Restrict Access to Third-Party Apps Outside of Venn’s Blue Border

Each company's Private Company Gateway uses a fixed set of public IP addresses for all network traffic within Blue Border. For any of your business applications that support IP allowlisting, you can apply IP restrictions using your PCG IP addresses to ensure that users can only access the applications from within Blue Border. This adds an extra layer of security, helping ensure that business resources are only accessible by authorized users in a secure environment.

If you have an Identity Provider that supports IP allowlisting via SAML federation to the vendor platform, we recommend applying IP restrictions via your IdP when possible rather than applying the restrictions within the business applications themselves. This solution centralizes app access management and makes it easier to restrict access to additional applications in the future using the same process. If you don’t have an IdP or you can’t integrate an application with your IdP, you can apply IP restrictions within the application itself if it supports IP allowlisting. 

Instructions for Common Identity Providers

Most Identity Providers (IdPs) allow you to restrict access to third-party apps that are integrated with your IdP. For example, if your users log in to Zoom via your IdP, you can use your IdP to restrict access to Zoom by IP address. 

Click the links below to learn how to restrict access to apps outside of Blue Border using the IdPs most popular with Venn’s customers:

If your IdP isn’t listed above, follow the general instructions below.

Some IdPs require that you have a specific tier or license type in order to restrict access to third-party apps. For example, Microsoft Entra requires P1 or P2 licenses to apply Conditional Access.

Instructions for Common Apps

Many software vendors offer the ability to restrict access to apps and sites by IP address.

Click the links below to learn how to restrict access outside of Blue Border to the apps that are most popular with Venn’s customers:

If the app you’d like to restrict access to isn’t listed above, follow the general instructions below.

General Instructions

Step 1: Determine whether or not the software vendor supports the ability to restrict access by IP address.

  • Often, this information will be available on the vendor’s Help Center or online documentation. If you do not find instructions, reach out to the vendor’s support team to see if they can configure a restriction on their back end.

Step 2: Determine which IP addresses need access to the resource. 

  • Visit the PCG page in the Admin portal to view and manage your PCG IP addresses.
  • If access to the app or site needs to be tightly controlled, you may need to create a new group in Venn and assign IP addresses to it in order to only allow access to a subset of users. For example, if the resource contains sensitive data or client information, you may need to limit access to specific users.

Step 3: Gather requirements. 

  • If not all users of the app or site at your organization are Venn users, you may need to be able to apply the restriction only to a specific group of users.
  • If you need to make exceptions for specific users who will need to use the app or site outside of Venn (such as app administrators or members of your IT team), you may need to be able to exclude certain users or create custom groups to apply the restriction to the appropriate users.
  • If users are not always required to use Venn to access the resource, you may need to exclude certain devices or IP addresses. For example, users may not be required to use Venn to access resources if they’re in your company’s office.
  • If users need to access the app or site on mobile, but you are not using Venn’s MDM solution, you may need to be able to apply the restriction only to certain types of devices or Operating Systems.

Step 4: Determine whether or not the vendor supports your requirements.

  • Reference the documentation you found in step 1 or reach out to the vendor’s team for clarification.

Step 5: Enable the restrictions.

  • Follow the software vendor’s instructions to enable the restrictions. Depending on the vendor’s configuration options, you may need to block access to the resource unless the user is accessing from a PCG IP address or you may need to allow access to the resource only if the user is accessing from a PCG IP address.

Keep in mind that there may be use cases and exceptions that you are not aware of or there may be individuals at your organization who were not fully onboarded to Venn.

  • If the vendor offers an option to do so, first enable the restrictions in “monitor” or “report-only” mode to test the restriction before blocking access. If the vendor does not offer the ability to test your authentication policies before applying them, consider testing the restriction with a small group before blocking access.
  • Always notify users before enabling restrictions in order to avoid disruption of business. Leverage the Access Lockdown email template in the Venn Rollout Toolkit to inform your users.

Step 6: Maintain the restrictions.

Once you have enabled restrictions, any time that you onboard new users to Venn or provision new PCG IP addresses, be sure to update your restrictions as needed.
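
The dry run recommended in Step 5, sketched as an added Python example (not Venn's or any vendor's code): it replays exported sign-in events against the planned allowlist and lists the users who would be blocked once the restriction is enforced. All addresses, user names, and the event format are constructed; documentation-range IPs stand in for your PCG and office addresses.

```python
import ipaddress

# Constructed values: documentation-range addresses stand in for real ones.
PCG_IPS = ["203.0.113.10/32", "203.0.113.11/32"]  # Step 2: from the PCG page
OFFICE_IPS = ["198.51.100.0/24"]                  # Step 3: office exception
EXCLUDED_USERS = {"it-admin@example.com"}         # Step 3: admins / IT team
IN_SCOPE_GROUP = {"ana@example.com", "raj@example.com",
                  "lee@example.com", "it-admin@example.com"}

# Constructed sign-in events (user, source IP), as exported from an audit log.
SIGN_INS = [
    ("ana@example.com", "203.0.113.10"),       # inside Blue Border
    ("raj@example.com", "192.0.2.44"),         # outside, not excepted
    ("it-admin@example.com", "192.0.2.7"),     # excluded user
    ("lee@example.com", "198.51.100.23"),      # office network
    ("contractor@example.com", "192.0.2.99"),  # not in the restricted group
    ("raj@example.com", "not-an-ip"),          # malformed log field
]

def evaluate(user, source_ip, allowed, in_scope, excluded):
    """Return (decision, reason) for one sign-in under the planned policy."""
    if user not in in_scope:
        return "allow", "user not in restricted group"
    if user in excluded:
        return "allow", "user excluded from restriction"
    try:
        addr = ipaddress.ip_address(source_ip)
    except ValueError:
        # Fail closed: an address that cannot be parsed cannot be allowlisted.
        return "block", "unparseable source IP"
    if any(addr in net for net in allowed):
        return "allow", "source IP on allowlist"
    return "block", "source IP not on allowlist"

def report_only(events):
    """Map each user who would be blocked to their (ip, reason) hits."""
    allowed = [ipaddress.ip_network(c, strict=False)
               for c in PCG_IPS + OFFICE_IPS]
    would_block = {}
    for user, ip in events:
        decision, reason = evaluate(user, ip, allowed,
                                    IN_SCOPE_GROUP, EXCLUDED_USERS)
        if decision == "block":
            would_block.setdefault(user, []).append((ip, reason))
    return would_block

if __name__ == "__main__":
    for user, hits in report_only(SIGN_INS).items():
        print(user, hits)
```

Users that appear in the output are the ones to onboard, notify, or add to an exception group before switching from monitoring to blocking; rerun it whenever PCG IP addresses change (Step 6).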
