ESRS Gateway Customer Implementation Guide

EMC Secure Remote Support Gateway
Customer Implementation Guide

Version 2.3

2 ESRS Gateway Customer Implementation Guide 2.3

Contents
ESRS Gateway Solution Technical Overview ................................................................................................. 3
Documentation and Software ...................................................................................................................... 6
Architecture and Specifications .................................................................................................................... 6
Gateway Client ........................................................................................................................................ 6
High Availability Architecture ................................................................................................................... 6
Policy Manager ........................................................................................................................................ 7
Policy Manager Redundancy .................................................................................................................... 7
Co-located Gateway Client and Policy Manager ....................................................................................... 7
Virtual Machine Support .......................................................................................................................... 7
Configuration Options .............................................................................................................................. 7
Licensing Requirements (EMC) ....................................................................................................................10
Device Support ...........................................................................................................................................11
Device Management IP addresses ...........................................................................................................11
Clariion and VNX Block Support...............................................................................................................12
Brocade Switch Support ..........................................................................................................................12
Cisco Switch Support ...............................................................................................................................12
Device Call-Home Support ......................................................................................................................13
Server Preparation ......................................................................................................................................14
Configure Internet Information Services (Gateway Client Only) ...............................................................14
Configure Local User Accounts (Gateway Client Only) .............................................................................14
Configure Domain Name Resolution for EMC Enterprise Servers .............................................................18
Network Preparation ..................................................................................................................................19
Gateway Client to EMC Communication ..................................................................................................19
Gateway Client to Policy Manager Communication .................................................................................19
Device Management Interfaces ...............................................................................................................20
Gateway Client to EMC Device Communication.......................................................................................20
Environment Validation ..............................................................................................................................24
Install Customer Environment Check Tool (CECT) ....................................................................................24
Configure CECT Test Parameters .............................................................................................................24
Run CECT Tests .......................................................................................................................................24
Analyse CECT Test Results .......................................................................................................................24
Collect CECT Test Logs .............................................................................................................................24
Change Control (EMC).................................................................................................................................25
CCA Requirements ..................................................................................................................................25
Solution Implementation ............................................................................................................................25
Obtaining ESRS Software .........................................................................................................................25
Installation ..............................................................................................................................................25
Deploy EMC Devices ...............................................................................................................................26
RemotelyAnywhere Support ...................................................................................................................27
Configure and Test Device Call-Home......................................................................................................27
Test Remote Connectivity .......................................................................................................................27
APPENDIX A: Troubleshooting Device Connectivity Issues ...........................................................................28
APPENDIX B RemotelyAnywhere Access Filter Configuration ....................................................................32

ESRS Gateway Customer Implementation Guide 2.3 3

ESRS Gateway Solution Technical Overview
Refer to the Secure Remote Support Technical Description document on Powerlink for more detailed
information about the ESRS Gateway solution features and functionality.
The EMC Gateway solution provides secure, IP-based connectivity to your EMC platforms that enables pro-
active, round-the-clock remote support. Advanced security features address Government and industry
regulations to keep you in compliance, while the IP-based connection accelerates time to resolution and
lowers costs.
ESRS Gateway solution is designed to address the concerns of Security and Network Administrators. The
Policy Manager application allows you to determine when and how EMC can access your systems. The
firewall-friendly architecture eliminates the need to open inbound ports and allows you to install the ESRS
Gateway solution where it fits your security policies.
ESRS Gateway Client
The ESRS Gateway Client is installed on a dedicated server running Windows 2003 or Windows 2008 and
acts as the conduit for all communication between EMC and the Managed Devices. EMC does not have
visibility or access to the Windows OS from outside the customers network environment.
ESRS Policy Manager
The optional Policy Manager enables the customer to set permissions for devices being managed by the
Gateway Client. The three options for each policy are Always Allow, Ask for Approval and Never
Allow.
When an action requires Customer approval, the Policy Manager sends an email message to a designated
mail address and the customer must use the Policy Manager interface to Accept or Deny the request. Policy
filters allow different policies to apply at different times of the day or week depending on customers
requirements.
The Policy Manager uses the Apache Tomcat engine and a local JDBC relational database to provide a
secure web-based user interface for policy management. Optionally it may be configured to use and
external LDAP directory server such as SunOne or OpenDS.
The Policy Manager also maintains an audit log of all remote actions and requests that have occurred on
the Gateway Client. EMC personnel do not have visibility of the Policy Manager Application or Windows OS
from outside the customers network environment.
High Availability Option
EMC recommends two or more
Gateway Clients be deployed for
High Availability. In this
configuration, the two Gateway
Clients behave as Active-Active
peers that manage the same set
of devices and can be located in
different physical locations.
There is no direct communication
between Gateway Clients,
synchronization occurs via the
heartbeat process back to EMC.
The figure on the right shows an
example of a High Availability
Gateway Client topology with
Policy Manager.


Solution Security
All communication between the Gateway Client and EMC is initiated from the customer side and
incorporates the latest security practices and encryption technologies, including RSA Lockbox technology
based on FIPS Certified OpenSSL libraries and Advanced Encryption Standard (AES) 256-bit encryption.
At install time, each Gateway Client is issued with an RSA SecurID authenticated digital certificate based on
the X.509 standard. All communication between EMC and the Gateway Client requires bilateral
authentication these digital certificates.
This firewall-friendly communication technology, using SSL VPN gateway tunnels, only requires enabling of
outbound communication over SSL default ports 443 and 8443. Remote access to your EMC storage devices
is secured using a session-based IP port-mapping solution.
Proxy Server
Network traffic can be configured to route from the Gateway Clients though proxy servers to the
Public Internet. Such configurations include support auto-configuration, HTTP and SOCK proxy
standards.
Heartbeat Monitoring
The Gateway Client sends a regular
Heartbeat to EMC in 30-second
intervals, containing a small
datagram that identifies the
Gateway server and provides EMC
with status information on the
health of the managed EMC
devices.
Should EMC not receive a
Heartbeat from the Gateway
Client for 30 minutes, a Service Call
is automatically generated for
investigation by EMC Support.
The figure on the right shows the
Heartbeat process from the
Gateway Client to the EMC
backend servers.
Remote Notification
When an alert condition occurs on
a managed device, an event
message file is generated by the
device and is transferred to the
Gateway using FTP, SMTP or HTTPS
protocols.
The Gateway Client compresses,
encrypts and then forwards the
message to EMC using the same
secure SSL VPN tunnel technology
used for all other communication
to EMC.
Remote Notification process from
the Gateway Client to the EMC
backend servers.

