SAP Knowledge Base Article - Public

2658112 - Restrict IP access to SFTP server to specified IP addresses only

Symptom

Request to restrict access to specific IP addresses only, or to deny (blocklist) specific IP addresses, for SAP-provided standard SFTP accounts

Environment

  • SAP SuccessFactors HXM Suite
  • SAP SuccessFactors Learning
  • SAP provisioned standard SFTP account or iContent account

Resolution

You can request IP restriction for your SFTP accounts. Note that IP denying is not available in data centers DC 15, 17, 18 and 19.

Note: for connector or report destinations that point to the customer's own SFTP server, see KBA 2579806.

Raise an incident ticket with component LOD-SF-PLT-FTPS (for BizX-provided SFTP) and provide the following information:

  1. Company ID
  2. SFTP username
  3. Data Center and/or SFTP URL
  4. The exact IP addresses to allow or restrict

Note that if the IP addresses you provide are incorrect or incomplete, your business processes may be disrupted, because access to your SFTP account will be denied from an endpoint that was supposed to be allowed.

  • Request to restrict or deny (blocklist) an IP for SFTP: we can only add IP addresses as exceptions to the blocklist, but we can set SFTP access to deny all except the exception list of customer-provided IPs.
    SFTP IP restriction is independent of BizX or LMS IP restriction. The internal SuccessFactors IP addresses are allowed by us, so communication between SuccessFactors and SFTP is not affected, but other SAP systems will be blocked unless you provide their IP addresses as well.
  • Allowlisting an IP address compromises the security of the user as well as the reliability of the cluster for everyone else who uses it. You can only request that an IP be added to the SFTP allowlist if there was a specific prior request to deny this IP address, or if the IP was blocked automatically for exceeding the number of login attempts (for example, too many requests within a certain period from the same user or system may look like a DDoS attack; allowlisting will not resolve this. Check whether access from another IP range works, and open an incident to request that Operations unblock the IP.)

Why do IP addresses get blocked?

  • IP addresses get blocked because someone repeatedly attempts to access the FTP cluster with invalid login credentials. Our convention is to block IPs that hit the cluster too many times with incorrect login attempts.
  • Unfortunately, a misconfigured account owned by the client will also hit the server repeatedly with incorrect login credentials, and the same security measure will then block the client.
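As an added illustration of the blocking convention described above (example code written for this article, not SAP's implementation, and the sshd-style log lines are constructed, not a real SuccessFactors log format): counting failed logins per source IP inside a time window shows why a misconfigured client account trips the same threshold as an unknown password-guessing source, and reports which usernames were involved so the customer can find the misconfigured endpoint.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines in a generic sshd-style format; the legitimate
# account sftp_acme is misconfigured (wrong password) and looks like an attacker.
SAMPLE_LOG = """\
2024-05-01T10:00:01 sshd: Failed password for sftp_acme from 203.0.113.10
2024-05-01T10:00:03 sshd: Failed password for sftp_acme from 203.0.113.10
2024-05-01T10:00:05 sshd: Failed password for sftp_acme from 203.0.113.10
2024-05-01T10:00:07 sshd: Failed password for sftp_acme from 203.0.113.10
2024-05-01T10:00:09 sshd: Failed password for sftp_acme from 203.0.113.10
2024-05-01T10:00:20 sshd: Failed password for invalid user root from 198.51.100.7
2024-05-01T10:00:21 sshd: Failed password for invalid user admin from 198.51.100.7
2024-05-01T10:00:22 sshd: Failed password for invalid user test from 198.51.100.7
2024-05-01T10:00:23 sshd: Failed password for invalid user oracle from 198.51.100.7
2024-05-01T10:00:24 sshd: Failed password for invalid user guest from 198.51.100.7
2024-05-01T10:05:00 sshd: Accepted publickey for sftp_acme from 192.0.2.44
2024-05-01T10:30:00 sshd: Failed password for sftp_acme from 192.0.2.44
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) sshd: Failed password for "
                     r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)$")

def find_ips_to_block(log_text, threshold=5, window=timedelta(minutes=10)):
    """Return {ip: (total_failures, usernames)} for each source IP with at
    least `threshold` failed logins inside any `window` (the KBA's
    'too many incorrect attempts' convention). Successful logins are ignored."""
    failures = defaultdict(list)  # ip -> [(timestamp, username), ...]
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        failures[m["ip"]].append((datetime.fromisoformat(m["ts"]), m["user"]))
    blocked = {}
    for ip, events in failures.items():
        events.sort()
        # sliding window anchored at each failure in turn
        for i, (start, _) in enumerate(events):
            if sum(1 for t, _ in events[i:] if t - start <= window) >= threshold:
                blocked[ip] = (len(events), sorted({u for _, u in events}))
                break
    return blocked

if __name__ == "__main__":
    for ip, (count, users) in find_ips_to_block(SAMPLE_LOG).items():
        print(f"block {ip}: {count} failures, usernames {users}")
```

Both 203.0.113.10 (the customer's own misconfigured client) and 198.51.100.7 (username guessing) cross the threshold, while the single failure from 192.0.2.44 does not.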

Why don't we allowlist IP addresses?

  • Allowlisting a client's IP address that keeps getting blocked would stop the client from being blocked, but it would also stop potential intruders from being blocked.
  • Another issue is that users who request allowlisting do not know all the IP addresses used to connect to the FTP server with their account. While each account on our FTP clusters is independent (so that if one account is compromised the others are still safe), if one IP does get blocked, the other users on that server may still be affected. The performance of the whole cluster can degrade, and this can even bring the whole cluster down.
  • Even if it were safe to allowlist an IP address, we would avoid doing so to guard against lag and potentially overwhelming the cluster. Every time the cluster receives a login request, it must check the lists of allowlisted and blocklisted IP addresses, so every login attempt has to pass through all of those lists. The longer the lists are, the more time the cluster takes to process each request, and the cluster is constantly being hit with requests from users.
  • If we made this a practice, everything would quickly slow down.
(Support team: see internal memo.)

See Also

  • 2395508 - IP addresses to be added into allow list when customer's own sftp is used with Integration Center
  • 2579806 - "Could not connect to SFTP server" Error for Remote File Report Job

Keywords

sftp, learning, lms, icontent, ip address, allow, restrict, deny, Restriction, Security access, allowlist SFTP, allowlist IP SFTP, allowlist, IP SFTP, allow SFTP, block IP, restrict IP, IP SFTP, KBA, LOD-SF-PLT-FTPS, SFTP Account Creation, Reset Password & Install SSH Service, LOD-SF-LMS-PCM, iContent, LOD-SF-LMS-PER, Application Latency/Performance Issues, LOD-SF-PLT-SEC, Security Reports, How To

Product

SAP SuccessFactors HXM Suite all versions ; SAP SuccessFactors Learning all versions