What This Port Is
Port 3299 sits in the registered port range (1024-49151). These ports are documented with IANA, meaning organizations can register a service name to stake their claim. The IANA entry for 3299 lists "pdrncs", an abbreviation that appears in almost no real-world documentation and is practically unknown.
What is known in practice: port 3299 belongs to SAP Router.
SAP Router
SAP Router is an application-layer proxy developed by SAP SE. It runs at the network perimeter of organizations that use SAP's enterprise software — ERP, S/4HANA, and older R/3 systems — and acts as a controlled entry point for all SAP-specific traffic.
Think of it as a firewall that speaks SAP. It doesn't inspect packets generically; it understands SAP's proprietary DIAG protocol and routes connections based on a configuration file called saprouttab. Every connection request arrives at port 3299, and SAP Router consults its routing table to decide whether to allow, reject, or forward the traffic deeper into the network.
Route strings look like this:
Each /H/ is a host hop, each /S/ a service port. You can chain them — a single connection tunneling through multiple systems, each leg authorized separately. It's how SAP support engineers connect to customer systems without exposing those systems directly to the Internet.
Why This Port Matters to Security Teams
SAP Router's position makes it high-value for attackers. It sits between the Internet and the SAP application layer, and a misconfigured instance can bypass traditional firewall controls entirely.
Common misconfigurations:
- No password on the router — SAP Router supports password authentication, but the default is empty. Many installations never change this.
- Permissive routing tables — A saprouttab that allows P * * * (permit all) routes any connection to any internal SAP service.
- Disabled logging — Without logs, unauthorized access leaves no trace.
- Exposed configuration files — If saprouttab is readable via SMB or NFS, an attacker learns the internal network topology before attempting a connection.
A fully open SAP Router on port 3299 is a tunnel into SAP Dispatcher (port 3200), SAP Gateway (port 3300), and the Message Server (port 3600) — the core components of every SAP system. From there, an attacker with SAP credentials (or none, if those systems are also misconfigured) owns the enterprise data.
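One way to review a routing table for the permit-all and missing-password patterns listed above, as an added example that is not part of the original page or SAP's own tooling. It assumes the entry layout `<P|S|D> <source-host> <dest-host> <dest-service> [password]`; the function name and the sample table are constructed for illustration.

```python
# Added example: audit a saprouttab for over-broad permit entries.
# Assumed entry layout: <P|S|D> <source-host> <dest-host> <dest-service> [password]
# Lines starting with '#' are comments; SNC entries (KP/KS/KD/KT) are skipped.

# Constructed sample table, not taken from a real system.
SAMPLE = """\
# constructed sample
P * * *
P 203.0.113.10 10.0.0.5 3200 s3cret
S 203.0.113.* 10.0.0.5 *
D * * *
"""


def audit_saprouttab(text):
    """Return (line_number, entry, issues) for each risky permit entry."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        # Only P (permit) and S (permit SAP protocol only) open a route.
        if len(fields) < 4 or fields[0][0].upper() not in "PS":
            continue
        src, dst, svc = fields[1:4]
        issues = []
        if src == "*":
            issues.append("any source host")
        if dst == "*":
            issues.append("any destination host")
        if svc == "*":
            issues.append("any destination service")
        if len(fields) < 5:
            issues.append("no route password")
        if issues:
            findings.append((lineno, line, issues))
    return findings


if __name__ == "__main__":
    for lineno, entry, issues in audit_saprouttab(SAMPLE):
        level = "CRITICAL" if len(issues) == 4 else "review"
        print(f"line {lineno}: [{level}] {entry!r}: {', '.join(issues)}")
```

An entry that collects all four issues is the `P * * *` case from the list; entries with a single wildcard or no password are worth a manual look rather than an automatic failure.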
How to Check What's Listening
On Linux/macOS:
On Windows:
From outside the system:
An SAP Router instance will respond to specific SAP protocol handshakes. Security scanners like nmap with SAP scripts can probe for version and configuration details.
Should You See This Port Open?
If you're an enterprise running SAP software and you have a dedicated SAP Router host — yes, port 3299 being open is expected and intentional.
If you see port 3299 open on a system that isn't supposed to be running SAP infrastructure, investigate immediately. SAP Router is not general-purpose software; it has no business appearing on random hosts.
If you're a penetration tester and you find an exposed port 3299, check whether authentication is required and what the routing table permits. An open SAP Router in a poorly segmented network is a significant finding.