IP Restrictions: Unable to access or use service or webservice files

  • Updated

After you upgrade or apply a Service Pack, you may be unable to access asmx, svc, and wcf service files located in the /Workarea/WebServices and /Workarea/Services/ folders, or anything referencing the /workarea/servercontrolws.asmx file(for 9.1 and lower versions with a security patch). The following error indicates that access may be blocked: HTTP 403 Forbidden.

Update:

In versions 9.2 and up, the ServerControlWS.asmx file was removed from the site's workarea folder for security reasons. While the wspath is still used, it does not actually use the full path.

e.g. the application only uses http://<SiteURL>/Workarea/, not http://<SiteURL>/Workarea/ServerControlWS.asmx). 

There is no need to remove ServerControlWS.asmx from the wspath even though it is not used in 9.2+ versions.

HTTP Error 403.503 - Forbidden

Ektron functionality is locked to localhost IP (127.0.0.1) for security reasons. Frequently communication happens using the server IP(s), so it is not enough to just whitelist 127.0.0.1. To allow communication over other IP addresses for these servers, add them to the allowed IP list as shown in the Solution. 

Some impacted product areas are:

  • Search
  • DxH
  • Esync
  • Load Balancing
  • 3-Tier
  • Notification Service

As of 9.10 the installer determines whether you have IP restrictions in place and requires you to accept or decline adding these restrictions at that time. Installing REQUIRES at least some form of IP restriction or you cannot upgrade or install. The following messages appears in the installer: 

IP Restrict Installer 1  

The following message is displayed if you click  No .

IP Restrict Installer 2

As part of the 9.10 installation and the previous security patch to 8.02 SP5, 8.7 SP2, and later releases, files in the service/webservice folders and specifically the /workarea/ServerControlWS.asmx file in the Workarea(if on 9.2+ see update above) cannot be accessed without deliberate measures to expose them. By doing so, Ektron is trying to prevent unauthorized access to your CMS site, and the potential for malicious usage of the API methods contained in these files.

To enable access to the webservices or service folders, follow these steps.

  1. Run the command ipconfig from the web server. Identify the server's IP(s).
  2. Open IIS on your webserver.
  3. Go to /workarea/webservices .
  4. Click on the folder in the left panel, and double-click the IP Address and Domain Restrictions option from the IIS section of the middle pane. (If this is not an option, enable it through your server's Roles, or by adding it as a Windows Feature. The following command line script can also be run to enable it.
    Dism.exe /online /enable-Feature /FeatureName:IIS-IPSecurity
    

    IpRestrict1

  5. Create an Allow Entry for the IP addresses or IP address range that will connect to the server to access the webservice/webservice APIs. You need to add all IPs for each server, not just the primary. (If any code from this server uses WebServices, you also need to add an entry for its own IP address.)
  6. Click Add Allow Entry... from the right panel, define your options, and click OK to create the entry.

    IpRestrict2

  7. Repeat steps 2 through 5 for the /workarea/services folder (ignore this for 8.02 SP5 where the folder is not present) and the /workarea/servercontrolws.asmx file if using 9.1 or lower.
  8. Test connections again to ensure access to the services.