on 07-09-2014 3:32 PM
Hello Colleagues
I need your inputs concerning the configuration of External / Internal access to a Portal system to keep the same URL so that it’s transparent for end users (internal or external).
The landscape is as follows: Internet Browser -> F5 LB -> Web Dispatcher -> EP NW73
The main issue is that when the EP system is accessed by an internal user, there is a URL redirection to the internal URL. So the URL is changed and the requirement is to avoid that.
It is likely due to EP system ‘ProxyMapping’ property that is used as the Portal is connected to several backends. Without it, the Portal doesn't respond with the correct URL.
If this property is removed, Portal iViews do not work properly and if proxymapping ‘override’ is changed to FALSE, we have the problem described in SAP Note 1643446.
Configuration of EP property:
ProxyMappings port=(Host:internal_url,Port:port,Scheme:https,Override:true)
And configuration in WebDispatcher:
Internal Scenario: wdisp/system_10 = SID=sid, MSHOST=internal_url, MSPORT=port, SRCSRV=*:port
External Scenario: wdisp/system_4 = SID=sid, MSHOST=external_url, MSPORT=port, SRCSRV=*:port
How can the URL redirection be avoided for internal users so that the same URL is always kept?
Thanks in advance for your help!
Best regards,
Johann
Hi Johann,
We have implemented this for our customer in such a way that users from the internet and intranet are able to connect using the same URL through SAP Web Dispatcher. Below are the security points that were also taken care of.
Here I am providing information for two systems: EP (e.g. prodep), SID EPP, and EPR (e.g. proderp), SID = PRD
a.) Actual Hostname of Portal system (prodep) shouldn't be viewed in url.
b.) Port information should be hidden in url
c.) Users should be able to access URL from internet and intranet.
To achieve the above solution, you need to work with the Network, Firewall and SAP Basis areas.
1.) Decide on the ports to be opened to the internet to access the EP system. Here I have configured default port 80 in my scenario.
2.) The public IP and static IP for the web dispatcher should be resolvable to the same hostname, e.g. if internet users need to connect using a URL, let's say mysapportal.com.
3.) Please reach out to your network team to configure DNS in such a way that when you do an nslookup for the public IP and static IP, or the web dispatcher hostname, you should be able to see mysapportal.com
4.) Maintain the parameters below
4.) Maintain below parameters
icm/server_port_0 = PROT=HTTP, PORT=8000
icm/server_port_2 = PROT=HTTP, PORT=80
wdisp/system_0 = SID=PRD, MSHOST=hostname,MSPORT=81nn,PROT=HTTP, SRCURL=/sap/bc;/sap/, SRCSRV=*:8000
wdisp/system_1 = SID=EPP, MSHOST=hostname, MSPORT=81nn,SRCURL=/, SRCSRV=<url to be accessed>:*
5.) Maintain WAS & IT connection details on your webdispatcher hostname and port in Portal for EPR system.
After above configuration, all internet and intranet users will be able to access EP system with below url
http://mysapportal.com/irj/portal.
Let me know if you need further information and help.
Regards
KSK
Hi KSK
thanks for sharing this scenario. It is very helpful to get all the points to consider for this case.
This is really similar to the customer scenario I am discussing.
We're currently trying to review all the proxy settings so that we avoid the URL changes to the internal hostname of the Portal system.
I'll give the heads up.
thanks and regards,
Johann
The easiest way is to always use the URL of the F5 LB, internally and externally. Proper configuration of active network equipment will ensure that in case the portal is accessed internally, it never goes outside the company. If that isn't possible, any other solution requires tweaking especially if you have system objects in your portal landscape meaning you are accessing backend systems. In the latter case I suggest you look into Dynamic System Resolution.
Hi Johann,
I have a few questions to better understand your scenario:
1) Is the ENTRY POINT for your Portal the same for INTERNET and INTRANET, i.e. the F5 Load Balancer?
2) The ProxyMappings feature of the AS Java is used in case you have a Reverse Proxy/ Load Balancer as an Entry Point for your Portal.
As per your Settings the value is
ProxyMappings port=(Host:internal_url,Port:port,Scheme:https,Override:true)
What do you mean by INTERNAL URL?
Is it the actual URL of the AS Java System OR an F5 LB URL which is reachable ONLY from the internal DNS of your company?
Ideally it should be a URL which is accessible from BOTH INTERNET and INTRANET.
So the value for HOST should be the F5 Load Balancer URL and PORT should be the F5 LB Port.
3) You are using F5 LB --> Web Dispatcher --> EP 7.3
I see 2 Load Balancers here.
F5 LB is a hardware load balancer which is capable of handling Layer 7 load balancing as well as an efficient reverse proxying feature, and is also supported by SAP.
If it is not too late in the implementation, I would ask you to reconsider your option of using 2 Load Balancers.
4) Are you connecting to any SAP ECC/etc systems from the Portal ?
Regards,
Ashish .A. Poojary
Hi Ashish
thanks for your prompt reply. The answers to your questions are:
1) The entry point access for Internet and Intranet is the same as per know through the F5 Load Balancer
2) The Internal_url is actually the AS Java hostname. You mentioned an important point here: as the ProxyMapping is a property of the Portal system, it was thought it would be accessed only internally once the connection passes through the F5 LB and the Web Dispatcher.
We have to review something here with the property value of this setting.
3) It is a customer implementation and the issue was already mentioned. However, it's been some time that their system and configuration have been live, so removing the Web Dispatcher could only be considered as a new project in the long term.
4) The Portal is connecting to several backends such as SRM, HR, ECC and BI. It is another reason to have the ProxyMapping setting configured in the Portal system.
Thanks for your help
Regards,
Johann
Hey Johann,
Now that we are sure that the F5 Load Balancer is the entry point, the very first change to be done is to change the ProxyMappings Host and Port parameters to those of the F5 Load Balancer.
I don't see how this should affect the access to backend systems.
I would suggest you go through the blog below. It's a very well written blog by Brian which details the concepts involved while configuring proxies.
http://wiki.scn.sap.com/wiki/display/BSP/Using+Proxies
Regards,
Ashish .A. Poojary
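
One way to verify the ProxyMappings change discussed in this thread, as an added example that is not part of the original posts: record the redirects seen when opening the portal through the load balancer and flag any `Location` that leaves the entry origin (internal AS Java hostname, backend port, or scheme downgrade). All hostnames, ports and the sample hops are constructed placeholders.

```python
from urllib.parse import urljoin, urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}
REDIRECT_CODES = (301, 302, 303, 307, 308)


def origin(url):
    """Return (scheme, host, port) with the default port filled in."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    return scheme, host, parts.port or DEFAULT_PORTS.get(scheme)


def find_leaks(entry_url, hops):
    """Flag redirects that leave the origin the user typed.

    hops: (request_url, status, location_header) tuples in the order seen.
    Returns (request_url, resolved_target, reason) for each offending hop.
    """
    expected = origin(entry_url)
    leaks = []
    for request_url, status, location in hops:
        if status not in REDIRECT_CODES or not location:
            continue
        # A relative Location resolves against the request URL, so it stays on-origin.
        target = urljoin(request_url, location)
        diffs = [name for name, want, got
                 in zip(("scheme", "host", "port"), expected, origin(target))
                 if want != got]
        if diffs:
            leaks.append((request_url, target, "+".join(diffs)))
    return leaks


# Constructed sample: what a capture might look like before the fix.
ENTRY = "https://portal.example.com/irj/portal"
SAMPLE_HOPS = [
    ("https://portal.example.com/", 302, "/irj/portal"),
    ("https://portal.example.com/irj/portal", 302,
     "https://epjava01.corp.example:50001/irj/portal"),  # internal AS Java host
    ("https://portal.example.com/irj/servlet", 302,
     "http://portal.example.com/irj/portal"),            # scheme downgrade
    ("https://portal.example.com/irj/portal", 200, None),
]

if __name__ == "__main__":
    for req, target, reason in find_leaks(ENTRY, SAMPLE_HOPS):
        print(f"{req} -> {target} [{reason}]")
```

Running the same check from an internal and an external client should return an empty list in both cases once the proxy settings point at the load balancer.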