Customer version
INTERNAL
Focus
This document is intended to give SAP HEC customers a guideline for choosing and setting up a DNS integration scenario to access SAP HEC services over:
If you access your SAP HEC applications only directly over the public Internet, e.g. "*.hec.ondemand.com", this document does not apply.
The client computers on the customer's end are in almost all cases configured to use the customer's internal DNS servers as DNS resolvers. These internal DNS servers must provide DNS information for internal resources (the intranet), in most cases for the Internet, and also for external resources such as SAP HEC. This requires the internal DNS servers to have dynamic access to the DNS data of SAP HEC. In general, SAP HEC supports three different techniques to provide the SAP HEC DNS data to the customer's internal DNS servers: DNS zone transfer, conditional DNS forward, and DNS domain delegation.
Depending on the customer's internal DNS design, one of the above scenarios should fit.
SAP HEC recommends and prefers setting up DNS zone transfer at this point. It is the most reliable and safest solution. SAP HEC can provide a 99.5% service level (SLA) only for DNS zone transfer.
A conditional DNS forward is perhaps a good alternative choice if the customer's firewall does not allow inbound connections from SAP HEC to the customer's internal DNS servers, which DNS zone transfer requires in order to receive DNS NOTIFY messages from the SAP HEC DNS servers. But it has the disadvantage of caching and hence a time delay, depending on the time to live (TTL) of the SAP HEC DNS data, which is 1 hour by default. For a disaster recovery scenario using two independent SAP HEC datacenters, this may lead to a more or less large delay in a DR failover situation before the secondary SAP HEC systems become available again in the customer's internal DNS.
DNS domain delegation is probably the best choice if the customer has tens or hundreds of internal DNS servers and no internal upstream DNS "resolver" servers on which DNS zone transfers or conditional DNS forwards are configured for external DNS resources such as SAP HEC.
It would not make sense to configure and maintain DNS zone transfer or conditional DNS forward towards SAP HEC on each of numerous DNS servers. Instead, it is possible to configure a DNS domain delegation at a single point in the Active Directory so that the DNS delegation information is present on all internal DNS servers.
In the case of a DNS domain delegation, the internal DNS servers only hold the information about which SAP HEC DNS servers provide DNS resolution for the delegated SAP HEC DNS zones/domains. The disadvantage is that every server or client computer on the customer's end would need to communicate directly with the SAP HEC DNS servers
–or–
with your internal on-premise DNS servers, if we configure them as secondary nameservers in the HEC DNS zones; but this is an extra and not the SAP HEC default.
Which DNS zones / DNS domains need to be integrated in the customer's DNS
To enable the computers on the customer's end to use SAP HEC applications over a private connection (VPN or MPLS), the client computer needs additional DNS resolution for a minimum of 3 SAP HEC DNS domains for which SAP HEC has the authority: the master zones, also called "delegated zones":
<hec or sap>.customer.corp
Here "customer.corp" is assumed, as an example, to be the customer's internal DNS domain or the customer's top-level domain (TLD).
"hec.customer.corp" is the domain where the SAP HEC application entry points are generally located. The SAP HEC application entry point DNS names, and hence this DNS domain, must be independent of the HEC datacenter. In general there are no IP addresses or DNS hostnames here; only DNS aliases (CNAME records) are possible in this DNS domain. In the case of a DR failover only the targets of these aliases are switched from the primary HEC DC to the secondary HEC DC, or to an HA system in the same HEC DC, for example.
The DNS domain name "hec.customer.corp" can also be "sap.ourcompany.local", for example. This name is to be understood as a template, but it must start with "hec" or "sap". A maximum of two such customer TLDs are possible per SAP HEC customer. This domain will be used for SSL certificates.
DNS hostnames, IP addresses (and perhaps also DNS aliases) are located here. But client computers should never use these DNS hostnames or DNS aliases in this DNS domain directly as application entry point, URL or "target".
Again, <SAP HEC Datacenter Short>.sap.anothercompany.local or similar would be valid. But SAP HEC needs a hierarchical order in the delegated DNS domain names. Domain names in a different order, such as "sap.<SAP HEC Datacenter Short>.company.corp", are invalid.
In general only one DNS domain can be assigned to a single SAP HEC network segment. If a "multi-tier" setup is wanted, SAP HEC needs at least one network segment per tier, for example:
With a maximum of two TLDs = sap.customer.corp and sap.customer.com
<SAP HEC Datacenter Short>.dev.sap.customer.corp for the SAP HEC Dev network 192.168.110.0/24
<SAP HEC Datacenter Short>.qas.sap.customer.corp for the SAP HEC QA network 10.10.200.0/24
<SAP HEC Datacenter Short>.sap.customer.com for the SAP HEC Production network 10.10.100.0/23
The DNS reverse domain(s) where the DNS pointers (PTR records) are located, for example:
110.168.192.in-addr.arpa
Each of the above forward and reverse DNS zones is "independent"; SAP HEC does not support sub-domain or stub configurations.
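The naming and reverse-zone rules above can be checked before a delegation request is sent. The following script is an added example, not part of the SAP HEC document: it validates the hierarchical name order, counts the customer TLDs against the limit of two, and derives the in-addr.arpa zone names from a network segment (the datacenter short name "dc1" is a constructed placeholder).

```python
import ipaddress

DC_SHORT = "dc1"  # constructed placeholder for <SAP HEC Datacenter Short>


def delegated_domain_ok(name: str, dc_short: str = DC_SHORT) -> bool:
    """Check the hierarchical naming rule for a delegated forward zone:
    <dc short>.[<tier>.]<hec|sap>.<customer domain>.<tld>
    The datacenter short name must come first; one optional tier label
    (dev, qas, ...) may sit between it and the hec/sap label."""
    labels = name.lower().rstrip(".").split(".")
    if len(labels) < 4 or labels[0] != dc_short.lower():
        return False
    rest = labels[1:]
    if rest[0] in ("hec", "sap"):
        after = rest[1:]
    elif len(rest) > 1 and rest[1] in ("hec", "sap"):
        after = rest[2:]
    else:
        return False
    return len(after) >= 2  # at least <customer>.<tld> after hec/sap


def customer_tld(name: str) -> str:
    """Return the <hec|sap>.<customer>.<tld> suffix that counts towards
    the limit of two such TLDs per SAP HEC customer."""
    labels = name.lower().rstrip(".").split(".")
    for i, label in enumerate(labels):
        if label in ("hec", "sap"):
            return ".".join(labels[i:])
    raise ValueError(f"no hec/sap label in {name}")


def tld_limit_ok(names) -> bool:
    return len({customer_tld(n) for n in names}) <= 2


def reverse_zones(cidr: str) -> list:
    """Derive the in-addr.arpa zone name(s) that hold the PTR records of a
    HEC network segment. in-addr.arpa zones sit on octet boundaries, so a
    /23 needs two /24 reverse zones; prefixes longer than /24 would need
    RFC 2317 style delegation, which this document does not cover."""
    net = ipaddress.ip_network(cidr, strict=False)
    if net.version != 4 or net.prefixlen > 24:
        raise ValueError(f"unsupported prefix for /24 reverse zones: {cidr}")
    zones = []
    for sub in net.subnets(new_prefix=24):
        o = str(sub.network_address).split(".")
        zones.append(f"{o[2]}.{o[1]}.{o[0]}.in-addr.arpa")
    return zones
```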
DNS zone transfer is the default and is preferred by SAP HEC
Disadvantages:
zone "customer.corp" in {
    type master;
    // ... remaining options of the customer's internal master zone
};
// secondary copy of the HEC zone, refreshed by zone transfer after a NOTIFY
zone "hec.customer.corp" in {
    type slave;
    file "slave/hec.customer.corp.zone";
    // SAP HEC DNS servers that send NOTIFY and serve the zone transfer
    masters { 192.168.100.252; 192.168.100.253; };
};
[Figure: Firewall configuration, on-premise server]
Advantages:
• No incoming connections from HEC DNS through the customer's firewall are necessary
• This advantage only holds if no forward from HEC to the customer is necessary
Disadvantages:
• Forward cache delay on-premise (the delay time can be configured on the customer's end)
• This is perhaps a problem if you use the HEC disaster recovery scenario. A failover will take more time, hence SAP HEC cannot guarantee the full service level (SLA).
• Only limited status monitoring
How to configure using UNIX or Linux DNS
zone "customer.corp" in {
    type master;
    // ... remaining options of the customer's internal master zone
};
// conditional forward: queries for the HEC zone go to the HEC DNS servers
// only, and answers are cached on-premise for their TTL
zone "hec.customer.corp" in {
    type forward;
    forward only;
    forwarders { 192.168.100.252; 192.168.100.253; };
};
Advantages:
• You can administer your HEC DNS delegation at a single point for all your company DNS servers.
Disadvantages:
• Each of your DNS servers and your client computers needs connectivity to the SAP HEC customer DNS.
• This may result in a lot of DNS traffic towards the HEC customer DNS servers and hence slower responsiveness for your whole SAP HEC environment.
• The DNS cache TTL delay is long here. This is perhaps a problem if you use the HEC disaster recovery scenario. A failover will take more time, hence SAP HEC cannot guarantee the full service level (SLA).
• The number of DNS clients is limited to 1000 on each HEC customer DNS server by default.
For help on how to configure this in your Windows DNS environment please refer to:
http://technet.microsoft.com/en-us/library/cc771640.aspx
You can also find a how-to video for DNS delegation in a Windows environment here:
https://www.windows-server-2012-r2.com/dns-zone-delegation.html
Domain delegation is also possible in a UNIX® or Linux DNS environment on the customer's end. Just create the zones you want to delegate to SAP HEC as primary/master DNS zones and place the HEC customer DNS servers as NS records. You also have to place these HEC customer DNS servers as A records in your internal top-level DNS domain.
SAP HEC does not recommend DNS domain delegation on the customer's end for the SAP HEC environment.
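To make the NS and A record requirement of the delegation section concrete, here is an added example that is not part of the SAP HEC document: it generates the records a classic parent-zone delegation needs for the delegated HEC zones and checks that every HEC nameserver that lives inside the internal parent zone also gets its A record. The server hostnames are constructed placeholders; the addresses are the ones used in the named.conf excerpts above.

```python
from ipaddress import ip_address

# Constructed example: hostnames are placeholders, addresses from the excerpts above.
HEC_DNS_SERVERS = {
    "hecdns1.customer.corp.": "192.168.100.252",
    "hecdns2.customer.corp.": "192.168.100.253",
}


def _fqdn(name: str) -> str:
    """Normalise to a lower-case, fully qualified (trailing dot) name."""
    return name.rstrip(".").lower() + "."


def delegation_records(parent_zone: str, delegated_zones, servers: dict) -> list:
    """Resource records the internal parent zone needs to delegate the given
    zones to the HEC customer DNS servers: one NS record per server and zone,
    plus an A record for every server name that lies inside the parent zone
    (without it, resolvers could not find the NS target)."""
    parent = _fqdn(parent_zone)
    records = []
    for zone in delegated_zones:
        z = _fqdn(zone)
        if not z.endswith("." + parent):
            # e.g. a reverse zone: it must be delegated from its own parent
            raise ValueError(f"{z} is not below {parent}")
        for ns in servers:
            records.append((z, "NS", _fqdn(ns)))
    for ns, ip in servers.items():
        ip_address(ip)  # reject malformed addresses before they reach the zone file
        if _fqdn(ns).endswith("." + parent):
            records.append((_fqdn(ns), "A", ip))
    return records


def zone_fragment(records) -> str:
    """Render the records in BIND zone-file syntax."""
    return "\n".join(f"{n:<40} IN {t:<3} {r}" for n, t, r in records)
```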
DNSSEC:
SAP HEC can provide DNSSEC to secure the DNS traffic. But this is not a standard feature in the SAP HEC product portfolio. If you have a VPN connection to SAP HEC, please keep in mind that this traffic is already encrypted and secured.
DNS TSIG:
SAP HEC can provide DNS TSIG to secure the DNS traffic. But this is not a standard feature in the SAP HEC product portfolio. If you have a VPN connection to SAP HEC, please keep in mind that this traffic is already encrypted and secured. DNS TSIG is not compatible with MS® Windows DNS.
DNS6:
SAP HEC does not provide DNS6 for IPv6.