How to Send SAP ERP Data to a Local Integration Server Without Opening Firewall Ports
SAP ERP sends outbound IDocs and HTTP messages to integration middleware using RFC destinations configured in transaction SM59. The middleware must have a reachable HTTPS URL. In typical enterprise environments, getting that URL means raising a change request with the network team, waiting for firewall rules to be approved, and coordinating with SAP Basis to update the RFC destination. For development, testing, or rapid prototyping of integration scenarios, that process takes days or weeks. A Localtonet HTTP tunnel gives your local integration server a public HTTPS URL in under two minutes. No firewall changes, no network team involvement, and no SAP transport required to update later.
📋 What's in this guide
The Integration Development Problem
SAP integration projects follow a pattern familiar to anyone who has worked in enterprise IT. The development team builds the middleware a Node.js service, a Python Flask application, a MuleSoft flow, or a custom ABAP-adjacent integration server. They need SAP to send test IDocs to that middleware so they can verify the parsing logic, test the mapping, and confirm the data reaches the downstream system correctly.
To receive an IDoc from SAP, the middleware needs a reachable HTTPS URL. In most corporate environments, the middleware runs on a developer laptop or a local server with no public address. The standard path to a public URL involves the network security team, a change management ticket, a firewall rule approved by a committee, and a DNS entry created by IT. On a complex enterprise network, this can take a week or more per environment.
A Localtonet HTTP tunnel bypasses this entirely for development and testing scenarios. Your local integration server gets a public HTTPS URL immediately. You configure that URL in SAP's SM59 transaction as the RFC destination target. SAP sends IDocs to your laptop as if it were a fully deployed integration server. When the integration is ready for production, you replace the tunnel URL with the real production endpoint.
What this approach is suitable for
- Development and unit testing of SAP integration middleware
- IDoc parsing and mapping validation
- Proof-of-concept integrations before infrastructure is provisioned
- Training and onboarding environments where SAP Basis access is available but network infrastructure is not
- System integrator workshops where the team brings a laptop but not a server
This guide covers development and testing scenarios. Production SAP integrations require a stable, monitored, and secured endpoint on dedicated infrastructure not a developer laptop. The tunnel URL from this guide serves as a placeholder during development. Replace it with the production middleware URL before go-live.
How SAP Sends Data to External Systems
SAP ERP (ECC and S/4HANA on-premise) uses several mechanisms to send data to external systems. The two most relevant for middleware integration are outbound IDocs via ALE and HTTP calls via RFC destinations.
📦 Outbound IDoc via XML HTTP port
An IDoc (Intermediate Document) is SAP's standard container for exchanging transactional and master data. SAP packages data a purchase order, a material master record, a customer invoice into an IDoc and sends it to an external system. The receiving end gets an XML document with a well-defined structure. The XML HTTP port type (configured in transaction WE21) tells SAP to deliver IDocs to an HTTP endpoint. An RFC destination (SM59) defines the target host and path for that endpoint.
🔧 Direct HTTP call via RFC destination
ABAP programs can make outbound HTTP calls to external systems using an RFC destination of type
HTTP connection to external server (type G in SM59). This is used for REST webhooks,
SOAP calls, and any scenario where ABAP needs to call a URL directly.
The same RFC destination configuration applies: you define the host, port, and path prefix,
and the ABAP program calls it using the HTTP_GET, HTTP_POST, or similar function modules.
| Mechanism | Transaction | SAP configures | Middleware receives |
|---|---|---|---|
| IDoc via XML HTTP port | WE21, WE20, SM59 | Partner profile, port, RFC destination | XML IDoc payload via HTTP POST |
| Direct HTTP call from ABAP | SM59 | RFC destination type G | Custom JSON or XML via HTTP POST/GET |
| IDoc via tRFC | WE21, SM59 | Transactional RFC port | IDoc via SAP proprietary RFC protocol |
Build a Local Integration Server
Your integration server receives HTTP POST requests from SAP containing IDoc XML payloads or custom data from ABAP programs. It needs to accept the request, parse the payload, and route data to downstream systems. Below are minimal working examples in Node.js and Python that receive and log SAP IDoc payloads a starting point to build your actual integration logic on.
