HTTP requests & Access from a SAP Environment + DMZ

Former Member
0 Kudos

Dear Experts,

I don't know if I am writing in the right topic, but if it is wrong, please accept my apologies.

Currently, I have installed a SAP ECC 6.0 IDES + a SAP EP 7.0 Enterprise Portal + a SAP Solution Manager 7.0 (SAP Zone) with a SAP Router which is in a DMZ (see the image at this link for more details: http://img149.imageshack.us/img149/1603/sdniu3.jpg)

In the SAP Zone, when I try to connect to the Internet, everything works. From the LAN or from any other place, it is impossible to connect to http://<hostname>:5XX00/irj/portal from EP7, for example.

I have poor skills in networking and security and I would like to know what you suggest.

1/ Can a SAP WebDispatcher be useful in the DMZ?

2/ Do I have to install IIS or Apache for this?

My own goal is to allow access for HTTP requests (http://<hostname>:5XX00/irj/portal for example) from the LAN or from outside the network.

Thank you very much in advance for your help.

Best regards,

Pascal.

5 REPLIES 5

RainerKunert
Active Participant
0 Kudos

Hi,

If you have a DMZ, you will have a firewall between the SAP Zone and other network areas. Please make sure that port 5xx00 is opened in the firewall. Normally the firewall blocks this port.

The WebDispatcher can work as a reverse proxy and URL filter. You should have such a tool in the DMZ to secure your systems. You may think about user authentication in the DMZ. With WebDispatcher, users have to authenticate at the SAP system; that means every user must pass through the DMZ, including unwanted users. It's better to block them as early as possible, that is, in the DMZ.

You should also think about a Web Application Firewall. This kind of appliance checks the traffic and the content. It is more secure than having only a reverse proxy.

RainerKunert
Active Participant
0 Kudos

IIS or Apache is not necessary.

You can install a reverse proxy on Apache, but it is better to use an appliance instead of self-installed reverse proxy software, because you have to harden the operating system and the application itself.

0 Kudos

Hello Rainer Kunert,

Thank you for replying. I forgot to say that there are only 2 ports opened to "outside" the SAP Zone. Inside the SAP Zone, I can sign in to the portal with port 5XX00, for example. For security reasons, there will be only one way to pass through the DMZ, via 1 or 2 ports maximum. Outside the SAP Zone, I could access the SAP system with SAP Logon, but with a t-code which uses HTTP requests (for example SE80 for a package program) there is no effect, whereas inside the SAP Zone everything's OK.

I just want to know what you mean by "Web Application Firewall" and "appliance". Do you have an example or something explaining it, please?

Thank you very much again.

Best regards,

Pascal.

0 Kudos

Hi,

A web application firewall is an appliance that can look into the communication channel. That means it does not only check IP addresses and ports but also the content of the web application. It analyses the HTTP headers and content, and can detect SQL injections, buffer overflows and disallowed characters.

The only appliance I know is from F5, but there are also other suppliers. I am not experienced with such products. Maybe someone else can share her/his knowledge?

Regards

Rainer
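
The two layers described in the replies above (a URL filter at the reverse proxy, then a content check as a web application firewall would do), as an added example that is not part of the thread and is not SAP Web Dispatcher or F5 configuration. The allowed root `/irj`, the forbidden character set, the sample requests and all function names are assumptions made for the illustration.

```python
import posixpath
from urllib.parse import parse_qsl, unquote

# Assumption: only the portal root from the thread is published through the DMZ.
ALLOWED_ROOTS = ("/irj",)
# Assumption: characters the content check refuses in query names and values.
FORBIDDEN_CHARS = set("<>'\";") | {chr(c) for c in range(0x20)}


def normalise_path(raw_path):
    """Return the path the backend would effectively see, or None if suspicious."""
    path = raw_path
    for _ in range(3):                      # bounded decoding of nested %-escapes
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    else:
        return None                         # still changing after 3 rounds
    if "\\" in path or "\x00" in path or not path.startswith("/"):
        return None
    # Collapse duplicate slashes and ./ ../ segments before any prefix match.
    return posixpath.normpath("/" + path.lstrip("/"))


def decide(request_target):
    """Return (verdict, detail) for a request target such as '/irj/portal?x=1'."""
    raw_path, _, query = request_target.partition("?")
    path = normalise_path(raw_path)
    if path is None:
        return "deny", "path encoding"
    # URL filter: match whole path segments, so '/irjx' does not pass as '/irj'.
    if not any(path == r or path.startswith(r + "/") for r in ALLOWED_ROOTS):
        return "deny", "url filter"
    # Content check: inspect decoded parameter names and values.
    for name, value in parse_qsl(query, keep_blank_values=True):
        if FORBIDDEN_CHARS & set(name + value):
            return "deny", "content check"
    return "allow", path


if __name__ == "__main__":
    # Constructed sample requests, not taken from the thread.
    for target in ("/irj/portal", "/irj/%252e%252e/other/app",
                   "/irjx/portal", "/irj/portal?user=a%27%20OR%20%271%27=%271"):
        print(target, "->", decide(target))
```

The filter matches on the normalised path, so encoded `../` segments cannot carry a request outside the published root; a real web application firewall inspects far more than this character check.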

Former Member
0 Kudos

Does anyone have an idea?

Any suggestion is welcome.

Thank you very much,

Pascal.