Advanced Networking and Whitelisting

Smart Integration Connector requires outbound traffic over port 443 to function. If you restrict outbound traffic over port 443, you must whitelist outbound traffic to Azure Relay Service. Smart Integration Connector does not require any inbound access rules to function.

Whitelist outbound traffic to Azure Relay Service from your Firewall

The best practice is to whitelist outbound traffic to Azure using the *.servicebus.windows.net domain or using the fully qualified domain names for your specific Azure Relay namespaces.

  1. (Microsoft Best Practice) To allow traffic to your Azure Relay namespace

    Add the domain <*.servicebus.windows.net> to your firewall rules permitting port 443 outbound.
    See here for additional info.

  2. Additionally, you can whitelist traffic further using IP addresses by following these Azure-specific instructions:

    1. Whitelist all IP addresses returned by this script.

    2. You will need to monitor these IPs frequently as they are no longer static and up to 20% of the IPs can change in the span of a month.

Restrict traffic to the Azure Relay

You can block or restrict traffic to your Azure relay to only allow certain IP ranges to connect.

  1. From the OneStream Windows Application client go to System > Administration > Smart Integration Connector > Relay.

  2. Select IPv4 Whitelist.

  3. Enter IPv4-compatible IP addresses (XXX.XXX.XXX.XXX) or CIDR addresses (XXX.XXX.XXX.XXX/XX), separated by semicolons, in the IPv4 Whitelist dialog box.

    NOTE: IPv6 addresses are not currently supported.

    NOTE: Do not include any extra spaces or characters.

  4. Restart your Local Gateway Service.
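
A pre-check for the IPv4 Whitelist value from step 3, run before pasting it into the dialog box. This is an added example, not OneStream code: the function names and sample values are assumptions, it enforces only the format rules stated above (semicolon-separated IPv4 or CIDR entries, no IPv6, no extra spaces), and the /0 warning is an extra hygiene check rather than a product rule.

```python
import ipaddress


def check_ipv4_whitelist(value):
    """Return a list of problems in a semicolon-separated IPv4 whitelist string.

    An empty list means the value follows the format rules stated on this page.
    """
    if not value:
        return ["value is empty"]
    problems = []
    for pos, entry in enumerate(value.split(";"), start=1):
        if entry == "":
            problems.append(f"entry {pos}: empty (stray or trailing semicolon)")
        elif any(ch.isspace() for ch in entry):
            problems.append(f"entry {pos}: contains whitespace: {entry!r}")
        elif ":" in entry:
            problems.append(f"entry {pos}: IPv6 is not supported: {entry}")
        else:
            problems.extend(_check_entry(pos, entry))
    return problems


def _check_entry(pos, entry):
    """Validate one entry as a dotted-quad address or address/prefix CIDR."""
    address, slash, prefix = entry.partition("/")
    try:
        if not slash:
            ipaddress.IPv4Address(address)
            return []
        if not prefix.isdigit():
            return [f"entry {pos}: prefix must be a number (CIDR form): {entry}"]
        network = ipaddress.IPv4Network(entry, strict=False)
    except ValueError as exc:
        return [f"entry {pos}: not a valid IPv4 address or CIDR: {exc}"]
    if network.prefixlen == 0:
        # Added hygiene check (not a product rule): /0 admits every IPv4 source.
        return [f"entry {pos}: /0 matches all addresses and removes the restriction"]
    return []


if __name__ == "__main__":
    # Constructed sample values using documentation address ranges.
    for sample in ("203.0.113.10;198.51.100.0/24", "203.0.113.10; 198.51.100.0/24;"):
        print(repr(sample), "->", check_ipv4_whitelist(sample) or "OK")
```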