<iframe src="https://www.googletagmanager.com/ns.html?id=GTM-M74D8PB" height="0" width="0" style="display:none;visibility:hidden">
Loading
Skip to NavigationSkip to Main Content
System Status
Announcements
Announcements
Search
Search
Select Language
Knowledge Base
Knowledge Articles
Support Videos ↗
Documentation
Product Documentation ↗
Developer Documentation ↗
Product Release Notes ↗
Community
Events & Webinars
Okta Ideas ↗
Resources
Product Hub
Customer Success Hub
Product Release Update
Learning
Okta Learning ↗
Get Support
Open a Case
HomeKnowledge Base
How are the Proxy IPs in the Network Zones Used in Okta
Sep 3, 2025
Integrations
Okta Classic Engine
Okta Identity Engine
Administration
Overview

This article discusses the use of Network zones to define security perimeters and limit access based on certain parameters.

Applies To
  • Okta sign-on policies
  • App sign-on policies
  • VPN Notifications
  • Integrated Windows Authentication (IWA)
  • Okta Classic Engine
Solution

Okta will capture an IP chain and evaluate sign-on policies based on all the IP addresses. This may result in undesired/unauthorized logins, contrary to the sign-on policies. By adding an IP address to the Proxy IP of a network zone, Okta will ignore those IP addresses in evaluating the policy.

  • For example, a user logs into a VPN client going through the Okta RADIUS Agent. The IP address of the RADIUS Agent and the VPN client will show in the IP chain, and Okta will evaluate both. By adding the RADIUS Agent IP address to the Proxy IPs in the network zone, Okta will only evaluate the sign-on policy based on the VPN client.

IP zone evaluation

 

Related References

Recommended content

Still looking for help?
Loading
How are the Proxy IPs in the Network Zones Used in Okta