EMC VNX Series Version VNX1, VNX2 EMC Secre Remote Spport for VNX 300-014-340 REV 03
Copyright 2012-2014 EMC Corporation. All rights reserved. Pblished in USA. Pblished Jly, 2014 EMC believes the information in this pblication is accrate as of its pblication date. The information is sbject to change withot notice. The information in this pblication is provided as is. EMC Corporation makes no representations or warranties of any kind with respect to the information in this pblication, and specifically disclaims implied warranties of merchantability or fitness for a particlar prpose. Use, copying, and distribtion of any EMC software described in this pblication reqires an applicable software license. EMC², EMC, and the EMC logo are registered trademarks or trademarks of EMC Corporation in the United States and other contries. All other trademarks sed herein are the property of their respective owners. For the most p-to-date reglatory docment for yor prodct line, go to EMC Online Spport (https://spport.emc.com). EMC Corporation Hopkinton, Massachsetts 01748-9103 1-508-435-1000 In North America 1-866-464-7381 www.emc.com 2 VNX1, VNX2 EMC Secre Remote Spport for VNX
CONTENTS Figres 5 Chapter 1 Introdction 7 ESRS embedded device client on a control station overview... 8 ESRS embedded device client on a storage processor overview...8 ESRS IP Client for VNX overview... 8 VNX gateway installations... 8 Chapter 2 ESRS device client on control station featre 11 ESRS embedded device client on control station reqirements...12 ESRS embedded device client operational description... 12 Provision ESRS embedded device client on control station... 14 Add storage processor to RemotelyAnywhere IP address filter tables...15 Re-provision ESRS embedded device client on the control station... 16 Upgrade ESRS embedded device client on control station... 16 Chapter 3 ESRS device client on storage processor featre 17 ESRS embedded device client on storage processor reqirements... 18 ESRS embedded device client on storage processor operational description... 18 Provision ESRS embedded device client on storage processor...19 Re-provision ESRS embedded device client on the storage processor...21 Upgrade ESRS embedded device client on storage processor... 21 Captre array configration data settings... 21 Chapter 4 ESRS IP Client for VNX featre 23 ESRS IP Client reqirements... 24 New installation... 25 Upgrade... 28 Verify HTTPS connectivity dring pre-installation... 29 Installation wizard...30 Download and install ESRS IP Client software...30 Add monitor station to RemotelyAnywhere IP address filter tables...31 Change HTTPS commnications secrity... 33 Make changes sing Unisphere UI...33 VNX1, VNX2 EMC Secre Remote Spport for VNX 3
CONTENTS 4 VNX1, VNX2 EMC Secre Remote Spport for VNX
FIGURES 1 2 3 ESRS device client featre cstomer-side network topology example...13 ESRS IP Client commnication infrastrctre - Call Home example... 26 ESRS IP Client commnication infrastrctre - Remote access example...27 VNX1, VNX2 EMC Secre Remote Spport for VNX 5
FIGURES 6 VNX1, VNX2 EMC Secre Remote Spport for VNX
CHAPTER 1 Introdction This chapter introdces yo to the EMC Secre Remote Spport (ESRS) embedded device client on a control station and the ESRS embedded device client on a storage processor featres, which are for single systems. It also introdces yo to the ESRS IP Client for VNX and VNX gateway installations, which reqire a server in addition to the storage system and can be sed for mltiple systems. Major topics inclde: ESRS embedded device client on a control station overview... 8 ESRS embedded device client on a storage processor overview...8 ESRS IP Client for VNX overview... 8 VNX gateway installations... 8 Introdction 7
Introdction ESRS embedded device client on a control station overview The ESRS embedded device client software is packaged into the VNX operating environment (OE) for file/nified systems and resides on the control station. This featre provides yor athorized EMC service provider with remote access capabilities to yor VNX file/nified system sing a secre and encrypted tnnel. For otbond access, the VNX management IP network mst allow otbond and inbond HTTPS traffic. The secre tnnel that ESRS establishes between the VNX device and athorized systems on the EMC network can also be sed to transfer files ot to the VNX system or transfer files back to EMC's network. For more information concerning this featre, see ESRS device client on control station featre on page 11. ESRS embedded device client on a storage processor overview ESRS IP Client for VNX overview VNX gateway installations The ESRS embedded device client software is packaged