<iframe src="https://www.googletagmanager.com/ns.html?id=GTM-M74D8PB" height="0" width="0" style="display:none;visibility:hidden">
Loading
Skip to NavigationSkip to Main Content
System Status
Announcements
Announcements
Search
Search
Select Language
Knowledge Base
Knowledge Articles
Support Videos ↗
Documentation
Product Documentation ↗
Developer Documentation ↗
Product Release Notes ↗
Community
Events & Webinars
Okta Ideas ↗
Resources
Product Hub
Customer Success Hub
Product Release Update
Learning
Okta Learning ↗
Get Support
Open a Case
HomeCommunityForum
0D54z00008MN8snCADOkta Classic EngineAdministrationAnswered2022-11-15T10:32:22.000Z2022-11-12T08:10:49.000Z2022-11-15T10:32:22.000Z

PaulG.75072 (Customer) asked a question.

November 12, 2022 at 8:10 AM
How to use Network Zones with Split VPN

Hello,

 

I am looking to use our split VPN which currently only redirects internal traffic to our server estate, to also redirect traffic to Okta so we can use the various features that it allows.

 

There is a list of IPs here: https://s3.amazonaws.com/okta-ip-ranges/ip_ranges.json

 

  1. It provides a list of IPs for our cell. If we route these through the VPN, that is all that is required for Okta to recognise the IP inside a zone?
  2. Is there a mailing list or some other way to know if this range changes?
  3. Is this available in other formats (e.g. AWS Client VPN friendly)?

 

Thanks everyone.

Paul.

  • 4 answers
  • 528 views

  • Mihai N. (Okta, Inc.)

     Thanks for the additional details! Understandable in the current global context.  

     

    In this case you would protect you Okta resources with various sign-in policies as needed, gated or distributed among employees as needed via specific network zones and groups defined in Okta. 

    Typically you would have to add the VPN providers IP lists in the Okta Network Zone, so that our service would recognize the user as being "on network". 

    I strongly recommend the use of test groups first for the policies to avoid any unwanted downtime. 

     

    For example: 

     

    1. Create a test group ex. "VPN ACCESS" and add couple of test users. 
    2. Create a Network zone ex. "VPN IPs" in Okta with the IPs or IP ranges from the VPN provider.
    3. Create a sign on policy to "DENY access IF not in ZONE" and assign it only to the test group - make sure to put the policy in top priority so it will be evaluated first. 
    4. Create a sign on policy to "ALLOW access IF in ZONE" and assign it only to the test group - make sure to put the policy in second priority. 

     

    This should result in the following: 

    1. user goes to Okta site from personal IP - if they are in the dedicated group, their access will be denied. (if they are not in the dedicated group, other policies may be evaluated in order of priority)
    2. user turns on VPN - IP is detected as being from the "VPN IPs" zone and the user is in the appropriate group - access is granted. 

     

     

    Expand Post
    Selected as Best

  • Mihai N. (Okta, Inc.)

    Hi @PaulG.75072 (Customer)​ , Thank you for reaching out to the Okta Community!

     

     

    To answer your questions: 

    1. I might be misunderstanding your use case, but the Okta IPs don't need to be routed through the VPN to be recognized as inside of a zone - if you are referring to the Okta Network Zones. In the Zones, you would configure your own company network IPs or perhaps VPN IPs to be recognized by Okta. The IP ranges mentioned above are used for Firewall allow-listing, to ensure that the Okta services have access in case your network is configured to have certain restrictions. 
    2. Unfortunately, there currently is no such mailing list as the ranges are maintained by our third-party provider (AWS). You can suggest the implementation of mailing lists on the Okta Community page by going to the Community Ideas tab. Features suggested in our community are reviewed and can be voted and commented on by other members. High popularity will increase the likelihood of it being picked up by the Product Team and it being implemented.  

    More details here: https://support.okta.com/help/s/blog/a674z000001cj7YAAQ/okta-ideas-faq?language=en_US

     

      3. It's currently only available in the mentioned JSON format. 

     

    If my answer helped, remember to mark it as best to increase its visibility for other members of the Okta Community who might have the same questions as you. 

     

    Hope my answer helps! 

    --------------------------------

    The Okta Community November newsletter is here. Get product updates and see our top contributing members.

     

     

    Expand Post

    • PaulG.75072 (Customer)

      Thanks Mihai,

       

      All useful information. The issue for number 1 is that we have no office, we're 100% remote, and no one has static IPs etc. We do have a VPN though, so I can route people through the VPN if I know the IP ranges that Okta uses, we can route those IPs through.

       

      It sounds like this is a solution, to use this list of IPs?

       

      Tba kms

       

      Expand Post

      • Mihai N. (Okta, Inc.)

         Thanks for the additional details! Understandable in the current global context.  

         

        In this case you would protect you Okta resources with various sign-in policies as needed, gated or distributed among employees as needed via specific network zones and groups defined in Okta. 

        Typically you would have to add the VPN providers IP lists in the Okta Network Zone, so that our service would recognize the user as being "on network". 

        I strongly recommend the use of test groups first for the policies to avoid any unwanted downtime. 

         

        For example: 

         

        1. Create a test group ex. "VPN ACCESS" and add couple of test users. 
        2. Create a Network zone ex. "VPN IPs" in Okta with the IPs or IP ranges from the VPN provider.
        3. Create a sign on policy to "DENY access IF not in ZONE" and assign it only to the test group - make sure to put the policy in top priority so it will be evaluated first. 
        4. Create a sign on policy to "ALLOW access IF in ZONE" and assign it only to the test group - make sure to put the policy in second priority. 

         

        This should result in the following: 

        1. user goes to Okta site from personal IP - if they are in the dedicated group, their access will be denied. (if they are not in the dedicated group, other policies may be evaluated in order of priority)
        2. user turns on VPN - IP is detected as being from the "VPN IPs" zone and the user is in the appropriate group - access is granted. 

         

         

        Expand Post
        Selected as Best
This question is closed.
Loading
How to use Network Zones with Split VPN