VPN Ecp PDF
1 Change History [page 3]
2 Introduction [page 4]
Learn about changes to the documentation for Setting Up a VPN Connection to Employee Central Payroll Systems
in recent releases.
1H 2021
Changed: We've corrected and updated the following documentation: IPsec VPN Prerequisites [page 6], IPsec VPN Configuration Parameters [page 8]
This document describes the steps required to set up a secure connection between an Employee Central Payroll
customer and SAP. After a summary on VPN technologies, we will talk about some technical prerequisites as well
as VPN configuration details.
The Employee Central Payroll VPN connection is primarily needed for back-end access to SAP Payroll systems via SAPGui. However, it can also be used for RFC/ALE based integrations.
Where possible, SAP recommends that you use Web Services instead of RFC for integration scenarios, to be less dependent on the VPN connection.
Note
A VPN connection can’t be used for Integration scenarios with HTTP/HTTPS connections.
IPsec-VPN
Internet Protocol Security (IPsec) is a protocol suite that can provide a secure communication channel through
insecure networks like the Public Internet. IPsec-VPNs are typically used to connect businesses in a secure and
cost-efficient way.
As IPsec VPN technology has been the de facto industry standard for B2B connections for years, we will not explain further technical details of IPsec VPNs in this document.
Besides IPsec VPNs, there are other VPN technologies such as L2TP, PPTP, or SSL-VPNs. Note that these VPN technologies are not supported by SAP.
The technical setup consists of at least a VPN device and an SAProuter on the customer side, as well as a VPN device and a load-balanced SAProuter farm on the SAP side. Note that all network devices at SAP are set up as a highly available cluster. For simplicity, VPN devices, firewalls, and load balancers are represented as single devices in this picture:
This section explains the prerequisites that must be met in order to set up a VPN connection to SAP and access
Employee Central Payroll systems.
As SAP SE only supports IPsec-VPNs, an IPsec-capable VPN device is required. Examples of IPsec-capable VPN
devices are Checkpoint FW-1, Cisco ASR, Cisco ASA, Sophos UTM, Palo Alto Networks Firewalls, etc. If you are not
sure whether your VPN device supports IPsec-VPNs, contact the vendor of your VPN device.
Dynamic IP addresses are not supported for VPN connections to SAP. If your VPN device uses a dynamically assigned IP address, ask your ISP to provide you with a statically assigned IP address.
SAProuter Installation
Connectivity between the customer landscape and the Employee Central Payroll systems is limited to SAProuter
connections. For details about SAProuter, see SAProuter [page 11].
In order to prevent IP address conflicts on our VPN devices that are caused by different customers using the same IP address range in their internal network, SAP requires that an officially registered IP address is assigned to your SAProuter. If you prefer to use private IP addresses for your systems, this can be achieved by using Network Address Translation on your VPN device, or by setting up NAT-T (using the outside interface IP as the encryption domain IP). If you opt for this, additionally ensure that the NAT between the private and public IP of your router works with your service provider.
Using the Disaster Recovery (DR) setup requires using Fully Qualified Domain Names (FQDNs) for the SAProuters on the SAP side. For this, your SAProuter needs to be able to resolve SAP public DNS entries:
Depending on the location of your SAP Payroll systems some VPN configuration parameters vary, as SAP uses
different VPN endpoints for the various locations.
All other VPN configuration parameters aren’t location-specific. The standard parameters are the following:
Diffie-Hellman group: 14 (2048 bit)
Mode: tunnel
To complete the VPN configuration, you need to provide us with the IP addresses and configuration parameters of your VPN device as well as the pre-shared key to be used for this VPN.
See how to create a service request to configure the VPN connection for your Employee Central Payroll systems.
Go to the One Support Launchpad and follow the steps described in KBA 3012342.
SAP has built Disaster Recovery systems at SAP DR sites for every corresponding Employee Central Payroll Production system. In the event of a disaster at the SAP Production site, the customer must be able to connect to the DR system via the DR VPN tunnel to continue business operations until the Production system becomes available again.
The same configuration details submitted for the Production VPN tunnel are used for the DR tunnel creation too. If you require a separate tunnel for the SAP DR site, please raise a new service request for the DR tunnel. For more information, refer to Point #7 in KBA 3012342. Choose Option - DR VPN Tunnel Setup.
For more details on the Disaster Recovery tunnel setup process and technical information, please refer to KBA 0003037793 and 2875892.
By default, only SAProuter connections (tcp/3299) and ICMP for debugging purposes are allowed through the VPN
connection. This results in the following security policy:
SAProuter is a software application that provides Application Level Gateway (ALG) functionality for SAP application
protocols.
Typically, a SAProuter is used to provide a remote connection to the SAP support infrastructure. For Employee
Central Payroll connectivity, the SAProuter is used only as Application Level Gateway.
Caution
If you already have a SAProuter installed, it’s possible to use it also to connect to your SAP Payroll systems, but we
highly recommend that you use a separate SAProuter installation for this purpose.
As stated in the section IPsec VPN Prerequisites, your SAProuter should be configured with a public IP address owned by your company. This is necessary because we need to avoid IP address conflicts with other customers on our VPN gateways. As most customers use private IP addresses on their internal systems, this can be achieved by applying Network Address Translation (NAT), for example on the VPN gateway.
Context
Procedure
1. Select Download SAPRouter to download the latest version of the SAProuter software according to the
operating system of the host where you plan to install SAProuter.
For Windows hosts, the command above must be executed from command prompt.
3. Create a file saprouttab in the folder where executables are downloaded.
P * sr-amer.payroll.gtm.ondemand.com 3299 # US
P sr-amer.gtm.payroll.ondemand.com * 3300-3399 # US
P * 169.145.9.91 3299 # US IP
P 169.145.9.91 * 3300-3399 # US IP
P * 169.145.118.65 3299 # US DR IP
P 169.145.118.65 * 3300-3399 # US DR IP
The command nohup saprouter -r & can be used to run the service in the background.
Windows-Based Hosts
Create a service to start the SAProuter. Execute the command below from command prompt.
Note
To check whether the connection to SAP is working, log on to the command line of the SAProuter server, navigate to the dedicated SAProuter directory, and execute:
The following graphic illustrates customer access to SAP SuccessFactors Employee Central Payroll systems over a
virtual private network (VPN). As stated previously in the Introduction [page 4], the primary reason for using the
VPN is SAPGui access to the SAP Payroll systems. It can also be used for remote function call (RFC)/application
link enabling (ALE) based integrations. SAP recommends that you use Web Services instead of RFC to set up
integration wherever possible.
SAPGui and SAP RFC use SAProuters on both sides of the connection. SAProuter strings are required to establish a
successful connection. The SAProuter strings vary depending on the location of the SAP Payroll systems. The
following list of SAProuter strings is provided to be used for end-to-end connectivity tests using the SAP NIPING
tool. The SAProuter string used in SAP Logon is slightly different – see the next section for details.
US (NSQ/STL) /H/<customer-saprouter>/S/3299/H/sr-amer.payroll.gtm.ondemand.com/H/<payroll-host>/S/3200
US (NSQ/STL) /H/<customer-saprouter>/S/3299/H/sr-amer.payroll.gtm.ondemand.com/H/<payroll-host>/S/3300
US (NSQ/STL) /H/sr-amer.payroll.gtm.ondemand.com/H/<customer-saprouter>/S/3299/H/<customer-host>/S/3300
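As an added example (not SAP's code and not part of the original document), the following Python models how a SAProuter decides one hop of a route string against its saprouttab, using the US route strings above and the permit pattern of the saprouttab in the SAProuter Installation section (tcp/3299 towards SAP, 3300-3399 back towards customer RFC hosts). The SAPROUTTAB text, the host name cust-sr and the client address used in the comments are constructed for the example; real SAProuter also matches subnet masks and route passwords, which this model omits.

```python
import re
from fnmatch import fnmatchcase
# Constructed saprouttab modelled on the document's US entries (P = permit, D = deny).
SAPROUTTAB = """
P * sr-amer.payroll.gtm.ondemand.com 3299        # customer hosts -> SAP SAProuter
P sr-amer.payroll.gtm.ondemand.com * 3300-3399   # SAP SAProuter -> customer RFC hosts
D * * *                                          # explicit catch-all deny
"""

def parse_saprouttab(text):
    """Return (action, src, dst, serv) tuples in file order, comments stripped."""
    rules = []
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split()
        if not parts:
            continue
        if len(parts) < 4 or parts[0] not in ("P", "D"):
            raise ValueError(f"unsupported saprouttab line: {line!r}")
        rules.append(tuple(parts[:4]))
    return rules
def serv_matches(pattern, port):
    if pattern == "*":
        return True
    if "-" in pattern:                      # range such as 3300-3399
        lo, hi = (int(p) for p in pattern.split("-", 1))
        return lo <= port <= hi
    return int(pattern) == port
def parse_route_string(route):
    """'/H/a/S/3299/H/b' -> [('a', 3299), ('b', 3299)]; a missing /S/ means 3299."""
    hops = [(m.group(1), int(m.group(2) or 3299))
            for m in re.finditer(r"/H/([^/]+)(?:/S/(\d+))?", route)]
    if not hops:
        raise ValueError(f"not a SAProuter route string: {route!r}")
    return hops
def is_permitted(rules, src, dst, port):
    """First matching rule wins; no match is a deny (wildcards approximated with fnmatch)."""
    for action, s, d, serv in rules:
        if fnmatchcase(src, s) and fnmatchcase(dst, d) and serv_matches(serv, port):
            return action == "P"
    return False
def check_route(rules, client, route, my_host):
    """Would SAProuter my_host forward its hop (previous hop or client -> next /H/ entry)?"""
    hops = parse_route_string(route)
    names = [h for h, _ in hops]
    i = names.index(my_host)                # ValueError if my_host is not in the route
    src = client if i == 0 else names[i - 1]
    dst, port = hops[i + 1]
    return is_permitted(rules, src, dst, port)
```

For the first US route string, evaluated at the customer SAProuter, the hop is client -> sr-amer.payroll.gtm.ondemand.com:3299 and is permitted; a route that names any other destination or port on the way to SAP falls through to the deny.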
Note
The specific requirements to be met by the customer for this RFC to work are:
SAP Logon is used to initiate a user session to your Employee Central Payroll system. Not all logon pads are available for cloud customers.
To install the SAP GUI for Windows for Employee Central Payroll systems, go to the ONE Support Launchpad.
GUI versions are downward compatible. The supported SAP GUI versions that can be used for Employee Central Payroll systems are SAP GUI FOR WINDOWS 7.50 CORE and SAP GUI FOR WINDOWS 7.60 CORE. Customers can download either version.
To complete your SAP Logon configuration, you need the information regarding Application Server Name and
System ID that has been provided to you in the system handover mail.
The SAProuter String value depends on both the IP address of your SAProuter as well as the location of your SAP
Payroll systems. The following lines show standard SAProuter strings for the various Payroll locations:
The integration between SAP S/4HANA Cloud Public and SAP SuccessFactors Employee Central Payroll is done via web service and doesn't require VPN connectivity.
For more information about the procedure, see the Integration Between Payroll and Finance document: https://help.sap.com/viewer/6b39bd1d0e5e4099a5b65d835c29c696/latest/en-US/92b87c4ebfde49ada97673358ace9427.html
For more information about the configuration, see the Setting Up Payroll Processing with SAP SuccessFactors
Employee Central Payroll (1NL) document.
Note
As these configuration steps are customer-specific, they can’t be delivered by SAP and must be carried out by
the customer.