Network Restrictions

AMS allows you to enable, partially enable, or disable access to AMS functions based on a user’s IP address. You can choose the following access levels:

  • No access restrictions: With no restrictions in place, AMS users can log into AMS and access the full range of features available to your organization from any IP address. This is the default setting in place until you choose another option.
  • Full restrictions: With full restrictions configured, users are allowed to log into AMS only from explicitly allowed IP addresses. Users attempting to log into AMS from disallowed IP addresses will be unable to log in.
  • Partial restrictions: With partial restrictions configured, administrators can restrict access to specific features, which will be available only to users logging into AMS from approved IP addresses. Features left unrestricted can be accessed by authenticated users logging in from any IP address.

Configure network restrictions:

  1. From the AMS Admin Console, click System Settings, then click Network Restrictions. The Network Restrictions page appears.

NOTE

Before you can configure network restrictions, you must contact Support to enable the feature for your organization. If you do not see the Network Restrictions menu item under System Settings in the AMS Admin Console, the feature has not been enabled. After Support enables the feature, you can configure network restrictions as described in this section. Otherwise, there are no access restrictions in place.
  2. Choose the Protection Status:
  • Disabled: If you choose Disabled, no network restrictions will be configured, and any existing restrictions will be removed. This option allows authenticated users to log in and access the full range of AMS features available to your organization from any IP address. After you choose Disabled, click Submit. You do not need to continue with any other steps in this section.

  • Enabled: If you choose Enabled, users will be allowed to log into AMS only from IP addresses you list in the Allowed Networks list that appears.
  • Partially Enabled: If you choose Partially Enabled, users will be allowed access to the features you choose only when they log into AMS from IP addresses you list in the Allowed Networks list that appears.
  3. In the Allowed Networks field, enter the IP addresses from which users are allowed access to AMS or its features. You can specify addresses or an IP range using CIDR notation, with the following restrictions:
  • You must include your own IP address in the Allowed Networks field. Because AMS will not allow you to lock yourself out, the IP address for the computer you are using must be included among those in the Allowed Networks field. AMS displays your IP address so that you can include it in the list.
  • You must provide your external IP addresses. Private network host ranges (such as 10.0.0.0/8, 172.16.0.0/12, and 192.168.0.0/16) cannot be used to implement network restrictions.

To check whether a specific host is within the range you specified, you can enter its IP address in the Host IP Address field and click OK.

NOTE

AMS client software components (such as SyncManager and RecoveryManager) are never restricted from connecting to the data center. You do not have to include the IP addresses for these components in the Allowed Networks field.
  4. For full restriction, click Submit. You do not need to continue with the next step. For partial restriction, continue to the next step.
  5. For partial restriction only, check the boxes in the Protected Features list to restrict features. Users will be allowed to access features you check only from allowed IP addresses. Any features you leave unchecked will be available to authenticated AMS users logging in from any IP address.

NOTE

The Protected Features list appears only after you select the Partially Enabled option. The Protected Features list does not appear if you select Enabled or Disabled.
  • For example, you could check Administrative Console to restrict access to the AMS Admin Console to a limited set of IP addresses, but leave Webmail unchecked to allow users to access Webmail from any IP address.
  6. Click Submit.
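Before entering a list in the Allowed Networks field, you can check it locally against the rules given for that field above. The following is an added example, not part of AMS: the function names are hypothetical, the sample addresses are constructed from documentation ranges, and rejecting CIDR entries with host bits set is an assumption about good hygiene rather than a documented AMS rule.

```python
import ipaddress

# The three private ranges the page names as unusable in Allowed Networks.
PRIVATE_RANGES = [ipaddress.ip_network(n) for n in
                  ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample input (documentation address ranges, not real hosts).
SAMPLE = ["203.0.113.0/24", "198.51.100.7", "192.168.1.0/24",
          "203.0.113.5/24", "not-an-ip"]

def parse_allowed(entries):
    """Return (networks, errors) for a list of address or CIDR strings."""
    networks, errors = [], []
    for raw in entries:
        entry = raw.strip()
        try:
            # strict=True rejects ranges with host bits set (203.0.113.5/24).
            net = ipaddress.ip_network(entry, strict=True)
        except ValueError as exc:
            errors.append(f"{entry!r}: not a valid address or range ({exc})")
            continue
        # Any overlap counts, so an over-broad entry like 0.0.0.0/0 is caught.
        if net.version == 4 and any(net.overlaps(p) for p in PRIVATE_RANGES):
            errors.append(f"{entry!r}: overlaps a private range; "
                          "use the external address instead")
            continue
        networks.append(net)
    return networks, errors

def host_allowed(host, networks):
    """True if host falls inside at least one allowed network."""
    addr = ipaddress.ip_address(host)
    return any(addr in net for net in networks)

def preflight(entries, own_ip):
    """Validate the list and confirm the admin's own address is covered."""
    networks, errors = parse_allowed(entries)
    if not host_allowed(own_ip, networks):
        errors.append(f"your own address {own_ip} is not covered "
                      "by any valid entry")
    return networks, errors

if __name__ == "__main__":
    nets, errs = preflight(SAMPLE, own_ip="198.51.100.7")
    print("usable entries:", [str(n) for n in nets])
    for e in errs:
        print("problem:", e)
```
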