Restricting Access to LegalServer by IP Address
This feature allows administrators to control the timeout period, permissions, and ability to login based on the IP address the person is connecting from.
Logins can be denied completely, to all users or selected roles, unless a user is connecting from a designated network. Less drastic, a user's permissions may be lowered when connecting from outside approved networks.
Allow staff attorneys to connect externally (courthouse access, etc.). That role has external permissions; all others do not, and those users must be in the office.
Mitigate downloading large amounts of data to unauthorized devices. Hide the Report tab when connecting from outside an office network (i.e., when the connecting device itself can't be authenticated).
Note: Administrators should review the permissions for each user role before establishing internal and external networks. Each user role by default has almost no external permissions, therefore all users would be severely restricted when logging in from an external network until those adjustments were made. See User Roles and Permissions.
Administrators configure this feature on the Admin / Client IP Address Ranges page.
This option overrides the sitewide default session duration in Admin / Site Settings, which provides 4 options (1, 1.5, 2, or 3 hours). Timeout values on this page are entered in minutes. Administrators can use this feature to provide shorter or longer timeouts. For example, to provide longer timeouts for users logging in inside a secured office network.
This field relates to the internal and external permissions that can be separately set for each user role. If a user connects from a network where Internal is Yes, the internal permissions will appy; or if set to No, the external permissions will apply. See Help:User Roles and Permissions for information on creating roles and assigning permissions.
The terms "internal" and "external" refer to the permissions sections for each user role. They do not necessarily correlate to a particular network being physically internal or external to a location.
Logins from an external network can be blocked completely by removing the "Login" permission in the external section of a user role.
Note: You need at least one external network defined (one with Internal set to No). This is usually a catchall network as shown in the screenshot above and the example below.
Address ranges are entered in CIDR format. 192.168.0.0/24 or 0:0:0:0:0:ffff:808:404/64, for example. A single IP address may be entered with or without a /32 or /128 CIDR mask.
If an incoming IP address matches multiple entries, the most specific (highest CIDR) is applied. The order of the entries in the list is not significant, however the order entries are entered is significant. For example, if an administrator entered a 'catchall' CIDR like 0.0.0.0/0 as the first entry, and that entry forced a user into a restricted role, the administrator would be forced into that role and unable to make further changes.
A simple example of entries to allow only restricted, short term, logins from outside an office network could be:
22.214.171.124/32 - no timeout entered - internal (assumes the office has a single IP address of 126.96.36.199)
0.0.0.0/0 - 30 minute timeout - external (with possibly fewer permissions granted per user role; or the Login permission removed to completely block some or all roles from logging in outside the office)