Loading

Apex: How to Make a Callout to a Web Service Hosted Behind a VPN

Veröffentlichungsdatum: Jun 3, 2026
Beschreibung

When making an Apex callout to a web service that is hosted behind a Virtual Private Network (VPN), the callout throws a System.CalloutException. Salesforce cannot establish a direct VPN tunnel to internal services. To resolve this, you must expose the service endpoint to the public internet and secure it using one of the methods described below.

Lösung

Option 1: Use a Proxy Server

Do not tunnel directly from an external IP into your VPN service (for example, through a DMZ or port forwarding). Instead, consider using a proxy server that requires authentication. The proxy sits between Salesforce and your internal service and authenticates incoming requests before routing them internally.

Option 2: Use Authentication (OAuth or Two-Way SSL)

You can use two-way SSL (mutual TLS) and/or an authentication mechanism such as OAuth or token-based authentication. This approach hardens your service against unauthorized access. Salesforce supports client certificate authentication in Apex callouts using Named Credentials.

Option 3: Use Salesforce IP Filtering

Salesforce publishes a list of IP addresses used for outbound callouts. You can configure your proxy or firewall to only allow transactions originating from these Salesforce IP addresses. This restricts access to known Salesforce infrastructure only.

Option 4: Logging and Intrusion Detection

Use a logging system and configure an Intrusion Detection System (IDS) to detect unusual traffic patterns. This helps identify and mitigate attacks in the event that other protection layers are bypassed. This is especially important for publicly exposed endpoints.

Nummer des Knowledge-Artikels

000387021

 
Laden
Salesforce Help | Article