IP Whitelisting
IP whitelisting is a restrictive security method that functions like a rigid digital gatekeeper, allowing network access only to a specific list of pre-approved IP addresses. Instead of filtering out known threats, this approach blocks every connection attempt by default unless the user’s IP address is already on the "allow" list.
In practice, this creates a significant amount of friction; because most modern internet connections use dynamic addresses that change frequently, legitimate users are often locked out of their own systems the moment they switch networks or move locations. This turns a simple security measure into a high-maintenance hurdle that requires constant manual updates to prevent authorized people from being treated like intruders.
While we do not recommend the use of IP whitelisting, Files.com supports an IP Whitelisting feature that lets you limit the IP addresses that can access your site. For example, you could implement this feature so that connectivity to your site is only allowed from your corporate network, limiting access to employees who are either physically at your corporate office or connected to your corporate office via VPN. Employees who are remote, external, or mobile would not be able to connect.
Implementing this feature will block access to your site from every IP address that is not included in the whitelist.
Restricting access by IP address can be done on a variety of levels: a site-wide basis, for a specific partner, at the group level, and for individual users.
This is an optional feature that we provide to allow compliance with your company security posture; it is not a required nor recommended configuration.
IP Whitelisting is Not Universally Recommended
IP whitelisting may seem like a straightforward way to control access, but it introduces significant challenges that often outweigh any perceived benefits. This feature is designed to restrict access, not grant it. It should only be implemented when explicitly required by your security office or by compliance regulations.
Implementing an IP whitelist without fully understanding the implications can lead to unnecessary access issues and increased support overhead. Business processes that rely on external connectivity with vendors, suppliers, partners, or customers will be impacted if any of these external parties changes premises, updates their network, or changes their internet service provider.
IP whitelisting is a frequent source of connectivity failures. Many organizations have dynamic or cloud-based IPs that change periodically, rendering a previously approved IP obsolete without notice. This results in unexpected disruptions and frustrated users who may suddenly find themselves unable to connect. Additionally, mobile users, remote employees, and third-party vendors often access services from multiple locations, making it impractical to maintain an accurate and functional whitelist.
From a security perspective, IP whitelisting is an outdated practice. Modern security models emphasize identity-based authentication, encryption, and network-level controls that provide far more robust protection without the operational headaches. Over-reliance on whitelisting can create a false sense of security while simultaneously complicating legitimate access.
If your site does not already have an IP whitelist in place, adding one will not resolve connectivity issues. Updating the whitelist only has an impact if access has already been restricted.
Before enabling IP whitelisting, carefully evaluate whether it is truly necessary. In most cases, other security mechanisms provide better protection with far fewer operational challenges.
Enabling IP Whitelisting For All Users
To add IP addresses to the site-wide IP whitelist, type "IP Whitelist/Blacklist" in the search box at the top of every page and then click on the matching result. Each whitelisted IP address should be entered on a separate line. You may specify a range in CIDR format, such as 192.168.1.0/27.
Adding one or more IP addresses to the site-wide whitelist will force all users to access the site from one of these IP addresses, unless they have a user-specific whitelisted IP address or have the Bypass Site IP Whitelist setting enabled, as described below.
How IP Whitelists Apply to Users, Groups, and Partners
In addition to your site's IP whitelist, you can create more targeted lists that apply only to specific users, groups, or partners. A user can connect if their IP appears on any applicable list, whether site-wide, group, user, or partner.
User-level and group-level IP whitelists apply only to their users and groups.
Partner-level IP whitelists apply to all of that partner's users. Partner users can have IP lists on their user account; these apply only to that particular partner user. Partner users cannot be members of groups, so group-level IP lists never apply to a partner user.
When There is No Site-Wide IP Whitelist
When no list exists for the site, the user, any of their groups, or (for partner users) their partner, a user can connect from any IP address without restriction.
When a specific IP whitelist exists for the user (or their group or partner), that user must access the site from one of the addresses on the specific IP whitelist.
Bypassing the Site-Wide IP Whitelist
By default, your site's setting for Allow User Overrides for Allowed IPs is enabled. When it's enabled, you can enable the Bypass site IP whitelist setting for individual users. Disabling the site-wide Allow User Overrides for Allowed IPs prevents you from setting up user-level IP whitelists, but group-level and partner-level IP whitelists can still be used.
When the user account is configured to Bypass site IP whitelist, the site-wide list no longer applies to them, even if one exists. When there is an IP whitelist at the user, group, or partner level, they can only connect from an IP address in the matching list.
If no such list exists for a user who is configured to Bypass site IP whitelist, they can connect from any IP address.
Disabling IP Whitelisting
To disable IP Whitelisting, clear out all content for the site-wide and per-user, per-group or per-partner IP whitelists.
Interaction With Other Restrictions
If you maintain a list of Allowed countries or Disallowed countries, the IP Whitelist and country restrictions are combined such that a given connection must satisfy all restrictions in order to be allowed. For example, IP addresses that are associated with countries in your list of Disallowed countries will not be allowed to connect, even if they would be allowed because of your IP whitelists.
Public Hosting
Folders that are configured with the Public Hosting (Web Hosting) setting are not affected by IP Whitelisting. These public folders will be accessible from any location and any IP address.
Logging
In general, Files.com logs all login attempts made to the site by users or systems. Login attempts that are blocked due to IP address restrictions configured by a Site Administrator do not appear in the user’s activity logs or the site-wide History logs. These blocked attempts are captured in the API logs, where they are recorded with a 401 status code and an error type of not-authenticated/locked-out for administrators to review as needed.
IPv6
Files.com does not support IPv6 addresses for any part of its platform, including for IP Whitelisting.
Get The File Orchestration Platform Today
4,000+ organizations trust Files.com for mission-critical file operations. Start your free trial now and build your first flow in 60 seconds.
No credit card required • 7-day free trial • Setup in minutes