Connecting DirectAccess Clients to SAP

When a DirectAccess client computer is on the Internet, it connects to the corporate network using DirectAccess. All communications between the DirectAccess client and DirectAccess server are done over IPv6 (encapsulated in an IPv4 tunnel to carry the IPv6 traffic over the IPv4 Internet). In fact, the client application assumes that the connection is IPv6 from end to end, even when the destination server on the intranet is an IPv4-only resource. UAG DirectAccess can enable IPv4 connectivity to an intranet resource by using its NAT64/DNS64 IPv6/IPv4 protocol translation feature, which allows the UAG DirectAccess server to map an IPv6 address to the IPv4 address of the intranet resource. The DirectAccess client uses this mapped IPv6 address to connect to the IPv4 resource on the intranet. The UAG DirectAccess server translates it to an IPv4 address and forwards the connection to the desired IPv4-only resource on the intranet.
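The address mapping described above, as an added example that is not part of the original post: it builds the mapped IPv6 address for an IPv4-only host and recovers the IPv4 address from a mapped one, which is what you need when matching client-side logs against intranet logs. It assumes the RFC 6052 layout in which the IPv4 address fills the last 32 bits of a /96 prefix; the prefix `2001:db8:64::/96`, the function names and the log lines are constructed placeholders, so substitute the NAT64 prefix of your own UAG DirectAccess server.

```python
import ipaddress

# Assumption: placeholder /96 NAT64 prefix taken from the documentation range.
# Replace it with the prefix configured on the UAG DirectAccess server.
NAT64_PREFIX = ipaddress.IPv6Network("2001:db8:64::/96")


def synthesize(ipv4, prefix=NAT64_PREFIX):
    """Return the mapped IPv6 address a client is given for an IPv4-only host."""
    if prefix.prefixlen != 96:
        raise ValueError("this example only handles /96 NAT64 prefixes")
    v4 = ipaddress.IPv4Address(ipv4)
    return ipaddress.IPv6Address(int(prefix.network_address) | int(v4))


def recover(ipv6, prefix=NAT64_PREFIX):
    """Return the intranet IPv4 address behind a mapped IPv6 address, or None
    when the address is outside the NAT64 prefix (native IPv6 or ISATAP host)."""
    v6 = ipaddress.IPv6Address(ipv6)
    if v6 not in prefix:
        return None
    return ipaddress.IPv4Address(int(v6) & 0xFFFFFFFF)


def annotate(log_lines, prefix=NAT64_PREFIX):
    """Pair each logged IPv6 destination with the IPv4 host it maps to."""
    pairs = []
    for line in log_lines:
        dst = line.split("dst=")[1].split()[0]
        pairs.append((dst, recover(dst, prefix)))
    return pairs


# Constructed sample: destinations as a DirectAccess client might log them.
SAMPLE = [
    "2011-03-23T09:14:02 dst=2001:db8:64::a01:220 port=3200",
    "2011-03-23T09:14:07 dst=2001:db8:1::25 port=3299",
]

if __name__ == "__main__":
    print("10.1.2.32 ->", synthesize("10.1.2.32"))
    for dst, v4 in annotate(SAMPLE):
        print(dst, "->", v4 or "not a NAT64 address")
```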

While NAT64/DNS64 solves the problem of IPv4-only capable systems on the intranet, the client side application on the DirectAccess client must be IPv6 capable. If the client-side application is not IPv6 capable, it must use a non-DirectAccess method to reach the application server, such as an Internet accessible application gateway.

In the context of connectivity to SAP resources, you had to use an alternate method outside the DirectAccess tunnels before the release of SAP GUI version 7.1. With the introduction of SAP GUI 7.1, the DirectAccess client can connect to SAP resources on the intranet over the DirectAccess tunnels. However, to get this to work, you need to set a specific environment variable, which we will discuss later in this post. This solves the IPv6 problem on the client side.

If the SAP server is not IPv6 capable (meaning that it isn’t using ISATAP or native IPv6 addressing), then the UAG DirectAccess server’s NAT64/DNS64 feature will be used for IPv6/IPv4 protocol translation. While this will allow access to a SAP server, it will break SAP load balancing. The end result is that if you don’t need SAP load balancing, then all you need to do is set the environment variable on the SAP GUI client, and connectivity will work over DirectAccess because NAT64/DNS64 will take care of the protocol translation for you.

Solving the Load Balancing Problem

However, if you need load balancing for your SAP servers, NAT64/DNS64 isn’t going to do all the work. In this case you’re going to need to bring in another component, called a SAPRouter.

A SAProuter is a non-transparent gateway that can accept both IPv4 and IPv6 connections and do protocol translation between IPv4 and IPv6. NAT64/DNS64 are not used. Instead, the DirectAccess client connects to the SAPRouter using the SAPRouter’s IPv6 address, and then the SAPRouter can route the connections to the IPv4-only SAP servers behind the SAPRouter. At this point the SAP servers are able to load balance the connections and also return the responses to the SAPRouter, which is then able to return the responses to the DirectAccess clients through the UAG DirectAccess server.

Figure 1 illustrates the request/response path between the DirectAccess client and the SAP resource servers (note that the load balancing component of the SAP servers is called out to make the path easier to understand).

Figure 1

  1. The DirectAccess client sends a request to the IPv6 address of the SAPRouter to gain access to the SAP CRM resource on the intranet.
  2. The UAG DirectAccess server forwards the connection request to the IPv6 address of the SAPRouter.
  3. The SAPRouter forwards the connection to the IPv4 address of the SAP server load balancer.
  4. The SAP server load balancer forwards the request to the IPv4 address of the SAP CRM resource server.
  5. The SAP CRM returns a response to the IPv4 address of the SAP server load balancer.
  6. The SAP server returns the response to the IPv4 address on the SAPRouter.
  7. The SAPRouter returns the response to the IPv6 address of the UAG DirectAccess server.
  8. The UAG DirectAccess server returns the response to the IPv6 address of the DirectAccess client.

Configuring the SAPGUI 7.1 Client

The following instructions configure the SAP GUI 7.1 client to work with DirectAccess:

  1. Start SAP Logon.
  2. Click the button 'New Item'.
  3. Click the button 'Next'.
  4. In the window "Create New System Entry" choose the connection type "Custom Application Server".
    Add the following into the dialog:
    Field "Description" > A description
    Field "Application Server" > Enter the hostname of the SAP Application Server
    Field "System Number" > The number of the instance
    Field "System ID" > The System ID

If you are using a SAProuter, you also have to add an entry in the field "SAProuter String", for example "/H/saprouterxy".
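A check for the "SAProuter String" field described above, as an added example that is not part of the original post: it parses the /H/ host, /S/ service and /W/ password keys of a route string and flags a first hop given as an IPv4 literal (the DirectAccess client has to reach the SAPRouter over IPv6) and any route password saved in the entry. The function names, finding labels and the second sample string are constructed for illustration.

```python
import ipaddress
import re

# Route-string keys: /H/ host, /S/ service (port or name), /W/ route password.
_TOKEN = re.compile(r"/([HSW])/([^/]*)")
DEFAULT_SERVICE = "3299"  # default SAProuter port


def parse_route(route):
    """Split a SAProuter string into a list of hops (dicts)."""
    hops, pos = [], 0
    for m in _TOKEN.finditer(route):
        key, value = m.groups()
        if m.start() != pos or not value:
            raise ValueError(f"malformed route string near offset {pos}")
        if key == "H":
            hops.append({"host": value, "service": DEFAULT_SERVICE, "password": None})
        elif not hops:
            raise ValueError(f"/{key}/ appears before any /H/")
        else:
            hops[-1]["service" if key == "S" else "password"] = value
        pos = m.end()
    if not hops or pos != len(route):
        raise ValueError("not a SAProuter string")
    return hops


def review(route):
    """Return (hop_number, finding) pairs for a saved SAProuter string."""
    hops = parse_route(route)
    findings = []
    # Only the first hop is contacted by the DirectAccess client itself.
    try:
        if ipaddress.ip_address(hops[0]["host"]).version == 4:
            findings.append((1, "ipv4-literal"))
    except ValueError:
        pass  # a DNS name: resolved through the DirectAccess client's DNS
    for n, hop in enumerate(hops, 1):
        if hop["password"] is not None:
            findings.append((n, "embedded-password"))
    return findings


if __name__ == "__main__":
    # Constructed samples; "saprouterxy" is the host name used in the post.
    for s in ("/H/saprouterxy", "/H/192.0.2.10/S/3299/H/inner/W/example-pw"):
        print(s, "->", review(s) or "ok")
```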

Summary

  • If you don’t need load balancing for your SAP CRM resources, then all you need to do is configure the SAP GUI 7.1 client.
  • If you need load balancing for your SAP CRM resources, then you will need to introduce a SAPRouter.
  • The SAPRouter can translate IPv4 to IPv6 and back so that the DirectAccess client can be configured with the IPv6 address of the SAPRouter.

If you have further questions regarding this issue, please write to the address in the sig line below.

Authors:

Noam Ben-Yochanan, Senior Program Manager, DA

Tom Shinder
tomsh@microsoft.com
Knowledge Engineer, Microsoft DAIP iX/Forefront iX
UAG Direct Access/Anywhere Access Group (AAG)
The “Edge Man” blog (DA all the time):
https://blogs.technet.com/tomshinder/default.aspx
Follow me on Twitter: https://twitter.com/tshinder
Facebook: https://www.facebook.com/tshinder

Comments

  • Anonymous
    January 01, 2003
    Hi Moonty, This allows connectivity using the native application layer protocol used for SAP access over the DirectAccess tunnel. HTH, Tom

  • Anonymous
    January 01, 2003
    Hi Victor, Thanks! Tom

  • Anonymous
    January 01, 2003
    This Method Will Use SSL Tunneling Application (UAG)??? Thanks

  • Anonymous
    March 23, 2011
    Dear Tom, I think you forgot to talk about the SAP Client environment variable. SAP_IPv6_ACTIVE =1 help.sap.com/.../content.htm

  • Anonymous
    November 05, 2013
    How can I find out the SAP Router IPv6 address? Thanks

  • Anonymous
    October 30, 2014
    We are trying to rollout DirectAccess 2012 and have a showstopper issue as we cannot get it to work with our SAP GUI 7.30 clients.
    We do not have UAG and DirectAccess 2012 is supposed to no longer have this additional requirement.
    Has anyone gotten this to work?
    Did you have to introduce SAPROUTER into the mix?

  • Anonymous
    January 05, 2015
    Update to 30 Oct 2014 post - we found that SAPROUTER was required for the 2012 solution to work

  • Anonymous
    May 10, 2016
    Hi, you state that a saprouter is necessary in case you want to connect to a SAP application server via load balancing. Would it also work if the SAP application server itself is configured to provide IPv4 and IPv6 connectivity and no saprouter is used? Thanks, Josua

  • Anonymous
    May 13, 2016
    Hello All, For Direct Access setup you can follow link below ... http://scn.sap.com/docs/DOC-72971 Thanks, Yogesh

  • Anonymous
    January 12, 2017
    Hello Tom, we have a requirement of using SAP Logon groups over the internet, I mean from SAP router. I searched on the internet but was not able to find any concrete solution. Please tell me how to do the configurations for the same.