Advertisements

How to block external access to the XenMobile Self Help Portal and NetScaler Gateway Page

XenMobile 10 is mostly configured with the Citrix NetScaler to load balance Mobile Device Management (MDM) traffic to the XenMobile Servers (XMS), as well as to host the micro VPN connectivity utilizing the NetScaler Gateway.  One of the features that is enabled by default is the Self-Help Portal which is typically utilized to  allow users to manage their own devices.

While this is helpful and usually cuts down on the administrative overhead, it does not however allow for second factor authentication and also exposes single factor LDAP logins externally though the MDM LoadBalancer VIP on 443.  From a security perspective this raises a red flag and can be a challenge to fix.

The first part to remedy this is to leverage NetScaler responder policies to block specific portions of the MDM sites when traffic is coming from the outside, however still allow internal access to the sites based on specific LAN subnets defined.

The second part is to hide the NetScaler Gateway Page, which by default will simply display your traditional NetScaler Gateway authentication with user name and LDAP password.   You can use another responder policy that will respond with a blank HTML page, yet still allow the devices to VPN and enroll.

Blocking External Sites:

Create a new SSL offload MDM VIP.  By default, the NetScaler Wizard creates an SSL Bridge where responder policies cannot be applied 😦

Follow this article from Citrix (CTX218327) on how to apply the XenMobile MDM SSL Offload Configuration.

Once your configuration on the XMS and NetScaler MDM VIP is set to SSL Offload, we need to create a responder policy and apply it to the new MDM SSL 443 offload VIP just created.

XenMobile SSL Offload VIPs

add policy patset XMS_UrlSet

bind policy patset XMS_UrlSet “/zdm/shp/console” -index 6
bind policy patset XMS_UrlSet “/zdm/login_xdm_uc.jsp” -index 5
bind policy patset XMS_UrlSet “/zdm/helper.jsp” -index 4
bind policy patset XMS_UrlSet “/zdm/log.jsp” -index 3
bind policy patset XMS_UrlSet “/zdm/login.jsp” -index 2
bind policy patset XMS_UrlSet “/zdm/console” -index 1

add responder policy resp_xms_admin_shp_drop_pol “CLIENT.IP.SRC.IN_SUBNET(10.10.1.0/24).NOT && CLIENT.IP.SRC.IN_SUBNET(172.10.1.0/24).NOT && HTTP.REQ.URL.STARTSWITH_ANY(\”XMS_UrlSet\”)” DROP -comment “Created by Daniel Ruiz”

bind lb vserver _XM_LB_MDM_XenMobileMDM_443 -policyName resp_xms_admin_shp_drop_pol -priority 100 -gotoPriorityExpression END -type REQUEST
bind lb vserver _XM_LB_MDM_XenMobileMDM_8443 -policyName resp_xms_admin_shp_drop_pol -priority 100 -gotoPriorityExpression END -type REQUEST

In the syntax above, I am specifying 2 subnets (10.10.1.0/24 and 172.10.1.0/24), if the traffic does not originate from both subnets, the traffic will simply be dropped.

Once the responder is set, you simply bind it to the 2 new MDM SSL Offload VIPs for 443 and 8443

Hiding the XenMobile NetScaler Gateway Site:

A responder action needs to be set in order to respond with an HTML page, which in this case it simply presents a blank page when connecting to the NetScaler Gateway

The responder policy below will be binded to the action and its looking for the /vpn/index.html page of the XenMobile NetScaler Gateway

add responder action block_MAM_nsgtw_action respondwithhtmlpage block_mam_nsgtw -comment “Block XenMobile NetScaler Gateway Page – Daniel Ruiz”

add responder policy block_MAM_nsgtw_pol “HTTP.REQ.URL.EQ(\”/vpn/index.html\”)&& HTTP.REQ.HEADER(\”User-Agent\”).CONTAINS(\”Mozilla\”)” block_MAM_nsgtw_action -comment “Block XenMobile NetScaler Gateway – Daniel Ruiz”

bind vpn vserver _XM_XenMobileGateway -policy block_MAM_nsgtw_pol -priority 100 -gotoPriorityExpression END -type REQUEST

 

Below is a screenshot of the end result.  When accessing the XenMobile Page, the HTML content of the responder action will be displayed.

XenMobile NetScaler Blank Page

XenMobile Responder Action

XenMobile NetScaler Gateway Responder HTML Page

XenMobile Responder PolicyHope this helps 🙂

Disclaimer:

I do not accept any responsibility or liability for the accuracy, content, completeness, legality, or reliability of the information contained on this website.

Advertisements

About CyberRuiz
Highly motivated with over 12 years experience on Citrix/VMWare/Microsoft/technologies. Exceptional communication skills and team player. CCIA – Citrix Certified Integration Architect. CCEA – Citrix Certified Enterprise Administrator. VCP – VMWare Certified Professional in ESX 2.x, VI3, VI4 MCSE – Microsoft Certified Systems Engineer

6 Responses to How to block external access to the XenMobile Self Help Portal and NetScaler Gateway Page

  1. Javier Pena says:

    Glad you are back! We been trying to do this months! Thank you for the post Daniel

  2. Xavi IT Guy says:

    Daniel we been pulling our hair over this. Thank you for posting. It works like a charm!

  3. IT Girl says:

    Hi Daniel. Glad to see you back and blogging. You really impress me with your skills. This worked very well. By the way you are CUTE!

  4. Mike says:

    Thank you for the post. We been waiting on a solution on this for some time. Why doesn’t Citrix provide this functionality out of the box?! Wait it is Citrix, that is why!

  5. Brayson says:

    Daniel does this work with the latest XenMobile release of 10.8.20?

    • CyberRuiz says:

      Brayson thanks for commenting on my blog.
      The SSL offloading part is primarily done on the NetScaler where the responder policies take place.

      The only XMS server change is to modify the firewall inside the XMS configuration and enable port 80.

      This way you can configure the SSL offload on the NetScaler VIPS and route traffic internally to the XMS servers via port 80.

      Daniel

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: