Infinidat Remote Support is an optional software running on the Support Appliance (SA).


The Infinidat Remote Support provides a means of creating a secure point-to-point connection for supporting InfiniBox, accelerating the resolution of support cases.

The connection through the Remote Support provides Infinidat Support with access to the management interfaces and the backend code only. This is equivalent to attaching a keyboard and a screen to the InfiniBox with the added benefit of exposing a full audit trail of the support session.

The Remote Support provides the following:

  • On-demand secured connection to the InfiniBox on the customer site.
  • End-to-end encrypted channel.
  • Full customer control of the connection.
  • Full visibility and auditing of the session logs.



Remote Support Application

SASupport Appliance


Remote Support Server


Outbound tunnel

The outbound tunnel connection from the Support Appliance (SA) to the Remote Support Server (RSS) is encrypted with TLS 1.2 (2048 bit AES encryption).

RSA tunnel

On top of that protocol the RSA tunnels regular SSH traffic, which is itself encrypted with SHA256.


The authentication is handled by OpenSSH, which is one of the leading solutions in the world today for secure login.


The Support Appliance (SA) requires a connection to the Infinidat RSS. The connection can be either direct or through a web proxy.

The storage administrator initiates the connection by accessing the SA (port 8000) using a standard browser.

The storage administrator is required to create a password and the connection through the tunnel will only be possible with that password.

The internal SSH daemon that serves the session is only listening to local connections (thus only accepting connections coming through the RSS). It is the RSA (and not the RSS) that validates the password. Thus, even if the RSS was jeopardized, it will not allow access to any of the open sessions.

Once a tunnel is stopped, the local process relaying communications to the internal SSH daemon is killed, and thus it becomes impossible to create connections into the SA.

Network topology

The Support Appliance (SA) is a separate server within the InfiniBox rack. It has its own dedicated Ethernet ports.



The customer initiates the connectivity via the Support Appliance and sends the password to the Infinidat support representative. 


The Support Appliance sends a request to the customer’s Proxy Server. 


The Support Appliance logs into the customer Proxy Server.


The Support Appliance creates a tunnel to the Remote Support Server.


The support personnel locate the connected InfiniBox system and connect to the Support Appliance via the Remote Support Server, using the provided password.

The outbound connection can go through the same network the administrator is connecting from, or through another network.

It is assumed that the Support Appliance (SA) can either:

  1. Directly reach the internet, or more specifically the RSS
  2. Can reach a proxy (HTTPS/SOCKS4/SOCKS5) enabling it to access the RSS
  3. Can reach a proxy through one or more intermediate hops, each hop being a simple, netcat-like TCP tunnel.
    See: Creating network hops further down this document.


For obvious reasons, we recommend restricting the SA outgoing connection in either of the following ways:

  • To the RSS or to the Proxy only.
  • Based on the customer’s policy.

Both methods of restriction are carried out by the customer’s network or firewall settings.

For cases 1 and 2, the web UI allows the customer to directly configure the connectivity. For option 3, a tunnel should be established first, and only then can the web UI be directed to the first hop as RSS or proxy address.

Ethernet port connectivity

The following chart provides details on the ports that are used for Remote Support.

Setting-up the Remote Support

Always prefer using InfiniBox GUI for connecting to the Remote Support. In case that the InfiniBox GUI is not available, use the Challenge Response option.

Ports connectivity









Client (browser)

Support Appliance

Remote Support Management



Support Appliance

Remote Support Servers:


Remote Support session

  • Alias:
  • IP Address:

Dedicated for mainframe systems
443TCPSupport Appliance Send performance data to Infinidat See InfiniDrop

Setting-up a remote-support connection from the InfiniBox GUI

To set-up a Remote Support connection from the InfiniBox GUI:


On the InfiniBox GUI, click the menu icon at the top-right corner of the screen and select Support Console.

The Support Console screen opens.


Fill in the following fields and click Connect.

  • Logged-in Username - a username with an Admin role.
  • Logged-in User Password - the password of this username.
  • RSS Address - the address of the RSS server, either RSS02 or RSS05.
  • RSS Secret - the password generated by the person initiating the connection. It must be communicated to Infinidat Support once the tunnel is opened to enable them to connect.
  • Terminate Connection - when to automatically terminate the connection.
  • Proxy Protocol - whether a proxy is used
  • Proxy Address - the address of the proxy server

Click Connect.

The connection is established.

Challenge-response authentication

The Remote Support login is performed against the system management layer. For cases when the management layer is not available, we have an option to use challenge-response authentication.


Log in to the Support Appliance using port 8000 to create a support connection.


Set a session password and complete the session details to initialize a connection.

Optional session details:

  • Select a proxy protocol for reaching the internet
  • Select a session timeout on the Terminate Connection field. Once the timeout expires, the session disconnects regardless of the activity that may take place.


Notify the INFINIDAT support engineer about the connection and the password.


The INFINIDAT support engineer accesses the tunnel.

5When done, close the connection using the Stop button.

Session logs

Each of the sessions is fully recorded with ttyrec. The logs are kept on the RSS and are available to the customer on demand.

Creating network hops

To set up a tunnel, you can use the script (available from Infinidat Support). Run it (no dependencies aside from Python >=2.6):

$ python <local port> <remote address> <remote port>

Logically, the tunnel hops are under the customer control, and it is preferable for the customer or someone from the IT/netsec department at the customer site to be aware and in charge of the intermediate tunnel.

Auditing the support sessions

The Remote Support creates custom events on the InfiniBox for opening a Remote Support connection and when Infinidat Support connects to the system.

Depending on the Remote Support application version, the events can be either of the following.


  • Event code: CUSTOM_INFO_EVENT
  • Event description: The following descriptions, depending on the reported action:
  • Support session started
  • Infinidat support connected to the system
  • Infinidat support disconnected from the system
  • Support session ended

Separate events for session started and ended


Infinidat support connected to the system


EXTERNAL  Infinidat support disconnected from the system


EXTERNAL  Support session '{session_name}' started, will automatically be closed on {session_expiry_time}


EXTERNAL  Support session '{session_name}' ended

Was this article helpful?
0 out of 0 found this helpful

0 out of 0 found this helpful

Last edited: 2022-08-06 08:06:31 UTC