
Security issues when PI in DMZ

Former Member
0 Kudos

Dear All,

I have a scenario (without ESR) where I need to process the payment file (text file) to the bank. However, the PI system is in the DMZ, and the customer's infrastructure team is not willing to open the SFTP port (22) from PI into their local network, where ECC has been placed. Consequently, I am not able to connect to the ECC system from PI using the SFTP adapter. They see a security issue here: if the port is open from PI to ECC, it can make a way to hack the other systems in their local network.

Please advise how to deal with this kind of scenario.

Thanks,

Farhan

Accepted Solutions (1)


iaki_vila
Active Contributor
0 Kudos

Hi Farhan,

You can send the file to ECC as an attachment via ABAP proxy; obviously, you should have the connection via ABAP proxy open.

I normally see the PI in the MZ and an external web server like Tomcat in the DMZ to allow/deny the connections; maybe the PI wouldn't be in the DMZ.

Regards.

Former Member
0 Kudos

Hi Iñaki Vila,

Thanks a lot for the quick response. I have another way (by ABAP program or ABAP proxy) to process the file from ECC to PI AL11 and vice versa. However, I am looking for a permanent solution for this problem, as you have suggested, to place the PI back in the MZ or local network.

Could you please elaborate on how we can use "tomcat in the DMZ to allow/deny the connections"?

Thanks,

Farhan

iaki_vila
Active Contributor
0 Kudos

Hi Farhan,

First of all, SAP has its own web server; check this link: SAP Web Dispatcher - SAP Library. I don't know if you will need an extra license.

I'm not a Basis guy and unfortunately I can't help you in this aspect. You have URLs to research about this, such as http://tomcat.apache.org/tomcat-5.5-doc/config/http.html, but I think you would need to talk with your infrastructure team.

On the other hand, having a system directory accessible via ECC (MZ) and PI (DMZ) is not a good solution. You can think about sending the file via SOAP attachment and having ESR development, or having a system directory only accessible via SFTP from the MZ and the DMZ.

Regards.

Answers (1)


AnilDandi
Active Participant
0 Kudos

Hi Farhan

If the FTP port on ECC (DMZ --> ECC) can't be opened, can the port on PI (ECC --> DMZ) be opened? In that case, you will have to place the file on the PI system's filesystem and write an FTP program on the ECC system to go fetch the file.

The other option requires changing the system architecture. You migrate the PI system from the DMZ to the LAN. Inbound communication from outside the corporate FW first goes to the Web Dispatcher in the DMZ. The Web Dispatcher relays those calls to the PI system in the LAN.

regards
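
The options in the answer above differ in which zone initiates the connection. As an added example (not code from this thread or from SAP), the following Python script audits a list of firewall permits for DMZ-initiated connections into the LAN; the zone ranges, host addresses, ports 443/8443 and rule names are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass

# Constructed addressing (assumption): documentation ranges stand in for the zones.
DMZ = ipaddress.ip_network("192.0.2.0/24")       # PI today, Web Dispatcher in option 2
LAN = ipaddress.ip_network("198.51.100.0/24")    # ECC, and PI after a migration

@dataclass(frozen=True)
class Rule:
    """One firewall permit for NEW connections; replies are assumed stateful."""
    name: str
    src: str   # CIDR allowed to initiate
    dst: str   # CIDR allowed to be reached
    port: int  # destination TCP port

def audit(rules, approved=frozenset()):
    """Return names of permits that let a DMZ address open a connection into the LAN.

    `approved` holds exact (src, dst, port) tuples that were reviewed and accepted.
    """
    findings = []
    for r in rules:
        src = ipaddress.ip_network(r.src)
        dst = ipaddress.ip_network(r.dst)
        crosses_inward = src.overlaps(DMZ) and dst.overlaps(LAN)
        if crosses_inward and (r.src, r.dst, r.port) not in approved:
            findings.append(r.name)
    return findings

# The permit requested in the question: PI (DMZ) initiates SFTP to ECC (LAN).
PUSH = [Rule("pi-sftp-to-ecc", "192.0.2.10/32", "198.51.100.20/32", 22)]
# Option 1 from the answer: ECC (LAN) initiates and fetches the file from PI.
PULL = [Rule("ecc-fetch-from-pi", "198.51.100.20/32", "192.0.2.10/32", 22)]
# Option 2: PI moves to the LAN; only the Web Dispatcher in the DMZ relays to it.
RELAY = [
    Rule("internet-to-webdisp", "0.0.0.0/0", "192.0.2.30/32", 443),
    Rule("webdisp-to-pi", "192.0.2.30/32", "198.51.100.40/32", 8443),  # port constructed
]
RELAY_APPROVED = frozenset({("192.0.2.30/32", "198.51.100.40/32", 8443)})

if __name__ == "__main__":
    print("push :", audit(PUSH))
    print("pull :", audit(PULL))
    print("relay:", audit(RELAY))
    print("relay with reviewed exception:", audit(RELAY, RELAY_APPROVED))
```

The relay design still contains one DMZ-to-LAN permit, so the audit flags it until that single Web Dispatcher to PI flow is recorded as a reviewed exception.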