We have a partner company that we provide some services for (mail, desktop, etc.). We are also rolling out MFA to Google Apps using RSA as the second factor. The MFA is set up to only enforce off-prem. Users in the partner company should not get MFA enforced when they are on their network. If I add their gateway IP addresses to the network definition, they get errors because they can't resolve the sync server in our network. Is there a way to resolve this within Okta, or do I have to get the two network teams to work out a trust model?
Unfortunately, Okta does not have control over how the IPs are resolved. You could check whether enabling the 'Obey X-Forwarded-For header for specified Public Gateway IPs' option solves the issue (this option can be found under Security > Networks).
However, there is a workaround: add the affected users (from the partner company) to a separate group and then target app sign-on rules at it in order to exempt them from the MFA prompt. It will, however, defeat the purpose of targeting them as being on network.
Turns out the issue was actually with IWA. Putting the partner's gateway IPs in a separate zone, then defining the IWA for our own IP zone, solves the sync server issue. MFA is enabled for all "on-prem" zones, enforced with rules in any app requiring MFA.
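The zone layout from the resolution above, as an added example that is not part of the thread: two Okta IP zones (payloads in the shape the Zones API takes), IWA offered only to the zone whose clients can reach the IWA server, and an MFA rule that challenges only requests outside both on-prem zones. The zone names and CIDRs are constructed placeholders, and the rule semantics are an assumption based on the thread, not Okta's own evaluation logic.

```python
import ipaddress

# Constructed zone definitions mirroring the thread: one IP zone per network.
# CIDRs are documentation ranges used as placeholders, not real gateways.
ZONES = {
    "Corp-OnPrem": ["203.0.113.0/24"],      # our own gateway range (assumed)
    "Partner-OnPrem": ["198.51.100.0/24"],  # partner company's gateways (assumed)
}

# IWA (Desktop SSO) is only configured for the zone that can resolve the IWA
# sync server; both on-prem zones are exempt from the MFA challenge.
IWA_ZONES = {"Corp-OnPrem"}
MFA_EXEMPT_ZONES = {"Corp-OnPrem", "Partner-OnPrem"}


def zone_payloads():
    """Request bodies in the shape Okta's Zones API expects
    (POST /api/v1/zones) for each zone above."""
    return [
        {
            "type": "IP",
            "name": name,
            "gateways": [{"type": "CIDR", "value": cidr} for cidr in cidrs],
        }
        for name, cidrs in ZONES.items()
    ]


def matching_zone(ip):
    """Return the first zone whose CIDRs contain ip, or None if off-prem."""
    addr = ipaddress.ip_address(ip)
    for name, cidrs in ZONES.items():
        if any(addr in ipaddress.ip_network(cidr) for cidr in cidrs):
            return name
    return None


def evaluate(ip):
    """Decide, for a request source IP, which controls apply under this layout."""
    zone = matching_zone(ip)
    return {
        "zone": zone,
        "iwa_offered": zone in IWA_ZONES,          # partner never gets IWA redirect
        "mfa_required": zone not in MFA_EXEMPT_ZONES,  # only off-prem is challenged
    }
```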