Technology Blogs by Members
Explore a vibrant mix of technical expertise, industry insights, and tech buzz in member blogs covering SAP products, technology, and events. Get in the mix!
cancel
Showing results for 
Search instead for 
Did you mean: 
former_member290907
Participant
5,246
Thought about writing this blog after learning how to use Azure Application Gateway to access SAP web-based services such as Webdypro and FIORI applications via intranet or internet.

Application Gateway manages to navigate web applications by making routing decisions based on the URI path and HTTP header.

Following are some exciting features of Application Gateway:


1.    It is a layer 7 load balancer that means it only manages web traffic.
2.    It supports Offloading SSL capabilities
3.    It does routing based on URL
4.    It does round-robin distribution of incoming traffic to route request among target servers
5.    It can set up multi-site hosting.

 

Following are four different tiers of application gateway along with their pricing



  1. Standard

  2. Standard V2

  3. Web Application Firewall

  4. Web Application Firewall V2


Application Gateway BASIC/Standard SKU Size





















Average back-end page response size Small Medium Large
6 KB 7.5 Mbps 13 Mbps 50 Mbps
100 KB 35 Mbps 100 Mbps 200 Mbps


  1. The above table shows an average performance throughput for each application gateway instance with SSL offload enabled

  2. Basic/Standard Application Gateway with single instance count does not support high availability as it needs two or more cases for the HA setup.

  3. Small App GW instance is only recommended for development and testing scenarios.

  4. Instance size can be changed from medium to large without disruption after App GW setup


Application Gateway Standard V2 Tier

  1. V2 version supports the public IP-address configuration to allow internet traffic.

  2. Standard V2 Application Gateway supports high availability and spreads instances across fault and update domains

  3. It also has an auto-scaling feature, which is not present in the Standard v1 version.


You must be wondering why can't we use Azure Private Load Balancer to distribute traffic b/w SAP application nodes because it is less complicated to configure and no dedicated Subnet is required. Also, a private load balancer is cheaper than the application gateway.

However, the following are the reasons that we need the Application Gateway to distribute web traffic.

  1. A Private load balancer does not support the SSL offloading hence it can only run with HTTP protocol.

  2. Application Gateway is known as OSI 7 layer load balancer and hence support the ROUND ROBIN algorithm for traffic distribution. Also, it has multi-site hosting and URL based routing features. Whereas, private load balancers use a 5 tuple distribution algorithm (source IP, source port, destination IP, destination port, protocol type) hash to map traffic to available servers


Application Gateway Architecture


We had a requirement of deploying the Application Gateway for FIORI applications. Along with it, we configured the standalone Active-Active web dispatchers to route traffic (based on the rules defined in dispatcher profile) to respective FIORI backend servers.

Therefore, we had three-layer architecture:

  1. Layer 1 - Application Gateway with SSL termination

  2. Layer 2 - SAP Web Dispatchers

  3. Layer 3 - SAP Backend servers S4HANA 1809 with embedded FIORI (Front End Server 5.0)


Application Gateway Configuration


Assuming, SAP web dispatchers are already installed.

Following are the required details I provided while setting up the Application Gateway.


Application Gateway Tier: Standard, tier standard can only support intranet access as we don't have such requirement to access any of these web site through an internet.








Create backend pool but don't add target systems






During the configuration, you have to provide the certificate PFX file to let application gateway accessible on port 443. Therefore, get SSL certificate generated for both s4hana.com and fiori.com websites.

Since, azure application gateway is cloud service hence CSR can be generated using IIS (configured on local machine) or using utility such as DigiCert Certificate Utility for Windows. I used, IIS to generate both CSR and private key. Refer below blog.

https://docs.druva.com/Knowledge_Base/inSync/How_To/Using_Microsoft_IIS_to_generate_CSR_and_Private_...




Enter the FQDN of the website



Refer above table and update details to configure routing rules


Application Gateway is configured successfully.


Now, add the required target systems (web dispatcher) in backend pool.



Save your changes.

SAP Web Dispatcher Configuration


Update following parameter in both SAP web dispatcher profiles

#-----------------------------------------------------------------------
# Back-end system configuration
#-----------------------------------------------------------------------

  • wdisp/system_conflict_resolution = 1

  • wdisp/ping_protocol = https

  • wdisp/group_info_protocol = https

  • wdisp/url_map_protocol = https

  • wdisp/add_client_protocol_header = true

  • wdisp/handle_webdisp_ap_header = 1

  • wdisp/add_xforwardedfor_header = true

  • icm/server_port_0 = PROT=HTTP,PORT=8003

  • wdisp/system_1 = SID=<FIORI_SID>, MSHOST=<ABAP_Front-End_Message_Server_Host>, MSPORT=<ABAP_Front-End_Message_Server_Port>, SRCSRV=*:8003, SRCURL=/sap/opu;/sap/public;/sap/bc

  • wdisp/system_2 = SID=<S4_SID>, MSHOST=<ABAP_Back-End_Message_Server_Host>, MSPORT=<ABAP_Back-End_Message_Server­_Host>, SRCSRV=*:8003, SRCURL=/sap/es


Perform dispatcher configuration check and confirm no error.

FIORI Testing


https://fiori.com:443/sap/bc/ui5_ui5/ui2/ushell/shells/abap/FioriLaunchpad.html


FIORI URL is working fine with Azure Application Gateway website

Conclusion


In this blog post I have explained in detail about Azure Application Gateway Setup with SSL termination to access SAP FIORI launchpad via internet/intranet.

 

 

 

 

 

 

 

 

 

 
3 Comments
Labels in this area