Securing Hosted Apps

CHI-LTD
CHI-LTD used Ask the Experts™
on
Hello

We are to deploy Sales force Cloud to users.  From initial testing 2FA looks to work well using the authenticator app, however we are now proposing to block access by corporate IP ranges i.e. our firewall WAN IPs, rather than 2FA.  This will mean VPN for remote users will be required not only for SF but other current and future apps.  
Unfortunately the subscription/evaluation has expired and SF wont extend the trial, i have to pay a years fee to continue.

We are also looking at SF inbox, marketing cloud, SF inbox and other 3rd party tools to help integrate SF with exchange.

So, if w ego the route of IP blocking can anyone confirm if this can be setup in Sales Cloud globally for Inbox, marketing and sales cloud?  I only see option to white-list SF IPs.

Thanks
Comment
Watch Question

Do more with

Expert Office
EXPERT OFFICE® is a registered trademark of EXPERTS EXCHANGE®
David FavorFractional CTO
Distinguished Expert 2018

Commented:
Wow... You can do all this + this level of complexity will likely dramatically decrease your user base + income.

If all your end users are part of your company, you can force them to take this level of pain.

If not, best stick with a simple method.

No VPN will ever provide better encryption than HTTPS, so just wrap access to your App in HTTPS + a login to authenticate valid users.

This approach means your end users don't require setting up a VPN.

Note: If you force random customers to setup a VPN, then best have a very large budget to pay a support staff for 24x7 support helping people setup their VPN + fix VPN breakage, every time an end user updates their OS.

Author

Commented:
Small user base, already have VPN in place and works well.  Just need to get SF IP filtering to work..
Any ideas where or if this setting is?
David FavorFractional CTO
Distinguished Expert 2018

Commented:
Okay.

Help me understand.

Sounds like you're trying to circumvent the Sales Force time limit on trial memberships.

If this is correct, you should avoid this for many reasons.

Best option is to just pay the minor fee charged by SF to use their code.

If I'm missing something here, try a rephrase of your question.

Start by saying if you're trying to circumvent SF check or doing something else.

Author

Commented:
No we are trying to restrict non-corporate devices accessing the SF platform (once we re-sign back up with a years membership).
Commented:
Locked SF by external IP.  Works ok.

Do more with

Expert Office
Submit tech questions to Ask the Experts™ at any time to receive solutions, advice, and new ideas from leading industry professionals.

Start 7-Day Free Trial