cFolders has two official SAP back-end systems: the cFolders back-end add-on for 4.6B and 4.6C systems, and the cProjects application. Both systems are typically located in the intranet zone. Communication between the back-end system(s) and the cFolders server (SAP Web AS) is relevant to security because the cFolders server is located in the demilitarized zone (DMZ). The network environment looks like this:
Both types of back-end system communicate with the cFolders server using SAP’s own RFC protocol rather than HTTP. However, the user also uses the Internet Explorer browser to check the results, which means that he or she also needs an HTTP(S) connection between the intranet and the DMZ. For more information, see Scenario A: No Content Server.
In both cases, the direction of communication is from the intranet to the DMZ, that is, from a zone with a high level of security to a zone with a lower level of security. For this configuration, no additional network security is needed. However, if your network policy demands additional control over communication, this can be achieved by using an SAP router, which allows you to control the RFC communication in detail. In particular, it allows you to restrict calls to certain IP addresses. The cFolders server never calls the back-end system; the back-end system always calls the cFolders server.
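As an added illustration that is not part of the SAP documentation, the following route permission table (saprouttab) for an SAP router placed between the intranet and the DMZ restricts RFC to the direction described above; the host names, addresses and the gateway port 3300 (instance 00) are assumed placeholders:

```text
# saprouttab (route permission table) for the SAP router in front of the cFolders server.
# Syntax of each line:  <P|S|D> <source-host> <dest-host> <dest-service> [<password>]
# P = permit, S = permit only SNC-secured connections, D = deny. The first matching
# entry wins, and a connection that matches no entry is refused.
#
# Constructed placeholder addresses (not from the SAP documentation):
#   10.10.1.21 / 10.10.1.22   intranet hosts running the 4.6C add-on and cProjects
#   cfolders.dmz.example      cFolders Web AS in the DMZ, gateway of instance 00 (TCP 3300)

# Permit RFC from the two back-end hosts to the cFolders gateway only (intranet -> DMZ).
P 10.10.1.21 cfolders.dmz.example 3300
P 10.10.1.22 cfolders.dmz.example 3300

# The reverse direction (DMZ -> intranet) is needed only while the trusted-trusting
# relationship is set up; in normal operation refuse it explicitly so that any such
# attempt is logged as denied rather than silently dropped.
D cfolders.dmz.example 10.10.1.* *

# Weak setting frequently found in installations: permits every host to reach every
# service through the router and defeats the purpose of the table. Do not use it.
# P * * *

# Catch-all denial, made explicit for readability (this is also the implicit default).
D * * *
```

After changing the table, reload it with the running SAP router so the new restrictions take effect without dropping existing routes.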
A trusted-trusting system relationship between the cFolders server in the DMZ and the back end in the intranet is the most likely scenario. This allows Single Sign-On (SSO) for RFC connections and HTTP(S). While the trusted-trusting relationship between cFolders and the back end is being set up, an RFC connection must be opened from the cFolders server to the back end. This means that the intranet firewall must allow a temporary connection from the outside to the inside for the RFC. This connection can be shut down after the system relationship has been set up; it is only needed for exchanging system certificates. However, if you do not want to open the firewall temporarily, you can move the cFolders server to the intranet, establish the connection, set up the trusted-trusting relationship, and then move the cFolders system back into the DMZ. The easiest time to do this is when the systems are being set up initially.