Security requires fixed IP address when using BO Client Tools - but why?

Currently, we are required to have a fixed IP address to use Client tools (IDT, Rich Client) (also server admin). I’m no admin guy, but I assume the server police want this so that anyone connecting via Client Tools is a trusted user.

But the working from home thing throws a wrinkle into things, since we get a home-based IP address. Even a wireless connection from the office isn’t allowed.

However, as context, one can connect to the server from any machine via a browser for Web Intelligence and CMC things … so I don’t really get why they’re so strict when connecting via client tools.

Could we switch the “authority” to connect to use client tools from IP address to our PC device name? This might be even more secure because it’s fixed to the PC whereas an IP address technically is not.

For actual server administration, I can certainly understand a “trusted source” model, that makes sense. But that’s totally different login credentials from Rich Client or IDT.

Looking for some help to talk to the security team.

We’re on BI 4.2 SP-5


Just to be clear it’s a company policy not a BOBJ requirement? I am running multiple BOBJ servers with various configuration for test purpose and I don’t get the point regarding fixed IP address.

For sure a client tool need to connect to multiple BOBJ services, but this policy is very strange. Can you provide more context ?

This is indeed not a SAP BI requirement. There are a lot of companies that normally don’t allow end-users to directly connect to the databases. The client tools that get installed on the laptop/desktops sometimes to require database access. In this case it can be required to have the IP address of the laptop/desktop to be listed in the company firewall to allow access to the database.

1 Like

Can understand restricting access to dbase servers. But, allowing access based on IP address would require having static IP addresses on the workstations. If the IP is dynamic, it could change if the machine restarts, looses power, etc. Enabling based on range would solve that, but defeats the purpose of only allowing specific machines to connect. Names are typically used because of that issue. Remote workers would also present a problem.

Either way, this is something being done internal by your organization’s security team.
Have a chat with them to understand their concerns and why they set it up the way they did. Then let them know how’s it’s impacting your ability to work. It’s possible they aren’t even aware of the BO client tools and how they function and need to connect to the dbases. Educate them and see what they propose. They might have other solutions.

1 Like

Full Client tools connect to SAP BO CMS on ports 6400 / 6410 (I can’t remember the exact port ranges). On some clients, these ports are open but more and more, they are locked for security reasons in production environments even also on prior. If you need these specials ports, you have to open it between the VO server and you box at firewall level and for this you need fixed Ip because if you open a port between to IP and if one of it change, you loose it…

yeah. because of security. some companies are heavy firewalled = multiple firewalls on different levels. therefore a services must run on static ports and is really funny to specify all the requests what can communicate with what. and therefore the ips are in most cases fixed or reserverd to mac addresses in dhcp.

I’m sorry for the delay. But I was able to use your input and they have relaxed the policy. So I can connect from home, different PC’s, etc.

Martensnl - - - also thank you and sorry for the delay. In this case I’m in IT and a developer, hence I use IDT and Rich Client. And understand not allowing end users, all they use is WebI. But they relaxed the rule, in part due to feedback from this post … :grinning:

dtolley - thank you and apologize for the delay. They relaxed the rules!

1 Like

@tom_kar @bernard_timbal

very good, and they have relaxed the rules. So now I can connect from home or work, no worries on the IP address.