Jabber Windows VDI via Expressway Auth Question

rchaseling
Level 4

Customer uses Jabber VDI on Citrix from in office and at home. They currently just use CUCM local passwords for authentication but need to move to LDAP and are concerned about brute force password attacks via Expressway. I know Expressway has its own inbuilt IPS which will blacklist IPs entering the wrong password a few times, but the customer is looking for a bit more without enabling SSO.

Basically, what the customer is looking for is to only allow Citrix MRA logins (e.g. only allow logins from their Citrix server IPs) and not logins from anywhere else, as all users have dedicated Thin Clients for Jabber. I don't see how this is possible so thought I'd just throw the question out here in case someone has had a similar request as

Thanks

2 Replies

Adam Pawlowski
VIP Alumni

You can modify the firewall rules on the Expressway E to only permit your management and client addresses. That's fairly straightforward, though ideally if this is internal to your network it's not in a place to be exposed from elsewhere. There's control in the UCM to allow MRA authentication, but it is not granular to location in any way.

Hi,

Thanks for the response. Yeah, I was looking at firewall rules, but I'm let down by my knowledge of how Jabber registers via Citrix/Expressway. My understanding was that the VDI client just offloads the audio to the local machine, but to do this it must log in and authenticate fully via Expressway, as you can see Jabber's registered IP in CUCM is Expressway C. Thus, adding firewall rules, we'd need to add in all the users' home public IPs, which defeats the purpose - unless, as was my original hope, we could block the login/signalling ports on E and only allow media ports, but it doesn't seem to work that way.