on 11-19-2015 8:33 PM
Hello,
My company is running a centralized SAP PI/PO AEX and BPM (7.4), Java only, to which many internal systems connect. We have a new requirement to process messages from external vendors. Corporate Security is insisting that we have the external users authenticate in the DMZ. With this stipulation, our options seem to be limited to building an AEX in the DMZ with a load balancer in front of it, whether it's Cisco or SAP WD. The problem with this is that we are also trying to limit the complexity/footprint of the applications in the DMZ (simpler apps have fewer maintenance needs). An AEX instance will require failover capability and a database, both also in the DMZ.
Can we do this with the SAP Web Dispatcher alone in the DMZ? I have read the document regarding SAP Web Dispatcher Security and it seems that, although we can provide layers of filtering, there is still no authentication capability.
Are there alternatives that I am missing here?
Thanks much,
Diane Maller
Hello Diane,
The Web Dispatcher does not perform authentication (besides the authentication to its own Web Administration Page).
Authentication will take place at the backend system.
Regards,
Isaías
Hi Diane,
For your requirement, a commonly implemented solution is the installation of a non-central Advanced Adapter Engine (ncAAE) together with a dedicated Web Dispatcher or any other load balancer for it, both placed in the DMZ, with the ncAAE connected to your central PO system (which is presumably located in the intranet). It isn't necessary to install an AEX in the DMZ since you already have PO in your landscape and you only need a runtime engine for message processing in the DMZ, so an ncAAE is normally sufficient.
Regards,
Vadim
Hello Diane,
You are welcome.
From the Web Dispatcher perspective, the most common scenario would be to put the Web Dispatcher in the DMZ.
Then, you can open only the Web Dispatcher ports to the external access.
You would also need to allow the Web Dispatcher to reach the HTTP(S) ports of the backend system (from the Message Server and from the ICM of each instance).
Regards,
Isaías
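The placement described in the reply above (only the Web Dispatcher ports open to external access, and the Web Dispatcher allowed to reach the message server and the ICM HTTP(S) port of each instance) can be checked against a firewall rule export. The following is an added example, not part of the original thread; every host name, port number and the rule format are constructed assumptions.

```python
# Added example: audits a constructed firewall rule list against the
# placement described above. All hosts and ports are made-up sample values.
from typing import NamedTuple

class Rule(NamedTuple):
    src: str   # source zone or host
    dst: str   # destination host
    port: int  # destination TCP port

WEBDISP = "webdisp.dmz.example"          # assumed Web Dispatcher host
WEBDISP_PORTS = {443}                    # assumed externally published port
# Assumed backend endpoints the Web Dispatcher must reach:
# the message server HTTP(S) port and the ICM HTTP(S) port of each instance.
BACKEND = {
    ("po-ms.intra.example", 8101),       # message server
    ("po-app1.intra.example", 50001),    # ICM, instance 1
    ("po-app2.intra.example", 50101),    # ICM, instance 2
}

def audit(rules):
    """Return (excess, missing): rules beyond the design, and required paths absent."""
    excess = []
    for r in rules:
        if r.src == "internet":
            ok = r.dst == WEBDISP and r.port in WEBDISP_PORTS
        elif r.src == WEBDISP:
            ok = (r.dst, r.port) in BACKEND
        else:
            ok = True   # rules for other sources are out of scope here
        if not ok:
            excess.append(r)
    present = {(r.dst, r.port) for r in rules if r.src == WEBDISP}
    missing = sorted(BACKEND - present)
    return excess, missing

SAMPLE_RULES = [  # constructed
    Rule("internet", WEBDISP, 443),
    Rule("internet", "po-app1.intra.example", 50001),  # bypasses the Web Dispatcher
    Rule(WEBDISP, "po-ms.intra.example", 8101),
    Rule(WEBDISP, "po-app1.intra.example", 50001),
    Rule(WEBDISP, "po-app1.intra.example", 22),  # not an HTTP(S) port in BACKEND
]

if __name__ == "__main__":
    excess, missing = audit(SAMPLE_RULES)
    for r in excess:
        print("excess:", r)
    for dst, port in missing:
        print("missing:", dst, port)
```

A missing path matters as much as an excess one: without the route to an instance's ICM port, the Web Dispatcher cannot forward requests to that instance.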
Vadim,
I think I understand now. The ncAAE is really a smaller version of the AEX which has its own database and can run decoupled from the AEX UME; in other words, it uses its own UME. If this is correct, this is pretty much exactly what I need. Thank you for your help. It is much appreciated.
Diane