ERPGenie.COM Enterprise Resource Planning Portal
ITS Security

This section describes the security measures that can be applied when the Internet Transaction Server (ITS) is used to connect the R/3 System to the Internet. The WGate is the part of the ITS that connects to an HTTP server. The AGate is the part of the ITS that communicates with the R/3 System. It transfers and translates data between WGate and the R/3 System.


The HTTP server (1) forms the interface to the Web. Closely integrated with the HTTP server (as a DLL), the WGate (2) is the general interface between the HTTP server and the AGate gateway (3). AGate communicates with the HTTP server (through WGate) on one end and with the R/3 System (4) on the other. Because AGate and WGate are separate components, AGate and the HTTP server can be installed on different systems.
The connection between the web browser (5) and the HTTP server runs over TCP/IP. A proprietary protocol is used between WGate and AGate. The DIAG and RFC protocols are used for the link between AGate and the R/3 System.

Firewall

A firewall opens access to a server only for selected programs and services. A firewall is generally used to separate an internal network from the Internet. Such a firewall is recommended for all web applications, not only those based on the ITS.
SAP recommends that you install a firewall between the computer used for the HTTP server and the one used for the AGate. This requires you to install WGate and AGate on different systems.
Depending on the configuration of the R/3 System, it may also make sense to use a further firewall and a SAProuter to protect the application server(s).

Encryption

The data stream between WGate and AGate can be encrypted to prevent interception by third parties. This currently involves a proprietary solution. SAP is also currently implementing a commercial security product.
To encrypt the data stream between WGate and AGate, set the registry parameter SecureCommunication on the AGate system to 1. This value is stored under the key
HKEY_LOCAL_MACHINE\SOFTWARE\SAP\ITS\AGate
A generally applicable logon must exist for all services for which no individual logon to the R/3 System is supported. The necessary data, including the password, is saved in the service description. The password is DES-encrypted. For this reason, a special tool (such as the SAP@Web Studio of the ITS) must be used to modify the passwords.

Protection Against Break-Ins

A logon to the R/3 System is required for every service that is started from the Web. The ITS stores a status for each current transaction, so all user requests received from the Web that belong to a web transaction can use the existing connection to the R/3 System. Because every request from the Web is status-free (stateless), each request must be assigned to an R/3 connection. This assignment of stateless web requests to existing R/3 connections theoretically enables an unauthorized third party to piggyback on an existing session. Appropriate ITS measures are used to hinder such attempts.

HTTP-S

Regular data communications between the HTTP server and the web browser are not secure. As a result, a third party can both intercept the transmitted data and piggyback on an existing R/3 session.
The ITS itself makes this harder, but the connection cannot be reliably protected unless the data stream between the HTTP server and the web browser is encrypted. This encryption can be achieved, for example, by using a secure Internet connection based on HTTP-S. Please note that web browsers used outside of the USA sometimes do not support strong encryption.

Required Port Numbers

A firewall allows access to a network only via selected port numbers.
By default, the installation procedure reserves port numbers 3900 through 3999 for the connection between WGate and AGate. If these ports are not available, the first available block above this range is used (the starting port is always an even hundred). The following service names are assigned: SAPAVW00 through SAPAVW98 for port numbers 3900 through 3998, and SAPAVWMM for port 3999. Currently, only the ports SAPAVW00 and SAPAVWMM are actually used.
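To make the port reservation above concrete, here is an added example (not code from the page or from SAP) that builds the SAPAVW name-to-port table for a given block, finds the next free even-hundred block, and checks a constructed Windows services file against the expected mapping; the function and variable names are assumptions for illustration.

```python
# Added example: model the ITS WGate<->AGate port block and verify a services file.
import re

def its_port_names(base: int = 3900) -> dict:
    """Name->port map for one ITS block: SAPAVW00..SAPAVW98 = base..base+98,
    SAPAVWMM = base+99 (3999 in the default block)."""
    if base % 100 != 0:
        raise ValueError("ITS port blocks always start at an even hundred")
    names = {f"SAPAVW{i:02d}": base + i for i in range(99)}
    names["SAPAVWMM"] = base + 99
    return names

def next_free_block(used_ports: set, start: int = 3900) -> int:
    """First even-hundred block at or above `start` with no port already in use."""
    base = start
    while any(p in used_ports for p in range(base, base + 100)):
        base += 100
    return base

_SERVICES_LINE = re.compile(r"^\s*(\S+)\s+(\d+)/tcp", re.I)

def parse_services(text: str) -> dict:
    """Parse name->port for the TCP entries of a services file (comments ignored)."""
    result = {}
    for line in text.splitlines():
        m = _SERVICES_LINE.match(line.split("#", 1)[0])
        if m:
            result[m.group(1)] = int(m.group(2))
    return result

def check_services(text: str, base: int = 3900) -> list:
    """Return discrepancies between the services file and the expected ITS block."""
    actual = parse_services(text)
    problems = []
    for name, port in its_port_names(base).items():
        if name not in actual:
            problems.append(f"missing {name}")
        elif actual[name] != port:
            problems.append(f"{name} maps to {actual[name]}, expected {port}")
    return problems

def firewall_ports(base: int = 3900) -> set:
    """Ports the WGate->AGate firewall rule really needs: only SAPAVW00 and SAPAVWMM."""
    names = its_port_names(base)
    return {names["SAPAVW00"], names["SAPAVWMM"]}

# Constructed sample services file in which SAPAVW01 was hand-edited to the wrong port.
SAMPLE_SERVICES = "\n".join(
    [f"SAPAVW{i:02d}  {3900 + i}/tcp" for i in range(99)] + ["SAPAVWMM  3999/tcp"]
).replace("SAPAVW01  3901/tcp", "SAPAVW01  3911/tcp  # typo")
```

Running `check_services(SAMPLE_SERVICES)` reports the single mismatched entry, and `firewall_ports()` gives the two ports a firewall between the WGate and AGate hosts must actually pass.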

Secure File System

All security-relevant information, such as passwords, is stored by the ITS in special directories on the AGate server. These directories can be protected against unauthorized access by assigning appropriate access privileges through the NT Security Concept.
To accomplish this, you must install the AGate program on an NTFS partition and select maximum security when installing Windows NT Security. When an installation with maximum security is performed, access privileges for the AGate root directory (default:
\Program Files\SAP\ITS\AGate) and all of its subdirectories are set such that only the ITS administrator is allowed access. In addition, the subdirectories Service and Template grant access privileges to members of the ITSUSERS group.
Instructions for defining the various users and user groups are provided in the SAP@Web Installation guidelines.

Passwords and Authorizations

When the ITS is installed, a global service description is defined that contains information about a general web user. This user must also be set up in R/3. It is used for all web transactions and must therefore have far-ranging authorizations.
For installations with increased security requirements, a separate user should be defined for each application (or area of an application). Each of these application users should be assigned only the authorizations it needs and entered in the service description of that application. These entries override the default settings in the global service description.
