Remote code load (RCL) is a service that allows remote support engineers to complete code
updates on the storage system.
IBM® storage implemented a remote capability to upgrade code
on clients’ entitled storage products. RCL is the process of having IBM support personnel securely connect to and update the microcode on the storage system. The
RCL service is the preferred code delivery method, which proves to be both efficient and secure for
IBM clients. RCL is fast and easy to coordinate because it
does not require an onsite visit of an IBM services technician
and is the preferred alternative to the existing on-premises microcode upgrade service.
Remote code load requires a set of firewall settings to be open in the client network to
facilitate the following activities.
- Access IBM Fix Central to download code
- Access Enhanced Customer Data Repository (ECUREP) system to upload logs
- Remote dial in to complete code load
Note: This access is the same set of access requirements that is needed for normal remote
support operations.
The following network connections between IBM and the system are
required to enable support assistance.
- esupport.ibm.com
- The esupport.ibm.com network connection is used to for the following
actions:
- Uploading logs to the IBM Enhanced Customer Data Repository (ECUREP)
- Connecting to Call home with cloud services (Cloud Call Home)
- Downloading software from FixCentral (new for 8.4.2)
Note: The esupport.ibm.com network connection is fully certified to securely transmit data for
Blue Diamond (HIPPA) users and General Data Protection Regulation (GDPR) protected
users.
If you are using a firewall to route traffic instead of an HTTP proxy server, use
the following information to configure a firewall rule.
| Source |
Target |
Port |
Protocol |
Direction |
| The service IP address of every node or node canister. |
esupport.ibm.com |
443 |
https |
Outbound only |
- Remote Access
- IBM can remotely connect to your system to perform maintenance actions by
using remote access. Remote access can be permanently enabled, or it can be enabled as needed. The
system supports three methods of enabling remote access to the system:
- HTTP internal proxy server
- It is recommended that you specify a HTTP proxy server for better security. If a HTTP proxy is
configured, then the system connects through HTTP proxy server. For more
information, see Defining an HTTP proxy server.
If you
currently have Remote Proxy Server configured on the system, you must remove the Remote Proxy Server
from your configuration. For more information, see Removing a Remote Proxy Server page.
- Direct network connection
- If the Remote Support Proxy server is not installed and configured, use the following
information to configure a firewall rule.
| Source |
Target |
Port |
Protocol |
Direction |
| The service IP address of every node or node canister |
170.225.126.11, 170.225.126.12, 170.225.127.11 and 170.225.127.12 |
22 |
ssh |
Outbound only |
- Remote Proxy Server (deprecated for 8.4.2)
- With the addition of the HTTP proxy support, Remote Support Proxy servers are no longer
necessary, but they are still fully supported for existing configurations.
Note: One Remote Support
Proxy server can be used by multiple systems, as well as other IBM storage products.
Use
the following information to configure a firewall rule after you install and configure the Remote
Support Proxy server.
| Source |
Target |
Port |
Protocol |
Direction |
| IP address of the Remote Proxy Server |
170.225.126.11, 170.225.126.12, 170.225.127.11, and 170.225.127.12 |
443 |
https |
Outbound only |
You also need to configure the IP address of the Remote Support Proxy server into the
system.
- FixCentral (deprecated in 8.4.2)
- Previous methods of downloading software upgrade packages from FixCentral
over SFTP are still supported, but are not required on systems running 8.4.2 or later. Software
upgrade packages can be downloaded onto the system by using the FixCentral network connection. Use
the following information to configure a firewall rule.
| Source |
Target |
Port |
Protocol |
Direction |
| The service IP address of every node or node canister. |
delivery04.dhe.ibm.com |
22 |
SFTP (FTP over SSH) |
Outbound only |
If a domain name cannot be used for configuring firewall rules, you can use the following IP
address: 170.225.126.44.