Create a network zone for IWA sign-ins
You can create a network zone for Integrated Windows Authentication (IWA) sign-ins.
Okta evaluates IWA sign-ins and verifies that they come from a configured zone. When an IWA agent is configured, the IP address of the client is added to the LegacyIPZone. The LegacyIPZone is the only zone configured by default. You can define up to 20 dynamic zones in IWA Network Zones.
You can't delete LegacyIPZones.
Before you begin
Ensure that IWA Web agent is installed and configured.
Configure a LegacyIPZone routing rule
In the Admin Console, go to Security > Identity Providers > Routing Rules.
- Click Add Routing Rule.
- Complete these fields:
- Rule Name: Enter a descriptive name for the rule.
- User's IP is: Select In zone to apply the rule to a specific zone.
- In the zones field, type "l" (lower-case "L") and then select LegacyIpZone.
- User's device platform is: Select Any device to apply the rule to users with any device type. To apply the rule to users with specific devices, select Any of these devices and select specific devices.
- User is accessing:
- Any application: Apply the rule when a user accesses any application.
- Any of the following applications: Apply the rule when a user accesses specific applications. Enter an application name.
- Use this identity provider: Select Okta.
Define a network zone for LegacyIPZone
- In the Admin Console, go to .
- Click Add Zone and select Add IP Zone.
- Enter the name for the routing rule that you created in the Configure a LegacyIPZone routing rule procedure.
- Enter the Gateway IP addresses and Proxy IP addresses. Separate IPs and IP ranges with a newline or comma. You can add single IPs, IP ranges, or use CIDR notation.
- Click Save.
When you edit a network zone,wait approximately 60 seconds for the change to propagate across all servers and take effect.