Serving external traffic with WebMatrix Beta

You will notice in WebMatrix Beta that the default website as well as new ones you create are bound to localhost. In other words, they can service local traffic only. This default behavior makes a lot of sense since we want users to explicitly opt into the security risk that comes with running over the network. You can verify this is the case by navigating to the Settings section in the Site workspace, as shown below:

image

The URL shown above is editable so you can try and replace localhost with your machine name (which happens to be vaidesg1 in my case). However IIS Developer Express will error out saying you need administrative rights (see bottom of screenshot below).

image

You can circumvent this by restarting WebMatrix as an Administrator, but this is a very bad idea for security reasons, especially for external facing sites. For the future, we are looking at adding an option in WebMatrix. However, you can manually configure this to work as shown below.

Step 1 – Configure HTTP.SYS (requires elevation)

In case you weren’t aware, HTTP.SYS is the OS component that both IIS and IIS Developer Express use to handle HTTP requests. By default, HTTP.SYS won’t allow an application running as a standard user to listen over the wire. It is possible to explicitly configure HTTP.SYS to allow external traffic as shown below. However you will need to be an administrator. For more details look at Configuring HTTP and HTTPS. The commands you will need to run in this situation are as follows.

On Vista and Win7, run the following command from an administrative prompt:

netsh http add urlacl url=http://vaidesg1:8080/ user=everyone

For XP, first install Windows XP Service Pack 2 Support Tools. Then run the following command from an administrative prompt:

httpcfg set urlacl /u http://vaidesg1:8080/ /a D:(A;;GX;;;WD)

Obviously, you’ll need to replace vaidesg1:8080 in the URL with the combo for your site. Also, you’ll need to do this for every URL you want to expose over the wire.

In HTTP.SYS parlance, you are adding a namespace reservation for your URL. If you ever need to get rid of the reservation you added previously, run the following command from an administrative prompt. You should do this if you delete your site, move it to a different port or decide to run it locally.

On Vista and Win7, run

netsh http delete urlacl url=http://vaidesg1:8080/

On XP, run

httpcfg delete urlacl /u http://vaidesg1:8080/
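
Reservations added in Step 1 stay in HTTP.SYS until they are deleted, so it is worth listing which ones still grant the listen right to Everyone. The following PowerShell is an added example, not part of the original post: it parses text in the layout printed by `netsh http show urlacl` and prints the delete command from above for each match. It assumes English-language netsh output; the sample text, the second reservation and its account and SID are constructed.

```powershell
# Constructed sample in the layout of `netsh http show urlacl`.
# On a real machine use:  $text = (netsh http show urlacl) -join "`n"
$text = @'
URL Reservations:
-----------------

    Reserved URL            : http://vaidesg1:8080/
        User: \Everyone
            Listen: Yes
            Delegate: No
            SDDL: D:(A;;GX;;;WD)

    Reserved URL            : http://vaidesg1:8081/
        User: VAIDESG1\devuser
            Listen: Yes
            Delegate: No
            SDDL: D:(A;;GX;;;S-1-5-21-1111111111-2222222222-3333333333-1001)
'@

function Get-UrlAclReservation {
    param([string]$Text)
    $current = $null
    foreach ($line in $Text -split "`r?`n") {
        if ($line -match '^\s*Reserved URL\s*:\s*(\S+)') {
            if ($current) { $current }          # emit the previous entry
            $current = [pscustomobject]@{ Url = $Matches[1]; Users = @(); Sddl = '' }
        } elseif ($current -and $line -match '^\s*User:\s*(.+?)\s*$') {
            $current.Users += $Matches[1]       # an entry can list several users
        } elseif ($current -and $line -match '^\s*SDDL:\s*(\S+)') {
            $current.Sddl = $Matches[1]
        }
    }
    if ($current) { $current }                  # emit the last entry
}

# SDDL ACE fields: (type;flags;rights;object;inherit_object;trustee).
# A = allow, GX = generic execute (the HTTP.SYS listen right), GA = generic all,
# WD = World (Everyone), which is what user=everyone and D:(A;;GX;;;WD) both grant.
$worldListen = '\(A;[^;]*;[^;]*(GX|GA)[^;]*;[^;]*;[^;]*;WD\)'

$open = Get-UrlAclReservation -Text $text | Where-Object { $_.Sddl -match $worldListen }

foreach ($r in $open) {
    "{0} can be claimed by Everyone (users: {1})" -f $r.Url, ($r.Users -join ', ')
    # Printed for review, not executed: not every hit is a reservation you added.
    "  netsh http delete urlacl url=$($r.Url)"
}
```

With the constructed sample, only http://vaidesg1:8080/ is reported; the reservation held by a single named account is not.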


Step 2 – Configure URL binding in WebMatrix

If you haven’t already, go ahead and edit your URL binding to use your machine name instead of localhost. You should now be able to successfully start the website and browse to it from your local machine. There is one additional step to browse to your website from a different machine.

Step 3 – Configure your firewall

Finally, you’ll need to punch a hole in your firewall. The exact steps will vary depending on what firewall product you have running on your computer.

It takes a bit of work but hopefully gets you going for now. We are looking to address this in the future, as I mentioned.

7 Comments

  • One thing you have to understand before you enable external traffic is that IIS Express worker process runs under the logged-on user's identity. So if you are opening your process to external traffic, ensure that user is not an administrator and that there is no personal/sensitive information stored in directories accessible to him, so that it is not compromised in the rare case of security vulnerability (or IIS express misconfiguration).

  • Do you mean a command line option in iisexpress.exe to enable external traffic? No that is not currently supported.

  • I tried the method suggested but using Visual Studio 2010 w/ SP1:

    Step 1:

    On Vista and Win7, run
    netsh http add urlacl url=http://vaidesg:8080/ user=everyone

    (replacing vaidesg1:8080 with your hostname and port)

    Step 2:

    Change the url binding to use your machine name instead of localhost

    In the project properties, web tab, I have the "Use Local IIS Web server" radio selected and the "Use IIS Express" checkbox checked. In the "Project Url:" textbox, I entered _http://vaisdesg:8080_, replacing that with hostname:port, and saved the project properties, and then was prompted to create a virtual directory, clicked YES and I get the following error:

    "Unable to create the virtual directory. _http://vaidesg:8080/_"

    I also tried keeping the Project Url to its original setting and changing the "Override application root URL" textbox to _http://vaidesg:8080_ and got the following error:

    "Unable to launch the IIS Express Web Server.

    The start URL specified is not valid. _http://vaidesg:8080/_"


    ----------


    **Does anyone have any advice?**

  • Instead of replacing the existing binding, you can add a new binding for external traffic in applicationhost.config. The bindings element (under ) will then look like this:






  • Both your bindings are configured to require a hostname. Try appending a binding for your IP as well,



    Test this out locally first and then remotely.

  • Hello, I am running Windows 7 SP1. I followed the following steps:

    Step 1

    netsh http add urlacl url=http://192.168.1.100:8000/ user=Everyone
    netsh http add urlacl url=https://192.168.1.100:44300/ user=Everyone

    Step 2

    applicationhost.config











    Step 3

    netsh advfirewall firewall add rule name="IIS Express (non-SSL)" action=allow protocol=TCP dir=in localport=8000
    netsh advfirewall firewall add rule name="IIS Express (SSL)" action=allow protocol=TCP dir=in localport=44300

    Then I proceeded to run WebMatrix without elevated privileges. It binds to 192.168.1.100 without any errors, and the page loads just fine. However when I attempt to access it from my external ip address, the page times out despite having the ports forwarded to my ip and even putting myself in dmz.

  • Sorry about that, I changed





    to




    I assume it was looking for hostname requests titled 192.168.1.100 in the first part?
