INTERNAL – Authorized for SAP Customers and Partners

Document Version: 2H 2022 – 2022-12-09

Setting Up an SNC-Based SAProuter Connection

for Employee Central Payroll Systems
© 2022 SAP SE or an SAP affiliate company. All rights reserved.

THE BEST RUN

Content

1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3

2 Change History . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4

3 SNC Connection Between SAPRouters: Technical Details . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5

4 Install and Configure SAPRouter. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8

5 Start SAProuter. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12
5.1 Linux/Unix-Based Hosts. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12
5.2 Windows-Based Hosts. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13
5.3 Network Tests. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .13

6 SAP Logon for Employee Central Payroll . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15

7 SAP Logon Configuration. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16

7.1 Usage of Connectivity. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17

8 Customer Access To/From Payroll Systems Available Using Web Services. . . . . . . . . . . . . . . . . . . 20

Setting Up an SNC-Based SAProuter Connection for Employee Central Payroll Systems

2 INTERNAL – Authorized for SAP Customers and Partners Content
1 Introduction

This document describes the steps required to set up a secure connection using SNC (Secure Network
Communications) between an Employee Central Payroll customer and SAP. SAProuter connectivity is primarily
needed for the back-end access to Employee Central Payroll systems via SAP GUI. However, it can also be used
for RFC/ALE-based integrations. For integration scenarios, where it is possible SAP recommends that you use Web
Services instead of RFC to be less dependent on the SAProuter connection.

 Caution

SAProuter connectivity cannot be used for integration scenarios with HTTP/HTTPS connections.

Supported Scenarios

The following scenarios are supported:

• SAP GUI communication through the SAProuter (to the message server and/or SAP dispatcher).
• RFC communication between systems or between RFC client and Gateway
• Support connections from SAP to customers. For support purposes SAP enables the transfer of other
protocols through special, proprietary precautions, but these are not appropriate for production operation
and are not released.

Not Supported Scenarios

The following scenarios are not supported:

• Communication between server components with HTTP-based protocols through the SAProuter (e.g. Web
service calls through HTTP)
• Communication from a user interface such as the browser or the Business Client through SAProuter to an
application server (e.g. Web Dynpro or BSP-based applications)
• Binary protocols (e.g. terminal server, X-server) between communication partners

Setting Up an SNC-Based SAProuter Connection for Employee Central Payroll Systems

Introduction INTERNAL – Authorized for SAP Customers and Partners 3
2 Change History

Learn about changes to the documentation for Setting Up an SNC-Based SAProuter Connection for Employee
Central Payroll Systems hosted on AZURE/GCP in recent releases.

2H 2022

Type of Change Description More Info

Changed We updated the content. Windows-Based Hosts [page 13]

1H 2022

Type of Change Description More Info

Added We’ve added information about new data Install and Configure SAPRouter [page
centers. 8]

Network Tests [page 13]

Usage of Connectivity [page 17]

Setting Up an SNC-Based SAProuter Connection for Employee Central Payroll Systems

4 INTERNAL – Authorized for SAP Customers and Partners Change History
3 SNC Connection Between SAPRouters:
Technical Details

The technical setup consists of at least SAProuter on the customer side, as well as a load balanced SAProuter on
the SAP side. Note that all network devices at SAP are set up as a high availability cluster. For simplicity, the firewall
and Load Balancer are represented as single devices in the figure below.

SAPRouter

SAProuter is a software application that provides Application Level Gateway (ALG) functionality for SAP application
protocols. Typically, SAProuter is used to provide a remote connection to the SAP support infrastructure. For
Employee Central Payroll connectivity, SAProuter is used only as an Application Level Gateway.

SAPRouter must be configured with a public IP address owned by your company. This helps to avoid IP address
conflicts with other customers. As most customers use private IP addresses on their internal systems, this can be
achieved by applying Network Address Translation (NAT).

SAPRouter Registration

Ensure that SAProuter is provisioned in the DMZ network that should have a public IP address assigned to it. Follow
the guidelines below to get SAProuter registered with SAP. Request SAProuter registration by creating a support
ticket for component XX-SER-NET-NEW with the template filled in as shown below:

Setting Up an SNC-Based SAProuter Connection for Employee Central Payroll Systems

SNC Connection Between SAPRouters: Technical Details INTERNAL – Authorized for SAP Customers and Partners 5
Template

Dear SAP Team,

Register SAProuter using the details below which will be used to connect “Employee Central Payroll Systems hosted in <Azure/
GCP>”

EC Payroll Systems SID: <Dev, QA, Prod>

IP address of the SAProuter computer (*): ___<Mention public IP of SAProuter>______

Host name of the SAProuter computer (*): ___<any unique hostname_________ (Note : hostname should not be SAPRouter or
SAPRouter CA.)

[Host name is restricted to 16 characters]

Regards, XXXXXX

For more information, refer to SAP Note 28976 .

While SAP is performing SAProuter registration, follow the steps described in Install and Configure SAPRouter.

