
Proxy IP Usage in Okta Network Zones


Overview

This article discusses the use of Network zones to define security perimeters and limit access based on certain parameters.

Applies To

  • Okta Identity Engine (OIE)
  • Okta Classic Engine
  • Network Zones
  • Authentication Policies
  • VPN Notifications
  • Integrated Windows Authentication (IWA)

Solution

Okta captures the IP chain of a request and evaluates sign-on policies against all of the IP addresses in that chain. This may result in undesired or unauthorized logins, contrary to the sign-on policies. When an IP address is added to the Proxy IPs of a network zone, Okta ignores that address when evaluating the policy.

  • For example, a user logs in to a VPN client that goes through the Okta RADIUS Agent. The IP addresses of both the RADIUS Agent and the VPN client appear in the IP chain, and Okta evaluates both. After the RADIUS Agent IP address is added to the Trusted Proxy IPs in the network zone, Okta evaluates authentication policies based only on the VPN client.
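
A simplified model of the evaluation described above, as an added example that is not Okta's code: it assumes a zone counts as matched when any IP address that is still evaluated falls inside the zone's gateway list. The function names, the sample addresses (documentation ranges) and the gateway list are constructed for illustration.

```python
import ipaddress


def _in_any(ip, networks):
    """True if ip falls inside any entry of networks (single IPs or CIDRs)."""
    addr = ipaddress.ip_address(ip)  # raises ValueError on a malformed address
    return any(addr in ipaddress.ip_network(n, strict=False) for n in networks)


def evaluated_ips(ip_chain, proxy_ips):
    """IPs of the chain that are still evaluated once proxy IPs are ignored."""
    return [ip for ip in ip_chain if not _in_any(ip, proxy_ips)]


def zone_matches(ip_chain, gateways, proxy_ips=()):
    """Assumed rule: the zone matches if any evaluated IP is in its gateways."""
    return any(_in_any(ip, gateways) for ip in evaluated_ips(ip_chain, proxy_ips))


# Constructed sample data (RFC 5737 documentation addresses).
VPN_CLIENT = "198.51.100.23"        # remote user, outside the corporate range
RADIUS_AGENT = "203.0.113.10"       # Okta RADIUS Agent, inside the corporate range
CHAIN = [VPN_CLIENT, RADIUS_AGENT]  # IP chain captured for the sign-in
CORP_GATEWAYS = ["203.0.113.0/24"]  # gateway list of the corporate zone

if __name__ == "__main__":
    # No proxy configured: the agent's own IP makes the remote login look in-zone.
    print("no proxy IPs  :", zone_matches(CHAIN, CORP_GATEWAYS))
    # Agent listed as proxy IP: only the VPN client is evaluated.
    print("agent as proxy:", zone_matches(CHAIN, CORP_GATEWAYS, [RADIUS_AGENT]))
    print("evaluated     :", evaluated_ips(CHAIN, [RADIUS_AGENT]))
```

In this model, a chain that consists only of proxy IPs leaves nothing to evaluate, so the zone does not match.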

IP zone evaluation

 
