sign in

Exposing Microix Workflow Modules Modern Web Application to the WAN

Creation date: 2/18/2026 8:23 AM    Updated: 2/18/2026 9:12 AM   email approval firewall html approval network wan access
Print...

⚠️ Disclaimer

This document provides general technical recommendations only. Microix does not secure, manage, audit, or maintain customer infrastructure.

Customers are solely responsible for securing:

  • IIS Server
  • Windows Server Operating System
  • SQL Server
  • Firewall and reverse proxy configuration
  • Authentication systems
  • Patch management and compliance

Microix assumes no liability for security breaches, data loss, infrastructure misconfiguration, or improper exposure of services to the internet.

Customers should engage their internal IT department or a qualified network/security professional when exposing a web application to the WAN.

📘 Overview

Microix Workflow Modules is a stateful ASP.NET Core 10 Blazor Server application requiring:

  • Local SQL Server 2017 or higher access
  • IIS Application Pool using a domain service account (None Administrator)
  • Local storage for attachments using Application Pool account with read/write/change permissions
  • Secure access from LAN and WAN using the same URL

🔒 Required Configuration

HTTPS Enforcement

    • TLS 1.2 or higher
    • Valid public SSL certificate
    • Expose HTTPS (TCP 443) only
    • Disable HTTP (TCP 80) for WAN access (redirect optional if required)

SQL Server Protection

    • Never expose SQL Server externally
    • Restrict SQL access to the IIS server only
    • Use Windows Authentication (recommended)
    • Apply least privilege permissions to the domain service account
    • Do not grant sysadmin permissions to the application account

IIS Configuration

    • IIS Application Pool must run under a dedicated domain service account
    • Deny interactive logon for the service account
    • Apply least privilege to file system permissions on the web server
    • Keep Windows Server fully patched
    • Remove unused IIS modules and default IIS sites

File Share Protection (Attachments)

    • Grant explicit NTFS + share permissions to the application pool domain account
    • Avoid granting broad access to “Everyone”, “Domain Users”, or “Authenticated Users”
    • Restrict SMB access so only the IIS server can access the share
    • Ensure the file server is not exposed externally

DNS Configuration

Use Split DNS:

    • External DNS → Public IP
    • Internal DNS → Internal IP
    • Same FQDN used internally and externally

🛡 Recommended

  • Deploy a reverse proxy (or firewall publishing service) in a DMZ to expose the application externally while keeping the IIS application server internal and domain-joined
  • Enable a Web Application Firewall (WAF) or equivalent edge protections (rate limiting, bot filtering, geo/IP restrictions)
  • Require Multi-Factor Authentication (MFA) for all WAN users
  • Implement centralized logging and monitoring for IIS, reverse proxy/WAF, Windows Server, and SQL Server security events

🚫 Not Recommended

  • Do not expose SQL Server (TCP 1433) externally
  • Do not expose SMB/file shares (TCP 445) externally
  • Exposing RDP publicly
  • Anonymous public access without additional authentication controls

📌 Summary

To securely expose Microix Workflow Modules to the internet:

  • Use HTTPS only
  • Protect SQL Server
  • Secure IIS using least privilege principles
  • Use VPN or MFA for external access
  • Implement reverse proxy and firewall best practices

Infrastructure security remains the responsibility of the customer.

Get help for this page