Recently we had a case in which a set of externally facing SAP portal servers, placed in the DMZ for that reason, required one of the servers, SAP2, to access a shared folder on another server, SAP1.
We thrashed it out with the SAP documentation and the implementation team, but it seems SAP only has documents covering campus (internal LAN) usage. There is no documentation describing how to secure SAP within a DMZ, and SAP insists that it only works if file sharing is enabled; no more secure mechanism is offered as an alternative to SMB. This is just plain lazy design, if you ask me.
So I went off to find out how to get SMB running between those two boxes in the DMZ. Not surprisingly, I found nothing on the web or from Microsoft that helped. There are references and articles on how SMB works, but none explicitly explains how to configure a server so that SMB works across a DMZ. After some trial and error I got it working, and here it is.
– SAP1 hosts the share \\sap1\sapmnt, which SAP2 needs to access. Both servers are in the DMZ.
– The network firewall rules must allow TCP traffic from SAP2, from any source port above 1024 (the ephemeral range), to TCP port 445 on SAP1. Only 445 is needed: this is direct-hosted SMB over TCP/IP, so the NetBIOS ports 137-139 stay closed.
Services running on Windows:
On SAP1 – ensure the “Server” service is running
On SAP2 – ensure the “Workstation” and “TCP/IP NetBIOS Helper” services are running
note: you only need the “TCP/IP NetBIOS Helper” service if you intend to access the share by name (\\sap1\sapmnt); if you access it by IP address, this service can be disabled. (For access by name, the host name must of course be in the hosts file, since there is no other name resolution across the DMZ.)
IPsec rules (permit filters on each host, so that only this one flow is allowed):
On SAP1: allow source SAP2, any TCP port, to destination me (SAP1), TCP 445
On SAP2: allow source me (SAP2), any TCP port, to destination SAP1, TCP 445
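The same setup as a script, added here as an example and not part of the original procedure. It assumes placeholder DMZ addresses 10.1.1.10 for SAP1 and 10.1.1.20 for SAP2, no DNS in the DMZ (hence the hosts file entry), and Windows Server 2012 or later, where the host-level filtering is done with Windows Firewall rules rather than the legacy IPsec permit filters; the effect is the same, only TCP 445 between the two hosts is opened. Run the SAP1 function on SAP1 and the SAP2 functions on SAP2, each as an administrator.

```powershell
# Added example (not from the original post). Placeholder addresses, change to suit.
$Sap1Ip = '10.1.1.10'        # assumed address of SAP1 (share host)
$Sap2Ip = '10.1.1.20'        # assumed address of SAP2 (share client)
$Share  = '\\sap1\sapmnt'    # share named in the post

function Start-RequiredService {
    param([Parameter(Mandatory)][string]$Name)
    # Set the service to start automatically and start it now if it is stopped.
    $svc = Get-Service -Name $Name -ErrorAction Stop
    if ($svc.StartType -ne 'Automatic') { Set-Service -Name $Name -StartupType Automatic }
    if ($svc.Status -ne 'Running')     { Start-Service -Name $Name }
    (Get-Service -Name $Name).Status
}

function Add-FirewallRuleOnce {
    # New-NetFirewallRule happily creates duplicates; only add the rule if it is not there yet.
    param([Parameter(Mandatory)][string]$DisplayName, [Parameter(Mandatory)][hashtable]$Rule)
    if (-not (Get-NetFirewallRule -DisplayName $DisplayName -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $DisplayName @Rule | Out-Null
    }
}

# --- Run on SAP1 (share host) ---
function Set-Sap1Smb {
    Start-RequiredService -Name 'LanmanServer'          # the "Server" service
    # Inbound: only from SAP2, only TCP 445. NetBIOS ports 137-139 are not opened.
    Add-FirewallRuleOnce -DisplayName 'SMB in from SAP2' -Rule @{
        Direction = 'Inbound'; Protocol = 'TCP'; LocalPort = 445
        RemoteAddress = $Sap2Ip; Action = 'Allow'; Profile = 'Any'
    }
    # Checks a practitioner wants in a DMZ: 445 is listening, and SMB1 is off.
    Get-NetTCPConnection -LocalPort 445 -State Listen
    Get-SmbServerConfiguration | Select-Object EnableSMB1Protocol, EnableSMB2Protocol
}

# --- Run on SAP2 (share client) ---
function Set-Sap2Smb {
    Start-RequiredService -Name 'LanmanWorkstation'     # the "Workstation" service
    Start-RequiredService -Name 'lmhosts'               # "TCP/IP NetBIOS Helper", only needed for access by name
    # No DNS in the DMZ (assumption), so resolve sap1 from the hosts file.
    $hosts = "$env:SystemRoot\System32\drivers\etc\hosts"
    if (-not (Select-String -Path $hosts -Pattern '^\s*\S+\s+sap1\b' -Quiet)) {
        Add-Content -Path $hosts -Value "$Sap1Ip`tsap1"
    }
    # Outbound: any ephemeral source port to TCP 445 on SAP1 only.
    Add-FirewallRuleOnce -DisplayName 'SMB out to SAP1' -Rule @{
        Direction = 'Outbound'; Protocol = 'TCP'; RemotePort = 445
        RemoteAddress = $Sap1Ip; Action = 'Allow'; Profile = 'Any'
    }
}

# --- Run on SAP2 to verify ---
function Test-Sap1Share {
    # 1. Is the path open end to end? TcpTestSucceeded is $true only if both host
    #    filters and the network firewall allow SAP2 -> SAP1:445.
    $tcp = Test-NetConnection -ComputerName $Sap1Ip -Port 445
    # 2. Can the share itself be reached by name? Test-Path returns $false on
    #    name-resolution failure (hosts entry missing) as well as on access denied.
    $byName = $tcp.TcpTestSucceeded -and (Test-Path -Path $Share)
    [pscustomobject]@{ Port445Open = $tcp.TcpTestSucceeded; ShareReachable = $byName }
}
```

If Port445Open is false the problem is in the firewall rules (host or network); if it is true but ShareReachable is false, look at name resolution and share permissions on SAP1 rather than at the firewalls.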