AEX or Web Dispatcher in DMZ?

Hello,

My company is running a centralized SAP PI/PO AEX and BPM (7.4), Java only, to which many internal systems connect. We have a new requirement to process messages from external vendors. Corporate Security is insisting that we have the external users authenticate in the DMZ. With this stipulation, our options seem to be limited to building an AEX in the DMZ with a load balancer in front of it, whether it's Cisco or SAP WD. The problem with this is that we are also trying to limit the complexity/footprint of the applications in the DMZ (simpler apps have fewer maintenance needs). An AEX instance will require failover capability and a database, both also in the DMZ.

Can we do this with the SAP Web Dispatcher alone in the DMZ? I have read the document regarding SAP Web Dispatcher Security and it seems that, although we can provide layers of filtering, there is still no authentication capability.

Are there alternatives that I am missing here? 

Thanks much,

Diane Maller

Accepted Solutions (1)

isaias_freitas
Advisor

Hello Diane,

The Web Dispatcher does not perform authentication (besides the authentication to its own Web Administration Page).

Authentication will take place at the backend system.

Regards,

Isaías

Hi Isaias,

Thanks for the response. So, what is the best practice for this particular use case? How secure can we make the Web Dispatcher in the DMZ? Or do we need to just give up our dream of keeping a small footprint in the DMZ and build the AEX there?

Diane

vadimklimov
Active Contributor

Hi Diane,

For your requirement, a commonly implemented solution is the installation of a non-central Advanced Adapter Engine (ncAAE) together with a dedicated Web Dispatcher or any other load balancer for it, both placed in the DMZ, with the ncAAE connected to your central PO system (which is presumably located in the intranet). It isn't necessary to install an AEX in the DMZ since you already have PO in your landscape and you only need a runtime engine for message processing in the DMZ - so an ncAAE is normally sufficient.

Regards,

Vadim

isaias_freitas
Advisor

Hello Diane,

You are welcome.

From the Web Dispatcher perspective, the most common scenario would be to put the Web Dispatcher in the DMZ.

Then, you can open only the Web Dispatcher ports to external access.

You would also need to allow the Web Dispatcher to reach the HTTP(S) ports of the backend system (from the Message Server and from the ICM of each instance).

Regards,

Isaías
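
The port layout described in the reply above can be checked mechanically against a firewall export. The following is an added example, not part of the original thread and not SAP code: it audits a rule list for flows that bypass or exceed that layout and for required flows that are absent. The host labels, port numbers and rule format are constructed placeholders.

```python
from typing import NamedTuple

class Rule(NamedTuple):
    src: str   # source zone or host label
    dst: str   # destination host label
    port: int  # destination TCP port

# Constructed inventory (assumption): labels and port numbers are placeholders.
WEBDISP = "webdisp-dmz"
WEBDISP_PORTS = {443}              # the only ports exposed to external access
BACKEND_HTTP = {                   # HTTP(S) ports the Web Dispatcher must reach
    "po-msgserver": {8101},        # message server
    "po-inst-00": {50001},         # ICM of instance 00
    "po-inst-01": {50101},         # ICM of instance 01
}

def required_flows():
    """Flows the layout needs: internet -> WD, WD -> message server and each ICM."""
    flows = {Rule("internet", WEBDISP, p) for p in WEBDISP_PORTS}
    for host, ports in BACKEND_HTTP.items():
        flows |= {Rule(WEBDISP, host, p) for p in ports}
    return flows

def audit(rules):
    """Return (excess, missing) as sorted lists of Rule.

    excess:  rules from the internet or from the Web Dispatcher that the
             layout does not call for (direct backend exposure, extra ports).
    missing: required flows with no matching rule (dispatching would fail).
    """
    required = required_flows()
    present = set(rules)
    excess = sorted(r for r in present - required
                    if r.src in ("internet", WEBDISP))
    missing = sorted(required - present)
    return excess, missing

# Constructed sample rule set with two deliberate faults and one omission.
SAMPLE_RULES = [
    Rule("internet", WEBDISP, 443),
    Rule("internet", "po-inst-00", 50001),  # bypasses the Web Dispatcher
    Rule(WEBDISP, "po-msgserver", 8101),
    Rule(WEBDISP, "po-inst-00", 50001),
    Rule(WEBDISP, "po-inst-00", 22),        # not an HTTP(S) backend port
]

if __name__ == "__main__":
    excess, missing = audit(SAMPLE_RULES)
    for r in excess:
        print("EXCESS ", r)
    for r in missing:
        print("MISSING", r)
```
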

Hi Vadim,

Thank you for the response. What would be the architecture of the ncAAE in the DMZ? Would it require a separate database or would it use the central PO system database?

Diane

Vadim,

I think I understand now. The ncAAE is really a smaller version of the AEX which has its own database and can run decoupled from the AEX UME; in other words, it uses its own UME. If this is correct, this is pretty much exactly what I need. Thank you for your help. It is much appreciated.

Diane
