on 01-14-2008 7:43 PM
Dear Experts,
I have ABAP backend system and I need to open it to internet. Doing so, I have implemented web dispatcher that is running in DMZ. Up to this point everything went on as desired, but one thing.
When I call the URL http://teidom.com:60000 then it redirects to the target host with the local address http://<localhost>.teidom.local:8000/sap/bc/gui/sap/its/webgui. Hereby this is not possible to call the page from internet. This is working only in local network, not in internet. In order to call and view the page from internet, the address has to be intact with no address redirection.
Just to get you closer to understand the situation, here below I wrote down the parameters which I defined for Web Dispatcher (sapwebdisp.pfl).
SAPGLOBALHOST = WebServerRack
SAPSYSTEM = 02
INSTANCE_NAME = W02
DIR_CT_RUN = C:\WebDisp\NTI3867
DIR_EXECUTABLE = C:\WebDisp\NTI3867
#----
Accesssability of Message Server
#----
rdisp/mshost = backsvr.teidom.local
ms/http_port = 8100
#----
Configuration for medium scenario
#----
icm/max_conn = 500
icm/max_sockets = 1024
icm/req_queue_len = 5003
icm/min_threads = 10
icm/max_threads = 50
mpi/total_size_MB = 80
#----
SAP Web Dispatcher Ports
#----
#icm/server_port_0 = PROT=HTTP,PORT=81$$
icm/server_port_0 = PROT=HTTP,PORT=60001
icm/HTTP/redirect_0= PREFIX=/, PORT=8000, PROT=HTTP, TO=/sap/bc/gui/sap/its/webgui, HOST=backsvr.teidom.local
Kind Regards,
Taner Guler
Hi Taner,
I think you are asking to the browser to connect directly to the 8000 port of the internal server whic is obviously not possible because of the firewall.
It seems to me that you make a confusion between an URL redirect and an URL rewrite.
The redirect is sent to the browser as a new URL.
Did you try something like
icm/HTTP/redirect_0= PREFIX=/, TO=/sap/bc/gui/sap/its/webgui
You just want the browser to change the URL from / to /sap/bc/gui/sap/its/webgui but don't waant to change anything for the host and port from the web dispatcher because it is used as a reverse proxy.
Regards,
Olivier
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
Hi Olivier,
Thanks a lot for your kind help.
As you suggested I have tried parameter 'icm/HTTP/redirect_0= PREFIX=/, TO=/sap/bc/gui/sap/its/webgui' and this did not work either.
You catched a good point that where I got confused in the field of web dispatcher configuration. I have short of knowledge there. As you well understand, the problem might be on the port 8000. But, this is a standard port for ABAP systems which is required when the service is called from internet. In addition, in the ABAP system when I try the service in SICF transaction then it results 'http: //backsvr.teidom.local:8000/sap/bc/gui/sap/its/webgui' here you see the port number is 8000. Isn't that a proof of the port I used was correct (8000).
What I need to do is, as you well noticed, to rewrite the URL, not a redirection. The address has to be intact, which is internet address, not a local address and not changed.
When I tried parameter 'icm/HTTP/redirect_0= PREFIX=/, TO=/sap/bc/gui/sap/its/webgui' as you suggested in the profile parameter. Then the error has come out as below in web browser.
-
500 Dispatching Error
Error: -26
Version: 7000
Component: HTTP_ROUTE
Date/Time: Tue Jan 15 14:08:04 2008
Module: http_route.c
Line: 3126
Server: WebServerRack__02
Error Tag:
Detail: no valid destination server available for '!ALL' rc=7
-
Regards,
Taner
Hello again,
>What I need to do is, as you well noticed, to rewrite the URL, not a redirection. The address has >to be intact, which is internet address, not a local address and not changed.
The SAP web dispatcher is not able to rewrite URLs. It can only do redirects which are interpreted by the browser.
It means that you will not be able to hide the "technical URL" from the internet.
I had this need and I had to use Apache+web dispatcher because Apache is able to rewrite URLs
What you need to achieve is when the user types
http://teidom.com:60000/ in his browser the redirect should type
http://teidom.com:60000/sap/bc/gui/sap/its/webgui in the browser
For that the syntax should not be very far from the one I gave you.
You have to experiment...
Regards,
Olivier
Edited by: Olivier CHRETIEN on Jan 15, 2008 1:59 PM
spelling
Hi,
Have a look at http://httpd.apache.org
Read this documentation on URL rewriting :
http://httpd.apache.org/docs/2.2/misc/rewriteguide.html
Be careful, this is a complex subject and it took me several weeks to learn how to use Apache as a rewriting URL reverse proxy. But it's very interesting and powerful !
