ESRS Gateway Customer Implementation Guide

EMC Secure Remote Support Gateway

Customer Implementation Guide

Version 2.3

2 ESRS Gateway Customer Implementation Guide 2.3

Contents

ESRS Gateway Solution Technical Overview ................................................................................................. 3

Documentation and Software ...................................................................................................................... 6

Architecture and Specifications .................................................................................................................... 6

Gateway Client ........................................................................................................................................ 6

High Availability Architecture ................................................................................................................... 6

Policy Manager ........................................................................................................................................ 7

Policy Manager Redundancy .................................................................................................................... 7

Co-located Gateway Client and Policy Manager ....................................................................................... 7

Virtual Machine Support .......................................................................................................................... 7

Configuration Options .............................................................................................................................. 7

Licensing Requirements (EMC) ....................................................................................................................10

Device Support ...........................................................................................................................................11

Device Management IP addresses ...........................................................................................................11

Clariion and VNX Block Support...............................................................................................................12

Brocade Switch Support ..........................................................................................................................12

Cisco Switch Support ...............................................................................................................................12

Device Call-Home Support ......................................................................................................................13

Server Preparation ......................................................................................................................................14

Configure Internet Information Services (Gateway Client Only) ...............................................................14

Configure Local User Accounts (Gateway Client Only) .............................................................................14

Configure Domain Name Resolution for EMC Enterprise Servers .............................................................18

Network Preparation ..................................................................................................................................19

Gateway Client to EMC Communication ..................................................................................................19

Gateway Client to Policy Manager Communication .................................................................................19

Device Management Interfaces ...............................................................................................................20

Gateway Client to EMC Device Communication.......................................................................................20

Environment Validation ..............................................................................................................................24

Install Customer Environment Check Tool (CECT) ....................................................................................24

Configure CECT Test Parameters .............................................................................................................24

Run CECT Tests .......................................................................................................................................24

Analyse CECT Test Results .......................................................................................................................24

Collect CECT Test Logs .............................................................................................................................24

Change Control (EMC).................................................................................................................................25

CCA Requirements ..................................................................................................................................25

Solution Implementation ............................................................................................................................25

Obtaining ESRS Software .........................................................................................................................25

Installation ..............................................................................................................................................25

Deploy EMC Devices ...............................................................................................................................26

RemotelyAnywhere Support ...................................................................................................................27

Configure and Test Device Call-Home......................................................................................................27

Test Remote Connectivity .......................................................................................................................27

APPENDIX A: Troubleshooting Device Connectivity Issues ...........................................................................28

APPENDIX B RemotelyAnywhere Access Filter Configuration ....................................................................32

ESRS Gateway Customer Implementation Guide 2.3 3

ESRS Gateway Solution Technical Overview

Refer to the Secure Remote Support Technical Description document on Powerlink for more detailed

information about the ESRS Gateway solution features and functionality.

The EMC Gateway solution provides secure, IP-based connectivity to your EMC platforms that enables pro-

active, round-the-clock remote support. Advanced security features address Government and industry

regulations to keep you in compliance, while the IP-based connection accelerates time to resolution and

lowers costs.

ESRS Gateway solution is designed to address the concerns of Security and Network Administrators. The

Policy Manager application allows you to determine when and how EMC can access your systems. The

firewall-friendly architecture eliminates the need to open inbound ports and allows you to install the ESRS

Gateway solution where it fits your security policies.

ESRS Gateway Client The ESRS Gateway Client is installed on a dedicated server running Windows 2003 or Windows 2008 and

acts as the conduit for all communication between EMC and the Managed Devices. EMC does not have

visibility or access to the Windows OS from outside the customers network environment.

ESRS Policy Manager The optional Policy Manager enables the customer to set permissions for devices being managed by the

Gateway Client. The three options for each policy are Always Allow, Ask for Approval and Never

Allow.

When an action requires Customer approval, the Policy Manager sends an email message to a designated

mail address and the customer must use the Policy Manager interface to Accept or Deny the request. Policy

filters allow different policies to apply at different times of the day or week depending on customers

requirements.

The Policy Manager uses the Apache Tomcat engine and a local JDBC relational database to provide a

secure web-based user interface for policy management. Optionally it may be configured to use and

external LDAP directory server such as SunOne or OpenDS.

The Policy Manager also maintains an audit log of all remote actions and requests that have occurred on

the Gateway Client. EMC personnel do not have visibility of the Policy Manager Application or Windows OS

from outside the customers network environment.

High Availability Option EMC recommends two or more

Gateway Clients be deployed for

High Availability. In this

configuration, the two Gateway

Clients behave as Active-Active

peers that manage the same set

of devices and can be located in

different physical locations.

There is no direct communication

between Gateway Clients,

synchronization occurs via the

heartbeat process back to EMC.

The figure on the right shows an

example of a High Availability

Gateway Client topology with

Policy Manager.


Solution Security All communication between the Gateway Client and EMC is initiated from the customer side and

incorporates the latest security practices and encryption technologies, including RSA Lockbox technology

based on FIPS Certified OpenSSL libraries and Advanced Encryption Standard (AES) 256-bit encryption.

At install time, each Gateway Client is issued with an RSA SecurID authenticated digital certificate based on

the X.509 standard. All communication between EMC and the Gateway Client requires bilateral

authentication these digital certificates.

This firewall-friendly communication technology, using SSL VPN gateway tunnels, only requires enabling of

outbound communication over SSL default ports 443 and 8443. Remote access to your EMC storage devices

is secured using a session-based IP port-mapping solution.

Proxy Server Network traffic can be configured to route from the Gateway Clients though proxy servers to the

Public Internet. Such configurations include support auto-configuration, HTTP and SOCK proxy

standards.

Heartbeat Monitoring The Gateway Client sends a regular

Heartbeat to EMC in 30-second

intervals, containing a small

datagram that identifies the

Gateway server and provides EMC

with status information on the

health of the managed EMC

devices.

Should EMC not receive a

Heartbeat from the Gateway

Client for 30 minutes, a Service Call

is automatically generated for

investigation by EMC Support.

The figure on the right shows the

Heartbeat process from the

Gateway Client to the EMC

backend servers.

