IP Whitelisting Scenarios for SaaS Applications

Description

Overview

This Knowledge Base (KB) article explains how to configure IP whitelisting for Software as a Service (SaaS) applications using SonicWall Cloud Secure Edge (CSE). By routing specific SaaS application traffic through CSE Service Tunnels, administrators can enforce Zero Trust access controls, ensuring that users can only log into critical SaaS platforms from trusted network locations.

This guide covers two primary deployment models for securing SaaS applications via IP whitelisting:

  1. Egress via SonicWall Global Edge PoPs

  2. Egress via Corporate Office IP (Connector / Private Edge / Firewall)

Licensing Requirements

To utilize Service Tunnels for SaaS IP whitelisting, your SonicWall CSE tenant must be provisioned with one of the following licenses:

  • SPA Basic (Secure Private Access Basic)

  • SPA Advanced (Secure Private Access Advanced)

Scenario 1: Egress via Global Edge PoPs

In this model, traffic destined for your SaaS applications is routed directly through the SonicWall Global Edge Network. The traffic will egress to the internet using the public IP addresses of the SonicWall Global Edge Points of Presence (PoPs).

How it Works

You will utilize the Public Include List inside your Service Tunnel configuration. When users attempt to access the specified SaaS IP networks or domains, the traffic is seamlessly secured via the CSE Service Tunnel and egresses from a SonicWall Global Edge IP.

Configuration Steps

  1. Configure the Service Tunnel:

    • Log in to the SonicWall CSE Command Center.

    • Navigate to Private Access > Service Tunnels and create or edit a Service Tunnel. (See official documentation on Publishing a Service Tunnel).

    • Under the Public Include List section, add the public IP addresses, networks (CIDRs), or domains required by your SaaS application.

    • Best Practice Recommendation: We strongly recommend using IP addresses or networks (CIDRs) rather than domains whenever possible. Certain applications, such as Microsoft 365 on mobile devices, may bypass standard DNS resolution and make direct IP connections. Specifying IP addresses ensures this mobile traffic is properly captured by the Service Tunnel.

    • Microsoft 365 example: Microsoft 365 URLs and IP address ranges - Microsoft 365 Enterprise | Microsoft Learn

  2. Assign an Access Policy:

    • To grant authorized users access to this Service Tunnel, you must assign an Access Policy (specifically, a Tunnel Policy).

    • Navigate to Private Access > Access Policies and create a Tunnel Policy enforcing your desired Trust Levels and Roles. (See official documentation on Creating Tunnel Policies).

  3. Update SaaS App IP Whitelist:

    • Log in to your SaaS application's security console.

    • Action Required: You must update the IP whitelist/allowlist in your SaaS application to include the SonicWall Global Edge NAT Egress IP ranges for the PoPs that you have provisioned. (For the current active list of Global Edge Egress IPs, please refer to the SonicWall CSE Global Edge Network IP Ranges or contact SonicWall Support).

Scenario 2: Route through Corporate Office IP (Connector, Private Edge, or Firewall)

In this model, traffic destined for the SaaS application is routed back through your organization's on-premises network via a CSE Connector, Private Edge, or integrated Firewall. The traffic then egresses to the internet using your corporate office's standard public IP address.

How it Works

This setup also utilizes a Service Tunnel, but it is specifically configured in Split Tunnel mode (not Full Tunnel). Specific public traffic meant for the SaaS app is captured by the Service Tunnel, routed to your on-premises infrastructure, and then forwarded out to the internet through your local gateway.

Configuration Steps

  1. Ensure Proper Routing and Egress Prerequisites:

    • If using a Connector: By default, Connectors are designed to route private (RFC 1918) traffic. To route public internet traffic (non-RFC 1918) through your local network, you must enable Public IP support on the designated CSE Connector in the Command Center.

    • If using a Private Edge (Access Tier): Unlike Connectors, Access Tiers natively process and route traffic, but you must ensure the underlying host infrastructure has a default route to the public internet.

    • If using a SonicWall Firewall: Public IP support must be enabled directly on the firewall. Note: This capability is only supported on firewalls running SonicOS version 7.1.3 or later.

    • For all types, you must add the route list for the SaaS app to the Connector or Access Tier routes. Microsoft 365 example: Microsoft 365 URLs and IP address ranges - Microsoft 365 Enterprise | Microsoft Learn

    • Note for all deployment types: Ensure your local perimeter firewall has the appropriate Source NAT (SNAT) and security rules configured to allow outbound internet access for traffic originating from the Connector, Access Tier, or Firewall routing IP.

  2. Configure the Service Tunnel:

    • Create or edit the Service Tunnel as in Scenario 1, but configure it in Split Tunnel mode (not Full Tunnel), and add the SaaS application's public IP networks (CIDRs) to the Public Include List so that only this traffic is captured and routed to your on-premises infrastructure.

  3. Assign an Access Policy:

    • Just like in Scenario 1, ensure a suitable Access Policy (Tunnel Policy) is attached to govern who can use this Service Tunnel.

  4. Update SaaS App IP Whitelist:

    • No change is needed to your SaaS application's IP whitelist, assuming your corporate office's public IP address is already whitelisted. Because the traffic egresses from your local firewall, the SaaS application will recognize the standard office IP.
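The Microsoft 365 example referenced in both scenarios publishes its endpoint records as JSON; the following added Python helper (not SonicWall's or Microsoft's code) turns such records into a collapsed CIDR list for the Public Include List (Scenario 1) or the Connector / Access Tier routes (Scenario 2), flags entries that publish no IP ranges and so could only be captured by domain, and checks an observed egress IP against a SaaS allowlist. The JSON sample and allowlist values are constructed documentation ranges, not real Microsoft or SonicWall addresses.

```python
import ipaddress
import json

# Constructed sample shaped like the records returned by the Microsoft 365
# endpoints web service (https://endpoints.office.com/endpoints/worldwide?clientrequestid=<GUID>).
# The CIDRs and hosts are documentation/example values, NOT real Microsoft ranges.
SAMPLE_ENDPOINTS_JSON = """[
 {"id": 1, "serviceArea": "Exchange", "category": "Optimize", "required": true,
  "urls": ["outlook.office.com"], "ips": ["203.0.113.0/24", "2001:db8:1::/48"], "tcpPorts": "80,443"},
 {"id": 2, "serviceArea": "SharePoint", "category": "Optimize", "required": true,
  "urls": ["*.sharepoint.com"], "ips": ["198.51.100.0/25", "198.51.100.128/25"], "tcpPorts": "80,443"},
 {"id": 3, "serviceArea": "Common", "category": "Allow", "required": true,
  "urls": ["login.microsoftonline.com"], "ips": ["192.0.2.0/24"], "tcpPorts": "443"},
 {"id": 4, "serviceArea": "Common", "category": "Allow", "required": true,
  "urls": ["*.cdn.example.net"], "tcpPorts": "443"}
]"""

# Constructed placeholder for a SaaS allowlist; a real one holds the SonicWall
# Global Edge egress ranges (Scenario 1) or the office public IP (Scenario 2).
SAMPLE_SAAS_ALLOWLIST = ["203.0.113.64/26", "198.51.100.7/32"]


def build_include_list(endpoints_json, required_only=True, include_ipv6=False):
    """Return (cidrs, domain_only): collapsed networks to enter in the Public
    Include List or routes (IPs preferred, per the KB), and URLs of records
    that publish no IP ranges and would have to be added as domains."""
    nets, domain_only = [], []
    for rec in json.loads(endpoints_json):
        if required_only and not rec.get("required", False):
            continue
        ips = rec.get("ips") or []
        if not ips:
            domain_only.extend(rec.get("urls", []))
            continue
        nets.extend(ipaddress.ip_network(c, strict=False) for c in ips)
    if not include_ipv6:
        nets = [n for n in nets if n.version == 4]
    # collapse_addresses refuses mixed families, so merge v4 and v6 separately;
    # adjacent /25s become one /24, overlaps are dropped, the result is sorted.
    merged = []
    for fam in (4, 6):
        merged += ipaddress.collapse_addresses(n for n in nets if n.version == fam)
    return [str(n) for n in merged], domain_only


def egress_in_allowlist(observed_ip, allowlist_cidrs):
    """True if the egress IP the SaaS app sees falls inside its allowlist."""
    ip = ipaddress.ip_address(observed_ip)
    return any(ip in ipaddress.ip_network(c, strict=False) for c in allowlist_cidrs)
```

Running `build_include_list` against the live endpoint feed and diffing the result against what is configured in the Service Tunnel is a simple way to catch range changes before users lose access.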

Summary Matrix

Feature                      | Scenario 1: Global Edge PoPs                         | Scenario 2: Corporate Office IP
-----------------------------+------------------------------------------------------+-------------------------------------------------------------
Routing Infrastructure       | SonicWall Global Edge Network                        | On-Premises Connector / Access Tier / Firewall
Tunnel Configuration         | Service Tunnel (Global Edge routing)                 | Service Tunnel (Split Tunnel mode via Local Infrastructure)
Target Specification         | Public Include List (IPs highly recommended)         | Public Include List (IPs highly recommended)
Infrastructure Prerequisites | N/A                                                  | Connector: Enable Public IP Support
                             |                                                      | Access Tier: Ensure host internet egress & NAT
                             |                                                      | Firewall: Enable Public IP Support (requires SonicOS 7.1.3+)
SaaS Whitelist Action        | Update required: Add SonicWall Global Edge IP ranges | No change needed (assuming the Office IP is already present)
