- SAP Community
- Groups
- Interest Groups
- Application Development
- Discussions
- SAP Router installation in Demilitarized Zone (DMZ...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
SAP Router installation in Demilitarized Zone (DMZ)
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
05-27-2019 9:20 AM
Dear all,
I would like to know best what is the best practice to be followed while installing SAPRouter.
1. Shall we install SAProuter in Demilitarized Zone (DMZ) or in the same LAN network / IP segment where SAP servers are installed.
2. What is the advantages when we install in DMZ.
Kindly share the configuration documents to be following while installing in DMZ.
Regards,
Venu Kumar G
- SAP Managed Tags:
- Basis Technology,
- Security
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
06-17-2019 4:09 PM
Hello!
In a classic network architecture with internal zone, DMZ zone, and Internet zone, I've seen several scenarios.
1. DMZ
1.1 Required Port from SAP support to the SAProuter only tcp/3299 (Firewall ACL only port 3299 from SAP to the SAProuter)
1.2 All required application ports must be released from SAProuter via the firewall to the systems in the internal zone. These can be a lot of ports to many systems (http(s), DB, Webgui, SAPgui, Java, etc.). Afterwards you have a lot of open ports from the DMZ to the internal zone (a sub-vlan in the DMZ with ACL on that sub-vlan)
2. internal Zone
2.1 same as 1.1
2.2 SAProuter is in a different VLAN than the SAP servers. In the internal Zone are also Firewalls which allows filtering the traffic between SAProuter and the SAP servers.
There are no open application ports from the DMZ to the internal Zone. SAP is terminated via VPN-Tunnel in the separate WAN Zone.
3. two SAProuters, one in DMZ and one in the internal Zone, cascading
3.1 same as 1.1
3.2 In addition to the SAProuter in the DMZ, a SAProuter in the internal Zone
=> Only port 3299 from SAP Support to the DMZ-SAProuter and only port 3299 from the DMZ-SAProuter to the SAProuter in the internal Zone
Best regards
- SAP Managed Tags:
- Basis Technology,
- Security
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
05-27-2019 10:11 AM
Hi,
SAP router should be in DMZ as this will ensure your network is not in risk.
Advantage is, it is protected by firewalls so only opened port is used to for communication and nobody can access the network using default ports like 80 or 443. You can have complete control of it.
First step is, you have to register your saprouter with public IP to SAP (SAProuter should be in DMZ as public IP can be accessed from anywhere in the internet) Refer SAP note https://launchpad.support.sap.com/#/notes/28976
Open Port 3299 for the router host.
Once you got Distinguished name in SAP support portal, you can install and configure as below links.
More Info: https://support.sap.com/en/tools/connectivity-tools/saprouter.html
Install : https://support.sap.com/en/tools/connectivity-tools/saprouter/install-saprouter.html
Configure : https://support.sap.com/en/tools/connectivity-tools/saprouter/configure.html
Complete PDF document: https://support.sap.com/content/dam/support/en_us/library/ssp/tools/connectivity-tools/saprouter/sap...
Hope this helps.
Thanks,
Pradeep
- SAP Managed Tags:
- Basis Technology,
- Security
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
05-29-2019 8:15 AM
Hi Pradeep,
Why it is not recommended to have SAPRouter in same network as SAP servers are installed.
Anyhow SAP Router installation in LAN is going to be protected by Firewall, further SAP Router and its communications are going to be allowed only between specific IP addresses and ports through Firewall (SAP support to Customer Network, vice versa).
Even if we install SAP Router in DMZ, approach which is mentioned above is going to be followed by every one.
It does not make any difference if we have SAP Router in DMZ or in Local LAN, this is my view, request you to provide your suggestions and value adds as well.
Regards,
Venu Kumar G
- SAP Managed Tags:
- Basis Technology,
- Security
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
06-11-2019 8:10 AM
Hi Venu,
-->Why it is not recommended to have SAPRouter in same network as SAP servers are installed.
To be clear, I never said SAPRouter requires separate network 🙂 SAPRouter can be within customer network not separate (sub)domain or network . Separate network is different term and DMZ zone is different term. The server which can be accessed from internet should be protected strongly by firewalls (other word DMZ zone - Surrounded by firewalls both inbound and outbound communications through opened ports only). Default SAPRouter port is 3299 so your public IP should only connect through this port. This will reduce risks. You may ask what if middle man attack happens, remember the communication between SAP network and customer network through SAPRouter is completely encrypted by SNC.
-->Anyhow SAP Router installation in LAN is going to be protected by Firewall, further SAP Router and its communications are going to be allowed only between specific IP addresses and ports through Firewall (SAP support to Customer Network, vice versa).It does not make any difference if we have SAP Router in DMZ or in Local LAN, this is my view, request you to provide your suggestions and value adds as well.
This is wrong, If you install SAPRouter in local LAN server, it will not be accessible from SAP network through internet as local LAN server doesn't have public IP.
Hope this clears your doubt
- SAP Managed Tags:
- Basis Technology,
- Security
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
06-17-2019 4:09 PM
Hello!
In a classic network architecture with internal zone, DMZ zone, and Internet zone, I've seen several scenarios.
1. DMZ
1.1 Required Port from SAP support to the SAProuter only tcp/3299 (Firewall ACL only port 3299 from SAP to the SAProuter)
1.2 All required application ports must be released from SAProuter via the firewall to the systems in the internal zone. These can be a lot of ports to many systems (http(s), DB, Webgui, SAPgui, Java, etc.). Afterwards you have a lot of open ports from the DMZ to the internal zone (a sub-vlan in the DMZ with ACL on that sub-vlan)
2. internal Zone
2.1 same as 1.1
2.2 SAProuter is in a different VLAN than the SAP servers. In the internal Zone are also Firewalls which allows filtering the traffic between SAProuter and the SAP servers.
There are no open application ports from the DMZ to the internal Zone. SAP is terminated via VPN-Tunnel in the separate WAN Zone.
3. two SAProuters, one in DMZ and one in the internal Zone, cascading
3.1 same as 1.1
3.2 In addition to the SAProuter in the DMZ, a SAProuter in the internal Zone
=> Only port 3299 from SAP Support to the DMZ-SAProuter and only port 3299 from the DMZ-SAProuter to the SAProuter in the internal Zone
Best regards
- SAP Managed Tags:
- Basis Technology,
- Security
