Introduction
Setting-up the Remote Support
Auditing the support sessions
- CUSTOM_INFO_EVENTS
- Separate events for session started and ended

Introduction

Infinidat Remote Support is an optional software running on the Support Appliance (SA).

Purpose

The Infinidat Remote Support provides a means of creating a secure point-to-point connection for supporting InfiniBox, accelerating the resolution of support cases.

The connection through the Remote Support provides Infinidat Support with an access to the management interfaces and the backend code only. This is equivalent to attaching a keyboard and a screen to the InfiniBox with the added benefit of exposing a full audit trail of the support session.

The Remote Support provides the following:

On-demand secured connection to the InfiniBox on the customer site.
End-to-end encrypted channel.
Full customer control of the connection.
Full visibility and auditing of the session logs.

Terminology

RSA, SA	Remote Support
RSS	Remote Support Server

Security

Outbound tunnel	The outbound tunnel connection from the Support Appliance (SA) to the Remote Support System (RSS) is encrypted with TLS 1.2 (2048 bit AES encryption).
RSA tunnel	On top of that protocol the RSA tunnels regular SSH traffic, which is itself encrypted with SHA256.
Authentication	The authentication is handled by OpenSSH, which is one of the leading solutions in the world today for secure login.

Architecture

The Support Appliance (SA) requires a connection to the Infinidat RSS. The connection can be either direct or through a web proxy.

The storage administrator initiates the connection by accessing the SA (port 8000) using a standard browser.

Once a one-time password is set by the customer, the connection is possible only through the tunnel, and only with that password. The internal SSH daemon that serves the session is only listening to local connections (thus only accepting connections coming through the RSS). It is the RSA (and not the RSS) that validates the password. Thus, even if the RSS was jeopardized, it will not allow access to any of the open sessions.

Once a tunnel is stopped, the local process relaying communications to the internal SSH daemon is killed, and thus it becomes impossible to create connections into the SA.

Network topology

The Support Appliance (SA) is a separated server within the InfiniBox rack. It has its own dedicated Ethernet ports.

1	The customer initiates the connectivity via the Support Appliance and sends the password to the Infinidat support representative.
2	The Support Appliance sends a request to the customer’s Proxy Server.
3	The Support Appliance logs into the customer Proxy Server.
4	The Support Appliance creates a tunnel to the Remote Support Server.
5	The support personnel locate the connected InfiniBox system and connect to the Support Appliance via the Remote Support Server, using the provided password.

The outbound connection can go through the same network the administrator is connecting from, or through another network.

It is assumed that the Support Appliance (SA) can either:

Directly reach the internet, or more specifically the RSS
Can reach a proxy (HTTPS/SOCKS4/SOCKS5) enabling it to access the RSS
Can reach a proxy through one or more intermediate hops, each hop being a simple, netcat-like TCP tunnel.
See: Creating network hops further down this document.

Note

For obvious reasons, we recommend restricting the SA outgoing connection in either of the following ways:

To the RSS or to the Proxy only.
Based on the customer’s policy.

Both methods of restriction are carried out by the customer’s network or firewall settings.

For cases 1 and 2, the web UI allows the customer to directly configure the connectivity. For option 3, a tunnel should be established first, and only then can the web UI be directed to the first hop as RSS or proxy address.

Ethernet port connectivity

The following chart provides details on the ports that are used for Remote Support.

Setting-up the Remote Support

Always prefer using InfiniBox GUI for connecting to the Remote Support. In case that the InfiniBox GUI is not available, use the Challenge Response option.

Ports connectivity

Ports	Protocol	Source	Target	Purpose
8000 9000	TCP	Client (browser)	Support Appliance	HTTPs Remote Support Management
443	TCP	Support Appliance	Remote Support Servers: rss02.infinidat.com 81.218.29.28	Remote support session
			rss05.infinidat.com/ Alias: rss-us-east.infinidat.com IP Address: 204.48.28.170
			rss07.infinidat.com 128.199.40.123	Dedicated for MainFrame systems
443	TCP	Support Appliance	callhome-eu.ramen.infiniops.com	Remote support

Setting-up a remote-support connection from the InfiniBox GUI

To set-up a remote support connection from the InfiniBox GUI:

On the InfiniBox GUI, click the menu icon at the top-right corner of the screen and select Support Console.

The Support Console screen opens.

Fill in the following fields and click Connect.

Logged-in username - a username with an Admin role
Loggin-in user password - the password of this username
RSS Address - the address of the Support Console
- Alternately, use an IP address
RSS Secret - the password that was generated by the connection initiator and sent to INFINIDAT
Terminate Connection - determine when to automatically terminate the connection
Proxy Protocol - determine whether to use a proxy
Proxy Address - set the address of the Proxy server

Click Connect.

The connection is established.

Challenge-response authentication

The remote support login is performed against the system management layer. For cases when the management layer is not available, we have an option to use challenge-response authentication.

1	Log into the Support Appliance using port 8000 to create a support connection that may require a proxy to reach the internet.
2	Set a session password and initialize a connection. Optional: Select a Proxy protocol Select a session timeout on the Terminate Connection field. Once the timeout expires, the session disconnects regardless of the activity that may take place.
3	Notify the INFINIDAT support engineer about the connection and the password.
4	The INFINIDAT support engineer accesses the tunnel.
5	When done, close the connection using the Stop button.

Session logs

Each of the sessions is fully recorded with ttyrec (read further here: ttyrec). The logs are kept on the RSS and are available to the customer on demand.

Creating network hops

To set up a tunnel, you can use the script (available from Infinidat Support). Run it (no dependencies aside from Python >=2.6):

$ python tunnel.py <local port> <remote address> <remote port>

Logically, the tunnel hops are under the customer control, and it is preferable for the customer or someone from the IT/netsec department at the customer site to be aware and in charge of the intermediate tunnel.

Auditing the support sessions

The Remote Support creates custom events on the InfiniBox for opening a remote support connection and when Infinidat Support connects to the system.

Depending on the Remote Support application version, the events can be either of the following.

CUSTOM_INFO_EVENTS

Event code: CUSTOM_INFO_EVENT
Event description: The following descriptions, depending on the reported action:

Support session started
Infinidat support connected to the system
Infinidat support disconnected from the system
Support session ended

Separate events for session started and ended

SUPPORT_CONNECTED	Infinidat support connected to the system
SUPPORT_DISCONNECTED	EXTERNAL Infinidat support disconnected from the system
SUPPORT_SESSION_STARTED	EXTERNAL Support session '{session_name}' started, will automatically be closed on {session_expiry_time}
SUPPORT_SESSION_ENDED	EXTERNAL Support session '{session_name}' ended

INFINIDAT Support InfiniBox Getting Started Remote Support user guide