diff --git a/app/api/repp/api.rb b/app/api/repp/api.rb
index af83d235d..976376f76 100644
--- a/app/api/repp/api.rb
+++ b/app/api/repp/api.rb
@@ -8,7 +8,8 @@ module Repp
 end
 before do
- if request.ip != ENV['webclient_ip']
+ webclient_request = ENV['webclient_ips'].split(',').map(&:strip).include?(request.ip)
+ unless webclient_request
 error! I18n.t('ip_is_not_whitelisted'), 401 unless @current_user.registrar.api_ip_white?(request.ip)
 end
@@ -20,7 +21,7 @@ module Repp
 message = 'Certificate mismatch! Cert common name should be:'
 request_name = env['HTTP_SSL_CLIENT_S_DN_CN']
- if request.ip == ENV['webclient_ip']
+ if webclient_request
 webclient_cert_name = ENV['webclient_cert_common_name'] || 'webclient'
 error! "Webclient #{message} #{webclient_cert_name}", 401 if webclient_cert_name != request_name
 else
diff --git a/app/controllers/epp/sessions_controller.rb b/app/controllers/epp/sessions_controller.rb
index cbb67169c..021011390 100644
--- a/app/controllers/epp/sessions_controller.rb
+++ b/app/controllers/epp/sessions_controller.rb
@@ -13,7 +14,8 @@ class Epp::SessionsController < EppController
 success = true
 @api_user = ApiUser.find_by(login_params)
- if request.ip == ENV['webclient_ip'] && !Rails.env.test? && !Rails.env.development?
+ webclient_request = ENV['webclient_ips'].split(',').map(&:strip).include?(request.ip)
+ if webclient_request && !Rails.env.test? && !Rails.env.development?
 client_md5 = Certificate.parse_md_from_string(request.env['HTTP_SSL_CLIENT_CERT'])
 server_md5 = Certificate.parse_md_from_string(File.read(ENV['cert_path']))
 if client_md5 != server_md5
@@ -26,7 +27,7 @@ class Epp::SessionsController < EppController
 end
 end
- if request.ip != ENV['webclient_ip'] && @api_user
+ if !webclient_request && @api_user
 unless @api_user.api_pki_ok?(request.env['HTTP_SSL_CLIENT_CERT'], request.env['HTTP_SSL_CLIENT_S_DN_CN'])
 epp_errors << { msg: 'Authentication error; server closing connection (certificate is not valid)',
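Review bot: Every address in `webclient_ips` now skips the registrar IP whitelist in this `before` block, and the second hunk in this file additionally replaces the caller's own certificate check with the shared webclient CN check, so the new list is a trust list for the whole REPP API rather than a loopback convenience, and nothing in the hunk says so. I would add above the new assignment: `# Addresses listed in webclient_ips are trusted as the internal webclient: they bypass the registrar IP whitelist and are validated against the webclient certificate CN instead of the user's own certificate; keep the list to the webclient host's proxy-facing addresses only.` `ENV['webclient_ips'].split` also fails with a `NoMethodError` on nil rather than a configuration error; `ENV.fetch('webclient_ips')` names the missing key (the initializer change in this commit makes absence unlikely but not impossible in ad-hoc environments). Note that `request.ip` is derived from the connection address and forwarded headers according to the trusted-proxy rules in front of this app, so the list is only as strong as that proxy configuration.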
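Review bot: `if webclient_request` on the new side depends on a block-local variable assigned in the first hunk's `before do`; if the code from line 21 on sits in a different `before` block (the lines between the two hunks are not visible), the name is undefined and every non-test request fails with a `NameError` rather than an authorization error. Turning it into a Grape helper, `helpers do; def webclient_request?; ENV.fetch('webclient_ips').split(',').map(&:strip).include?(request.ip); end; end`, removes both the scope dependence and the duplicated parsing, leaving this line as `if webclient_request?`. The `before` block enclosing this hunk starts and ends outside it.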
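Review bot: The new `webclient_request` assignment is the second of three verbatim copies of `ENV['webclient_ips'].split(',').map(&:strip).include?(request.ip)` in this commit, the third being in `ip_white?` in this same controller, and each copy re-parses the environment string and can drift from the others independently. A private memoised predicate on the controller keeps the call sites in step, and `ENV.fetch` makes a missing key fail with a message naming it; `||=` is not suitable for the memo because a legitimate `false` result would be recomputed, hence the `defined?` guard below. With it, the assignment line disappears and the condition becomes `if webclient_request? && !Rails.env.test? && !Rails.env.development?`. The method enclosing this hunk starts and continues outside it.
```ruby
    if webclient_request? && !Rails.env.test? && !Rails.env.development?
    # … unchanged: certificate fingerprint comparison …

    # True when the resolved request IP is one of the configured webclient
    # addresses. Memoised per request (controller instances are per request)
    # because the same answer is needed in more than one place.
    def webclient_request?
      return @webclient_request if defined?(@webclient_request)
      @webclient_request = ENV.fetch('webclient_ips').split(',').map(&:strip).include?(request.ip)
    end
```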
@@ -95,7 +96,8 @@ class Epp::SessionsController < EppController
 # rubocop: enable Metrics/CyclomaticComplexity
 def ip_white?
- return true if request.ip == ENV['webclient_ip']
+ webclient_request = ENV['webclient_ips'].split(',').map(&:strip).include?(request.ip)
+ return true if webclient_request
 if @api_user
 return false unless @api_user.registrar.api_ip_white?(request.ip)
 end
diff --git a/config/application-example.yml b/config/application-example.yml
index c01412138..7f6bc4250 100644
--- a/config/application-example.yml
+++ b/config/application-example.yml
@@ -4,7 +4,7 @@ app_name: '.EE Registry'
 zonefile_export_dir: 'export/zonefiles'
 bank_statement_import_dir: 'import/bank_statements'
 legal_documents_dir: 'import/legal_documents'
-time_zone: 'Tallinn' # more zones by rake time:zones:all
+time_zone: 'Tallinn' # more zones by rake time:zones:all
 # New Relic app name, keep only current mode, remove other names.
 # Example: 'Admin, EPP, REPP' will have name 'Admin, EPP, REPP - production' at New Relic.
@@ -25,7 +25,7 @@ ca_key_path: '/home/registry/registry/shared/ca/private/ca.key.pem'
 ca_key_password: 'your-root-key-password'
 # EPP server configuration
-webclient_ip: '127.0.0.1'
+webclient_ips: '127.0.0.1,0.0.0.0' #ips, separated with commas
 webclient_cert_common_name: 'webclient'
 # Contact epp will not accept org value by default
 # and returns 2306 "Parameter value policy error"
@@ -72,7 +72,7 @@ sk_digi_doc_service_name: 'EIS test'
 # Autotest config overwrites
 test:
- webclient_ip: '127.0.0.1' # it should match to localhost ip address
+ webclient_ips: '127.0.0.1' # it should match to localhost ip address
 crl_dir: '/var/lib/jenkins/workspace/registry/ca/crl'
 crl_path: '/var/lib/jenkins/workspace/registry/ca/crl/crl.pem'
 ca_cert_path: '/var/lib/jenkins/workspace/registry/ca/certs/ca.crt.pem'
diff --git a/config/initializers/env_required.rb b/config/initializers/env_required.rb
index d5921a161..585fd9031 100644
--- a/config/initializers/env_required.rb
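Review bot: `ip_white?` now returns `true` for any listed address before the registrar whitelist is ever consulted, and neither the method nor the new line carries a comment saying that a webclient address is deliberately exempt from per-registrar whitelisting. I would add above `def ip_white?`: `# Webclient addresses (ENV['webclient_ips']) are trusted unconditionally; every other caller must be on its registrar's IP whitelist.` The parse on the new line is the same expression introduced twice earlier in this controller by this commit; a single private `webclient_request?` predicate would reduce this to `return true if webclient_request?` and keep the three sites from drifting. The body of `ip_white?` continues past the end of the hunk.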
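Review bot: The example value `'127.0.0.1,0.0.0.0'` is misleading at best: `0.0.0.0` is not an address a TCP peer can present, so the entry can only ever match if it arrives through a forwarded-for header, which is precisely the value a client controls when the proxy chain is misconfigured; listed in the example it is either dead or a spoofing target, and it reads like a wildcard that operators may copy into production. Since every listed address bypasses the registrar IP whitelist, the example should show only the loopback address and state what the list grants, e.g. `webclient_ips: '127.0.0.1' # comma-separated; these addresses are trusted as the webclient and skip registrar IP whitelisting`.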
+++ b/config/initializers/env_required.rb
@@ -7,7 +7,7 @@ required = %w(
 ca_cert_path
 ca_key_path
 ca_key_password
- webclient_ip
+ webclient_ips
 legal_documents_dir
 bank_statement_import_dir
 time_zone
diff --git a/doc/certificates.md b/doc/certificates.md
index 2e400ac66..9d9a4ca7c 100644
--- a/doc/certificates.md
+++ b/doc/certificates.md
@@ -100,7 +100,7 @@ Configure registry registry/shared/config/application.yml to match the CA settin
 Configure registry epp registry-epp/shared/config/application.yml:
- webclient_ip: '54.154.91.240'
+ webclient_ips: '54.154.91.240'
 Configure EPP port 700 virtual host:
diff --git a/spec/requests/v1/account_spec.rb b/spec/requests/v1/account_spec.rb
index 5a8fd6b0d..712502bf2 100644
--- a/spec/requests/v1/account_spec.rb
+++ b/spec/requests/v1/account_spec.rb
@@ -2,7 +2,7 @@ require 'rails_helper'
 describe Repp::AccountV1 do
 it 'should fail without whitelisted IP' do
- ENV['webclient_ip'] = '192.188.1.1'
+ ENV['webclient_ips'] = '192.188.1.1'
 @registrar1 = Fabricate(:registrar, white_ips: [Fabricate(:white_ip_registrar)])
 @api_user = Fabricate(:api_user, registrar: @registrar1)
@@ -11,7 +11,7 @@ describe Repp::AccountV1 do
 body = JSON.parse(response.body)
 body['error'].should == 'IP is not whitelisted'
- ENV['webclient_ip'] = '127.0.0.1'
+ ENV['webclient_ips'] = '127.0.0.1'
 end
 context 'with valid registrar' do