Some questions about VPN and MID server

eastashkina
Kilo Explorer

Hi all,

While having a discussion with a customer, we got a set of questions we couldn't really get clarified from the ServiceNow wiki. Here is the list of questions:

About VPN:

1) Could you please provide some technical information about the VPN implementation between ServiceNow and the customer's network? As we have understood from the ServiceNow wiki, it's only a one-way VPN with connections initialized by the ServiceNow instance. Is this correct?

2) What kind of integrations are possible when securing traffic via VPN? Is any integration using web services, JDBC, or e-mail services possible through the VPN?

3) What kind of traffic is sent via VPN? Is it possible to send some traffic via VPN and have some inbound-to-ServiceNow connection using MID server and HTTPS?

About MID server:

1) Is it possible to send a SOAP message to the MID server, with a following redirect by this server to the ServiceNow instance, and vice versa?

2) Is it possible to add custom monitors and workers to the MID server?

3) Is it needed to have ports open on the firewall for communication between ServiceNow and the MID server?

4) What kind of integrations are possible through MID server?

 

Maybe someone can answer some of them?

Thanks

2 REPLIES

prdelong
Kilo Guru

1) Ask your SN account manager for this information. They should have a white paper for you to review.


2) Really the only type of traffic I've seen SN want going over the VPN is LDAP traffic, so yes that would be one-way traffic from your network, initiated by SN, back to the SN data center.


3) Integrations will utilize HTTPS SOAP traffic if coming through the MID server (JDBC, probes, et al). Otherwise, it is dictated by the type of connection you're setting up. End user traffic is normal HTTPS. Like I mentioned, your LDAP traffic is liable to go through the VPN, and the MID server is going to handle integration traffic usually related to some kind of data import.



MID server:


1) I'm fairly certain you can route SOAP messages through the MID, but I'm not entirely positive. It's not something I've done before. SN can communicate with the MID to send outbound and accept inbound messages though.


2) Not sure


3) The only port you need open between the MID and SN is most likely going to be 443. If you need to route the MID server traffic through a proxy, that port (i.e. 80) is going to need to be open as well as port 443 outbound from the proxy.


4) That is best checked on the wiki. Some common ones I implement are JDBC, flat file pickup, and SN Discovery.


dhoffman
Tera Contributor

prdelong already answered pretty thoroughly, but I'll add more color on the VPN details.



1) Technical details on the VPN are available through the customer's HI portal at https://hi.service-now.com. Last I checked, they're just your usual IPsec tunnels terminating through ServiceNow Cisco ASA appliances. There are many options available for the Phase 1 and Phase 2 details, including AES-256 and various types of Diffie-Hellman key exchange. There WILL be some NATing or PATing required by the customer's Network team.



2) VPN is pretty much for LDAP/LDAPS traffic only. Web services, JDBC, and e-mail are done externally via HTTPS or SMTP/s on the Internet.



3) VPN is limited to LDAP/LDAPS traffic only.



MID:



1) SOAP/REST can be routed through the MID server. For example, the SCCM 2012 Integration via MID server is done through SOAP/REST.



2) I'm sure it's technically possible. It's ServiceNow, the end of "No," remember?



3) Yes, it's all HTTPS, so the only port that needs to be open is 443/tcp outbound, which is likely already opened.



4) Many integrations possible via MID server, such as Orchestration, Discovery, and SCCM 2012. All these answers are available via the Wiki (duh).