SSH Tectia Client, ConnectSecure, and Server software can be used to secure application TCP/IP traffic without changing the network architecture, the application software settings, or the user experience. The SSH Tectia client/server solution captures the application traffic transparently and pushes it to the target server through an encrypted and optionally authenticated tunnel.
The following steps are a typical example of application traffic security deployment:
Compile a list of the application servers to be secured, and a list of the user workstations from which secure application traffic needs to be provided.
The example environment in Figure 6.10 contains the Management Server, the SAP Application Server (sapserver.example.com), and Windows workstations requiring secure access to the SAP Server.
The Management Agent has been deployed to all target hosts as described in step 2 of Secure System Administration. SSH Tectia Client has been deployed to the workstation hosts and SSH Tectia Server to the SAP Application Server as described in step 3 of Secure System Administration.
Ensure that traffic to TCP/IP port 22 (the standard port for Secure Shell traffic) is allowed through firewalls within the target environment.
In SSH Tectia Manager, create the SSH Tectia Client tunneling rules for the applications that are to be secured. See SSH Tectia Client User Manual and SSH Tectia Manager Administrator Manual for details.
The SSH Tectia Server configuration requires tunneling settings that allow users in group sapuser to open local tunnels to the named ports used by SAP GUI traffic on the SAP Application Server; no other destinations are permitted. Remote tunnels via the SSH Tectia Server running on the SAP Application Server are denied for everyone. Example tunneling settings are shown in Figure 6.11.
The SSH Tectia Client software on the user workstations needs to be configured to capture and tunnel the SAP GUI traffic transparently. Figure 6.12 shows a tunneling policy rule which captures and encrypts all SAP traffic (the application parameters define the captured ports) from hosts in the Workstations group to hosts in the Servers group. The traffic is tunneled directly to the destination host.
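The following ssh-server-config.xml fragment is an added illustration of the server-side tunneling policy described above for the SAP Application Server; it is not the contents of Figure 6.11 and not a configuration shipped with SSH Tectia. It assumes the element names of the Tectia Server 5.x configuration file (check them against the SSH Tectia Server Administrator Manual for the installed version) and that the SAP GUI dispatcher listens on port 3200 (SAP instance 00; the port is 32nn for instance nn). In a managed environment the same settings are entered in SSH Tectia Manager rather than edited by hand.

```xml
<!-- Fragment of ssh-server-config.xml on sapserver.example.com (added example,
     assumed 5.x element names and SAP instance 00 on port 3200). -->
<services>
  <!-- Members of the operating-system group "sapuser" get the rule below. -->
  <group name="sapuser">
    <selector>
      <user-group name="sapuser" />
    </selector>
  </group>

  <rule group="sapuser">
    <!-- Transparent application tunneling needs no shell: deny terminal
         access so the account can only be used for forwarding. -->
    <terminal action="deny" />
    <!-- Local (client-to-server) tunnels only to the SAP GUI dispatcher on
         this host. Tunnel elements are matched in order, so the trailing
         deny refuses every other destination explicitly. -->
    <tunnel-local action="allow">
      <dst fqdn="sapserver.example.com" port="3200" />
    </tunnel-local>
    <tunnel-local action="deny" />
    <!-- Remote (server-to-client) tunnels are denied for everyone. -->
    <tunnel-remote action="deny" />
  </rule>

  <!-- Default rule for users outside group sapuser: nothing is permitted. -->
  <rule>
    <terminal action="deny" />
    <tunnel-local action="deny" />
    <tunnel-remote action="deny" />
  </rule>
</services>
```

The point of the explicit trailing deny rules is that the Secure Shell account is then useful only for reaching the one service it was created for; a compromised workstation credential cannot be turned into a shell on the application server or into a pivot to other hosts behind it.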
Deploy the configurations to the managed hosts.
The created SSH Tectia Server configuration is assigned and deployed to the SAP Application Server as described in step 5 of Secure System Administration. The example tunneling rule is dynamically allocated to each host belonging to the group Workstations upon configuration deployment to the corresponding hosts. The tunneling rules are combined into an SSH Tectia Client configuration file when the deployment process is initiated, and the rules are deployed to the target hosts in a manner similar to the SSH Tectia Client/Server configuration deployment.
Once the new configurations are deployed, the SSH Tectia Client software on the workstations transparently captures the SAP GUI traffic and forwards it in an authenticated and encrypted tunnel to the SSH Tectia Server software running on the SAP Application Server. See Figure 6.13.
SSH Tectia Server then decrypts the traffic and forwards it to the SAP Server software on the server host. All return traffic is also routed through the tunnel. No configuration changes are needed in the SAP software running on the workstations or on the Application Server host. Connections other than those matched by the SAP application definition are not affected, and they are still transmitted in plaintext.
SSH Tectia Server status monitoring and log gathering are described in step 11 of Secure System Administration.
Test the secured application traffic to ensure connectivity.
Train the staff on implications of secure connectivity using SSH Tectia software (for availability of SSH Tectia training services in your region, please contact your local SSH sales). Depending on the implementation, training needs may be minimal.
If unsecured connectivity to the application servers is to be prevented, the host firewall on each application server must block the plaintext application ports from remote hosts while still permitting connections from the server host itself, which SSH Tectia Server needs in order to forward the decrypted traffic to the application, and must continue to allow TCP port 22.
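The connectivity test and the host-firewall step above can be checked together with the following script, which is an added example and not part of SSH Tectia or its documentation. Run from a workstation, it expects the Secure Shell port on the application server to accept connections and every plaintext application port to be refused or filtered. The hostname sapserver.example.com and the SAP dispatcher port 3200 (assumed SAP instance 00) are assumptions to adjust for the environment; the loopback self-test constructs its own listening and closed ports so the checker can be exercised offline.

```python
"""Exposure check for a secured application server (added example).

Expects the Secure Shell port to be open and each plaintext application
port to be closed as seen from the host running the script.  Hostname and
port numbers below are assumptions for the example environment.
"""
import socket
import sys
from dataclasses import dataclass

SSH_PORT = 22
SAP_DISPATCHER_PORT = 3200  # assumption: SAP instance 00 (sapdp00 = 3200)


@dataclass
class PortCheck:
    host: str
    port: int
    expect_open: bool
    observed_open: bool

    @property
    def ok(self) -> bool:
        return self.expect_open == self.observed_open


def tcp_open(host: str, port: int, timeout: float = 2.0) -> bool:
    """True if a TCP handshake to host:port completes before the timeout.

    A refused port (ConnectionRefusedError) and a filtered port (timeout)
    both raise OSError subclasses and are reported as closed.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def check_exposure(host, ssh_port=SSH_PORT, app_ports=(SAP_DISPATCHER_PORT,),
                   timeout=2.0):
    """Probe one server: ssh_port must be open, each app port must be closed."""
    results = [PortCheck(host, ssh_port, True, tcp_open(host, ssh_port, timeout))]
    for port in app_ports:
        results.append(PortCheck(host, port, False, tcp_open(host, port, timeout)))
    return results


def all_ok(results) -> bool:
    return all(r.ok for r in results)


def loopback_selftest():
    """Run the checker against constructed loopback conditions.

    A listening socket stands in for the Secure Shell port; an ephemeral
    port that was bound and released stands in for the blocked application
    port.  Returns the list of PortCheck results.
    """
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    probe = socket.socket()
    probe.bind(("127.0.0.1", 0))
    closed_port = probe.getsockname()[1]
    probe.close()
    try:
        return check_exposure("127.0.0.1",
                              ssh_port=listener.getsockname()[1],
                              app_ports=(closed_port,), timeout=1.0)
    finally:
        listener.close()


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "sapserver.example.com"
    checks = check_exposure(target)
    for c in checks:
        state = "open" if c.observed_open else "closed"
        print(f"{'OK  ' if c.ok else 'FAIL'} {c.host}:{c.port} is {state}")
    sys.exit(0 if all_ok(checks) else 1)
```

This confirms reachability only. To confirm that the SAP GUI session really travels inside the tunnel, capture traffic on the application server's network interface during a test session: only port 22 packets should appear, and a capture on the workstation should show no plaintext connection to the dispatcher port.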
The choice of authentication method has implications for the user experience. SSH Tectia offers a range of authentication options for secure application connectivity, such as:
No additional authentication. In this scenario SSH Tectia provides only transparent application tunneling and user authentication is performed by the application only.
PKI and hardware tokens. SSH Tectia provides support for a wide range of PKI and hardware token solutions. See Chapter 8 for PKI-related considerations and configuration examples.
RSA SecurID. SSH Tectia provides out-of-the-box support for RSA SecurID authentication.
Windows domain Authentication. GSSAPI provides seamless authentication using Windows domain credentials.
For more information on the various authentication options, see SSH Tectia Client User Manual, SSH Tectia Server Administrator Manual, or whitepaper Choosing the Authentication Method at http://www.ssh.com/resouces.