Use IP Allowlisting to enforce zero trust policies for specific SaaS Applications integrated with Duo
Use a Duo Networks policy to require a CSE Service Tunnel when authenticating to a SaaS Application
- Updated on
Overview
This guide explains how to use a Duo Networks policy to require that end users have a CSE Service Tunnel established before they can authenticate to a protected SaaS application through Duo. The result is equivalent to the Entra ID IP allowlisting flow: authentication is permitted only when the request originates from the CSE Access Tier egress IP addresses. In effect, the CSE Service Tunnel becomes a precondition for authentication, so access to the SaaS application is confined to traffic that has already passed through CSE.
Doc status: CSE-side steps reviewed 2026-06-29. The third-party IdP console steps follow the vendor’s own documentation and should be confirmed against the live admin console, which can change without notice.
Prerequisites
- A Duo admin account with permission to manage Policies and applications.
- A CSE Service Tunnel that your users connect through.
- The SaaS application(s) you want to protect already protected by Duo SSO.
Values to exchange
This integration is driven by a single value: the CSE Access Tier egress IP address(es) that you authorize in Duo. Use the value identified in your own environment; do not substitute example addresses.
| Value | Source (where to read it) | Destination (where to enter it) |
| CSE Access Tier egress IP address(es) | CSE (identified in Step 2) | Duo Networks policy, authorized networks (Step 3.2) |
Steps
Step 1: Register a Service Tunnel for the public domains
This step ensures that authentication and application traffic is routed through CSE, so that Duo sees a CSE Access Tier egress IP rather than the user’s local address.
1.1 Register a Service Tunnel for Public Domains.
1.2 Configure the Service Tunnel to include the Duo authentication domains and the domains of the SaaS application(s) you are protecting, so that this traffic is routed through CSE.
Step 2: Identify the CSE Access Tier egress IP addresses
2.1 Determine the public egress IP address(es) of the Access Tier(s) that serve the Service Tunnel. These are the source IPs Duo sees for tunneled traffic, and the addresses you will authorize in Step 3.
Step 3: Create a Duo Networks policy that allows only the CSE egress IPs
This step is what enforces the allowlist: it tells Duo to permit authentication only from the CSE egress IPs and to block everything else. The steps below are performed in the Duo Admin Panel, whose layout is owned by Cisco Duo; confirm the current navigation and field labels against Cisco Duo’s documentation.
3.1 In the Duo Admin Panel, navigate to Policies, and create a New Policy.
3.2 In the Networks section, add the CSE Access Tier egress IP range(s) from Step 2 as authorized networks, and set the action for those networks to Allow access (or require 2FA, per your requirements).
3.3 Set the action for all other networks to Deny access, so users not coming through the CSE Service Tunnel are blocked.
Note: Duo’s Networks policy acts on the client IP address Duo receives. Some authentication paths (for example, LDAP) do not pass a client IP to Duo, in which case network-based rules cannot be enforced. Confirm the exact action labels in your Duo edition.
Step 4: Apply the policy to the SaaS application
This step binds the network restriction to a specific protected application, so the allowlist takes effect for that application’s authentications.
4.1 In the Duo Admin Panel, navigate to Applications, and select the application you want to protect.
4.2 Under Policy, apply the policy you created in Step 3 as an application policy.
Expected Behaviour
If the user does NOT have the Service Tunnel connection established, Duo sees a non-authorized source IP and denies access to the application. Once the user establishes the Service Tunnel, the request originates from an authorized Access Tier IP and authentication succeeds.
References
- Cisco Duo, Policy & Control.
- Cisco Duo, Networks Policy Settings.