If Zendesk authentication is enabled, you can restrict access to Zendesk Support to users within a specific range of IP addresses. This means that users connecting from these IP addresses are the only users allowed to sign in to Support. For example, to restrict access to users in your company, specify the IP addresses of your company.
You can specify ranges of IP addresses, separating each range with a space. Two methods are available to specify a range. The first is to use asterisk (*) wildcards. An IP address consists of four numbers separated by periods, such as 192.168.0.1. You can substitute a single asterisk character (*) for any number group to let Zendesk know that it should accept any value in that space. For example, 192.*.*.* allows any IP address whose first number is 192.
The second way to specify an IP range is to use IP subnet mask syntax. For example, 192.168.1.0/25 specifies all the IP addresses between 192.168.1.0 and 192.168.1.127.
You cannot specify IP ranges where the CIDR (Classless Inter-Domain Routing) value is 0. For example, if you specify 10.0.0.0/0, the /0 is invalid.
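The range syntax described above can be checked offline before you enable restrictions. The following is an added example, not Zendesk's own validation code: it models the wildcard and subnet rules as this article states them (IPv4 only) and reports which required addresses, such as office or integration IPs, no allowed range would cover. The names `parse_range`, `uncovered`, `ALLOWED` and `REQUIRED` and the sample addresses are constructed for illustration.

```python
import ipaddress

def parse_range(token):
    """Turn one allowlist entry into a predicate over IPv4Address values."""
    if "/" in token:
        # strict=False tolerates host bits in the entry (an assumption here).
        net = ipaddress.IPv4Network(token, strict=False)
        if net.prefixlen == 0:
            raise ValueError(f"{token}: a CIDR value of 0 is invalid")
        return lambda ip: ip in net
    groups = token.split(".")
    if len(groups) != 4:
        raise ValueError(f"{token}: expected four number groups")
    for g in groups:
        if g != "*" and not (g.isdigit() and int(g) <= 255):
            raise ValueError(f"{token}: bad number group {g!r}")
    # ip.packed is the four address bytes; "*" accepts any value in its slot.
    return lambda ip: all(g == "*" or int(g) == octet
                          for g, octet in zip(groups, ip.packed))

def uncovered(allowed_ranges, required_ips):
    """Return the required IPs that no entry of the space-separated list matches."""
    checks = [parse_range(t) for t in allowed_ranges.split()]
    missing = []
    for raw in required_ips:
        ip = ipaddress.IPv4Address(raw)
        if not any(check(ip) for check in checks):
            missing.append(raw)
    return missing

# Constructed sample data (documentation address blocks, not real hosts).
ALLOWED = "192.168.1.0/25 203.0.113.*"
REQUIRED = ["192.168.1.10", "192.168.1.200", "203.0.113.77", "198.51.100.4"]

if __name__ == "__main__":
    for ip in uncovered(ALLOWED, REQUIRED):
        print("not covered by any allowed range:", ip)
```

An empty result means every required address matches at least one entry; any address it returns would be locked out once restrictions are saved.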
- In Admin Center, click Account in the sidebar, then select Security > Advanced.
- On the IP Restrictions tab, select Enable IP restrictions, then enter the Allowed IP Ranges you want to restrict.
  Note: Enabling IP-based access restrictions can break third-party integrations. Be sure to include all external IPs that need access to your account via the Zendesk API.
- (Optional) Select the Allow customers to bypass IP restrictions check box.
  This option ensures that your customers can access your help center regardless of their IP address, even if their IP address is not in the range of allowed IP addresses.
  Agents and administrators cannot bypass IP address restrictions.
- Click Save.
Unrestricted endpoints
The endpoints listed below are not protected by IP restrictions and are accessible from any network location. Please review these endpoints carefully and consider any related security implications.
Endpoint | Reason for exemption |
---|---|
/chat/static/css/style_language.less | This endpoint delivers a globally shared static asset required by all accounts. Applying IP restrictions is not feasible without significant redesign. |
/chat/static/css/style_simulatev2.less | This endpoint delivers a globally shared static asset required by all accounts. Applying IP restrictions is not feasible without significant redesign. |
/chat/static/css/style_variables.less | This endpoint delivers a globally shared static asset required by all accounts. Applying IP restrictions is not feasible without significant redesign. |
/voice/calls/ivr_keypress/{ivr_keypress-id} | This endpoint must be accessible to Twilio’s infrastructure to support core call flows. Applying IP restrictions would interfere with integration functionality. |
/voice/calls/ivr_menu/{ivr_menu-id} | This endpoint must be accessible to Twilio’s infrastructure to support core call flows. Applying IP restrictions would interfere with integration functionality. |
/voice/failover/v3/on_exception | This endpoint must be accessible to Twilio’s infrastructure to support core call flows. Applying IP restrictions would interfere with integration functionality. |
/voice/verifications/status/{status-id} | This endpoint must be accessible to Twilio’s infrastructure to support core call flows. Applying IP restrictions would interfere with integration functionality. |
/flow_composer/assets/bot-avatar/{bot-avatar-id} | This endpoint provides avatar images for bots. Centralized asset delivery must remain openly accessible to ensure compatibility across multiple Zendesk products and clients. |
/ips | The endpoint provides necessary ingress and egress IP information for customer firewall setup. It must be externally accessible to enable customer operations and integrations. |
/api/v2/rapid_resolve/fetch | This helper endpoint requires both an authentication token and an article id for access, ensuring unauthorized use is not possible. Open invocation is necessary to support technical workflows such as feedback widgets. |
/theming/api/internal/s3_upload_tracking | This endpoint receives notifications from Amazon Simple Notification Service (AWS SNS) regarding theme upload events and uses SNS signature authentication. Public accessibility is required to enable integration with AWS services. |
/integrations/outlook/finish | This endpoint is necessary to complete the Outlook authentication process with Microsoft’s cloud service. Public accessibility is required to support SSO and redirect functionality. |
/api/services/talk_recordings/recordings/{recordings-id} | This endpoint supports legacy recording integration during the migration to the Voice product. It will remain open throughout the transition period. |
/api/v2/zorgtest/zorgheaders | This endpoint is used for integration testing. Applying access restrictions would prevent automated validation. |
/api/v2/zorgtest | This endpoint is used exclusively for internal integration testing and system health checks. Implementing IP restrictions would prevent automation and engineering teams from accessing the endpoint. |
/flow_director/smooch/v2/webhook | Public access to the webhook endpoint is necessary for integration with external messaging services. Authentication is handled through the use of unique webhook keys. |
All logout endpoints | Logout endpoints must remain publicly accessible so users can securely end their sessions from any network location. |