IP Filtering - Admin UI
The IP Filtering - Admin UI feature adds an extra layer of protection by controlling which network addresses are permitted to access UDMG Admin UI.
With this feature, administrators can define allowlists and blocklists of IPv4 or IPv6 addresses (including CIDR ranges) to restrict access to trusted networks and prevent connections from unauthorized or potentially risky locations.
Unlike User or protocol-level authentication, which occur after a session is established, IP filtering is applied earlier in the connection flow, at the TCP socket level. This means that connections from disallowed IPs are terminated immediately, before any protocol handshake or authentication occurs.
By enforcing IP-based access controls, you can:
- Limit access to UDMG Admin UI from trusted networks or VPN ranges.
- Block connection attempts from untrusted public networks.
- Strengthen the security perimeter of the UDMG Admin UI.
Before You Begin
IP Address Rules
IP Filtering works by adding individual IP Address Rules, which specify an IP Address or Range and an Action that controls access:
- The IP Address or Range can be a single IPv4 or IPv6 address, or a canonical CIDR range.
- The Action determines the outcome:
  - Allow: permits connections from the source.
  - Block: denies connections from the source.
Rule Evaluation and Zero-Trust Model
IP Filtering - Admin UI follows a strict zero-trust approach: any IP address or range must be explicitly allowed; otherwise, it is denied.
Rules are evaluated in the following order:
- Block rules are evaluated first. If the source IP matches a block rule, the connection is immediately rejected.
- If no block rule applies, allow rules are evaluated. The connection is permitted only if the source IP matches an allow rule.
- If there are no matching allow rules, the connection is denied by default.
Because of this evaluation order, block rules always override overlapping allow rules.
IP Filtering Common Scenarios
| Intended Result | Configuration Approach |
|---|---|
| Deny a specific IP or range | Add a block IP Address Rule for the unwanted IP or range, combined with an allow rule that covers all addresses (0.0.0.0/0 for IPv4 or ::/0 for IPv6). |
| Allow only a specific IP or range | Add an allow IP Address Rule for the desired IP or range. All other sources will be denied by default. |
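The evaluation order and the two scenarios above can be modelled offline to sanity-check a planned rule set. This is an added example, not UDMG code: the function names, the lowercase action strings, the sample addresses, and the treatment of a bare address as a /32 or /128 network are assumptions.

```python
import ipaddress

def parse_rule(action, source):
    """Build one (action, network) rule from an Action and an IP Address or Range."""
    if action not in ("allow", "block"):
        raise ValueError(f"unknown action: {action!r}")
    # strict=True rejects non-canonical CIDR (host bits set), e.g. 10.20.30.4/16.
    # A bare address becomes a /32 or /128 network (assumption of this sketch).
    return action, ipaddress.ip_network(source, strict=True)

def evaluate(rules, source_ip):
    """Return 'allow' or 'deny' for source_ip: block first, then allow, else deny."""
    ip = ipaddress.ip_address(source_ip)
    if any(act == "block" and ip in net for act, net in rules):
        return "deny"      # a block match always wins over an overlapping allow
    if any(act == "allow" and ip in net for act, net in rules):
        return "allow"
    return "deny"          # nothing matched: denied by default

# Constructed rule sets using documentation and private address ranges.
DENY_ONE_RANGE = [         # scenario: "Deny a specific IP or range"
    parse_rule("block", "203.0.113.0/24"),
    parse_rule("allow", "0.0.0.0/0"),
    parse_rule("allow", "::/0"),
]
ALLOW_ONE_RANGE = [        # scenario: "Allow only a specific IP or range"
    parse_rule("allow", "10.20.0.0/16"),
]
# A block rule nested inside a wider allow rule.
OVERLAP = ALLOW_ONE_RANGE + [parse_rule("block", "10.20.30.0/24")]

if __name__ == "__main__":
    cases = [
        ("deny one range", DENY_ONE_RANGE, "203.0.113.7"),
        ("deny one range", DENY_ONE_RANGE, "198.51.100.20"),
        ("allow one range", ALLOW_ONE_RANGE, "10.20.5.9"),
        ("allow one range", ALLOW_ONE_RANGE, "198.51.100.20"),
        ("overlap", OVERLAP, "10.20.30.4"),
    ]
    for name, rules, ip in cases:
        print(f"{name:16} {ip:16} -> {evaluate(rules, ip)}")
```

Running a planned rule set against your own administrative source addresses in a model like this shows whether saving it would deny them.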
Lockout Recovery
If you've locked yourself out of the UDMG Admin UI, you can temporarily disable IP Filtering by setting the security.ignoreSystemUserIPFilter HCL argument to true in the Configuration File and restarting UDMG Server. While the argument is true, connections that would otherwise be blocked are allowed and logged as warnings.
security {
  // Temporary lockout-recovery setting; reset to false after fixing your IP Rules.
  ignoreSystemUserIPFilter = true
}
After changing the Configuration File, restart UDMG Server by running the following command on the Server's host:
sudo systemctl restart udmg-server
You can now access and sign in to the UDMG Admin UI to modify your IP Rules. After completing your changes, reset the variable to false to restore the standard access policy.
This HCL argument only disables the filtering feature; your IP Rules remain assigned and unchanged.
Adding an IP Address Rule
IP Filtering is enabled as soon as you add the first IP Rule. Because any IP not explicitly allowed is blocked, you can accidentally lock yourself out of the Admin UI. To avoid lockouts, add allow rules for your current admin IP, corporate/VPN ranges, and any bastion hosts before saving. If you are already locked out, see Lockout Recovery.
IP Filtering - Admin UI is configured through individual IP Address Rules. To add an IP Address Rule, follow these steps:
- From the Sidebar, click Global > Settings.
- Click the IP Filtering - Admin UI card.
- Click the Add IP Rule button.
- Fill out the fields for the new IP Address Rule settings using the Field Descriptions table as a guide.
- Click Save.
Only Users with the System Administrator role can configure IP Filtering for the Admin UI at the primary domain level. IP filtering cannot be configured in sub-domains for User access, but can be configured for Accounts access.
Field Descriptions
| Name | Description | Specifications | Required |
|---|---|---|---|
| Name | The name of the IP Address Rule. | | Yes |
| IP Address or Range | An IPv4 or IPv6 address to block or allow. CIDR ranges are supported, but only in canonical form (network base address required). | | Yes |
| Action | Select the action to apply to the specified IP Address or Range. Options: Allow, Block. | | Yes |
| Description | The description of the IP Address Rule. | | No |
Editing an IP Address Rule
- From the Sidebar, click Global > Settings.
- Click the IP Filtering - Admin UI card.
- Click the name of the IP Address Rule you want to edit.
- Fill out the fields for the IP Address Rule using the Field Descriptions table as a guide.
- Click Save.
Managing an IP Address Rule
Viewing IP Address Rule Details
To view the details of an IP Address Rule, follow these steps:
- From the Sidebar, click Global > Settings.
- Click the IP Filtering - Admin UI card.
- Click the name of the IP Address Rule you want to view.
IP Address Rule Metadata
IP Address Rule details include all parameters given in the Field Descriptions table above, plus the following read-only metadata:
| Name | Description |
|---|---|
| UUID | Universally Unique Identifier of this IP Address Rule. |
| Added By | The Username of the User that created this IP Address Rule. |
| Version | Version number of the latest configuration of the IP Address Rule. |
| Created | Date and time this IP Address Rule was created. |
| Updated | Date and time this IP Address Rule was last updated. |
Testing Specific IPs
To test a specific IP address to see if it is allowed or blocked by UDMG, follow these steps:
- From the Sidebar, click Global > Settings.
- Click the IP Filtering - Admin UI card.
- Click the Test IP button.
- Complete the IP Filter Test field with the IP you want to test.
- Click Continue.
Deleting an IP Address Rule
To delete an IP Address Rule, follow these steps:
- From the Sidebar, click Global > Settings.
- Click the IP Filtering - Admin UI card.
- Click the name of the IP Address Rule you want to delete.
- Click the Delete button above the IP Address Rule details.
- You will be asked to confirm the deletion. Click Delete.