Disaster Recovery Setup for SAPRouter

SAP has built Disaster Recovery systems at SAP DR sites for every corresponding Employee Central Payroll
Production system. In case of any disaster situation at SAP Production site, customer must be able to connect
to payroll system located in DR site via DR SAPRouter to continue with business run, until Production system
become available. The same configuration details submitted for Production site SAPRouter would be used for DR
site SAProuter configuration too. In case you have separate SAProuter for SAP DR site, please follow same process
mentioned in section "SAPRouter Registration" to configure your another SAProuter with SAP.

Secure Network Communication (SNC)

SNC is used to make network connections using the Internet, in particular WAN connections, secure. It provides
reliable authentication as well as encryption of the data to be transferred.
SAProuter allows SNC connections to be set up. The route permission table can be used to specify precisely
whether SNC connections are allowed, and if so, which ones.

Prerequisites

The prerequisites are the following:

• SAPRouter must be registered with SAP as mentioned in chapter "SAPRouter Registration"

• You’re using at least version 30 of SAProuter or higher and have an SNC configured using the relevant guide.
• SAProuter must get started with option -K <SNCname>. These names ensure the authenticity of a host.
• There must be a KT entry in the route permission table of the source host. This causes the connection to the
target host to use the SNC layer.

Setting Up an SNC-Based SAProuter Connection for Employee Central Payroll Systems

6 INTERNAL – Authorized for SAP Customers and Partners SNC Connection Between SAPRouters: Technical Details
 • Allowlist for both primary and disaster sites SAP IP addresses as mentioned below:
• SAP Payroll system located in XME-Canada: Toronto
(Disaster Recovery: Canada East - Quebec)
Productive Datacenter : 52.139.17.187 , 52.228.104.172.
Disaster Recovery Datacenter : 40.80.240.128
• SAP Payroll system located in XM2-USA: Virginia
(Disaster Recovery: US West 2 – Washington)
Productive Datacenter : 52.154.71.175 and 52.226.170.15
Disaster Recovery Datacenter : 52.143.86.32 and 52.156.145.222
• SAP Payroll system located in XM3-USA: Virginia
(Disaster Recovery: Washington)
Primary Datacenter : 20.36.216.190 , 20.75.47.175
Disaster Recovery Datacenter : 20.80.180.191 & 52.137.102.104
• SAP Payroll system located in XGB-Germany: Frankfurt
((Disaster Recovery: Europe - West4 Netherlands)
Primary Datacenter : 34.89.141.13 , 34.89.143.40 and 35.242.198.13
Disaster Recovery Datacenter : 34.91.42.149 and 34.90.197.160
• SAP Payroll system located in XG9-Tokyo: Japan
(Disaster Recovery: Osaka)
Primary Datacenter : 35.243.103.152, 34.85.76.76 and 35.190.233.102
Disaster Recovery Datacenter : 34.97.254.223, 34.97.23.238 and 34.97.3.31
• SAP Payroll system located in XMS-Australia: New South Wales
(Disaster Recovery: Melbourne)
Primary Datacenter : 20.227.19.131 , 20.53.139.250
Disaster Recovery Datacenter : 52.255.53.186, 52.189.194.37
• SAP Payroll system located in DB1-United Arab Emirates: Dubai
Primary Datacenter : 130.214.197.23 , 130.214.250.32/27
• SAP Payroll system located in RI1-Saudi Arabia: Riyadh
Primary Datacenter : 130.214.223.77 , 130.214.222.32/27

 Note

We recommend that you always install the latest SAProuter version.

 Note

US region has 2 Datacenters, XM2-USA-Virginia & XM3-USA-Virginia, Please refer your provisioning handover
email to find your allocated system DC in US region. If you are not sure, please raise a case to component
LOD-EC-GCP-PY-OPS

Setting Up an SNC-Based SAProuter Connection for Employee Central Payroll Systems

SNC Connection Between SAPRouters: Technical Details INTERNAL – Authorized for SAP Customers and Partners 7
4 Install and Configure SAPRouter

This section covers the procedure for installing and configuring SAProuter and includes information for both Linux/
Unix and Windows hosts.

Context

SAProuter related data is available on the SAP Portal Home page .

Procedure

1. Create the subdirectory saprouter in directory /usr/sap/saprouter.

2. On the SAP Portal Home page , do the following:
a. Click on Download SAProuter to download the latest version of the SAProuter software according to the
operating system of the host that you plan to install SAProuter.
b. A-Z Alphabetical List of Products > S > SAPROUTER > SAPROUTER (latest versions) > select OS from
drop-down > select saprouter_XXX-XXXXXXXX.sar > Download Basket button
c. A-Z Alphabetical List of Products > S > SAPCRYPTOLIB > COMMONCRYPTOLIB (latest version) > select
OS from drop-down > select SAPCRYPTOLIBP_xxxx-xxxxxxxx.SAR > Download Basket button
d. A-Z Alphabetical List of Products > S > SAPCAR > SAPCAR (latest version) >your preferred O.S. version >
SAPCAR_xxx-xxxxxxxx.EXE

Depending on the operating system, the following steps must be executed from the command line
interface.
3. Make sure that all downloaded files have the same path. For example, the path from step 1 above: /usr/sap
4. Extract all the files in the same path using the following commands:
• SAPCAR -xvf <SAPCRYPTOLIBP_xxxx-xxxxxxxx.SAR>
• SAPCAR -xvf < saprouter_XXX-XXXXXXXX.sar>

 Note

For Windows ensure that downloaded SAPCAR_XXX-XXXXX.EXE file is being used to unchar the .SAR file.

