Networks

A network zone is a set of IP address ranges, a single IP address, or geolocations that are defined by an admin for network security.


Creating and configuring a network zone allows an admin to set a network perimeter for improved security. As an admin, you can set up to 100 zones. Each zone can contain up to 150 gateways and 150 proxies. Zones are used in policies, application sign in rules, VPN Notifications, and Integrated Windows Authentication (IWA). If a zone definition is updated, any policy or rule that uses it is automatically updated to the new specification.

Once your network zones are configured, they can be used in Okta Sign-On, Application Sign-On, MFA, and Password policies, and in IWA and VPN notification configurations. For example, you can use zones in an Okta Sign-On Policy to allow or block access to Okta.


Accessing this feature

From the admin dashboard, navigate to Security > Networks.


Types of Zones

There are two types of network zones:

  1. IP Zones: A zone where the network perimeter is configured based on IP addresses
  2. Dynamic Zones: A zone where the network perimeter is configured based on location or the proxy type. To create a dynamic zone, one of two features must be enabled: Geolocation for Network Zones or IP Trust for Network Zones.


IP Zone Evaluation

Once an IP Zone is included in a policy, Okta checks whether the IP chain of the request matches the gateways and proxies configured in the zone.

The following applies when the IP chain of the request contains one IP:

  • If the IP is defined as a gateway in a particular zone, Okta considers the request to be from within that zone.

The following applies when the IP chain of the request contains more than one IP:

Gateway Evaluation
  • If the rightmost IP address in the chain is defined as a gateway for that zone, the request is considered to be from inside that zone.
  • If the rightmost IP address in the chain is defined as neither a gateway nor a proxy for that zone, the request is considered not to be from inside that zone.

Proxy Evaluation
  • If the rightmost IP address in the chain is not defined as a gateway but is defined as a proxy, Okta then checks the IP immediately to the left of that proxy, and the process repeats.
  • If that IP is a gateway IP, the request is considered to be from inside that zone.
  • If it is neither a gateway IP nor a proxy, the IP address is not considered a match and the request is considered not to be from inside that zone.

This process of matching continues until one of the following is found:

  • An IP in the chain is a gateway (in which case the request is considered from within the zone).

  • An IP in the chain is neither a gateway nor a proxy (in which case the request is considered not to be from within the zone).
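The right-to-left walk described above, written out as a small Python model. This is an added illustration, not Okta's implementation: the zone contents, the request chains and the comma-separated X-Forwarded-For-style header format are all constructed for the example. The page does not say what happens when every IP in the chain is a trusted proxy and no gateway is ever reached; the code treats that case as "not in zone" (fail closed), which is this example's own assumption.

```python
"""Right-to-left IP zone evaluation for a proxied request chain.

Added illustration, not Okta's implementation. Zone contents, request
chains and the X-Forwarded-For-style header format are all constructed.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]
Address = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]


@dataclass(frozen=True)
class IpZone:
    name: str
    gateways: Tuple[Network, ...]
    proxies: Tuple[Network, ...]


def make_zone(name: str, gateways: List[str], proxies: List[str]) -> IpZone:
    """Build a zone from CIDR or single-IP strings (a bare IP becomes a /32 or /128)."""
    def to_net(s: str) -> Network:
        return ipaddress.ip_network(s, strict=False)
    return IpZone(name, tuple(to_net(g) for g in gateways), tuple(to_net(p) for p in proxies))


@dataclass(frozen=True)
class ZoneDecision:
    in_zone: bool
    matched_ip: Optional[str]  # the IP that settled the decision, if any
    reason: str


def parse_ip_chain(header_value: str) -> List[Address]:
    """Parse a comma-separated chain: client first, hop that reached Okta last."""
    return [ipaddress.ip_address(p.strip()) for p in header_value.split(",") if p.strip()]


def _in_any(ip: Address, networks: Tuple[Network, ...]) -> bool:
    # Membership tests across IPv4/IPv6 simply evaluate to False.
    return any(ip in net for net in networks)


def evaluate_ip_zone(zone: IpZone, chain: List[Address]) -> ZoneDecision:
    """Walk the chain from the rightmost IP leftward, as the rules above describe.

    A gateway ends the walk with "in zone"; a trusted proxy moves one step
    left; anything else ends the walk with "not in zone".
    """
    if not chain:
        return ZoneDecision(False, None, "empty IP chain")
    idx = len(chain) - 1
    while idx >= 0:
        ip = chain[idx]
        if _in_any(ip, zone.gateways):
            return ZoneDecision(True, str(ip), "gateway match")
        if _in_any(ip, zone.proxies):
            idx -= 1  # trusted proxy: verify the IP to its left and repeat
            continue
        return ZoneDecision(False, str(ip), "neither gateway nor proxy")
    # Every IP was a trusted proxy and no gateway appeared. The page does not
    # cover this case; failing closed here is this example's assumption.
    return ZoneDecision(False, None, "chain exhausted without a gateway")


if __name__ == "__main__":
    # Constructed zone: one office range as the gateway, one trusted proxy.
    corp = make_zone("corp", ["203.0.113.0/24"], ["198.51.100.10"])
    for header in ("203.0.113.5",
                   "203.0.113.5, 198.51.100.10",
                   "192.0.2.1, 198.51.100.10",
                   "203.0.113.5, 192.0.2.77",  # gateway IP sitting behind an untrusted hop
                   "198.51.100.10"):
        d = evaluate_ip_zone(corp, parse_ip_chain(header))
        print(f"{header!r:32} -> in_zone={d.in_zone} ({d.reason}, ip={d.matched_ip})")
```

The fourth sample chain is the one worth noticing: a gateway address appears on the left, but the hop that actually reached the service is not a configured proxy, so the walk stops immediately and the request is outside the zone. Starting from the rightmost IP is what keeps a forged left-hand entry in the chain from counting as a gateway match, which is also why the proxy report note below asks you to add only proxies you trust.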


Dynamic Zone Evaluation

When a dynamic zone is included in a policy, Okta checks whether the dynamic zone configuration (location, proxy type, or ASN) matches the location, proxy type, and ASN of the IP address from which the request originated.

The following applies when the IP chain of the request contains one IP:

  • Okta resolves the location, proxy type, or ASN for that IP and compares it with the dynamic zone configuration (location, proxy type or ASN) to determine if the request is from within that zone.

The following applies when the IP chain of the request contains more than one IP:


Generating a Proxy IP Report

A report of proxy IP addresses can be generated to help you identify which proxies can be configured in IP zones. This information is used by Okta to correctly identify the client IP where the request originated. The proxy report lists all proxy IP addresses that have been used to connect to your Okta org, including proxies that may or may not be trusted.

Note: Due to the possibility that some proxy IP addresses may potentially be malicious, ensure that any IP you add as a trusted proxy is trustworthy.

To obtain a list from your dashboard, navigate to Reports > Proxies. For more information, refer to Reports.
