Agentry Network Landscapes
The ANGEL connection is a TCP connection used for the Agentry platform. The network connection setup, especially when users will be establishing a connection from outside the network firewall, can prove problematic for users. Please note, these instructions apply to standalone Agentry 4.4.2 through 6.0 and SMP 2.3. Agentry versions prior to 4.4.2 do not use the ANGEL protocol, and as of SMP 3.0 Agentry uses HTTPS with WebSockets for client-to-server connections. A load balancer can be used at any point between the Agentry Clients and Agentry Server to direct the different connections to the Agentry Server should one be needed.
In the images below I have listed a Load Balancer in case there are multiple Agentry Servers. As the Agentry Servers don't load balance client connections between themselves, a third-party load balancer would need to be used. The load balancer can be a hardware or software version, but this is optional and isn't required if only one Agentry Server is being used. If no load balancer is being used, the Agentry Client can just connect directly to the Agentry Server or to a Reverse Proxy. If a load balancer is used, it needs to be configured as TCP pass-through to allow connections to reach the Agentry Server.
More information for ANGEL connection can be found here: https://service.sap.com/sap/support/notes/1816645
Some common questions are:
Should the Agentry Server be in the DMZ?
Can a proxy or load balancer be used for client connections?
Do users have to have a VPN?
What firewall ports need to be opened?
Most network landscapes for Agentry connections fall into one of the following four:
1) Agentry Server within an Internal Network and a Reverse Proxy is used within a DMZ
- Only one port needs to be opened from the DMZ through the internal firewall to let client connections come in from the DMZ
- The Reverse Proxy can change the incoming client port and send the connection out on the port the Agentry Server is listening on
- The port that needs to be opened in the firewall is a TCP connection
2) Agentry Server within the DMZ
- A TCP connection doesn't have to be opened for clients to connect to the Agentry Server within the internal network
- The Agentry Server needs to open all the ports needed for each backend system (different backends have different connections)
- If any users are connecting from the internal network, the ANGEL port will also need to be opened
3) Devices use a VPN Connection to the Internal Network
- No ports need to be opened externally
- VPN software may have added costs
- The device has to connect by VPN before it is able to connect to the Agentry Server
4) No External User Access permitted
- No ports need to be opened externally
- Users have to be in an area covered by the internal network to be able to transmit to the server
There is no “one solution” that is considered recommended or ideal. Every company has different network setups and business needs, and each should choose the network environment that is right for them.
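As an added illustration of landscape 1 (not part of the original post and not taken from SAP documentation), this is what a TCP pass-through reverse proxy in the DMZ looks like when built with nginx's stream module. The addresses, ports and log path are placeholders, and the sketch assumes an nginx build that includes the stream module.

```nginx
# nginx.conf on the DMZ host (added example; all addresses, ports and paths
# below are placeholders, not values from the Agentry documentation).
worker_processes auto;

events {
    worker_connections 1024;
}

# "stream" relays raw TCP. Nothing in here parses HTTP, so the ANGEL
# traffic reaches the Agentry Server byte for byte (TCP pass-through).
stream {
    # One line per relayed session: who connected, for how long, and which
    # internal server received it. Useful for firewall and incident review.
    log_format angel '$remote_addr [$time_local] $protocol $status '
                     '$bytes_sent $bytes_received $session_time '
                     '"$upstream_addr"';
    access_log /var/log/nginx/angel_access.log angel;

    upstream agentry_angel {
        # Internal Agentry Server and the port its ANGEL listener uses.
        # This host:port pair is the only rule the internal firewall needs
        # for client traffic, restricted to the proxy's DMZ address.
        server 10.0.20.15:7003;
        # Further "server" lines only when several Agentry Servers exist.
    }

    server {
        # Port opened on the external firewall. It differs from the
        # backend port on purpose: the proxy remaps it, as described above.
        listen 8443;
        proxy_pass agentry_angel;

        proxy_connect_timeout 5s;   # fail fast if the server is unreachable
        proxy_timeout 10m;          # close sessions idle longer than this
    }
}
```

The same server block placed inside an `http {}` context would treat the traffic as HTTP, which is not TCP pass-through.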
For more information on what ports the Agentry Server uses to connect to backend servers see:
Agentry SAP Applications: https://service.sap.com/sap/support/notes/1998514
Agentry Maximo Applications: coming soon
Other Agentry connections: coming soon
I like that really. Do you have an updated paper about SMP 3.0 and Agentry?
Would be nice.
With SMP 3.0 and Agentry the only real change is that the communications are over a websockets connection instead of a direct TCP/IP connection. This allows for proxy servers supporting websocket connections to be used instead of TCP pass through connections to the Agentry server.
The Agentry clients with SMP 3.0 use an https URL to connect to the Agentry server and by default work on port 8081, but of course can use the standard https port (443) when using a proxy server.
Everything else is still the same.
I would like to know if the Apache reverse proxy can be used as a reverse proxy for SMP 2.3 SPS 4 and with an Agentry application. Based on the SAP note:
1916947 - Agentry apps do not work with reverse proxy
It seems that it can't be used as a reverse proxy. Is this true? Do I have to use nginx for Reverse Proxy as indicated in the SAP note "1904213 - SAP Mobile Platform Server Release Information"? If yes, can I use the How-to guide for SMP 3.X available in this link:
How-to-Guide for Reverse Proxy and Load Balancing in SAP Mobile Platform 3.x
Thanks in advance for your collaboration.
You should post this as a question to the group so that it will get more visibility and you can then mark answered once completed.
I was wondering which would be the recommended Reverse Proxy to implement in the first landscape: External Firewall -> DMZ Reverse Proxy -> Internal Firewall -> Agentry Server...
Thanks in advance for any help on this matter.
There is no recommended Reverse Proxy, as most projects use what the customer already has in the system.
Stephen, thanks for your input. So, if in our case we are able to implement any reverse proxy, which would be the ones that are better suited for the task, especially for Windows platforms?
Thanks in advance for any input.