Direct Live Connections in the Internet Scenario
In my last blog, Introducing Direct Live HANA Connections in SAP Analytics Cloud, I talked about the new “Direct” connectivity option for live HANA connections based on the HTML5 CORS specification. Direct live connectivity has now become the recommended connectivity option for all live connectivity data sources, including HANA, BW, S4 and universe. With this connectivity option, a reverse proxy is no longer needed as long as the end user’s web browser has direct access to the backend system. But what if some end users are on the Internet and don’t have direct access to the backend system? Well, as with any web application server, you can “publish” the web server (in this case, the HANA/BW/S4/BIP system) to the Internet.
This can be done with various infrastructure options, such as port mapping, etc., but the most commonly used approach is to add a reverse proxy in your DMZ for the backend HANA/BW/S4/BIP system. But wait a minute, reverse proxy again?? Didn’t we introduce the Direct connectivity option to avoid reverse proxies in the first place? Well, the reverse proxy here serves a totally different purpose from the one in traditional reverse proxy-based live connectivity, which was to bypass the web browser’s Same Origin Policy. In this case, the sole purpose of the reverse proxy is to publish the backend system to the Internet. Technically, this means:
- No complicated reverse proxy rules needed for URL rewriting, for both non-SSO and SSO scenarios.
- Only the backend system is reverse proxy’ed, not the SAP Analytics Cloud (SAC) system.
As a result, we can use SAP Web Dispatcher for this purpose, and Apache is not mandatory anymore. This offers great relief to many customers as they are able to get SAP product support on SAP Web Dispatcher, while Apache, as a third-party open-source product, offers community support only. We therefore recommend using SAP Web Dispatcher for this purpose.
Below is a snippet of a sample Web Dispatcher profile for this scenario:
```
# Backend System
# This is the rule for the HANA system
wdisp/system_1 = SID=HN2, EXTSRV=https://righana2.yourcompany.corp:4300, SRCURL=/, SRCSRV=*:4310

# SAP Web Dispatcher Ports
icm/server_port_0 = PROT=HTTP,PORT=8010
icm/server_port_1 = PROT=HTTPS,PORT=4310
```
Some prerequisites and best practice tips:
- Note that in the earlier version of the blog post, I provided an option for the SAP Web Dispatcher to issue the CORS headers. The updated recommendation is to make sure that the backend system issues the CORS headers, and Web Dispatcher just passes them through.
- As the Web Dispatcher’s root URL is used to map to the HANA system, this Web Dispatcher is used for the HANA/BW/S4/BIP system exclusively. If you would like to use the Web Dispatcher for other systems as well, make sure a dedicated virtual host/port is allocated for the backend system.
- If there are multiple instances of server nodes for the backend system, it is recommended to turn on load balancing on the Web Dispatcher to leverage the entire server cluster and distribute the workload for optimal performance. Important: make sure session stickiness is configured on the Web Dispatcher so that live connection requests within a session are always routed to the same server instance.
For the SAML 2 SSO scenario, make sure your backend SAML 2 SP metadata is revised so that the Assertion Consumer URL points to the new reverse proxy’ed URL.
One more word on the SSO scenario. For the Internet scenario, the SAML 2 Identity Provider (IdP) must be accessible on the Internet too. This can be a cloud-based SAML 2 IdP on the Internet, or an on-premises SAML 2 IdP which has been made available to the Internet – how this is done is beyond the scope of this blog, but most likely you will publish it via a reverse proxy too.
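The CORS pass-through tip above can be verified on any response captured through the reverse proxy. The following is an added example, not code from the original post or from SAP; the tenant origin and the header samples are constructed, and it assumes live connection requests are credentialed (they carry the backend session cookie).

```python
TENANT = "https://mytenant.example.com"  # hypothetical SAC tenant origin

# Constructed response headers as seen by the browser through the reverse proxy.
PASS_THROUGH = [("Content-Type", "application/json"),
                ("Access-Control-Allow-Origin", TENANT),
                ("Access-Control-Allow-Credentials", "true")]
# The same response when the proxy also injects its own Allow-Origin header.
DOUBLED = PASS_THROUGH + [("Access-Control-Allow-Origin", TENANT)]
WILDCARD = [("Access-Control-Allow-Origin", "*")]


def cors_problems(headers, tenant_origin):
    """headers: list of (name, value) pairs from one response via the proxy."""
    def values(name):
        # A header repeated on separate lines equals one comma-joined line.
        return [v.strip() for n, val in headers if n.lower() == name
                for v in val.split(",") if v.strip()]

    problems = []
    origins = values("access-control-allow-origin")
    if not origins:
        problems.append("no Access-Control-Allow-Origin: backend CORS is off "
                        "or the proxy strips the header")
    elif len(origins) > 1:
        problems.append(f"{len(origins)} Access-Control-Allow-Origin values: "
                        "likely set by both the proxy and the backend")
    elif origins[0] == "*":
        # Browsers refuse a wildcard origin on credentialed requests.
        problems.append("wildcard origin is rejected for credentialed requests")
    elif origins[0] != tenant_origin:
        problems.append(f"origin {origins[0]!r} does not match {tenant_origin!r}")
    # Assumption: requests are credentialed, so this header must be 'true'.
    if values("access-control-allow-credentials") != ["true"]:
        problems.append("Access-Control-Allow-Credentials is not exactly 'true'")
    return problems


if __name__ == "__main__":
    for label, sample in (("pass-through", PASS_THROUGH),
                          ("doubled", DOUBLED), ("wildcard", WILDCARD)):
        print(label, "->", cors_problems(sample, TENANT) or "ok")
```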
Hi, thanks for your post. Any idea when HANA 2.0 will be supported?
Hi Patrick, HANA 2.0 support is planned to be released in Wave 2017.16.
Thank you Dong. These are great posts.
Perhaps not entirely obvious, and so I thought I’d add a bit:
The Reverse Proxy hostname:port would need to be used in the SAC-Connections-HANA Live Connections-(direct connection)-Host and HTTPS Port for the client to connect to HANA via the Reverse Proxy. Reverse Proxy here, as you say, will be rewriting the headers to give the impression the Reverse Proxy is the HANA system to the client browser.
I think my understanding is right? Regards, Matthew
Correct, I also see it that way.
Which brings me to the next question: How can I use this “reverse-proxy’ed” host and port inside my SAC Live Connection details for
at the same time? Is this hybrid approach even possible?
Your hybrid approach should be possible with a "Split-DNS" configuration. With Split-DNS you have the possibility to reach your reverse proxy from different directions (Internet, corporate network) with one FQDN.
Is it possible to use direct connections if we have HANA DB as a service deployed on CF in SAP (hosted on AWS)? I would like to use SAC on an existing deployed application.
I have the same problem. Could you solve it?
In the snippet, you have authorized all URLs of the HANA server to be published on the Internet, including the administration UI for example. It could be better to authorize only the URLs used by SAC / CORS. Do you have the list of those URLs?
Yes, in a production deployment, it is recommended to restrict the URL path based on what's actually required. SAC consumes the HANA InA service only, and its URL path is /sap/bc/ina/service/v2/.
For the SAML SSO use case, you would need to expose the URL to this package as well: sap.hana.xs.formLogin.
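A small audit for the restriction discussed in this reply, added here as an example and not taken from the post or from SAP: it parses `wdisp/system_*` lines in the profile format shown in the post and reports any `SRCURL` prefix wider than the InA service. The `/sap/hana/xs/formLogin/` path and the semicolon-separated `SRCURL` list are assumptions, and `INA_ONLY` is a constructed variant of the post's profile.

```python
# InA path is from the page; the formLogin path is an ASSUMED URL for the
# XS package sap.hana.xs.formLogin (needed only for SAML SSO).
ALLOWED_PREFIXES = ("/sap/bc/ina/service/v2/", "/sap/hana/xs/formLogin/")

# The profile from the post, and a constructed variant with a narrowed SRCURL.
PUBLISH_ALL = """
wdisp/system_1 = SID=HN2, EXTSRV=https://righana2.yourcompany.corp:4300, SRCURL=/, SRCSRV=*:4310
icm/server_port_1 = PROT=HTTPS,PORT=4310
"""
INA_ONLY = PUBLISH_ALL.replace(
    "SRCURL=/,", "SRCURL=/sap/bc/ina/service/v2/;/sap/hana/xs/formLogin/,")


def parse_profile(text):
    """Return {parameter: {SUBKEY: value}} for each 'name = K=V, K=V' line."""
    params = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, _, value = line.partition("=")
        fields = {}
        for part in value.split(","):
            key, _, val = part.strip().partition("=")
            fields[key.upper()] = val.strip()
        params[name.strip()] = fields
    return params


def overbroad_srcurls(text):
    """Return (parameter, prefix) pairs that publish more than the allowlist."""
    findings = []
    for name, fields in parse_profile(text).items():
        if not name.startswith("wdisp/system_"):
            continue
        if "SRCURL" not in fields:
            findings.append((name, "<SRCURL not set>"))
            continue
        # Assumption: SRCURL is a semicolon-separated list of URL prefixes.
        for prefix in filter(None, fields["SRCURL"].split(";")):
            if not prefix.startswith(ALLOWED_PREFIXES):
                findings.append((name, prefix))
    return findings


if __name__ == "__main__":
    for label, profile in (("publish all", PUBLISH_ALL), ("InA only", INA_ONLY)):
        print(label, "->", overbroad_srcurls(profile) or "ok")
```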
For those interested,
Should you prefer to use Apache over SAP Web Dispatcher, here is a step-by-step blog with tutorial videos on how to configure an Apache SSL reverse proxy for use with SAP Analytics Cloud Live Connections (using CORS):
Thank you Dong,
Can the "direct" and "internet" options co-exist from a SAC tenant to the same backend BW/4HANA system?
What is the best practice / recommendation to configure:
(a) data connections within SAC, BW/4HANA.
(b) Data models, ideally referring to a single connection, rather than duplications.
Thanks for your information.
In my case, HANA DB is installed on AWS and we do have a cloud connector to use as a reverse proxy, which helps us to connect BTP, CF and the Neo platform.
How can we connect the HANA DB to SAC with the help of the cloud connector? It would be great if you could help with this scenario.
I am very new to this SAC integration, but I'm good at the cloud connector.
We are trying to connect SAP HANA DB (CF) with instance name and port in an SAC Trial account over the Internet. Do we need a reverse proxy for SAP HANA Cloud?
If yes, can you please explain how to configure it in the SAP HANA DB (CF) environment?