SAP Router installation in Demilitarized Zone (DMZ)

Dear all,

I would like to know what the best practice is to follow while installing SAPRouter.

1. Shall we install SAProuter in the Demilitarized Zone (DMZ) or in the same LAN network / IP segment where the SAP servers are installed?

2. What are the advantages when we install in the DMZ?

Kindly share the configuration documents to be followed while installing in the DMZ.

Regards,

Venu Kumar G

2 Answers

  • May 27 at 09:11 AM

    Hi,

    SAP router should be in the DMZ as this will ensure your network is not at risk.

    The advantage is that it is protected by firewalls, so only the opened port is used for communication and nobody can access the network using default ports like 80 or 443. You can have complete control of it.

    The first step is, you have to register your saprouter with a public IP to SAP (SAProuter should be in the DMZ as a public IP can be accessed from anywhere in the internet). Refer to SAP note https://launchpad.support.sap.com/#/notes/28976

    Open Port 3299 for the router host.

    Once you have got the Distinguished Name in the SAP support portal, you can install and configure as per the links below.

    More Info: https://support.sap.com/en/tools/connectivity-tools/saprouter.html

    Install : https://support.sap.com/en/tools/connectivity-tools/saprouter/install-saprouter.html

    Configure : https://support.sap.com/en/tools/connectivity-tools/saprouter/configure.html

    Complete PDF document: https://support.sap.com/content/dam/support/en_us/library/ssp/tools/connectivity-tools/saprouter/saprouter-documentation.pdf

    Hope this helps.

    Thanks,

    Pradeep


    • Hi Venu,

      -->Why it is not recommended to have SAPRouter in same network as SAP servers are installed.

      To be clear, I never said SAPRouter requires a separate network :) SAPRouter can be within the customer network, not a separate (sub)domain or network. Separate network is one term and DMZ zone is a different term. The server which can be accessed from the internet should be protected strongly by firewalls (in other words, a DMZ zone: surrounded by firewalls, with both inbound and outbound communications through opened ports only). The default SAPRouter port is 3299, so your public IP should only connect through this port. This will reduce risks. You may ask what if a middle man attack happens; remember the communication between the SAP network and the customer network through SAPRouter is completely encrypted by SNC.

      -->Anyhow SAP Router installation in LAN is going to be protected by Firewall, further SAP Router and its communications are going to be allowed only between specific IP addresses and ports through Firewall (SAP support to Customer Network, vice versa). It does not make any difference if we have SAP Router in DMZ or in Local LAN, this is my view, request you to provide your suggestions and value adds as well.

      This is wrong. If you install SAPRouter on a local LAN server, it will not be accessible from the SAP network through the internet, as a local LAN server doesn't have a public IP.

      Hope this clears your doubt.

  • Jun 17 at 03:09 PM

    Hello!
    In a classic network architecture with internal zone, DMZ zone, and Internet zone, I've seen several scenarios.

    1. DMZ
    1.1 Required Port from SAP support to the SAProuter only tcp/3299 (Firewall ACL only port 3299 from SAP to the SAProuter)
    1.2 All required application ports must be released from SAProuter via the firewall to the systems in the internal zone. These can be a lot of ports to many systems (http(s), DB, Webgui, SAPgui, Java, etc.). Afterwards you have a lot of open ports from the DMZ to the internal zone (a sub-vlan in the DMZ with ACL on that sub-vlan)

    2. internal Zone
    2.1 same as 1.1
    2.2 SAProuter is in a different VLAN than the SAP servers. In the internal Zone there are also Firewalls which allow filtering the traffic between SAProuter and the SAP servers.
    There are no open application ports from the DMZ to the internal Zone. SAP is terminated via VPN-Tunnel in the separate WAN Zone.

    3. two SAProuters, one in DMZ and one in the internal Zone, cascading
    3.1 same as 1.1
    3.2 In addition to the SAProuter in the DMZ, a SAProuter in the internal Zone
    => Only port 3299 from SAP Support to the DMZ-SAProuter and only port 3299 from the DMZ-SAProuter to the SAProuter in the internal Zone

    Best regards

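
The three layouts in the answer above differ mainly in which flows the firewall has to allow from the DMZ into the internal zone. The following is an added example, not part of the original thread: it audits a list of firewall allow rules against the cascaded layout (scenario 3), and the zone ranges, router addresses and rule sets in it are constructed assumptions.

```python
from ipaddress import ip_address, ip_network

SAPROUTER_PORT = 3299  # default SAProuter port named in the thread

# Assumed zone layout; all addresses are constructed placeholders.
ZONES = {
    "sap_support": ip_network("198.51.100.0/24"),
    "dmz": ip_network("192.0.2.0/24"),
    "internal": ip_network("10.0.0.0/8"),
}
DMZ_ROUTER = ip_address("192.0.2.10")
INTERNAL_ROUTER = ip_address("10.1.1.10")


def zone_of(addr):
    """Map an address to its zone name, or 'other' if it is in none."""
    return next((name for name, net in ZONES.items() if addr in net), "other")


def audit(allow_rules):
    """Return the allow rules (src, dst, tcp_port) that break the cascaded layout."""
    findings = []
    for src, dst, port in allow_rules:
        src_ip, dst_ip = ip_address(src), ip_address(dst)
        path = (zone_of(src_ip), zone_of(dst_ip))
        if path == ("sap_support", "dmz"):
            ok = dst_ip == DMZ_ROUTER and port == SAPROUTER_PORT
        elif path == ("dmz", "internal"):
            ok = (src_ip, dst_ip, port) == (DMZ_ROUTER, INTERNAL_ROUTER, SAPROUTER_PORT)
        elif path == ("sap_support", "internal"):
            ok = False  # in scenario 3 support traffic enters only via the DMZ SAProuter
        else:
            continue  # other zone pairs are outside this check
        if not ok:
            findings.append((src, dst, port))
    return findings


# Constructed rule sets: scenario 3 (cascaded) and scenario 1 (single DMZ router).
CASCADED = [
    ("198.51.100.5", "192.0.2.10", 3299),
    ("192.0.2.10", "10.1.1.10", 3299),
]
SINGLE_DMZ = [
    ("198.51.100.5", "192.0.2.10", 3299),
    ("192.0.2.10", "10.2.0.21", 3200),  # SAP GUI to an application server
    ("192.0.2.10", "10.2.0.21", 443),   # HTTPS to the same server
]
```

Run against the scenario 1 rule set, the audit reports every application port opened from the DMZ SAProuter to an internal server, which is the exposure the cascaded layout removes.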