SAProuter is a software application that provides a remote connection between our customer's network and SAP. SAProuter can be used to:
SAProuter can be used with traditional SAP products as well as analytics solutions and offerings acquired from Sybase. For a comprehensive list of which SAP Business Analytics products benefits from SAProuter connections, see SAP Note 1478974.
SAProuter controls access to your network on application level and is a useful enhancement to an existing firewall system (port filter).
You can use SAProuter to:
You must use SAProuter to control and log the connections between SAP and your R/3 System. SAProuter is used at SAP Active Global Support.
The only pre-requisite for using SAProuter is a network connection from the customer's network to the SAP network.
In order to establish this it will be necessary to first coordinate with the SAP network team to prep your environment. To best facilitate this request it’s vital that you ensure the following:
New Connection Requirements
Existing Connection Requirements
It is key for SAP to offer the Services and Support for your solution in a safe, fast and auditable way. Therefore customers will profit from the following benefits:
SAP, together with the network providers, strives to offer the highest possible security for accessing customer networks via WAN (wide area network) connections. Maximum security against unauthorized access to customer systems and local networks via a WAN connection is only guaranteed, however, if the customer also undertakes specific measures and observes all security guidelines.
Customers are primarily responsible for complying with all necessary security measures. SAP can only provide the highest security possible if customers consistently comply with all security measures.
SAProuter is an SAP software program for controlling and monitoring communication between internal and external networks. Because SAP routes all accesses to internal systems and all maintenance connections via a corresponding SAProuter, the connection between SAP and the customer is reduced to a single SAProuter - SAProuter connection.
Encrypt your data transfer
Special server certificates can be issued to validate Internet connections set up for support purposes between your company and SAP via the SAProuter. In general, they are used for server authentication for encrypted data transfer within mySAP.com via the Generic Security Services API interface (GSS-API).
SAProuter certificates are available free of charge from the SAP Support Portal.
A route is defined for SAProuter in the form of a route string, which must observe specific syntax rules. A route string contains an entry, or substring, for each SAProuter and for the target server. Each substring contains the information that SAProuter needs to make a connection in the route: the host name, the port name, and the password, if supplied.
A route string can look like this: /H/host/S/service/P/pass
Each substring begins with /H/, which indicates the host name. You can optionally specify a service after each host name. The service name is preceded by /S/. The substring can then include a password, which is preceded by /P/.
By default, route strings are sent without a password. The default value for service is "3299", and the default password is "" (empty).
The diagram below shows a sample connection between SAP and a customer system. In this example, an SAP service engineer working at sappc needs to log on to a customer application server yourapp, which offers or uses the service sapservice.
Dial-in of an SAP employee into a customer system
The SAP service engineer logs onto R/3 and connects sappc to yourapp via the SAProuter on saprouter and the customer’s SAProuter yoursaprouter.
yoursaprouter requires the password pass_to_app for connections to yourapp.
The route string looks like this: /H/saprouter/H/yoursaprouter/H/yourapp/S/
This route string is interpreted by SAProuter as follows:
|Substring 2||/H/yoursaprouter||/S/default||<no password>|
The connection from sappc to the application server is made in the following stages:
|sappc (frontend)||builds the connection to the SAProuter on saprouter according to substring 1, and passes on the remainder of the route information.|
|checks whether the route sappc to yoursaprouter, 3299 is permitted, builds the connection to the SAProuter on yoursaprouter, and passes on substring 3.|
|yoursaprouter||(SAProuter) checks whether the route saprouter to yourapp, sapservice is permitted. The password pass_to_app is also checked. SAProuter then builds the connection to the application server.|
SAProuter always checks only the previous host name or IP address and the next substring (/H/.../S/.../P/...) for the host name or IP address, service and password. No password is used in the first substring, since the client is accessing itself.
If the /S/ part is missing, the default SAProuter port number is used.
If the /P/ part is missing, no password is used.