The T4S Server runs on a virtual machine within your DMZ and is configured to only communicate with the various Ahpra Salesforce Orgs running in the cloud.
This allows the Content Manager Server to remain protected within your LAN.
The T4S Server API only accepts external requests originating from a Salesforce domain, and the IIS Server is also configured for two-way SSL (mutual TLS), so a request is authenticated to the T4S Server API only if it presents a Salesforce Organization generated certificate that has been pre-installed on the server.
When a Salesforce Org generated self-signed certificate expires, or a Sandbox is refreshed, a new self-signed certificate must be generated and installed onto the T4S Server using MMC so that IIS can authenticate the incoming requests.
The name of the newly created certificate must then be updated on the Salesforce T4S Server configuration page, so that the Salesforce T4S package knows which Salesforce certificate to send to the T4S Server.
T4S Server Access to Salesforce
T4S will need to have access to your Salesforce Orgs in the cloud by Domain Name.
Here is a full list of the Salesforce Domain Names.
Allow the Required Domains (salesforce.com)
The minimum set of domains that should be allowed is:
*.force.com
*.lightning.com
*.salesforce.com
*.visualforce.com
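The allowlist above is wildcard-based, and a lax matcher can let lookalike hosts through (evil-salesforce.com also "ends with" salesforce.com). The following is an added example, not part of the T4S documentation or package, showing a strict matcher for exactly these four patterns; the hostnames in the comments and test are constructed.

```python
"""Strict allowlist matcher for the outbound Salesforce domains listed above.

Added example (not T4S project code). The patterns are the four from the
page; any hostnames used to exercise it are constructed, not real targets.
"""
from typing import Iterable, List, Tuple
from urllib.parse import urlsplit

# The minimum allowlist from the page.
ALLOWED_PATTERNS = ("*.force.com", "*.lightning.com",
                    "*.salesforce.com", "*.visualforce.com")


def _normalize(value: str) -> str:
    """Reduce a bare host or a full URL to a lower-case hostname.

    Drops the scheme/path of a URL, any ":port" suffix and a trailing root
    dot, so "Login.Salesforce.com." and "login.salesforce.com:443" compare
    equal to "login.salesforce.com".
    """
    value = value.strip()
    if "://" in value:
        return (urlsplit(value).hostname or "").rstrip(".")
    host = value.lower().rstrip(".")
    return host.split(":", 1)[0] if ":" in host else host


def host_matches(host: str, pattern: str) -> bool:
    """True if host is covered by one allowlist entry.

    "*.example.com" covers any name with at least one label under
    example.com (login.example.com, a.b.example.com) but NOT example.com
    itself, NOT evil-example.com, and NOT example.com.attacker.net: the
    match is on the label boundary (leading dot), not a plain substring.
    """
    host = _normalize(host)
    pattern = pattern.strip().lower()
    if not host or not pattern:
        return False
    if pattern.startswith("*."):
        suffix = pattern[1:]  # ".example.com", dot included
        return host.endswith(suffix) and len(host) > len(suffix)
    return host == pattern  # exact entry, no wildcard


def is_allowed(host: str, patterns: Iterable[str] = ALLOWED_PATTERNS) -> bool:
    """True if host matches any entry in the allowlist."""
    return any(host_matches(host, p) for p in patterns)


def filter_hosts(hosts: Iterable[str],
                 patterns: Iterable[str] = ALLOWED_PATTERNS) -> Tuple[List[str], List[str]]:
    """Split candidate destinations into (allowed, denied) lists for review."""
    allowed, denied = [], []
    for h in hosts:
        (allowed if is_allowed(h, patterns) else denied).append(h)
    return allowed, denied
```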
Salesforce Access to T4S Server
Salesforce is currently migrating its servers to its Hyperforce cloud infrastructure.
There may be some Salesforce Sandbox Orgs on non-Hyperforce servers, while others are moved to the Hyperforce servers.
See Salesforce IP Addresses and Domains to Allow
To find the Salesforce Org instance, within Salesforce navigate to Setup -> Company Information, and view the "Instance" value.
e.g. an Australian Salesforce Sandbox instance may be "AUS36S".
Use Find My Instance - Trust | Availability (salesforce.com) to find out where your Salesforce Org is, and if it is running on Hyperforce.
To find Non Hyperforce IPs:
Salesforce IP Addresses and Domains to Allow