SAPROUTER + VPN
Hi gurus,
I connect to a customer SAP server using saprouter and all works fine. What is the purpose of using also a VPN connection? Is it a matter of security? I'm not a network expert ...
Thanks
Guido
Hi,
SAProuter & VPN are two different things.
SAProuter is the tool provided by SAP to access the SAP servers securely. You can configure it as SNC-Secure Network Connection.
[http://help.sap.com/saphelp_nw04/helpdata/EN/4f/992d65446d11d189700000e8322d00/content.htm]
A virtual private network (VPN) is a private network that makes use of a public network (such as the Internet), while maintaining security and privacy through encryption and security procedures.
VPNs give companies an alternative to leasing an expensive, dedicated private connection from one office to another. Many businesses are using VPN on their servers to allow their employees to connect to their server from home.
If you are using VPN then there is no need to use the SAProuter.
Hope this helps you to understand.
Thanks,
Shambo
Similar Messages
-
Hi,
I want to know if using the string of saprouter the consume of the bandwidth is less than the consume for a VPN?
More thanks.
What's your scenario? .... not enough information here
-
Hello Experts,
I have been requested to setup new SAProuter with VPN 7.10 in our client SAP environment.
Kindly anyone provide pre-requests documents for this installation and configuration.
Appreciate your early help on good step by step documents for saprouter with vpn installation.
Thanks,
Venkat
Hello, here is a guideline:
1. Choose a connection type and apply for your connection.
2. Provide SAP with the data it needs to set up the connection between your SAProuter system and the SAP support server using the Remote Connection Data Sheet (SAP Note 0028976).
3. Configure your network components (e.g. SAProuter).
4. Once a remote connection is established, enter the required logical connections between your R/3 systems and SAP. You will find a description of this procedure in SAP Note 31515.
Not as detailed as you requested but feel free to ask for more details.
We need to know exactly what kind of connection is to be set up.
Hope this helps.
Regards,
Steve. -
SAPROUTTAB Permissions Table location
I am a third-party software developer without a local SAP installation and have to connect to the SAP test database facility. The scenario is SAPROUTER -> VPN -> SAPROUTER -> SAP.
We are in the very early stages and have just setup our VPN, got connection details from SAP etc. I am now attempting to setup the SAPROUTER on our side. However, each time we try and start SAPROUTER in a command window to see if settings are ok we get the following message:
"saprouttab table not found!".
Firstly, what filetype should be given to the SAPROUTTAB, is it a normal .TXT file?
Secondly, I created a C:\usr\sap\saprouter folder and the SAPROUTRTAB file resides in this folder.
I know this may sound absolutely stupid but I am stuck!
There is no exact rule how to find a structure filled in.
I located the place from where this value is coming for FBL3N, the internal table it_pos defined in RFITEM_DEF.
If you can trace how this internal table is filled you can identify how ebeln is populated.
Put a break point in program RFITEMGL following FM and check the value of internal table it_pos.
call function 'FI_ITEMS_DISPLAY'
  exporting
    caller_repid  = c_repid_gl
    acctype       = c_koart_gl
    x_opvw        = x_gl_opvw
    x_change      = x_change
    i_u_save      = gd_alvsave
    is_u_variant  = gs_variant
    it_u_fieldcat = gt_fieldcat[]
    it_kontab     = it_accts[]
    it_slbtab     = it_comps[]
    it_t001       = it_h_t001[]
    it_skat       = it_h_skat[]
    it_skb1       = it_h_skb1[]
    x_grid        = x_grid
    x_inet        = pa_inet
  tables
    it_items      = it_pos.
About locating values how it filled,
Several ways exist to do this.
(1) F1 & F9 gives the field name then search where used list in se11.
(2) Using SQL trace you can identify how a structure is filled in but it's a complex process.
Hope this helps,
Thanks,
vamshi tallada -
We have two saprouters - one local, another in DMZ:
SolMan->Local saprouter>DMZ saprouter-VPN--> SAP saprouter
As VAR partner the input in systems of the customer is necessary for us (via SolMan and action "Customer Connection via SAP Service Backbone"). But for our SolMan in parametres OLSAPROUTER and OLSAPROUTERPORT it is possible to specify only one saprouter.
There is a problem decision?
Many thanks
Vitaliy
Note 1390163 - ISV/VAR: Connection to end customer with second SAProuter
-
New SAProuter with VPN to setup
Hello Gurus,
I have been requested to setup new SAProuter 7.00 in our SAP environment through VPN to be created.
Existing environment is as below :
SAP systems : R/3 4.6C
SAProuter release : v34
SAProuter host configuration : Windows 2003 (US) Enterprise Edition
SAProuter runs through router ISDN line 128KBits connected to our LAN...
As I already checked 'SAProuter 7.00 - Documentation' from http://service.sap.com/patches, I would like to know the 'step-by-step' procedure to proceed :
1. Can I setup new SAProuter even if we currently use existing SAProuter?
2. If NO, what is the procedure for testing my new SAProuter when installed?
3. Plus, can I 'upgrade' existing SAPRouter release to 7.00 then 'only' modify the network configuration? (note that I am checking documentation 'Remote Connectivity for mySAP.com Solutions over the Internet' from march 2001 to find solution : where finding newest release of this documentation?)
Thanks in advance for your insight!
Rgds,
zulain
Hello Hari,
As mentioned previously, we started a survey to change our SAProuter architecture to SAProuter 7.0 version.
As we overviewed all prerequisites, I do require confirmation on the 2 following points :
1. As saprouter program will be installed on host which already exists
and is located in DMZ, the existing Windows operating system version is
W2003 Server Standard Edition in french version.
Thus, we would like SAP support to confirm that SAProuter program can
be installed and will run correctly on Windows 2003 Standard Edition in
french version as SAP note 690432 'Windows 2003 Support' mentions that
SAP supports such an hardware configuration if Windows Multilanguage
User Interface (MUI) kit is installed and that W2003 Standard Edition
is supported for 'test or small systems only' (only saprouter program
will run on this host)
2. One of the requirements of saprouter installation is to provide
public @IP to SAP.
As we get such an IP address, we require SAP support to confirm that
this IP address will work properly as below :
Saprouter will be installed on host which is located in DMZ (SAP
requirement) what does mean 'between our 2 firewalls'
Thus, connection from sap will be translated by first firewall which
will redirect to public address provided
Question : Must the host on which saprouter will run have one and only
one IP address?
As mentioned previously, host already exists and has already an IP
address : then, public @IP provided will have to be translated by
firewall. Will such a configuration work fine?
Thanks in advance for your support.
Rgds,
Zulain -
Dear All
My company has a VPN tunnel with SAP. I have put niping, saprouter and saprouttab under the saprouter folder. As per my understanding, since this is a VPN connection I don't need to apply for a saprouter certificate. Now I am trying to start saprouter with the command saprouter -r but am getting this message ... I have put sapdp99 3299/tcp, sapgw99 3399/tcp and sapmsO01 3601/tcp entries in /etc/services. Still facing the problem. Any help would be appreciated. I have assigned the saprouter folder to <sidadm> instead of creating a new admin user.
LOCATION SAProuter 39.3 (SP4) on 'rpc7444'
ERROR partner '127.0.0.1:3299' not reached
TIME Tue Sep 7 08:33:40 2010
RELEASE 710
COMPONENT NI (network interface)
VERSION 39
RC -10
MODULE nixxi.cpp
LINE 3147
DETAIL NiPConnect2: 127.0.0.1:3299
SYSTEM CALL connect
ERRNO 111
ERRNO TEXT Connection refused
COUNTER 2
kind regards
Gurprinder
Just to make sure I am on the right track, please check if these entries are correct.
i have put host entries in etc\hosts
<host IP> SAP-ROUTER
194.117.106.129 sapserv1
in service file etc\services
sapdp99 3299/tcp
sapgw99 3399/tcp
sapmsO01 3601/tcp
I HAVE RUN COMMAND BELOW...IS THIS MEAN ROUTER IS RUNNING??????????????
saprouter -l -H <host name>
Wed Sep 8 08:17:02 2010
SAP Network Interface Router, Version 38.10
Wed Sep 8 08:17:04 2010
peer SAProuter with NI version 39 ...
send info-request to running SAProuter ...
SAP Network Interface Router running on port 3299 (PID = 12188)
Started on: Wed Sep 8 08:15:00 2010
ID CLIENT | PARTNER service
+----
9 SAP-ROUTER | (no partner)
Total no. of clients: 1
Working directory : /
Routtab : /usr/sap/saprouter/saprouttab
kind regards
Gurprinder -
Sapgui kerberos saprouter (no vpn)
Is there a way to do sso (kerberos) from sapgui from external customers using saprouter?
Eduardo,
If kerberos is installed on SAP ABAP system at customer and they are using an SNC library for internal use (you didn't mention which one) you can use same SNC library used on internal network on the remote workstations running SAP GUI. These users would also need to authenticate to AD using cached credentials or using a separate Kerberos authentication before they logon to SAP GUI and connect to the customers SAP ABAP system.
I don't see any need for SAP Router, or for SAP Cryptolib.
It is only possible for a SAP system to use one SNC library at a time, and it seems they already have an SNC library which they are using for internal users to logon.
In summary:
1) need to check correct ports are open on firewall
2) confirm if user can authenticate with AD on remote computer before they logon to SAP
It would be easier for me to help you if you had a detailed network diagram showing the connectivity involved. I want to make sure you understand how to solve this, and you would need to make sure the solution is secure.
Thanks,
Tim -
Multiple customer numbers under a single snc saprouter
We have a concern regarding saprouter (snc type) and customer numbers.
We are a consulting company providing application hosting for 3 of our customers running SAP systems. All of these systems are hosted in a data centre at our premises. Presently we have 3 separate saprouters for each customer and these 3 customers have separate SAP customer numbers.
In line with our server consolidation efforts, we are planning to merge these 3 snc saprouters into a single saprouter. While we understand that due to the generation of snc cert which is based on customer number, every saproute cert is unique to that particular customer, are there any workarounds for this? Have there been any solutions for other companies having the same issue i.e. having multiple customers in the same data centre and sharing saprouter?
Please advise the best solution forward to consolidate saprouters.
Hi Stephen,
Question: Can the SAProuter be on the internal network with a private IP address but accessed by via the Public address of our firewall and proxied through?
yes, no problem, just a port forwarding for this one port 3299 for inside and NAT for outside is required!
Question: Must all these ports be opened? Elsewhere Volker has stated only one port is required to be opened through the firewall.
ONLY port 3299 - I did several setups this way )
Question: Exactly how secure is this connection? What measures have others taken to protect the connection.
As safe as a 128 Bit certificate is - by now I didn't hear on breaking that => it is safe with state of the art )
(I would imagine VPN is 128 Bit "only" as well)
=> really go for that ....
Regards
Volker Gueldenpfennig, consolut.gmbh
http://www.consolut.de - http://www.4soi.de - http://www.easymarketplace.de -
Dear Team,
We are going to access sap from out side internet without using the office VPN or network.
Now I want to set SAP Router string thru which any person who wants to access our SAP system can do so without getting into our VPN or network. Basically people in Sales when they are at the customer sites.
My saprouter is working fine, as SAP can login to our systems. The NAT is completed so that does not seem any issue.
find the below is our configuration..
Our sap router has configured in SOLMAN SERVER.
For Solman server below are the IP:
132.147.166.3 Private IP for internal access
210.18.50.134 Public IP address.
ROUTAB file is in the below path C:\usr\sap\saprouter.
Below is the content of ROUTAB file
SNC connection to and from SAP
KT "p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE" 194.39.131.34 *
SNC connection to local system for R/3-Support
KP "p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE" 132.147.166.19 3202
Access from the local Network to SAP
P 192.168.. 194.39.131.34 3299
KP "p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE" 132.147.166.11 5631
KP "p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE" 132.147.166.11 23
KP "p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE" 132.147.166.19 3389
P * 194.39.131.34 3299
P "p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE" * *
KP "p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE" 132.147.166.7 3201
KP "p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE" 132.147.166.5 3200
KT "p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE" 194.39.131.34 *
KP "p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE" 132.147.166.5 3389
KP "p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE" 132.147.166.7 3389
deny all other connections
D * * *
Now I want to access my production server with ip = 132.147.166.11 from outside.
So I had configured the below setting in Sap GUI .
Application server=132.147.166.11 [public ip of server where saprouter has installed]
SAProuter String=/H/210.18.50.134/S/3299
system id=ELP
system number=02
but when i click on login it is showing below error..
router permission denied(210.18.50.134 to 132.147.166.11 ,sapdp02
location =saprouter 38.10 ON 'SOLMAN'
relese=700
version=38
returncode=-94
counter=012
Is it necessary to make any change in routab file, as network admin is saying problem is from saprouter to production server
please help us for the same
Regards
Rabin Nayak
SAP Basis Team
Dear Sourabh,
Thanks for your support, I am using /H/210.18.50.134/H/132.147.166.11/H/ for production server only
& /H/210.18.50.134/H/132.147.166.5/H/ for my development server.
Please find the below is the Log of dev_rout file.
trc file: "dev_rout", trc level: 1, release: "700"
Mon Mar 29 10:51:26 2010
SAP Network Interface Router, Version 38.10
command line arg 0: saprouter
command line arg 1: -r
command line arg 2: -S
command line arg 3: 3299
command line arg 4: -K
command line arg 5: p:CN=SOLMAN, OU=0000849045, OU=SAProuter, O=SAP, C=DE
SncInit(): Initializing Secure Network Communication (SNC)
PC with Windows NT (mt,ascii,SAP_UC/size_t/void* = 8/32/32)
SncInit(): Trying environment variable SNC_LIB as a
gssapi library name: "C:\usr\sap\saprouter\sapcrypto.dll".
File "C:\usr\sap\saprouter\sapcrypto.dll" dynamically loaded as GSS-API v2 library.
The internal Adapter for the loaded GSS-API mechanism identifies as:
Internal SNC-Adapter (Rev 1.0) to SECUDE 5/GSS-API v2
main: pid = 5260, ppid = 0, port = 3299, parent port = 0 (0 = parent is not a saprouter)
reading routtab: './saprouttab'
ERROR => invalid token (p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE) in IPadr-string, skip line 11 [nirout.cpp 8585]
Mon Mar 29 10:56:20 2010
checkRoute: route not permitted (15)
ERROR => NiRClientHandle: NiRExRouteCon for C1/-1 'mail.supremegroup.co.in' failed (rc=-94) [nirout.cpp 2243]
Mon Mar 29 10:56:44 2010
checkRoute: route not permitted (15)
ERROR => NiRClientHandle: NiRExRouteCon for C1/-1 'mail.supremegroup.co.in' failed (rc=-94) [nirout.cpp 2243]
Mon Mar 29 11:25:43 2010
checkRoute: route not permitted (15)
ERROR => NiRClientHandle: NiRExRouteCon for C1/-1 '210.18.50.134.sify.net' failed (rc=-94) [nirout.cpp 2243]
I had added another two lines in my routab file as below mentioned highlighted mark.
SNC connection to and from SAP
KT "p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE" 194.39.131.34 *
SNC connection to local system for R/3-Support
KP "p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE" 132.147.166.19 3202
Access from the local Network to SAP
P 192.168.. 194.39.131.34 3299
KP "p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE" 132.147.166.11 5631
KP "p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE" 132.147.166.11 23
KP "p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE" 132.147.166.19 3389
P * 194.39.131.34 3299
P "p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE" * *
KP "p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE" 132.147.166.7 3201
KP "p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE" 132.147.166.5 3200
KT "p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE" 194.39.131.34 *
KP "p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE" 132.147.166.5 3389
KP "p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE" 132.147.166.7 3389
KP "p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE" 132.147.166.5 3299
KP "p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE" 132.147.166.7 3299
KP "p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE" 132.147.166.11 3299
deny all other connections
D * * *
P * * *
I had checked my Public Ip already registered with SAP,still i am getting same error at time of login.
Regards
Rabin
Edited by: RABIN-SAP BASIS on Mar 29, 2010 8:03 AM -
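The route-permission checks at issue in the thread above, as an added example that is not part of the original posts and not SAP's code: a small linter and route evaluator for saprouttab text. It assumes top-to-bottom first-match evaluation and the entry layout `<type> <source or SNC name> <dest-host> <dest-serv>`; the sample table is constructed by abridging the posted one, and the function names are hypothetical.

```python
import fnmatch
import shlex

# Constructed sample: abridged from the second routtab posted above.
ROUTTAB = """\
KT "p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE" 194.39.131.34 *
KP "p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE" 132.147.166.19 3202
P * 194.39.131.34 3299
P "p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE" * *
KP "p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE" 132.147.166.11 3299
D * * *
P * * *
"""

PLAIN = {"P", "S", "D"}         # second field is a source host/IP pattern
SNC = {"KP", "KS", "KD", "KT"}  # second field is the partner's SNC name


def port_of(serv):
    """Normalise '3202', 3202 or 'sapdp02' (dispatcher = 32NN) to a string."""
    serv = str(serv)
    if serv.startswith("sapdp") and serv[5:].isdigit():
        return str(3200 + int(serv[5:]))
    return serv


def parse(text):
    """Return (entries, findings); findings are (line_no, code) tuples."""
    entries, findings, catch_all = [], [], None
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        try:
            tok = shlex.split(line)  # keeps the quoted SNC name as one token
        except ValueError:
            findings.append((no, "unbalanced-quotes"))
            continue
        kind = tok[0].upper()
        if kind not in PLAIN | SNC or len(tok) < 4:
            findings.append((no, "not-an-entry"))
            continue
        src, dst, serv = tok[1:4]
        if (kind in PLAIN) == src.startswith("p:"):
            # e.g. P "p:CN=..." * *  -> the "invalid token ... skip line" log message
            findings.append((no, "source-field-does-not-fit-entry-type"))
            continue
        if catch_all is not None:
            findings.append((no, "unreachable-after-line-%d" % catch_all))
        if kind in PLAIN and (src, dst, serv) == ("*", "*", "*"):
            if kind != "D":
                findings.append((no, "permits-every-route"))
            catch_all = catch_all or no
        entries.append({"line": no, "kind": kind, "src": src,
                        "dst": dst, "serv": port_of(serv)})
    return entries, findings


def check_route(entries, src, dst, serv, snc_name=None):
    """First matching entry decides (assumed evaluation order); default is deny."""
    for e in entries:
        if e["kind"] == "KT":  # SNC designation for outbound hops, not a permission
            continue
        who = snc_name if e["kind"] in SNC else src
        if who is None or not fnmatch.fnmatchcase(who, e["src"]):
            continue
        if fnmatch.fnmatchcase(dst, e["dst"]) and e["serv"] in ("*", port_of(serv)):
            return ("deny" if e["kind"].endswith("D") else "permit", e["line"])
    return ("deny", None)


if __name__ == "__main__":
    table, problems = parse(ROUTTAB)
    print(problems)
    print(check_route(table, "210.18.50.134", "132.147.166.11", "sapdp02"))
```

On the sample, a plain (non-SNC) request to 132.147.166.11 sapdp02 falls through to `D * * *`, and the trailing `P * * *` is never evaluated. Moving that line above the deny would open every route through the router, so the narrower fix is a specific `P <source> <dest-host> <dest-serv>` entry for the systems that must be reachable.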
SAP router installation for VPN method
Hi All,
Can any one share me the steps to perform SAP Router Configuration with VPN method.
Also what are changes i need to make in saproutab file.
Appreciate your inputs.
Thanks
Pradeep.
There is paperwork that you need to fill out with IPSec information, once it's filled out you fax it over to SAP.
Not entirely sure what changes need to be made in saprouttab? Are you changing SAPRouter to no longer perform SNC to SAP?
Here is the doco I used for my company - https://support.sap.com/content/dam/library/SAP%20Support%20Portal/remote-support/RemoteSupport.pdf -
SNC with SAPRouter configuration for Third party company
Hi experts,
Need your advise for my below scenario.
We are running SAP on IBM i. My question is about outside world connectivity with encryption mechanism to SAP AS.
As of now, we are not using SNC either for internal / external network connectivity with SAP apps server. But we are going to allow third party company to connect for one of the payment processing takes place. Since the third party company not accepting VPN connectivity, we are planning to implement Separate SAPRouter configured with SNC (encryption option), and open the firewall port for them. How much secured it is? We are in the process of installing and configuring windows server for SNC & SAPRouter installation. What are all the required configuration in SAP Application server level & new SNC server, for this? How exactly SAPGui (from third party company) to SAP Apps Server will go through the traffic? Need experts advise on this?
Basically I want to make sure, once it is configured, traffic will go through encrypted way outside of our network. Thanks in advance for all your valuable reply!
Hi mgrant,
The information at the bottom of the article in Keith_Beddoe's personal website may help. Link: Using your own router for Infinity
The MTU Size needs to be set as 1492
Cheers
jac_95 | BT.com Help Site | BT Service Status
-
Hi guys,
I am getting an error in my sap router as my network team made some changes in the VPN connections
SAP Network Interface Router, Version 34, August 30 1999
command line arg 0: saprouter
command line arg 1: -r
ERROR => fopen ./saprouttab (2: No such file or directory) [nixxrout.c 2666]
***LOG Q0I=> NiRRouttab: fopen (2: No such file or directory) [nixxrout.c 2667]
cannot open ./saprouttab: all routing disabled!!!
Could not open permission table
Please reply with ur suggestions.
Thank you,
Irshad Mohammed
When I am trying to start saprouter from saprouter utility I am getting this error
External Call
0
31 Could not open permission table
0
17 trcfile dev_rout
17 no logging active
51 routtab cannot open ./saprouttab: EXIT PROGRAM !!!
0
80 (running without saproutab is no longer supported for security reasons)
46 External program terminated with exit code 255 -
Saprouter - Host did not respond times
Hello,
We have configured the saprouter with a VPN, the test connection in SM59 is OK.
When I try to start "R/3 Support" in SAP Support Portal, the SAP Service Connector gives me the message: "The service connection has been opened successfully." but SAPRouter status does not get "connect", it keeps on "Host did not respond x times".
How can I find the problem? If the SAP Connector shows me "The service connection has been opened successfully."?
Regards
Hi Richard
1. Is it new SAProuter installed or already working one?
2. In which OS? could you refer the SAP links
Installing the SAProuter - SAProuter - SAP Library
http://www.sdn.sap.com/irj/scn/go/portal/prtroot/docs/library/uuid/c06c8846-c160-2d10-d18e-d9961e9c7219?QuickLink=index&…
BR
SS -
Access Dev Studio J2EE engine via SapRouter?
I have a group of Developers in another country who wish to use the j2ee engine on our local EP6 machine. They can presently access the R3 Dev system via SapRouter, but the question is: can we configure the j2ee engine in the Developer Workplace see the message server on the EP6 machine?
The path to setting is Preferences > SAP J2EE Engine
For example can we enter something like:
H/<localsaprouter>/H/<our saprouter>/H/<EP6 ip address>
Message was edited by: Graham Slater
Hi,
As far as I know,
We need SAPlogon (higher version preferable but not necessary) for such kind of connection. For the saplogon connection you need application server name, system ID and username and password as described below
You also need some sort of VPN connection.
Following are the inputs required for creating Connection from SAP Logon Pad.
1. Application Server = IP Address or Host Name of SAP Server you want to connect.
2. SAP Router String = If you are connecting via Firewall across VPN.
3. System ID = <SID> ex., DEV, PRD...
4. System Number = <00> ex., 00, 01 ..99
5. Select radio Button R/3
6. Give some description under that field.
Before doing the above please try to PING the Server at Location A from your machine(should be replying).
I don't think NWDS have this facility of using sap router remote r/3.
Let me know whether this helps. Also reward if so.