Since the gateway is an application server interface to other systems (other SAP systems, external programs, and so on), security conditions must be met as appropriate. Since external programs are normally started through the gateway, you should use the security options described below.
You should be aware of the following security issues for operating the gateway.
Permit or deny connections. With two profile parameters and an ACL file (Access Control List) you can specify from which hosts the gateway accepts connections.
For more information, see: Setting Up Access Control Lists (ACL)
Make connections between gateways of different SAP systems secure. To do this you have to set up SNC or use the SAProuter between the gateways, which de-encrypts and encrypts the data by SNC.
For more information, see: Configuring Support of SNC Components.
Activate gateway logging. You can configure the gateway so that actions executed by the gateway and requests that it receives are written to a log file.
For more information, see: Setting Up Gateway Logging.
It is assumed that all application servers and database hosts are located in the same network segment. The system is protected with a DMZ (demilitarized zone) from external programs. This means the following:
External programs exist (SAP help programs, for example, sapxpg or non-SAP programs) that are to be launched within the secured network segment, or external programs that want to register from the secure segment on the application server.
External programs exist that want to register on the system from outside the DMZ. Likewise, external programs should be started outside the DMZ.
You can find more information about configuring the gateway with regard to external programs in Making Security Settings for External Programs
Recommendation
Communication with external programs outside the DMZ must be regarded fundamentally as insecure because the RFC data stream is not encrypted by default, and therefore can be listened to, or even manipulated.
For this reason programs registered outside the DMZ should only communicate with system instances through the SAProuter and by using SNC. The SAProuter must be located in the DMZ, and must not be installed locally on an instance. This reduces the configuration of the two DMZ firewalls to a minimum.
Since the data in the data stream outside the DMZ can still be listened to or manipuated, a SAProuter should also be installed in the DMZ of the network segment in which the external program is running. Communication between SAProuters should be encrypted. The part of the communication taking place outside the DMZ will therefore be encrypted.
You can find details of the parameters relevant for security settings under Security Parameters.