The IP and Domain Restrictions Role Service feature must be installed as part of Web Server (IIS) on the Apex One server.

To install it, click Start > Server Manager > Add Roles and Features > Server Selection > Server Roles > Web Server (IIS) > Web Server > Security > IP and Domain Restrictions > Next > Next > Install.

Restrict Apex One web console access

To restrict Apex One web console access:

  1. On the Apex One server computer, launch Internet Information Services (IIS) Manager.
  2. Expand SERVERNAME > Sites > OfficeScan website > officescan and then click the console directory.
  3. Double-click IP Address and Domain Restrictions under the IIS group.

  4. To deny all access, select the "Deny" action under the "Access for unspecified clients:" setting.

    Restricting all access will have the following limitation, which is addressed in Apex One Patch 2 Build 2146 or later builds:

    • The Sample Submission and Suspicious Object List settings will fail to upload samples and sync settings from the Apex One server to Security Agents

  5. Add the IP addresses of allowed devices, e.g. the system administrator's computer, and then click the Add Allow Entry… action in the upper-right section.
  6. Input the target Specific IP address or IP address range and then click OK.
     
    • Add both the IPv4 and IPv6 addresses of the allowed computers. The following should be allowed access:
      • System administrator
      • Apex One server
      • Apex Central server
      • Apex One Edge server
    • Allow the localhost IP addresses so that internal Apex One communication within the console keeps working. Below are the default localhost IP values:
      • 127.0.0.1
      • ::1
    • If you get logged out of the Apex One web console after allowing the necessary IP address, clear the browser cache and restart the web browser.

    If you are using the default action type (Forbidden), an easy way to identify the IPv6 addresses is to check the Apex One website's IIS logs.

    Search the logs for all "error 403" entries and check them for the IPv6 addresses of allowed computers that were restricted.

    Allowing or restricting access by domain name is not recommended, because this rule may significantly affect server performance: it requires a DNS lookup for every request.

  7. The "Enable Proxy Mode" setting can be enabled to filter clients that access IIS through one or more firewalls, load balancers, or proxy servers. Administrators can configure their servers to examine the X-Forwarded-For HTTP header in order to determine which requests to block.

    To enable X-Forwarded-For logging in IIS:

    1. Expand SERVERNAME > Sites > OfficeScan website directory.
    2. Double-click Logging under the IIS group.

    3. Click the Select Fields button under Log File Format.

    4. In the W3C Logging Fields menu, click Add Field… and then enter "X-Forwarded-For" in both the Field Name and Source sections.

    5. The Custom Fields section should show the entry after you click OK.

    6. Restart the IIS Admin Service.

      The log file name should now end with "_x", and the log header should show X-Forwarded-For.

Below is the default message that the restricted IP/domain gets when the Apex One web console is accessed:

403 - Forbidden: Access is denied.
You do not have permission to view this directory or page using the credentials that you supplied.

In IIS 8.0, administrators can configure IIS to deny access in several additional ways:

Action Type     Description
Unauthorized    Returns Error 401
Forbidden       Returns Error 403
Not Found       Returns Error 404
Abort           Terminates the connection
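
The "search all error 403" check from step 6, as an added example (not Trend Micro's code and not part of the original article): a Python script that reads an IIS W3C log, keeps the requests answered with 403, and lists the client addresses so that the IPv6 addresses of computers that should be allowed can be spotted. The log lines are constructed sample data, the function names are hypothetical, and it assumes the standard c-ip and sc-status W3C fields plus a custom column named X-Forwarded-For as entered in step 7.

```python
import ipaddress
from collections import Counter

# Constructed sample of an IIS W3C log (not taken from a real server).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time cs-method cs-uri-stem c-ip sc-status sc-substatus X-Forwarded-For
2024-05-01 08:00:01 GET /officescan/console/ 192.0.2.10 200 0 -
2024-05-01 08:00:05 GET /officescan/console/ 2001:db8::25 403 6 -
2024-05-01 08:00:09 GET /officescan/console/ 2001:db8::25 403 6 -
2024-05-01 08:01:12 GET /officescan/console/ fe80::1c2:3ff%12 403 6 -
2024-05-01 08:02:30 GET /officescan/console/ 198.51.100.7 403 6 203.0.113.44
"""

def denied_clients(log_text, status="403"):
    """Return {(address, ip_version, forwarded_for): hits} for denied requests."""
    fields, hits = [], Counter()
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]   # the field list can change mid-file
            continue
        if not line.strip() or line.startswith("#") or not fields:
            continue
        row = dict(zip(fields, line.split()))
        if row.get("sc-status") != status:
            continue
        try:
            # Drop an IPv6 zone id ("%12") before parsing the address.
            ip = ipaddress.ip_address(row.get("c-ip", "").split("%")[0])
        except ValueError:
            continue                    # missing or malformed c-ip
        # X-Forwarded-For comes from the request itself: treat it as a hint.
        xff = row.get("X-Forwarded-For", "-")
        hits[(str(ip), ip.version, None if xff == "-" else xff)] += 1
    return dict(hits)

def ipv6_to_review(log_text):
    """Denied IPv6 client addresses, most frequently denied first."""
    totals = Counter()
    for (addr, version, _), n in denied_clients(log_text).items():
        if version == 6:
            totals[addr] += n
    return [addr for addr, _ in totals.most_common()]

if __name__ == "__main__":
    for key, n in denied_clients(SAMPLE_LOG).items():
        print(n, *key)
```

If the deny action type is changed from Forbidden to Unauthorized or Not Found, pass the matching status ("401" or "404") to denied_clients instead of the default.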