+10
Under Review

Restrict Administrator to access from Specific Networks

31 Networks 7 years ago updated by RADRaze2KX 1 month ago 8 1 duplicate

In an on-site implementation of ScreenConnect, we have setup multiple accounts all with 2-factor authentication. Likewise in order to protect the administrator account specifically or what it is renamed to, we would like to allow the account to remain in the event 2-factor failures occur, without triggering a full product reset of the "issetup" flag. Thus, is there a way easily to isolate the specific users or user group like the "Administrator" privileges provide to only being allowed to log in from a specific local area network, or trusted networks per say.

Duplicates 1

I'd like to second this as I'd like to restrict the administrator account to specific IP addresses (Automate server & Control server), but I'd like to have other accounts able to log in from either specified IPs, or any IP.

Under Review

Hi All,

You can configure RestrictToIPs in the web.config settings to restrict access to pages by IP. 

https://docs.connectwise.com/ConnectWise_Control_Documentation/Get_started/Security_guide




Kirsten,


After chatting with support thought it is my understand that those options are global. The request is to have them applied on a per user or role basis.

Under Review

Thanks for clarifying the request, we'll take another look at it.

This would be an amazing feature.  That way I can restrict admins to LAN or VPN access only.

Hi is this possible? Or is it possible to limit access by time of day?

We need a way to restrict the Internal Administrator account and any service accounts such as for ConnectWise Automate to IP address / CIDR ranges since all our other users are using external SAML / 2FA.

Mainly around the ConnectWise automate service account since the Administrator account can have the inbuilt 2FA enabled ofcource.

Additionally this may be able to used to restricted logins you may have provided to external vendors or employee's so only their known IP's can be used to login to their account.

I'm surprised this thread hasn't really been answered yet. One of the things you can do is put the server behind a CloudFlare redirect and use CloudFlare's WAF rules to specify what IPs should be able to access it. You'd also want to set up your IIS server to whitelist /login page to only specific IPs or subnets. Hope this helps. - Mark w/ RAD Computers