SAP Security Online!
 
Introduction to SAProuter

SAProuter Introduction

SAProuter is a program that functions as an intermediate station between SAP Systems or programs. SAProuter functions as an application-level gateway (proxy) that enables and regulates access to SAP through the SAProuter port. SAProuter allows you to connect to an SAP System without a direct network connection between the client computer and the application server. The SAPGUI connects to the SAProuter that forwards all the packets to the application server or to another SAProuter. This enhances security because the link to other applications does not have to be open.

You can use SAProuter to:

  • Control and log the connections to your SAP System.
  • Allow access from only the SAProuters you have selected.
  • Protect your connection and data from unauthorized access.
  • Allow only encrypted connections from a known partner.

SAProuter does not automatically begin background processing. You need to start the background process using the command saprouter -r. SAProuter connections can be logged using the option -G during startup. SAProuter does not protect the network. You must ensure that other network connections are not possible by installing a firewall or disabling ports/services.

 

The SAProuter uses a configuration file in which specific IP addresses and subnetworks can be allowed or denied access to a particular network. The saprouttab file contains a list of connections that are denied or permitted access to a particular network.


Each entry has the format:

[D|P|S]{#before,#after} <source> <target> <service> {password}

D: Deny the connection. P: Permit the following connection. S: Permit only SAP protocol connections. You can restrict the number of preceding and subsequent SAProuters by entering #before and #after.

<source>: Host name or IP address of client, which is either the preceding SAProuter or the SAPGUI.

<target>: Host name or IP address of the next connection.

<service>: Service name or port number of <target>.

{password}: The password required to use this route (optional).

You can use wildcard characters (*) for hosts and services. The system always uses the first match (source target service). If no entries match, permission is denied.
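
The following Python sketch is an added example, not code from the original page or from SAP. It evaluates a table in the entry format above using the first-match and default-deny rules, and reports entries that can never take effect because an earlier, broader entry with a different action already covers them. The hop limits after the action letter and the password are not enforced, treating lines that start with # as comments is an assumption, and the host names and addresses in the sample are constructed.

```python
import re
from collections import namedtuple

# action is "D", "P" or "S"; password is None when the entry has none
Rule = namedtuple("Rule", "action source target service password")

def glob_match(pattern, value):
    """Match a pattern in which '*' is the only wildcard character."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, value) is not None

def parse(text):
    rules = []
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#"):  # assumption: '#' starts a comment line
            continue
        if fields[0][0] not in "DPS" or len(fields) not in (4, 5):
            raise ValueError(f"bad entry: {line!r}")
        password = fields[4] if len(fields) == 5 else None
        rules.append(Rule(fields[0][0], fields[1], fields[2], fields[3], password))
    return rules

def decide(rules, source, target, service):
    """Return (action, index of the deciding entry); no match means deny."""
    for i, r in enumerate(rules):
        if (glob_match(r.source, source) and glob_match(r.target, target)
                and glob_match(r.service, service)):
            return r.action, i
    return "D", None

def shadowed(rules):
    """Pairs (earlier, later): the later entry is fully covered by an earlier one with another action."""
    found = []
    for j, late in enumerate(rules):
        for i, early in enumerate(rules[:j]):
            if early.action != late.action and all(
                    glob_match(e, l) for e, l in zip(early[1:4], late[1:4])):
                found.append((i, j))
                break
    return found

# Constructed sample table: the broad permit on the first line hides the deny below it.
SAMPLE = """\
P 10.1.* sapapp01 3200
D 10.1.5.20 sapapp01 3200
P 192.0.2.10 sapapp01 3299 s3cret
"""
```

With the sample table, the deny for 10.1.5.20 is never reached; moving it above the 10.1.* permit makes it effective.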




 
Copyright © 2005 - 2007 SAP Security Online.com All Rights Reserved.