This topic explains how to define the ranges of your internal network by specifying the egress NAT addresses on your edge firewall or router. Defining your internal network in this way enables the Universal Broker service to apply network-specific policies such as bypassing two-factor authentication for internal users.
To define your internal network for Universal Broker, you use the Network Ranges tab in the Broker page to specify all the ranges of egress NAT addresses that correspond to your internal end-user traffic.
The Universal Broker service recognizes the specified ranges of egress NAT addresses on your edge router or firewall as originating from your internal network. Users connecting from origins within these ranges are considered internal users. Users connecting from origins outside these ranges are considered external users.
Identify the egress Network Address Translation (NAT) addresses on your edge router or firewall that correspond to your internal end-user traffic.
- Select .
- In the Broker page, click the Network Ranges tab.
The list of address ranges corresponding to your internal end-user traffic is displayed.
Note: Even if the Network Ranges tab refers to public IP ranges, these entries are technically not public IP addresses. Rather, they are the egress NAT addresses on your edge router or firewall.
- To add an egress NAT address range to the list, click Add. Enter the range in CIDR notation with a prefix length in the allowed range of /1 to /32. Then click Save.
- Continue to add more egress NAT address ranges to the list until you have defined the full extent of your internal network traffic.
What to do next
You can use the controls in the Network Ranges tab to Edit or Delete a range in the list.
- When you delete an egress NAT address range, Universal Broker considers that range to be part of the external network.
- If you delete all the ranges from the list, Universal Broker treats all users as external users. You can no longer apply policies to internal users, such as bypassing two-factor authentication if it is enabled, even if you have configured internal Unified Access Gateway instances for your pods.
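The following added example (not VMware's code) models the classification rule described in this topic: a range entry is valid CIDR with a prefix length from /1 to /32, a user is internal only when the connection's source address falls inside a configured range, and an empty list makes every user external and therefore subject to two-factor authentication. The range list and addresses are constructed sample values.

```python
"""Model of how Universal Broker classifies a connecting user as internal
or external from the configured egress NAT address ranges (added example,
not VMware's implementation; sample ranges are constructed)."""
import ipaddress

# Allowed prefix lengths for a range entered in the Network Ranges tab.
MIN_PREFIX, MAX_PREFIX = 1, 32


def parse_range(cidr: str) -> ipaddress.IPv4Network:
    """Validate one egress NAT range as the UI constrains it: IPv4 CIDR
    notation with a prefix length between /1 and /32 inclusive."""
    try:
        net = ipaddress.IPv4Network(cidr, strict=False)
    except ValueError as exc:
        raise ValueError(f"not a valid IPv4 CIDR range: {cidr!r}") from exc
    if not MIN_PREFIX <= net.prefixlen <= MAX_PREFIX:
        raise ValueError(f"prefix /{net.prefixlen} outside /1-/32: {cidr!r}")
    return net


def classify(source_ip: str, ranges: list[str]) -> str:
    """Return 'internal' if the source address (the egress NAT address the
    broker sees) lies inside any configured range, otherwise 'external'.
    An empty range list means every user is external."""
    addr = ipaddress.IPv4Address(source_ip)
    nets = [parse_range(r) for r in ranges]
    return "internal" if any(addr in n for n in nets) else "external"


def requires_two_factor(source_ip: str, ranges: list[str], enabled: bool) -> bool:
    """Internal users bypass two-factor authentication; external users are
    challenged whenever it is enabled."""
    if not enabled:
        return False
    return classify(source_ip, ranges) == "external"


# Constructed sample: two egress NAT ranges, e.g. a head office and a branch.
SAMPLE_RANGES = ["203.0.113.0/28", "198.51.100.40/32"]

if __name__ == "__main__":
    for ip in ("203.0.113.9", "198.51.100.40", "198.51.100.41"):
        print(ip, classify(ip, SAMPLE_RANGES))
    # Deleting the branch range makes that address external again.
    print(classify("198.51.100.40", SAMPLE_RANGES[:1]))
    # Deleting every range: everyone is external and is challenged for 2FA.
    print(classify("203.0.113.9", []), requires_two_factor("203.0.113.9", [], True))
```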