After installing and configuring the Citrix XenMobile MDM server you can log on to the console from anywhere, including any external address. In some cases this could lead to a security breach.
Unfortunately the XenMobile MDM console currently provides no option in the graphical interface to restrict access to the console. I can imagine that some companies only want console access from within the corporate network, so a filter on source IP address is very desirable.
The good news is that there is a way to configure such a filter: you only have to edit the auth.jsp file.
To do this, open the auth.jsp file located in “C:\Program Files (x86)\Citrix\XenMobile Device Manager\tomcat\webapps\zdm” and scroll all the way down.
By default it looks like this:
<%!
// /////////////////////////////////////////////////////////////////////////////////////////////////// //
// /////////////////////////////////////////////////////////////////////////////////////////////////// //
// //                                                                                                // //
// //     HERE YOUR CONFIGURATION                                                                    // //
// //                                                                                                // //
// /////////////////////////////////////////////////////////////////////////////////////////////////// //
// /////////////////////////////////////////////////////////////////////////////////////////////////// //
// This code will filter the ports and IP addresses allowed to access XenMobile Device Manager admin console
// Authorized IP addresses
//    private static final IAccessController accessController =
//        new ORController(
//            // connect to SHP console
//            new SHPConsoleController(),
//
//            // or:
//            //     port is 8443
//            //     and IP is: 127.0.0.1 or 168.159.0.0/255.255.0.0 or 17.0.0.0/255.0.0.0
//            new ANDController(
//                // connection must have this port
//                new PortController(8443),
//
//                // connection must come from one of these hosts (with mask)
//                new ORController(
//                    new IPController("127.0.0.1"),
//
//                    new MaskIPController("168.159.0.0", "255.255.0.0"),
//                    new MaskIPController("17.0.0.0",    "255.0.0.0")
//                )
//            )
//        );
private static final IAccessController accessController = new YesController("yes");
%>
Stop the XenMobile Device Manager services before editing this file. By default all connections to the console are allowed because the statement on the last row, new YesController("yes"), is active, so remove it.
In this example I will edit the file so that only connections from my internal network are allowed to log on to the XenMobile MDM console, while keeping the ability to enroll devices outside my network.
Change the IP address range used below (192.168.0.0 with mask 255.255.0.0) to the range that is applicable in your environment.
<%!
// /////////////////////////////////////////////////////////////////////////////////////////////////// //
// /////////////////////////////////////////////////////////////////////////////////////////////////// //
// //                                                                                                // //
// //     HERE YOUR CONFIGURATION                                                                    // //
// //                                                                                                // //
// /////////////////////////////////////////////////////////////////////////////////////////////////// //
// /////////////////////////////////////////////////////////////////////////////////////////////////// //
// This code will filter the ports and IP addresses allowed to access XenMobile Device Manager admin console
// Authorized IP addresses
private static final IAccessController accessController =
    new ORController(
        new ANDController(
            // connect to SHP console
            new SHPConsoleController(),
            // on any predefined SSL port
            new SecureController(),
            // coming from 192.168.0.0/16 (mask 255.255.0.0); use mask 255.255.255.0 to limit it to 192.168.0.0 - 192.168.0.255
            new MaskIPController("192.168.0.0", "255.255.0.0")
        ),
        new ANDController(
            // connect to the admin console
            new AdminConsoleController(),
            new ORController(
                // on port 80
                new PortController(80),
                // or port 443
                new PortController(443)
            ),
            new ORController(
                // from localhost
                new IPController("127.0.0.1"),
                // or from 192.168.0.0/16 (same mask note as above)
                new MaskIPController("192.168.0.0", "255.255.0.0")
            )
        )
    );
%>
After saving this file, start the XenMobile Device Manager services. With this configuration, access to the console is only possible from the internal network, but you can still enroll mobile devices outside the company network.
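To check what a controller tree like the one above actually admits before restarting the services, here is an added Python stand-in model of the AND/OR/Port/IP/MaskIP controllers (not Citrix's code; the SecureController is assumed to mean "port is one of the predefined SSL ports"). It also shows the difference between the 255.255.0.0 mask used above and a 255.255.255.0 mask.

```python
import ipaddress

# Constructed stand-in for the IAccessController classes in auth.jsp; not Citrix's code.
# A request is modelled as {"console": ..., "port": ..., "ip": ...}; each controller
# is a predicate that returns True (allow) or False (deny).

def AND(*ctls):
    return lambda req: all(c(req) for c in ctls)

def OR(*ctls):
    return lambda req: any(c(req) for c in ctls)

def console(name):                      # SHPConsoleController / AdminConsoleController
    return lambda req: req["console"] == name

def port(p):                            # PortController: exact port match
    return lambda req: req["port"] == p

def secure(ssl_ports=(443, 8443)):      # SecureController: assumed "any predefined SSL port"
    return lambda req: req["port"] in ssl_ports

def ip(addr):                           # IPController: exact source address match
    return lambda req: req["ip"] == addr

def mask_ip(net, mask):                 # MaskIPController: (src & mask) == (net & mask)
    network = ipaddress.IPv4Network(f"{net}/{mask}", strict=False)
    return lambda req: ipaddress.IPv4Address(req["ip"]) in network

def access_controller(lan_mask="255.255.0.0"):
    # Mirrors the tree from the edited auth.jsp; lan_mask defaults to the mask as written there.
    return OR(
        AND(console("shp"), secure(), mask_ip("192.168.0.0", lan_mask)),
        AND(console("admin"),
            OR(port(80), port(443)),
            OR(ip("127.0.0.1"), mask_ip("192.168.0.0", lan_mask))),
    )

def allowed(console_name, port_no, src_ip, lan_mask="255.255.0.0"):
    req = {"console": console_name, "port": port_no, "ip": src_ip}
    return access_controller(lan_mask)(req)

if __name__ == "__main__":
    for case in [("admin", 443, "192.168.0.10"), ("admin", 443, "203.0.113.5"),
                 ("admin", 443, "192.168.200.1"), ("shp", 80, "192.168.0.10")]:
        print(case, "/16:", allowed(*case), "/24:", allowed(*case, lan_mask="255.255.255.0"))
```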
Hi Robin,
This was quite useful and had a little more detail than the Citrix docs. Thought I’d share what we’ve done to secure the web services url externally. We are presenting internal and external traffic through different pairs of NetScalers which allows us to have this configuration only on the external NetScaler devices.
We’ve created a responder policy to drop traffic to /zdm/services similar to below.
add responder policy zdm_services_drop_rsp_policy "HTTP.REQ.URL.PATH.GET(2).CONTAINS(\"services\")"
Hi,
We are dealing with auth issues after implementing these instructions on XenMobile 9.
Is this article also compatible for Version 9.00?
Thanks,
Miki