BillB
Tera Contributor


Think you need a VPN for your integrations? Chances are, you don't! Got LDAP? Got MID? Heard of SSL? SSO a possibility? Then why use VPN?


I often find myself in discussions with folks who think the only way to solve their integration needs is by using a VPN tunnel. Then, those same folks wonder why their users are experiencing downtime just because they have a tunnel outage. Well, when you depend on a tunnel for authentication, that's exactly what can happen.

So, why depend on a tunnel when better technologies exist today? Sure, VPNs are a tried-and-true technology that has been around since before DVDs were invented. But we live in the 21st century now, and we don't need a VPN anymore! So why do we still get requests for them?

To answer this question we have to look a little deeper into what exactly is being protected with a VPN (IPsec) tunnel. First, let's focus on LDAP integration.

LDAP Integrations


LDAP integrations have two main functions for our use: User Data Imports and Authentication. Today we'll focus on the user data import side.

The User Data Import is simply a means of synchronizing user information so things like email addresses, office locations, departments, and other attributes (not passwords, though) in the instance match what's configured in the directory servers. When a user is added to, removed from, or modified in the domain, then we want that user record in the instance updated to reflect this change.

The instance could connect to the LDAP server directly and sync from it. In fact, we do this in many cases. The instance has a "listener" that catches changes to the directory server and updates only those modified records in near-real-time. But we don't need a VPN tunnel to secure the data.

In fact, since the Eureka release, polling capability has been available on the MID server, which is available to all customers. The MID server lives in your network and is under your full control. It connects to your instance just like users do—over a secure SSL channel, with all the traffic encrypted end-to-end at the application layer.

On the other hand, VPN tunnels only encrypt the traffic between the two VPN peers and leave a leg on both sides of the connection, between the peer and the local server, unencrypted. If security is a concern, it would be best to steer clear of VPNs, actually. Instead, simply download the MID server application from the instance, install it on a server in your network, and voilà! You now have a method of "listening" to your directory server and updating the instance without the need for ServiceNow to make any kind of a connection to your network. Isn't that cool?
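To make the two points above concrete, here is a small Python model I've added to the post; it is my own illustration, not ServiceNow's MID server code or its LDAP listener. It shows the user data import as an incremental poll (only records modified since the last watermark are pulled, and the change is merged into the instance user table, with password attributes never copied) and it refuses to poll a directory unless the endpoint is encrypted (LDAPS, or LDAP upgraded with StartTLS), which is the "encrypted end-to-end, not just between VPN peers" property. The directory entries, the instance user table, the attribute-to-field mapping, and the `dc1.example.internal` hostname are all constructed for the example; the function names are mine.

```python
"""Constructed example of an incremental, encrypted-only LDAP user data import.
Not ServiceNow code: an in-memory stand-in for a MID server polling a directory."""
from typing import Dict, List, Tuple
from urllib.parse import urlparse

# Directory attribute -> instance user field. Constructed mapping for the example.
ATTRIBUTE_MAP = {
    "mail": "email",
    "physicalDeliveryOfficeName": "location",
    "department": "department",
}
# Password attributes are never imported, even if the directory returns them.
EXCLUDED_ATTRIBUTES = {"userPassword", "unicodePwd"}


def is_encrypted_endpoint(url: str, start_tls: bool = False) -> bool:
    """True only for LDAPS, or plain LDAP that the client will upgrade with StartTLS."""
    scheme = urlparse(url).scheme.lower()
    return scheme == "ldaps" or (scheme == "ldap" and start_tls)


def require_encrypted_endpoint(url: str, start_tls: bool = False) -> str:
    """Fail closed: a directory poll over a cleartext leg is not allowed to start."""
    if not is_encrypted_endpoint(url, start_tls):
        raise ValueError(f"refusing cleartext directory endpoint: {url}")
    return url


def poll_changes(directory: List[dict], since: str) -> List[dict]:
    """Return entries modified after the watermark, oldest first.
    Models a polling filter on modifyTimestamp (GeneralizedTime strings sort lexically)."""
    changed = [e for e in directory if e["modifyTimestamp"] > since]
    return sorted(changed, key=lambda e: e["modifyTimestamp"])


def apply_changes(users: Dict[str, dict], entries: List[dict]) -> Dict[str, dict]:
    """Merge changed directory entries into a copy of the instance user table.
    Users removed from the domain are deactivated rather than deleted."""
    users = {uid: dict(rec) for uid, rec in users.items()}  # don't mutate the caller's table
    for entry in entries:
        uid = entry["sAMAccountName"]
        record = users.setdefault(uid, {"user_name": uid, "active": True})
        if entry.get("isDeleted"):
            record["active"] = False
            continue
        record["active"] = True
        for attr, value in entry.items():
            if attr in EXCLUDED_ATTRIBUTES:
                continue
            field = ATTRIBUTE_MAP.get(attr)
            if field:
                record[field] = value
    return users


def run_sync(url: str, users: Dict[str, dict], directory: List[dict],
             watermark: str, start_tls: bool = False) -> Tuple[Dict[str, dict], str, int]:
    """One polling cycle: check the channel, fetch the delta, merge, advance the watermark."""
    require_encrypted_endpoint(url, start_tls)
    changes = poll_changes(directory, watermark)
    updated = apply_changes(users, changes)
    new_watermark = changes[-1]["modifyTimestamp"] if changes else watermark
    return updated, new_watermark, len(changes)


# Constructed directory snapshot and instance user table for the example.
DIRECTORY = [
    {"sAMAccountName": "alice", "mail": "alice@example.com", "department": "Finance",
     "modifyTimestamp": "20240301120000Z"},
    {"sAMAccountName": "bob", "mail": "bob@example.com", "department": "IT",
     "physicalDeliveryOfficeName": "Building 2", "userPassword": "{SSHA}not-for-import",
     "modifyTimestamp": "20240305090000Z"},
    {"sAMAccountName": "carol", "isDeleted": True, "modifyTimestamp": "20240306080000Z"},
]
INSTANCE_USERS = {
    "alice": {"user_name": "alice", "email": "alice@example.com",
              "department": "Finance", "active": True},
    "carol": {"user_name": "carol", "email": "carol@example.com", "active": True},
}

if __name__ == "__main__":
    users, watermark, count = run_sync("ldaps://dc1.example.internal",
                                       INSTANCE_USERS, DIRECTORY, "20240302000000Z")
    print(f"applied {count} change(s); next watermark {watermark}")
    for uid, rec in sorted(users.items()):
        print(uid, rec)
```

With the watermark set to just after alice's last change, one cycle pulls only bob (new) and carol (removed): alice is left alone, bob's office and department are mapped in while his password attribute is dropped, and carol is deactivated. A real poller would persist the watermark between cycles and bind to the directory with certificate verification on; the endpoint check here is the part that keeps the "unencrypted leg" of the VPN picture from ever appearing.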

Check out Part II for why you still don't need a VPN, even if you don't want to use a MID server.
