Connecting to a server in a different Network via SapGui

Services SAP uses a lot of different ports to make connections. It heavily relies on the services file to make the right decisions. Start by adding the needed services to the /etc/services file. sapdp## 32##/tcp # SAP Dispatcher. 3200 + System-Number sapgw## 33##/tcp # SAP Gateway. 3300 + System-Number sapsp## 34##/tcp # 3400 + System-Number sapms## 36##/tcp # SAP Message Server. 3600 + SystemNumber sapdp##s 47##/tcp # SAP Secure Dispatcher 4700 + System-number sapgw##s 48##/tcp # SAP Secure Gateway 4800 + System-Number sapgw97 3397/tcp # SAP Oss sapgw98 3398/tcp # SAPcomm sapgw99 3399/tcp # SAP EPS sapdp99 3299/tcp # SAProuter The 32## ports are used by SAP GUI, while the 33## ports are used by RFC (Remote Function Call) applications. ------------------------------------------------------------------------------- SAProuter To be able to connect to a SAP server from the Internet, one uses SAProuter as a proxy between the SAP GUI and the SAP server. SAP router according to help.sap.com is: "SAProuter is an SAP program that acts as an intermediate station (proxy) in a network connection between SAP Systems, or between SAP Systems and external networks. SAProuter controls the access to your network (application level gateway), and, as such, is a useful enhancement to an existing firewall system (port filter)." SAP has implemented it's own protocol called NI or SAP protocol. From help.sap.com: "The protocol used by SAP programs that communicate using the NI interface is called the SAP protocol. This is an enhanced version of the TCP/IP protocol, which has been supplemented by one length field and some options for error information." The use of saprouter means that a client will first connect to saprouter. SAProuter then connects to an additional SAProuter or to a SAP server. The connection from SAP GUI to SAP router is a connection to port 3299, and SAProuter uses port 32## to connect to the SAPserver for a "normal" connection and port 33## for an RFC (Remote Function Call) connection. In both cases ## is the systemnumber of the SAP server. ------------------------------------------------------------------------------- Source routing For the proxy-like connectivity of SAProuter, they use source routing. The SAP GUI on the client gets a string that tells it how to connect to the SAP server. The router string might look like this: /H/host/S/service/W/pass The H,S and W must be uppercase and indicate what the next element is. H means the next section is a Host, S is for Service and W for password. ------------------------------------------------------------------------------- Router tab The router table contains lines that describe a single route. Every line starts with a D(eny), P(ermit) or S(ecure) letter. The S means that one uses the SAPprotocol instead of TCP. -------------------------------------------------------------------------------Stopping and starting saprouter saprouter -h gives you all the commandline arguments that are supported by saprouter and it also provides you with a brief introduction to the routertab file. I created two special directories within /usr/local/sap (in which installed all SAP related stuff) named conf and log. To start saprouter on GNU/Linux I found the following command to be working best, if you have other experiences, please let me know: ./saprouter -W 30000 -R conf/saproutetab -G log/saprouter.log -r & and use ./saprouter -s to stop it. -------------------------------------------------------------------------------- Firewalling SAP To keep things simple I assume the following network setup: Internet:SAP GUI -- FW1 -DMZ:saprouter -- FW2 -- LAN:SAP server FW1 should allow connections from SAP GUI unprivileged ports to 3299 on saprouter. FW2 should allow connections from saprouter unprivileged to port 32## on the

SAP server. This will allow SAP GUI to function. ------------------------------------------------------------------------------- Using NAT If you use NAT (Network Address Translation) you are in for a couple surprises. This section is meant for those that will use NAT with SAP. Next to NAT you can also do a redirect of the port. Say you redirect port 3099 to 3299 to fool an attacker. If you do this you should be VERY careful. Let me first write down a warning: NEVER do a redirect for RFC connections. Redirecting RFC (33##) connections breaks the RFC connection! Okay, now we are off. We have to assume a couple of thing to prevent this document from becoming unreadable. Assume the following settings for the SAP GUI (note we only use external IP addresses, so we never show the internals of our network). Table 1. SAP GUI Setting Value Application Server 123.456.789.123 Route string /H/123.456.789.123/S/3099 System name TEST System number 00 and we should also define our hosts: Table 2. Hosts Host IP Internet Port Internet IP DMZ Port DMZ IP LAN Port LAN FW1 123.456.789.123 3099 172.1.1.1 saprouter 172.1.1.2 3299 FW2 172.1.1.3 3200/3300 192.168.1.1 SAP server 192.168.1.2 3200/3300 FW1 is then configured to accept connections on it's external interface and redirect those connections from port 3099 to 3299 on saprouter. saprouter accepts this connection and opens 3200 for SAP GUI or 3300 for SAP RFC to the external IP!!! To make sure that this is handled correctly we add a host route on saprouter so that it send packets for 123.456.789.123 to 172.1.1.3. Since NAT is done in a PREROUTING (iptables) rule the fact that an external IP address enters FW is not a problem. We just NAT it and everybody is happy :) After the NAT in the PREROUTING FW1 just sets the connection through to the SAP server. SAP server however now detects a connection from 123.456.789.123, which is not something he expects so he denies it, and it should! To get a work-a-round we add 123.456.789.123 to the DNS server (RFC needs to be able to resolve the IP address), if you owe 123.456.789.123, else use your hosts file to override DNS, and we add the name we have given to that IP address to gw/alternative_hostnames in RZ11 (or RZ10 with a restart).