Manage Networks
A network zone includes a range of IP addresses that can be used to ensure that only users from specific networks are allowed or denied access to applications, the application portal, and the Administration and Authentication APIs. Additionally, for the application portal and applications, network zones can ensure that users located in specific networks are challenged with a designated assurance level for additional authentication.
The following network zones are available:
- Access Policy Network Zones: These zones include migrated trusted networks used in access policies that involve authentication conditions based on trusted networks. The default behavior is restricting IP addresses.
- System Default Zone: This is the default zone. It is automatically applied in network configurations and cannot be deleted as long as it remains the default. By default, this zone trusts all IP addresses. You can also set any other network zone as the default. For more information, see Set a Network Zone as Default.
- IDR Network Zones: These zones contain restricted networks published to the identity router (IDR) to block traffic. The default behavior is trusting IP addresses.
If you use the Trusted Network attribute in an access policy, during authentication the user’s IP address is compared with all trusted networks in the Access Policy Network Zone to find a match. The access policy specifies how to handle the user’s request (Allow, Deny, or Authenticate), depending on whether a match is found. Only Access Policy Network Zones can be used within access policies.
Super Administrators can create, edit, or delete network zones as needed.
Create a Network Zone
You can create network zones to define groups of IP addresses that are either trusted or restricted. Trusted networks are granted access to your configurations in Cloud Access Service (CAS), while restricted networks are blocked. Each network zone has a default behavior for IP addresses that are not included in the trusted or restricted lists. If no restricted networks are defined, or if an IP address is not part of any specified trusted network, the IP address will be treated as restricted by default. Conversely, if no trusted networks are defined, or if an IP address is not part of any specified restricted network, the IP address will be treated as trusted by default.
You can apply network zone restrictions to SCIM-based identity sources to enhance security and control access. This enables you to specify which IP addresses are permitted or denied for SCIM connectivity with CAS. Supported identity sources include Azure Active Directory (SCIM), Local, and SCIM Managed. For more information, see Unified Directory Identity Sources.
You can also allow or restrict IP addresses for AM connection to CAS by applying network zone restrictions to Authentication Manager registration. For more information, see Connect Your Cloud Access Service Deployment to Authentication Manager.
Procedure
- In the Cloud Administration Console, click Access > Networks.
- Click Create Network Zone.
- In the Name field, enter a name for the network zone (for example, "Company Internal Network" or "Eastern Region Office").
- (Optional) In the Description field, enter the network zone details.
- In the Trusted Networks list, add trusted networks to control application access. The network zone compares incoming traffic IPs with the trusted networks list to validate access. In the Restricted Networks list, define networks that are restricted from access.
  - In the Name field, enter the network name.
  - In the IP Address field, enter an IP address using the IPv4 standard for classless inter-domain routing (CIDR) notation. You can specify a single address, for example, 10.10.1.16. You can specify a range by including the number of bits to use as an IP network prefix. For example, 10.10.1.16/24 specifies the range from 10.10.1.0 to 10.10.1.255.
  - Click ADD to add more networks, if needed.
- Click Create Network Zone.
- (Optional) To publish this configuration change and immediately activate it on the identity router, click Publish Changes.
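Before typing entries into the Trusted Networks and Restricted Networks lists, it helps to confirm what each CIDR value actually covers. The following added example (not RSA code and not a CAS API; the function names and sample lists are constructed for illustration) expands each entry to its first and last address, reports entries such as 10.10.1.16/24 whose typed address is not the network address, rejects malformed values, and flags any range that appears in both lists so it can be resolved before publishing.

```python
import ipaddress

def expand_entry(entry):
    """Return (network, first_ip, last_ip, host_bits_set) for an IPv4 or CIDR entry."""
    entry = entry.strip()
    # strict=False accepts 10.10.1.16/24, where the typed address is not the
    # network address, and masks it down to the network the prefix selects.
    net = ipaddress.IPv4Network(entry, strict=False)
    typed = ipaddress.IPv4Address(entry.split("/")[0])
    return net, str(net[0]), str(net[-1]), typed != net.network_address

def review_zone(trusted, restricted):
    """Check planned (name, entry) lists; hypothetical helper, not a CAS API."""
    findings, parsed = [], {"trusted": [], "restricted": []}
    for label, entries in (("trusted", trusted), ("restricted", restricted)):
        for name, entry in entries:
            try:
                net, first, last, host_bits = expand_entry(entry)
            except ValueError as exc:  # bad octet, bad prefix length, IPv6
                findings.append(f"{label} '{name}': invalid IPv4/CIDR ({exc})")
                continue
            parsed[label].append((name, net))
            if host_bits:
                findings.append(f"{label} '{name}': {entry} covers {first}-{last}")
    for t_name, t_net in parsed["trusted"]:
        for r_name, r_net in parsed["restricted"]:
            if t_net.overlaps(r_net):
                findings.append(f"overlap: trusted '{t_name}' {t_net} "
                                f"and restricted '{r_name}' {r_net}")
    return findings

# Constructed sample lists, not taken from any real deployment.
TRUSTED = [("HQ", "10.10.1.16/24"), ("VPN gateway", "10.10.1.16")]
RESTRICTED = [("Guest Wi-Fi", "10.10.1.128/25"), ("Typo", "10.10.1.300/24")]

if __name__ == "__main__":
    for finding in review_zone(TRUSTED, RESTRICTED):
        print(finding)
```
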
Set a Network Zone as Default
You can set a network zone as the default to automatically apply its rules to IP addresses that are not part of any other defined network. A network zone cannot be deleted while it is set as the default.
Procedure
- In the Cloud Administration Console, click Access > Networks.
- Click the three vertical dots next to the network zone you want and select Set as default. An icon appears next to the network zone name to indicate it is the default.
View or Edit an Existing Network Zone
You can review the details of any network zone or make changes to its settings, such as updating trusted or restricted networks.
Procedure
- In the Cloud Administration Console, click Access > Networks.
- Locate the network zone you want to view or edit, click the three vertical dots next to it, and select View/Edit.
- Make any changes if needed, then click Save to apply them.
Delete a Network Zone
After you delete a network zone from RSA Authenticator, that network is no longer used during authentication to determine who can access applications and the application portal, and which assurance level to use for additional authentication.
Procedure
- In the Cloud Administration Console, click Access > Networks.
- Locate the network zone you want to delete, click the three vertical dots next to it, and select Delete.
- When prompted, confirm the deletion.
- Click Save to apply your changes.
- (Optional) To immediately activate this configuration change on the identity router, click Publish Changes.
Note: The Access Policy Network Zones cannot be deleted.