ITS Network Connections (SAP Library - Network Integration Guide (BC-NET))

ITS Network Connections

All components of the ITS are connected through TCP/IP networks. Here we describe the characteristics of these network connections (especially TCP ports). The load that IACs impose on the network connections is described in ITS Network Load.

Browser – Web Server

The Web browser and the Web server use a TCP/IP network to communicate, for example the Internet or a corporate intranet. The standard HTTP protocol is used for this connection. No additional communication channel or software is needed to use the IACs delivered by SAP.

A Web server requires one TCP service. Port number 80 is reserved for HTTP and used by default by all servers and browsers. If you want to use a different port number you can configure your Web server port numbers freely. If you do this, the URL must contain this port number (in this case, 1080) in the form

http://server.mycorp.com:1080/index.html

If the communication is encrypted with SSL, a different port number is used. The default is 443. The URL for an HTTP request over SSL has the form

https://secureserver.mycorp.com/index.html

WGate – AGate

Communication between the WGate and the AGate uses a TCP/IP network connection. The WGate opens a new connection to the AGate for every incoming request. The connection uses the SAP Network Interface (NI). It is an additional protocol layer on top of TCP (since ITS version 1.1). This protocol provides two benefits:

It can be relayed through SAProuter
You can use SAP SNC encryption for high security demands

By default, the data sent between the WGate and the AGate is sent as clear text. You can choose a different connection type which encrypts the data with an DES algorithm and a static key. This key is not configurable; therefore, this encryption provides protection only against accidental reading of the data, but not against serious attacks. See ITS Security for details.

The WGate opens the connection to the AGate dispatcher services on the AGate host. The AGate dispatcher service name is sapavw00_INST , where INST is the name of the ITS instance. The file \WINNT\System32\Drivers\etc\Services ( /etc/services on UNIX) defines which port number this service name is mapped to.

When you install an ITS component, 10 service ports are automatically added to the file etc\services :

sapavw00_INST tcp/3900

sapavw01_INST tcp/3901

sapavw08_INST tcp/3908

sapavwmm_INST tcp/3909

For normal ITS installations only the port sapavw00_INST is required. The other ports are not used and may be deleted from etc\services .

The ITS setup program tries to find a sequence of 10 unused ports starting with port number 3900. This procedure is repeated on each computer where an ITS component is installed. As a result the sapavw00_INST port number may vary for different installations. You have to check your installation to find out which port is actually used. Each ITS instance uses its own ports.

You have to make sure that the sapavw00_INST port numbers are identical on the WGate and the AGate host. This is not guaranteed automatically.

Outsourcing the Web Server

An Internet Service Provider (ISP) is needed if you want to offer Web services to the Internet. Some ISPs offer additional services, such as hosting your complete Web server on one of their computers. You can also use these services for running an ITS to reduce the technical effort on your side. This would also reduce the bandwidth needed for the connection between the ISP and your site, because all pictures are loaded directly off the Web server.

The WGate is located on the computer of the ISP and only the WGate–AGate connection has to be routed into your corporate network. A SAProuter can be used for security. See ITS Security. The following graphic shows a possible setup:

The ISP's infrastructure has to meet the following requirements:

The Web server must run on one of the platforms supported by the ITS. These platforms are listed in the brochure SAP System Requirements (available in SAPnet under http://sapnet.sap-ag.de/SSR ).

The security measures must meet your standards.

The pictures used by the IACs are located on the Web server. This means that you need convenient access to this computer for updates and maintenance.

Using a dedicated computer for WGate is preferable to sharing one computer with other customers of the ISP.

Since no sensitive data is located on the WGate computer, security is usually not critical. Communication between the WGate and the AGate can be secured by encryption (see ITS Security).

AGate – SAP System

The SAP connection parameters are entered during the ITS installation process. They are stored in the global service file (see ITS Technology). You can change this file at any time. All connection modes available with the SAPgui, such as load balancing or SAProuter, can be used with the ITS.

The connection between AGate and SAP system depends on the ITS programming model used:

WebTransactions: Since the AGate behaves exactly like a SAPgui, it holds one TCP session for every user session. WebTransactions keep the transaction state inside the SAP system.

WebRFC and WebReporting: Usually each request opens a new RFC connection to the SAP System. Each request requires a SAP logon. The logon data is stored in the ITS so that the user does not have to re-enter it. To identify user sessions the ITS relies on a unique session ID that is encoded in every Web request. In special cases it is possible to use one RFC session for multiple Web requests.

All connections are opened by the AGate to the SAP application server and to the message server. The communication channel is identical to normal SAPgui and RFC clients. The following TCP services are used:

WebTransactions: Port sapdpXX for the SAP dispatcher ( XX = SAP instance number)

WebRFC and WebReporting: Port sapgwXX for the SAP gateway ( XX = SAP instance number)

Port sapmsSID for the message server when load balancing is used ( SID = SAP System name)

You can use a SAProuter to relay all communication through a single connection.