Application-Level Gateways Provided by SAP

The SAProuter and the SAP Web dispatcher are examples of application-level gateways that you can use for filtering SAP network traffic.

Use the SAProuter for dialog and RFC connections. Use the SAP Web dispatcher for HTTP(S) connections.


Filtering Functions

You can use the SAProuter for routing and filtering traffic at the SAP NI layer. You can use it to:

?     Filter requests based on the IP address or protocol. For example, you can reject any requests that do not use the SAP protocols.

?     Require that a password is sent with the request.

?     Require that secure authentication and data encryption occurs at the network layer using Secure Network Communications (SNC).

When using the SAProuter, you only have to open a single port on the firewall for the SAP protocols, which corresponds to the port on the machine running the SAProuter. All connections using the SAP protocols are then required to pass through this port (default=3299).

The SAProuter complements and does not replace the firewall. We recommend that you use the SAProuter and a firewall together. A SAProuter alone does not protect your SAP System network.

For an example of the network topology when using a SAProuter, see Example Network Topology Using a SAProuter.


To enforce access control, specify the IP addresses and address patterns that can access your SAP systems in the configuration file saprouttab.

When specifying the entries in the saprouttab:

?      Use the S indicator in the saprouttab entries to specify that the entry applies to SAP protocols only.

?      Only use the option Pwhere necessary. This options specifies that the entry applies to non-SAP protocols as well.

If you use the SAP remote services (SAP Support Portal), you must use a SAProuter. See Example Network Topology When Using SAP Remote Services.

For more information about the SAProuter, see SAProuter (BC-CST-NI).

SAP Web Dispatcher

You can use the SAP Web dispatcher for load balancing and filtering HTTP(S) requests to the SAP Web Application Server. The rules to use for filtering the requests are contained in a file in the file system on the server where the SAP Web dispatcher runs. For more information about security on the SAP Web dispatcher, see Security Information SAP Web Dispatcher.

The SAP Web dispatcher also supports the use of the Secure Sockets Layer (SSL) protocol to secure the communications at the transport level.

For more information about the SAP Web dispatcher, see SAP Web Dispatcher.