Remote Notification When an alert condition occurs on

a managed device, an event

message file is generated by the

device and is transferred to the

Gateway using FTP, SMTP or HTTPS

protocols.

The Gateway Client compresses,

encrypts and then forwards the

message to EMC using the same

secure SSL VPN tunnel technology

used for all other communication

to EMC.


Remote Notification process from

the Gateway Client to the EMC

backend servers.


Remote Access Two-level authentication is used to remotely connect to an ESRS managed device. Before an EMC support

specialist can access a managed device, they must be authenticated on the EMC network and

authenticated on the Remote Connection application. The support specialist makes a request to access a

ESRS managed device and this request is then queued at EMC until the next Heartbeat is received from the

Gateway Client that manages that device.

In response to the Heartbeat

message, EMC notifies the

Gateway Client of the request

details and the Gateway Client

checks the request details against

the configured access policies for

that device. If access is approved,

the Gateway Client establishes a

separate secure SSL connection

back to EMC.

This secure VPN session only

allows IP traffic between the EMC

Support Specialist who requested

the connection and the managed

EMC device.


Remote Access from the Gateway

Client to the EMC backend servers.


Documentation and Software

All customer viewable documentation is available at powerlink.emc.com at the following location:

Home > Support > Technical Documentation and Advisories > Software ~ S ~ Documentation >

Secure Remote Support > Secure Remote Support (ESRS2)

Recommended documents for customer review are listed below:

Secure remote Support Technical Description

Secure Remote Support Operations Guide

Secure Remote Support Policy Manager Operations Guide

Secure Remote Support Site Planning Guide

Secure Remote Support Port Requirements

Secure Remote support Release Notes

The Customer Environment Check Tool is used to verify the readiness of the ESRS environment and can be

downloaded from powerlink.emc.com at the following location:

Home > Support > Product and Diagnostic Tools > Environment Analysis Tools > Customer Environment

Check Tool (CECT)

In addition to the above official EMC documentation, customised documentation is also available from your

EMC Account Service Representative (ASR) to assist with planning and preparation of the ESRS Gateway

Solution. Please request the following:

ESRS Gateway Pre-Install Checklist

ESRS Gateway Customer Implementation Guide (this document)

ESRS Gateway CECT Procedures

Customer Environment Check Tool

CECT Analyser Tool (Zip File)

Architecture and Specifications

Refer to the Secure Remote Support Site Planning Guide and Secure Remote Support Technical Description

for more detailed information about the hardware requirements to implement the ESRS Gateway solution.

Gateway Client The minimum requirement for ESRS is a single Gateway Client running on a dedicated Windows 2003 or

2008 server. The Gateway Client acts as a conduit for all communication between EMC and the EMC

managed devices at the customer site. The Gateway Client can manage EMC devices across multiple

locations. EMC do not have visibility to the Windows OS from outside the customers environment.

High Availability Architecture For redundancy, two Gateway Clients can be configured in a High Availability cluster. In this configuration,

both Gateway Clients manage the same set of devices and if one Gateway is unavailable, the other

Gateway is able to provide remote access capability for all devices. The Gateway Clients should be located

at different sites for maximum redundancy.

Documentation and Software Checklist

ESRS Gateway Pre-Install Checklist

Customer Environment Check Tool

ESRS Gateway CECT Procedures

CECT Analyser Tool


Policy Manager The Policy Manager is an optional component that enables the customer to set access permissions for the

EMC devices being managed by the Gateway Client. The Policy Manager also maintains and audit log of all

remote access actions and requests that have occurred on the Gateway Client. EMC do not have visibility to

the Windows OS or Policy Manager functionality from outside the customers environment.

Policy Manager Redundancy If the Policy Manager fails, the Gateway Clients will still be able to provide remote access to EMC managed

devices using a cached copy of the last known policy configuration. If the last known policy for a managed

device was set to Ask for Approval or Never Allow , the Gateway will Deny access to that device. If the

policy was set to Always Allow, the Gateway will continue to allow remote access to that device.

A second Policy Manager can be configured as a Cold Standby. When the Production Policy Manager fails,

the customer must manually activate the Standby Policy Manager using a backup of the Production Policy

Managers database.

Co-located Gateway Client and Policy Manager The Gateway Client and Policy Manager can be co-located on a single dedicated server. This configuration is

not recommended for production environments and is not supported in a High Availability configuration.

Since the Gateway Client requires remote access via the Public Internet and the Policy Manager requires

internal network access only, combining these two roles into a single server may implications for the

customers security requirements and network environment.

Virtual Machine Support Hyper-V virtual machines can be used to host the Gateway Client only. The Policy Manager software is not

yet qualified for Hyper-V support.

VMWare virtual machines based on VMWare ESX 2.5.2 or later can be used to host the Gateway Client and

Policy Manager servers, with the following caveats:

Dual Gateway Configurations should have Gateway Client virtual machines on separate physical servers

If possible, avoid placing Gateway Client virtual machine on storage provided by EMC Managed devices

VMotion is supported for the Policy Manager only, VMotion is not supported for the Gateway Client

Configuration Options The table below lists the common configuration options and the number of servers required for each. The

recommended configuration option for most environments is Dual Gateway Clients configured as a High

Availability cluster, plus a separate Standalone Policy Manager.

Configuration Server Qty

Single Gateway Client Server One

Co-Located Gateway Client Server with Policy Manager NOTE 1

One

Single Gateway Client Server and Standalone Policy Manager Two

Dual High Availability Gateway Client Servers Two

Dual High Availability Gateway Client Servers and Standalone Policy Manager NOTE 2

Three

Dual High Availability Gateway Client Servers and Standalone Policy Manager with additional

Cold-Standby Policy Manager NOTE 3

Four

Notes

1. Co-Located Gateway Client and Policy manager only recommended for non-production environments.

2. The recommended configuration for most customers is the Dual High Availability Client servers with separate

Policy Manager server.

3. The Cold Standby Policy Manager maintains a copy of the running Policy Manager database and must be

manually activated by the customer.


Standalone Gateway Client Server Specifications

The ESRS Gateway software must reside on a dedicated server.

