MID Server vs VPN
‎04-13-2015 04:40 AM
Hello,
I have just learned some limitations regarding MID Server and LDAP authentication, and I am asking myself whether it is possible to rely completely on VPN as a customer of ServiceNow. I mean, are we able to fulfill all the required queries via VPN and make the choice not to use MID Server?
Can we use the VPN to import LDAP data?
Regards
‎05-29-2015 01:44 PM
Hi Ismail,
Yes, you can use VPN to import LDAP data, or use cloud identity partners such as OKTA for LDAP authentication.
‎08-03-2015 12:03 PM
VPN tunnels could be used for both authentication and user data imports, but they are NOT the best method.
MID servers are used for user data imports (not authentication). ServiceNow never connects to a MID server; rather, the MID server always initiates the connection. The MID server, living in your private network, connects to your LDAP server and pushes any changes in your directory server to the Instance. Since our Eureka release and later, the LDAP listener lives on the MID server, so that changes to your directory servers are updated in near real time in the Instance using your MID server.
Authentication is addressed using Single Sign-On (SSO). Just like the MID server for user data imports, ServiceNow never connects to your Identity Provider (IdP) using SSO. Instead, your users connect directly to your configured IdP to grab a token for authentication.
Keep in mind also that VPN tunnels merely encrypt the traffic between two points (VPN peers) on the Internet. There is still a leg on both sides of the tunnel, between each peer and the hosts inside their respective networks, where the traffic is unencrypted.
Using the MID server together with SSO for authentication is, therefore, a much more secure method for achieving a complete LDAP integration because ServiceNow is never connecting to any server in your network and the encryption is performed at the application layer, end-to-end. No tunnels to maintain, no firewall holes to open up, and no dependency on ServiceNow to reconfigure the network when you want to make simple changes. It's a much better solution.
If you haven't already, please take a look at the following articles:
Community Blog
==============
https://community.servicenow.com/community/support/blog/2014/11/25/you-dont-need-a-vpn
Configuration
============
http://wiki.servicenow.com/index.php?title=MID_Server
http://wiki.servicenow.com/index.php?title=LDAP_Integration_via_MID_Server_Setup
http://wiki.servicenow.com/index.php?title=OKTA_SSO_Integration
Feel free to contact me directly if you have additional questions.
Thanks,
Bill
—
Bill Brown | Sr. Network Engineer
ServiceNow | The Enterprise Cloud Company
(o) 858.436.7641 | bill.brown@servicenow.com
www.servicenow.com
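The two designs Bill contrasts differ mainly in what the private network must accept from outside: the VPN design needs an inbound allow rule so the tunnel peer can reach the directory server, while the MID design needs only an outbound rule from the MID host. The following Python sketch is an added example, not code from the thread or from ServiceNow; it models both rule sets against the same candidate flows with a first-match, default-deny evaluator. All addresses, the MID host, the rule shapes and the port choices (636 for LDAPS, 443 for the MID host's outbound HTTPS) are constructed assumptions for illustration.

```python
"""Added example: compare inbound exposure of a VPN-based LDAP integration
with a MID-server (outbound-only) integration. Addresses, ports and rules
are constructed for illustration; they are not ServiceNow configuration."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    direction: str  # "inbound" or "outbound", relative to the private network
    src: str        # source CIDR
    dst: str        # destination CIDR
    port: int       # destination port
    action: str     # "allow" or "deny"


@dataclass(frozen=True)
class Flow:
    direction: str
    src_ip: str
    dst_ip: str
    port: int


def evaluate(rules, flow, default="deny"):
    """First matching rule wins; anything unmatched falls to default deny."""
    src = ipaddress.ip_address(flow.src_ip)
    dst = ipaddress.ip_address(flow.dst_ip)
    for r in rules:
        if r.direction != flow.direction or r.port != flow.port:
            continue
        if src in ipaddress.ip_network(r.src) and dst in ipaddress.ip_network(r.dst):
            return r.action
    return default


def inbound_exposure(rules):
    """Ports the private network must accept from outside under this rule set."""
    return sorted({r.port for r in rules
                   if r.direction == "inbound" and r.action == "allow"})


# Constructed topology (assumed values, not from the thread)
PRIVATE_NET = "10.0.0.0/8"
LDAP_SERVER = "10.0.1.10"          # directory server inside the private network
MID_HOST = "10.0.2.5"              # MID server inside the private network
VPN_PEER_NET = "198.51.100.0/24"   # remote end of the tunnel (documentation range)
ANY = "0.0.0.0/0"

# VPN design: the tunnel peer must be allowed in to query LDAP directly.
VPN_RULES = [
    Rule("inbound", VPN_PEER_NET, LDAP_SERVER + "/32", 636, "allow"),
    Rule("outbound", PRIVATE_NET, ANY, 443, "allow"),
]

# MID design: no inbound rule at all; only the MID host may initiate outbound 443.
MID_RULES = [
    Rule("outbound", MID_HOST + "/32", ANY, 443, "allow"),
]

# Candidate flows to test each policy with (constructed)
REMOTE_TO_LDAP = Flow("inbound", "198.51.100.7", LDAP_SERVER, 636)
MID_TO_INSTANCE = Flow("outbound", MID_HOST, "203.0.113.20", 443)
OTHER_HOST_OUT = Flow("outbound", "10.0.9.9", "203.0.113.20", 443)


def compare_designs():
    """Return each design's decision for the same flows plus its inbound exposure."""
    return {
        "vpn": {
            "remote_to_ldap": evaluate(VPN_RULES, REMOTE_TO_LDAP),
            "mid_to_instance": evaluate(VPN_RULES, MID_TO_INSTANCE),
            "inbound_ports": inbound_exposure(VPN_RULES),
        },
        "mid": {
            "remote_to_ldap": evaluate(MID_RULES, REMOTE_TO_LDAP),
            "mid_to_instance": evaluate(MID_RULES, MID_TO_INSTANCE),
            "other_host_out": evaluate(MID_RULES, OTHER_HOST_OUT),
            "inbound_ports": inbound_exposure(MID_RULES),
        },
    }


if __name__ == "__main__":
    for design, result in compare_designs().items():
        print(design, result)
```

Running it shows the VPN rule set accepting an inbound connection to the directory server on 636 and listing that port as exposed, while the MID rule set denies the same flow, allows only the MID host's own outbound 443 connection, and exposes no inbound ports. The evaluator deliberately defaults to deny and matches on direction, so an outbound-only design cannot be satisfied by accident through a loosely written inbound rule.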