Node.js (Express)
npm init -y
npm install express body-parser xml2js// server.js
const express = require('express');
const bodyParser = require('body-parser');
const xml2js = require('xml2js');
const app = express();
// SAP sends IDocs as application/xml or text/xml
app.use(bodyParser.text({ type: ['application/xml', 'text/xml', '*/xml'] }));
app.use(bodyParser.json());
// IDoc receiver endpoint
app.post('/idoc', async (req, res) => {
console.log('Received IDoc from SAP');
console.log('Headers:', req.headers);
try {
const parser = new xml2js.Parser({ explicitArray: false });
const parsed = await parser.parseStringPromise(req.body);
const idocData = parsed.IDOC || parsed;
console.log('IDoc type:', idocData?.EDIDC40?.IDOCTP || 'unknown');
console.log('Message type:', idocData?.EDIDC40?.MESTYP || 'unknown');
console.log('Sender:', idocData?.EDIDC40?.SNDPRT + '/' + idocData?.EDIDC40?.SNDPOR);
// Add your integration logic here:
// - Transform and forward to ERP, CRM, WMS, or other systems
// - Insert into a database
// - Publish to a message queue
// - Write to a file for further processing
// SAP expects HTTP 200 to confirm successful receipt
res.status(200).send('IDoc received successfully');
} catch (err) {
console.error('Error processing IDoc:', err.message);
// Return 500 so SAP marks the IDoc for retry
res.status(500).send('Processing error');
}
});
// Generic HTTP endpoint for ABAP direct calls
app.post('/webhook', (req, res) => {
console.log('Received webhook from SAP:', req.body);
res.status(200).json({ status: 'received', timestamp: new Date().toISOString() });
});
app.listen(3000, () => {
console.log('SAP integration server running on http://localhost:3000');
});node server.jsPython (Flask)
pip install flask lxml# app.py
from flask import Flask, request, jsonify
from lxml import etree
import logging
logging.basicConfig(level=logging.INFO)
logger = logging.getLogger(__name__)
app = Flask(__name__)
@app.route('/idoc', methods=['POST'])
def receive_idoc():
logger.info('Received IDoc from SAP')
content_type = request.content_type or ''
raw_body = request.get_data()
try:
if 'xml' in content_type:
root = etree.fromstring(raw_body)
idoc_type = root.findtext('.//IDOCTP') or 'unknown'
message_type = root.findtext('.//MESTYP') or 'unknown'
logger.info(f'IDoc type: {idoc_type}, Message type: {message_type}')
# Add your integration logic here
# Forward data, write to database, publish to queue, etc.
# HTTP 200 confirms successful receipt to SAP
return 'IDoc received successfully', 200
except Exception as e:
logger.error(f'Error processing IDoc: {e}')
# HTTP 500 causes SAP to retry delivery
return 'Processing error', 500
@app.route('/webhook', methods=['POST'])
def receive_webhook():
data = request.get_json(force=True)
logger.info(f'Webhook received: {data}')
return jsonify(status='received'), 200
if __name__ == '__main__':
app.run(host='0.0.0.0', port=3000)python app.pyExpose the Integration Server with Localtonet
With the integration server running on port 3000, create a Localtonet HTTP tunnel to give it a public HTTPS URL. This is the URL you will configure in SAP as the RFC destination target.
localtonet --authtoken <YOUR_TOKEN>
Go to the HTTP tunnel page,
set local IP to 127.0.0.1 and port to 3000.
Click Create and start the tunnel.
The dashboard shows a public HTTPS URL such as https://abc123.localto.net.
Verify the endpoint is reachable before configuring SAP:
curl -X POST https://abc123.localto.net/idoc \
-H "Content-Type: application/xml" \
-d '<TEST><MESSAGE>ping</MESSAGE></TEST>'If the server logs the request and responds with HTTP 200, the tunnel is working correctly. Proceed to configure SAP.
