cFolders and cProjects are Internet scenarios; therefore, the base server must be accessible not only to intranet (or internal) users, but also to Internet (or external) users all over the world. To protect the base server from malicious attacks and distorted requests, several standard Internet security components can be installed in front of the server, forming an Internet gateway. Some of these components, such as the SAP Web Dispatcher or the built-in features in the SAP Web Application Server (SAP Web AS), are from SAP, while other components like reverse proxies or hardware load balancers are non-SAP products. Many such components exist, and they can be used alone or in conjunction with one another. This makes it impossible to recommend a single best solution: the choice always depends on company policy, the existing server landscape, and individual security requirements.
In general, Internet gateway architecture consists of the following:
· Outer firewall: restricts HTTP requests to allowed ports and protocols. For example, only HTTPS requests on port 443 are allowed and everything else is blocked.
· Application proxies: servers without their own built-in logic, which accept requests, analyze them in terms of security rules, and route the requests towards the real application server. Reverse proxies or the SAP Web Dispatcher are types of application proxies.
· Inner firewall: restricts connections at IP level and checks the communication on TCP/IP low-level session handling.
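The three layers can be modeled as successive checks on one request. The following Python sketch is an added example, not SAP code or configuration; the IP addresses, backend port, URL prefix, allowed methods, and function names are all assumptions chosen for illustration.

```python
import ipaddress
from dataclasses import dataclass
from urllib.parse import unquote, urlsplit

# All values below are constructed for illustration.
PROXY_IP = ipaddress.ip_address("10.0.1.10")            # application proxy (DMZ)
APP_SERVER = (ipaddress.ip_address("10.0.2.20"), 8443)  # base server, backend port
ALLOWED_PREFIXES = ("/app/",)                           # hypothetical published prefix
ALLOWED_METHODS = {"GET", "POST"}

@dataclass
class Request:
    scheme: str
    dst_port: int
    method: str
    target: str  # raw request target as received

def outer_firewall(req):
    # Only HTTPS on port 443 passes; everything else is blocked.
    return req.scheme == "https" and req.dst_port == 443

def application_proxy(req):
    # Analyze the request against security rules before routing it.
    if req.method not in ALLOWED_METHODS:
        return False
    if not req.target.startswith("/") or req.target.startswith("//"):
        return False  # not a plain origin-form path
    # Decode once, then look for traversal segments and NUL bytes.
    path = unquote(urlsplit(req.target).path)
    if "\x00" in path or ".." in path.split("/"):
        return False  # distorted request
    return path.startswith(ALLOWED_PREFIXES)

def inner_firewall(src_ip, dst_ip, dst_port):
    # IP-level restriction: only the proxy may reach the application server.
    return src_ip == PROXY_IP and (dst_ip, dst_port) == APP_SERVER

def gateway_decision(req):
    # A request must pass every layer, in order, to reach the base server.
    if not outer_firewall(req):
        return "blocked: outer firewall"
    if not application_proxy(req):
        return "blocked: application proxy"
    # The proxy opens the backend connection from its own address.
    if not inner_firewall(PROXY_IP, *APP_SERVER):
        return "blocked: inner firewall"
    return "forwarded"
```

The inner firewall check matters independently of the proxy rules: a host other than the proxy that tries to open a connection to the base server is refused even if its request would have passed the proxy.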
The following figures show two typical types of Internet gateway. The first consists entirely of non-SAP components; the second introduces the SAP Web Dispatcher for load-balancing purposes (this is unnecessary if there is only one application server).
These or similar types of Internet gateways must be placed in front of every HTTP server that can be accessed from the Internet. However, one Internet gateway can be used for several servers because the load on the Internet gateway is not high.
Internet Gateway Architecture with Non-SAP Components
Internet Gateway Architecture with the SAP Web Dispatcher