into the VNX OE for block systems and resides on the storage processors. This featre provides yor athorized EMC service provider with remote access capabilities to yor VNX block system sing a secre and encrypted tnnel. For otbond access, the VNX management IP network mst allow otbond and inbond HTTPS traffic. The secre tnnel that ESRS establishes between the VNX device and athorized systems on the EMC network can also be sed to transfer files ot to the VNX system or transfer files back to EMC's network. For more information concerning this featre, see ESRS device client on storage processor featre on page 17. Yo install the ESRS IP Client for VNX software on an external monitor station (a host or virtal machine). This software monitors the operation of yor EMC VNX or legacy CLARiiON systems for error events and atomatically notifies yor service provider and provides a path to secrely connect to yor monitored VNX or legacy systems. For more information concerning ESRS IP Client for VNX, see ESRS IP Client for VNX featre on page 23. An ESRS Gateway configration spports a wide range of EMC prodcts, and is appropriate for a cstomer environment with a heterogeneos mix of EMC prodcts. Only trained EMC or EMC partner personnel shold install and configre a VNX gateway system configration. This incldes the setp of remote connectivity to contact EMC Cstomer Service or a third-party service provider for problem resoltion assistance. ESRS embedded device client on control station (inclded with OE for file version 7.1.56.x or later) and ESRS IP Gateway 2.0 or later (version 2.22 as a minimm is reqired for later model VNX gateway systems) is spported as a remote connectivity and callhome soltion for a VG2/VG8 gateway configration; ESRS Gateway 1.x is not spported. 8 VNX1, VNX2 EMC Secre Remote Spport for VNX
Introdction For additional information on ESRS IP Gateway, go to the EMC Online Spport website (Spport.EMC.com) VNX gateway installations 9
Introdction 10 VNX1, VNX2 EMC Secre Remote Spport for VNX
CHAPTER 2 ESRS device client on control station featre This chapter describes the reqirements for the ESRS embedded device client on control station software and provides an operational description of the featre. The chapter also describes the processes to provision the featre and to re-provision the featre. Major topics inclde: ESRS embedded device client on control station reqirements...12 ESRS embedded device client operational description... 12 Provision ESRS embedded device client on control station... 14 Add storage processor to RemotelyAnywhere IP address filter tables...15 Re-provision ESRS embedded device client on the control station... 16 Upgrade ESRS embedded device client on control station... 16 ESRS device client on control station featre 11
ESRS device client on control station featre ESRS embedded device client on control station reqirements The ESRS embedded device client on control station featre reqires the following: VNX operating environment (OE) for VNX version 7.1.56.x or later. At least one DNS server mst be configred on yor VNX before yo set p the ESRS commnication channel and provision the featre; otherwise, the featre will not work. Unrestricted access to *.emc.com over the Internet sing HTTPS (for non-proxy environments). EMC online spport accont. Provisioning or re-provisioning the ESRS device client on a control station in a VNX file/ nified system reqires an active accont on the EMC Online Spport website. This accont associates specific credentials with a particlar organization and email domain. When yo provision or re-provision the ESRS device client on a control station in a VNX file/nified system, yo mst specify these credentials (a ser name password pair) to set p the ESRS commnication channel for the system. The following reqirements are dependent on yor ESRS device client on a control station implementation: If yor ESRS implementation will inclde a proxy server to connect to the Internet, yo mst indicate this when yo provision the ESRS featre. If yor ESRS implementation will inclde a Policy Manager for more control over remote access to yor VNX system, yo mst indicate this when yo provision the ESRS featre. If yor ESRS implementation will inclde a proxy server for yor VNX to connect to a Policy Manager, yo mst indicate this when yo provision the ESRS featre. ESRS embedded device client operational description The ESRS embedded device client on control station featre provides an IP-based connection that enables EMC Spport to receive error files and alerts from yor VNX file/ nified system, and to perform remote trobleshooting reslting in a fast and efficient time to resoltion. EMC strongly