the ability to host locally.
What I am not sure on is the implementation, as I have never used a VPN before. My understanding is that I can host the VPN server on the server farm and have the VPS connect to it, which will give me another 'local' network interface which I can then use Apache to proxy traffic through?
The server farm is basically a small Kubernetes cluster, give or take a little.
Is my understanding correct, and can you offer any advice on implementation?
Thanks in advance!
server farm example image
The VPN server should have two network interfaces. The first is the public interface that connects to the Internet and the second is the local interface that connects to the server farm. All the servers in the farm should connect only to the local interface and have the gateway set as the VPN server.
You can use the Reverse Proxy functionality in Apache to route incoming traffic to the appropriate server. See Reverse Proxy Guide

WCF security scenario

I have a WCF service and two apps behind the firewall, and a third app connects remotely through the internet. I host the service on IIS.
If I restrict the IPs to the local IPs and that remote server's IP using IIS, would that be sufficient? If yes, is that a bad idea for another reason rather than security?
Given that the remote server will connect through HTTPS and with credentials.
thanks
Securing using IP is a good idea only if you are sure that the IPs are static and unlikely to change. For example, local IPs can easily change (typically, they get auto-assigned). So, I will go via this route if what you are securing is critical/sensitive.
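The IIS IP restriction that the question describes, as an added example (not configuration from the question or the answer): a web.config that limits only PrivateService.svc to the LAN subnet plus the one remote server, leaving the rest of the application untouched. It needs the "IP and Domain Restrictions" role service installed, and the 192.168.1.0/24 and 203.0.113.25 addresses are constructed placeholders.

```xml
<!-- Added example, not from the original thread. web.config of the IIS
     application hosting both .svc files. Addresses are assumed placeholders. -->
<configuration>
  <!-- <location> scopes the rule to one file; PublicService.svc keeps the
       site's default (open) access -->
  <location path="PrivateService.svc">
    <system.webServer>
      <security>
        <!-- allowUnlisted="false": everything not explicitly allowed is denied -->
        <ipSecurity allowUnlisted="false">
          <!-- loopback, for tests run on the server itself -->
          <add ipAddress="127.0.0.1" allowed="true" />
          <!-- the whole local subnet rather than single DHCP-assigned hosts,
               which addresses the answer's concern about changing local IPs -->
          <add ipAddress="192.168.1.0" subnetMask="255.255.255.0" allowed="true" />
          <!-- the single remote server that is permitted in over HTTPS -->
          <add ipAddress="203.0.113.25" allowed="true" />
        </ipSecurity>
      </security>
    </system.webServer>
  </location>
</configuration>
```

Two things to check before relying on this: the ipSecurity section is locked at server level by default, so it must be unlocked in applicationHost.config (or the rules placed there) before a site-level web.config is allowed to set it; and IIS evaluates the rule against the TCP peer address, so if a load balancer or reverse proxy sits in front of IIS, every request will appear to come from the proxy and the rule will not distinguish clients. IP filtering is a network-layer control and complements, rather than replaces, the HTTPS and credential checks the question already plans.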

WCF DiscoveryClient returns references to localhost from remote machines

I have an app with a self-hosted WCF service.
My WCF service gets published under the URI "net.tcp://localhost:8004/DocumentService". When I run the service on a remote machine and try to discover the service with the new .NET 4 class DiscoveryClient, the found services all have the URI "net.tcp://localhost:8004/DocumentService" too without any information about the actual machine where the service is hosted.
Obviously this is useless if I want to access the service on the remote machine. But I can't find any reference to the actual remote machine (IP address or server name) in the arguments passed to FindProgressChanged.
Is there a way to get the information about the remote machine or do I have to publish my service with the machine name of the remote machine? Or is DiscoveryClient just broken?
I hope this makes sense.
I spent a lot of time investigating this problem. Building base addresses in the code was not acceptable for me, as it implies hardcoding the transport scheme and port (the latter, of course, can be stored in a separate config section, but then why not just use the existing section?). I wanted to have the ability to just configure the base address in config as usual. And it turns out that a base address like <add baseAddress="net.tcp://*:8731/"/> will work perfectly. I think the same is true for programmatic configuration.
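The configuration the answer above describes, written out as an added example (not code from the question or the answer): an App.config for the self-hosted service that uses the wildcard base address the answer reports as working, together with the WS-Discovery behaviour and UDP discovery endpoint that DiscoveryClient relies on. The service and contract names (Demo.*) are hypothetical.

```xml
<!-- Added example, not from the original thread. App.config of the
     self-hosted service; Demo.* names are assumed placeholders. -->
<configuration>
  <system.serviceModel>
    <services>
      <service name="Demo.DocumentService" behaviorConfiguration="discoverable">
        <host>
          <baseAddresses>
            <!-- "*" instead of "localhost": per the answer above, the address
                 that discovery then hands to remote clients is no longer a
                 loopback URI they cannot use -->
            <add baseAddress="net.tcp://*:8731/DocumentService" />
          </baseAddresses>
        </host>
        <!-- the application endpoint clients actually call -->
        <endpoint address="" binding="netTcpBinding" contract="Demo.IDocumentService" />
        <!-- standard endpoint that answers WS-Discovery probes on UDP multicast -->
        <endpoint name="udpDiscoveryEpt" kind="udpDiscoveryEndpoint" />
      </service>
    </services>
    <behaviors>
      <serviceBehaviors>
        <behavior name="discoverable">
          <!-- without this behaviour DiscoveryClient.Find never sees the service -->
          <serviceDiscovery />
        </behavior>
      </serviceBehaviors>
    </behaviors>
  </system.serviceModel>
</configuration>
```

Worth keeping in mind when enabling this: UDP discovery answers any probe on the multicast group with no authentication, so the discovery endpoint should only be reachable on the LAN where the clients live, and a client should still validate what it receives (for example, accept only endpoints whose address scheme and port match what it expects) rather than connecting to whatever address a probe response contains.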

How do I host a wcf service on the internet?

This is probably a basic networking issue, but I am new to this stuff and just do not know the answer.
I have written a wcf service and client. I can use one of the http bindings and get the service to work correctly when I put my machine's network IP address as the endpoint address and run the client and server from the same machine. Now, I want to be able to connect to this service from a different machine over the internet. Clearly it does not work when I use my network IP address in this scenario, but simply putting in my router's broadband IP address does not seem to be doing the trick, either. Am I just missing a firewall port that I need to open up, or am I trying to do something that should not be possible?
If you want users from the internet to be able to connect to your service, you'll have to consider a few points:
binding: the lowest common denominator is the basicHttpBinding, which is SOAP 1.1 with basically no additional features available - just like ASMX web services. Just about anyone can connect to that. For more advanced clients, you might also want to expose a wsHttpBinding endpoint on your service
security: how (if at all) do you want to secure access to your web service? Do you have username/password credentials that callers must supply? Check out the WCF Security Guidance for a whole slew of information bits on the various security scenarios
authenticating your service: typically, you should strive to make your service authenticate itself to the rest of the world - this requires a server certificate and enables secured communication (messages signed + encrypted) on the wire
make sure your service endpoint(s) is reachable from the internet, through all firewalls and proxies and everything :-)
Hope that helps a bit!
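The first three points of the answer above, combined into one added example that is not the answer's own code: a web.config for an IIS-hosted service that exposes both a basicHttpBinding and a wsHttpBinding endpoint, authenticates the server with a certificate via HTTPS, and requires caller credentials. It assumes the IIS site already has an https binding with a server certificate and that Basic authentication is enabled for the application; the Demo.* names are hypothetical.

```xml
<!-- Added example, not from the original thread. web.config of the IIS
     application; Demo.* names are assumed placeholders. -->
<configuration>
  <system.serviceModel>
    <bindings>
      <basicHttpBinding>
        <!-- mode="Transport": TLS on the wire, i.e. the server certificate
             authenticates the service and encrypts the messages -->
        <binding name="secureBasic">
          <security mode="Transport">
            <!-- username/password from callers, sent only inside TLS -->
            <transport clientCredentialType="Basic" />
          </security>
        </binding>
      </basicHttpBinding>
      <wsHttpBinding>
        <binding name="secureWs">
          <security mode="Transport">
            <transport clientCredentialType="Basic" />
          </security>
        </binding>
      </wsHttpBinding>
    </bindings>
    <services>
      <service name="Demo.PublicService" behaviorConfiguration="internetFacing">
        <!-- lowest common denominator: SOAP 1.1, reachable by almost any client -->
        <endpoint address="basic" binding="basicHttpBinding"
                  bindingConfiguration="secureBasic" contract="Demo.IPublicService" />
        <!-- WS-* capable clients -->
        <endpoint address="ws" binding="wsHttpBinding"
                  bindingConfiguration="secureWs" contract="Demo.IPublicService" />
        <!-- metadata only over HTTPS as well -->
        <endpoint address="mex" binding="mexHttpsBinding" contract="IMetadataExchange" />
      </service>
    </services>
    <behaviors>
      <serviceBehaviors>
        <behavior name="internetFacing">
          <serviceMetadata httpsGetEnabled="true" httpGetEnabled="false" />
          <!-- never send stack traces to internet callers -->
          <serviceDebug includeExceptionDetailInFaults="false" />
        </behavior>
      </serviceBehaviors>
    </behaviors>
  </system.serviceModel>
</configuration>
```

With this in place, the plain-HTTP endpoint address stops working by design, which is a quick check that nothing is still exposed unencrypted; clients add the service reference from the https://.../service.svc?wsdl address and pick whichever of the two endpoints they support. The fourth point of the answer (reachability through firewalls and proxies) is outside the config file: the site's https port still has to be opened or forwarded on the network path.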
You need to set up port forwarding on your router. Perhaps someone on ServerFault or SuperUser would be able to help you. Or even a google search now that you know what it's called. The instructions will be different depending on the router. The port you need to forward will be the port you've picked in the WCF config file.
I host WCF services through IIS, but it took me ages to work out how. At the moment I put the files on the web server and enable web sharing on the root folder. Then you can assign them to an appropriate application pool in IIS and add a service reference to any client projects using the URL of the WSDL.
I'm not sure if this is the best way to do it, but it's the only way I've worked out so far.
Here's the simple solution.
I am assuming that you have made a working WCF application and hosted it on IIS.
The next thing to do is to browse the application from IIS. It will give you a URL in the address bar something like:
http://localhost/myservice/service.svc
Next go to www.whatismyip.com. This will give you your system's WAN IP (say, 45.34.56.200).
Replace the URL you got in step 2 with: http://45.34.56.200/myservice/service.svc
Now you can use this URL anywhere in the world to consume your service.
I found a good article and it is working fine for me; the main steps are the following:
1- First you should create the WCF service.
2- Add an application in IIS, give an alias for your virtual directory and set the path from your local drive.
3- Make sure your default app pool is set to .NET CLR v4.0.
4- Test that your WCF service is running successfully on localhost.
5- To access the same via LAN (Local Area Network) you must disable the firewall for your private network.
6- Try ngrok.com; you will get a temporary URL to access your localhost from anywhere via the internet.
Then everything will be fine.
For more information check the following link:
https://www.codeproject.com/Tips/813650/Host-WCF-on-LocalHost-and-access-via-Internet