Friday, June 12, 2009

What is SAProuter?

SAProuter is an SAP program that acts as an intermediate station (proxy) in a network connection between SAP systems, or between SAP systems and external networks. SAProuter controls the access to your network (application level gateway), and, as such, is a useful enhancement to an existing firewall system (port filter).

Figuratively, the firewall forms an impenetrable wall around your network. However, since particular types of connections need to penetrate this wall, a hole has to be made in the firewall. SAProuter assumes the control of this hole.

In short, SAProuter provides you with the means of controlling access to your SAP system.

Implementation Considerations

You can use SAProuter to do the following:

  • Control and log the connections to your SAP system, for instance from an SAP service center

  • Set up an indirect connection when programs involved in the connection cannot communicate with each other due to the network configuration

    • Address conflicts when using non-registered IP addresses

    • Restrictions arising from firewall systems

  • Improve network security by means of the following:

    • A password, which protects your connection and data from unauthorized external access

    • Allowing access from only particular SAProuters

    • Only allowing encrypted connections from a known partner (using the SNC layer)

  • Increase performance and stability by reducing the SAP system workload within a local area network (LAN) when communicating with a wide area network (WAN)

The following graphic illustrates your network (LAN) using a firewall as protection against access from outside. SAProuter runs on the firewall host, and serves as a "door" to your network. This door is only opened for connections you specify.


This is often useful if, for example, there is a support connection from SAP to your SAP system that SAP staff use to access your system in the case of problems. SAProuter controls and monitors these connections.

Caution

Note that installing SAProuter without the use of a firewall does not protect your network against access from external networks. You must ensure that all incoming SAP connections go through the SAProuter "hole".

Increasing Network Security with SAProuter

The SAProuter running on your firewall host should be configured to allow the following:

  • Only the NI protocol (SAP protocol) is accepted from external systems

  • The number of SAProuters allowed before and after this one in a route is limited

  • Only SAProuters that you trust are allowed access
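
As an added example (not part of the original post and not SAP's code), the following Python script audits a route permission table against the three points above plus the password mentioned earlier. It assumes the saprouttab entry format `P|S|D[n,m] <source> <destination> <service> [<password>]`, which this page does not show; the table contents, hosts and password are constructed placeholders, and treating a missing password as a finding is a policy assumption.

```python
import re
import shlex

# Constructed sample route permission table (placeholder hosts and password).
SAMPLE_TABLE = """\
# partner SAProuter -> internal application server
P    *           *                  *
P    192.0.2.10  sapapp01.example   3200
S    192.0.2.10  sapapp01.example   3200
S1,0 192.0.2.10  sapapp01.example   3200  ExamplePw1
KP   "p:CN=partner-router, O=Example" sapapp01.example 3200
D    *           *                  *
"""

# P = permit, S = permit SAP (NI) protocol only, D = deny.
# Optional "n,m" = max SAProuters before,after this one in the route.
RULE = re.compile(r"^([PSD])(?:(\d+|\*),(\d+|\*))?$")

def audit(table):
    """Return [(line_no, [findings])] for every P/S entry in the table."""
    results = []
    for no, line in enumerate(table.splitlines(), 1):
        fields = shlex.split(line, comments=True)  # drops '#' comments
        if not fields:
            continue
        m = RULE.match(fields[0])
        if not m or m.group(1) == "D":
            continue  # K* (SNC) and deny entries are not checked here
        kind, before, after = m.groups()
        findings = []
        if kind == "P":
            findings.append("P permits non-NI (native) protocols; use S")
        if before is None or "*" in (before, after):
            findings.append("no limit on SAProuters before/after in the route")
        if "*" in fields[1:4]:
            findings.append("wildcard in source, destination or service")
        if len(fields) < 5:
            findings.append("no password")
        results.append((no, findings))
    return results

if __name__ == "__main__":
    for no, findings in audit(SAMPLE_TABLE):
        print(no, "OK" if not findings else "; ".join(findings))
```
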

Recommendation

Under UNIX, we do not recommend starting the SAProuter on a port reserved for root.
