
Server Hardening Issues in Distributed Installation on Windows

Former Member
0 Kudos

Hello,

We are installing SAP CE 7.1 in a Distributed Installation on Windows: SCS and App Server on one host and DB (Oracle) on another host. There is a firewall between the DMZ and the App Server, and a second firewall between the App and DB Server.

Our Network Security Team has done server hardening there by blocking all ports. Due to this we are running into the following issues:

1. We installed SCS. But when we want to install the DB, it needs the UNC path for SAPMNT. Our network team is saying they will not allow sharing any folders between App and DB and we should tell them some other alternative. I want to know if something else is possible here, provided this is a Windows environment.

2. They are asking about all the ports that they will need to open on the firewall for SAP CE to access the DB and for the Web Server in the DMZ to access SAP CE.

If the experts can provide some input in these areas, that will be really helpful.

Regards,

Shubham

Answers (1)

Former Member
0 Kudos

Hi Shubham,

>> 1. We installed SCS. But when we want to install the DB, it needs the UNC path for SAPMNT. Our network team is saying they will not allow sharing any folders between App and DB and we should tell them some other alternative. I want to know if something else is possible here, provided this is a Windows environment.

You can evaluate an NFS solution for the sharing. But I didn't understand why they resist against the file sharing between two SAP servers. As a result of it, SAPMNT must be exported.

>> 2. They are asking about all the ports that they will need to open on the firewall for SAP CE to access the DB and for the Web Server in the DMZ to access SAP CE.

Are you asking about these ports for between the App and DB, or for accessing these servers from the client side?

Best regards,

Orkun Gedik

Former Member
0 Kudos

Thanks for your prompt reply Orkun.

If you can let me know some details about the NFS solution, that will be of great help. Our network security team does not understand how SAP works, and from my discussion with them I can say they don't want to. Since it's a bit urgent, I am looking for some alternatives, as the fight to get this done might take more than a month otherwise.

For the firewall ports, my understanding is that in the firewall between the Web Server in the DMZ and the App Server, I need to open port 50000. Similarly, in the firewall between the App Server and DB Server, I need to open port 1521 for my application to access the DB. But I don't know if CE will also speak to the DB on port 1521 or some other port. Are there any other ports that need to be opened?

Regards,

Shubham

Former Member
0 Kudos

Hi Shubham,

>> If you can let me know some details about the NFS solution, that will be of great help. Our network security team does not understand how SAP works, and from my discussion with them I can say they don't want to. Since it's a bit urgent, I am looking for some alternatives, as the fight to get this done might take more than a month otherwise.

This is very bad. Anyway, regarding your installation, if you are not planning to install a dialog instance on the DB host and keep your CE installation on the same host, you can turn off Windows sharing safely on the firewall. By doing so, the system will access its shares internally and doesn't need to share SAPMNT and SAPLOC. Under this circumstance, you don't need to run an NFS server or a similar solution. By the way, what about your object transport strategy? Are you planning to use CTS+?

>> For the firewall ports, my understanding is that in the firewall between the Web Server in the DMZ and the App Server, I need to open port 50000. Similarly, in the firewall between the App Server and DB Server, I need to open port 1521 for my application to access the DB. But I don't know if CE will also speak to the DB on port 1521 or some other port. Are there any other ports that need to be opened?

It is enough to open the Oracle listener port (1521 standard port) and the J2EE server HTTP port (50000) in order to run CE, because the system is standing on a pure Java stack. What about telnet access to the J2EE server? If you need telnet support, you should open 50008 as well. But, you know, if you are planning to add a dialog instance you need to open more ports such as message server, P4, etc.

Best regards,

Orkun Gedik
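As an added example (not from this thread or from SAP), the following PowerShell script checks the firewall paths the answer above lists, so the hardening can be verified from each host instead of argued with the network team. Hostnames are placeholders; the "expected closed" rows are an assumption derived from the two-firewall design described in the question (the DMZ should reach only port 50000 on the app server and never the database), and Test-NetConnection requires Windows 8.1/Server 2012 R2 or later.

```powershell
# Added example: verify the SAP CE firewall paths discussed above.
# Placeholder hostnames (assumption): DMZWEB01 (DMZ web server),
# SAPAPP01 (SCS + CE app server), SAPDB01 (Oracle host).
# Run the script once on each host; it tests only the rows whose
# 'From' matches the local computer name.

$paths = @(
    # From -> To : Port   Purpose                                   Expected reachable?
    @{ From='DMZWEB01'; To='SAPAPP01'; Port=50000; Purpose='DMZ web -> J2EE HTTP';           Expected=$true  },
    @{ From='SAPAPP01'; To='SAPDB01';  Port=1521;  Purpose='CE app -> Oracle listener';      Expected=$true  },
    # Assumed policy rows: telnet admin port must not be exposed to the DMZ,
    # and the DMZ must never reach the database directly (second firewall).
    @{ From='DMZWEB01'; To='SAPAPP01'; Port=50008; Purpose='DMZ web -> J2EE telnet (admin)'; Expected=$false },
    @{ From='DMZWEB01'; To='SAPDB01';  Port=1521;  Purpose='DMZ web -> Oracle listener';     Expected=$false }
)

$me       = $env:COMPUTERNAME
$failures = 0

foreach ($p in ($paths | Where-Object { $_.From -eq $me })) {
    # Test-NetConnection performs a TCP connect; suppress its own warning on failure
    $r    = Test-NetConnection -ComputerName $p.To -Port $p.Port -WarningAction SilentlyContinue
    $open = [bool]$r.TcpTestSucceeded

    if ($open -eq $p.Expected) { $status = 'OK  ' } else { $status = 'FAIL'; $failures++ }

    '{0} {1,-36} {2}:{3,-6} reachable={4,-5} expected={5}' -f `
        $status, $p.Purpose, $p.To, $p.Port, $open, $p.Expected
}

if ($failures -gt 0) {
    Write-Warning "$failures path(s) deviate from the expected firewall policy on $me."
}
```

A FAIL on an "expected=True" row means the listener port or HTTP port is still blocked; a FAIL on an "expected=False" row means the hardening left a path open that the design does not need.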