Agentry, DMZ settings/VPN

Former Member
0 Kudos

Hello Agentry followers. We have several implementations pending on Agentry. Our client is looking into an Agentry DMZ deployment option. Is there a document, on top of the admin and configuration guides, which describes the different pros and cons for such a setup, versus, for example, a VPN connection of mobile clients into the corporate network?

thanks

Stephan

Accepted Solutions (1)

i834235
Product and Topic Expert
0 Kudos

Stephan,

It was not clear from your question whether your questions were related to Agentry on the SMP 3.0 platform or Agentry as a standalone server. In SMP 3.0 the Agentry client uses WebSockets, which is an HTTPS-based protocol.

We don't have any specific documents which list out the pros and cons of Agentry in a DMZ versus non-DMZ. I think a lot of customers have concerns about security and the data that gets transmitted between the Agentry client and SAP. We need to explain the architecture of Agentry and how it works.

a) Typically we have seen customers putting the Agentry Server in the DMZ zone. Since Agentry uses the Angel protocol in Agentry 6.0 and earlier versions, your data is encrypted from client to server. If data needs to be encrypted all the way to SAP, we have to modify some Java classes to use SAP SNC encryption from Agentry to the SAP server. The Agentry server communicates with SAP systems using the SAP Java Connector.

b) Yes, in future all Agentry-based products will be closely aligned with other SAP products when it comes to SSO. By default, OOB Agentry products come with client/server certificates to meet basis security needs. You can always create your own self-signed certificates depending on your requirements.

c) You can look at some security settings that can be made on the Agentry client side, like lockout time, idle time, and password retry, such that after 3 incorrect passwords, data on the client can be wiped out.

d) I'm not clear on the question... This could be more a matter of VPN connection settings on the device than Agentry client requirements or settings.

Let me know if I have answered your question.

Thanks - Manju

SAP Rapid Innovation Group - RIG

Former Member
0 Kudos

Hello Manju, thanks for the overview. Where would those client settings mentioned in point c) above be made?

thanks

Stephan

bill_froelich
Product and Topic Expert
0 Kudos

Stephan,

All the security settings Manju mentioned are exposed in the Agentry Editor under Application | Application Security. As Manju mentioned, you can configure idle and lockout behavior for your application, and for the newer devices (iOS / Android) you can also choose to have the local database on the device encrypted to further protect your data in the event of a device being lost or stolen. The Engineering team is also working on further enhancing the security options available with respect to certificate handling and options for these devices.

In terms of your question d) around VPN, many customers do choose to leverage their existing VPN infrastructure to also protect the connections to the Agentry server. The user simply establishes the VPN connection on the device (outside of Agentry) and the Agentry traffic automatically routes over the connection based on the host connection / routing defined by the VPN. We don't need to make any special configuration in Agentry to have it utilize the VPN.

--Bill Froelich

  Global Mobility Services

Answers (1)

agentry_src
Active Contributor
0 Kudos

Hi Stephan,

I would first take a look at the new Agentry Landing page (should bookmark it) which links to most all things Agentry. 

As you probably noticed, there is more Agentry traffic here than even as little as two months ago. Partly this is due to the Forums in the Syclo Resource Center being shut down, partly due to some proselytizing (not just by me either), and partly due to the greatly increasing number of documents being posted in this community and in the SAP Mobility Wiki (link in the Landing Page).

Good to hear from you!

Cheers, Mike

SAP Rapid Innovation Group - RIG

Former Member
0 Kudos

Thanks Mike, now do I have to move this discussion somewhere there, or does it stay here? Perhaps some background is useful as well.

Agentry is built as an offline-capable platform, but sometimes clients want to use it online as much as possible. Therefore they are investigating ways to expose the Agentry server beyond the firewall, and are asking for recommendations on how to do this. We did get some materials from SAP/Syclo support indicating that this can be done. I do understand that the setup of this probably requires additional client authentication settings as per the guide. The issues I would like to get feedback on are:

a) If an Agentry server is in some DMZ, the RFC SAP Gateway TCP port needs to be opened to the DMZ. Of course the Agentry server port needs to be opened as well. The only protection of the Agentry server itself beyond communication encryption is the client authentication feature. Is this an SAP-supported approach from a security perspective?

b) Classically, all SAP products fall under some NW Security settings like SSO. So far the Agentry server seems to be more standalone if you look at the use of open source SSL or MS Crypto providers. Is it safe to assume that we will see a closer alignment here in the future?

c) Device management at SAP would be related to Afaria. How does this play together? How to handle it if Afaria is not used and, e.g., a device is stolen? Update the CA certificate and all other devices?

d) What about standard network options like a VPN connection from the mobile device to the internal network? Usually this technology would cover more security settings and not expose any ports beyond the VPN port, which can be SSL.

thanks

Stephan

agentry_src
Active Contributor
0 Kudos

Hi Stephan,

No, just leave it here.  This is pretty much the main Agentry Forum (Community) going forward.  Not that it couldn't change, but for now...

I would have to defer to the real Agentry experts to answer the security/DMZ questions.  Will try to steer a few folks to respond directly to this Discussion.

Regards, Mike

SAP Rapid Innovation Group - RIG