Network Security Solution to allow suppliers access SAP Sourcing without VPN

Former Member
0 Kudos

What are the network security solutions/options to allow suppliers, without requiring VPN, to access SAP Sourcing On Premise installed behind the firewall?

I have searched the SDN/SCN forum and found that 2 people posted similar questions, but no one has answered... I think this information will be very useful for all companies that plan to implement SAP Sourcing on-premise... So I really hope any security experts can share their experience. Thank you in advance.

Detailed questions

How to allow the suppliers access to SAP Sourcing/CLM, i.e. perform self-registration and submit RFP responses, without requiring them to have VPN access?

Requiring a separate VPN user ID/password for the suppliers to access our company’s network will inhibit the effectiveness of rolling out SAP Sourcing to our suppliers.

- We want to install the SAP Sourcing systems inside the internal firewall.

- The supplier should be able to access the SAP Sourcing systems to do supplier registration and submit RFP responses/submit contracts.

- I understand that the URLs for supplier registration and submitting RFP responses can be different, but they all point to the same server.

1. The URL for supplier registration has /sourcing/fsguestvendor/

2. The URL to submit RFP responses has /sourcing/fsvendor/

3. The URL for internal users has /sourcing/fsbuyer/

Accepted Solutions (1)


former_member89217
Contributor
0 Kudos

Hi Trygve,

There are several ways to address external access for suppliers. Typically the application and database servers are behind a firewall on a secured network. As you suggest, requiring VPN access to this secured network makes supplier registration useless and on-boarding new suppliers a very tedious, expensive and slow process. This has been done in some cases but I don't believe this is the most efficient approach. There are 2 classic approaches to establishing external access.

1) Put a webserver/reverse proxy/webdispatcher in the DMZ and allow traffic for the FSGUESTVENDOR and FSVENDOR servlets to hit this server. This will allow external users access without VPN.

2) Another option is to have 2 completely separate application servers: one in the secured network for internal traffic and one in the DMZ for external traffic; both will point to a common database in the secured network. This also allows for completely separate resources for internal and external load.

Authentication of internal and external users is already divided by separate directory configurations. You can also segment this further by URL. If this is desirable, you would also add a second cluster for the external traffic.  So in effect you would have something like this:

https://<dns_for_external>/sourcing/fsvendor/portal/login

https://<host_for_internal>/sourcing/fsbuyer/portal/login

Both of these options have been successfully implemented in previous installations. How one is used over the other is usually determined by the security and network teams on site.

Gary
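The core of option 1 is that the DMZ proxy forwards only the fsguestvendor and fsvendor servlet paths and never the fsbuyer path. The following is an added example (not from the original post or from SAP) of the path allow-list decision such a proxy rule has to make, including canonicalisation so that encoded or dot-segment variants of a vendor URL cannot resolve to the buyer servlet; the access-log lines and host names it checks are constructed for illustration.

```python
"""Path allow-list check mirroring the DMZ reverse-proxy rule (added example)."""
import posixpath
from urllib.parse import unquote, urlsplit

# Servlets the answer says may be exposed to suppliers via the DMZ proxy,
# and the one that must stay reachable only from the internal network.
EXTERNAL_SERVLETS = {"fsguestvendor", "fsvendor"}
INTERNAL_SERVLET = "fsbuyer"
# Constructed host name standing in for <dns_for_external> in the answer.
EXTERNAL_HOST = "sourcing-ext.example.com"


def normalize_path(raw: str) -> str:
    """Canonicalise a request path before matching it against the allow-list."""
    path = urlsplit(raw).path
    for _ in range(2):                 # undo single and double percent-encoding
        path = unquote(path)
    path = path.replace("\\", "/")
    if not path.startswith("/"):
        path = "/" + path
    # collapse "." and ".." so "/sourcing/fsvendor/../fsbuyer/" becomes "/sourcing/fsbuyer";
    # lower-casing makes the match conservative (case variants of fsbuyer are still denied)
    return posixpath.normpath(path).lower()


def servlet_of(raw: str):
    """Return the servlet name under /sourcing/, or None if the path is elsewhere."""
    parts = [p for p in normalize_path(raw).split("/") if p]
    if len(parts) >= 2 and parts[0] == "sourcing":
        return parts[1]
    return None


def is_allowed_external(raw: str) -> bool:
    """Decision the DMZ proxy should make for a request arriving from the internet."""
    return servlet_of(raw) in EXTERNAL_SERVLETS


def audit_log(lines):
    """Flag requests that reached the buyer servlet through the external host name."""
    findings = []
    for line in lines:
        host, _method, path = line.split()[:3]   # constructed format: host method path status
        if host == EXTERNAL_HOST and servlet_of(path) == INTERNAL_SERVLET:
            findings.append(path)
    return findings


SAMPLE_LOG = [  # constructed sample lines
    "sourcing-ext.example.com GET /sourcing/fsvendor/portal/login 200",
    "sourcing-ext.example.com GET /sourcing/fsvendor/../fsbuyer/portal/login 200",
    "sourcing-int.example.com GET /sourcing/fsbuyer/portal/login 200",
    "sourcing-ext.example.com GET /sourcing/fsguestvendor/portal/register 200",
]
```

Running `audit_log(SAMPLE_LOG)` returns only the dot-segment request that reached fsbuyer via the external host, which is exactly the kind of request the DMZ rule must reject before it is forwarded.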

Former Member
0 Kudos

Hi Gary

Thank you very much for the information. This is very helpful. I have a follow-on question, especially on option 2: to have 2 completely separate application servers.

Does this mean we install SAP Sourcing on two servers, i.e. we have 2 SAP Sourcing instances? If this is the case, then how do we integrate the two separate applications installed on two separate application servers so the two systems can talk to each other? Do we only need to do cluster configuration, or is there any other setup beyond that? Do we only need to set up 1 context and 2 clusters as follows?

- Install external SAP Sourcing within the DMZ; let's say I call this Host_external

- Install internal SAP Sourcing inside the internal firewall; let's say I call this Host_internal

    Set up context_us

    Set up cluster_internal that points to context_us and server Host_internal

    Set up cluster_external that points to context_us and server Host_external

    Set up the internal directory to point to cluster_internal and to context_us

    Set up the external directory to point to cluster_external and to context_us

I would appreciate it if you could validate this.

Thank you,

Trygve

former_member89217
Contributor
0 Kudos

Yes, in a nutshell that's it... a single context with 2 clusters implemented across multiple physical servers. The application is installed and deployed on these separate servers, however they share the same database. So essentially, it is still 1 application but with separate infrastructure for internal and external users. Best to draw it out; the application is very flexible in how it can be deployed. It's just a matter of deciding how and using the proper combination of cluster and directory settings to implement the chosen landscape design. The details of how to deal with the firewalls, physical load balancers if they exist, DNS, etc. is where the actual fun begins.

Former Member
0 Kudos

Gary, thank you very much.

This is very helpful.

FYI, after discussing several options with our Basis, they finally decided to use DataPower devices installed in the DMZ zone. They said this approach simplifies the support of the environment when troubleshooting because the device is managed internally within Basis team.

Kind Regards,

Trygve

steven_pelser
Participant
0 Kudos

Hi Gary, is it possible to have a procedure on how to set this up? I am a Basis consultant and have been tasked with setting this up. We would like to use this option: 1) Put a webserver/reverse proxy/web dispatcher in the DMZ and allow traffic for the FSGUESTVENDOR and FSVENDOR servlets to hit this server. This will allow external users access without VPN. Can you tell me where to start and maybe point me in a direction or URL? Appreciate any help.

Former Member
0 Kudos

Hi Gary,

I would appreciate it if you could help in fixing the issue.

In our case,

Portal and CLM are installed on the same host with different databases.

To communicate with CLM from the Portal, we followed this approach.

1. Created a URL iView in the portal to have access to CLM. For example, one role has access to the CLM buyer URL, another one to the CLM vendor URL.

2. To publish our portal on the internet, we have installed a web dispatcher to handle HTTPS requests by maintaining virtual hosts.

3. Internally, buy-side users will use the real host related URLs.

For example, http://test.sap.internal.com:50000/irj/portal

4. External users will be using https://test.sap.external.com --> this is a virtual host.

5. Hence, we have defined two clusters, of which one points to the internal host (test.sap.internal) and the other points to the external host (https://test.sap.external.com).

Suppliers will be using this external Portal URL: https://test.sap.external.com

Now my question is:

If I use the external Portal URL (https://test.sap.external.com) within the LAN, I should not see the content of CLM.

How can I achieve this functionality?

Now, it is asking for the user ID and password of the CLM login page since we have integrated the CLM URL with an iView.

Once I enter the user ID and password, I am able to access CLM data, which I want to restrict.

Thanks,

Kishore

Answers (1)


steven_pelser
Participant
0 Kudos

Hi

It would be appreciated if you could advise me on the exact steps to set this up.

We want to do the same thing, but we only have one CI CLM server.

Can you please send me the procedure?