INTERNAL – Authorized for SAP Customers and Partners

Document Version: 1H 2021 – 2021-07-08

Setting Up a VPN Connection to Employee Central

Payroll Systems
© 2021 SAP SE or an SAP affiliate company. All rights reserved.

THE BEST RUN

Content

1 Change History. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3

2 Introduction. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4

3 General Information on VPN Technologies. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5

4 Technical Details of the VPN Connection to SAP. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6

4.1 IPsec VPN Prerequisites. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6
4.2 IPsec VPN Configuration Parameters. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8
4.3 Creation of Service Request to Configure the VPN Connection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10
4.4 Security Policy. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10
4.5 SAProuter. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .11
Download and Install SAProuter. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11
Start SAProuter. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12
Network Tests. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13
4.6 Employee Central Payroll Connectivity. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14
Customer Access to/from Payroll Systems Via VPN. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14
SAP Logon for Employee Central Payroll. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15
SAP Logon Configuration. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16
Customer Access to/from Payroll Systems Available Via Web Service . . . . . . . . . . . . . . . . . . . . . . . .17

Setting Up a VPN Connection to Employee Central Payroll Systems

2 INTERNAL – Authorized for SAP Customers and Partners Content
1 Change History

Learn about changes to the documentation for Setting Up a VPN Connection to Employee Central Payroll Systems
in recent releases.

1H 2021

Type of Change Description More Info

June 11, 2021

Changed We’ve corrected and updated the follow­ IPsec VPN Prerequisites [page 6]
ing documentation.
IPsec VPN Configuration Parameters
[page 8]

Creation of Service Request to Configure

the VPN Connection [page 10]

SAP Logon Configuration [page 16]

Customer Access to/from Payroll Sys­

tems Available Via Web Service [page
17]

Setting Up a VPN Connection to Employee Central Payroll Systems

Change History INTERNAL – Authorized for SAP Customers and Partners 3
2 Introduction

This document describes the steps required to set up a secure connection between an Employee Central Payroll
customer and SAP. After a summary on VPN technologies, we will talk about some technical prerequisites as well
as VPN configuration details.

The Employee Central Payroll VPN connection is primarily needed for the back end access to SAP Payroll systems
via SAPGui. However, it can also be used for RFC/ALE based integrations.

For integration scenarios where it is possible , SAP recommends that you rather use Web Services instead of RFC
to be less dependent on the VPN connection.

 Note

A VPN connection can’t be used for Integration scenarios with HTTP/HTTPS connections.

Setting Up a VPN Connection to Employee Central Payroll Systems

4 INTERNAL – Authorized for SAP Customers and Partners Introduction
3 General Information on VPN Technologies

IPsec-VPN

Internet Protocol Security (IPsec) is a protocol suite that can provide a secure communication channel through
insecure networks like the Public Internet. IPsec-VPNs are typically used to connect businesses in a secure and
cost-efficient way.

As IPsec VPN technology has been de facto an industry standard for B2B connections for years, we will not explain
further technical details of IPsec VPNs in this document.

Another VPN Technologies

Beside IPsec VPNs, there are more VPN technologies like L2TP, PPTP, or SSL-VPNs. Note that these VPN
technologies are not supported by SAP.

Setting Up a VPN Connection to Employee Central Payroll Systems

General Information on VPN Technologies INTERNAL – Authorized for SAP Customers and Partners 5
4 Technical Details of the VPN Connection to
SAP

The technical setup consists of at least a VPN device and an SAProuter on the customer side, as well as a VPN
device and a load balanced SAProuter farm on the SAP side. Note that all network devices at SAP are set up as a
high available cluster. For simplicity reasons, VPN devices, Firewalls, and Load Balancer are represented as single
devices in this picture:

4.1 IPsec VPN Prerequisites

This section explains the prerequisites that must be met in order to set up a VPN connection to SAP and access
Employee Central Payroll systems.

IPsec-Capable VPN Device

As SAP SE only supports IPsec-VPNs, an IPsec-capable VPN device is required. Examples of IPsec-capable VPN
devices are Checkpoint FW-1, Cisco ASR, Cisco ASA, Sophos UTM, Palo Alto Networks Firewalls, etc. If you are not
sure whether your VPN device supports IPsec-VPNs, contact the vendor of your VPN device.

