The Network page lets admins describe their network perimeter to Okta. Public Gateway IP Addresses and IP Zones let Okta apply certain features differently depending on whether a request originates on or off premises. Any IP address that is not included in the list is considered off network and is subject to any off-network security policies you create.
Note: IP Zones supersede the Public Gateway IP Addresses feature.
Okta offers authentication whitelisting and blacklisting based on zones. A zone is a set of IP address ranges, single IP addresses, or geolocations defined by an admin. Zones are used in sign-on policies, application sign-on rules, VPN notifications, and Integrated Windows Authentication (IWA). If a zone definition is updated, every policy or rule that uses it automatically picks up the new definition.
Zones replace the earlier concept of Public Gateway IPs, in which you could specify only one set of IP addresses. The terms on network and off network are replaced by in zone and not in zone.
A zone defines either IP addresses or geographical locations. You can set up to 100 zones. Each zone can contain up to 150 specifications.
The following table describes specifications for IP address zones.
Note: The Gateway IP field must be populated for a zone to be evaluated; a zone with only trusted proxies and no gateway IPs never matches a request.
If you have the Geolocations feature enabled, you can also use geographical specifications. The following table describes specifications for geographic location zones.
You cannot define a country as a specification and then add another specification that defines a region within that country. The following combination of specifications is valid:
The following combination of specifications is invalid:
Note: You cannot specify cities or IPv6 addresses.
Use Security > Networks > Add Zone to create a new zone. Use the Edit or Delete icons next to an existing zone to change or remove it. The LegacyIpZone can be edited but not deleted (see the notes on legacy zones below).
When entering rules for sign-on policies under Security > Authentication, specify zone information with the Location selection.
The choices for Location are Anywhere, In zone, and Not in zone.
After selecting In zone or Not in zone, the zone selection options appear.
If you check All Zones, all of your defined zones are selected and the Zones box below it is hidden.
If you do not check All Zones, you can begin typing a zone name in the Zones box. A dropdown list shows every existing zone whose name contains the text you entered, anywhere in the name. You can choose any number of zones. A search for the letter t, for example, lists every zone with a t in its name; even if only one zone is found, you must still select it from the list to add it to the rule.
When entering rules for VPN notifications, you cannot list specific zones; you can specify only Inside Any Zones or Outside All Zones.
Note: You can jump to the zone setup screens at any time by choosing the Network link.
When evaluating IWA logins, Okta checks that the login comes from one of the configured zones. You can edit the configuration and choose any zones you want, or choose All Zones, as you do in policies.
When an IWA agent is configured, the IP address of the client is added to the LegacyIpZone. The LegacyIpZone is the only zone configured by default.
Note: You can select up to 20 network zones for IWA.
When an IP or location zone is deleted, every rule that uses the deleted zone is affected, so review the rules that reference a zone before deleting it.
If you had already defined Public Gateway IP Addresses, that information is migrated to a zone named LegacyIpZone. You cannot delete this zone, but you can edit it.
Existing rules that relied on the Public Gateway IP Addresses keep their previous behavior through LegacyIpZone. The zone remains active and can be used in new assignments.
Note: You can define a maximum of 5000 legacy network zones.
Blacklist an Entire Zone
Entire zones can be marked as blacklisted. Clients from these zones cannot access any URL for the org. To blacklist a zone, check Blacklist access from IPs listed in this zone on the Add IP Zone screen.
Note: Two network zones are created by default when the Multiple Network Zones feature is enabled; one of them can be used for blacklisting IPs. Creating multiple network zones is currently an Early Access (EA) feature; contact Okta Support to enable it.
A dynamic zone is defined by a location and a proxy type. The zone can be blacklisted or whitelisted.
You can define specific locations, or use any location.
You can set the proxy type to Any, TorAnonymizer, or NotTorAnonymizer, or leave Proxy unchecked to ignore proxy status.
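The following is an added example, not Okta's code, showing how the In zone / Not in zone / All Zones rule conditions from the sign-on policy section and the location plus proxy-type matching of dynamic zones fit together. The zone dicts reuse the Okta Zones API field names (type, gateways, locations, proxyType) and the rule network condition reuses the policy API shape (connection ANYWHERE or ZONE with include or exclude lists, ALL_ZONES standing for the All Zones checkbox), but the evaluator, the geolocation and Tor lookup tables, the zone IDs, the policy, and the conventions that an empty locations list means any location and a proxyType of None means Proxy unchecked are all mine and are constructed for illustration.

```python
import ipaddress

# Constructed lookup data standing in for a geolocation / anonymizer feed.
GEO = {  # CIDR -> (ISO country, ISO region)
    "203.0.113.0/24": ("US", "US-CA"),
    "198.51.100.0/24": ("GB", "GB-ENG"),
    "192.0.2.0/24": ("DE", "DE-BE"),
}
TOR_EXITS = {"198.51.100.77"}

# Constructed zones keyed by made-up zone IDs. Field names follow the Okta
# Zones API; an empty "locations" list meaning "any location" and a
# "proxyType" of None meaning "Proxy unchecked" are this evaluator's conventions.
ZONES = {
    "nzo1": {"name": "CorpOffices", "type": "IP",
             "gateways": [{"type": "CIDR", "value": "203.0.113.0/24"}]},
    "nzo2": {"name": "TorAnywhere", "type": "DYNAMIC",
             "locations": [], "proxyType": "TorAnonymizer"},
    "nzo3": {"name": "UK-NotTor", "type": "DYNAMIC",
             "locations": [{"country": "GB", "region": None}],  # region None = whole country
             "proxyType": "NotTorAnonymizer"},
    "nzo4": {"name": "California", "type": "DYNAMIC",
             "locations": [{"country": "US", "region": "US-CA"}], "proxyType": None},
}

# Constructed sign-on policy, evaluated top down, first matching rule wins.
# "nzo9" is a zone that has since been deleted: its rule can never match.
POLICY = [
    {"name": "DenyTor", "action": "DENY",
     "network": {"connection": "ZONE", "include": ["nzo2"]}},
    {"name": "OldPartnerZone", "action": "ALLOW",
     "network": {"connection": "ZONE", "include": ["nzo9"]}},
    {"name": "OfficePasswordOnly", "action": "ALLOW",
     "network": {"connection": "ZONE", "include": ["nzo1"]}},
    {"name": "OutsideAllZones", "action": "DENY",
     "network": {"connection": "ZONE", "exclude": ["ALL_ZONES"]}},
    {"name": "AnywhereMFA", "action": "ALLOW_MFA",
     "network": {"connection": "ANYWHERE"}},
]


def classify(ip):
    """Build the request context that zones are evaluated against."""
    addr = ipaddress.ip_address(ip)
    country = region = None
    for cidr, (c, r) in GEO.items():
        if addr in ipaddress.ip_network(cidr):
            country, region = c, r
    proxy = "TorAnonymizer" if ip in TOR_EXITS else None  # only Tor is modelled here
    return {"ip": addr, "country": country, "region": region, "proxy": proxy}


def zone_matches(zone, ctx):
    """IP zones match on gateway CIDRs; dynamic zones on location AND proxy type."""
    if zone["type"] == "IP":
        return any(ctx["ip"] in ipaddress.ip_network(g["value"]) for g in zone["gateways"])
    locs = zone["locations"]
    loc_ok = not locs or any(
        loc["country"] == ctx["country"] and loc["region"] in (None, ctx["region"])
        for loc in locs)
    proxy_ok = {None: True,
                "Any": ctx["proxy"] is not None,
                "TorAnonymizer": ctx["proxy"] == "TorAnonymizer",
                "NotTorAnonymizer": ctx["proxy"] != "TorAnonymizer"}[zone["proxyType"]]
    return loc_ok and proxy_ok


def rule_applies(rule, ctx, zones):
    """Anywhere always applies; In zone needs one listed zone to match,
    Not in zone needs none of the listed zones to match."""
    net = rule["network"]
    if net["connection"] == "ANYWHERE":
        return True
    matched = {zid for zid, z in zones.items() if zone_matches(z, ctx)}
    if "include" in net:
        wanted = set(zones) if "ALL_ZONES" in net["include"] else set(net["include"])
        return bool(matched & wanted)
    banned = set(zones) if "ALL_ZONES" in net["exclude"] else set(net["exclude"])
    return not (matched & banned)


def decide(policy, ip, zones=ZONES):
    """Return (rule name, action) of the first applicable rule; fail closed if none."""
    ctx = classify(ip)
    for rule in policy:
        if rule_applies(rule, ctx, zones):
            return rule["name"], rule["action"]
    return None, "DENY"


def stale_zone_ids(policy, zones):
    """Zone IDs a rule still references but that no longer exist (deleted zones)."""
    refs = {zid for r in policy
            for zid in r["network"].get("include", []) + r["network"].get("exclude", [])}
    return refs - set(zones) - {"ALL_ZONES"}


if __name__ == "__main__":
    for ip in ("203.0.113.10", "198.51.100.77", "198.51.100.5", "192.0.2.50"):
        print(ip, decide(POLICY, ip))
    print("rules referencing deleted zones:", stale_zone_ids(POLICY, ZONES))
```

The stale-zone check is the practical counterpart of the warning that deleting a zone affects every rule using it: an In zone rule whose only zone is gone silently stops matching, while a Not in zone rule whose zones are gone starts matching everywhere, so such rules should be found and fixed rather than left in place.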
Public Gateway IP Addresses (Superseded by IP Zones)
To set these IP addresses,
Okta Features Using Public Gateway IPs
Desktop SSO – Prevents the SSO redirect (to the IWA site) from occurring when accessed off premises.
Multifactor Authentication – Permits an admin to require MFA only when the system is accessed off premises.
App Sign On Policies – Permits denial of access to certain applications when accessed off premises.
Support for Trusted Proxies
To specify trusted proxies, see Setting up Zones in the IP Zones section above.
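The following is an added example, not Okta's code, covering the IP zone evaluation from the IP Zones section (gateway IPs as CIDR ranges or address ranges, the requirement that a zone have gateway IPs to be evaluated), the Blacklist an Entire Zone section, and the trusted proxies this section refers to. The gateways and proxies entries copy the shape used by the Okta Zones API; the blacklisted flag is my stand-in for the "Blacklist access from IPs listed in this zone" checkbox, and the X-Forwarded-For handling is my own description of how trusted proxies should be treated in front of an identity provider, not a statement of Okta's internal algorithm. All addresses are from documentation ranges and are constructed.

```python
import ipaddress

# Constructed zones. "gateways"/"proxies" entries follow the Okta Zones API
# (type CIDR or RANGE); "blacklisted" is my own field for the blacklist checkbox.
ZONES = [
    {"name": "OfficeZone", "type": "IP", "blacklisted": False,
     "gateways": [{"type": "CIDR", "value": "203.0.113.0/24"},
                  {"type": "RANGE", "value": "198.51.100.10-198.51.100.20"}],
     "proxies": [{"type": "CIDR", "value": "192.0.2.0/28"}]},
    {"name": "BlockedRange", "type": "IP", "blacklisted": True,
     "gateways": [{"type": "RANGE", "value": "198.51.100.200-198.51.100.254"}],
     "proxies": []},
    # No gateway IPs: this zone can never match, whatever its proxies say.
    {"name": "EmptyZone", "type": "IP", "blacklisted": False,
     "gateways": [], "proxies": [{"type": "CIDR", "value": "192.0.2.16/28"}]},
]


def networks(entries):
    """Expand CIDR/RANGE entries into ip_network objects."""
    out = []
    for e in entries:
        if e["type"] == "CIDR":
            out.append(ipaddress.ip_network(e["value"], strict=False))
        elif e["type"] == "RANGE":
            lo, hi = (ipaddress.ip_address(p.strip()) for p in e["value"].split("-"))
            out.extend(ipaddress.summarize_address_range(lo, hi))
        else:
            raise ValueError(f"unsupported entry type {e['type']!r}")
    return out


def contains(entries, ip):
    return any(ip in net for net in networks(entries))


def effective_client_ip(zones, remote_addr, xff=""):
    """Resolve the client address behind trusted proxies.

    Assumption (mine): X-Forwarded-For is consulted only when the connecting
    address is a trusted proxy listed in some zone's "proxies"; the header is
    walked from the right, skipping further trusted proxies, and stops at the
    first address that is not one. A header sent by an untrusted address is
    ignored, so a client cannot claim an in-zone address by adding it.
    """
    trusted = [p for z in zones for p in z.get("proxies", [])]
    hops = [ipaddress.ip_address(h.strip()) for h in xff.split(",") if h.strip()]
    ip = ipaddress.ip_address(remote_addr)
    while hops and contains(trusted, ip):
        ip = hops.pop()
    return ip


def evaluate(zones, remote_addr, xff=""):
    """Which zones the request is in, and whether any of them blacklists it."""
    ip = effective_client_ip(zones, remote_addr, xff)
    # A zone with no gateway IPs is skipped: it cannot be evaluated.
    matched = [z["name"] for z in zones if z["gateways"] and contains(z["gateways"], ip)]
    blocked = any(z["blacklisted"] for z in zones if z["name"] in matched)
    return {"client_ip": str(ip), "in_zones": matched, "blacklisted": blocked}


if __name__ == "__main__":
    print(evaluate(ZONES, "203.0.113.5"))                                   # direct, in zone
    print(evaluate(ZONES, "192.0.2.3", xff="203.0.113.7, 192.0.2.4"))       # via trusted proxies
    print(evaluate(ZONES, "8.8.8.8", xff="203.0.113.7"))                    # spoofed header, ignored
    print(evaluate(ZONES, "198.51.100.210"))                                # blacklisted zone
```

The third call is the case that matters when adding trusted proxies: only addresses you list as proxies may vouch for a client via X-Forwarded-For, so the proxy entries should be as narrow as the gateway entries, otherwise anything that can reach the listed proxy range can pick the zone it lands in.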