You may harden the Windows OS to meet network security requirements, as long as the changes do

not inhibit normal ESRS IP Client installation or operation.

Hardware

Processor One or more processors, minimum 2.2 GHz, must support SSE/SSE2 for FIPS compliance

Free Memory Minimum 1 GB RAM, preferred 2GB RAM

Network Single or dual Ethernet adapters ( depending on customer network environment)

Free Disk Space Minimum 1GB for installation (preferably on a storage device of 40 GB or larger)

Software

Operating System

Windows Server 2003 R1 or R2, 32-bit or 64-bit, SP1 or SP2 or SP3

Windows Server 2008 R1, 32-bit or 64-bit, SP1 or SP2 NOTE 1

Windows Server 2008 R2, 64-bit, SP1 or SP2 NOTE 1

Windows Server 2008 R2, Datacenter or Enterprise Editions, 64-bit, SP1or SP2 NOTE 1

Microsoft .NET Framework 2.0 SP1 or greater (3.5 & 4.0 not compatible)

Microsoft Visual C++ 2005 SP1 Runtime Library installed

Microsoft Internet Information Services (IIS), FTP and SMTP services enabled

EMC OnAlert and ESRSConfig Local User accounts created

Remote Desktop installed NOTE 2

Notes

1. Domain credentials not supported for Windows 2008

2. If EMC needs to remotely access a desktop to verify ESRS IP configuration or to troubleshoot, EMC will contact

you for a WebEx session and ask you to establish a Remote Desktop session to the Gateway or Policy Manager

Standalone Policy Manager Server Specifications

Policy Manager may reside on a shared server, but there may be some restrictions, example:

o Policy Manager cannot reside on same server as EMC Control Center

o Conflicts with other applications that uses the Tomcat Web server or ports 8090 and 8443

Hardware

Processor One or more processors, minimum 2.1 GHz

Free Memory Minimum 1GB RAM, preferred 2GB RAM

Network Single or dual Ethernet adapters ( depending on customer network environment)

Free Disk Space Minimum 2GB for installation (preferably on a storage device of 80 GB or larger)NOTE 1

Software

Operating System

Windows XP (SP2 or later), Windows Server 2003, Windows Vista

Windows Server 2008 R1, 32-bit or 64-bit, SP1 or SP2

Windows Server 2008 R2, 64-bit, SP1 or SP2

Microsoft .NET Framework 2.0 SP1 or greater (3.5 & 4.0 not compatible)

Microsoft Windows Task Scheduler running and unrestricted NOTE 2


Notes

1. Disk Space will be consumed due to audit logging. Ensure that adequate disk space is maintained.

2. Task Scheduler required for Policy Manager Database backup




Co-located Gateway Client and Policy Manager Server Specifications

Recommended for test environment only

No High Availability Option

The ESRS Gateway software must reside on a dedicated server.

You may harden the Windows OS to meet network security requirements, as long as the changes do

not inhibit normal ESRS Software installation or operation.

Hardware

Processor One or more processors, minimum 2.2 GHz, must support SSE/SSE2 for FIPS compliance

Free Memory Minimum 3 GB RAM

Network Minimum single 10/100 Ethernet adapter, preferred Gigabit Ethernet adapters (may require

dual Ethernet depending on customer network configuration and environment)

Free Disk Space Minimum 3GB for installation (preferably on a storage device of 80 GB or larger)NOTE 1

Software

Operating System

Windows Server 2003 R1 or R2, 32-bit or 64-bit, SP1 or SP2

Windows Server 2008 R1, 32-bit or 64-bit, SP1 or SP2 NOTE 2

Windows Server 2008 R2, 64-bit, SP1 or SP2 NOTE 2

Microsoft .NET Framework 2.0 (or a newer version that is backward compatible with 2.0)

Microsoft Visual C++ 2005 SP1 Runtime Library installed

Microsoft Windows Task Scheduler running and unrestricted NOTE 3

Microsoft Internet Information Services (IIS),FTP and SMTP services enabled

EMC OnAlert and ESRSConfig Local User accounts created


Notes

1. Disk Space will be consumed due to audit logging. Ensure that adequate disk space is maintained.

3. Domain credentials not supported for Windows 2008

2. Task Scheduler required for Policy Manager Database backup



Architecture Checklist

Select Configuration Option

Specify location for each Gateway Client servers

Advise EMC Account service Representative on the number and location of Gateway Client servers


Licensing Requirements (EMC)

The EMC Account Representative is responsible ensuring that the correct number of ESRS Gateway

software licenses (zero cost) are ordered from EMC Sales several weeks prior to installation.

The license is required to install the Gateway Client software (not required for Policy Manager) and must be

registered against the Party ID corresponding to the physical location of the Gateway Client server.

During installation of the Gateway Client, the user will enter the Party ID of the Gateway Client and the

EMC Enterprise server will check the CSI Install Database for a corresponding ESRS Gateway license before

issuing the RSA Digital Certificate for that Gateway Client instance.

The table below lists the quantity of ESRS Gateway licenses required for each configuration option.

Configuration License Qty

Single Gateway Client Server One

Co-Located Gateway Client Server with Policy Manager One

Single Gateway Client Server and Stand Alone Policy Manager One

Dual High Availability Gateway Client Servers Two

Dual High Availability Gateway Client Servers and Standalone Policy Manager (Recommended) Two

Dual High Availability Gateway Client Servers and Standalone Policy Manager with additional

Cold-Standby Policy Manager Two

Pre-Install Checklist

Correct Number of ESRS Gateway licenses have been ordered

Licenses are installed in CSI Install Base against the correct Party ID

License check performed for each Party ID and the output listed in the ESRS Gateway Pre-Install

Checklist


Device Support

Refer to the Secure Remote Support Release Notes document for latest information about supported EMC

devices.

Device Management IP addresses

The table below lists the EMC devices that can be managed by the Gateway Client and the Management IP

Address requirements for each EMC device. These are the management connections required for ESRS

connectivity and do not include data interfaces.

Product Management

Interface

Management

Addresses Notes

ATMOS Appliance One per node Connect to management interface on each node

AVAMAR Appliance One Connect to the Utility Node Management port

BROCADE Switch

One Dual-CTP requires Virtual IP Address only

CELERRA Control Station One or more Dual Control Station configuration requires

Primary, Secondary and Active IP Addresses.

