Another good case for a SAP webdispatcher inbetween which is hardened and terminates the SSL. Server side SSL in dmz or server zone is not seen. That has always been SAP's recommendation.
If the dispatcher is ok (and is not on expected ssl port number anyway) then script kiddies and backends should be safe for a while...
Cheers,
Julius