The URLs for NWA share a unique prefix, so the ICM can filter them out using rules.
In the profile file (we recommend the default profile DEFAULT.PFL), configure the following modification handler:
icm/HTTP/mod_0 = PREFIX=/,FILE=$(DIR_GLOBAL)/security/data/icm_filter_rules.txt
You must then create the rule file in the specified directory and specify the filter rules.
(The directory is usually: usr/sap/SID/SYS/global/security/data/)
If you want to prevent access to administration requests completely, you should define the following rule:
RegIRedirectUrl ^/webdynpro/resources/sap.com/tc~lm~itsam~ui~mainframe~wd/(.)*$ /nwa/remote_access_error [QSA]
If you want to prevent access to administration requests from external clients (that is, allow them only from the local host), you should define the following rule:
if %{REMOTE_ADDR} !stricmp 127.0.0.1 [AND]
if %{REMOTE_ADDR} !stricmp ::1
RegIRedirectUrl ^/webdynpro/resources/sap.com/tc~lm~itsam~ui~mainframe~wd/(.)*$ /nwa/remote_access_error [QSA]
If you want to allow access to administration requests for certain network segments (for example, 10.18.*), you should define the following rule:
if %{REMOTE_ADDR} !regimatch 10.18.*.*
RegIRedirectUrl ^/webdynpro/resources/sap.com/tc~lm~itsam~ui~mainframe~wd/(.)*$ /nwa/remote_access_error [QSA]
If you do not want to restrict access to the administration requests to certain clients, remove the lines from the file or turn the lines into a comment:
#if %{REMOTE_ADDR} !stricmp 127.0.0.1 [AND]
#if %{REMOTE_ADDR} !stricmp ::1
#RegIRedirectUrl ^/webdynpro/resources/sap.com/tc~lm~itsam~ui~mainframe~wd/(.)*$ /nwa/remote_access_error [QSA]
The syntax for IPv6 addresses is as follows:
The local host is the string “::1”.
An example for an IPv6 address is “fe80::21c:c4ff:fedc”.
The IP address of the client can be determined with the following (temporary) rule:
RegIRedirectUrl ^/ipaddr_echo /echo?clientip=%{REMOTE_ADDR}
Use the browser/client to call the following URL on the server: http://<host>:<http_port>/ipaddr_echo
In the client/browser, the system now displays the IP address of the client in the URL line (for example, http://server.sap.com/echo?clientip=10.18.55.11).
It is important that you remember to remove the temporary rule again.
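The following check is an added example, not part of the original documentation or of SAP's tooling: it audits the contents of icm_filter_rules.txt for a leftover temporary /ipaddr_echo rule and reports whether the NWA redirect rule is active and under which conditions. The function name audit_rules and the sample file are constructed; the script assumes, as in the rules shown above, that "if" lines apply to the next rule line and that lines starting with # are comments.

```python
# Added example: audit an ICM rule file for the NWA restriction described above.
NWA_PREFIX = "/webdynpro/resources/sap.com/tc~lm~itsam~ui~mainframe~wd/"
ECHO_MARKER = "/ipaddr_echo"  # source pattern of the temporary echo rule

# Constructed sample: external access blocked, temporary rule left behind.
SAMPLE = """\
# constructed sample rule file
if %{REMOTE_ADDR} !stricmp 127.0.0.1 [AND]
if %{REMOTE_ADDR} !stricmp ::1
RegIRedirectUrl ^/webdynpro/resources/sap.com/tc~lm~itsam~ui~mainframe~wd/(.)*$ /nwa/remote_access_error [QSA]
RegIRedirectUrl ^/ipaddr_echo /echo?clientip=%{REMOTE_ADDR}
"""

def audit_rules(text):
    """Return findings for the body of an icm_filter_rules.txt file.

    nwa_rule is "missing" (no active NWA rule), "unconditional" (the rule
    applies to every client) or "conditional" (guarded by 'if' lines,
    which are returned in conditions). echo_rule_lines lists the line
    numbers of active rules that still contain the temporary echo pattern.
    """
    findings = {"nwa_rule": "missing", "conditions": [], "echo_rule_lines": []}
    pending = []  # 'if' lines seen since the last rule line
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank line or commented-out rule
        if line.lower().startswith("if "):
            pending.append(line)
            continue
        if ECHO_MARKER in line:
            findings["echo_rule_lines"].append(lineno)
        elif line.startswith("RegIRedirectUrl") and NWA_PREFIX in line:
            findings["nwa_rule"] = "conditional" if pending else "unconditional"
            findings["conditions"] = pending
        pending = []  # conditions only apply to the rule that follows them
    return findings

if __name__ == "__main__":
    result = audit_rules(SAMPLE)
    print("NWA rule:", result["nwa_rule"])
    for cond in result["conditions"]:
        print("  condition:", cond)
    for n in result["echo_rule_lines"]:
        print(f"line {n}: temporary echo rule still active, remove it")
```

A result of "unconditional" also covers the case where only the if lines were commented out and the redirect rule itself was left active, which blocks administration requests for every client, including the local host.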