Reference Material | Geoblocking

Central concepts

Allow: list of countries, IP addresses or ranges explicitly allowed to access a service.
Deny: list of countries, IP addresses or ranges explicitly blocked from accessing a service.

Description

Geoblocking allows you to restrict access to your Specops Authentication account for certain users based on the geographical location (country) or the specific IP address from which they are trying to access the service. The blocking of countries is based on a continuously updated list of IP addresses associated with each country.

The Gatekeeper Admin Tool will show an overview of the current Geoblocking settings if geoblocking is enabled.

When users attempt to log in from a blocked country or IP range, they will get a message saying: “Unknown domain or username.”

A common geoblocking scenario is one where certain countries are denied, but certain IP ranges within those countries are allowed (for example, so that local offices there can access the service).

Note that you do not have to populate both lists. You can populate only the countries list, only the IP ranges list, or both.

Adding countries and IP ranges
Countries
  1. At the top of the Countries list, choose whether you want to deny or allow the countries in the list by selecting the appropriate option in the dropdown. This step can also be performed later in the process if you want to populate the list first.
    Note: you can either deny or allow countries or IP ranges; it is not possible to combine Deny and Allow in one column.
  2. In the Select country dropdown, select the country you want to add to the list and select Add.
  3. Repeat this for every country you want to add.
IP ranges
  1. At the top of the IP Ranges list, choose whether you want to deny or allow the IP ranges in the list by selecting the appropriate option in the dropdown. This step can also be performed later in the process if you want to populate the list first.
  2. Enter a name in the Name IP Range field so that it is recognizable in the list, e.g. Office Access.
  3. Enter IP addresses in the From and To fields and select Add.
    Note: do not use IP range notations (e.g. 192.168.0.15/24) in the To or From fields.
    Note: To add a single IP address, enter it in the From field, and leave the To field empty.
  4. Repeat this for every IP address or range you want to add.
Examples
Example 1

Countries list is populated with allowed countries
When allowing countries, all countries not listed are automatically blocked. You can then do one of the following if you need to refine your criteria:

  • Deny certain IP ranges within the allowed countries. OR
  • Allow additional IP ranges outside the allowed countries.
Example 2

Countries list is populated with denied countries
When denying countries, requests from all countries not listed are automatically allowed. You can then do one of the following if you need to refine your criteria:

  • Allow certain IP ranges within the denied countries. OR
  • Deny additional IP ranges outside the denied countries.
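
The evaluation described in Examples 1 and 2 can be modelled offline to dry-run a planned configuration, including the administrator's own address, before entering it in the tool. The following Python code is an added example, not Specops code: it assumes that a matching IP range entry overrides the country rule, takes the country of each test address as given input instead of looking it up, and uses constructed addresses, country codes and range names.

```python
import ipaddress

def cidr_to_from_to(cidr):
    """Expand a CIDR block into the plain From/To addresses the fields expect."""
    net = ipaddress.ip_network(cidr, strict=False)  # tolerate host bits, e.g. .15/24
    return str(net[0]), str(net[-1])

def in_range(ip, start, end=""):
    """True if ip lies within From..To; an empty To means a single address."""
    addr, lo = ipaddress.ip_address(ip), ipaddress.ip_address(start)
    hi = ipaddress.ip_address(end) if end else lo
    return addr.version == lo.version == hi.version and lo <= addr <= hi

def is_allowed(ip, country, policy):
    """Assumed evaluation order: a matching IP range entry overrides the country rule."""
    if any(in_range(ip, lo, hi) for _name, lo, hi in policy["ranges"]):
        return policy["range_mode"] == "allow"
    listed = country in policy["countries"]
    return listed if policy["country_mode"] == "allow" else not listed

def dry_run(policy, cases):
    """Return {ip: allowed} for (ip, country) pairs, e.g. the admin's own address."""
    return {ip: is_allowed(ip, country, policy) for ip, country in cases}

# Constructed sample for Example 2: countries denied, office range inside allowed.
office_from, office_to = cidr_to_from_to("203.0.113.15/24")
POLICY = {
    "country_mode": "deny", "countries": {"SE"},
    "range_mode": "allow",
    "ranges": [("Office Access", office_from, office_to),
               ("VPN egress", "198.51.100.9", "")],  # single address, To left empty
}
CASES = [("203.0.113.40", "SE"),   # office address inside a denied country
         ("198.51.100.9", "SE"),   # single allowed address
         ("198.51.100.10", "SE"),  # any other address in the denied country
         ("192.0.2.77", "NO")]     # country not on the denied list

if __name__ == "__main__":
    print("Office Access From/To:", office_from, office_to)
    for ip, ok in dry_run(POLICY, CASES).items():
        print(f"{ip:15} {'allowed' if ok else 'blocked'}")
```

Adding your own current address and country to the test cases shows in advance whether a planned configuration would trigger the lockout error described under "Blocking your own IP address".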
General guidelines and restrictions
Unknown IP addresses

Some IP addresses are not associated with specific countries in the database and are therefore by definition not denied or allowed in the country list. Administrators can choose to add these unknown IP addresses to the country list by selecting the option (Unknown Country) in the Select Country dropdown.

Blocking your own IP address

Administrators cannot block the IP address they are accessing the Specops Authentication web from. Any country or IP range that includes your current IP address will not be added to the denied list. Similarly, any country or IP range that excludes your current IP address will not be added to the allowed list, unless your own country or IP range is already allowed as well. In these cases, administrators will see the following error message: “The configuration you are trying to save will lock you out of Specops Authentication. Please review your settings and try again.”

Duplicate IP ranges

The system will not allow you to add duplicate IP addresses or ranges.

Logging

All events related to geoblocking are logged in the Reporting section of the Specops Authentication web.

Auditing

All updates to the Geoblocking settings are logged here. Events related to geoblocking are listed under the category GeoBlocking. Clicking on an entry will reveal the ID of the user who made the change, as well as what changes were made (e.g. GeoBlockingCountrRemoved SE, if Sweden was removed from the list).

System Events

Any blocked login attempts will be listed here. Events related to geoblocking will be listed as Geoblocked. If you want to filter the list for geoblocking events, enter ipAddressBlocked in the Event field.