Teams App Access - Require WARP except for IP range

We’re new to Teams and have had some initial great results locking down a few self-hosted apps. Currently running the free version.

For some of these apps, I would like to require the WARP client, unless the user is coming from a whitelisted IP range. Our goal is to allow authenticated access inside the office (Google Work), but users on mobile/home remote connections should be using Warp. Thus, I have configured a single policy with rules as:

Groups - Internal Team A
Include - Warp
Exception - Office IP range

However, in testing the exception is not being processed along with the WARP rule - it seems the WARP rule alone is being applied. I’ve also tried setting Require - Warp instead of Include - Warp, but that doesn’t make a difference. If we’re not connected to Warp, even from the whitelisted IP range, we can’t access the application.

Perhaps my understanding or configuration is wrong?

This means you are trying to prevent Office IP ranges from accessing the application.

You should add the IP address to the Require section.

And yes this should be the correct one too instead of using Include - Warp.

The final result should be:
Groups: Internal Team A
Require: Warp, Office IP ranges

Thanks for the reply. I tried your suggestion but I’m still being blocked (even with my IP address whitelisted). What I’m trying to achieve is:

If IP is outside of the whitelist, the client must be using Warp. E.g., home IPs and mobile need to be using Warp if they want to access the self-hosted app.

If IP is in whitelist, don’t require Warp. This would be used in the office specifically, and would allow access to the application from any seat that has an office IP.

Not sure what I’m doing wrong. I’ve even tried separate ‘allow’ policies to achieve the above (Warp vs IP whitelisting).

I managed to somewhat get it working, but in the process I believe I have found a quirk in the application of policies with regards to multiple IP addresses specified in the Require IP range. As we have two office locations, including the public IP address for each office location in a single Require IP range makes it impossible to match that IP condition. For example, the following doesn’t work:

Require IP: Public IP Office 1, Public IP Office 2

However, if I have a separate policy for each IP above, it works as intended.

Thus, it takes three policies to achieve my goal - one for warp, and then one for each distinct IP that is not part of a logical CIDR block.

  1. Policy A - External Access with Warp
    Groups - Internal Team A
    Include Warp
    Require Warp

  2. Policy B - Internal Access from Office 1 without Warp
    Groups - Internal Team A
    Include IP Range: Public IP Office 1
    Require IP Range: Public IP Office 1

  3. Policy C - Internal Access from Office 2 without Warp
    Groups - Internal Team A
    Include IP Range: Public IP Office 2
    Require IP Range: Public IP Office 2

I would have thought that the IP range would allow for multiple IP blocks, non-contiguous, but perhaps this is the way it is intended to work?

Sorry for the incorrect information given. I just read the Cloudflare Docs again, and it looks like you can create a group to Include Warp and Office IP ranges, then Require the group inside an application policy.

https://developers.cloudflare.com/cloudflare-one/policies/zero-trust/common-configs#requiring-multiple-conditions
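The four configurations discussed in this thread can be compared side by side by modelling the Access rule semantics the Cloudflare docs describe: an Include list matches if any rule matches, a Require list matches only if every rule matches, and an Exclude rule vetoes the match. The model below is an added example written for this thread, not Cloudflare's own code or anything posted above; the selector names, the `Request`/`Group`/`Policy` shapes and all IP addresses (RFC 5737 documentation ranges) are constructed, and the reading of "two IPs in Require" as two AND'd rows is an assumption about how the values were entered, not something the thread confirms.

```python
"""Toy model of Cloudflare Access policy evaluation: Include = any rule,
Require = every rule, Exclude = veto. Added illustration for the thread
above; not Cloudflare's code. Selectors, data shapes and IPs are constructed."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

# Constructed sample addresses (RFC 5737 documentation ranges, not real offices).
OFFICE_1 = "203.0.113.10/32"
OFFICE_2 = "198.51.100.20/32"


@dataclass(frozen=True)
class Request:
    ip: str                      # source address as seen by Access
    warp: bool                   # True when the WARP client is connected
    idp_groups: frozenset = frozenset()


@dataclass
class Group:
    """An Access group (or an Allow policy, which uses the same logic)."""
    include: list
    require: list = field(default_factory=list)
    exclude: list = field(default_factory=list)

    def matches(self, req):
        return (any(rule_matches(r, req) for r in self.include)
                and all(rule_matches(r, req) for r in self.require)
                and not any(rule_matches(r, req) for r in self.exclude))


Policy = Group


def rule_matches(rule, req):
    """Assumed selector set: ip (CIDR), warp, idp_group, access_group."""
    kind, value = rule
    if kind == "ip":
        return ip_address(req.ip) in ip_network(value)
    if kind == "warp":
        return req.warp
    if kind == "idp_group":
        return value in req.idp_groups
    if kind == "access_group":
        return value.matches(req)
    raise ValueError(f"unknown selector {kind}")


def access_allowed(policies, req):
    """The app is reachable when any Allow policy matches the request."""
    return any(p.matches(req) for p in policies)


TEAM_A = ("idp_group", "Internal Team A")
WARP = ("warp", None)


def original_attempt():
    # Require WARP, with the office range as an exception (Exclude).
    return [Policy(include=[TEAM_A], require=[WARP], exclude=[("ip", OFFICE_1)])]


def require_both():
    # The first suggestion: Require both WARP and the office IP (AND).
    return [Policy(include=[TEAM_A], require=[WARP, ("ip", OFFICE_1)])]


def require_two_offices():
    # Assumption: each office IP entered as its own Require row is AND'd,
    # so no single source address can satisfy both rows at once.
    return [Policy(include=[TEAM_A], require=[("ip", OFFICE_1), ("ip", OFFICE_2)])]


def three_policies():
    # The working workaround: one policy per condition, OR'd at the app level.
    return [Policy(include=[TEAM_A], require=[WARP]),
            Policy(include=[TEAM_A], require=[("ip", OFFICE_1)]),
            Policy(include=[TEAM_A], require=[("ip", OFFICE_2)])]


def group_based():
    # The final answer: a group whose Include list is "WARP or office 1 or
    # office 2", then Require that group in the single application policy.
    trusted_path = Group(include=[WARP, ("ip", OFFICE_1), ("ip", OFFICE_2)])
    return [Policy(include=[TEAM_A], require=[("access_group", trusted_path)])]


TEAM = frozenset({"Internal Team A"})
SCENARIOS = {
    "office1_no_warp": Request("203.0.113.10", False, TEAM),
    "office2_no_warp": Request("198.51.100.20", False, TEAM),
    "home_no_warp":    Request("192.0.2.77", False, TEAM),
    "home_warp":       Request("192.0.2.77", True, TEAM),
    "outsider_warp":   Request("192.0.2.77", True, frozenset()),
}


def verdicts(policies):
    """Map each constructed scenario to whether access is allowed."""
    return {name: access_allowed(policies, req) for name, req in SCENARIOS.items()}


if __name__ == "__main__":
    for label, build in [("original", original_attempt), ("require both", require_both),
                         ("two offices in Require", require_two_offices),
                         ("three policies", three_policies), ("group based", group_based)]:
        print(f"{label:24s} {verdicts(build())}")
```

Running it shows why each configuration behaved as reported: the Exclude row blocks the office entirely, "Require both" blocks everyone who is not simultaneously on WARP and on the office IP, two office IPs AND'd in Require can never match, while the three-policy workaround and the group-based policy both give the intended result (office without WARP allowed, home only with WARP, non-members always denied). The model ignores that a WARP-connected client's source address is no longer the office IP, so it says nothing about "office with WARP".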