Security - Allowed IP Addresses

Control access to ColdFusion Administrator by IP address

Overview

The Allowed IP Addresses security feature provides IP-based access control for the ColdFusion Administrator. By restricting which IP addresses can access the admin interface, you add an essential layer of defense against unauthorized access, even if credentials are compromised.

This feature supports both whitelisting (allow specific IPs) and blacklisting (deny specific IPs), with support for individual IP addresses, IP ranges, and CIDR notation.

IP Access Control Settings

Configure which IP addresses can access the ColdFusion Administrator interface.

Allowed IP Addresses (Whitelist)

Purpose: Specify IP addresses that are permitted to access the administrator
Default: Empty (all IPs allowed)
Recommendation (production): Whitelist only trusted IPs (office, VPN, admin workstations)
Format: Comma-separated list of IPs, ranges, or CIDR blocks
Examples: 192.168.1.100, 10.0.0.0-10.0.0.255, 172.16.0.0/16
Warning: Always include your current IP address before saving. If you lock yourself out, you'll need server console access to modify the configuration file directly.
Best Practices:
  • Always include localhost (127.0.0.1) for local administration
  • Use VPN endpoints rather than individual workstation IPs
  • Document which IPs belong to which users/locations
  • Review and update the list when staff changes occur
  • Test access from allowed IPs before removing broader access

Denied IP Addresses (Blacklist)

Purpose: Block specific IP addresses from accessing the administrator
Default: Empty (no IPs blocked)
Recommendation: Use for blocking known malicious IPs or failed login sources
Format: Same as whitelist: individual IPs, ranges, or CIDR notation
Use Cases:
  • Block IPs showing repeated failed login attempts
  • Block known malicious IP ranges from threat intelligence
  • Temporarily block during active security incidents
  • Block entire country IP ranges if no legitimate access expected

Priority and Evaluation Order

Order: Blacklist is evaluated first, then whitelist
Behavior: If an IP is on both lists, it will be denied (blacklist wins)
Understanding Access Logic:
  • No restrictions: All IPs allowed (default)
  • Whitelist only: Only listed IPs allowed, all others denied
  • Blacklist only: Listed IPs denied, all others allowed
  • Both lists: Blacklist checked first (deny wins), then whitelist

IP Address Format Examples

Supported formats for specifying IP addresses and ranges.

Single IP Address

Format
192.168.1.100
Use Case
Specific workstation or server

Most restrictive - only one specific IP address

IP Range

Format
10.0.0.1-10.0.0.50
Use Case
Continuous range of addresses

Allows all IPs from start to end of range

CIDR Notation

Format
172.16.0.0/16
Use Case
Entire subnet or network

Most flexible - allows all IPs in the subnet

Localhost

Format
127.0.0.1
Use Case
Local server access only

Always include this for local administration

Multiple Entries

Format
127.0.0.1,192.168.1.0/24
Use Case
Multiple IPs or ranges

Comma-separated list of any format combination

Configuration Examples

Example 1: Office Network Only

Restrict access to office IP range and VPN endpoint:

Office Network Whitelist Configuration
Allowed IP Addresses (Whitelist):
127.0.0.1,192.168.1.0/24,203.0.113.50

Explanation:
- 127.0.0.1         → Local server access
- 192.168.1.0/24    → Office network (192.168.1.1-192.168.1.254)
- 203.0.113.50      → VPN endpoint public IP

Denied IP Addresses (Blacklist):
(leave empty)

Result:
✓ Office network users can access
✓ VPN users can access
✗ All other IPs denied

Example 2: Block Known Attackers

Block specific IPs showing malicious activity while allowing broader access:

Blacklist Malicious IPs
Allowed IP Addresses (Whitelist):
(leave empty - allow all except blacklist)

Denied IP Addresses (Blacklist):
198.51.100.45,198.51.100.46,203.0.113.0/24

Explanation:
- 198.51.100.45     → Blocked individual attacker IP
- 198.51.100.46     → Blocked individual attacker IP
- 203.0.113.0/24    → Blocked entire malicious subnet

Result:
✗ Listed IPs/ranges denied
✓ All other IPs allowed (not recommended for production)

Example 3: Maximum Security

Strict whitelist with additional blacklist protection:

Maximum Security Configuration
Allowed IP Addresses (Whitelist):
127.0.0.1,10.0.0.0/8,172.16.0.100

Denied IP Addresses (Blacklist):
10.0.50.0/24

Explanation:
Whitelist:
- 127.0.0.1         → Local access
- 10.0.0.0/8        → Internal network
- 172.16.0.100      → Admin workstation

Blacklist (within whitelist):
- 10.0.50.0/24      → Guest network within internal network

Result:
✓ Internal network (except guest subnet)
✓ Admin workstation
✗ Guest network (even though in whitelist range)
✗ All external IPs
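To make the evaluation order, the entry formats and the three configuration examples above concrete, here is a small evaluator that mirrors the access logic this page describes. It is an added example and not ColdFusion's own code: the entry syntax (single IP, dashed range, CIDR, comma-separated) and the decision order (blacklist first, deny wins; an empty whitelist allows everything not denied) are taken from the page, while the function names, whitespace tolerance and the per-version IPv4/IPv6 handling are assumptions. The would_lock_out helper is the pre-save check the warning in the whitelist section asks for.

```python
"""Added example (not ColdFusion's own code): evaluator for the Allowed /
Denied IP Addresses logic described on this page."""
import ipaddress


def parse_entry(entry):
    """Parse one entry into (ip_version, low, high) integer address bounds.

    Accepts a single address, a dashed range "a-b", or a CIDR block.
    """
    entry = entry.strip()
    if "-" in entry:
        start_s, end_s = entry.split("-", 1)
        start = ipaddress.ip_address(start_s.strip())
        end = ipaddress.ip_address(end_s.strip())
        if start.version != end.version or int(start) > int(end):
            raise ValueError(f"invalid range: {entry}")
        return (start.version, int(start), int(end))
    if "/" in entry:
        # strict=False tolerates host bits being set, e.g. 192.168.1.5/24
        net = ipaddress.ip_network(entry, strict=False)
        return (net.version, int(net.network_address), int(net.broadcast_address))
    addr = ipaddress.ip_address(entry)
    return (addr.version, int(addr), int(addr))


def parse_list(text):
    """Parse a comma-separated setting value; an empty setting yields no entries."""
    return [parse_entry(e) for e in text.split(",") if e.strip()]


def matches(client_ip, bounds):
    """True if client_ip falls inside any (version, low, high) entry."""
    addr = ipaddress.ip_address(client_ip)
    n = int(addr)
    return any(v == addr.version and low <= n <= high for v, low, high in bounds)


def admin_access_allowed(client_ip, allowed="", denied=""):
    """Decide access in the order the page describes:
    1. blacklist is checked first and deny wins;
    2. an empty whitelist means every non-denied IP is allowed;
    3. otherwise the IP must match a whitelist entry."""
    if matches(client_ip, parse_list(denied)):
        return False
    allow = parse_list(allowed)
    if not allow:
        return True
    return matches(client_ip, allow)


def would_lock_out(my_ip, allowed, denied=""):
    """Pre-save check: would this configuration shut out the administrator
    who is currently applying it? (my_ip is the address the server sees.)"""
    return not admin_access_allowed(my_ip, allowed, denied)


if __name__ == "__main__":
    # Example 3 from this page: strict whitelist plus a guest-subnet blacklist.
    allowed = "127.0.0.1,10.0.0.0/8,172.16.0.100"
    denied = "10.0.50.0/24"
    for ip in ("10.1.2.3", "10.0.50.7", "172.16.0.100", "203.0.113.5"):
        verdict = "allowed" if admin_access_allowed(ip, allowed, denied) else "denied"
        print(f"{ip:>14}  {verdict}")
    # 198.51.100.1 is a constructed "current IP" that the whitelist omits.
    print("lock-out risk for 198.51.100.1:", would_lock_out("198.51.100.1", allowed, denied))
```

One caveat the evaluator makes visible: the decision is made on the address the server actually sees. If requests arrive through a load balancer or reverse proxy, that address is the proxy's, not the user's, so whitelisting the proxy would effectively admit everyone behind it; compare against the web server logs and the X-Forwarded-For header as the troubleshooting section below suggests.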

Emergency Access Recovery

What to do if you lock yourself out of the administrator.

Manual Configuration File Edit

File Location: {cf_root}/lib/neo-security.xml
Access Required: Direct server access (SSH, RDP, or console)
Steps:
  1. Stop ColdFusion service
  2. Edit neo-security.xml
  3. Find allowedIPAddresses section
  4. Add your IP or clear restrictions
  5. Save file
  6. Start ColdFusion service
Important: Always backup neo-security.xml before editing. Invalid XML syntax can prevent ColdFusion from starting.
Manual XML Edit Example
<!-- Find this section in neo-security.xml -->
<var name='allowedIPAddresses'>
  <string>127.0.0.1,192.168.1.0/24</string>
</var>

<!-- Option 1: Add your IP -->
<var name='allowedIPAddresses'>
  <string>127.0.0.1,192.168.1.0/24,203.0.113.100</string>
</var>

<!-- Option 2: Temporarily remove all restrictions -->
<var name='allowedIPAddresses'>
  <string></string>
</var>
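The recovery steps above boil down to: back up the file, change one value, and never leave behind XML that ColdFusion cannot load. The following helper, an added example that is not part of ColdFusion or this page, does exactly that for the two options shown: it copies neo-security.xml aside, rewrites the allowedIPAddresses value (Option 1 appends your IP, Option 2 clears the list), re-parses the result and only then swaps it into place. It assumes the <var name='allowedIPAddresses'><string>...</string></var> layout shown above; the outer <config> element and the second var in the constructed sample are placeholders, not the real file's structure, and the helper does not stop or start the ColdFusion service (steps 1 and 6 remain manual).

```python
"""Added example (not part of ColdFusion or this page): safe edit of the
allowedIPAddresses value in neo-security.xml with backup and validation."""
import shutil
import tempfile
import time
import xml.etree.ElementTree as ET
from pathlib import Path

# Constructed sample standing in for {cf_root}/lib/neo-security.xml.
# Only the allowedIPAddresses var follows the page; <config> and
# otherSetting are placeholders.
SAMPLE_XML = """<config>
  <var name='allowedIPAddresses'>
    <string>127.0.0.1,192.168.1.0/24</string>
  </var>
  <var name='otherSetting'>
    <string>placeholder</string>
  </var>
</config>
"""


def _allowed_node(tree):
    """Locate the single <string> under <var name='allowedIPAddresses'>."""
    nodes = [v for v in tree.getroot().iter("var") if v.get("name") == "allowedIPAddresses"]
    if len(nodes) != 1:
        raise ValueError(f"expected exactly one allowedIPAddresses var, found {len(nodes)}")
    node = nodes[0].find("string")
    if node is None:
        raise ValueError("allowedIPAddresses var has no <string> child")
    return node


def backup_file(path):
    """Copy the file aside with a timestamp; never overwrite an older backup."""
    path = Path(path)
    stamp = time.strftime("%Y%m%d-%H%M%S")
    n = 0
    while True:
        suffix = f".{stamp}.bak" if n == 0 else f".{stamp}-{n}.bak"
        candidate = path.with_name(path.name + suffix)
        if not candidate.exists():
            break
        n += 1
    shutil.copy2(path, candidate)
    return candidate


def get_allowed_ips(path):
    """Return the current whitelist value ("" means no restrictions)."""
    return (_allowed_node(ET.parse(path)).text or "").strip()


def set_allowed_ips(path, new_value):
    """Back up, rewrite the whitelist, verify well-formedness, then swap in."""
    path = Path(path)
    backup_file(path)
    tree = ET.parse(path)
    _allowed_node(tree).text = new_value  # "" clears all restrictions (Option 2)
    tmp = path.with_name(path.name + ".tmp")
    tree.write(tmp, encoding="utf-8")
    ET.parse(tmp)  # refuse to replace the original with anything that does not parse
    tmp.replace(path)
    return get_allowed_ips(path)


def add_allowed_ip(path, ip):
    """Option 1 from the page: append an IP unless it is already listed."""
    entries = [e.strip() for e in get_allowed_ips(path).split(",") if e.strip()]
    if ip not in entries:
        entries.append(ip)
    return set_allowed_ips(path, ",".join(entries))


def demo():
    """Run the whole flow against the constructed sample in a temporary directory."""
    with tempfile.TemporaryDirectory() as d:
        cfg = Path(d) / "neo-security.xml"
        cfg.write_text(SAMPLE_XML, encoding="utf-8")
        result = {"before": get_allowed_ips(cfg)}
        result["after_add"] = add_allowed_ip(cfg, "203.0.113.100")  # Option 1
        result["after_clear"] = set_allowed_ips(cfg, "")             # Option 2
        result["backups"] = len(list(Path(d).glob("neo-security.xml.*.bak")))
        return result


if __name__ == "__main__":
    print(demo())
```

Two properties of this approach are worth knowing before using it on a real server: ElementTree re-serialises the whole document, so attribute quoting may change and XML comments are dropped, which is why the timestamped backup is taken unconditionally; and an empty value is written as a self-closing <string /> element, which is equivalent XML to the <string></string> form shown above.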

Common Issues & Solutions

Locked Out of Administrator

Symptom: Cannot access administrator, getting "Access Denied" or connection refused
Solutions:
  • Verify your current IP address hasn't changed (check whatismyip.com)
  • Check if accessing through proxy/VPN that changes your IP
  • Use direct server console access to edit neo-security.xml
  • SSH to server and modify configuration file manually
  • Contact hosting provider if no direct access available

Restrictions Not Working

Symptom: IP restrictions configured but users from denied IPs can still access
Solutions:
  • Verify settings saved correctly in administrator
  • Restart ColdFusion service to apply changes
  • Check if users accessing via load balancer (see X-Forwarded-For header)
  • Verify proxy configuration isn't bypassing restrictions
  • Review web server logs for actual connecting IP addresses
  • Consider additional web server level IP restrictions (Apache/IIS)

Dynamic IP Addresses

Symptom: Admin access works sometimes but not others due to changing IP
Solutions:
  • Use VPN with static endpoint IP instead of workstation IP
  • Request static IP from ISP for admin workstations
  • Allow entire ISP subnet range (less secure, not recommended)
  • Use bastion host/jump server with static IP
  • Implement additional authentication layer (2FA, client certificates)

Security Best Practices

Defense in Depth Strategy:
  • Layer 1: Network firewall blocking admin port from internet
  • Layer 2: Web server IP restrictions (Apache/IIS/Nginx)
  • Layer 3: ColdFusion IP whitelist (this setting)
  • Layer 4: Strong administrator passwords and username
  • Layer 5: Multi-factor authentication if available
  • Layer 6: Regular security audits and access reviews
Production Requirements: Never expose ColdFusion Administrator directly to the internet. Use VPN, bastion hosts, or at minimum strict IP whitelisting combined with strong authentication.

Related Resources