Setting Up a VPN Connection to Employee Central Payroll Systems

6 INTERNAL – Authorized for SAP Customers and Partners Technical Details of the VPN Connection to SAP
Static Public IP Address of Your VPN Device

Dynamic IP addresses are not supported for VPN connections to SAP. In case your VPN device is using dynamically
assigned IP address, ask your ISP to provide you a statically assigned IP address.

SAProuter Installation

Connectivity between the customer landscape and the Employee Central Payroll systems is limited to SAProuter
connections. For details about SAProuter, see SAProuter [page 11].

Officially Registered IP of Your SAProuter

In order to prevent IP address conflicts on our VPN devices that are caused by different customers using the same
IP address range in their internal network, SAP requires the usage of an officially registered IP address assigned to
your SAProuter. If you prefer to use private IP addresses for your systems this can be achieved by using Network
Address Translation on your VPN device, or by setting up NAT-T (to use the Outside Interface IP as the Encryption
Domain IP. Additionally, ensure that the NAT can communicate between your Private and Public IP of router with
your service provider if Opted for.

DSN Resolution on your SAProuter

Using the Disaster Recovery (DS) setupt requires using Fully Qualified Domain Names (FQDNs) for the SAProuters
on SAP side. For this, your SAProuter needs to be able to resolve SAP Public DNS entries:

● SAProuter FQDN EMEA: sr-emea.payroll.gtm.ondemand.com

● SAProuter FQDN US: sr-amer.payroll.gtm.ondemand.com
● SAProuter APJ: sr-apj.payroll.gtm.ondemand.com

Setting Up a VPN Connection to Employee Central Payroll Systems

Technical Details of the VPN Connection to SAP INTERNAL – Authorized for SAP Customers and Partners 7
4.2 IPsec VPN Configuration Parameters

Depending on the location of your SAP Payroll systems some VPN configuration parameters vary, as SAP uses
different VPN endpoints for the various locations.

SAP Payroll Systems Located in EMEA

Productive Datacenter (Germany)

IP address of SAP VPN gateway: 155.56.220.27

Encryption Domain SAP 147.204.30.17

Disaster Recovery Datacenter (Amsterdam)

IP address of SAP VPN gateway: 157.133.143.30

Encryption Domain SAP 157.133.141.65

SAP Payroll Systems Located in APJ

Productive Datacenter (Sydney 1)

IP address of SAP VPN gateway: 210.80.140.26

Encryption Domain SAP: 210.80.140.235

Productive Datacenter (Sydney 2)

IP address of SAP VPN gateway: 157.133.107.30

Encryption Domain SAP: 157.133.109.65

SAP Payroll Systems Located in the USA

Productive Datacenter (Newtown Square)

IP address of SAP VPN gateway: 169.145.9.78

Encryption Domain SAP: 169.145.9.91

Disaster Recovery Datacenter (Sterling)

IP address of SAP VPN gateway: 169.145.116.46

Encryption Domain SAP: 169.145.118.65

Setting Up a VPN Connection to Employee Central Payroll Systems

8 INTERNAL – Authorized for SAP Customers and Partners Technical Details of the VPN Connection to SAP
SAP Payroll Systems Located in RIYADH

IP address of SAP VPN gateway: 157.133.95.222

Encryption Domain SAP: 157.133.93.65

SAP Payroll Systems Located in DUBAI

IP address of SAP VPN gateway: 157.133.87.222

Encryption Domain SAP: 157.133.85.65

Other SAP Payroll Systems

All other VPN configuration parameters aren’t location-specific. The standard parameters are the following:

IKEv1 Phase 1 Parameters

IKE Encryption Algorithm AES-256

IKE Hash Algorithm SHA-1

Diffie-Hellman-Group 2 (1024 bit)

IKE SA Lifetime 86400 seconds

IKEv2 Phase 1 Parameters

IKE Encryption Algorithm AES-256

IKE Hash Algorithm SHA-384

Diffie-Hellman-Group 14 (2048bit)

IKE SA Lifetime 86400 seconds

IKEv1 Phase 2 Parameters

IPsec Encryption Algorithm AES-256

IPsec Hash Algorithm SHA-1

Mode tunnel

Perfect forward secrecy on

PFS Diffie-Hellman-Group 2 (1024bit)

IPsec Lifetime 28800 seconds / 1152000 bits

IKEv2 Phase 2 Parameters

IPsec Encryption Algorithm AES-256

IPsec Hash Algorithm SHA-384

Setting Up a VPN Connection to Employee Central Payroll Systems

Technical Details of the VPN Connection to SAP INTERNAL – Authorized for SAP Customers and Partners 9
Mode tunnel

Perfect forward secrecy on

PFS Diffie-Hellman-Group 14 (1024bit)

IPsec Lifetime 28800 seconds / 1152000 bits

To complete the set of VPN configuration, you would need to provide us IP addresses and configuration parameters
of your VPN device as well as the Pre-Shared-Key to be used for this VPN.