Remote Access
Two-level authentication is used to remotely connect to an ESRS managed device. Before an EMC support
specialist can access a managed device, they must be authenticated on the EMC network and
authenticated on the Remote Connection application. The support specialist makes a request to access a
ESRS managed device and this request is then queued at EMC until the next Heartbeat is received from the
Gateway Client that manages that device.
In response to the Heartbeat
message, EMC notifies the
Gateway Client of the request
details and the Gateway Client
checks the request details against
the configured access policies for
that device. If access is approved,
the Gateway Client establishes a
separate secure SSL connection
back to EMC.
This secure VPN session only
allows IP traffic between the EMC
Support Specialist who requested
the connection and the managed
EMC device.
Remote Access from the Gateway
Client to the EMC backend servers.


Documentation and Software
All customer viewable documentation is available at powerlink.emc.com at the following location:
Home > Support > Technical Documentation and Advisories > Software ~ S ~ Documentation >
Secure Remote Support > Secure Remote Support (ESRS2)
Recommended documents for customer review are listed below:
Secure remote Support Technical Description
Secure Remote Support Operations Guide
Secure Remote Support Policy Manager Operations Guide
Secure Remote Support Site Planning Guide
Secure Remote Support Port Requirements
Secure Remote support Release Notes
The Customer Environment Check Tool is used to verify the readiness of the ESRS environment and can be
downloaded from powerlink.emc.com at the following location:
Home > Support > Product and Diagnostic Tools > Environment Analysis Tools > Customer Environment
Check Tool (CECT)
In addition to the above official EMC documentation, customised documentation is also available from your
EMC Account Service Representative (ASR) to assist with planning and preparation of the ESRS Gateway
Solution. Please request the following:
ESRS Gateway Pre-Install Checklist
ESRS Gateway Customer Implementation Guide (this document)
ESRS Gateway CECT Procedures
Customer Environment Check Tool
CECT Analyser Tool (Zip File)

Architecture and Specifications
Refer to the Secure Remote Support Site Planning Guide and Secure Remote Support Technical Description
for more detailed information about the hardware requirements to implement the ESRS Gateway solution.
Gateway Client
The minimum requirement for ESRS is a single Gateway Client running on a dedicated Windows 2003 or
2008 server. The Gateway Client acts as a conduit for all communication between EMC and the EMC
managed devices at the customer site. The Gateway Client can manage EMC devices across multiple
locations. EMC do not have visibility to the Windows OS from outside the customers environment.
High Availability Architecture
For redundancy, two Gateway Clients can be configured in a High Availability cluster. In this configuration,
both Gateway Clients manage the same set of devices and if one Gateway is unavailable, the other
Gateway is able to provide remote access capability for all devices. The Gateway Clients should be located
at different sites for maximum redundancy.
Documentation and Software Checklist
ESRS Gateway Pre-Install Checklist
Customer Environment Check Tool
ESRS Gateway CECT Procedures
CECT Analyser Tool

Policy Manager
The Policy Manager is an optional component that enables the customer to set access permissions for the
EMC devices being managed by the Gateway Client. The Policy Manager also maintains and audit log of all
remote access actions and requests that have occurred on the Gateway Client. EMC do not have visibility to
the Windows OS or Policy Manager functionality from outside the customers environment.
Policy Manager Redundancy
If the Policy Manager fails, the Gateway Clients will still be able to provide remote access to EMC managed
devices using a cached copy of the last known policy configuration. If the last known policy for a managed
device was set to Ask for Approval or Never Allow , the Gateway will Deny access to that device. If the
policy was set to Always Allow, the Gateway will continue to allow remote access to that device.
A second Policy Manager can be configured as a Cold Standby. When the Production Policy Manager fails,
the customer must manually activate the Standby Policy Manager using a backup of the Production Policy
Managers database.
Co-located Gateway Client and Policy Manager
The Gateway Client and Policy Manager can be co-located on a single dedicated server. This configuration is
not recommended for production environments and is not supported in a High Availability configuration.
Since the Gateway Client requires remote access via the Public Internet and the Policy Manager requires
internal network access only, combining these two roles into a single server may implications for the
customers security requirements and network environment.
Virtual Machine Support
Hyper-V virtual machines can be used to host the Gateway Client only. The Policy Manager software is not
yet qualified for Hyper-V support.
VMWare virtual machines based on VMWare ESX 2.5.2 or later can be used to host the Gateway Client and
Policy Manager servers, with the following caveats:
Dual Gateway Configurations should have Gateway Client virtual machines on separate physical servers
If possible, avoid placing Gateway Client virtual machine on storage provided by EMC Managed devices
VMotion is supported for the Policy Manager only, VMotion is not supported for the Gateway Client
Configuration Options
The table below lists the common configuration options and the number of servers required for each. The
recommended configuration option for most environments is Dual Gateway Clients configured as a High
Availability cluster, plus a separate Standalone Policy Manager.
Configuration Server Qty
Single Gateway Client Server One
Co-Located Gateway Client Server with Policy Manager
NOTE 1
One
Single Gateway Client Server and Standalone Policy Manager Two
Dual High Availability Gateway Client Servers Two
Dual High Availability Gateway Client Servers and Standalone Policy Manager
NOTE 2
Three
Dual High Availability Gateway Client Servers and Standalone Policy Manager with additional
Cold-Standby Policy Manager
NOTE 3

Four
Notes
1. Co-Located Gateway Client and Policy manager only recommended for non-production environments.
2. The recommended configuration for most customers is the Dual High Availability Client servers with separate
Policy Manager server.
3. The Cold Standby Policy Manager maintains a copy of the running Policy Manager database and must be
manually activated by the customer.

