SAP
1 Introduction
Kemp's LoadMaster family of purpose-built hardware and Virtual Appliances (Virtual LoadMaster) offers advanced Layer 4 and Layer 7 server load balancing, content switching, SSL Acceleration and a multitude of other advanced Application Delivery Controller (ADC) and optimization features.
Kemp's LoadMaster fully supports SAP's key solutions and has been certified by SAP. The LoadMaster efficiently distributes user traffic for the SAP workloads so that users get the best performance experience possible. Also, High Availability (HA) and high capacity scale-out deployments of the SAP solutions are complemented from the network technology side.
The entire Kemp LoadMaster product family, including the Virtual LoadMaster (VLM), supports SAP.
For more information about Kemp, visit www.kemptechnologies.com.
1.1 Document Purpose
This document is intended to provide technical guidance on how to configure the Kemp LoadMaster product to provide various Application Delivery network services for SAP application HTTP protocol-based client traffic to SAP backend application systems.
Clients to an SAP backend are typically:
End users who are using different browser types to work interactively in SAP systems
Other SAP and non-SAP applications connecting using web-services or RESTful Application Program Interfaces (APIs) to an SAP backend system for application integration scenarios.
A particularly important use case of application integration is the integration of new SAP cloud-based solutions which SAP applications customers run in their own "on premise" data centers. This document was created from test experiences and results in a representative sample environment which is described later in the document. As this document is not intended to cover every possible deployment scenario, it may not address unique setup or requirements. The Kemp Support Team is available to provide solutions for scenarios which are not explicitly defined in this document.
1.2 Prerequisites
It is assumed that the reader is a network administrator or a person otherwise familiar with networking and general computer terminology. It is further assumed that the SAP environment has been set up and the Kemp LoadMaster has been installed. A network and an SAP administrator should work together on details which need to be coordinated between network and application configurations.
Other LoadMaster documentation can be referred to as needed from http://www.kemptechnologies.com/documentation.
The minimum requirements which should be met before proceeding are as follows:
LoadMaster firmware version 7.1 or later should be installed
SAP applications should be installed and configured
Internal and external DNS entries for the SAP applications should be configured
Access to the LoadMaster Web User Interface (WUI) should be established
2 Load Balancing SAP
Deploying an SAP environment can require multiple servers to provide High Availability (HA). Load balancing is necessary in this situation to distribute the traffic amongst these servers.
Kemp recommends the configuration as depicted in the above diagram. The SAP Customer Relationship Management (CRM) application is depicted as a representative of SAP Business Suite components, which run on the SAP NetWeaver ABAP platform. The SAP NetWeaver Portal is an example of a component running on the NetWeaver Java platform and the SAP Business Object Explorer is a representative of SAP's Business Intelligence (BI) solutions. The LoadMaster should be configured in analogous ways as described in this document for other SAP NetWeaver ABAP and Java and SAP BI solutions. If your configuration differs from the recommended configuration and there are issues deploying the LoadMaster, please contact the local Kemp Support Team for assistance.
3 Configuring Virtual Services for SAP
The below sections provide instructions and recommended configuration options for setting up a Kemp LoadMaster to work with the SAP NetWeaver-based and SAP BI solutions. For clarity, the following applications are used as representative examples:
SAP CRM on the SAP NetWeaver-ABAP platform
SAP Enterprise Portal on the NetWeaver-Java platform
SAP Business Objects Explorer (BOE)
For an explanation of each of the fields mentioned, refer to the Web User Interface Configuration Guide.
3.1 Ports
In some cases, the ports used for accessing SAP CRM are non-standard to provide better security. In general, all ports used by the SAP backend systems can be freely configured by the SAP application administrator. The standard HTTP 80 and HTTPS 443 ports for Internet-facing traffic are supported as well and may also be used during the configuration. However, the purpose of an ADC is to provide standard ports 80/443 for the Internet-facing traffic and route that traffic to non-standard ports used on the SAP backend systems as a passive security measure.
3.1.1 Persistence
Persistence sends each subsequent request that a client makes to the Virtual Service to the same SAP server node of a scale-out cluster deployment.
Source IP Address Persistence
Source IP Address persistence can be used but take care before enabling it because:
Clients from behind a Network Address Translation (NAT) device show up as a single IP address
It can result in uneven connection distribution
Cookie Persistence
If cookies are used, there is no negative impact. The name of the cookie does not have any specific requirements.
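The uneven distribution that Source IP Address persistence can cause behind NAT, compared with cookie persistence, shown as an added example (not Kemp code). It is a simplified model with constructed clients and hypothetical server names, and it assumes round-robin scheduling and one cookie per browser session.

```python
"""Simplified model of persistence on top of round-robin scheduling."""
from collections import Counter
from itertools import cycle

REAL_SERVERS = ["sap-node-1", "sap-node-2", "sap-node-3"]  # hypothetical names


def constructed_clients():
    """Constructed sample: 60 sessions behind one NAT address, 30 direct."""
    nat = [{"session": f"nat-{i}", "src_ip": "203.0.113.10"} for i in range(60)]
    direct = [{"session": f"dir-{i}", "src_ip": f"198.51.100.{i + 1}"}
              for i in range(30)]
    return nat + direct


def distribute(clients, key):
    """Pin each distinct persistence key to the next round-robin server.

    key="src_ip"  models Source IP Address persistence.
    key="session" models cookie persistence (one cookie per browser session).
    Returns a Counter of sessions per Real Server.
    """
    scheduler = cycle(REAL_SERVERS)
    pinned = {}                                  # persistence table
    load = Counter({server: 0 for server in REAL_SERVERS})
    for client in clients:
        value = client[key]
        if value not in pinned:
            pinned[value] = next(scheduler)      # first request: scheduler decides
        load[pinned[value]] += 1                 # later requests: persistence decides
    return load


def imbalance(load):
    """Difference between the busiest and the idlest Real Server."""
    return max(load.values()) - min(load.values())


if __name__ == "__main__":
    clients = constructed_clients()
    for mode, key in (("Source IP", "src_ip"), ("Cookie", "session")):
        load = distribute(clients, key)
        print(f"{mode:9s} {dict(load)} imbalance={imbalance(load)}")
```
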
3.1.2 SSL Acceleration
When SSL Acceleration is enabled on the Kemp LoadMaster, there are two options that can be leveraged. Which option to choose is primarily determined by the corporate security policies within the organization.
SSL Offloading
This option allows the LoadMaster to accept connections from the clients encrypted over HTTPS and then send the traffic to the SAP backend application unencrypted over HTTP. In some environments this is not permitted due to the possible security risks.
SSL Reencrypt
This option allows the LoadMaster to accept connections from the clients encrypted over HTTPS and then re-encrypt the traffic over HTTPS before sending it to the SAP backend application. This configuration typically meets the security requirements of most organizations.
3.1.3 Certificates
Certificates play a large part in the configuration of the SAP applications. Several certificate types will be used as part of this configuration and must be imported into the LoadMaster. More information about managing LoadMaster certificates can be found in the SSL Accelerated Services Feature Description.
3.1.3.1 Server Certificates
In order to encrypt the traffic between the client and the LoadMaster, the necessary certificates must be installed. If the configuration is going to be encrypted traffic from end to end, the same certificates on the back end systems can be used for this purpose. These certificates can either be in .PEM or .PFX formats and are imported under Certificates & Security > SSL Certificates in the main menu of the LoadMaster WUI.
3.1.3.2 Reverse Proxy Client Certificates
This certificate is used to authenticate the LoadMaster to the backend systems. This certificate should be imported prior to the configuration of the LoadMaster Virtual Services. These certificates can either be in .PEM or .PFX formats and are imported under Certificates & Security > SSL Certificates in the main menu of the LoadMaster WUI.
3.1.3.3 Intermediate Certificates
These certificates are imported to allow the LoadMaster to trust the Certificate Authorities used in obtaining the Server and Client Certificates. These certificates are in Base64 format and are imported under Certificates & Security > Intermediate Certs in the main menu of the LoadMaster WUI.
4 Template
Kemp has developed a template containing our recommended settings for this workload. You can install this template to help create Virtual Services (VSs) because it automatically populates the settings. You can use the template to easily create the required VSs with the recommended settings. You can remove templates after use and this will not affect deployed services. If needed, you can make changes to any of the VS settings after using the template.
Download released templates from the following page: LoadMaster Templates.
For more information and steps on how to import and use templates, refer to the Virtual Services and Templates, Feature Description on the Kemp Documentation page.
5 Enable Subnet Originating Requests Globally
It is best practice to enable the Subnet Originating Requests option globally.
In a one-armed setup (where the Virtual Service and Real Servers are on the same network/subnet) Subnet Originating Requests is usually not needed. However, enabling Subnet Originating Requests should not affect the routing in a one-armed setup.
In a two-armed setup where the Virtual Service is on network/subnet A, for example, and the Real Servers are on network B, Subnet Originating Requests should be enabled on LoadMasters with firmware version 7.1-16 and above.
When Subnet Originating Requests is enabled, the LoadMaster routes traffic so that the Real Server sees traffic arriving from the LoadMaster interface that is in that network/subnet.
When Subnet Originating Requests is enabled globally, it is automatically enabled on all Virtual Services. If the Subnet Originating Requests option is disabled globally, you can choose whether to enable Subnet Originating Requests on a per-Virtual Service basis.
To enable Subnet Originating Requests globally, follow the steps below:
1. In the main menu of the LoadMaster Web User Interface (WUI), go to System Configuration > Miscellaneous Options > Network Options.
2. Select the Subnet Originating Requests check box.
6 Configure the Virtual Service for SAP CRM
6.1 SAP CRM Offloaded
To configure an offloaded Virtual Service for SAP CRM, follow the steps below:
1. In the main menu of the LoadMaster WUI, go to Virtual Services > Add New.
2. Enter a Virtual Address.
3. Enter 44300 in the Port field.
The port may differ depending on SAP environment. To ensure you use the correct port, please consult with your SAP administrator.
4. Enter a recognisable Service Name, for example SAP CRM Offloaded.
5. Ensure that tcp is selected as the Protocol.
6. Click Add This Virtual Service.
7. Configure the settings as shown in the following table:
| Section | Option | Value | Comment |
|---|---|---|---|
| Basic Properties | Service Type | HTTP/HTTPS | |
| Standard Options | Transparency | Disabled | |
| | Persistence Mode | Active Cookie | |
| | Persistence Timeout | 8 Hours | |
| | Cookie name | Enter a unique cookie name. | Click Set Cookie. |
| | Scheduling Method | round robin | |
| | Idle Connection Timeout | 1800 | Click Set Idle Timeout. |
| SSL Properties | SSL Acceleration | Enabled | Click OK. |
| | Certificates | Select the certificate previously imported. | Click the > button to assign the certificate. * |
| | Require SNI hostname | Disabled | |
| | Support TLS Only | Enabled | |
| | Client Certificates | No Client Certificates Required | |
| Real Servers | Real Server Check Method | HTTP Protocol | |
| | Use HTTP/1.1 | Enable | |
| | HTTP Method | HEAD | |
* Information about managing LoadMaster certificates can be found in the SSL Accelerated Services Feature Description.
8. Add the Real Servers:
a) Click the Add New button.
b) Enter the Real Server Address.
c) Enter the correct Port.
Please use the IP Address and Port of the backend server.
The Forwarding method and the Weight values are set, by default, to those shown in the diagram in the Real Servers section above. If required these settings may be altered.
d) Click Add this Real Server. Click OK to close the pop-up message.
e) Repeat steps b) to d) above to add more Real Servers as needed, based on the environment.
6.2 SAP CRM Reencrypted
To configure a reencrypted Virtual Service for SAP CRM, follow the steps below:
1. In the main menu of the LoadMaster WUI, go to Virtual Services > Add New.
2. Enter a Virtual Address.
3. Enter 44300 in the Port field.
The port may differ depending on SAP environment. To ensure you use the correct port, consult your SAP administrator.
4. Enter a recognisable Service Name, for example SAP CRM Re-encrypted.
5. Ensure that tcp is selected as the Protocol.
6. Click Add This Virtual Service.
7. Configure the settings as shown in the following table:
| Section | Option | Value | Comment |
|---|---|---|---|
| Basic Properties | Service Type | HTTP/HTTPS | |
| SSL Properties | SSL Acceleration | Enabled | |
| | Reencrypt | Enabled | |
| | Certificates | Select the certificate previously imported. | Click the > button to assign the certificate. * |
| | Require SNI hostname | Disabled | |
| | Support TLS Only | Enabled | |
| | Client Certificates | No Client Certificates required | |
| Standard Options | Persistence Mode | Active Cookie | |
| | Persistence Timeout | 8 Hours | |
| | Cookie name | Enter a unique cookie name. | Click Set Cookie. |
| | Idle Connection Timeout | 1800 | Click Set Idle Timeout. |
| Real Servers | Real Server Check Method | HTTPS Protocol | |
| | Use HTTP/1.1 | Enabled | |
| | HTTP Method | HEAD | |
* Information about managing LoadMaster certificates can be found at http://kemptechnologies.com/documentation/.
8. Add the Real Servers:
a) Click the Add New button.
b) Enter the Real Server Address.
c) Enter the correct Port.
Please use the IP Address and Port of the backend server.
The Forwarding method and the Weight values are set, by default, to those shown in the above Add New Real Server screen. If required these settings may be altered.
d) Click Add this Real Server. Click OK to close the pop-up message.
e) Repeat steps b) to d) above to add more Real Servers as needed, based on the environment.
9. Set the Reencryption Client Certificate to be used in the Virtual Service:
The Reencryption Client Certificate is the client certificate the LoadMaster presents when connecting to an HTTPS Real Server. This is only needed if the Real Server requires it.
a) In the main menu of the LoadMaster WUI, go to Certificates & Security > SSL Certificates.
b) Click the Reencryption Usage button for the client certificate installed earlier.
c) Select the IP Address for the CRM Virtual Service and click the > button to move the IP address to the Assigned VSs box.
d) Select Save Changes.
7 Configure the Virtual Service for SAP Enterprise Portal
7.1 SAP Enterprise Portal Offloaded
To configure an offloaded Virtual Service for SAP Enterprise Portal, follow the steps below:
1. In the main menu of the LoadMaster WUI, go to Virtual Services > Add New.
2. Enter a Virtual Address.
3. Enter 50001 in the Port text box.
The port may differ depending on the SAP Portal environment. To ensure you use the correct port, consult your SAP administrator.
4. Enter a recognisable Service Name, for example SAP Enterprise Portal Offloaded.
5. Ensure that tcp is set as the Protocol.
6. Click Add This Virtual Service.
7. Configure the settings as shown in the following table:
| Section | Option | Value | Comment |
|---|---|---|---|
| Basic Properties | Service Type | HTTP/HTTPS | |
| Standard Options | Transparency | Disabled | |
| | Persistence Mode | Active Cookie | |
| | Persistence Timeout | 8 Hours | |
| | Cookie name | Enter a unique cookie name. | Click Set Cookie. |
| | Idle Connection Timeout | 1800 | Click Set Idle Timeout. |
| SSL Properties | SSL Acceleration | Enabled | |
| | Certificates | Select the previously imported certificate. | Click the > button to assign the certificate. * |
| | Require SNI hostname | Disabled | |
| | Support TLS Only | Enabled | |
| | Client Certificate | No Client Certificates required | |
| Real Servers | Real Server Check Method | HTTP Protocol | |
| | Use HTTP/1.1 | Enabled | |
| | HTTP Method | HEAD | |
* Information about managing LoadMaster certificates can be found at http://kemptechnologies.com/documentation/.
8. Add the Real Servers:
a) Click the Add New button.
b) Enter the Real Server Address.
c) Enter the correct Port.
Please use the IP Address and Port of the backend server.
The Forwarding method and the Weight values are set, by default, to those shown in the above image. If required these settings may be altered.
d) Click Add this Real Server. Click OK to close the pop-up message.
e) Repeat steps b) to d) above to add any additional Real Servers as needed, based on environment.
7.2 SAP Enterprise Portal Reencrypted
To configure a reencrypted Virtual Service for SAP Enterprise Portal, follow the steps below:
1. In the main menu of the LoadMaster WUI, go to Virtual Services > Add New.
2. Enter a Virtual Address.
3. Enter 50001 in the Port text box.
The port may differ depending on the SAP Portal environment. To ensure you use the correct port, consult your SAP administrator.
4. Enter a recognisable Service Name, for example SAP Enterprise Portal Reencrypt.
5. Ensure that tcp is set as the Protocol.
6. Click Add This Virtual Service.
7. Configure the settings as shown in the following table:
| Section | Option | Value | Comment |
|---|---|---|---|
| Basic Properties | Service Type | HTTP/HTTPS | |
| SSL Properties | SSL Acceleration | Enabled | |
| | Reencrypt | Enabled | |
| | Certificates | Select the certificate previously imported. | Click the > button to assign the certificate. * |
| | Require SNI hostname | Disabled | |
| | Support TLS Only | Enabled | |
| | Client Certificates | No Client Certificates required | |
| Standard Options | Persistence Mode | Active Cookie | |
| | Persistence Timeout | 8 Hours | |
| | Cookie name | Enter a unique cookie name. | Click Set Cookie. |
| | Idle Connection Timeout | 1800 | Click Set Idle Timeout. |
| Real Servers | Real Server Check Method | HTTPS Protocol | |
| | Use HTTP/1.1 | Enabled | |
| | HTTP Method | HEAD | |
* Information about managing LoadMaster certificates can be found in the SSL Accelerated Services Feature Description.
8. Add the Real Servers:
a) Click the Add New button.
b) Enter the Real Server Address.
c) Enter the correct Port.
Please use the IP Address and Port of the backend server.
The Forwarding method and the Weight values are set, by default, to those shown in the above image. If required these settings may be altered.
d) Click Add this Real Server.
e) Repeat steps b) to d) above to add any additional Real Servers as needed, based on environment.
9. Set the Reencryption Client Certificate to be used in the Virtual Service:
The Reencryption Client Certificate is the client certificate the LoadMaster presents when connecting to an HTTPS Real Server. This is only needed if the Real Server requires it.
a) In the main menu of the LoadMaster WUI, go to Certificates & Security > SSL Certificates.
b) Click the Reencryption Usage button for the client certificate installed earlier.
c) Select the IP Address for the CRM Virtual Service and click the > button to move the IP address to the Assigned VSs box.
d) Select Save Changes.
8 Configure the Virtual Services for SAP Business Objects
8.1 SAP Business Objects Offloaded
To configure an offloaded Virtual Service for SAP Business Objects, follow the steps below:
1. In the main menu of the LoadMaster WUI, go to Virtual Services > Add New.
2. Enter a Virtual Address.
3. Enter 8080 in the Port text box.
The port may differ depending on SAP BOE environment. To ensure you use the correct port, consult your SAP administrator.
4. Enter a recognisable Service Name, for example SAP Business Objects Explorer Offloaded.
5. Ensure that tcp is set as the Protocol.
6. Click Add This Virtual Service.
7. Configure the settings as shown in the following table:
| Section | Option | Value | Comment |
|---|---|---|---|
| Standard Options | Transparency | Disabled | |
| | Persistence Mode | Active Cookie | |
| | Persistence Timeout | 8 Hours | |
| | Cookie name | Enter a unique cookie name. | Click Set Cookie. |
| | Idle Connection Timeout | 1800 | Click Set Idle Timeout. |
| SSL Properties | SSL Acceleration | Enabled | |
| | Reencrypt | Disabled | |
| | Certificates | Select the certificate previously imported. | Click the > button to assign the certificate. Click Set Certificates. * |
| | Require SNI hostname | Disabled | |
| | Supported Protocols | TLS1.0, TLS1.1, TLS1.2, and TLS1.3 enabled | While this workload may not support TLS1.3 yet, Kemp recommends enabling it for future proofing. |
| | Client Certificates | No Client Certificates required | |
| Real Servers | Real Server Check Method | HTTP Protocol | |
| | Use HTTP/1.1 | Enabled | |
| | HTTP Method | HEAD | |
* Information about managing LoadMaster certificates can be found in the SSL Accelerated Services Feature Description.
8. Add the Real Servers:
a) Click the Add New button.
b) Enter the Real Server Address.
c) Enter the correct Port.
Please use the IP Address and Port of the backend server.
The Forwarding method and the Weight values are set, by default, to those shown in the above image. If required these settings may be altered.
d) Click Add this Real Server.
e) Repeat steps b) to d) above to add any additional Real Servers as needed, based on the environment.
8.2 SAP Business Objects Reencrypted
To configure a reencrypted Virtual Service for SAP Business Objects, follow the steps below:
1. In the main menu of the LoadMaster WUI, go to Virtual Services > Add New.
2. Enter a Virtual Address.
3. Enter 8080 in the Port text box.
The port may differ depending on SAP BOE environment. To ensure you use the correct port, consult your SAP administrator.
4. Enter a recognisable Service Name, for example SAP Business Objects Explorer Re-encrypted.
5. Ensure that tcp is set as the Protocol.
6. Click Add This Virtual Service.
7. Configure the settings as shown in the following table:
| Section | Option | Value | Comment |
|---|---|---|---|
| Standard Options | Transparency | Disabled | |
| | Persistence Mode | Active Cookie | |
| | Persistence Timeout | 8 Hours | |
| | Cookie name | Enter a unique cookie name. | Click Set Cookie. |
| | Idle Connection Timeout | 1800 | Click Set Idle Timeout. |
| SSL Properties | SSL Acceleration | Enabled | |
| | Reencrypt | Enabled | |
| | Certificates | Select the previously imported certificate. | Click > to assign the certificate. Click Set Certificates. * |
| | Require SNI hostname | Disabled | |
| | Client Certificates | No Client Certificates required | |
| Real Servers | Real Server Check Method | HTTPS Protocol | |
| | Use HTTP/1.1 | Enabled | |
| | HTTP Method | HEAD | |
* Information about managing LoadMaster certificates can be found in the SSL Accelerated Services Feature Description document on the Kemp Documentation Page.
8. Expand the Real Servers section and set the following options:
a) Select the HTTPS Protocol option in the health check drop-down menu.
b) Select the Use HTTP/1.1 check box.
c) Select HEAD as the HTTP Method.
9. Add the Real Servers:
a) Click the Add New button.
b) Enter the Real Server Address.
c) Enter the correct Port.
Please use the IP Address and Port of the backend server.
The Forwarding method and the Weight values are set, by default, to those shown in the above image. If required these settings may be altered.
d) Click Add this Real Server.
e) Repeat steps b) to d) above to add any additional Real Servers as needed, based on the environment.
10. Set the Reencryption Client Certificate to be used in the Virtual Service:
The Reencryption Client Certificate is the client certificate the LoadMaster presents when connecting to an HTTPS Real Server. This is only needed if the Real Server requires it.
a) In the main menu of the LoadMaster WUI, go to Certificates & Security > SSL Certificates.
b) Click the Reencryption Usage button for the client certificate installed earlier.
c) Select the IP Address for the CRM Virtual Service and click the > button to move the IP address to the Assigned VSs box.
d) Select Save Changes.
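A pre-flight probe that mirrors the Real Server check settings used in sections 6 to 8 (HTTP or HTTPS Protocol, Use HTTP/1.1, HEAD), so that a backend address and port can be confirmed before it is added as a Real Server. This is an added example, not Kemp code; the function names, the sample addresses and the rule that only a 2xx status counts as healthy are assumptions.

```python
"""Pre-flight probe for SAP Real Servers: HEAD over HTTP/1.1, HTTP or HTTPS."""
import http.client
import ssl


def probe(host, port, use_https=False, url="/", cafile=None,
          client_cert=None, timeout=5.0):
    """Return (healthy, detail) for one Real Server.

    use_https=False matches the offloaded services (HTTP Protocol check).
    use_https=True  matches the reencrypted services (HTTPS Protocol check).
    cafile:      PEM bundle of the CA that issued the backend certificate.
    client_cert: PEM file holding certificate and key, only needed when the
                 backend requires a client certificate.
    Assumption: only a 2xx status counts as healthy.
    """
    conn = None
    try:
        if use_https:
            # Certificate and hostname verification stay enabled.
            ctx = ssl.create_default_context(cafile=cafile)
            if client_cert:
                ctx.load_cert_chain(client_cert)
            conn = http.client.HTTPSConnection(host, port, timeout=timeout,
                                               context=ctx)
        else:
            conn = http.client.HTTPConnection(host, port, timeout=timeout)
        conn.request("HEAD", url)   # http.client sends HTTP/1.1 with a Host header
        resp = conn.getresponse()
        resp.read()                 # a HEAD response carries no body
        return 200 <= resp.status < 300, f"{resp.status} {resp.reason}"
    except ssl.SSLError as exc:
        # Untrusted certificate, name mismatch, or a plain HTTP port probed as HTTPS.
        return False, f"TLS failure: {exc.__class__.__name__}"
    except (OSError, http.client.HTTPException) as exc:
        return False, f"no valid HTTP response: {exc.__class__.__name__}"
    finally:
        if conn is not None:
            conn.close()


def check_pool(real_servers, **kwargs):
    """Probe every (host, port) pair; return {"host:port": (healthy, detail)}."""
    return {f"{host}:{port}": probe(host, port, **kwargs)
            for host, port in real_servers}


if __name__ == "__main__":
    # Constructed addresses; use the backend IP and port given by the SAP administrator.
    pool = [("192.0.2.11", 44300), ("192.0.2.12", 44300)]
    for name, (ok, detail) in check_pool(pool, use_https=True, timeout=2.0).items():
        print(f"{name}: {'UP' if ok else 'DOWN'} ({detail})")
```

A TLS failure reported for a backend that is meant to be reencrypted usually means the issuing CA is missing from `cafile`, which corresponds to importing the intermediate certificates described in section 3.1.3.3.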
9 Additional Features
Additional Kemp LoadMaster security and optimization features can be enabled for the deployment of SAP. The deployment steps and configuration settings of these features can be found in the documents which are listed in the References section of this document. These documents can be found on the Kemp documentation web page: http://kemptechnologies.com/documentation/
Edge Security Pack (ESP) - A solution that provides edge security, SSO application integration and flexible authentication options is critical for optimal user experience and information security policy compliance.
Web Application Firewall (WAF) - This enables secure deployment of web applications, preventing Layer 7 attacks while maintaining core load balancing services which ensures superior application delivery and security.
Content Caching - The LoadMaster can cache static content that fits certain criteria (file extension, query string, caching headers, size, and so on). As long as the file meets these criteria it can be stored locally in the LoadMaster to avoid unnecessary requests to the Real Server to retrieve the file.
Intrusion Detection - The LoadMaster's implementation of Intrusion Detection leverages Snort. Snort is an open source network intrusion prevention and detection system (IDS/IPS). Snort rules can be imported to the LoadMaster and applied to HTTP/HTTPS connections.
References
The following sources are referred to in this document:
Kemp website
Kemp Documentation page: http://kemptechnologies.com/documentation/
SSL Accelerated Services, Feature Description: http://kemptechnologies.com/documentation/
Web User Interface (WUI), Configuration Guide: http://kemptechnologies.com/documentation/
Web Application Firewall (WAF), Feature Description: http://kemptechnologies.com/documentation/
Virtual Services and Templates, Feature Description: http://kemptechnologies.com/documentation/
Last Updated Date
This document was last updated on 10 March 2022.