Aliter Consulting's latest challenge on a customer project was integrating SAP on Azure with the customer’s SaaS Office 365 environment to provide inbound and outbound email for SAP S/4HANA: inbound email for OpenText VIM and SAP GRC, and other general outbound mail requirements...
2. Introduction
• This presentation illustrates one possible solution for implementing inbound email to and outbound email from SAP via a tenant on Office 365
• Key requirements from the customer included a highly available, scalable solution with highly secure mail transfer
• The customer already had a Microsoft Office 365 SaaS operation and wanted to integrate the SAP requirements with this same solution
3. Architecture Overview
[Diagram: Microsoft SaaS Office 365 (someone@company.com, routing) connected on port 25 to an Azure Virtual Network containing an external Azure Load Balancer, an internal Azure Load Balancer, and an S/4HANA system with client 800 running three ABAP application servers, each with SMTP plug-ins on ports 25800 and 25. Flows shown: "Outbound Mail from SAP" and "Inbound Mail to SAP".]
• Microsoft O365 SaaS service hosting client mail services
• Outbound connector routing mail to port 25 at the external Azure Load Balancer
• Port 25 is routed to port 25800 at the internal Azure Load Balancer that fronts the back-end SAP ABAP application servers
• Internal Azure Load Balancer routes mail to port 25800 on the calculated available SAP ABAP application server
• ICM on SAP ABAP application server receives mail through SMTP plug-in and stores in SAP database
4. Definitions in O365
• An O365 outbound connector is required for each SAP system for which inbound mail to SAP is required
• An O365 inbound connector is required for each sender certificate CN, which can be shared by multiple SAP systems; this is used in preference to working with sender IP addresses
• The TlsSenderCertificateName parameter on the inbound connector is used for CN matching
5. Definitions in Azure
• Limitations within the SaaS O365 offering on the ability to change the default SMTP port (25) on the outbound connector enforced the need to have one IP on the external Azure Load Balancer listening on port 25 per SAP system
• For SAP systems with multiple application instances, an additional Azure Load Balancer can be used to distribute the load and remove the reliance on one application server being available
6. Definitions in SAP for Outbound Mail (ABAP)
• Profile parameters for the ICM SMTP plug-in:
– icm/server_port_<n> = PROT=SMTP,PORT=0,TLS=2
• Signed client certificate stored in the PSE via STRUST
• SAPConnect SMTP node configured with:
– the target SMTP O365 tenant host name and port
– security settings referencing the client certificate for TLS
– signature and encryption if desired
7. Definitions in SAP for Outbound Mail (Java)
• Signed client certificate stored in the PSE via NWA and the secure store "javamail" view
• JavaMail service properties configured with:
– mail.smtp.host set to the SMTP O365 tenant host name
– mail.smtp.port set to 25
– mail.smtp.starttls.enable set to true
– mail.from set to a valid mail address for your company
8. Definitions in SAP for Inbound Mail (ABAP)
• Profile parameters for the ICM SMTP plug-in:
– icm/server_port_<n> = PROT=SMTP,PORT=<port>,TLS=2
– is/SMTP/virt_host_0 = *:<port>;
• Example settings as per the Architecture Overview
– icm/server_port_1 = PROT=SMTP,PORT=25800,TLS=2
– is/SMTP/virt_host_0 = *:25800;
• System user with profile S_A.SCON
• SAPConnect service configured and activated in ICF with:
– logon details of the defined system user
– handler CL_SMTP_EXT_SAPCONNECT defined
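A check of an instance profile against the ICM SMTP settings listed above, as an added example that is not part of the original presentation: it flags any SMTP port that does not use TLS=2 or that has a listening port with no is/SMTP/virt_host_<n> entry. The sample profile is constructed, and the function names parse_profile and lint_smtp are hypothetical.

```python
import re

# Constructed sample profile: port 1 follows the slide, port 2 deviates from it.
SAMPLE_PROFILE = """\
icm/server_port_0 = PROT=HTTP,PORT=8000
icm/server_port_1 = PROT=SMTP,PORT=25800,TLS=2
icm/server_port_2 = PROT=SMTP,PORT=25801,TLS=1
is/SMTP/virt_host_0 = *:25800;
"""

def parse_profile(text):
    """Return {parameter: value} from 'name = value' lines; '#' lines are comments."""
    params = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            name, value = line.split("=", 1)
            params[name.strip()] = value.strip()
    return params

def lint_smtp(params):
    """Compare ICM SMTP ports against the slide's pattern; return findings."""
    bound = set()  # ports named in is/SMTP/virt_host_<n> = <host>:<port>;
    for name, value in params.items():
        if name.startswith("is/SMTP/virt_host_"):
            for entry in value.split(";"):
                if ":" in entry:
                    # Comma-separated port lists are tolerated (assumption;
                    # the slide only shows a single port per entry).
                    ports = entry.split(":", 1)[1].split(",")
                    bound.update(p.strip() for p in ports)
    findings = []
    for name, value in sorted(params.items()):
        if not re.fullmatch(r"icm/server_port_\d+", name):
            continue
        opts = dict(kv.split("=", 1) for kv in value.replace(" ", "").split(",") if "=" in kv)
        if opts.get("PROT") != "SMTP":
            continue
        if opts.get("TLS") != "2":
            findings.append(f"{name}: TLS={opts.get('TLS', 'unset')}, slide uses TLS=2")
        port = opts.get("PORT", "")
        # PORT=0 is the outbound-only definition on the slides; it needs no virtual host.
        if port != "0" and port not in bound:
            findings.append(f"{name}: port {port} not bound by any is/SMTP/virt_host_<n>")
    return findings

if __name__ == "__main__":
    for finding in lint_smtp(parse_profile(SAMPLE_PROFILE)):
        print(finding)
```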