Standalone Gateway Client Server Specifications
The ESRS Gateway software must reside on a dedicated server.
You may harden the Windows OS to meet network security requirements, as long as the changes do
not inhibit normal ESRS IP Client installation or operation.
Hardware
Processor One or more processors, minimum 2.2 GHz, must support SSE/SSE2 for FIPS compliance
Free Memory Minimum 1 GB RAM, preferred 2GB RAM
Network Single or dual Ethernet adapters ( depending on customer network environment)
Free Disk Space Minimum 1GB for installation (preferably on a storage device of 40 GB or larger)

Software
Operating System
Windows Server 2003 R1 or R2, 32-bit or 64-bit, SP1 or SP2 or SP3
Windows Server 2008 R1, 32-bit or 64-bit, SP1 or SP2
NOTE 1

Windows Server 2008 R2, 64-bit, SP1 or SP2
NOTE 1
Windows Server 2008 R2, Datacenter or Enterprise Editions, 64-bit, SP1or SP2
NOTE 1
Microsoft .NET Framework 2.0 SP1 or greater (3.5 & 4.0 not compatible)
Microsoft Visual C++ 2005 SP1 Runtime Library installed
Microsoft Internet Information Services (IIS), FTP and SMTP services enabled
EMC OnAlert and ESRSConfig Local User accounts created
Remote Desktop installed
NOTE 2

Notes
1. Domain credentials not supported for Windows 2008
2. If EMC needs to remotely access a desktop to verify ESRS IP configuration or to troubleshoot, EMC will contact
you for a WebEx session and ask you to establish a Remote Desktop session to the Gateway or Policy Manager
Standalone Policy Manager Server Specifications
Policy Manager may reside on a shared server, but there may be some restrictions, example:
o Policy Manager cannot reside on same server as EMC Control Center
o Conflicts with other applications that uses the Tomcat Web server or ports 8090 and 8443
Hardware
Processor One or more processors, minimum 2.1 GHz
Free Memory Minimum 1GB RAM, preferred 2GB RAM
Network Single or dual Ethernet adapters ( depending on customer network environment)
NOTE 1
Software
Operating System
Windows XP (SP2 or later), Windows Server 2003, Windows Vista
Microsoft .NET Framework 2.0 SP1 or greater (3.5 & 4.0 not compatible)
Microsoft Windows Task Scheduler running and unrestricted
NOTE 2

NOTE 3

Notes
1. Disk Space will be consumed due to audit logging. Ensure that adequate disk space is maintained.
2. Task Scheduler required for Policy Manager Database backup


Co-located Gateway Client and Policy Manager Server Specifications
Recommended for test environment only
No High Availability Option
The ESRS Gateway software must reside on a dedicated server.
You may harden the Windows OS to meet network security requirements, as long as the changes do
not inhibit normal ESRS Software installation or operation.
Hardware
Processor One or more processors, minimum 2.2 GHz, must support SSE/SSE2 for FIPS compliance
Free Memory Minimum 3 GB RAM
Network
Minimum single 10/100 Ethernet adapter, preferred Gigabit Ethernet adapters (may require
dual Ethernet depending on customer network configuration and environment)
NOTE 1
Software
Operating System
Windows Server 2003 R1 or R2, 32-bit or 64-bit, SP1 or SP2
NOTE 2

NOTE 2

Microsoft .NET Framework 2.0 (or a newer version that is backward compatible with 2.0)
Microsoft Visual C++ 2005 SP1 Runtime Library installed
Microsoft Windows Task Scheduler running and unrestricted
NOTE 3

Microsoft Internet Information Services (IIS),FTP and SMTP services enabled
EMC OnAlert and ESRSConfig Local User accounts created
NOTE 4

Notes
1. Disk Space will be consumed due to audit logging. Ensure that adequate disk space is maintained.
3. Domain credentials not supported for Windows 2008
2. Task Scheduler required for Policy Manager Database backup

Architecture Checklist
Select Configuration Option
Specify location for each Gateway Client servers
Advise EMC Account service Representative on the number and location of Gateway Client servers

Licensing Requirements (EMC)
The EMC Account Representative is responsible ensuring that the correct number of ESRS Gateway
software licenses (zero cost) are ordered from EMC Sales several weeks prior to installation.
The license is required to install the Gateway Client software (not required for Policy Manager) and must be
registered against the Party ID corresponding to the physical location of the Gateway Client server.
During installation of the Gateway Client, the user will enter the Party ID of the Gateway Client and the
EMC Enterprise server will check the CSI Install Database for a corresponding ESRS Gateway license before
issuing the RSA Digital Certificate for that Gateway Client instance.
The table below lists the quantity of ESRS Gateway licenses required for each configuration option.
Configuration License Qty
Single Gateway Client Server One
Co-Located Gateway Client Server with Policy Manager One
Single Gateway Client Server and Stand Alone Policy Manager One
Dual High Availability Gateway Client Servers Two
Dual High Availability Gateway Client Servers and Standalone Policy Manager (Recommended) Two
Dual High Availability Gateway Client Servers and Standalone Policy Manager with additional
Cold-Standby Policy Manager
Two

Pre-Install Checklist
Correct Number of ESRS Gateway licenses have been ordered
Licenses are installed in CSI Install Base against the correct Party ID
License check performed for each Party ID and the output listed in the ESRS Gateway Pre-Install
Checklist

Device Support
Refer to the Secure Remote Support Release Notes document for latest information about supported EMC
devices.
Device Management IP addresses
The table below lists the EMC devices that can be managed by the Gateway Client and the Management IP
Address requirements for each EMC device. These are the management connections required for ESRS
connectivity and do not include data interfaces.
Product
Management
Interface
Management
Addresses
Notes
ATMOS Appliance One per node Connect to management interface on each node
AVAMAR Appliance One Connect to the Utility Node Management port
BROCADE Switch

One Dual-CTP requires Virtual IP Address only
CELERRA Control Station One or more
Dual Control Station configuration requires
Primary, Secondary and Active IP Addresses.
CENTERA Access Node One or more Recommend minimum of two Access Nodes
CISCO Switch

