Okta Classic Engine | Multi-Factor Authentication | Answered | 2025-09-13T09:01:51.000Z | 2023-11-18T10:37:24.000Z | 2023-11-28T18:13:19.000Z
  • a0n5s (a0n5s)

    www.fingerprint.com can detect the user from VPN by timezone. Our customer added it by adding nginx before Okta. This increases the complexity. I confirmed with the support team that Okta used open-source fingerprintjs before.

  • Mihai N. (Okta, Inc.)

    Hi @MartinZ.70015 (Customer), thank you for reaching out to the Okta Community!

     

    There currently is no feature to explicitly block VPN access. You will need to configure explicit allow/block lists in accordance with your organization’s requirements.  

    Setting up a Dynamic Network Zone to block “Any Proxy” might work but it could also hinder access for unintended parties. 

    Typically, you would configure a list of Network Zones considered “safe” (i.e. Office Network) and then block everything else. However, I can understand how in today’s “work from home” climate this might prove rather difficult. 

     

    More details about Okta Network Zones configuration below: 

    How is Okta Evaluating my IP Address While Using an IP Zone in a Policy?

    How Are The Proxy IPs in The Network Zones Used in Okta?

    Generate a Proxy IP report

     

    In the meantime, you can also suggest a Feature Enhancement on the Okta Community page by going to the Community Ideas tab. Features suggested in our community are reviewed and can be voted and commented on by other members. High popularity will increase the likelihood of it being picked up by the Product Team and it being implemented. 

    More details here.

     

     

     

    If my answer helped, remember to mark it as best to increase its visibility for other members of the Okta Community who might have the same questions as you. 

     

    Hope my answer helps! 

    --------------------------------

    What you missed: new product releases and other announcements

    • MartinZ.70015 (Customer)

      Thank you Mihai. Yes, creating allow/block lists won't work for this use case. Say we want to prevent login to O365 from VPNs but not block users who want to check their mail from home. It would just require they don't have VPN enabled (so we get better log fidelity and can better utilize geo-blocking).

       

      This gave me a bit more insight on the "any proxy" option - but still not 100% clear. I guess I can see how that might cause issues with legitimate access... but if it can, I'm not sure what the purpose of that option is. Seems like blocking anonymizing proxy services would be a general best practice and should not impact normal user access. I see that Okta is using Neustar for this determination:

       

      "The IP type determines if the request is from a proxy and if so, which type of proxy the request is from. The IP type is determined based on the IP of the request using Neustar. For issues with IP type accuracy, contact Neustar directly. See Neustar. Define one IP type for a dynamic zone."

       

      So not strictly VPN but certainly anon proxy services.

       

      • Mihai N. (Okta, Inc.)

        It’s more of a question of the scale of your operation. If it’s not too large, it's worth giving it a try and dealing with individual end-user reports of access issues if/when they come up.

        I ran this by the internal team as well and they mentioned that you could try blocking any proxy, as most general VPN IPs are known and recorded to be proxy VPN IPs, but that will not be a 100% guarantee.

         

        You might have to look for a third party solution for this use case.  

        In the meantime, you can suggest blocking VPNs as a Feature Enhancement on the Okta Community page by going to the Community Ideas tab. Features suggested in our community are reviewed and can be voted and commented on by other members. High popularity will increase the likelihood of it being picked up by the Product Team and it being implemented. 

        More details here.

         

         

        Regards.

  • MartinZ.70015 (Customer)

    Thank you for raising the question internally. I believe with the Proxy Report (you referenced prior) it is worth testing. I can at least get some idea of impact with that. I'll also add an enhancement request. Blocking VPN seems to be coming up with most of our compliance recommendations.

This question is closed.
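
One way to gauge the impact discussed in this thread before blocking "Any Proxy", as an added example that is not part of the thread or Okta's own code. It assumes sign-in events exported as JSON from the Okta System Log (fields `eventType`, `actor.alternateId`, `client.ipAddress`, `outcome.result`, `securityContext.isProxy`) and that `isProxy` approximates the zone's proxy classification; the events and function names are constructed here.

```python
import json
from collections import defaultdict

# Constructed sample events shaped like Okta System Log entries (values are illustrative).
SAMPLE_EVENTS = json.loads("""[
 {"eventType":"user.session.start","actor":{"alternateId":"alice@example.com"},
  "client":{"ipAddress":"192.0.2.10"},"outcome":{"result":"SUCCESS"},"securityContext":{"isProxy":false}},
 {"eventType":"user.session.start","actor":{"alternateId":"alice@example.com"},
  "client":{"ipAddress":"203.0.113.7"},"outcome":{"result":"SUCCESS"},"securityContext":{"isProxy":true}},
 {"eventType":"user.session.start","actor":{"alternateId":"bob@example.com"},
  "client":{"ipAddress":"203.0.113.7"},"outcome":{"result":"SUCCESS"},"securityContext":{"isProxy":true}},
 {"eventType":"user.session.start","actor":{"alternateId":"bob@example.com"},
  "client":{"ipAddress":"198.51.100.23"},"outcome":{"result":"SUCCESS"},"securityContext":{"isProxy":true}},
 {"eventType":"user.session.start","actor":{"alternateId":"carol@example.com"},
  "client":{"ipAddress":"192.0.2.44"},"outcome":{"result":"SUCCESS"},"securityContext":{"isProxy":null}},
 {"eventType":"user.session.start","actor":{"alternateId":"carol@example.com"},
  "client":{"ipAddress":"203.0.113.9"},"outcome":{"result":"FAILURE"},"securityContext":{"isProxy":true}},
 {"eventType":"user.authentication.sso","actor":{"alternateId":"carol@example.com"},
  "client":{"ipAddress":"203.0.113.9"},"outcome":{"result":"SUCCESS"},"securityContext":{"isProxy":true}}
]""")

def proxy_impact(events, event_type="user.session.start"):
    """Per-user count of successful sign-ins that arrived from proxy-flagged IPs."""
    stats = defaultdict(lambda: {"proxy": 0, "direct": 0, "ips": set()})
    for ev in events:
        if ev.get("eventType") != event_type:
            continue
        if (ev.get("outcome") or {}).get("result") != "SUCCESS":
            continue  # failed sign-ins are not access that a block would take away
        user = (ev.get("actor") or {}).get("alternateId", "unknown")
        if (ev.get("securityContext") or {}).get("isProxy") is True:
            stats[user]["proxy"] += 1
            stats[user]["ips"].add((ev.get("client") or {}).get("ipAddress") or "unknown")
        else:  # false or null (unclassified) is counted as a direct sign-in
            stats[user]["direct"] += 1
    return {u: {"proxy_logins": s["proxy"], "total_logins": s["proxy"] + s["direct"],
                "proxy_only": s["direct"] == 0, "proxy_ips": sorted(s["ips"])}
            for u, s in stats.items()}

def proxy_only_users(report):
    """Users whose every successful sign-in was proxy-flagged: most exposed to a block."""
    return sorted(u for u, r in report.items() if r["proxy_only"])

if __name__ == "__main__":
    report = proxy_impact(SAMPLE_EVENTS)
    for user, row in sorted(report.items()):
        print(user, row)
    print("proxy-only users:", proxy_only_users(report))
```

Users in the proxy-only list are the ones to contact before enforcement; users with mixed sign-ins would keep access once they disable the VPN.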
Blocking access from VPNs