Internet access to ECC environment

SergioSanchez
Explorer
0 Kudos

Hi, guys

Currently our end-users log in to our ECC environment from our network, with SNC access and SSO via Kerberos (with the Microsoft Kerberos library gsskrb5.dll).

Now we're planning to grant SAPGUI access to some users to our ECC environment through the Internet. Our planned landscape would be the following:

     SAPGUI (end-user) --> SNC (WAN) --> Firewall --> SAProuter (in DMZ) --> Firewall --> ECC

SNC connection MUST be used between SAPGUI and SAProuter, so any other traffic or connection attempts would be rejected by our SAProuter.

This network topology is currently used in our SAP Support Channel connection, but there's a SAProuter at SAP's side. Is it possible to allow connections from end-users directly to our SAProuter using Internet access? Would it be a security hole in our organization? Is it necessary to install any additional software (SNC-certified software by SAP)? What do you think about IP rules in our firewall (only allowing connections to an IP range)?

Any recommendation or best-practice is welcomed.

Best regards,

Sergio Sánchez

1 ACCEPTED SOLUTION

tim_alsop
Active Contributor
0 Kudos

Hi,

You need to be aware that SAP GUI use of SNC is not the same as SAP Router use of SNC. When SAP GUI is using SNC, it is at the application layer (user authentication / SSO etc.), but SAP Router uses SNC to secure network transport layer communications, so it is typically used to secure IP communications between companies (e.g. between your company network and the SAP network for support). So, I'm not sure if SAP Router is right for your requirement. Instead, I would suggest you consider using a traditional VPN. The user can authenticate using the VPN and they can then access the SAP system using SAP GUI over the VPN tunnel (authenticating using SNC / Kerberos). This will also mean that (maybe in future if needed) the users can use other SAP applications over the same VPN tunnel, such as web-based applications (web gui, nwbc, crm ui etc.). Also, when using a VPN the users can be required to authenticate using two-factor authentication, so you are providing stronger security controls for users accessing your SAP systems from the Internet.

Thanks

Tim

5 REPLIES


0 Kudos

Hi, Tim

Thanks for your quick answer.

Regarding using a traditional VPN, we're currently using VPN connections in some cases. However, our IT security department has strict requirements when a site has to connect to our headquarters facilities via VPN (network requirements, PC & laptop requirements, firewall requirements and so on). In some cases, these requirements aren't fulfilled (sites at business centers, offices shared with our partners...) and we need a different alternative.

Especially in those cases, we need to allow some users to log in to our ECC environment and, additionally, we can't deploy a SAProuter on the other side because it is "out of our scope". This is the reason why we raised the question.

Many thanks,

Sergio

tim_alsop
Active Contributor
0 Kudos

The SNC in the SAP Router product will only work with another SAP Router (not SAP GUI). So, if you have SAP Router in your DMZ, and you must use this, then you must have SAP Router somewhere else. I doubt you would want to put SAP Router on a user's workstation 🙂

Unless I misunderstand your situation, I think you have to use a VPN unless you open a 'hole' in your firewall for the SAP GUI ports (32xx etc.) and put appropriate firewall rules in place for the IP port / NAT etc. and see if your network security team allow that.

Thanks

Tim

0 Kudos

You are right. We want to open one port in our firewall to allow SAProuter connections (port 3299, for example), establish NAT and so on. So we need to use the SNC protocol to secure communications. To increase security, we can try to implement IP filtering in the firewalls or in the SAProuter table.

Do you know if there is some 3rd-party software certified by SAP to allow direct SNC connections between SAP GUI and SAProuter?

Thanks,

Sergio

tim_alsop
Active Contributor
0 Kudos

As I have explained, it is not possible to use SNC between SAP GUI and SAP Router. If it were possible then I am sure a third party or SAP themselves would have provided something for this. The SAP Router uses SNC at a lower level in the protocol stack and SAP GUI uses SNC at a high level in the protocol stack (application level).

In summary, the options are:

1. Open a hole in the firewall so that SAP GUI (authenticated using SNC) can connect to ECC through the hole (no SAP Router involved)

2. Put SAP Router on the users' workstations so that SAP Router can talk to SAP Router and SAP GUI (with SNC) can be used over the SAP Router <--> SAP Router connection.

3. Use a VPN

Thanks

Tim
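Added example, not part of any post in this thread and not taken from SAP documentation: a route permission table (saprouttab) for the DMZ SAProuter in the landscape above, written for Tim's option 2, where the remote side also runs a SAProuter. It puts the overly permissive entry that Sergio's "open port 3299 plus an IP filter" plan would amount to next to the entry that actually requires SNC from a named partner router. All hostnames, IP addresses and SNC names are constructed placeholders. Entries are matched top to bottom and the first match wins, so the catch-all deny has to stay last.

```text
# saprouttab for the DMZ SAProuter  (constructed example, placeholder values)
# Entry format:  <action> <source-host> <dest-host> <dest-service> [password]
#   P  = permit a route (no SNC required from the source)
#   D  = deny a route
#   KP = permit a route only if the source is a SAProuter that authenticated
#        via SNC under the quoted SNC name
#   KD = deny such an SNC route
# The DMZ router itself must be started with an SNC identity for KP/KD entries
# to mean anything, e.g. (hypothetical names):
#   saprouter -r -S 3299 -K "p:CN=saprouter-dmz, OU=IT, O=Example, C=ES" -R /path/to/saprouttab

# WEAK: what a plain "open 3299 and filter by source address" plan enforces.
# Only the source address is checked; any client in that range that speaks the
# NI protocol is forwarded to the ECC dispatcher. SNC for the SAP GUI session is
# negotiated end-to-end with the ECC application server, not with this router,
# so the router cannot reject non-SNC GUI logons here.
# P 203.0.113.* 10.10.0.10 3200

# HARDENED: only the remote office's SAProuter, proven via SNC, may reach the
# ECC dispatcher port. A connection that is not SNC-protected never matches.
KP "p:CN=saprouter-remote-office, OU=IT, O=Example, C=ES" 10.10.0.10 3200

# Refuse the same partner every other destination and service (gateway,
# message server, other instances), so a compromise of the remote router
# cannot pivot further.
KD "p:CN=saprouter-remote-office, OU=IT, O=Example, C=ES" * *

# Catch-all deny. Keep this last: placed first it would shadow the KP entry
# and block every route.
D * * *
```

Two points worth checking on such a table: that the ECC profile still enforces SNC for GUI logons (the `snc/*` parameters on the application server), because the router only controls which TCP routes exist and not whether the DIAG session inside them is protected; and that the table is reloaded (or the router restarted) after edits, since a permissive entry left in place while testing is exactly the hole the thread warns about.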