Skip to content
Last update: 2022-06-30

Configure the Sophos Mobile web server

Sophos Mobile includes a web server component for providing the content of the Sophos Mobile Admin and Sophos Mobile Self Service Portal web applications. You can configure the web server to adjust it to your environment.

HTTP requests to a web server include a Host field in the request header, specifying the web application to process the request. An attacker can potentially manipulate the value of that Host field to provoke unintended behavior.

After installation, the web server component of Sophos Mobile doesn’t verify the value of the Host field. We recommend you configure the web server so that it only accepts requests directed to your domain name.

  1. On the computer on which you’ve installed the Sophos Mobile server, run the script %MDM_HOME%\tools\HostValidationUndertowFilter\addModule.bat

    Replace %MDM_HOME% by your Sophos Mobile installation folder.

  2. Open the file %MDM_HOME%\wildfly\standalone\configuration\smc-config.xml in a text editor and search for the following section:

        <filter name="hostheadervalidation" ...>
            <param name="allowedHosts" value="localhost"/>
  3. After localhost, add your domain name for Sophos Mobile Admin and for the Sophos Mobile Self Service Portal.

    For example if your domain name is, change the line as follows:

    <param name="allowedHosts" value="localhost,"/>

    If your Sophos Mobile server can be accessed under more than one domain name, enter all names separated by commas.

  4. Save the file smc-config.xml.

  5. Restart the Sophos Mobile service.
Back to top