Is it possible to run a nFactor EPA pre-auth scan for a certain range of client IP addresses? We want to be able to run EPA pre-auth scans for connections from an untrusted network and bypass the EPA scans if on a trusted network.

[Mike Smithson]

An alternative is to stand up an additional Access Gateway vServer for trusted networks users, controlling access by IP address using a responder policy. However we are trying to get away from having multiple URL's for end users to remember.

[Chris Chau]

Yes. By using nFactor Auth approach, you may setup a Factor, with No-Auth policy, to distinguish the client source IP and see whether it is within a defined internal subnet. If yes, will go to the next Auth Factor directly. If no, will go to an EPA Factor, and then to the Auth Factor.

Using the nFactor Visualizer to configure will be easier for you to track the flow.

[Mike Smithson]

Many thanks Chris for the info, If I understand that correctly - Create a no auth policy as your first factor, within that auth policy check for client source IP --> if IP is trusted go to next factor login --> if no go to EPA factor and carry on to auth factor.

[Chris Chau]

Yes, something like that:

 

And in the first Trusted-IP factor, the trusted-ip-pol policy is like that:

 

The Other-IP policy is like that:

 

You may try other combinations and alternatives going on and on. Good luck~!

[Mike Smithson]

That's great Chris. Many thanks for taking the time to put the visual explanation together.