For a Self-Hosted Instance, Ensure Only Trusted IP Addresses Are Allowed to Connect to an Instance
Summary of Ensure only Trusted IP Addresses are Allowed to Connect to An Instance
This guide outlines how to configure your self-hosted ServiceNow instance to allow only trusted IP addresses to connect. A self-hosted instance is one where the glide.installation.self_hosted property is set to true, indicating that it runs on your own infrastructure rather than in ServiceNow's cloud.
Key Features
- System Properties: Control inbound IP connections using the glide.ip.authenticate.allow.self_hosted_enabled and glide.ip.authenticate.allow.secured.self_hosted_enabled properties.
- Strict Mode: When enabled via glide.ip.authenticate.strict, this mode replaces the inbound IP allow list with the secured list defined in glide.ip.authenticate.allow.secured.self_hosted_list.
- IP List Formats: You can specify IP ranges using hyphen notation, CIDR notation, or single IP addresses. The list properties default to 127.0.0.1 if not configured.
Key Outcomes
By setting glide.ip.authenticate.allow.self_hosted_enabled and glide.ip.authenticate.allow.secured.self_hosted_enabled to true, you ensure that only the specified trusted IP addresses can access your self-hosted instance. This significantly reduces the risk of unauthorized access, because the default allow list permits access from ServiceNow personnel, which is not applicable in self-hosted environments.
There are no expected functional impacts for self-hosted instances when these properties are set, but improper configuration on non-self-hosted instances could disrupt functionality.
Use system properties to control which inbound IP addresses can connect to self-hosted instances.
A self-hosted instance is a customer-managed deployment of the ServiceNow platform that runs on your own infrastructure instead of ServiceNow's cloud. An instance is classified as self-hosted if the glide.installation.self_hosted property is set to true.
On self-hosted instances, the glide.ip.authenticate.allow.self_hosted_enabled system property, when set to true, overrides the instance's inbound IP allow list. The glide.ip.authenticate.allow.secured.self_hosted_enabled system property provides the same function in strict mode. Strict mode is enabled when the glide.ip.authenticate.strict system property is set to true.
- In strict mode: the glide.ip.authenticate.allow.secured.self_hosted_enabled property replaces the inbound IP allow list with the IP allow list defined in the glide.ip.authenticate.allow.secured.self_hosted_list property.
- Not in strict mode: the glide.ip.authenticate.allow.self_hosted_enabled property replaces the inbound IP allow list with the IP allow list defined in the glide.ip.authenticate.allow.self_hosted_list property.
All of the list properties mentioned are strings containing lists of IP ranges that are appended to the inbound IP allow list of an instance. Each string is a comma-separated list of IP addresses or ranges in IPv4 or IPv6 format. A range can be specified with a hyphen (10.0.10.14-10.0.10.19), in CIDR notation (10.0.10.0/24), or as a single IP address (10.0.10.5).
If your instance is self-hosted:
- Set the glide.ip.authenticate.allow.self_hosted_enabled and glide.ip.authenticate.allow.secured.self_hosted_enabled properties to true.
- Ensure that the glide.ip.authenticate.allow.secured.self_hosted_list and glide.ip.authenticate.allow.self_hosted_list system properties are either not set, or contain a comma-separated list of only the trusted IP ranges that you want to allow to access your instance.
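To review such a configuration offline before applying it, the following added Python (not ServiceNow code) parses the three list-entry formats described above, applies the strict-mode precedence between the two property pairs, and flags entries that admit far more addresses than a trusted range should. The property values and the 256-host threshold are constructed for the example.

```python
import ipaddress
from typing import Dict, List, Optional, Tuple
DEFAULT_LIST = "127.0.0.1"  # the page states unset list properties default to 127.0.0.1

def parse_entry(entry: str) -> Tuple:
    """One list entry (hyphen range, CIDR or single address) -> (first, last) addresses."""
    entry = entry.strip()
    if "-" in entry:  # hyphen range, e.g. 10.0.10.14-10.0.10.19
        lo, hi = (ipaddress.ip_address(p.strip()) for p in entry.split("-", 1))
        if lo.version != hi.version or lo > hi:
            raise ValueError(f"invalid range: {entry}")
        return lo, hi
    if "/" in entry:  # CIDR, e.g. 10.0.10.0/24 (strict=False tolerates set host bits)
        net = ipaddress.ip_network(entry, strict=False)
        return net.network_address, net.broadcast_address
    addr = ipaddress.ip_address(entry)  # single address, e.g. 10.0.10.5
    return addr, addr

def parse_allow_list(value: str) -> List[Tuple]:
    return [parse_entry(e) for e in value.split(",") if e.strip()]  # empty entries ignored

def effective_list(props: Dict[str, str]) -> Optional[str]:
    """List governing inbound access: secured pair in strict mode, else non-strict pair; None = no override."""
    def is_true(key): return str(props.get(key, "false")).strip().lower() == "true"
    strict = is_true("glide.ip.authenticate.strict")
    prefix = "glide.ip.authenticate.allow." + ("secured." if strict else "")
    if not is_true(prefix + "self_hosted_enabled"):
        return None
    return props.get(prefix + "self_hosted_list") or DEFAULT_LIST

def is_allowed(client_ip: str, props: Dict[str, str]) -> Optional[bool]:
    """True/False under the active override list; None when no override applies."""
    lst = effective_list(props)
    if lst is None:
        return None
    ip = ipaddress.ip_address(client_ip)
    return any(lo.version == ip.version and lo <= ip <= hi for lo, hi in parse_allow_list(lst))

def overly_broad_entries(value: str, max_hosts: int = 256) -> List[str]:
    """Audit check: entries that admit more than max_hosts addresses (constructed threshold)."""
    entries = [e.strip() for e in value.split(",") if e.strip()]
    return [e for e in entries if int(parse_entry(e)[1]) - int(parse_entry(e)[0]) + 1 > max_hosts]

# Constructed sample properties: strict mode on, so only the secured list is consulted.
SAMPLE_PROPS = {
    "glide.ip.authenticate.strict": "true",
    "glide.ip.authenticate.allow.secured.self_hosted_enabled": "true",
    "glide.ip.authenticate.allow.secured.self_hosted_list": "10.0.10.14-10.0.10.19, 10.0.10.0/24, 2001:db8::5",
    "glide.ip.authenticate.allow.self_hosted_list": "0.0.0.0/0",  # ignored in strict mode; the audit still flags it
}
```

Running overly_broad_entries over both list properties before enabling them catches a wide-open entry even when strict mode would currently hide it, which matters if strict mode is later switched off.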
More information
| Attribute | Description |
|---|---|
| Configuration name | glide.ip.authenticate.allow.self_hosted_enabled, glide.ip.authenticate.allow.secured.self_hosted_enabled, glide.ip.authenticate.allow.self_hosted_list, glide.ip.authenticate.allow.secured.self_hosted_list |
| Configuration type | System Properties (/sys_properties_list.do) |
| Data type | |
| Recommended value | Set both enabled properties to true; leave both list properties unset or restricted to trusted IP ranges only |
| Default value | |
| Fallback value | |
| Category | Architecture, design, and threat modeling |
| Security risk | |
| Functional impact | If your instance is self-hosted, there should be no unexpected functional impact from any of these properties, because the instance is not on the ServiceNow network and therefore does not have access to the IP ranges on the default IP allow list. If the instance is not self-hosted, setting these properties may break functionality. |
| Dependencies and prerequisites | None |