Issue running NW Gateway in DMZ domain

Former Member
0 Kudos

I am working on an implementation of NW Gateway and have run into an issue which I would think that others have run into and overcome.  The architecture we decided to go with from the beginning is to have Gateway in DMZ with reverse proxy to that system, rather than in the same domain as our backend systems.

For the RFCs from Gateway to backend we did not want to use a single user, which I understand is against SAP license for this purpose anyway, so I set the RFC to use SNC, that way the user connecting to gateway is passed to the backend and authorizations are checked against their user ID. The SPN for both systems is set up correctly and RFCs work before setting SNC. My understanding of what is causing this issue is the attempt to use SPNs across domains. The research that I have been doing tells me that in order for SPNs to be accepted by either system there needs to be domain trust or the systems need to be in the same domain. We will not set up a trust between DMZ and the domain where SAP lives for obvious reasons, and our network security team does not want us to put an Internet facing server in the domain with our other SAP systems.

Because of this issue, I am exploring other options.

For others out there that have used a similar scenario, how do you have Gateway configured to connect to your backend?

For those of you that have an Internet facing Gateway in the same domain as your backend, what do you do to prevent attackers from breaking into your domain?

Accepted Solutions (1)

0 Kudos

Do you need to use SPN? You can also use X.509 (certificates) with SNC. The certificates may even be generated by a small local CA, or even only within SAP (STRUST).

Best regards,

Jürgen

Former Member
0 Kudos

Hi Jurgen,

Thanks for your reply!  I do know that for client/server SSO X.509 can be used, but my understanding of using SNC from server to server was that I must use SPN.  I will look further into this and try out your suggestion.  That can be a viable solution if it will work.

Thanks,

Derek

Former Member
0 Kudos

Thanks again for your reply, Jurgen.  I did a bit of research on this and found that it may be possible to use X.509 for this.  However, we decided to go a much simpler route and move the Gateway to the same domain as our backend systems, which will eliminate this issue, using reverse proxy to send requests to Gateway and filter requests on our load balancer for a bit of added security.
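The "small local CA" that Jürgen mentions, and the certificate-based SNC identity Derek looked into, can be exercised with plain OpenSSL before anything is imported into STRUST. The script below is an added example written for this thread, not code from any of the participants or from SAP: it creates a self-signed CA, issues one certificate per system (the gateway and the backend), confirms that each certificate chains to that CA, and shows that a certificate from any other issuer is rejected. Host names, organisation names and the working directory are constructed placeholders. The `p:` prefix on the printed identity reflects the common SAP convention for X.509 SNC names (prefix plus the certificate subject DN) and is stated here as an assumption to verify against your release's documentation.

```shell
#!/bin/sh
# Added example (not from the thread): build a tiny local CA and issue one
# certificate per SAP system, so both ends of the SNC link trust one issuer.
# All names and paths below are constructed placeholders.
set -e

WORK="${WORK:-$(mktemp -d)}"
GW_DN="/C=US/O=Example Corp/OU=SAP/CN=sapgw.example.test"
BE_DN="/C=US/O=Example Corp/OU=SAP/CN=saperp.example.test"

make_local_ca() {
  # Self-signed root, kept offline; only ca.crt is imported into each system's PSE.
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
    -out "$WORK/ca.key" 2>/dev/null
  openssl req -x509 -new -key "$WORK/ca.key" -days 3650 \
    -subj "/C=US/O=Example Corp/OU=SAP/CN=Example SAP SNC CA" \
    -out "$WORK/ca.crt" 2>/dev/null
}

issue_cert() {
  # $1 = file prefix, $2 = subject DN. Produces $1.key and $1.crt signed by the CA.
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
    -out "$WORK/$1.key" 2>/dev/null
  openssl req -new -key "$WORK/$1.key" -subj "$2" -out "$WORK/$1.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 730 -out "$WORK/$1.crt" 2>/dev/null
}

issue_selfsigned() {
  # A certificate that does NOT come from our CA, to show it is not accepted.
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$WORK/$1.key" \
    -subj "$2" -days 730 -out "$WORK/$1.crt" 2>/dev/null
}

verify_cert() {
  # The same check each peer performs: the presented cert must chain to ca.crt.
  openssl verify -CAfile "$WORK/ca.crt" "$WORK/$1.crt" >/dev/null 2>&1
}

snc_name() {
  # Subject DN in comma form; the SNC identity is this DN with a "p:" prefix
  # (assumption about SAP's X.509 naming convention, see lead-in).
  openssl x509 -in "$WORK/$1.crt" -noout -subject -nameopt RFC2253 \
    | sed 's/^subject= *//'
}

build_all() {
  make_local_ca
  issue_cert gateway "$GW_DN"
  issue_cert backend "$BE_DN"
  issue_selfsigned rogue "/C=US/O=Somebody Else/CN=sapgw.example.test"
}

build_all
echo "Gateway SNC name: p:$(snc_name gateway)"
echo "Backend SNC name: p:$(snc_name backend)"
if verify_cert rogue; then
  echo "rogue certificate unexpectedly accepted"
else
  echo "rogue certificate rejected (not issued by our CA)"
fi
```

The point of the `rogue` certificate is the one a reviewer of this design would want to see: the subject CN matches the gateway host exactly, yet the backend's check fails because trust is anchored in the issuer, not in the name. That is what lets this scheme replace the cross-domain Kerberos trust the original post could not set up.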

Answers (0)