IP Filtering - Endpoints
The IP Filtering - Endpoints feature adds an extra layer of protection by controlling which network addresses are permitted to access UDMG Server Endpoints.
With this feature, administrators can define allowlists and blocklists of IPv4 or IPv6 addresses (including CIDR ranges) to restrict access to trusted networks and prevent connections from unauthorized or potentially risky locations.
Unlike Account or protocol-level authentication, which occurs after a session is established, IP filtering is applied earlier in the connection flow, at the TCP socket level. This means that connections from disallowed IPs are terminated immediately, before any protocol handshake or authentication occurs.
By enforcing IP-based access controls, you can:
- Limit access to UDMG Server Endpoints from trusted networks or VPN ranges.
- Block connection attempts from untrusted public networks.
- Strengthen the security perimeter of your file transfer services.
Before You Begin
IP Address Rules
IP Filtering works by adding individual IP Address Rules, which specify an IP Address or Range and an Action that controls access:
- The IP Address or Range can be a single IPv4 or IPv6 address, or a canonical CIDR range.
- The Action determines the outcome:
  - Allow: permits connections from the source.
  - Block: denies connections from the source.
Rule Evaluation and Zero-Trust Model
IP Filtering - Endpoints follows a strict zero-trust approach: any IP address or range must be explicitly allowed; otherwise, it is denied.
Rules are evaluated in the following order:
- Block rules are evaluated first. If the source IP matches a block rule, the connection is immediately rejected.
- If no block rule applies, allow rules are evaluated. The connection is permitted only if the source IP matches an allow rule.
- If there are no matching allow rules, the connection is denied by default.
Because of this evaluation order, block rules always override overlapping allow rules.
IP Filtering Common Scenarios
| Intended Result | Configuration Approach |
|---|---|
| Deny a specific IP or range | Add a block IP Address Rule for the unwanted IP or range, combined with an allow rule that covers all addresses (0.0.0.0/0 for IPv4 or ::/0 for IPv6). |
| Allow only a specific IP or range | Add an allow IP Address Rule for the desired IP or range. All other sources will be denied by default. |
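The evaluation order and the two scenarios above can be checked offline with a small model of the rules. This is an added example, not UDMG code: the function names `parse_rule` and `evaluate` are hypothetical, the rule sets are constructed from documentation and private address ranges, and Python's `strict=True` parsing stands in for the canonical-CIDR requirement.

```python
import ipaddress

def parse_rule(target, action):
    """Parse one rule. strict=True rejects CIDR ranges that are not in
    canonical form (host bits set), e.g. 10.20.5.1/24."""
    if action not in ("allow", "block"):
        raise ValueError(f"unknown action: {action!r}")
    return ipaddress.ip_network(target, strict=True), action

def evaluate(source_ip, rules):
    """Return (decision, reason) for source_ip using the documented order:
    block rules first, then allow rules, then default deny."""
    ip = ipaddress.ip_address(source_ip)

    def first_match(action):
        for net, rule_action in rules:
            if rule_action == action and net.version == ip.version and ip in net:
                return net
        return None

    blocked = first_match("block")
    if blocked is not None:
        return "deny", f"block rule {blocked}"
    allowed = first_match("allow")
    if allowed is not None:
        return "allow", f"allow rule {allowed}"
    return "deny", "no matching allow rule"

# Constructed sample rule sets (addresses from documentation/private ranges).
DENY_ONE = [parse_rule(*r) for r in [
    ("203.0.113.7", "block"), ("0.0.0.0/0", "allow"), ("::/0", "allow")]]
ALLOW_ONLY = [parse_rule("10.20.0.0/16", "allow")]
OVERLAP = [parse_rule("10.20.0.0/16", "allow"), parse_rule("10.20.5.0/24", "block")]
BLOCK_ALONE = [parse_rule("203.0.113.7", "block")]  # no allow rule at all

if __name__ == "__main__":
    for name, rules, ip in [
        ("deny-one", DENY_ONE, "203.0.113.7"),
        ("deny-one", DENY_ONE, "198.51.100.4"),
        ("allow-only", ALLOW_ONLY, "192.0.2.10"),
        ("overlap", OVERLAP, "10.20.5.9"),
        ("block-alone", BLOCK_ALONE, "198.51.100.4"),
    ]:
        print(name, ip, evaluate(ip, rules))
```

The `BLOCK_ALONE` case shows why the "deny a specific IP" scenario needs the accompanying allow-all rule: with only a block rule defined, every source falls through to the default deny.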
Integration with USP
When UDMG is deployed behind the UDMG Secure Proxy (USP), UDMG sees only the proxy's IP on incoming connections; the original client source IP is not available. As a result, Endpoint-level IP filters in UDMG cannot distinguish individual partner networks.
Therefore, IP Filtering - Endpoints is primarily effective when:
- UDMG is deployed without USP.
- Internal connections do not traverse USP.
When using USP, this is the recommended setup:
- In UDMG, add a single Allow rule for the USP host IP (or IPs) so the proxy can reach your Endpoints.
- Define all partner-facing allow and block rules in USP, where the true client IP is available.
- Continue using UDMG Endpoint IP filtering only for traffic that bypasses USP (for example, connections that originate and terminate within the same domain).
Adding an IP Address Rule
IP Filtering - Endpoints is configured through individual IP Address Rules. To add an IP Address Rule, follow these steps:
- From the Sidebar, click General > Domain.
- Click the IP Filtering - Endpoints card.
- Click the Add IP Rule button.
- Fill out the fields for the new IP Address Rule settings using the Field Descriptions table as a guide.
- Click Save.
Only Domain Admin and Pipeline Users can configure IP Filtering - Endpoints.
Field Descriptions
| Name | Description | Specifications | Required |
|---|---|---|---|
| Name | The name of the IP Address Rule. | | Yes |
| Description | The description of the IP Address Rule. | | No |
| IP Address or Range | An IPv4 or IPv6 address to block or allow. CIDR ranges are supported, but only in canonical form (network base address required). | | Yes |
| Action | Select the action to apply to the specified IP Address or Range. Options: Allow, Block. | | Yes |
Editing an IP Address Rule
- From the Sidebar, click General > Domain.
- Click the IP Filtering - Endpoints card.
- Click the name of the IP Address Rule you want to edit.
- Fill out the fields for the IP Address Rule using the Field Descriptions table as a guide.
- Click Save.
- Changes take effect immediately for new TCP connections; no server restart is required.
- Active sessions are not affected (rules do not apply retroactively).
- In HA clusters, updates propagate to all nodes shortly after you save; a brief delay is expected.
Managing an IP Address Rule
Viewing IP Address Rule Details
To view the details of an IP Address Rule, follow these steps:
- From the Sidebar, click General > Domain.
- Click the IP Filtering - Endpoints card.
- Click the name of the IP Address Rule you want to view.
IP Address Rule Metadata
IP Address Rule details include all parameters given in the Field Descriptions table above, plus the following read-only metadata:
| Name | Description |
|---|---|
| UUID | Universally Unique Identifier of this IP Address Rule. |
| Added By | The Username of the User that created this IP Address Rule. |
| Version | Version number of the latest configuration of the IP Address Rule. |
| Created | Date and time this IP Address Rule was created. |
| Updated | Date and time this IP Address Rule was last updated. |
Testing Specific IPs
To test a specific IP address to see if it is allowed or blocked by UDMG, follow these steps:
- From the Sidebar, click General > Domain.
- Click the IP Filtering - Endpoints card.
- Click the Test IP button.
- Complete the IP Filter Test field with the IP you want to test.
- Click Continue.
Deleting an IP Address Rule
To delete an IP Address Rule, follow these steps:
- From the Sidebar, click General > Domain.
- Click the IP Filtering - Endpoints card.
- Click the name of the IP Address Rule you want to delete.
- Click the Delete button above the IP Address Rule details.
- You will be asked to confirm the deletion. Click Delete.