RFC Gateway Security, Part 4 - Prxyinfo ACL - SAP Blogs
Technical Articles
Johannes Goerlich
February 1, 2021 | 5 minute read
From my experience, RFC Gateway security is still a poorly understood topic for
many SAP administrators. As a result, many SAP systems lack, for example,
properly defined ACLs to prevent malicious use.
After an attack vector was published in the talk “SAP Gateway to Heaven” by
Mathieu Geli and Dmitry Chastuhin at OPCDE 2019 Dubai
(https://github.com/gelim/sap_ms), RFC Gateway security is more important than
ever. This publication got considerable public attention as 10KBLAZE.
With this blog post series I try to give a comprehensive explanation of RFC
Gateway security:
Part 1: General questions about the RFC Gateway and RFC Gateway security.
https://blogs.sap.com/2021/02/01/rfc-gateway-security-part-4-prxyinfo-acl/
10/21/21, 1:14 PM RFC Gateway security, part 4 – prxyinfo ACL | SAP Blogs
Updates:
2021-10-12: Updated the whole blog post.
Please make sure you have read at least part 1 of this series to be familiar with the
basics of the RFC Gateway and the terms I use to describe things.
In the older days, the prxyinfo ACL was only checked if the endpoint was an
ABAP RFC-enabled function module. In 2014 SAP introduced the so-called
strong gw/proxy_check, which can be controlled via the profile parameter
gw/reg_no_conn_info. With this, the prxyinfo ACL is also evaluated if the end
point is a registered external RFC Server program.
Nowadays this feature is enabled by default.
What are common use-cases?
Proxying calls to an external RFC Server program which is registered on a RFC Gateway of another application server of the same system
In some scenarios, an external RFC Server program like SAP TREX is
registered only at one RFC Gateway of a multi-application server system.
In this case, the remote destination is created in SM59 and the RFC Gateway
used to communicate with the end point is specified in the remote destination:
With this, each request will be sent to the defined RFC Gateway, and this RFC
Gateway will establish the communication with the end point. In other words,
this RFC Gateway will be used as a proxy towards the end point.
For this scenario, a custom rule in the prxyinfo ACL would be necessary, e.g.,
P SOURCE=internal,local DEST=local
Please note: In this case the request goes to an external RFC Server
program registered to the proxying RFC Gateway. Therefore, the target is
displayed as %%RFCSERVER%%(0.0.0.0).
If the relevant rule is missing, the following error will be displayed:
In this case, the remote destination is created in SM59 and the stand-alone
RFC Gateway is specified to establish the communication with the end point:
With this, each request will be sent to the defined RFC Gateway, and this RFC
Gateway will establish the communication with the end point. In other words,
this RFC Gateway will be used as a proxy towards the end point.
For this scenario, a custom rule in the prxyinfo ACL of the stand-alone RFC
Gateway would be necessary, e.g.,
P SOURCE=<RFC-client-1>,<RFC-client-n> DEST=internal,local
Please note: The RFC Gateway ‘PXY’ may be either a stand-alone RFC
Gateway or the RFC gateway of another SAP NW AS ABAP.
To identify this use case on system ‘SRC’, we can look for any connection in
transaction SM59 whose ‘Gateway Host’ differs from the IP address or hostname
of every application server of the same system, and whose ‘Target Host’ is not
directly accessible from at least one of the application servers of the same
system, e.g.:
For this scenario, a custom rule in the prxyinfo ACL of the stand-alone RFC
Gateway would be necessary, e.g.,
P SOURCE=<hosts-SRC> DEST=<hosts-TGT>
SAP introduced an internal rule for the prxyinfo ACL to allow all proxying by
default:
P SOURCE=* DEST=*
Please note: This rule is applied when no custom prxyinfo ACL was defined!
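To make the rule semantics of the three scenarios above and of the built-in default rule concrete, here is an added example of a small prxyinfo ACL evaluator and audit helper. It is not code from this blog post or from SAP. It assumes, as labelled in the code, that rules are matched top to bottom with the first match winning, that a configured file with no matching rule denies the request, that the built-in `P SOURCE=* DEST=*` only applies when no prxyinfo file is configured, and that `local` expands to the proxying gateway's own host and `internal` to the application-server hosts of that gateway's system. The hostnames, the sample file and the `example.test` names are constructed; the bit-128 check reflects the value quoted in Isaias Freitas's comment below (SAP KBA 2464128). Subnet masks and other prxyinfo syntax are not modelled.

```python
"""Evaluator for SAP RFC Gateway prxyinfo ACL rules (added example, not SAP code).

Assumptions (labelled): rules match top to bottom, first match wins; a configured
file with no match denies; with no file configured the gateway's built-in rule
'P SOURCE=* DEST=*' applies; 'local' is the proxying gateway's own host and
'internal' the application-server hosts of the gateway's own system.
"""
from dataclasses import dataclass

DEFAULT_RULE = "P SOURCE=* DEST=*"   # built-in rule described in the post
STRONG_PROXY_CHECK_BIT = 128         # gw/reg_no_conn_info bit, per comment below / KBA 2464128


@dataclass(frozen=True)
class Rule:
    permit: bool      # True for 'P', False for 'D'
    sources: tuple    # entries of SOURCE=, e.g. ('internal', 'local')
    dests: tuple      # entries of DEST=


def parse_prxyinfo(text: str) -> list:
    """Parse prxyinfo lines; '#' lines (including '#VERSION=2') are skipped."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        action, *tokens = line.split()
        if action.upper() not in ("P", "D"):
            raise ValueError(f"unknown action in prxyinfo line: {raw!r}")
        fields = {}
        for token in tokens:
            key, sep, value = token.partition("=")
            if not sep:
                raise ValueError(f"malformed token {token!r} in line: {raw!r}")
            fields[key.upper()] = tuple(v for v in value.split(",") if v)
        if "SOURCE" not in fields or "DEST" not in fields:
            raise ValueError(f"SOURCE and DEST are both required: {raw!r}")
        rules.append(Rule(action.upper() == "P", fields["SOURCE"], fields["DEST"]))
    return rules


def _host_matches(entries, host, local_host, internal_hosts) -> bool:
    """True if `host` is covered by one entry of a SOURCE= or DEST= list."""
    host = host.lower()
    internal = {h.lower() for h in internal_hosts}
    for entry in entries:
        e = entry.lower()
        if e == "*":
            return True
        if e == "local" and host == local_host.lower():
            return True
        if e == "internal" and host in internal:
            return True
        if e == host:
            return True
    return False


def is_proxying_allowed(rules, source, dest, *, local_host, internal_hosts):
    """Decide whether the gateway may proxy `source` -> `dest`.

    `rules=None` models "no prxyinfo file configured", so the built-in default
    applies. Returns (allowed, matching_rule); matching_rule is None when a
    configured file has no matching rule (assumed implicit deny).
    """
    if rules is None:
        rules = parse_prxyinfo(DEFAULT_RULE)
    for rule in rules:
        if (_host_matches(rule.sources, source, local_host, internal_hosts)
                and _host_matches(rule.dests, dest, local_host, internal_hosts)):
            return rule.permit, rule
    return False, None


def find_permissive_rules(rules):
    """Audit helper: permit rules that are wildcard on both sides."""
    return [r for r in rules if r.permit and "*" in r.sources and "*" in r.dests]


def strong_proxy_check_enabled(reg_no_conn_info: int) -> bool:
    """True if bit 128 of gw/reg_no_conn_info is set (prxyinfo also checked
    for registered external RFC server programs)."""
    return bool(reg_no_conn_info & STRONG_PROXY_CHECK_BIT)


# Constructed sample prxyinfo for a stand-alone gateway 'PXY'; hostnames are made up.
SAMPLE_PRXYINFO = """\
#VERSION=2
# external RFC clients proxied to this system's application servers
P SOURCE=rfc-client-1.example.test,rfc-client-2.example.test DEST=internal,local
# proxying from system SRC to system TGT
P SOURCE=srchost01.example.test DEST=tgthost01.example.test
# explicit catch-all deny so nothing relies on the implicit deny
D SOURCE=* DEST=*
"""
PXY_HOST = "pxy.example.test"
INTERNAL = ["appsrv01.example.test", "appsrv02.example.test"]

if __name__ == "__main__":
    rules = parse_prxyinfo(SAMPLE_PRXYINFO)
    print(is_proxying_allowed(rules, "rfc-client-1.example.test", "appsrv02.example.test",
                              local_host=PXY_HOST, internal_hosts=INTERNAL))
    print(is_proxying_allowed(rules, "evil.example.test", "appsrv02.example.test",
                              local_host=PXY_HOST, internal_hosts=INTERNAL))
    print(find_permissive_rules(parse_prxyinfo(DEFAULT_RULE)))
```

Running `find_permissive_rules` over the built-in default shows why the note above matters: with no custom prxyinfo ACL, every source may be proxied to every destination, so a restrictive file with an explicit trailing deny is the check a reviewer should look for.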
2 Comments
Isaias Freitas
June 27, 2021 at 8:00 pm
When the parameter "gw/reg_no_conn_info" includes the bitmask value 128, the proxy info ACL is also
checked when the communication with registered programs is taking place.
Read the SAP KBA 2464128 for more details. It also includes links to resources that explain how the parameter
"gw/reg_no_conn_info" works.
Cheers!
Isaías
Johannes Goerlich | Blog Post Author
October 12, 2021 at 11:44 am
Hello Isaías,
thanks for your comment. It took a while but now I've updated the blogpost.
Greets
Joe