Thursday, 16 April 2015

How to Configure Request Filtering for IIS in SCCM 2012


By default, IIS blocks several file name extensions and folder locations from access by HTTP or HTTPS communication. If package source files contain extensions that are blocked in IIS, they must be configured in the requestFiltering section of the applicationHost.config file on the distribution point server.

The following file name extensions are used by SCCM / Configuration Manager for packages and applications. Allow the following file name extensions on distribution points:

·         .PCK

·         .PKG

·         .STA

·         .TAR

For example, there might be source files for a software deployment that include a folder named bin, or that contain a file with the .mdb file name extension. By default, IIS request filtering blocks access to these elements. When using the default IIS configuration on a distribution point, clients that use BITS fail to download this software deployment from the distribution point. In this scenario, the clients indicate that they are waiting for content. To enable the clients to download this content by using BITS, on each applicable distribution point, edit the requestFiltering section of the applicationHost.config file to allow access to the files and folders in the software deployment.

Important: Modifications to the requestFiltering section apply to all websites on that server. This configuration increases the attack surface of the computer. The security best practice is to run Configuration Manager on a dedicated web server. If other applications must run on the web server, use a custom website for Configuration Manager.

Configure request filtering for IIS on distribution points if required

1.     On the distribution point computer, open the applicationHost.config file located in the %Windir%\System32\Inetsrv\Config\ directory

2.     Search for the <requestFiltering> section

3.     Determine the file name extensions and folder names that will be in the packages on this distribution point. For each extension and folder name required, perform the following steps

·         If it is listed as a fileExtension element, set the value for allowed to true

For example, if content contains a file with an .mdb extension, change the line <add fileExtension=".mdb" allowed="false" /> to <add fileExtension=".mdb" allowed="true" />

Note: Allow only the file name extensions required for content

·         If it is listed as a <hiddenSegments> element, delete the entry that matches the file name extension or folder name from the file

For example, if content contains a folder with the label of bin, remove the line <add segment="bin" /> from the file

4.     Save and close the applicationHost.config file to complete the configuration

Allow Double Escaping if Required

1.     Launch Internet Information Services (IIS) Manager and navigate to Default Web Site

2.     In the middle section, scroll down to the Management section and double-click Configuration Editor

3.     In the Section drop down list select system.webServer/security/requestFiltering and change allowDoubleEscaping to True

4.     In the Actions pane click Apply then close IIS
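Because these changes apply to every website on the server and the note above says to allow only what the content requires, it helps to compare the edited requestFiltering section against a copy taken before the change. The following check is an added example, not part of the original post: the two XML fragments are constructed, and the function names and the approved list are assumptions chosen for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed fragments (not from a real server): the section before the
# edits above and after them, plus one unplanned change (.config allowed).
BASELINE = """<requestFiltering>
  <fileExtensions allowUnlisted="true">
    <add fileExtension=".mdb" allowed="false" />
    <add fileExtension=".config" allowed="false" />
  </fileExtensions>
  <hiddenSegments>
    <add segment="bin" />
    <add segment="App_Data" />
  </hiddenSegments>
</requestFiltering>"""
CURRENT = """<requestFiltering allowDoubleEscaping="true">
  <fileExtensions allowUnlisted="true">
    <add fileExtension=".mdb" allowed="true" />
    <add fileExtension=".config" allowed="true" />
  </fileExtensions>
  <hiddenSegments>
    <add segment="App_Data" />
  </hiddenSegments>
</requestFiltering>"""

def _state(xml_text):
    """Return (blocked extensions, hidden segments, allowDoubleEscaping)."""
    root = ET.fromstring(xml_text)
    # Accept the bare section or a whole file (first section found only).
    rf = root if root.tag == "requestFiltering" else root.find(".//requestFiltering")
    blocked = {e.get("fileExtension", "").lower()
               for e in rf.iterfind("fileExtensions/add")
               if e.get("allowed", "true").lower() == "false"}
    hidden = {s.get("segment", "").lower() for s in rf.iterfind("hiddenSegments/add")}
    double = rf.get("allowDoubleEscaping", "false").lower() == "true"
    return blocked, hidden, double

def relaxations(baseline_xml, current_xml):
    """Every filter that was enforced in the baseline but is not any more."""
    b_ext, b_seg, b_dbl = _state(baseline_xml)
    c_ext, c_seg, c_dbl = _state(current_xml)
    found = {("fileExtension", e) for e in b_ext - c_ext}
    found |= {("hiddenSegment", s) for s in b_seg - c_seg}
    if c_dbl and not b_dbl:
        found.add(("allowDoubleEscaping", "true"))
    return found

def unapproved(baseline_xml, current_xml, approved):
    """Relaxations not in the approved set (lowercase (kind, value) pairs)."""
    return sorted(relaxations(baseline_xml, current_xml) - set(approved))
```

With `approved` set to the .mdb extension and the bin segment from the examples above, the constructed data reports the .config extension and allowDoubleEscaping as changes nobody signed off on. Per-site overrides in `<location>` elements are not examined.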

 