4.3 Creation of Service Request to Configure the VPN

Connection

See how to create service request to configure the VPN connection for your Employee Central Payroll systems.

Go to the One Support Launchpad and follow the steps described in KBA 3012342 .

SAP has built Disaster Recovery systems at SAP DR sites for every corresponding Employee Central Payroll
Production system. In case of any disaster situation at SAP Production site, customer must be able to connect to
DR system via DR VPN Tunnel to continue with business run, until Production system become available.

The same configuration details submitted for Production VPN tunnel would be used for DR tunnel creation too. In
case you require separate tunnel for SAP DR site, please raise new service request for DR tunnel. For more
information, refer to Point #7 in KBA 3012342 . Choose Option - DR VPN Tunnel Setup.

For more details on Disaster Recovery Tunnel set up process and technical information please refer to KBA
0003037793 and 2875892 .

4.4 Security Policy

By default, only SAProuter connections (tcp/3299) and ICMP for debugging purposes are allowed through the VPN
connection. This results in the following security policy:

● <Encryption Domain Customer> → <Encryption Domain SAP> tcp/3299

● <Encryption Domain Customer> → <Encryption Domain SAP> icmp
● <Encryption Domain Customer> -> <Encryption Domain DR Site> icmp
● <Encryption Domain Customer> -> <Encryption Domain DR Site> icmp

● <Encryption Domain SAP> -> <Encryption Domain Customer> tcp/3299

● <Encryption Domain SAP> -> <Encryption Domain Customer> icmp
● <Encryption Domain SAP> -> <Encryption Domain DR Site > tcp/3299
● <Encryption Domain SAP> -> <Encryption Domain DR Site > icmp

Setting Up a VPN Connection to Employee Central Payroll Systems

10 INTERNAL – Authorized for SAP Customers and Partners Technical Details of the VPN Connection to SAP
4.5 SAProuter

SAProuter is a software application that provides Application Level Gateway (ALG) functionality for SAP application
protocols.

Typically, a SAProuter is used to provide a remote connection to the SAP support infrastructure. For Employee
Central Payroll connectivity, the SAProuter is used only as Application Level Gateway.

 Caution

You don't need to register this SAProuter with SAP Support.

If you already have a SAProuter installed, it’s possible to use it also to connect to your SAP Payroll systems, but we
highly recommend that you use a separate SAProuter installation for this purpose.

As stated in the section IPsec VPN Prerequisites, your SAProuter should be configured with a public IP address
owned by your company. This is necessary as we need to avoid IP address conflicts with other customers on our
VPN gateways. As most customers use private IP addresses on their internal systems, this can be achieved by
applying Network Address Translation (NAT) like on the VPN-Gateway.

4.5.1 Download and Install SAProuter

Context

SAProuter related data is available on the SAP Support Portal Home .

Procedure

1. Select Download SAPRouter to download the latest version of the SAProuter software according to the
operating system of the host where you plan to install SAProuter.

Downloaded files are in format .sar. Download SAPCAR_XXX-XXXXXXXX.EXE if not available.

2. Extract the SAProuter executables using the SAPCAR_XXX-XXXXXXXX.EXE -xvf saprouter_XXX-
XXXXXXXX.sar command.

For Windows hosts, the command above must be executed from command prompt.
3. Create a file saprouttab in the folder where executables are downloaded.

P * sr-emea.pay­ 3299 # EMEA

roll.gtm.onde­
mand.com

Setting Up a VPN Connection to Employee Central Payroll Systems

Technical Details of the VPN Connection to SAP INTERNAL – Authorized for SAP Customers and Partners 11
 P sr-emea.pay­ * 3300.3399 # EMEA
roll.gtm.onde­
mand.com

