This document is intended to give some guidelines regarding securing external (internet) access to applications created with the Neptune Application Designer.


The Neptune Application Designer runs inside SAP Netweaver systems and uses the Internet Communication Framework (ICF) to handle the server client communication. Therefore securing a Neptune Application is identical to other Netweaver solutions based on ICF.

There are also a great number of solutions that provide increased security on top of Netweaver such as the SAP Mobile Platform (Both on premise and Cloud edition) and Mocana MAP that can be used together with Neptune Applications.


It is of paramount importance that any communication between an external network and the SAP Backend systems is encrypted. SSL (HTTPS) should be used to ensure integrity of data.

To further protect the backend data there are several options and here is information about the most common scenarios:

Network zones

It is recommended to protect your system landscape through zone security. This will protect your sensitive data and only allow access through the DMZ (demilitarized zone) and firewalls will protect your backend systems from undesired access.

Reversed Proxy

A reversed proxy protects you with an additional security layer and has the ability to mask your backend servers for external clients.


Reverse Invoke 

Reverse invoke ensures that external connections cannot get through the firewall. All communication must be opened from the internal network.


To gain external access to the internal network a VPN (Virtual private network) solution can also be used to provide encryption and tunneling security.


User access

To access functions and data in a backend Netweaver system the user needs to be authenticated.

This depends on the individual customer setup. It is very important to determine where the end users of the application have access and know their credentials.

SAP Logon Tickets

The most common logon to SAP systems from a web clients is the use of SSO2 tickets. The user needs to provide a username and password to access the initial SAP system node and will receive a MYSAPSSO2 cookie that can give access to multiple SAP systems.

SAML 2.0

SAML 2.0 is a Single Sign-on solution that requires an identity provider that manages the identity information for the service providers.

Client Certificates

Using X.509 client certificates is another option for user authentication. This solution authenticates the application and no username or password is required.

SAP Mobile Platform Cloud Edition

For customers without a system landscape already prepared for secure external communication we recommend trying out the SAP Mobile platform Cloud Edition as a fast, secure solution with low initial cost where only the SAP Cloud Connector (SCC) needs to be installed on premise.