How do I set up IP restrictions?
Sometimes IP restrictions don't seem to work properly. This can happen in different areas and is usually due to incomplete configuration.
Examples:
- IP restrictions are enabled at the company level, but don't seem to do anything
- When IP restrictions are enabled, LocalServices no longer connects.
There are 2 appsettings related to IP restrictions in the web.config. It is important to know the function of both.
- TrustedClientIpAddresses --> These are 'trusted IP addresses'. A client like RV or LS sends its own ClientIp in the authentication token. Anyone can do this, but the ClientIp is only taken over as the client's IP when the request comes from a trusted IP address. The (internal) IP address of RetailVista ERP must be specified as TrustedIpAddress in the web.config of the BO. If it is not, the ClientIp will not be taken over and IP restrictions cannot be applied properly.
- RestrictedIpAddresses --> These are IP addresses that are always allowed to log in regardless of IP restrictions, for example the public IP address of NedFox or a reseller. If the IP address of NedFox is not listed here, it will have to be specified separately for each company, which is undesirable. The list of IP addresses for a customer should only contain trusted IP addresses of the customer.
Example of problem 1:
- IP restrictions don't seem to do anything. Everyone can always log in despite IP restrictions being enabled, or no one can log in when they should be able to.
In the events table, it also seems like every user has the same IP address:
This is an indication that the IP address of RetailVista ERP is not listed in the TrustedIpAddresses of the web.config of the BO. This prevents the real ClientIp of the user from being taken over. After adding the IP address of the RetailVista ERP machine (in this case 10.100.10.91) to the trustedIpaddresses of the BO, it can be seen that the ClientIp is correctly passed (top line):
Example of problem 2:
- The IP address of the reseller is returned for every company in the instance to which the reseller belongs. This is unnecessary and should be resolved through RestrictedIpAddresses.
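The following added example (a simplified model, not RetailVista code) shows how the two settings interact and why problem 1 makes every user appear with the same IP address. The function names and all addresses other than 10.100.10.91 are constructed for illustration, and the evaluation order is an assumption based on the descriptions above.

```python
from ipaddress import ip_address

def parse(*ips):
    return {ip_address(i) for i in ips}

def effective_client_ip(source_ip, claimed_ip, trusted_client_ips):
    # The ClientIp in the token is only a claim. It is taken over as the
    # client's IP only when the sender's own address is trusted.
    if claimed_ip is not None and ip_address(source_ip) in trusted_client_ips:
        return ip_address(claimed_ip)
    return ip_address(source_ip)

def login_allowed(source_ip, claimed_ip, trusted_client_ips, always_allowed, company_ips):
    # Returns (allowed, IP that ends up in the events table).
    ip = effective_client_ip(source_ip, claimed_ip, trusted_client_ips)
    return (ip in always_allowed or ip in company_ips), str(ip)

ERP = "10.100.10.91"                 # RetailVista ERP machine, from the article
COMPANY_IPS = parse("203.0.113.10")  # constructed: the customer's own office
ALWAYS_ALLOWED = parse("198.51.100.7")  # constructed: supplier/reseller address
CLAIMED = ["203.0.113.10", "192.0.2.55", "198.51.100.7"]  # constructed users

def evaluate(trusted_client_ips):
    # Every login reaches the BO from the ERP machine, carrying a ClientIp claim.
    return [login_allowed(ERP, c, trusted_client_ips, ALWAYS_ALLOWED, COMPANY_IPS)
            for c in CLAIMED]

if __name__ == "__main__":
    print("ERP not trusted:", evaluate(parse()))     # one shared IP for everyone
    print("ERP trusted:    ", evaluate(parse(ERP)))  # real ClientIp per user
```

With the ERP address missing from the trusted list, all three logins are evaluated as 10.100.10.91, so the outcome depends only on whether that one address is allowed. The reseller address is handled once in the always-allowed list and does not need to appear in each company's list.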