on 03-03-2014 1:12 PM
Hi All,
We are working with SMP 2.3 SP03 with SAP Syclo Service Manager 4.0
The customer requirement is to have Syclo server in a DMZ zone. I could not find any document which describes the steps I should follow to achieve this.
From the documents/forum links which I referred, related to DMZ, I understand that with Agentry we cannot use Relay servers.
Hence the other option we have is proxy / reverse proxy.
Following that I have created a process flow diagram. PFA. Please let me know if that is correct.
Please let me know if there is any documentation or steps I should follow to achieve this.
Also, are there any specific proxy/reverse proxy servers recommended by SAP which we should follow?
Please advise and suggest
Thanks and Regards
Neha Mahanty
Tags edited by: Michael Appleby
The Reverse proxy needs to be set to TCP/IP pass-through and send the connection to the Agentry Server's ANGEL port (as shown in your Agentry.ini Angel port), and the Agentry Client needs to point to the Reverse Proxy instead of the Agentry Server.
Additional SAP KBAs:
Hi All,
Our client requirement for this is changed now.
SAP - Syclo works only with TCP/IP protocol for connectivity between the mobile device and Syclo application
Client is NOT allowing to open the TCP/IP protocol through the DMZ to reach the internal server
Hence with this limitation, the only way to achieve this connectivity would be to install the Syclo application on the DMZ network itself.
Please suggest how this should be done. An architecture diagram explaining the Syclo app in DMZ network and its internal connection to SAP application would be very helpful.
Please suggest
Thanks and Regards
Neha Mahanty
Hi Neha,
An ASCII diagram looks something like this:
Client --> External FW --> Agentry Server --> Internal FW --> SAP ERP
The internal firewall would need to be configured to allow JCo communications between the Agentry Server and SAP ERP. The standard GUI port (32xx) can be used for this.
I hope that is helpful.
Best regards,
Rob
The other option is to put a reverse proxy / load balancer in the DMZ to receive the traffic and forward on to the Agentry server. I'm not sure by your statement that they won't allow TCP/IP through also means this option is not possible.
Client --> External FW --> Load Balancer / Reverse Proxy (port 7003) --> internal FW --> Agentry (different port i.e. 7005) --> SAP ERP
Just another option to consider.
--Bill
From the internet to the DMZ you need to open the ANGEL Front End Connection Port, default of 7003, which is a TCP-based connection.
From the Agentry Server to the backend systems you need to open all needed ports, for SAP JCo port(s), and also the Agentry Server listens for an HTTP connection that comes from the SAP System, and this defaults to 8282.
If you have any other backend connections open like SQL databases, the ports for each of the systems need to be opened.
Stephen Streeter
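The port list in the reply above can be checked against a firewall rule export before go-live. The following is an added example, not part of the thread and not SAP tooling; the zone names, the `Rule` shape, the constructed sample rules and the reading of "32xx" as ports 3200-3299 are assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    src: str       # source zone (hypothetical zone names)
    dst: str       # destination zone
    proto: str
    ports: range   # range(lo, hi + 1)

# Flows the thread names for an Agentry server placed in the DMZ.
# Assumption: "32xx" is read as 3200-3299 (one port per SAP instance number).
REQUIRED = {
    "ANGEL client port": Rule("internet", "dmz", "tcp", range(7003, 7004)),
    "JCo to SAP ERP": Rule("dmz", "internal", "tcp", range(3200, 3300)),
    "SAP HTTP callback": Rule("internal", "dmz", "tcp", range(8282, 8283)),
}

def _same_path(a, b):
    return (a.src, a.dst, a.proto) == (b.src, b.dst, b.proto)

def audit(rules):
    """Return rules wider than the required flows, and required flows not opened."""
    findings = []
    for r in rules:
        allowed = set()
        for need in REQUIRED.values():
            if _same_path(r, need):
                allowed |= set(need.ports)
        excess = sorted(set(r.ports) - allowed)
        if excess:
            # Lowest and highest port with no flow in the thread to justify it.
            findings.append(("excess", r.src, r.dst, excess[0], excess[-1]))
    for name, need in REQUIRED.items():
        # A flow counts as opened if at least one port of its range is allowed.
        if not any(_same_path(r, need) and set(r.ports) & set(need.ports)
                   for r in rules):
            findings.append(("missing", name))
    return findings

# Constructed sample export: the callback port was forgotten, and one rule
# lets the internet reach the internal zone directly.
SAMPLE = [
    Rule("internet", "dmz", "tcp", range(7003, 7004)),
    Rule("dmz", "internal", "tcp", range(3200, 3201)),
    Rule("internet", "internal", "tcp", range(7003, 7004)),
]

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

Additional backend ports such as SQL databases would be added to `REQUIRED` per system, as the reply notes.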
It is recommended to keep the server inside the firewall. Your design looks perfect since relay server is not supported by Syclo apps and you are going with reverse. Also note that in SMP3.0 Agentry apps will not support reverse proxy. In future it may be supported.
Midhun VP
Just to clarify...
In SMP3.0, your Agentry apps still support reverse proxy connections from your clients. If the reverse proxy is set up for TCP pass-through traffic (just as for Agentry or SMP 2.3) it will route and work just fine with SMP 3.0. Additionally, in SMP 3.0 the Agentry connections are switching to websocket-based connections so that you can potentially also use an HTTPS proxy like the relay server.
While I have not yet used the relay server with SMP 3.0 Agentry applications, I have tested my Agentry applications behind a reverse proxy using TCP passthrough and they work as expected.
--Bill
In SMP 3.0 Agentry does officially support nginx
Hi Neha -
With the exception of the Load Balancer, this diagram pretty much mirrors what you have:
The rest of the documentation is available from that link. We do not make recommendations as far as specific proxy/reverse proxy servers - as long as they can handle TCP/IP traffic per Robert's comment above.
Hope this helps,
Ray
Hi Neha,
My experience in this area is with Work Manager which should be similar. Your diagram is correct. I've not seen any official documentation on this and got a recommendation from SAP directly on how to set it up. Any proxy server that can handle TCP/IP traffic should be fine (e.g. it can't just be an HTTP(S)).
Typically, we have used VPN from the client devices and put the Agentry server inside the firewall. For most situations, this works better as they already have a VPN in place and this is just an extension to what they already do with the mobile devices.
Best regards,
Rob