Create a location

Depending on how you want to identify a location, complete one of these procedures:

  • If your organization uses static IP addresses, see Create a location with a static IP address.
  • If your organization uses dynamic IP addresses and you can identify the DNS host, see Create a location with a dynamic IP address.
  • If your organization uses dynamic IP addresses and you cannot identify the host, you can set up an IPsec tunnel to direct traffic from your organization to ‚ÄčSIA‚Äč. No IP address is required for this configuration. Instead, you identify the location through the IKE ID and PSK that‚Äôs used to validate and secure communication in the IPsec tunnel between ‚ÄčSIA‚Äč and your location. For instructions on creating a location with an IKE ID, see Create a location with an IKE ID.

ūüďė

While you can assign a policy to a location configuration, you can also assign a location or multiple locations to a policy when you create or modify a policy.

Create a location with a static IP address

Complete this procedure to identify a location with a static IP address.

Make sure you enter the IP address or addresses that belong to a region or geographic area in your network, such as a CIDR block for an office branch or company headquarters. Make sure that the CIDR block you provide includes the external IP address of your AD or the local DNS server that is used to communicate with ‚Äč‚ÄčSIA‚Äč.

To create a location with static IP addresses:

  1. In the Threat Protection menu of Enterprise Center, select Locations.
  2. Click the plus sign (+) icon to add a new location.
  3. In the Location name field, enter a name for the location.
  4. In the Description field, enter a description for the location.
  5. If the policy you need is already created, select a policy from the Policy menu. Otherwise, assign a location to a policy when configuring the policy or edit this location later.
  6. Click the link icon for Identifiers.
  7. Select IP address as the location identifier.
  8. To configure static IP addresses or CIDR blocks, in the IP Address / CIDR field, enter an IP address or CIDR block in this format:
    IPAddress/n
    where:
    • IPAddress is the IPv4 or IPv6 address.
    • n is the bit prefix. The maximum CIDR block for IPv4 is /16 and for IPv6 it is /48.
      You can provide multiple IP addresses or CIDR blocks. If you enter more than one address, each address appears as a separate item in the field.
  9. Click Save.
  10. To mask the internal (private) IP address of a sub-location, make sure the Internal IP Mask toggle is enabled. When enabled, you can configure sub-locations with a subnet that’s up to /28 for IPv4 or /56 for IPv6. Disable this option to configure addresses with a subnet that’s up to /32 for IPv4 or /128 for IPv6.
  11. To protect DNS traffic that arrives from an IPsec tunnel with the policy that’s assigned to the location, select Protect DNS in Tunnels.
  12. You can assign a policy that’s applied only to client traffic. In the Override location policy for client menu, select a policy.
  13. Click Save. To deploy the location with the save operation, click Save and Deploy.

Next Steps:

  • If you want to create a new policy for this location, see Create a policy.
  • If this location is assigned with the policy you need and you haven't deployed the location, deploy it to the ‚Äč‚ÄčSIA‚Äč‚Äč network. For instructions see Deploy configuration changes.
  • To associate a sub-location to a location, see Add a sub-location.

Create a location with a dynamic IP address

Complete this procedure to identify a location with a dynamic DNS host for dynamic IP addresses.

To create a location with a dynamic IP address:

  1. In the Threat Protection menu of Enterprise Center, select Locations.
  2. Click the plus sign (+) icon to add a new location.
  3. In the Location name field, enter a name for the location.
  4. In the Description field, enter a description for the location.
  5. If the policy you need is already created, select a policy from the Policy menu. Otherwise, assign a location to a policy when configuring the policy or edit this location later.
  6. Click the link icon for Identifiers.
  7. Select IP address as the location identifier.
  8. Expand the Dynamic DNS Host section.
  9. In the provided field, enter the domain or domains that are registered with the dynamic DNS provider.
  10. Click Save.
  11. To mask the internal (private) IP address of a sub-location, make sure the Internal IP Mask toggle is enabled. When enabled, you can configure sub-locations with a subnet that’s up to /28 for IPv4 or /56 for IPv6. Disable this option to configure addresses with a subnet that’s up to /32 for IPv4 or /128 for IPv6.
  12. To protect DNS traffic that arrives from an IPsec tunnel with the policy that’s assigned to the location, select Protect DNS in Tunnels.
  13. You can assign a policy that’s applied only to client traffic. In the Override location policy for client menu, select a policy.
  14. Click Save. To deploy the location with the save operation, click Save and Deploy.

