2 Replies Latest reply on Feb 12, 2019 2:56 AM by Lu Zhou

    IICS secure agent IP address whitelist incomplete

    Lu Zhou New Member

      Hi,

      In my company, most of our application servers are in a "secure" zone, and communication with Informatica Cloud needs to be explicitly whitelisted on the firewall.

       

      In order to get the Informatica IICS secure agent to work, I need to pass the information of IP addresses to the network team to be whitelisted. But I am not sure if I have covered the complete range of IPs.

       

      I read information in the FAQ 524982, FAQ 566418, FAQ 533496 and FAQ 535281 and requested the following IP addresses to be whitelisted:


      I haven't requested the IP addresses of all PODs to be whitelisted, as we only used the 'US West 3' pod. The URLs we use:

      https://dm-us.informaticacloud.com/ma/...

      https://usw3.dm-us.informaticacloud.com/cloudUI/...

       

      I installed the IICS secure agent on a Linux Server, after starting the agent and running the configuration commands:

      ./infaagent startup

      ./consoleAgentManager.sh configure myusername 'password'

      ./consoleAgentManager.sh getStatus

      --------------------------------

      JAVA_HOME=/infaagent/apps/agentcore/../../jre

      READY

      --------------------------------

       

      The agent has been displayed as 'Up and Running' in the Informatica Cloud Runtime Environments. I was able to create a new connection of type 'salesforce'. After entering my Salesforce username, password and security token, I clicked the 'Test Connection' button, and it showed:

      "The test for this connection was successful."

      The service URL is https://login.salesforce.com/services/Soap/u/31.0

       

      I created a synchronization task to load a flat file into the Salesforce Account object; it returned a 'Failed' status and a message:

      [FATAL] Login failed. User [myuserid@mydomainname.com]. Fault code [SOAP-ENV:Client]. Reason [Error observed by underlying BIO: Connection reset by peer].

       

      I then installed the IICS secure agent on a different Linux server which is outside the secure zone (IP whitelist is not required), and the synchronization task completed successfully. So the user login wasn't the problem; instead, the server in the secure zone was blocked by the firewall.

       

      My colleague in the network team told me they could see the blocked IP addresses 136.147.57.44 and 136.147.58.172 from the failed task, but I couldn't see these IP addresses mentioned in the FAQ.

       

      Is there any other FAQ for IICS IP whitelist I missed? Any suggestion would be appreciated.

       

      Many thanks

       

      Lu

        • 1. Re: IICS secure agent IP address whitelist incomplete
          Neeraj Upadhyay Support Moderators

          Do you have a proxy in your environment?

          If yes, please check whether the secure agent is configured to use the proxy details.

           

          Since the issue is happening at runtime, setting proxy details in the JVM options can help.

           

          Check this KB: 173787 

          • 2. Re: IICS secure agent IP address whitelist incomplete
            Lu Zhou New Member

            Thank you, Neeraj

             

            No, we don't have a proxy.

             

            In my synchronization task, I used two connections:

            1. flat file connection (source)

            2. salesforce connection (target)

            Both were successful when I clicked the 'Test connection' button in Informatica Cloud. However, for the second one, the test might have run between Informatica Cloud and Salesforce.com, which was fine, but the synchronization task was running between the secure agent and salesforce.com; perhaps the firewall blocked the communication from our server to salesforce.com.

             

            I have requested the following IP ranges (listed in Help | Training | Salesforce, ARIN and RIPE, as we are using an EMEA instance) to be whitelisted:

            IPv4 Network, IPv4 IP Range

            13.108.0.0/14, 13.108.0.0 - 13.111.255.255

            66.231.80.0/20, 66.231.80.0 - 66.231.95.255

            68.232.192.0/20, 68.232.192.0 - 68.232.207.255

            96.43.144.0/20, 96.43.144.0 - 96.43.159.255

            136.146.0.0/15, 136.146.0.0 - 136.147.255.255

            198.245.80.0/20, 198.245.80.0 - 198.245.95.255

            199.122.120.0/21, 199.122.120.0 - 199.122.127.255

            204.14.232.0/21, 204.14.232.0 - 204.14.239.255

            85.222.128.0/19, 85.222.128.0 - 85.222.159.255

            161.71.0.0/17, 161.71.0.0 - 161.71.127.255

            185.79.140.0/22, 185.79.140.0 - 185.79.143.255

             

            I then re-ran the task; unfortunately, it failed again. I would be grateful for any suggestions/comments.

             

            Many thanks

            Lu
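
A check of firewall-denied destinations against an allowlist, as an added example that is not part of the original thread. It uses the two blocked addresses from the first post and three of the Salesforce ranges from the last reply; the `192.0.2.x` host entries and the names `parse_entry` and `uncovered` are constructed for illustration.

```python
import ipaddress

# Destinations the network team saw blocked (quoted in the first post).
BLOCKED = ["136.147.57.44", "136.147.58.172"]

# Constructed stand-ins (documentation range) for per-host agent entries.
AGENT_ONLY = ["192.0.2.10", "192.0.2.11"]

# Three of the Salesforce ranges listed in the last reply, in both notations.
WITH_SALESFORCE = AGENT_ONLY + [
    "13.108.0.0/14",
    "136.146.0.0/15",
    "85.222.128.0 - 85.222.159.255",
]


def parse_entry(entry):
    """Turn one allowlist entry (host, CIDR or 'a - b' range) into networks."""
    entry = entry.strip()
    if "-" in entry:
        first, last = (ipaddress.ip_address(p.strip()) for p in entry.split("-", 1))
        if last < first:
            raise ValueError(f"range runs backwards: {entry!r}")
        return list(ipaddress.summarize_address_range(first, last))
    # strict=True rejects a block whose base address has host bits set
    # (e.g. 136.147.0.0/15), which usually signals a mistyped entry.
    return [ipaddress.ip_network(entry, strict=True)]


def uncovered(destinations, allowlist):
    """Return the destinations that no allowlist entry covers, in input order."""
    networks = [net for entry in allowlist for net in parse_entry(entry)]
    return [d for d in destinations
            if not any(ipaddress.ip_address(d) in net for net in networks)]


if __name__ == "__main__":
    print("agent-only list misses:", uncovered(BLOCKED, AGENT_ONLY))
    print("with Salesforce ranges misses:", uncovered(BLOCKED, WITH_SALESFORCE))
```

The comparison covers addresses only; it does not show whether a requested rule has actually been deployed on the firewall or matches the port and direction of the traffic.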