Martin Vierling
SAP Integration and Certification Center

SAP Remote Access and Connectivity Service
Access with Internet SAProuter (for SAP RAC Standard)

Public
Language: English
Version: 1.0
Update: October 10, 2008

Table of contents:

1 Introduction
2 Configuration
  2.1 Scenario
  2.2 Prerequisites
  2.3 Options
  2.4 Test Connection
  2.5 Online Diagnostic Tools
3 SAProuter
  3.1 SAProuter Software
  3.2 SAProuter String
  3.3 SAProuter Installation
4 SAP Logon
  4.1 SAPGUI Software
  4.2 SAP Logon entry - example
5 User data and system details
6 Support line
7 Programs
  7.1 RFC Programming-Libraries
  7.2 Parameters in RFC-programs
  7.3 Passwords in RFC-communication
8 Options for vulnerability-prevention
9 Conclusion

SAP RAC Service – Access with Internet SAProuter Page 2 of 8

1 Introduction

For the ICC Test-System available through the SAP Remote Access and Connectivity (RAC) Service, we have introduced a new access method that is easy to set up and convenient to use. Access is directly over the Internet. The additional effort of a VPN connection, ISDN dial-in or dedicated services from Internet service providers is no longer necessary.
This document describes the prerequisites and the set-up process for the newly introduced access method.

2 Configuration

2.1 Scenario

[Figure 1: Communication Scenario. Labels: RAC Subscriber, Internet, SAP DMZ, SAProuter saprac.sap.com (155.56.49.28), port 3299, RFC/DIAG, ICC Test-Systems; arrow: unidirectional TCP/IP communication.]

2.2 Prerequisites

For remote connection to the ICC Test-Systems, one static official IP address has to be assigned to your company. Using an IP address from the private address space is not possible. IP blocks for private internets:

    10.0.0.0 - 10.255.255.255 (10/8 prefix)
    172.16.0.0 - 172.31.255.255 (172.16/12 prefix)
    192.168.0.0 - 192.168.255.255 (192.168/16 prefix)

The subscriber needs to have the firewall open on port 3299 for outbound TCP/IP communication.

2.3 Options

To connect your interface software to the ICC Test-Systems you can:

1. Install the SAP Frontend Software, your RFC-Client software and your RFC-Server software on the server that is entitled to access SAP's network.
2. If you want to spread the connection within your LAN, install the SAProuter software on the server that is entitled to access SAP's network. You can then install the SAP Frontend Software, your RFC-Client software and your RFC-Server software on any PC. See the details in the section on SAProuter.

2.4 Test Connection

Please ensure that your firewall is open for outbound TCP traffic on port 3299. You can check the connection with "telnet 155.56.49.28 3299". There should be an empty screen but no error message. At the first logon attempt with SAPGUI, errors pointing to network problems may occur. In that case please try again; the error should be gone. For details please refer to SAP Note 34518 (http://service.sap.com/notes).
2.5 Online Diagnostic Tools

SAP offers the following tools to help diagnose performance-related issues:

Bandwidth Test
Select the corresponding link below to get a snapshot reading of the downstream available bandwidth from your Internet connection to SAP. This tool is helpful in diagnosing performance problems and rates your connection bandwidth against typical norms for each technology.
http://connect.sap.com -> Diagnostic Tools -> Bandwidth Test -> Walldorf Gateway

Latency Test
Select the corresponding link below to get a snapshot of the round-trip time in milliseconds that a packet takes to travel from your Internet connection to each hop between you and SAP's network. A large disparity between readings from one hop to the next could be a sign of congestion at an Internet peering point.
http://connect.sap.com -> Diagnostic Tools -> Latency Test -> Walldorf Gateway

3 SAProuter

3.1 SAProuter Software

Please tell us the platform of your enabled server (see 2.2). You will receive the software by email.

If entitled, you will find SAProuter on the Software Distribution Center of SAP Service Marketplace: http://service.sap.com/swdc
SAP Support Packages -> Entry by Application Group -> Additional Components -> SAPROUTER

3.2 SAProuter String

In any case, an SAProuter string is required for the connection to our test systems. Basically, the format of this string is:

    /H/<your_server>/S/<your_SR_port>/H/155.56.49.28/H/

your_server: IP address or name of your server that is entitled to access SAP's network
your_SR_port: SAProuter port; the default port is 3299. If you use the standard port 3299, you can omit the complete section "/S/<your_SR_port>".

3.3 SAProuter Installation

1. Extract the provided executable package to any directory of your enabled server (see 2.2).
2. Create the file "SAPROUTTAB" containing the line "P * * * *".
3. Start SAProuter with the command "saprouter -r". This will start SAProuter on the standard port 3299. To start SAProuter on another port, use the command "saprouter -r -S <your_desired_port>".
4. Stop SAProuter with the command "saprouter -s".

For complete SAProuter documentation:
- Call "saprouter" without parameters
- See SAP Notes 30289, 30374, 41054, 48243 (http://service.sap.com/notes)
- See SAP Help Portal: http://help.sap.com/saphelp_nw70/helpdata/en/4f/992ce8446d11d189700000e8322d00/frameset.htm

Note: You do not need the program NIPING, because its remote part is not started at the SAP site.

4 SAP Logon

4.1 SAPGUI Software

SAP GUI for Windows is SAP's Windows-based client for accessing all SAP Dynpro functionality. If entitled, you will find it on the Software Distribution Center of SAP Service Marketplace: http://service.sap.com/swdc

Installation Package:
SAP Installations & Upgrades -> Entry by Application Group -> SAP Frontend Components -> SAP GUI FOR WINDOWS -> SAP GUI FOR WINDOWS 7.10 CORE

Software Patches:
SAP Support Packages -> Entry by Application Group -> SAP Frontend Components -> SAP GUI FOR WINDOWS -> SAP GUI FOR WINDOWS 7.10 CORE

4.2 SAP Logon entry - example

At the first logon attempt with SAPGUI, errors pointing to network problems may occur. In that case please try again; the error should be gone. For details please refer to SAP Note 34518 (http://service.sap.com/notes).

1. In SAP Logon click 'New Item'.
2. In the first screen choose 'User defined System' and click the button 'Next'.
3. In the next screen provide the system parameters (see example below) and click the button 'Next'.
4. In the next screen select the radio button 'Low Speed Connection' and click the button 'Next'.
5. Click the button 'Finish'.

Troubleshooting: If you experience an error message with SAPGUI, please read SAP Note 161053. A quick fix may be to switch to "High Speed Connection" and ignore the usual "first-connection-trial" failure that will occur.

5 User data and system details

Please see the available test systems on the SAP RAC Service homepage, make your selection and let us know.
Access data for your system choice were provided by email.

6 Support line

If there are questions, please contact rac-support@sap.com.

7 Programs

7.1 RFC Programming-Libraries

The RFCSDK, which contains all libraries necessary to interface to the mySAP Business Suite, can be found on the Software Distribution Center of SAP Service Marketplace: http://service.sap.com/swdc
SAP Support Packages -> Entry by Application Group -> Additional Components -> SAP NW RFC SDK -> SAP RFC SDK -> SAP RFC SDK UNICODE

7.2 Parameters in RFC-programs

In programs using SAP RFC, the connection parameters to access the ICC Test-Systems are in most cases [SAProuterstring + SAP_System_Host_Name].

Examples:

1. sapinfo ashost=<saprouter_string>cpcf501 sysnr=05

2. Connection types in the configuration file saprfc.ini:

    DEST=CF5_CLT
    TYPE=A
    ASHOST=<saprouter_string>cpcf501
    SYSNR=05

    DEST=CF5_SRV
    TYPE=R
    PROGID=SERV_TEST
    GWHOST=<saprouter_string>cpcf501
    GWSERV=3305

Generally, the string for the host parameter is "<saprouter_string>cp<SID_ID>01"; for GWSERV it is "33<SYS_NR>", where <SID_ID> is the SAP system name and <SYS_NR> is the system number.

Example for the parameters ASHOST, GWHOST:

    /H/10.20.30.40/H/155.56.49.28/H/cpcf501

7.3 Passwords in RFC-communication

Please note that as of WAS 700 the password is case-sensitive and its length has changed from 8 to 40 characters. RFC libraries for 6.xx automatically translate passwords to upper case.

Note: Thus you have to set the passwords in upper case in a WAS 700 based system.

Example: "pw1234" is translated to "PW1234" for RFC logon; thus, e.g. in ICC Test-System CF5, you have to set the password as "PW1234" so that your old program will still work.

Please pay attention to the following SAP Notes:
862989 New password rules as of SAP NetWeaver 2004s (NW ABAP 7.0)
1023437 ABAP syst: Downwardly incompatible passwords (since NW2004s)

8 Options for vulnerability-prevention

From a network security point of view, every PC with a static IP address connected to the Internet is vulnerable. The figure below shows general options for vulnerability prevention.

[Figure 2: Options for vulnerability-prevention. Labels: SAP Network with Firewall, SAProuter (3299), access-list and ICC Test-Systems (DMZ) (32xx) (33xx); Internet; ISV Network with Firewall, PC (DMZ) with SAProuter and access-list, Firewall, PC (Intranet) (defined by ISV). Arrows show the TCP/IP communication direction; port numbers are in brackets.]

Legend:
1 SAProuter: only outbound traffic to particular SAP system(s): hostname + port(s); block any inbound routes
2 Firewall: only outbound route to SAP saprouter 155.56.49.28 on port 3299
3 Firewall: block any inbound routes

9 Conclusion

According to the general terms and conditions, all provided software must be used only for your recertification project and deleted afterwards.
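
Added example (not part of the original SAP document): a simplified model of how a route permission table decides on a route string, contrasting the "P * * * *" line from section 3.3 with a table restricted as section 8, item 1 recommends. It assumes that the first matching line decides, that unmatched routes are refused and that a router checks the client address against the hop following it; the function names, the client address 10.20.30.77, the 10.20.30.* pattern and the 192.0.2.10 route are constructed for illustration.

```python
import fnmatch

DEFAULT_PORT = "3299"  # SAProuter standard port (section 3.2)

def parse_route(route):
    """Split '/H/host[/S/port]/H/...' into [(host, port), ...]."""
    parts = [p for p in route.split("/") if p]
    hops = []
    for key, value in zip(parts[0::2], parts[1::2]):
        if key.upper() == "H":
            hops.append([value, DEFAULT_PORT])
        elif key.upper() == "S" and hops:
            hops[-1][1] = value          # explicit port for the preceding host
        else:
            raise ValueError(f"unexpected route element /{key}/{value}")
    return [tuple(h) for h in hops]

def load_table(text):
    """Read P/S/D lines as (action, source, dest, service); later fields are ignored."""
    rules = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 4 and fields[0][:1].upper() in ("P", "S", "D"):
            rules.append((fields[0][:1].upper(), *fields[1:4]))
    return rules

def next_hop_allowed(rules, client, route):
    """Would the first router in `route` relay `client` to the hop after it?"""
    hops = parse_route(route)
    if len(hops) < 2:
        return False
    host, port = hops[1]
    for action, src, dst, svc in rules:
        pairs = ((client, src), (host, dst), (port, svc))
        if all(fnmatch.fnmatchcase(v, p) for v, p in pairs):
            return action != "D"         # first matching line decides
    return False                         # no matching line: refused

OPEN_TABLE = "P * * * *"                 # the line from section 3.3
RESTRICTED_TABLE = """
# constructed sample: intranet clients may reach only SAP's SAProuter
P 10.20.30.* 155.56.49.28 3299
D * * *
"""
PAGE_ROUTE = "/H/10.20.30.40/H/155.56.49.28/H/cpcf501"  # example from section 7.2
OTHER_ROUTE = "/H/10.20.30.40/H/192.0.2.10/S/8080"      # constructed, TEST-NET address

if __name__ == "__main__":
    for name, table in (("open", OPEN_TABLE), ("restricted", RESTRICTED_TABLE)):
        for route in (PAGE_ROUTE, OTHER_ROUTE):
            print(name, route, next_hop_allowed(load_table(table), "10.20.30.77", route))
```

With the open table both routes are relayed; with the restricted table only the route whose next hop is 155.56.49.28 on port 3299 is.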