
Security when using apps from outside the company firewall

Hey,


I'm just curious to know whether any steps are needed to secure data from an app built in Neptune when the app has to be run outside the company's firewall. Does any whitepaper or similar exist on this subject? I know SAP made this SMP (SAP Mobile Platform), but the expense seems to be huge compared to the benefit.


Do alternative solutions exist, or do we need expanded security at all when we want to run applications from outside?


For testing purposes we are today using a VPN solution, but again this is a two-step solution, and it would be preferred to just open the app without having to do a preliminary login or the like.


Hi Henrik,

There are different solutions our customers are using for securing external access to their back-end SAP systems. These solutions range from reverse proxies, VPN, traditional zone security, SAP Mobile Platform, AirWatch, XenApp, Mocana Atlas etc. Here is a "bit outdated" set of recommendations from Neptune:


http://support.neptune-software.com/solution/categories/122856/folders/202023/articles/175915-security-guidelines-for-neptune-application-designer-


Different customers have different requirements when it comes to securing their external access and we have experience from most scenarios. We have also recently implemented SAP SSO OTP support for the SAP Enterprise Portal.


BR

Njål



Dear Friends, 


Is there a guide or a tutorial on how we have to set up the SAP system and Neptune so that we can connect from the internet? What is the easiest way? Is it possible to just move the SAP server into the DMZ?


best regards,

Daniel

Hi Daniel


The normal setup to achieve this is to use a reverse proxy in the DMZ. Then all external connections go directly to the reverse proxy, and only access to yoursapserver/neptune/* is allowed.


I recommend using HTTPS on the reverse proxy, with a valid SSL certificate and a public URL.


Attached you find some other setups of Neptune.


PS: Do you already have a reverse proxy in your network?


Regards

Ole Andre 


Hi Ole,


Thanks for your fast reply. :-)

I have installed a new SAP-System with EHP7 and Neptune 3.10 SP01 last weekend. 

I will talk to our firewall administrator about whether we already have a reverse proxy installed.

Is there any other information he needs for the setup? Ports?


Many Thanks,


best regards,

Daniel


Hi Ole,

What is the best way to block access to NAM and the other admin sub-sites in a reverse proxy scenario?
I want to give access only to the bundled applications and use the admin tools from the internal network URL. Is it possible/safe to implement a filter conf on the reverse proxy (denying some patterns)?

Thank you very much.
K -

 

Hi Andrea


The best way to block NAM is to set a Policy assigned to the /neptune/nam application. Use the tile "Assign Policy to Application".


I recommend this way over rules in the reverse proxy.




Regards

Ole Andre 
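As an added example (not from this thread or from Neptune), here is the edge-side path filter Andrea asked about, applied to the /neptune/* allowlist from the earlier reply with the /neptune/nam admin path denied; the NAM policy recommended above stays the primary control, and this only shows that a proxy rule must act on the canonicalised path, not the raw URL. Hostnames and application names are constructed.

```python
"""Path-policy check for a DMZ reverse proxy in front of a Neptune/SAP system.

Added example modelled on this thread: external clients may only reach
/neptune/*, and the NAM admin sub-site /neptune/nam is refused at the edge.
Every request target is canonicalised first, because a prefix rule applied to
the raw URL can be sidestepped by encoding, dot segments or case changes.
All hostnames and application names below are constructed samples.
"""
from urllib.parse import unquote, urlsplit
import posixpath

ALLOWED_PREFIXES = ("/neptune/",)        # from the reply: only yoursapserver/neptune/*
DENIED_PREFIXES = ("/neptune/nam",)      # admin suite that should stay internal


def canonical_path(request_target):
    """Reduce a request target to the path the backend would actually serve."""
    path = urlsplit(request_target).path or "/"
    path = unquote(path)                  # one decoding pass, as a proxy does
    path = path.replace("\\", "/")
    path = posixpath.normpath(path)       # collapses '.', '..' and doubled '/' inside the path
    if not path.startswith("/"):
        path = "/" + path
    # Assumption: the backend matches service paths case-insensitively.
    return path.lower()


def _under(path, prefix):
    """True if path is the prefix itself or a sub-path of it (segment-wise)."""
    prefix = prefix.rstrip("/")
    return path == prefix or path.startswith(prefix + "/")


def decide(request_target):
    """Return 'allow' or 'deny'; anything not explicitly allowed is denied."""
    path = canonical_path(request_target)
    if any(_under(path, p) for p in DENIED_PREFIXES):
        return "deny"
    if any(_under(path, p) for p in ALLOWED_PREFIXES):
        return "allow"
    return "deny"


if __name__ == "__main__":
    # Constructed request targets as a proxy access log might show them.
    for target in ("https://proxy.example/neptune/myapp?x=1", "/neptune/NAM/",
                   "/neptune/myapp/../nam", "/neptune/%2e%2e/sap/bc/gui",
                   "/neptune/namespace", "/sap/bc/ping"):
        print(f"{decide(target):5s} {target}")
```

Note that /neptune/namespace is still allowed: the match is per path segment, so the deny rule does not over-block applications whose names merely start with "nam".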


Hi Ole Andre,

this is an interesting way to block the "administration" Neptune Apps.


In "NAM Requirements" I read

"In order to access the Neptune Application Management suite, you should have at least installed Neptune version 3.0 and been assigned the relevant ‘NEPTUNE’ and ‘/NEPTUNE/DEVELOPER’ roles in transaction ‘PFCG’."


But it seems that a user without the /NEPTUNE/DEVELOPER role is able to access and save NAM objects... do you confirm?


I tried in a 310_700 SP 2


Thanks

Alessandro



Hi Alessandro


That is confirmed. The Neptune Developer role gives access to all transactions, but does not contain any security setup to prevent access to NAM. That is why we recommend using the Policy in NAM to block NAM and Neptune Application Monitor in Neptune.


Regards

Ole Andre 

Thank you Ole for your immediate answer!


So I think this is a mandatory activity not only in a "reverse proxy" scenario but also in an "on-premise" config, to avoid NAM access by unwanted users.


Regards

Alessandro
