Configuring support assistance

You can configure support assistance with the management GUI or the command-line interface.

Support assistance enables support personnel to access the system to complete troubleshooting and maintenance tasks. You can configure either local support assistance, where support personnel visit your site to fix problems with the system, or local and remote support assistance. Remote support assistance allows support personnel to access the system remotely from the support center. Both local and remote support assistance use secure connections to protect data exchange between the support center and the system. All actions that are completed with support assistance are recorded for auditing purposes. Local support assistance must be configured before remote support assistance is enabled.

Prerequisites

If you are configuring remote support assistance, the following prerequisites are required for all configurations.
  • Call home must be configured and functioning with a valid email server. To configure call home, select Settings > Notifications > Email in the management GUI or through system setup.
  • Service IP addresses must be configured on each node on the system. To configure service IP addresses, select Settings > Network > Service IPs in the management GUI.
  • A DNS server must be configured on your system. To configure a DNS server, select Settings > System > DNS in the management GUI.
    Note: The DNS configuration of your local system should allow for both local and remote servers. It should not be configured to allow only a single external DNS server such as Google 8.8.8.8.
  • You can configure your firewall to allow traffic to pass directly from the system or you can route traffic through an HTTP proxy server within your environment. For more information, see Defining an HTTP proxy server.
  • With the addition of the HTTP proxy support, Remote Support Proxy servers are no longer necessary, but they are still fully supported for existing configurations. Optionally, a Remote Support Proxy can be configured to consolidate firewall traffic from a number of storage systems. Remote upgrades cannot be completed through the Remote Support Proxy server.
The following network connections between IBM and the system are required to enable support assistance.
esupport.ibm.com
The esupport.ibm.com network connection is used for the following actions:
  • Uploading logs to the IBM Enhanced Customer Data Repository (ECUREP)
  • Connecting to Call home with cloud services (Cloud Call Home)
  • Downloading software from FixCentral (new for 8.4.2)
Note: The esupport.ibm.com network connection is fully certified to securely transmit data for Blue Diamond (HIPAA) users and General Data Protection Regulation (GDPR) protected users.
If you are using a firewall to route traffic instead of an HTTP proxy server, use the following information to configure a firewall rule.
| Source | Target | Port | Protocol | Direction |
| --- | --- | --- | --- | --- |
| The service IP address of every node or node canister | esupport.ibm.com | 443 | https | Outbound only |
Remote Access
IBM can remotely connect to your system to perform maintenance actions by using remote access. Remote access can be permanently enabled, or it can be enabled as needed. The system supports three methods of enabling remote access to the system:
HTTP internal proxy server
It is recommended that you specify an HTTP proxy server for better security. If an HTTP proxy is configured, the system connects through the HTTP proxy server. For more information, see Defining an HTTP proxy server. If you currently have a Remote Proxy Server configured on the system, you must remove the Remote Proxy Server from your configuration. For more information, see the Removing a Remote Proxy Server page.
Direct network connection
If the Remote Support Proxy server is not installed and configured, use the following information to configure a firewall rule.
| Source | Target | Port | Protocol | Direction |
| --- | --- | --- | --- | --- |
| The service IP address of every node or node canister | 129.33.206.139 and 204.146.30.139 | 22 | ssh | Outbound only |
Remote Proxy Server (deprecated for 8.4.2)
With the addition of the HTTP proxy support, Remote Support Proxy servers are no longer necessary, but they are still fully supported for existing configurations.
Note: One Remote Support Proxy server can be used by multiple systems, as well as other IBM storage products.

Use the following information to configure a firewall rule after you install and configure the Remote Support Proxy server.

| Source | Target | Port | Protocol | Direction |
| --- | --- | --- | --- | --- |
| IP address of the Remote Proxy Server | 129.33.206.139 and 204.146.30.139 | 443 | https | Outbound only |

You also need to configure the IP address of the Remote Support Proxy server into the system.

FixCentral (deprecated in 8.4.2)
Previous methods of downloading software upgrade packages from FixCentral over SFTP are still supported, but are not required on systems running 8.4.2 or later. Software upgrade packages can be downloaded onto the system by using the FixCentral network connection. Use the following information to configure a firewall rule.
| Source | Target | Port | Protocol | Direction |
| --- | --- | --- | --- | --- |
| The service IP address of every node or node canister | delivery04.dhe.ibm.com | 22 | SFTP (FTP over SSH) | Outbound only |

If a domain name cannot be used for configuring firewall rules, you can use the following IP addresses: 170.225.15.105, 170.225.15.104, 170.225.15.107, 129.35.224.105, 129.35.224.104, and 129.35.224.107.
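
The firewall rules in this section are all outbound only and tied to specific targets and ports, so recorded traffic from the service IP addresses can be audited against them. The following Python example is added here and is not part of the IBM documentation: the function name, flow record fields, service IPs, internal network and the resolved address for esupport.ibm.com are constructed assumptions, while the remote access and FixCentral addresses and ports are the ones listed above.

```python
from ipaddress import ip_address, ip_network

# Destinations and ports copied from the firewall tables on this page.
REMOTE_ACCESS = {"129.33.206.139", "204.146.30.139"}                 # ssh, port 22
FIXCENTRAL = {"170.225.15.105", "170.225.15.104", "170.225.15.107",
              "129.35.224.105", "129.35.224.104", "129.35.224.107"}  # SFTP, port 22

def audit_flows(flows, service_ips, internal_nets, esupport_ips, legacy_sftp=False):
    """Return (flow, reason) pairs for internet traffic the page's rules do not cover.

    esupport_ips: addresses esupport.ibm.com resolves to at your site (assumption:
    supplied by the caller, because the page gives only the host name).
    """
    nets = [ip_network(n) for n in internal_nets]
    internal = lambda ip: any(ip_address(ip) in n for n in nets)
    allowed = {(ip, 443) for ip in esupport_ips} | {(ip, 22) for ip in REMOTE_ACCESS}
    if legacy_sftp:  # FixCentral over SFTP is only needed before 8.4.2
        allowed |= {(ip, 22) for ip in FIXCENTRAL}
    findings = []
    for f in flows:
        src, dst = f["src"], f["dst"]
        if dst in service_ips and not internal(src):
            findings.append((f, "inbound from internet; documented rules are outbound only"))
        elif src in service_ips and not internal(dst):
            if f["proto"] != "tcp" or (dst, f["dport"]) not in allowed:
                findings.append((f, "egress to undocumented target or port"))
    return findings

# Constructed sample data: service IPs, site network and flow records are invented.
SERVICE_IPS = {"10.20.0.11", "10.20.0.12"}
INTERNAL = ["10.0.0.0/8"]
ESUPPORT = {"203.0.113.10"}  # placeholder for the resolved esupport.ibm.com address
SAMPLE_FLOWS = [
    {"src": "10.20.0.11", "dst": "203.0.113.10", "dport": 443, "proto": "tcp"},
    {"src": "10.20.0.12", "dst": "129.33.206.139", "dport": 22, "proto": "tcp"},
    {"src": "10.20.0.11", "dst": "10.20.0.53", "dport": 53, "proto": "udp"},
    {"src": "10.20.0.11", "dst": "198.51.100.7", "dport": 22, "proto": "tcp"},
    {"src": "198.51.100.9", "dst": "10.20.0.12", "dport": 22, "proto": "tcp"},
    {"src": "10.20.0.12", "dst": "170.225.15.105", "dport": 22, "proto": "tcp"},
]

if __name__ == "__main__":
    for flow, reason in audit_flows(SAMPLE_FLOWS, SERVICE_IPS, INTERNAL, ESUPPORT):
        print(f"{flow['src']} -> {flow['dst']}:{flow['dport']}/{flow['proto']}  {reason}")
```

With `legacy_sftp=False` the FixCentral SFTP flow is reported, which is the expected result on systems running 8.4.2 or later that download through esupport.ibm.com.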

Using the management GUI

To configure support assistance, complete these steps.
  1. In the management GUI, select Settings > Support > Support Assistance > Set Up Support Assistance.
  2. Select one of these options.
    I want support personnel to work onsite only
    Select this option to configure local support assistance. Use this option if your system has certain restrictions that require onsite maintenance. If you select this option, click Finish to set up local support assistance.
    I want support personnel to access my system both onsite and remotely
    Select this option to configure remote support assistance. Use this option to allow support personnel to access your system through a secure connection from the support center. Secure remote assistance requires a valid service IP address, call home, and an optional Remote Support Proxy server if a firewall is used to protect your internal network. If you select this option, click Next to specify IP addresses or domain names for the support center and optional Remote Support Proxy server. If a Remote Support Proxy server is not configured, the system uses an internal proxy to connect to support.
    Note: If you specify domain names, a DNS server must be configured on your system. To configure a DNS server for the system, select Settings > Network > DNS. You can use the mkdnsserver command to configure DNS servers.
  3. If you chose to configure both local and remote support assistance, verify the pre-configured support centers. Optionally, enter the name, IP address or domain names, and port for the Remote Support Proxy server on the Remote Support Centers page. A Remote Support Proxy server is used by systems that do not directly access the internet or if traffic is routed from multiple storage systems to the same place.
  4. On the Remote Support Access Settings page, select one of these options to control when support personnel can access your system to conduct maintenance and fix problems.
    At Any Time
    Support personnel can access the system at any time. For this option, remote support sessions do not need to be started manually and sessions remain open continuously.
    On Permission Only
    The system administrator must grant permission to support personnel before they can access the system. For this option, remote support sessions need to be started manually and you can specify a maximum time that a session can be idle before the session is automatically closed.
  5. Click Finish.
  6. After you configure remote support assistance with permission only, you can start sessions between the support center and the system. On the Support Assistance page, select Start New Session and specify the number of minutes the session can be idle after the support user is logged off the system.

Using the command-line interface

To configure local support assistance, enter the following command.
chsra -enable
To enable remote support assistance after local support assistance is configured, enter the following command.
chsra -remotesupport enable