One Connect to management interface
CLARIION SPA and SPB Two Both SPA and SPB required
DATA DOMAIN Appliance One Connect to management interface
DL3D
Engines,
SPA and SPB
Three Both SPA and SPB required
DLM Control Station One or more
Primary, Secondary and Active IP Addresses
DLM 6000 & 8000
Access Control
Point
One or more
Dual Access Control Point configuration requires
Primary, Secondary and Active IP Address
EDL
Engines,
SPA and SPB
Three or four
Dual Engine configuration requires Service IP
address of both Engines.
Both SPA and SPB required for Clariion backend.
GREENPLUM DCA Appliance One Connect to management interface
RECOVERPOINT Appliance One per node Connect to each Appliance in cluster
SYMMETRIX &VMAX Service Processor

One Requires single network connection and Static IP
VNX BLOCK SPA and SPB Two Both SPA and SPB required
VNX UNIFIED
Control Stations,
SPA and SPB
Three or more
Primary, Secondary and Active IP Addresses.
Both SPA and SPB required for Block component.
VNXE Appliance One Connect to management interface
VPLEX Appliance One Connect to management interface


Clariion and VNX Block Support
For environments with Clariion or VNX Block devices, the recommended call-home configuration requires a
separate Management Workstation with Monitoring software and diagnostic tools specific to these types
of devices.
With this configuration, remote support comes in to the Storage Processors via the ESRS Gateway Client,
while call-home notifications are initiated from the Management Workstation and are sent to EMC via the
ESRS Gateway Client or Customer mail server.
If the environment only contains Clariion and/or VNX Block devices, consider installing the ESRS VNX IP
Client solution. This simplified version of ESRS Gateway combines all the necessary monitoring and
diagnostic tools with a simplified version of the ESRS Gateway, all of which can be installed on a single
Windows workstation.
With this configuration all remote support and call-home functionality is routed via a single Management
Workstation.
Brocade Switch Support
For environments with Brocade switches, the ESRS Gateway Client only provides remote connectivity from
EMC to the switch management ports. Call-home monitoring requires a separate Windows management
workstation with Connectrix Manager to monitor the switches and generate call-home notifications. The
notifications can then be forwarded to EMC via the ESRS Gateway Client or Customer mail server.
Cisco Switch Support
For environments with Cisco switches, the ESRS Gateway Client only provides remote connectivity from
EMC to the switch management ports. Call-home monitoring requires a separate Windows management
workstation with Fabric Manager to monitor the switches and generate call-home notifications. The
notifications can then be forwarded to EMC via the ESRS Gateway Client or Customer mail server.


Device Call-Home Support
The table below lists the supported call-home options for each supported EMC device. Note that the FTP
protocol may not be required if the preferred SMTP or HTTPS call-home methods are used instead.
Product
Call-Home
Source
Email via
Customer
Email via
ESRS Client
FTP via ESRS
Client
HTTPS via
ESRS Client
ATMOS Appliance Preferred
Not
Supported
Not
Supported
Not
Supported
AVAMAR Utility Node Preferred
Not
Supported
Not
Supported
Not
Supported
BROCADE Workstation
NOTE 1
Preferred
Not
Supported
Not
Supported
Not
Supported
CELERRA Control Station Preferred Alternate Alternate
Not
Supported
CENTERA Access Node Preferred
Not
Supported
Not
Supported
Not
Supported
CISCO Workstation
NOTE 2
Preferred Alternate
Not
Supported
Not
Supported
CLARIION Workstation
NOTE 3
Alternate Alternate Alternate Preferred
DATA DOMAIN Appliance Preferred
Not
Supported
Not
Supported
Not
Supported
DL3D Engine Preferred
Not
Supported
Not
Supported
Not
Supported
DLM
Control Station or
Access Control Point
EDL Engine Preferred Alternate
Not
Supported
Not
Supported
GREENPLUM DCA Appliance Preferred
Not
Supported
Not
Supported
Not
Supported
RECOVERPOINT Appliance Preferred
Not
Supported
Not
Supported
Not
Supported
SYMMETRIX &
VMAX
Service Processor

VNX BLOCK Workstation
NOTE 3
VNX UNIFIED Control Station Alternate Alternate Alternate Preferred
VNXE Appliance Preferred Alternate
Not
Supported
Not
Supported
VPLEX Appliance Preferred
Not
Supported
Not
Supported
Not
Supported
NOTES
1. Requires separate Windows monitoring workstation running Connectrix Manager
2. Requires separate Windows monitoring workstation running Fabric Manager Server 5.x or higher
3. Requires separate Windows Monitoring workstation running ESRS VNX IP Client

Populate Device List in ESRS Gateway Pre-Install Checklist, including Call-Home method
Ensure Management Interfaces are available for each device

Server Preparation
The customer is responsible for building the ESRS server hardware or virtual machine, Windows OS, Anti-
virus and backup applications. The Windows OS may be hardened to meet network security requirements,
as long as the changes do not inhibit normal ESRS IP Client installation or operation. In addition, the
customer needs to complete the following tasks:
Install Microsoft .NET Framework (Gateway Client and Policy Manager)
Ensure the Microsoft .NET Framework 2.0 SP2 package is installed on the Gateway Client and Policy
Manager servers. It is bundled with Windows 2008 but if required, it can be downloaded from the
Microsoft download site at:
http://www.microsoft.com/downloads/en/details.aspx?FamilyID=5b2c0358-915b-4eb5-9b1d-
10e506da9d0f&displaylang=en
Refer to the table below for the method of confirming the package is installed and the method for installing
if required:
Windows 2003 Windows 2008 R1 Windows 2008 R2
Confirmation Add/Remove Programs Programs and Features Roles Summary
Installation Add/Remove Programs Windows Update Roles Management
Install Visual C++ Redistributable (Gateway Client Only)
Ensure the Visual C++ Redistributable package is installed on the Gateway Client servers (not required on
Policy Manager). The package can be downloaded from the Microsoft download site at:
http://www.microsoft.com/downloads/en/details.aspx?FamilyID=32bc1bee-a3f9-4c13-9c99-
220b62a191ee&displaylang=en
Refer to the table below for the method of confirming the package is installed and the method for installing
if required:
Windows 2003 Windows 2008 R1 Windows 2008 R2
Confirmation Add/Remove Programs Programs and Features Programs and Features
Installation Add/Remove Programs Programs and Features Programs and Features
Configure Internet Information Services (Gateway Client Only)
The Microsoft FTP and SMTP services are used to provide call-home functionality for the managed devices
that support this protocol. The Microsoft IIS and SMTP services must be installed and running prior to the
installation of the Gateway Client software. The FTP service is optional and can be disabled if not required.
Refer to the Device Call-Home Support table on page 9 for information about which devices support these
protocols.
During installation of the Gateway Client, the FTP and SMTP servers will be auto-configured. Modifying the
FTP and SMTP server configuration prior to install may cause the auto-configuration to fail. If auto-
configuration fails during install, an alert will be raised and the user will have to manually configure the FTP
and SMTP servers as per the Gateway Client Server Preparation section of the ESRS IP Solution Operations
Guide.
Configure Local User Accounts (Gateway Client Only)
In addition to the Internet Information Services described above, two Local User Accounts are required to
be configured and enabled prior to the install of the Gateway Client.
The onalert account is used by the managed devices to call-home via the FTP protocol. This account must
be configured and enabled prior to install of the Gateway Client even if the FTP service is not required.
After installation, this account can be disabled.

