
Syclo Agentry setup in a DMZ network

neha_mahanty
Active Participant
0 Kudos

Hi All,

We are working with SMP 2.3 SP03 with SAP Syclo Service Manager 4.0.

The customer requirement is to have Syclo server in a DMZ zone. I could not find any document which describes the steps I should follow to achieve this.

From the documents/forum links which I referred, related to DMZ, I understand that with Agentry we cannot use Relay servers.

Hence the other option we have is proxy / reverse proxy.

Following that, I have created a process flow diagram. PFA. Please let me know if that is correct.

Please let me know if there is any documentation or steps I should follow to achieve this.

Also, are there any specific proxy/reverse proxy servers recommended by SAP which we should follow?

Please advise and suggest.

Thanks and Regards

Neha Mahanty

Tags edited by: Michael Appleby

Accepted Solutions (1)


Former Member
0 Kudos

Neha,

Please see: http://scn.sap.com/docs/DOC-53741

Stephen Streeter

neha_mahanty
Active Participant
0 Kudos

Thanks everyone

Answers (4)


mark_pe
Active Contributor
0 Kudos

The Reverse Proxy needs to be set to TCP/IP pass-through and send the connection to the Agentry Server's ANGEL port (as shown in your Agentry.ini Angel port), and the Agentry Client needs to point to the Reverse Proxy instead of the Agentry Server.

Additional SAP KBAs:

neha_mahanty
Active Participant
0 Kudos

Hi All,

Our client requirement for this is changed now.

SAP - Syclo works only with TCP/IP protocol for connectivity between the mobile device and the Syclo application.

Client is NOT allowing to open the TCP/IP protocol through the DMZ to reach the internal server.

Hence, with this limitation, the only way to achieve this connectivity would be to install the Syclo application on the DMZ network itself.

Please suggest how this should be done. An architecture diagram explaining the Syclo app in the DMZ network and its internal connection to the SAP application would be very helpful.

Please suggest.

Thanks and Regards

Neha Mahanty

RobEricsson
Participant
0 Kudos

Hi Neha,

An ASCII diagram looks something like this:

Client --> External FW --> Agentry Server --> Internal FW --> SAP ERP

The internal firewall would need to be configured to allow JCo communications between the Agentry Server and SAP ERP. The standard GUI port (32xx) can be used for this.

I hope that is helpful.

Best regards,

Rob

Former Member
0 Kudos

With Work Manager 5.3 and later, you will also need to make sure the HTTPXML listenOn System connection port is open, so you are able to get updates from the SAP Server for Push messages.

bill_froelich
Product and Topic Expert
0 Kudos

The other option is to put a reverse proxy / load balancer in the DMZ to receive the traffic and forward on to the Agentry server. I'm not sure whether your statement that they won't allow TCP/IP through also means this option is not possible.

Client --> External FW --> Load Balancer / Reverse Proxy (port 7003) --> Internal FW --> Agentry (different port i.e. 7005) --> SAP ERP

Just another option to consider.

--Bill
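
The layout described in the post above (proxy in the DMZ on port 7003, forwarding to Agentry on a different port such as 7005), written as an nginx layer-4 configuration. This is an added example, not part of the original thread and not an SAP-supplied configuration; the upstream address 192.0.2.10, the log path, the timeouts and the connection limit are assumptions.

```nginx
# Added example: nginx as a TCP pass-through reverse proxy in the DMZ.
# This block belongs in the main nginx.conf context, NOT inside http {}.
# Requires nginx built with the stream module.

stream {
    # Assumed address of the internal Agentry server (documentation range).
    upstream agentry_angel {
        # Port must match the ANGEL port set in Agentry.ini
        # (7005 in the thread's example).
        server 192.0.2.10:7005;
    }

    # Connection-level log: there are no HTTP requests to log at layer 4,
    # so record peer, byte counts and session length for later review.
    log_format agentry '$remote_addr [$time_local] $protocol $status '
                       '$bytes_sent $bytes_received $session_time';
    access_log /var/log/nginx/agentry_stream.log agentry;

    # Track concurrent connections per client address.
    limit_conn_zone $binary_remote_addr zone=per_ip:10m;

    server {
        # Port the Agentry clients are pointed at (external FW allows only this).
        listen 7003;

        # Bytes are relayed unmodified; nginx does not parse the payload,
        # which is what "TCP pass-through" means for the ANGEL protocol.
        proxy_pass agentry_angel;

        proxy_connect_timeout 5s;   # fail fast if the internal FW blocks 7005
        proxy_timeout 10m;          # assumed idle timeout for a client session
        limit_conn per_ip 20;       # assumed cap on sessions per source address
    }
}
```

With this in place the internal firewall only needs to allow the proxy host to reach the Agentry port, and the stream log gives a per-connection record at the DMZ boundary.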

neha_mahanty
Active Participant
0 Kudos

Hi All,

Thanks for all the suggestions. Based on your inputs I have redesigned the architecture diagram. PFA.

Please guide me on what protocol is supported in order to achieve this and also what ports I need to open.

bill_froelich
Product and Topic Expert
0 Kudos

Neha,

I don't see any diagram.  Can you attach it or share it?  Based on that we can provide some input on what protocols / ports are used and need to be opened.

--Bill

Former Member
0 Kudos

From the internet to the DMZ you need to open the ANGEL Front End Connection Port, default of 7003, which is a TCP-based connection.

From the Agentry Server to the backend systems you need to open all needed ports for the SAP JCo port(s); the Agentry Server also listens for an HTTP connection that comes from the SAP system, and this defaults to 8282.

If you have any other backend connections open, like SQL databases, the ports for each of the systems need to be opened.

Stephen Streeter

midhun_vp
Active Contributor
0 Kudos

It is recommended to keep the server inside the firewall. Your design looks perfect since relay server is not supported by Syclo apps and you are going with reverse. Also note that in SMP 3.0 Agentry apps will not support reverse proxy. In future it may be supported.

Midhun VP

Former Member
0 Kudos

While SMP 3.0 Agentry applications still don't support relay servers, their server-client connection is HTTPS with WebSockets.

Former Member
0 Kudos

Steve,

Can you confirm this pls? I have been informed by folks from Product mgmt that Agentry is now supported on Relay for HTTPS without inspection with SMP3.0...

bill_froelich
Product and Topic Expert
0 Kudos

Just to clarify...


In SMP 3.0, your Agentry apps still support reverse proxy connections from your clients. If the reverse proxy is set up for TCP pass-through traffic (just as for Agentry or SMP 2.3) it will route and work just fine with SMP 3.0. Additionally, in SMP 3.0 the Agentry connections are switching to WebSocket-based connections so that you can potentially also use an HTTPS proxy like the relay server.


While I have not yet used the relay server with SMP 3.0 Agentry applications, I have tested my Agentry applications behind a reverse proxy using TCP passthrough and they work as expected.


--Bill

Former Member
0 Kudos

From my understanding, Relay Server doesn't currently support WebSockets, which the new client connection needs. If at any point Relay Server does work with WebSockets, then it will be able to work with the Agentry Client connection.

Former Member
0 Kudos

In SMP 3.0, Agentry does officially support nginx:

https://service.sap.com/sap/support/notes/1904213

neha_mahanty
Active Participant
0 Kudos

Thanks Everyone.

I shall try this.

Regards

Neha Mahanty

ray_isada
Participant
0 Kudos

Hi Neha -

With the exception of the Load Balancer, this diagram pretty much mirrors what you have:

http://infocenter.sybase.com/help/topic/com.sybase.infocenter.dc01919.0233/doc/html/apr1374254815627...

The rest of the documentation is available from that link. We do not make recommendations as far as specific proxy/reverse proxy servers - as long as they can handle TCP/IP traffic per Robert's comment above.

Hope this helps,

Ray

RobEricsson
Participant
0 Kudos

Hi Neha,

My experience in this area is with Work Manager which should be similar. Your diagram is correct. I've not seen any official documentation on this and got a recommendation from SAP directly on how to set it up. Any proxy server that can handle TCP/IP traffic should be fine (e.g. it can't just be an HTTP(S)).

Typically, we have used VPN from the client devices and put the Agentry server inside the firewall. For most situations, this works better as they already have a VPN in place and this is just an extension to what they already do with the mobile devices.

Best regards,

Rob