When a DirectAccess client computer is on the Internet, it connects to the corporate network using DirectAccess. All communications between the DirectAccess client and DirectAccess server are done over IPv6 (encapsulated by an IPv4 tunnel to carry the IPv6 traffic over the IPv4 Internet). In fact, the client application assumes that the connection is IPv6 from end-to-end, even when the destination server on the intranet is an IPv4-only capable resource. UAG DirectAccess can enable IPv4 connectivity to an intranet resource by using its NAT64/DNS64 IPv6/IPv4 protocol translation feature, which allows the UAG DirectAccess server to map an IPv6 address associated with the IPv4 address of the intranet resource. This mapped IPv6 address is used by the DirectAccess client to connect to the IPv4 resource on the intranet. The UAG DirectAccess server will translate this to an IPv4 address and forward the connection to the desired IPv4-only resource on the intranet.
While NAT64/DNS64 solves the problem of IPv4-only capable systems on the intranet, the client side application on the DirectAccess client must be IPv6 capable. If the client-side application is not IPv6 capable, it must use a non-DirectAccess method to reach the application server, such as an Internet accessible application gateway.
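The address mapping described above can be worked through in a few lines. This is an added example, not code from the original post or from UAG. It assumes the RFC 6052 well-known /96 prefix 64:ff9b::/96 (the page does not give the prefix a UAG deployment uses), and the host names and addresses are constructed.

```python
import ipaddress

# Assumption: RFC 6052 well-known prefix; the page does not state UAG's prefix.
NAT64_PREFIX = ipaddress.IPv6Network("64:ff9b::/96")

# Constructed intranet records: one IPv4-only SAP host, one with native IPv6.
INTRANET = {
    "sap-v4only.corp.example": {"A": ["10.1.2.30"], "AAAA": []},
    "sap-dual.corp.example": {"A": ["10.1.2.31"], "AAAA": ["2001:db8:cafe::31"]},
}

def synthesize(ipv4, prefix=NAT64_PREFIX):
    """DNS64 step: place the IPv4 address in the low 32 bits of a /96 prefix."""
    if prefix.prefixlen != 96:
        raise ValueError("this example only handles /96 prefixes")
    v4 = ipaddress.IPv4Address(ipv4)
    return ipaddress.IPv6Address(int(prefix.network_address) | int(v4))

def extract(ipv6, prefix=NAT64_PREFIX):
    """NAT64 step: recover the IPv4 destination, or None for native IPv6."""
    v6 = ipaddress.IPv6Address(ipv6)
    if v6 not in prefix:
        return None
    return ipaddress.IPv4Address(int(v6) & 0xFFFFFFFF)

def resolve_for_client(name, zone=INTRANET):
    """What the IPv6-only client sees: native AAAA wins, else AAAA built from A."""
    rec = zone[name]
    if rec["AAAA"]:
        return [ipaddress.IPv6Address(a) for a in rec["AAAA"]]
    return [synthesize(a) for a in rec["A"]]

def forward_target(ipv6):
    """How the server side treats the client's destination address."""
    v4 = extract(ipv6)
    return ("nat64", str(v4)) if v4 is not None else ("native", str(ipv6))

if __name__ == "__main__":
    for host in INTRANET:
        for addr in resolve_for_client(host):
            print(host, "->", addr, "->", forward_target(addr))
```
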
In the context of connectivity to SAP resources, you had to use an alternate method outside the DirectAccess tunnels before the release of SAP GUI version 7.1. With the introduction of SAP GUI 7.1, the DirectAccess client can connect to SAP resources on the intranet over the DirectAccess tunnels. However, to get this to work, you need to set a specific environment variable, which we will discuss later in this post. This solves the IPv6 problem on the client side.
If the SAP server is not IPv6 capable (meaning that it isn’t using ISATAP or native IPv6 addressing), then the UAG DirectAccess server’s NAT64/DNS64 feature will be used for IPv6/IPv4 protocol translation. While this will allow access to a SAP server, it will break SAP load balancing. The end result is that if you don’t need SAP load balancing, all you need to do is set the environment variable on the SAP GUI client, and connectivity will work over DirectAccess because NAT64/DNS64 will take care of the protocol translation for you.
However, if you need load balancing for your SAP servers, NAT64/DNS64 isn’t going to do all the work. In this case you’re going to need to bring in another component, called a SAProuter.
A SAProuter is a non-transparent gateway that can accept both IPv4 and IPv6 connections and do protocol translation between IPv4 and IPv6. NAT64/DNS64 are not used. Instead, the DirectAccess client connects to the SAProuter using the SAProuter’s IPv6 address, and then the SAProuter can route the connections to the IPv4-only SAP servers behind it. At this point the SAP servers are able to load balance the connections and also return the responses to the SAProuter, which is then able to return the responses to the DirectAccess clients through the UAG DirectAccess server.
Figure 1 illustrates the request/response path between the DirectAccess client and the SAP resource servers (note that the load balancing component of the SAP servers is called out to make the path easier to understand).
The following instructions configure the SAP GUI 7.1 client to work with DirectAccess:
If you are using a SAProuter, you have to add an entry in the "SAProuter String" field, for example "/H/saprouterxy".
If you have further questions regarding this issue, please write to the address in the sig line below.
Noam Ben-Yochanan, Senior Program Manager, DA
Tom Shinder
email@example.com
Knowledge Engineer, Microsoft DAIP iX/Forefront iX
UAG Direct Access/Anywhere Access Group (AAG)
The “Edge Man” blog (DA all the time): http://blogs.technet.com/tomshinder/default.aspx
Follow me on Twitter: http://twitter.com/tshinder
Facebook: http://www.facebook.com/tshinder
I think you forgot to talk about the SAP Client environment variable.
This method will use the SSL Tunneling Application (UAG)?
This allows connectivity using the native application layer protocol used for SAP access over the DirectAccess tunnel.
How can I find out the SAP Router IPv6 address?
Is SAP Router required to get SAP working on DA clients?
We are trying to roll out DirectAccess 2012 and have a showstopper issue as we cannot get it to work with our SAP GUI 7.30 clients.
We do not have UAG and DirectAccess 2012 is supposed to no longer have this additional requirement.
Has anyone gotten this to work?
Did you have to introduce SAPROUTER into the mix?
Thank you! We've set "SAP_IPV6_ACTIVE=1" on our Direct Access Clients and now we're able to use SAP on all our DA Clients.
Update to 30 Oct 2014 post - we found that SAPROUTER was required for the 2012 solution to work
In case of no load balancing, is it correct that we do not need a SAP router?
Another question I have is regarding SAP_IPV6_ACTIVE=1: does this require that there is IPv6 connectivity through the whole path from the DA server to the SAP server?