P * 147.204.30.17 3299 # EMEA IP

P 147.204.30.17 * 3300.3399 # EMEA IP

P * 157.133.141.65 3299 # EMEA DR IP

P 157.133.141.65 * 3300.3399 # EMEA DR IP

P * sr-apj.payroll.gtm.on­ 3299 # APJ

demand.com

P sr-apj.payroll.gtm.on­ * 3300.3399 # APJ

demand.com

P * 210.80.140.235 3299 # APJ IP

P 210.80.140.235 * 3300.3399 # APJ IP

P * 157.133.109.65 3299 # APJ DR IP

P 157.133.109.65 * 3300.3399 # APJ DR IP

P * sr-amer.pay­ 3299 # US
roll.gtm.onde­
mand.com

P sr-amer.gtm.pay­ * 3300.3399 # US
roll.ondemand.com

P * 169.145.9.91 3299 # US IP

P 169.145.9.91 * 3300.3399 # US IP

P * 169.145.118.65 3299 # US DR IP

P 169.145.118.65 * 3300.3399 # US DR IP

P * 157.133.93.65 3299 # RIYADH

P 157.133.93.65 * 3300.3399 # RIYADH

P * 157.133.85.65 3299 # DUBAI

P 157.133.85.65 * 3300.3399 # DUBAI

D * * * # Deny everything else

4.5.2 Start SAProuter

Linux/Unix Based Hosts

Start SAProuter using the saprouter -r command.

nohup saprouter -r & command can be used to run the service in background.

Setting Up a VPN Connection to Employee Central Payroll Systems

12 INTERNAL – Authorized for SAP Customers and Partners Technical Details of the VPN Connection to SAP
  Note

Useful commands for Linux/Unix based hosts

● Stop SAProuter using the saprouter -s command.

● Check SAProuter status using the saprouter -1 command.
● Soft shutdown of SAProuter using the saprouter -p command.

Windows-Based Hosts

Create a service to start the SAProuter. Execute the command below from command prompt.

sc.exe create SAPRouter binPath= "<path>\saprouter.exe service -r <parameter>" start=

auto obj= "NT AUTHORITY\LocalService"

 Note

Path = Location where the saprouter.exe is extracted.

Parameter = location of the saprouttab file, for example: E:\SAProuter\saprouttab

For more details, see SAP Note 41054 .

4.5.3 Network Tests

To check whether the connection to SAP is working, logon to the command line of the SAProuter server and
navigate to the dedicated SAProuter directory and execute:

Region Command for Server Test

EMEA niping -c -O -H 147.204.30.17 -S 3299

EMEA DR niping -c -O -H 157.133.141.65 -S 3299

APJ niping -c -O -H 210.80.140.235 -S 3299

APJ DR niping -c -O -H 157.133.109.65 -S 3299

USA niping -c -O -H 169.145.9.91 -S 3299

USA DR niping -c -O -H 169.145.118.65 -S 3299

for Riyadh niping -c -O -H 157.133.93.65 -S 3299

for Dubai niping -c -O -H 157.133.85.65 -S 3299

Setting Up a VPN Connection to Employee Central Payroll Systems

Technical Details of the VPN Connection to SAP INTERNAL – Authorized for SAP Customers and Partners 13
4.6 Employee Central Payroll Connectivity

4.6.1 Customer Access to/from Payroll Systems Via VPN

The following graphic illustrates customer access to SAP SuccessFactors Employee Central Payroll systems over a
virtual private network (VPN). As stated previously in the Introduction [page 4], the primary reason for using the
VPN is SAPGui access to the SAP Payroll systems. It can also be used for remote function call (RFC)/application
link enabling (ALE) based integrations. SAP recommends that you use Web Services instead of RFC to set up
integration wherever possible.

SAPGui and SAP RFC use SAProuters on both sides of the connection. SAProuter strings are required to establish a
successful connection. The SAProuter strings vary depending on the location of the SAP Payroll systems. The
following list of SAProuter strings is provided to be used for end-to-end connectivity tests using the SAP NIPING
tool. The SAProuter string used in SAP Logon is slightly different – see the next section for details.

SAPGui from Customer to SAP Payroll System

EMEA (ROT/AMS) /H/<customer-saprouter>/S/3299/H/sr-emea.payroll.gtm.ondemand.com/H/<payroll-
host>/S/3200

APJ (SYD1/SYD2) /H/<customer-saprouter>/S/3299/H/sr-apj.payroll.gtm.ondemand.com/H/<payroll-

host>/S/3200

US (NSQ/STL) /H/<customer-saprouter>/S/3299/H/sr-amer.payroll.gtm.ondemand.com/H/<payroll-
host>/S/3200

Riyadh (RI1) /H/<customer-saprouter>/S/3299/H/157.133.93.65/S/3299/H/<payroll-host>/S/3200

