SAProuter - How to set up the SAProuter? What is the SAProuter?
The program SAProuter is the router (software) for the connection from customers to SAP and vice versa.
SAProuter in a SAP System
SAProuter is designed to connect different IP networks even when their IP addresses conflict, because it performs network address translation itself. It is therefore always used to connect SAP with the customers' systems: always for connections from SAP to the customers, and in most cases also for logging on to the SAP systems from the customer's site. A customer who uses the SAPNet R/3 Frontend has to run the SAProuter on his own site.
Further information is available in the very good note 30289.
Which ports to open for a SAProuter?
From external to the SAProuter (mostly from Internet to DMZ)
The SAProuter listens on port 3299 by default. If you change this with the option "-S", you have to open that service instead. By default, only inbound port 3299 needs to be reachable for external partners. The SAProuter then changes the ports back to the "original" ones on the computer where it is running, so to the target system every request appears to come from the computer where the SAProuter is running.
From the SAProuter to the internal systems (mostly from DMZ to intranet)
The SAProuter reroutes all requests from port 3299, where it receives the data, to the original ports. You therefore have to open, from the SAProuter to your intranet, all ports that are used in your environment.
This is normally at least the SAP system. The SAP system's dispatcher listens on port 32nn, where nn is the system number, so you might have to open port 3200. Keep in mind that port 3299 to the intranet is normally NOT necessary.
Overview of a few typical applications and their port needs (especially for the access from SAP to your system):
- 32nn: R3 Support Connection
- 23: Telnet
- 1503: Netmeeting
- 5601: PC-Anywhere
- 3389: Windows Terminal Server (WTS)
How to set up the SAProuter for a VPN Internet connection?
Even though VPN often sounds horribly complicated, it is pretty easy in this scenario ...
You just grab the "Remote Connection Data Sheet" from note 28976 and return it filled in to SAP, either via fax or via SAPNet R/3 Frontend (OSS) with component XX-SER-NET-OSS-NEW (the short text for that message must be "Remote Connection Data Sheet").
In this "Remote Connection Data Sheet" you mainly have to let SAP know the official IP address of your VPN server and the second official IP address of your SAProuter. You then forward this second IP to the server of your choice where you want to run the SAProuter.
SAP will set up the VPN access for you and will return the necessary preshared key, together with the official SAP IP addresses, to you in a few days. You then set up your end of the VPN and everything is fine.
Installation of the SAProuter itself for VPN works exactly as it does over a private line for non-Internet connections, as described below.
How to set up the SAProuter for a NON-Internet connection?
The following description is written for Windows; documentation for other platforms is available in the SAP Help Portal.
- First you have to set up a physically direct connection to SAP. This can be an ISDN, Frame Relay or similar connection. If a direct connection from your site is not feasible, you can check whether a service provider can offer you an "OSS-Connection" to SAP for a reasonable fee.
Then you receive a special official IP address from SAP (mostly 2 IPs). One of the IP addresses has to be assigned to the server you want to run SAProuter on. This means that this server can have several IP addresses (at least your normal local one and the official one from SAP).
- Create the subdirectory saprouter in the directory <drive>:\usr\sap.
- Copy the SAProuter.exe either from <drive>:\usr\sap\<SID>\SYS\exe\run or get the latest one as described below from the SAP Service Marketplace.
- Install the SAProuter as service as follows:
ntscmgr install SAProuter -b <drive>:\usr\sap\saprouter\saprouter.exe -p "service -r <parameter>"
(Replace "parameter" with any additional parameters you are using. This is mostly not necessary at all.)
- Define the general attributes of the service:
Control Panel->Services, set the startup type to “automatic” and enter a user. SAProuter should not run under the SystemAccount.
- To avoid the error message “The description for Event ID (0)” in the Windows NT event log, you must enter the following in the registry: Under HKEY_LOCAL_MACHINE->SYSTEM->CurrentControlSet->Services->Eventlog->Application, create the key saprouter and define the following values under it:
EventMessageFile (REG_SZ): <drive>:\usr\sap\saprouter\saprouter.exe
TypesSupported (REG_DWORD): 0x7
- Every SAProuter needs a file called "saprouttab". It is normally expected in the same directory as saprouter.exe. Have a look at the end of this page or at the SAP Help Portal for how to set it up for productive use.
For the moment, for tests only, the following line in the file <drive>:\usr\sap\saprouter\saprouttab is sufficient:
P * * *
(Please change this as soon as your tests are done, as this file opens all ports and all of your systems!)
- Now, have fun with your SAProuter after starting it via the Windows Service Manager!
How to download the latest version?
You can download the latest version of all the SAP Executables in the SAP Service Marketplace. As the binaries are different for each platform, you should have a look at the following link:
Download Executable Patches on the SAP Service Marketplace
SAProuter online help with all supported command line options and further examples
SAP Network Interface Router
start router : saprouter -r
stop router : saprouter -s
soft shutdown: saprouter -p
router info : saprouter -l (-L)
new routtab : saprouter -n
toggle trace : saprouter -t
cancel route : saprouter -c id
dump buffers : saprouter -d
flush " : saprouter -f
start router with third-party library: saprouter -a library
-R routtab : name of route-permission-file (default ./saprouttab)
-G logfile : name of log file (default no logging)
-T tracefile : name of trace file (default dev_rout)
-V tracelev : trace level to run with (default 1)
-H hostname : of running saprouter (default localhost)
-S service : service-name / number (default 3299)
-P infopass : password for info requests
-C clients : maximum no of clients (default 801)
-Y servers : maximum no of servers to start (default 1)
-K [myname] : activate SNC; if given, use 'myname' as own sec-id
-A initstring: initialization options for third-party library
-D : switch DNS reverse lookup off
-B quelength : max. no. of queued packets per client (default 1)
-Q queuesize : max. total size for all queues (default 20000000 bytes)
-W waittime : timeout for blocking net-calls (default 5000 millisec)
-M min.max : portrange for outgoing connects, like -M 1.1023
-U abs_path : absolute path for Unix Domain Sockets,
default is "/tmp/.sapstream%d"
# this is a sample routtab : -----------------------------------------
D  host1           host2      serviceX   # deny routes from host1 to host2 serviceX
# deny all routes from host3
P  *               *          serviceX   # permit routes from anywhere to any host using serviceX
P  155.56.*.*      155.56                # permit all routes from/to addresses matching 155.56
# permit ... with 3rd byte matching 1011xxxx
P  host4           host5      *    xxx   # permit routes from host4 to host5 if password xxx supplied
P  host6           localhost  3299       # permit information requests from host6
P  host7           host8      telnet     # permit native-protocol-routes to non-SAP-server telnet
# permit ... excluding native-protocol-routes (SAP-servers only)
# permit ... if number of preceding/succeeding hops (saprouters) <= 0/*
KP sncname1        *          *          # permit SNC-connection with partnerid = 'sncname1' to any host
KS *               host11     *          # permit all SAP-SAP SNC-connections to host11
KD "sncname "abc"  *          *          # deny all SNC-connections with partnerid = 'sncname "abc'
KT sncname3        host11     *          # open connects to host11 with SNC enabled and partnerid = 'sncname3'
# first match [host/sncname host service] is used
# permission is denied if no entry matches
# service wildcard (*) does not apply to native-protocol-routes
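The rules at the end of the sample routtab (first match wins, no match means denied, the service wildcard does not cover native-protocol routes) explain why the "P * * *" test line must not stay in a productive saprouttab. The following Python sketch is an added example, not SAP code and not part of the original page: it evaluates a route table under those rules and flags wildcard permits and entries that can never be reached. It assumes plain P and D entries only (S, SNC and hop-count entries are skipped), treats omitted trailing fields as "*" as the sample suggests, and uses a constructed host name (sapprd) and constructed addresses.

```python
import fnmatch

def parse_routtab(text):
    """Parse P/D lines into (action, source, dest, service) tuples."""
    entries = []
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        # Assumption: only plain P and D entries are handled; S, K* (SNC) and
        # hop-count forms are skipped, and a password (5th field) is ignored.
        if not fields or fields[0] not in ("P", "D"):
            continue
        # Assumption taken from the sample routtab: omitted fields act like "*".
        entries.append(tuple((fields[:4] + ["*"] * 3)[:4]))
    return entries

def decide(entries, src, dst, service, native=False):
    """First matching entry wins; if nothing matches, the route is denied."""
    for action, p_src, p_dst, p_svc in entries:
        if not (fnmatch.fnmatchcase(src, p_src) and fnmatch.fnmatchcase(dst, p_dst)):
            continue
        if p_svc == "*":
            if native:  # service wildcard does not apply to native-protocol routes
                continue
        elif p_svc != str(service):
            continue
        return action == "P"
    return False

def audit(entries):
    """Flag permits with wildcard dest/service and entries an earlier line shadows."""
    findings = []
    for i, entry in enumerate(entries):
        action, _, p_dst, p_svc = entry
        if action == "P" and "*" in (p_dst, p_svc):
            findings.append((i, "permit with wildcard destination or service"))
        for earlier in entries[:i]:
            if all(e in ("*", f) for e, f in zip(earlier[1:], entry[1:])):
                findings.append((i, "never reached: shadowed by '%s'" % " ".join(earlier)))
                break
    return findings

# Constructed sample: the test line left in front of the real rules.
TEST_TAB = "P * * *\nD 10.0.0.5 * *\nP 155.56.*.* sapprd 3200\n"
# Constructed tightened table: one partner range, one dispatcher port, explicit deny.
TIGHT_TAB = "P 155.56.*.* sapprd 3200  # dispatcher of system 00\nD * * *\n"

if __name__ == "__main__":
    for name, tab in (("test", TEST_TAB), ("tight", TIGHT_TAB)):
        print(name, audit(parse_routtab(tab)))
```

With the test table, the deny line for 10.0.0.5 is reported as never reached, because "P * * *" matches first; the tightened table produces no findings.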