Harden on-premises XenMobile appliance(s)

Published by Jeroen Tielen on

The Citrix XenMobile (Citrix Endpoint Management) on-premises appliance ships with no TLS hardening by default. This means that running SSL Labs against the MDM ssl_bridge gives you the following score:

As you can see, not the best setup 😉 I noticed that a lot of on-premises XenMobile environments aren't hardened, so here is a simple guide to fix this.

Launch an ssh session (or console via the hypervisor) to the first XenMobile appliance and log in.

Go to: 2. System -> 12. Advanced Settings -> 2. Custom Ciphers.

Here you see, in yellow, the ciphers that are enabled by default. Change them to: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384

Don't restart the system yet. Go to menu option: 3. SSL protocols.

Here you will see that TLS 1.0, 1.1 and 1.2 are enabled by default. Change this to: TLSv1.2

Restart the box and do the same on the second node of the Hazelcast cluster.

Run SSL Labs again and the result will be:

Don't forget to harden the gateway separately.

Here are the original ciphers and protocols so you can copy/paste them if you need to revert:

Original Ciphers: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA

Original Protocols: TLSv1.2,TLSv1.1,TLSv1
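The following is an added example, not code from the original post or from Citrix: a small Python policy check that parses the cipher and protocol strings exactly as they are typed into the XenMobile menu, explains why each default suite is dropped (static ECDH key exchange means no forward secrecy, CBC mode means no AEAD, plain SHA means HMAC-SHA1, TLS 1.0/1.1 are deprecated), and prints the `openssl s_client` commands you can run from a workstation after the restart to confirm that only TLS 1.2 is still accepted. The host name `xenmobile.example.internal` is a placeholder.

```python
"""Audit XenMobile cipher/protocol strings and emit verification commands.

Added example (not the post's or Citrix's code). Suite names are the IANA-style
names shown in the XenMobile 'Custom Ciphers' menu.
"""
import re

# Lists copied from the post: the appliance defaults and the hardened values.
ORIGINAL_CIPHERS = (
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256,"
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384,"
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,"
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA"
)
HARDENED_CIPHERS = "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"
ORIGINAL_PROTOCOLS = "TLSv1.2,TLSv1.1,TLSv1"
HARDENED_PROTOCOLS = "TLSv1.2"

# Protocol versions that SSL Labs and current guidance treat as obsolete.
DEPRECATED_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}

# IANA-style suite name: TLS_<key exchange>_WITH_<cipher>_<MAC or PRF hash>
SUITE_RE = re.compile(r"^TLS_(?P<kx>.+?)_WITH_(?P<cipher>.+)_(?P<mac>SHA\d*|MD5)$")


def classify(suite):
    """Return the weaknesses of one cipher suite (empty list means acceptable)."""
    m = SUITE_RE.match(suite.strip())
    if not m:
        return ["unrecognised suite name"]
    kx, cipher, mac = m.group("kx"), m.group("cipher"), m.group("mac")
    issues = []
    # Ephemeral (EC)DH gives forward secrecy; static ECDH/RSA key exchange does not.
    if not kx.startswith(("ECDHE", "DHE")):
        issues.append("no forward secrecy (static key exchange %s)" % kx)
    # AEAD modes (GCM/CCM/ChaCha20-Poly1305) avoid the CBC padding-oracle bug class.
    if not any(tag in cipher for tag in ("GCM", "CCM", "CHACHA20")):
        issues.append("not AEAD (%s)" % cipher)
    # A bare "SHA" suffix means HMAC-SHA1; MD5 is worse still.
    if mac in ("SHA", "MD5"):
        issues.append("legacy MAC (%s)" % mac)
    return issues


def audit(cipher_list, protocol_list):
    """Audit comma-separated cipher and protocol strings as typed into the menu."""
    ciphers = {c: classify(c) for c in cipher_list.split(",") if c}
    protocols = {p: (p in DEPRECATED_PROTOCOLS) for p in protocol_list.split(",") if p}
    weak_ciphers = [c for c, issues in ciphers.items() if issues]
    deprecated = [p for p, bad in protocols.items() if bad]
    return {
        "weak_ciphers": weak_ciphers,
        "issues": {c: ciphers[c] for c in weak_ciphers},
        "deprecated_protocols": deprecated,
        "ok": not weak_ciphers and not deprecated,
    }


def verify_commands(host, port=443):
    """openssl s_client invocations to confirm the change after the restart.

    Against the hardened appliance the TLS 1.0 and 1.1 handshakes should fail and
    only TLS 1.2 should succeed. The host name is a placeholder you replace.
    """
    base = "openssl s_client -connect %s:%d" % (host, port)
    return [
        ("TLSv1", base + " -tls1 </dev/null", "handshake fails"),
        ("TLSv1.1", base + " -tls1_1 </dev/null", "handshake fails"),
        ("TLSv1.2", base + " -tls1_2 </dev/null", "an ECDHE-RSA-AES*-GCM-* suite is negotiated"),
    ]


if __name__ == "__main__":
    for label, c, p in (("defaults", ORIGINAL_CIPHERS, ORIGINAL_PROTOCOLS),
                        ("hardened", HARDENED_CIPHERS, HARDENED_PROTOCOLS)):
        r = audit(c, p)
        print("%s: ok=%s" % (label, r["ok"]))
        for suite, issues in r["issues"].items():
            print("  %s: %s" % (suite, "; ".join(issues)))
        for proto in r["deprecated_protocols"]:
            print("  %s: deprecated protocol" % proto)
    for proto, cmd, expect in verify_commands("xenmobile.example.internal"):
        print("%-8s %s  # expect: %s" % (proto, cmd, expect))
```

Running the script reports five of the seven default suites as weak (the two ECDHE GCM suites the post keeps are clean) and flags TLSv1.1 and TLSv1, while the hardened lists pass. The `-tls1`, `-tls1_1` and `-tls1_2` flags pin `openssl s_client` to a single protocol version, so a refused handshake on the first two is the result you want to see.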