The EMC devices that support the FTP call-home protocol are pre-programmed to use the same default
password that is specified when creating the onalert account. This password may be modified to meet
customer complexity requirements, however, the EMC devices must also be reconfigured to use the same
password.
The esrsconfig account is used to perform some device deployment functions on the Gateway Client. This
account must be configured and enabled prior to install of the Gateway Client, however, it may be disabled
when the install is completed. The password may be changed from the default to meet customer
complexity requirements.
Configure Windows 2003 Gateway Client
1. Install Internet Information Services (IIS), FTP and SMTP services
a. Go to Start > Control Panel > Add or Remove Programs
b. Select Add/Remove Windows Components
c. Select Application Server and click Details
d. Select Internet Information Services (IIS) and click Details
e. Check the File Transfer Protocol (FTP) Service and SMTP Service options
f. Click OK to exit the Internet Information Services (IIS) options window
g. Click OK to exit the Application Server options window
h. Click Next at the Windows Components window
i. If you receive a Files Needed prompt, insert the required CD-ROM and/or provide the path to
the Windows Installation i386 directory. Click OK to continue.
j. Click Finish when the IIS component installation has completed.
k. Close the Add or Remove Programs application
2. Create the onalert local user account
a. Right-click on My Computer and select Manage
b. Double-click on Local Users and Groups
c. Right-click Users and select New User
d. Enter onalert in the User name field
e. Enter EMCCONNECT (case sensitive) in the Password field
f. Enter EMCCONNECT (case sensitive) in the Confirm Password field
g. Clear the user must change password and next logon checkbox
h. Select the Password Never Expires checkbox
i. Select the User cannot change password checkbox
j. Click Create
3. Create the esrsconfig local user account
a. Enter esrsconfig in the User name field
b. Enter esrsconfig (case sensitive) in the Password field
c. Enter esrsconfig (case sensitive) in the Confirm Password field
d. Clear the user must change password and next logon checkbox
e. Select the Password Never Expires checkbox
f. Select the User cannot change password checkbox
g. Click Create
h. Click Close
i. Close the Computer Management application


Configure Windows 2008 R1 & R2 Gateway Client
1. Install the Internet Information Services and the FTP service
a. Go to Start > Server Manager to start the Server Manager console
b. In the Roles Summary section, click Add Roles
c. If this is the first time you have added a role on this server, the Before You Begin window will
appear. Check the Skip this page by default option and click Next
d. In the Select Server Roles window, select the Web Server (IIS) role and click Next
e. If the Add features required for Web Server (IIS)? window appears, click Add Required
Features
f. Ensure that the Web Server (IIS) role is still selected in the Select Server Roles window.
g. Click Next
h. Read the information in the Web Server (IIS) Introduction window and click Next
i. In the Select Roles Services window, scroll down to the Management Tools section and select
the following features:
i. IIS Management Console
ii. IIS Management Scripts and Tools
iii. IIS 6 Management Compatibility
j. Under the IIS 6 Management Compatibility section, select all the options with that section
k. Scroll down to the FTP Publishing Service and select the FTP Server feature
l. Click Next
m. Click Install at the bottom of the Confirm Installation Selections window
n. The Installation Progress window appears and displays the progress of the installation
o. If the installation is successful, the Installation Results window appears with the message
Installation Succeeded
p. Review the results and click Close
2. Install the SMTP service
b. In the Features Summary section, click Add Features
c. In the Select Features window select the SMTP Server feature
d. If the Add features required for SMTP Server ? window appears, click Add Required Features
e. Ensure that the SMTP Server feature is still selected in the Select Features window.
f. Click Next
g. Click Install at the bottom of the Confirm Installation Selections window
h. The Installation Progress window appears and displays the progress of the installation
i. If the installation is successful, the Installation Results window appears with the message
Installation Succeeded
j. Review the results and click Close
k. Close the Server Manager console
3. Temporarily Disable password complexity requirements to allow default local account passwords
a. Go to Start > Administrative Tools > Local Security Policy
b. Double-click Account Policies in the left pane
c. Click Password Policy in the left pane
d. In the right pane, double-click Password must meet complexity requirements
e. In the Properties window, select Disable and click OK
f. Close the Local Security Policy window


4. Create the onalert local user account
b. Double-click on Local Users and Groups
c. Right-click Users and select New User
d. Enter onalert in the User name field
e. Enter EMCCONNECT (case sensitive) in the Password field
f. Enter EMCCONNECT (case sensitive) in the Confirm Password field
g. Clear the user must change password and next logon checkbox
h. Select the Password Never Expires checkbox
i. Select the User cannot change password checkbox
j. Click Create
5. Create the esrsconfig local user account
a. Enter esrsconfig in the User name field
b. Enter esrsconfig (case sensitive) in the Password field
c. Enter esrsconfig (case sensitive) in the Confirm Password field
d. Clear the user must change password and next logon checkbox
e. Select the Password Never Expires checkbox
f. Select the User cannot change password checkbox
g. Click Create
h. Click Close
i. Close the Server Manager application
6. Re-enable password complexity requirements
a. Go to Start > Administrative Tools > Local Security Policy
b. Double-click Account Policies in the left pane
c. Click Password Policy in the left pane
d. In the right pane, double-click Password must meet complexity requirements
e. In the Properties window, select Enable and click OK
f. Close the Local Security Policy window


Configure Domain Name Resolution for EMC Enterprise Servers
The Gateway Client must be able to resolve the EMC Enterprise server hostnames listed below. If the
Gateway Client does not have access to DNS, then these Hostname/Address pairs should be added to the
Windows hosts file located in C:\Windows\system32\drivers\etc\ directory.

