Introduction
Infinidat Remote Support is an optional software running on the Support Appliance (SA).
Purpose
The Infinidat Remote Support provides a means of creating a secure point-to-point connection for supporting InfiniBox, accelerating the resolution of support cases.
The connection through the Remote Support provides Infinidat Support with access to the management interfaces and the backend code only. This is equivalent to attaching a keyboard and a screen to the InfiniBox, with the added benefit of exposing a full audit trail of the support session.
The Remote Support provides the following:
- On-demand secured connection to the InfiniBox on the customer site.
- End-to-end encrypted channel.
- Full customer control of the connection.
- Full visibility and auditing of the session logs.
Terminology
Term | Meaning |
RSA, SA | Remote Support |
RSS | Remote Support Server |
Security
Outbound tunnel | The outbound tunnel connection from the Support Appliance (SA) to the Remote Support System (RSS) is encrypted with TLS 1.2 (2048 bit AES encryption). |
RSA tunnel | On top of that protocol the RSA tunnels regular SSH traffic, which is itself encrypted with SHA256. |
Authentication | The authentication is handled by OpenSSH, which is one of the leading solutions in the world today for secure login. |
Architecture
The Support Appliance (SA) requires a connection to the Infinidat RSS. The connection can be either direct or through a web proxy.
The storage administrator initiates the connection by accessing the SA (port 8000) using a standard browser.
Once a one-time password is set by the customer, the connection is possible only through the tunnel, and only with that password. The internal SSH daemon that serves the session listens only for local connections, so it accepts only connections that arrive through the RSS tunnel. It is the RSA (and not the RSS) that validates the password, so even if the RSS were compromised, it would not grant access to any of the open sessions.
Once a tunnel is stopped, the local process relaying communications to the internal SSH daemon is killed, and thus it becomes impossible to create connections into the SA.
Network topology
The Support Appliance (SA) is a separated server within the InfiniBox rack. It has its own dedicated Ethernet ports.
1 | The customer initiates the connection via the Support Appliance and sends the password to the Infinidat support representative. |
2 | The Support Appliance sends a request to the customer’s Proxy Server. |
3 | The Support Appliance logs into the customer Proxy Server. |
4 | The Support Appliance creates a tunnel to the Remote Support Server. |
5 | The support personnel locate the connected InfiniBox system and connect to the Support Appliance via the Remote Support Server, using the provided password. |
The outbound connection can go through the same network the administrator is connecting from, or through another network.
It is assumed that the Support Appliance (SA) can do one of the following:
- Directly reach the internet, or more specifically the RSS.
- Reach a proxy (HTTPS/SOCKS4/SOCKS5) that lets it access the RSS.
- Reach a proxy through one or more intermediate hops, each hop being a simple, netcat-like TCP tunnel (see Creating network hops further down this document).
Note | For obvious reasons, we recommend restricting the SA outgoing connection in either of the following ways: Both methods of restriction are carried out by the customer's network or firewall settings. |
For the first two cases, the web UI allows the customer to configure the connectivity directly. For the third case, a tunnel must be established first; only then can the web UI be pointed at the first hop as the RSS or proxy address.
Ethernet port connectivity
The following chart provides details on the ports that are used for Remote Support.
Setting-up the Remote Support
Always prefer the InfiniBox GUI for connecting to the Remote Support. If the InfiniBox GUI is not available, use the Challenge Response option.
Ports connectivity
Ports | Protocol | Source | Target | Purpose |
8000, 9000 | TCP | Client (browser) | Support Appliance | HTTPS Remote Support Management |
443 | TCP | Support Appliance | Remote Support Servers: | Remote support session |
Dedicated for MainFrame systems | | | | |
443 | TCP | Support Appliance | callhome-eu.ramen.infiniops.com | Remote support |
Setting-up a remote-support connection from the InfiniBox GUI
To set-up a remote support connection from the InfiniBox GUI:
1 | On the InfiniBox GUI, click the menu icon at the top-right corner of the screen and select Support Console. |
2 | Fill in the following fields and click Connect. The connection is established. |
Challenge-response authentication
The remote support login is performed against the system management layer. When the management layer is not available, challenge-response authentication can be used instead.
1 | Log into the Support Appliance on port 8000 to create a support connection (a proxy may be required to reach the internet). |
2 | Set a session password and initialize a connection. Optional: |
3 | Notify the INFINIDAT support engineer about the connection and the password. |
4 | The INFINIDAT support engineer accesses the tunnel. |
5 | When done, close the connection using the Stop button. |
Session logs
Each of the sessions is fully recorded with ttyrec (read further here: ttyrec). The logs are kept on the RSS and are available to the customer on demand.
Creating network hops
To set up a tunnel, you can use the script (available from Infinidat Support). Run it (no dependencies aside from Python >=2.6):
$ python tunnel.py <local port> <remote address> <remote port>
Logically, the tunnel hops are under the customer's control, and it is preferable that the customer, or someone from the IT/netsec department at the customer site, be aware of and in charge of the intermediate tunnel.
Auditing the support sessions
The Remote Support creates custom events on the InfiniBox for opening a remote support connection and when Infinidat Support connects to the system.
Depending on the Remote Support application version, the events can be either of the following.
CUSTOM_INFO_EVENTS
- Event code: CUSTOM_INFO_EVENT
- Event description: The following descriptions, depending on the reported action:
- Support session started
- Infinidat support connected to the system
- Infinidat support disconnected from the system
- Support session ended
Separate events for session started and ended
Event code | Description |
SUPPORT_CONNECTED | Infinidat support connected to the system |
SUPPORT_DISCONNECTED | EXTERNAL Infinidat support disconnected from the system |
SUPPORT_SESSION_STARTED | EXTERNAL Support session '{session_name}' started, will automatically be closed on {session_expiry_time} |
SUPPORT_SESSION_ENDED | EXTERNAL Support session '{session_name}' ended |
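As an added example (not Infinidat code), the following Python normalizes events of both formats listed above onto one action vocabulary and then audits the sequence: every support connection must fall inside an open session, and every started session must be ended. The (timestamp, code, description) record layout and all sample events are constructed here, since the page does not show how events are exported; the event codes and description texts are the ones listed above.

```python
"""Normalize both InfiniBox remote-support event formats and audit the sequence.
Added example (not Infinidat code); the (timestamp, code, description) record
layout and all sample events below are constructed for illustration."""
import re

# Newer format: one event code per action
CODE_ACTIONS = {
    "SUPPORT_SESSION_STARTED": "session_started",
    "SUPPORT_CONNECTED": "connected",
    "SUPPORT_DISCONNECTED": "disconnected",
    "SUPPORT_SESSION_ENDED": "session_ended",
}
# Older format: a single CUSTOM_INFO_EVENT code, the action only in the description
DESCRIPTION_ACTIONS = {
    "Support session started": "session_started",
    "Infinidat support connected to the system": "connected",
    "Infinidat support disconnected from the system": "disconnected",
    "Support session ended": "session_ended",
}
SESSION_RE = re.compile(r"Support session '(?P<name>[^']*)' (?:started|ended)")


def normalize(code, description):
    """Return (action, session_name) for a remote-support event, else None.
    session_name is None for the older format, which carries no name."""
    if code == "CUSTOM_INFO_EVENT":
        action = DESCRIPTION_ACTIONS.get(description.strip())
        return (action, None) if action else None
    action = CODE_ACTIONS.get(code)
    if action is None:
        return None
    match = SESSION_RE.search(description)
    return action, (match.group("name") if match else None)


def audit(events):
    """Walk (timestamp, code, description) records in time order and return a list
    of findings: connections outside a session, unmatched disconnects/ends, and
    sessions that were started but never ended."""
    findings = []
    open_session = None  # (name, start timestamp) while a session is open
    connected = False
    for ts, code, desc in events:
        norm = normalize(code, desc)
        if norm is None:
            continue  # unrelated InfiniBox event
        action, name = norm
        if action == "session_started":
            if open_session:
                findings.append(f"{ts}: session started while '{open_session[0]}' still open")
            open_session, connected = (name, ts), False
        elif action == "connected":
            if not open_session:
                findings.append(f"{ts}: Infinidat support connected with no open support session")
            connected = True
        elif action == "disconnected":
            if not connected:
                findings.append(f"{ts}: disconnect without a preceding connect")
            connected = False
        elif action == "session_ended":
            if not open_session:
                findings.append(f"{ts}: session ended that was never started")
            if connected:
                findings.append(f"{ts}: session ended while support still connected")
            open_session, connected = None, False
    if open_session:
        findings.append(f"session '{open_session[0]}' started at {open_session[1]} never ended")
    return findings


# Constructed sample records: one clean session in each format, plus an unrelated event
CLEAN_EVENTS = [
    ("2024-03-01T10:00:00Z", "SUPPORT_SESSION_STARTED",
     "EXTERNAL Support session 'case-4711' started, will automatically be closed on 2024-03-01T14:00:00Z"),
    ("2024-03-01T10:05:00Z", "SUPPORT_CONNECTED", "Infinidat support connected to the system"),
    ("2024-03-01T10:06:00Z", "VOLUME_CREATED", "Volume vol1 created"),
    ("2024-03-01T10:40:00Z", "SUPPORT_DISCONNECTED", "EXTERNAL Infinidat support disconnected from the system"),
    ("2024-03-01T10:41:00Z", "SUPPORT_SESSION_ENDED", "EXTERNAL Support session 'case-4711' ended"),
    ("2024-03-01T15:00:00Z", "CUSTOM_INFO_EVENT", "Support session started"),
    ("2024-03-01T15:02:00Z", "CUSTOM_INFO_EVENT", "Infinidat support connected to the system"),
    ("2024-03-01T15:30:00Z", "CUSTOM_INFO_EVENT", "Infinidat support disconnected from the system"),
    ("2024-03-01T15:31:00Z", "CUSTOM_INFO_EVENT", "Support session ended"),
]
# Constructed anomalous records: a connect with no session, and a session never ended
SUSPICIOUS_EVENTS = [
    ("2024-03-02T08:00:00Z", "SUPPORT_CONNECTED", "Infinidat support connected to the system"),
    ("2024-03-02T08:20:00Z", "SUPPORT_DISCONNECTED", "EXTERNAL Infinidat support disconnected from the system"),
    ("2024-03-02T09:00:00Z", "SUPPORT_SESSION_STARTED",
     "EXTERNAL Support session 'case-4712' started, will automatically be closed on 2024-03-02T13:00:00Z"),
]

if __name__ == "__main__":
    for label, events in (("clean", CLEAN_EVENTS), ("suspicious", SUSPICIOUS_EVENTS)):
        print(label, audit(events) or "no findings")
```

Because the older format carries no session name, correlation there relies purely on ordering; with the newer format the session name also lets the findings be matched against the ttyrec session logs kept on the RSS.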