
Recommendations

We recommend you consider the following points before proceeding with the SNC configuration:

  • You cannot use SNC to protect the communication path between the application server and the database.

    When communicating with the database, the communication end points are located within the database modules and not in the SAP system modules. Therefore, you cannot use SNC to protect this communication path. We recommend you isolate the (sub-)network that contains your database from the rest of your network and protect it with a firewall (see the figure below).

  • To avoid the performance overhead of SNC, protect internal remote function calls (RFCs) using the network infrastructure instead of SNC.

    Time critical communications often occur between application servers within the SAP system (for example, RFCs). To save on performance (establishing an SNC-protected connection is time consuming), we recommend you protect these communications by establishing a secure sub-network. Within this sub-network, you can securely operate without needing to use SNC (see the figure below). See also the description for the profile parameter snc/r3int_rfc_secure. (Set it to the value "0". Internal RFCs are then not protected with SNC.)

  • You need to allow access to end users beyond the secure (sub-)network.

    The connection to the SAP system using SAP GUI must be available to every end point and for every end user. These connection requests must be able to cross the firewall. You either have to open the SAP system dispatcher port directly on the firewall (sapdp<nn>), or route the connection request over a SAProuter. The default SAProuter port is 3299.

    Note

    You can configure your system so that only SNC-protected SAP GUI connections are accepted. Specify this configuration in the profile parameters and in the user master records. You can set this option to apply to all SAP GUI connections or for specific users only. For more information, see the profile parameter snc/accept_insecure_gui.

  • Use the "secure" gateway port (sapgw<nn>s) to allow only SNC-protected connections between the SAP system and external RFC server programs.

    The connection to the SAP system must also be available for external RFC server programs. When using SNC, we recommend you only allow SNC-protected connections between SAP systems and the external RFC server programs. To enforce SNC protection, configure your firewall to only accept requests to the secure gateway port (sapgw<nn>s) and deny requests to the normal gateway port (sapgw<nn>). The gateway denies any incoming requests over the secure port that are not SNC-protected.

Example of an SNC-Secured Network

The following ports are the secure gateway ports that must be accessible through the firewall:

  • sapgw<nn>s/tcp 4800-4899

    where <nn> is the SAP system number

As an alternative, you can allow access to the ports over a SAProuter. In this case, you need to configure your firewall to deny all requests to other ports and only accept requests to the SAProuter port. You then need to make the necessary entries in the SAProuter's route permission table, where the SAProuter specifies to which secured port on which gateway (sapgw<nn>s) access is allowed. For more information, see Configuring SNC: SAProuter → SAProuter.
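The following shell functions are an added example, not part of the SAP documentation, that work through the two options above: they derive the gateway ports for a given system number and emit the firewall rules that admit only sapgw<nn>s, plus the SAProuter route permission entry for the alternative setup. The port conventions used (sapdp<nn> = 32nn, sapgw<nn> = 33nn, sapgw<nn>s = 48nn) are the standard SAP defaults; host addresses, subnets and the nft table/chain names are placeholders.

```shell
#!/bin/sh
# Added example (not from the SAP documentation): derive the ports the
# recommendations refer to from the SAP system number <nn> and emit the
# firewall / SAProuter entries that admit only the SNC-only gateway port
# (sapgw<nn>s) and reject the plain one (sapgw<nn>). Assumed defaults:
# sapdp<nn> = 32nn, sapgw<nn> = 33nn, sapgw<nn>s = 48nn, SAProuter = 3299.
# Hosts, subnets and nft table/chain names below are placeholders.

# Normalise the system number to two digits (00..99); reject anything else.
sap_sysnr() {
  case "$1" in
    [0-9][0-9]) printf '%s\n' "$1" ;;
    [0-9])      printf '0%s\n' "$1" ;;
    *) printf 'invalid SAP system number: %s\n' "$1" >&2; return 1 ;;
  esac
}

# Base port + nn; the leading zero is stripped so "08" is not read as octal.
sap_port_from_base() {
  nn=$(sap_sysnr "$2") || return 1
  printf '%d\n' $(( $1 + ${nn#0} ))
}
sap_dispatcher_port() { sap_port_from_base 3200 "$1"; }  # sapdp<nn>
sap_gateway_port()    { sap_port_from_base 3300 "$1"; }  # sapgw<nn>, SNC not enforced
sap_secure_gw_port()  { sap_port_from_base 4800 "$1"; }  # sapgw<nn>s, SNC only

# Option 1 from the page: accept the secure gateway port on the firewall and
# drop the normal one. $1 = system number, $2 = gateway host address.
# Output is nft rule syntax, one rule per line.
sap_gw_firewall_rules() {
  secure=$(sap_secure_gw_port "$1") || return 1
  plain=$(sap_gateway_port "$1")
  printf 'add rule inet filter forward ip daddr %s tcp dport %s accept\n' "$2" "$secure"
  printf 'add rule inet filter forward ip daddr %s tcp dport %s drop\n'   "$2" "$plain"
}

# Option 2 from the page: expose only SAProuter (3299) on the firewall and let
# its route permission table decide which sapgw<nn>s is reachable.
# $1 = system number, $2 = permitted source, $3 = gateway host.
# Entry shape: P <source> <destination> <service>  (P = permit).
sap_saprouttab_entry() {
  secure=$(sap_secure_gw_port "$1") || return 1
  printf 'P %s %s %s\n' "$2" "$3" "$secure"
}

# Demo run for system number 02 with placeholder addresses.
sap_gw_firewall_rules 02 10.0.0.5
sap_saprouttab_entry  02 10.1.0.0/16 sapgw-host.example
```

Feed the first function's output to `nft -f -` and append the second's to the SAProuter's saprouttab; anything arriving at 33<nn> is then dropped before it reaches the gateway, and only SNC-protected requests survive at 48<nn>.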