No remote management of IIS on Server Core
Hi, I have three VMs running on a Server 2022 Hyper-V host: Windows 11 for management, Server 2022 as a domain controller and Server 2022 Core for Exchange 2019. On the DC I installed the optional feature "IIS Management" and downloaded and installed "IIS Manager for Remote Administration 1.2". Access to IIS on Exchange server works without problem. But if I do the same on the Windows 11 VM, I get an error message when trying to connect: An unexpected error occurred, connection was reset. I have tried the following without success: 1. use host name or FQDN of the mail server 2. use IP address of the mail server 3. use ports 80 and 443 (e.g. mailhost:443) 4. complete shutdown of all firewall profiles on both the Windows 11 client and the mail server The mail server's certificate is the original self-signed certificate that is created when Exchange/IIS is installed - I would expect to be asked about the trustworthiness of the certificate, but apparently the connection fails even before the SSL handshake. All four machines are domain members, name resolution and ping work fine. The Windows and IIS logs contain no clues. Several hours of web research have not yet yielded any results. Does anyone have an idea / a starting point? Many thanks in advance and best regards Stefano
How to prevent Malicious HTTP Redirections on an Exchange server
Hello All! I am attempting to assist a customer who is trying to pass PCI scans. By default, their IP addresses redirects any HTTPS (443) requests to the Exchange server's OWA. This is fine, except the scan states that the server does not pass a couple of vulnerabilities, one of them being "Redirection via Arbitrary Host Header Manipulation". As a solution, they recommended whitelisting domains, only allow permitted domains to be included in the Host header. I (for the life of me) cannot figure out how to get this to work on a server who's default website is the Exchange OWA. Every time I try to implement a rule in IIS (see: https://techcommunity.microsoft.com/t5/iis-support-blog/host-header-vulnerability/ba-p/1031958) that would redirect any requests that don't match the supplied string to the desired domain name, the page won't load and I get "ERR_TOO_MANY_REDIRECTS" presumably because of Exchange's automatic OWA redirection. Is there a way I can prevent malicious HTTP redirections without breaking OWA? To clarify: there are two domain names on our DNS that lead to the IP address of the Exchange server: mail.domain.com and vpn.otherdomain.com, obviously one is meant for mail and the other one is meant for vpn access over port 8443. The main domain (domain.com) leads to a completely different IP address that hosts their public website. I would like to change the IIS settings on the Exchange server so that mail.domain.com is the only domain allowed to be requested through an HTTP request.