Step 1: Configure the RFC Destination in SM59
Transaction SM59 manages RFC connections from SAP to external systems. You need to create an HTTP connection of type G (HTTP connection to external server) that points at your Localtonet tunnel URL.
Open SM59 and create a new connection
In SAP GUI, run transaction SM59.
Expand HTTP Connections to External Server and click the create icon.
Enter a destination name such as LOCALTONET_INTEGRATION.
Configure the Technical Settings tab
Set Target Host to your Localtonet hostname, for example abc123.localto.net.
Set Port to 443.
Set Path Prefix to /idoc (or /webhook for direct ABAP calls).
Configure SSL in the Logon and Security tab
Set SSL to Active since Localtonet provides HTTPS. For the SSL certificate, select the appropriate SSL client PSE for your SAP system. In development environments, Active (Do Not Verify Peer Certificate) may be used if the SAP system does not have the Let's Encrypt root CA in its trust store.
Save and test the connection
Save the RFC destination and click Test Connection. A successful test returns HTTP 200 from the integration server. You should see the ping request appear in your server logs.
Localtonet HTTP tunnels use Let's Encrypt certificates. Most modern SAP systems have the ISRG Root X1 certificate in their trust store. If the connection test fails with an SSL error, ask your SAP Basis team to import the Let's Encrypt root CA certificate into the system's SSL client PSE using transaction STRUST. For a development sandbox where Basis access is available, this is a one-time task.
Step 2: Create the IDoc Port in WE21
Transaction WE21 defines the technical port through which SAP delivers IDocs to the external system. For HTTP delivery, use the XML HTTP port type, which wraps the IDoc in XML format and delivers it via the RFC destination you configured in SM59.
Open WE21 and create an XML HTTP port
Run transaction WE21. In the left tree, expand XML HTTP
and click the create icon. Enter a port name such as LTNIDOCPORT
and a description.
Assign the RFC destination
In the port configuration, set RFC Destination to LOCALTONET_INTEGRATION
(the destination you created in SM59).
Set the IDoc record types in XML file option
to SAP Release 4.6 and Above for modern systems.
Save the port
Save the port definition. SAP now knows how to deliver IDocs to your integration server.
Step 3: Configure the Partner Profile in WE20
Transaction WE20 defines partner profiles the rules that determine which IDocs are sent to which port for a given partner system. You need an outbound parameter entry for each IDoc message type you want to deliver to your integration server.
Open WE20 and create or edit a partner profile
Run transaction WE20. Select partner type LS (Logical System)
and find the logical system that represents your integration middleware.
If one does not exist, create a new logical system in transaction BD54 first,
then return to WE20 to create the partner profile.
Add an outbound parameter
In the partner profile, click the Outbound parameters section
and add a new entry. Set the Message type to the IDoc type you want to send
(for example ORDERS for purchase orders or MATMAS for material master data).
Set Receiver port to LTNIDOCPORT (the port from WE21).
Set Output mode to Pass IDoc immediately.
Save the partner profile
Step 4: Test the End-to-End Flow
With SM59, WE21, and WE20 configured, you can trigger a test IDoc from SAP and verify it arrives at your integration server.
Send a test IDoc via WE19
Open WE19 — test tool for IDoc processing
Run transaction WE19. Select an existing IDoc from your system as the template
or create one from a message type. Enter the partner number and type matching your WE20 configuration.
Trigger outbound processing
Click Standard Outbound Processing. SAP packages the IDoc into XML, looks up the port and RFC destination from the partner profile, and sends an HTTP POST to your Localtonet tunnel URL.
Check the IDoc status in WE02
Run transaction WE02 or WE05 to inspect the IDoc status.
Status 03 means the IDoc was dispatched successfully.
Status 02 or 04 indicates a processing error.
Check the status records for the HTTP response code from your server.
If the IDoc reaches status 03, check your integration server logs. You should see the IDoc XML payload printed by your server. At this point, the full SAP-to-middleware pipeline is working and you can build out your integration logic.
