Skip to Content
Author's profile photo Miguel Peredo Zurcher

Reverse Proxy for Analytics cloud to BW/4 (in Azure) Live Bex Queries in 1 hour

Setting a reverse proxy in a complex scenario (big network) can be frustrating.

My advice is that first you meet with the different actors: infra team (Do we need to deploy a new host?, is it a VM, a docker image,etc.), network team (make new DNS entries,  is the host accessible by the users ?, who will generate the SSL certificate?), network security specialists (where to put the new host? Is there a need for it to be in DMZ?), OS specialist (linux or windows depending of the preferences), BASIS (Enable required services inside BW, check SP, notes, etc.) and explain what you are going to do, so they can understand who is responsible for what. One common mistake is to think this is a task for SAP Basis, but as you can see it’s a multiple team effort.

For experimenting with this kind of setup, you can try doing this with a BW/4 deployed in Azure cloud. This will help also when doing the planning for the real environment.This is what this blog is about: Connecting SAP analytics cloud live to Bex queries in a BW/4 deployed in Azure.

Note that there is also a new way of connecting that does not require the reverse proxy, this is explained here.

See also the Document – SAP First Guidance – Implement SAP BW/4HANA in the Azure Cloud

To be able to follow this steps you should have the following:


  • SAP BW/4HANA 1.0 SP05 and BPC 11 SP01 including BW/4 Content SP02 deployed to Azure from
  • Be able to connect via RDP (Remote Desktop) to that host
  • Have saved the .PEM file that is generated when you deploy the BW/4 to Azure
  • A paid account in SAP analytics cloud (The free one (TRIAL) does not allow connections to BW)


If you don’t have these 4 things, then you can refer to this steps, but you wont be able to follow them.


From this point on all the steps that I will perform are not in My PC but in the remote desktop from the Azure BW/4, except point 1, that is connecting to the remote desktop ;).


  1. Connect to the remote desktop


2. Copy the .PEM file

Copy the .PEM file that you should have downloaded when deploying your BW/4 Hana from CAL.SAP.COM to Azure to that remote desktop. I just sent it to my email, and opened the email in the browser in the remote desktop. (If you do not have this file you cannot continue!)


3. Connect via SSH to the Linux server.

3.1 Download an install PuTTY (64-bit version) in the remote host.

3.2 Follow the instructions from here:

The ones in this section:

How to connect to a running instance via the secure shell protocol (SSH)?

Use the following steps to generate the private key from PuTTYgen:

a. Log into your Windows operating system.
b. Run the puttygen.exe key generator file.
c. Choose Load to load the downloaded private key (.PEM file) from SAP Cloud Appliance Library.
d. Choose Save private key to save the file locally in PuTTY’s native format (*.PPK)
e. Choose Save.
3external. Log into your instance via a PuTTY client or a SSH client:
    If you use the PuTTY client, use the following steps to log into your instance:
    1. Log into your Windows operating system.
    2. Run the putty.exe client file.
    3. From the Category tree in the PuTTY Configuration dialog box, navigate to Connection -> SSH.
    4. Choose Auth and then choose Browse… to select the generated PuTTY private key from your local computer (see step 3).
    5. Choose Open.
    6. In the Category tree, navigate to Session.
    7. In the Host Name (use this name:vhcala4hcs ) field, specify the address of your instance created in SAP Cloud Appliance Library.
    8. Choose Open. When the log on prompt screen is displayed, enter root.

Now you should see:

4. Generate the certificate

The version of SuSE that is deployed to azure already contains an Apache httpd 2.x server installed, we just need to generate some certificates:

Using this guide I came up with this command:

openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/apache2/vhcala4hcs.key -out /etc/apache2/vhcala4hcs.crt

(the command is just one line)

This will generate the two files needed in folder /etc/apache2

I replied like this to the questions:

5.Change the configuration file

We need to modify the configuration of the Apache web server, based on this instructions:

in the putty terminal type: vi /etc/apache2/httpd.conf

This will open the VIM editor with the configuration file:

Using the down cursor key go to the end of the file:

Your file should end where the purple arrow is, press I, in the lower screen you will see — INSERT —

5.1 Copy the text from the Appendix A of this document to a notepad (always in the remote host), change your SAC hosts, then go back to putty, and right click, that will PASTE the text to the end of the configuration file.

