Newer Version Available

This content describes an older version of this product. View Latest

Restricting Login IP Ranges for Your Organization

Available in: All Editions

User Permissions Needed
To view network access: “Login Challenge Enabled”
To change network access: “Manage Users”

Watch Video Demo Who Sees What: Organization Access

Watch how you can restrict login through IP ranges and login hours.

Note

To help protect your organization’s data from unauthorized access, you can specify a list of IP addresses from which users can always log in without receiving a login challenge:

  1. From Setup, click Security Controls | Network Access.
  2. Click New.
  3. Enter a valid IP address in the Start IP Address field and a higher IP address in the End IP Address field.

    The start and end addresses define the range of allowable IP addresses from which users can log in. If you want to allow logins from a single IP address, enter the same address in both fields. For example, to allow logins from only 125.12.3.0, enter 125.12.3.0 as both the start and end addresses.

    The start and end IP addresses in an IPv4 range must include no more than 33,554,432 addresses (225, a /7 CIDR block). For example, the following ranges are valid:

    • 0.0.0.0 to 1.255.255.255
    • 132.0.0.0 to 132.255.255.255
    • 132.0.0.0 to 133.255.255.255

    However, ranges like 0.0.0.0 to 2.255.255.255 or 132.0.0.0 to 134.0.0.0 are too large.

    The start and end IP addresses in an IPv6 range must include no more than 79,228,162,514,264,337,593,543,950,336 addresses (296, a /32 CIDR block). For example, the following range is valid: 2001:8000:: to 2001:8000:ffff:ffff:ffff:ffff:ffff:ffff. However, ranges like :: to ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff or 2001:8000:: to 2001:8001:: are too large.

  4. Click Save.

For organizations that were activated before December 2007, Salesforce automatically populated your organization’s trusted IP address list in December 2007, when this feature was introduced. The IP addresses from which trusted users had already accessed Salesforce during the past six months were added.

Note

Both IP addresses in a range must be either IPv4 or IPv6. In ranges, IPv4 addresses exist in the IPv4-mapped IPv6 address space ::ffff:0:0 to ::ffff:ffff:ffff, where ::ffff:0:0 is 0.0.0.0 and ::ffff:ffff:ffff is 255.255.255.255. A range can’t include IP addresses inside of the IPv4-mapped IPv6 address space if it also includes IP addresses outside of the IPv4-mapped IPv6 address space. Ranges such as 255.255.255.255 to ::1:0:0:0 or :: to ::1:0:0:0 are not allowed. You can set up IPv6 addresses in all organizations, but IPv6 is only enabled for login in sandbox organizations from the Spring ’12 release and later.

Note