App Control: What Items are Required to be Enabled for IIS?
search cancel

App Control: What Items are Required to be Enabled for IIS?

book

Article ID: 288948

calendar_today

Updated On:

Products

Carbon Black App Control (formerly Cb Protection)

Issue/Introduction

When configuring IIS for App Control server builds, what items within IIS need to be configured?

Environment

  • App Control Server (formerly CB Protection): All Supported Versions
  • Microsoft Windows Server: All Supported Versions

Resolution

The below are common requirements for configuring IIS to support an App Control Server:
  • Common HTTP Features:
    • Static Content
    • Default Document
    • HTTP Errors
    • HTTP Redirection
  • Application Development:
    • ASP.NET (version 4.5)
    • .NET Extensibility (version 4.5)
    • CGI
    • ISAPI Extensions
    • ISAPI Filters
  • Health & Diagnostics
    • HTTP Logging
    • Logging Tools
    • Request Monitor
    • Tracing
  • Security:
    • URL Authorization
    • Request Filtering
    • IP and Domain Restrictions
  • Performance: NONE
  • Management Tools:
    • IIS Management Console
    • IIS Management Scripts and Tools
    • Management Service
  • FTP Publishing Service: NONE

Additional Information

Beginning with v8.0.0, the console relies on the App Control API. An incorrectly configured IIS server can prevent console access, some of these errors manifest themselves as 500 errors, Access denied, and API call errors that appear as a red error message at the top of the page

To confirm API functionality, go to System Configuration > Advanced Options in your current console and check the “API Access Enabled” box. If a green dot appears next to the checkbox, then you can assume that IIS is configured correctly. Otherwise, make sure you meet the following restrictions:
  • Site Bindings:
App control API will not connect to localhost if the console web application is bound to a specific IP address instead of ‘*’. Make sure that ‘*’ is added to the list of bindings
  • IP Address and Domain Restrictions:
Limit console access to specific IP addresses, be sure that the IPv6 localhost address is added to the list
  • Application Pools:
App Control must be run within the DefaultAppPool application pool. Using a different app pool results in the App Control Server not having the appropriate credentials to access the SQL Server database
  • Authentication:
Must disable Basic Authentication and Windows Authentication so the App Control Server handles authentication. Otherwise, users will not be able to log into the server.