diff --git a/DocService/sources/canvasservice.js b/DocService/sources/canvasservice.js
index 9eda8a45..cd700d42 100644
--- a/DocService/sources/canvasservice.js
+++ b/DocService/sources/canvasservice.js
@@ -1613,6 +1613,14 @@ exports.downloadFile = function(req, res) {
 isInJwtToken = true;
 } else if (wopiClient.isWopiJwtToken(decoded)) {
 ({url, headers} = wopiClient.getWopiFileUrl(ctx, decoded.fileInfo, decoded.userAuth));
+ let filterStatus = yield wopiClient.checkIpFilter(ctx, url);
+ if (0 === filterStatus) {
+ //todo false? (true because it passed checkIpFilter for wopi)
+ //todo use directIfIn
+ isInJwtToken = true;
+ } else {
+ errorDescription = 'access deny';
+ }
 } else if (!tenTokenEnableBrowser) {
 //todo token required
 if (decoded.url) {
diff --git a/DocService/sources/wopiClient.js b/DocService/sources/wopiClient.js
index c5c4afa1..a867c937 100644
--- a/DocService/sources/wopiClient.js
+++ b/DocService/sources/wopiClient.js
@@ -748,7 +748,8 @@ function checkFileInfo(ctx, wopiSrc, access_token, opt_sc) {
 }
 fillStandardHeaders(ctx, headers, uri, access_token);
 ctx.logger.debug('wopi checkFileInfo request uri=%s headers=%j', uri, headers);
- //todo false?
+ //todo false? (true because it passed checkIpFilter for wopi)
+ //todo use directIfIn
 let isInJwtToken = true;
 let getRes = yield utils.downloadUrlPromise(ctx, uri, tenDownloadTimeout, undefined, undefined, isInJwtToken, headers);
 ctx.logger.debug(`wopi checkFileInfo headers=%j body=%s`, getRes.response.headers, getRes.body);
@@ -969,6 +970,7 @@ function dummyOk(req, res) {
 res.sendStatus(200);
 }
+exports.checkIpFilter = checkIpFilter;
 exports.discovery = discovery;
 exports.collaboraCapabilities = collaboraCapabilities;
 exports.parseWopiCallback = parseWopiCallback;
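Review bot: In the WOPI-token branch of `downloadFile` (canvasservice.js, first hunk), the URL is vetted once by `checkIpFilter(ctx, url)` and the success path then sets `isInJwtToken = true`. If that flag relaxes address filtering in the later download, as the todo suggests, a redirect or a second DNS resolution would presumably not be re-checked, so the `directIfIn` todo should be resolved or the download-time filter kept on for this branch. The deny path only assigns `errorDescription = 'access deny'` and leaves `url` and `headers` (built from the token's `fileInfo`/`userAuth`) populated; the code that consumes them is outside the hunk, so confirm it refuses to fetch when `errorDescription` is set, or clear both here. Logging the rejection, e.g. `ctx.logger.warn('downloadFile wopi url rejected by ip filter: status=%s', filterStatus);`, would make blocked attempts visible to operators without writing the URL to the log. `filterStatus` is never reassigned and could be declared `const`.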
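Review bot: The reworded todo above `let isInJwtToken = true;` in `checkFileInfo` (wopiClient.js, second hunk) states an invariant, "it passed checkIpFilter", that nothing in this hunk enforces. No `checkIpFilter` call is visible before `downloadUrlPromise`, and the function begins outside the hunk, so the check presumably lives in a caller. The comment should say where the check happens and on which value, for example `// isInJwtToken=true assumes the caller already ran checkIpFilter on wopiSrc; uri is derived from it`. Without that, a future caller of `checkFileInfo` could pass an unvetted `wopiSrc` and inherit the same setting.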