recommends that yo provision the ESRS device client on control station featre and select it as the primary transport mechanism for Connect Home notifications. These actions will help to accelerate problem diagnosis, perform trobleshooting, and help speed time to resoltion. If yo do not provision ESRS, yo may need to collect system information manally to assist EMC Spport with trobleshooting and resolving problems with the VNX file/nified system. The ESRS device client on control station featre offers a secre architectre from end to end, inclding the following featres: EMC isses X.509 digital certificates to athenticate the ESRS device client on control station to EMC. 12 VNX1, VNX2 EMC Secre Remote Spport for VNX
ESRS device client on control station featre EMC professionals are athenticated sing two niqe factors. All EMC service professionals have a niqe sername that is logged with all their actions. All commnication originates from the control station. The ESRS device client on control station does not accept nsolicited connections from EMC or the Internet. All commnications between EMC and the ESRS device client on control station incldes the latest secrity practices and encryption technologies, inclding certificate libraries based on RSA Lockbox technology, and Advanced Encryption Standard (AES) 256-bit encryption. Those who implement the ESRS device client on control station soltion can frther control remote access by sing the Policy Manager. The Policy Manager gives fll control of how EMC interacts with VNX systems. SSL is available between the ESRS device client on control station and the Policy Manager. ESRS device client on control station management Yo can initially setp the ESRS device client on control station featre sing the VNX Installation Assistant (VIA). When sing VIA, it is important to have all information for setp at the time of installation/initialization. Yo can manage the ESRS device client on control station featre sing Unisphere. Yo can provision or re-provision the service, set p a proxy server or Policy Manager, or both. Yo mst provide yor spport accont credentials to provision or re-provision the ESRS device client on a control station. The VNX file/nified system itself does not implement any policies. If yo reqire more control over remote access to yor VNX file/nified system, yo can se a Policy Manager to set athorization permissions. The Policy Manager software component can be installed on a cstomer-spplied server (see ESRS device client featre cstomer-side network topology example on page 13). It controls remote access to yor devices, maintains an adit log of remote connections, and spports file transfer operations. Yo can control by whom, what, and when access to yor VNX file/nified system occrs. For additional information abot the Policy Manager, go to the EMC Online Spport website (Spport.EMC.com). After logging in, locate the applicable Spport by Prodct page and search for the link to the specific ESRS prodct technical docmentation. Figre 1 ESRS device client featre cstomer-side network topology example Private management network (optional) Site-specific layer Proxy Server (optional) Pblic network VNX5700 system Policy Manager (optional) GEN-001938 ESRS embedded device client operational description 13
ESRS device client on control station featre ESRS device client on control station commnication Access to a DNS server is reqired for the ESRS device client on control station featre to work. Yo shold set the ESRS device client on control station featre to be the primary (defalt) method sed by ConnectEMC to commnicate with EMC backend systems. Provision ESRS embedded device client on control station As a prereqisite for yo to provision the ESRS device client on control station featre in yor VNX file/nified system, yo mst have an existing EMC Online Spport accont. Also, at least one DNS server mst be configred on yor VNX before yo set p the ESRS commnication channel and provision the featre; otherwise, the featre will not work. Yo or yor EMC service provider can provision the ESRS device client on the control station throgh either the VNX Initialization Assistant (VIA, for fresh installs) or Unisphere. To provision the featre reqires either yo to provide yor EMC Online Spport accont credentials (sername and password) or yor EMC service provider to provide their SecrID credentials. To provision the ESRS device client on control station featre in Unisphere, yo mst be logged in to the control station as User root and Scope Local. Select yor system and from the task list, nder Service Tasks, select Manage ESRS for File. For a VNX with two control stations, in Unisphere a