By Richard Hirsch

The role of agents in hybrid (OnDemand / OnPremise) environments or why Corporate IT isn’t going to disappear any time soon

The use of OnDemand software in the enterprise space is  evolving as the market becomes more mature. For some use cases, there is a shift  from pure OnDemand applications to platforms that harness the best of the new  SaaS applications and existing OnPremise assets. 

I started thinking about this development and how such applications are embedded in real corporations. Too often, pure SaaS applications represent Shadow IT in which Corporate IT is regarded as a hindrance and its involvement is not viewed as necessary or desirable. The pitfalls of such efforts can be very costly, as portrayed by a recent blog by Gartner analyst Thomas Otter about SaaS contracts.

As SaaS HCM deals come up for renewal, and procurement gets involved, it is now crystal clear that most HR departments have been contracting for HCM software without IT procurement involvement. One of our findings is that most of the time, HR departments are rather poor negotiators. Software vendors have had a field day, and not just on pricing. Most of the time HR just signs the boilerplate, and the boilerplate is typically one-sided, like All Blacks v Japan one-sided.

Indeed, SAP Business ByDesign has marketed its OnDemand  offering as one that largely eliminates the need for Corporate IT.


A quick rant about Corporate IT

The life of the typical enterprise user is affected by  Corporate IT in a variety of areas.   Software used must be governed, paid for,  supported, etc.  Usually, corporate users are only interested in the IT services  when something doesn’t work or the application that they need is unavailable.   As long as the service works, then users shouldn’t be aware of the existence of  such services.

Corporate involvement, however, encompasses more than  software –   there are a variety of other related services that exist in the  background (network, telephone, security, servers, etc) without which most  employees couldn’t work at all. In this blog, I’d like to examine Corporate IT  using this broader context.

The role of agents in Hybrid Environments

During the recent Influencer Summit in Boston, Peter Lorenz  (executive vice president and corporate officer) keynoted  on SAP’s Cloud Strategy. For me, one slide where Lorenz talked about the  involved technology rang a bell.  In particular, the ‘SAP Cloud Connector’ was  familiar. 



Lorenz described the Connector as a packaged approach that  was based on lightweight peer-to-peer communication and which includes a reverse  proxy.   This description resonated and reminded me of other “agents” that  mediate between the OnDemand and OnPremise worlds – many of which I have seen in  other contexts / conversations with SAP.

I recalled a TweetChat in December concerning the new  OnDemand Portal where another ‘agent’ was discussed.


The conversation referred to the Enterprise Agent that is  used by StreamWork and which has the following architecture.



Now, I have no idea if these are separate agents or the same  one but what is evident is that a hybrid environment as it is often proposed by  SAP requires additional OnPremise components beyond the existing OnPremise  systems (ERP, CRM, LDAPs, Active Directories, etc) that are to be integrated  with the OnDemand offerings.

The StreamWork agent is currently in productive use and thus  the instructions on how to use it are the best documented. Let’s take a quick  look at the network protocols necessary to configure this agent. 



Although such network configuration tasks are quite common for Corporate IT, they are tasks that can’t be performed by ‘Business’. The involvement of Corporate IT is therefore necessary or such solutions will not function.

Note: It is important to state that I am not  questioning the validity of such agents. Their usage is often necessary in such  hybrid environments to reduce complexity and meet certain corporate policies  (for example, those related to security). Despite this usefulness, there will be  a variety of OnDemand customers who have a pure OnDemand environment (for  example, many SME customers) – their configuration will usually be less complex  and can largely be set up without the involvement of Corporate IT.  However, as ByDesign  is focusing on medium-sized companies, many of which have subsidiaries,  hybrid environments will probably be common for such customers. 

Corporate IT tasks associated with the integration of external and internal systems are not new. For example, this document from 2006 describes options and strategies to secure Internet-facing SAP Portals and depicts steps similar to those described in the StreamWork document. Such tasks are also not restricted to SAP’s Cloud offerings but are a major general challenge in such environments (as this post regarding the necessity to bridge Amazon VPC and an enterprise’s own IT infrastructure reveals).

