I received an email from a colleague asking if it was possible to restrict access to the View Admin console (https://<viewserver>/admin) to specific IP addresses. It was not something I’d come across, but it was an interesting requirement. I knew that it runs on Tomcat, so after a quick bit of searching I found the answer.
First we need the web.xml file for the admin console, which by default is located at:
C:\Program Files\VMware\VMware View\Server\broker\webapps\admin\WEB-INF\web.xml
Now we need to insert the filter for the IP addresses. I inserted it at the end of the existing filters, which was just above the <!-- MessageBroker Servlet --> line.
<filter>
    <filter-name>Remote Address Filter</filter-name>
    <filter-class>org.apache.catalina.filters.RemoteAddrFilter</filter-class>
    <init-param>
        <param-name>allow</param-name>
        <param-value>10\.0\.0\.21</param-value>
    </init-param>
</filter>
<filter-mapping>
    <filter-name>Remote Address Filter</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>
The <param-value>10\.0\.0\.21</param-value> element is where we define the allowed addresses. The value is a regular expression (hence the escaped dots), so we can include multiple addresses or wildcards, for example <param-value>10\.0\.0\.21|10\.0\.0\.22</param-value>
In the above example not even localhost would be able to access the admin console. More details, for people far more experienced with Tomcat than myself, can be found here:
http://tomcat.apache.org/tomcat-6.0-doc/config/valve.html#Remote_Address_Filter
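A pre-deployment check for the allow value, as an added example that is not part of the original post or of VMware's or Tomcat's code: it reads the filter block out of a web.xml and reports which client addresses the pattern would admit, so a typo does not lock every administrator out. Assumptions: the filter requires the whole address to match the pattern, Python's re stands in for Java's regex engine (they agree for simple patterns like these), and the function names and test addresses are made up for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample: the filter block from this post inside a minimal <web-app>.
WEB_XML = r"""<web-app>
  <filter>
    <filter-name>Remote Address Filter</filter-name>
    <filter-class>org.apache.catalina.filters.RemoteAddrFilter</filter-class>
    <init-param>
      <param-name>allow</param-name>
      <param-value>10\.0\.0\.21|10\.0\.0\.22</param-value>
    </init-param>
  </filter>
</web-app>"""
FILTER_CLASS = "org.apache.catalina.filters.RemoteAddrFilter"


def allow_pattern(web_xml):
    """Return the 'allow' value of the RemoteAddrFilter, or None if absent."""
    root = ET.fromstring(web_xml)
    for el in root.iter():  # drop any XML namespace so plain tag names match
        el.tag = el.tag.rsplit("}", 1)[-1]
    for flt in root.iter("filter"):
        if flt.findtext("filter-class", "").strip() != FILTER_CLASS:
            continue
        for param in flt.iter("init-param"):
            if param.findtext("param-name", "").strip() == "allow":
                return param.findtext("param-value", "").strip()
    return None


def check_clients(web_xml, clients):
    """Map each client address to True (admitted) or False (rejected)."""
    pattern = allow_pattern(web_xml)
    if pattern is None:
        raise ValueError("no RemoteAddrFilter allow pattern found")
    regex = re.compile(pattern)
    # Assumption: the whole address must match, so fullmatch rather than search.
    return {ip: regex.fullmatch(ip) is not None for ip in clients}


if __name__ == "__main__":
    sample = ["10.0.0.21", "10.0.0.22", "10.0.0.210", "127.0.0.1", "0:0:0:0:0:0:0:1"]
    for ip, ok in check_clients(WEB_XML, sample).items():
        print(f"{ip:18} {'allow' if ok else 'deny'}")
```

Run it against a copy of the edited web.xml with the addresses your administrators actually connect from before putting the file in place.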
Again this is unsupported, but that’s never stopped people in the past!