CENTERA Access Node One or more Recommend minimum of two Access Nodes

CISCO Switch

One Connect to management interface

CLARIION SPA and SPB Two Both SPA and SPB required

DATA DOMAIN Appliance One Connect to management interface

DL3D Engines,

SPA and SPB Three Both SPA and SPB required

DLM Control Station One or more Dual Control Station configuration requires

Primary, Secondary and Active IP Addresses

DLM 6000 & 8000 Access Control

Point One or more

Dual Access Control Point configuration requires

Primary, Secondary and Active IP Address

EDL Engines,

SPA and SPB Three or four

Dual Engine configuration requires Service IP

address of both Engines.

Both SPA and SPB required for Clariion backend.

GREENPLUM DCA Appliance One Connect to management interface

RECOVERPOINT Appliance One per node Connect to each Appliance in cluster

SYMMETRIX &VMAX Service Processor

One Requires single network connection and Static IP

VNX BLOCK SPA and SPB Two Both SPA and SPB required

VNX UNIFIED Control Stations,

SPA and SPB Three or more

Dual Control Station configuration requires

Primary, Secondary and Active IP Addresses.

Both SPA and SPB required for Block component.

VNXE Appliance One Connect to management interface

VPLEX Appliance One Connect to management interface


Clariion and VNX Block Support

For environments with Clariion or VNX Block devices, the recommended call-home configuration requires a

separate Management Workstation with Monitoring software and diagnostic tools specific to these types

of devices.

With this configuration, remote support comes in to the Storage Processors via the ESRS Gateway Client,

while call-home notifications are initiated from the Management Workstation and are sent to EMC via the

ESRS Gateway Client or Customer mail server.

If the environment only contains Clariion and/or VNX Block devices, consider installing the ESRS VNX IP

Client solution. This simplified version of ESRS Gateway combines all the necessary monitoring and

diagnostic tools with a simplified version of the ESRS Gateway, all of which can be installed on a single

Windows workstation.

With this configuration all remote support and call-home functionality is routed via a single Management

Workstation.

Brocade Switch Support

For environments with Brocade switches, the ESRS Gateway Client only provides remote connectivity from

EMC to the switch management ports. Call-home monitoring requires a separate Windows management

workstation with Connectrix Manager to monitor the switches and generate call-home notifications. The

notifications can then be forwarded to EMC via the ESRS Gateway Client or Customer mail server.

Cisco Switch Support

For environments with Cisco switches, the ESRS Gateway Client only provides remote connectivity from

EMC to the switch management ports. Call-home monitoring requires a separate Windows management

workstation with Fabric Manager to monitor the switches and generate call-home notifications. The

notifications can then be forwarded to EMC via the ESRS Gateway Client or Customer mail server.


Device Call-Home Support

The table below lists the supported call-home options for each supported EMC device. Note that the FTP

protocol may not be required if the preferred SMTP or HTTPS call-home methods are used instead.

Product Call-Home

Source

Email via

Customer

Email via

ESRS Client

FTP via ESRS

Client

HTTPS via

ESRS Client

ATMOS Appliance Preferred Not

Supported

Not

Supported

Not

Supported

AVAMAR Utility Node Preferred Not

Supported

Not

Supported

Not

Supported

BROCADE WorkstationNOTE 1

Preferred Not

Supported

Not

Supported

Not

Supported

CELERRA Control Station Preferred Alternate Alternate Not

Supported

CENTERA Access Node Preferred Not

Supported

Not

Supported

Not

Supported

CISCO WorkstationNOTE 2

Preferred Alternate Not

Supported

Not

Supported

CLARIION WorkstationNOTE 3

Alternate Alternate Alternate Preferred

DATA DOMAIN Appliance Preferred Not

Supported

Not

Supported

Not

Supported

DL3D Engine Preferred Not

Supported

Not

Supported

Not

Supported

DLM Control Station or

Access Control Point Alternate Alternate Alternate Preferred

EDL Engine Preferred Alternate Not

Supported

Not

Supported

GREENPLUM DCA Appliance Preferred Not

Supported

Not

Supported

Not

Supported

RECOVERPOINT Appliance Preferred Not

Supported

Not

Supported

Not

Supported

SYMMETRIX &

VMAX Service Processor


VNX BLOCK WorkstationNOTE 3


VNX UNIFIED Control Station Alternate Alternate Alternate Preferred

VNXE Appliance Preferred Alternate Not

Supported

Not

Supported

VPLEX Appliance Preferred Not

Supported

Not

Supported

Not

Supported

NOTES

1. Requires separate Windows monitoring workstation running Connectrix Manager

2. Requires separate Windows monitoring workstation running Fabric Manager Server 5.x or higher

3. Requires separate Windows Monitoring workstation running ESRS VNX IP Client


Populate Device List in ESRS Gateway Pre-Install Checklist, including Call-Home method

Ensure Management Interfaces are available for each device


Server Preparation

The customer is responsible for building the ESRS server hardware or virtual machine, Windows OS, Anti-

virus and backup applications. The Windows OS may be hardened to meet network security requirements,

as long as the changes do not inhibit normal ESRS IP Client installation or operation. In addition, the

customer needs to complete the following tasks:

Install Microsoft .NET Framework (Gateway Client and Policy Manager)

Ensure the Microsoft .NET Framework 2.0 SP2 package is installed on the Gateway Client and Policy

Manager servers. It is bundled with Windows 2008 but if required, it can be downloaded from the

Microsoft download site at:

http://www.microsoft.com/downloads/en/details.aspx?FamilyID=5b2c0358-915b-4eb5-9b1d-

10e506da9d0f&displaylang=en

Refer to the table below for the method of confirming the package is installed and the method for installing

if required:

Windows 2003 Windows 2008 R1 Windows 2008 R2

Confirmation Add/Remove Programs Programs and Features Roles Summary

Installation Add/Remove Programs Windows Update Roles Management

Install Visual C++ Redistributable (Gateway Client Only)

Ensure the Visual C++ Redistributable package is installed on the Gateway Client servers (not required on

Policy Manager). The package can be downloaded from the Microsoft download site at:

http://www.microsoft.com/downloads/en/details.aspx?FamilyID=32bc1bee-a3f9-4c13-9c99-

220b62a191ee&displaylang=en

Refer to the table below for the method of confirming the package is installed and the method for installing

if required:

Windows 2003 Windows 2008 R1 Windows 2008 R2

Confirmation Add/Remove Programs Programs and Features Programs and Features

Installation Add/Remove Programs Programs and Features Programs and Features

Configure Internet Information Services (Gateway Client Only)

The Microsoft FTP and SMTP services are used to provide call-home functionality for the managed devices

that support this protocol. The Microsoft IIS and SMTP services must be installed and running prior to the

installation of the Gateway Client software. The FTP service is optional and can be disabled if not required.

