Dear all,
I would like to know the best practice to be followed while installing SAProuter.
1. Shall we install SAProuter in the Demilitarized Zone (DMZ) or in the same LAN network / IP segment where the SAP servers are installed?
2. What are the advantages when we install in the DMZ?
Kindly share the configuration documents to be followed while installing in the DMZ.
Regards,
Venu Kumar G
Hello!
In a classic network architecture with internal zone, DMZ zone, and Internet zone, I've seen several scenarios.
1. DMZ
1.1 Required Port from SAP support to the SAProuter only tcp/3299 (Firewall ACL only port 3299 from SAP to the SAProuter)
1.2 All required application ports must be released from SAProuter via the firewall to the systems in the internal zone. These can be a lot of ports to many systems (http(s), DB, Webgui, SAPgui, Java, etc.). Afterwards you have a lot of open ports from the DMZ to the internal zone (a sub-vlan in the DMZ with ACL on that sub-vlan)
2. internal Zone
2.1 same as 1.1
2.2 SAProuter is in a different VLAN than the SAP servers. In the internal Zone there are also firewalls which allow filtering the traffic between SAProuter and the SAP servers.
There are no open application ports from the DMZ to the internal Zone. SAP is terminated via VPN-Tunnel in the separate WAN Zone.
3. two SAProuters, one in DMZ and one in the internal Zone, cascading
3.1 same as 1.1
3.2 In addition to the SAProuter in the DMZ, a SAProuter in the internal Zone
=> Only port 3299 from SAP Support to the DMZ-SAProuter and only port 3299 from the DMZ-SAProuter to the SAProuter in the internal Zone
Best regards
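The firewall layouts from the reply above can be compared mechanically. The following is an added example, not part of the original post: it measures how many internal (host, port) pairs are reachable from the DMZ in scenario 1 versus scenario 3, and audits a rule set against the cascaded design. All zone names, host names and application ports are constructed assumptions.

```python
from collections import namedtuple

# Constructed sample data: zone names, host names and application ports are assumptions.
Rule = namedtuple("Rule", "src_zone src dst_zone dst port")
SAPROUTER_PORT = 3299  # the only SAProuter port named in the thread

# Scenario 1: one SAProuter in the DMZ, application ports opened to internal hosts.
SCENARIO_1 = [
    Rule("wan", "sap-support", "dmz", "saprouter-dmz", 3299),
    Rule("dmz", "saprouter-dmz", "internal", "erp01", 3200),   # SAPgui (assumed)
    Rule("dmz", "saprouter-dmz", "internal", "erp01", 443),    # https (assumed)
    Rule("dmz", "saprouter-dmz", "internal", "db01", 30015),   # DB (assumed)
]
# Scenario 3: cascaded SAProuters, only 3299 crosses each zone boundary.
SCENARIO_3 = [
    Rule("wan", "sap-support", "dmz", "saprouter-dmz", 3299),
    Rule("dmz", "saprouter-dmz", "internal", "saprouter-int", 3299),
]

def inward_exposure(rules):
    """Distinct (host, port) pairs in the internal zone reachable from the DMZ."""
    return {(r.dst, r.port) for r in rules
            if r.src_zone == "dmz" and r.dst_zone == "internal"}

def audit_cascade(rules, dmz_router="saprouter-dmz", int_router="saprouter-int"):
    """Return every cross-zone rule that the cascaded design does not allow."""
    # zone pair -> (required source or None for any, required destination)
    allowed = {("wan", "dmz"): (None, dmz_router),
               ("dmz", "internal"): (dmz_router, int_router)}
    violations = []
    for r in rules:
        if r.src_zone == r.dst_zone:
            continue  # intra-zone filtering is out of scope for this check
        hop = allowed.get((r.src_zone, r.dst_zone))
        ok = (hop is not None and r.port == SAPROUTER_PORT
              and r.dst == hop[1] and hop[0] in (None, r.src))
        if not ok:
            violations.append(r)
    return violations

if __name__ == "__main__":
    for name, rules in (("scenario 1", SCENARIO_1), ("scenario 3", SCENARIO_3)):
        print(name, "inward exposure:", sorted(inward_exposure(rules)))
        for v in audit_cascade(rules):
            print("  not allowed in cascaded design:", v)
```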
Hi,
SAProuter should be in the DMZ as this will ensure your network is not at risk.
The advantage is that it is protected by firewalls, so only the opened port is used for communication and nobody can access the network using default ports like 80 or 443. You can have complete control of it.
The first step is to register your SAProuter with a public IP with SAP (SAProuter should be in the DMZ as the public IP can be accessed from anywhere on the internet). Refer to SAP note https://launchpad.support.sap.com/#/notes/28976
Open Port 3299 for the router host.
Once you have the Distinguished Name from the SAP support portal, you can install and configure using the links below.
More Info: https://support.sap.com/en/tools/connectivity-tools/saprouter.html
Install : https://support.sap.com/en/tools/connectivity-tools/saprouter/install-saprouter.html
Configure : https://support.sap.com/en/tools/connectivity-tools/saprouter/configure.html
Complete PDF document: https://support.sap.com/content/dam/support/en_us/library/ssp/tools/connectivity-tools/saprouter/saprouter-documentation.pdf
Hope this helps.
Thanks,
Pradeep