Channel: SCN : Unanswered Discussions - SAP Fiori

How to harden SAP Fiori configuration, when reverse proxy’ing Netweaver Gateway Server?


We recently enabled SAP Fiori access to our systems via the Internet by reverse proxy’ing our Netweaver Gateway server, in a similar manner to SAP’s document http://scn.sap.com/docs/DOC-62438.

 

During a 3rd party Penetration Test it was identified that SAP Web GUI access was also available via the reverse proxy, so we had to immediately deactivate this service on the Netweaver Gateway system.

 

We are trying to investigate how to harden the Reverse Proxy configuration, so that only SAP Fiori is accessible and we do not inadvertently activate an SICF service that should not be exposed to the Internet. However, when we restrict the reverse proxy to only allow traffic for the FioriLaunchpad (http://our.host.name.com/sap/bc/ui5_ui5/ui2/ushell/shells/abap/FioriLaunchpad.html) we lose all of the images and style sheets, as this content is retrieved from completely different URL paths (/sap/public).

 

Does SAP publish instructions on how to harden the Fiori reverse proxy configuration, so that only the required Fiori URLs are exposed? Exposing all Netweaver Gateway services via a reverse proxy appears to be insecure and inadvisable.

 

Thanks,

 

Simon
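
An added example, not part of the original post or of SAP's documentation: a default-deny path allowlist of the kind the post asks about, including the canonicalisation a proxy rule needs before it matches prefixes. The two prefixes come from the paths named in the post; the sample request targets (including the Web GUI path) and the assumption that the backend matches paths case-insensitively are constructed for illustration.

```python
import posixpath
from urllib.parse import unquote

# Prefixes taken from the two paths named in the post. Assumption: a real
# deployment extends this list from observed Fiori traffic, nothing broader.
ALLOWED_PREFIXES = ("/sap/bc/ui5_ui5/", "/sap/public/")


def canonical_path(raw_target):
    """Return the path the backend would resolve, or None to reject outright."""
    path = raw_target.split("?", 1)[0].split("#", 1)[0]
    decoded = unquote(path)
    # Still-encoded bytes after one decode, backslashes or NULs are ambiguous
    # between proxy and backend, so refuse instead of guessing.
    if not decoded.startswith("/") or any(c in decoded for c in "%\\\x00"):
        return None
    canon = posixpath.normpath("/" + decoded.lstrip("/"))  # resolves . and ..
    if decoded.endswith("/") and canon != "/":
        canon += "/"  # normpath drops the trailing slash; keep it for prefix tests
    # Assumption: the backend matches service paths case-insensitively.
    return canon.lower()


def is_allowed(raw_target):
    """Default deny: only canonical paths under an allowed prefix pass."""
    canon = canonical_path(raw_target)
    return canon is not None and canon.startswith(ALLOWED_PREFIXES)


# Constructed request targets for checking a rule set before go-live.
SAMPLES = [
    "/sap/bc/ui5_ui5/ui2/ushell/shells/abap/FioriLaunchpad.html",
    "/sap/public/bc/ui5_ui5/resources/sap-ui-core.js?v=1",
    "/sap/bc/gui/sap/its/webgui",
    "/SAP/BC/GUI/sap/its/webgui",
    "/sap/bc/ui5_ui5/../gui/sap/its/webgui",
    "/sap/public/%2e%2e/bc/gui/sap/its/webgui",
    "/sap/bc/ui5_ui5/%252e%252e/gui/sap/its/webgui",
]


def audit(targets=SAMPLES):
    """Map each request target to the allow/deny decision."""
    return {t: is_allowed(t) for t in targets}


if __name__ == "__main__":
    for target, ok in audit().items():
        print("ALLOW" if ok else "DENY ", target)
```

Running the same sample targets against the live proxy and comparing the responses with this table shows whether the proxy's own rules normalise paths the same way.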

