Define Secure Zones
This topic describes how to define Secure Zones by specifying IP ranges.
You can specify your entire corporate IP range, or create additional Secure Zones using a subset of your corporate IP range or an external IP range. You can use Secure Zones for the following use cases.
Use case | Description |
---|---|
Configure Integrated Windows Authentication (IWA) | With IWA, Active Directory users can sign in to CyberArk Identity with silent authentication. Refer to Manage Integrated Windows Authentication (IWA) for more information. |
Create authentication rules based on Secure Zones (see Create authentication rules) | If you enable authentication policy controls, you can exempt users from additional authentication requirements when they sign in from a Secure Zone. Secure Zones can be internal or external to your corporate network. The exemption is keyed on the source IP address of the sign-in, so it applies to every request from that range; define zones only for networks whose hosts and egress you control. |
Define Secure Zones for authentication and access control
The following procedure describes how to define Secure Zones based on corporate IP ranges. You can use these Secure Zones to create authentication and access control policies.
- In the Identity Administration portal, go to Settings > Network > Secure Zones > Add.
- Enter a name that identifies the IP address or range at a glance.
- Enter an IP address or a range of addresses in CIDR form, <network>/<prefix length> (for example, 203.0.113.0/24), or a comma-separated list of addresses or ranges with no spaces, then click OK. Use routable, public IP addresses: CyberArk Identity is a hosted service and matches the source address it observes, which for clients behind NAT is your network's public egress address, not the client's private (RFC 1918) address.
All new configurations default to Active, as shown in the Status column. This means that any policy rule that uses the inside secure zones or outside secure zones condition includes the new Secure Zone in its evaluation (refer to the IP address filter in Create authentication rules).
Disable Secure Zones
You can disable a Secure Zone to exempt its range from policy rules. Disabling the zone sets its status to Inactive, and any policy setting configured in Policies > Authentication Policies that refers to the zone is no longer applied to that range. For example, if a policy setting enforces an email authentication mechanism for access to CyberArk Identity from the Secure Zone defined by the IP address range 192.168.92.11/30, and you disable that Secure Zone, the email authentication rule is no longer enforced for that range. The default profile is enforced instead when users sign in to CyberArk Identity from those addresses.
See the table below for a summary.
Action | Status | Description |
---|---|---|
Disable | Inactive | Policy rules configured in Identity Administration portal > Policies > Authentication Policies are not enforced for the selected IP range. |
Enable (default) | Active | Policy rules configured in Identity Administration portal > Policies > Authentication Policies are enforced for the selected IP range. |
The following procedure describes how to disable Secure Zones.
To exempt an IP address or range from policy rules by disabling a Secure Zone
- Click Settings > Network > Secure Zones.
- Select the IP address or ranges that you want to exempt from a configured policy rule (you can select multiple IP ranges). For information on authentication rules for the IP address filter, see Create authentication rules.
- Click Actions, then select Disable from the drop-down menu. Once you select Disable, the Status column shows the IP range as Inactive.
Select Enable from the drop-down menu to set the IP range status back to Active. Any policy rules configured for the IP range are then applied again.
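The following script is an added example written for this article; it is not CyberArk's code and does not call the CyberArk Identity API. It models the two procedures above (defining a zone from the portal's input format, and the effect of Disable/Enable on rule evaluation) so you can check what a given zone definition and client address will do before you change policy. It assumes that each comma-separated entry may be a single address or a CIDR block, that IPv6 is accepted alongside IPv4, and that an Inactive zone is simply skipped when deciding whether a client is inside a Secure Zone; the zone names, addresses and profile names are constructed.

```python
"""Model of Secure Zone input validation and inside/outside evaluation.

Illustrative code written for this article; it is not CyberArk's code or API.
Assumptions (not stated on the page): each comma-separated entry may be a
single address or a CIDR block, IPv6 is accepted alongside IPv4, and an
Inactive zone is skipped when deciding whether a client is inside a Secure
Zone. Zone names, addresses and profile names are constructed sample data.
"""
import ipaddress
from dataclasses import dataclass


class SecureZoneError(ValueError):
    """Raised for input the portal would reject (spaces, malformed entries)."""


# Ranges a hosted service never sees as a client source address: RFC 1918,
# CGNAT, loopback, link-local, multicast, reserved, "this network".
# Kept as an explicit list (an assumption of this example) instead of the
# stdlib is_private/is_global flags, whose coverage varies between versions.
NON_ROUTABLE = {
    4: [ipaddress.ip_network(n) for n in (
        "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
        "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16",
        "224.0.0.0/4", "240.0.0.0/4")],
    6: [ipaddress.ip_network(n) for n in (
        "::/128", "::1/128", "fc00::/7", "fe80::/10", "ff00::/8")],
}


def parse_zone_ranges(text):
    """Parse '<network>/<prefix length>' or a comma-separated list with no spaces.

    Whitespace is rejected rather than stripped: the portal's format forbids
    it, and silently fixing it would hide a typo that split one range in two.
    strict=False accepts host bits in the network part, so 192.168.92.11/30
    is read as the block 192.168.92.8/30.
    """
    if not text or any(ch.isspace() for ch in text):
        raise SecureZoneError("enter a comma-separated list with no spaces")
    networks = []
    for entry in text.split(","):
        try:
            networks.append(ipaddress.ip_network(entry, strict=False))
        except ValueError as exc:
            raise SecureZoneError(f"invalid address or range: {entry!r}") from exc
    return networks


def non_routable_entries(networks):
    """Return entries overlapping a non-routable block (the 'use public IPs' check)."""
    return [net for net in networks
            if any(net.overlaps(block) for block in NON_ROUTABLE[net.version])]


@dataclass
class SecureZone:
    name: str
    networks: list
    active: bool = True  # new zones default to Active, as in the portal


def inside_secure_zone(zones, client_ip):
    """Return the first Active zone containing client_ip, or None.

    Inactive zones are skipped entirely, so a client in a disabled zone is
    evaluated as 'outside secure zones'.
    """
    addr = ipaddress.ip_address(client_ip)
    for zone in zones:
        if zone.active and any(addr in net for net in zone.networks):
            return zone
    return None


def authentication_profile(zones, client_ip, rules, default_profile):
    """Pick the authentication profile for a sign-in from client_ip.

    rules is an ordered list of (condition, profile) pairs, condition being
    'inside' or 'outside' (secure zones); the first rule whose condition
    holds wins, and the default profile applies when none does. Disabling a
    zone therefore removes its range from 'inside' rules and hands it to an
    'outside' rule if one exists, otherwise to the default profile.
    """
    inside = inside_secure_zone(zones, client_ip) is not None
    for condition, profile in rules:
        if (condition == "inside") == inside:
            return profile
    return default_profile


if __name__ == "__main__":
    # Constructed sample zones; 192.168.92.11/30 is the article's own example
    # and is RFC 1918, so it draws the non-routable warning.
    zones = [SecureZone("HQ egress", parse_zone_ranges("203.0.113.0/24")),
             SecureZone("Lab", parse_zone_ranges("192.168.92.11/30"))]
    for zone in zones:
        for net in non_routable_entries(zone.networks):
            print(f"warning: zone {zone.name!r}: {net} is not a routable public range")
    rules = [("inside", "Email OTP")]
    print(authentication_profile(zones, "203.0.113.45", rules, "Default Profile"))  # Email OTP
    zones[0].active = False  # Actions > Disable in the portal
    print(authentication_profile(zones, "203.0.113.45", rules, "Default Profile"))  # Default Profile
```

Running it prints a warning for the Lab zone, because the 192.168.92.x range used as the article's example is private address space that a hosted service will never observe as a source address, then shows the HQ client receiving the Email OTP profile while the zone is Active and the default profile once it is disabled. The model also makes the less obvious consequence visible: if you have a rule keyed on outside secure zones, disabling a zone moves its range under that rule rather than simply removing all requirements.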