/support/notes/service/sap_logo.png){kind=logo}
SAP Knowledge Base Article - PublicSymptom
To be able to connect your SuccessFactors (SF) instance to a new external/third-party site (SFTP/REST/SOAP) is necessary to allowlist SAP DCs IPs in the third-party servers and also allowlist the third-party site IPs in SAP servers.
For the allowlisting in third-party side, refer to the KBA 2395508 and request it.
For the allowlisting in SAP side, follow the steps below.
Environment
SAP SuccessFactors HCM Suite
Cause
- As per our security policy, outbound connections to external/third-party sites are blocked on SF datacenters by default.
- Therefore, when setting up outbound connection to new external sites, you will need first request their destination IP/URLs be allowlisted on the corresponding SF datacenter end.
Resolution
The allowlisting can be requested by raising a support ticket to LOD-SF-PLT. The information below must be included in the ticket:
For external FTP/SFTP endpoint:
- SFTP IP address;
- SFTP Hostname;
- Business justification on why you need this allowlisting;
OBS.: The standard Destination Port is 22, no other custom ports will be allowed. This is valid for all SAP systems (Integration Center, Provisioning jobs, Boomi SF atoms, ...).
For external REST/SOAP endpoint:
- Domain URL;
- Destination Port;
- Source IP address (for SOAP endpoints only);
- Business justification on why you need this allowlisting;
The SAP support team will create an internal request to SF Operations and SF Network teams to include your endpoint IP or URL in our datacenter allowlist.
IMPORTANT NOTES:
- This allowlisting is not required for SF-provided SFTP accounts.
- This allowlisting is not required for DC33. All outbound connections are allowed in DC33 by default.
- A new allowlisting is required for FTP/SFTP/SOAP endpoints only if the IP or Port changes and for REST endpoints only if the URL or Port changes.
- The allowlisting is done at DC level meaning there is no need to request the same allowlisting for a different tenant on the same DC
- If you are using the port 443 to connect, you don't need to request allowlisting. If using the port 22, then we only need customer-specific IP addresses.
OBS.: For SAP support, check the internal KBA 3251227 for instructions.
See Also
Keywords
allowlist, allow-list, allow list, allowlisting, allow-listing, allow listing, whitelist, white-list, white list, whitelisting, white-listing, white listing, outbound, export, inbound, import, connection, connector, communication, communicating, external, third-party, 3rd party, site, endpoint, server, sf , KBA , LOD-SF-PLT-PSI , Product Security Inquiries , How To
/support/notes/service/facebook.svg)
/support/notes/service/twitter.svg)
/support/notes/service/youtube.svg)
/support/notes/service/linkedin.svg)
/support/notes/service/instagram2.svg)