5. Set the environment variables SNC_LIB and SECUDIR.

• SNC_LIB = <path of COMMONCRYPTOLIB>

Example: SNC_LIB=/usr/sap/saprouter/libsapcrypto.so in Linux)
• SECUDIR = <Directory of SAProuter>
Example: SECUDIR=/usr/sap/saprouter in Linux
Example: SECUDIR=/usr/sap/saprouter in Linux
Ensure that the sec directory is created if it does not exist. However, it is not mandatory to use this sec
directory. Instead, the same directory (/usr/sap/saprouter) where the executable is located can be used.

Setting Up an SNC-Based SAProuter Connection for Employee Central Payroll Systems

8 INTERNAL – Authorized for SAP Customers and Partners Install and Configure SAPRouter
 6. Create a file saprouttab (without any file extension like .txt) in the folder where executables are downloaded
and maintain the entries below according to your systems location (data center).

Primary Datacenter: XME-Canada: Toronto

KT "p:CN=PAYDC47_SR, OU=0001119571, OU=SAProuter, O=SAP, C=DE" payroll.sapsf.com 3299

KS "p:CN=PAYDC47_SR, OU=0001119571, OU=SAProuter, O=SAP, C=DE" * 3200.3399

S * payroll.sapsf.com 3200.3399

D***

Disaster Datacenter : Canada East – Quebec

KT "p:CN=PAYDC49_SR, OU=0001119571, OU=SAProuter, O=SAP, C=DE" payroll49.sapsf.com 3299

KS "p:CN=PAYDC49_SR, OU=0001119571, OU=SAProuter, O=SAP, C=DE" * 3200.3399

S * payroll49.sapsf.com 3200.3399

D***

Primary Datacenter : XM2-USA: Virginia

KT "p:CN=PAYDC41_SR, OU=0001119571, OU=SAProuter, O=SAP, C=DE" payroll41.sapsf.com 3299

KS "p:CN=PAYDC41_SR, OU=0001119571, OU=SAProuter, O=SAP, C=DE" * 3200.3399

S * payroll41.sapsf.com 3200.3399

D***

Disaster Datacenter : US West 2 – Washington

KT "p:CN=PAYDC43_SR, OU=0001119571, OU=SAProuter, O=SAP, C=DE"payroll43.sapsf.com 3299

KS "p:CN=PAYDC43_SR, OU=0001119571, OU=SAProuter, O=SAP, C=DE" * 3200.3399

S * payroll43.sapsf.com 3200.3399

D***

Primary Datacenter : XM3-USA: Virginia

KT "p:CN=PAYDC64_OSK, OU=0001119571, OU=SAProuter, O=SAP, C=DE" payroll64-osk.sapsf.com 3299

KS "p:CN=PAYDC64_OSK, OU=0001119571, OU=SAProuter, O=SAP, C=DE" * 3200.3399

S * payroll64-osk.sapsf.com 3200.3399

D***

Disaster Datacenter : US West 2: Washington

KT "p:CN=PAYDC65_OSK, OU=0001119571, OU=SAProuter, O=SAP, C=DE" payroll65-osk.sapsf.com 3299

KS "p:CN=PAYDC65_OSK, OU=0001119571, OU=SAProuter, O=SAP, C=DE" * 3200.3399

S * payroll65-osk.sapsf.com 3200.3399

D***

Primary Datacenter : XGB-Germany: Frankfurt

KT "p:CN=PAYDC55_SR, OU=0001119571, OU=SAProuter, O=SAP, C=DE" payroll55.sapsf.eu 3299

Setting Up an SNC-Based SAProuter Connection for Employee Central Payroll Systems

Install and Configure SAPRouter INTERNAL – Authorized for SAP Customers and Partners 9
 KS "p:CN=PAYDC55_SR, OU=0001119571, OU=SAProuter, O=SAP, C=DE" * 3200.3399

S * payroll55.sapsf.eu 3200.3399

D***

Disaster Datacenter : Europe - West4 Netherlands

KT "p:CN=PAYDC56_SR, OU=0001119571, OU=SAProuter, O=SAP, C=DE" payroll56.sapsf.eu 3299

KS "p:CN=PAYDC56_SR, OU=0001119571, OU=SAProuter, O=SAP, C=DE" * 3200.3399

S * payroll56.sapsf.eu 3200.3399

D***

Primary Datacenter : XG9 - Tokyo Japan

KT "p:CN=PAYDC50_SR, OU=0001119571, OU=SAProuter, O=SAP, C=DE" 35.243.103.152 3299

KS "p:CN=PAYDC50_SR, OU=0001119571, OU=SAProuter, O=SAP, C=DE" * 3200.3399

S * payroll50.sapsf.eu 3200.3399

D***

Disaster Datacenter : Osaka

KT "p:CN=PAYDC51_SR, OU=0001119571, OU=SAProuter, O=SAP, C=DE" 34.97.254.223 3299

