I'm just curious to know if any steps are needed to secure data from an app built in Neptune when the app has to be run outside the company's firewall. Does any whitepaper or similar exist regarding this subject? I know SAP made this SMP (SAP Mobile Platform). But the expense seems to be huge compared to the benefit.
Do alternative solutions exist, or do we need expanded security at all when we want to run applications from outside?
For testing purposes we are using a VPN solution today, but again this is a 2-step solution. It would be preferred just to open the app, without having to do a preliminary login or so.
There are different solutions our customers are using for securing external access to their back-end SAP systems. These solutions range from reverse proxies, VPN, traditional zone security, SAP Mobile Platform, Airwatch, XenApps, Mocana Atlas etc. Here are some "bit outdated" recommendations from Neptune:
Different customers have different requirements when it comes to securing their external access and we have experience from most scenarios. We have also recently implemented SAP SSO OTP support for the SAP Enterprise Portal.
Is there a guide or a tutorial on how we have to set up the SAP system and Neptune so that we can connect from the internet? What is the easiest way? Is it possible just to move the SAP server into the DMZ?
The normal setup to achieve this is to use a reverse proxy in the DMZ. Then all external connections will go directly to the reverse proxy, which only allows access to yoursapserver/neptune/*
Recommend using HTTPS on the reverse proxy, with a valid SSL certificate and public URL.
Attached you will find some other setups of Neptune.
PS: Do you already have a reverse proxy in your network?
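A reverse-proxy configuration matching the setup described in the reply above, written for nginx as an added example that is not part of the original thread or Neptune's documentation. The hostnames, backend port, and certificate paths are placeholders, and nginx itself is an assumption since the thread names no proxy product.

```nginx
# Added example: every hostname, port and file path below is a placeholder.
server {
    listen 443 ssl;
    server_name neptune.example.com;          # public URL (placeholder)

    # Valid, publicly trusted certificate for the public URL
    ssl_certificate     /etc/nginx/tls/neptune.example.com.fullchain.pem;
    ssl_certificate_key /etc/nginx/tls/neptune.example.com.key;
    ssl_protocols       TLSv1.2 TLSv1.3;

    # Only the Neptune path is forwarded to the SAP server. nginx matches
    # locations against the normalized URI (after decoding %XX and resolving
    # "." and ".."), so /neptune/../sap/... lands in the deny-all block below.
    location /neptune/ {
        proxy_pass https://sapserver.internal.example:44300;  # assumed internal HTTPS port

        # Verify the back-end certificate instead of trusting the internal network
        proxy_ssl_verify              on;
        proxy_ssl_trusted_certificate /etc/nginx/tls/internal-ca.pem;
        proxy_ssl_server_name         on;

        proxy_set_header Host              $host;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
    }

    # Everything else on the SAP server stays unreachable from outside.
    location / {
        return 404;
    }
}

# Plain HTTP is only used to redirect to HTTPS.
server {
    listen 80;
    server_name neptune.example.com;
    return 301 https://$host$request_uri;
}
```

This configuration does not restrict /neptune/nam; the thread recommends handling that with a policy in Neptune rather than with proxy rules.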
Thanks for your fast reply. :-)
I have installed a new SAP-System with EHP7 and Neptune 3.10 SP01 last weekend.
I will talk to our firewall administrator to find out whether we already have a reverse proxy installed.
Is there any other information he needs for the setup? Ports?
The best way to block NAM is to set a Policy assigned to the /neptune/nam application. Use the tile "Assign Policy to Application".
I recommend this way compared to rules in the reverse proxy.
Hi Ole Andre,
This is an interesting way to block the "administration" Neptune apps.
In "NAM Requirements" I read:
"In order to access the Neptune Application Management suite, you should have at least installed Neptune version 3.0 and been assigned the relevant ‘NEPTUNE’ and ‘/NEPTUNE/DEVELOPER’ roles in transaction ‘PFCG’."
But it seems that a user without the /NEPTUNE/DEVELOPER role is able to access and save NAM objects. Can you confirm?
I tried on a 310_700 SP 2.
That is confirmed. The Neptune Developer role gives access to all transactions, but does not contain any security setup to prevent access to NAM. That is why we recommend using the Policy in NAM and blocking NAM and Neptune Application Monitor in Neptune.
Thank you Ole for your immediate answer!
So I think this is a mandatory activity not only in a "reverse proxy" scenario but also for an "on-premise" config, to avoid NAM access by unwanted users.