IP Address Lockdown
This page describes how to restrict access to your xAssets instance by IP address. When IP address lockdown is enabled, only requests from whitelisted IP addresses are permitted. All other requests are blocked before authentication, providing a network-level security boundary in addition to username/password and MFA controls.
Prerequisites
- Administrator access to xAssets
- Knowledge of the IP addresses or ranges that should be allowed access
- If users connect via VPN, the VPN exit IP address(es) must be included in the whitelist
When to Use IP Address Lockdown
IP address lockdown is appropriate when:
- Your xAssets instance is internet-facing but should only be accessed from known office locations
- You want to restrict API access to specific integration servers
- Compliance or security policies require network-level access controls
- You want to prevent access from personal devices outside the corporate network
Note: IP address lockdown restricts access at the application level. For defence in depth, also consider firewall rules, VPN requirements, and reverse proxy configurations at the infrastructure level.
Enabling IP Address Lockdown
- Navigate to Admin > Settings.
- Search for the setting AUTHENTICATIONIPWHITELIST (or the relevant IP lockdown setting).
- Enter the allowed IP addresses or ranges.
- Save the setting.
Note: The exact setting name may vary by version. Check the Settings screen for keywords like "IP", "whitelist", or "lockdown" if the setting name above does not match. Contact xAssets support if you cannot locate the setting.
IP Address Formats
The whitelist supports the following formats:
| Format | Example | Description |
|---|---|---|
| Single IP | 192.168.1.100 | Allow one specific IP address |
| CIDR range | 10.0.0.0/24 | Allow all addresses in the 10.0.0.x range (256 addresses) |
| Multiple entries | 192.168.1.100,10.0.0.0/24 | Comma-separated list of IPs and/or ranges |
Tip: Use CIDR notation for office networks rather than listing individual IPs. This accommodates DHCP-assigned addresses within the range.
What Happens When an IP Is Blocked
When a request arrives from a non-whitelisted IP address:
- The connection is refused before the login page is displayed.
- The user sees a message indicating that access is not permitted from their current location.
- The blocked attempt is logged for security auditing purposes.
- No authentication is attempted -- the request is rejected at the IP check stage.
Warning: If you misconfigure the whitelist and lock yourself out, you will need to access the xAssets database directly to modify or remove the IP lockdown setting. Ensure you include your own IP address before saving.
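A pre-save check for the whitelist formats and the lockout warning above, as an added example (not xAssets code): it parses a comma-separated whitelist with Python's `ipaddress` module and reports any address that must keep access but would be blocked. The sample addresses are constructed, and rejecting CIDR entries with host bits set is a conservative assumption, not documented xAssets behaviour.

```python
import ipaddress

def parse_whitelist(value):
    """Split a comma-separated whitelist; return (networks, rejected entries)."""
    networks, rejected = [], []
    for raw in value.split(","):
        entry = raw.strip()
        if not entry:
            continue
        try:
            # Assumption: treat CIDR entries with host bits set (10.0.0.5/24)
            # as mistakes. A single IP parses as a /32 network.
            networks.append(ipaddress.ip_network(entry, strict=True))
        except ValueError:
            rejected.append(entry)
    return networks, rejected

def is_allowed(address, networks):
    """True if address is inside a whitelisted network.

    An empty whitelist means lockdown is disabled, so everything passes.
    """
    if not networks:
        return True
    ip = ipaddress.ip_address(address)
    return any(ip in net for net in networks)

def precheck(value, must_reach):
    """List the problems that should stop this whitelist value being saved."""
    networks, rejected = parse_whitelist(value)
    problems = [f"rejected entry: {entry}" for entry in rejected]
    for label, address in must_reach.items():
        if not is_allowed(address, networks):
            problems.append(f"{label} ({address}) would be blocked")
    return problems

if __name__ == "__main__":
    # Constructed sample: the whitelist from the table above, plus addresses
    # that must keep access (203.0.113.10 is a documentation-range placeholder).
    proposed = "192.168.1.100,10.0.0.0/24"
    required = {"admin workstation": "10.0.0.57", "VPN exit": "203.0.113.10"}
    for problem in precheck(proposed, required):
        print(problem)
```

Run it with the address xAssets will actually see for you (the VPN or office exit address, not a private address behind NAT) before saving the setting.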
Managing the Whitelist
Adding an IP Address
To allow access from a new location:
- Navigate to Admin > Settings.
- Find the IP lockdown setting.
- Add the new IP address or range to the existing list (comma-separated).
- Save the setting.
The change takes effect immediately for new connections.
Removing an IP Address
To revoke access from a previously allowed location:
- Navigate to Admin > Settings.
- Find the IP lockdown setting.
- Remove the IP address or range from the list.
- Save the setting.
Existing active sessions from the removed IP address will continue to work until they expire. Only new connection attempts will be blocked.
Disabling IP Address Lockdown
To remove the IP restriction entirely:
- Navigate to Admin > Settings.
- Clear the value of the IP lockdown setting (set it to blank).
- Save the setting.
With no whitelist configured, all IP addresses are permitted (subject to normal authentication).
Considerations for Common Scenarios
| Scenario | Guidance |
|---|---|
| VPN users | Whitelist the VPN concentrator's exit IP address. Individual user IPs behind the VPN are not relevant -- xAssets sees the VPN exit address. |
| Cloud-hosted xAssets | If your instance is in the cloud, add your office public IP addresses. Remember that public IPs can change -- check with your ISP or use a static IP service. |
| API integrations | Include the IP addresses of servers that call the xAssets API. If the integration server's IP changes (e.g., cloud functions with dynamic IPs), IP lockdown may not be suitable for that integration. |
| Remote workers | If employees work from home with dynamic IPs, IP lockdown alone is impractical. Combine with VPN (so all traffic exits through a known IP) or rely on MFA instead. |
| Multiple offices | Add a CIDR range for each office network. |
Combining with Other Security Controls
IP address lockdown works alongside other xAssets security features:
| Control | Layer | Purpose |
|---|---|---|
| IP Address Lockdown | Network | Restricts which networks can reach the application |
| Username/Password | Authentication | Verifies user identity |
| Multi-factor Authentication | Authentication | Adds a second verification factor |
| User Groups | Authorisation | Controls what data and operations are accessible |
| Record Filters | Authorisation | Limits visibility to specific records |
For maximum security, enable IP lockdown in combination with MFA and restrictive user group permissions.
Troubleshooting
| Problem | Cause | Solution |
|---|---|---|
| Locked out after enabling IP lockdown | Your own IP was not included in the whitelist | Access the database directly and modify or clear the IP lockdown setting. |
| Remote users cannot connect | Their IP is not in the whitelist | Add their IP or VPN exit IP. For dynamic IPs, consider VPN-based access. |
| API integration stopped working | The integration server's IP changed | Update the whitelist with the new IP address. |
| Some users can connect but others at the same office cannot | Users on a different subnet or using a different internet connection | Verify all subnets and ISP exit IPs for the office are included. |
Related Articles
- Multi-factor Authentication -- adding a second authentication factor
- Securing the Web Server -- broader web server security configuration
- Users -- managing user accounts
- Settings -- where IP lockdown settings are configured