Manage Networks
A network zone includes a range of IP addresses that can be used to ensure that only users from specific networks are allowed or denied access to applications, the application portal, and the Administration and Authentication APIs. Additionally, for the application portal and applications, network zones can ensure that users located in specific networks are challenged with a designated assurance level for additional authentication.
Super Administrators can create, edit, and delete network zones as needed, and any network zone can be set as the default zone for your Cloud Access Service (CAS) deployment:
The following network zone automatically exists in every new CAS deployment:
System Default Zone: RSA creates this zone as the initial default network zone when it sets up your Cloud deployment. As the default network zone, it is automatically applied to configurations when no network zone is selected. When initially created, this zone trusts all IP addresses. You can edit this zone, but you cannot delete it while it is set as the default. To set another network zone as the default, see Set a Network Zone as Default .
The following network zones are no longer automatically added to CAS deployments. If they exist in your deployment, you can edit or delete them:
Access Policy Network Zones: You can use this zone in any network zone configuration, and you can configure Access Policy Conditions with any network zone. For more information, see Add, Clone, or Delete an Access Policy.
IDR Network Zones: You can use this zone in any network zone configuration, and you can configure Clusters with any network zone.
Create a Network Zone
You can create network zones to define groups of IP addresses that are either trusted or restricted. Trusted networks are granted access to your configurations in Cloud Access Service (CAS), while restricted networks are blocked. Each network zone has a default behavior for IP addresses that are not included in the trusted or restricted lists. If no restricted networks are defined, or if an IP address is not part of any specified trusted network, the IP address will be treated as restricted by default. Conversely, if no trusted networks are defined, or if an IP address is not part of any specified restricted network, the IP address will be treated as trusted by default.
You can apply network zone restrictions to SCIM-based identity sources to enhance security and control access. This enables you to specify which IP addresses are permitted or denied for SCIM connectivity with CAS. Supported identity sources include Azure Active Directory (SCIM), Local, and SCIM Managed. For more information, see Unified Directory Identity Sources.
You can also allow or restrict IP addresses for AM connection to CAS by applying network zone restrictions to Authentication Manager registration. For more information, see Connect Your Cloud Access Service Deployment to Authentication Manager.
Procedure
- In the Cloud Administration Console, click Access > Networks.
- Click Create Network Zone.
- In the Name field, enter a name for the network zone (for example, "Company Internal Network" or "Eastern Region Office").
- (Optional) In the Description field, enter the network zone details.
- In the Trusted Networks list, add trusted networks to control application access. The network zone compares incoming traffic IPs with the trusted networks list to validate access. In the Restricted Networks list, define networks that are restricted to access.
In the Name field, enter the network name.
In the IP Address field, enter an IP address using the IPv4 standard for classless inter-domain routing (CIDR) notation. You can specify a single address, for example, 10.10.1.16. You can specify a range by including number of bits to use as an IP network prefix. For example, 10.10.1.16/24 specifies the range from 10.10.1.0 to 10.10.1.255.
Click ADD to add more networks, if needed.
Click Create Network Zone.
(Optional) To publish this configuration change and immediately activate it on the identity router, click Publish Changes.
Set a Network Zone as Default
You can set a network zone as the default to automatically apply its rules to IP addresses that are not part of any other defined network. A network zone cannot be deleted while it is set as the default.
Procedure
- In the Cloud Administration Console, click Access > Networks.
Click the drop-down arrow next to the network zone you want, then select Set as default. The blue default icon appears next to the network zone.
View or Edit an Existing Network Zone
You can review the details of any network zone or make changes to its settings, such as updating trusted or restricted networks.
Procedure
- In the Cloud Administration Console, click Access > Networks.
- Click View/Edit next to the network zone you want to view or edit.
Make any required changes, then click Save to apply them.
Delete a Network Zone
After you delete a network zone from RSA Authenticator, that network is no longer used during authentication to determine who can access applications and the application portal, and which assurance level to use for additional authentication.
Note: You cannot delete a network zone if it is set as the default.
Procedure
- In the Cloud Administration Console, click Access > Networks.
- Click the drop-down arrow next to the network zone you want to delete, then select Delete.
- When prompted, confirm the deletion.
- Click Save to apply your changes.
- (Optional) To immediately activate this configuration change on the identity router, click Publish Changes.
Related Articles
Replacing the Console Certificate 287Number of Views Configure the Remote Syslog Host for Real Time Log Monitoring 576Number of Views Cloud Administration User Event Log API 465Number of Views Import a Token Record File 349Number of Views Add an Identity Source 311Number of Views
Trending Articles
RSA Authentication Manager Upgrade Process RSA Authentication Manager 8.8 Setup and Configuration Guide How to manipulate imported RSA SecurID Software Token(s) on an iPhone or iPad device RSA Authentication Manager 8.9 Setup and Configuration Guide Authentication Manager Supported Hardware and Upgrade Paths