Example Firewall Configuration of an SAP vApp with vShield App
In the previous article, Part 1, we described the use cases for vShield App in a virtual SAP environment. Here we demonstrate a simple vShield App firewall configuration that quickly isolates a virtualized SAP landscape defined as a vApp in vCenter. It assumes that the vShield Manager, the vShield App appliances and the vShield plug-in have already been installed. The vShield App plug-in for vCenter allows you to create firewall rules via the vSphere client.
The following diagram shows the SAP vApp (called “SAP_MSSQL”), which consists of two virtual machines: one running the SQL Server database together with the SAP Central Instance, and one running an application server instance. The only access into the SAP landscape will be via the SAP presentation client (SAP GUI), which in this example uses port 3200 (for background on SAP TCP/IP ports see http://www.sdn.sap.com/irj/scn/index?rid=/library/uuid/4e515a43-0e01-0010-2da1-9bcc452c280b). In this simple scenario we are not isolating the application server from the database server.
This vApp is configured in the vCenter client and appears as follows in the vCenter “Hosts and Clusters” inventory view.
The next three diagrams show vCenter screen captures that describe the three firewall configuration steps for this example:
1) Block all access into the landscape or vApp
2) Define the port for SAP GUI access
3) Allow SAP GUI access
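To make the effect of the three steps concrete, here is an added Python model of the resulting rule table (example code, not part of the original post or of vShield App). It assumes constructed addresses for the two vApp members, treats the step-1 block rule as applying to sources outside the vApp (so app-to-DB traffic stays open, as the post intends), and evaluates rules top-down, first match wins.

```python
from dataclasses import dataclass
from typing import Optional

SAP_VAPP = "SAP_MSSQL"
# Constructed membership of the vApp container: DB + Central Instance, app server.
CONTAINERS = {SAP_VAPP: {"10.0.1.10", "10.0.1.11"}}
SAP_GUI_PORT = 3200  # step 2: the SAP GUI service defined as TCP/3200

@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    dport: int

@dataclass(frozen=True)
class Rule:
    src: str              # container name, "any", or "external" (outside dst container)
    dst: str              # container name or "any"
    proto: str            # "tcp", "udp" or "any"
    dport: Optional[int]  # None means any port
    action: str           # "allow" or "block"

def in_container(ip: str, name: str) -> bool:
    return name == "any" or ip in CONTAINERS.get(name, set())

def matches(rule: Rule, flow: Flow) -> bool:
    if rule.src == "external":  # assumption: "into the landscape" = from outside the vApp
        src_ok = not in_container(flow.src, rule.dst)
    else:
        src_ok = in_container(flow.src, rule.src)
    return (src_ok and in_container(flow.dst, rule.dst)
            and rule.proto in ("any", flow.proto)
            and rule.dport in (None, flow.dport))

# Ordered like a vShield App rule table: the rule nearer the top takes precedence.
RULES = [
    Rule("any", SAP_VAPP, "tcp", SAP_GUI_PORT, "allow"),  # step 3: allow SAP GUI
    Rule("external", SAP_VAPP, "any", None, "block"),     # step 1: block everything else in
]

def evaluate(flow: Flow, rules=RULES) -> str:
    for rule in rules:
        if matches(rule, flow):
            return rule.action
    return "allow"  # assumption: traffic matching no rule (e.g. vApp-internal) passes

if __name__ == "__main__":
    for f in (Flow("192.0.2.5", "10.0.1.10", "tcp", 3200),
              Flow("192.0.2.5", "10.0.1.10", "tcp", 1433),
              Flow("10.0.1.11", "10.0.1.10", "tcp", 1433)):
        print(f, "->", evaluate(f))
```

Swapping the two rules is the classic mistake: the block rule then shadows the allow rule and SAP GUI sessions are dropped too, which is why step 3's rule must sit above step 1's in the table.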
The following whitepaper is available for further reading: “VMware vShield™ App: Protecting Virtual SAP Deployments”, at http://www.vmware.com/files/pdf/techpaper/VMware-vShield-App-Protecting-Virtual-SAP-Deployments.pdf.