KS "p:CN=PAYDC51_SR, OU=0001119571, OU=SAProuter, O=SAP, C=DE" * 3200.3399

S * payroll51.sapsf.eu 3200.3399

D***

Primary Datacenter : XMS-Australia: New South Wales

KT "p:CN=PAYDC66_OSK, OU=0001119571, OU=SAProuter, O=SAP, C=DE" payroll66-osk.sapsf.com 3299

KS "p:CN=PAYDC66_OSK, OU=0001119571, OU=SAProuter, O=SAP, C=DE" * 3200.3399

S * payroll66-osk.sapsf.eu 3200.3399

D***

Disaster Datacenter : Australia Southeast: Melbourne

KT "p:CN=PAYDC67_OSK, OU=0001119571, OU=SAProuter, O=SAP, C=DE" payroll67-osk.sapsf.com 3299

KS "p:CN=PAYDC67_OSK, OU=0001119571, OU=SAProuter, O=SAP, C=DE" * 3200.3399

S * payroll67-osk.sapsf.eu 3200.3399

D***

Primary Datacenter: DB1-United Arab Emirates: Dubai

KT "p:CN=PAYDC22_OSK, OU=0001119571, OU=SAProuter, O=SAP, C=DE" payroll22-osk.sapsf.com 3299

KS "p:CN=PAYDC22_OSK, OU=0001119571, OU=SAProuter, O=SAP, C=DE" * 3200.3399

S * payroll22-osk.sapsf.eu 3200.3399

D***

Setting Up an SNC-Based SAProuter Connection for Employee Central Payroll Systems

10 INTERNAL – Authorized for SAP Customers and Partners Install and Configure SAPRouter
 Primary Datacenter:RI1-Saudi Arabia: Riyadh

KT "p:CN=PAYDC23_OSK, OU=0001119571, OU=SAProuter, O=SAP, C=DE" payroll23-osk.sapsf.com 3299

KS "p:CN=PAYDC23_OSK, OU=0001119571, OU=SAProuter, O=SAP, C=DE" * 3200.3399

S * payroll23-osk.sapsf.com 3200.3399

D***

Setting Up an SNC-Based SAProuter Connection for Employee Central Payroll Systems

Install and Configure SAPRouter INTERNAL – Authorized for SAP Customers and Partners 11
5 Start SAProuter

Context

Before starting the SAProuter service, ensure that SAProuter registration is completed via the request described in
section about the SAProuter Registration. Once it’s registered, please do the following:

Procedure

1. Go o to the portal https://launchpad.support.sap.com/#/saproutercertificate and search for the SAProuter

application and from the list of SAProuters registered to your installation number, choose the relevant
SAProuter.
2. Generate a PSE. You must provide a password, which will be used to create your SAProuter PSE.
3. Download the generated PSE https://support.sap.com/en/tools/connectivity-tools/saprouter.html and
save it as local.pse in the same directory as the sapgenpse executable.
4. Run the following commands on the SAProuter machine by logging in with <Service user ID> account:

• sapgenpse seclogin -p local.pse -x -O <DOMAIN>\<Service user ID> [windows machine]

• sapgenpse seclogin -p local.pse -x -O <Service user ID> [Linux machine]
• sapgenpse get_my_name -v -n Issuer

This command ensures that the issuer of the certificate is from SAProuter CA. For more information, refer to
the SAProuter page https://support.sap.com/en/tools/connectivity-tools/saprouter.html .

5.1 Linux/Unix-Based Hosts

Start SAProuter using the following command to run in the background.

nohup SAProuter -r -K "p:<Full distinguished name of the applied certificate>” & Note that this command can
be used to run the service in the background.

 Note

Other useful commands for Linux/Unix based hosts:

• Stop SAProuter using the SAProuter -s command.

• Check SAProuter status using the SAProuter -l command.
• Soft shutdown of SAProuter using the SAProuter -p command

Setting Up an SNC-Based SAProuter Connection for Employee Central Payroll Systems

12 INTERNAL – Authorized for SAP Customers and Partners Start SAProuter
5.2 Windows-Based Hosts

To start SAPRouter in Windows-Based hosts, follow the instructions provided in SAP Note 525751 .

5.3 Network Tests

To check whether the connection to SAP is working, log on to the command line of the SAProuter server, navigate
to the dedicated SAProuter directory and execute the following commands based on the location of your system.