Transaction BD87 shows all IDocs waiting for dispatch or that encountered errors
during outbound processing. If an IDoc fails to reach your server for example because
the tunnel was not running you can reprocess it from BD87 without having to re-trigger the business event.
Security Considerations
🔑 Add basic authentication to the middleware endpoint
The RFC destination in SM59 supports basic authentication in the Logon and Security tab. Configure a username and password in SM59 and add matching authentication middleware to your integration server. Any request arriving at the tunnel URL without valid credentials returns HTTP 401, which SAP treats as a delivery failure and marks the IDoc for retry.
🌐 Restrict access to the SAP system's outbound IP
SAP ERP systems typically have a fixed outbound IP address or a narrow IP range for outbound HTTP calls. Configure IP restrictions on the Localtonet tunnel to allow only that IP range. Requests from any other source are rejected at the relay before reaching your server.
⏱ Stop the tunnel outside of development hours
During development, stop the Localtonet tunnel when you are not actively working. A stopped tunnel means no inbound requests can reach your integration server, reducing the exposure window. Restart it at the beginning of each development session.
📋 Use a dedicated RFC destination for each developer
In a team with multiple developers testing integrations simultaneously,
create a separate RFC destination and WE21 port for each person's tunnel URL.
Name them consistently LTNDEV_JOHN, LTNDEV_SARA so it is clear
whose endpoint each destination points at. Update only the individual's RFC destination
when their tunnel URL changes.
Frequently Asked Questions
SAP marks the IDoc with error status 29 or 04. What should I check?
Status 29 (Error during dispatch) or 04 (Error within control information) usually means SAP could not reach the HTTP endpoint or received a non-200 response. Check that the Localtonet tunnel is running and the integration server is responding on port 3000. Run the SM59 connection test to confirm the RFC destination resolves and gets HTTP 200. Check the IDoc status records in WE02 they include the HTTP response code and any error message returned by the middleware. A 500 response from the middleware causes SAP to mark the IDoc for retry rather than discarding it.
The SM59 connection test fails with SSL certificate error. How do I fix it?
Localtonet uses Let's Encrypt certificates. The SAP system needs the ISRG Root X1 certificate in its SSL client PSE. Ask your SAP Basis team to import it via transaction STRUST under the SSL Client (Standard) node. Alternatively, for a sandbox system where this is not feasible, change the SSL option in the SM59 Logon and Security tab to Active (Do Not Verify Peer Certificate). Only use the no-verify option in isolated development systems never in production.
Can I use this pattern for receiving data from SAP S/4HANA Cloud?
SAP S/4HANA Cloud sends outbound data through SAP Cloud Integration (CPI) or directly via HTTP calls configured in the Communication Arrangement setup. The target URL for those outbound calls is configured in the cloud tenant's Communication System settings. You can use a Localtonet tunnel URL as the target endpoint in those settings for development purposes. The mechanism is the same SAP makes an outbound HTTPS POST to the URL you provide.
The tunnel URL changes every time I restart Localtonet. How do I avoid updating SM59 repeatedly?
Reserve a custom subdomain for your HTTP tunnel in the Localtonet dashboard. Once reserved, the tunnel URL stays the same across restarts. You configure SM59 once and never need to update it during the development project. For a longer-lived development or integration test environment, attaching a custom domain via the Localtonet DNS Manager gives you a fully permanent URL that is independent of the tunnel infrastructure.
Can I use this approach for ABAP programs that call external REST APIs?
Yes. Any ABAP program using CL_HTTP_CLIENT, CALL FUNCTION with an RFC destination, or the HTTP utility classes can use an SM59 type G destination that points at a Localtonet tunnel URL. The ABAP code calls the RFC destination name it never needs to know the actual URL. This is useful for testing ABAP programs that call external APIs during development, when the target API is running locally on the developer's machine.
Start Receiving SAP IDocs on Your Laptop in Minutes
Start your integration server, create a Localtonet HTTP tunnel, configure SM59 and WE21 in SAP, and send a test IDoc from WE19. Your full SAP-to-middleware pipeline is working before a single network change request has been raised.
Create Free Localtonet Account →
