I'm looking to restrict access by IP address to the EPiServer edit / admin suite. We have a load-balanced environment with 4 front-end web servers. I've seen quite a few posts on this subject but everything we've tried doesn't seem to work. Is there a definitive way of restricting access to all EPiServer tools including /secure/, /utils/ etc.?
What we have done for a few clients (and I know it is a common way to solve this) is to have one publishing server and 3 public servers. On the publishing server you restrict all traffic so only editors from your IP range can access the server. On the public server you remove the edit capabilities (just remove the roles from the web.config or you can also delete login.aspx, util files etc.). And if you want to make it a little more secure you can also stick a firewall between the publishing and public servers, just remember to test cache invalidation.
-Alexander Haneng, Making Waves
We have solved it with the help of our hardware load balancer (we had NetScaler before and now we use Cisco ACE); there we put access rules where /ui/edit/* and /ui/admin/* are prohibited from "external IP" addresses.
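
The access rule described in the replies above, as an added example that is not part of the original thread: a Python check that decides allow or deny for a client IP and request path, normalising the path first so the rule matches what IIS will actually serve. The network ranges and sample requests are constructed, and the function names are hypothetical.

```python
import ipaddress
import posixpath
from urllib.parse import unquote

# Paths as named in the thread; use the site's configured UI paths.
PROTECTED_PREFIXES = ("/ui/edit/", "/ui/admin/", "/secure/", "/utils/")
# Constructed sample ranges standing in for the editors' networks (assumption).
INTERNAL_NETWORKS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.0.2.0/24")]


def normalise(path: str) -> str:
    """Reduce a request path to one canonical form for prefix matching."""
    path = unquote(path.split("?", 1)[0])       # drop the query, decode %xx once
    path = path.replace("\\", "/").lower()      # IIS treats paths case-insensitively
    path = posixpath.normpath("/" + path.lstrip("/"))  # collapse //, /./ and /../
    return path if path.endswith("/") else path + "/"


def is_allowed(client_ip: str, path: str) -> bool:
    """Allow public paths for everyone, protected paths for internal IPs only."""
    if not normalise(path).startswith(PROTECTED_PREFIXES):
        return True
    try:
        addr = ipaddress.ip_address(client_ip)
    except ValueError:
        return False                            # unparseable source address: deny
    return any(addr in net for net in INTERNAL_NETWORKS)


# Constructed sample requests: (client IP, requested path).
SAMPLE_REQUESTS = [
    ("203.0.113.7", "/ui/admin/default.aspx"),
    ("10.1.2.3", "/ui/admin/default.aspx"),
    ("203.0.113.7", "/UI/Edit/"),
    ("203.0.113.7", "/ui//edit/%2e/default.aspx"),
    ("203.0.113.7", "/secure/?x=1"),
    ("203.0.113.7", "/news/2010/"),
]


def audit(requests=SAMPLE_REQUESTS):
    """Return (ip, path, allowed) for each request so a rule set can be reviewed."""
    return [(ip, path, is_allowed(ip, path)) for ip, path in requests]


if __name__ == "__main__":
    for ip, path, ok in audit():
        print(f"{'ALLOW' if ok else 'DENY':5} {ip:15} {path}")
```

Behind a load balancer the web servers may see the balancer's address rather than the client's, so run the check where the real client address is available.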