Dubai (DXB1) /H/<customer-saprouter>/S/3299/H/157.133.85.65/S/3299/H/<payroll-host>/S/3200

Setting Up a VPN Connection to Employee Central Payroll Systems

14 INTERNAL – Authorized for SAP Customers and Partners Technical Details of the VPN Connection to SAP
RFC from Customer to SAP Payroll System
EMEA (ROT/AMS) /H/<customer-saprouter>/S/3299/H/sr-emea.payroll.gtm.ondemand.com/H/<payroll-
host>/S/3300

APJ (SYD1/SYD2) /H/<customer-saprouter>/S/3299/H/sr-apj.payroll.gtm.ondemand.com/H/<payroll-

host>/S/3300

US (NSQ/STL) /H/<customer-saprouter>/S/3299/H/sr-amer.payroll.gtm.ondemand.com/H/<payroll-
host>/S/3300

Riyadh (RI1) /H/<customer-saprouter>/S/3299/H/157.133.93.65/S/3299/H/<payroll-host>/S/3300

Dubai (DXB1) /H/<customer-saprouter>/S/3299/H/157.133.85.65/S/3299/H/<payroll-host>/S/3300

RFC from SAP Payroll System to Customer ABAP Systems

EMEA (ROT/AMS) /H/sr-emea.payroll.gtm.ondemand.com/H/<customer-saprouter>/S/3299/H/<cus­
tomer-host>/S/3300

APJ (SYD1/SYD2) /H/sr-apj.payroll.gtm.ondemand.com/H/<customer-saprouter>/S/3299/H/<customer-

host>/S/3300

US (NSQ/STL) /H/sr-amer.payroll.gtm.ondemand.com/H/<customer-saprouter>/S/3299/H/<cus­
tomer-host>/S/3300

Riyadh (RI1) /H/157.133.85.65/S/3299/H/<customer-saprouter>/S/3299/H/<ABAP server to be con­

nected>/S/3300

Dubai (DXB1) /H/157.133.85.65/S/3299/H/<customer-saprouter>/S/3299/H/<ABAP server to be con­

nected>/S/3300

 Note

The specific requirements to be met by the customer for this RFC to work are:

● Customer-SAProuter connectivity to ABAP end-server using the 3299/3300 port

● Allow incoming traffic from SAP SuccessFactors Employee Central Payroll through the SAP Public Cloud
Router to SAProuter (Customer).

4.6.2 SAP Logon for Employee Central Payroll

SAP Logon is used to initiate user session to your Employee Central Payroll system. Not all logon pads are available
for cloud customers.

To install the SAP GUI for Windows for Employee Central Payroll systems, go to the ONE Support Launchpad .

GUI versions are downward compatible . The supported version of GUI that can be used for Employee Central
Payroll systems available are SAP GUI FOR WINDOWS 7.50 CORE and SAP GUI FOR WINDOWS 7.60 CORE.
Customers can download either version.

Setting Up a VPN Connection to Employee Central Payroll Systems

Technical Details of the VPN Connection to SAP INTERNAL – Authorized for SAP Customers and Partners 15
4.6.3 SAP Logon Configuration

To complete your SAP Logon configuration, you need the information regarding Application Server Name and
System ID that has been provided to you in the system handover mail.

The SAProuter String value depends on both the IP address of your SAProuter as well as the location of your SAP
Payroll systems. The following lines show standard SAProuter strings for the various Payroll locations:

Systems located in EMEA (ROT/AMS) /H/<customer-saprouter>/S/3299/H/sr-emea.payroll.gtm.onde­

mand.com/H/<payroll-host>/S/3200

Systems located in APJ (SYD1/SYD2) /H/<customer-saprouter>/S/3299/H/sr-apj.payroll.gtm.onde­

mand.com/H/<payroll-host>/S/3200

Systems located in the USA (NSQ/STL) /H/<customer-saprouter>/S/3299/H/sr-amer.payroll.gtm.onde­

mand.com/H/<payroll-host>/S/3200

Systems located in Riyadh (RI1) /H/<customer-saprouter>/S/3299/H/157.133.93.65/S/3299/H/

Systems located in Dubai (DXB1) /H/<customer-saprouter>/S/3299/H/157.133.85.65/S/3299/H/

Setting Up a VPN Connection to Employee Central Payroll Systems

16 INTERNAL – Authorized for SAP Customers and Partners Technical Details of the VPN Connection to SAP
4.6.4 Customer Access to/from Payroll Systems Available Via
Web Service

The integration between SAP S/4HANA Cloud Public and SAP SuccessFactors Employee Central Payroll is done via
web service and doesn’t require a VPN connectivity.