Refer to the Device Call-Home Support table on page 9 for information about which devices support these

protocols.

During installation of the Gateway Client, the FTP and SMTP servers will be auto-configured. Modifying the

FTP and SMTP server configuration prior to install may cause the auto-configuration to fail. If auto-

configuration fails during install, an alert will be raised and the user will have to manually configure the FTP

and SMTP servers as per the Gateway Client Server Preparation section of the ESRS IP Solution Operations

Guide.

Configure Local User Accounts (Gateway Client Only)

In addition to the Internet Information Services described above, two Local User Accounts are required to

be configured and enabled prior to the install of the Gateway Client.

The onalert account is used by the managed devices to call-home via the FTP protocol. This account must

be configured and enabled prior to install of the Gateway Client even if the FTP service is not required.

After installation, this account can be disabled.


The EMC devices that support the FTP call-home protocol are pre-programmed to use the same default

password that is specified when creating the onalert account. This password may be modified to meet

customer complexity requirements, however, the EMC devices must also be reconfigured to use the same

password.

The esrsconfig account is used to perform some device deployment functions on the Gateway Client. This

account must be configured and enabled prior to install of the Gateway Client, however, it may be disabled

when the install is completed. The password may be changed from the default to meet customer

complexity requirements.

Configure Windows 2003 Gateway Client

1. Install Internet Information Services (IIS), FTP and SMTP services

a. Go to Start > Control Panel > Add or Remove Programs

b. Select Add/Remove Windows Components

c. Select Application Server and click Details

d. Select Internet Information Services (IIS) and click Details

e. Check the File Transfer Protocol (FTP) Service and SMTP Service options

f. Click OK to exit the Internet Information Services (IIS) options window

g. Click OK to exit the Application Server options window

h. Click Next at the Windows Components window

i. If you receive a Files Needed prompt, insert the required CD-ROM and/or provide the path to

the Windows Installation i386 directory. Click OK to continue.

j. Click Finish when the IIS component installation has completed.

k. Close the Add or Remove Programs application

2. Create the onalert local user account

a. Right-click on My Computer and select Manage

b. Double-click on Local Users and Groups

c. Right-click Users and select New User

d. Enter onalert in the User name field

e. Enter EMCCONNECT (case sensitive) in the Password field

f. Enter EMCCONNECT (case sensitive) in the Confirm Password field

g. Clear the user must change password and next logon checkbox

h. Select the Password Never Expires checkbox

i. Select the User cannot change password checkbox

j. Click Create

3. Create the esrsconfig local user account

a. Enter esrsconfig in the User name field

b. Enter esrsconfig (case sensitive) in the Password field

c. Enter esrsconfig (case sensitive) in the Confirm Password field

d. Clear the user must change password and next logon checkbox

e. Select the Password Never Expires checkbox

f. Select the User cannot change password checkbox

g. Click Create

h. Click Close

i. Close the Computer Management application


Configure Windows 2008 R1 & R2 Gateway Client

1. Install the Internet Information Services and the FTP service

a. Go to Start > Server Manager to start the Server Manager console

b. In the Roles Summary section, click Add Roles

c. If this is the first time you have added a role on this server, the Before You Begin window will

appear. Check the Skip this page by default option and click Next

d. In the Select Server Roles window, select the Web Server (IIS) role and click Next

e. If the Add features required for Web Server (IIS)? window appears, click Add Required

Features

f. Ensure that the Web Server (IIS) role is still selected in the Select Server Roles window.

g. Click Next

h. Read the information in the Web Server (IIS) Introduction window and click Next

i. In the Select Roles Services window, scroll down to the Management Tools section and select

the following features:

i. IIS Management Console

ii. IIS Management Scripts and Tools

iii. IIS 6 Management Compatibility

j. Under the IIS 6 Management Compatibility section, select all the options with that section

k. Scroll down to the FTP Publishing Service and select the FTP Server feature

l. Click Next

m. Click Install at the bottom of the Confirm Installation Selections window

n. The Installation Progress window appears and displays the progress of the installation

o. If the installation is successful, the Installation Results window appears with the message

Installation Succeeded

p. Review the results and click Close

2. Install the SMTP service


b. In the Features Summary section, click Add Features

c. In the Select Features window select the SMTP Server feature

d. If the Add features required for SMTP Server ? window appears, click Add Required Features

e. Ensure that the SMTP Server feature is still selected in the Select Features window.

f. Click Next

g. Click Install at the bottom of the Confirm Installation Selections window

h. The Installation Progress window appears and displays the progress of the installation

i. If the installation is successful, the Installation Results window appears with the message

