Requiring client IP addresses to be within specified IP address ranges

You can require that client IP addresses be within a specified IP address range or ranges to log on to the cloud service. Clients to which this feature applies with IP addresses that are outside of a specified range cannot log in.

Before you begin

Enabling IP address restrictions can block mobile device access to the following applications Traveler, Mobile Chat, Mobile Meetings, Mobile Connections. To allow device access to these mobile applications when IP address restrictions are used, enable the use of applications passwords and select the Ignore IP range restrictions for applications setting. Complete this task before you enable IP address restrictions. For more information, see Enabling application passwords.

About this task

This feature provides an extra level of security. If IP ranges are restricted to IP addresses that can only originate from your network, an attacker must authenticate to the service from within your network to access any data.

IP range restrictions can currently be used to restrict access to clients that access browser-based applications over HTTP.

This feature is not currently supported for clients that access the service over the following protocols:
  • IMAP
  • NRPC
  • SMTP

Your company might use a proxy device between your clients and the cloud service. In this case, if the proxy does not propagate the client IP address to the service, the IP address restriction must be for the proxy IP address rather than the client IP address.

You can use IP address restrictions in combination with SAML single sign-on authentication.

Note: Be careful when enabling this feature to ensure that all clients can continue to access the service.

Procedure

  1. Click Administration > Manage Organization
  2. Click Security.
  3. Click Add Range in the IP Address Ranges section to enter the beginning and ending IP addresses. You must specify the IP address at which you are currently logged in.