Configuring support assistance

You can configure support assistance with the management GUI or the command-line interface.

Support assistance enables support personnel to access the system to complete troubleshooting and maintenance tasks. You can configure either local support assistance, where support personnel visit your site to fix problems with the system, or local and remote support assistance. Remote support assistance allows support personnel to access the system remotely from the support center. Both local and remote support assistance use secure connections to protect data exchange between the support center and system. All actions completed with support assistance are recorded for auditing purposes. Local support assistance must be configured before remote support assistance is enabled.

Prerequisites

If you are configuring remote support assistance, the following prerequisites are required for all configurations.
  • Call home must be configured and functioning with a valid email server. To configure call home, select Settings > Notifications > Email in the management GUI or via system setup.
  • Service IP addresses must be configured on each node on the system. To configure service IP addresses, select Settings > Network > Service IPs in the management GUI.
  • A DNS server must be configured on your system. To configure a DNS server, select Settings > System > DNS in the management GUI.
    Note: The DNS configuration of your local system should allow for both local and remote servers. It should not be configured to allow only a single external DNS server, such as Google 8.8.8.8.
  • Optionally, a remote support proxy server can be configured to consolidate firewall traffic from a number of storage systems. Remote upgrades cannot be completed through the remote support proxy server.
The following network connections between IBM and the system are required to enable support assistance.
esupport.ibm.com
The esupport.ibm.com network connection is used to upload logs to the IBM Enhanced Customer Data Repository (ECUREP). An esupport.ibm.com firewall rule is not necessary if Storage Insights is configured because Storage Insights provides a feature to upload logs. However, an esupport.ibm.com firewall rule is still recommended because Call Home with cloud services uses the same port.
Note: The esupport.ibm.com network connection is fully certified to securely transmit data for Blue Diamond (HIPAA) users and General Data Protection Regulation (GDPR) protected users.
Use the following information to configure a firewall rule.
Source | Target | Port | Protocol | Direction
The service IP address of every node or node canister. | esupport.ibm.com | 443 | https | Outbound only

If a transparent proxy service is available in the management network, then no firewall rules are required for esupport.ibm.com. If a domain name cannot be used for configuring firewall rules, you can use the following IP addresses: 129.42.56.189, 129.42.54.189, and 129.42.60.189.

FixCentral
Software upgrade packages can be downloaded onto the system by using the FixCentral network connection. Use the following information to configure a firewall rule.
Source | Target | Port | Protocol | Direction
The service IP address of every node or node canister. | delivery04.dhe.ibm.com | 22 | SFTP (FTP over SSH) | Outbound only

If a domain name cannot be used for configuring firewall rules, you can use the following IP addresses: 170.225.15.105, 170.225.15.104, 170.225.15.107, 129.35.224.105, 129.35.224.104, and 129.35.224.107.

Remote Access
IBM can remotely connect to your system to perform maintenance actions by using remote access. Remote access can be permanently enabled, or it can be enabled as needed.
It is recommended that you install and configure the Remote Support Proxy service to simplify firewall configurations. One Remote Support Proxy can be used by multiple systems and by other IBM storage products.
With a Remote Support Proxy server
Use the following information to configure a firewall rule after you install and configure the Remote Support Proxy server.
Source | Target | Port | Protocol | Direction
IP address of the Remote Proxy Server | 129.33.206.139 and 204.146.30.139 | 443 | https | Outbound only
You also need to configure the IP address of the Remote Support Proxy server into the system.
Without a Remote Support Proxy server
If the Remote Support Proxy server is not installed and configured, use the following information to configure a firewall rule.
Source | Target | Port | Protocol | Direction
The service IP address of every node or node canister. | 129.33.206.139 and 204.146.30.139 | 22 | ssh | Outbound only
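
An added example (not part of the original page and not IBM tooling): a Python check that compares an exported firewall rule set against the outbound connections listed in the tables above, and flags rules that are not outbound-only. The rule dictionary format, the 192.0.2.x service addresses, and the function names are assumptions made for illustration; the transparent-proxy exception for esupport.ibm.com is not modelled.

```python
import ipaddress

# Targets and ports copied from the firewall tables on this page.
# Each list holds alternatives: the domain name, or the full set of IP addresses.
ESUPPORT = [{"esupport.ibm.com"}, {"129.42.56.189", "129.42.54.189", "129.42.60.189"}]
FIXCENTRAL = [{"delivery04.dhe.ibm.com"},
              {"170.225.15.105", "170.225.15.104", "170.225.15.107",
               "129.35.224.105", "129.35.224.104", "129.35.224.107"}]
REMOTE = [{"129.33.206.139", "204.146.30.139"}]
SUPPORT_TARGETS = set().union(*ESUPPORT, *FIXCENTRAL, *REMOTE)

def required_flows(service_ips, proxy_ip=None):
    """Yield (name, source, port, alternatives); one alternative must be fully allowed."""
    for ip in service_ips:
        yield ("esupport", ip, 443, ESUPPORT)
        yield ("FixCentral", ip, 22, FIXCENTRAL)
        if proxy_ip is None:        # no proxy: every node connects over ssh
            yield ("remote access", ip, 22, REMOTE)
    if proxy_ip is not None:        # with a proxy: only the proxy connects, over https
        yield ("remote access", proxy_ip, 443, REMOTE)

def _src_matches(rule_src, ip):
    # A rule source may be a single address or a CIDR block.
    return ipaddress.ip_address(ip) in ipaddress.ip_network(rule_src, strict=False)

def audit(rules, service_ips, proxy_ip=None):
    """Return (missing, inbound): unmet required flows and non-outbound rules."""
    def allowed(src, dst, port):
        return any(r["direction"] == "out" and r["port"] == port and r["dst"] == dst
                   and _src_matches(r["src"], src) for r in rules)
    missing = [(name, src, port)
               for name, src, port, alts in required_flows(service_ips, proxy_ip)
               if not any(all(allowed(src, t, port) for t in alt) for alt in alts)]
    # The tables specify "Outbound only": flag any other direction on these endpoints.
    inbound = [r for r in rules if r["direction"] != "out"
               and (r["src"] in SUPPORT_TARGETS or r["dst"] in SUPPORT_TARGETS)]
    return missing, inbound

# Constructed sample rule set (hypothetical format, documentation addresses).
SAMPLE_RULES = [
    {"src": "192.0.2.0/28", "dst": "esupport.ibm.com", "port": 443, "direction": "out"},
    {"src": "192.0.2.10", "dst": "delivery04.dhe.ibm.com", "port": 22, "direction": "out"},
    {"src": "192.0.2.10", "dst": "129.33.206.139", "port": 22, "direction": "out"},
    {"src": "204.146.30.139", "dst": "192.0.2.10", "port": 22, "direction": "in"},
]

if __name__ == "__main__":
    missing, inbound = audit(SAMPLE_RULES, ["192.0.2.10", "192.0.2.11"])
    print("missing:", missing, "\nnot outbound-only:", inbound)
```

With the sample rules, the second node lacks the FixCentral and remote access rules, the first node reaches only one of the two remote access addresses, and the inbound ssh rule is reported because the page requires outbound connections only.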

Using the management GUI

To configure support assistance, complete these steps.
  1. In the management GUI, select Settings > Support > Support Assistance > Set Up Support Assistance.
  2. Select one of these options.
    I want support personnel to work onsite only
    Select this option to configure local support assistance. Use this option if your system has certain restrictions that require onsite maintenance. If you select this option, click Finish to set up local support assistance.
    I want support personnel to access my system both onsite and remotely
    Select this option to configure remote support assistance. Use this option to allow support personnel to access your system through a secure connection from the support center. Secure remote assistance requires a valid service IP address, call home, and an optional Remote Support Proxy server if a firewall is used to protect your internal network. If you select this option, click Next to specify IP addresses for the support center and optional Remote Support Proxy server.
  3. If you selected to configure both local and remote support assistance, verify the pre-configured support centers. Optionally, enter the name, IP address, and port for the Remote Support Proxy server on the Remote Support Centers page. A Remote Support Proxy server is used by systems that do not directly access the internet or if traffic is routed from multiple storage systems to the same place.
  4. On the Remote Support Access Settings page, select one of these options to control when support personnel can access your system to conduct maintenance and fix problems.
    At Any Time
    Support personnel can access the system at any time. For this option, remote support sessions do not need to be started manually and sessions remain open continuously.
    On Permission Only
    The system administrator must grant permission to support personnel before they can access the system. For this option, remote support sessions need to be started manually and you can specify a maximum time that a session can be idle before the session is automatically closed.
  5. Click Finish.
  6. After you configure remote support assistance with permission only, you can start sessions between the support center and the system. On the Support Assistance page, select Start New Session and specify the number of minutes the session can be idle after the support user is logged off the system.

Using the command-line interface

To configure local support assistance, enter the following command.
chsra -enable
To enable remote support assistance after local support assistance is configured, enter the following command.
chsra -remotesupport enable