Installation Succeeded

j. Review the results and click Close

k. Close the Server Manager console

3. Temporarily Disable password complexity requirements to allow default local account passwords

a. Go to Start > Administrative Tools > Local Security Policy

b. Double-click Account Policies in the left pane

c. Click Password Policy in the left pane

d. In the right pane, double-click Password must meet complexity requirements

e. In the Properties window, select Disable and click OK

f. Close the Local Security Policy window


4. Create the onalert local user account


b. Double-click on Local Users and Groups

c. Right-click Users and select New User

d. Enter onalert in the User name field

e. Enter EMCCONNECT (case sensitive) in the Password field

f. Enter EMCCONNECT (case sensitive) in the Confirm Password field

g. Clear the user must change password and next logon checkbox

h. Select the Password Never Expires checkbox

i. Select the User cannot change password checkbox

j. Click Create

5. Create the esrsconfig local user account

a. Enter esrsconfig in the User name field

b. Enter esrsconfig (case sensitive) in the Password field

c. Enter esrsconfig (case sensitive) in the Confirm Password field

d. Clear the user must change password and next logon checkbox

e. Select the Password Never Expires checkbox

f. Select the User cannot change password checkbox

g. Click Create

h. Click Close

i. Close the Server Manager application

6. Re-enable password complexity requirements

a. Go to Start > Administrative Tools > Local Security Policy

b. Double-click Account Policies in the left pane

c. Click Password Policy in the left pane

d. In the right pane, double-click Password must meet complexity requirements

e. In the Properties window, select Enable and click OK

f. Close the Local Security Policy window


Configure Domain Name Resolution for EMC Enterprise Servers

The Gateway Client must be able to resolve the EMC Enterprise server hostnames listed below. If the

Gateway Client does not have access to DNS, then these Hostname/Address pairs should be added to the

Windows hosts file located in C:\Windows\system32\drivers\etc\ directory.

Confirm the Gateway Client server can resolve these names by trying to PING the hostname via Command

prompt as per the example below:


Compatible Windows OS installed on Gateway Client and Policy Manager servers

Microsoft .NET Framework 2.0 Installed on Gateway Client and Policy Manager servers

Visual C++ Redistributable installed on Gateway Client servers

Internet Information Services installed and configured on Gateway Client servers

Local User Accounts configured on Gateway Client servers

Gateway Client able to resolve EMC Enterprise server hostnames

Gateway Client and Policy Manager server configuration information populated in Pre-Install

Checklist

128.221.192.14 esrs-core.emc.com

168.159.218.21 esrs-coredr.emc.com

128.221.192.13 esrs.emc.com

168.159.218.20 esrs-dr.emc.com

128.221.204.210 esrgweprd01.emc.com



168.159.209.11 esrghoprd01.emc.com



152.62.177.11 esrgckprd01.emc.com



137.69.120.170 esrgscprd01.emc.com



152.62.45.11 esrgspprd01.emc.com




Network Preparation

The Customer is responsible for configuring their network environment to support the ESRS IP Solution.

Refer to the Secure Remote Support Port Requirements and Secure Remote Support Technical Description

documents for more information about the network requirements of the ESRS Gateway solution.

Gateway Client to EMC Communication

The Gateway Client server(s) must be able to communicate with the EMC Enterprise servers listed below on

ports 443 and 8443 OUTBOUND using the HTTPS protocol. Use the table below to generate rules for the

external firewall and/or Proxy Server.

If the Gateway Client does not have access to DNS, these hostname/IP Address pairs must be added to the

Windows hosts file.

GATEWAY CLIENT

Port and Direction Destination Hostname Destination IP Address

443 & 8443 esrs-core.emc.com 128.221.192.14

443 & 8443 esrs-coredr.emc.com* 168.159.218.21

443 & 8443 esrs.emc.com 128.221.192.13

443 & 8443 esrs-dr.emc.com* 168.159.218.20

443 & 8443 esrgweprd01.emc.com 128.221.204.210



443 & 8443 esrghoprd01.emc.com 168.159.209.11



443 & 8443 esrgckprd01.emc.com 152.62.177.11



443 & 8443 esrgscprd01.emc.com 137.69.120.170



443 & 8443 esrgspprd01.emc.com 152.62.45.11



NOTE: EMC hosts esrs-coredr.emc.com and esrs-dr.emc.com are DR servers and may not be

responsive during normal operation.

Gateway Client to Policy Manager Communication

If Policy Manager is being configured, the Gateway Client server(s) must be able to communicate with the

Policy Manager server on both HTTP port 8090 and HTTPS port 8443. To generate Access Request

Notifications (Ask for Approval), the Policy Manager must be able to connect to the customer SMTP server.

If an internal firewall exists between the Gateway Client and Policy manager, configure the firewall rules as

per the table below. The ESRS IP Solution Operations Guide contains instructions on how to force the

Gateway Client and Policy Manager to only use HTTPS port 8443 for all communication.

POLICY MANAGER

Port and Direction Destination Function

8090 Gateway Client Access Policy Referral

8443 Gateway Client Access Policy Referral

25 SMTP Server Access Approval Emails


Device Management Interfaces

Refer to the table on Page 11 for the Management IP Address requirements for each EMC device. These are

the minimum requirements for ESRS Gateway connectivity and do not include any additional network

connectivity for data traffic.

Gateway Client to EMC Device Communication The table below lists the network port requirements for communication between the Gateway Client server

and the EMC managed devices. If there is an internal firewall between the Gateway Client server(s) and the

EMC devices, use this table to generate the list of firewall rules to allow communication.

ATMOS


22 Gateway Client CLI via SSH

443 Gateway Client Atmos WebUI

25 SMTP Server Call-Home

NOTE: Connection to Atmos Appliance management Interface

AVAMAR



80, 443 Gateway Client Enterprise manager


NOTE: Connection to Avamar Utility Node Management interface

BROCADE



23 Gateway Client Telnet (optional)

162 Connectrix Manager SNMP Notifications

NOTE: Connection to switch Management Interface.

CELERRA




80, 443, 8000 Gateway Client Celerra Manager

25 Primary SMTP Server Call-Home

25 Backup SMTP Server Call-Home

25 Gateway Client Call-Home (Optional)

ALL CELERRA MODELS: Connection to Primary Control Station required

DUAL CONTROL STATION: Connection to Secondary Control Station required

DUAL CONTROL STATION: Connection to Alias IP Address (if configured) optional

CENTERA



3218,3682 Gateway Client Centera Viewer


NOTE: Connection to Centera Node external interface, deploy minimum of two nodes.

CISCO




2162 Fabric Manager SNMP Notifications

NOTE: Connection to switch Management Interface.


