
How to configure RM Unify MFA with trusted IP addresses
Published Date : 30 Jun 2022   Last Updated : 20 Apr 2023   Content Ref: TEC8637174  





Symptoms

When setting up RM Unify multi-factor authentication (MFA), you can configure one or more trusted IPv4 address ranges for your establishment so that users are not prompted for MFA when using a device assigned a trusted IP address.

This allows you to exclude your school's IP range if you only want users to be prompted for MFA when they are outside of this range. It can be helpful for schools that operate a 'no mobile phones' policy, as it removes the requirement to complete the MFA prompt on a user's personal device while at school. Since malicious attacks on user accounts are more likely to originate from outside the school location, this feature allows schools to make a compromise between security and user experience.



Procedure

  1. If you are an RM Connectivity customer and RM provides your broadband, please follow the steps in the RM Connectivity Customers section below.
  2. Sign in to RM Unify as a super admin user.
  3. Navigate to the RM Unify Management Console.
  4. On the left-hand side, under 'Sign In & Security', select Trusted IP Addresses.
  5. Type the CIDR* of the trusted IPv4 range. For example, a CIDR of 21.19.35.32/28 will set the IPs 21.19.35.32 - 21.19.35.46 with subnet mask 255.255.255.240 as trusted IPs.
  6. Click Add.

*Classless Inter-Domain Routing is a method for allocating IP addresses and for IP routing.


RM Connectivity Customers
  1. Log a support request and we will provide the trusted IP addresses to add.
  2. Follow the steps in the Procedure above to add the IP addresses we provide.
  3. On each device with a browser configured to use any proxy server, add *.rmunify.com as a proxy server exception. Please contact your network support team for assistance with rolling this out, as they may deliver the setting automatically as part of a Group Policy Object. 
As an example, the screenshot below shows the equivalent setting on a Windows 10 desktop:
[Image showing proxy exception for RM Unify]

Notes:

  • It is not necessary to add *.rmunify.com as a proxy exception when the browser is not configured with a proxy server, e.g. if you are using transparent filtering.
  • If you are using an additional product such as Smoothwall and browsers are configured with the Smoothwall server as the proxy server, please add the *.rmunify.com exception to the device's browser.


Checks

If I configure a trusted IP range, what happens when MFA on an app is set to Required but the user has not yet enrolled for MFA?
  • If the user is accessing the app from an IP in the trusted IP range, they will not get prompted to set up MFA and will be able to access the app.
  • If the user is accessing the app from an IP that is not in the trusted IP range, they will get prompted to set up MFA.


Possible Issues

A warning icon is displayed beside a CIDR value if the number of IP addresses in the range is more than 20.

An additional address or range is rejected with the message "An error occurred while saving the settings" if:
  • it is not a valid IPv4 CIDR format.
  • it ends with '/31'.
  • it overlaps any of these internal ranges:
    • Class A: 10.0.0.0 through 10.255.255.255
    • Class B: 172.16.0.0 through 172.31.255.255
    • Class C: 192.168.0.0 through 192.168.255.255
  • it overlaps any of these multicast addresses:
    • 224.0.0.0 to 239.255.255.255
  • it overlaps any of these other ranges:
    • 0.0.0.0/8: Current (local) network RFC 1122
    • 127.0.0.0/8: Local host RFC 1122
    • 169.254.0.0/16: Link-local RFC 3927
    • 255.255.255.255/32: Limited broadcast destination address RFC 8190 and RFC 919
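
The rejection and warning rules listed above can be checked offline before a range is entered in the Management Console. The following Python sketch is an added example, not RM's code; the function name `check_trusted_cidr`, the treatment of set host bits as invalid, and counting every address in the block toward the 20-address warning are assumptions.

```python
import ipaddress

# Ranges the article lists as grounds for rejection when overlapped.
REJECTED_OVERLAPS = {
    "10.0.0.0/8": "internal range (Class A)",
    "172.16.0.0/12": "internal range (Class B)",
    "192.168.0.0/16": "internal range (Class C)",
    "224.0.0.0/4": "multicast",
    "0.0.0.0/8": "current (local) network",
    "127.0.0.0/8": "local host",
    "169.254.0.0/16": "link-local",
    "255.255.255.255/32": "limited broadcast",
}
WARN_ABOVE = 20  # the article's warning-icon threshold


def check_trusted_cidr(value):
    """Return (status, detail); status is 'reject', 'warn' or 'ok'."""
    value = value.strip()
    if "/" not in value:
        return ("reject", "not CIDR notation (no prefix length)")
    try:
        # Assumption: host bits set (e.g. 21.19.35.33/28) count as invalid.
        net = ipaddress.IPv4Network(value, strict=True)
    except ValueError as exc:
        return ("reject", f"not a valid IPv4 CIDR: {exc}")
    if net.prefixlen == 31:
        return ("reject", "ends with /31")
    for block, label in REJECTED_OVERLAPS.items():
        if net.overlaps(ipaddress.IPv4Network(block)):
            return ("reject", f"overlaps {label} {block}")
    # Assumption: the size is counted as every address in the block.
    if net.num_addresses > WARN_ABOVE:
        return ("warn", f"{net.num_addresses} addresses bypass MFA")
    return ("ok", f"{net.num_addresses} addresses bypass MFA")


if __name__ == "__main__":
    # Constructed sample inputs; only 21.19.35.32/28 comes from the article.
    samples = ["21.19.35.32/28", "21.19.35.0/27", "192.168.1.0/24", "0.0.0.0/0"]
    for candidate in samples:
        print(candidate, check_trusted_cidr(candidate))
```

A 'warn' result is worth reviewing rather than ignoring: every address in a trusted range skips the MFA prompt, so the range should be no wider than the establishment's own public addresses.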


More Information

What is CIDR notation?
CIDR notation is a compact representation of an IP address and its associated network mask. For more information, please refer to the links below:

Can I set a trusted range for IPv6 addresses?
Currently, only IPv4 address ranges are supported. Extending to IPv6 addresses may be considered for a future release.


Other Useful Articles

RM Unify Multi Factor Authentication (TEC5941143)
