Hello,

SAPRouter isn't a good solution when you're not dealing with static IP addresses. And I'm not sure the usage agreement permits that kind of use, especially for the encryption.

You should look into some sort of VPN solution or the webgui; but going web brings in it's own host of security issues.

Regards,

Michael

Hi,

We have been on your situation, too.

We manage to use VPN Client from product of a well-known network vendor (rather than managing SAP Router)

From the security point of view, our network teams have managed user authentification so that authorized user only can logon to the system. So that only specified user can logon to the network.

From basis point of view, we don't need to reconfigure saprouttab file, restarting saprouter every time user is connected. Also, minimized for leakage of SAProuter, in example we wish to simplify saprouttab management by using string asterisk (*) that may be potential for unwanted user logon to your system (as long as they know your SAP router string)

How this VPN Client works (from user perspective)

they logon to the internet - starting VPN client agent on their PC or laptops - importing profile file - login using their VPN Client - connect - and then they are on the same network with headquarters (work as if they are on the headquarters)

benefit :

- less SAP router management (changing saprouttab, restarting SAP router services, managing start/stop SAP router

- centralized network access (by network team) so that only authorized user can access the network

- you don't need to be worried if one or several of your user is resign or moving to another company, you just only to delete their profile from VPN user list. Imagine if you are using SAP router, the last barrier you have is SAP user authorization.

- to secure who is authorized to access SAP system, you should manage SAP user authorization as well

- ability to use your local application beside SAP : mail system, local application etc, because by logging in and connecting using VPN CLient, you are standing as if you are on the headquarters (office)

- they are note depending on public ip of sap router (if suddenly changed)

weak point :

- once a user is connecting, they can logon to all SAP client he are able to login. we cannot make limitation of certain client here. the only limitation we can made is by user authorization for each client.

- we cannot make limitation whether user A is allowed to use SAP only, user B is allowed to use SAP and mail only, and user C no limitation. once he is logging in, he will be able to execute or run any application he is authorized.

hope it help you.

rgds,

Alfonsus Guritno

Hi,

In sap routtab you need to mention the ip address which all you want allow and rest you need to denie. please see the SAProuter documentation.

Note 30289 - SAProuter documentation

Note 38119 - SAP Logon: Administration of functions

Regards,

Sushma

Edited by: sushma tatineni on Jan 4, 2010 12:53 PM