CLARIION


80,433 Gateway Client Navisphere Manager

5414 Gateway Client EMCRemote

9519 Gateway Client RemotelyAnywhere

6389,6390,6391,6392 Gateway Client Navisphere CLI

60020 Gateway Client RemoteDiagAgent

13456,22 Gateway Client KTConsole



NOTE: Connection to BOTH SPA and SPB required

CONNECTRIX





NOTE: Connection to Windows Workstation running Connectrix Manager and EMC Remote

DATADOMAIN



80, 443 Gateway Client Enterprise Manager


NOTE: Connection to DataDomain Management interface

DL3D ENGINE



443 Gateway Client WebUI


NOTE: Connection to DL3D Management interface

DLM


22 CLI via SSH CLI via SSH

80,443,8000 Unisphere Manager Unisphere Manager

443 Call-Home Call-Home

25 Call-Home (Optional) Call-Home (Optional)

25 Call-Home (Optional) Call-Home (Optional)

ALL DLM MODELS: Connection to Primary Control Station or ACP required

DUAL CONTROL STATION OR ACP: Connection to Secondary Control Station or ACP required

DUAL CONTROL STATION OR ACP: Connection to Alias IP Address (if configured) optional

EDL ENGINE



443 Gateway Client DL Console



SINGLE ENGINE MODEL: Connection to DL Engine Management Interface

DUAL ENGINE MODEL: Connection to Engine-A and Engine-B Service Address

ALL MODELS: Deploy Clariion backend SPA and SPB as Clariion devices.


GREENPLUM

(DCA)




NOTE: Connection to DCA Appliance Management Interface

RECOVERPOINT




NOTE: Connection to Recoverpoint Appliance Management Interface

SYMMETRIX

&

VMAX




1300 Gateway Client SGBD

1400 Gateway Client SWUCH

5555 Gateway Client Chat Server

2223003,23004,23005 Gateway Client InlineCS

443 Gateway Client Call-Home


NOTE: Connection to Service Processor Management Interface

VNX-BLOCK


22 Gateway Client RemoteKTrace


80,443 Gateway Client Unisphere Manager

13456 Gateway Client KTConsole

6391,6392,60020 Gateway Client RemoteDiagAgent



NOTE: Connection to both SPA and SPB Management Interfaces

VNX-FILE



80,443,8000 Gateway Client Unisphere Manager

443 Gateway Client Call-Home

25 SMTP Server Call-Home (Optional)


ALLVNX UNIFIED MODELS: Connection to Primary Control Station required

DUAL CONTROL STATION: Connection to Secondary Control Station required

DUAL CONTROL STATION: Connection to Alias IP Address (if configured) optional

VNXE



80,443 Gateway Client Unisphere Manager



NOTE: Connection to both SPA and SPB Management Interfaces


VPLEX



443 Gateway Client Element Manager


NOTE: Connection to Appliance Management Interface


Configure external firewall rules for Gateway Client to EMC Enterprise communication

Configure internal firewall rules for Gateway Client to EMC managed device communication

Configure internal firewall rules for Gateway Client to Policy Manager communication


Environment Validation

The Customer Environment Check Tool (CECT) is used to verify the readiness of the ESRS Gateway Client

server(s) for installation of the ESRS software. The CECT will check that the server meets all the

specifications and configuration requirements. It will also confirm network connectivity to the EMC

Enterprise servers, the Policy Manager and EMC devices.

Install Customer Environment Check Tool (CECT)

Refer to the ESRS Gateway CECT Procedures documents for installation instructions.

Install the CECT on all Gateway Client servers in the environment.

Configure CECT Test Parameters

Configure the CECT Tool Server Environment Tests as per Scenario 1 of the ESRS Gateway Solution CECT

Procedures document.

If Policy Manager is going to be configured, make sure the CECT Test Parameters screen contains the Policy

Manager address.

Configure the Device List to contain all the tests for the EMC devices that will be managed by the Gateway

Client server(s).

Run CECT Tests

Run the CECT tests and review the test results for obvious errors.

Analyse CECT Test Results

The CECT Analyser Tool is a HTML based utility that will analyse the CECT Test Log File and provide a

graphical summary of the test results and provide recommendations for tests that have failed.

Refer to Appendix C of the ESRS Gateway CECT Procedures document for instructions on how to use the

CECT Analyser Tool.

Collect CECT Test Logs

Refer to the section Collect Logs in the ESRS Gateway CECT Procedures document for instructions on how

to obtain the CECT Test logs.

If you require assistance with the analysis of the CECT Test results, forward the CECT log files to your EMC

Account Representative to arrange a specialist to assist.

If the CECT Test results are Passed by the CECT Analyser Tool, forward the successful CECT log from each

Gateway Client server for EMC Change Control submission.


Install Customer Environment Check Tool on each Gateway Client server

Configure CECT Test parameters for Gateway Pre-Installation Scenario

Configure Device tests for each EMC device that will be managed by the Gateway Client server

Run CECT Test

Use CECT Analyser Tool to verify CECT Test results

Forward successful CECT Test log file to EMC Account Representative (one per Gateway Client)


Change Control (EMC)

All new ESRS Gateway installations are subject to an EMC Change Control process. This process ensures

that all preparation tasks have been completed and verified by a subject matter expert. EMC is responsible

for submitting and gaining Change Control approval prior to the scheduled installation date.

CCA Requirements

The following is required to submit Change Control:

A completed ESRS Gateway Pre-Install Checklist (including both EMC and Customer required

information)

A successful CECT test log file for each Gateway Client server. Use CECT Analyser Tool with the

Gateway Pre-Install Scenario selected to verify the CECT test log.

Solution Implementation

The ESRS Gateway solution must be installed by a qualified EMC employee or Authorised Service Partner.

An RSA SecurID key is required to download and provision the Digital Certificate used by the ESRS Gateway

Client to authenticate communication with EMC.

Obtaining ESRS Software

The ESRS Gateway solution software includes the following:

Customer Environment Check Tool used to verify the environment

Provisioning Tool used to install the ESRS Gateway Client software

Policy Manager Policy Manager software

The Provisioning Tool and Policy Manager are not available for public download and must be supplied by

the installer. Typically the packages are made available at an FTP location so that the customer can

download the packages and copy to the Gateway Client and Policy Manager servers prior to the agreed

installation time.

Installation

The installation can be performed remotely via a Webex session to the customers workstation and then

using Remote Desktop to access the Gateway servers. If Webex is not allowed or supported then the

installer will need to perform the install from the customers premises.

