AW: [FW1] Firewall-1 and SAP
Mike,

I'm not definitely sure what ports will be used by the last SAProuter to
communicate with local SAP nodes since I haven't done any snooping, but I
have been told by SAP support that the "normal port range" will be used.
But this is not interesting to me because I'm able to limit the access to
only one port between two locations.

We have the two following configurations and each works fine:

1st variant:
------------
The clients at location A use their local SAProuter. Traffic is passed to
another location through FW1 with the following rule:

SRC: saprouter_from_location_A
DST: saprouter_at_location_B
SVC: 3299/tcp
ACT: accept

2nd variant:
------------
In other locations without their own SAProuter it is even possible to map
the client traffic to a SAProuter at location B, which is done by the
following rule:

SRC: client(s)_from_location_A
DST: saprouter_at_locationB
SVC: 3299/tcp
ACT: accept

Configuration on the client (c:\windows\saproute.ini):

LOC_A->LOC_B=/H/10.1.2.3/S/3299/H/10.2.3.4/S/3299/H/

or something similar to that. This tells the client to use the specific
port 3299 and allows the traffic to the next SAProuter on port 3299, too.
All clients can use the full range (printing, GUI, etc.).

Hope this explains and helps.

with kind regards,
Bernd Fritzsche - Netzwerktechnik / FIT-CN2
===================================================================
Heidelberger Druckmaschinen AG - Gutenbergstr. 2 - D-69168 Wiesloch
POTS(Fax)+49 6222 82 2845(3440) / [email protected]
===================================================================

> -----Original Message-----
> From: Mike Anning [mailto:[email protected]]
> Sent: Tuesday, 26 September 2000 10:50
> To: Fritzsche, Bernd 2845 FIT-CN2
> Cc: '[email protected]';
> '[email protected]'
> Subject: Re: [FW1] Firewall-1 and SAP
>
> Does this still mean that the last hop would communicate with the
> clients on 32xx, 36xx etc...?
>
> Cheers
> Mike
>
> "Fritzsche, Bernd 2845 FIT-CN2" <[email protected]> on
> 26/09/2000 08:52:42
>
> To: "'[email protected]'" <[email protected]>
> cc: "'[email protected]'"
> <[email protected]> (bcc: Mike Anning/WEY/EU/CHEP)
> Subject: Re: [FW1] Firewall-1 and SAP
>
> Hello,
>
> maybe this helps you:
>
> we're having traffic between SAP nodes in international sites, too
> but we are using SAProuters. In this case you only have to allow
> SAP-OSS (3299/tcp) between the two SAProuters in order to get your
> traffic through. The last SAProuter in the local LAN will then
> communicate with the nodes with the range of ports Mike and Joe
> already stated.
>
> This is done by configuring the SAProuter to use this port when
> routing SAP traffic to the next SAP-hop.
>
> with kind regards,
> Bernd Fritzsche - Netzwerktechnik / FIT-CN2
> ===================================================================
> Heidelberger Druckmaschinen AG - Gutenbergstr. 2 - D-69168 Wiesloch
> POTS(Fax)+49 6222 82 2845(3440) / [email protected]
> ===================================================================
>
> ================================================================================
> To unsubscribe from this mailing list, please see the instructions at
> http://www.checkpoint.com/services/mailing.html
> ================================================================================
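Added example, not part of the original message: a Python sketch that parses the route string quoted above into its SAProuter hops, derives the TCP connections that route causes, and compares them with a list of accept rules. The name `client_A`, the rule tuples and the fallback to 3299 when `/S/` is omitted are assumptions made for the illustration.

```python
import re

# Route string quoted in the message. Its last /H/ has no host on the page,
# so the parser keeps that hop as unspecified instead of guessing one.
ROUTE = "/H/10.1.2.3/S/3299/H/10.2.3.4/S/3299/H/"
SAPROUTER_PORT = 3299  # the single port the message allows between sites

def parse_route(route):
    """Return [(host_or_None, port), ...] for a /H/host/S/port route string."""
    pairs = re.findall(r"/([HS])/([^/]*)", route)
    # Anything the pattern skipped (for example a /W/ element) is rejected.
    if "".join(f"/{k}/{v}" for k, v in pairs) != route:
        raise ValueError(f"unsupported route syntax: {route!r}")
    hops = []
    for key, value in pairs:
        if key == "H":
            hops.append([value or None, SAPROUTER_PORT])
        elif not hops or not value.isdigit():
            raise ValueError(f"/S/ needs a preceding /H/ and a numeric port: {route!r}")
        else:
            hops[-1][1] = int(value)
    return [tuple(h) for h in hops]

def flows(client, hops):
    """TCP connections the route causes: client -> hop 1 -> hop 2 -> ..."""
    out, src = [], client
    for host, port in hops:
        if host is None:  # destination not given, so no rule can be derived
            break
        out.append((src, host, port))
        src = host
    return out

def audit(rules, needed):
    """Compare accept rules (src, dst, port) with the flows the route needs."""
    rules, needed = set(rules), set(needed)
    return {"missing": sorted(needed - rules), "unneeded": sorted(rules - needed)}

if __name__ == "__main__":
    needed = flows("client_A", parse_route(ROUTE))
    # Constructed rule base: the second rule opens a 32xx port directly.
    rules = [("10.1.2.3", "10.2.3.4", 3299), ("client_A", "10.2.3.4", 3200)]
    print(needed)
    print(audit(rules, needed))
```

Which of the derived connections actually cross the firewall depends on where each SAProuter sits, so the "missing" list is a starting point for the rule base rather than the rule base itself.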