
Stop user session in DMZ

We currently use handheld bar code reader devices on our shop floor with ITSmobile to transact warehouse transactions against ECC.

We want to use these devices with external suppliers running our warehouses, with access over the internet. However, our company security policy does not allow any user session from external to the company (over the general internet) to pass through the DMZ / firewalls and actually execute on a back-end system inside the firewalls. Our ECC system is all within the firewall. Hence, the ITSmobile transactions are not within the required security policy when used that way, running on our ECC NW (ITS) and executing an ECC transaction / service.

I read about having a stand-alone ITS server (NetWeaver), and wondered if we could put that on a separate instance in the DMZ, and then could it call the ECC system via an RFC type of communication (AGate)? That would be allowed if the user session ended in the DMZ.

Has anyone ever done anything like that, separating ITS from the actual back-end system? Does it work that way?

Or does anyone have any other suggestions for how we might re-architect the solution to meet our security requirements, without having to develop a new application to run in the DMZ and interact with the handheld devices?


1 Answer

  • Mar 30, 2016 at 11:39 PM

    Hello Ruth,

    The Standalone ITS (version 6.20) is already in custom maintenance support (SAP notes 197746 and 325616). Even though its architecture comprises an agate (tied to the R/3) and a wgate (tied to a web server), it cannot be linked to a NetWeaver 7.00 or higher (SAP note 709038). Thus, you cannot have only the ITS running separated from the ABAP system.

    I would try to think of a security solution rather than changing the actual system architecture. What I have in mind:

    a) Authentication - there are several SSO possibilities (SAP note 1257108 tells about the possibilities in a NetWeaver ABAP system);

    b) Authorization - a well-defined profile should help avoid unwanted access to sensitive information;

    c) Monitoring - SAP offers the Security Audit Log (SAL) to record access information (SAP note 539404 and this SCN Document).

    Maybe your network team could also assess whether using the SAP Web Dispatcher for external suppliers would be a valid alternative.

    I hope this helps,



    • Thank you Chris. Good to know the standalone ITS server is not an option.

      Unfortunately we have already explored a number of the other options you mention before we had to put our entire Supplier Portal System (running SCM / SNC) into the DMZ to pass the security policy requirements.

      The handhelds do use a user logon when they reach SAP.

      And we pass through a web dispatcher in the DMZ, but have been unable to convince our corporate security team that it is anything more than a "reverse proxy" type of path through. The user session still passes to ECC inside the firewalls. And their concern is that then the session can somehow be "hijacked" and used to get to other parts of our network. We even had SAP experts in to try to explain it to them, and failed.

      We use SSO with our other application, but the handheld users have real SAP IDs, and we don't need to use that. But that is authentication at the end, when the session reaches SAP. We could potentially add the front-end LDAP logon, and even have two logons... but... the session is still passing to inside the firewall, so I don't think that will actually change much in the situation.