SAP Web Dispatcher – HTTPS/SSO

The SAP Web dispatcher is a reverse proxy that handles all incoming HTTP(S) traffic. It is closely linked to the application servers, responsible for balancing the load between the central and dialog instances, and ensures a secure SSL (HTTPS) connection between the search clients and the SAP NetWeaver Enterprise Search system.

From a technical perspective, it is important to understand that the SSL tunnel is created between the search client and the SAP Web dispatcher and not between the search client and the ABAP application server. Otherwise load balancing would not be possible. However, the route between the Web dispatcher and the application server goes through a separate (private) network segment, therefore, this does not increase the security risk. Furthermore, it is important to keep in mind that all absolute URLs generated by the application and the SSL certificate itself must be configured to use the external host name under which the SAP Web dispatcher is known in the customer network.

SAProuter – RFC/JCo

While the SAP Web dispatcher serves only for HTTP(S) connections, the SAProuter opens a secure and controlled channel for other protocols used by SAP applications. These include RFC, SAPGUI, and so on. The list of allowed hosts that can be accessed and the protocols that can be used is managed in the saprouttab file on the blade for the SCS instance, that is, the master blade.

As soon as this has been completed, all communication between a client or another SAP system in the customer network and a server within the SAP NetWeaver Enterprise Search system must use the SAProuter string. These tokens replace the direct addressing of the host names, for example in SM59. If you normally connect to <abap_external_hostname> via SAP Logon or SM59 directly, you now have to enter the SAProuter string as follows: /H/<master_blade_external_hostname>/H/<abap_internal_hostname>

The standard IP forwarding through NAT must be configured in order to handle other protocols, such as LDAP, that neither of these two technologies (SAProuter and SAP Web Dispatcher) support. It can be used for direct outbound connections. However, we strongly recommend using the SAProuter for all other outbound RFC connections to SAP systems, for example, to an ERP 2005 system in the customer landscape.

IP Forwarding/NAT

As already mentioned, IP forwarding and network access translation (NAT) are needed to access other required resources within the customer network. These include the LDAP server and file systems that are to be indexed by SAP NetWeaver Enterprise Search. While this works for all outgoing TCP/IP-based communication, only the incoming NC host is accessible by it external host name for external clients. Administrative connections to other hosts in the private network of the SAP NetWeaver Enterprise Search system can be created only through the console for the master blade or the port redirect functions of an SSH client. Example:

We strongly advise against redirecting the master blade ports permanently to internal servers using IP port forwarding. We expect that everyone who really needs to connect to the internal servers of the Enterprise Search appliance has a local X-Server (such as Exceed, ReflectionX, or Cygwin) and an SSH client installed on their local system. (This includes customer administrators as well as the hardware partners who are performing the installation.)

After creating an SSH connection to the master blade using activated X11 and port forwarding, you can perform the following activities: