HP Insight Remote Support Advanced and Remote Device Access Security Overview for A.05.70 HP Part Number: 5900-1735 Published: October 2011, Edition 5.0


Page 1: HP Insight Remote Support Advanced and Remote Device Access

HP Insight Remote Support Advanced and Remote Device Access Security Overview for A.05.70

HP Part Number: 5900-1735
Published: October 2011, Edition 5.0


© Copyright 2009 – 2011 Hewlett-Packard Development Company, L.P.

Legal Notices

Confidential computer software. Valid license from HP required for possession, use or copying. Consistent with FAR 12.211 and 12.212, Commercial Computer Software, Computer Software Documentation, and Technical Data for Commercial Items are licensed to the U.S. Government under vendor's standard commercial license.

The information contained herein is subject to change without notice. The only warranties for HP products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. HP shall not be liable for technical or editorial errors or omissions contained herein.

Acknowledgments

Cisco®, Cisco Systems®, and IOS are registered trademarks of Cisco Systems, Inc. and/or its affiliates in the U.S. and certain other countries.

Microsoft® Windows, Windows NT®, Windows Vista, and Internet Explorer are registered trademarks of Microsoft Corporation.

Linux is a U.S. registered trademark of Linus Torvalds.

Java™ is a US trademark of Sun Microsystems, Inc. UNIX® is a registered trademark of The Open Group.

Red Hat® is a registered trademark of Red Hat, Inc. in the United States and other countries.

Novell is a registered trademark and SUSE is a trademark of Novell, Inc. in the United States and other countries.

Juniper Networks is a registered trademark of Juniper Networks, Inc. in the United States and other countries.

Check Point is a registered trademark of Check Point Software Technologies Ltd.


Table of Contents

About This Document ... 11
  1 Publishing History ... 11
  2 Document Organization ... 11
  3 Related Documents ... 11

1 Executive Overview ... 13

2 HP Insight Remote Support Advanced ... 15
  2.1 List of Components ... 15
  2.2 Architectural Overview ... 16
  2.3 General Security Measures ... 16
    2.3.1 Application Security ... 17
    2.3.2 Outbound Security ... 17
    2.3.3 Inbound Security ... 17
    2.3.4 Data Security ... 17
  2.4 Data Collection and Privacy ... 17
    2.4.1 Data Sent to HP ... 18
    2.4.2 HP Data Storage and Retention Policy ... 18
    2.4.3 Data Privacy ... 19
  2.5 Communication Protocols ... 19
    2.5.1 Secured Communication ... 19
    2.5.2 Unsecured Communication ... 20
  2.6 Central Management Server Deployment ... 22
  2.7 Remote Support Software Manager (RSSWM) ... 23
    2.7.1 Installation and Setup ... 23
    2.7.2 Data Collection and Storage ... 23
    2.7.3 Installation Package Security ... 23
    2.7.4 User Interface ... 23
    2.7.5 HP Transport Security ... 23
  2.8 Remote Support Client ... 24
    2.8.1 Installation and Setup ... 24
    2.8.2 Data Collection and Storage ... 24
    2.8.3 User Interface - Integration with HP SIM ... 24
    2.8.4 HP Transport Security ... 25
    2.8.5 Communication with HP Data Center ... 25
  2.9 Redundant HP Data Centers ... 25
    2.9.1 Global Server Load Balancing (GSLB) ... 26
    2.9.2 Firewall/Port Requirements for RSC and RSSWM ... 26
    2.9.3 How Do I Know That I Am Connecting to HP? ... 26
    2.9.4 How Do I Verify Connectivity to Each Data Center? ... 26
      2.9.4.1 Remote Support data center ... 26
      2.9.4.2 Remote Support Software Management data center ... 27
  2.10 Levels of Data Collection ... 27
  2.11 Remote Device Monitoring ... 28
    2.11.1 Installation and Setup ... 28
    2.11.2 Remote Device Monitoring Components ... 28
    2.11.3 Data Collection ... 31
  2.12 Proactive Services ... 32
    2.12.1 System Architecture ... 32
    2.12.2 Proactive Configuration Collection Components Installed on the CMS ... 33
    2.12.3 Proactive Configuration Collection Components Installed on Managed Systems ... 33
    2.12.4 Security Credentials ... 33
  2.13 Browser security ... 34
    2.13.1 SSL ... 34
    2.13.2 Cookies ... 34
    2.13.3 Passwords ... 34
    2.13.4 Operating System dependencies ... 34
    2.13.5 Data Collection Scripts ... 35
    2.13.6 Background Processes and Daemons ... 35
    2.13.7 Security Auditing ... 35
    2.13.8 Command-line Interface ... 35

3 Remote Device Access (RDA) ... 37
  3.1 Executive Overview ... 37
  3.2 Service Description ... 37
  3.3 Service Value ... 38
    3.3.1 Authentication ... 38
    3.3.2 Access Control Overview ... 38
    3.3.3 Secure Communications ... 38
  3.4 Unattended RDA Using SSH ... 38
    3.4.1 Customer Access System (CAS) ... 38
      3.4.1.1 Customer-owned CAS ... 39
      3.4.1.2 Virtual CAS ... 39
  3.5 HP Instant Customer Access Server (iCAS) ... 40
  3.6 Access Control Details ... 41
    3.6.1 Access control on the HP side ... 41
    3.6.2 Access control on the customer side ... 42
  3.7 Connectivity Method: SSH-Direct – Secure Shell over Internet ... 43
  3.8 Connectivity Methods for VPN Solutions ... 43
    3.8.1 hpVPN ... 45
    3.8.2 Customer-Owned Router (COR) VPN ... 45
  3.9 Connectivity Method for Integrated Service Digital Network (ISDN) ... 45
  3.10 Attended RDA via Virtual Support Room ... 45
  3.11 Data Privacy ... 46
  3.12 Remote Device Access Security Details ... 47
    3.12.1 Outbound Security ... 47
    3.12.2 Inbound Security ... 47
    3.12.3 Secured Communication ... 47
    3.12.4 Unsecured Communications ... 48
    3.12.5 Security Auditing ... 48

A X.509 Certificates and Insight Remote Support Advanced ... 49
  A.1 Overview ... 49
  A.2 Certificate Revocation Lists ... 49
  A.3 Digital Signature Verification in the Remote Support Client ... 49
    A.3.1 Signature Checking ... 49
  A.4 CRL Checking ... 51
  A.5 Self-Signed Certificates ... 51

B Summary of Network Ports for Standard Operating System Connectivity ... 53
  B.1 Standard Operating System Network Ports ... 53

C Summary of Network Ports for Servers ... 55
  C.1 Central Management Server (CMS) ... 55
  C.2 HP-UX Managed Systems ... 56
  C.3 Integrity Linux Managed Systems ... 57
  C.4 Integrity Windows Server 2003 Managed Systems ... 57
  C.5 Integrity Windows Server 2008 Managed Systems ... 58
  C.6 Multivendor and Application Adapter (MVAA) ... 59
  C.7 NonStop Managed Systems ... 59
  C.8 OpenVMS Alpha Managed Systems ... 59
  C.9 OpenVMS Integrity Managed Systems ... 60
  C.10 ProLiant Citrix Managed Systems ... 61
  C.11 ProLiant Linux Managed Systems ... 61
  C.12 ProLiant Microsoft Hyper-V Managed Systems ... 61
  C.13 ProLiant VMWare ESX Managed Systems ... 62
  C.14 ProLiant VMWare ESXi Managed Systems ... 63
  C.15 ProLiant Windows Server Managed Systems ... 64
  C.16 Tru64 UNIX Managed Systems ... 65

D Summary of Network Ports for Storage ... 67
  D.1 StorageWorks MSA1000/1500 Storage Systems ... 67
  D.2 StorageWorks MSA23xx Storage Systems ... 67
  D.3 HP P4000 Storage Systems ... 67
  D.4 StorageWorks P6000 (EVA) Storage Systems ... 68
  D.5 StorageWorks Tape Libraries ... 68
  D.6 StorageWorks P9000/XP Disk Arrays ... 69

E Summary of Network Ports for Networking ... 71
  E.1 E-Series Switch Managed Systems ... 71
  E.2 Network Managed Systems ... 71
  E.3 SAN Managed Systems ... 71
  E.4 SAN Switch Managed Systems ... 72

F Revision History for Insight Remote Support Advanced Network Ports ... 73
  F.1 A.05.40 ... 73
  F.2 A.05.50 ... 73
  F.3 A.05.60 ... 73
  F.4 A.05.70 ... 74

G Summary of Network Ports for Remote Device Access ... 75
  G.1 Customer Access System (CAS) ... 75
  G.2 Additional Ports for Virtual CAS ... 75
  G.3 Additional Ports for iCAS ... 76
  G.4 Additional Ports for P9000/XP Storage Array ... 76
  G.5 hpVPN ... 77

H Revision History for Remote Device Access Network Ports ... 79
  H.1 Virtual CAS 8.12 ... 79
  H.2 Virtual CAS 9.10 ... 79
  H.3 Virtual CAS 10.03 ... 79
  H.4 Virtual CAS 10.06 ... 79
  H.5 iCAS 10.11-327.21152 ... 79
  H.6 iCAS 11.05.144-22710 ... 79
  H.7 Insight Remote Support A.05.60: StorageWorks XP Arrays ... 79

I Recommended Firewalls ... 81

Glossary ... 83


List of Figures

2-1 Insight Remote Support Advanced Architecture ... 16
2-2 Proactive Services System Architecture ... 33
3-1 Virtual CAS ... 40
3-2 Instant CAS (iCAS) ... 41
3-3 Remote Access Connection System Details ... 42
3-4 SSH Direct ... 43
3-5 General IPsec VPN Access with SSH ... 44
3-6 General IPsec VPN Access Without SSH ... 44
3-7 ISDN ... 45
3-8 Virtual Support Room Architecture ... 46
A-1 Insight Remote Support (example) ... 50
A-2 Remote Support Software Management (RSSWM) ... 50


List of Tables

2-1 Redundant data center settings ... 26
B-1 Standard Operating System Connectivity - Firewall/Port Requirements ... 53
C-1 CMS Connectivity - Firewall/Port Requirements ... 55
C-2 HP-UX Connectivity - Firewall/Port Requirements ... 56
C-3 Integrity Linux Connectivity - Firewall/Port Requirements ... 57
C-4 Integrity Windows Server 2003 Connectivity - Firewall/Port Requirements ... 57
C-5 Integrity Windows Server 2008 Connectivity - Firewall/Port Requirements ... 58
C-6 MVAA Connectivity - Firewall/Port Requirements ... 59
C-7 NonStop Connectivity - Firewall/Port Requirements ... 59
C-8 OpenVMS Alpha Connectivity - Firewall/Port Requirements ... 59
C-9 OpenVMS Integrity Connectivity - Firewall/Port Requirements ... 60
C-10 ProLiant Citrix Connectivity - Firewall/Port Requirements ... 61
C-11 ProLiant Linux Connectivity - Firewall/Port Requirements ... 61
C-12 ProLiant Microsoft Hyper-V Connectivity - Firewall/Port Requirements ... 61
C-13 ProLiant VMWare ESX Connectivity - Firewall/Port Requirements ... 62
C-14 ProLiant VMWare ESXi Connectivity - Firewall/Port Requirements ... 63
C-15 ProLiant Windows Server Connectivity - Firewall/Port Requirements ... 64
C-16 Tru64 UNIX Connectivity - Firewall/Port Requirements ... 65
D-1 StorageWorks MSA1000/1500 Storage Systems Connectivity - Firewall/Port Requirements ... 67
D-2 StorageWorks MSA23xx Storage Systems Connectivity - Firewall/Port Requirements ... 67
D-3 HP P4000 Storage Systems Connectivity - Firewall/Port Requirements ... 67
D-4 EVA Connectivity - Firewall/Port Requirements ... 68
D-5 StorageWorks Tape Libraries Connectivity - Firewall/Port Requirements ... 68
D-6 StorageWorks P9000/XP Disk Arrays Connectivity - Firewall/Port Requirements ... 69
E-1 E-Series Switch Connectivity - Firewall/Port Requirements ... 71
E-2 Network Connectivity - Firewall/Port Requirements ... 71
E-3 SAN Connectivity - Firewall/Port Requirements ... 71
E-4 SAN Switch Connectivity - Firewall/Port Requirements ... 72
G-1 CAS Connectivity - Firewall/Port Requirements ... 75
G-2 Additional Ports for Virtual CAS Connectivity - Firewall/Port Requirements ... 75
G-3 Additional Ports for iCAS Connectivity - Firewall/Port Requirements ... 76
G-4 Additional Ports for P9000/XP Storage Array Connectivity - Firewall/Port Requirements ... 76
G-5 hpVPN Connectivity - Firewall/Port Requirements ... 77


About This Document

1 Publishing History

Publication Date   Edition Number   Manufacturing Part Number
August 2009        1.3              5992-5383
January 2010       2.0              5900-0564
May 2010           2.1              5900-0564
August 2010        3.0              5900-0566
April 2011         4.0              5900-1610
October 2011       5.0              5900-1735

2 Document Organization

• Chapter 1: “Executive Overview”

• Chapter 2: “HP Insight Remote Support Advanced”

• Chapter 3: “Remote Device Access (RDA)”

• Appendix A: “X.509 Certificates and Insight Remote Support Advanced”

• Appendix B: “Summary of Network Ports for Standard Operating System Connectivity”

• Appendix C: “Summary of Network Ports for Servers”

• Appendix D: “Summary of Network Ports for Storage”

• Appendix E: “Summary of Network Ports for Networking”

• Appendix F: “Revision History for Insight Remote Support Advanced Network Ports”

• Appendix G: “Summary of Network Ports for Remote Device Access”

• Appendix H: “Revision History for Remote Device Access Network Ports”

• Appendix I: “Recommended Firewalls”

• Glossary

3 Related Documents• HP Systems Insight Manager Installation and Configuration Guide for Microsoft® Windows

This document provides information about installing, configuring, and using HP Systems Insight Manageron supported Windows systems. This guide includes an introduction to basic concepts, definitions, andfunctionality associated with HP Systems Insight Manager.Refer to http://h18013.www1.hp.com/products/servers/management/hpsim/infolibrary.html#b2

• HP Insight Remote Support Advanced Central Management Server Configuration GuideThis document provides information about installing, configuring and using HP Insight Remote SupportAdvanced with HP SIM.Refer to http://www.hp.com/go/insightremoteadvanced-docs

• Insight Remote Support Advanced Managed System GuideThis document gives a clear understanding on the interdependencies and communication required tosuccessfully install HP Insight Remote Support Advanced.Refer to http://www.hp.com/go/insightremoteadvanced-docs

• A.05.70 Insight Remote Support Advanced Release Notes
This document contains the full list of supported products and operating platforms. Refer to http://www.hp.com/go/insightremoteadvanced-docs

• HP Systems Insight Manager User Guide
This document provides an overview of the security features available in the HP Systems Insight Manager framework. Refer to http://h18004.www1.hp.com/products/servers/management/hpsim/infolibrary.html

• WEBES User Guide
This document provides information about the features of WEBES, SEA, and CCAT and explains how to operate the software. Refer to http://h18023.www1.hp.com/support/svctools/webes/

• HP WBEM Services for HP-UX and Linux System Administrator’s Guide
This guide describes how a system administrator uses HP WBEM Services for HP-UX and Linux systems. There is a chapter on security considerations. Refer to http://docs.hp.com/en/B8465-90017/B8465-90017.pdf or http://docs.hp.com/en/B8465-90017/index.html

• HP System Management Homepage (HP SMH)
Documentation can be found at: www.hp.com/go/smh-docs

Additional information is available at http://www.hp.com/go/insightremotesupport or http://www.hp.com/go/hpsim.


1 Executive Overview

Today’s IT department plays a central role in meeting business objectives. Leveraging your IT infrastructure investments and improving overall system availability and utilization are crucial in today’s business environment. HP Insight Remote Support Advanced simplifies the management of highly diverse IT environments by providing a single remote monitoring and support solution for multiple operating systems and technologies, thereby reducing cost and complexity.

HP Insight Remote Support Advanced is a support solution that enables the delivery of HP remote monitoring and support over the Internet. Today, many security-sensitive transactions—such as e-commerce, stock trades, and online banking—are executed securely over the Internet using the same standard security technology utilized by HP through Insight Remote Support Advanced.

HP understands and shares your company’s security concerns and has leveraged its experience as a technology leader to create a secure remote support solution. To enhance the safety and integrity of your enterprise networks and support data, HP has incorporated a number of security technologies into its design. Specifically, HP provides a multilevel, layered security structure through encryption, authentication, standard security protocols, and best practices integrated at the physical, network, application, and operational levels. Interactions between HP and your enterprise network are restricted and tightly controlled through a single, secure access point. HP’s remote monitoring and support capabilities, along with any support information collected, are used only to provide you with world-class HP support.


2 HP Insight Remote Support Advanced

This chapter provides an overview of the security features available in HP Insight Remote Support Advanced. Insight Remote Support Advanced is designed to collect reactive and proactive event data from servers and storage devices using the various network protocols described in this paper. Insight Remote Support Advanced provides the core device-level communication means for gathering data, while HP Systems Insight Manager (HP SIM) and HP System Management Homepage (HP SMH) provide device discovery, security, and user interface hosting services.

Because the Insight Remote Support Advanced user interface is directly accessible through the Systems Insight Manager user interface and utilizes many of HP SIM’s features, including security, several sections that follow were directly extracted from the Systems Insight Manager Security White Paper. In addition, lower-level details regarding encryption ciphers, certificate management, and host security are available in security technical references.

Insight Remote Support Advanced is composed of three parts:

• Remote Hardware Event Management
Diagnostic software monitors the status of your hardware and generates notification events when error conditions are detected for supported servers, connected peripherals, and storage devices connected to supported systems. Notification events are received and analyzed by monitoring software installed on the Central Management Server (CMS) at the customer site, and if necessary the event is forwarded to HP for further analysis, review and possible support action. This capability can help identify potential critical issues before they occur and prevent them, increasing your system uptime. Automated notification decreases downtime for unexpected outages by automatically notifying HP of failures as they are detected. This results in faster response times, better and more accurate failure descriptions, and shorter downtime.

• Remote Data Collection and Proactive Services
This is an option available in addition to remote device monitoring. It collects system information and logs so that proactive assessments can be made by HP support. Assessments can include system health checks, current patching levels, system audits, and system availability reports. By using the proactive assessments, HP can help customers manage their IT environment and increase the overall availability of their enterprise. Remote data collection does not collect any business data, but like remote device monitoring, it may contain configuration information such as IP addresses and system details, as well as system administrator contact information. As such, the same industry-standard techniques (for example, SNMP, WBEM, DCOM, HTTP, HTTPS, SSH, and FTP) that are used in remote device monitoring are applied for remote data collection.

• Remote Device Access
Remote Device Access allows highly trained HP support personnel direct access to the systems and devices under support. This can significantly reduce the time needed to troubleshoot an issue and restore the system/device to production status.

NOTE: This function operates independently from Insight Remote Support Advanced.

2.1 List of Components

The installation of HP Systems Insight Manager and HP Insight Remote Support Advanced provides several software components, which include:

• HP Remote Support Software Manager (RSSWM)

• Remote Support Client

• Remote Support Common Components (MC3)

• Remote Support Eligible Systems List

• Web-Based Enterprise Services (WEBES)


• Event Log Monitoring Collector (ELMC)

• Remote Support Configuration Collector (RSCC)

• Remote Support Configuration Collector Extension (RSCCE)

• Advanced Configuration Collector Commands and Rules

• Unreachable Device Notification (UDN)

• Remote Support Network Component (RSNC)

• Multivendor and Application Adapter (MVAA)

NOTE: Only components that communicate outside of the CMS require security considerations and are included in this document.

NOTE: For a detailed description of each listed component and further details on how they interact to deliver Remote Support services, refer to the HP Insight Remote Support Advanced Central Management Server Configuration Guide available at http://www.hp.com/go/insightremoteadvanced-docs.

2.2 Architectural Overview

The following diagram describes the HP Insight Remote Support Advanced architecture:

Figure 2-1 Insight Remote Support Advanced Architecture

The CMS communicates with agents running on the managed systems. Events are processed and filtered. Qualified events are forwarded to HP for further diagnostic analysis. Events that require attention, such as disk failures, will trigger action from an HP support specialist.

2.3 General Security Measures

The HP Insight Remote Support Advanced solution transmits information via a secure (HTTPS) connection over the Internet, so it is vital to protect the customer’s and HP’s confidentiality, integrity and availability. Therefore, HP offers a number of industry-standard security solutions (depending on the service level agreement) to address customers’ IT security policy requirements.


2.3.1 Application Security

HP Insight Remote Support Advanced is a plug-in component that utilizes an existing customer server (known as the Central Management Server or CMS) with HP Systems Insight Manager (HP SIM) installed. Since the CMS is customer-owned and installed, it can be installed and configured according to the customer’s IT security policy. It is important that the integrity and authenticity of the Insight Remote Support Advanced software is maintained to prevent unauthorized changes. HP's Remote Support Software Management solution allows customers to choose how they wish to manage the software applications for Insight Remote Support Advanced. These options include automatic on-line updates (install all updates during a predetermined maintenance window), manual on-line updates (notify the administrator when updates are available, and let the administrator choose when to install them), and no automatic software management (this option requires the administrator to periodically install updates manually from the HP Software Depot). All updates downloaded by the HP SIM software update mechanism are digitally signed and verified before they are executed.

2.3.2 Outbound Security

Because HP SIM and Insight Remote Support Advanced collect event information from all monitored servers inside the customer’s IT environment, external firewalls only need to be configured to allow outbound HTTPS connections between the CMS and the HP data center. Details of the connection requirements are provided later in this document. Both remote device monitoring and remote data collection establish an outbound connection to HP using SSL/TLS over HTTPS, providing both confidentiality and integrity of the information being transmitted to HP.

2.3.3 Inbound Security

HP Remote Device Access requires an inbound connection from a Secure Access Server at HP to a customer-designated access server (CAS) on the customer corporate network. HP understands that security policies can vary significantly by customer and even by organization or network compartment within the customer enterprise. Therefore, HP offers a number of remote access solutions (depending on the service level agreement) that are designed to meet most customers’ security requirements. All HP RDA solutions use standard techniques that include one or more of the following services: SSH, IPsec and HTTPS. HP offers both hardware- and software-based remote access solutions that can be configured to ensure that the customer always has control of the connection. HP also has an option that allows the customer to actively view and monitor a support specialist’s activities during a remote access session.

All HP support specialists engaged in a remote access session must adhere to the same standard of business conduct as onsite HP engineers. Remote engineers must have a valid business need and customer approval prior to engaging in a remote access session. Access to the HP Remote Access infrastructure is restricted to HP employees providing remote support services directly to customers. Access to a specific customer can be further restricted to a subset of support personnel within HP, based on country, region, job function or on a white-list of named HP support personnel. HP requires two-factor authentication for all users accessing the remote access infrastructure inside of HP. Only authenticated users that are granted permission to access a specific customer connection will be allowed to initiate a connection with that customer. All connection attempts (successful and unsuccessful) are logged by the HP Remote Access infrastructure.

2.3.4 Data Security

HP maintains the availability of the Insight Remote Support Advanced infrastructure and collected data with highly available servers housed in redundant data centers. Configuration and event data is stored in the Remote Support Data Center. Specific data elements in the event and configuration data sent to HP that may contain potentially sensitive configuration information, such as IP address and full hostname as well as administrator contact information, are encrypted using AES encryption with a 192-bit key in the database and on backup media. This data may be extracted and temporarily stored in an unencrypted database in a secure HP Datacenter facility while analysis is being performed. Only authorized HP personnel can access the data stored in the HP Datacenter.

2.4 Data Collection and Privacy

As part of HP Mission Critical Support, customer information and event data may be transmitted to and stored at HP for the purpose of delivering contractual services and support.


2.4.1 Data Sent to HP

For event monitoring, the information collected and transmitted to HP may include:

• Hardware model number

• Hardware serial number

• Operating system version

• IP address

• Fully qualified domain name (FQDN)

• Failing device configuration information

• Failing device firmware information

• Hardware event information; for example a failed power supply or temperature readings

• Memory configuration information

As part of event handling, the following information may be requested by HP Support to aid in further analysis and diagnosis of failures. Collection and transmission of this additional information may be performed on a scheduled basis as part of standard or advanced configuration collections, or it may be requested to aid in the resolution of a hardware failure event:

• Error logs and failure event details

• Performance data for the system

• Memory configuration details

• Memory stack traces

• Running processes

• Performance metrics

• Installed patches

• Installed applications

• Detailed hardware configuration

• Detailed network configuration

• Memory stack trace (this information requires manual intervention)

• Memory crash dump (this information requires manual intervention)

The following information is transferred with every event and stored at HP. This information is necessary to facilitate HP-to-customer communications if an event requires human intervention.

• Company name

• Site name and address where the equipment is located

• Customer contact phone number

• Customer contact e-mail address

2.4.2 HP Data Storage and Retention Policy

Customer data is stored in a physically secure data center located in Austin, Texas, Houston, Texas, or Atlanta, Georgia (USA). The data is stored across encrypted and unencrypted databases. Physical and logical access to the systems hosting these databases is restricted to HP IT data center personnel and HP Support teams. Logical access to the above customer data is provided via a Web user interface called the Application Management Console (AMC), as well as HP’s Electronic Site Management Guide and the internal HP Storage Environment System. HP Support personnel request management approval to access this data and are authenticated using their HP domain account (Domain\username & password) or their HP-issued X.509 digital certificate. The type of authentication required is determined by the type and classification of the data held in the database. The database underlying the AMC UI application is encrypted.

The AMC and Storage Portal are available only within HP's intranet. The Electronic Site Management Guide (eSMG) has both an internal (HP) and an external (customer) user interface. Access within eSMG is constrained by a unique customer identifier. This ensures that information is only available to authorized (and authenticated) users.

Data is kept for varying lengths of time: Mission Critical server data is kept for 6 months, warranty data is kept for 1 week, SAN configuration information and event data is kept for 6 months. Hardware event details are kept for 6 months.

2.4.3 Data Privacy

HP respects customer privacy and is committed to ensuring that all customer information is protected. The personal information provided in the HP SIM and Insight Remote Support Advanced user interface and any data collected by this tool or other associated tools and utilities will not be shared with third parties. It may be shared with other HP entities or authorized support providers who provide support services described in the Insight Remote Support documentation and who may be located in other countries. HP entities and authorized support providers are required to keep confidential the information received on behalf of HP and may not use it for any purpose other than to carry out the services they are performing for HP. Our privacy practices are designed to provide protection for your personal information, all over the world. See the HP Worldwide Privacy Statement at http://welcome.hp.com/country/us/en/privacy/worldwide_privacy.html.

2.5 Communication Protocols

2.5.1 Secured Communication

These protocols are used either inside the customer’s intranet or over the Internet between the customer and HP:

• ESP
Encapsulating Security Payload (ESP), or IP protocol 50, is a protocol header inserted into an IP datagram to provide data encryption and authentication. Remote Device Access uses ESP in tunnel mode to establish VPN connectivity.

• HTTPS
HTTPS is HTTP with SSL or TLS encryption for security. All communications between the Central Management Server and the HP Remote Support Data Center are carried out over HTTPS. HTTPS is also used for the marshalling and transfer of collected device data between the CMS and the managed systems. HTTPS typically uses TCP port 443, but other services, like STE and WEBES, may specify a different port number for HTTPS communications.

• IPsec
IP Security, or IPsec, is a suite of protocols for securing IP communications. IPsec operates in two modes. In transport mode it can be configured to provide end-to-end security of all communications between two systems. In tunnel mode, IPsec can be used to provide VPN connectivity over insecure networks. A typical IPsec deployment uses two protocols: either Encapsulating Security Payload (ESP) or Authentication Header (AH), which are IP protocols, and ISAKMP. Note that AH is seldom used as it does not provide encryption.

• ISAKMP
The Internet Security Association and Key Management Protocol (ISAKMP) is an application-layer protocol that defines the procedures for authenticating a communicating peer, creation and management of Security Associations, key generation techniques, and threat mitigation.

• Secure Task Execution and Single Login
Secure Task Execution (STE) is a mechanism for securely executing a command against a managed system using the Web agents. It provides authentication, authorization, privacy, and integrity in a single request. Single Login provides the same features but is performed when browsing a system. Secure Task Execution and Single Login are implemented in very similar ways.

SSL is used for all communication during the STE and Single Login exchange. A single-use value is requested from the system prior to issuing the STE or Single Login request to help protect against replay or delay-intercept attacks. After request validation, HP Systems Insight Manager issues the digitally signed Secure Task Execution or Single Login request. The managed system uses the digital signature to authenticate the Central Management Server. Note that the managed system must have a copy of the CMS SSL certificate imported into the Web agent and be configured to “trust by certificate” to validate the digital signature. STE uses TCP port 2381.
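The STE exchange described above, modelled as an added example that is not HP's product code: the managed system hands out a single-use value, the CMS signs (value, command), and the agent verifies the signature against the CMS key it trusts and then consumes the value, so a replayed, delayed or tampered request is refused. An Ed25519 key stands in for the CMS certificate's key pair, and the names (IssueNonce, Execute, "collect-configuration") are assumptions made here.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
	"sync"
)

// Reasons a Web agent refuses an STE request.
var (
	ErrReplay       = errors.New("single-use value unknown or already consumed")
	ErrBadSignature = errors.New("signature does not verify under the trusted CMS certificate")
)

// STERequest is the signed request the CMS sends to a Web agent. The
// agent-issued single-use value is covered by the signature, so a captured
// request cannot be replayed or held back and submitted later.
type STERequest struct {
	Nonce   string
	Command string
	Sig     []byte
}

// signingInput binds the single-use value to the command it authorizes.
func signingInput(nonce, command string) []byte {
	return []byte(nonce + "\x00" + command)
}

// CMS holds the private key behind the certificate the agents trust
// (an Ed25519 key stands in for the certificate's key pair in this model).
type CMS struct{ priv ed25519.PrivateKey }

// SignRequest produces the digitally signed STE request for one nonce.
func (c *CMS) SignRequest(nonce, command string) STERequest {
	return STERequest{Nonce: nonce, Command: command,
		Sig: ed25519.Sign(c.priv, signingInput(nonce, command))}
}

// ManagedSystem models a Web agent configured to "trust by certificate":
// it holds the CMS public key and the single-use values it has handed out.
type ManagedSystem struct {
	cmsPub ed25519.PublicKey
	mu     sync.Mutex
	issued map[string]bool // outstanding (not yet consumed) values
}

// IssueNonce hands out a fresh single-use value (16 random bytes, hex)
// that must accompany the next STE request.
func (m *ManagedSystem) IssueNonce() (string, error) {
	buf := make([]byte, 16)
	if _, err := rand.Read(buf); err != nil {
		return "", err
	}
	n := hex.EncodeToString(buf)
	m.mu.Lock()
	m.issued[n] = true
	m.mu.Unlock()
	return n, nil
}

// Execute validates an incoming request: the signature must verify under
// the trusted CMS key over (nonce, command), and the nonce must be one this
// agent issued and has not yet consumed. Each nonce is consumed exactly once.
func (m *ManagedSystem) Execute(r STERequest) error {
	if !ed25519.Verify(m.cmsPub, signingInput(r.Nonce, r.Command), r.Sig) {
		return ErrBadSignature
	}
	m.mu.Lock()
	defer m.mu.Unlock()
	if !m.issued[r.Nonce] {
		return ErrReplay
	}
	delete(m.issued, r.Nonce)
	return nil // the agent would run r.Command here
}

// NewTrustedPair generates a CMS key pair and a managed system with that
// public key imported as its trusted CMS certificate.
func NewTrustedPair() (*CMS, *ManagedSystem, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	return &CMS{priv: priv}, &ManagedSystem{cmsPub: pub, issued: map[string]bool{}}, nil
}

func main() {
	cms, agent, err := NewTrustedPair()
	if err != nil {
		panic(err)
	}
	nonce, _ := agent.IssueNonce()
	req := cms.SignRequest(nonce, "collect-configuration")
	fmt.Println("first delivery:", agent.Execute(req)) // <nil>
	fmt.Println("replayed copy: ", agent.Execute(req)) // ErrReplay
}
```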

• SSH
The Secure Shell (SSH) protocol is an application-layer protocol which permits secure remote access over a network from one computer to another. SSH negotiates and establishes an encrypted and authenticated connection between an SSH client and an SSH managed server. SSH provides data integrity checks and prevents eavesdropping on, and modification of, sensitive data transferred between the CMS and managed systems. SSH typically uses TCP port 22, but alternative port numbers may be assigned to the SSH server.

Although the SSH protocol is typically used to log into a remote machine and execute commands, it also supports tunneling, forwarding arbitrary TCP ports and X11 connections. It can transfer files using the associated SFTP or SCP protocols.

The SSH protocol exists in two versions. Several security vulnerabilities have been identified in the original SSH protocol version 1; therefore it should be considered insecure and should not be used in a secure environment. Its successor, SSH protocol version 2, strengthened security by changing the protocol and adding Diffie-Hellman key exchange and strong integrity checking via message authentication codes. HP RDA uses SSH protocol version 2 for most connections.

• SSL and TLS
The Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols are application-layer protocols which provide data encryption and authentication. TLS is an updated version of SSL v3. SSL and TLS use X.509 certificates, also known as “digital” certificates, for authentication. Although most users are accustomed to working only with server certificates, SSL and TLS can be configured to require client-side certificates, which provides password-less two-way authentication. The CMS and managed systems authenticate using X.509 certificates. Also, all communications between the client browsers and the CMS are protected by SSL. The Remote Support Configuration Collector System supports both SSL v3 and TLS 1.0. These two protocols are most ubiquitous in HTTPS on TCP port 443. Other protocols and applications also utilize SSL and TLS for security.

• WBEM
Web-Based Enterprise Management (WBEM) is an initiative based on a set of management and Internet standard technologies developed by the Distributed Management Task Force (DMTF) to unify the management of enterprise computing environments. WBEM is really a collection of Internet standards and DMTF open standards: CIM infrastructure and schema, CIM-XML, CIM operations over HTTP, and WS-Management. The Common Information Model (CIM) provides a common definition of management information for systems, networks, applications and services, and allows for vendor extensions. WS-Management is a specification of a SOAP-based protocol for the management of servers, devices, and applications. WBEM can be encapsulated inside either HTTP or HTTPS. HP Insight Remote Support does not support unencrypted WBEM communications. All WBEM traffic is encrypted using SSL over HTTPS on TCP port 5989.

WMI is the Microsoft proprietary implementation of WBEM. WMI runs as a DCOM (Distributed Component Object Model) service which in turn uses RPC (Remote Procedure Call) and other associated DCOM services. The WMI Mapper is an application that provides a two-way translation interface between DCOM and WBEM. WMI Mapper is required for any Windows managed system supporting WBEM Indications to be monitored by HP SIM and Insight Remote Support.

2.5.2 Unsecured Communication

HP uses the following unsecured protocols only inside the customer’s internal network. HP will not initiate any external communications between the customer and HP using these protocols:

• HTTP
The Hypertext Transfer Protocol (HTTP) is an application-layer protocol used for exchanging data. HTTP is described in RFC 2616. Its most popular usage is for transferring text, graphic images, sound, video, and other multimedia files to Web browsers. HTTP’s capabilities are also general enough for non-web applications. The CMS remote data collection can use HTTP to identify devices. Once devices are identified, all other data transfers use HTTPS, a secure protocol. HTTP typically uses TCP port 80; however, some HP SIM components may use other TCP ports, in particular 5988 for WBEM.

• ICMP
Internet Control Message Protocol (ICMP), or IP protocol 1, is a network-layer control protocol that is considered to be an integral part of IP, although it is architecturally layered upon IP, i.e., it uses IP to carry its data end-to-end just as a transport protocol like TCP or UDP does. ICMP provides error reporting, congestion reporting, and first-hop gateway redirection [RFC1122]. The major feature of ICMP, though, is its diagnostic capabilities. The PING command, for example, uses the ICMP ECHO message to test an Internet connection. ICMP is used in the RSCC system to discover devices on the network and to verify that a monitored system is ready to communicate.

• IP
IP (Internet Protocol) is a network-layer protocol that moves datagrams through an interconnected set of networks. IP does not guarantee delivery of datagrams and provides no security. Data may be lost, received out of order, or even duplicated. Upper-layer protocols, such as TCP and SSL/TLS, must be used for providing reliable communication and security. IP is described in RFC 791. The next-layer protocols referenced in this document are:

Function                                      Protocol     Protocol Number
Error and congestion reporting, diagnostics   ICMP         1
Reliable data transmission                    TCP          6
Datagram transmission                         UDP          17
Encrypted IP encapsulation                    IPsec-ESP    50

• SNMP
SNMP (Simple Network Management Protocol) is an application-layer protocol used by network hosts to exchange information used in the management of networks. When discussing SNMP, systems are categorized as either “managed” or “managing”: a managing system manages a managed system. Managing systems in turn may also be managed. Each managed system runs a process called an agent. The agent performs two functions. It responds to information requests from a managing system using the GET, GETNEXT and GETBULK protocol operations. The managed system agent will also send unsolicited data to a managing system using the TRAP or INFORM protocol operations.

By default SNMP agents listen on UDP port 161. An SNMP manager sending requests to an agent may use any ephemeral port for the source. The agent will reply to the manager on that port. Likewise, by default SNMP managers listen on UDP port 162 for TRAP and INFORM messages from agents on managed systems. The agent may use any ephemeral port for the source. Because SNMP traps are notifications, the manager will not reply. If the manager does wish to respond to an agent trap, it must do so to the agent’s listening port, UDP port 161 by default.

In the current RSCC system, SNMP version 1 is used to gather system configuration and status data. Because SNMP utilizes UDP (User Datagram Protocol), which does not guarantee message delivery in the way that TCP (Transmission Control Protocol) does, datagrams may arrive out of order, appear duplicated, or go missing without notice. SNMP v1 security is limited to a clear-text community string included with the request, similar to a password. SNMP v1 data is not encrypted, so the entire payload can be easily snooped on the network. The operating system of the managed system may provide additional security capabilities for SNMP such as IP address restrictions for valid requests. CERT maintains a list of frequently asked questions about SNMP security at http://www.cert.org/tech_tips/snmp_faq.html.

WEBES uses SNMP v2 as well. However, like v1, v2 does not provide encryption services. SNMP v3 provides encryption services; however, it is not supported on Microsoft Windows and therefore is not supported by HP Insight Remote Support Advanced.
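To make the clear-text community string concrete, here is an added example (not from this document or HP) of a small BER parser a defender can run over captured UDP/161 datagrams: it decodes the SNMP message header and reports, for v1 and v2c traffic, the community string that any observer on the path can read. The sample datagram is constructed for the example, and ParseSNMP and Finding are names chosen here.

```go
package main

import (
	"errors"
	"fmt"
)

// SampleV1GetRequest is a hand-assembled SNMPv1 GetRequest for sysName.0 with
// community "public" (constructed sample data, not a capture from any system).
var SampleV1GetRequest = []byte{
	0x30, 0x26, // SEQUENCE, 38 bytes of content
	0x02, 0x01, 0x00, // INTEGER version = 0 (SNMPv1)
	0x04, 0x06, 'p', 'u', 'b', 'l', 'i', 'c', // OCTET STRING community = "public"
	0xa0, 0x19, // GetRequest-PDU, 25 bytes
	0x02, 0x01, 0x2a, // request-id = 42
	0x02, 0x01, 0x00, // error-status = noError
	0x02, 0x01, 0x00, // error-index = 0
	0x30, 0x0e, // VarBindList, 14 bytes
	0x30, 0x0c, // VarBind, 12 bytes
	0x06, 0x08, 0x2b, 0x06, 0x01, 0x02, 0x01, 0x01, 0x05, 0x00, // OID 1.3.6.1.2.1.1.5.0
	0x05, 0x00, // NULL value
}

// SNMPHeader is what a passive observer can read before any PDU content.
type SNMPHeader struct {
	Version   int    // 0 = v1, 1 = v2c, 3 = v3
	Community string // clear-text community for v1/v2c; empty for v3
	PDUType   byte   // 0xa0 GetRequest, 0xa1 GetNext, 0xa4 v1 Trap, 0xa5 GetBulk, 0xa6 Inform
}

// readTLV decodes one BER tag-length-value (short form, or long form with up
// to two length bytes, enough for any SNMP datagram) and returns the bytes
// that follow it.
func readTLV(b []byte) (tag byte, val, rest []byte, err error) {
	if len(b) < 2 {
		return 0, nil, nil, errors.New("truncated BER element")
	}
	tag, n, off := b[0], int(b[1]), 2
	if n&0x80 != 0 { // long form: low 7 bits give the number of length bytes
		k := n & 0x7f
		if k == 0 || k > 2 || len(b) < 2+k {
			return 0, nil, nil, errors.New("unsupported BER length encoding")
		}
		n, off = 0, 2+k
		for _, c := range b[2:off] {
			n = n<<8 | int(c)
		}
	}
	if len(b) < off+n {
		return 0, nil, nil, errors.New("truncated BER element")
	}
	return tag, b[off : off+n], b[off+n:], nil
}

// ParseSNMP extracts version, community and PDU type from a raw datagram.
func ParseSNMP(pkt []byte) (SNMPHeader, error) {
	var h SNMPHeader
	tag, body, _, err := readTLV(pkt)
	if err != nil || tag != 0x30 {
		return h, errors.New("not a well-formed SNMP message SEQUENCE")
	}
	tag, v, rest, err := readTLV(body)
	if err != nil || tag != 0x02 || len(v) != 1 {
		return h, errors.New("missing or malformed version INTEGER")
	}
	h.Version = int(v[0])
	if h.Version == 3 { // v3 continues with msgGlobalData and USM, no community
		return h, nil
	}
	tag, v, rest, err = readTLV(rest)
	if err != nil || tag != 0x04 {
		return h, errors.New("missing community OCTET STRING")
	}
	h.Community = string(v)
	if h.PDUType, _, _, err = readTLV(rest); err != nil {
		return h, err
	}
	return h, nil
}

// Finding turns a parsed header into the line a monitoring rule would log.
func Finding(h SNMPHeader) string {
	switch h.Version {
	case 0, 1:
		return fmt.Sprintf("SNMP%s PDU 0x%02x: community %q readable in clear text",
			[]string{"v1", "v2c"}[h.Version], h.PDUType, h.Community)
	case 3:
		return "SNMPv3 message: no clear-text community string"
	}
	return fmt.Sprintf("unrecognized SNMP version %d", h.Version)
}

func main() {
	h, err := ParseSNMP(SampleV1GetRequest)
	if err != nil {
		panic(err)
	}
	fmt.Println(Finding(h)) // SNMPv1 PDU 0xa0: community "public" readable in clear text
}
```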

• Syslog
The BSD system logging protocol, syslog, is an unencrypted protocol for transmitting system log messages and is described in RFC 3164. Syslog has been assigned UDP port 514, but many implementations allow for TCP communications for a more reliable transmission of data. Alternate ports may also be used.

• TCP
Transmission Control Protocol (TCP), or IP protocol 6, is a transport-layer protocol that provides reliable in-order delivery of data. TCP is described in RFC 793.

• Telnet
Telnet is an application-layer protocol that was developed for providing remote terminal sessions. Some older storage devices, routers, switches, and other devices will support only telnet for network access. Although it is insecure, Insight Remote Support Advanced uses this protocol to provide support for these legacy devices. Telnet does not provide encrypted transport of data and is considered to be an insecure communication service. Most current operating systems use SSH in place of telnet as the standard terminal communication protocol. Telnet is described in RFC 854. Telnet has been assigned to TCP port 23; however, it may be configured to run on other ports.

• UDP
User Datagram Protocol (UDP), or IP protocol 17, is a transport-layer protocol that does not guarantee data reliability or ordering the way that TCP does. Avoiding the overhead of checking whether every packet actually arrived makes UDP faster and more efficient, at least for applications that do not need guaranteed delivery. It is useful for simple applications that can withstand occasional drops of data. If data reliability is required over UDP, application-layer protocols are responsible for providing retry and ordering mechanisms. Examples of application-layer protocols that use UDP are SNMP, NFS V2, DNS, NTP, and OpenVPN. UDP is described in RFC 768.

2.6 Central Management Server Deployment

HP Systems Insight Manager (HP SIM) is the foundation for HP's unified server-storage management strategy. It is a multi-platform hardware-level management product that supports HP ProLiant, Integrity and HP 9000 servers, HP StorageWorks MSA, EVA, XP arrays, third-party arrays, HP E-series switches and other HP and non-HP platforms. HP SIM provides the basic management features of system discovery and identification, single event view, inventory data collection, and reporting. HP SIM leverages a distributed architecture that is broken into three types of systems:

• Central Management Server (CMS)

• Managed systems

• WEB Browser clients

The CMS and the managed systems together are called the HP SIM managed domain. The CMS executes HP SIM software and initiates central operations within the domain. It also maintains a database for the storage of persistent objects.

The Central Management Server (CMS) is a customer-provided HP ProLiant server running Windows Server, or VMware ESX or ESXi with Windows Server running as a VMware guest. Besides general system administration, the customer is also responsible for all software installation and security updates. Insight Remote Support Advanced is supported on Windows Server 2003 (SP1) or higher, Windows Server 2008, Windows Storage Server 2008 and Windows Server 2008 R2. Microsoft SQL Server 2005 or 2008 and a supported version of HP SIM are also required. The HP SIM installation will automatically install Microsoft SQL Server 2008 R2 Express Edition if no other version of SQL Server is already installed. The WEBES installation automatically installs the PostgreSQL database.

NOTE: WEBES uses PostgreSQL 8.4.1. HP SIM uses Microsoft SQL Server 2008 R2 Express Edition. PostgreSQL uses port 7950 instead of the default 5432. PostgreSQL settings can be viewed in the file C:\Program Files\HP\svctools\specific\desta\database\data\postgresql.conf.

Insight Remote Support Advanced serves as a plug-in to HP SIM on the CMS and extends the HP SIM database with Insight Remote Support Advanced elements. In order to use Insight Remote Support Advanced with HP SIM, the CMS must be a supported HP ProLiant server running a supported version of Microsoft Windows Server.


NOTE: For further details, refer to the HP Insight Remote Support Advanced Central Management Server Configuration Guide available at http://www.hp.com/go/insightremoteadvanced-docs.

NOTE: For a complete description of system requirements, see the A.05.70 Insight Remote Support Advanced Release Notes available at http://www.hp.com/go/insightremoteadvanced-docs.

2.7 Remote Support Software Manager (RSSWM)

2.7.1 Installation and Setup

The HP Remote Support Software Manager (RSSWM) is bundled with the Insight Remote Support Advanced installation kit. RSSWM facilitates the download and installation of Insight Remote Support Advanced components. During installation, RSSWM application folders and three local SYSTEM services will be created on the Central Management Server (CMS). The customer is asked to provide a company name and optional contact information to initiate registration with HP.

HP recommends using RSSWM to manage Insight Remote Support Advanced software. However, HP also recognizes that HP managed software updates may not fit all change management models. The Install-Then-Manage (ITM) option allows applications and their updates to be manually installed at the discretion of the system administrator, either by directly accessing HP's Software Depot at https://h20392.www2.hp.com/portal/swdepot/displayProductInfo.do?productNumber=RSADVANCED from the CMS, or by downloading software onto another system and transferring it to the CMS via physical media such as CD, DVD, or USB flash and updating from a local depot.

2.7.2 Data Collection and Storage

The RSSWM agent periodically collects, stores, and transports CMS software inventory and system data to HP using SSL or TLS over HTTPS. Note that this is done only for the CMS itself – the RSSWM agent does not collect or transport data associated with any supported devices. A copy of the information sent to HP is stored in the RSSWM agent folders located at:

<SWM Install Location>\Lib\RADSETUP\
<SWM Install Location>\Lib\RSSWM\RSPS\SWMAUDIT\

2.7.3 Installation Package Security

Software applications downloaded from HP are stored in the Installers directory, typically located at: <SWM Install Location>\Installers\. MD5 checksums are used to verify that the installation files have not been modified since they were packaged at HP.

During installation of HP SIM, a SIM administrator user is configured. The RSSWM agent sets up the HP RSSWM-SIM Context Service during agent installation. This service facilitates an installer digitally signed by HP to run in the context of the HP SIM administrator, thus enabling the installer to run integration commands with HP SIM. Not all packages deployed through RSSWM require HP SIM integration.

2.7.4 User Interface

The RSSWM interface is only available to users logged into the CMS. In addition to a direct console session, the user can employ the Microsoft Remote Desktop Client, mstsc.exe, to access the RSSWM interface. The user must specify the connect-to-console option, specified by the option '/admin', from the command line. The RSSWM User Interface allows the administrator user to specify the software update policy, schedule update installation windows and configure software packages and installation depots on the CMS.

2.7.5 HP Transport Security

The RSSWM agent uses server-side authentication to ensure that it is connecting to a valid HP RSSWM server. Upon installation, the RSSWM agent generates an install ID which is stored in the system registry (HKEY_LOCAL_MACHINE\SOFTWARE\Hewlett-Packard\RSSWM\GUID) and used during subsequent RSSWM connections to uniquely identify itself. All communications and application downloads are done over HTTPS (TCP port 443) connections. HP RSSWM uses an HP CA signed X.509 digital certificate for encryption and authentication with the HP Datacenter. HP CA certificates can be verified using the VeriSign Certificate Authority.

2.8 Remote Support Client

The Remote Support Client is primarily responsible for providing secure and reliable communications with the HP Remote Support Data Center to deliver hardware event information and configuration collection data. Additionally, this component integrates as an HP SIM plug-in to provide the customer with an integrated remote support user experience. This component is configured via the Remote Support Configuration and Services option in HP SIM.

2.8.1 Installation and Setup

The Remote Support Client is installed via the Install Then Manage (ITM) software kit, and subsequently managed via the Remote Support Software Management (RSSWM) application. The client installation creates the necessary application folders and establishes a local SYSTEM service. Access to the application folders is write-restricted to Power Users and those in the Administrators group. The client has no communications with the HP Data Center until it is configured via the HP SIM plug-in user interface.

During setup, the installer will be asked to enter company, contact and connection information. If the client needs to access the public Internet via a proxy server, the installer can enter the relevant connection and authentication data in the client interface. The proxy password is encrypted via 128-bit AES encryption and stored on the file system in the folder:

<Client Install Location>\config

The AES key itself is compiled into the client service executable.

NOTE: Insight Remote Support Advanced supports connecting directly to the Internet or connecting through a proxy server and supports all proxy servers conforming to the HTTP/1.0 Specification. Insight Remote Support Advanced does not support proxies using proxy auto-configuration scripts, NTLM authentication (also known as Integrated Windows Authentication), or Kerberos authentication.

2.8.2 Data Collection and Storage

For each device enabled for remote support, the client will collect a set of attributes used for identification (the specific fields depend on the device) and send a registration event to HP. All data sent to HP is encrypted using SSL/TLS encryption prior to transport to the HP Remote Support Data Center (RSDC) over HTTPS. Confidential data elements in the information sent to HP and stored in the Remote Support Database and on backup media are encrypted using the Advanced Encryption Standard (AES) symmetric block cipher with a 192-bit key. To enable customers to see the information sent to HP, the client stores a copy of each data submission. These are stored in the client folder structure under

<Client Install Location>\data

and are removed 14 days after the submission has been closed. (The customer can configure this retention time.) Access to this directory should be restricted to protect the client object code and the sensitive data which it manages.

2.8.3 User Interface - Integration with HP SIM

The Insight Remote Support Advanced user interface is a plug-in to HP SIM via the HP System Management Homepage (HP SMH) and leverages the user account authentication provided by that application. All web browser connections to the Insight Remote Support Advanced interface are available only through HTTPS. The Remote Support Client interacts directly with several HP SIM web services during its operation. To establish these secure connections, the client utilizes server and client certificate information managed by the HP SMH tool, which is installed as a required product with HP SIM. As a part of its installation, HP SMH stores HP SIM's public server certificate as well as generates a client certificate and imports it for HP SIM's use.


IMPORTANT: The implementation of the HP-UX Advanced Configuration Collector (via SMH) introduces a potential privilege elevation security vulnerability for the monitored HP-UX servers. Once the SMH certificates are exchanged between SMH and HP SIM, any HP SIM user with permissions to view the device status (in HP SIM) has the ability to execute privileged user commands on the HP-UX server as the root user.

2.8.4 HP Transport Security

The Insight Remote Support Client uses a VeriSign CA signed server-side X.509 certificate for authentication and confidentiality of Insight Remote Support Advanced data in transit between the CMS and the HP Remote Support Data Center.

When initial setup is complete, the Remote Support Client will register itself with the HP Data Center. This registration is performed over an HTTPS connection and includes the company and contact data entered in the Remote Support Configuration and Services HP SIM user interface as well as a set of CMS device attributes (the same information as is collected for remote support devices). The CMS data is used to uniquely identify the client instance. The HP registration service creates, encrypts and digitally signs a unique registration token that is returned to the client and stored on the file system at

<Client Install Location>\config\.isee_token

Each subsequent communication from the client will include the registration token and a new collection of CMS identification data. The token is verified and checked against the CMS data to authenticate the client. If a discrepancy is uncovered during authentication, the client will re-register itself to ensure that the operation can continue, and the HP application support team will be notified.

2.8.5 Communication with HP Data Center

2.9 Redundant HP Data Centers

The HP Insight Remote Support Data Center consists of two fully redundant database instances located in two separate HP Data Centers. Redundant data centers provide resiliency for both the Insight Remote Support Advanced data transport and the Remote Support Software Management communications. Global Server Load Balancing is used to provide load balancing and resiliency across multiple data centers.


2.9.1 Global Server Load Balancing (GSLB)

GSLB uses DNS to return the IP address of an available server. Subsequent DNS queries may return different IP addresses based on server load and availability. Thus, the actual IP addresses returned will vary over time as servers are taken in and out of service. HP has limited the number of IP addresses that will be used in these DNS aliases so that network administrators can configure packet filtering firewalls appropriately.

2.9.2 Firewall/Port Requirements for RSC and RSSWM

To accommodate this change, HP recommends that you configure your firewalls to use URL rules with the DNS names listed in the table below. With a URL rule configuration, future HP infrastructure changes may not require any firewall changes.

If your firewall does not support URL rule configuration, you will need to add rules to allow outbound access to three IP addresses for each of the three aliases in the table below. This enables the redundant data center offering by letting GSLB return the IP address of the active site. Note that these addresses may change over time as the HP infrastructure evolves.

Table 2-1 Redundant data center settings

HP Remote Support Service    Alias                     IP addresses     Protocol
Client                       services.isee.hp.com      15.216.12.26     HTTPS
                                                       15.217.96.178
                                                       15.192.8.184
Software Manager Software    rsswm.software.hp.com     15.193.0.153     HTTPS
                                                       15.192.17.239
                                                       15.201.40.169
Software Manager Policy      rsswm.policy.hp.com       15.193.0.152     SSL
                                                       15.192.17.238
                                                       15.201.40.168

2.9.3 How Do I Know That I Am Connecting to HP?

You may have concerns, especially during this transition time, that RSC and RSSWM are actually connecting to HP and not an impostor. Both RSC and RSSWM use SSL with certificates that can be verified by VeriSign. Both clients verify the HP data center certificates using either the VeriSign Certification Authority (CA) or the HP Class 2 CA certificate. Both certificates are shipped with the RSC and RSSWM software. This protects RSC and RSSWM from DNS and IP address spoofing attacks.

2.9.4 How Do I Verify Connectivity to Each Data Center?

The sections below define procedures for verifying connectivity to the Remote Support and Remote Support Software Management data centers.

2.9.4.1 Remote Support data center

If the IP addresses were configured in the firewall, connectivity for the RSC can be verified as follows: With a web browser on the CMS/host device, connect to the following URLs. The response should be a version number, for example: ##.##.##.###. Note that on rare occasions a system may not be accessible due to periodic maintenance and upgrade.

• https://rsdc-pro1-services.austin.hp.com/version/

• https://rsdc-pro2-services.austin.hp.com/version/

• https://rsdc-itg1-services.atlanta.hp.com/version/ (The ITG server is for disaster recovery purposes.)

If a URL rule was configured in the firewall, verify connectivity by sending a test event. Execute the following command from the RemoteSupport\bin directory:


C:\Program Files\HP\RemoteSupport\bin> iseeinterfaces.exe -send_support_information -test_event

9F0C94C1-5515-4328-A6C4-CE68FA7A103C

A successful run will return a globally unique identifier (GUID) as shown in the example. Any other return value is a failure.

2.9.4.2 Remote Support Software Management data center

If the IP addresses were configured in the firewall, connectivity for RSSWM can be verified as follows: With a web browser on the CMS/host device, connect to the following RSSWM software URLs. You will see a certificate error; this is expected. Note that on rare occasions a system may not be accessible due to periodic maintenance and upgrade.

• https://rsswm-software1.atlanta.hp.com/site/

• https://rsswm-software2.atlanta.hp.com/site/

• https://rsswm-software.houston.hp.com/site/

If the communications from the CMS/host device do not use a proxy server, use telnet to verify the connectivity to the RSSWM policy addresses. If a proxy server is used, it is not possible to manually check this connectivity for each address; please use the procedure in the next section.

telnet rsswm-policy1.atlanta.hp.com 443
telnet rsswm-policy2.atlanta.hp.com 443
telnet rsswm-policy.houston.hp.com 443

If a URL rule was configured in the firewall, verify RSSWM connectivity from the RSSWM UI:

1. Select Start → All Programs → Hewlett-Packard → Remote Support Software Manager → Remote Support Software Manager User Interface.

2. Select the Actions screen.

3. Click the Test button to test connectivity.

4. A screen will show the results when the connectivity test is complete.

This verifies that whatever IP address comes back from the RSSWM data center as the active site, the RSSWM agent can communicate with that address.

2.10 Levels of Data Collection

Data collection levels are a set of non-deterministic guidelines to help categorize the deployment models and potential services enabled by deployment of tools. Four levels are currently defined:

• Device Discovery (Level 0): Determine if an endpoint device is reachable across the network. For example, ICMP ECHO and ECHO REPLY messages and traceroute probes are used to determine network reachability. No credentials are required for this type of probing.

• Identity Collection (Level 1): Utilize network protocols such as SNMP to properly identify an endpoint device manufacturer, model and serial number. Public credentials such as SNMP community strings are used for probing the managed devices.

• Configuration Collection (Level 2): Utilize standard network protocols such as SNMP and WBEM to get attributes from the endpoint device, for example operating system type and version, kernel parameters, and installed software. This information will then be used to deliver as many remote support services as possible. Non-privileged system-specific access credentials are usually used, that is, the customer need not divulge administrator or root passwords.

• Proprietary Collection (Level 3): Utilize proprietary agents and/or processes hosted by the endpoint device's operating system to deliver differentiating services, for example, performance information, operating system command output, log file contents, and agent data. Privileged access credentials are required. The system administrator may be required to divulge the managed system's administrator or root password.

2.11 Remote Device Monitoring

Remote Device Monitoring collects and monitors hardware events from the monitored device. If an event requires HP intervention, such as a hardware failure, it is automatically sent to HP for analysis and is acted upon as per the service level agreement. Systems supported by the Insight Remote Support Advanced solution include (but are not limited to) servers, storage devices and network devices.

NOTE: A detailed list of supported hardware devices can be found in the document A.05.70 Insight Remote Support Advanced Release Notes available at http://www.hp.com/go/insightremoteadvanced-docs.

Although the events sent to HP do not involve any business data, they do contain information about the failing device. This information may include sensitive information such as IP addresses and fully qualified host names. To ensure that HP customers are protected, HP has implemented a range of standard security techniques that are highlighted later in this document.

2.11.1 Installation and Setup

Various components within the Insight Remote Support Advanced application suite perform RDM activities. The Insight Remote Support Advanced Software Manager is included to manage the installation and maintenance of these components.

2.11.2 Remote Device Monitoring Components

The following Insight Remote Support Advanced components comprise Remote Device Monitoring:

• Remote Support Common Components (MC3)
MC3 provides tools used to enable the collection of information used to uniquely identify the Central Management Server (CMS).

• Remote Support Eligible List (RSE)
The Remote Support Eligible List (RSE) is actually a collection that is automatically created by HP SIM when the Insight Remote Support Advanced Client plug-in is successfully installed. The RSE List displays with other collections in the HP SIM UI and includes systems discovered by HP SIM that are supportable by Insight Remote Support Advanced. There is also a Remote Support Systems List in the Services Tab of the Remote Support Option in the HP SIM UI. This list should contain the same systems as the RSE list; however, enabling Remote Support event submission only happens through the Remote Support Systems List, not the RSE List.

• Web-Based Enterprise Services (WEBES)
WEBES is a set of service tools, specifically WEBES Director, WEBES Common Components, and System Event Analyzer, that run on the HP SIM CMS with Insight Remote Support Advanced installed. These tools are built upon a common set of services included in WEBES, called the WEBES Common Components. WEBES acts upon platform-specific data using common services to present results to users in platform-independent ways.
Currently, WEBES integrates three components and service tools: System Event Analyzer (SEA), Computer Crash Analysis Tool (CCAT), and Event Logging Monitoring Collector (ELMC).


NOTE: Only one instance of WEBES per CMS is required for enterprise-wide monitoring regardless of the product to be monitored.

• WEBES Director
The Director is a required WEBES process (or set of processes) that runs continuously. The Director manages a system - either a standalone system or a node in a cluster - on behalf of WEBES, and executes functionality added to it by individual WEBES tools.

• WEBES Common Components (WCC)
The WEBES Common Components (WCC) is the set of core service tool functionality providing a common:

• Analysis engine

• Information repository

• Data interface to the repository

• Distributed messaging service for inter-process communication between tool services on heterogeneous platforms

• Set of notification mechanisms

The included tools of WEBES (SEA and CCAT) use the WCC to minimize the tool-specific functionality and the differences between the tools.

• System Event Analyzer (SEA)
SEA is a fault analysis utility designed to provide analysis for single error/fault events, as well as multiple event correlation and complex analysis. In addition to the traditional binary error log, SEA provides system analysis capabilities that use other error/fault data sources.
SEA provides background automatic analysis by monitoring the active binary error sources and processing events as they occur. The events are checked against the analysis rules. If one or more of the events meets the conditions specified in the analysis rules, the analysis engine uses the relevant event data to create a problem report containing a description of the problem and the recommended corrective action. Once the problem report is created, it is distributed in accordance with the customer's notification preferences. SEA does not offer the end user the ability to view or modify the analysis rules as to when it will create a problem report. The analysis rules or a list of callouts are not available to the end-user as they are considered to be the intellectual property of HP.

• Event Log Monitoring Collector (ELMC)
The Event Log Monitoring Collector (ELMC), formerly known as WCCProxy, is included with WEBES in some cases and downloaded separately in others. The platform-specific functionality to interface with the operating system and with certain other service tools is contained in the ELMC. It provides error condition detection on the managed endpoint system on which it is installed. It communicates these events to WEBES, which can be running either on the same system as the ELMC or on another system on the same TCP/IP network. Different ELMC packages exist for the same ELMC version, depending on the operating system and hardware platform.

• Insight Management Agents
Insight Management Agents are available as part of the ProLiant Support Pack and are required to capture hardware events and to send them to WEBES. WEBES sends qualified incidents to the Remote Support Client, which in turn submits the incidents to HP for reactive support.

• HP Remote Support XP Application Integration Module (XP AIM)
XP AIM is an optional software component that is installed on the CMS to enable monitoring of HP P9000/XP Disk Arrays. This component integrates with Insight Remote Support Advanced and facilitates event and data collections from XP Continuous Track (C-Track) on the XP Service Processor (SVP). XP AIM performs the following functions:

• Proactively informs remote HP support personnel about potential XP issues by sending them incident/event data for analysis.

• Transfers array enhanced configuration files and configuration change event bundles for remote HP support personnel access, whenever a configuration change is detected.

The SVP sends event information on to the HP SIM CMS using HTTPS on TCP port 50000. The information is deposited in a temporary directory on the CMS that is monitored by the XP AIM module. The XP AIM module will forward the information to the Remote Support Client for transmission to the HP Remote Support Data Center. HP Remote Access to the SVP is done via the Remote Desktop Protocol on TCP port 3389 or pcAnywhere on TCP port 5631. The SVP runs either Windows 7, Windows Vista or Windows XP.

• Remote Support Network Component
Remote Support Network Component (RSNC) is a network discovery and inventory software package that provides information for all the devices located on a network. It does not require the deployment of proprietary agents. Discovery is performed by probing network devices on the host's subnet. Note that Remote Support Network Component may trigger alarms on network intrusion detection systems. The CMS must have access to the following ports for Remote Support Network Component detection to work:

Remote Support Network Component Port Usage

IP Protocol   Port          Protocol    Notes
ICMP          n/a           n/a
TCP           22            SSH
TCP           23            Telnet
TCP           80            HTTP
TCP           135           epmap
TCP           139           NetBIOS
TCP           445           NetBIOS
TCP           1024-65535                The Windows NetBIOS RPC mechanism negotiates ports in this range via TCP port 135 (epmap).
UDP           69            TFTP
UDP           137           NetBIOS
UDP           138           NetBIOS
UDP           161           SNMP
UDP           162           SNMP TRAP

• Multivendor and Application Adapter (MVAA)
HP Multivendor and Application Adapter (MVAA) synchronizes incidents between HP Services and a customer's HP OpenView Operations (OVO) Management Server. Communication between the CMS and OVO uses the HTTPS (SSL/TLS) protocol over TCP port 443 and TCP port 8444 for Windows and UNIX OVO Management Servers, respectively.

• Unreachable Device Notification (UDN)
Unreachable Device Notification (UDN) performs reachability monitoring of Insight Remote Support Advanced managed devices and provides notifications of unreachable managed systems to HP Support Center and appropriate personnel at the customer site. UDN first attempts to verify reachability using SNMP from the CMS to devices. If there is no response, UDN will make ICMP echo requests in an attempt to solicit ICMP echo replies from the devices. UDN events are sent to HP via an SSL/TLS connection (HTTPS over TCP 443). Email notifications can be sent locally using SMTP on TCP 25.

• StorageWorks P4000 Centralized Management Console (CMC)
The CMC application is used to configure individual P4000 storage nodes, as well as for creating volumes, snapshots, remote copies, and storage clusters of multiple P4000 storage nodes. CMC is used to configure SNMP settings on the P4000 nodes to allow Insight Remote Support to monitor and collect system logs on the P4000 nodes in cases of system faults.

2.11.3 Data Collection

WEBES collects the following types of information from endpoint devices:

• Binary Event Log Data
The System Event Analyzer component of WEBES monitors binary event logs. These events are collected by the Event Log Monitoring Collector (ELMC) client that is installed on the end point device. A persistent connection is established from WEBES on the CMS to ELMC on the managed device and events are sent across a socket connection as they are detected.

• EVA Command View Data
The System Event Analyzer (SEA) component of WEBES requires detailed configuration information about Enterprise Virtual Array (EVA) devices. This information is obtained using the Command View EVA software running on the storage management server. SEA uses an ELMC connection to the node to get access to this information. The information may be collected at any time, and is not always related to the processing of an event, for example, comparing configuration states during analysis. This data includes various EVA components: storage cell, disks, controllers, disk groups, folder, container, cabinet, controller shelf, disk shelf, host, virtual disk, and DRM group. In addition, information about the error counts on fiber ports is collected.

• WBEM Indications
The System Event Analyzer (SEA) component of WEBES is used to monitor WBEM indications from end point devices. SEA connects to the end point device using the CIM over XML WBEM protocol in order to set up subscriptions to indications. Once the subscription is made the connection is closed. When an indication is detected by the CI-MOM, it makes an HTTPS connection back to the WEBES web interface on TCP port 7906 to deliver the indication. As part of the analysis of the indication, SEA may make a connection back to the CI-MOM to collect configuration information (a WBEM "get") as discussed below.

• Configuration Information
As part of analysis of an event, additional configuration information may be needed to isolate the location of the fault, or to provide information to HP about the Field Replaceable Unit (FRU) that needs to be replaced. In these cases, WEBES will make a connection back to the end point device using the protocols described above.
This information is generally related to the location of FRUs in the device, as well as serial and part numbers. Note that this is not an inclusive list of the types of information collected.
For Alpha machines the FRU Configuration Tree (FCT) entries are stored in the event log files. This information describes all of the components in the machine along with part numbers and serial numbers. For Integrity machines the information provided in the IPMI log is collected. This information is very similar in content to the information in the FCT. WBEM and SNMP gets are used to get information about the configuration of a device. In addition, a set of identifying information called CSID data is collected for each managed device and sent to HP so that we can ensure that incoming data and indications can be traced to a particular device.


• SNMP Traps
WEBES analyzes SNMP traps that are sent to it. As part of this analysis, WEBES may connect back to the SNMP agent to get additional information about the device, as described under Configuration Information.

• Object of Service Data
Information about the entitlement parameters (serial number, product number, contract IDs, etc.) is collected for every device WEBES monitors. In addition, contact and location information for these devices is collected as well. Finally, protocol credentials are captured (SNMP community strings, WBEM usernames and passwords, Command View usernames and passwords).
All of this information is stored in the WEBES database on the CMS. The entitlement, site, and contact information is sent to HP when an incident is created. The passwords are encrypted in the database using 128-bit AES encryption. This information can be entered via the WEBES or HP SIM User Interface. Both of those interfaces use HTTPS to secure communication between the browser and the server. In addition, the actual passwords are not sent to the browser, which precludes revealing them by viewing the source of the page.

2.12 Proactive Services
The CMS collects various data from the managed systems for the purpose of delivering proactive support. Copies of the collected data and events are stored unencrypted on the CMS file system (owned by Administrator or application users). The data is always encrypted before being transmitted to HP, and initially stored in an encrypted database in the RSDC. Some data may be stored in an unencrypted database when it is being used for analysis.
HP internal access to this data is controlled via remote support global groups. If an HP support specialist needs to access the data, he/she requires manager approval to access customer data. Each user must adhere to the HP Acceptable Use Policy when interacting with the Insight Remote Support Advanced solution.
Event data stored at HP is removed after six months, but summary data may be kept up to several years for historical reporting purposes. Other types of data have different retention policies ranging from strict six-month aging to the number of copies to be retained. In the latter case, the data may be kept for several years. Aggregate data may be kept indefinitely.
Remote support aggregate data is available for internal HP use by product divisions, support delivery, and program teams for quality purposes. Aggregate data contains no identifying information that can be traced back to a specific customer; this includes MTBF (Mean Time Between Failure) and other reliability statistics used to gain insight into product and automation quality. Customers may opt in to allow their data to be used to recommend additional HP products and services, but by default the data will not be used in this way.

2.12.1 System Architecture
On a scheduled basis, data collection requests are made by RSCC via device plug-ins. The plug-in, either directly or via web application proxies, communicates with the managed system using the protocols shown in the diagram below, including HTTPS, SSH, Telnet, SNMP, ICMP, and DCOM. Keystores and truststores are contained on both the central management server and the managed systems in order to support public and private key encryption and digital certificate based authentication.


Figure 2-2 Proactive Services System Architecture

2.12.2 Proactive Configuration Collection Components Installed on the CMS
• Remote Support Configuration Collector (RSCC)

The Remote Support Configuration Collector (RSCC) schedules and consolidates configuration information collections from entitled servers and devices using standard collection agents (Level 2 collectors) like WBEM and SNMP. It can also collect information using proprietary agents (Level 3 collectors) like the HP-UX ACC (Advanced Configuration Collector). RSCC can also collect information using SSH or Telnet to a device to manually execute a command and capture the results. The RSCC is updated regularly to extend support for new products as they become available. This component is configured in the Remote Support Configuration and Services option in HP SIM.

NOTE: For more details on how to configure configuration collections, please refer to the HP Insight Remote Support Advanced Central Management Server Configuration Guide at http://www.hp.com/go/insightremoteadvanced-docs.

• Remote Support Configuration Collector Extension
This component is designed to extend the capabilities of the Remote Support Configuration Collector for SAN Environments by enabling remote execution capabilities for Windows SAN management servers to allow collection of SAN environment configuration and status information.

2.12.3 Proactive Configuration Collection Components Installed on Managed Systems
Advanced Configuration Collector (ACC) Depot for HP-UX 11.X
The HP-UX ACC is used to collect configuration information for proactive reporting. Proactive reporting is a premium service for mission critical support agreements. The HP-UX ACC is installed on the HP-UX managed systems and is accessed via the System Management Homepage. Collection data is sent to HP for analysis. Reports are generated and delivered via an HP account team representative.

2.12.4 Security Credentials
Digital Certificates
Certificates generated by HP Systems Insight Manager and the Web Agents are by default self-signed. Public Key Infrastructure (PKI) support is provided so that certificates may be signed by an internal certificate server or a third-party Certificate Authority (CA). In addition, System Management Homepage also creates self-signed certificates and maintains a key store where it stores these certificates for the purposes of exchange with CMS nodes.
RSCC utilizes both HP SIM and HP SMH keys for signing and authentication of messages as well as for browser to system HTTPS access. HP SIM and HP SMH self-signed digital certificates are set to expire ten years from the time of creation. If a certificate expires, the UC system will sense that the certificate has expired and log the event. Credentials can be regenerated and exchanged between CMS nodes and managed systems using the System Insight Manager command line and certificate import and export utilities.

2.13 Browser security
2.13.1 SSL

All communication between the browser and the CMS or any managed server occurs using HTTP over SSL, i.e., HTTPS. Any navigation using HTTP (not using SSL) is either denied or automatically redirected to HTTPS.

2.13.2 Cookies
Although cookies are required to maintain a logged in session, only a session identifier is maintained in the cookie. No confidential information is stored in the cookie. All cookies are marked as secure and therefore must be transmitted over SSL.

2.13.3 Passwords
Password fields displayed by HP Systems Insight Manager and the Insight Remote Support Advanced application do not display cleartext passwords. Passwords transmitted between the browser and CMS as well as between the CMS and managed devices are encrypted using SSL/TLS and transmitted over HTTPS.

2.13.4 Operating System dependencies
• User accounts and authentication

The HP Systems Insight Manager and Insight Remote Support Advanced system accounts are authenticated against the CMS host operating system. Any operating system feature that affects user authentication will affect signing into HP Systems Insight Manager and Insight Remote Support Advanced. The operating system of the CMS can implement a lock-out policy to disable an account after a specified number of invalid sign in attempts. Additionally, an account can be manually disabled in the Microsoft® Windows® domain. Any account that cannot authenticate against the operating system prevents signing into the HP SIM and Insight RSA using that account.

NOTE: A user who is already signed into HP Systems Insight Manager is not re-authenticated against the operating system until the next sign in attempt and continues to remain signed into HP Systems Insight Manager, retaining all rights and privileges therein, until signing out of HP Systems Insight Manager.

IMPORTANT: If creating operating system accounts exclusively for HP Systems Insight Manager accounts, give users the most limited set of operating system privileges necessary to accomplish the required function. Any root or administrator accounts should be properly guarded. Configure all password restrictions, lock-out policies, and user profiles in the operating system.

• File system
Access to the file system should be restricted to protect the object code of HP Insight Remote Support Advanced. Inadvertent modifications to the object code can adversely affect the operation of Insight RSA. Malicious modification can allow for covert attacks, such as capturing sign in credentials or modifying commands to managed systems. Read-level access to the file system should also be controlled to protect sensitive data such as private keys and passwords, which are stored in a recoverable format on the file system. The Insight Remote Support Advanced installation wizard sets appropriate restrictions on the application files and directories. These restrictions should not be changed because this could adversely impact the operation of Insight RSA or allow unintended access to the files.

• Signed applet
Previous versions of HP Systems Insight Manager use a Java plug-in that may additionally display a warning about trusting a signed applet. Those previous versions of HP Systems Insight Manager use an applet signed by Hewlett-Packard Company, whose certificate is signed by VeriSign.


2.13.5 Data Collection Scripts
If creating operating system accounts exclusively for HP Systems Insight Manager accounts, give users the most limited set of operating system privileges necessary to accomplish the required function. Any root or administrator accounts should be properly guarded. Configure all password restrictions, lock-out policies, and user profiles in the operating system.

2.13.6 Background Processes and Daemons
On Windows, HP Systems Insight Manager and Insight Remote Support Advanced are installed and run as a Windows service. By default, they run using the administrator account used during product installation. The HP-UX Advanced Configuration Collector does not run as a daemon on HP-UX systems, but instead executes a series of collection commands with restricted root access when invoked via the HP System Management Homepage during data collection periods.

2.13.7 Security Auditing
The HP Systems Insight Manager and Insight Remote Support Advanced security audit logs contain entries for important system activities, such as executed tasks, authorization modifications, user sign in and sign out, and so on. Tools by default are configured to log results in the Windows system audit log. Proper security precautions should be taken to prevent users from modifying the tool definition files to defeat the default security auditing.

2.13.8 Command-line Interface
Much of HP Systems Insight Manager and Insight Remote Support Advanced functionality can be accessed through the command line. To access the command-line interface, you must be logged on to the CMS using a valid HP Systems Insight Manager user account. That account’s authorizations and privileges within HP Systems Insight Manager apply to the command line interface as well.

NOTE: On a Windows system, the HP SIM administrator system account must be a member of the Administrators group on the CMS for all of the commands to work properly.


3 Remote Device Access (RDA)
3.1 Executive Overview

Remote Device Access (RDA) is a support solution that enables the delivery of HP remote support services over the Internet or other connectivity methods. Today, many security-sensitive transactions, such as e-commerce, stock trades, and online banking, are executed securely over the Internet using the same security technology utilized in RDA by HP.
Enhanced security features like strong encryption, authentication, audit and target authorization address stringent customer compliance regulations. Customizable policies, which customers can control and define for a remote control session, allow for a consistent and firewall-friendly remote support solution for use across the HP product and services portfolio.

3.2 Service Description
HP offers several options for establishing a secure connection between HP and the customer network, allowing an HP support specialist—with prior authorization—to remotely access monitored systems and devices on a customer network. Using HP RDA, an HP support specialist can log in to a customer system, observing normal security processes and procedures in order to provide remote hardware or software support for faster resolution of problems.
HP Remote Access can be set up on demand (Ad Hoc), or preconfigured (Entitled) prior to use.
Ad Hoc:
Ad Hoc connections can be used if there is no pre-configured solution installed, or if your security policy does not allow static inbound B2B access connections into your corporate network. In the Ad Hoc solution, the customer administrator and HP remote support representative agree to engage in an immediate RDA session. This connection type allows for the creation of an ad hoc, or spontaneous, remote connection to the customer administrator desktop using lightweight applications such as HP Virtual Support Room (VSR) or the HP Instant Customer Access Server (iCAS). Once an ad hoc session is established, a customer administrator can share their desktop within the Virtual Support Room, or allow HP to connect via the iCAS; the support engineer can leverage this connection to provide access to target systems inside the customer's corporate network. This solution should only be used during normal business hours as it must be initiated from a customer administrator system connected to the corporate network.
Entitled:
Entitled Remote Device Access describes a connection solution which must be deployed and configured at a customer site before support can be delivered (this is sometimes called a pre-configured solution). This may include routers or other hardware specifically configured to allow connections between HP and a customer network. This connection type allows a support engineer to connect to or through a pre-configured Customer Access System (CAS) on a customer's corporate network in order to gain access to HP supported systems and devices. With prior consent, HP can initiate an Entitled connection. No assistance is required to establish the connection between networks. However, the customer administrator's assistance will be required to provide access credentials for the supported devices.
Ad Hoc RDA options include:

• HP Virtual Support Rooms (VSR) – A web-based desktop sharing application.

• HP Instant Customer Access Server (iCAS) – A meet in the middle access model that allows HP remote access connections between HP and a customer network using SSH tunneled over an HTTP connection.

Entitled Remote Access options include:

• SSH-Direct – The SSH tunnel runs bare over the Internet.

• IPSec VPN Connectivity – The SSH tunnel runs over a peer to peer IPSec VPN tunnel between HP and a customer's network.

• SSL VPN Connectivity – This solution requires an SSL VPN concentrator on the customer network to be configured to allow access for HP Support. Connections are tunneled through a secure SSL (HTTPS) connection over the Internet.

• ISDN Connectivity – The SSH tunnel runs over an ISDN connection.


NOTE: The ISDN Connectivity option is not available in all countries.

Most of the Entitled Remote Access solutions leverage the end-to-end encryption and application tunneling capabilities of SSHv2. While using SSHv2 is strongly recommended, some versions of Entitled Remote Access can be configured without SSHv2. Not using SSHv2 can lower the security profile and limit the functionality of the RDA solution.

3.3 Service Value
The RDA solution provides HP customers an information security compliance level so that customers can meet most government and industry regulations. Authentication, access control and secure communications conform to industry best practices.

3.3.1 Authentication
Customers can identify that they are securely connected to HP support specialists. Only authorized HP support specialists are able to establish connections, authenticated with digital certificates.

3.3.2 Access Control Overview
HP customers using RDA have full control of all incoming connections. Authorization and access restrictions can be configured to meet the requirements of most IT network security policies. For unattended RDA, audit trails are stored in audit log files.

3.3.3 Secure Communications
All HP RDA communication options use strong encryption technologies and two-factor authentication methodologies to ensure all remote access connections are secured. A multi-layer security approach ensures the confidentiality, integrity and availability of every connection and ensures that HP Customers and HP Support can use RDA with confidence.

3.4 Unattended RDA Using SSH
All unattended RDA solutions rely on an SSH (SSH-2 protocol) tunnel running between the support specialist's desktop and a designated Customer Access System (CAS) deployed either in the customer DMZ or on a trusted network.
An SSH server is required on the customer network acting as a so-called customer access system (see CAS below). An SSH client is typically used for establishing connections to an SSH server accepting remote connections. SSH servers are commonly present on most modern operating systems, including Microsoft Windows, Mac OS X, Linux, FreeBSD, HP-UX, Tru64 UNIX, and OpenVMS. Proprietary, freeware and open source versions with various levels of complexity and functionality exist.
Most SSH implementations can be configured to comply with customers’ security policies. For example:

• The protocol can be limited to SSH-2 only.

• Selection of encryption algorithm (3DES, AES, AES-256, etc.).

• Allow only private/public key authentication (disallow password authentication).

• Use SecurID and other token-based authentication methods.

Additionally some implementations support the use of X.509 certificates (also called an HP DigitalBadge) and two-factor authentication.

3.4.1 Customer Access System (CAS)
Customer Access Systems (CASii) are required for all unattended RDA methods. By hosting the SSH server, the CAS provides a central access point for customers to control remote access into their environment. Customers determine the login of each HP user individually to allow or deny specific services or access to specific computers within their network. The HP SIM Central Management Server (CMS) or the Hosting Device used by the HP Insight Remote Support Solution can also function as a CAS.


TIP: To learn more about HP Insight Remote Support Solutions please visit: http://h18013.www1.hp.com/products/servers/management/hpsim/index.html.

A CAS may be implemented on any customer-owned system capable of running a compatible SSH server. HP also offers a virtualized CAS (vCAS) solution that can be used to manage HP access into a customer environment.

3.4.1.1 Customer-owned CASii
The customer may choose to provide their own CAS. The primary requirement is a functional SSH server such as OpenSSH. Microsoft Windows, Linux, HP-UX, OpenVMS, and Tru64 UNIX operating systems may be used. HP recommends that the customer configure SSH to accept only protocol version 2 and strong encryption, for example AES (128 or better) or Triple DES. Firewalls should also be configured to allow SSH (version 2) access only from HP’s access servers.
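As an added example (not HP's code or configuration), the following Python audit parses an sshd_config and reports where its global settings depart from the guidance in sections 3.4 and 3.4.1.1: SSH-2 only, AES (128-bit or better) or Triple DES ciphers only, and key-based rather than password authentication. The two configurations are constructed samples; restricting inbound TCP/22 to HP's access servers is a firewall setting and is not checked here.

```python
"""sshd_config audit for a customer-owned CAS (added example, not HP code).

Checks the points sections 3.4 and 3.4.1.1 call out: SSH-2 only, AES (128-bit
or better) or Triple DES ciphers only, and key-based rather than password
authentication. Source restriction to HP's access servers is a firewall matter.
"""
import re

# Cipher names as OpenSSH spells them; the overview names AES (128 or better)
# and Triple DES as acceptable.
STRONG_CIPHERS = frozenset({
    "aes128-ctr", "aes192-ctr", "aes256-ctr",
    "aes128-cbc", "aes192-cbc", "aes256-cbc",
    "3des-cbc",
})

# "Keyword value" or "Keyword = value"; keywords are alphabetic and case-insensitive.
DIRECTIVE = re.compile(r"^([A-Za-z]+)(?:\s*=\s*|\s+)(.*?)\s*$")


def parse_sshd_config(text):
    """Return {keyword.lower(): value} for the global section of an sshd_config.

    sshd uses the first value it sees for a keyword, so later duplicates are
    ignored; '#' comments and blank lines are skipped; everything after a
    'Match' line is conditional and is deliberately left out of the audit.
    """
    settings = {}
    in_match = False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = DIRECTIVE.match(line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2)
        if key == "match":
            in_match = True
            continue
        if in_match or key in settings:
            continue
        settings[key] = value
    return settings


def audit(settings):
    """Return a list of (keyword, problem) tuples; an empty list means the
    global settings meet the overview's recommendations."""
    findings = []

    proto = settings.get("protocol")
    if proto is None:
        findings.append(("Protocol", "not set; pin 'Protocol 2' so SSH-1 can never be negotiated"))
    elif "1" in [p.strip() for p in proto.split(",")]:
        findings.append(("Protocol", f"'{proto}' still offers SSH-1; set 'Protocol 2'"))

    ciphers = settings.get("ciphers")
    if ciphers is None:
        findings.append(("Ciphers", "not pinned; list AES/3DES ciphers explicitly instead of the build default"))
    else:
        weak = [c for c in (x.strip().lower() for x in ciphers.split(","))
                if c not in STRONG_CIPHERS]
        if weak:
            findings.append(("Ciphers", "offers ciphers outside AES/3DES: " + ", ".join(weak)))

    # OpenSSH defaults when unset: PasswordAuthentication yes, PubkeyAuthentication yes.
    if settings.get("passwordauthentication", "yes").lower() != "no":
        findings.append(("PasswordAuthentication", "password logins allowed; set 'no' and use keys or token auth"))
    if settings.get("pubkeyauthentication", "yes").lower() != "yes":
        findings.append(("PubkeyAuthentication", "disabled; key authentication is the recommended method"))
    return findings


# Constructed sample: a CAS before hardening.
WEAK_CONFIG = """\
Protocol 2,1
Ciphers aes128-cbc,arcfour,blowfish-cbc
PasswordAuthentication yes
PubkeyAuthentication yes
"""

# Constructed sample: the same host after applying the overview's guidance.
# The Match block only illustrates that conditional directives are skipped by
# the audit; 203.0.113.10 is a documentation address, not an HP server.
HARDENED_CONFIG = """\
Protocol 2
Ciphers aes256-ctr,aes192-ctr,aes128-ctr,3des-cbc
PasswordAuthentication no
PubkeyAuthentication yes
Match Address 203.0.113.10
    MaxSessions 4
"""

if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit(parse_sshd_config(text)))
```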

3.4.1.2 Virtual CAS
The Virtual CAS is provided by HP free of charge for HP RDA customers and is the HP preferred method for customers using an Entitled Remote Access solution. The Virtual CAS provides enhanced security and management functionality to restrict access into customer networks. Access restrictions on the vCAS solution can be easily defined by the customer administrator through a web interface. There are three basic access control settings:

• Open Access: allow access to all HP users

• Closed Access: deny access to all HP users

• White List: Allow/Deny access to specific users

The HP vCAS solution can assign specific access rules to HP users. These rules can restrict users to specific devices (and services) based on the rules defined in the vCAS admin interface. It is a software-only solution based on a VMware image of a virtual machine running Ubuntu Server. Virtual CAS features include:

• Runs on VMware Server ESX or ESXi. Can also run on VMware Server (available from VMware at no cost for Microsoft Windows or Linux).

• Can run as a VM Guest on a virtualized Central Management Server (CMS) or Hosting Device.

• Based on open source software.

• An easy to use administration web interface.

• Implements SSH authentication using HP issued X.509 certificates.

The authentication is compatible with HP’s VeriSign-administered internal PKI (known internally as HP DigitalBadge).

• CRL access is available either via file or Online Certificate Status Protocol (OCSP).

• Fine-granularity access control – customers can specify user level access to targets including TCP ports.

• Easy-to-use software update mechanism based on apt-get. The virtual CAS will poll HP for software updates and security patches. The Customer has full control on how and when these updates may be applied to the Virtual CAS.

• Can be used with SSH-Direct, hpVPN, or CorVPN solutions.
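As an added example that models, rather than reproduces, the vCAS access settings described above (the product's own rule engine is not shown in this overview), the Python below evaluates one forwarding request against the Open Access, Closed Access and White List modes with per-user device and TCP port rules and a CRL check. The policy, user names, addresses and certificate serials are constructed, and the deny-by-default handling of a listed user without a matching rule is an assumption.

```python
"""Model of the vCAS access-control settings in section 3.4.1.2 (added example).

Assumptions beyond the text: a white-listed user carries a list of target
rules and is denied anything those rules do not cover; revocation is modelled
as a set of certificate serials taken from the CRL; rules match on an
address or CIDR block and, optionally, on TCP port.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

OPEN, CLOSED, WHITELIST = "open", "closed", "whitelist"


@dataclass(frozen=True)
class TargetRule:
    network: str                      # one device ("10.0.5.12/32") or a subnet
    ports: frozenset = frozenset()    # allowed TCP ports; empty means any port

    def matches(self, host, port):
        return (ip_address(host) in ip_network(self.network, strict=False)
                and (not self.ports or port in self.ports))


@dataclass
class CasPolicy:
    mode: str = CLOSED                            # deny everything unless configured
    users: dict = field(default_factory=dict)     # HP user -> [TargetRule, ...]
    revoked: set = field(default_factory=set)     # certificate serials on the CRL


def decide(policy, user, cert_serial, host, port):
    """Return (allowed, reason) for one forwarding request through the CAS.

    Revocation is checked before any mode or rule: a revoked badge is refused
    even under Open Access, because the user is no longer authenticated.
    """
    if cert_serial in policy.revoked:
        return False, "certificate revoked"
    if policy.mode == CLOSED:
        return False, "Closed Access: all HP users denied"
    if policy.mode == OPEN:
        return True, "Open Access: all HP users allowed"
    rules = policy.users.get(user)
    if rules is None:
        return False, f"{user} is not on the white list"
    for rule in rules:
        if rule.matches(host, port):
            return True, f"{user} allowed to {host}:{port} by rule {rule.network}"
    return False, f"{user} has no rule covering {host}:{port}"


# Constructed sample policy: one engineer may reach SSH on a single server and
# any port on a management subnet; certificate serial 1F is on the CRL.
SAMPLE_POLICY = CasPolicy(
    mode=WHITELIST,
    users={"hp.engineer": [TargetRule("10.0.5.12/32", frozenset({22})),
                           TargetRule("10.0.6.0/24")]},
    revoked={"1F"},
)

if __name__ == "__main__":
    for req in (("hp.engineer", "2A", "10.0.5.12", 22),
                ("hp.engineer", "2A", "10.0.5.12", 3389),
                ("hp.engineer", "1F", "10.0.6.7", 443),
                ("other.user", "2A", "10.0.6.7", 22)):
        print(req, decide(SAMPLE_POLICY, *req))
```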


Figure 3-1 Virtual CAS

3.5 HP Instant Customer Access Server (iCAS)
HP Instant Customer Access Server (iCAS) is a lightweight connection tool that allows an HP support agent to quickly and securely connect to a customer's environment to aid in diagnosis and repair of supported hardware devices. The customer runs the iCAS software as a browser plug-in on any Windows or Linux desktop with Internet access and network access to the device the HP support engineer is attempting to access. HP iCAS uses a Meet in the Middle connection paradigm to facilitate a remote access session by establishing a tunnelled SSH session to a Remote Access Meeting Server (RAMS). The HP engineer generates a unique connection key that is used to couple the HP Engineer and Customer SSH connections together, creating an end-to-end SSH tunnel between the HP Support engineer desktop and the iCAS host. Once the session key is exchanged, the session is established as follows:
1. HTTP connection occurs (using TCP/80) from iCAS host to RAMS using URL and Session key provided by HP Support Engineer.
2. Customer’s SSH connection (using TCP/2022) over HTTP to RAMS Server.
3. The HP engineer session sees the customer session connected to the RAMS.
4. An HTTP connection is made from HP engineer browser to the RAMS.
5. The HP engineer’s SSH connection (using TCP/2022) over HTTP to RAMS occurs.
6. The unique session key ensures that both sessions rendezvous on the RAMS and create a secure SSH tunnel.
From this point the HP Engineer can request access to the affected system in the customer network by tunneling through the SSH tunnel to the target device inside the customer network. The customer must specifically grant access and provide the access credentials to the HP engineer before the connection to the target device can be established.
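The six-step rendezvous above, as an added example that models the RAMS coupling logic rather than HP's implementation: both ends connect outbound to the meeting server and are joined only when they present the same connection key. That a key couples exactly one customer and one engineer and is then spent, and the key length, are assumptions.

```python
"""Model of the iCAS meet-in-the-middle rendezvous in section 3.5 (added example).

Neither side accepts an inbound connection: the iCAS host and the engineer both
connect outbound to the RAMS, which couples them by connection key. Assumptions
beyond the text: a key couples exactly one customer and one engineer session and
is then spent, and the key is 16 random bytes.
"""
import secrets
from dataclasses import dataclass
from typing import Optional

CUSTOMER, ENGINEER = "customer", "engineer"


@dataclass
class Session:
    side: str
    key: str
    peer: Optional["Session"] = None   # set once the two ends are coupled

    @property
    def tunnel_up(self):
        return self.peer is not None


def new_connection_key():
    """The HP engineer generates the unique key that the customer types into iCAS."""
    return secrets.token_urlsafe(16)


class Rams:
    """Remote Access Meeting Server: holds the first arrival per key until its
    counterpart shows up, then couples the two SSH sessions end to end."""

    def __init__(self):
        self._waiting = {}   # key -> Session waiting for the other side
        self._spent = set()  # keys that have already coupled a pair

    def waiting_side(self, key):
        """Step 3: the engineer can see whether the customer is already connected."""
        session = self._waiting.get(key)
        return session.side if session else None

    def connect(self, side, key):
        """Steps 2 and 5: an SSH-over-HTTP session arrives carrying its key."""
        if key in self._spent:
            raise PermissionError("connection key already used")
        other = self._waiting.get(key)
        if other is None:
            session = Session(side, key)       # first arrival waits
            self._waiting[key] = session
            return session
        if other.side == side:
            raise PermissionError(f"a {side} session is already waiting on this key")
        session = Session(side, key, peer=other)   # step 6: couple the pair
        other.peer = session
        del self._waiting[key]
        self._spent.add(key)
        return session


def run_exchange(rams=None, key=None):
    """Walk the six steps once and return the (customer, engineer) sessions."""
    rams = rams or Rams()
    key = key or new_connection_key()
    customer = rams.connect(CUSTOMER, key)       # steps 1-2
    if rams.waiting_side(key) != CUSTOMER:       # step 3
        raise RuntimeError("customer session not visible on the RAMS")
    engineer = rams.connect(ENGINEER, key)       # steps 4-6
    return customer, engineer


if __name__ == "__main__":
    cust, eng = run_exchange()
    print("tunnel up:", cust.tunnel_up and eng.tunnel_up)
```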


Figure 3-2 Instant CAS (iCAS)

3.6 Access Control Details
3.6.1 Access control on the HP side

HP manages all remote access customers in an internal web application called Remote Access Portal (RAP). Customers and their connection details are centrally and securely managed via the RAP user interface. Every customer connection is associated with a unique set of access rights allowing the HP Account Team to restrict HP access to customer remote access information. Customer connection information, configuration details and access credentials are stored in an encrypted Remote Connectivity Database located in a secure HP data center facility.
An HP Support specialist must authenticate to the HP RDA Infrastructure using his or her HP issued X.509 digital certificate, internally called Class A DigitalBadges, that employ two-factor authentication. The HP support specialist must have a physical ActivKey or ActivCard which is enabled by a password or passphrase. This is a physical hand held token issued to appropriate HP support personnel and issuance is controlled by HP business and security policies.
An HP support specialist must be granted permission to access a customer in RAP before they can see the connection details necessary to initiate a remote access session to a CAS on a customer network. If they are not able to see the connection details, they must contact the HP account owner and request access to the customer network in RAP.


Figure 3-3 Remote Access Connection System Details

A Remote Access Connection System (RACS) is an SSH server that can forward an SSH connection to an appropriate CAS. When the HP support specialist connects and is authenticated to the RACS, the SSH server on the RACS checks the security token issued by the RAP to ensure that the support specialist is allowed to connect to the customer’s IP address. Upon successful authorization, the RACS will forward the SSH connection to the HP routing device. RACS servers are located in various HP data center locations.

3.6.2 Access control on the customer side
For a primary defense, the customer’s firewall can be configured to allow only RACS systems at HP to access their VPN routers or CASii. Although standard passwords can be used, it is recommended to configure SSH public/private keys instead. Some versions of SSH servers can be configured to use HP’s DigitalBadge certificates for authentication. HP recommends that customers use the HP provided Virtual CAS as this provides enhanced access control capabilities for customers.
One-time password systems, such as RSA’s SecurID, can also be used if the customer’s SSH server or access infrastructure supports them.
The CAS itself provides the second layer of defense. Depending on the CAS type, customers can define named employees, target systems or even ports that HP support specialists are allowed to connect to. The customer owns the security policies and access control into his/her environment and can specifically restrict connections to named HP support personnel and can terminate connections as needed.
The HP Support specialist is also subject to the customer’s own access control and security policies in that the customer must provide login credentials if needed for the device that HP connects to. For example, if the HP support engineer wishes to log on to a UNIX server within a customer network, the customer provides the logon name and controls what activities the HP support agent can perform. In this way the customer oversees who from HP connects to their network and then controls where they can go and what they are allowed to do.
The third layer is the login credentials on the target system, which must be known by the HP support specialist, typically pre-shared or shared on demand by the customer to HP either via phone or using a different secure communication channel.

3.7 Connectivity Method: SSH-Direct – Secure Shell over Internet
The direct SSH option provides a simple and easy unattended RDA solution. The customer need only provide HP with an Internet Routable IP address for the CAS and allow one or more of the HP access servers to access it on TCP port 22. The SSH-2 protocol is considered as secure as SSL because it uses comparable encryption ciphers.

Figure 3-4 SSH Direct

3.8 Connectivity Methods for VPN Solutions
Many customers’ security policies require that all inbound connections be protected inside a VPN connection that is terminated in a DMZ. HP offers site to site IPsec VPN access solutions for entitled remote access. SSH port-forwarding is still used, except that it is tunneled over IPsec using VPN routers. The combination of SSH and IPsec provides enhanced security.
SSH is recommended as it provides better end to end security as well as enhanced functionality (file transfer capabilities and application tunneling), but HP recognizes that this may not fit all security policies. Therefore we offer site to site IPsec VPN connectivity with and without SSH tunneling. The following two figures show both options.


Figure 3-5 General IPsec VPN Access with SSH

Figure 3-6 General IPsec VPN Access Without SSH


3.8.1 hpVPN
With hpVPN, HP provides a router to the customer. The router is deployed in the customer’s DMZ. HP’s VPN router establishes an IPsec VPN connection with a so-called Customer Premises Equipment (CPE) router at the customer’s site. HP maintains the software and router configurations on both ends. Currently, all hpVPN connections use triple-DES or AES encryption and SHA-1 HMAC. The access lists on the CPE routers allow only connections from authorized HP systems. HP manages and configures the hpVPN routers.

NOTE: The hpVPN solution is offered in limited areas; please check with your HP representative to determine if this option is available in your country.

3.8.2 Customer-Owned Router (COR) VPN
With COR VPN, HP establishes an IPsec VPN with a customer-owned router. HP’s RDA VPN routers are successfully inter-operating with ProCurve, Cisco IOS, Cisco PIX, Check Point, Juniper, and other VPN routers at customer sites. COR VPN connections can be configured according to the customer's unique configuration requirements. The customer manages and configures their own equipment.

3.9 Connectivity Method for Integrated Services Digital Network (ISDN)
In some countries HP offers the option of ISDN connectivity. As with VPN solutions, SSH port-forwarding is used over ISDN to provide secure remote access.

Figure 3-7 ISDN

3.10 Attended RDA via Virtual Support Room
Virtual Support Room (VSR) is a lightweight, web-hosted meeting place that enables HP support specialists to connect to a customer enterprise covered under warranty or contractual agreement. Attended RDA is an ad-hoc connection method that can be used without any complex configuration or hardware setup.
VSR is a lightweight version of HP Virtual Rooms and offers web collaboration functionality such as desktop sharing, file transfer, and desktop control. Like a real private meeting room, securely locked with doors, the HP Virtual Support Room is a secure private protected online meeting place for two or more meeting participants.
The VSR meeting session involves two or more users virtually meeting in a Virtual Support Room and sharing a desktop for collaboration purposes. The collaboration session is initiated by an HP support specialist. The HP support specialist will generate room keys for the Virtual Support Room and share those keys via email or phone with the customer. The keys are required to enter the Virtual Support Room. The room keys are valid for one hour and must be re-generated after that time.
Joining a VSR session is simple. Customers can connect from any desktop with a supported browser and Internet access to the HP VSR infrastructure. The VSR server infrastructure is owned and hosted entirely by HP. The first time use of the HP Virtual Support Room will require installation of the VSR Client plug-in (less than 600 KB).
The HP VSR allows HP support personnel to diagnose problems, transfer files, and resolve issues. HP support personnel can:

• View and control a remote desktop and applications

• Take a snapshot of customer’s desktop and save the results to a file

• Collect, display and save system information to a file

• Chat

• Provide support with the customer’s confidence. All actions requested by the support engineer (taking desktop control or a snapshot, collecting system information, file transfer) must first be approved by the remote user via a popup permissions window, and are completed with secure transmissions.

• The customer views all activity in real time and can suspend a remote access session immediately if so required.

NOTE: All sessions are encrypted using SSL over HTTPS on port 443. Because VSR is a web application, web proxy servers can be used to access the HP VSR infrastructure.

Figure 3-8 Virtual Support Room Architecture

3.11 Data Privacy

HP is committed to protecting Customer privacy. Personal information provided to HP and any data collected by this RDA tool or other associated tools and utilities will not be shared with third parties. It might be shared with other HP entities and business partners who are providing the services described in the Remote Support Documentation and who might be located in other countries. Suppliers and service providers are required to keep confidential the information received on behalf of HP and may not use it for any purpose other than to carry out the services they are performing for HP. Our privacy practices are designed to provide protection for your personal information, all over the world. See the HP Worldwide Privacy Statement at http://welcome.hp.com/country/us/en/privacy/worldwide_privacy.html.

3.12 Remote Device Access Security Details

3.12.1 Outbound Security

All HP RDA solutions are designed to be used for inbound access from HP to customer networks. All RDA solutions, with the exception of the Virtual CAS, do not initiate outbound connections without direct user interaction. Confidentiality for outbound connections is provided by the connection service (SSL over HTTPS, SSH, IPsec, etc.). Authentication mechanisms vary from solution to solution, but all solutions are designed to ensure the privacy and security of all parties. The Virtual Customer Access System (vCAS) initiates outbound connections to VeriSign.com to validate certificates, using either OCSP to check the revocation status of an individual certificate, or HTTP to periodically fetch the entire CRL for the HP Class 2 Certification Authority. The Virtual CAS also periodically connects to the HP repository server using HTTPS to check for and fetch software updates.

3.12.2 Inbound Security

Remote device access requires an inbound connection from HP to a customer-designated access server. HP understands that IT security policies within organizations vary considerably. Therefore, HP offers a number of remote access solutions (depending on the service level agreement) designed to meet customers’ security requirements. All HP solutions use standard techniques that include SSH, IPsec, and HTTPS. HP offers both hardware and software solutions which can be configured to ensure that the customer is always in control of the connection. HP also has options that allow the customer to view and monitor a support specialist’s activities.

All HP support specialists must adhere to the same standards of business conduct as onsite HP engineers, and are only allowed to initiate a connection with the customer’s approval and a valid business need. Access restrictions can be placed on specific connection profiles to limit HP’s access to a subset of support personnel: access can be restricted by region and/or country, to HP support personnel for a specific product platform, or to specific HP personnel. Access controls can be enforced both at HP (before the connection is initiated) and again at the CAS (see the vCAS solution). This model ensures that both the HP Account Manager and the customer administrator can control HP access to the customer network. Internally, HP uses two-factor authentication to control access through the HP Remote Access Connectivity (RACS). Additionally, all connections to customer systems, attempted and successful, are logged.

3.12.3 Secured Communication

These protocols are used either inside the customer’s intranet or over the Internet between the customer and HP.

• ESP: Encapsulating Security Payload (ESP), or IP protocol 50, is a protocol header inserted into an IP datagram to provide data encryption and authentication. Remote Device Access uses ESP in tunnel mode to establish VPN connectivity.

• HTTPS: HTTPS is HTTP with SSL or TLS encryption for security. All communications between the browser and the remote data collection system are carried out over HTTPS. HTTPS is also used for the marshalling and transfer of collected device data between the CMS and the managed systems. The default port for HTTPS is TCP port 443, but it can be configured to run on other TCP ports.

• IPsec: IP Security, or IPsec, is a suite of protocols for securing IP communications. IPsec operates in two modes. In transport mode it can be configured to provide end-to-end security of all communications between two systems. In tunnel mode, IPsec can be used to provide VPN connectivity over insecure networks. A typical IPsec deployment uses two protocols: either Encapsulating Security Payload (ESP) or Authentication Header (AH), which are IP protocols, and ISAKMP. Note that AH is seldom used as it does not provide encryption.

• ISAKMP: Internet Security Association and Key Management Protocol (ISAKMP) is an application-layer IPsec protocol used for negotiating encryption keys. It runs over UDP port 500.

• SSH: The Secure Shell (SSH) protocol is an application-layer protocol which permits secure remote access over a network from one computer to another. SSH negotiates and establishes an encrypted and authenticated connection between an SSH client and an SSH managed server. SSH provides data integrity checks and prevents eavesdropping on, and modification of, sensitive data transferred between the CMS and managed systems. The default port for SSH is TCP port 22, but it can be configured to run on other TCP ports.

  Although the SSH protocol is typically used to log into a remote machine and execute commands, it also supports tunneling, forwarding arbitrary TCP ports and X11 connections. It can transfer files using the associated SFTP or SCP protocols.

  The SSH protocol exists in two versions. The original SSH protocol version 1 is somewhat insecure and should not be used. Its successor, SSH protocol version 2, which is incompatible with SSH protocol version 1, strengthened security by changing the protocol and adding Diffie-Hellman key exchange and strong integrity checking via message authentication codes. HP RDA uses SSH protocol version 2 for most connections.

• SSL and TLS: The Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols are application-layer protocols which provide data encryption and authentication. TLS is an updated version of SSL V3. SSL and TLS use X.509 certificates, also known as “digital” certificates, for authentication. Although most users are accustomed to working only with server certificates, SSL and TLS can be configured to require client-side certificates, which provides password-less two-way authentication. The CMS and managed systems authenticate one another using X.509 certificates. Also, all communications between the client browsers and the CMS are protected by SSL. The Remote Support Configuration Collector System supports both SSL V3 and TLS 1.0. These two protocols are most ubiquitous in HTTPS on TCP port 443. Other protocols and applications also utilize SSL and TLS for security.

3.12.4 Unsecured Communications

HP uses the following unsecured protocols only inside the customer’s internal network. HP will not initiate any external communications between the customer and HP using these protocols.

• HTTP: The Hypertext Transfer Protocol (HTTP) is an application-layer protocol used for exchanging data. Its most popular use is transferring text, graphic images, sound, video, and other multimedia files to Web browsers. HTTP’s capabilities are also general enough for non-web applications.

• OCSP: The Online Certificate Status Protocol (OCSP) is an Internet protocol used for obtaining the revocation status of an X.509 digital certificate. It is described in RFC 2560. Although the protocol is not encrypted, the information sent is somewhat anonymous (for example, a certificate serial number) and all responses are digitally signed. OCSP runs on top of HTTP.

3.12.5 Security Auditing

All attended RDA connection attempts from HP to customers are logged. The acting user, the start and stop times of the connection, and the connection status are logged. The connection status indicates failures such as improper authentication and authorization. This tracking information is retained for 13 months.
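The layered access check of 3.12.2 and the audit trail of 3.12.5 can be made concrete in code. The Go program below is an added example, not HP's code and not a description of the RACS or CAS internals: it evaluates a connection request against a profile held at HP and a second, independently administered profile held at the customer's access server, allows the session only when both permit it and the customer has approved, and writes an audit record (acting user, start and stop times, status) for every attempt, denied or not. The engineer IDs, regions, platforms and policy rules are constructed for illustration.

```go
// Added example, not HP's code: models the access-control layering of 3.12.2 (a connection
// profile enforced at HP before the connection is initiated and again at the customer's CAS)
// and the audit record of 3.12.5 (acting user, start and stop times, status). Engineer IDs,
// regions, platforms and policy rules are constructed for illustration.
package main

import (
	"fmt"
	"time"
)

// Engineer is the HP support specialist requesting a connection.
type Engineer struct{ ID, Region, Platform string }

// Profile is an allow-list per dimension; an empty list leaves that dimension unrestricted.
type Profile struct{ Regions, Platforms, Engineers []string }

func allowed(list []string, v string) bool {
	if len(list) == 0 {
		return true
	}
	for _, x := range list {
		if x == v {
			return true
		}
	}
	return false
}

// Check returns the first restriction the engineer fails, or "" if the profile permits access.
func (p Profile) Check(e Engineer) string {
	switch {
	case !allowed(p.Regions, e.Region):
		return "region " + e.Region + " not in profile"
	case !allowed(p.Platforms, e.Platform):
		return "platform " + e.Platform + " not in profile"
	case !allowed(p.Engineers, e.ID):
		return "engineer " + e.ID + " not in profile"
	}
	return ""
}

// AuditRecord holds the fields 3.12.5 says are retained for every attempt.
type AuditRecord struct {
	User        string
	Start, Stop time.Time
	Status      string
}

// Gateway holds two independently administered copies of the policy: hp is enforced by HP
// before initiating the connection, cas by the customer's access server.
type Gateway struct {
	hp, cas Profile
	Log     []AuditRecord
}

// Connect evaluates a request at both enforcement points, runs the session only when every check
// passes, and appends an audit record whatever the outcome. session returns how long it ran.
func (g *Gateway) Connect(e Engineer, customerApproved bool, start time.Time, session func() time.Duration) AuditRecord {
	rec := AuditRecord{User: e.ID, Start: start, Stop: start, Status: "success"}
	switch {
	case !customerApproved:
		rec.Status = "denied: no customer approval"
	case g.hp.Check(e) != "":
		rec.Status = "denied at HP: " + g.hp.Check(e)
	case g.cas.Check(e) != "":
		rec.Status = "denied at CAS: " + g.cas.Check(e)
	default:
		rec.Stop = start.Add(session())
	}
	g.Log = append(g.Log, rec) // attempted and successful connections are both recorded
	return rec
}

// Failures returns the attempts that did not result in a session.
func (g *Gateway) Failures() []AuditRecord {
	var out []AuditRecord
	for _, r := range g.Log {
		if r.Status != "success" {
			out = append(out, r)
		}
	}
	return out
}

func main() {
	// Constructed policy: HP limits the profile to EMEA engineers on HP-UX; the customer's CAS admits one named engineer.
	g := &Gateway{hp: Profile{Regions: []string{"EMEA"}, Platforms: []string{"HP-UX"}},
		cas: Profile{Engineers: []string{"eng-1234"}}}
	start := time.Date(2011, 10, 1, 9, 0, 0, 0, time.UTC)
	work := func() time.Duration { return 30 * time.Minute }
	g.Connect(Engineer{"eng-1234", "EMEA", "HP-UX"}, true, start, work)
	g.Connect(Engineer{"eng-5678", "EMEA", "HP-UX"}, true, start, work) // passes HP, stopped at the CAS
	g.Connect(Engineer{"eng-1234", "AMER", "HP-UX"}, true, start, work) // stopped at HP, never reaches the customer
	g.Connect(Engineer{"eng-1234", "EMEA", "HP-UX"}, false, start, work)
	for _, r := range g.Log {
		fmt.Printf("%-9s %s -> %s  %s\n", r.User, r.Start.Format(time.RFC3339), r.Stop.Format(time.RFC3339), r.Status)
	}
}
```

The two profiles are deliberately separate objects: a change the HP Account Manager makes to the HP-side profile cannot widen what the customer administrator configured at the CAS, and vice versa, which is the point of enforcing "both at HP and again at the CAS". Every attempt lands in the log with a reason string, so a reviewer can distinguish a policy denial from a customer refusal without needing the session itself.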


A X.509 Certificates and Insight Remote Support Advanced

A.1 Overview

An X.509 certificate contains a public key that can be used to check the validity of a digital signature. This digital signature verifies the authenticity of a document, a message, another X.509 certificate, or any datum of interest. The digital signature is generated using the X.509 certificate’s corresponding private key. X.509 certificates are the basis of trust in most secure Internet protocols, the most pervasive being SSL and TLS.

An X.509 certificate is identified by its subject name, which should be an X.500 name that is unique across the Internet. For example, the X.500 subject name for one of VeriSign’s root certificates is C=US, O=VeriSign, Inc., OU=Class 3 Public Primary Certification Authority.

Subject names not only identify certificates; they also identify the entity that issued the certificate. These certificate issuers, called Certification Authorities (CAs), should be trusted third-party organizations. Commercial CAs include VeriSign, Thawte, Entrust, and RSA.

The contents of an X.509 certificate that are relevant to this discussion are:

• Subject Name

• Issuer’s Subject Name

• Subject’s Public Key

• Serial Number

• Validity Period

• CRL Distribution Point

• Authority Information Access

The following documents provide more information:

• X.509 Certificates and Certificate Revocation Lists (CRLs): http://download.oracle.com/javase/1.5.0/docs/guide/security/cert3.html

• What is X.509?: http://www.tech-faq.com/x.509.shtml

• X.509 Style Guide by Peter Gutmann: http://www.cs.auckland.ac.nz/~pgut001/pubs/x509guide.txt

A.2 Certificate Revocation Lists

In an X.509 Public Key Infrastructure (PKI), a Certificate Authority (CA) attests to a certificate’s authenticity by signing the certificate with the CA’s private key. Anyone wishing to verify the certificate checks the signature using the CA’s public key (that is, the CA’s certificate). If the certificate’s private key has been stolen, the certificate can be revoked by the CA. The CA maintains revoked certificates in a Certificate Revocation List (CRL). The CRL, which is a list of revoked certificates’ serial numbers, is signed by the CA. For a user to validate a certificate, he/she must have a priori knowledge of the CA’s certificate.

A.3 Digital Signature Verification in the Remote Support Client

A.3.1 Signature Checking

The Remote Support Client (RSC) running on the CMS connects to a server at HP, https://services.isee.hp.com, using SSL or TLS. The server signs a message containing a copy of its X.509 certificate and returns the message to the RSC. The RSC must then verify the identity of the server:

1. The client checks the validity period of the server’s certificate. If the current date is not between the start and end times of the certificate, the check fails.

2. Using the public key contained in the server’s certificate, the client checks the message’s digital signature. Failure at this point causes validation failure.

3. The client attempts to verify the server’s certificate. This is done by finding the certificate of the server certificate’s issuer. This issuer’s certificate can be sent along with the server’s certificate or stored locally on the client. (Most web browsers have a built-in certificate store of well-known certificate issuers.) If the issuer’s certificate is found and it verifies the server certificate’s signature, the verification process continues.

4. The issuer’s certificate must now be verified. There are two ways this can go:

   a. If the issuer’s certificate is a CA root certificate, the client must have a copy of it for verification. The client cannot rely on a root certificate that was sent along with a server certificate.

   b. If the issuer’s certificate is not a CA root certificate, the client can use either the issuer’s certificate sent from the server or one stored locally.

5. The issuer’s certificate is checked just as the server’s certificate is checked in steps 1, 2, and 3. Failure in any of these steps causes verification failure.

6. The recursive process of steps 4 and 5 (and hence, 1, 2, and 3) is repeated until the CA root certificate is encountered.

In practice, most server certificates are no more than three levels deep. For example, services.isee.hp.com has the following certificate chain:

VeriSign Class 3 Public Primary CA
VeriSign Class 2 Secure Server CA - G2
services.isee.hp.com (g1w3054g.austin.hp.com)

Figure A-1 Insight Remote Support (example)

Figure A-2 Remote Support Software Management (RSSWM)


A.4 CRL Checking

The RSC can optionally check each certificate in the chain for revocation. At least three methods are used:

1. Checking a local copy of the associated CRL

2. Checking a copy of the associated CRL available in an LDAP database

3. Querying a certificate status server using the Online Certificate Status Protocol (OCSP)

The CRL Distribution Point attribute of an X.509 certificate is a Uniform Resource Identifier (URI) list that indicates where the CRL can be located. Likewise, the certificate’s Authority Information Access attribute can contain the URI of an OCSP server. Whichever method is used, the information must be signed by the certificate’s issuer to verify its authenticity. Otherwise, denial-of-service attacks are possible.

Some of these CRL checks can cause unexpected network traffic. Some CRL-checking mechanisms first try a local copy of the CRL. If a local CRL is unavailable or out of date, they then try the URIs found in the CRL Distribution Point attribute. OCSP activity can also trigger some network activity. When the RSC checks the revocation status of the services.isee.hp.com certificate, it may try the following URIs:

• http://crl.verisign.com/pca3.crl - URI for the VeriSign Class 3 Public Primary CA CRL

• http://SVRSecure-crl.verisign.com/SVRSecure2005.crl - URI for the VeriSign Class 3 Secure Server CA CRL

• http://ocsp.verisign.com - Location of VeriSign’s OCSP server

All of this means that a network manager could see attempts to contact these three systems on TCP port 80 if no HTTP proxy server is used.

If the CRL is not present or accessible, the RSC will assume the certificate is valid.
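The verification steps of A.3 and the CRL rules of A.4 can be exercised end to end with Go's standard crypto/x509 package. The program below is an added example, not the RSC's code: it builds a constructed three-level chain (root CA, issuing CA, and a server certificate for the placeholder name services.example.com), then shows that the chain verifies only when the root comes from the client's own store (step 4a), that a certificate checked after its validity period fails at step 1, that a CRL is honoured only if the certificate's issuer signed it, and what separates the fail-open behaviour the text describes for a missing CRL from a fail-closed alternative. The host name, CA names, keys and serial numbers are all constructed; nothing is fetched from the network.

```go
// Added example, not HP's code: builds an in-memory three-level chain like the one in A.3
// (root CA -> issuing CA -> server) and exercises the A.3 checks (validity period, signature, issuer
// lookup, trust anchor only from the local store) and the A.4 CRL rules. Names and keys are constructed.
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

const serverName = "services.example.com" // constructed stand-in for the HP host name
type certs = []*x509.Certificate

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

func pool(cs certs) *x509.CertPool {
	p := x509.NewCertPool()
	for _, c := range cs {
		p.AddCert(c)
	}
	return p
}

// issue creates a key pair for template and signs it with parentKey; a nil parent means self-signed.
func issue(template, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	if parent == nil {
		parent, parentKey = template, key
	}
	der := must(x509.CreateCertificate(rand.Reader, template, parent, &key.PublicKey, parentKey))
	return must(x509.ParseCertificate(der)), key
}

// buildChain returns root CA, issuing CA, server certificate and the issuing CA's private key.
func buildChain(now time.Time) (*x509.Certificate, *x509.Certificate, *x509.Certificate, *ecdsa.PrivateKey) {
	ca := func(serial int64, cn string) *x509.Certificate {
		return &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
			NotBefore: now.Add(-time.Hour), NotAfter: now.AddDate(10, 0, 0), IsCA: true,
			BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign}
	}
	root, rootKey := issue(ca(1, "Example Root CA"), nil, nil)
	issuing, issuingKey := issue(ca(2, "Example Issuing CA"), root, rootKey)
	server, _ := issue(&x509.Certificate{SerialNumber: big.NewInt(3), Subject: pkix.Name{CommonName: serverName},
		DNSNames: []string{serverName}, NotBefore: now.Add(-time.Hour), NotAfter: now.AddDate(1, 0, 0)}, issuing, issuingKey)
	return root, issuing, server, issuingKey
}

// verify runs A.3 steps 1-6 at time at: a trust anchor is taken only from roots (step 4a), never from sent.
func verify(cert *x509.Certificate, sent, roots certs, at time.Time) error {
	_, err := cert.Verify(x509.VerifyOptions{Roots: pool(roots), Intermediates: pool(sent), DNSName: serverName, CurrentTime: at})
	return err
}

// crlFor signs, with the issuer's key, a CRL that revokes the given serial numbers.
func crlFor(issuer *x509.Certificate, key *ecdsa.PrivateKey, now time.Time, serials ...*big.Int) *x509.RevocationList {
	tmpl := &x509.RevocationList{Number: big.NewInt(1), ThisUpdate: now, NextUpdate: now.Add(24 * time.Hour)}
	for _, s := range serials {
		tmpl.RevokedCertificates = append(tmpl.RevokedCertificates, pkix.RevokedCertificate{SerialNumber: s, RevocationTime: now})
	}
	return must(x509.ParseRevocationList(must(x509.CreateRevocationList(rand.Reader, tmpl, issuer, key))))
}

// checkRevocation applies A.4: the CRL counts only if cert's issuer signed it. failOpen=true mirrors the
// documented RSC behaviour (CRL unreachable => certificate assumed valid); false is the stricter choice.
func checkRevocation(cert, issuer *x509.Certificate, crl *x509.RevocationList, failOpen bool) error {
	if crl == nil && failOpen {
		return nil
	} else if crl == nil {
		return fmt.Errorf("CRL unavailable; revocation status of serial %v unknown", cert.SerialNumber)
	}
	if err := crl.CheckSignatureFrom(issuer); err != nil {
		return fmt.Errorf("CRL rejected, not signed by the certificate's issuer: %w", err)
	}
	for _, rc := range crl.RevokedCertificates {
		if rc.SerialNumber.Cmp(cert.SerialNumber) == 0 {
			return fmt.Errorf("serial %v is listed in the issuer's CRL", cert.SerialNumber)
		}
	}
	return nil
}

func main() {
	now := time.Now()
	root, issuing, server, issuingKey := buildChain(now)
	sent := certs{issuing, root} // the server transmits its issuer's certificate and even the root
	fmt.Println("root in local store:     ", verify(server, sent, certs{root}, now))
	fmt.Println("root only sent by server:", verify(server, sent, nil, now))
	fmt.Println("checked after expiry:    ", verify(server, sent, certs{root}, now.AddDate(2, 0, 0)))
	fmt.Println("revoked by signed CRL:   ", checkRevocation(server, issuing, crlFor(issuing, issuingKey, now, server.SerialNumber), false))
	fmt.Println("no CRL, fail-open:       ", checkRevocation(server, issuing, nil, true))
}
```

Run it with go run (Go 1.19 or later, for x509.ParseRevocationList). The second line of output is the A.3 step 4a rule in action: the same root certificate is rejected as a trust anchor when it arrives from the server and is absent from the local store. The last line is the A.4 caveat: with failOpen=true, which is the documented RSC behaviour, a CRL URI that is blocked at a proxy silently disables revocation checking, so a network manager who relies on CRL checking should either permit the CRL and OCSP URIs listed above or prefer the fail-closed variant.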

A.5 Self-Signed Certificates

A self-signed certificate is a certificate that has been signed with its own private key. A CA root certificate is a self-signed certificate. Unlike CA-issued certificate verification, successful verification using a self-signed certificate requires a copy of the certificate. Several observations about self-signed certificates:

• The use of self-signed certificates does not scale well. If a group of systems wish to authenticate each other using self-signed certificates, each system must have a copy of all of the other systems’ certificates.

• Self-signed certificates are administered just like SSH public keys, except that they have an expiration date.

• CRLs do not exist, and thus if a self-signed certificate is compromised, each copy must be found and removed. Note that the same would be true for a CA root certificate.


B Summary of Network Ports for Standard Operating System Connectivity

The following tables summarize all ports that might be used in Insight Remote Support Advanced for Standard Operating System Connectivity. See Table B-1 for ports that are required for basic system operation.

B.1 Standard Operating System Network Ports

Table B-1 Standard Operating System Connectivity - Firewall/Port Requirements

| Optional | Configurable | Function | Destination | Source | Ports | Protocol |
|---|---|---|---|---|---|---|
| Required | No | Domain Name Service (DNS) - Hostname resolution | DNS Server | System | 53 | UDP |
| Recommended | No | Network Time Protocol - Synchronizes system clock | NTP Server | System | 123 | UDP |
| Optional | Yes | Remote Desktop Protocol - Remote management (to change port number, see http://support.microsoft.com/kb/306759) | System | Customer's MS RDP (Terminal Services) Client | 3389 | TCP |
| Optional | Yes | Secure Shell - Remote management | System | Customer's SSH Client | 22 | TCP |
| Optional | Yes | HTTP web access | Web Server or Web Proxy | Customer's Web Browser | 80 or web proxy port | TCP |
| Optional | Yes | HTTPS web access | Web Server or Web Proxy | Customer's Web Browser | 443 or web proxy port | TCP |
| Optional | No | Simple Mail Transfer Protocol - Sending email | SMTP Server | System | 25 | TCP |


C Summary of Network Ports for Servers

The following tables summarize all ports that might be used in Insight Remote Support Advanced for Servers. See Table B-1 for ports that are required for basic system operation.

C.1 Central Management Server (CMS)

Table C-1 CMS Connectivity - Firewall/Port Requirements

| Optional | Configurable | Function | Destination | Source | Ports | Protocol |
|---|---|---|---|---|---|---|
| Required | No | Email notifications | Customer-Designated SMTP Server | CMS | 25 | TCP |
| Required | No | HTTPS Software version control | rsswm.policy.hp.com or Web Proxy | CMS | 443 or web proxy port | TCP |
| Required | No | HTTPS Software application download | rsswm.software.hp.com or Web Proxy | CMS | 443 or web proxy port | TCP |
| Required | No | Transport of hardware events and data collections to HP, synchronization of submission status from HP to CMS, requests for device contract, warranty information and health-check data | services.isee.hp.com or Web Proxy | CMS | 443 or web proxy port | TCP |
| Recommended | No | Provides system reachability (ping) check during system discovery and before other operations. Note that HP SIM can be configured to use TCP port 5989 to simplify firewall settings. | Managed Systems | CMS | N/A | ICMP |
| Recommended | No | Software application download | software.hp.com or Web Proxy | CMS | 80 or web proxy port | TCP |
| Recommended | No | HP SMH secure web server (HTTPS) and RDC from managed systems | CMS | Customer's Web Browser | 2381 | TCP |
| Recommended | No | HP SIM Web server | CMS | Customer's Web Browser | 50000 | TCP |
| Optional | No | SNMP. This is the standard port used by SNMP agents on managed systems. The CMS sends requests to devices on this port. | Managed Systems | CMS | 161 | UDP |
| Optional | No | Microsoft Remote Desktop Connection (RDC) used for remote management by HP or customer | Target System Including CMS | Customer's MS RDP (Terminal Services) Client | 3389 | TCP |
| Optional | No | HP SIM Web Server redirected to port 50000 | CMS | Customer's Web Browser | 280 | TCP |
| Optional | Yes | HP SMH port for Insight Manager Web Agents; HTTP (unencrypted), redirected to 2381 (HTTPS) | CMS | Customer's Web Browser | 2301 | TCP |
| Optional | No | Legacy HTTP port used by the listener running in the Director's Web interface. Used only to redirect connecting Web browsers from this old port (used before WEBES v5.0.1) to the new HTTPS port 7906. (e.g., http://target.sys.name.here:7902) | CMS | Customer's Web Browser | 7902 | TCP |
| Optional | No | Communication between SEA's applet (running inside the web browser) and the Director. | CMS | Customer's Web Browser | 7903 | TCP |
| Optional | No | Secure HTTP (HTTPS) port used by the listener running in the Director's Web Interface. The Web browser connects to this port in the URL (e.g. https://target.sys.name.here:7906) | CMS | Customer's Web Browser | 7906 | TCP |
| Optional | No | SNMP Trap. This is the standard port used by SNMP managers for listening to traps. | CMS | Managed Systems | 162 | UDP |

C.2 HP-UX Managed Systems

Table C-2 HP-UX Connectivity - Firewall/Port Requirements

| Optional | Configurable | Function | Destination | Source | Ports | Protocol |
|---|---|---|---|---|---|---|
| Required for Superdome 2 OA | No | HTTPS WEDGE configuration requests | Onboard Administrator | CMS | 443 | TCP |
| Required for Superdome 2 OA | No | HTTPS WS-MAN Onboard Administrator (OA) | CMS | Onboard Administrator | 7906 | TCP |
| Required for Superdome 2 OA | No | HP SIM HTTPS/SOAP | CMS | Onboard Administrator | 50001 | TCP |
| Required for Superdome 2 OA | No | HP SIM HTTPS/SOAP with client certificate authentication | CMS | Onboard Administrator | 50002 | TCP |
| Required for Superdome 2 OA | Yes | WBEM event receiver (HTTP and HTTPS) | CMS | Onboard Administrator | 50004 | TCP |
| Required | Yes | Secured WBEM CI-MOM protocol over HTTPS/SOAP. This port is used to communicate with WBEM end point nodes. | Managed Systems | CMS | 5989 | TCP |
| Required | No | Secure HTTP (HTTPS) port used by the listener running in the Director's Web Interface. The Web browser connects to this port in the URL (e.g. https://target.sys.name.here:7906) | CMS | Managed Systems | 7906 | TCP |
| Required | No | HP SIM HTTPS/SOAP | CMS | Managed Systems | 50001 | TCP |
| Required | No | HP SIM HTTPS/SOAP with client certificate authentication | CMS | Managed Systems | 50002 | TCP |
| Required | Yes | WBEM event receiver (HTTP and HTTPS) | CMS | Managed Systems | 50004 | TCP |
| Recommended | No | Provides system reachability (ping) check during system discovery and before other operations. Note that HP SIM can be configured to use TCP port 5989 to simplify firewall settings. | Managed Systems | CMS | N/A | ICMP |
| Optional | No | HP SMH secure web server (HTTPS) and RDC from managed systems | Managed Systems | CMS | 2381 | TCP |
| Optional | No | SNMP. This is the standard port used by SNMP agents on managed systems. The CMS sends requests to devices on this port. | Managed Systems | CMS | 161 | UDP |

C.3 Integrity Linux Managed Systems

Table C-3 Integrity Linux Connectivity - Firewall/Port Requirements

| Optional | Configurable | Function | Destination | Source | Ports | Protocol |
|---|---|---|---|---|---|---|
| Required | Yes | Secured WBEM CI-MOM protocol over HTTPS/SOAP. This port is used to communicate with WBEM end point nodes. | Managed Systems | CMS | 5989 | TCP |
| Required | No | Secure HTTP (HTTPS) port used by the listener running in the Director's Web Interface. The Web browser connects to this port in the URL (e.g. https://target.sys.name.here:7906) | CMS | Managed Systems | 7906 | TCP |
| Recommended | No | Provides system reachability (ping) check during system discovery and before other operations. Note that HP SIM can be configured to use TCP port 5989 to simplify firewall settings. | Managed Systems | CMS | N/A | ICMP |
| Optional | No | SNMP. This is the standard port used by SNMP agents on managed systems. The CMS sends requests to devices on this port. | Managed Systems | CMS | 161 | UDP |
| Optional | No | HP SIM HTTPS/SOAP | CMS | Managed Systems | 50001 | TCP |
| Optional | No | HP SIM HTTPS/SOAP with client certificate authentication | CMS | Managed Systems | 50002 | TCP |
| Optional | Yes | WBEM event receiver (HTTP and HTTPS) | CMS | Managed Systems | 50004 | TCP |

C.4 Integrity Windows Server 2003 Managed Systems

Table C-4 Integrity Windows Server 2003 Connectivity - Firewall/Port Requirements

| Optional | Configurable | Function | Destination | Source | Ports | Protocol |
|---|---|---|---|---|---|---|
| Required | Yes | Secured WBEM CI-MOM protocol over HTTPS/SOAP. This port is used to communicate with WBEM end point nodes. | Managed Systems | CMS | 5989 | TCP |
| Required | No | The WEBES ELMC (formerly WCCProxy) process communicates with the Director on this port. This is a proprietary protocol. Any connections that exchange usernames and passwords use SSL. Not all connections are SSL. | Managed Systems | CMS | 7920 | TCP |
| Required | No | SNMP. This is the standard port used by SNMP agents on managed systems. The CMS sends requests to devices on this port. | Managed Systems | CMS | 161 | UDP |
| Required | No | DCE endpoint resolution. Used by DCOM, and hence, Windows Management Interface (WMI) and WEBES | CMS | Managed Systems | 135 | TCP |
| Required | No | NETBIOS Session Service. Used by DCOM, and hence, Windows Management Interface (WMI) and WEBES | CMS | Managed Systems | 139 | TCP |
| Required | No | Windows Server 2003 Windows Management Interface (WMI) Communications DCOM dynamic port assignment. Note that the CMS can be configured to limit this range. The source port will always be 135. | CMS | Managed Systems | 1024-65535 | TCP |
| Required | No | NETBIOS Name Service. Used by DCOM, and hence, Windows Management Interface (WMI) and WEBES | CMS | Managed Systems | 137 | UDP |
| Required | No | NETBIOS Datagram Service. Used by DCOM, and hence, Windows Management Interface (WMI) and WEBES | CMS | Managed Systems | 138 | UDP |
| Required | No | SNMP Trap. This is the standard port used by SNMP managers for listening to traps. | CMS | Managed Systems | 162 | UDP |
| Required | No | Microsoft File Sharing. Used by DCOM, and hence, Windows Management Interface (WMI) and WEBES | CMS | Managed Systems | 445 | UDP |
| Recommended | No | Provides system reachability (ping) check during system discovery and before other operations. Note that HP SIM can be configured to use TCP port 5989 to simplify firewall settings. | Managed Systems | CMS | N/A | ICMP |

C.5 Integrity Windows Server 2008 Managed Systems

Table C-5 Integrity Windows Server 2008 Connectivity - Firewall/Port Requirements

| Optional | Configurable | Function | Destination | Source | Ports | Protocol |
|---|---|---|---|---|---|---|
| Required | Yes | Secured WBEM CI-MOM protocol over HTTPS/SOAP. This port is used to communicate with WBEM end point nodes. | Managed Systems | CMS | 5989 | TCP |
| Required | No | DCE endpoint resolution. Used by DCOM, and hence, Windows Management Interface (WMI) and WEBES | CMS | Managed Systems | 135 | TCP |
| Required | No | NETBIOS Session Service. Used by DCOM, and hence, Windows Management Interface (WMI) and WEBES | CMS | Managed Systems | 139 | TCP |
| Required | No | Secure HTTP (HTTPS) port used by the listener running in the Director's Web Interface. The Web browser connects to this port in the URL (e.g. https://target.sys.name.here:7906) | CMS | Managed Systems | 7906 | TCP |
| Required | No | HP SIM HTTPS/SOAP | CMS | Managed Systems | 50001 | TCP |
| Required | No | HP SIM HTTPS/SOAP with client certificate authentication | CMS | Managed Systems | 50002 | TCP |
| Required | Yes | WBEM event receiver (HTTP and HTTPS) | CMS | Managed Systems | 50004 | TCP |
| Required | No | Windows Server 2008 Windows Management Interface (WMI) Communications DCOM dynamic port assignment. Note that the CMS can be configured to limit this range. The source port will always be 135. | CMS | Managed Systems | 49152-65535 | TCP |
| Required | No | NETBIOS Name Service. Used by DCOM, and hence, Windows Management Interface (WMI) and WEBES | CMS | Managed Systems | 137 | UDP |
| Required | No | NETBIOS Datagram Service. Used by DCOM, and hence, Windows Management Interface (WMI) and WEBES | CMS | Managed Systems | 138 | UDP |
| Required | No | Microsoft File Sharing. Used by DCOM, and hence, Windows Management Interface (WMI) and WEBES | CMS | Managed Systems | 445 | UDP |
| Recommended | No | Provides system reachability (ping) check during system discovery and before other operations. Note that HP SIM can be configured to use TCP port 5989 to simplify firewall settings. | Managed Systems | CMS | N/A | ICMP |

C.6 Multivendor and Application Adapter (MVAA)

Table C-6 MVAA Connectivity - Firewall/Port Requirements

| Optional | Configurable | Function | Destination | Source | Ports | Protocol |
|---|---|---|---|---|---|---|
| Required | Yes | HTTPS Used by MPS when communicating with a Windows OVO Management Server | Customer's OVO Management Server (Windows) | CMS | 443 or web proxy port | TCP |
| Required | Yes | HTTPS (SSL/TLS). Used by MPS when communicating with a UNIX OVO Management Server. | Customer's OVO Management Server (Windows) | CMS | 8444 | TCP |

C.7 NonStop Managed Systems

Table C-7 NonStop Connectivity - Firewall/Port Requirements

| Optional | Configurable | Function | Destination | Source | Ports | Protocol |
|---|---|---|---|---|---|---|
| Required | Yes | Secured WBEM CI-MOM protocol over HTTPS/SOAP. This port is used to communicate with WBEM end point nodes. | Managed Systems | CMS | 5989 | TCP |
| Required | No | Secure HTTP (HTTPS) port used by the listener running in the Director's Web Interface. The Web browser connects to this port in the URL (e.g. https://target.sys.name.here:7906) | CMS | Managed Systems | 7906 | TCP |
| Required | Yes | WBEM event receiver (HTTP and HTTPS) | CMS | Managed Systems | 50004 | TCP |
| Recommended | No | Provides system reachability (ping) check during system discovery and before other operations. Note that HP SIM can be configured to use TCP port 5989 to simplify firewall settings. | Managed Systems | CMS | N/A | ICMP |
| Optional | No | SNMP Trap. This is the standard port used by the SNMP manager on HP NeoView for listening to traps coming from HP SIM / WEBES. | Managed Systems | CMS | 162 | UDP |

C.8 OpenVMS Alpha Managed Systems

Table C-8 OpenVMS Alpha Connectivity - Firewall/Port Requirements

Protocol | Ports | Source | Destination | Function | Configurable | Optional
---------|-------|--------|-------------|----------|--------------|---------
ICMP | N/A | CMS | Managed Systems | Provides system reachability (ping) check during system discovery and before other operations. Note that HP SIM can be configured to use TCP port 5989 to simplify firewall settings. | No | Recommended
TCP | 7920 | CMS | Managed Systems | The WEBES ELMC (formerly WCCProxy) process communicates with the Director on this port. This is a proprietary protocol. Any connections that exchange username and passwords use SSL. Not all connections are SSL. | No | Required
UDP | 161 | CMS | Managed Systems | SNMP. This is the standard port used by SNMP agents on managed systems. The CMS sends requests to devices on this port. | No | Recommended
TCP | 7906 | Managed Systems | CMS | Secure HTTP (HTTPS) port used by the listener running in the Director's Web Interface. The Web browser connects to this port in the URL (e.g. https://target.sys.name.here:7906) | No | Optional
UDP | 162 | Managed Systems | CMS | SNMP Trap. This is the standard port used by SNMP managers for listening to traps. | No | Optional

C.9 OpenVMS Integrity Managed Systems

Table C-9 OpenVMS Integrity Connectivity - Firewall/Port Requirements

Protocol | Ports | Source | Destination | Function | Configurable | Optional
---------|-------|--------|-------------|----------|--------------|---------
TCP | 5989 | CMS | Managed Systems | Secured WBEM CIMOM protocol over HTTPS/SOAP. This port is used to communicate with WBEM endpoint nodes. | Yes | Required
TCP | 7920 | CMS | Managed Systems | The WEBES ELMC (formerly WCCProxy) process communicates with the Director on this port. This is a proprietary protocol. Any connections that exchange username and passwords use SSL. Not all connections are SSL. | No | Required
TCP | 7906 | Managed Systems | CMS | Secure HTTP (HTTPS) port used by the listener running in the Director's Web Interface. The Web browser connects to this port in the URL (e.g. https://target.sys.name.here:7906) | No | Required
TCP | 50001 | Managed Systems | CMS | HP SIM HTTPS/SOAP | No | Required
TCP | 50002 | Managed Systems | CMS | HP SIM HTTPS/SOAP with client certificate authentication | No | Required
TCP | 50004 | Managed Systems | CMS | WBEM event receiver (HTTP and HTTPS) | Yes | Required
ICMP | N/A | CMS | Managed Systems | Provides system reachability (ping) check during system discovery and before other operations. Note that HP SIM can be configured to use TCP port 5989 to simplify firewall settings. | No | Recommended
UDP | 161 | CMS | Managed Systems | SNMP. This is the standard port used by SNMP agents on managed systems. The CMS sends requests to devices on this port. | No | Optional
UDP | 162 | Managed Systems | CMS | SNMP Trap. This is the standard port used by SNMP managers for listening to traps. | No | Optional


C.10 ProLiant Citrix Managed Systems

Table C-10 ProLiant Citrix Connectivity - Firewall/Port Requirements

Protocol | Ports | Source | Destination | Function | Configurable | Optional
---------|-------|--------|-------------|----------|--------------|---------
UDP | 161 | CMS | Managed Systems | SNMP. This is the standard port used by SNMP agents on managed systems. The CMS sends requests to devices on this port. | No | Required
UDP | 162 | Managed Systems | CMS | SNMP Trap. This is the standard port used by SNMP managers for listening to traps. | No | Required
ICMP | N/A | CMS | Managed Systems | Provides system reachability (ping) check during system discovery and before other operations. Note that HP SIM can be configured to use TCP port 5989 to simplify firewall settings. | No | Recommended

C.11 ProLiant Linux Managed Systems

Table C-11 ProLiant Linux Connectivity - Firewall/Port Requirements

Protocol | Ports | Source | Destination | Function | Configurable | Optional
---------|-------|--------|-------------|----------|--------------|---------
UDP | 161 | CMS | Managed Systems | SNMP. This is the standard port used by SNMP agents on managed systems. The CMS sends requests to devices on this port. | No | Required
UDP | 162 | Managed Systems | CMS | SNMP Trap. This is the standard port used by SNMP managers for listening to traps. | No | Required
ICMP | N/A | CMS | Managed Systems | Provides system reachability (ping) check during system discovery and before other operations. Note that HP SIM can be configured to use TCP port 5989 to simplify firewall settings. | No | Recommended
TCP | 5989 | CMS | Managed Systems | Secured WBEM CIMOM protocol over HTTPS/SOAP. This port is used to communicate with WBEM endpoint nodes. | Yes | Optional
TCP | 7906 | Managed Systems | CMS | Secure HTTP (HTTPS) port used by the listener running in the Director's Web Interface. The Web browser connects to this port in the URL (e.g. https://target.sys.name.here:7906) | No | Optional
TCP | 50001 | Managed Systems | CMS | HP SIM HTTPS/SOAP | No | Optional
TCP | 50002 | Managed Systems | CMS | HP SIM HTTPS/SOAP with client certificate authentication | No | Optional
TCP | 50004 | Managed Systems | CMS | WBEM event receiver (HTTP and HTTPS) | Yes | Optional

C.12 ProLiant Microsoft Hyper-V Managed Systems

Table C-12 ProLiant Microsoft Hyper-V Connectivity - Firewall/Port Requirements

Protocol | Ports | Source | Destination | Function | Configurable | Optional
---------|-------|--------|-------------|----------|--------------|---------
TCP | 5989 | CMS | Managed Systems | Secured WBEM CIMOM protocol over HTTPS/SOAP. This port is used to communicate with WBEM endpoint nodes. | Yes | Required
UDP | 161 | CMS | Managed Systems | SNMP. This is the standard port used by SNMP agents on managed systems. The CMS sends requests to devices on this port. | No | Required
TCP | 135 | Managed Systems | CMS | DCE endpoint resolution. Used by DCOM, and hence, Windows Management Interface (WMI) and WEBES | No | Required
TCP | 139 | Managed Systems | CMS | NETBIOS Session Service. Used by DCOM, and hence, Windows Management Interface (WMI) and WEBES | No | Required
TCP | 49152-65535 | Managed Systems | CMS | Windows Server 2008 Windows Management Interface (WMI) Communications DCOM dynamic port assignment. Note that the CMS can be configured to limit this range. The source port will always be 135. | No | Required
UDP | 137 | Managed Systems | CMS | NETBIOS Name Service. Used by DCOM, and hence, Windows Management Interface (WMI) and WEBES | No | Required
UDP | 138 | Managed Systems | CMS | NETBIOS Datagram Service. Used by DCOM, and hence, Windows Management Interface (WMI) and WEBES | No | Required
UDP | 162 | Managed Systems | CMS | SNMP Trap. This is the standard port used by SNMP managers for listening to traps. | No | Required
UDP | 445 | Managed Systems | CMS | Microsoft File Sharing. Used by DCOM, and hence, Windows Management Interface (WMI) and WEBES | No | Required
ICMP | N/A | CMS | Managed Systems | Provides system reachability (ping) check during system discovery and before other operations. Note that HP SIM can be configured to use TCP port 5989 to simplify firewall settings. | No | Recommended

C.13 ProLiant VMware ESX Managed Systems

Table C-13 ProLiant VMware ESX Connectivity - Firewall/Port Requirements

Protocol | Ports | Source | Destination | Function | Configurable | Optional
---------|-------|--------|-------------|----------|--------------|---------
UDP | 161 | CMS | Managed Systems | SNMP. This is the standard port used by SNMP agents on managed systems. The CMS sends requests to devices on this port. | No | Required
UDP | 162 | Managed Systems | CMS | SNMP Trap. This is the standard port used by SNMP managers for listening to traps. | No | Required
ICMP | N/A | CMS | Managed Systems | Provides system reachability (ping) check during system discovery and before other operations. Note that HP SIM can be configured to use TCP port 5989 to simplify firewall settings. | No | Recommended
TCP | 22 | CMS | Managed Systems | SSH: Remote Data Collection | Yes | Optional


C.14 ProLiant VMware ESXi Managed Systems

Table C-14 ProLiant VMware ESXi Connectivity - Firewall/Port Requirements

Protocol | Ports | Source | Destination | Function | Configurable | Optional
---------|-------|--------|-------------|----------|--------------|---------
TCP | 5989 | CMS | Managed Systems | Secured WBEM CIMOM protocol over HTTPS/SOAP. This port is used to communicate with WBEM endpoint nodes. | Yes | Required
TCP | 135 | Managed Systems | CMS | DCE endpoint resolution. Used by DCOM, and hence, Windows Management Interface (WMI) and WEBES | No | Required
TCP | 139 | Managed Systems | CMS | NETBIOS Session Service. Used by DCOM, and hence, Windows Management Interface (WMI) and WEBES | No | Required
TCP | 7906 | Managed Systems | CMS | Secure HTTP (HTTPS) port used by the listener running in the Director's Web Interface. The Web browser connects to this port in the URL (e.g. https://target.sys.name.here:7906) | No | Required
TCP | 50001 | Managed Systems | CMS | HP SIM HTTPS/SOAP | No | Required
TCP | 50002 | Managed Systems | CMS | HP SIM HTTPS/SOAP with client certificate authentication | No | Required
TCP | 50004 | Managed Systems | CMS | WBEM event receiver (HTTP and HTTPS) | Yes | Required
TCP | 1024-65535 | Managed Systems | CMS | Windows Server 2003 Windows Management Interface (WMI) Communications DCOM dynamic port assignment. Note that the CMS can be configured to limit this range. The source port will always be 135. | No | Required
TCP | 49152-65535 | Managed Systems | CMS | Windows Server 2008 Windows Management Interface (WMI) Communications DCOM dynamic port assignment. Note that the CMS can be configured to limit this range. The source port will always be 135. | No | Required
UDP | 137 | Managed Systems | CMS | NETBIOS Name Service. Used by DCOM, and hence, Windows Management Interface (WMI) and WEBES | No | Required
UDP | 138 | Managed Systems | CMS | NETBIOS Datagram Service. Used by DCOM, and hence, Windows Management Interface (WMI) and WEBES | No | Required
UDP | 445 | Managed Systems | CMS | Microsoft File Sharing. Used by DCOM, and hence, Windows Management Interface (WMI) and WEBES | No | Required
ICMP | N/A | CMS | Managed Systems | Provides system reachability (ping) check during system discovery and before other operations. Note that HP SIM can be configured to use TCP port 5989 to simplify firewall settings. | No | Recommended


C.15 ProLiant Windows Server Managed Systems

Table C-15 ProLiant Windows Server Connectivity - Firewall/Port Requirements

Protocol | Ports | Source | Destination | Function | Configurable | Optional
---------|-------|--------|-------------|----------|--------------|---------
TCP | 5989 | CMS | Managed Systems | Secured WBEM CIMOM protocol over HTTPS/SOAP. This port is used to communicate with WBEM endpoint nodes. | Yes | Required
TCP | 135 | Managed Systems | CMS | DCE endpoint resolution. Used by DCOM, and hence, Windows Management Interface (WMI) and WEBES | No | Required
TCP | 139 | Managed Systems | CMS | NETBIOS Session Service. Used by DCOM, and hence, Windows Management Interface (WMI) and WEBES | No | Required
TCP | 7906 | Managed Systems | CMS | Secure HTTP (HTTPS) port used by the listener running in the Director's Web Interface. The Web browser connects to this port in the URL (e.g. https://target.sys.name.here:7906) | No | Required
TCP | 50001 | Managed Systems | CMS | HP SIM HTTPS/SOAP | No | Required
TCP | 50002 | Managed Systems | CMS | HP SIM HTTPS/SOAP with client certificate authentication | No | Required
TCP | 50004 | Managed Systems | CMS | WBEM event receiver (HTTP and HTTPS) | Yes | Required
TCP | 1024-65535 | Managed Systems | CMS | Windows Server 2003 Windows Management Interface (WMI) Communications DCOM dynamic port assignment. Note that the CMS can be configured to limit this range. The source port will always be 135. | No | Required
TCP | 49152-65535 | Managed Systems | CMS | Windows Server 2008 Windows Management Interface (WMI) Communications DCOM dynamic port assignment. Note that the CMS can be configured to limit this range. The source port will always be 135. | No | Required
UDP | 137 | Managed Systems | CMS | NETBIOS Name Service. Used by DCOM, and hence, Windows Management Interface (WMI) and WEBES | No | Required
UDP | 138 | Managed Systems | CMS | NETBIOS Datagram Service. Used by DCOM, and hence, Windows Management Interface (WMI) and WEBES | No | Required
UDP | 445 | Managed Systems | CMS | Microsoft File Sharing. Used by DCOM, and hence, Windows Management Interface (WMI) and WEBES | No | Required
ICMP | N/A | CMS | Managed Systems | Provides system reachability (ping) check during system discovery and before other operations. Note that HP SIM can be configured to use TCP port 5989 to simplify firewall settings. | No | Recommended
UDP | 161 | CMS | Managed Systems | SNMP. This is the standard port used by SNMP agents on managed systems. The CMS sends requests to devices on this port. | No | Optional
UDP | 162 | Managed Systems | CMS | SNMP Trap. This is the standard port used by SNMP managers for listening to traps. | No | Optional
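The tables above are written to be turned into firewall rules, and the useful check is the reverse one: does an existing allowlist open exactly what the table asks for at the posture you chose (Required only, or Required plus Recommended), nothing it never asks for, and is the wide DCOM dynamic range, which the table notes the CMS can be configured to limit, still open wholesale? The following Python is an added example, not code from the HP document; TABLE_C15 is a constructed subset of Table C-15 and SAMPLE_RULES is a constructed allowlist.

```python
"""Audit a firewall allowlist against a port-requirements table.

Added example, not part of the HP document. TABLE_C15 is a constructed
subset of Table C-15 (ProLiant Windows Server); SAMPLE_RULES is a
constructed allowlist of the kind a perimeter ACL between the managed
systems and the CMS would hold.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class PortRequirement:
    protocol: str       # "TCP", "UDP" or "ICMP"
    ports: str          # "135", "49152-65535" or "N/A" (ICMP)
    source: str
    destination: str
    function: str
    configurable: bool
    level: str          # "Required", "Recommended" or "Optional"


@dataclass(frozen=True)
class FirewallRule:
    protocol: str
    low: int            # first destination port allowed (0 for ICMP)
    high: int           # last destination port allowed (0 for ICMP)
    source: str
    destination: str


LEVEL_RANK = {"Required": 0, "Recommended": 1, "Optional": 2}

# Constructed subset of Table C-15; the full table has more rows.
TABLE_C15: List[PortRequirement] = [
    PortRequirement("TCP", "5989", "CMS", "Managed Systems",
                    "Secured WBEM CIMOM protocol over HTTPS/SOAP", True, "Required"),
    PortRequirement("TCP", "135", "Managed Systems", "CMS",
                    "DCE endpoint resolution (DCOM, WMI, WEBES)", False, "Required"),
    PortRequirement("TCP", "49152-65535", "Managed Systems", "CMS",
                    "Windows Server 2008 WMI DCOM dynamic port assignment", False, "Required"),
    PortRequirement("ICMP", "N/A", "CMS", "Managed Systems",
                    "Reachability (ping) check during discovery", False, "Recommended"),
    PortRequirement("UDP", "161", "CMS", "Managed Systems", "SNMP", False, "Optional"),
    PortRequirement("UDP", "162", "Managed Systems", "CMS", "SNMP Trap", False, "Optional"),
]

# Constructed allowlist: ping is not opened, Telnet is opened although the
# Windows table never asks for it, and the trap port is opened although
# Table C-15 lists it only as "Optional".
SAMPLE_RULES: List[FirewallRule] = [
    FirewallRule("TCP", 5989, 5989, "CMS", "Managed Systems"),
    FirewallRule("TCP", 135, 135, "Managed Systems", "CMS"),
    FirewallRule("TCP", 49152, 65535, "Managed Systems", "CMS"),
    FirewallRule("TCP", 23, 23, "CMS", "Managed Systems"),
    FirewallRule("UDP", 162, 162, "Managed Systems", "CMS"),
]


def port_range(ports: str) -> Tuple[int, int]:
    """Parse the Ports column: '135' -> (135, 135), '49152-65535' -> (49152, 65535), 'N/A' -> (0, 0)."""
    if ports == "N/A":
        return (0, 0)
    low, _, high = ports.partition("-")
    return (int(low), int(high or low))


def covers(rule: FirewallRule, req: PortRequirement) -> bool:
    """True when the rule permits everything the row needs: same protocol, same direction, whole port range."""
    low, high = port_range(req.ports)
    return (rule.protocol == req.protocol
            and rule.source == req.source
            and rule.destination == req.destination
            and rule.low <= low and high <= rule.high)


def audit(table: List[PortRequirement], posture: str, rules: List[FirewallRule]) -> Dict[str, list]:
    """Compare an allowlist against the rows at or above the chosen posture.

    missing:     rows at this posture that no rule opens (the product will not work)
    excess:      rules that open nothing the posture asks for (tighten or remove)
    wide_ranges: rules spanning 1024 or more ports; Table C-15 notes the CMS can be
                 configured to limit the DCOM range and that the source port is
                 always 135, so the firewall can pin the source port as well
    """
    wanted = [r for r in table if LEVEL_RANK[r.level] <= LEVEL_RANK[posture]]
    missing = [r for r in wanted if not any(covers(f, r) for f in rules)]
    excess = [f for f in rules if not any(covers(f, r) for r in wanted)]
    wide = [f for f in rules if f.high - f.low >= 1024 and f not in excess]
    return {"missing": missing, "excess": excess, "wide_ranges": wide}


def report(result: Dict[str, list]) -> List[str]:
    """Render the audit as one finding per line."""
    lines = [f"MISSING {r.protocol} {r.ports} {r.source} -> {r.destination}: {r.function}"
             for r in result["missing"]]
    lines += [f"EXCESS  {f.protocol} {f.low}-{f.high} {f.source} -> {f.destination}"
              for f in result["excess"]]
    lines += [f"WIDE    {f.protocol} {f.low}-{f.high} {f.source} -> {f.destination}: "
              "consider limiting the range on the CMS and pinning source port 135"
              for f in result["wide_ranges"]]
    return lines


if __name__ == "__main__":
    for line in report(audit(TABLE_C15, "Recommended", SAMPLE_RULES)):
        print(line)
```

Run at the "Required" posture before a change window and at "Optional" afterwards to see which rules exist only for optional functions such as SNMP.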


C.16 Tru64 UNIX Managed Systems

Table C-16 Tru64 UNIX Connectivity - Firewall/Port Requirements

Protocol | Ports | Source | Destination | Function | Configurable | Optional
---------|-------|--------|-------------|----------|--------------|---------
TCP | 7920 | CMS | Managed Systems | The WEBES ELMC (formerly WCCProxy) process communicates with the Director on this port. This is a proprietary protocol. Any connections that exchange username and passwords use SSL. Not all connections are SSL. | No | Required
ICMP | N/A | CMS | Managed Systems | Provides system reachability (ping) check during system discovery and before other operations. Note that HP SIM can be configured to use TCP port 5989 to simplify firewall settings. | No | Recommended
TCP | 22 | CMS | Managed Systems | SSH: Remote Data Collection | Yes | Optional
UDP | 161 | CMS | Managed Systems | SNMP. This is the standard port used by SNMP agents on managed systems. The CMS sends requests to devices on this port. | No | Optional


D Summary of Network Ports for Storage

The following tables summarize all ports that might be used in Insight Remote Support Advanced for Storage. See Table B-1 for ports that are required for basic system operation.

D.1 StorageWorks MSA1000/1500 Storage Systems

Table D-1 StorageWorks MSA1000/1500 Storage Systems Connectivity - Firewall/Port Requirements

Protocol | Ports | Source | Destination | Function | Configurable | Optional
---------|-------|--------|-------------|----------|--------------|---------
TCP | 23 | CMS | Managed Systems | Telnet (unencrypted). Status checking of legacy storage and network devices | No | Required
TCP | 2301 | Customer's Web Browser | CMS | HP SMH port for Insight Manager Web Agents; HTTP (unencrypted), redirected to 2381 (HTTPS) | Yes | Required
ICMP | N/A | CMS | Managed Systems | Provides system reachability (ping) check during system discovery and before other operations. Note that HP SIM can be configured to use TCP port 5989 to simplify firewall settings. | No | Recommended

D.2 StorageWorks MSA23xx Storage Systems

Table D-2 StorageWorks MSA23xx Storage Systems Connectivity - Firewall/Port Requirements

Protocol | Ports | Source | Destination | Function | Configurable | Optional
---------|-------|--------|-------------|----------|--------------|---------
TCP | 23 | CMS | Managed Systems | Telnet (unencrypted). Status checking of legacy storage and network devices | No | Required
TCP | 2301 | Customer's Web Browser | CMS | HP SMH port for Insight Manager Web Agents; HTTP (unencrypted), redirected to 2381 (HTTPS) | Yes | Required
ICMP | N/A | CMS | Managed Systems | Provides system reachability (ping) check during system discovery and before other operations. Note that HP SIM can be configured to use TCP port 5989 to simplify firewall settings. | No | Recommended
TCP | 5989 | CMS | Managed Systems | Secured WBEM CIMOM protocol over HTTPS/SOAP. This port is used to communicate with WBEM endpoint nodes. | Yes | Optional

D.3 HP P4000 Storage Systems

Table D-3 HP P4000 Storage Systems Connectivity - Firewall/Port Requirements

Protocol | Ports | Source | Destination | Function | Configurable | Optional
---------|-------|--------|-------------|----------|--------------|---------
TCP | 5988 | CMC (can be running on CMS) | Managed Systems | HP P4000 Centralized Management Console (CMC) | No | Required
TCP | 5989 | CMC (can be running on CMS) | Managed Systems | HP P4000 Centralized Management Console (CMC) | No | Required
TCP | 5989 | CMS | Managed Systems | Remote Support P4000 Integration Module - HP P4000 CLI API | Yes | Required
UDP | 161 | CMS | Managed Systems | SNMP. This is the standard port used by SNMP agents on managed systems. The CMS sends requests to devices on this port. | No | Required
UDP | 162 | Managed Systems | CMS | SNMP Trap. This is the standard port used by SNMP managers for listening to traps. | No | Required
ICMP | N/A | CMS | Managed Systems | Provides system reachability (ping) check during system discovery and before other operations. Note that HP SIM can be configured to use TCP port 5989 to simplify firewall settings. | No | Recommended

D.4 StorageWorks P6000 (EVA) Storage Systems

Table D-4 EVA Connectivity - Firewall/Port Requirements

Protocol | Ports | Source | Destination | Function | Configurable | Optional
---------|-------|--------|-------------|----------|--------------|---------
TCP | 2372 | CMS | EVA | CommandView - Storage Collections for EVA (HTTPS) | No | Required
TCP | 5989 | CMS | Managed Systems | Secured WBEM CIMOM protocol over HTTPS/SOAP. This port is used to communicate with WBEM endpoint nodes. | Yes | Required
TCP | 7920 | CMS | Managed Systems | The WEBES ELMC (formerly WCCProxy) process communicates with the Director on this port. This is a proprietary protocol. Any connections that exchange username and passwords use SSL. Not all connections are SSL. | No | Required
TCP | 50001 | Managed Systems | CMS | HP SIM HTTPS/SOAP | No | Required
TCP | 50002 | Managed Systems | CMS | HP SIM HTTPS/SOAP with client certificate authentication | No | Required
TCP | 50004 | Managed Systems | CMS | WBEM event receiver (HTTP and HTTPS) | Yes | Required
ICMP | N/A | CMS | Managed Systems | Provides system reachability (ping) check during system discovery and before other operations. Note that HP SIM can be configured to use TCP port 5989 to simplify firewall settings. | No | Recommended
TCP | 7906 | Managed Systems | CMS | Secure HTTP (HTTPS) port used by the listener running in the Director's Web Interface. The Web browser connects to this port in the URL (e.g. https://target.sys.name.here:7906) | No | Recommended
UDP | 161 | CMS | Managed Systems | SNMP. This is the standard port used by SNMP agents on managed systems. The CMS sends requests to devices on this port. | No | Optional
UDP | 162 | Managed Systems | CMS | SNMP Trap. This is the standard port used by SNMP managers for listening to traps. | No | Optional

D.5 StorageWorks Tape Libraries

Table D-5 StorageWorks Tape Libraries Connectivity - Firewall/Port Requirements

Protocol | Ports | Source | Destination | Function | Configurable | Optional
---------|-------|--------|-------------|----------|--------------|---------
TCP | 23 | CMS | Managed Systems | Telnet (unencrypted). Status checking of legacy storage and network devices | No | Required
TCP | 2301 | Customer's Web Browser | CMS | HP SMH port for Insight Manager Web Agents; HTTP (unencrypted), redirected to 2381 (HTTPS) | Yes | Required
ICMP | N/A | CMS | Managed Systems | Provides system reachability (ping) check during system discovery and before other operations. Note that HP SIM can be configured to use TCP port 5989 to simplify firewall settings. | No | Recommended

D.6 StorageWorks P9000/XP Disk Arrays

Table D-6 StorageWorks P9000/XP Disk Arrays Connectivity - Firewall/Port Requirements

Protocol | Ports | Source | Destination | Function | Configurable | Optional
---------|-------|--------|-------------|----------|--------------|---------
TCP | 50000 | XP SVP | CMS | XP Data Transport | No | Required
ICMP | N/A | CMS | Managed Systems | Provides system reachability (ping) check during system discovery and before other operations. Note that HP SIM can be configured to use TCP port 5989 to simplify firewall settings. | No | Recommended


E Summary of Network Ports for Networking

The following tables summarize all ports that might be used in Insight Remote Support Advanced for Networking. See Table B-1 for ports that are required for basic system operation.

E.1 E-Series Switch Managed Systems

Table E-1 E-Series Switch Connectivity - Firewall/Port Requirements

Protocol | Ports | Source | Destination | Function | Configurable | Optional
---------|-------|--------|-------------|----------|--------------|---------
UDP | 161 | CMS | Managed Systems | SNMP. This is the standard port used by SNMP agents on managed systems. The CMS sends requests to devices on this port. | No | Required
UDP | 162 | Managed Systems | CMS | SNMP Trap. This is the standard port used by SNMP managers for listening to traps. | No | Required
ICMP | N/A | CMS | Managed Systems | Provides system reachability (ping) check during system discovery and before other operations. Note that HP SIM can be configured to use TCP port 5989 to simplify firewall settings. | No | Recommended
TCP | 22 | CMS | Managed Systems | SSH: Remote Data Collection | Yes | Optional

E.2 Network Managed Systems

Table E-2 Network Connectivity - Firewall/Port Requirements

Protocol | Ports | Source | Destination | Function | Configurable | Optional
---------|-------|--------|-------------|----------|--------------|---------
ICMP | N/A | CMS | Managed Systems | Provides system reachability (ping) check during system discovery and before other operations. Note that HP SIM can be configured to use TCP port 5989 to simplify firewall settings. | No | Recommended
TCP | 22 | CMS | Managed Systems | SSH: Remote Data Collection | Yes | Recommended
TCP | 23 | CMS | Managed Systems | Telnet (unencrypted). Status checking of legacy storage and network devices | No | Optional
UDP | 161 | CMS | Managed Systems | SNMP. This is the standard port used by SNMP agents on managed systems. The CMS sends requests to devices on this port. | No | Optional
UDP | 162 | Managed Systems | CMS | SNMP Trap. This is the standard port used by SNMP managers for listening to traps. | No | Optional

E.3 SAN Managed Systems

Table E-3 SAN Connectivity - Firewall/Port Requirements

Protocol | Ports | Source | Destination | Function | Configurable | Optional
---------|-------|--------|-------------|----------|--------------|---------
ICMP | N/A | CMS | Managed Systems | Provides system reachability (ping) check during system discovery and before other operations. Note that HP SIM can be configured to use TCP port 5989 to simplify firewall settings. | No | Recommended
TCP | 23 | CMS | Managed Systems | Telnet (unencrypted). Status checking of legacy storage and network devices | No | Optional
UDP | 161 | CMS | Managed Systems | SNMP. This is the standard port used by SNMP agents on managed systems. The CMS sends requests to devices on this port. | No | Optional
UDP | 162 | Managed Systems | CMS | SNMP Trap. This is the standard port used by SNMP managers for listening to traps. | No | Optional

E.4 SAN Switch Managed Systems

Table E-4 SAN Switch Connectivity - Firewall/Port Requirements

Protocol | Ports | Source | Destination | Function | Configurable | Optional
---------|-------|--------|-------------|----------|--------------|---------
UDP | 161 | CMS | Managed Systems | SNMP. This is the standard port used by SNMP agents on managed systems. The CMS sends requests to devices on this port. | No | Required
UDP | 162 | Managed Systems | CMS | SNMP Trap. This is the standard port used by SNMP managers for listening to traps. | No | Required
ICMP | N/A | CMS | Managed Systems | Provides system reachability (ping) check during system discovery and before other operations. Note that HP SIM can be configured to use TCP port 5989 to simplify firewall settings. | No | Recommended


F Revision History for Insight Remote Support Advanced Network Ports

This section describes firewall configuration changes that have occurred between releases of Insight Remote Support Advanced.

F.1 A.05.40

The following port changes have been made for A.05.40:

• EVA: SNMP ports 161 and 162 changed from "Optional" to "Recommended".
• Integrity Linux: SNMP ports 161 and 162 changed from "Optional" to "Required".
• ProLiant: SNMP ports 161 and 162 changed from "Optional" to "Required for Linux".

F.2 A.05.50

The following port changes have been made for A.05.50:

• CMS: Ports 280 and 2301 changed from "Recommended" to "Optional".
• HP-UX: Removed TCP port 5988 and UDP port 162.
• HP StorageWorks P4000 Storage Systems: New product support.
• NonStop: Added TCP ports 5989 and 50004; removed UDP port 162.
• Added table for ports used by operating system.
• ProLiant: Split table into ProLiant Linux and ProLiant Windows tables.
• All Devices: Removed port 2069 (OSEM); OSEM has been retired.

F.3 A.05.60

The following port changes have been made for A.05.60:

• TCP port 5989 (WBEM) is noted as configurable.
• TCP port 50000 (HP SIM) is noted as configurable.
• TCP ports 50001 and 50002 (HP SIM) are noted as not configurable.
• E-Series Switches: Added new table.
• HP-UX: Added TCP ports for Superdome 2 and Onboard Administrator (OA); changed TCP port 2381 to "Optional".
• Integrity Linux: Added TCP ports 5989, 7906, 50001, 50002, and 50004; removed UDP port 162; changed UDP port 161 from "Required" to "Optional".
• Integrity Windows Server: Split into two tables for Windows Server 2003 and Windows Server 2008.
• Integrity Windows Server 2008: Added TCP ports 5989, 50001, 50002, and 50004; removed UDP ports 161 and 162.
• Network Managed Systems: Added TCP port 22.
• OpenVMS: Split into two tables for Integrity and Alpha platforms.
• OpenVMS Integrity: Added TCP ports 5989, 50001, 50002, and 50004.
• ProLiant Citrix: Added new table.
• ProLiant Linux: Added TCP ports 5989, 7906, 50001, 50002, and 50004.
• ProLiant Microsoft Hyper-V: Added new table.
• ProLiant VMware ESX: Added new table.
• ProLiant VMware ESXi: Added new table.
• ProLiant Windows Server: Added TCP ports 5989, 7906, 50001, 50002, and 50004.
• SAN Switches: Added new table.
• StorageWorks MSA1000/1500: Added new table.
• StorageWorks MSA23xx: Added new table.
• StorageWorks P4000: Added TCP port 5989 for CMC.
• StorageWorks P6000 (EVA) Storage Systems: Changed product name from EVA to P6000; added TCP port 7906; removed TCP ports 445 and 5988; changed UDP ports 161 and 162 from "Recommended" to "Optional".
• StorageWorks Tape Libraries: Added new table.
• StorageWorks XP Array: Moved RDA ports to the RDA table.
• Tru64 UNIX: Removed TCP port 7906 and UDP port 162; added TCP port 22.

F.4 A.05.70

The following changes have been made for A.05.70:

• HP-UX: Onboard Administrator port 7902 (unencrypted) changed to port 7906 (encrypted).
• Integrity Windows Server 2003/2008, ProLiant VMware ESXi, and ProLiant Windows Server 2003/2008: Corrected DCOM port usage. TCP ports 1024-65535 or 49152-65535 with source port 135 are the correct DCOM ports on these managed systems.
• StorageWorks P9000: Changed product name from XP to P9000.


G Summary of Network Ports for Remote Device Access

The following tables summarize all ports that might be used in Remote Device Access. See Table B-1 for ports that are required for basic system operation.

G.1 Customer Access System (CAS)

Table G-1 CAS Connectivity - Firewall/Port Requirements

Protocol | Ports | Source | Destination | Function | Configurable | Optional
---------|-------|--------|-------------|----------|--------------|---------
TCP | 22 | HP Remote Access Connectivity System (RACS) | CAS | SSH Tunnel (SSH-Direct only) | No | Required for SSH-Direct
ICMP | N/A | CAS | Customer CorVPN and hpVPN Routers | Provides system reachability (ping) check during installation. | No | Recommended
ICMP | N/A | CAS | Target System Including CMS | Provides system reachability (ping) check during installation. | No | Recommended
ICMP | N/A | Customer CorVPN and hpVPN Routers | CAS | Provides system reachability (ping) check during installation. | No | Recommended
ICMP | N/A | Target System Including CMS | CAS | Provides system reachability (ping) check during installation. | No | Recommended
TCP | 443 | CAS | Customer hpVPN Router | HTTPS connection forwarded from HP through CAS to CMS or managed system | Yes | Optional
TCP | 22 | CAS | Target System Including CMS | SSH command-line access | Yes | Optional
TCP | 23 | CAS | Target System Including CMS | Telnet command-line access if SSH is not available. | Yes | Optional
TCP | 80 | CAS | Target System Including CMS | HTTP connection forwarded from HP through CAS to CMS or managed system | Yes | Optional
TCP | 3389 | CAS | Target System Including CMS | MS RDP. Remote Desktop Connection forwarded from HP through CAS to CMS or managed system | Yes | Optional
TCP | 5800 | CAS | Target System Including CMS | VNC Web access | Yes | Optional
TCP | 5900 | CAS | Target System Including CMS | VNC access | Yes | Optional
TCP | other | CAS | Target System Including CMS | Customer-specified port and application protocol SSH-forwarded from HP | Yes | Optional
TCP | other | Customer Clients | CAS | Other access methods for CAS administration | Yes | Optional
TCP | 22 | Customer's SSH Client | Target System Including CMS | SSH command-line access | Yes | Optional

G.2 Additional Ports for Virtual CAS

Table G-2 Additional Ports for Virtual CAS Connectivity - Firewall/Port Requirements

Protocol | Ports | Source | Destination | Function | Configurable | Optional
---------|-------|--------|-------------|----------|--------------|---------
TCP | 443 | Customer's Web Browser | Virtual CAS | HTTPS port for web UI for managing Virtual CAS | No | Required
UDP | 53 | Virtual CAS | DNS Server | Domain Name Service (DNS) - Host name resolution | No | Required
UDP | 123 | Virtual CAS | Network Time Server | Network Time Protocol | No | Recommended
TCP | 80 or web proxy port | Virtual CAS | onsitecrl.verisign.com or Web Proxy | HTTP (unencrypted). Daily fetch of HP Class 2 CA certificate revocation list (CRL) | No | Recommended
TCP | 80 | Virtual CAS | onsite-ocsp.verisign.com | OCSP (Online Certificate Status Protocol) for certificate revocation check | No | Recommended
TCP | 22 | Customer's SSH Client | Virtual CAS | SSH command-line access for Virtual CAS management | No | Optional
TCP | 25 | Virtual CAS | Customer-Designated SMTP Server | Email notifications | No | Optional
TCP | 443 or web proxy port | Virtual CAS | h20529.www2.hp.com or Web Proxy | HTTPS connection to the HP RDA CAS Kit server to download updates | No | Optional
TCP | 514 | Virtual CAS | Logging Server | Syslog remote logging (unencrypted) | Yes | Optional
UDP | 514 | Virtual CAS | Logging Server | Syslog remote logging (unencrypted) | Yes | Optional
TCP | other | Virtual CAS | Target System | Customer-specified TCP port and application protocol SSH-forwarded from HP via the relay application | Yes | Optional
UDP | other | Virtual CAS | Target System | Customer-specified UDP port and application protocol SSH-forwarded from HP via the relay application | Yes | Optional

G.3 Additional Ports for iCAS

Table G-3 Additional Ports for iCAS Connectivity - Firewall/Port Requirements

Protocol | Ports | Source | Destination | Function | Configurable | Optional
---------|-------|--------|-------------|----------|--------------|---------
UDP | 53 | iCAS Host | DNS Server | Domain Name Service (DNS) - Host name resolution | No | Required
TCP | 80 or web proxy port | iCAS Host | HP Regional RAMS Server or Web Proxy | HTTP Tunnelling for SSH | No | Required
TCP | 443 or web proxy port | iCAS Host | HP Regional RAMS Server or Web Proxy | HTTPS to retrieve iCAS plug-in | No | Required
TCP | other | iCAS Host | Target System | Customer-specified TCP port and application protocol SSH-forwarded from HP | Yes | Optional
UDP | other | iCAS Host | Target System | Customer-specified UDP port and application protocol SSH-forwarded from HP | Yes | Optional

G.4 Additional Ports for P9000/XP Storage Array

Table G-4 Additional Ports for P9000/XP Storage Array Connectivity - Firewall/Port Requirements

Optional | Configurable | Function | Destination | Source | Ports | Protocol
Optional | No | Microsoft Remote Desktop Connection (RDC) used for remote management by HP or customer | XP SVP | CAS | 3389 | TCP
Optional | Yes | pcAnywhere data connection for accessing XP SVP. In the case of XP1024/XP128, pcAnywhere is the only option to access the SVP, since RDC is not supported for Win2k. Engineers may have to first log in to the XP SVP using pcAnywhere to find out which CMS the XP is pointed at. | XP SVP | CAS | 5631 | TCP
Optional | Yes | pcAnywhere status for accessing XP SVP | XP SVP | CAS | 5632 | UDP

G.5 hpVPN

Table G-5 hpVPN Connectivity - Firewall/Port Requirements

Optional | Configurable | Function | Destination | Source | Ports | Protocol
Required | No | IPsec Encapsulation for IPsec tunneling | HP Regional VPN Router | Customer hpVPN Router | N/A | ESP
Required | No | IPsec Internet Security Association and Key Management Protocol | HP Regional VPN Router | Customer hpVPN Router | 500 | UDP
Required | No | IPsec Encapsulation for IPsec tunneling | Customer hpVPN Router | HP Regional VPN Router | N/A | ESP
Required | No | IPsec Internet Security Association and Key Management Protocol | Customer hpVPN Router | HP Regional VPN Router | 500 | UDP
Optional | No | HTTPS VPN Router Web UI | Customer hpVPN Router | Customer's Web Browser | 443 | TCP
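As an added example (not HP's tooling and not part of this document), the rows of Tables G-2 and G-5 encoded as data and turned into a default-deny nftables allowlist for the Virtual CAS or the customer hpVPN router. The table name `rda`, the chain names `input`/`output`, and the `addresses` mapping from the tables' peer names to site-chosen IPs are assumptions; the Configurable column and the web-proxy variants are not modelled, and the sample addresses in the usage are constructed.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class PortRow:
    need: str         # Required / Recommended / Optional
    function: str
    destination: str
    source: str
    port: str         # "443", "other", "N/A" ...
    proto: str        # tcp / udp / esp

VCAS, VPN = "Virtual CAS", "Customer hpVPN Router"
G2_ROWS = [  # Table G-2 (web-proxy variants omitted)
    PortRow("Required", "HTTPS web UI", VCAS, "Customer's Web Browser", "443", "tcp"),
    PortRow("Required", "DNS", "DNS Server", VCAS, "53", "udp"),
    PortRow("Recommended", "HTTP CRL fetch", "onsitecrl.verisign.com", VCAS, "80", "tcp"),
    PortRow("Recommended", "OCSP", "onsite-ocsp.verisign.com", VCAS, "80", "tcp"),
    PortRow("Optional", "SSH management", VCAS, "Customer's SSH Client", "22", "tcp"),
    PortRow("Optional", "SMTP notifications", "Customer-Designated SMTP Server", VCAS, "25", "tcp"),
    PortRow("Optional", "CAS Kit updates", "h20529.www2.hp.com", VCAS, "443", "tcp"),
    PortRow("Optional", "Syslog (unencrypted)", "Logging Server", VCAS, "514", "tcp"),
    PortRow("Optional", "Syslog (unencrypted)", "Logging Server", VCAS, "514", "udp"),
    PortRow("Optional", "Relay to target", "Target System", VCAS, "other", "tcp"),
]
G5_ROWS = [  # Table G-5: IPsec tunnel, both directions
    PortRow("Required", "IPsec ESP", "HP Regional VPN Router", VPN, "N/A", "esp"),
    PortRow("Required", "ISAKMP", "HP Regional VPN Router", VPN, "500", "udp"),
    PortRow("Required", "IPsec ESP", VPN, "HP Regional VPN Router", "N/A", "esp"),
    PortRow("Required", "ISAKMP", VPN, "HP Regional VPN Router", "500", "udp"),
]

def nft_rules(rows, host, addresses, enable=frozenset()):
    """Return nftables 'add rule' lines for `host`. Required/Recommended rows
    are always emitted; Optional rows only when named in `enable`. `addresses`
    maps the table's peer names to IPs/CIDRs chosen by the site; a row whose
    peer is unmapped, or whose port is 'other', is skipped, never widened."""
    rules = []
    for r in rows:
        if r.need == "Optional" and r.function not in enable:
            continue
        if r.source == host:          # host initiates: egress rule
            chain, peer, key = "output", r.destination, "daddr"
        elif r.destination == host:   # host listens: ingress rule
            chain, peer, key = "input", r.source, "saddr"
        else:
            continue                  # row does not involve this host
        if peer not in addresses or r.port == "other":
            continue                  # never emit a wildcard peer or port
        l4 = "ip protocol esp" if r.proto == "esp" else f"{r.proto} dport {r.port}"
        rules.append(f'add rule inet rda {chain} ip {key} {addresses[peer]} {l4} accept comment "{r.function}"')
    return rules
```

Feeding the output to `nft -f` requires the `inet rda` table and its `input`/`output` chains (policy drop) to exist already; rows for the unencrypted syslog and relay services stay absent until they are explicitly enabled and given concrete peers and ports.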


H Revision History for Remote Device Access Network Ports

This section describes firewall configuration changes that have occurred between releases of Remote Device Access.

H.1 Virtual CAS 8.12

Virtual CAS version 8.12 was the first release.

H.2 Virtual CAS 9.10

There were no port changes for this release.

H.3 Virtual CAS 10.03

There were no port changes for this release.

H.4 Virtual CAS 10.06

The following port changes have been made for Virtual CAS 10.06:

• Added ports for syslog.
• Added TCP and UDP ports for relay application.

H.5 iCAS 10.11-327.21152

iCAS version 10.11-327.21152 is the first version.

H.6 iCAS 11.05.144-22710

The following changes have been made for iCAS 11.05.144-22710:

• Added NTLM support for authenticating proxy servers.
• Fixed timeout issue.
• iCAS software is now signed and no longer emits warnings on Windows 7.
• Fixed various anomalies concerning Microsoft Internet Explorer browsers.

H.7 Insight Remote Support A.05.60: StorageWorks XP Arrays

Added table for StorageWorks XP Arrays.


I Recommended Firewalls

HP recommends the following firewalls:

Vendor | Support URL
3COM | http://www.3com.com/services
Check Point | https://supportcenter.checkpoint.com/
Cisco | http://www.cisco.com/cisco/web/support/index.html
Juniper Networks | http://www.juniper.net/support
Nortel | http://www.nortel.com/support
ProCurve | http://www.procurve.com/customercare/index.htm
Stonesoft | http://www.stonesoft.com/support/

For unlisted firewalls, contact the manufacturer for support.


Glossary

Advanced Configuration Collector (ACC) for HP-UX
The Advanced Configuration Collector component is made available on the Central Management Server for your convenience. It should be distributed to endpoint server systems that require this client to enable configuration collection in order for HP to provide proactive services. The distribution can be accomplished using the facility in HP SIM or your own software distribution application.

Advanced Configuration Collector Commands and Rules
The Advanced Configuration Collector installed on your endpoint server system is controlled by a set of commands and rules that reside on the CMS. This gives you the advantage of minimizing the frequency of the extra effort required to update a distributed Advanced Configuration Collector. Yet, it still allows you to benefit from the latest features and enhancements when made available.

Event Log Monitoring Collector
This client provides error condition detection of the event log of the monitored endpoint system and communicates these events to WEBES remotely for analysis. It is made available on the Central Management Server for your convenience, but should be distributed to the endpoint server system. There are different packages available dependent on operating system.
NOTE: It is a required component to monitor devices which utilize event logs for fault monitoring and reporting.

Remote Support Client
It allows two-way ('phone-home') secure communication with HP and updates hardware incidents with the case ID and its status. Additionally, it enables configuration information to be sent to HP for further analysis to deliver proactive services. This client is also needed to activate the contract, HP Care Pack and warranty entitlement feature of HP SIM.

Remote Support Common Components (MC3)
Allows all remote support components on the Central Management Server (CMS) to share common information (e.g. contact, name and telephone information).

Remote Support Configuration Collector
This component schedules and consolidates configuration information collections from all systems that are entitled for proactive services. This may be a collection directly from a system or via the Advanced Configuration Collector that resides on the endpoint system itself. The Remote Support Configuration Collector is updated regularly to extend support for new products when made available.

Remote Support Configuration Collector Extension
This component is designed to extend the capabilities of the Remote Support Configuration Collector when SAN support is required.

Remote Support Eligible Systems List
This component identifies the devices that are eligible for remote support services, including remote 'phone-home' monitoring. This list is updated on a regular basis to add new device support to this service automatically.

Remote Support Software Manager
This component, under your control, allows you to initially and securely download and subsequently update all of the Insight Remote Support components to your Central Management Server. This allows you to take advantage of new enhancements and updates as they become available. It also allows you to apply different software management policies for each of the different components if required.

Web Based Enterprise Services (WEBES)
Designed to perform real-time service event analysis through product-specific rule sets. These rule sets are updated regularly as improvements become available. We recommend that you take advantage of these improvements by configuring the Remote Support Software Manager to automatically update these commands and rule sets and application updates that include new product support. It is recommended that you install the latest version of WEBES to ensure the largest product coverage and benefit from the latest analysis engine features.
NOTE: Only one instance of WEBES per CMS is required for enterprise-wide monitoring regardless of the product to be monitored.