Regards,
Olivier
Hi again,
Usually you have 2 firewalls to make a DMZ, one external and one internal.
external firewall DMZ internal firewall
Browser --- HTTP 60000 -
> Webdisp -
> HTTP 8000 -
> WAS ICM
. Webdisp -
> HTTP 8100 -
> WAS Message Server
So you need to open port 60000 on the external firewall and ports 8000 and 8100 on the interna l firewall.
Why do you use port 60000 for HTTP on the internet ?
I always use the standard port 80.
Hope this helps.
Olivier
Edited by: Olivier CHRETIEN on Jan 15, 2008 4:25 PM
This forum editor is crap : not at all WYSIWYG
all my ascii drawing is mixed up !
You should definitely not open port 8000 to the outside, only between your dmz and internal network.
Also, instead of 'rewrites' or 'redirects' you should probably consider configuring your web dispatcher to do ssl termination and re-encryption. This will hide the 'technical' URL from the end-user's browser, as all communication for the end-user will be to/from the web dispatcher, not the internal ABAP server. There are a number of parameters to be configured for this, but the critical one to "turn on" the re-encryption is wdisp/ssl_encrypt = 2. I think maybe this is what you mean by "rewrite" the URL? If so, the web dispatcher absolutely can do this, without Apache or any other webserver or proxy software.
For more information about configuring SSL on the web dispatcher, have a look at the online documentation (http://help.sap.com/saphelp_nw70/helpdata/en/de/89023c59698908e10000000a11402f/frameset.htm) and Note 870127.
Regards,
--Matt
Hello Matt,
I use SSL termination with re encryption on the Web disptacher and it works very well but it sure does not hide any technical URL.
Its use, in my case, is to encrypt the password for basic authentication.
There is a big differerence between hiding the internal back office server and hiding the "technical" URL.
Regards,
Olivier
Hi Matt,
It is very kind of you commenting on the subject.
I just want to be sure of the problem that I am facing. My problem is when I call the URL http://teidom.com:60000 from the internet; it is supposed to view the page (information) from ABAP system. But it couldn't.
Web dispatcher is running on the host named 'webdispsvr'
In the firewall I set port 60000 open from internet to web dispatcher server
And in the other firewall (at the back) I set port 8000 open to R3 ABAP system which supplies information to internet.
After setting up the web dispatcher profile according to (thanks Olivier) instructions from help.sap.com
At next stage I started to test
First I tested it in local by URL http://webdispsvr:60000 it works and web browser views the ABAP login windows. From this point of the subject one thing that took my attention was, after pushing enter button for URL http://webdispsvr:60000 then it directly turns to address URL http://<localhost>.teidom.local:8000/sap/bc/gui/sap/its/webgui -- <localhost> is a host of where R3 ABAP system runs on (the address redirects to local address which is not wanted situation in the internet as long as it redirects to local URL address)
Second test was in the internet
Behaviour of the system is same nothing changed
When I call URL http://teidom.com:60000, as it happens in local test, it redirects the URL to http://<localhost>.teidom.local:8000/sap/bc/gui/sap/its/webgui for this reason page could not be viewed when it is called from the internet.
I hope above information is clear enough to get you understand how bad situation I am in.
Isnt there a way out of this struggle?
Thanks all of you for your great contribution to the situation.
Regards,
Taner
Hi Matt,
It is very kind of you commenting on the subject.
I just want to be sure of the problem that I am facing. My problem is when I call the URL http://teidom.com:60000 from the internet; it is supposed to view the page (information) from ABAP system. But it couldn't.
Web dispatcher is running on the host named 'webdispsvr'
In the firewall I set port 60000 open from internet to web dispatcher server
And in the other firewall (at the back) I set port 8000 open to R3 ABAP system which supplies information to internet.
After setting up the web dispatcher profile according to (thanks Olivier) instructions from help.sap.com
At next stage I started to test
First I tested it in local by URL http://webdispsvr:60000 it works and web browser views the ABAP login windows. From this point of the subject one thing that took my attention was, after pushing enter button for URL http://webdispsvr:60000 then it directly turns to address URL http://<localhost>.teidom.local:8000/sap/bc/gui/sap/its/webgui -- <localhost> is a host of where R3 ABAP system runs on (the address redirects to local address which is not wanted situation in the internet as long as it redirects to local URL address)
Second test was in the internet
Behaviour of the system is same nothing changed
When I call URL http://teidom.com:60000, as it happens in local test, it redirects the URL to http://<localhost>.teidom.local:8000/sap/bc/gui/sap/its/webgui for this reason page could not be viewed when it is called from the internet.
I hope above information is clear enough to get you understand how bad situation I am in.
Isnt there a way out of this struggle?
Thanks all of you for your great contribution to the situation.
Regards,
Taner
User | Count |
---|---|
88 | |
10 | |
10 | |
9 | |
7 | |
7 | |
6 | |
5 | |
4 | |
4 |
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.