SAP NetWeaver 7.4 AS Java – Filtering Administration Requests

The URLs for SAP NetWeaver Administrator (NWA) share a unique prefix, so the ICM can filter them with rules.
In the profile file (we recommend the default profile DEFAULT.PFL), configure the following modification handler:

icm/HTTP/mod_0 = PREFIX=/,FILE=$(DIR_GLOBAL)/security/data/icm_filter_rules.txt

You must then create the rule file in the specified directory and specify the filter rules.
(The directory is usually: usr/sap/SID/SYS/global/security/data/)

If you want to prevent access to administration requests completely, you should define the following rule:

RegIRedirectUrl ^/webdynpro/resources/sap.com/tc~lm~itsam~ui~mainframe~wd/(.)*$ /nwa/remote_access_error [QSA]

If you want to prevent administration requests from external clients (that is, allow them only from the local host), you should define the following rule:

if %{REMOTE_ADDR} !stricmp 127.0.0.1 [AND]
if %{REMOTE_ADDR} !stricmp ::1
RegIRedirectUrl ^/webdynpro/resources/sap.com/tc~lm~itsam~ui~mainframe~wd/(.)*$ /nwa/remote_access_error [QSA]

If you want to allow access to administration requests for certain network segments (for example, 10.18.*), you should define the following rule:

if %{REMOTE_ADDR} !regimatch 10.18.*.*
RegIRedirectUrl ^/webdynpro/resources/sap.com/tc~lm~itsam~ui~mainframe~wd/(.)*$ /nwa/remote_access_error [QSA]

If you do not want to restrict access to the administration requests to certain clients, remove the lines from the file or turn the lines into a comment:

#if %{REMOTE_ADDR} !stricmp 127.0.0.1 [AND]
#if %{REMOTE_ADDR} !stricmp ::1
#RegIRedirectUrl ^/webdynpro/resources/sap.com/tc~lm~itsam~ui~mainframe~wd/(.)*$ /nwa/remote_access_error [QSA]

The syntax for IPv6 addresses is as follows:

The local host is the string “::1”.
An example of an IPv6 address is “fe80::21c:c4ff:fedc”.

The IP address of the client can be determined with the following (temporary) rule:
RegIRedirectUrl ^/ipaddr_echo /echo?clientip=%{REMOTE_ADDR}

Use the browser/client to call the following URL on the server: http://<host>:<http_port>/ipaddr_echo

In the client/browser, the system now displays the IP address of the client in the URL line (for example, http://server.sap.com/echo?clientip=10.18.55.11).

It is important that you remember to remove the temporary rule again.
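
The following audit script is an added example, not SAP code: it reads the content of a rule file and reports which of the scenarios above it implements and whether the temporary ipaddr_echo rule is still present. The function name audit_rules, the sample file content, and the assumption that "if" conditions apply only to the next action line are illustrative.

```python
import re

# URL prefix of the NWA rule as given on this page.
NWA_PREFIX = "/webdynpro/resources/sap.com/tc~lm~itsam~ui~mainframe~wd/"
ECHO_PATH = "/ipaddr_echo"  # path used by the temporary IP echo rule


def audit_rules(text):
    """Report which of the page's scenarios a rule file implements."""
    result = {"nwa_filter": "absent", "guards": [], "echo_rule_left": False}
    guards = []  # 'if' conditions collected for the next action line
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            # A commented-out NWA rule only counts if no active one exists.
            if NWA_PREFIX in line and result["nwa_filter"] == "absent":
                result["nwa_filter"] = "commented_out"
            continue
        if re.match(r"if\s", line, re.I):
            guards.append(re.sub(r"\s*\[AND\]\s*$", "", line, flags=re.I))
            continue
        if re.match(r"RegIRedirectUrl\s", line, re.I):
            if NWA_PREFIX in line:
                result["nwa_filter"] = "conditional" if guards else "block_all"
                result["guards"] = guards
            elif ECHO_PATH in line:
                result["echo_rule_left"] = True
        guards = []  # assumption: conditions apply to the next action only
    return result


# Constructed sample: local-only NWA access, temporary echo rule forgotten.
SAMPLE = """\
# icm_filter_rules.txt (constructed sample)
if %{REMOTE_ADDR} !stricmp 127.0.0.1 [AND]
if %{REMOTE_ADDR} !stricmp ::1
RegIRedirectUrl ^/webdynpro/resources/sap.com/tc~lm~itsam~ui~mainframe~wd/(.)*$ /nwa/remote_access_error [QSA]
RegIRedirectUrl ^/ipaddr_echo /echo?clientip=%{REMOTE_ADDR}
"""

if __name__ == "__main__":
    print(audit_rules(SAMPLE))
```

A result of "commented_out" or "absent" for nwa_filter means administration requests are not restricted by client address, and echo_rule_left set to True means the temporary rule still needs to be removed.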