dialog box for selecting the target control station (Primary or Standby) appears first. The Primary control station will be selected by defalt. If necessary, yo can change the selection and click Contine to navigate to the Manage ESRS page for the corresponding control station. Also, as an alternate method to access the ESRS parameters, nder Service Tasks, yo can select Manage Connect Home for File and click Manage ESRS Settings in the ESRS Priority field. This link navigates directly to the Manage ESRS page for the primary Control Station. To manage the ESRS on a standby control station, yo mst select Manage ESRS for File from the task list nder Service Tasks. When provisioning the ESRS device client on the control station, yo can provision an optional Proxy Server or a Policy Manager, or both. Once yo have provisioned the featre, yo shold ensre that the primary transport mechanism for Connect Home notifications is set to ESRS. Yo can do this by selecting yor system and from the task list, nder Service Tasks, select Manage Connect Home for File. After yo configre yor Connect Home settings, yo shold test them sing Test on the Manage Connect Home page. For detailed instrctions and more information abot provisioning the ESRS device client on control station featre and testing the transport mechanisms for Connect Home notifications, see the Unisphere online help. Proxy Server If the VNX file/nified system will se a proxy server to connect to the Internet, yo mst indicate this when yo configre the ESRS. Yo mst provide the following information for the proxy server: Protocol (HTTPS or SOCKS) IP address Port nmber 14 VNX1, VNX2 EMC Secre Remote Spport for VNX
ESRS device client on control station featre If the proxy server reqires athentication, yo mst also indicate this dring the ESRS configration and spply login credentials for the proxy server. Yo mst spply both a sername and password for athentication. If yo install a proxy server on a non-standard port, yo will need to enter a port nmber to se the proxy server. If the port is not specified, the system defalts to the appropriate standard port for the given proxy type, port 3128 for the HTTP protocol or port 1080 for the SOCKS protocol. Policy Manager If the VNX file/nified system will se a Policy Manager to set athorization permissions, yo mst indicate this when yo configre the ESRS. Yo mst provide the following information for the Policy Manager: Indicate whether the connection to the Policy Manager needs to be secre (SSL will be sed in the connection to the Policy Manager); otherwise, SSH is sed in the connection to the Policy Manager. IP address Port nmber If the Policy Manager will se a proxy server to connect to the VNX file/nified system, yo mst indicate this when yo configre the ESRS. Yo mst provide the following information for the Policy Manager's proxy server: Protocol (HTTPS or SOCKS) IP address Port nmber If the Policy Manager's proxy server reqires athentication, yo mst also indicate this dring the ESRS configration and spply login credentials for the proxy server. Yo mst spply both a sername and password for athentication. While yo configre the policy manager, yo have the option to change the defalt port if yo choose to se a non-secre transport. In this case, yo will need to enter a port nmber for the policy manager proxy server. If yo do not specify the port, then a defalt proxy server port is sed. The system defalts to the appropriate standard port for the given protocol, port 3128 for the HTTP protocol or port 1080 for the SOCKS protocol. The defalt ports for the Policy Manager are 8443 for secre commnication or 8090 if not secre. Add storage processor to RemotelyAnywhere IP address filter tables When yo provision ESRS embedded device client on CS yo mst also add the internal storage processor (SP) IP addresses to the RemotelyAnywhere filter tables on the SPs. Procedre 1. Enter the SP A or SP B IP address or hostname in a spported browser address field and append the setp page path to the IP address or hostname, for example, http://ip address/setp or http://hostname/setp. The SP setp login page opens. 2. Enter the system Unisphere administrator access sername and password. The SP setp page opens. 3. Scroll down to Set RemotelyAnywhere Access Restriction and click the name panel to open the page. Add storage processor to RemotelyAnywhere IP address filter tables 15
