Using ipSecurity to open /sitecore/admin pages


Sitecore best practice states that pages under /sitecore/admin should be disabled on content delivery instances. However, sometimes it is really important to have at least some of those pages available on CD (e.g. cache.aspx and stats.aspx).

That can be important and useful for quite a few reasons:

  • investigating performance problems
  • auditing the Sitecore setup
  • continuous monitoring
  • and so on...

Obviously, these pages should be exposed in a secured way. As an example, the IIS ipSecurity module can be used for that.

Step 1. Make sure ipSecurity is installed on Windows Server (install it if not)

Just follow the simple steps described in this article.

Step 2. Allow overriding ipSecurity configuration at site level

This is an optional step, which depends on your requirements. By default, ipSecurity is configured at application host level. However, in my case, it is better to have those site-specific settings stored in the web.config file in the Sitecore root.

To do this, open "%WINDIR%\system32\inetsrv\config\applicationHost.config" and change the following setting to "Allow":

Step 3. Whitelist IP addresses in Sitecore web.config file

Go to the web.config file and whitelist IP addresses as shown in the example below.
Make sure to add the property allowUnlisted="false", so that every address that is not explicitly listed is denied.

Step 4. Try it out

Restart IIS, log in to the backend and try to open any of the pages under /sitecore/admin.
The expected result when opening the website from a whitelisted IP address is success.
From an address that is not whitelisted, it is "403 - Forbidden" (this can be changed to another response code).
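
The settings from steps 2 and 3, as an added example rather than the configuration from the original post. The IP addresses are constructed values from documentation ranges, and scoping the rule to `sitecore/admin` with a `<location>` element is an assumption based on the goal stated in the title.

```xml
<!-- Step 2: %WINDIR%\system32\inetsrv\config\applicationHost.config
     (inside <configSections>). The section definition ships with
     overrideModeDefault="Deny"; "Allow" lets a site's web.config
     carry its own ipSecurity rules. -->
<sectionGroup name="system.webServer">
  <sectionGroup name="security">
    <section name="ipSecurity" overrideModeDefault="Allow" />
  </sectionGroup>
</sectionGroup>

<!-- Step 3: web.config in the Sitecore root.
     Assumption: the rule is scoped to /sitecore/admin with <location>,
     so the rest of the CD site stays reachable from any address. -->
<configuration>
  <location path="sitecore/admin">
    <system.webServer>
      <security>
        <!-- allowUnlisted="false": any address without an allow entry is denied.
             denyAction selects the response sent to denied clients
             (AbortRequest, Unauthorized, Forbidden or NotFound; IIS 8 and later). -->
        <ipSecurity allowUnlisted="false" denyAction="Forbidden">
          <!-- Constructed sample values: one host and one /24 network -->
          <add ipAddress="203.0.113.10" allowed="true" />
          <add ipAddress="198.51.100.0" subnetMask="255.255.255.0" allowed="true" />
        </ipSecurity>
      </security>
    </system.webServer>
  </location>
</configuration>
```

If the CD instance sits behind a load balancer or reverse proxy, IIS sees the proxy's address rather than the client's. The `enableProxyMode="true"` attribute on `ipSecurity` makes the module evaluate the `X-Forwarded-For` header instead, which is only trustworthy when the proxy overwrites that header on every request.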

What about Sitecore on Azure PaaS?

IP Security should work on Azure App Service, so there is no need to perform any extra steps to install it. You should be able to proceed from step #3 above.