Unchecking "Allow unlisted file name extensions" causes IAAS service registration failures
Request filters restrict the types of HTTP requests that IIS processes. By blocking specific HTTP requests, request filters help prevent potentially harmful requests from reaching the server. The request filter module scans incoming requests and rejects request that is unwanted based upon the rules that you set up
For example, if you set the allowUnlisted attribute to false, all requests for files with extensions that are not contained in the list of allowed extensions will be denied.
When request filtering blocks an HTTP request because of a denied file name extension, IIS will return an HTTP 404 error to the client and log the following HTTP status with a unique sub status that identifies the reason that the request was denied
When request filtering is enabled
Infrastructure as a Service component of vRealize Automation 7.x needs this option to be checked or enabled.
IaaS uses .jar , .dll , .aspx .config .workflow and many more file extensions which ensures it's IIS functionality is intact and it serves it's application pools as expected.
By no means, this setting has to be disabled. The moment you disallow unlisted file name extensions your Manager Service would go down as the extensions needed to run your application are not whitelisted and would be blocked.
[UTC:2020-05-21 10:22:41 Local:2020-05-21 10:22:41] [Error]: [sub-thread-Id="100" context="" token=""] <?xml version="1.0" encoding="utf-16"?><boolean>false</boolean>CollectedDataImportService: Ignoring exception: System.Data.Services.Client.DataServiceQueryException: An error occurred while processing this request. ---> System.Data.Services.Client.DataServiceClientException: <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>IIS 10.0 Detailed Error - 404.7 - Not Found</title> * * * </head> <body> <div id="content"> <div class="content-container"> <h3>HTTP Error 404.7 - Not Found</h3> <h4>The request filtering module is configured to deny the file extension.</h4></div> <div class="content-container"> <fieldset><h4>Most likely causes:</h4> <ul> <li>Request filtering is configured for the Web server and the file extension for this request is explicitly denied.</li> </ul> </fieldset> </div> <div class="content-container"> <fieldset><h4>Things you can try:</h4> <ul> <li>Verify the configuration/system.webServer/security/requestFiltering/fileExtensions settings in applicationhost.config and web.config.</li> </ul> </fieldset> </div>
The moment you re-enable "Allow Unlisted File Name Extensions" your Manager Service would automatically start functioning
[UTC:2020-05-21 10:22:41 Local:2020-05-21 10:22:41] [Error]: [sub-thread-Id="100" context="" token=""] Error occurred writing to the repository tracking logSystem.Net.WebException: The remote server returned an error: (404) Not Found. at System.Data.Services.Client.BatchSaveResult.BatchRequest()at System.Data.Services.Client.DataServiceContext.SaveChanges(SaveChangesOptions options)at DynamicOps.Repository.RepositoryServiceContext.SaveChanges(SaveChangesOptions options) [UTC:2020-05-21 10:22:42 Local:2020-05-21 10:22:42] [Info]: [sub-thread-Id="7" context="" token=""] Processing ping report, report queue depth is 0 [UTC:2020-05-21 10:23:12 Local:2020-05-21 10:23:12] [Info]: [sub-thread-Id="7" context="" token=""] Processing ping report, report queue depth is 0 [UTC:2020-05-21 10:23:18 Local:2020-05-21 10:23:18] [Debug]: [sub-thread-Id="49" context="" token=""] DC: Created data collection item, WorkitemID 89c645a6-21c1-4086-857b-466d74fc32af, Task state, Agent premvc.prem.com, Entity primary, StatusID = f95f216b-ca19-41ef-9565-60326cdc94cd
VMware's IIS hardening recommendation states that one has to go contact Microsoft
for vendor's hardening guidelines
VMware does not provide a list of extensions that have to be whitelisted. This is how it is from vCAC 4.x days.
So if your hardening your IAAS system ensure you do not deselect "Allow unlisted file name extensions" and get into a problem
!!! I hope this helps !!!