ESRS device client on control station featre System secrity mst be enabled and configred before yo can access the Set RemotelyAnywhere Access Restriction IP address filter table. The IP Filter Configration for RemotelyAnywhere page opens. 4. Enter the control station IP addresses in the following list to the filters that apply to the connected storage system inpt table. Primary control station CS0: 128.221.252.100 (eth0) 128.221.253.100 (eth1) Secondary control station CS1 (if applicable): 128.221.252.101 (eth0) 128.221.253.101 (eth1) 5. Click Apply Settings. The following text message shold appear: RemotelyAnywhere IP Filter reqest was sccessfl. The RemotelyAnywhere IP Filter Configration - Apply page opens. 6. Click Back. The main setp page appears. 7. Click the Logot and close the browser. Re-provision ESRS embedded device client on the control station Yo may need to re-provision the ESRS device client on the control station featre for any of the following reasons: To add or remove a Proxy Server or change existing Proxy Server settings To add or remove a Policy Manager or associated Proxy Server or change existing Policy Manager settings, inclding settings for an associated Proxy Server As a prereqisite for yo to re-provision the ESRS embedded device client on the control station in yor VNX file/nified system, yo mst have already provisioned the ESRS featre. Also, to re-provision the ESRS device client on control station featre in Unisphere, yo mst be logged in to the control station as User root and Scope Local. See Provision ESRS embedded device client on control station on page 14 for information. Upgrade ESRS embedded device client on control station The ESRS embedded device client on control station featre is packaged into the VNX file/nified software image. Upgrade of the device client or associated featres will only be delivered as part of a fll VNX file/nified system software pgrade. 16 VNX1, VNX2 EMC Secre Remote Spport for VNX
CHAPTER 3 ESRS device client on storage processor featre This chapter describes the reqirements for the ESRS embedded device client on storage processor software and provides an operational description of the featre. The chapter also describes the processes to provision the featre and to re-provision the featre. Major topics inclde: ESRS embedded device client on storage processor reqirements...18 ESRS embedded device client on storage processor operational description... 18 Provision ESRS embedded device client on storage processor...19 Re-provision ESRS embedded device client on the storage processor... 21 Upgrade ESRS embedded device client on storage processor... 21 Captre array configration data settings... 21 ESRS device client on storage processor featre 17
ESRS device client on storage processor featre ESRS embedded device client on storage processor reqirements The ESRS embedded device client on storage processor featre reqires the following: VNX operating environment (OE) for block versions 5.32 that are later than version 5.32.000.5.209 and block versions 5.33 that are later than 5.33.000.5.051. At least one DNS server mst be configred on yor VNX before yo set p the ESRS commnication channel and provision the featre; otherwise, the featre will not work. Unrestricted access to *.emc.com over the Internet sing HTTPS (for non-proxy environments). EMC online spport accont Provisioning or re-provisioning the ESRS device client on a storage processor in a VNX block system reqires an active accont on the EMC Online Spport website. This accont associates specific credentials with a particlar organization and email domain. When yo provision or re-provision the ESRS device client on a storage processor in a VNX block system, yo mst specify these credentials (a ser name password pair) to set p the ESRS commnication channel for the system. The following reqirements are dependent on yor ESRS device client on a storage processor implementation: If yor ESRS implementation will inclde a proxy server to connect to the Internet, yo mst indicate this when yo provision the ESRS featre. If yor ESRS implementation will inclde a Policy Manager for more control over remote access to yor VNX system, yo can indicate this when yo either provision or re-provision the ESRS featre. If yor ESRS implementation will inclde a proxy server for yor VNX to connect to a Policy Manager, yo can indicate this when yo either provision or re-provision the ESRS featre. ESRS embedded device client on storage processor operational description The ESRS embedded device client on storage processor featre provides an IP-based connection that enables EMC Spport to receive error files and alerts from yor VNX block system, and to perform remote trobleshooting reslting in a fast and efficient time to resoltion. NOTICE 18 VNX1, VNX2 EMC Secre Remote Spport for VNX After sccessflly initializing yor system, EMC strongly recommends that yo provision the ESRS device client on storage processor featre and select it as the primary transport mechanism for ConnectEMC notifications. These actions will help to accelerate problem diagnosis, perform trobleshooting, and help speed time to resoltion. If yo do not provision ESRS, yo may need to collect system information manally to assist EMC Spport with trobleshooting and resolving problems with the VNX block system. The ESRS device client on storage processor featre offers a secre architectre from end to end, inclding the following featres:
