# Restrict Access to Administrator Portal by IP Addresses

As an administrator, you can tie administrator portal access to a list of trusted IP (Internet Protocol) addresses. Once the restriction is active, administrator logins are accepted only when they originate from an address you have approved.

:::note
This feature requires PBX (Private Branch Exchange, the phone system) server firmware version 84.16.0.70 or later.
:::

## Set up the IP restriction

1. Log in to the Cloud Voice Dashboard at https://voice.izt.cloud and click **Login** to open your phone system's management portal with full administrator access, then open **Security > Security Settings > Security Options**.
2. Enable **Enable IP Restriction for Administrator Login**.

   ![The Security Options page with the administrator login IP restriction turned on](/images/pbx/current-ip-address.png)

   The portal warns you that your current IP address is not yet on the allowed list.

   :::caution
   The restriction applies to your own connection too. If you save it without adding the address you are working from right now, you will lock yourself out of the administrator portal the next time you sign in. Add your current IP address to the allowed list before you finish. The portal shows you what that address is when you turn the option on.
   :::
3. Add the addresses that should be permitted:

   ![Dialog for entering an allowed IP address and its subnet mask](/images/pbx/enter-allowed-ip.png)

   1. Click **Add**.
   2. Enter the allowed IP address along with its subnet mask. The subnet mask sets how wide the rule is: use `255.255.255.255` to allow a single address, or a broader mask to allow a whole range.

   :::note
   You can define up to 10 allowed-IP rules. Adding an 11th rule will fail, so group ranges with subnet masks if you need to cover many addresses.
   :::
4. Click **Save**.

## What happens after you save

Only the IP addresses on your list can reach the administrator portal, and the change applies the next time an administrator signs in. Anyone who is already signed in keeps their current session until they log out.

An administrator who tries to connect from an address that isn't allowed sees a different message depending on the URL used:

- Signing in at `PBX domain name/admin/login` returns a page-not-found error.

  
  ![Cloud Voice, page-not-found error shown when a restricted address opens the admin login URL](/images/pbx/restrict-ip-404-pce.png)

- Signing in at `PBX domain name/login` returns the message "Your current IP address is restricted".

  
  ![Cloud Voice, login page reporting that the current IP address is restricted](/images/pbx/restrict-ip-pce.png)
