Skip to Content

Central HUB Gateway inside or outside DMZ (Firewall) ?

Oct 25, 2017 at 07:30 PM


avatar image
Former Member

We are planning to install Gateway 2.0 as a separate server (Central HUB option) NW7.51. We have gone thru the deployment options and understand that Gateway can be either installed inside the DMZ or inside firewall.

If installed inside firewall, we can use web dispatcher or any other reverse proxy in the DMZ and redirect traffic to our central hub.

The real question is on what scenario, we will have to DEFINITELY install Gateway server in the DMZ (Demilitarized Zone)?

10 |10000 characters needed characters left characters exceeded
* Please Login or Register to Answer, Follow or Comment.

1 Answer

Bartosz Jarkowski Oct 25, 2017 at 08:13 PM

Did you read excellent blog written by SAP Mentor Former Member ?

You should find there the answer to your question!

Show 4 Share
10 |10000 characters needed characters left characters exceeded
Former Member

Hi Bartosz,

Thank you for your response.

The first thing I read is the excellent blog written by John Appleby. But unfortunately the answer to my question was not available.

I read this Para:


Scenario 1: Security is paramount

If you are deploying applications that allow access from the outside world, like mobile apps, into your SAP network, and security is paramount, then you should deploy a separate instance of NetWeaver Gateway into a demilitarised zone or DMZ. This provides separation between your core SAP network and your edge. You can get the network team to lock down the NetWeaver Gateway system which will make it very difficult for unwanted visitors to penetrate your network."

- Is security is the only decision factor to install Gateway inside firewall or outside firewall?

- Also it was not very clearly how can the environment be more secured, if GW is installed inside firewall?




Hello Senthil,

the main argument to put the Gateway in DMZ is security. It doesn't bring any other added values.

If your gateway server is facing internet, then it is definitely a good idea to put it into DMZ. There is plenty of articles about DMZ, I personally really like the answer on StackOverflow (the first answer)

But if your Gateway server is going to be accessed only from internal network, then the importance of putting it in DMZ is definitely lower...

Former Member

Thank you Bartosz for clarifying that the main reason is only for security purpose. I just read the stackexchange answer.


1. Internet > DMZ (web dispatcher) > Private Network (Gateway/Business suite)

2. Internet > DMZ (web dispatcher & Gateway system) > Private Network (Business suite)

They say that scenario 2 is more secured than 1. I really can't understand technically how can 2 be more secured than 1? can you please explain technically?

Kindly let me know if my question is not clearly.




I think the level of security in above scenarios is pretty much the same. Personally, I would choose the first option.