3122406 - How to connect SuccessFactors to a new third-party site (allowlist on SAP side)

To be able to connect your SuccessFactors (SF) instance to a new external/third-party site (SFTP/REST/SOAP), it is necessary to allowlist:

• SAP's Data Centers IPs in the third-party servers.
• Third-party site IPs in SAP servers.

This only applies when SuccessFactors is the Client System (the one making the call) and not the Source System (the one being called).

• For the allowlisting in third-party side, follow the KBA 2395508.

• For the allowlisting on the SAP side, follow the steps below.

NOTE: Although uncommon, SAP Cloud Product IPs can change.

SAP SuccessFactors HCM Suite

1. Attempt to set up an outbound connection from your SuccessFactors instance to a new external/third party site.
2. Observe that the connection fails due to blocked outbound connections by default.

• Outbound connections to external/third party sites are blocked on SF datacenters by default as per the security policy.
• To set up outbound connections to new external sites, their destination IP/URLs must first be allowlisted on the corresponding SF datacenter end.

Raise a support ticket to component LOD-SF-PLT-FTPS to request allowlisting, providing information according to type of allowlist needed. SAP support will create an internal request to SF Operations and SF Network teams to include your endpoint IP or URL in the datacenter allowlist.

For external FTP/SFTP endpoint:

• SFTP IP address.
• SFTP Hostname.
• Business justification for the allowlisting.
• Notes:
  • The standard Destination Port is 22; no other custom ports will be allowed. This is valid for all SAP systems (Integration Center, Provisioning jobs, Boomi SF atoms, etc.). 
  • All SFTP integrations require firewall allowlist adjustments for port 22.

For external REST/SOAP endpoint:

• Domain URL.
• Destination Port.
• Source IP address (for SOAP endpoints only).
• Business justification for the allowlisting.
• Note: If using port 443, allowlisting is not required. For port 22, only customer specific IP addresses are needed.
  
  

Important Notes:

• Allowlisting is not required for SF-provided SFTP accounts.
• A new allowlisting is required for:
  • FTP/SFTP/SOAP endpoints only if the IP or Port changes.
  • REST endpoints only if the URL or Port changes.
• Allowlisting is done at the datacenter level, so there is no need to request the same allowlisting for a different tenant on the same datacenter.
• The timeframe for this allowlisting process to be finished can take up from 7 to 14 days.

Note for SAP support: check the internal memo for instructions.

• KBA 2659632 - "Could not connect to SFTP server" when connecting to an external site - Integration Center
• KBA 3089960 - SAP SuccessFactors Next Generation Cloud Delivery (NGCD) Customer checklist
• KBA 2432796 - Public outgoing IP for SAP SuccessFactors Datacenters. BizX Platform

allowlist, allow-list, allow list, allowlisting, allow-listing, allow listing, whitelist, white-list, white list, whitelisting, white-listing, white listing, outbound, export, inbound, import, connection, connector, communication, communicating, external, third-party, 3rd party, site, endpoint, server, sf , KBA , LOD-SF-PLT-FTPS , SFTP Account Creation, Reset Password & Install SSH Service , How To