Is there a way of configuring cascaded saprouters (DMZ saprouter and LAN saprouter)?

Hello,

We want to configure 2 saprouters on our network. One of them is in DMZ network and the other is in LAN. With this configuration port 3299 will be open from DMZ to LAN.

I searched through help documents and installation guides but could not find a solution for below configuration of cascaded saprouters.

Is there a way of installing this configuration? If yes, can you give a link to the installation guides, help documents, etc.

How can I configure Route Permission Table for saprouter in DMZ?

Thanks for your help.

Regards,

Yuksel AKCINAR

6 Answers

  • Best Answer
    Apr 07, 2017 at 08:55 AM

    Hello,

    Below configuration ran for my landscape.

    Thank you all for your help.

    ...

    the SNC with the SAP SNC certificate *ONLY* exists between sapserv2 and your DMZ-SAProuter.

    > For the correct setup, read the documentation on URL "https://support.sap.com/remote-support/help/installing-saprouter.html"!

    > valid saprouttab-lines external SAProuter:

    # SNC connection to and from SAP

    KT "p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE" 194.39.131.34 *

    #for access to internal SAProuter

    KP "p:CN=sapserv2, OU=SAProuter, O=SAP, C=DE" <IP INTERNAL SAPROUTER> *

    #for access from local to SAP

    P * 194.39.131.34 3299

    #DENY ALL

    D * * *

    Between your DMZ-SAProuter and Internal-SAProuter you can use your own SNC certificate if you have one.......not required!

    > valid saprouttab-lines internal SAProuter:

    #for SAPGUI access

    P * * *

    #or

    P <IP DMZ SAPROUTER> <IP SERVER> <ABAP-PORT>

    #for access from local to SAP

    P * * 3299

    #DENY ALL

    D * * *

    ...

    Regards,

    Yuksel AKCINAR


  • Mar 24, 2017 at 05:58 PM

    Hello Yuksel,

    The document sent by Yogesh shows a scenario with two saprouters, actually.

    Anyway, yes, you can cascade saprouters.

    At the client end, the router string (just a very simple example!) would look like:

    /H/saprouter1/H/saprouter2/H/final_target/S/<port>

    • The saprouttab from the "saprouter1" would allow the route from the client to the saprouter2 at port 3299. Like:

      P <tab> <client IP> <tab> saprouter2 <tab> 3299
    • The saprouttab from the "saprouter2" would allow the route from the "saprouter1" to the "final_target" at port "<port>". Like:

      P <tab> saprouter1 <tab> <final_target> <tab> <port>

    *** above, "<tab>" is the TAB key pressed once, just to separate each field of the saprouttab entry

    Regards,

    Isaías
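
An added example (not from the thread or from SAP) that walks the cascaded route string described above and checks each leg against the saprouttab of the SAProuter that forwards it; it also lists permit entries with wildcard source and destination, such as the `P * * *` line in the accepted answer's internal table. It assumes first-matching-entry-wins evaluation, port 3299 when a hop has no /S/, literal or `*` field matching only, and it skips SNC (K*) entries; the client address 10.0.0.5 and port 3200 are constructed sample values.

```python
import shlex

def parse_route(route):
    """Split '/H/host[/S/port]...' into [(host, port)]; port defaults to 3299."""
    hops = []
    tokens = route.strip("/").split("/")
    for key, val in zip(tokens[0::2], tokens[1::2]):
        if key.upper() == "H":
            hops.append([val, "3299"])
        elif key.upper() == "S" and hops:
            hops[-1][1] = val
    return [tuple(h) for h in hops]

def parse_saprouttab(text):
    """Return (action, source, dest, service) per P/S/D entry; comments and K* lines skipped."""
    rules = []
    for line in text.splitlines():
        fields = shlex.split(line, comments=True)
        if len(fields) >= 4 and fields[0].upper() in ("P", "S", "D"):
            rules.append((fields[0].upper(), *fields[1:4]))
    return rules

def decide(rules, src, dst, port):
    """First matching entry decides; no matching entry means the route is refused."""
    for action, *patterns in rules:
        if all(p == "*" or p.lower() == v.lower()
               for p, v in zip(patterns, (src, dst, port))):
            return action != "D"
    return False

def check_cascade(client, route, tables):
    """Return (router, next_hop, port, allowed) for every leg of the route."""
    hops, src, results = parse_route(route), client, []
    for (router, _), (nxt, port) in zip(hops, hops[1:]):
        results.append((router, nxt, port, decide(tables[router], src, nxt, port)))
        src = router  # as in the answer above: saprouter2's entry names saprouter1 as source
    return results

def wildcard_permits(rules):
    """Permit entries whose source and destination are both '*'."""
    return [r for r in rules if r[0] != "D" and r[1] == "*" and r[2] == "*"]

# Constructed sample tables; host names follow the answer above, values are placeholders.
TABLES = {
    "saprouter1": parse_saprouttab("# DMZ\nP\t10.0.0.5\tsaprouter2\t3299\nD\t*\t*\t*\n"),
    "saprouter2": parse_saprouttab("# LAN\nP\tsaprouter1\tfinal_target\t3200\nD\t*\t*\t*\n"),
}
ROUTE = "/H/saprouter1/H/saprouter2/H/final_target/S/3200"
```
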


  • Mar 24, 2017 at 03:00 PM

    Hello,

    Look at this document and try to understand how it works

    How Does SAProuter Process Route Strings?

    Thanks

    Yogesh


  • Mar 24, 2017 at 04:34 PM

    Thank you Yogesh for the quick answer.

    In this document there is only one customer saprouter. I need a config for 2 saprouters on customer side.

    My friend also showed me the link below. I can study your link and this one and find a solution, in my opinion.

    https://blogs.sap.com/2012/04/27/oss1-rfc-connections-saposs-sapnetrfc-sdccoss/

    I need to test it.

    Thanks and Regards,

    Yuksel AKCINAR


  • Mar 27, 2017 at 06:50 AM

    Thank you Isaias.

    I will configure and test this configuration.

    Thanks and Regards,

    Yuksel AKCINAR


  • Mar 29, 2017 at 10:13 AM

    Hello Isaias,

    As you know there is SNC connection and configuration between DMZ saprouter and SAPNet saprouter.

    Do I need to configure SNC also in internal saprouter? If yes how?

    Regards,

    Yuksel AKCINAR
