VPN Configuration for User Access to NetSuite
Oracle NetSuite does not support traffic that is routed through a split-tunnel Virtual Private Network (VPN) to control user access to NetSuite.
In a full-tunnel VPN configuration:
- Users connect to the internet indirectly, using the company’s VPN server.
- Users are represented by the single IP address of the company’s VPN server.
In a split-tunnel VPN configuration:
- The VPN client routes calls from users to a host (specified in the URL) based on the target host’s IP address.
- Depending on how the routing is performed, users are represented on the internet either by the IP address of the Internet Service Provider (ISP) or by the IP address of the company’s VPN server.
To keep users connected to their NetSuite account, a company with a split-tunnel VPN needs to hard-code an IP address for a specific NetSuite data center in their VPN setup. If the NetSuite account is moved to a different data center, this setup won't work anymore.
After the move, roles with IP address restrictions won't work either. In this scenario, the hard-coded IP address in the VPN isn't valid, so traffic gets routed through the internet. The user appears to be coming from the ISP's IP address, rather than the company's VPN server IP address. (See Enabling and Creating IP Address Rules for more information about the Restrict this role by IP Address feature.)
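The failure described above can be modeled in a few lines. This is an added example, not Oracle NetSuite code: it assumes the role's IP address rule permits only the VPN server's address, and every address, route, and function name in it is constructed for illustration (addresses come from the RFC 5737 documentation ranges).

```python
import ipaddress

# All addresses are constructed (RFC 5737 documentation ranges).
VPN_SERVER_IP = ipaddress.ip_address("203.0.113.10")  # company VPN egress address
ISP_IP = ipaddress.ip_address("198.51.100.77")        # address assigned by the user's ISP
# Assumption: the role's IP address rule allows only the VPN server address.
ROLE_ALLOWED = [ipaddress.ip_network("203.0.113.10/32")]

# Split tunnel: one hard-coded route for the (constructed) old data center address.
SPLIT_TUNNEL_ROUTES = [(ipaddress.ip_network("192.0.2.50/32"), "vpn")]
# Full tunnel: everything goes through the VPN server.
FULL_TUNNEL_ROUTES = [(ipaddress.ip_network("0.0.0.0/0"), "vpn")]


def egress_interface(dest, routes):
    """Longest-prefix match; traffic with no matching route leaves directly."""
    dest = ipaddress.ip_address(dest)
    matches = [(net, iface) for net, iface in routes if dest in net]
    if not matches:
        return "direct"
    return max(matches, key=lambda m: m[0].prefixlen)[1]


def apparent_source_ip(dest, routes):
    """Address the destination sees for this user."""
    return VPN_SERVER_IP if egress_interface(dest, routes) == "vpn" else ISP_IP


def role_login_allowed(dest, routes):
    """True when the apparent source address satisfies the role's IP rule."""
    src = apparent_source_ip(dest, routes)
    return any(src in net for net in ROLE_ALLOWED)


if __name__ == "__main__":
    old_dc, new_dc = "192.0.2.50", "192.0.2.200"  # before and after the move
    for name, routes in (("split", SPLIT_TUNNEL_ROUTES), ("full", FULL_TUNNEL_ROUTES)):
        for dc in (old_dc, new_dc):
            print(name, dc, apparent_source_ip(dc, routes), role_login_allowed(dc, routes))
```

With the split-tunnel routes, the login is allowed for the old address and denied for the new one, because the new address no longer matches the hard-coded route and the user appears from the ISP address.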
IP address references to NetSuite are unreliable in a cloud setup. NetSuite IP addresses can change at any time, without warning. Also, split-tunnel VPN configurations can't use the Content Delivery Networks (CDNs) in Oracle NetSuite's global infrastructure.
If you choose to use a full-tunnel VPN, be aware that this configuration does not ensure the same performance as when no VPN is present.