Network Zones

SAP NetWeaver Process Integration (PI) can be used for two main purposes:

· Intra-enterprise application integration (EAI) where company-internal heterogeneous applications communicate using PI. This is also known as A2A (application-to-application) communication.

· Inter-enterprise integration where companies exchange XI messages. This is also known as B2B (business-to-business) communication.

Depending on the usage scenario, the risk assessment of the network infrastructure, and a company’s security policy, appropriate security measures should be taken.

The least critical case is where PI is used for A2A messaging within a company-internal secure network, because there may be no need to install different network zones.

However, even in this case, security considerations may lead to an architecture where some critical application systems are located in a separate backend network zone, where the communication to and from the Integration Server is always routed through a firewall that only allows PI A2A messaging between these components and prevents any other communication.

The most critical case is where PI is used for B2B messaging and the business partner sends HTTP messages over unsecure Internet connections. In this case, SAP strongly recommends that you use secure messaging connections (that is, HTTPS and SNC) to prevent attackers from eavesdropping or modifying messages.

The general recommendation for protecting a system from malicious access from the Internet is to use several security components, such as firewalls and application gateways. This results in a landscape of network zones with different levels of protection (see Using Multiple Network Zones in the SAP NetWeaver Security Guide).

In a first approach, this leads to the following architecture, in which the Integration Server is protected by a demilitarized network zone (DMZ), where several security checks for incoming messages can be applied by an application gateway, also known as a reverse proxy.

The firewall between the Internet and the DMZ should only allow incoming requests from known business partners for B2B messaging to the application gateway, and outgoing requests from the proxy to these partners. The firewall between the DMZ and the Integration Server network area should only allow incoming requests from the application gateway to the Integration Server and Adapter Engines, and requests from the Integration Server and Adapter Engines to the proxy server. The application gateway provides several checks for incoming requests. For an overview of the features of an application gateway, see the presentation SCUR204 in the SAP Developer Network.
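The two firewall policies described above can be audited against an exported rule set. The following Python is an added example, not part of the SAP documentation: the role names, firewall labels, and IP ranges are constructed placeholders, the proxy and the application gateway are assumed to be separate hosts, and the Web dispatcher is not modelled.

```python
import ipaddress

# Constructed inventory: role -> networks. Addresses are placeholders (RFC 5737 /
# RFC 1918 ranges), not SAP values. Proxy and gateway are assumed to be separate hosts.
ROLES = {
    "partner": ["198.51.100.0/28", "203.0.113.16/28"],
    "app_gateway": ["10.10.0.10/32"],
    "proxy": ["10.10.0.20/32"],
    "integration_server": ["10.20.0.10/32"],
    "adapter_engine": ["10.20.0.32/28"],
}

# Flows the text permits, per firewall: (source role, destination role).
ALLOWED = {
    "internet-dmz": {("partner", "app_gateway"), ("proxy", "partner")},
    "dmz-internal": {("app_gateway", "integration_server"), ("app_gateway", "adapter_engine"),
                     ("integration_server", "proxy"), ("adapter_engine", "proxy")},
}

def role_of(cidr):
    """Return the role whose network fully contains cidr, else 'other'."""
    net = ipaddress.ip_network(cidr)
    for role, networks in ROLES.items():
        if any(net.subnet_of(ipaddress.ip_network(n)) for n in networks):
            return role
    return "other"

def audit(rules):
    """Return the permit rules that are not covered by the zone policy."""
    findings = []
    for firewall, src, dst in rules:
        flow = (role_of(src), role_of(dst))
        if flow not in ALLOWED.get(firewall, set()):
            findings.append((firewall, src, dst, flow))
    return findings

# Constructed sample of permit rules exported from the two firewalls.
SAMPLE_RULES = [
    ("internet-dmz", "198.51.100.4/32", "10.10.0.10/32"),  # partner -> gateway
    ("internet-dmz", "0.0.0.0/0", "10.10.0.10/32"),        # any source: too broad
    ("dmz-internal", "10.10.0.10/32", "10.20.0.10/32"),    # gateway -> Integration Server
    ("dmz-internal", "10.10.0.20/32", "10.20.0.10/32"),    # proxy -> Integration Server
    ("dmz-internal", "10.20.0.33/32", "10.10.0.20/32"),    # Adapter Engine -> proxy
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_RULES):
        print("not covered by zone policy:", finding)
```

A source wider than any partner range, such as `0.0.0.0/0`, is classified as `other` and reported, which is how the check enforces the "known business partners" restriction.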

In addition, you should install a Web dispatcher between the application gateway and the Integration Server network area for load balancing purposes.

If a high-availability solution is required, a solution for all installed network components (proxy, application gateway, Web dispatcher, firewalls) must be implemented. This solution depends on the actual components and their individual high-availability features. For more information about high availability, see SAP Service Marketplace at service.sap.com/ha.

In the solution described above, both the Integration Server and its Adapter Engines communicate with internal and external systems.

Depending on the security requirements, a dedicated Integration Server for B2B messaging can be added in a separate network zone. This provides enhanced security because it impedes direct access from the Internet to the more critical A2A Integration Server and A2A Adapter Engines.

Keep in mind that this solution requires more PI configuration effort because work has to be distributed between the B2B and the A2A Integration Servers. SAP recommends that the B2B Integration Server and Adapter Engines do all necessary business checks by using sender agreements. Actual routing and mapping will take place in the A2A network area, while the B2B Integration Server only forwards incoming messages to its A2A peer.

Whenever an external connection cannot generally be secured by the network architecture, SAP strongly recommends that you use VPN technology for this connection.

For information about protecting the Integration Server and the business systems themselves, see the recommendations in the SAP NetWeaver Security Guide.