Confirm the Gateway Client server can resolve these names by trying to PING the hostname via Command
prompt as per the example below:

Compatible Windows OS installed on Gateway Client and Policy Manager servers
Microsoft .NET Framework 2.0 Installed on Gateway Client and Policy Manager servers
Visual C++ Redistributable installed on Gateway Client servers
Internet Information Services installed and configured on Gateway Client servers
Local User Accounts configured on Gateway Client servers
Gateway Client able to resolve EMC Enterprise server hostnames
Gateway Client and Policy Manager server configuration information populated in Pre-Install
Checklist
128.221.192.14 esrs-core.emc.com
168.159.218.21 esrs-coredr.emc.com
128.221.192.13 esrs.emc.com
168.159.218.20 esrs-dr.emc.com
128.221.204.210 esrgweprd01.emc.com
168.159.209.11 esrghoprd01.emc.com
152.62.177.11 esrgckprd01.emc.com
137.69.120.170 esrgscprd01.emc.com
152.62.45.11 esrgspprd01.emc.com

Network Preparation
The Customer is responsible for configuring their network environment to support the ESRS IP Solution.
Refer to the Secure Remote Support Port Requirements and Secure Remote Support Technical Description
documents for more information about the network requirements of the ESRS Gateway solution.
Gateway Client to EMC Communication
The Gateway Client server(s) must be able to communicate with the EMC Enterprise servers listed below on
ports 443 and 8443 OUTBOUND using the HTTPS protocol. Use the table below to generate rules for the
external firewall and/or Proxy Server.
If the Gateway Client does not have access to DNS, these hostname/IP Address pairs must be added to the
Windows hosts file.
GATEWAY CLIENT
Port and Direction Destination Hostname Destination IP Address
443 & 8443 esrs-core.emc.com 128.221.192.14
443 & 8443 esrs-coredr.emc.com* 168.159.218.21
443 & 8443 esrs.emc.com 128.221.192.13
443 & 8443 esrs-dr.emc.com* 168.159.218.20
443 & 8443 esrgweprd01.emc.com 128.221.204.210
443 & 8443 esrghoprd01.emc.com 168.159.209.11
443 & 8443 esrgckprd01.emc.com 152.62.177.11
443 & 8443 esrgscprd01.emc.com 137.69.120.170
443 & 8443 esrgspprd01.emc.com 152.62.45.11
NOTE: EMC hosts esrs-coredr.emc.com and esrs-dr.emc.com are DR servers and may not be
responsive during normal operation.
Gateway Client to Policy Manager Communication
If Policy Manager is being configured, the Gateway Client server(s) must be able to communicate with the
Policy Manager server on both HTTP port 8090 and HTTPS port 8443. To generate Access Request
Notifications (Ask for Approval), the Policy Manager must be able to connect to the customer SMTP server.
If an internal firewall exists between the Gateway Client and Policy manager, configure the firewall rules as
per the table below. The ESRS IP Solution Operations Guide contains instructions on how to force the
Gateway Client and Policy Manager to only use HTTPS port 8443 for all communication.
POLICY MANAGER
Port and Direction Destination Function
8090 Gateway Client Access Policy Referral
8443 Gateway Client Access Policy Referral
25 SMTP Server Access Approval Emails


Device Management Interfaces
Refer to the table on Page 11 for the Management IP Address requirements for each EMC device. These are
the minimum requirements for ESRS Gateway connectivity and do not include any additional network
connectivity for data traffic.
Gateway Client to EMC Device Communication
The table below lists the network port requirements for communication between the Gateway Client server
and the EMC managed devices. If there is an internal firewall between the Gateway Client server(s) and the
EMC devices, use this table to generate the list of firewall rules to allow communication.
ATMOS
22 Gateway Client CLI via SSH
443 Gateway Client Atmos WebUI
25 SMTP Server Call-Home
NOTE: Connection to Atmos Appliance management Interface

AVAMAR
80, 443 Gateway Client Enterprise manager
NOTE: Connection to Avamar Utility Node Management interface

BROCADE
23 Gateway Client Telnet (optional)
162 Connectrix Manager SNMP Notifications
NOTE: Connection to switch Management Interface.

CELERRA
80, 443, 8000 Gateway Client Celerra Manager
25 Primary SMTP Server Call-Home
25 Backup SMTP Server Call-Home
25 Gateway Client Call-Home (Optional)
ALL CELERRA MODELS: Connection to Primary Control Station required
DUAL CONTROL STATION: Connection to Secondary Control Station required
DUAL CONTROL STATION: Connection to Alias IP Address (if configured) optional

CENTERA
3218,3682 Gateway Client Centera Viewer
NOTE: Connection to Centera Node external interface, deploy minimum of two nodes.

CISCO
2162 Fabric Manager SNMP Notifications
NOTE: Connection to switch Management Interface.


