Introduction to SAProuter

SAProuter is an SAP software product which is available on all SAP-based UNIX platforms and Windows NT/95. It acts like a firewall system by regulating access from/to your network.

SAProuter can be used

·        to establish an indirect connection between two programs running on different machines when the network configuration does not allow direct communication between them, because of missing IP addresses, identical IP addresses, or firewall restrictions.

·        to improve network security by allowing access from/to your network, with or without password protection, only from a specified machine where the SAProuter is running.

·        to control and log all connections between your network and the rest of the world.

Important SAProuter Commands

saprouter

Online help (display list of all supported options)

saprouter -r

Start SAProuter with default values

saprouter -s

Stop SAProuter

Route String

A route string can have one or more substrings. Each substring contains the parameters that describe how to reach the next SAProuter, the target host, or the program on the target host.

Such parameters are:

·        name or IP-address of the target host

·        service (port number) of the program running on the target host

·        password for this connection, if needed

Example of one substring:   /H/host/S/service/P/password

H:      Identifier for host name

S:      Identifier for service (port number)

P:      Identifier for password

Route Permission Table

The SAProuter regulates access to your network by means of the route permission table, which is stored in a file. You can pass the name of this file when you start the SAProuter.

An entry in a route permission table has the following structure:

<P/D> <source host> <target host> <target service> <password>

P(ermit):

allows connection

D(eny):

prevents connection

<source host>:

host name or IP-address, could be a SAProuter

<target host>:

host name or IP-address, could be a SAProuter

<target service>:

service (port number) of the program on the target host
The default service of SAProuter is ‘3299’.

If no route permission table was explicitly assigned to the SAProuter while starting (option -R <name of a route permission table>), the file ‘saprouttab’ in the current directory will be used. If this file is not available, all connections are allowed.

You can use wildcards (‘*’) to define hosts, services and passwords in your route permission table.

See SAP note 30289 for more details about SAProuter.

A Typical Use of SAProuter (remote support)

Network_1 (SAP-Walldorf)              Network_2 (Customer)
host_11         host_r1               host_r2               host_21
SAPGUI ————>    SAProuter ————>       SAProuter ————>       SAP system
                (“3299”)              (“3299”)

Route Permission Tables

Entry in the route permission table of SAProuter on host_r1 in Network_1:
P    host_11    host_r2    3299

Entry in the route permission table of SAProuter on host_r2 in Network_2:
P    host_r1    host_21    sapdp<SAP system number>

The SAPGUI on host_11 will connect to the SAP application server on host_21 with the following route string, host name and dispatcher service:
/H/host_r1/H/host_r2/H/host_21/S/sapdp<SAP system number>

Service information for the two SAProuters is not necessary in the route string, because both are running with the default service (“3299”).
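
The remote-support walk-through above as an added example (not SAP's code and not part of the original page): it parses a route string into hops and evaluates each hop against the route permission table of the SAProuter that handles it. Assumptions, also marked in the comments: a hop without /S/ uses service 3299, '#' starts a comment line, the first matching entry decides, a wrong or missing password is refused, and a connection that matches no entry is refused.

```python
import fnmatch
from typing import NamedTuple, Optional

DEFAULT_SERVICE = "3299"  # default SAProuter service, as stated in the text

class Hop(NamedTuple):
    host: str
    service: str = DEFAULT_SERVICE  # assumption: applied to any hop without /S/
    password: Optional[str] = None

def parse_route(route):
    """Split /H/host[/S/service][/P/password] substrings into Hop tuples."""
    parts = route.split("/")
    if parts[0] or len(parts) % 2 == 0:
        raise ValueError("route string must be a sequence of /KEY/value pairs")
    hops = []
    for key, value in zip(parts[1::2], parts[2::2]):
        if key == "H":
            hops.append(Hop(value))
        elif key in ("S", "P") and hops:
            field = "service" if key == "S" else "password"
            hops[-1] = hops[-1]._replace(**{field: value})
        else:
            raise ValueError(f"unexpected identifier {key!r}")
    return hops

def parse_table(text):
    """Parse '<P/D> <source> <target> <service> [<password>]' lines."""
    entries = []
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#"):  # assumption: '#' starts a comment
            continue
        if fields[0] not in ("P", "D") or len(fields) not in (4, 5):
            raise ValueError(f"unsupported entry: {line!r}")
        entries.append(tuple(fields) + (None,) * (5 - len(fields)))
    return entries

def decide(table, source, hop):
    """Return 'P' or 'D' for a connection from source to hop."""
    if table is None:  # no table file found: all connections allowed (per the text)
        return "P"
    for action, src, tgt, svc, pw in table:
        wanted = ((source, src), (hop.host, tgt), (hop.service, svc))
        if all(fnmatch.fnmatchcase(value, pat) for value, pat in wanted):
            if action == "P" and pw not in (None, "*") and pw != hop.password:
                return "D"  # assumption: a wrong or missing password is refused
            return action  # assumption: the first matching entry decides
    return "D"  # assumption: a connection matching no entry is refused
```

Passing None as the table models the case where no route permission table file is found, which the text says allows all connections; running the same checks against the real saprouttab shows which hops that file actually restricts.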