As a result of the recent Covid-19 pandemic and changing work practices, many users need access to SAP systems from remote locations (such as homes, hotels and coffee shops). As a result, SAP customers have realised the need to facilitate access to corporate systems from outside the corporate network. However, some customers do not want the administrative burden of VPNs. Providing access to remote users without a VPN poses a security challenge. How do you allow flexible and easy remote access whilst still ensuring security? This blog provides a method for this. It also goes further in that it provides a method to ensure that only the required users are able to connect, and that security is enforced by the back-end SAP system.

The blog assumes a scenario where SAP systems are hosted in AWS in a private subnet. However, the same general principles should still apply for other cloud service providers. The scenario also does not consider or allow for Single Sign-On (SSO) access. As such, users will still require basic authentication (user ID and password) when logging in to the SAP back-end systems.

The blog needs to be concise whilst still providing adequate information for most SAP Basis consultants to follow without going into too much detail. Therefore, it is assumed that the reader has reasonable experience in the following topics:

- AWS network load balancer configuration
- AWS EC2 instance provisioning and configuration

The following diagrams summarize the scenario and the configuration steps required for secure access for SAP GUI clients:

Figure 1: Not configured, no access provided to SAP GUI clients to SAP backend systems hosted on AWS

Figure 2: Steps required for a fully configured scenario

Refer to the above diagram for the main steps described below. Later in the blog, we will drill into each of these steps in more detail.

- A SAProuter is installed on an instance hosted in a private subnet in AWS, which redirects traffic to the backend SAP systems.
- An AWS network load balancer is configured with the SAProuter as its target. This will provide access to the SAProuter from the Internet, which in turn redirects traffic to the SAP backend systems.
- SAP GUI clients are configured to access the SAP backend systems via the AWS load balancer and SAProuter (at this stage the connectivity is not using SNC and is not encrypted).
- SNC is enabled on both the backend and SAP GUI clients.
- A server SNC certificate is exported and then imported to each client machine, after which secure access to the backend systems is possible.
- Parameters are set on the SAP backend systems to enforce SNC access.
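The step of setting backend parameters to enforce SNC can be verified by auditing the instance profile. The following is an added example, not code from the original blog: the parameter names are standard SAP SNC profile parameters, but which ones the blog sets, the policy values and the sample profiles are assumptions constructed for illustration.

```python
# Audit an SAP instance profile for SNC enforcement settings (added example).
# POLICY is an assumed baseline, not the blog's own list of parameters.
POLICY = {  # parameter -> (acceptable values, why it matters)
    "snc/enable": ({"1"}, "SNC must be switched on"),
    "snc/accept_insecure_gui": ({"0", "U"}, "non-SNC SAP GUI logons must be refused "
                                            "(U = allowed only for flagged users)"),
    "snc/only_encrypted_gui": ({"1"}, "SAP GUI connections must be encrypted"),
    "snc/data_protection/min": ({"3"}, "minimum protection level should be privacy"),
}

# Constructed sample: SNC enabled but not yet enforced.
WEAK_PROFILE = """
snc/enable = 1
snc/identity/as = p:CN=SID, O=Example   # constructed name
snc/accept_insecure_gui = 1
snc/data_protection/min = 1
"""

# Constructed sample: SNC enforced for SAP GUI logons.
ENFORCED_PROFILE = """
snc/enable = 1
snc/accept_insecure_gui = 0
snc/only_encrypted_gui = 1
snc/data_protection/min = 3
"""

def parse_profile(text):
    """Parse 'name = value' lines; '#' starts a comment; last assignment wins."""
    params = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if "=" not in line:
            continue
        name, value = line.split("=", 1)  # values such as p:CN=... keep their '='
        params[name.strip()] = value.strip()
    return params

def audit_snc(text):
    """Return (parameter, found_value, reason) for every setting outside POLICY.
    A missing parameter is reported too, so enforcement is explicit in the profile."""
    params = parse_profile(text)
    return [(name, params.get(name), reason)
            for name, (allowed, reason) in POLICY.items()
            if params.get(name, "").upper() not in allowed]

if __name__ == "__main__":
    for label, profile in (("weak", WEAK_PROFILE), ("enforced", ENFORCED_PROFILE)):
        findings = audit_snc(profile)
        print(label, "->", "OK" if not findings else "")
        for name, value, reason in findings:
            print(f"  {name} = {value!r}: {reason}")
```
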