2 Prepare certicates
Before installing and conguring the Browser Access service, you must make some necessary preparations.
2.1 Choose a method to handle external requests
As the Browser Access service enables you to access SAP Business One from external networks, it is essential
that external requests can be sent properly to internal services.
To handle external requests, we recommend deploying a reverse proxy rather than using NAT/PAT (Network
Address Translation/Port Address Translation). Compared with NAT/PTA, the reverse proxy is more exible and
can lter incoming requests.
Note
Regardless of the method, the SAP HANA services are not exposed to external networks; only the SAP
Business One services are exposed. However, you must never directly assign an external IP address to any
server with SAP Business One components installed.
To improve your landscape security, you can install your SAP HANA database on a machine other than the
one holding SAP Business One components.
Reverse Proxy
A reverse proxy works as an interchange between internal SAP Business One services and external clients. All
the external clients send requests to the reverse proxy and the reverse proxy forwards their requests to the
internal SAP Business One services.
To use a reverse proxy to handle incoming external requests, you need to:
1. Import a trusted root certicate for all SAP Business One services during the installation.
The certicate can be issued by a third-party certication authority (CA) or a local enterprise CA.
For instructions on setting up a local certication authority to issue internal certicates, see Microsoft
documentation .
All the components (including the reverse proxy) in the SAP Business One landscape should trust the root
CA which issued the internal certicate for all SAP Business One services.
2. Purchase a certicate from a third-party public CA and import the certicate to the reverse proxy server.
Note that this certicate must be dierent from the rst certicate. While the rst certicate allows the
reverse proxy to trust the CA and, in turn, the SAP Business One services, the second certicate allows the
reverse proxy to be trusted by external clients.
All clients from external networks naturally trust the public CA and, in turn, the reverse proxy. A chain of
trust is thus established from the internal SAP Business One services, to the reverse proxy, and to the
external clients.
4
PUBLIC
How to Deploy SAP Business One with Browser Access
Prepare certicates