How to Restrict Access to Our Salesforce Environment to Specific IP Addresses and Ranges

Written by Lior Lavi, updated on 01/11/2023

For many organizations, connecting to the external internet from within the company's internal network poses a serious risk. Browsing outside the organizational network exposes the user's computer to intrusion, viruses, malware, and other security risks.

To minimize this risk, one of the tools that companies use is routing external requests through a limited number of IP addresses. When the organization's users browse the internet, their requests go through an information security layer that conceals their IP address from the external world and routes the request through a few IP addresses that the company has chosen to expose to the world securely.

An easy and efficient way to ensure that only authorized entities connect to our Salesforce environment is to restrict access so that it is only possible from the same limited list of addresses that our organization exposes to the world. In Salesforce this feature is called "Login IP Ranges", and it is defined at the user profile level. To use it, follow these steps:

  1. Open the Setup page.
  2. In the left-hand sidebar under ADMINISTRATION, click on Users > Profiles.
  3. In the Profiles page, click on the profile name for which you want to define valid IP ranges for accessing Salesforce.
  4. In the profile page, click on the Login IP Ranges (0) link at the upper left side of the page. This is an internal link that will take you to the Login IP Ranges table. Click on the New button.
  5. In the Login IP Ranges page, enter the range of IP addresses from which you want to allow access to your environment. If you want to enter a specific IP address and not a range, simply enter that IP address in both the Start IP Address and End IP Address fields.
  6. (Optional) Enter a brief description for the range or address you entered.
  7. Click the Save button to save the range or address. Note: If the address or range you entered does not include the address from which you are currently connecting to Salesforce, the system will alert you. The reason is that you may block yourself from accessing the system! This situation can occur if you modify your own profile to allow access only from a range of IP addresses that does not include your current one.

Now, when a user whose profile has Login IP Ranges defined tries to connect to the environment from an IP address that is not included in those ranges, they will receive an error message. Note that the error message shown to the user is generic, which may confuse users and lead them to believe they entered an incorrect password.
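Before entering ranges in steps 5 to 7, it helps to check the planned list offline. The script below is an added example, not part of the original article or of Salesforce: it validates each start/end pair, treats a single address as a range with identical start and end, and reports the lockout case from step 7 when the administrator's current address is not covered. The function names, the `max_size` review threshold and the sample addresses are assumptions made for illustration.

```python
import ipaddress

def parse_range(start, end):
    """Return (first, last) address objects; reject malformed ranges."""
    first, last = ipaddress.ip_address(start), ipaddress.ip_address(end)
    if first.version != last.version:
        raise ValueError(f"{start} and {end} mix IPv4 and IPv6")
    if first > last:
        raise ValueError(f"start {start} is above end {end}")
    return first, last

def covers(ranges, address):
    """True if address falls inside at least one (first, last) range."""
    addr = ipaddress.ip_address(address)
    return any(f.version == addr.version and f <= addr <= l for f, l in ranges)

def preflight(planned, current_ip, max_size=1024):
    """Return findings for planned (start, end) pairs; empty list means OK.
    max_size is an assumed review threshold, not a Salesforce limit."""
    valid, findings = [], []
    for start, end in planned:
        try:
            first, last = parse_range(start, end)
        except ValueError as exc:
            findings.append(f"invalid: {exc}")
            continue
        valid.append((first, last))
        size = int(last) - int(first) + 1
        if size > max_size:
            findings.append(f"broad: {start}-{end} admits {size} addresses")
    if not covers(valid, current_ip):
        findings.append(f"lockout: {current_ip} is outside every range")
    return findings

# Constructed sample input (documentation-reserved addresses).
PLANNED = [
    ("203.0.113.10", "203.0.113.20"),    # egress range
    ("198.51.100.7", "198.51.100.7"),    # single address: start == end
    ("203.0.113.200", "203.0.113.100"),  # reversed by mistake
]

if __name__ == "__main__":
    for finding in preflight(PLANNED, "192.0.2.44"):
        print(finding)
```

Pass the address your organization's egress layer presents to the internet as `current_ip`, not the workstation's internal address.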