How can I enable Virtual Private Network (VPN) access to Oracle Service Cloud?
All versions of Oracle Service Cloud
I want to enable Virtual Private Network access for my Oracle Service Cloud instance.
Overview of Oracle Service Cloud VPN Service
VPN is an optional service for customers who prefer an added layer of security for data being exchanged between their own private network and the Oracle Service Cloud.
A VPN is established between two VPN-capable network devices, one at Oracle’s data center and the other at your own location. Depending on your hardware, VPN gear may be called gateways, firewalls, VPN concentrators, VPN routers, VPN peers or VPN appliances. There are many network protocols available to use with VPN tunnels, but Oracle uses IPSec exclusively because it is the most common and most robust protocol.
Requirements for VPN Service
To set up a VPN service or tunnel to Oracle Service Cloud, you will need a VPN device that uses current IPSec standards to establish a secure tunnel between your network and your Oracle Service Cloud instance (aka Service Cloud site). Additional requirements for your VPN device are specified in the Service Cloud VPN request forms located at the bottom of this page.
Your device must support:
- IPv4 traffic with support for ICMP, TCP and UDP. Multicast traffic is not supported.
- Tunnel mode sessions. This encrypts the entire TCP packet, not just the payload.
- Authentication with pre-shared keys.
- Dynamic rekeying. IPSec uses dynamic rekeying to control how often a new key is generated during communication. Traffic is sent in blocks and each block of data is secured with a different key.
An IPSec tunnel is established in two phases, which are detailed below.
Phase 1: IKE
Phase 1 is the initial "handshake" between the two VPN devices during which they authenticate each other, establish a "secured channel", and "negotiate" the parameters for data protection.
Phase 2: IPSec
Phase 2 deals with traffic management of the data communication between sites, including determining which traffic goes where, whether it is encrypted, and whether it is allowed to access the remote site.
The following tables describe the technical configuration requirements for each phase of a VPN service with Oracle Service Cloud. You can choose to implement either an IKEv1 or an IKEv2 VPN service.
|IKEv1 VPN Service|Phase 1|Phase 2|
|Diffie-Hellman Group|Group 2|--|
|Lifetime|86400 sec (24 hrs)|3600 sec (1 hr)|
|IKEv2 VPN Service|Phase 1|Phase 2|
(Local & Remote)
|Diffie-Hellman Group|Group 14|--|
|Lifetime|86400 sec (24 hrs)|3600 sec (1 hr)|
Frequently Asked Questions
How long does it take to establish a VPN?
Although a VPN service can be configured in a matter of minutes, the overall process may take a few days or a few weeks to fully implement. The process includes acquiring necessary approvals, exchanging information, configuring the VPN gear at both ends, and testing.
Once configured and active, what is needed to maintain a VPN?
Once the VPN service is established, little to no effort is needed to maintain it. Typically, connectivity issues are resolved during testing or in the first few days or weeks. If the tunnel ever goes down, Oracle Service Cloud personnel must be able to contact you to troubleshoot the issue.
If changes are made to either end of the VPN tunnel (e.g. new hosts are added, address schemes are changed, etc.), then the VPN tunnel configuration on both sides will have to be updated to reflect those changes.
If I have multiple Service Cloud instances all in a single Oracle data center, how many VPNs will I need to purchase?
If you have a single Service Cloud instance, or if all of your instances are in the same data center, you will need just one VPN service.
If I have multiple Service Cloud instances in different Oracle data centers, how many VPNs will I need?
If you want direct VPN connectivity to each site, you will need one VPN service per data center.
If I have multiple interfaces on my Service Cloud instance, which interfaces can utilize the VPN?
Once you have VPN service at a data center, all of your Service Cloud instances and all associated interfaces at that data center can utilize your VPN service.
Which Oracle Service Cloud components will utilize the VPN service?
Oracle Service Cloud is comprised of many different components and services that create communications between Service Cloud and your customers, and between Service Cloud and your employees, agents, or administrators.
Communications between your customers and Service Cloud will NOT traverse the VPN. Customers access your Service Cloud via the Customer Portal or the customer side of Chat, and this traffic does NOT traverse the VPN.
Traffic that WILL traverse the VPN includes communications between Service Cloud and your employees, agents, and administrators. This traffic includes:
- Agent Desktop
- Agent side of Chat
How do I request a VPN tunnel?
- Contact your sales representative and purchase the following (if not already included in your agreement):
  - One "Oracle Virtual Private Network Setup Fee Cloud Service" per data center
  - One "Oracle Virtual Private Network for Oracle RightNow Cloud Service" per data center
- Once the above subscriptions are active, complete either the Oracle Service Cloud IKEv1 VPN Request Form or the Oracle Service Cloud IKEv2 VPN Request Form, depending on whether you prefer an IKEv1 or an IKEv2 VPN. Links to both forms are below.
- Open a service request and attach the completed form.
Oracle will receive your request with your completed form and ensure all pre-requisites are satisfied. During an agreed maintenance window, Oracle and your designated network engineers will provision the VPN service, ensure the VPN connection is established, and perform testing.
Information you will need to complete the VPN request form includes:
- Customer name: your company name
- Technical contacts: information about your own network personnel
- Model: your VPN device model(s)
- IP address: the public IP address of your VPN device
- Phase 1 encryption and hashing algorithms to be used
- Diffie-Hellman group you want to use to generate keys
- Lifetime for the IKE security association
- Phase 2 encryption and authentication algorithms to be used
- Lifetime for the IPSec security association: time between renegotiations of the SA
- Remote subnet(s): the host IP address(es) or network subnet(s) at your location(s) that will send and receive traffic over the VPN
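A pre-submission check of a draft request against the device requirements and phase tables stated on this page, as an added example (not Oracle's code or form format). The dictionary field names, the sample values and the RFC 1918 test for a non-public peer address are assumptions; encryption and hashing choices are not checked because the page's tables do not show them.

```python
import ipaddress

# Values from this page's tables. Rows the page does not show (encryption,
# hashing) are not checked. The draft's field names are hypothetical.
REQUIRED = {
    "ikev1": {"dh_group": 2, "phase1_lifetime": 86400, "phase2_lifetime": 3600},
    "ikev2": {"dh_group": 14, "phase1_lifetime": 86400, "phase2_lifetime": 3600},
}
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed drafts; 203.0.113.10 is a documentation address standing in
# for the VPN device's public IP.
GOOD = {"ike_version": "ikev2", "dh_group": 14, "phase1_lifetime": 86400,
        "phase2_lifetime": 3600, "mode": "tunnel", "auth": "psk",
        "peer_ip": "203.0.113.10", "remote_subnets": ["10.20.30.0/24"]}
BAD = dict(GOOD, dh_group=2, phase2_lifetime=28800, mode="transport",
           peer_ip="192.168.1.1", remote_subnets=["239.1.0.0/16", "10.20.30.5/24"])


def check_request(req):
    """Return a list of problems; an empty list means the draft is consistent."""
    wanted = REQUIRED.get(req.get("ike_version"))
    if wanted is None:
        return ["ike_version: must be 'ikev1' or 'ikev2'"]
    problems = [f"{k}: expected {v}, got {req.get(k)}"
                for k, v in wanted.items() if req.get(k) != v]
    if req.get("mode") != "tunnel":
        problems.append("mode: only tunnel mode sessions are supported")
    if req.get("auth") != "psk":
        problems.append("auth: pre-shared key authentication is required")
    try:  # the form asks for the public IPv4 address of the VPN device
        peer = ipaddress.IPv4Address(req.get("peer_ip", ""))
        if (peer.is_loopback or peer.is_link_local or peer.is_multicast
                or peer.is_unspecified or any(peer in n for n in RFC1918)):
            problems.append(f"peer_ip: {peer} is not a public address")
    except ipaddress.AddressValueError:
        problems.append(f"peer_ip: {req.get('peer_ip')!r} is not IPv4")
    for text in req.get("remote_subnets", []):  # IPv4 only, no multicast
        try:
            net = ipaddress.IPv4Network(text, strict=True)
        except ValueError:
            problems.append(f"remote_subnets: {text!r} is not a valid IPv4 network")
            continue
        if net.is_multicast:
            problems.append(f"remote_subnets: {net} is multicast, not supported")
    return problems

print("\n".join(check_request(BAD)))
```

Catching a Diffie-Hellman group or lifetime that does not match the chosen IKE version before the form is attached avoids a Phase 1 or Phase 2 negotiation failure during the provisioning window.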