Securing Your Org Through Salesforce IP Ranges: Your Complete Guide

By Mariel Domingo

Have you ever found yourself concerned about who’s accessing your org’s sensitive data? The good thing about setting up IP ranges in Salesforce is having the power to control access to your instance based on user IP addresses.

This works whether you’re safeguarding against unauthorized access, aiming to tighten network security, or simply seeking peace of mind as an admin. In this tutorial, we’ll walk through the steps to set up IP ranges in Salesforce.

What’s an IP Range in Salesforce?

Understanding IP ranges is essential for effectively managing access to a Salesforce org. An IP (Internet Protocol) range is a set of IP addresses bounded by a starting IP address and an ending IP address. In network administration, these ranges are used to regulate access to resources based on the IP addresses of the devices used by the company’s employees.

In Salesforce, an admin can set up trusted IP ranges to designate which networks or locations are allowed to access the org without facing extra authentication or verification steps.

Determining Trusted IP Addresses

There is no one-size-fits-all for IP ranges. The IP addresses that should be included within trusted IP ranges will vary per company, as they depend on the network setup as well as the security policies of the company.

Typically, the best and easiest way to obtain these addresses is from the organization’s network admin or IT department, which can provide a list of IP addresses that are authorized for use by employees or even external partners. You can also look through network logs to find IP addresses that are frequently used to access the Salesforce org.
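One way to turn a log review into candidate Start/End pairs, as an added example that is not part of the original article. The rows are constructed sample data, the "Success"/"Failed" status values and the `min_success` threshold are assumptions, and the output is a shortlist to confirm with the network team, not a list to trust as-is.

```python
import ipaddress
from collections import Counter

# Constructed sample rows: (source IP, login status). Documentation-only
# addresses; the status strings are assumed, adjust them to your log export.
SAMPLE_LOGINS = [
    ("203.0.113.10", "Success"), ("203.0.113.10", "Success"),
    ("203.0.113.11", "Success"), ("203.0.113.11", "Success"),
    ("203.0.113.12", "Success"), ("203.0.113.12", "Success"),
    ("203.0.113.40", "Success"), ("203.0.113.40", "Success"),
    ("198.51.100.7", "Success"),                      # seen once only
    ("192.0.2.44", "Failed"), ("192.0.2.44", "Failed"),
    ("192.0.2.44", "Failed"),                         # frequent, but never succeeded
]

def candidate_ranges(logins, min_success=2):
    """Return (start, end) pairs covering IPv4 addresses with repeated
    successful logins, merging consecutive addresses into one range."""
    # Failed attempts are ignored: a noisy address is not a trusted one.
    counts = Counter(ip for ip, status in logins if status == "Success")
    frequent = sorted(
        addr
        for addr in (ipaddress.ip_address(ip)
                     for ip, n in counts.items() if n >= min_success)
        if addr.version == 4   # Network Access ranges are IPv4 per the article
    )
    ranges = []
    for addr in frequent:
        if ranges and int(addr) == int(ranges[-1][1]) + 1:
            ranges[-1][1] = addr          # extend the current range by one
        else:
            ranges.append([addr, addr])   # start a new single-address range
    return [(str(lo), str(hi)) for lo, hi in ranges]

if __name__ == "__main__":
    for start, end in candidate_ranges(SAMPLE_LOGINS):
        print(f"Start IP Address: {start}   End IP Address: {end}")
```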

Establishing Trusted IP Ranges

Setting up IP ranges can make it easy for trusted users to access the org. Approved users can log in hassle-free, while users outside of the trusted IP ranges are not blocked entirely but have to go through extra login checks and verification.

  1. Navigate to Setup.
  2. In the quick find box, type “Network” and select the “Network Access” result.
  3. Hit “New”.
  4. Enter valid IP addresses in both the Start and End IP Address fields. Some notes to consider:
    • The End IP Address must be a higher IP address than the Start IP Address.
    • If you want to allow only a single IP address, you can enter the same address in both fields.
    • IP addresses must be in an IPv4 range.
  5. Write a description. This isn’t required, but it’s a good practice to have, especially if you maintain multiple ranges and would like to know which part of your network corresponds to each range. The image below establishes four trusted IP addresses.
  6. Hit “Save”.

To test, I tried logging in to the org from an IP address outside the range stated above. I am not completely blocked off from the org, but it does ask for verification.

Restricting Login IPs through Profiles

Now, what if you’d like to take security up a notch and control access per user? IP address restriction can be done at the profile level so that any login attempts from outside the profile’s defined IP range are blocked. Here’s how:

  1. Navigate to Setup.
  2. In the quick find box, search for and select “Profiles”.
  3. Select a profile and go to “Login IP Ranges”.
  4. Click “Add IP Ranges”, then enter a start address, end address, and description. Keep in mind the same notes stated above for trusted IP ranges, but this time the IP addresses in your range can be either IPv4 or IPv6.
  5. Hit “Save”.

To test, here’s the error displayed upon logging in from an IP address outside the range specified on the profile level. Compared with trusted IPs which only require verification, this one blocks the user entirely.

Make sure to regularly review your IP ranges to ensure that they align with your org’s network policies, and make adjustments as needed.
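The range rules from both procedures, and the two outcomes shown in the tests above, written as a pre-flight check (an added example, not code from the article or from Salesforce). The function names, the outcome labels and the sample ranges are assumptions, and `login_outcome` is a simplified model of the behaviour as this article describes it, not of every Salesforce login path.

```python
import ipaddress

# Constructed sample ranges using documentation-only addresses.
TRUSTED = [("203.0.113.10", "203.0.113.13")]            # Network Access
PROFILE = [("203.0.113.0", "203.0.113.255"),            # Login IP Ranges
           ("2001:db8::1", "2001:db8::ff")]

def check_range(start, end, setting):
    """List the problems with one planned range.
    setting: "network_access" (IPv4 only) or "profile" (IPv4 or IPv6)."""
    try:
        lo, hi = ipaddress.ip_address(start), ipaddress.ip_address(end)
    except ValueError as exc:
        return [f"invalid address: {exc}"]
    if lo.version != hi.version:
        return ["start and end mix IPv4 and IPv6"]
    problems = []
    if setting == "network_access" and lo.version != 4:
        problems.append("Network Access ranges must be IPv4")
    if hi < lo:   # equal is fine: that is the single-address case
        problems.append("End IP Address is lower than Start IP Address")
    return problems

def in_ranges(ip, ranges):
    """True if ip falls inside any (start, end) pair of the same IP version."""
    addr = ipaddress.ip_address(ip)
    for start, end in ranges:
        lo, hi = ipaddress.ip_address(start), ipaddress.ip_address(end)
        if lo.version == addr.version and lo <= addr <= hi:
            return True
    return False

def login_outcome(ip, trusted_ranges, profile_ranges):
    """Profile ranges decide block/allow; trusted ranges decide whether the
    extra verification step is skipped."""
    if profile_ranges and not in_ranges(ip, profile_ranges):
        return "blocked"
    if in_ranges(ip, trusted_ranges):
        return "trusted"
    return "verify"

if __name__ == "__main__":
    for ip in ("203.0.113.11", "203.0.113.200", "198.51.100.7"):
        print(ip, "->", login_outcome(ip, TRUSTED, PROFILE))
```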

Summary

Improving and maintaining the security of data and resources in your org is essential. Though setting up trusted IPs or restricting them via profile is only one of the many ways to secure the org, it is also one of the best ways to do it. This way, you can control access to your instance and safeguard against unauthorized access from the frontlines. With these measures in place, you are sure to have greater peace of mind as an admin.

Have you implemented similar security measures in your Salesforce org? Feel free to share them with us in the comments section below!

The Author

Mariel Domingo

Mariel is the Courses Administrator at Salesforce Ben.

Comments:

    Francis Pindar
    May 01, 2024 9:20 pm
    "so that any login attempts from outside the profile’s defined IP range are blocked" wrong! If this is a complete guide it needs to include where you can bypass IP ranges even if it is enabled on a profile. This is misinformation.

    DB
    May 02, 2024 1:38 pm
    In terms of establishing IP ranges for the entire org you state that you are "not completely blocked off from the org, but it does ask for verification". But, under normal circumstances doesn't Salesforce's MFA requirement ALWAYS ask for verification?
