Connecting DirectAccess Clients to SAP

When a DirectAccess client computer is on the Internet, it connects to the corporate network using DirectAccess. All communications between the DirectAccess client and DirectAccess server are done over IPv6 (encapsulated by an IPv4 tunnel to carry the IPv6 traffic over the IPv4 Internet). In fact, the client application assumes that the connection is IPv6 from end-to-end, even when the destination server on the intranet is an IPv4-only capable resource. UAG DirectAccess can enable IPv4 connectivity to an intranet resource by using its NAT64/DNS64 IPv6/IPv4 protocol translation feature, which allows the UAG DirectAccess server to map an IPv6 address associated with the IPv4 address of the intranet resource. This mapped IPv6 address is used by the DirectAccess client to connect to the IPv4 resource on the intranet. The UAG DirectAccess server will translate this to an IPv4 address and forward the connection to the desired IPv4-only resource on the intranet.

While NAT64/DNS64 solves the problem of IPv4-only capable systems on the intranet, the client side application on the DirectAccess client must be IPv6 capable. If the client-side application is not IPv6 capable, it must use a non-DirectAccess method to reach the application server, such as an Internet accessible application gateway.

In the context of connectivity to SAP resources, you had to use an alternate method outside the DirectAccess tunnels before the release of SAP GUI version 7.1. With the introduction of SAP GUI 7.1, the DirectAccess client can connect to SAP resources on the intranet over the DirectAccess tunnels. However, to get this to work, you need to set a specific environment variable, which we will discuss later in this post. This solves the IPv6 problem on the client side.

If the SAP server is not IPv6 capable (meaning that it isn’t using ISATAP or native IPv6 addressing), then the UAG DirectAccess server’s NAT64/DNS64 feature will be used for IPv6/IPv4 protocol translation. While this will allow access to a SAP server, it will break SAP load balancing. The end result is that if you don’t need SAP load balancing, then all you need is to do is set the environment variable on the SAP GUI client and connectivity will work over DirectAccess because NAT64/DNS64 will take care of the protocol translation for you.

Solving the Load Balancing Problem

However, if you need load balancing for your SAP servers, NAT64/DNS64 isn’t going to do all the work. In this case you’re going to need to bring in another component, called a SAPRouter.

A SAProuter is a non-transparent gateway that can accept both IPv4 and IPv6 connections and do protocol translation between IPv4 and IPv6. NAT64/DNS64 are not used. Instead, the DirectAccess client connects to the SAPRouter using the SAPRouter’s IPv6 address, and then the SAPRouter can route  the connections to the IPv4-only SAP servers behind the SAPRouter. At this point the SAP servers are able to load balance the connections and also return the responses to the SAPRouter, which is then able to return the responses to the DirectAccess clients through the UAG DirectAccess server.

Figure 1 illustrates the request/response path between the DirectAccess client and the SAP resource servers (note that the load balancing component of the SAP servers is called out to make the path easier to understand).

Figure 1

  1. The DirectAccess client sends a request to the IPv6 address of the SAPRouter to gain access to the SAP CRM resource on the intranet.
  2. The UAG DirectAccess server forwards the connection request to the IPv6 address of the SAPRouter.
  3. The SAPRouter forwards the connection to the IPv4 address of the SAP server load balancer.
  4. The SAP server load balancer forwards the request to the IPv4 address of the SAP CRM resource server.
  5. The SAP CRM returns a response to the IPv4 address of the SAP server load balancer.
  6. The SAP server returns the response to the IPv4 address on the SAPRouter.
  7. The SAPRouter returns the response to the IPv6 address of the UAG DirectAccess server.
  8. The UAG DirectAccess server returns the response to the IPv6 address of the DirectAccess client.

Configuring the SAPGUI 7.1 Client

The following are instructions should configure the SAP GUI 7.1 client to work with DirectAccess:

  1. Start SAP Logon.
  2. Click the button 'New Item'.
  3. Click the button 'Next'
  4. In the window "Create New System Entry" choose the connection type "Custom Application Server".
    Add the following into the dialog:
    Field "Description"                  > A description
    Field "Application Server"    > enter the hostname of the SAP Application Server
    Field "System Number"         > The number of the instance
    Field "System ID"                      > The System ID

If you are using a saprouter you would have to add an entry in the field "SAProuter String", for example "/H/saprouterxy".


  • If you don’t need load balancing for your SAP CRM resources, then all you need to do is configure the SAP GUI 7.1 client
  • If you need load balancing for your SAP CRM resources, then you will need to introduce a SAPRouter
  • The SAPRouter can translate IPv4 to IPv6 and back so that the DirectAccess client can be configured with the IPv6 address of the SAPRouter

If you have further questions regarding this issue, please write to the address in the sig line below.


Noam Ben-Yochanan, Senior Program Manager, DA

Tom Shinder
Knowledge Engineer, Microsoft DAIP iX/Forefront iX 
UAG Direct Access/Anywhere Access Group (AAG)
The “Edge Man” blog (DA all the time):
Follow me on Twitter:

Comments (13)
  1. thomas w shinder - msft says:

    Hi Moonty,

    This allows connectivity using the native application layer protocol used for SAP access over the DirectAccess tunnel.



  2. thomas w shinder - msft says:

    Hi Victor,



  3. Anonymous says:

    This Method Will Use SSl Tunneling Application (UAG) ???


  4. heyko says:

    @Victor GRENU:

    Thank you! We’ve set "SAP_IPV6_ACTIVE=1" on our Direct Access Clients and now we’re able to use SAP on all our DA Clients.

  5. Victor GRENU says:

    Dear Tom,

    I think you forgot to talk about the SAP Client environment variable.

    SAP_IPv6_ACTIVE =1…/content.htm

  6. drumcode says:

    How can i find out the SAP Router IPv6 adress?


  7. Mohammed says:

    is SAP Router required to get SAP working on DA clients?

  8. Doreen says:

    We are trying to rollout DirectAccess 2012 and have a showstopper issue as we cannot get it to work with our SAP GUI 7.30 clients.
    We do not have UAG and DirectAccess 2012 is supposed to no longer have this additional requirement.

    Has anyone gotten this to work?
    Did you have to introduce SAPROUTER into the mix?

  9. Doreen says:

    Update to 30 Oct 2014 post – we found that SAPROUTER was required for the 2012 solution to work

  10. Gudmundur Johannsson says:

    In case of no load balancing is it correct that we do not need a SAP router ?

    Another question I have is regarding SAP_IPV6_ACTIVE=1 , does this require that there is ipv6 connectivity through the whole path from the DA server to SAP server ?

  11. Josua says:


    you state that a saprouter is necessary in case you want to connect to a SAP application server via load balancing.
    Would it also work if the SAP application server itself is configured to provide IPv4 and IPv6 connectivity and no saprouter is used ?


  12. Yogesh says:

    Hello All,

    For Direct Access setup you can follow link below …


  13. vivek mehar says:

    Hello Tom,

    we have a requirement of using sap Logon groups over the internet i mean from sap router. i searched on the internet but not able to found anything concrete solution. please tell me how to do the configurations for the same.

Comments are closed.

Skip to main content