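SAP Router configuration -- logging in to the SAP server from an external network
1. Logging in to the SAP server from an external network with SAP router (method one)
The LAN I built is laid out as follows:
SAP server IP: 192.168.0.2,
set as the DMZ host on the router.
Then simply enable SAP router on the SAP server.
Setting up the router is very simple:
1. Find the SAP installation directory (for example D:\usr\sap\ECC\DVEBMGS00\exe\), where you can see the file saprouter.exe.
2. Use Notepad to create a file named SAPROUTTAB (no extension), enter P * * * (the entry that permits connections for all routes and services) and save it.
3. Open the SERVICES file in the c:\system32\drivers\etc directory and check whether it contains the following entries:
(XX is the system number of your SAP server)
Normally, after SAP is installed, the system has already added these entries automatically.
If they are missing, add them and save.
4. Edit the Host file in the c:\system32\drivers\etc directory and add the following entries:
   localhost
192.168.0.2
Change 192.168.0.2 and SAPEC here to match your own environment. Note that a restart is needed for the Host file to take effect.
5. Create a batch file (the following reflects the setup on my machine):
D:\usr\sap\ECC\SYS\exe\uc\NTAMD64
When it runs, it warns that the wildcard * is in use,
and the window does not close automatically.
Note: it is better to change to the directory containing saprouter before running saprouter.
6. Register a dynamic domain name, for example with Peanut Hull (花生壳),
and install it on the server.
7. Set up an SAP connection in SAP GUI;
the other settings are the same as for logging in from the internal network. In the SAP router field enter /H/ domainname /H/ . For example, if the dynamic domain name is
the entry is: /H//H/ . When you are on an external network,
you can use this external connection to log in to SAP.
Using the IP address directly also works:
if the IP is found to be 123.456.789.111, then /H/123.456.789.111/H/ works too,
but it has to be changed every time.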
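2. Logging in to the SAP server from an external network with SAP router (method two)
1. Set up forwarding on the router to the SAP server's internal address (each SYSNUM has its own corresponding port number).
2. You can then log in to SAP by specifying the domain name or the IP.
This method is simpler.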
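1. Installing SAP Router:
SAP Router can be installed on UNIX, Windows NT and OS/400 systems. Installation is fairly simple: taking Windows as an example, you only need to copy the executables SAP Router requires (saprouter.exe, niping.exe and so on) into the directory you created, :\usr\sap, and it is ready to run.
2. Configuring SAP Router parameters
The parameter configuration below uses the connection layout in the figure as an example.
2.1 Creating the SAP Router parameter configuration table:
On the SAP Router1 and SAP Router2 hosts, create or edit the SAP Router parameter configuration table file in the :\user\sap directory. The file is named mysaprouter.txt, where "mysaprouter" can be any name. The entry syntax is: P/S/D host1 host2 service password. Here P means "permit"; S means "secure"; D means "deny"; host1 is the IP address of the accessing (client) host; host2 is the IP address of the target host, and when the access path contains several SAP Router hops, host2 is the IP address of the host nearest the accessing end; Service is the service being requested; password is the access password set for the client and may be omitted. The parameters are separated by a single space. For the access from the client to the ERP application server shown in Figure 1, a complete configuration could be:
In the SAP Router parameter configuration table file on the SAP Router1 host:
P 192.168.18.221 192.168.18.222 * passwd1
where 192.168.18.221 is the IP address of the client; 192.168.18.222 is the IP address of SAP Router 1 (hostname saprouter1); passwd1 is the password that was set.
At the same time, in the SAP Router parameter configuration table file on the SAP Router2 host:
P 192.168.18.223 192.168.18.224 * passwd2
where 192.168.18.223 is the IP address of SAP Router 2 (hostname saprouter2); 192.168.18.224 is the IP address of the ERP application server (hostname erpsapr3); passwd2 is the password that was set.
The common syntax for SAP Router parameter configuration is listed in Table 1.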
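2.2 System hosts file configuration
In the hosts file on the SAP Router 1 host, configure the IP addresses and hostnames of the targets:
192.168.18.223 saprouter2
192.168.18.224 erpsapr3
In the hosts file on the SAP Router 2 host, the IP address and hostname of the target must be configured as well:
192.168.18.224 erpsapr3
2.3 Configuring the access route at the source
On the PC client, edit the SAP logon properties and add the SAP router string. Its syntax is:
/H/host1/S/default/W/password1/H/host2/S/default/W/password2/H/
where "H" denotes a host IP address, and host1 and host2 are the host IP addresses in the order of the access route; "S" denotes the service, and "default" denotes the default service and can be omitted; "W" denotes the password, and "password1" and "password2" are the passwords set along the access route. Note that "H", "S" and "W" here are all uppercase.
A complete access route from the client to the ERP application server shown in Figure 1 can be set to:
/H/192.168.18.222/W/passwd1/H/192.168.18.223/W/passwd2/H/
or /H/saprouter1/W/passwd1/H/saprouter2/W/passwd2/H/
and configure the IP address of the ERP application server: 192.168.18.224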
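The router string format from section 2.3, parsed into hops, as an added example that is not part of the original article. `parse_route` and `redact_route` are hypothetical helper names; the sample string is the one given above, and 3299 is the default service value this page mentions with Table 1.

```python
import re

DEFAULT_SERVICE = "3299"  # default service value given on this page

def parse_route(route):
    """Split an SAP router string into hops: [{'host', 'service', 'password'}, ...]."""
    parts = route.split("/")
    if parts[0] != "":
        raise ValueError("route string must start with /H/")
    hops = []
    # Tokens alternate KEY, value: /H/host/S/service/W/password
    for key, value in zip(parts[1::2], parts[2::2]):
        if key not in ("H", "S", "W"):
            raise ValueError(f"unknown or lowercase key {key!r}: H, S, W must be uppercase")
        if key == "H":
            if value:  # a trailing empty /H/ is skipped: the target server is configured separately
                hops.append({"host": value, "service": DEFAULT_SERVICE, "password": None})
        elif not hops:
            raise ValueError(f"/{key}/ must follow an /H/ hop")
        else:
            hops[-1]["service" if key == "S" else "password"] = value
    return hops

def redact_route(route):
    """Mask /W/ passwords so the string can be written to logs or tickets."""
    return re.sub(r"/W/[^/]*", "/W/***", route)

# Route string from section 2.3 of this page
ROUTE = "/H/192.168.18.222/W/passwd1/H/192.168.18.223/W/passwd2/H/"

if __name__ == "__main__":
    for hop in parse_route(ROUTE):
        print(hop)
    print(redact_route(ROUTE))
```

The route string carries every hop password in clear text, which is why the redaction helper is worth applying before the string is copied into logs or documentation.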
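3. Starting SAP Router:
In MS-DOS mode, type :\user\sap\saprouter -r -R mysaprouter.txt and press Enter to run SAP Router. The parameter "r" starts SAP Router; the parameter "R" is followed directly by the SAP Router parameter configuration table.
4. Stopping SAP Router
In MS-DOS mode, type C:\user\sap\saprouter -s and press Enter to stop the program. The parameter "s" terminates the SAP Router program.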
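Table 1: Common SAP Router parameter configurations
Attribute  Host1  Host2  Services  Password
P  *  *  *
    Meaning: permits connections for all routes and services
P  *  *  *  password
    Meaning: if the password is correct, permits connections for all routes and services
P  192.168.18.253  192.168.18.222  *  password
    Meaning: if the password is correct, permits connections for all services from 192.168.18.253 to 192.168.18.222
P  *  192.168.18.222  *
    Meaning: permits any connection to all services on 192.168.18.222
P  192.168.18.*  192.168.18
    Meaning: permits all connections within the subnet 192.168.18
P  192.168.xxx10010.*
    Meaning: permits connections for all services from any IP address within 192.168.18.* to 192.168.242.* to any address; each x is a binary digit, 0 or 1
P*,0  *  *  password
    Meaning: if the password is correct, permits any connection to a non-SAProuter service
P  192.168.18.253  192.168.18.222  telnet
    Meaning: permits the non-SAP remote login service (following the TCP/IP protocol) requested from 192.168.18.253 to 192.168.18.222
S  192.168.18.253
    Meaning: permits any connection originating from 192.168.18.253, but it must use the SAP protocol
D  192.168.18.253  192.168.18.222  *
    Meaning: denies connections for all services from 192.168.18.253 to 192.168.18.222
D  192.168.18.253
    Meaning: denies all connections originating from 192.168.18.253
In addition, what the Services field covers can be controlled through client authorizations in the ERP application system, so in the SAP Router parameter configuration table it can be set to "*" or omitted (default value 3299), meaning all services.
The table above may not be very clear,
so here is a picture.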
1. Create the subdirectory SAProuter in the directory
/usr/sap/.
2. Download the latest version from sapserv3, directory
/general/misc/saprouter. Also see the corresponding file 'README'
in this directory. Copy programs 'saprouter' and 'niping' into the
directory /usr/sap/saprouter.
If you cannot copy the programs from sapserv3, you can get a
(possibly out-of-date) version from the directory
/usr/sap//SYS/exe/run.
3. Add the following lines to the file /users/adm/startsap__ before
the lines '#Start OS-Collector daemon'.
#
# Start saprouter
#
SRDIR=/usr/sap/saprouter
if [ -f $SRDIR/saprouter ]; then
   echo "\nStarting saprouter Daemon " | tee -a $LOGFILE
   echo "--------------------------- " | tee -a $LOGFILE
   # -r starts the router, -W 30000 sets the net-call timeout in ms, -R names the routing table
   $SRDIR/saprouter -r -W 30000 -R $SRDIR/saprouttab \
                  | tee -a $LOGFILE &
fi
This entry automatically starts the SAProuter during the system
start and it ensures that the SAProuter is always started. Since
the SAProuter should continue to run after R/3 is shut down no
respective entry is included in the Stopsap Script. If you boot the
R/3 several times, the system displays error messages when the
SAProuter is started. You can ignore these error messages. The
entry of the SAProuter in the Startup Script is a recommendation.
However, you can also start the SAProuter manually.
4. The corresponding routing table must be maintained in
/usr/sap/saprouter/saprouttab.
5. Remarks
As of version 25 the SAProuter must have a routing table. The
router terminates with an error message if it cannot read the
table. If you do not want an authorization check use the line 'P *
Setting up the SAProuter as a Windows NT service.
If the Saprouter has already been entered as a service with
srvany.exe, the definition of the service from the registry (path:
HKLM -> System
-> CurrentControlSet -> Services -> SAPRouter) should
first be removed and then the machine should be rebooted.
With the following command you can newly define the service from
the command line:
'ntscmgr install SAProuter -b \saprouter.exe -p "service -r
Replace with the corresponding path to saprouter.exe and with any
parameters required. It is important that all parameters be in a
character string delimited by ".
As of version 25 (3.0E) a route permission table file (SAPROUTTAB)
must be specified for the Saprouter. When you want to specify the
SAProuttab you consequently must also enter '-R \saprouttab' as a
and create a corresponding SAPROUTTAB (see Note 30289). An
installation command could thus be as follows:
ntscmgr install SAPRouter -b c:\saprouter\saprouter.exe
-p "service -r -R c:\saprouter\SAPROUTTAB"
If no path to SAPROUTTAB is specified, the SAPROUTTAB must be in a
directory which is contained in the PATH variable of the NT system
environment, thus for example the SYSTEM32 directory of the Windows
NT installation. If the SAPROUTTAB should be in a special
directory, this path to SAPROUTTAB must be specified.
Proceed as follows after the installation to maintain the general
attributes of the service:
Go to 'Control Panel -> Services: SAPRouter -> Button:
Startup', set the startup type to 'Automatic' and enter a user. The
SAPRouter should NOT run under the system account.
To avoid the error message 'The description for Event ID (0) ...'
in the NT Eventviewer you must make the following entries in the
Registry. Under:
HKEY_LOCAL_MACHINE -> SYSTEM -> CurrentControlSet ->
Services -> Eventlog -> Application
enter the following
key:      SAPRouter
Under this, define the two following values:
    EventMessageFile   (REG_SZ)    : \sapevents.dll
    TypesSupported     (REG_DWORD)
All required files (ntscmgr.exe, saprouter.exe, sapevents.dll) can
be found in your usr\sap\\sys\exe\run directory.
SAPRouter on a firewall computer:
----------------------------------------
The NTSCMGR utility creates the SAPRouter Service with predefined
dependencies from NT Workstation Service and NT Server Service. If
the SAPRouter is to be installed on a firewall and if the Server
Service is to be stopped, the dependencies of the SAPRouter need to
be adjusted. To do so, open the registry editor (REGEDT32.EXE) and
switch to the following subkey:
    HKLM\System\CurrentControlSet\Services\SAPRouter
Double-click the parameter DependOnService on the right hand side
of the window and delete the entry 'LanmanServer' from the
displayed list. Exit the registry editor and restart SAPRouter
Use the following command line to create the
sapgenpse get_pse -p -x
The Distinguished Name consists of the following elements:
- CN
- OU
- O
- C
Example Distinguished
CN=SAPJ2EE, O=MyCompany, C=US
sapgenpse creates a PSE in the SAP J2EE Engine's SECUDIR
directory.
The following command line creates the file SAP_J2EE.pse that is
protected with the PIN j2eepin. When using this PSE, the SAP J2EE
Engine has the Distinguished Name CN=SAPJ2EE, O=MyCompany,
sapgenpse get_pse -p SAP_J2EE.pse -x j2eepin CN=SAPJ2EE, O=MyCompany, C=US
Use the following command line to open the server's PSE and create
credentials
sapgenpse seclogin -p -x -O
The credentials file (cred_v2) for the user specified with the -O
option is created in the SECUDIR directory.
The following command line creates credentials for the user
SAPService so that it can access the file SAP_J2EE.pse. The PIN
that protects the PSE is j2eepin.
sapgenpse seclogin -p SAP_J2EE.pse -x j2eepin -O SAPService
Start the SAProuter as
saprouter -r -K -Y 0 -C 1000 -D -G -J
Note 734095 -> WSAEADDRINUSE error during connection
Increase the range of port numbers that can
be allocated by the operating system. By default, you have a range
between port 1024 and port 5000; you can, however, increase the
upper limit of 5000 by changing the following Windows registry
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\MaxUserPort
By default, an IP address and port remain
locked for 240 seconds (that is, four minutes) after the connection
was closed. You can also adjust this to 30-300 seconds. However, we
recommend that you adjust the upper limit of the port numbers
instead of the interval. The registry key is:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\TcpTimedWaitDelay
Microsoft documentation about this is
SAP Network Interface Router, Version 38.10
Compiled Jun  2 :34
start router : saprouter -r
stop router  : saprouter
soft shutdown: saprouter -p
router info  : saprouter -l
new routtab  : saprouter
toggle trace : saprouter -t
cancel route : saprouter -c id
dump buffers : saprouter -d
flush   "    : saprouter -f
hide errInfo : saprouter -z
start router with third-party library: saprouter -a library
additional options
routtab      : name of route-permission-file  (default ./saprouttab)
logfile      : name of log file               (default no logging)
-T tracefile : name of trace file             (default
-V tracelev  : trace level to with            (default
-H hostname  : of running SAProuter           (default localhost)
service      : service-name / number          (default
-P infopass  : password for info requests
clients      : maximum no of clients          (default
servers      : maximum no of servers to start (default 1)
-K [myname]  : activate SNC; if given, use 'myname' as own sec-id
-A initstring: initialization options for third-party library
-D           : switch DNS reverse lookup off
-E           : append log- and trace-files to existing
-J filesize  : maximum log file size in byte  (default
-6           : IPv6 enabled
-Z           : hide connect error information for clients
expert options
-B quelength : max. no. of queued packets per client  (default 1)
-Q queuesize : max. total size for all queues (default
-W waittime  : timeout for blocking net-calls (default 5000 millisec)
min.max      : portrange for outgoing connects, like -M 1.1023
address      : address for outgoing connects, like -I 155.56.76.6
# this is a sample routtab :
-----------------------------------------
D     host1                host2     serviceX
D     host3
P     *                    *         serviceX
P     155.56.*.*           155.56
P     155.57.1011xxxx.*
P     host4                host5     *          xxx
P     host6                localhost
P     host7                host8     telnet
S     host9
P0,*  host10
KP    sncname1             *         *
KS    *                    host11    *
KD    "sncname "abc"       *         *
KT    sncname3             host11    *
# deny routes from host1 to host2 serviceX
# deny all routes from host3
# permit routes from anywhere to any host using serviceX
# permit all routes from/to addresses matching 155.56
# permit ... with 3rd byte matching 1011xxxx
# permit routes from host4 to host5 if password xxx supplied
# permit information requests from host6
# permit native-protocol-routes to non-SAP-server telnet
# permit ... excluding native-protocol-routes (SAP-servers
# permit ... if number of preceding/succeeding hops (SAProuters)
# permit SNC-connection with partnerid = 'sncname1' to any
# permit all SAP-SAP SNC-connections to host11
# deny all SNC-connections  with partnerid = 'sncname
# open connects to host11 with SNC enabled and partnerid = 'sncname3'
# first match [host/sncname host service] is used
# permission is denied if no entry matches
# service wildcard (*) does not apply to native-protocol-routes
--------------------------------------------------------------------
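The matching rules stated at the end of the sample routtab (first match is used; permission is denied if no entry matches), applied to P/S/D entries like those in Table 1, as an added sketch that is not SAProuter's own code. It assumes omitted trailing fields match anything, treats every request as an SAP-protocol route, and handles only `*` wildcards (no bit patterns, hop counts or K* entries); the function names, the client address 203.0.113.9 and the services 3200 and 3601 are constructed for illustration.

```python
from fnmatch import fnmatchcase

def parse_routtab(text):
    """Return (action, src, dst, service, password) tuples for P/S/D lines."""
    entries = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if not fields or fields[0] not in ("P", "S", "D"):
            continue  # blank line, comment, or entry type outside this sketch
        # Assumption: omitted trailing fields match anything ("D host3" denies all from host3)
        action, src, dst, svc = (fields + ["*"] * 3)[:4]
        entries.append((action, src, dst, svc, fields[4] if len(fields) > 4 else None))
    return entries

def decide(entries, src, dst, svc, password=None):
    """The first entry whose host/host/service matches decides; no match means deny."""
    for action, e_src, e_dst, e_svc, e_pwd in entries:
        if fnmatchcase(src, e_src) and fnmatchcase(dst, e_dst) and fnmatchcase(svc, e_svc):
            if action == "D":
                return "deny"
            return "permit" if e_pwd is None or e_pwd == password else "deny"
    return "deny"

def wildcard_permits(entries):
    """Permit entries without a password whose source, target and service are all '*'."""
    return [e for e in entries
            if e[0] in ("P", "S") and e[1:4] == ("*", "*", "*") and e[4] is None]

OPEN = parse_routtab("P * * *")  # the SAPROUTTAB from method one on this page
RESTRICTED = parse_routtab("""
D 192.168.18.253 192.168.18.222 *               # constructed sample table
P 192.168.18.*   192.168.18.222 3200 passwd1
""")

if __name__ == "__main__":
    print(decide(OPEN, "203.0.113.9", "192.168.0.2", "3200"))
    print(decide(RESTRICTED, "192.168.18.221", "192.168.18.222", "3200", "passwd1"))
    print(decide(RESTRICTED, "192.168.18.253", "192.168.18.222", "3200", "passwd1"))
    print(wildcard_permits(OPEN))
```

Because the first match wins, the D line has to come before the broader P line; with the two lines swapped, 192.168.18.253 would be permitted.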