SFDC apps call the LaunchWorks web application and therefore rely on the proxy to obfuscate URL’s. Calls made from SFDC are made via the web browser so the originating IP will be from the Client IP.
In the area of restricting access, what can be done in the current version are the following:
1) SFDC can restrict what servers SFDC Calls
- Optional IP ranges can be set where the connected app might be running
2) SFDC can restrict IP of User that can call the application
- Set Trusted IP Range (Oauth only)
3) Report Launch can restrict so that the calling application can only be called from the specific SalesForce connected app in the specific SalesForce Org by checking the referring URI (custom Launchworks application configuration). This will restrict the system from being called outside of SFDC.
While not as tight as restricting which IP addresses can reach the Report Launch application (as the calls to Report Launch are done from the client browser), it should meet the requirements of most organizations.
- In the future, we will have a Report Launch application in SalesForce natively making back end calls so that the ability to have tighter restrict will be possible using SalesForce's native platform architecture.