XME-Canada: Toronto

niping -c -O -H /H/<local LAN IP of SAProuter>/S/3299/H/payroll.sapsf.com/S/3299

niping -c -O -H /H/<local LAN IP of SAProuter>/S/3299/H/payroll.sapsf.com/S/3299/H/vaci<payroll system

ID>/S/3200

Canada East – Quebec

niping -c -O -H /H/<local LAN IP of SAProuter>/S/3299/H/payroll49.sapsf.com/S/3299

niping -c -O -H /H/<local LAN IP of SAProuter>/S/3299/H/payroll49.sapsf.com/S/3299/H/vaci<payroll system

ID>/S/3200 (This command works only when DR site is active)

XM2-USA: Virginia

niping -c -O -H /H/<local LAN IP of SAProuter>/S/3299/H/payroll41.sapsf.com/S/3299

niping -c -O -H /H/<local LAN IP of SAProuter>/S/3299/H/payroll41.sapsf.com/S/3299/H/vaci<payroll system

ID>/S/3200

US West 2 – Washington

niping -c -O -H /H/<local LAN IP of SAProuter>/S/3299/H/payroll43.sapsf.com/S/3299

niping -c -O -H /H/<local LAN IP of SAProuter>/S/3299/H/payroll43.sapsf.com/S/3299/H/vaci<payroll system

ID>/S/3200 (This command works only when DR site is active)

XM3-USA: Virginia

niping -c -O -H /H/<local LAN IP of SAProuter>/S/3299/H/payroll64-osk.sapsf.com/S/3299

niping -c -O -H /H/<local LAN IP of SAProuter>/S/3299/H/payroll64-osk.sapsf.com/S/3299/H/vaci<payroll

system ID>/S/3200

US West 2: Washington

niping -c -O -H /H/<<local LAN IP of SAProuter>/S/3299/H/payroll65-osk.sapsf.com/S/3299

niping -c -O -H /H/<<local LAN IP of SAProuter>/S/3299/H/payroll65-osk.sapsf.com/S/3299/H/vaci/S/3200

(This command works only when DR site is active)

XGB-Germany: Frankfurt

niping -c -O -H /H/<local LAN IP of SAProuter>/S/3299/H/payroll55.sapsf.eu/S/3299

Setting Up an SNC-Based SAProuter Connection for Employee Central Payroll Systems

Start SAProuter INTERNAL – Authorized for SAP Customers and Partners 13
niping -c -O -H /H/<local LAN IP of SAProuter>/S/3299/H/payroll55.sapsf.eu/S/3299/H/vaci<payroll system
ID>/S/3200

Europe - West4 Netherlands

niping -c -O -H /H/<local LAN IP of SAProuter>/S/3299/H/payroll56.sapsf.eu/S/3299

niping -c -O -H /H/<local LAN IP of SAProuter>/S/3299/H/payroll56.sapsf.eu/S/3299/H/vaci<payroll system

ID>/S/3200 (This command works only when DR site is active)

XG9 - Tokyo Japan

niping -c -O -H /H/<local LAN IP of SAProuter>/S/3299/H/payroll50.sapsf.eu/S/3299

niping -c -O -H /H/<local LAN IP of SAProuter>/S/3299/H/payroll50.sapsf.eu/S/3299/H/vaci<payroll system

ID>/S/3200

Osaka

niping -c -O -H /H/<local LAN IP of SAProuter>/S/3299/H/payroll51.sapsf.eu/S/3299

niping -c -O -H /H/<local LAN IP of SAProuter>/S/3299/H/payroll51.sapsf.eu/S/3299/H/vaci<payroll system

ID>/S/3200 (This command works only when DR site is active)

XMS-Australia: New South Wales

niping -c -O -H /H/<local LAN IP of SAProuter>/S/3299/H/payroll66-osk.sapsf.com/S/3299

niping -c -O -H /H/<local LAN IP of SAProuter>/S/3299/H/payroll66-osk.sapsf.com/S/3299/H/vaci<payroll

system ID>/S/3200

Australia Southeast: Melbourne

niping -c -O -H /H/<local LAN IP of SAProuter>/S/3299/H/payroll67-osk.sapsf.com/S/3299

niping -c -O -H /H/<local LAN IP of SAProuter>/S/3299/H/payroll67- osk.sapsf.com/S/3299/H/vaci/S/3200

(This command works only when DR site is active)

DB1-United Arab Emirates: Dubai

niping -c -O -H /H/<customer SAProuter localIP>/S/3299/H/payroll22-osk.sapsf.com/S/3299

niping -c -O -H /H/<local LAN IP ofSAProuter>/S/3299/H/payroll22-osk.sapsf.com/S/3299/H/vaci<SID>/S/

3200

RI1-Saudi Arabia: Riyadh

niping -c -O -H /H/<customer SAProuter localIP>/S/3299/H/payroll23-osk.sapsf.com/S/3299

niping -c -O -H /H/<local LAN IP ofSAProuter>/S/3299/H/payroll23-osk.sapsf.com/S/3299/H/vaci<SID>/S/

3200

 Note

SAP will be enabling monitoring for the connection between SAPRouter at SAP side and SAPRouter at
customer side. This will periodically check the connection to customer SAPRouter and alert in case of
connectivity errors. Customer must allow incoming traffic from SAP's SAPRouter to customer's SAPRouter
to enable the monitoring. The connection won’t be monitored if customers don’t allow the inbound access from
SAP's SAPRouter to customer's SAPRouter.

Setting Up an SNC-Based SAProuter Connection for Employee Central Payroll Systems

14 INTERNAL – Authorized for SAP Customers and Partners Start SAProuter
6 SAP Logon for Employee Central Payroll

SAP Logon is used to initiate a user session to your Employee Central Payroll system. Not all logon pads are
available for cloud customers.

