Geoblocking
Central concepts
Allow: list of countries, IP addresses or ranges explicitly
allowed to access a service.
Deny: list of countries, IP addresses or ranges explicitly
blocked from accessing a service.
Description
Geoblocking allows you to restrict access to your Specops Authentication
account for certain users based on the geographical location (country)
or specific IP address they are trying to access the service from. The
blocking of countries is based on a continuously updated list of IP
addresses associated with each country.
The Gatekeeper Admin Tool will show an overview of the current
Geoblocking settings if geoblocking is enabled.
When users attempt to log in from a blocked country or IP range, they
will get a message saying: “Unknown domain or username.”
A common scenario for geoblocking is one where certain countries are
denied, but certain IP ranges within those countries are allowed (for
example, so that local offices there can access the service).
Note that you do not have to populate both lists. You can choose to only
list either countries or IP ranges, or both.
Adding countries and IP ranges
Countries
- At the top of the list, choose whether you want to deny or allow the
  countries in the list by selecting the appropriate option in the
  dropdown. This step can also be performed later in the process if you
  want to populate the list first.
  NOTE: You can only either deny or allow countries or IP ranges; it is
  not possible to combine Deny and Allow in one column.
- In the Select country dropdown, select the country you want to add to
  the list and select Add.
- Repeat this for every country you want to add.
IP ranges
- At the top of the IP Ranges list, choose whether you want to deny or
  allow the IP ranges in the list by selecting the appropriate option in
  the dropdown. This step can also be performed later in the process if
  you want to populate the list first.
- Enter a name in the Name IP Range field so that it is recognizable in
  the list, e.g. Office Access.
- Enter IP addresses in the From and To fields and select Add.
  NOTE: Do not use IP range notations (e.g. 192.168.0.15/24) in the To
  or From fields.
  NOTE: To add a single IP address, enter it in the From field, and
  leave the To field empty.
- Repeat this for every IP address or range you want to add.
Example 1
Countries list is populated with allowed countries
When allowing countries, all countries not listed are automatically
blocked. You can then do one of the following if you need to refine your
criteria:
- Deny certain IP ranges within the allowed countries.
OR
- Allow additional IP ranges outside the allowed countries.
Example 2
Countries list is populated with denied countries
When denying countries, requests from all countries not listed are
automatically allowed. You can then do one of the following if you need
to refine your criteria:
- Allow certain IP ranges within the denied countries.
OR
- Deny additional IP ranges outside the denied countries.
General guidelines and restrictions
Unknown IP addresses
Some IP addresses are not associated with specific countries in the
database and are therefore by definition not denied or allowed in the
country list. Administrators can choose to add these unknown IP
addresses to the country list by selecting the option
(Unknown Country) in the Select Country dropdown.
Blocking your own IP address
Administrators cannot block the IP address they are accessing the
Specops Authentication Web from. Any country or IP range that includes
your current IP address will not be added to the denied list. Similarly,
any country or IP range that excludes your current IP address will not
be added to the allowed list, unless your own country or IP range is
already allowed as well. In these cases administrators will see the
following error message:
The configuration you are trying to save will lock you out of Specops
Authentication. Please review your settings and try again.
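The list interaction from Examples 1 and 2 and the lockout rule above, modelled as an added Python example (not Specops code) for dry-running a planned configuration against test addresses. It assumes a matching IP range takes precedence over the country list and that the Countries list is populated; GeoPolicy, IpRange, permits and locks_out are hypothetical names, and the sample addresses and country codes are constructed.

```python
import ipaddress
from dataclasses import dataclass, field

UNKNOWN = "(Unknown Country)"  # list entry for IPs with no country mapping

@dataclass
class IpRange:
    name: str
    start: str      # From field
    end: str = ""   # To field; empty means a single address

    def contains(self, ip: str) -> bool:
        addr = ipaddress.ip_address(ip)
        lo = ipaddress.ip_address(self.start)
        hi = ipaddress.ip_address(self.end) if self.end else lo
        # IPv4 and IPv6 addresses cannot be ordered against each other
        return addr.version == lo.version == hi.version and lo <= addr <= hi

@dataclass
class GeoPolicy:
    country_mode: str   # "allow" or "deny"
    countries: set
    range_mode: str     # "allow" or "deny"
    ranges: list = field(default_factory=list)

    def permits(self, ip: str, country: str = "") -> bool:
        # Assumption: a matching IP range overrides the country decision
        if any(r.contains(ip) for r in self.ranges):
            return self.range_mode == "allow"
        listed = (country or UNKNOWN) in self.countries
        return listed if self.country_mode == "allow" else not listed

    def locks_out(self, admin_ip: str, admin_country: str) -> bool:
        # Simplified pre-save check: would the admin's own session be blocked?
        return not self.permits(admin_ip, admin_country)

# Constructed sample data (documentation address ranges, arbitrary country codes)
example_1 = GeoPolicy("allow", {"SE"}, "deny",
                      [IpRange("Blocked hosting", "198.51.100.0", "198.51.100.255")])
example_2 = GeoPolicy("deny", {"SE", UNKNOWN}, "allow",
                      [IpRange("Office Access", "203.0.113.10", "203.0.113.20")])

if __name__ == "__main__":
    for ip, cc in [("203.0.113.15", "SE"), ("203.0.113.50", "SE"), ("192.0.2.1", "NO")]:
        print(ip, cc, "allowed" if example_2.permits(ip, cc) else "Geoblocked")
```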
Duplicate IP ranges
The system will not allow you to add duplicate IP addresses or ranges.
All events related to geoblocking are logged in the Reporting section of
the Specops Authentication Web.
Auditing
Here all updates to the Geoblocking settings are logged. It will list
events related to geoblocking under the category
GeoBlocking. Clicking on the entry will reveal the ID of the
user who made the change, as well as what changes were made (e.g.
GeoBlockingCountrRemoved SE, if Sweden was removed from the
list).
System Events
Any blocked login attempts will be listed here. Events related to
geoblocking will be listed as Geoblocked. If you want to filter the list
for geoblocking events, enter ipAddressBlocked in the
Event field.