Scribd
Upload
122 views

Imp Note - NWA Site

This document describes how to prevent access to NetWeaver Administrator (NWA) administration URLs in the Internet Communication Manager (ICM) by configuring filter rules. Specific rules are provided to prevent access completely, for external administration only, or to allow access for certain network segments. The client IP address can be determined using a temporary redirect rule.

Uploaded by

Dinakar Babu Janga
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as TXT, PDF, TXT or read online on Scribd
122 views

Imp Note - NWA Site

This document describes how to prevent access to NetWeaver Administrator (NWA) administration URLs in the Internet Communication Manager (ICM) by configuring filter rules. Specific rules are provided to prevent access completely, for external administration only, or to allow access for certain network segments. The client IP address can be determined using a temporary redirect rule.

Uploaded by

Dinakar Babu Janga
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as TXT, PDF, TXT or read online on Scribd
You are on page 1/ 4

Symptom

You want to prevent access to administration URLs of the NetWeaver Administrator


in the Internet Communication Manager (ICM).
Other Terms
URL, Uniform Resource Locator, ICM, NWA, SAP NetWeaver Administrator
Reason and Prerequisites
You use AS Java 7.x.
Solution
The URLs for NWA have a unique prefix and can be filtered out in the ICM on a ru
le basis.
In the profile file (we recommend the default profile DEFAULT.PFL), configure th
e following modification handler:
icm/HTTP/mod_0 = PREFIX=/,FILE=$(DIR_GLOBAL)/security/data/icm_filter_rules.txt
You must then create the rule file in the specified directory and specify the fi
lter rules.
If you want to prevent access to administration requests completely, you sho
uld define the following rule:
RegIRedirectUrl ^/webdynpro/resources/sap. com/tc~lm~itsam~ui~mainfra
me~wd/(.)*$ /nwa/remote_access_error [QSA]
If you want to prevent access to administration requests for external admini
stration, you should define the following rule:
if %{REMOTE_ADDR} !stricmp 127.0.0.1 [AND]
if %{REMOTE_ADDR} !stricmp ::1
RegIRedirectUrl ^/webdynpro/resources/sap. com/tc~lm~itsam~ui~mainfra
me~wd/(.)*$ /nwa/remote_access_error [QSA]
If you want to allow access to administration requests for certain network s
egments (for example, 10.18.*), you should define the following rule:
if %{REMOTE_ADDR} !regimatch 10.18.*.*
RegIRedirectUrl ^/webdynpro/resources/sap. com/tc~lm~itsam~ui~mainfra
me~wd/(.)*$ /nwa/remote_access_error [QSA]
If you do not want to restrict access to the administration requests to cert
ain clients, remove the lines from the file or turn the lines into a comment:
#if %{REMOTE_ADDR} !stricmp 127.0.0.1 [AND]
#if %{REMOTE_ADDR} !stricmp ::1
#RegIRedirectUrl ^/webdynpro/resources/sap. com/tc~lm~itsam~ui~mainfr
ame~wd/(.)*$ /nwa/remote_access_error [QSA]
The syntax for IPv6 addresses is as follows:
Local host is the string "::1"

An example for an IPv6 address is "fe80::21c:c4ff:fedc".


The IP address of the client can be determined with the following (temporary) ru
le:
RegIRedirectUrl ^/ipaddr_echo /echo?clientip=%{REMOTE_ADDR}
Use the browser/client to call the following URL on the server: http://<host>:<h
ttp_port>/ipaddr_echo
In the client/browser, the system now displays the IP address of the client in t
he URL line (for example, http://server.sap.com/echo?clientip=10.18.55.11).
It is important that you remember to remove the temporary rule again.

Header Data
Released On
17.11.2011 08:47:20
Release Status Released for Customer
Component
BC-CST-IC Internet Communication Manager
Other Components
BC-JAS-COR Enterprise Runtime, Core J2EE Framework
Priority
Recommendations / Additional Info
Category
Consulting
Validity
Software Component
From Rel.
To Rel.
And Subsequent
KRNL32NUC
7.20
7.20
7.20EXT
7.20EXT
7.21
7.21
7.21EXT
7.21EXT
KRNL32UC
7.20

7.20
7.20EXT
7.20EXT
7.21
7.21
7.21EXT
7.21EXT
KRNL64NUC
7.20
7.20
7.20EXT
7.20EXT
7.21
7.21
7.21EXT
7.21EXT
7.40
7.40
7.41
7.41
KRNL64UC
7.20
7.20
7.20EXT
7.20EXT

7.21
7.21
7.21EXT
7.21EXT
7.40
7.40
7.41
7.41
SAP_BASIS
710
730
KERNEL
7.20
7.21
7.40
7.40
7.41
7.41
7.42
7.42

You might also like