For more information about the procedure, see the Integration Between Payroll and Finance document.https://
help.sap.com/viewer/6b39bd1d0e5e4099a5b65d835c29c696/latest/en-US/
92b87c4ebfde49ada97673358ace9427.html

For more information about the configuration, see the Setting Up Payroll Processing with SAP SuccessFactors
Employee Central Payroll (1NL) document.

 Note

As these configuration steps are customer-specific, they can’t be delivered by SAP and must be carried out by
the customer.

Setting Up a VPN Connection to Employee Central Payroll Systems

Technical Details of the VPN Connection to SAP INTERNAL – Authorized for SAP Customers and Partners 17
Important Disclaimers and Legal Information

Hyperlinks
Some links are classified by an icon and/or a mouseover text. These links provide additional information.
About the icons:

● Links with the icon : You are entering a Web site that is not hosted by SAP. By using such links, you agree (unless expressly stated otherwise in your agreements
with SAP) to this:

● The content of the linked-to site is not SAP documentation. You may not infer any product claims against SAP based on this information.
● SAP does not agree or disagree with the content on the linked-to site, nor does SAP warrant the availability and correctness. SAP shall not be liable for any
damages caused by the use of such content unless damages have been caused by SAP's gross negligence or willful misconduct.

● Links with the icon : You are leaving the documentation for that particular SAP product or service and are entering a SAP-hosted Web site. By using such links, you
agree that (unless expressly stated otherwise in your agreements with SAP) you may not infer any product claims against SAP based on this information.

Videos Hosted on External Platforms

Some videos may point to third-party video hosting platforms. SAP cannot guarantee the future availability of videos stored on these platforms. Furthermore, any
advertisements or other content hosted on these platforms (for example, suggested videos or by navigating to other videos hosted on the same site), are not within the
control or responsibility of SAP.

Beta and Other Experimental Features

Experimental features are not part of the officially delivered scope that SAP guarantees for future releases. This means that experimental features may be changed by SAP at
any time for any reason without notice. Experimental features are not for productive use. You may not demonstrate, test, examine, evaluate or otherwise use the
experimental features in a live operating environment or with data that has not been sufficiently backed up.
The purpose of experimental features is to get feedback early on, allowing customers and partners to influence the future product accordingly. By providing your feedback
(e.g. in the SAP Community), you accept that intellectual property rights of the contributions or derivative works shall remain the exclusive property of SAP.

Example Code
Any software coding and/or code snippets are examples. They are not for productive use. The example code is only intended to better explain and visualize the syntax and
phrasing rules. SAP does not warrant the correctness and completeness of the example code. SAP shall not be liable for errors or damages caused by the use of example
code unless damages have been caused by SAP's gross negligence or willful misconduct.

Gender-Related Language
We try not to use gender-specific word forms and formulations. As appropriate for context and readability, SAP may use masculine word forms to refer to all genders.

Setting Up a VPN Connection to Employee Central Payroll Systems

18 INTERNAL – Authorized for SAP Customers and Partners Important Disclaimers and Legal Information
Setting Up a VPN Connection to Employee Central Payroll Systems
Important Disclaimers and Legal Information INTERNAL – Authorized for SAP Customers and Partners 19
www.sap.com/contactsap

© 2021 SAP SE or an SAP affiliate company. All rights reserved.

No part of this publication may be reproduced or transmitted in any form

or for any purpose without the express permission of SAP SE or an SAP
affiliate company. The information contained herein may be changed
without prior notice.

Some software products marketed by SAP SE and its distributors

contain proprietary software components of other software vendors.
National product specifications may vary.

These materials are provided by SAP SE or an SAP affiliate company for

informational purposes only, without representation or warranty of any
kind, and SAP or its affiliated companies shall not be liable for errors or
omissions with respect to the materials. The only warranties for SAP or
SAP affiliate company products and services are those that are set forth
in the express warranty statements accompanying such products and
services, if any. Nothing herein should be construed as constituting an
additional warranty.

SAP and other SAP products and services mentioned herein as well as
their respective logos are trademarks or registered trademarks of SAP
SE (or an SAP affiliate company) in Germany and other countries. All
other product and service names mentioned are the trademarks of their
respective companies.

Please see https://www.sap.com/about/legal/trademark.html for

additional trademark information and notices.

THE BEST RUN