
SAProuter – SNC or VPN?

Technical Specifications

SAP gives its Business Analytic customers the ability to establish secure connections to SAP over the Internet for support purposes. Currently, SAP offers two alternative ways to connect to the Support Network over the Internet:

  • SAProuter with Secure Network Communications (SNC) over the Internet
  • Internet Virtual Private Network (VPN)

Let me describe both alternatives and their technical specifications, and compare the two options. If you read this, you will have enough information to decide which option is better for your needs and requirements. Both options provide the level of security recommended when using a public medium like the Internet. In other words, strong encryption will be employed for data that travels over the Internet.

Overview

SAP has implemented a functional subset of the Remote Customer Support Network services in an Internet DMZ (demilitarized zone). With this infrastructure in place, the suite of Remote Customer Support Network service offerings is accessible over the Internet.

SAProuter / SNC via Internet

SNC secured SAProuter – SAProuter connections are established between SAP and the customer’s SAProuter to provide data confidentiality and integrity services. State-of-the-art encryption, authentication, and access control technology will be employed. No additional hardware compared to a leased-line setup is required at either end of the connection.

Customers are required to install a SAProuter with an official, static IP address (DHCP Addresses will not work) running SNC inbound and outbound connection to SAP at their end of the connection in a Demilitarized Zone. This SAProuter must be accessible from the Internet. All service connections between SAP and the customer must be made over the respective SAProuters.

Certificates needed are available on the SAP Service Marketplace.

Internet VPN

LAN-to-LAN IPSec VPNs are established between SAP and the customer’s network to provide data confidentiality and integrity services. These VPNs complement the leased lines in the current Remote Customer Support Network environment. State-of-the-art encryption, authentication, and access control technology will be employed. VPN equipment is required at both ends of the connection. The VPN switch at customer’s side must be reachable from the Internet.

Besides the VPN equipment (also called VPN switch or VPN gateway), customers are also required to install a SAProuter with an official IP address at their end of the connection. All service connections between SAP and the customer must be made over the respective SAProuters.

VPN access can also be achieved through a telecommunication provider. The provider will then be connected to SAP’s VPN switch, and the provider can offer connections to customers over the Internet. SAP will make a list of VPN-enabled providers. This option is not covered in this blog. For more information, contact SAP.

Diagram

SAProuterSNC.jpg

Technical Requirements

SAProuter / SNC via Internet

1. Internet connection: recommended minimum bandwidth = 64 kbps

2. SAProuter machine

3. Official IP address (static) for the SAProuter host.

4. SAProuter installation package

5. SAP SNC libraries and executable. These may be downloaded from the SAP Service Marketplace.

6. A Demilitarized Zone at the customer site with a minimal setup.

7. Since the host running the SAProuter software is a full computer with an operating system, security at the operating system level must be hardened. One recommendation, for example, is to run an operating system compliant with the C2 security level.

8. Other networking equipment (routers and hubs) needed to form the network at the customer’s premises.

Internet VPN

1. Internet connection: recommended minimum bandwidth = 64 kbps

2. SAProuter machine

3. Two official IP subnets. These IP subnets are assigned to:

  – The public interface of the VPN box. Additionally, this IP subnet must be routed in the Internet.

  – The customer’s SAProuter

4. If the customer is operating any firewall(s) to secure its Internet connection, the firewall(s) must permit the edge VPN equipment to exchange IPsec packets using their respective public interfaces (the VPN gateway may also serve as the firewall). Specifically, the customer’s firewall must allow UDP port 500 (IKE) and IP Protocol 50 (ESP).

5. Recommended VPN equipment: SAP is using Cisco VPN equipment. Customers may also try to connect using other IPSec compliant VPN equipment. The equipment must support certain IPSec features that are mandatory to establish communication with SAP’s VPN equipment.

6. Other networking equipment (routers and switches / hubs) needed to form the network at the customer’s premises.

Comparison

| Option | SAProuter / SNC via Internet | Internet VPN |
|---|---|---|
| Hardware Requirements | Firewall + SAProuter host in DMZ | VPN switch + firewall + SAProuter host (VPN and firewall may be the same box) |
| Network Address | 1 official static IP address for SAProuter | 1 official static IP address for VPN switch + 1 official static IP address for SAProuter host |
| Configuration | Setup of saprouttab necessary for security. Saprouttab influences security strongly as access is controlled via saprouttab and firewall. | Setup of routing configuration in VPN switch necessary for security. Saprouttab influences security less strongly as access is controlled via VPN switch, SAProuter software and firewall |
| Encryption | By software | By hardware |
| Encrypted data | TCP packets. Only the data stream between SAProuters is encrypted. Encryption is handled on Application layer | IPsec (IP packets). Encryption is handled on IP |
| Minimum required free bandwidth | 64 kbit/s but may work also with 32 kbit/s | 64 kbit/s |
| Key management | Digital certificates being requested via Service Marketplace Public Key Infrastructure (PKI) | Pre-shared keys provided by SAP, later Public Key Infrastructure (PKI) |
| Key storage | In file system | In VPN switch |
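
The Configuration row above notes that with the SNC option, access is controlled largely through saprouttab. As an added example (not code from the original post or from SAP), this Python code audits a route permission table for wildcard permits and for entries that an earlier, broader entry makes ineffective. It assumes only the basic `P/S/D` and `KT/KD/KP/KS` entry forms and first-match evaluation; the SNC names, addresses and ports in the two sample tables are constructed placeholders.

```python
import shlex

PERMIT = {"P", "S", "KP", "KS"}   # entry types that allow a route
SNC = {"KT", "KD", "KP", "KS"}    # entry types whose first field is an SNC name
DECIDE = PERMIT | {"D", "KD"}     # entry types that permit or deny (KT does neither)
# Constructed sample tables; names and addresses are placeholders.
WEAK = """# permissive table
P * * *
D 198.51.100.7 * *
"""
HARDENED = """# SNC-only inbound, explicit targets
KT "p:CN=peer-router, OU=Example, O=Example, C=XX" 192.0.2.10 *
KP "p:CN=peer-router, OU=Example, O=Example, C=XX" 10.0.0.21 3200
P 10.0.0.21 192.0.2.10 3299
D * * *
"""

def parse(text):
    """Return [(lineno, kind, source, dest, service)]; missing fields become ''."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if line and not line.startswith("#"):
            fields = shlex.split(line) + [""] * 3   # quoted SNC name stays one field
            entries.append((lineno, fields[0].upper(), *fields[1:4]))
    return entries

def covers(a, b):
    """True if every field of entry a is '*' or equal to the same field of b."""
    return all(x == "*" or x == y for x, y in zip(a[2:], b[2:]))

def audit(text):
    """Return [(lineno, finding)] in table order."""
    entries, findings = parse(text), []
    for i, (lineno, kind, *route) in enumerate(entries):
        if kind not in DECIDE | {"KT"} or "" in route:
            findings.append((lineno, "unparsed entry"))
            continue
        if kind in PERMIT:
            findings += [(lineno, f"wildcard {n} in permit")
                         for n, v in zip(("source", "dest", "service"), route) if v == "*"]
        # Assumed first-match evaluation: an earlier, broader entry of the same
        # class (SNC or plain) with the opposite decision makes this one dead.
        for prev in entries[:i]:
            if ({prev[1], kind} <= DECIDE and (prev[1] in SNC) == (kind in SNC)
                    and (prev[1] in PERMIT) != (kind in PERMIT) and covers(prev, entries[i])):
                findings.append((lineno, f"shadowed by line {prev[0]}"))
                break
    return findings
```

`audit(WEAK)` reports the three wildcards on the permit line and the deny entry that can never match after it; `audit(HARDENED)` returns no findings.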


      8 Comments
      Wouter Peeters

      Thanks for the information! If possible I would love to see a small comparison and some use cases of SAP Router versus Web Dispatcher as well. I'm not a BC guy but it is interesting to know the cases.

      Former Member
      Blog Post Author

      In this case they do not actually compare to one another. SAProuter is intended to establish a bridge between two networks. This bridge is intended to enable superior support when logging a message with SAP.

      The Web Dispatcher application is an SAP product which performs a load balancing operation for your application servers for requests entering your network from the internet.

      -Tim

      Former Member

      very useful!

      Former Member

      Nice information, if you can add the "performance" in comparison.

      Adrien Monges

      Very useful information.. thanks a lot... Is snc necessary for SAP router?

      Theoretically, can sap router work without SNC?

      Erick Verbena

      Hi Adrien

      SNC depends on SAProuter, not the reverse.

      Erick Verbena

      PROLAMSA

      Former Member

      It's really helpful. This article gave us the concept of SAProuter and difference of VPN and SNC 🙂

      Prabhu Reddy

      Hi,

      Thanks for the blog.

      We are planning to set up remote connectivity between our company and our customer as part of PCOE setup. Customer wants to use the option SAProuter to connect with us. In this blog, it is mentioned that in both cases, we are using SAProuter method to connect. How can this be done between our company and Customer? Please advise.