The T4S Server is usually set up on a new or existing virtual machine behind the network firewall within the customer’s DMZ.
This allows the Content Manager Server to remain protected within your LAN, and the T4S Server to be configured to only allow authenticated requests from the customer's Salesforce Orgs and Sandbox through the firewall.
The T4S Server Requirments
Modern Windows Server OS
16GB RAM minimum
IIS v10 or greater
Network Access through to the Content Manager Server
Network firewall whitelisting rules to allow communication to specified Salesforce Orgs.
CA Certified external Domain for Salesforce SSL Connection.
Two-way SSL Security
Each Salesforce Org that is set up to connect to the T4S Server requires a Salesforce Self-signed Certificate created within the Org, and installed into the T4S Server trusted certificate root.
Only Salesforce Orgs whitelisted, and sending requests with a valid certificate will have access to the T4S Server app running in IIS.
Within Salesforce only CA-certified domains will be able to be called out to and allowed to connect back.