If SaaS integration is not planned  properly, it creates a “cloud in the corner” syndrome – a condition where new  cloud-based SaaS solutions are disconnected from existing IT resources. The  result: fragmented enterprise data scattered across the cloud.

CIOs have seen this “cloud in the corner” and data silo problem too many times in the past. They know how this movie is likely to unfold. Data quality and integration issues — aggregating data from the myriad sources and services within an organization — are CIOs’ and IT Architects’ top concern about SaaS and the main reason they hesitate to adopt it (data security is another concern). [SOURCE]

Thus, this problem is inherent in most complex SaaS data  integration scenarios – regardless of the vendor.


Other SAP OnDemand offerings where Corporate IT support is necessary

SAP has a variety of OnDemand offerings which are currently  entering public betas. In such applications, the desire to use synergies with  existing OnPremise infrastructure is increasing and understandable.

For example, a recent webinar with the SAP  River team depicted the ability to use external identities in this new OnDemand  offering. The use case is that a company could allow Single Sign On with SAP  River so that users wouldn’t have to login separately to the platform but could  login once in their internal environment (for example, via Windows / Active  Directory) and then be authenticated automatically accessing their SAP River  applications. 

To use this identity management-related functionality, a SAML  interface must be enabled / configured in SAP River.



This configuration is not trivial and requires the experience  of Corporate IT to perform it correctly.  Indeed, I expect such identity  management–related configurations to increase in number as SAP’s Java-based PaaS  evolves and becomes available to more users. 

Why is NetWeaver Gateway different?

Although Gateway is not an SAP OnDemand offering, it also represents an example where OnPremise content is being made available to externals. In this case, developers are accessing data via REST APIs. The typical Gateway architecture can also include a mix of internal and external components (which may or may not include OnDemand offerings).



Yet, the necessity to involve Corporate IT – don’t forget we are using a broad definition here – in the set-up of such environments is assumed / accepted and openly described, as the post “How to Architect SAP NetWeaver Gateway for Dummies (and for Experts)” about Gateway by John Appleby demonstrates.

If you are deploying  applications that allow access from the outside world, like mobile apps, into  your SAP network, and security is paramount, then you should deploy a separate  instance of NetWeaver Gateway into a demilitarised zone or DMZ. This provides  separation between your core SAP network and your edge. You can get the network  team to lock down the NetWeaver Gateway system which will make it very difficult  for unwanted visitors to penetrate your network.

Indeed, the official SAP  Documentation on NW Gateway contains a great deal of material about security  and configuration of this environment.

An awareness of the importance of Corporate IT in Gateway-related activities is also evident in SAP’s marketing of NetWeaver Gateway as a  slide below demonstrates.



I was curious as to why this distinction exists. I assume it is related to the different audiences on which SAP’s two marketing campaigns are focused. The OnDemand marketing is focused more on the Business / Department level user (who assumes that Corporate IT is ‘Evil Incarnate’) while the Gateway marketing campaign is currently focused more on developers, who are perhaps more realistic regarding the necessity of involving Corporate IT in such environments.


This blog has focused on the technical aspects of this  integration; there are a variety of other Corporate IT-related aspects which  must be considered when dealing with hybrid environments:

Developing strategic (data  governance), tactical (consistent data integration requirements) or operational  (vendor selection) strategies to deal with this emerging “internal-to-cloud”  data quality problem is a growing priority in 2012. Otherwise most enterprises  are going to get less than optimal value from various SaaS solutions. Things are  likely to get out of control pretty quickly. [SOURCE]

Thus, it is evident that hybrid architectures require  Corporate IT involvement – regardless of whether this fact is inconvenient for  SAP OnDemand marketing efforts to “Business”. This is the reality of the complex  IT infrastructure of most corporations.

I’m not suggesting that the emergence of OnDemand offerings  won’t lead to a major change in how Corporate IT relates to Business.  I’m just  advocating an honest approach when discussing such environments.  This would  avoid unrealistic expectations from all (end-users, customers, Corporate IT,  etc) involved.   