ESRS device client on storage processor featre EMC isses X.509 digital certificates to athenticate the ESRS device client on storage processor to EMC. EMC professionals are athenticated sing two niqe factors. All EMC service professionals have a niqe sername that is logged with all their actions. All commnication originates from the storage processor. The ESRS device client on storage processor does not accept nsolicited connections from EMC or the Internet. All commnications between EMC and the ESRS device client on storage processor incldes the latest secrity practices and encryption technologies, inclding certificate libraries based on RSA Lockbox technology, and Advanced Encryption Standard (AES) 256-bit encryption. Those who implement the ESRS device client on storage processor soltion can frther control remote access by sing the Policy Manager. The Policy Manager gives fll control of how EMC interacts with VNX systems. SSL is available between the ESRS device client on storage processor and the Policy Manager. ESRS device client on storage processor management Yo can manage the ESRS device client on storage processor featre sing Unisphere. Yo can provision or re-provision the service, set p a proxy server or Policy Manager, or both. Yo mst provide yor spport accont credentials to provision or re-provision the ESRS device client on a storage processor. The VNX block system itself does not implement any policies. If yo reqire more control over remote access to yor VNX block system, yo can se a Policy Manager to set athorization permissions. The Policy Manager software component can be installed on a cstomer-spplied server (see ESRS device client featre cstomer-side network topology example on page 13). It controls remote access to yor devices, maintains an adit log of remote connections, and spports file transfer operations. Yo can control by whom, what, and when access to yor VNX block system occrs. For additional information abot the Policy Manager, go to the EMC Online Spport website (https:// spport.emc.com/prodcts/). After logging in, locate the applicable Spport by Prodct page and search for the link to the specific ESRS prodct technical docmentation. ESRS device client on storage processor commnication Access to a DNS server is reqired for the ESRS device client on storage processor featre to work. Yo shold set the ESRS device client on storage processor featre to be the primary (defalt) method sed by ConnectEMC to commnicate with EMC backend systems. Provision ESRS embedded device client on storage processor NOTICE As a prereqisite for yo to provision the ESRS device client on storage processor featre in yor VNX block system, yo mst have an existing EMC Online Spport accont. Also, at least one DNS server mst be configred on yor VNX before yo set p the ESRS commnication channel and provision the featre; otherwise, the featre will not work. Yo or yor EMC service provider can provision the ESRS device client on the storage processor throgh Unisphere. To provision the featre reqires either yo to provide yor EMC Online Spport accont credentials (sername and password) or yor EMC service provider to provide their SecrID credentials. To provision the ESRS device client on storage processor featre in Unisphere, yo mst be logged in to the storage processor as User administrator. Select yor system and from the task list, nder Service Tasks, select Manage ESRS. Provision ESRS embedded device client on storage processor 19
ESRS device client on storage processor featre When provisioning the ESRS device client on the storage processor, yo can provision an optional Proxy Server or a Policy Manager, or both. Once yo have provisioned the featre, yo shold ensre that the primary transport mechanism for ConnectEMC notifications is set to ESRS. Yo can do this by selecting yor system and from the task list, nder Service Tasks, select Manage ConnectEMC. For detailed instrctions and more information abot provisioning the ESRS device client on storage processor featre, see the Unisphere online help. Proxy Server If the VNX block system will se a proxy server to connect to the Internet, yo mst indicate this when yo configre the ESRS. