Symptom
To connect your SuccessFactors (SF) instance to a new external/third-party site (SFTP/REST/SOAP), it is necessary to allowlist the SAP DC IPs on the third-party servers and also to allowlist the third-party site IPs on the SAP servers.
For the allowlisting on the third-party side, refer to KBA 2395508 and request it.
For the allowlisting on the SAP side, follow the steps below.
Environment
SAP SuccessFactors HCM Suite
Cause
- As per our security policy, outbound connections to external/third-party sites are blocked on SF datacenters by default.
- Therefore, when setting up an outbound connection to a new external site, you first need to request that its destination IP/URL be allowlisted on the corresponding SF datacenter end.
Resolution
The allowlisting can be requested by raising a support ticket to LOD-SF-PLT. The information below must be included in the ticket:
For external FTP/SFTP endpoint:
- SFTP IP address;
- SFTP Hostname;
- Business justification on why you need this allowlisting;
Note: The standard Destination Port is 22. No other custom ports will be allowed.
For external REST/SOAP endpoint:
- Domain URL;
- Destination Port;
- Source IP address (for SOAP endpoints only);
- Business justification on why you need this allowlisting;
The SAP support team will create an internal request to SF Operations and SF Network teams to include your endpoint IP or URL in our datacenter allowlist.
IMPORTANT NOTES:
- This allowlisting is not required for SF-provided SFTP accounts.
- This allowlisting is not required for DC33. All outbound connections are allowed in DC33 by default.
- A new allowlisting is required for FTP/SFTP/SOAP endpoints only if the IP or Port changes, and for REST endpoints only if the URL or Port changes.
- The allowlisting is done at DC level, meaning there is no need to request the same allowlisting for a different tenant on the same DC.
- If you are using port 443 to connect, you don't need to request allowlisting. If using port 22, then we only need customer-specific IP addresses.
Note: For SAP support, check the internal KBA 3251227 for instructions.
Keywords
allowlist, allow-list, allow list, allowlisting, allow-listing, allow listing, whitelist, white-list, white list, whitelisting, white-listing, white listing, outbound, export, inbound, import, connection, connector, communication, communicating, external, third-party, 3rd party, site, endpoint, server, sf, KBA, LOD-SF-PLT-PSI, Product Security Inquiries, How To