UniFi Identity Enterprise - Network Zone
Instruction
UniFi Identity Enterprise can utilize network zones to define security perimeters in which administrators can restrict access based on the following parameters:
- A single IP address
- One or more IP address ranges
- CIDR notations (Classless Inter-Domain Routing)
- A list of geographical locations
Network zones consist of IP Zones and Dynamic Zones which may be added to or used for:
- Sign-on Policies
- Password Policies
- App Sign-on Policies
- Approval Policies
- VPN Policies
Note: Policies and rules will be updated automatically when a Network Zone is modified.
IP Zones and Dynamic Zones have the following limitations:
- Up to 100 IPs per zone;
- Up to 10 countries per Dynamic Zone.
The following two network zone types are generated by default in the workspace:
- Blocked IP Zone: The status of this IP zone is Active and the gateway IPs are empty. You cannot delete a blocked IP zone and can only modify the gateway IPs.
- Legacy IP Zone: The status of this IP zone is Active and both the gateway IPs and proxy IPs are empty. Note that you are not allowed to delete a legacy IP zone, you can only edit or modify the zone's gateway IPs and proxy IPs.
IP Zone and Dynamic Zone
An IP zone allows admins to define network perimeters around a set of IPs. Admins can add both gateway IPs and proxy IPs to IP zones.
IPs that can be added to an IP zone are as follows:
- Single IPs
- IP range
- Classless Inter-Domain Routing (CIDR) notation
- Proxy IPs
IP Zone Checking
UniFi Identity Enterprise Network Zone uses an IP chain to determine if a request is within or outside an IP Zone. The IP chain is the IPs of all the hops between the originating request IP and the defined IP zone.
The following table explains the IP chain processing for one or multiple IPs in an IP chain:
| IP Chain Type | Description |
| IP chain contains one IP | If the IP is contained in any of the defined zones, then the request is classified as from within the network zone. |
| IP chain contains more than one IP |
• If the last IP address in the IP chain is directly connected to UID and the IP chain is within the defined gateways or proxies for the IP zone. • If the IP is a defined gateway, the request is from within that zone. • If the IP is a defined proxy, then the process repeats for the previous IP (the one directly connecting to the proxy) in the chain. |
Note: The IP chain check process will repeat until:
- A matching gateway IP is found, in which case the request is from within the network zone.
- Five IPs in the chain are checked, in which case the request is not from the IP Zone.
IP Zone Check Process
| IP Chain Type | Gateway | Proxy | Is the Request From Within the Zone? |
|
1.1.1.1 |
1.1.1.1 |
Empty |
T |
|
1.1.1.1 |
1.1.1.1 |
2.2.2.2 |
T |
|
1.1.1.1 |
Empty |
Empty |
F |
|
1.1.1.1 |
Empty |
1.1.1.1 |
F |
|
1.1.1.1, 2.2.2.2 |
2.2.2.2 |
Empty |
T |
|
1.1.1.1, 2.2.2.2 |
2.2.2.2 |
3.3.3.3 |
T |
|
1.1.1.1, 2.2.2.2 |
1.1.1.1 |
2.2.2.2 |
T |
|
1.1.1.1, 2.2.2.2 |
Empty |
Empty |
F |
|
1.1.1.1, 2.2.2.2 |
Empty |
1.1.1.1 |
F |
|
1.1.1.1, 2.2.2.2 |
Empty |
2.2.2.2 |
F |
|
1.1.1.1, 2.2.2.2 |
2.2.2.2 |
1.1.1.1 |
T |
Dynamic Zone
Location
A location is defined as either a country, region, or a combination of a country or region and a state or province. If a state or province is not specified in the country or region, the location will be set to the entire country or region. You can specify a single location, multiple locations, or no location in a Dynamic Zone. If no location is defined for a Dynamic Zone, then New York, United States will be used as the default location. A single Dynamic Zone can have up to 10 different locations.
Dynamic Zone Check
When a Dynamic Zone is included in a policy, UniFi Identity Enterprise verifies if the Dynamic Zone configuration matches the location of the request IP.
The following applies when the IP chain of the request contains one IP:
UniFi Identity Enterprise resolves the location for that IP and compares it with the Dynamic Zone configuration to determine if the request is from within that Dynamic Zone.
The following applies when the IP chain of the request contains more than one IP:
UniFi Identity Enterprise attempts to identify the original client IP as described next in Identifying the original client IP.
Identify the Original Client IP
To identify the original client IP of the request, the request IP chain is compared with all the proxy IPs defined in all the IP zones for that workspace.
If the IP address at the end of the IP chain is not defined as a proxy IP, it is marked as the client IP.
If the IP address at the end of the IP chain is a proxy IP, the IP address check process will continue until a none proxy IP is discovered. This IP will be marked as the client IP.
Once the client IP is determined, the geo-location for that IP is resolved and compared with the configured zone’s geo-location to check if they match. If a match is found, the request is from within that zone.
| IP Chain | All Proxies Defined for the Request Original Client IP | Request Original Client IP |
| 1.1.1.1 | Empty | 1.1.1.1 |
| 1.1.1.1 | 1.1.1.1 | 1.1.1.1 |
| 1.1.1.1 | 2.2.2.2 | 1.1.1.1 |
| 1.1.1.1, 2.2.2.2 | Empty | 2.2.2.2 |
| 1.1.1.1, 2.2.2.2 | 2.2.2.2 | 1.1.1.1 |
| 1.1.1.1, 2.2.2.2 | 3.3.3.3 | 2.2.2.2 |
| 1.1.1.1, 2.2.2.2 | 1.1.1.1 | 2.2.2.2 |
| 1.1.1.1, 2.2.2.2, 3.3.3.3 | 3.3.3.3, 2.2.2.2 | 1.1.1.1 |
| 1.1.1.1, 2.2.2.2, 3.3.3.3 | 3.3.3.3 | 2.2.2.2 |
| 1.1.1.1, 2.2.2.2, 3.3.3.3 | 4.4.4.4 | 3.3.3.3 |