VPN Configuration for User Access to NetSuite
Oracle NetSuite does not support traffic that is routed through a split-tunnel Virtual Private Network (VPN) to control user access to NetSuite.
In a full-tunnel VPN configuration:
- Users connect to the internet indirectly, using the company’s VPN server.
- Users are represented by the single IP address of the company’s VPN server.
In a split-tunnel VPN configuration:
- The VPN client routes calls from users to a host (specified in the URL) based on the target host’s IP address.
- Depending on how the routing is performed, users are represented on the internet either by the IP address of the Internet Service Provider (ISP) or by the IP address of the company’s VPN server.
To ensure users’ access to their NetSuite account, a company using a split-tunnel VPN would need to hard-code an IP address for a specific NetSuite data center in the company’s VPN configuration. Such a configuration would no longer work after the NetSuite account is moved to a different data center.
A role that has access restricted by IP address rules would no longer work after the move. In this case, the hard-coded IP address in the VPN would no longer be valid, so the traffic would be routed through the internet. The user would be represented by the IP address of an ISP, instead of by the IP address of the company’s VPN server. (See Enabling and Creating IP Address Rules for more information about the Restrict this role by IP Address feature.)
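The failure described above can be reproduced with a small model. This is an added example, not Oracle code: every address is constructed from documentation ranges, and the names egress_ip, role_login_allowed and simulate are hypothetical.

```python
import ipaddress

# Constructed sample values (RFC 5737 documentation ranges), not real NetSuite addresses.
VPN_EGRESS = ipaddress.ip_address("203.0.113.10")   # public IP of the company's VPN server
ISP_EGRESS = ipaddress.ip_address("198.51.100.77")  # IP the user's ISP assigns
OLD_DC = ipaddress.ip_address("192.0.2.20")         # data center IP hard-coded in the VPN
NEW_DC = ipaddress.ip_address("192.0.2.180")        # IP after the account is moved

# Split-tunnel route list: only the hard-coded data center IP goes through the tunnel.
SPLIT_ROUTES = [ipaddress.ip_network("192.0.2.20/32")]

# IP address rule on the role: only the VPN server's address may log in.
ROLE_ALLOWED = [ipaddress.ip_network("203.0.113.10/32")]


def egress_ip(dest, tunnel_routes, full_tunnel):
    """Return the source IP the destination sees for a connection to dest."""
    if full_tunnel or any(dest in net for net in tunnel_routes):
        return VPN_EGRESS   # traffic leaves through the company's VPN server
    return ISP_EGRESS       # traffic leaves directly through the user's ISP


def role_login_allowed(source_ip):
    """Apply the role's IP address rule to the source IP of the request."""
    return any(source_ip in net for net in ROLE_ALLOWED)


def simulate(dest, tunnel_routes, full_tunnel=False):
    """Return (source IP seen by the destination, whether the role may log in)."""
    src = egress_ip(dest, tunnel_routes, full_tunnel)
    return str(src), role_login_allowed(src)


if __name__ == "__main__":
    cases = [
        ("split tunnel, before move", OLD_DC, False),
        ("split tunnel, after move", NEW_DC, False),
        ("full tunnel, after move", NEW_DC, True),
    ]
    for label, dest, full in cases:
        src, ok = simulate(dest, SPLIT_ROUTES, full_tunnel=full)
        print(f"{label:27} dest={dest} seen_as={src} login_allowed={ok}")
```
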
References to NetSuite that use IP addresses are too fragile to be reliable in a cloud environment. NetSuite IP addresses can change without notice. In addition, a split-tunnel VPN configuration cannot take advantage of the Content Delivery Networks (CDNs) in the Oracle NetSuite global infrastructure.
If you choose to use a full-tunnel VPN, be aware that this configuration does not ensure the same performance as when no VPN is present.