What is SAProuter?

 

SAProuter is an SAP program that acts as an intermediate station (proxy) in a network connection between SAP systems, or between SAP systems and external networks. SAProuter controls the access to your network, and, as such, is a useful enhancement to an existing firewall system (port filter).

Figuratively, the firewall forms an impenetrable “wall” around your network. However, since particular types of connections need to penetrate this wall, a “gate” has to be made in the firewall. SAProuter assumes control of this gate.

In short, SAProuter provides you with the means of controlling access to your SAP system.

Implementation Considerations

You can use SAProuter to do the following:

  • Control and log the connections to your SAP system, for instance from an SAP service center

  • Set up an indirect connection when programs involved in the connection cannot communicate with each other due to the network configuration

    • Address conflicts when using non-registered IP addresses

    • Restrictions arising from firewall systems

  • Improve network security by means of the following:

    • A password, which protects your connection and data from unauthorized external access

    • Allowing access from only particular SAProuters

    • Only allowing encrypted connections from a known partner (using the SNC layer)

  • Increase performance and stability by reducing the SAP system workload within a local area network (LAN) when communicating with a wide area network (WAN)

The following graphic illustrates your network (LAN) using a firewall as protection against access from outside. SAProuter runs on the firewall host, and serves as a “gate” to your network. This gate is only opened for connections you specify.


This is often useful if, for example, there is a support connection from SAP to your SAP system that SAP staff use to access your system in the case of problems. SAProuter controls and monitors these connections.

Caution

Note that installing SAProuter without the use of a firewall does not protect your network against access from external networks. You must ensure that all incoming SAP connections go through the SAProuter “gate”.

Increasing Network Security with SAProuter

The SAProuter running on your firewall host should be configured to allow the following:

  • Only the NI protocol (SAP Protocol) is accepted from external systems

  • Only a limited number of SAProuters, not an arbitrary number, are allowed before and after this one in a route

  • Only SAProuters that you trust are allowed access
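
The three requirements above, together with the password protection mentioned earlier, can be checked mechanically against a route permission table. The following is an added example, not SAP code: it assumes the usual saprouttab entry layout (`P`/`S`/`D`, an optional `n,m` limit on preceding and following SAProuters, then source, destination, service and an optional password), which this page does not spell out, and the sample table, hosts and password are constructed.

```python
import re

# Constructed sample table (not from the page). Assumed entry layout:
#   <type>[n,m] <source-host> <dest-host> <dest-service> [password]
# P = permit any protocol, S = permit NI (SAP protocol) only, D = deny.
SAMPLE_SAPROUTTAB = """\
# weak: any protocol, any source, unlimited route length, no password
P * * *
# NI only, but no limit on SAProuters before/after and no password
S 203.0.113.10 10.1.1.5 3200
# hardened: NI only, at most 1 preceding and 0 following SAProuters, password
S1,0 203.0.113.10 10.1.1.5 3200 s3cretPw
D * * *
"""

ENTRY = re.compile(r"^(?P<kind>[PSD])(?:(?P<pre>\d+|\*),(?P<post>\d+|\*))?$")


def audit(table):
    """Return (line_no, entry, findings) for every permit entry with findings."""
    report = []
    for no, raw in enumerate(table.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        m = ENTRY.match(fields[0])
        if not m or len(fields) < 4:
            continue  # SNC (K*) entries and malformed lines are out of scope here
        if m["kind"] == "D":
            continue  # deny entries open nothing
        findings = []
        if m["kind"] == "P":
            findings.append("accepts protocols other than NI")
        # Assumption: an entry without the n,m suffix places no limit on the route.
        if m["pre"] in (None, "*") or m["post"] in (None, "*"):
            findings.append("no limit on SAProuters before/after")
        if fields[1] == "*":
            findings.append("any source host allowed")
        if len(fields) < 5:
            findings.append("no password")
        if findings:
            report.append((no, line, findings))
    return report


if __name__ == "__main__":
    for no, entry, findings in audit(SAMPLE_SAPROUTTAB):
        print(f"line {no}: {entry!r}: " + "; ".join(findings))
```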

Recommendation

Under UNIX, we do not recommend starting the SAProuter on a port reserved for root.


Constraints

The following scenarios are supported by the SAProuter:

  • SAP GUI communication through the SAProuter (to the Message Server and/or SAP Dispatcher)

  • RFC communication between systems or between RFC client and SAP Gateway

  • Support connections from SAP to customers. For support purposes SAP enables the transfer of other protocols through special, proprietary precautions, but these are not appropriate for production operation and are not released.

The following scenarios are not supported by the SAProuter:

  • Communication between server components with HTTP-based protocols through the SAProuter (e.g. Web service calls through HTTP)

  • Communication from a user interface such as the browser or the Business Client through SAProuter to an application server (e.g. Web Dynpro or BSP-based applications)

  • Binary protocols (e.g. terminal server, X-server) between communication partners