Internet access to ECC environment
Currently our end-users logs to our ECC environment from our network, with SNC access and SSO via Kerberos (with Microsoft Kerberos library gsskrb5.dll)
Now we're planning to grant SAPGUI access to some users to our ECC environment through Internet. Our planned landscape would be the next:
SAPGUI (end-user) --> SNC (WAN) --> Firewall --> SAProuter (in DMZ) --> Firewall --> ECC
SNC connection MUST be used between SAPGUI and SAProuter, so any other traffic or connection attempts would be rejected by our SAProuter.
This network topology is currently used in our SAP Support Channel connection, but there's a SAProuter at SAP side. Is it possible to allow connections from end-users directly to our SAProuter using Internet access? Would be a security hole in our organization? Is it necessary to install any additional software (SNC-certified software by SAP)? What do you think about IP-rules in our firewall (only allows connection to a IP range)?
Any recommendation or best-practice is welcomed.