IPS Enforcement Modes
To provision resource access policies, you can use an 802.1X Layer 2 switch, access point, or firewall within any enterprise-class network edge infrastructure that supports 802.1X and Remote Authentication Dial-In User Service (RADIUS).
The following types of devices can be used as IPS enforcement points:
- Infranet Enforcer (Firewall)—Devices that control traffic flow based on Layer 3 data. You can use Palo Alto, Check Point, Fortinet, Juniper Networks SRX series and ScreenOS firewalls as enforcers. For more information, see Layer 3 Enforcement.
- 802.1X devices—You can use any 802.1X enabled switches or access points with IPS. The 802.1X protocol provides port-based authenticated access to a LAN. This standard applies to both wireless and wired networks. For more information, see Layer 2 Enforcement.
You can use 802.1X enabled switches or access points with or without the Infranet Enforcer as part of the solution. If you do not deploy the Enforcer, the 802.1X enabled switch or access point functions as the enforcement point. You can create different security zones by configuring VLANs on the network and assigning different roles to the appropriate VLAN.
Allowing Required IP Addresses
The IPS uses a series of IP addresses and ports to facilitate access to the admin and user web consoles, for user enrollment, and for connections to Ivanti Policy Secure. To ensure network access, make sure the following IP addresses and ports are added to the allowed list in your network firewalls and routing infrastructure.
If IPS devices are connected to NSA and nZTA controllers, refer to KB24280 for detailed information.
The following table lists the NSA Azure IP instance ranges and nZTA tenant IP range. Select the IP addresses and ports for your corresponding region only.
Region | External IPs | External IPs |
North America | 52.186.44.249 (port 443) | 52.188.33.186 (port 443) |
Europe | 51.138.111.17 (port 443) | 20.50.150.82 (port 443) |
APJ | 20.44.238.229 (port 443) | 20.44.237.67 (port 443) |
UAE | 20.233.40.108 (port 443) | 20.233.41.69 (port 443) |
Canada | 20.220.157.85 (port 443) | 20.220.157.158 (port 443) |
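An added example (not Ivanti code): a Python check that audits a firewall's egress allow rules against the region table above, flagging required addresses that are not admitted on port 443, addresses of other regions that are admitted, and rules wider than a single host or port. The `(CIDR, port)` rule format, the function names and the sample rule set are assumptions constructed for illustration.

```python
import ipaddress

# Region table copied from the page; every entry is TCP port 443.
REQUIRED = {
    "North America": ["52.186.44.249", "52.188.33.186"],
    "Europe": ["51.138.111.17", "20.50.150.82"],
    "APJ": ["20.44.238.229", "20.44.237.67"],
    "UAE": ["20.233.40.108", "20.233.41.69"],
    "Canada": ["20.220.157.85", "20.220.157.158"],
}
PORT = 443


def covers(rule, ip, port):
    """True if an allow rule (CIDR, port or None for any port) admits ip:port."""
    cidr, rule_port = rule
    in_net = ipaddress.ip_address(ip) in ipaddress.ip_network(cidr, strict=False)
    return in_net and rule_port in (None, port)


def audit(region, rules):
    """Return (missing, other_region, too_broad) for one region's allow rules."""
    # Required addresses for this region that no rule admits on 443.
    missing = [ip for ip in REQUIRED[region]
               if not any(covers(r, ip, PORT) for r in rules)]
    # Addresses of other regions that a rule admits (the page says: your region only).
    other_region = sorted(
        ip for name, ips in REQUIRED.items() if name != region
        for ip in ips if any(covers(r, ip, PORT) for r in rules))
    # Rules wider than a single IPv4 host, or open on every port.
    too_broad = [r for r in rules
                 if ipaddress.ip_network(r[0], strict=False).prefixlen < 32
                 or r[1] is None]
    return missing, other_region, too_broad


# Constructed sample rule set for a Europe deployment (not from the page).
SAMPLE_RULES = [
    ("51.138.111.17/32", 443),   # correct, region-specific entry
    ("20.44.238.0/24", 443),     # wider than needed; admits an APJ address
    ("20.50.150.82/32", 8443),   # right host, wrong port
]

if __name__ == "__main__":
    missing, other, broad = audit("Europe", SAMPLE_RULES)
    print("missing:", missing)
    print("other-region:", other)
    print("too broad:", broad)
```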
Add the following URLs to the Allow list:
- Host Checker signatures: https://download.pulsesecure.net
- PCLS: https://pcls.pulseone.net
- Online Help Pages: https://help.ivanti.com/
- KB links: https://forums.ivanti.com