Define Secure Zones

This topic describes how to define Secure Zones by specifying IP ranges.

You can specify your entire corporate IP range, or create additional Secure Zones using a subset of your corporate IP range or an external IP range. You can use Secure Zones for the following use cases.

Use case: Configure Integrated Windows Authentication (IWA)
Description: With IWA, Active Directory users can sign in to Identity Administration with silent authentication. See Manage Integrated Windows Authentication (IWA) for more information.

Use case: Create authentication rules based on Secure Zones
Description: If you enable authentication policy controls, you can exempt users from additional authentication requirements when they are in a Secure Zone. Secure Zones can be internal or external to your corporate network. See Create authentication rules for more information.

Use case: Configure App Gateway
Description: App Gateway enables users to access self-hosted applications from external IP addresses without a VPN. Secure Zones define whether an IP address is internal or external. Internal and external IP addresses might access an App Gateway application through different URLs for optimal performance: for example, a user who accesses the app from inside a Secure Zone uses the app's internal URL for better performance. See Configure an application to use App Gateway for more information.

Define Secure Zones for authentication and access control

The following procedure describes how to define Secure Zones based on corporate IP ranges. You can use these Secure Zones to create authentication and access control policies.

To define a Secure Zone:
  1. In the Identity Administration portal, go to Settings > Network > Secure Zones > Add.
  2. Enter a name to quickly identify the IP address or range.
  3. Enter a single IP address, a range in CIDR notation (<network>/<prefix length>), or a comma-separated list of addresses and ranges without spaces, then click OK.

    Use routable, public IP addresses. The zone is matched against the source address of the request as it reaches Identity Administration, so enter the public addresses your users appear from (for example, the NAT or proxy egress addresses of your offices); a private internal range is never seen as the source of a sign-in and therefore never matches.

All new configurations default to Active, as shown in the Status column. This means that any configured policy rules based on the inside secure zones or outside secure zones conditions include the new Secure Zone in their logic (refer to the IP address filter in Create authentication rules).

Disable Secure Zones

You can disable Secure Zones to exempt them from policy rules. Disabling the zone sets it to inactive. Any policy settings configured in Policies > Authentication Policies that include the inactive Secure Zones are not applied to those Secure Zones. For example, if you have a policy setting that enforces an email authentication mechanism to access Identity Administration for the Secure Zone defined by IP address range 192.168.92.11/30, and you disable that Secure Zone, then the email authentication policy rule is not enforced for that IP address range. In this case, the default profile is enforced instead when users sign in to Identity Administration.

See the table below for a summary.

Action            Status    Description
Disable           Inactive  Policy rules configured in Identity Administration portal > Policies > Authentication Policies are not enforced for the selected IP range.
Enable (default)  Active    Policy rules configured in Identity Administration portal > Policies > Authentication Policies are enforced for the selected IP range.

The following procedure describes how to disable Secure Zones.

To exempt an IP address or range from policy rules by disabling a Secure Zone:

  1. Click Settings > Network > Secure Zones.
  2. Select the IP addresses or ranges that you want to exempt from a configured policy rule (you can select multiple IP ranges).

    For information on authentication rules for the IP address filter, see Create authentication rules.

  3. Click Actions, then select Disable from the drop-down menu.

    Once you select Disable, the Status column indicates that the IP range is Inactive.

    Select Enable from the drop-down menu to set the IP range status back to Active. Any policy rules configured for the IP range are then applied.
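The following Python is an added example, not Identity Administration product code: it models the Secure Zone behaviour described in the two procedures above (the input format of step 3, the Active/Inactive status, and the effect of Disable on an authentication rule that uses the inside/outside secure zones filter) so you can sanity-check zone entries and rules offline before entering them in the portal. The zone names, the rule representation (condition, profile) and the corporate block 203.0.113.0/24 (an RFC 5737 documentation range standing in for a real public NAT egress block) are constructed assumptions; 192.168.92.11/30 is the page's own example and is used to show why the "use routable, public IP addresses" note matters and that a range entered with host bits set is normalised to its network address.

```python
"""Offline model of Secure Zone matching (added example, not product code).

Assumptions: a zone definition is a single address, <network>/<prefix length>,
or a comma-separated list without spaces; a rule is (condition, profile) with
condition 'inside' or 'outside' (the page's "inside secure zones" / "outside
secure zones" IP address filter); the first matching rule wins and the default
profile applies when none matches.  All sample data below is constructed.
"""
import ipaddress
from dataclasses import dataclass


@dataclass
class SecureZone:
    name: str
    networks: list          # ipaddress.ip_network objects
    active: bool = True     # the Status column: Active (default) or Inactive


def parse_zone(name, spec, active=True):
    """Parse one Secure Zone definition in the portal's input format.

    A lone address becomes a /32 (or /128).  A range with host bits set, such
    as the page's own 192.168.92.11/30, is accepted and normalised to its
    network address (192.168.92.8/30); strict=True would reject it instead.
    """
    if " " in spec:
        raise ValueError("use a comma-separated list without spaces")
    networks = []
    for item in spec.split(","):
        if not item:
            raise ValueError("empty entry in zone definition")
        networks.append(ipaddress.ip_network(item, strict=False))
    return SecureZone(name, networks, active)


# Source ranges a cloud identity service never observes on an inbound request:
# traffic from them arrives NATed to a public address, so a zone built from
# them never matches.  RFC 5737 documentation ranges are deliberately not
# listed so they can stand in for real public blocks in this example.
NON_ROUTABLE_SOURCE_RANGES = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",    # RFC 1918
    "100.64.0.0/10",                                     # carrier-grade NAT
    "127.0.0.0/8", "169.254.0.0/16",                     # loopback, link-local
    "::1/128", "fc00::/7", "fe80::/10",                  # IPv6 equivalents
)]


def non_routable(zone):
    """Return the zone's entries that lie inside a non-routable source range."""
    return [n for n in zone.networks
            if any(n.subnet_of(r) for r in NON_ROUTABLE_SOURCE_RANGES
                   if r.version == n.version)]


def active_zone_for(client_ip, zones):
    """The first Active zone containing client_ip, or None.

    Inactive zones are skipped entirely: this is what Disable does, the
    address is then treated as outside every Secure Zone.
    """
    ip = ipaddress.ip_address(client_ip)
    for zone in zones:
        if zone.active and any(ip in n for n in zone.networks):
            return zone
    return None


def required_profile(client_ip, zones, rules, default_profile):
    """Evaluate authentication rules whose condition is an IP address filter.

    rules: list of (condition, profile) with condition 'inside' or 'outside'.
    The first rule whose condition holds wins; otherwise the default profile.
    """
    inside = active_zone_for(client_ip, zones) is not None
    for condition, profile in rules:
        if condition == "inside" and inside:
            return profile
        if condition == "outside" and not inside:
            return profile
    return default_profile


if __name__ == "__main__":
    # Constructed sample: a corporate NAT egress block plus the page's lab range.
    corp = parse_zone("Corp egress", "203.0.113.0/24,203.0.113.250")
    lab = parse_zone("Lab", "192.168.92.11/30")
    for zone in (corp, lab):
        for bad in non_routable(zone):
            print(f"warning: {zone.name}: {bad} is not a routable public range")

    # The page's scenario: email authentication enforced inside the zone,
    # then the zone is disabled via Actions > Disable.
    rules = [("inside", "Email")]
    print(required_profile("192.168.92.9", [lab], rules, "Default"))   # Email
    lab.active = False
    print(required_profile("192.168.92.9", [lab], rules, "Default"))   # Default
```

Run it as a script to see the lab zone flagged as non-routable and the rule outcome flip from Email to Default once the zone is disabled, which is the behaviour the procedure above describes. Note that disabling a zone does not exempt the range from all rules: the address is then evaluated as outside every Secure Zone, so any rule with an "outside secure zones" condition will apply to it.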