CLARIION
80,433 Gateway Client Navisphere Manager
5414 Gateway Client EMCRemote
9519 Gateway Client RemotelyAnywhere
6389,6390,6391,6392 Gateway Client Navisphere CLI
60020 Gateway Client RemoteDiagAgent
13456,22 Gateway Client KTConsole
NOTE: Connection to BOTH SPA and SPB required

CONNECTRIX
NOTE: Connection to Windows Workstation running Connectrix Manager and EMC Remote

DATADOMAIN
80, 443 Gateway Client Enterprise Manager
NOTE: Connection to DataDomain Management interface

DL3D ENGINE
443 Gateway Client WebUI
NOTE: Connection to DL3D Management interface

DLM
22 CLI via SSH CLI via SSH
80,443,8000 Unisphere Manager Unisphere Manager
443 Call-Home Call-Home
25 Call-Home (Optional) Call-Home (Optional)
25 Call-Home (Optional) Call-Home (Optional)
ALL DLM MODELS: Connection to Primary Control Station or ACP required
DUAL CONTROL STATION OR ACP: Connection to Secondary Control Station or ACP required
DUAL CONTROL STATION OR ACP: Connection to Alias IP Address (if configured) optional

EDL ENGINE
443 Gateway Client DL Console
SINGLE ENGINE MODEL: Connection to DL Engine Management Interface
DUAL ENGINE MODEL: Connection to Engine-A and Engine-B Service Address
ALL MODELS: Deploy Clariion backend SPA and SPB as Clariion devices.


GREENPLUM
(DCA)
NOTE: Connection to DCA Appliance Management Interface

RECOVERPOINT
NOTE: Connection to Recoverpoint Appliance Management Interface

SYMMETRIX
&
VMAX
1300 Gateway Client SGBD
1400 Gateway Client SWUCH
5555 Gateway Client Chat Server
2223003,23004,23005 Gateway Client InlineCS
443 Gateway Client Call-Home
NOTE: Connection to Service Processor Management Interface

VNX-BLOCK
22 Gateway Client RemoteKTrace
80,443 Gateway Client Unisphere Manager
13456 Gateway Client KTConsole
6391,6392,60020 Gateway Client RemoteDiagAgent
NOTE: Connection to both SPA and SPB Management Interfaces

VNX-FILE
80,443,8000 Gateway Client Unisphere Manager
443 Gateway Client Call-Home
25 SMTP Server Call-Home (Optional)
ALLVNX UNIFIED MODELS: Connection to Primary Control Station required
DUAL CONTROL STATION: Connection to Secondary Control Station required
DUAL CONTROL STATION: Connection to Alias IP Address (if configured) optional

VNXE
80,443 Gateway Client Unisphere Manager
NOTE: Connection to both SPA and SPB Management Interfaces


VPLEX
443 Gateway Client Element Manager
NOTE: Connection to Appliance Management Interface

Configure external firewall rules for Gateway Client to EMC Enterprise communication
Configure internal firewall rules for Gateway Client to EMC managed device communication
Configure internal firewall rules for Gateway Client to Policy Manager communication

Environment Validation
The Customer Environment Check Tool (CECT) is used to verify the readiness of the ESRS Gateway Client
server(s) for installation of the ESRS software. The CECT will check that the server meets all the
specifications and configuration requirements. It will also confirm network connectivity to the EMC
Enterprise servers, the Policy Manager and EMC devices.
Install Customer Environment Check Tool (CECT)
Refer to the ESRS Gateway CECT Procedures documents for installation instructions.
Install the CECT on all Gateway Client servers in the environment.
Configure CECT Test Parameters
Configure the CECT Tool Server Environment Tests as per Scenario 1 of the ESRS Gateway Solution CECT
Procedures document.
If Policy Manager is going to be configured, make sure the CECT Test Parameters screen contains the Policy
Manager address.
Configure the Device List to contain all the tests for the EMC devices that will be managed by the Gateway
Client server(s).
Run CECT Tests
Run the CECT tests and review the test results for obvious errors.
Analyse CECT Test Results
The CECT Analyser Tool is a HTML based utility that will analyse the CECT Test Log File and provide a
graphical summary of the test results and provide recommendations for tests that have failed.
Refer to Appendix C of the ESRS Gateway CECT Procedures document for instructions on how to use the
CECT Analyser Tool.
Collect CECT Test Logs
Refer to the section Collect Logs in the ESRS Gateway CECT Procedures document for instructions on how
to obtain the CECT Test logs.
If you require assistance with the analysis of the CECT Test results, forward the CECT log files to your EMC
Account Representative to arrange a specialist to assist.
If the CECT Test results are Passed by the CECT Analyser Tool, forward the successful CECT log from each
Gateway Client server for EMC Change Control submission.

Install Customer Environment Check Tool on each Gateway Client server
Configure CECT Test parameters for Gateway Pre-Installation Scenario
Configure Device tests for each EMC device that will be managed by the Gateway Client server
Run CECT Test
Use CECT Analyser Tool to verify CECT Test results
Forward successful CECT Test log file to EMC Account Representative (one per Gateway Client)


Change Control (EMC)
All new ESRS Gateway installations are subject to an EMC Change Control process. This process ensures
that all preparation tasks have been completed and verified by a subject matter expert. EMC is responsible
for submitting and gaining Change Control approval prior to the scheduled installation date.
CCA Requirements
The following is required to submit Change Control:
A completed ESRS Gateway Pre-Install Checklist (including both EMC and Customer required
information)
A successful CECT test log file for each Gateway Client server. Use CECT Analyser Tool with the
Gateway Pre-Install Scenario selected to verify the CECT test log.
Solution Implementation
The ESRS Gateway solution must be installed by a qualified EMC employee or Authorised Service Partner.
An RSA SecurID key is required to download and provision the Digital Certificate used by the ESRS Gateway
Client to authenticate communication with EMC.
Obtaining ESRS Software
The ESRS Gateway solution software includes the following:
Customer Environment Check Tool used to verify the environment
Provisioning Tool used to install the ESRS Gateway Client software
Policy Manager Policy Manager software
The Provisioning Tool and Policy Manager are not available for public download and must be supplied by
the installer. Typically the packages are made available at an FTP location so that the customer can
download the packages and copy to the Gateway Client and Policy Manager servers prior to the agreed
installation time.
Installation
The installation can be performed remotely via a Webex session to the customers workstation and then
using Remote Desktop to access the Gateway servers. If Webex is not allowed or supported then the
installer will need to perform the install from the customers premises.
The high level steps to install the ESRS IP Solution are as follows:
1. Install first Gateway Client via the Provisioning Tool
2. Create HA Cluster and enrol first Gateway Client via Servicelink
3. Under Manage Devices, edit the Party ID list to include all required Party IDs associated with that
customer
For HA Gateway Configuration:
4. Install second Gateway Client via Provisioning Tool
5. Enrol second Gateway Client to HA Cluster via Servicelink
For Policy Manager:
6. Install Policy Manager
7. Configure Gateway Client(s) to use Policy Manager via the Configuration Tool


