Skip to Content
Author's profile photo Former Member

Can I tell you a secret?

Disclaimer: I am in no way affiliated with SAP-AG nor know of anyone from SAP, telling me of info regarding the hidden features of saprouter. The info written in this article are already publicly available in SAP Help, SCN discussions, and other online articles.

It has been many months or probably a year now since the last time I have written something.

I thought it is high time to contribute once again to the community.

I cannot find a more appropriate title for this article but I hope it’s enough anyway to catch your attention 😆

This may not necessarily be a secret but I’m sure it is something that is undocumented and either well hidden or not really talked about specially by SAP.

Here’s a scenario which you may/can relate to:

You can connect to an ABAP system via SAPGUI (because the Basis guy said they have setup saprouters) but nothing else.

What about web browser, or plugins on Excel, or Developer Studio, or some other fancy SAP tool?

If SAPGUI works then why not the others?

The simple answer that any Basis person will tell you is, the saprouter only routes SAPGUI (DIAG protocol).

To connect to the other services a direct connection (e.g. via VPN) is required.

Or if it is just HTTP then the Web Dispatcher can do the job of being a reverse proxy.

OK but then you remembered, how in the world does SAP-support logon to the same SAP system to any SAP service (HTTP, Windows Terminal, telnet, etc. etc.) when they themselves dont have direct connectivity either by VPN or direct connection? They do for sure use the same saprouter technology, so how then do they do it?

There has been a number of discussions going around in SCN that SAP-AG is using a special “proxy” software to connect for example using a web browser. Up until now (well at least for me), no one really knows how it works! and no one is telling anything, quite possibly even the SAP-support guy couldn’t be bothered to know how it actually works as long as he can connect to the customer’s system using that magical tool.

So how does it work?

In the quest of searching for an answer, I stumbled upon the saprouter Reverse Invoke configuration.

This tells me that saprouter has more features than usually known. I asked the question, what if the saprouter can just bounce off network packets or what is better known as “port forwarding”. Then viola! A Google search for the term landed me to this old SAP help (which by the way is strangely no longer maintained and published in the later Netweaver versions).

So piecing in the 2 together:

1) Reverse Invoke – to form the proxy

2) Existing saprouters – as port forwarders

is the secret to connecting to any protocol using nothing but just the saprouter! 😉

I will illustrate how it works. Let us say you already have SAPGUI working with the following entry.


So connection goes like this for SAPGUI.

PC (SAPGUI) -> router1 (port 3299) -> router2 (port 3299) -> sapob1.mycompany.lan (port 3200)

This works because SAPGUI knows what to do and how to route the saprouter string “/H/router1/H/router2”.

What about the HTTP to the ICM?

We know it cannot be a simple:

PC (web browser) -> router1 -> router2 -> sapob1 (8000)

as a normal web browser doesnt know what a saprouter string is.

Taking the hint that there is a “proxy” tool used by SAP support, then putting the proxy in between the Web Browser and router1 like the Reverse Invoke Configuration might do the trick!

Here’s the answer to the secret!

Using the port numbers as in the example provided in the SAP Help:

PC (web browser) -> RI-router1 (4001) -> RI-router2 (5002) -> router1 (3299) -> router2 (3299) -> sapob1 (8000)

Which translates to the following route parameter of RI-router1’s config.


So to connect to the HTTP (ICM) of ABAP system OB1 is as easy as typing in the following URL in the browser:



Assigned Tags

      You must be Logged on to comment or reply to a post.
      Author's profile photo Former Member
      Former Member
      Blog Post Author

      and oh watchout for saprouttab of the last saprouter, it needs to have the specific entry of the destination host and port, not a wildcard (I guess it's exact same reason as to why SAP support wants the customer to put in the specific saprouttab entry when SAP support needs to connect)

      e.g. in the above example, saprouttab entry looks like

      P router2 sapob1.mycompany.lan 8000

      Author's profile photo Jianhua Zhou
      Jianhua Zhou

      How to achieve specific documents? What agents to use ah!

      Author's profile photo Tony Swietochowski
      Tony Swietochowski

      Hi Donald,

      Great Post. In your example of http connections, how does router2(3299) know to pass the traffic to sapob1? Is this via the parameter you mentioned?


      Kindly clarify the syntax of this parameter and in which file to put the parameter in. Also can there be multiple parameters to route to different destinations? Would a different route need another pair of reg port/service ports on RI-router1 and RI-router2?

      Thanks and regards,


      Author's profile photo Tony Swietochowski
      Tony Swietochowski

      I just got around to doing this and making it work. Oh wow. 🙂

      Author's profile photo Former Member
      Former Member

      Hi Tony

      i can read you succeeded to perform the configuration to reach http connection across saprouter.

      i would like to use the same configuration in order to work on remote via saprouter on sap system with webdynpro crmui interface, so i need run http url.

      i understand that only saprouter configuration are required without any tools, only reverse invoke configuration and port forwarding. Is it correct ?

      could you send me more explanation ?

      thanks a lot.

      i.m looking forward to read you