The high level steps to install the ESRS IP Solution are as follows:

1. Install first Gateway Client via the Provisioning Tool

2. Create HA Cluster and enrol first Gateway Client via Servicelink

3. Under Manage Devices, edit the Party ID list to include all required Party IDs associated with that

customer

For HA Gateway Configuration:

4. Install second Gateway Client via Provisioning Tool

5. Enrol second Gateway Client to HA Cluster via Servicelink

For Policy Manager:

6. Install Policy Manager

7. Configure Gateway Client(s) to use Policy Manager via the Configuration Tool


Deploy EMC Devices

The EMC or Authorised Partner installer will deploy the devices listed in the ESRS Gateway Pre-Install

Checklist that was submitted and approved by the EMC Change Control Process. The devices will be

deployed via the Servicelink Portal website and the process may not be visible to the customer.

Some devices have multiple interfaces associated with the same serial number; these interfaces are

designated with suffixes as per the table below.

PRODUCT SUFFIX DESTINATION

ATMOS -1 to -16 Node ID

AVAMAR None Utility Node

CELERRA

-P Primary Control Station

-S Secondary Control Station (for Dual Control Stations only)

-A Active Control Station (Alias for Dual Control Station only)

CENTERA -1 to -36 Node ID

CLARIION -A Storage Processor A

-B Storage Processor B

DATA DOMAIN None Appliance

DL3D -1 to -3 Engine ID

DLM

-P Primary Control Station

-S Secondary Control Station (for Dual Control Stations only)

-A Active Control Station (Alias for Dual Control Station only)

DLM 6000 & 8000

-ACP1 Primary Access Control point

-ACP2 Secondary Access Control point (for Dual ACP only)

-ACPA Active Access Control Point (Alias for Dual ACP only)

EDL -A Engine A Service IP

-B Engine B Service IP

GREENPLUM DCA -B Backup Node

-P Primary Node

RECOVERPOINT -1 to -16 Node ID

SWITCH-BROCADE None Switch

SWITCH-CISCO None Switch

SYMMETRIX None Service Processor

VNX BLOCK

-BLOCKA Storage Processor A

-BLOCKB Storage Processor B

-FILEP Primary Control Station

-FILES Secondary Control Station (for Dual Control Station Only)

-FILEA Active Control Station (Alias for Dual Control Station Only)

VNXE None Management Interface

VPLEX None Appliance


RemotelyAnywhere Support

If you have deployed any VNX BLOCK devices or Clariion devices running FLARE 29 or higher, follow the

procedure in Appendix B to allow RemotelyAnywhere access via ESRS.

Configure and Test Device Call-Home

The EMC or Authorised Partner installer is responsible for configuring the managed devices to call-home via

ESRS (where applicable. Each device type has its own specific procedures to configure and test call-home

via ESRS Gateway Client.

Test Remote Connectivity

The EMC or Authorised Partner installer should confirm remote connectivity to the managed devices via

the Servicelink website.


APPENDIX A: Troubleshooting Device Connectivity Issues

If an ESRS Gateway reports a connectivity issue to a particular device the customer should be instructed to

run the Customer Environment Check Tool from the ESRS Gateway that is reporting the issue.

1. From the Gateway server, go to Start > Programs > ESRS > Customer Environment Check Tool or click

on the Desktop icon

2. From the main CECT application screen, select Tests from the menu bar and click on ESRS IP Customer

Environment Check as shown below.

3. In the Server Environment Tests screen, click on Clear All to clear the existing selection and then select

the Device Application and Port Connection Test. Click Next to continue.

4. In the Configuration Parameters screen, select the Product Type from the scroll list. In this example

Clariion is selected.


5. Select the Check All Apps checkbox to enable all possible application test for this device type.

6. Enter the devices IP Address (you cannot use DNS name) and Serial Number. Click Add Device to add

the selected tests to the Device List.

7. The Device List will now contain one test entry per selected Application for the device. The Status of

the test will show New Device until the configuration is saved.

8. To remove a test entry from the Device List:

Click the box to the left of a Device ID to select the row. (You can also press and hold the

Ctrl key and click to select multiple rows.)

Click Remove.


9. Click on SaveCfg to save the Device List configuration. The Status of newly created entries will change

to Device Added.

10. When the Device List is configured correctly, click Next to continue. At the Test Results screen, click on

Run Tests and wait for the tests to complete.


11. Review the test results. Click on each failed test to view the test information and the particular port

that is being tested.

12. If in doubt about the results, obtain the CECT test Log File for the test run you have just completed.

Open Windows Explorer and find the most recent CECT Test Log file (sort by Date Modified) in the

C:\EMC\ESRS\CECT\Logs directory.


APPENDIX B RemotelyAnywhere Access Filter Configuration

For all VNX Block devices and Clariion devices running FLARE 29 or higher, the RemotelyAnywhere Access

Filter needs to be updated to allow the ESRS Gateway to provide RemotelyAnywhere sessions to the

Storage Processor device. This can be done remotely via ESRS or directly from the customers network.

1. Establish a browser session to the setup page of one of the Storage processor devices:

a. If performing the steps from customer network, open Internet Explorer and browse to

https:///setup where is the IP Address on either Storage processor. Click

on Continue to this website at the security prompt.

b. If performing remotely via ESRS, establish a UnisphereUSMNaviSecureCLI (VNX-BLOCK) or

NaviMgr/NaviSecureCLI (Clariion) connection to one of the Storage Processors. When the session

goes ready, browse to https:///setup where is the IP Address supplied by

the ESRS Remote Session application. Click on Continue to this website at the security prompt.


2. Enter valid Domain admin account credentials at the login prompt.

3. Scroll down and click on Set RemotelyAnywhere Access Restrictions option


4. Add the ESRS Gateway server(s) IP Address to the Filters that apply to all storage systems in the

Domain section and click Apply. Note if there are two ESRS Gateway servers, make sure both IP

addresses are included in this section.

5. Close the session.

Date post:	23-Nov-2015
Category:	Documents
Upload:	vakul-bhatt
View:	1,636 times
Download:	8 times

ESRS Gateway Customer Implementation Guide

Documents