---
locale: "en"
updated_at: "2025-10-28T13:28:42.033Z"
canonical: "https://www.isdecisions.com/en/userlock/docs/reference/access-policies/geolocation"
---

# Geolocation restrictions

Rules to control access based on geographic location.

## Typical use cases

- Block logons from countries where the organization has no presence.
- Allow access only from the company’s home country.
- Detect and deny suspicious connections originating from unexpected regions.

![](https://a.storyblok.com/f/122374/855x1211/a42e0b9a11/geolocation-allow-3-countries.png)

## Key points to know

- You can maintain a list of **authorized** and **denied** countries. Users outside authorized countries are blocked.
- **When geolocation cannot be determined** (for example, if the IP is missing from the database), you can choose to allow or deny the connection. Allowing avoids accidental lockouts, but may lower security.
- **Proxy servers** can hide the real origin of a connection. You can explicitly choose whether to allow or block logons coming through known proxies. Best practice: deny proxies unless business requirements justify them.
- Geolocation is determined from the public IP address using an internal database. If the address is in a **private range** (10.x, 172.16–31.x, 192.168.x), it cannot be geolocated.
- For users connecting through **RD Gateway**, [install the NPS Agent](/userlock/docs/guides/deploying-agents/nps-agent) on the NPS server handling RD Gateway authentication, so UserLock can retrieve the real client IP.

## Configured policies

A list of all geolocation policies is available in the **Access Policies** section, under the **Geolocation** page.

![](https://a.storyblok.com/f/122374/1665x556/e6e82c9585/geolocation-table.png)

## Best practice: Restrict logons to authorized countries

If your organization operates from a limited set of countries, use geolocation restrictions to block access from anywhere else.
This **greatly reduces your exposure** to unauthorized remote logons.

For example, you can allow access only from your company’s home country and block connections from all others.

To strengthen protection, you can also:

- **Block logons through proxy servers**, which often hide the true origin of a connection.
- **Deny connections when geolocation cannot be determined**, to avoid potential bypass attempts.

This setup ensures that only legitimate users, from expected locations, can access your network resources.
