
DMZ and the Portal

Former Member

Hello,

I hope this is the right forum for this question. Our Portal is up and running fine; however, we are having problems with our DMZ and need to replace it. Can anyone tell me what, if any, configuration will need to be done with the new DMZ?

Thanks in advance

Stephanie

Accepted Solutions (1)

martin_juen2

Normally you run only the Web Dispatcher in a DMZ. This one connects to the portal.

If you use another server in a DMZ, you have to install a new Web Dispatcher. Normally the profile of the first WD helps to customize the new one...

Regards, Martin

Answers (2)

Former Member

Hi Stephanie,

I just came to think of this (we have a rather large DMZ installation ourselves): you need to check whether the new DMZ will have the same name/setup as the old one with regard to certificate trust if you're using single sign-on or other trust across domains. If not, you might have to install new certificates on your Web Dispatcher and on your server on the internal/LAN side.

So please have certificates in mind when re-designing your landscape.

Kind Regards,

Soren

Former Member

Is it possible to run with two DMZs? One to roll over to if something goes wrong.

Stephanie

martin_juen2

Hi,

Are you thinking about an HA solution for your Web Dispatcher in the demilitarized zone?

Or are you speaking about a standby WD which starts when the first WD causes problems?

HA: I think this should not be a problem. You have to take over the alias and the IP address and start the Web Dispatcher with the same configuration (port) as on the original server.

Standby WD: You can install a WD with the same configuration on an additional server. But what do you do when the original server fails? The URL points to the original server and you have to redirect it to the new server -> it's also some kind of HA.

I think you should use an HA solution for your WD - it's not too complicated and it's fail-safe.

Regards, Martin

Former Member

Hi Stephanie,

Usually you would run your system with a cluster solution, as you would have a DMZ in each server room. Then you would have your first server node in server room 1 and another in server room 2, both installed in the DMZ. When the active node fails, the clustering functionality would (depending on setup) stop using the non-functioning node, or it would switch resources to the second node. (It depends on whether you're running active/active, meaning both servers are used for load distribution, or active/passive, meaning one server is active and the other is waiting for the first server to fail; or, if you're running Web Dispatcher, it's a master/slave setup, as Web Dispatcher doesn't support the usual clustering mechanisms.) I won't get into too much detail, but it is possible to ensure user uptime using virtual nodes and proper linking (just never use physical hardware for pointers if you're running HA).

So to get back to your question: it isn't so much whether you have 2 DMZ zones available; it's more whether you have your hardware represented in different data centres, so that if something bad happens in one centre, or with the hardware itself, it will "fail over" to the backup solution, represented in the DMZ in the opposite data centre.

So yes it is possible to have a scenario where you are covered if something happens to the server/instance.

Kind Regards,

Soren

Edited by: Soeren Friis Pedersen on Dec 22, 2010 9:35 AM

Former Member

Thanks Soren. We will look at the setup of the hardware and creating the cluster. Are there any configuration changes that need to happen on the Portal side, i.e. adding an alias?

Former Member

Hi Stephanie,

In the portal, the system object pointing to the new cluster instance needs to point at the virtual node, which will always be available. So instead of an alias you use the virtual name of the clustered instance. Also, in the configuration parameters remember to use UNC paths (e.g. "\\virtualservernode\sapmnt\SID\SYS\profile" instead of "C:\usr\sap\SID\SYS\profile"). We have a problem due to this in my company at the moment, because it wasn't installed using virtual nodes and UNC paths, but using physical hardware nodes/names and non-UNC paths. So if the cluster fails over, it will be alive, but users would not be able to log on anymore, because their links (favourites etc.) point to physical node 1 of the cluster, and the system object in the portal points to the old node 1. It's easy enough to change the portal system object, but the parameters are wrong in the profile too, which is a bigger issue. So please be aware of the functionality in the cluster operation, and make sure to implement it according to best-practice methods so that you can avoid these issues.

Another way of controlling this would be to use a Web Dispatcher in front of your portal, so if you should encounter problems you only have one place to correct paths etc. So the users would have one link to the portal, and you could change what's behind the Web Dispatcher without any user interruption - they still just have the pointer for the Web Dispatcher as a single point of entrance to the portal. This is a solution I will implement myself in Q1 of next year, because I had issues with old saved favourites when I changed our portal environment to run HTTPS/SSL. Everyone still had the old link for HTTP - and you can't blame the users really; I use favourites a lot myself. So I want a single point of entry for the portal environment, no matter what's behind it.

I hope everything will be ok in your project.

Kind Regards,

Soren

Edited by: Soeren Friis Pedersen on Dec 23, 2010 7:37 AM
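The check a practitioner would want before a failover test, as an added example that is not from the thread or from SAP: it parses SAP "key = value" profile files and flags the two mistakes Soren describes above (physical cluster node names where the virtual name should be, and local drive paths where UNC paths on the virtual node should be), then rewrites them. The same check is applied to a Web Dispatcher profile, since Martin's accepted answer has the new DMZ Web Dispatcher customized from the old one's profile, and its backend host must also be the virtual name. The SID, hostnames, paths and both sample profiles are constructed for illustration and are assumptions, not values from the post.

```python
"""Added example (not from the original thread): check SAP profile files for
physical node names and local drive paths that break on cluster failover, and
rewrite them to the virtual cluster name / UNC paths.

All SIDs, hostnames, paths and the two sample profiles are constructed for
illustration (assumptions, not values from the thread)."""
import re

VIRTUAL_NODE = "ep1virt"                   # assumed virtual cluster name
PHYSICAL_NODES = {"ep1node1", "ep1node2"}  # assumed physical cluster nodes
SID = "EP1"                                # assumed system ID

# Constructed portal instance profile with both mistakes: a C:\ path and the
# physical node name ep1node1 (one parameter already uses the virtual UNC path).
PORTAL_PROFILE = r"""
# instance profile EP1_J00_ep1node1 (constructed sample)
SAPSYSTEMNAME = EP1
SAPGLOBALHOST = ep1node1
DIR_PROFILE = C:\usr\sap\EP1\SYS\profile
DIR_EXECUTABLE = \\ep1virt\sapmnt\EP1\SYS\exe\uc\NTAMD64
icm/host_name_full = ep1node1.example.corp
"""

# Constructed Web Dispatcher profile for the DMZ: the backend message server
# (MSHOST) points at a physical node, so it stops working when the cluster moves.
WD_PROFILE = r"""
# web dispatcher profile (constructed sample)
icm/server_port_0 = PROT=HTTPS, PORT=443
wdisp/system_0 = SID=EP1, MSHOST=ep1node1.example.corp, MSPORT=8101, SRCSRV=*:443
"""

UNC_RE = re.compile(r"^\\\\([^\\]+)\\")              # \\host\share\...
DRIVE_RE = re.compile(r"^[A-Za-z]:\\")                # C:\...
TOKEN_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9.-]*")  # hostnames / words in a value


def parse_profile(text):
    """Parse SAP profile lines of the form 'key = value'; '#' starts a comment."""
    params = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        params[key.strip()] = value.strip()
    return params


def check_profile(text, virtual_node, physical_nodes):
    """Return (parameter, problem) pairs for values that would break on failover."""
    physical = {n.lower() for n in physical_nodes}
    findings = []
    for key, value in parse_profile(text).items():
        if DRIVE_RE.match(value):
            findings.append((key, "local drive path, use a UNC path on the virtual node"))
            continue
        unc = UNC_RE.match(value)
        if unc:
            if unc.group(1).lower() != virtual_node.lower():
                findings.append((key, f"UNC path on '{unc.group(1)}' instead of '{virtual_node}'"))
            continue
        # Any hostname token whose short name is a physical node is a failover risk
        # (covers plain names, FQDNs and sub-parameters such as MSHOST=...).
        for token in TOKEN_RE.findall(value):
            if token.split(".")[0].lower() in physical:
                findings.append((key, f"references physical node '{token}'"))
                break
    return findings


def rewrite_profile(text, virtual_node, physical_nodes, sid):
    """Rewrite physical node names to the virtual name and X:\\usr\\sap\\SID\\
    paths to \\\\virtual_node\\sapmnt\\SID\\; comments are left untouched."""
    node_re = re.compile(r"\b(" + "|".join(map(re.escape, sorted(physical_nodes))) + r")\b", re.I)
    drive_re = re.compile(r"^[A-Za-z]:\\usr\\sap\\" + re.escape(sid) + r"\\", re.I)
    out = []
    for raw in text.splitlines():
        if raw.strip().startswith("#") or "=" not in raw:
            out.append(raw)
            continue
        key, value = raw.split("=", 1)
        value = drive_re.sub(lambda m: "\\\\" + virtual_node + "\\sapmnt\\" + sid + "\\", value.strip())
        value = node_re.sub(virtual_node, value)
        out.append(f"{key.strip()} = {value}")
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for name, text in (("portal", PORTAL_PROFILE), ("web dispatcher", WD_PROFILE)):
        for key, problem in check_profile(text, VIRTUAL_NODE, PHYSICAL_NODES):
            print(f"{name}: {key}: {problem}")
        print(rewrite_profile(text, VIRTUAL_NODE, PHYSICAL_NODES, SID))
```

Run it against the real instance and Web Dispatcher profiles (with the real virtual name and node list) before the failover test; an empty finding list from `check_profile` on every profile is the condition Soren's post says the installation must satisfy. The rewrite only handles the Windows `X:\usr\sap\SID\` layout and whole-word node names, so review its output rather than applying it blindly.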

Former Member

Hi Soren,

We have been researching this for some time now and this is great information. I will pass it along and try to get started with this project.

Thanks so much!

Stephanie

Former Member

You need to check whether you are using service accounts specific to the DMZ domain, so that you can create them in the new DMZ as well. This applies to the Web Dispatcher or anything else you're running in the DMZ (CRM, E-Recruitment etc.).

Also, you might want to check with the network staff to make sure the correct ports are open if you use new firewalls or other routing hardware.

Kind Regards,

Soren