Next Steps:

  • If you want to create a new policy for this location, see Create a policy.
  • If this location is assigned with the policy you need and you haven't deployed the location, deploy it to the ‚Äč‚ÄčSIA‚Äč‚Äč network. For instructions see Deploy configuration changes.
  • To associate a sub-location to a location, see Add a sub-location.

Create a location with an IKE ID

If you prefer to not identify a location by an IP address, you can identify a location by the IKE ID and PSK for an IPsec tunnel. The IKE ID and PSK you generate in this procedure is provided in the SD-WAN solution where you create the tunnel. For more information on IPsec, see Set up IPsec tunnels.

ūüďė

Identifying a location by the IKE ID and the PSK is currently in beta. To participate in the beta, contact your ‚ÄčAkamai‚Äč representative.

To create a location with an IKE ID:

  1. In the Threat Protection menu of Enterprise Center, select Locations.
  2. Click the plus sign (+) icon to add a new location.
  3. In the Location name field, enter a name for the location.
  4. In the Description field, enter a description for the location.
  5. If the policy you need is already created, select a policy from the Policy menu. Otherwise, assign a location to a policy when configuring the policy or edit this location later.
  6. Select IKE ID as the location identifier.
  7. For the IKE ID, enter the prefix. The IKE ID consists of a suffix that is already provided for you. The suffix includes your ‚Äč‚ÄčSIA‚Äč configuration ID and the location ID.
  8. Enter the pre-shared key (PSK). The pre-shared key must contain a minimum of eight alphanumeric characters that are in a random sequence. Make sure you use at least one uppercase and one lowercase letter. To generate a key with random characters on Linux or macOS, see Generate a pre-shared key.
  9. Click Save.
  10. To mask the internal (private) IP address of a sub-location, make sure the Internal IP Mask toggle is enabled. When enabled, you can configure sub-locations with a subnet that’s up to /28 for IPv4 or /56 for IPv6. Disable this option to configure addresses with a subnet that’s up to /32 for IPv4 or /128 for IPv6.
  11. To protect DNS traffic that arrives from an IPsec tunnel with the policy that’s assigned to the location, select Protect DNS in Tunnels.
  12. You can assign a policy that’s applied only to client traffic. In the Override location policy for client menu, select a policy.
  13. Click Save. To deploy the location with the save operation, click Save and Deploy.

Next steps

  • If you want to create a new policy for this location, see Create a policy.

  • If this location is assigned with the policy you need and you haven't deployed it, deploy the location configuration to the ‚ÄčSIA‚Äč network. For instructions see Deploy configuration changes.

  • To associate a sub-location to a location, see Add a sub-location.

  • Make sure you set up an IPsec tunnel with the IKE ID and PSK that you provided in the location configuration. To learn more about IPsec, see Set up IPsec tunnels.

Add a sub-location

You can associate a sub-location to a location. A sub-location represents a segment in your network that's routed to the Internet with the same IP address as a parent location.

You need to be an ‚ÄčSIA‚Äč administrator to complete this task.

Before you begin

  • Create a location.

  • Take note of the considerations for creating a sub-location. For more information, see Sub-locations.

  • If your organization uses an HTTP Forwarder, make sure the policy that is associated with the sub-location and the parent location is enabled with the proxy.

To add a sub-location:

  1. In the Threat Protection menu of Enterprise Center, select Locations.

  2. Find the location that you want to assign with a sub-location. To search for a location, see Search for a location.

  3. Click the plus sign icon to add a sub-location.

  4. In the provided field, enter a name for the sub-location.

  5. In the Description field, enter a description for the sub-location.

  6. From the menu, select the policy that you want to associate with the sub-location.

  7. Click the chain icon and in the provided field, enter the internal IP addresses or CIDR blocks for the sub-location, and click Save.

  8. Click Save to save the sub-location. To deploy the sub-location with the save operation, click Save and Deploy.

Next steps

If you haven't deployed the sub-location, make sure you deploy it to the ‚ÄčSIA‚Äč network. For instructions, see Deploy configuration changes.