When a DirectAccess client computer is on the Internet, it connects to the corporate network using DirectAccess. All communications between the DirectAccess client and DirectAccess server are done over IPv6 (encapsulated by an IPv4 tunnel to carry the IPv6 traffic over the IPv4 Internet). In fact, the client application assumes that the connection is IPv6 from end-to-end, even when the destination server on the intranet is an IPv4-only capable resource. UAG DirectAccess can enable IPv4 connectivity to an intranet resource by using its NAT64/DNS64 IPv6/IPv4 protocol translation feature, which allows the UAG DirectAccess server to map an IPv6 address associated with the IPv4 address of the intranet resource. This mapped IPv6 address is used by the DirectAccess client to connect to the IPv4 resource on the intranet. The UAG DirectAccess server will translate this to an IPv4 address and forward the connection to the desired IPv4-only resource on the intranet.
While NAT64/DNS64 solves the problem of IPv4-only capable systems on the intranet, the client side application on the DirectAccess client must be IPv6 capable. If the client-side application is not IPv6 capable, it must use a non-DirectAccess method to reach the application server, such as an Internet accessible application gateway.
In the context of connectivity to SAP resources, you had to use an alternate method outside the DirectAccess tunnels before the release of SAP GUI version 7.1. With the introduction of SAP GUI 7.1, the DirectAccess client can connect to SAP resources on the intranet over the DirectAccess tunnels. However, to get this to work, you need to set a specific environment variable, which we will discuss later in this post. This solves the IPv6 problem on the client side.
If the SAP server is not IPv6 capable (meaning that it isn’t using ISATAP or native IPv6 addressing), then the UAG DirectAccess server’s NAT64/DNS64 feature will be used for IPv6/IPv4 protocol translation. While this will allow access to a SAP server, it will break SAP load balancing. The end result is that if you don’t need SAP load balancing, then all you need is to do is set the environment variable on the SAP GUI client and connectivity will work over DirectAccess because NAT64/DNS64 will take care of the protocol translation for you.
Solving the Load Balancing Problem
However, if you need load balancing for your SAP servers, NAT64/DNS64 isn’t going to do all the work. In this case you’re going to need to bring in another component, called a SAPRouter.
A SAProuter is a non-transparent gateway that can accept both IPv4 and IPv6 connections and do protocol translation between IPv4 and IPv6. NAT64/DNS64 are not used. Instead, the DirectAccess client connects to the SAPRouter using the SAPRouter’s IPv6 address, and then the SAPRouter can route the connections to the IPv4-only SAP servers behind the SAPRouter. At this point the SAP servers are able to load balance the connections and also return the responses to the SAPRouter, which is then able to return the responses to the DirectAccess clients through the UAG DirectAccess server.
Figure 1 illustrates the request/response path between the DirectAccess client and the SAP resource servers (note that the load balancing component of the SAP servers is called out to make the path easier to understand).
- The DirectAccess client sends a request to the IPv6 address of the SAPRouter to gain access to the SAP CRM resource on the intranet.
- The UAG DirectAccess server forwards the connection request to the IPv6 address of the SAPRouter.
- The SAPRouter forwards the connection to the IPv4 address of the SAP server load balancer.
- The SAP server load balancer forwards the request to the IPv4 address of the SAP CRM resource server.
- The SAP CRM returns a response to the IPv4 address of the SAP server load balancer.
- The SAP server returns the response to the IPv4 address on the SAPRouter.
- The SAPRouter returns the response to the IPv6 address of the UAG DirectAccess server.
- The UAG DirectAccess server returns the response to the IPv6 address of the DirectAccess client.
Configuring the SAPGUI 7.1 Client
The following are instructions should configure the SAP GUI 7.1 client to work with DirectAccess:
- Start SAP Logon.
- Click the button 'New Item'.
- Click the button 'Next'
- In the window "Create New System Entry" choose the connection type "Custom Application Server".
Add the following into the dialog:
Field "Description" > A description
Field "Application Server" > enter the hostname of the SAP Application Server
Field "System Number" > The number of the instance
Field "System ID" > The System ID
If you are using a saprouter you would have to add an entry in the field "SAProuter String", for example "/H/saprouterxy".
- If you don’t need load balancing for your SAP CRM resources, then all you need to do is configure the SAP GUI 7.1 client
- If you need load balancing for your SAP CRM resources, then you will need to introduce a SAPRouter
- The SAPRouter can translate IPv4 to IPv6 and back so that the DirectAccess client can be configured with the IPv6 address of the SAPRouter
If you have further questions regarding this issue, please write to the address in the sig line below.
Noam Ben-Yochanan, Senior Program Manager, DA
Knowledge Engineer, Microsoft DAIP iX/Forefront iX
UAG Direct Access/Anywhere Access Group (AAG)
The “Edge Man” blog (DA all the time): http://blogs.technet.com/tomshinder/default.aspx
Follow me on Twitter: https://twitter.com/tshinder