SAPRouter
15
The BASIS Experts SAPRouter – Easier than it looks
-
Upload
spencer-matthews -
Category
Documents
-
view
6.801 -
download
8
description
This is a fun presentation I made to explain the functions and troubleshooting of SAPRouter.
Transcript of SAPRouter
The BASIS Experts
SAPRouter – Easier than it looks
The BASIS Experts
The Basics
• What is SAPRouter?
• SAPRouter works like any router to direct traffic and is specifically used to route traffic of any type between SAP and the customers local systems.
The BASIS Experts
Networking Options
• What types of Internet connections can be used for setting up SAPRouter?
- Frame Relay- Secure Network Connection(SNC)- Virtual Private Network(VPN)- ISDN
The BASIS Experts
• Network connection type determines which SAP OSS Server you connect to.
- SNC = SAPSERV2- VPN = SAPSERV1- ISDN/Frame Relay = SAPSERV 3-7- 3-7 is determined based on location. In the
US, SAPSERV4 is used and located in California.
The BASIS Experts
• What are the (dis)advantages to the network options?
- SNC = Cheapest option. Most configuration from BASIS standpoint. Requires a hole in the firewall.
- VPN = Secure and inexpensive. Requires more configuration from a networking standpoint.
- Frame Relay/ISDN – Costly and not recommended.
The BASIS Experts
Key Points
• SAPRouter traffic communicates by default on TCP Port 3299. This is a configurable option.
• SAPRouter executable/binary must be running for SAPRouter to work. There is no start on call options.
• SAPRouter is required to get service from SAP.
The BASIS Experts
Configuring SAPRouter
• Step 1 is always to open a ticket with SAP. Ticket should be opened under XX-SER-OSS-NEW. Required information in the message is the external IP address and hardware of the customers firewall/router that will be used for configuring the connection, SAPRouter Public IP address, and connection type(SNC, VPN, etc..). This is also valid if you are simply changing SAPRouter to a different network type.
The BASIS Experts
SNC Configuration• Pertinent information- Http://service.sap.com/saprouter-sncdoc- Http://service.sap.com/saprouter-sncadd- Note#525751 - Installation of the SNC SAPRouter as NT
Service - T:\SAP\Reapplying for a Saprouter certificate.doc- Special Note – SNC Certificates expire after 1 year- Connection to SAP will always work if SNC is active regardless
of source IP address.- Password generated during SNC configuration(sapgenpse
commands) is optional and can be left blank.
The BASIS Experts
VPN Configuration
• Pertinent Information- Note#41054 - Installation of the
SAPRouter as NT Service- SAPRouter box must have a public IP
address visible to SAP
The BASIS Experts
SAPROUTTAB• This is the routing table used by SAPRouter. • It is a flat file stored on the OS and can be edited using
notepad or vi. • All routes are denied by default and must be explicitly
allowed.• SAPROUTTAB contains five key columns- (P)ermit or (D)eny- Allow traffic from IP- Allow traffic to IP- Port number- Password• Be aware of SNC Specific entries, if applicable.
The BASIS Experts
SAP Configuration
• Transaction OSS1• Local SAPRouter information must be
entered using private network IP• Save and test configuration via RFC
SAPOSS• SDCC and SDCCN also use RFC
connections to SAP that utilize SAPRouter
The BASIS Experts
Understanding SAPRouter Strings
• Basic routing concept• /H/ = target host /S/ = target port• Example:
• /H/192.168.1.1/S/3299/H/194.117.106.129/S/3299/H/10.0.0.1/S/3200
• Understanding the above as seen in SAPGui configuration
• Can be used to connect to any systems via SAPRouter, not just to/from SAP.
The BASIS Experts
Troubleshooting SAPRouter
• SAPRouter has one single logfile in the same directory as SAPRouter named dev_rout. This can be viewed with Notepad or cat.
• First test of SAPRouter should always be telnet test on SAPRouter port(most likely 3299).
• Always test connectivity to and from SAP to avoid finding out about problems later.
• Connectivity to SAP should always be tested via SAPOSS RFC.• Common Issue - Host does not respond ‘X’ times. This is
corrected by ensuring SAP can ping the SAPRouter box. • Common Issue – SAP cannot reach system.
http://service.sap.com/system-data information not correctly entered for system.
The BASIS Experts
Service Connector• Used as to keep the SAPRouter connection open and
active, primarily in Frame Relay and VPN environments• Generates an ongoing ping between SAP and the
customers SAPRouter.• Must be run from a local customer server/desktop. • Could possibly be used to avoid having to allow ping to
the SAPRouter through customers firewall (I haven't had much luck with this though.
The BASIS Experts
Conclusion
• SAPRouter is required by SAP. Do not run without it.
• SAP functions exactly like a slimmed down version of a normal router
• Questions?
![2007 2013 · about various attacks on SAP from the RFC interface, SAProuter, SAP WEB and SAP GUI client workstations [6]. Interest in the topic has been growing exponentially: in](https://static.fdocuments.us/doc/165x107/5e8f004dd0852061937542c5/2007-2013-about-various-attacks-on-sap-from-the-rfc-interface-saprouter-sap-web.jpg)
