Callout to Web Service hosted within VPN
|Knowledge Article Number||000204988|
|Description||Requirement was to make a call out to web service that is connected through a VPN. It was throwing System.CalloutException and not working after trying all possibilities.|
|Resolution||To make a call out to web service that is connected through a VPN you need to expose an IP/Port to the public internet. We can't set up a direct VPN tunnel from SFDC. You will have to use IP Whitelisting and Client Certificate, to secure the connection. The port is whatever they want incase a port needs to be opened. it doesn't need to be port 443 . You could put it on a non-standard port if they want to obfuscate it more. It's just a public endpoint that is secured with IP Whitelisting and client cert from customer's end. Below are the links for more details :
Your service has to be accessible from the public Internet, because you can't access VPN from salesforce. That said, there are many ways to secure your services from unintentional or malicious outside transactions. Below are some ways :-
Don't tunnel directly from an external IP into your service (eg DMZ, port forwarding). Instead, consider a proxy server that requires authentication.
You can use two way SSL and/or some authentication mechanism, such OAuth or tokens of other types. This will harden your service against access.
Client IP Filtering:
Salesforce maintains a list of their IP addresses. You can configure your proxy to only allow transactions from this list of approved IP addresses.
Logging and IDS:
Use a logging system, and train an Intrusion Detection System to detect unusual patterns. This will help identify and mitigate attacks. This is important in the event that someone does slip by all the other protection layers.
==Two way SSL===