To install the SAP GUI for Windows for Employee Central Payroll systems, go to the SAP ONE Support
Launchpad . GUI versions are backward compatible. The supported version of GUI that can be used for Employee
Central Payroll systems available are SAP GUI FOR WINDOWS 7.50 CORE and SAP GUI FOR WINDOWS 7.60 CORE.
Customers can download either version.

Setting Up an SNC-Based SAProuter Connection for Employee Central Payroll Systems

SAP Logon for Employee Central Payroll INTERNAL – Authorized for SAP Customers and Partners 15
7 SAP Logon Configuration

To complete your SAP Logon configuration, you need the information regarding Application Server Name and
System ID that has been provided to you in the system handover mail.

The SAProuter String value depends on both the IP address of your SAProuter as well as the location of your
SAP Payroll systems. As mentioned in the following picture, configure the settings to achieve logon load balance
connectivity:

Setting Description

Connection Type Group/Server selection

Description Your payroll Dev/QA/Prod system description

System ID SID

Message server vacs<sid>

SAProuter String of SAProuter /H/<cust-IP>/S/3299/H/<sap-IP>/S/

3299

Setting Up an SNC-Based SAProuter Connection for Employee Central Payroll Systems

16 INTERNAL – Authorized for SAP Customers and Partners SAP Logon Configuration
 Setting Description

Group/Server PUBLIC

Instance number 00

 Note

Make sure that the following line is added into your SAP GUI service file in your window host:

Sapms<SID> 3600/tcp #SAP message server port

 Note

In case of SAP GUI for Java, make sure that the following string is maintained for connection type server group:

conn=/M/<message server address>/S/<message server port no>/G/<Log on Group name>

7.1 Usage of Connectivity

Primary Datacenter: XME-Canada: Toronto

• SAP GUI from Customer to SAP Payroll System

/H/<Customer SAProuter>/S/3299/H/payroll.sapsf.com/S/3299/H/<payroll-host>/S/3200
• RFC from Customer to SAP Payroll System
/H/<Customer SAProuter>/S/3299/H/payroll.sapsf.com/S/3299/H/<payroll-host>/S/3300
• RFC from SAP Payroll System to Customer ABAP Systems
/H/payroll.sapsf.com/S/3299/H/<Customer SAProuter>/S/3299/H/<ABAP server to be connected>

Disaster Datacenter: XME-Canada: Quebec

• SAP GUI from Customer to SAP Payroll System

/H/<Customer SAProuter>/S/3299/H/payroll49.sapsf.com/S/3299/H/<payroll-host>/S/3200
• RFC from Customer to SAP Payroll System
/H/<Customer SAProuter>/S/3299/H/payroll49.sapsf.com/S/3299/H/<payroll-host>/S/3300
• RFC from SAP Payroll System to Customer ABAP Systems
/H/payroll49.sapsf.com/S/3299/H/<Customer SAProuter>/S/3299/H/<ABAP server to be connected>

Primary Datacenter: XM2-USA: Virginia

• SAP GUI from Customer to SAP Payroll System

/H/<Customer SAProuter>/S/3299/H/payroll41.sapsf.com/S/3299/H/<payroll-host>/S/3200
• RFC from Customer to SAP Payroll System
/H/<Customer SAProuter>/S/3299/H/payroll41.sapsf.com/S/3299/H/<payroll-host>/S/3300
• RFC from SAP Payroll System to Customer ABAP Systems
/H/payroll41.sapsf.com/S/3299/H/<Customer SAProuter>/S/3299/H/<ABAP server to be connected>

Disaster Datacenter: US West 2 – Washington

• SAP GUI from Customer to SAP Payroll System

Setting Up an SNC-Based SAProuter Connection for Employee Central Payroll Systems

SAP Logon Configuration INTERNAL – Authorized for SAP Customers and Partners 17
 /H/<Customer SAProuter>/S/3299/H/payroll43.sapsf.com/S/3299/H/<payroll-host>/S/3200
• RFC from Customer to SAP Payroll System
/H/<Customer SAProuter>/S/3299/H/payroll43.sapsf.com/S/3299/H/<payroll-host>/S/3300
• RFC from SAP Payroll System to Customer ABAP Systems
/H/payroll43.sapsf.com/S/3299/H/<Customer SAProuter>/S/3299/H/<ABAP server to be connected>

Primary Datacenter : XM3-USA: Virginia

• SAP GUI from Customer to SAP Payroll System

/H/<Customer SAProuter>/S/3299/H/payroll64-osk.sapsf.com/S/3299/H/<payroll-host>/S/3200
• RFC from Customer to SAP Payroll System
/H/<Customer SAProuter>/S/3299/H/payroll64-osk.sapsf.com/S/3299/H/<payroll-host>/S/3300
• RFC from SAP Payroll System to Customer ABAP Systems
/H/payroll64-osk.sapsf.com/S/3299/H/<Customer SAProuter>/S/3299/H/<ABAP Server to be
connected>

