XenMobile: Restrict access to MAM

If you have implemented XenMobile solutions, you have probably been asked, or asked yourself, how the MAM part can be restricted.

By default the MAM portal, for example https://mam.domain.com, can be reached from any browser.

This can be useful for checking the XenMobile configuration, as a 404 response is expected after successful authentication:

However, this page is publicly exposed to a range of possible attacks: XSS, SQL injection, brute forcing, etc.

Below are the steps to secure and restrict the MAM page:

  • Enable Responder feature on your NetScaler (under System / Settings / Configure Advanced Features)
  • Create a Responder HTML Page (under AppExpert / Responder / HTML Page Imports, click on Add). Provide a Name and select Import From: Text, click on Continue

  • Then paste in the HTML code you want to serve; here is an example

Click on Done

  • Create a Responder Action (under AppExpert / Responder / Actions, click on Add). Provide a Name, select Type Respond with HTML Page, select the HTML Page previously created and click on Create

  • Create a Responder Policy (under AppExpert / Responder / Policy, click on Add). Provide a Name for the Policy, select the Action previously created.

Under Expression, add the following:

HTTP.REQ.URL.EQ("/vpn/index.html") && HTTP.REQ.HEADER("User-Agent").CONTAINS("Mozilla")

Click on Create

  • Assign Responder Policy to the MAM NetScaler Gateway (under NetScaler Gateway / Virtual Servers, edit your XenMobile NetScaler Gateway)

  • Click on the + sign

  • Select Policy type Responder and click on Continue

  • Select the Policy previously created and click on Bind

  • Verify that the Responder Policy is bound and test
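For reference, here is the same configuration as NetScaler CLI commands (an added example, not part of the original article). The object names rs_act_mam_block, rs_pol_mam_block, mam_block_page and vs_mam_gateway and the file name mam_block.html are assumptions, the HTML file is assumed to have been copied to /var/tmp on the appliance beforehand, and the # lines are explanatory comments rather than CLI input.

```netscaler
# Step 1: import the block page that the Responder action will serve.
# "local:" reads the file from /var/tmp on the appliance (file name assumed).
import responder htmlpage local:mam_block.html mam_block_page

# Step 2: Responder action that answers with that page.
# Returning 403 instead of the default 200 makes the refusal explicit in logs and scanners.
add responder action rs_act_mam_block respondwithhtmlpage mam_block_page -responseStatusCode 403

# Step 3: Responder policy using the expression from the article.
# URL.EQ is an exact, case-sensitive match on the full request URL; the User-Agent
# test only distinguishes requests whose User-Agent advertises a browser.
add responder policy rs_pol_mam_block 'HTTP.REQ.URL.EQ("/vpn/index.html") && HTTP.REQ.HEADER("User-Agent").CONTAINS("Mozilla")' rs_act_mam_block

# Step 4: bind the policy to the MAM NetScaler Gateway virtual server (name assumed).
bind vpn vserver vs_mam_gateway -policy rs_pol_mam_block -priority 100 -gotoPriorityExpression END -type REQUEST

# Step 5: verify the binding, then watch the policy hit counter while testing from a browser.
show vpn vserver vs_mam_gateway
show responder policy rs_pol_mam_block

save ns config
```

Because the User-Agent header is chosen by the client, this hides the portal from ordinary browsers rather than acting as an access control; the Gateway's own authentication remains the real barrier.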

Now when a user tries to connect to https://mam.domain.com, they will see the following screen:

It is based on the HTML code I provided in this article, and it can be changed.