The Network page allows admins to identify their network perimeter to Okta. Public Gateway IP addresses and IP Zones allow Okta to gate certain features depending on whether access occurs on or off premises. Any IP address that is not included in the list is considered off network, and subject to any off-network security policies you might create.
Note: IP Zones supersede the Public Gateway IP Addresses feature.
Okta offers authentication whitelisting and blacklisting based on zones. Zones are sets of IP address ranges or geolocations defined by an admin. Zones are used in policies, application sign-in rules, VPN Notifications, and Integrated Windows Authentication (IWA). If a zone definition is updated, any policy or rule that uses it is automatically updated to the new specification.
Zones replace the earlier concept of Public Gateway IPs in which you could only specify one set of IP addresses. The terms on network and off network are replaced by in zone and not in zone.
Geolocation is an Early Access (EA) feature; contact Okta support to enable geolocations.
Setting up Zones
A zone can either define IP addresses or geographical locations. You can set up to 100 zones. Each zone can contain up to 150 specifications.
The following specifications are available for IP address zones:
- Public Gateway IP Addresses: enter one per line or separate by commas. For ranges, either use a hyphen to separate the range, or use CIDR notation.
- Trusted Proxy IP addresses: same format as above.
Note: The Gateway IP field must be populated in order for the Zone to be evaluated properly.
If you have the Geolocations feature enabled, you can also use geographical specifications. The following specification is available for geographic location zones:
- A country and a region: enter one per line.
You cannot define a country as a specification and then add another specification that defines a region within that country. The following combination of specifications is valid:
The following combination of specifications is invalid:
Note: You cannot specify cities or IPv6 addresses.
Use the Add Zone button for new zones. Use the Edit or Delete buttons next to existing zones to change or remove them. If you have a legacy zone, you cannot edit or delete it.
When entering rules for policies, such as sign-on policies and MFA policies, specify zone information from the selection shown below.
Choices for the location are Anywhere, In zone, and Not in zone.
After selecting In zone or Not in zone, the following zone selection options appear.
If you check All Zones, all of your defined zones are selected, and the box below it is no longer visible, as shown below.
If you do not check All Zones, you can begin typing a zone name in the Zones box. A dropdown list appears that contains all existing zones that contain the text you entered anywhere in the zone name. You can choose any number of zones. The following example shows a search for all zones that contain the letter t. In this case, only one zone is found. You still must select it to make it active.
When entering rules for VPN notifications, you cannot list specific zones for these notifications; you can specify Inside Any Zones or Outside All Zones.
Note: You can jump to the Zone setup screens anytime by choosing the Network link shown above.
When evaluating IWA logins, Okta checks that the login is from the configured zones. You can edit the configuration and choose any desired zones, or choose All Zones as you do in policies.
When an IWA agent is configured, the IP address of the client is added to the LegacyIpZone. The LegacyIpZone is the only zone configured by default, as shown below.
Note: You can define up to 20 network zones in IWA network zones.
When an IP or Location Zone is deleted, all rules that use the deleted zone are affected.
- If the zone to delete is the only zone in any rule, you cannot delete the zone and receive an error message. Edit the rule to use a different zone, then perform the deletion again.
- If the zone to delete is not the only zone in any rule you can delete the zone. The zone is removed from all the rules where it is specified.
If you have already defined Public Gateway IP Addresses, the information is migrated to a zone named LegacyIpZone. You cannot delete this zone, but you can edit it.
For existing rules, LegacyIpZone retains the previous settings. This zone is still active and can be used in new assignments.
Note: You can define a maximum of 5000 legacy network zones.
Blacklist an Entire Zone
Entire zones can be marked as blacklisted. Clients from these zones cannot access any URL for the org. To mark a zone as blacklisted, check Blacklist access from IPs listed in this zone in the Add IP Zone screen.
Note: Two network zones are created by default when the Multiple Network Zones feature is enabled. One of them can be used for blacklisting IPs. Creating multiple network zones is currently an EA feature; contact Okta support to enable it.
To set these IP addresses,
- Click Edit in the Gateway Settings section.
- Enter the appropriate IP addresses (see the Okta features that use Public Gateway IPs, below).
- Note: Separate IPs and IP ranges with a newline or comma, and separate IPs in a range with a dash.
- Click Save.
Okta Features Using Public Gateway IPs
Desktop SSO – Prevents the SSO redirect (to the IWA site) from occurring when accessed off premises.
Multifactor Authentication – Permits an admin to require MFA only when the system is accessed off premises.
App Sign On Policies – Permits denial of access to certain applications when accessed off premises.
The "Obey X-Forwarded-For header..." Checkbox
The Obey X-Forwarded-For header for specified Public Gateway IPs checkbox, in simplest terms, enables support for trusted proxies. Checking this box allows Okta to view the X-Forwarded-For (XFF) header to determine IP origin, allowing trusted public gateway IPs to gain on network status from Okta.
To enter the appropriate IP addresses
- Click Edit in the Gateway Settings section.
- Check the Obey X-Forwarded-For header for specified Public Gateway IPs checkbox. An empty field appears.
- Zscaler is a commonly used web proxy. If using Zscaler, click Add ZScaler IP addresses to automatically populate the field with trusted Zscaler addresses.
- Add additional trusted IP addresses, if needed.
- Click Save.
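To make the two security-relevant rules on this page concrete, the following added example (not Okta's code, and not a description of how Okta evaluates zones internally) parses a gateway specification in the accepted formats (one entry per line or comma separated; single IPv4 addresses, hyphen ranges, or CIDR blocks, with IPv6 rejected) and then decides whether a request is In zone or Not in zone, honouring X-Forwarded-For only when the checkbox is on and the connecting peer is itself a listed trusted proxy. The function names and the sample address blocks are constructed for illustration.

```python
import ipaddress

def parse_zone_spec(text):
    """Parse a zone specification in the formats the Network page accepts:
    entries one per line or comma separated, each a single IPv4 address,
    a hyphen-separated range, or a CIDR block. IPv6 entries are rejected."""
    networks = []
    for entry in (e.strip() for e in text.replace(",", "\n").splitlines()):
        if not entry:
            continue
        if "-" in entry:
            lo, hi = (ipaddress.IPv4Address(p.strip()) for p in entry.split("-", 1))
            if lo > hi:
                raise ValueError(f"range start after end: {entry}")
            networks.extend(ipaddress.summarize_address_range(lo, hi))
        else:
            # IPv4Network accepts "203.0.113.7" (as a /32) and "203.0.113.0/24";
            # an IPv6 literal raises AddressValueError, a ValueError subclass
            networks.append(ipaddress.IPv4Network(entry, strict=False))
    return networks

def effective_client_ip(peer_ip, xff_header, trusted_proxies, obey_xff):
    """Return the address to evaluate. X-Forwarded-For is honoured only when
    the checkbox is on AND the connecting peer is itself a trusted proxy;
    otherwise any client could forge the header to claim an in-zone origin."""
    peer = ipaddress.IPv4Address(peer_ip)
    if obey_xff and xff_header and any(peer in n for n in trusted_proxies):
        # XFF lists hops left to right; the leftmost entry is the original client
        return xff_header.split(",")[0].strip()
    return peer_ip

def evaluate_request(peer_ip, xff_header, gateway_spec, proxy_spec, obey_xff):
    """Classify one request as 'In zone' or 'Not in zone' for a single IP zone."""
    gateways = parse_zone_spec(gateway_spec)
    proxies = parse_zone_spec(proxy_spec) if proxy_spec else []
    client = ipaddress.IPv4Address(
        effective_client_ip(peer_ip, xff_header, proxies, obey_xff))
    return "In zone" if any(client in n for n in gateways) else "Not in zone"

# Constructed sample zone using documentation address blocks, not real infrastructure
GATEWAY_SPEC = "203.0.113.0/24, 198.51.100.10-198.51.100.20\n192.0.2.5"
PROXY_SPEC = "198.51.100.200"

if __name__ == "__main__":
    # Relayed by the trusted proxy on behalf of an in-zone client -> In zone
    print(evaluate_request("198.51.100.200", "203.0.113.77, 198.51.100.200",
                           GATEWAY_SPEC, PROXY_SPEC, obey_xff=True))
    # Same header sent directly by an untrusted host: the forged XFF is ignored
    print(evaluate_request("192.0.2.99", "203.0.113.77",
                           GATEWAY_SPEC, PROXY_SPEC, obey_xff=True))
```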