Deploy EMC Devices
The EMC or Authorised Partner installer will deploy the devices listed in the ESRS Gateway Pre-Install
Checklist that was submitted and approved by the EMC Change Control Process. The devices will be
deployed via the Servicelink Portal website and the process may not be visible to the customer.
Some devices have multiple interfaces associated with the same serial number; these interfaces are
designated with suffixes as per the table below.
PRODUCT SUFFIX DESTINATION
ATMOS -1 to -16 Node ID
AVAMAR None Utility Node
CELERRA
-P Primary Control Station
-S Secondary Control Station (for Dual Control Stations only)
-A Active Control Station (Alias for Dual Control Station only)
CENTERA -1 to -36 Node ID
CLARIION
-A Storage Processor A
-B Storage Processor B
DATA DOMAIN None Appliance
DL3D -1 to -3 Engine ID
DLM
-P Primary Control Station
-S Secondary Control Station (for Dual Control Stations only)
-A Active Control Station (Alias for Dual Control Station only)
DLM 6000 & 8000
-ACP1 Primary Access Control point
-ACP2 Secondary Access Control point (for Dual ACP only)
-ACPA Active Access Control Point (Alias for Dual ACP only)
EDL
-A Engine A Service IP
-B Engine B Service IP
GREENPLUM DCA
-B Backup Node
-P Primary Node
RECOVERPOINT -1 to -16 Node ID
SWITCH-BROCADE None Switch
SWITCH-CISCO None Switch
SYMMETRIX None Service Processor
VNX BLOCK
-BLOCKA Storage Processor A
-BLOCKB Storage Processor B
-FILEP Primary Control Station
-FILES Secondary Control Station (for Dual Control Station Only)
-FILEA Active Control Station (Alias for Dual Control Station Only)
VNXE None Management Interface
VPLEX None Appliance


RemotelyAnywhere Support
If you have deployed any VNX BLOCK devices or Clariion devices running FLARE 29 or higher, follow the
procedure in Appendix B to allow RemotelyAnywhere access via ESRS.
Configure and Test Device Call-Home
The EMC or Authorised Partner installer is responsible for configuring the managed devices to call-home via
ESRS (where applicable. Each device type has its own specific procedures to configure and test call-home
via ESRS Gateway Client.
Test Remote Connectivity
The EMC or Authorised Partner installer should confirm remote connectivity to the managed devices via
the Servicelink website.


APPENDIX A: Troubleshooting Device Connectivity Issues
If an ESRS Gateway reports a connectivity issue to a particular device the customer should be instructed to
run the Customer Environment Check Tool from the ESRS Gateway that is reporting the issue.
1. From the Gateway server, go to Start > Programs > ESRS > Customer Environment Check Tool or click
on the Desktop icon

2. From the main CECT application screen, select Tests from the menu bar and click on ESRS IP Customer
Environment Check as shown below.

3. In the Server Environment Tests screen, click on Clear All to clear the existing selection and then select
the Device Application and Port Connection Test. Click Next to continue.

4. In the Configuration Parameters screen, select the Product Type from the scroll list. In this example
Clariion is selected.


5. Select the Check All Apps checkbox to enable all possible application test for this device type.

6. Enter the devices IP Address (you cannot use DNS name) and Serial Number. Click Add Device to add
the selected tests to the Device List.

7. The Device List will now contain one test entry per selected Application for the device. The Status of
the test will show New Device until the configuration is saved.

8. To remove a test entry from the Device List:
Click the box to the left of a Device ID to select the row. (You can also press and hold the
Ctrl key and click to select multiple rows.)
Click Remove.


9. Click on SaveCfg to save the Device List configuration. The Status of newly created entries will change
to Device Added.

10. When the Device List is configured correctly, click Next to continue. At the Test Results screen, click on
Run Tests and wait for the tests to complete.


11. Review the test results. Click on each failed test to view the test information and the particular port
that is being tested.

12. If in doubt about the results, obtain the CECT test Log File for the test run you have just completed.
Open Windows Explorer and find the most recent CECT Test Log file (sort by Date Modified) in the
C:\EMC\ESRS\CECT\Logs directory.


APPENDIX B RemotelyAnywhere Access Filter Configuration
For all VNX Block devices and Clariion devices running FLARE 29 or higher, the RemotelyAnywhere Access
Filter needs to be updated to allow the ESRS Gateway to provide RemotelyAnywhere sessions to the
Storage Processor device. This can be done remotely via ESRS or directly from the customers network.
1. Establish a browser session to the setup page of one of the Storage processor devices:
a. If performing the steps from customer network, open Internet Explorer and browse to
https://<ipaddress>/setup where <ipaddress> is the IP Address on either Storage processor. Click
on Continue to this website at the security prompt.

b. If performing remotely via ESRS, establish a UnisphereUSMNaviSecureCLI (VNX-BLOCK) or
NaviMgr/NaviSecureCLI (Clariion) connection to one of the Storage Processors. When the session
goes ready, browse to https://<ipaddress>/setup where <ipaddress> is the IP Address supplied by
the ESRS Remote Session application. Click on Continue to this website at the security prompt.


2. Enter valid Domain admin account credentials at the login prompt.

3. Scroll down and click on Set RemotelyAnywhere Access Restrictions option


4. Add the ESRS Gateway server(s) IP Address to the Filters that apply to all storage systems in the
Domain section and click Apply. Note if there are two ESRS Gateway servers, make sure both IP
addresses are included in this section.

5. Close the session.

ESRS Gateway Customer Implementation Guide

Încărcat de

Informații document

Drepturi de autor

Formate disponibile

Partajați acest document

Partajați sau inserați document

Opțiuni de partajare

Vi se pare util acest document?

Este necorespunzător acest conținut?

Drepturi de autor:

Formate disponibile

ESRS Gateway Customer Implementation Guide

Încărcat de

Drepturi de autor:

Formate disponibile

EMC Secure Remote Support Gateway

Customer Implementation Guide

S-ar putea să vă placă și