SAProuter & Native Routing
https://blogs.sap.com/2016/09/07/can-i-tell-you-a-secret/
Disclaimer: I am in no way affiliated with SAP-AG, nor do I know anyone from SAP telling me info regarding the hidden features of saprouter. The info written in this article is already publicly available in SAP Help, SCN discussions, and other online articles.
It has been many months or probably a year now since the last time I have written something.
I thought it is high time to contribute once again to the community.
I cannot find a more appropriate title for this article, but I hope it’s enough anyway to catch your attention. This may not necessarily be a secret, but I’m sure it is something that is undocumented and either well hidden or not really talked about, especially by SAP.
Here’s a scenario which you may/can relate to:
You can connect to an ABAP system via SAPGUI (because the Basis guy said they have setup saprouters) but nothing else.
What about web browser, or plugins on Excel, or Developer Studio, or some other fancy SAP tool?
If SAPGUI works then why not the others?
The simple answer that any Basis person will tell you is, the saprouter only routes SAPGUI (DIAG protocol).
To connect to the other services a direct connection (e.g. via VPN) is required.
Or if it is just HTTP then the Web Dispatcher can do the job of being a reverse proxy.
OK, but then you remember: how in the world does SAP support log on to the same SAP system, to any SAP service (HTTP, Windows Terminal, telnet, etc.), when they themselves don't have direct connectivity either by VPN or direct connection? They do for sure use the same saprouter technology, so how then do they do it?
There have been a number of discussions going around in SCN that SAP-AG is using a special “proxy” software to connect, for example, using a web browser. Up until now (well, at least for me), no one really knows how it works, and no one is telling anything; quite possibly even the SAP-support guy couldn’t be bothered to know how it actually works as long as he can connect to the customer’s system using that magical tool.
So how does it work?
In the quest of searching for an answer, I stumbled upon the saprouter Reverse Invoke configuration.
This tells me that saprouter has more features than are usually known. I asked the question: what if the saprouter can just bounce off network packets, which is better known as “port forwarding”? Then voilà! A Google search for the term landed me on this old SAP help (which, by the way, is strangely no longer maintained and published in the later Netweaver versions).
So piecing the two together:
1) Reverse Invoke – to form the proxy
2) Existing saprouters – as port forwarders
is the secret to connecting to any protocol using nothing but just the saprouter!
I will illustrate how it works. Let us say you already have SAPGUI working with the following entry.
So connection goes like this for SAPGUI.
PC (SAPGUI) -> router1 (port 3299) -> router2 (port 3299) -> sapob1.mycompany.lan (port 3200)
This works because SAPGUI knows what to do and how to route the saprouter string “/H/router1/H/router2”.
What about the HTTP to the ICM?
We know it cannot be a simple:
PC (web browser) -> router1 -> router2 -> sapob1 (8000)
as a normal web browser doesn't know what a saprouter string is.
Taking the hint that there is a “proxy” tool used by SAP support, then putting the proxy in between the Web Browser and router1 like the Reverse Invoke Configuration might do the trick!
Here’s the answer to the secret!
Using the port numbers as in the example provided in the SAP Help:
PC (web browser) -> RI-router1 (4001) -> RI-router2 (5002) -> router1 (3299) -> router2 (3299) -> sapob1 (8000)
Which translates to the following route parameter of RI-router1’s config.
route=/H/RI-router1/S/4001/H/RI-router2/S/5002/H/router1/H/router2/H/sapob1.mycompany.lan/S/8000
So to connect to the HTTP (ICM) of ABAP system OB1 is as easy as typing in the following URL in the browser:
Cheers!
##########################################################
##########################################################
##########################################################
##########################################################
Old SAProuter Docu with SAProuter as Port Forwarder
Middle Old SAProuter:
Test Setup for RI SAProuter
Test setup available on sap208 & sap209 in T:\SAProuterClientXXX & T:\SAProuterServerXXX for http, ssh, rdp & hana ;-)
http is not 100% working ... the rest seems to work perfectly ;-)
SAProuter as Port Forwarder
If two SAProuters with reverse invoke are used as in the example (RI Configuration of SAProuter: Example), these can also act as port forwarders. In addition to the standard configuration, the parameter route must also be set on the client. This route specifies where incoming connections are forwarded. This profile parameter replaces a call to the SAProuter with a route, so the first SAProuter must appear in the route string. The route string you specify as the parameter is the one you would specify in SAP GUI or for gateway connections.
Caution
Since this configuration enables all incoming connections to be forwarded, administration requests cannot be identified by the SAProuter. Therefore, the client SAProuter cannot be administered. You can only stop the SAProuter using signals at operating system level.
You could extend the above example to a port forwarder in the following way:

The route parameter must be added to the configuration file of the client as follows:
route = /H/10.18.0.1/S/4001/H/10.18.0.2/S/5002/H/10.18.0.3/S/8080
Since 'raw' connections (pure TCP/IP without NI header) are necessary for HTTP, the route permission table on server 2 (file rt2) must be modified. You must enter the destination port:
P 10.18.0.1 * 8080
With the HTTP browser you can now call the Web server on 10.18.0.3:8080 using the following URL:
http://10.18.0.1:4001
The server SAProuter displays the following connection data:
> saprouter -l -S 4002
...
ID CLIENT | PARTNER service
-----------------------------+---------------------------------
4 localhost | (no partner)
2 10.18.0.1 + 10.18.0.3 8080
...
RI server hdl 1/sock 5 BUFFERED
client 10.18.0.1:5001
registered 0.0.0.0:5002
connPool 3
checks 0
selectSet set0
onDemand NO
CONN ID S SOCK
0: 0000306404935302 C 9
1: 000040acd61fac53 C 11
2: 000050ba74a8a931 C 6
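Added example (not part of the SAP documentation or the blog article): a small Python check that splits a route string into hops and evaluates a route permission table for the raw-TCP forward described above. It handles only plain four-column P/S/D entries with first-match evaluation; the function names and the RT2_PINNED table are constructed for illustration.

```python
import fnmatch

DEFAULT_SERVICE = "3299"  # used when a hop carries no /S/ part

def parse_route(route):
    """Split /H/host[/S/service][/W/password]... into a list of hop dicts."""
    tokens = route.strip().split("/")[1:]      # drop the empty item before the first "/"
    if len(tokens) % 2:
        raise ValueError("route string must consist of /KEY/value pairs")
    hops = []
    for key, value in zip(tokens[::2], tokens[1::2]):
        if key == "H":
            hops.append({"host": value, "service": DEFAULT_SERVICE, "password": None})
        elif key in ("S", "W") and hops:
            hops[-1]["service" if key == "S" else "password"] = value
        else:
            raise ValueError(f"unexpected /{key}/ in route string")
    return hops

def table_entries(table_text):
    """Yield (kind, source, dest, service) for plain P/S/D lines; others are skipped."""
    for line in table_text.splitlines():
        fields = line.split("#")[0].split()    # "#" starts a comment
        if len(fields) >= 4 and fields[0] in ("P", "S", "D"):
            yield tuple(fields[:4])

def raw_tcp_verdict(table_text, source, dest, service):
    """First matching entry decides: P permits raw TCP, S only SAP protocols, D denies."""
    for kind, src, dst, srv in table_entries(table_text):
        pairs = ((source, src), (dest, dst), (service, srv))
        if all(fnmatch.fnmatchcase(value, pattern) for value, pattern in pairs):
            return {"P": "permit", "S": "sap-only", "D": "deny"}[kind]
    return "deny"                              # no matching entry: connection refused

def wildcard_raw_permits(table_text):
    """P entries whose destination host or service is a wildcard (widest forwarding scope)."""
    return [e for e in table_entries(table_text) if e[0] == "P" and "*" in e[2] + e[3]]

# Values from the page: the client's route parameter and the rt2 entry on server 2.
ROUTE = "/H/10.18.0.1/S/4001/H/10.18.0.2/S/5002/H/10.18.0.3/S/8080"
RT2 = "P 10.18.0.1 * 8080"
# Constructed variant for comparison: same flow, destination pinned, SAP-only fallback.
RT2_PINNED = "P 10.18.0.1 10.18.0.3 8080\nS 10.18.0.1 * *"

if __name__ == "__main__":
    target = parse_route(ROUTE)[-1]
    for name, table in (("rt2", RT2), ("pinned", RT2_PINNED)):
        verdict = raw_tcp_verdict(table, "10.18.0.1", target["host"], target["service"])
        print(name, verdict, wildcard_raw_permits(table))
```

With the page's rt2 entry, the client SAProuter may open raw TCP to port 8080 on any host behind server 2; the pinned variant limits the raw forward to 10.18.0.3.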
##########################################################
##########################################################
##########################################################
##########################################################
https://answers.sap.com/questions/5350297/use-http-connection-over-saprouter.html
Use HTTP connection over SAPROUTER?
Hello,
I have 2 saprouters connected so I can access SAP with sapgui by using saprouter string
/H/212.xx.xx.xxx/S/sapdp99/H/212.yy.yy.yyy/S/sapdp99/H/
So far no problem.
I added entries in saprouttab for port 8000 as well (same as for the OSS service required).
How can I now access a BSP application by using this saprouter tunnel?
I find a lot of documentation on how to set up the saprouttab for HTTP connections, but not how to use it.
regards
joerg
Just found this, so I thought to update here as well :
SAProuter as Port Forwarder
SAP NetWeaver Security Guide - SAP Library
Basically it explains how to set up port-forwarding using the SAProuter so you can use Telnet, HTTP and whatnot over a SAProuter connection.
Cheers!
Simplified here with example
Hello,
From my understanding, the saprouter routes HTTP only for SAP OSS connection.
I never found a way to use it for HTTP except for this specific use.
This is not a real reverse proxy and how would you specify the saprouter chain in a web browser ?
For dual sapgui and BSP use over a wan link, we put both a saprouter and a reverse proxy (Apache or SAP Web dispatcher) in the DMZ.
Regards,
Olivier
OK,
I just thought when SAP can access over OSS we might be able to use this (how can they?)
regards
joerg
>(how can they?)
That seems to be their (well kept) secret !
Olivier
some solution known?
can we connect our EP over SAPROUTER???
regards
Chris
This has been discussed here with saprouter and telnet:
I bet the same applies for http.
Cheers Michael
> I bet the same applies for http.
yes.
If the SAP support clicks on an HTTP connection, some local scripts on their PCs will act as a proxy, so basically they connect "locally" and internal programs/proxies forward that through the saprouter connections.
To make an HTTP access from outside the network possible you can install an apache webserver and configure it as a reverse proxy.
Markus
I guess not anymore:) I somehow cracked the hidden features of saprouter.
All info are publicly available anyway, so I was just piecing them in together.
See my article
Did you solve it?
Yes, using the link above, I was able to (ab)use the SAProuter as a gateway for connections other than SAP standard.
Would you like to share the information about how you accomplished this (especially how to specify a route string on clients other than SAP GUI)?
You set up the route strings on the SAProuters.
From your front-end computer you request the HTTP page with one important exception: you do not request it from the endpoint (the server hosting it) but from the Client-SAProuter, which will forward the request to the Server-SAProuter, which in turn will forward it to the server.
This is the principle of port-forwarding, ask your network specialist about it if you do not understand.
Read the article linked above and the linked pages and you do not have to be a Network Guru to get it working.
Cheers!
Hi Martin,
but the thing is, we never start the SAPRouter at our side using -i (Reverse Invoke), if I remember correctly.
Yet, SAP is still able to connect HTTP or Telnet into our system.
So there could be another trick used by SAP. They are not using this port forwarding feature in SAP Remote Support connection.
Thanks, by the way, for the link.
It's awesome.






