Skip to main content

Restrict Access to KFS Admin Console to Internal Network

Article # 3034533 - Page views: 75


How to restrict access to the Kofax Front Office Server (KFS) Administration Console to only users that access it from the internal network.

How to block access to the Koafx Front Office Server (KFS) Administration Console from the external network when Thin Client, MFP, and Mobile connections can be accessed from the external network.


Hosting the Kofax Front Office Server in a way that makes it accessible to those outside of a corporate network exposes the Thin Client, Web Services, and Administration Console to connections from outside the network.



Microsoft offers an IIS extension called the URL Rewrite Module that allows the admin to block access to certain URLs when certain conditions are met.  A URL Rewrite Rule can block access to the KFS Administration Console from all access attempts except for those that access it from the internal network

To restrict access to the KFS Admin Console to internal network connections:

  1. Download the IIS URL Rewrite Module installer from the following website:
  2. On the KFS server, install the URL Rewrite Module by running the downloaded rewrite_amd64_en-US.msi
  3. Navigate to C:\inetpub\wwwroot
  4. Open web.config in a text editor such as Notepad
  5. Edit web.config so it looks like the following (replacing the pattern value IPADDRESS with the internal hostname or internal IP Address of the KFS server:
    <?xml version="1.0" encoding="UTF-8"?>
                    <rule name="BlockAdminAccessFromOutside">
                        <match url="Kofax/KFS/Admin" />
                            <add input="{HTTP_HOST}" pattern="IPADDRESS" negate="true" />
                        <action type="AbortRequest" />

  6. Save the changes to web.config
  7. Open the Internet Information Systems (IIS) Manager
  8. In the Connections pane, navigate to <Server> | Sites | Default Web Site
  9. Right-click Default Web Site and select Manage Website | Restart
  10. Attempt to access the KFS Administration Console using its public Fully Qualified Domain Name and confirm that the browser cannot connect
  11. From within the internal network, attempt to access the KFS Administration Console using the hostname or IP Address that was indicated in the web.config file.  Confirm that the browser can connect.

Level of Complexity 



Applies to  

Product Version Build Environment Hardware
Kofax Front Office Server 4.3


Article # 3034533
  • Was this article helpful?