SAPRouter for remote logon

Hi,
We have a typical scenario here regarding usage of SAPRouter.
Our user base is spread across various Ships and offices located across India.  We are planning to use SAPRouter to allow access to them.
How do we restrict access to the users based on their IP addresses (IPs will be changing if they use different internet service providers)?  Also, it would be difficult to maintain so many IP addresses in the saprouttab file.
Is there a different way to achieve this type of access, other than SAPRouter?
Regards
Abdul

Hi,
We have been in your situation, too.
We managed to use a VPN client product from a well-known network vendor (rather than managing SAP Router).
From the security point of view, our network team has managed user authentication so that only authorized users can log on to the system. So only specified users can log on to the network.
From the basis point of view, we don't need to reconfigure the saprouttab file and restart saprouter every time a user is connected. It also minimizes leakage through SAProuter: for example, if we wish to simplify saprouttab management by using the asterisk (*) wildcard, that is a potential way for unwanted users to log on to your system (as long as they know your SAP router string).
How this VPN client works (from the user's perspective):
They log on to the internet - start the VPN client agent on their PC or laptop - import the profile file - log in using their VPN client - connect - and then they are on the same network as headquarters (working as if they were at headquarters).
Benefits:
- less SAP router management (changing saprouttab, restarting SAP router services, managing start/stop of SAP router)
- centralized network access (by the network team) so that only authorized users can access the network
- you don't need to be worried if one or several of your users resign or move to another company; you only have to delete their profile from the VPN user list. Imagine if you are using SAP router: the last barrier you have is SAP user authorization.
- to secure who is authorized to access the SAP system, you should manage SAP user authorization as well
- ability to use your local applications besides SAP (mail system, local applications etc.), because by logging in and connecting using the VPN client, you are working as if you were at headquarters (office)
- they do not depend on the public IP of the SAP router (if it suddenly changes)
Weak points:
- once a user is connected, they can log on to all SAP clients they are able to log in to. We cannot limit access to certain clients here. The only limitation we can make is by user authorization for each client.
- we cannot limit whether user A is allowed to use SAP only, user B is allowed to use SAP and mail only, and user C has no limitation. Once they are logged in, they will be able to execute or run any application they are authorized for.
Hope it helps you.
rgds,
Alfonsus Guritno
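
The reply above warns that an asterisk in saprouttab opens the router to anyone who knows the route string. The following check is an added example, not code from the thread or from SAP: it audits route-table text for that pattern. It assumes plain entries of the form `<P|S|D> <source-host> <dest-host> <dest-service> [password]`, that the first matching entry decides, and that SNC (K*) entries can be skipped; the sample table, host names and function names are constructed for illustration.

```python
# Added example: audit saprouttab text for over-broad permit entries.
# Only plain P/S/D entries are analysed; SNC (K*) entries are skipped.

SAMPLE = """\
# constructed sample route table, not from the thread
S 203.0.113.25 sapprd01 3200 Tr4vel
P 198.51.100.* sapprd01 3200
P * sapprd01 3200
P * * *
D * * *
"""


def parse(text):
    """Return one dict per P/S/D entry, in file order."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        tokens = raw.split()
        if not tokens or tokens[0].startswith("#"):
            continue  # blank line or comment line
        action = tokens[0].upper()
        if action not in ("P", "S", "D") or len(tokens) < 4:
            continue  # SNC entry or something this sketch does not handle
        entries.append({
            "line": lineno, "action": action, "source": tokens[1],
            "dest": tokens[2], "service": tokens[3],
            "password": len(tokens) > 4,
        })
    return entries


def covers(earlier, later):
    """Conservative test: each field of `earlier` is '*' or identical.

    Partial patterns such as 198.51.100.* are not expanded here.
    """
    return all(earlier[k] in ("*", later[k])
               for k in ("source", "dest", "service"))


def audit(text):
    """Return (line, finding) tuples in file order."""
    entries = parse(text)
    findings = []
    for i, e in enumerate(entries):
        # The table is read top-down and the first match decides, so an
        # entry fully covered by an earlier one never takes effect.
        if any(covers(prev, e) for prev in entries[:i]):
            findings.append((e["line"], "SHADOWED"))
            continue
        if e["action"] == "D":
            continue
        if e["source"] == "*":
            findings.append((e["line"], "ANY_SOURCE"))
            if not e["password"]:
                findings.append((e["line"], "ANY_SOURCE_NO_PASSWORD"))
        if e["dest"] == "*" or e["service"] == "*":
            findings.append((e["line"], "ANY_TARGET"))
        if e["action"] == "P":
            # P forwards any TCP protocol; S allows the SAP protocol only.
            findings.append((e["line"], "P_NOT_S"))
    return findings


if __name__ == "__main__":
    for line, finding in audit(SAMPLE):
        print(f"line {line}: {finding}")
```

In the sample, the closing `D * * *` is reported as shadowed because the `P * * *` above it already matches every connection, so the deny rule never applies.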

Similar Messages

  • Trying to replicate - asking for Remote logon

    Hi Gurus,
    When I am trying to replicate the datasource by right-clicking the datasource, instead of replicating, it is going to the SAP Remote Logon menu and asking for the R/3 user ID and password.
    Can anyone let me know the reason for this?
    Thanks in advance
    Savi

    A few possible reasons I can suggest:
    1. Check if your source system is active: in the Source system tab, right-click the specific source system and select Check.
    2. If your password for the background user has changed.
    hope it helps,
    regards,
    Parth.

  • Remote Logon with Internet Explorer

    Using SAPNW7.0ABAPTrialSP12.
    I'm trying to log on over a network by using Internet Explorer but everything fails.
    Remote and local GUI logon is OK, and local logon through the URL http://localhost:8000/sap/bc/gui/sap/its/webgui?sap-client=000 is OK.
    I don't know the Url for remote logon and firewall and/or server settings.
    Used following:
    firewall enable Port 3300 and 8000
    http://saphome:8000/sap/bc/gui/sap/its/webgui?sap-client=000
    http://saphome:3300/sap/bc/gui/sap/its/webgui?sap-client=000
    Could someone point me in the right direction?

    > http://saphome:8000/sap/bc/gui/sap/its/webgui?sap-client=000
    > http://saphome:3300/sap/bc/gui/sap/its/webgui?sap-client=000
    If you ping your "saphome" from the network, do you get any reply? One of the things I can think of is the loopback adapter bothering other network traffic. I know of some occasions where my loopback adapter acts as default gateway preventing all outgoing network traffic from reaching the 'real' network adapter.
    If your SAP machine is on the network with a name that can be properly resolved (either a proper network name or a fully qualified domain name or FQDN), try to start your SAP instance without the loopback adapter running and see if you can still reach SAP locally (using the machine's network name or FQDN instead of "localhost"). Maybe that'll give some network clues....
    EDIT: typo found and corrected
    Edited by: Jurjen Heeck on Aug 28, 2008 11:43 AM

  • How to remote logon to other client while developing ALE

    hi,
    I am just learning cross applications. I have generated an RFC, but how do I check whether the connection is created? Tell me how to do a remote logon.
    thanks in advance.

    Hi,
    In the RFC destination screen (SM59), you will find two buttons:
    1. for test connection
    2. for remote logon.
    Click any of them.
    Reddy

  • Central autoreactions for remote systems (saprouter)

    Hi, Experts!
    There is a possibility to define the central autoreactions for remote systems connected to Solman through SAPRouter??

    Hi,
    The CEN Configuration is dependant on the CCMS agents that you install on your satellite system.
    The CCMS agents run as Services at OS level.
    When you install CCMS Agent, there will be parameters pertaining to connecting to CEN.
    Hope this solves  your problem.
    Feel free to revert back.
    -=-Ragu

  • AFP logon window takes 60 - 90 seconds for remote users

    We have a 10.4.11 server running AFP and multiple other services. About 25 users connect to the AFP sharepoints via the internal network and the login window appears immediately. Another 25 users connect through a hardware VPN from another office and their login screen appears immediately as well. We have another set of 25 users who connect directly over the internet, and only recently, it is taking 60 - 90 seconds for the logon window to appear. Once it does appear, the connection runs at normal speed.
    It makes no difference whether the address is specified as FQDN or IP address. I've tried turning off Bonjour, and adding the host domain name to the search domains, but this made no difference either.
    This problem did not exist until recently. It may have been about the same time as the 10.5.4 update, but I can't be sure.
    Also, our ISP is known to play with "Shaping" although we did have AFP set to high priority and Port 548 is not restricted.
    Is there another service that Apple uses to bring up the logon window? If so perhaps our provider is restricting bandwidth on that.
    - Tim

    This problem related to AFP requesting a "Service Record" first and waiting until that timed out before requesting the "A" record for the site. It seems to be an issue with OS X 10.5.4 and OpenDNS. Hopefully they will sort it out soon.

  • Remote Logon Tab does not work

    Hello All,
    We have a standard ABAP RFC Connection from our Dev system to our Prod system. We have maintained the connection with a Dialog user and the connection tests and authorization tests works fine. However when i test the 'Remote Logon' tab , nothing happens. We do not have an error message as well. So I turned on the RFC trace and the entries in the dev_rfc and dev_rd are as below;
    Dev_RFC:
    **** Trace file opened at 20140708 115142 AUS Eastern Standard Time, SAP-REL 640,0,414 RFC-VER 3 1368070 MT-SL
    >>>> [1] SID          : R/3  <ac: 844> K 10.200.1.31 >>> CLOSE abrfcio.c 2679 (86262062)
      -{E3128536-7394-41B0-9DD0-FDE742DFD323}
    ==== Delta HO 0,  0 LOG DROPPED
    DEV_RD:
    *** trace for connection 6 enabled ***
    GwIHandleRq: own_index: 0
    GwIHandleRq: set act rq type DEALLOCATE
    R3DEAL(86262062, cpic_vector=0, ..)
    I am the client (0)
    R3DEAL: state of conn/index 6/0: RESET
    R3DEAL: send return code to cpic partner
    GwISendRc: send appc_rc/sap_rc/status 18/0/0 to conn/target/client 6/1/20
    GwGetMemory: allocated 000000000BCE6000 (len=192)
    GwGetMemory: act_overflow_size = 460 (+ 192)
    GwSetCPICState: state of conn/index 6/1: RESET
    GwSendToClient: send data to conn/target/client 6/1/20
    OUT:
    ReqType     : CPIC         SysIdx  : 20     ReqLen  : 80     ReqId   : 0
    CommIdx     : 13           ConnIdx : 6      ReqVer  : 6      Trace   : 0
    conn        : 6            wp_no   : -1     ReqBlk  : -1
    RqType      : SAP_SEND     Prot    : INT    UID     : 31769  Mode    : 0
    User        :              SapRc   : 0      AppcRc  : 18     ConvId  : 86262062
    Vector      :
    Info        : SYNC_CPIC_FUNCTION
    Info3       : GW_WITH_CODE_PAGE
    NiIWrite: write 80, 1 packs, MESG_IO, hdl 23, data complete
    GwFreeMemory: free 000000000BCE6000 (len=192)
    GwFreeMemory: act_overflow_size = 268 (- 192)
    GwSendToClient: 80 bytes send to conn/target/client 6/1/20
    GwSendToClient: decrement conv_no of client 20: 0
    GwFreeMemory: free 000000000BCE4000 (len=268)
    GwFreeMemory: act_overflow_size = 0 (- 268)
    GwIDelR3Conn: idx/conv = ((0/0) | (-1/0)), delete conv 6 from conv-table
    GwClearConn: conv_no/tcp_conv_no/sna_conv_no: 3/3/0
    GwClearConn: free r3 conv info
    GwClearConn: free buffer info
    GwFiSearchConvId: deleted 86262062 local, conn=6
    GwListInsert: insert elem 6 into conn_free_list (at begin)
    GwListInsert: 497 elems in conn_free_list
    GwListRemove: elem 6 not in conn_search_list
    GwListRemove: elem 6 not in conn_write_list
    GwListRemove: remove elem 6 from conn_inuse_list
    GwListRemove: 3 elems in conn_inuse_list
    *** trace switched off ***
    There are no error messages in ST22 and SM21. After reading a couple of posts in SDN; I changed the password of the dialog user to a password consisting only of alphabets and upper case only but that did not help either.
    I did go through the SAP Notes ; 704206 and 189077 , however we are not using a saprouter string for the connection. We are using the local gateway connection.
    Point to note is that the same RFC connection which we have also set up in our Quality system gives us the remote log in prompt.
    I also checked the hosts and services files on both the servers and both seem to have the same entries.
    System Details:
    Release - 620
    Kernel Patch - 640 Patch 414
    Please do share if you have any ideas on how to resolve the issue. Do let me know if you need additional information.
    Thanks
    Surajit

    Hello Adil,
    Appreciate your feedback on this.
    Our network team confirms that the set up between Dev and Prod is exactly same as the set up bw QA and Prod. As the connection bw QA and Prod works , they are suspecting some other area to be the cause of this issue.
    Thanks
    Surajit

  • Trusted RFC and Remote logon not possible due to Nat'd IP addresses

    Hi,
    We are trying to connect our SolMan 4 to our customer's ECC 6 and BI7 systems. The systems are off site and the IP addresses for the customer's systems are NAT'd when they come in and go out from our network.
    The problem we get is that we cannot set up Trusted systems or Remote Logon to these systems due to issues with the NATing of the IP addresses. We can set up all standard RFCs after adding the appropriate addresses into the hosts file and they work fine. But the trusted RFC does not set up properly and the BACK RFC from the satellite system does not get set up properly. What appears to happen is that when you try to start a remote session SAP goes to the satellite system and finds the Instance Name and the local IP address rather than the NAT'd IP address and tries to open a session from there. I found this by going into the trusted RFC in SM59 and then going to Extras, System Information, Target System; this then tells me the Target System information, where it shows the System ID and IP address (which is the incorrect IP address).
    Anyone know how we can get the system to try to have the correct IP adress in the target system information so that we can get Remote Logon's to work??
    Cheers

    Hi Carl,
    Based on your explanation about Nating,, how will the RFC determine to connect to Solmans internal IP after it has been directed to the IP for the Router connection.
    I feel it is like configuring a jump of RFCs from one IP to another in a single chain.
    Can this be done ?? I mean we have to specify an IP in the RFC connection right.. so how will the automatic jumping of IPs be done.
    Sorry not answering the question but its very interesting and wanted to know.
    Also went through note # 148832, might help.
    Regards,
    Kaustubh.
    Edited by: Kaustubh Krishna on Aug 13, 2009 12:17 PM

  • SM59 - Remote Logon taking very long time - RFC is receiver

    Hi Friends,
    We have ABAP connection (SM59) to R/3 system from PI system.  The connection test is fine. But, when we click the Remote Logon from SM59, it is taking very long time. It is unable to login.
    Due to this, messages are in scheduled state in the receiver CC monitoring. (SOAP to RFC - Async ). Receiver RFC CC also are green.
    We checked with R/3 team, the remote user which is used in SM59 is not locked in R/3 system and password also not changed.
    Friends, kindly clarify why it is taking very long time from PI in SM59 when the connection is fine.
    Kind regards,
    Jegathees P.

    Hi Sabarish,
    I checked in SM58. There are no entries.  SM59 is for other interfaces (IDoc).  In the Message Monitoring all messages showing 'To be Delivered' and 'Delivering' from yesterday onwards. In the CC monitoring, it shows 'Message Processing Started' from yesterday onwards. But not completed.
    I checked in SM21 take log of type 'RD'.  I doubt is this the correct log for this problem.
    The specified operating system call was returned with an error.        |
    For communication calls (receive, send, etc) often the cause of errors
    are network problems.
    It could also be a configuration problem at operating system level.
    (file cannot be opened, no space in the file system etc.).
    Additional specifications for error number 146
    Name for errno number ECONNREFUSED
    Interprocess communication (e.g. TCP/IP) connection refused by partner.
    |This usually means that the necessary receiver program is not running.
    Kindly clarify.
    Kind regards,
    Jegathees P.

  • GRC10 - EAM - Transaction Code GRAC_SPM opening remote logon screen

    Gurus,
    We are on SAP EHP 2 for SAP NetWeaver 7.0  and Plugin patch level 007. Have configured EAM.
    In the AC system the Firefighter executes transaction code GRAC_SPM. The Firefighter selects the FFID, enters the reason code and details, and clicks logon. The next screen is asking for authentication of the target system (Remote Logon screen in SM59). Please can you suggest if this issue is related to RFC or configuration.
    Thanks
    ARD
    Edited by: ARD on Feb 21, 2012 8:56 PM

    Hi,
    Are you on SP06? If so, and you are sure that the RFC connections have been set up correctly, as well as all the SPM related configuration at both the GRC and plug-in systems (SPM ID = Service type, SPRO etc), you probably need to consider implementing the following SAP note https://service.sap.com/sap/support/notes/1652880.
    This fixed a similar issue I had when we moved to SP06. I understand that this note is delivered as part of SP07 now.
    Hope that helps.

  • SM59 Remote Logon User Prompt 'pop up'

    In setting up an R/3 system source system in BW Netweaver 2004s, through RSA1 seems the R/3 system will not logon to the BW system.
    Tested SM59 remote logon with a Dialog user using the correct username and password, SAP_ALL, SAP_NEW, S.A_System etc. The logon screen option is not checked, but it 'pops up' prompting for a username and password. I have tried connecting with another BW 2004s system without issue, appears something specific with the R/3 4.7 version?
    Also, have tried running a trace and it simply shows the last dynpro in the logon process.
    Any insight or help in this would be great ! I'm stumped.

    Hi,
    We already had a similar problem :
    Are you using a BI 7.0 system ?
    BI 7.0 is based on netweaver 7.0 and passwords are case sensitive.
    R/3 4.7 is based on wAS 6.20 and passwords are always converted in UPPER CASE.
    Set the password of your BI user in upper case and R/3 will be able to use it from SM59...
    Hope this helps,
    Olivier

  • SM59 "Remote Logon" malfunctions after server migration

    Hi all,
    Originally our BW server is running under I386 platform. And the server seems not powerful enough, so we decided to migrate the server to IA64 platform.
    After we migrated the server to the IA64 platform, we've performed some basic checking, including SM59 check. But problem occurs.
    After I choose one of the RFC destination from SM59, I CAN execute the "Connection Test" and "Unicode Test" correctly. But when I press the button "Remote Logon", nothing happens.
    I've also checked for the developer trace and nothing can be found. So I have also updated the Kernel to the latest version but the result is still the same ("Remote Logon" malfunctions).
    Do you have any idea?
    Many Many Thanks.
    Best Regards,
    Marco

    > Originally our BW server is running under I386 platform. And the server seems not powerful enough, so we decided to migrate the server to IA64 platform.
    Oh - IA64 - x86_64 would have been as powerful (or even more) and cheaper but nevertheless - to your problem:
    > After I choose one of the RFC destination from SM59, I CAN execute the "Connection Test" and "Unicode Test" correctly. But when I press the button "Remote Logon", nothing happens.
    Is the user provided a DIALOG user on the remote system? If not, then you can't logon.
    Markus

  • Central System Administration in Workcenter - Remote Logon Issue

    Hi,
    We have a problem in our Solution Manager and we would like to know if is possible to fix it.
    We have configured Central System Administration correctly for our satellite systems. We have configured some tasks and we are able to do remote logon to run some transactions in the satellite systems.
    The problem comes in the Workcenter via web. In the workcenter we access to the Central System Administration and when we try to do remote logon to the satellite system nothing happens.
    Anyone knows if it is possible to do remote logon to the satellite systems using workcenters?
    Thanks,
    Roberto

    From the transaction SOLMAN_WORKCENTER, navigate to the System Administration tab.
    From the menu on the left select the task "Administration Tools".
    Select your system from the table on the right
    At the bottom of the screen you will see "Details for system <SID>"
    Select the client and the RFC from the drop down menu. 
    You should see a list of Tools for Application Server with corresponding TCODES.  If your selected RFC is functioning properly and the user ID specified in the RFC has the correct authorizations you should be able to log on remotely by clicking on the link provided.

  • 1405975 - Minimum Authorization Profile for Remote Service Delivery

    In the document described in the header SAP Customers are asked to provide a logon user for SAP Remote Service Delivery.
    Due to security concerns, customers wish to grant restricted authorizations only.
    The minimal authorizations required have been described by SAP in a Z_BASIC_SERVICE_V1.zip file.
    It's there that I noticed the requirement for the SE93 transaction code.
    With SE93 you can assign transaction codes to your account and create new ones.
    I really can't match this requirement with 'restricted authorizations only'.
    Am I missing something?

    Hi,
    If you think SE93 authorization should be restricted, then you can remove this from the role. As far as I know, SE93 authorization is not necessary for remote service delivery. It is one of the 'good-to-have' authorizations, not a compulsory one.
    Regards,
    Vivek

  • Remote Logon Required in ChaRM

    Hi Everyone-
    When processing an urgent correction I am taken to a remote logon screen for my development client when I select actions such as Authorize Change Request, Set to In Development, and even when I try to assign partner functions.
    This should be done in the background and appear seamless to the user, however I am still taken to the development logon screen when pulling these actions.
    Other unusual behavior:
    1.) At the logon screen the user's password doesn't work.
    2.) Exiting the logon screen without typing anything into the password field will still save the transaction when returning to CRMD_ORDER.
    Any idea why this happens? Trusted RFCs have been established.

    One more thing:
    If the change manager assigns a developer, tester and It Operator and then sets the status to In Development, the system behaves as it should and creates the transport request in the background.
    However, if the developer logs in after the partner functions are assigned and sets the status to In Development the remote logon is prompted.
    Any ideas?