Disaster Datacenter: US West 2 – Washington

• SAP GUI from Customer to SAP Payroll System

/H/<Customer SAProuter>/S/3299/H/payroll65-osk.sapsf.com/S/3299/H/<payroll-host>/S/3200
• RFC from Customer to SAP Payroll System
/H/<Customer SAProuter>/S/3299/H/payroll65-osk.sapsf.com/S/3299/H/<payroll-host>/S/3300
• RFC from SAP Payroll System to Customer ABAP Systems
/H/payroll65-osk.sapsf.com/S/3299/H/<Customer SAProuter>/S/3299/H/<ABAP Server to be
connected>

Primary Datacenter: XGB-Germany: Frankfurt

• SAP GUI from Customer to SAP Payroll System

/H/<Customer SAProuter>/S/3299/H/payroll55.sapsf.eu/S/3299/H/<payroll-host>/S/3200
• RFC from Customer to SAP Payroll System
/H/<Customer SAProuter>/S/3299/H/payroll55.sapsf.eu/S/3299/H/<payroll-host>/S/3300
• RFC from SAP Payroll System to Customer ABAP Systems
/H/payroll55.sapsf.eu/S/3299/H/<Customer SAProuter>/S/3299/H/<ABAP server to be connected>

Disaster Datacenter: Europe - West4 Netherlands

• SAP GUI from Customer to SAP Payroll System

/H/<Customer SAProuter>/S/3299/H/payroll56.sapsf.eu/S/3299/H/<payroll-host>/S/3200
• RFC from Customer to SAP Payroll System
/H/<Customer SAProuter>/S/3299/H/payroll56.sapsf.eu/S/3299/H/<payroll-host>/S/3300
• RFC from SAP Payroll System to Customer ABAP Systems
/H/payroll56.sapsf.eu/S/3299/H/<Customer SAProuter>/S/3299/H/<ABAP server to be connected>

Primary Datacenter: XG9 - Tokyo Japan

• SAP GUI from Customer to SAP Payroll System

/H/<Customer SAProuter>/S/3299/H/payroll50.sapsf.com/S/3299/H/<payroll-host>/S/3200
• RFC from Customer to SAP Payroll System
/H/<Customer SAProuter>/S/3299/H/payroll50.sapsf.com/S/3299/H/<payroll-host>/S/3300
• RFC from SAP Payroll System to Customer ABAP Systems
/H/payroll50.sapsf.com/S/3299/H/<Customer SAProuter>/S/3299/H/<ABAP server to be connected>

Disaster Datacenter : Osaka

Setting Up an SNC-Based SAProuter Connection for Employee Central Payroll Systems

18 INTERNAL – Authorized for SAP Customers and Partners SAP Logon Configuration
 • SAP GUI from Customer to SAP Payroll System
/H/<Customer SAProuter>/S/3299/H/payroll51.sapsf.com/S/3299/H/<payroll-host>/S/3200
• RFC from Customer to SAP Payroll System
/H/<Customer SAProuter>/S/3299/H/payroll51.sapsf.com/S/3299/H/<payroll-host>/S/3300
• RFC from SAP Payroll System to Customer ABAP Systems
/H/payroll51.sapsf.com/S/3299/H/<Customer SAProuter>/S/3299/H/<ABAP server to be connected>

Primary Datacenter : XMS-Australia: New South Wales

• SAP GUI from Customer to SAP Payroll System

/H/<Customer SAProuter>/S/3299/H/payroll66-osk.sapsf.com/S/3299/H/<payroll-host>/S/3200
• RFC from Customer to SAP Payroll System
/H/<Customer SAProuter>/S/3299/H/payroll66-osk.sapsf.com/S/3299/H/<payroll-host>/S/3300
• RFC from SAP Payroll System to Customer ABAP Systems
/H/payroll66-osk.sapsf.com/S/3299/H/<Customer SAProuter>/S/3299/H/<ABAP Server to be
connected>

Disaster Datacenter: Australia Southeast: Melbourne

• SAP GUI from Customer to SAP Payroll System

/H/<Customer SAProuter>/S/3299/H/payroll67-osk.sapsf.com/S/3299/H/<payroll-host>/S/3200
• RFC from Customer to SAP Payroll System
/H/<Customer SAProuter>/S/3299/H/payroll67-osk.sapsf.com/S/3299/H/<payroll-host>/S/3300
• RFC from SAP Payroll System to Customer ABAP Systems
/H/payroll67-osk.sapsf.com/S/3299/H/<Customer SAProuter>/S/3299/H/<ABAP Server to be connected>

Primary Datacenter : DB1-United Arab Emirates: Dubai

• SAP GUI from Customer to SAP Payroll System

/H/<Customer SAProuter>/S/3299/H/payroll22-osk.sapsf.com/S/3299/H/<payroll-host>/S/3200
• RFC from Customer to SAP Payroll System
/H/<Customer SAProuter>/S/3299/H/payroll22-osk.sapsf.com/S/3299/H/<payroll-host>/S/3300
• RFC from SAP Payroll System to Customer ABAP Systems
/H/payroll22-osk.sapsf.com/S/3299/H/<Customer SAProuter>/S/3299/H/<ABAP Server to be
connected>