5.2 Save the configuration file. Press ESC, then wq and Enter. (all this are VI / VIM commands that you can google if you are interested or not familiar)

5.3 now we should start the apached httpd server, type the following into putty terminal:

service apache2 start

and the you can type:

tail /var/log/messages

to confirm that the service has started



6. Test the configuration

Open Firefox in the remote desktop and go to this URL:


Add the security exception, since we used a self signed certificate in point 4.

You should see (it will ask for the BW password, user: developer, password: the master password you set).

7. Download and install chrome

Download and install chrome on the remote desktop.


Starting from step 8 all steps are carried out in the SAC webpage, using chrome running inside the remote desktop connection.

8. Create the connection

Open chrome, go to https://vhcala4hci.dummy.nodomain

Confirm the security exception. Close chrome.

Go to: https://vhcala4hci.dummy.nodomain again it will take you the SAP Analytics clouds logon page, login, then you will see:


(Notice that you have in the URL https://vhcala4hci.dummy.nodomain, but you are seeing the Analytics cloud page, the reverse proxy is working!)

8.1 Create a connection


The connection page, will appear click +

Set this parameters for the connection:


9. Run a query

Query: 2CRVCOLAPSTATUC/2CRVCOLAPSTATUQ is included an it contains the usage statistics of the system, let’s use that one.


9.1 Create a model based on query:



You will see the next screen , just press save


9.2 Create a story.

Create a story using that model, you will see the prompt of the query.

In the image is the prompt of the query in RSRT and in SAC, and then the results in both.




And now we have successfully setup the reverse proxy, and set up a connection to SAC.


IMPORTANT: Whenever you suspend your Azure instance, the Apache httpd service will stop.

Please execute the following command every time your instance is activated: service apache2 start from the PuTTY, like described in 5.3.










Appendix A

This is the piece of text you need to add the end of the file cd /etc/apache2/httpd.conf

Remember to replace the value of:

Define SAP_ANALYTICS_CLOUD with yours for example:



Copy below this line:


ServerName vhcala4hci.dummy.nodomain
LoadModule ssl_module /usr/lib64/apache2-prefork/
Listen 443

SSLEngine On
SSLCertificateFile "/etc/apache2/vhcala4hcs.crt"
SSLCertificateKeyFile "/etc/apache2/vhcala4hcs.key"

SSLProxyEngine on
SSLProxyCheckPeerCN Off
SSLProxyCheckPeerName Off

# Second part
LoadModule proxy_module /usr/lib64/apache2-prefork/
LoadModule proxy_http_module /usr/lib64/apache2-prefork/
LoadModule headers_module /usr/lib64/apache2-prefork/
LoadModule xml2enc_module /usr/lib64/apache2-prefork/


ProxyRequests off
ProxyPreserveHost on

RequestHeader append X-Custom-Host ${SAP_ANALYTICS_CLOUD}

# Third Part
ProxyPass /sac http://vhcala4hci:50000
ProxyPassReverse /sac http://vhcala4hci:50000
<Location /sac>
  ProxyPassReverseCookiePath /sap/bw/ina/GetResponse /sac/sap/bw/ina/GetResponse
#`  Header unset www-authenticate

ProxyPass / https://${SAP_ANALYTICS_CLOUD}/
ProxyPassReverse / https://${SAP_ANALYTICS_CLOUD}/

Assigned Tags

      You must be Logged on to comment or reply to a post.
      Author's profile photo Roland Kramer
      Roland Kramer

      Hello Miguel
      Nice Blog, thank you.

      Did you know, that you can replace the reverse Proxy with the CORS Implementation which also reduces the complexity?

      See also the Document - SAP First Guidance – Implement SAP BW/4HANA in the Azure Cloud

      Best Regards Roland

      Author's profile photo Miguel Peredo Zurcher
      Miguel Peredo Zurcher
      Blog Post Author

      Hello Roland,

      Thanks! Yes, I am aware of CORS. I even mentioned:

      "Note that there is also a new way of connecting that does not require the reverse proxy, this is explained here."

      Point 4.2.3 Connect the SAP system to sapservX from the document you mentioned was really useful for me. I will try it out. Anyways the first guidance document is really great.

      Thanks for bringing it up,

      Best Regards,


      PS.: Adding a link to the first guidance right now.