SAP Network use

22 February 2005

Dennis Leeuw


Introduction

This document does not claim to be complete, nor does it claim to be exact. The reason I wrote this document is because I got stuck with setting up SAProuter on a DMZ, with a couple of firewalls. So I collected as much information as I could find and crafted this document so I would have a reference.

While working with some other people on the issue(s), it appeared that I was not the only one wandering in the dark, so I decided to release the document to the world for everybody to shoot at. So shoot, and help to make this document better and more complete.

This document is based on tests done with SAProuter running on Debian GNU/Linux and two Debian GNU/Linux firewalls.

With kind regards - Dennis Leeuw (dleeuw at made"minus-sign"it dot com)

With great help from: Z-Option, SAP and Marcel Rabe.

With adjustments, ideas and remarks from: Aniel Natoewal


Services

SAP uses a lot of different ports to make connections, and it relies heavily on the services file to map service names to the right port numbers.

Start by adding the needed services to the /etc/services file.

sapdp##  32##/tcp # SAP Dispatcher.       3200 + System-Number
sapgw##  33##/tcp # SAP Gateway.          3300 + System-Number
sapsp##  34##/tcp #                       3400 + System-Number
sapms##  36##/tcp # SAP Message Server.   3600 + System-Number
sapdp##s 47##/tcp # SAP Secure Dispatcher 4700 + System-number
sapgw##s 48##/tcp # SAP Secure Gateway    4800 + System-Number

sapgw97  3397/tcp # SAP Oss
sapgw98  3398/tcp # SAPcomm
sapgw99  3399/tcp # SAP EPS
sapdp99  3299/tcp # SAProuter

The 32## ports are used by SAP GUI, while the 33## ports are used by RFC (Remote Function Call) applications.


SAProuter

To be able to connect to a SAP server from the Internet, one uses SAProuter as a proxy between the SAP GUI and the SAP server.

According to help.sap.com, SAProuter is: "SAProuter is an SAP program that acts as an intermediate station (proxy) in a network connection between SAP Systems, or between SAP Systems and external networks. SAProuter controls the access to your network (application level gateway), and, as such, is a useful enhancement to an existing firewall system (port filter)."

SAP has implemented its own protocol, called NI or the SAP protocol. From help.sap.com: "The protocol used by SAP programs that communicate using the NI interface is called the SAP protocol. This is an enhanced version of the TCP/IP protocol, which has been supplemented by one length field and some options for error information."

With saprouter in use, a client first connects to saprouter. SAProuter then connects either to a further SAProuter or to a SAP server.

The connection from SAP GUI to SAProuter goes to port 3299. SAProuter in turn uses port 32## to connect to the SAP server for a "normal" connection and port 33## for an RFC (Remote Function Call) connection. In both cases ## is the system number of the SAP server.


Source routing

SAProuter's proxy-like connectivity is based on source routing: the SAP GUI on the client is given a string that tells it how to reach the SAP server. The router string might look like this:

/H/host/S/service/W/pass

H, S and W must be uppercase and indicate what the next element is: H means the next element is a host, S a service and W a password.


Router tab

The router table contains lines that each describe a single route. Every line starts with a D(eny), P(ermit) or S(ecure) letter. S means that the SAP protocol is used on that route instead of plain TCP.
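As an added example (not part of the original document), the script below splits a route string into its hops and checks the hop after the first SAProuter against a constructed routtab, the way that SAProuter would decide on the client's request. The routtab line format, the "*" wildcard, first-match and default-deny behaviour, the sample table and the helper names are all assumptions of the example.

```shell
# Added example, not from the original document. Assumed saprouttab line format:
# <P|D|S> <source> <destination> <service> [password]; "*" matches anything, the
# first matching line wins, and a route that no line matches is denied.
# Constructed table: anyone may reach the SAP dispatcher, the gateway only with a password.
SAMPLE_ROUTTAB='P * 123.456.789.123 3200
P * 123.456.789.123 3300 s3cret
D * * *'

# route_hops "/H/host/S/service/W/pass[/H/...]": prints "host service password"
# per hop ("-" = no password); a hop without /S/ is taken as port 3299 (sapdp99).
route_hops() {
    _ifs=$IFS; IFS='/'; set -- $1; IFS=$_ifs
    host='' serv='' pass='' key=''
    for tok in "$@"; do
        [ -n "$tok" ] || continue
        if [ -z "$key" ]; then key=$tok; continue; fi
        case "$key" in
            H) [ -z "$host" ] || echo "$host ${serv:-3299} ${pass:--}"
               host=$tok serv='' pass='' ;;
            S) serv=$tok ;;
            W) pass=$tok ;;
            *) echo "route_hops: unknown key /$key/" >&2; return 1 ;;
        esac
        key=''
    done
    [ -z "$host" ] || echo "$host ${serv:-3299} ${pass:--}"
}
# route_permitted <client> <host> <service> <password>: reads a routtab on stdin.
route_permitted() {
    while read -r act src dst dserv dpass _; do
        case "$act" in ''|'#'*) continue ;; esac
        case "$1" in $src) ;; *) continue ;; esac
        case "$2" in $dst) ;; *) continue ;; esac
        case "$3" in $dserv) ;; *) continue ;; esac
        [ -z "$dpass" ] || [ "$dpass" = "$4" ] || { echo "deny: bad password for $2:$3"; return 1; }
        case "$act" in
            P|S) echo "permit: $act $src $dst $dserv"; return 0 ;;
            D)   echo "deny: $act $src $dst $dserv"; return 1 ;;
        esac
    done
    echo "deny: no line matches $1 -> $2:$3"; return 1
}

# check_route <client-ip> <route-string>: the first element of the string is this
# SAProuter itself, so it decides whether the client may go on to the second one.
check_route() {
    hop=$(route_hops "$2" | sed -n 2p)
    set -- "$1" $hop
    printf '%s\n' "$SAMPLE_ROUTTAB" | route_permitted "$1" "$2" "$3" "$4"
}
```

Each SAProuter in a chain evaluates only its own hop against its own table, so a multi-hop route must be permitted on every router it passes.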


Stopping and starting saprouter

saprouter -h
gives you all the command-line arguments supported by saprouter and also a brief introduction to the routtab file.

I created two special directories within /usr/local/sap (in which I installed all SAP-related stuff) named conf and log. To start saprouter on GNU/Linux I found the following command works best; if you have other experiences, please let me know:

./saprouter -W 30000 -R conf/saproutetab -G log/saprouter.log -r &
and use
./saprouter -s
to stop it.


Firewalling SAP

To keep things simple I assume the following network setup:

Internet:SAP GUI -- FW1 -- DMZ:saprouter -- FW2 -- LAN:SAP server

FW1 should allow connections from SAP GUI unprivileged ports to 3299 on saprouter.

FW2 should allow connections from saprouter's unprivileged ports to port 32## on the SAP server. This will allow SAP GUI to function.


Using NAT

If you use NAT (Network Address Translation) you are in for a couple of surprises. This section is meant for those who will use NAT with SAP.

Besides NAT you can also redirect the port. Say you redirect port 3099 to 3299 to fool an attacker. If you do this you should be VERY careful. Let me first write down a warning: NEVER redirect RFC connections. Redirecting RFC (33##) connections breaks the RFC connection!

Okay, now we are off. We have to assume a couple of things to prevent this document from becoming unreadable.

Assume the following settings for the SAP GUI (note that we only use external IP addresses, so we never show the internals of our network).

Table 1. SAP GUI

Setting              Value
Application Server   123.456.789.123
Route string         /H/123.456.789.123/S/3099
System name          TEST
System number        00
and we should also define our hosts:

Table 2. Hosts

Host        IP Internet      Port Internet  IP DMZ      Port DMZ   IP LAN       Port LAN
FW1         123.456.789.123  3099           172.1.1.1   -          -            -
saprouter   -                -              172.1.1.2   3299       -            -
FW2         -                -              172.1.1.3   3200/3300  192.168.1.1  -
SAP server  -                -              -           -          192.168.1.2  3200/3300

FW1 is then configured to accept connections on its external interface and redirect those connections from port 3099 to 3299 on saprouter.

saprouter accepts this connection and opens 3200 for SAP GUI or 3300 for SAP RFC to the external IP!!! To make sure that this is handled correctly we add a host route on saprouter so that it sends packets for 123.456.789.123 to 172.1.1.3.

Since NAT is done in a PREROUTING (iptables) rule, the fact that an external IP address enters the FW is not a problem. We just NAT it and everybody is happy :)

After the NAT in PREROUTING, FW1 just passes the connection through to the SAP server. The SAP server, however, now detects a connection from 123.456.789.123, which is not something it expects, so it denies it, and it should!

To get a workaround we add 123.456.789.123 to the DNS server (RFC needs to be able to resolve the IP address) if you own 123.456.789.123, or else use your hosts file to override DNS, and we add the name we have given to that IP address to gw/alternative_hostnames in RZ11 (or RZ10 with a restart).
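As an added example (not from the original document), the script below generates the FW1 and FW2 rules and the saprouter host route for the setup of Tables 1 and 2 in iptables/iproute2 syntax; the helper names, the use of DNAT for the redirect and the conntrack state rules are assumptions of the example. It prints the commands rather than applying them, so it runs without root.

```shell
# Added example, not from the original document: a dry-run generator for the FW1,
# FW2 and saprouter settings of Tables 1 and 2 (iptables/iproute2 syntax, helper
# names are hypothetical). It prints the commands so it runs without root; pipe the
# output of each function into sh on the host it belongs to.
FW1_EXT=123.456.789.123   # address the SAP GUI connects to (Table 1)
SAPROUTER=172.1.1.2       # DMZ saprouter
FW2_DMZ=172.1.1.3         # where saprouter's host route for $FW1_EXT must point
SAPSERVER=192.168.1.2     # LAN SAP server
SYSNR=00                  # SAP system number (Table 1)
SAPROUTER_PORT=3299       # sapdp99
GUI_PORT=3099             # port exposed on FW1; set to 3299 for no redirect

# sap_port <base> <system-number>: 32## or 33##. The leading zero is stripped so
# that a system number such as "08" is not read as an octal constant.
sap_port() { echo $(( $1 + ${2#0} )); }

# fw1_rules: Internet -> saprouter. Only the saprouter port is forwarded, with the
# optional PREROUTING redirect from $GUI_PORT to 3299 in front of it.
fw1_rules() {
    [ "$GUI_PORT" = "$SAPROUTER_PORT" ] ||
        echo "iptables -t nat -A PREROUTING -d $FW1_EXT -p tcp --dport $GUI_PORT -j DNAT --to-destination $SAPROUTER:$SAPROUTER_PORT"
    echo "iptables -A FORWARD -d $SAPROUTER -p tcp --sport 1024:65535 --dport $SAPROUTER_PORT -m state --state NEW,ESTABLISHED -j ACCEPT"
    echo "iptables -A FORWARD -s $SAPROUTER -p tcp --sport $SAPROUTER_PORT -m state --state ESTABLISHED -j ACCEPT"
}

# fw2_rules: saprouter -> SAP server. Only the address is translated, never the
# port: a port redirect would break the RFC (33##) connection.
fw2_rules() {
    for p in $(sap_port 3200 "$SYSNR") $(sap_port 3300 "$SYSNR"); do
        echo "iptables -t nat -A PREROUTING -s $SAPROUTER -d $FW1_EXT -p tcp --dport $p -j DNAT --to-destination $SAPSERVER:$p"
        echo "iptables -A FORWARD -s $SAPROUTER -d $SAPSERVER -p tcp --sport 1024:65535 --dport $p -m state --state NEW,ESTABLISHED -j ACCEPT"
        echo "iptables -A FORWARD -s $SAPSERVER -d $SAPROUTER -p tcp --sport $p -m state --state ESTABLISHED -j ACCEPT"
    done
}

# saprouter_route: the host route on saprouter that sends its packets for the
# external address to FW2 instead of back out through FW1.
saprouter_route() { echo "ip route add $FW1_EXT/32 via $FW2_DMZ"; }
```

The gw/alternative_hostnames entry on the SAP server is a profile parameter, not a firewall rule, and is still set in RZ11 or RZ10 as described above.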

You should now be up and running.