Objective 

Note: The policy names used in this article are for illustrative purposes only.

Prerequisites 

• Professional edition of ADSelfService Plus
• Endpoint MFA license
• ADSelfService Plus application must be hosted on the internet with X-Forwarded-For enabled
  

Note on X-Forwarded-For 

Perimeter security is essential for this setup. When users connect from a public IP address, the request initially reaches the perimeter firewall before proceeding to the ADSelfService Plus server. This means the server sees the firewall’s IP address, not the user’s original IP. If the firewall’s IP falls within the internal range, MFA won’t be enforced. To address this, ensure that X-Forwarded-For is enabled at each network hop. This ensures the source IP is included in the request, allowing accurate IP-based Conditional Access.

 Steps to enable X-Forwarded-For 

• To enable X-Forwarded-For in ADSelfService Plus, navigate to the conf folder in the installation directory and open the security.xml file.
• Update the following <Valve> configuration:

<Valve className="org.apache.catalina.valves.RemoteIpValve" remoteIpHeader="x-forwarded-for" proxiesHeader="x-forwarded-by" requestAttributesEnabled="true" internalProxies="172\.16\.10\.20"/>, replacing 172\.16\.10\.20 with your proxy server’s IP.

• Save the file, then restart the ADSelfService Plus service to apply the changes.

Steps to create a IP-based conditional access rule to bypass MFA 

1. Create a policy named "Internal Policy", targeting relevant users and configuring MFA for required endpoints; refer to these policy configuration steps for detailed instructions.

2. Duplicate the Internal Policy by clicking the Copy option under the Actions column and renaming it to "External Policy".

3. Edit the Internal Policy and disable MFA for endpoints.

• Navigate to Configuration > Multi-Factor Authentication, and select the policy named Internal Policy. Select the MFA for Endpoints tab, then in the MFA for Machine Login section, disable the Enable N factor authentication for Machine login checkbox.

Step 2: Configuring conditional access   

1. Go to Configuration > Self Service > Conditional Access.
2. Create a rule named Internal Access. This rule will define the internal IP range, ensuring that users within this range are assigned the newly created Internal Policy, where MFA is disabled.

Fig.1: Configuring Conditional Access rules for internal IP range

Fig.2: Assigning Conditional Access rules for the internal policy

3. Copy the Internal Access rule and rename it as External Access. Modify this rule’s criteria to "NOT 1," meaning all IP addresses outside the defined internal range.

4. Navigate to the Rule Assignment tab, then select External for the Choose CA rule drop-down. In the Access Controls section, enable the Assign Policies checkbox and assign the External Policy.

Validation and confirmation

• If a user’s machine connects from a public network (i.e., the IP is not in the internal range), the External rule applies, activating the External Policy where MFA is required.
  
• If a user’s machine is on the office LAN (i.e., the IP is in the internal range), the Internal rule applies, activating the Internal Policy where MFA is disabled, allowing the user to log in without MFA.
  

How to reach support