As an enterprise CRM platform increasingly popular among organizations, Salesforce facilitates the delivery of secure, reliable and functional software applications to support customers. To ensure maximum security, Salesforce administrators can further protect their CRM implementations via the use of IP whitelisting. This practice authorizes specific network connections based on their IP addresses to filter out unauthorised traffic from an organization’s infrastructure and reduce the risk of system infiltration and malicious intrusions.

IP whitelisting helps administrators protect their valuable data and optimize production processes by preventing unnecessary communication and limiting access to authorized personnel. While whitelisting is sometimes used in combination with other security protocols such as role-based authentication or two-factor authentication, it is a necessary first step towards the secure utilization of Salesforce.

For Salesforce administrators eager to lower their exposure to potential exploits, a comprehensive understanding of the IP whitelisting process is essential for implementation. In this article, we’ll explore the basics of IP whitelisting in Salesforce, describe the configurations and assumptions needed for effective setup, discuss best practices, and finally, provide some suggestions for improving security and reliability.

What is IP Whitelisting?

IP whitelisting, or permitting access to a network based on authorized IP addresses, involves configuring a network to receive and accept connections only from allowed IP addresses and to reject any unauthorized traffic. Whitelisting helps protect organizations from malicious intrusions and unauthorized external access. It is also sometimes used with role-based access control (RBAC) protocols, though IP whitelisting is the quickest and most effective form of access control.

Salesforce administrators can authorize particular IP addresses to access their organizational applications. For example, an administrator could whitelist an IP address representing an employee's company laptop, a third-party service's IP address, or even a wholly dedicated office IP address so that only authenticated networks are granted access. This process can be completed in the Security & Network tab of the relevant Salesforce organization’s portal.

Configuring IP Whitelisting in Salesforce

Configuring IP whitelisting in Salesforce is a straightforward process; administrators must merely navigate to the Security & Network tab of their Salesforce organization, then to Network Access. When adding a new IP address or range, administrators are able to specify the type of connection, such as internet, VPN, or corporate network. If an on-premises connection is requested, the client must specify the IP address or range. Lastly, if the connection is Internet-based, theAllow access to this network by IP range option must be selected.

Making the decision to implement IP whitelisting comes with a few caveats. First, the implementation of whitelisting requires that the users of Salesforce applications maintain consistently updated IP addresses. For example, if the whitelisted IP addresses become outdated, the resulting access error will likely cause disruptions in production operations. Thus, when implementing IP whitelisting, administrators should ensure that Salesforce applications are able to adjust IP addresses in real-time when necessary.

Second, IP whitelisting also necessitates unified authentication protocols; if a user logging in from a whitelisted IP address is not recognized as an authorised user, their access will be denied regardless of legitimate credentials. Therefore, when implementing IP whitelisting in Salesforce, administrators should ensure that their authentication protocols are working together and that users logging in from whitelisted addresses are being validated correctly.

Best Practices for IP Whitelisting

When developing an IP whitelisting policy, administrators should be mindful that even a single IP leakage can circumvent the security benefits of whitelisting. To maximise the benefits of IP whitelisting, administrators should practice a number of best practices.

1. Make sure whitelisted IP addresses are updated regularly. It is important to ensure not only that client networks and Salesforce applications maintain valid whitelisted IP addresses but that all clients update the whitelist on a regular basis. The frequency at which IP addresses and other whitelisting information should be updated should be set based on on the requirements of each organization’s IT security policies.

2. Leverage SSL/TLS encryption techniques to further protect network traffic. While whitelisting can block malicious traffic from external sources, it can offer limited protection against man-in-the-middle attacks. To safeguard information exchanges, SSL/TLS encryption techniques should always be leveraged in combination with whitelisting.

3. Determine the appropriate logs, webpages, and applications that need to be whitelisted. Administrators should determine which Salesforce applications require IP whitelisting and the associated IP addresses, webpages, and logs that need to be whitelisted. It is important to note that web applications and extranets may require access from IP addresses outside of the organization’s controlled perimeter, such as those associated with customers or other third-party services and applications.

4. Consider building multiple whitelists; for instance, one for inbound access and another for outbound access. Depending on the scope of an organization’s whitelisting policy, it is often necessary to establish separate whitelists for inbound and outbound access. This allows administrators to have a more granular control over which networks are allowed to connect and which IPs and subnets are given access to the Salesforce platform.


IP whitelisting is an effective security protocol for protecting Salesforce implementations, but all organizations should be mindful that it does not replace more advanced security controls. When leveraging IP whitelisting, administrators should keep in mind to regularly update IP addresses, ensure UI authentication protocols are up to date and secure, and know which applications and webpages are being whitelisted. When all of these concurrent security protocols are leveraged in concert, organizations can ensure a sound security environment for their critical Salesforce resources.


SFDC best practices


Salesforce tools

signup for our blog


“Flosum is the best native release management tool that you will fall in love with. I have gained confidence in my role and has given me the ability to view release management from a whole different perspective.”

Faizan Ali

Faizan Ali
Salesforce Consultant at Turnitin