Primary Datacenter : RI1-Saudi Arabia: Riyadh

• SAP GUI from Customer to SAP Payroll System

/H/<Customer SAProuter>/S/3299/H/payroll23-osk.sapsf.com/S/3299/H/<payroll-host>/S/3200
• RFC from Customer to SAP Payroll System
/H/<Customer SAProuter>/S/3299/H/payroll23-osk.sapsf.com/S/3299/H/<payroll-host>/S/3300
• RFC from SAP Payroll System to Customer ABAP Systems
/H/payroll23-osk.sapsf.com/S/3299/H/<Customer SAProuter>/S/3299/H/<ABAP Server to be
connected>

Setting Up an SNC-Based SAProuter Connection for Employee Central Payroll Systems

SAP Logon Configuration INTERNAL – Authorized for SAP Customers and Partners 19
8 Customer Access To/From Payroll Systems
Available Using Web Services

The integration between SAP S/4HANA Cloud and SAP SuccessFactors Employee Central Payroll is done via Web
service and doesn’t require an SAProuter connectivity.

For more information about the procedure, refer to Overview of the Integration Between Employee Central Payroll
and SAP S/4HANA Finance.

For more information about the configuration, refer to Setting Up Payroll Processing with SAP SuccessFactors
Employee Central Payroll (1NL) .

 Note

Because these configuration steps are customer-specific, they can’t be delivered by SAP and must be carried
out by the customer.

Setting Up an SNC-Based SAProuter Connection for Employee Central Payroll Systems

20 INTERNAL – Authorized for SAP Customers and Partners Customer Access To/From Payroll Systems Available Using Web Services
Important Disclaimers and Legal Information

Hyperlinks
Some links are classified by an icon and/or a mouseover text. These links provide additional information.
About the icons:

• Links with the icon : You are entering a Web site that is not hosted by SAP. By using such links, you agree (unless expressly stated otherwise in your agreements
with SAP) to this:

• The content of the linked-to site is not SAP documentation. You may not infer any product claims against SAP based on this information.

• SAP does not agree or disagree with the content on the linked-to site, nor does SAP warrant the availability and correctness. SAP shall not be liable for any
damages caused by the use of such content unless damages have been caused by SAP's gross negligence or willful misconduct.

• Links with the icon : You are leaving the documentation for that particular SAP product or service and are entering a SAP-hosted Web site. By using such links, you
agree that (unless expressly stated otherwise in your agreements with SAP) you may not infer any product claims against SAP based on this information.

Videos Hosted on External Platforms

Some videos may point to third-party video hosting platforms. SAP cannot guarantee the future availability of videos stored on these platforms. Furthermore, any
advertisements or other content hosted on these platforms (for example, suggested videos or by navigating to other videos hosted on the same site), are not within the
control or responsibility of SAP.

Beta and Other Experimental Features

Experimental features are not part of the officially delivered scope that SAP guarantees for future releases. This means that experimental features may be changed by
SAP at any time for any reason without notice. Experimental features are not for productive use. You may not demonstrate, test, examine, evaluate or otherwise use the
experimental features in a live operating environment or with data that has not been sufficiently backed up.
The purpose of experimental features is to get feedback early on, allowing customers and partners to influence the future product accordingly. By providing your feedback
(e.g. in the SAP Community), you accept that intellectual property rights of the contributions or derivative works shall remain the exclusive property of SAP.

Example Code
Any software coding and/or code snippets are examples. They are not for productive use. The example code is only intended to better explain and visualize the syntax and
phrasing rules. SAP does not warrant the correctness and completeness of the example code. SAP shall not be liable for errors or damages caused by the use of example
code unless damages have been caused by SAP's gross negligence or willful misconduct.

Bias-Free Language
SAP supports a culture of diversity and inclusion. Whenever possible, we use unbiased language in our documentation to refer to people of all cultures, ethnicities, genders,
and abilities.

Setting Up an SNC-Based SAProuter Connection for Employee Central Payroll Systems

Important Disclaimers and Legal Information INTERNAL – Authorized for SAP Customers and Partners 21
www.sap.com/contactsap

© 2022 SAP SE or an SAP affiliate company. All rights reserved.

No part of this publication may be reproduced or transmitted in any form

or for any purpose without the express permission of SAP SE or an SAP
affiliate company. The information contained herein may be changed
without prior notice.

Some software products marketed by SAP SE and its distributors

contain proprietary software components of other software vendors.
National product specifications may vary.

These materials are provided by SAP SE or an SAP affiliate company for

informational purposes only, without representation or warranty of any
kind, and SAP or its affiliated companies shall not be liable for errors or
omissions with respect to the materials. The only warranties for SAP or
SAP affiliate company products and services are those that are set forth
in the express warranty statements accompanying such products and
services, if any. Nothing herein should be construed as constituting an
additional warranty.

SAP and other SAP products and services mentioned herein as well as
their respective logos are trademarks or registered trademarks of SAP
SE (or an SAP affiliate company) in Germany and other countries. All
other product and service names mentioned are the trademarks of their
respective companies.

Please see https://www.sap.com/about/legal/trademark.html for

additional trademark information and notices.

THE BEST RUN