
EMC® CLARiiON® Secure Remote Support Solutions

Technical Notes

P/N 300-006-009

REV A03 October 5, 2010

This technical note discusses the benefits, value, and implementation of EMC® Secure Remote Support solutions for CLARiiON® storage systems in customer environments. It contains information on these topics:

Introduction

Overview

Core components in EMC Secure Remote Support solutions

CLARiiON remote access security considerations

Conclusion

Introduction

All EMC® CLARiiON® storage systems are designed with hardware and software that detect, analyze, and act upon certain events. Based on the event, the CLARiiON storage system determines the best way to secure the integrity of the system and notify the remote support facility. EMC offers several flexible remote options, referred to as EMC Secure Remote Support solutions, for the CLARiiON product line. These solutions include EMC Secure Remote Support IP and email-home WebEx. Each solution has a unique set of advantages.

Email-home WebEx works with the customer’s existing infrastructure, which reduces phone line costs. WebEx allows the customer to control, observe, and monitor a remote support session.

Secure Remote Support IP is EMC’s latest remote support innovation; it uses a high-speed, reliable, secure, IP-based connection. It addresses corporate and industry security compliance regulations by offering features such as encryption, authentication, audit, and authorization. EMC support is not limited to hardware and software solutions; EMC also takes full advantage of its skilled customer support team. Onsite and remote support professionals work in tandem to quickly and effectively remedy any issues proactively.

Audience

This technical notes document is intended for EMC employees, partners, IT planners, storage architects, administrators, and any others involved in evaluating, acquiring, managing, operating, or designing an EMC networked storage environment.

Overview

EMC Secure Remote Support solutions alert EMC when an abnormal event occurs on a CLARiiON storage system. These solutions enable EMC to connect remotely to a CLARiiON storage system to diagnose and, in some cases, resolve problems. EMC’s Secure Remote Support suite includes the following two solutions:

• The email-home WebEx solution.
• The EMC Secure Remote IP solution. This solution has two options:
  o The ESRS IP Gateway Client
  o The ESRS IP Device Client, also called the EMC Secure Remote Support IP Client

These solutions allow outbound communications to EMC, as well as inbound communications that can remotely access the storage system. Historically, many customers have chosen the modem-based (dial-in and dial-home) solution because it is simple and effective. In the modem-based solution, the dial-home feature allows a CLARiiON storage system to alert EMC when an event occurs. The dial-in feature allows EMC to remotely access the CLARiiON storage system through the modem. This modem-based solution is installed on a customer-supplied Windows workstation. It requires a dedicated phone line and is sometimes problematic, so EMC does not recommend this solution for remote support of CLARiiON storage systems. EMC will support upgrading the modem-based solutions to newer solutions and will eventually discontinue supporting all modem-based, remote support solutions.

The email-home WebEx solution is a newer solution that provides the same functionality as the modem-based solution. The email-home WebEx solution uses the customer’s email SMTP server to send alerts to EMC. At EMC, a service engineer can use a remote application called WebEx to remotely access the CLARiiON storage system. This solution is installed on a customer-supplied Windows workstation. With this solution, customers can control, observe, and monitor EMC’s remote support. Someone must be present at the customer site when diagnosing problems in CLARiiON environments.

The EMC Secure Remote Support IP Client for CLARiiON includes:

• EMC Secure Remote IP Agent; this agent installs the software components that enable remote support.

The EMC Secure Remote Support IP Client provides a complete IP-based alert and remote-access solution. It addresses corporate and industry security compliance regulations by offering the following features:

• Encryption
• Authentication
• Audit
• Authorization

These features can be customized using the optional Policy Manager software. The new EMC Secure Remote Support IP Client for CLARiiON software does not require a dedicated server for remote support management of CLARiiON systems. The ESRS IP Device Client for CLARiiON solution can be used only to monitor CLARiiON storage systems.

The ESRS IP Gateway Client should be deployed when other EMC products such as Symmetrix®, Celerra, or RecoverPoint are installed in your environment. Additional functionality is available with the Gateway solution that is not available with the IP Client for CLARiiON. The Gateway solution requires a dedicated Windows server for remote support.

EMC has designed each remote service solution to operate reliably and securely, but the software is not the only aspect of EMC’s dedication to remote support. EMC uses a collaborative escalation process that proactively assesses, diagnoses, and corrects issues. Even as a customer engineer (CE) travels to the site, EMC support professionals maintain contact with the CLARiiON storage system. They remotely monitor the storage system to provide the CE with the latest information. This collaborative approach gets the CLARiiON storage system back to normal as fast as possible.

Core components in EMC Secure Remote Support solutions

The remote support solutions explained above consist of five core components:

• Monitoring
• Notification
• Diagnostics
• Repair

EMC’s Secure Remote Support solutions for CLARiiON include the email-home WebEx, and the IP-based EMC Secure Remote Support IP solution. You can select which remote support solution (email-home WebEx or IP-based EMC Secure Remote IP) you wish to leverage. Each remote support solution offers a unique set of advantages.

Email-home WebEx

CLARiiON has the option of notifying the EMC Customer Support Center of a problem using a one-way email. Email home requires that the customer provide a workstation with access to an SMTP email server and the CLARiiON storage systems. Multiple CLARiiON storage systems can share this workstation. This solution eliminates the need for an active telephone line.

The monitoring workstation receives an alert from the CLARiiON storage system when an event occurs. An alert is then securely emailed to the EMC Customer Support Center. This email home occurs within seconds of the system event to ensure that no time is lost in addressing the issue.

Upon receipt of the alert by the EMC Customer Support Center, EMC’s service request management application automatically generates a new support case and routes the case to the proper support organization. As a result, EMC Customer Service is aware of a CLARiiON system event within minutes of the occurrence at the customer site.

The EMC support professional analyzes the information provided in the case and takes appropriate action to resolve the issue, which may include dispatching an EMC customer engineer to replace a part. At times, it is necessary for the support professional to gather additional information from the CLARiiON storage system. In these cases the support professional uses WebEx to remotely access the CLARiiON storage system (with the customer’s permission).

WebEx is a remote application and computer sharing tool. With WebEx, an EMC support professional can remotely connect into a customer-provided workstation. This connection allows the EMC support professional to gather comprehensive diagnostic information, identify any issues, and possibly correct those issues remotely. This allows customers to control, observe, and monitor the support session if required.

It is also possible to use the CLARiiON storage system storage


to EMC from the storage processor. This distributed email-home solution also requires access to an SMTP email server. Although this solution does not require a customer-supplied Windows workstation, EMC still recommends that you provide one. Email notification from the storage processor is not encrypted and configuration reporting is not supported; therefore it is more difficult to configure and manage this solution in a large storage environment. In addition, this solution requires a service provider and is not customer-installable.

The EMC Secure Remote Support IP solution

The EMC Secure Remote Support IP solution uses a high-speed, reliable, secure, IP-based connection. This solution lowers phone line costs, because a dedicated phone line and modem are not required. With enhanced and customizable security features such as encryption, authentication, audit, and authorization, this solution addresses corporate and industry security compliance regulations. It is firewall-friendly, so network modifications to the customer infrastructure are minimal.

Using authentication, authorization, and audit logging, EMC Secure Remote Support IP provides a centralized, secure connection between EMC and your CLARiiON storage systems. An EMC service engineer can remotely connect to your CLARiiON to run various diagnostic and management tools such as Navisphere Manager, Unisphere, NaviSecCLI, Unisphere Service Manager, Healthcheck, Capture SPCollect, EMCRemote, RemotelyAnywhere, and Ktcons.

The EMC Secure Remote Support IP solution has two options that are described in the following sections: “The EMC Secure Remote Support IP (Device) Client for CLARiiON option” and “The EMC Secure Remote Support IP Gateway Client option.”

The EMC Secure Remote Support IP (Device) Client for CLARiiON option

ESRS IP Client for CLARiiON software monitors the operation of your CLARiiON storage systems for error events and automatically notifies your service provider of error events. The benefits of using the ESRS IP Client for CLARiiON are:

Only a single monitoring station is required for the ESRS Client. In the past, you needed two monitoring stations: one for the Navisphere/Unisphere packages and one for the ESRS Gateway software.

o You can install it on a Windows virtual machine.

o It supports auto-registration of the CLARiiONs. It includes support for management tools like Navisphere Manager, Unisphere, Unisphere Service Manager, and NaviSecCLI.

It is easier to configure a portal (to the storage system running the highest level of FLARE® code); the process is user-friendly and includes easy-to-understand help and instructions.

Furthermore, it performs auto-discovery of all CLARiiONs in a domain.

It includes support for auto-registration of CLARiiON systems with the EMC Device Relationship Manager (DRM). The DRM manages all customer devices for proactive or reactive remote support management.

The ESRS Client is backward-compatible, allowing you to monitor CLARiiON storage systems running release 19 or later. (However, at least one storage system in the environment must be running FLARE release 23 or later.)

The installer for the ESRS IP Client for CLARiiON software suite includes the monitoring programs shown in Figure 1. A short description of these programs follows:

Central Event Monitor - This application continuously polls CLARiiON storage systems for their latest event log entries. Using the call-home template filter file, Event Monitor then processes the events for each storage system. If an event match is found between the call-home filter file and a storage system event, an alert is sent to the EMC Customer Support Center.

ConnectEMC - Simplifies and standardizes the method EMC products use for service notification operations that transport event files to EMC support. ConnectEMC enables event file transfers from the monitoring workstation to EMC and to the EMC Secure Remote Support Gateway server using modem, SMTP, FTP or HTTPS communication protocols. All event files are first encrypted using FIPS 140-2 specified RSA BSAFE security before they are transported to EMC or the Gateway server.

Reactive SP - Collects diagnostic information about the


also sends call-home files to EMC.

Automated Array Configuration Capture Utility – This tool runs as a service on the customer’s Windows workstation. The tool captures CLARiiON storage-system configuration data every seven days and sends the data file to EMC. The configuration data is then used to maintain accurate and up-to-date storage systems records in the EMC Customer Service Infrastructure databases.

EMCRemote and RemotelyAnywhere – These are remote access applications that EMC uses for remote diagnostics and troubleshooting. EMCRemote is a proprietary remote access application. As such, only authorized personnel have access to the application. By default, EMCRemote encrypts all data communicated between the host and the client using advanced data encryption techniques. EMCRemote is used over a modem connection to remotely access a Windows workstation or over an IP connection to remotely access a storage-system storage processor.

The ESRS IP Device Client (agent) - Provides a secure, IP-based, centralized remote service support solution to give command, control, and visibility of remote support access.

Figure 1 CLARiiON centralized monitoring

The ESRS Client controls remote access to your devices, maintains an audit log of remote connections, and supports file transfer operations.

[Figure 1 diagram: the monitored arrays, the portal system (array or off-array management server), and the monitoring station running Central Monitor, ConnectEMC, the ESRS Agent, ACU, and RSC, with call-home paths to EMC by encrypted e-mail through an SMTP server, by ESRS, and by modem dial-out, and an inbound ESRS connection to the arrays.]

The default is to allow the ESRS IP Client for CLARiiON to remotely monitor the CLARiiON storage systems. If more control is required over remote access to your monitored storage systems, you can use the ESRS Policy Manager software to set authorization permissions. EMC recommends that you install the Policy Manager software component on a dedicated server that is different from the server on which the ESRS IP Client for CLARiiON software is installed.

For detailed information on the installation and configuration of the ESRS IP Client for CLARiiON, see the EMC Secure Remote Support IP Client for CLARiiON Requirements and Installation document available on Powerlink®.

The EMC Secure Remote Support IP Gateway Client option

The ESRS IP Gateway option resides on a dedicated customer-provided server located behind any external firewalls. For a highly available configuration, you can add a peer Gateway server. The Gateway solution also includes an optional Policy Manager application that enables customizable control of EMC’s remote support activity. Although the Policy Manager application is optional, EMC strongly recommends implementing it to provide access authorization and an audit log. With the Policy Manager, you can control how EMC interacts with the storage system. Each policy has three possible settings. You can select Always Allow or Never Allow EMC to connect in the specified manner. There is also an option to Ask for Approval before making the connection. With this option, the Policy Manager sends the user an email asking the user to accept or deny the connection from EMC.
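The three Policy Manager settings described above, modeled as a small decision function with an audit trail. This is an added example, not EMC's code: the `PolicyModel` class, keying policies by tool name, denying requests that have no policy, and the numeric request ids are all assumptions made for illustration.

```python
from dataclasses import dataclass, field
from enum import Enum


class Setting(Enum):
    # The three settings named in the technical note.
    ALWAYS_ALLOW = "Always Allow"
    NEVER_ALLOW = "Never Allow"
    ASK_FOR_APPROVAL = "Ask for Approval"


@dataclass
class PolicyModel:
    """Hypothetical model of per-tool remote-access policy with an audit log."""
    policies: dict                                   # tool name -> Setting
    audit_log: list = field(default_factory=list)    # every decision is recorded
    pending: dict = field(default_factory=dict)      # request id -> (engineer, tool)
    next_id: int = 1

    def _audit(self, who, action, outcome, approver=None):
        self.audit_log.append(
            {"who": who, "action": action, "outcome": outcome, "approver": approver})
        return outcome

    def request(self, engineer, tool):
        """Return 'allowed', 'denied' or 'pending:<id>' for a connection request."""
        # Assumption: a tool with no configured policy is denied (fail closed).
        setting = self.policies.get(tool, Setting.NEVER_ALLOW)
        if setting is Setting.ALWAYS_ALLOW:
            return self._audit(engineer, tool, "allowed")
        if setting is Setting.NEVER_ALLOW:
            return self._audit(engineer, tool, "denied")
        # Ask for Approval: park the request until the customer answers the
        # approval e-mail; nothing is opened while the request is pending.
        req_id = self.next_id
        self.next_id += 1
        self.pending[req_id] = (engineer, tool)
        return self._audit(engineer, tool, f"pending:{req_id}")

    def answer(self, req_id, approver, accept):
        """Apply the customer's accept/deny to a pending request."""
        # An unknown or already-answered id cannot open a session.
        if req_id not in self.pending:
            return self._audit(approver, f"answer to request {req_id}", "denied")
        engineer, tool = self.pending.pop(req_id)
        outcome = "allowed" if accept else "denied"
        return self._audit(engineer, tool, outcome, approver)


def demo():
    # Constructed sample policy; the tool names are taken from the note,
    # the settings chosen for each are invented for this example.
    pm = PolicyModel({
        "Navisphere Manager": Setting.ALWAYS_ALLOW,
        "RemotelyAnywhere": Setting.ASK_FOR_APPROVAL,
        "EMCRemote": Setting.NEVER_ALLOW,
    })
    results = [
        pm.request("engineer-1", "Navisphere Manager"),
        pm.request("engineer-1", "EMCRemote"),
        pm.request("engineer-1", "Ktcons"),            # no policy configured
        pm.request("engineer-1", "RemotelyAnywhere"),  # needs approval
        pm.answer(1, "storage-admin", accept=True),
        pm.answer(1, "storage-admin", accept=True),    # same id answered twice
    ]
    return results, pm.audit_log


if __name__ == "__main__":
    outcomes, log = demo()
    for entry in log:
        print(entry)
```
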

During normal operation, the Secure Remote Gateway sends a heartbeat to EMC every 30 seconds. Each heartbeat contains a small datagram that identifies the Gateway server and updates the status of the monitored storage systems. The heartbeat is also the method by which EMC communicates with the Gateway. It is important to note that all communication between EMC and the Gateway is initiated by the Gateway at the customer site and is conducted using industry-standard Secure Socket Layer (SSL) encryption.

When a CLARiiON storage system detects a problem, the Gateway server that monitors the CLARiiON systems receives an alert and sends this alert to EMC during the next Gateway heartbeat. EMC decrypts the file and creates a CLARiiON support ticket to address the problem. This process does not use the ESRS IP Client for CLARiiON to monitor the CLARiiON storage systems. However, it is also possible to install the ESRS IP Client for CLARiiON on a separate server and use it to monitor and auto-register the CLARiiON storage systems.


An authorized EMC support professional then opens the ticket. If necessary, the EMC support professional requests remote access to the CLARiiON storage system from the Gateway. If present, the Policy Manager enforces all customer policies during the Gateway access. Once the session has been approved, the Gateway opens an encrypted remote access session with the CLARiiON storage system. This allows an EMC support professional to remotely diagnose, and if possible, solve the problem.

CLARiiON remote access security considerations

The EMC Secure Remote Support suite of solutions is designed with strong security features and flexible options for remote access. Information related to remote access activity is readily available for auditing purposes. At installation, EMC personnel set the remote access security options for the user. Each service is installed on a customer-supplied workstation. The level of security of CLARiiON Remote Support depends on the security attributes of each solution and the implementation of security at the installation site.

WebEx security

WebEx services are delivered on demand over the global Cisco WebEx Collaboration Cloud. The WebEx Collaboration Cloud offers better than 99.99% reliability, as well as robust security, to meet your strict requirements. Your session content is never stored on our servers, and 128-bit SSL and 256-bit AES encryption ensures privacy during transmission. WebEx services are stringently audited against ISO-17799 standards with compliance details provided in a SAS 70 Type II report and other third-party security reports.

EMC Secure Remote Support IP solution security

EMC strongly recommends the EMC Secure Remote Support IP solution for users who require customizable security options due to federal, industry, or corporate regulations. Enhanced security features such as encryption, access controls, authentication, audit, and authorization address today’s stringent compliance regulations. This solution offers a secure architecture from end to end, including the following features:

• EMC issues X.509 digital certificates to authenticate the ESRS IP Gateway or ESRS IP Client for CLARiiON to EMC.

• EMC professionals are authenticated using two unique factors.

logged with all their actions.

• All communication originates from the remote site. The ESRS IP Gateway and the ESRS IP Client for CLARiiON do not accept unsolicited connections from EMC or the Internet.

• The heartbeat uses HTTPS and SOAP to ensure a firewall-friendly solution.

• All communications between EMC and the ESRS IP Gateway or ESRS IP Client for CLARiiON use the latest security practices and encryption technologies, including certificate libraries based on RSA Lockbox technology and Advanced Encryption Standard (AES) 256-bit encryption.

• Those who implement the ESRS IP Gateway or ESRS IP Client for CLARiiON solution can further control remote access by using the Policy Manager. The Policy Manager gives full control of how EMC interacts with CLARiiON storage. SSL is available between the ESRS IP client and the Policy Manager.

Collaborative escalation process

In addition to EMC’s Secure Remote Support technology, issues are proactively handled by skilled technical support engineers and onsite service professionals – allowing for complete support coverage. While a field-based CE is en route to the site, the remote support professional remains in contact with the storage system and monitors it continuously. When the CE arrives, the EMC Customer Support Center provides them with the very latest system diagnostic information, minimizing the need for further onsite diagnostics and testing, and enabling resolution in the shortest time possible. If a part needs to be replaced, the part can be dispatched for arrival with the CE or before they arrive.

Conclusion

EMC offers customers flexible remote support solutions. The solutions available for the CLARiiON product line include the email-home WebEx and the IP-based EMC Secure Remote Support solution. Each solution comes with a unique set of advantages. The email-home WebEx solution works with an Internet connection, reducing phone line costs, and allows customers to control, observe, and monitor a remote support session. The EMC Secure Remote IP solution is EMC’s newest and most robust remote support. This solution offers customers the highest possible level of security. Authentication, authorization, audit logging, and encryption ensure that customers and EMC can use the system with confidence.

Furthermore, with the Policy Manager, customers have the flexibility to choose exactly which services EMC uses to support their systems. Although EMC’s portfolio of secure remote support technology is comprehensive, EMC does not stop with that. Customers also receive the support of EMC’s trained and professional support team, who work quickly and effectively to resolve issues.

References

On EMC.com:

• EMC Secure Remote Support page
• EMC Secure Remote Support IP Solution service overview

On the EMC Powerlink website:

• Remote Hardware Support: A Detailed Review Technical Notes
• EMC Secure Remote Support IP Solution PowerPoint customer presentation
• EMC Secure Remote Support IP Client for CLARiiON Requirements and Installation
• ConnectEMC for Windows Users Guide
• ConnectEMC for Windows Release Notes
• EMCRemote Users Guide

Copyright © 2009, 2010 EMC Corporation. All Rights Reserved.

EMC believes the information in this publication is accurate as of its publication date. The information is subject to change without notice.

THE INFORMATION IN THIS PUBLICATION IS PROVIDED "AS IS." EMC CORPORATION MAKES NO REPRESENTATIONS OR WARRANTIES OF ANY KIND WITH RESPECT TO THE INFORMATION IN THIS PUBLICATION, AND SPECIFICALLY DISCLAIMS IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

Use, copying, and distribution of any EMC software described in this publication requires an applicable software license.

For the most up-to-date listing of EMC product names, see EMC Corporation Trademarks on EMC.com. All other trademarks used herein are the property of their respective owners.
