
Request a Firewall Rule to Allow Outgoing Connections to Third Party Services for B2C Commerce

Publication date: Mar 19, 2025
Description
Environment/s: All POD instances

This article describes the steps a customer must perform before B2C Commerce can add new rules to the firewall on each POD to allow outgoing connections to third party service providers for SFTP, FTP, WebDAV, and Webservice (HTTP/HTTPS).
Resolution

The procedure for adding new firewall rules is as follows:

1. Customer confirms whether a new firewall rule is needed.
2. If a new firewall rule is needed, the customer should open a Support Case and include the IP:Port combination/s.
3. B2C Commerce adds the new firewall rule and confirms this in the Support case.
4. Once the customer validates these changes, the case can be prepared for closure.


Note: If POD maintenance is scheduled on the load balancer, B2C Commerce cannot perform any firewall changes for roughly 18 hours before and roughly 18 hours after the maintenance window. This also includes emergency updates.

Firewall Q&A
Which ports are open by default on the B2C Commerce platform?
TCP ports 22, 80, 443, and 587 are open by default on B2C Commerce and do not need firewall rules created. Port 21 (FTP) is not open by default, but a request can be made and it will be opened.

How long does it take to allowlist an IP address?
Firewall updates take two to three business days to be done. Changes go through an internal approval process.

Do web service connections require firewall rules/allowlist requests?
Yes, all outgoing requests on custom ports other than ports 22, 80 and 443 are blocked by the firewall and require specific updates on the B2C Commerce side.

What if the connection attempt is still failing after the firewall rule was added?
It is then likely that the request is blocked on the remote side, either by a firewall there or at the application layer. The outgoing IP of the POD then needs to be allowlisted on the remote end. See the articles below for details.


Is there a limit to the number of IP:Port pairings B2C Commerce will open for a particular external integration?
Per standard security best practices, firewall rules should be as restrictive as possible; therefore B2C Commerce recommends a limit of five IP:Port pairs for any one realm. B2C Commerce policy allows a customer realm a maximum of ten IP:Port pairs if there is a particular need. This means that a request to open an entire class C network -- for example, "Please open 132.30.40.0/24 for port 99999" -- would be denied. Any request for more than ten IP:Port pairs per realm requires an approved Security Assessment.

Can B2C Commerce copy firewall rules from one realm to another?
For PODs numbered above POD45, we are now able to retrieve the list of firewall rules per customer. For any POD below POD45, an exact list of IPs and ports needs to be provided.

Can Firewall Rules use Domains instead of IPs?
Firewall rules must only use IP addresses, not domains. When firewall rules are added they use an explicit IP:Port pairing, so substituting a domain for an IP would not be accepted.


What is the difference between Outbound and Inbound connections?
Outbound means you initiate the connection, and traffic starts flowing outward from your system to the intended destination, such as a server. Inbound means someone outside your system initiates the connection to it, so traffic starts flowing inward, as when a server receives requests from clients. This refers to who initiates the connection, not to the direction of the actual data flow: inbound does not mean only inward traffic and outbound does not mean only outward traffic, because a protocol like TCP needs packets in both directions to establish the connection.

How do I request Firewall Rules for an On-Demand Sandbox?
We do not currently firewall outgoing traffic from On-Demand Sandboxes, but you might need to allowlist On-Demand Sandbox IP addresses on other systems or firewalls so that they can communicate with On-Demand Sandboxes. For more information refer to Allowlist On-Demand Sandbox IP Addresses.

How do I allowlist for an On-Demand Sandbox?
We do not restrict On-Demand Sandbox outbound data. If your receiving systems reside within the same VPN or an unrestricted network, allowlisting the On-Demand Sandbox IP addresses is unnecessary. For details, see the following documentation: Allowlist On-Demand Sandbox IP Addresses

Are there any IP addresses or Ports we can't request allowlisting for?
Requests for allowlisting to reserved IP addresses will be denied. This includes, but is not limited to, the following IP address ranges, which are reserved for private networks. They are not publicly accessible from outside the internal network they are on.

LARGEST CIDR BLOCK | SUBNET MASK   | IP ADDRESS RANGE              | NUMBER OF IPs (HOSTS)
10.0.0.0/8         | 255.0.0.0     | 10.0.0.0 - 10.255.255.255     | 16,777,216
172.16.0.0/12      | 255.240.0.0   | 172.16.0.0 - 172.31.255.255   | 1,048,576
192.168.0.0/16     | 255.255.0.0   | 192.168.0.0 - 192.168.255.255 | 65,536

All ports between 1024 and 65,536 are eligible for requesting a firewall policy permitting outgoing connections. Ports below 1024 (the well-known ports) cannot be opened, with the exception of port 21.
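Before opening a Support Case, it is worth checking the requested IP:Port pairs against the policy in this article so the case does not bounce. The following script is an added example, not Salesforce code: it encodes the rules stated above (ports 22, 80, 443 and 587 already open; port 21 on request; other ports below 1024 refused; the three private ranges in the table refused; domains and CIDR blocks refused; five pairs recommended and ten maximum per realm). The function names and the sample request list are constructed for illustration; IPv4 addresses are assumed.

```python
"""Pre-check a list of IP:Port pairs against the B2C Commerce allowlisting
policy described in this article.

Added example, not Salesforce code. Policy values come from the article;
function names and sample data are constructed for illustration.
"""
import ipaddress

# Ports the article lists as open by default on every POD (no rule needed).
OPEN_BY_DEFAULT = {22, 80, 443, 587}
# Port 21 (FTP) is below 1024 but may be opened on request.
LOW_PORT_EXCEPTIONS = {21}
# Private ranges from the article's table; requests to these are denied.
RESERVED_NETWORKS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]
RECOMMENDED_PAIRS = 5   # recommended limit per realm
MAX_PAIRS = 10          # hard limit without a Security Assessment


def classify_pair(pair: str) -> tuple[str, str]:
    """Return (status, reason) for one 'IP:port' string.

    status is 'already_open', 'ok' (eligible to request) or 'denied'.
    Assumes IPv4 addresses written as dotted quads.
    """
    host, sep, port_text = pair.rpartition(":")
    if not sep or not port_text.isdigit():
        return "denied", "expected the form IP:port"
    # Rules are explicit IP:port pairs, so CIDR blocks are not accepted.
    if "/" in host:
        return "denied", "CIDR blocks are not accepted; list individual IPs"
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return "denied", "domains are not accepted; use an IP address"
    port = int(port_text)
    if not 1 <= port <= 65535:
        return "denied", "port out of range"
    if any(ip in net for net in RESERVED_NETWORKS):
        return "denied", "reserved (private) address, not reachable from the POD"
    if port in OPEN_BY_DEFAULT:
        return "already_open", "open by default on B2C Commerce; no rule needed"
    if port < 1024 and port not in LOW_PORT_EXCEPTIONS:
        return "denied", "ports below 1024 are not opened (except 21)"
    return "ok", "eligible for a firewall rule request"


def review_request(pairs: list[str]) -> dict:
    """Classify every pair and apply the per-realm count limits."""
    results = {p: classify_pair(p) for p in pairs}
    to_request = [p for p, (status, _) in results.items() if status == "ok"]
    notes = []
    if len(to_request) > MAX_PAIRS:
        notes.append(f"{len(to_request)} pairs exceed the maximum of "
                     f"{MAX_PAIRS}; an approved Security Assessment is required")
    elif len(to_request) > RECOMMENDED_PAIRS:
        notes.append(f"{len(to_request)} pairs exceed the recommended "
                     f"{RECOMMENDED_PAIRS}; justify the need in the case")
    return {"results": results, "to_request": to_request, "notes": notes}


# Constructed sample request (documentation addresses, not real endpoints).
SAMPLE_REQUEST = [
    "203.0.113.10:8443",     # eligible
    "203.0.113.10:443",      # open by default
    "203.0.113.11:21",       # FTP, opened on request
    "203.0.113.12:25",       # below 1024, denied
    "10.0.0.5:8080",         # private range, denied
    "192.168.1.20:2222",     # private range, denied
    "sftp.example.com:22",   # domain, denied
    "198.51.100.0/24:99999", # CIDR block, denied
]

if __name__ == "__main__":
    report = review_request(SAMPLE_REQUEST)
    for pair, (status, reason) in report["results"].items():
        print(f"{pair:<24} {status:<13} {reason}")
    print("pairs to put in the Support Case:", report["to_request"])
    for note in report["notes"]:
        print("note:", note)
```

The output of the script is the list of pairs that actually belong in the case, which keeps the request inside the five-pair recommendation and avoids asking for ports that are open already.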

Knowledge Article Number

000391592

Salesforce Help | Article