Skip to Content

Connecting SAP Through Microsoft Direct Access

Hello All,

Now a day its trend to work remotely. And you can use multiple tools to connect your environment such as VPN, Citrix and Direct access and so on…

When you are connected to Direct access its using IPv6 and not able to translate in to IPv4. Any you will not able to connect SAP systems using SAP GUI. Scenario will be like this below.

/wp-content/uploads/2016/05/image002_951113.png

There is couple steps you need to take in order to allow your Microsoft direct Access work with SAP GUI. This configuration I am going to show you is going to work with any version of SAP GUI regardless.

Step 1

Enable your SAP GUI to work with IPv6 adding system environment variable as below (This has to be done on client machine)

SAP_IPv6_ACTIVE = 1

For help: https://support.microsoft.com/en-ca/kb/310519

Step 2

Configure your SAP router to allow your direct access server to pass connection

Example of your saproutertab file

#*************************************************************************

# Direct Access allow list

#*************************************************************************

#MY SAP Application ERP

P             Direct_Access_Server_Host_Name          SAP_CI_Server_Host_Name                        36XX

P             Direct_Access_Server_Host_Name          SAP_Application_Server_Host_Name           32XX

 

You can add multiple direct access servers and multiple SAP Servers as per your requirements.

Note: Make Sure you restart your SAP Router after making changes to saproutertab file and use hostname only. NO IP Address

Step 3

Creating SAP GUI Connection

Without load Balancing

/wp-content/uploads/2016/05/image004_951115.png

SAP Router String Example : /H/SAPRouterHostName/S/sapdp99/H/

With Load Balancing

/wp-content/uploads/2016/05/image005_951116.png

SAP Router String Example : /H/SAPRouterHostName/S/sapdp99/H/

Note: Make sure you select appropriate load Balancing group

Now you have configured your SAP GUI to access SAP through Microsoft Direct Access

Thank you for reading

Yogesh

6 Comments
You must be Logged on to comment or reply to a post.
  • Yogesh:

     

    We are trying this tool out, and have 2 questions:

    1. Would you use the same saprouter process that was historically used for “SAP OSS” (remember sapserv2 and sapserv4?)
    2. How scalable is the saprouter?  In other words, how much work does that process do on each session connection?

    Thank you!

     

    Jim

    • Hello Jim,

      About question:

      1. That is correct;
      2. Very scalable.
        You can even use the arguments “-C <X>” and “-Y <Z>” at the saprouter startup command line, so more saprouter processes are started, each taking care of a certain number of connections instead of a single process handling everything.
        The saprouter is a very simple process. It will just forward the network packets from one end to the other, after confirming that the connection is allowed (through the saprouttab rules).
        Read the PDF file attached to the SAP Note 30289 (S-user required) for more details about those command line arguments.

      Best regards,

      Isaías

  • Hi Isaias Freitas and folks, I have the following situation: We have thousand of users around the world using SAP in our internal network and all of them use the same saplogon.ini file.

    We do have DirectAccess but no saprouter and no IPv6 so no DirectAccess is possible to use SAP. they have to connect to our VPN.

    We want to enable SAP for DirectAccess but we don’t want to setup a saprouter because we will need to change all saplogon.ini files pointing to that saprouter and we are adding a single point of failure for the people connected internally. Another option could be to have two entries per system in saplogon, one for LAN and another for DirectAccess but that don’t look very nice.

    So my question is, how can I have a setup where users have only one entry per system in saplogon  and depending if they are in the LAN they go direct to the message server while if they are using Direct Access they use the saprouter?

    Thank you!

    Mariano

    • Hello Mariano,

      I am not aware of an “easy solution”, so to speak, for the requirements you are proposing.

      If you want different groups of users to reach the same system, using different entry points, but using the same configuration file, then the “easiest” solution that I can think of would be to use DNS to aid you on this.

      All users will have the same configuration file, and then it must point to a single hostname (since you want to avoid having multiple entries in the SAP Logon). But if it points to a single hostname, you would have to use DNS to control the target of the hostname based on the location / group of users.

      I do not know whether this is possible with DirectAccess, though.

      I would say that the easiest solution that comes to my mind is to have multiple entries in the SAP Logon: one for LAN, one for DirectAccess.

      Regards,

      Isaías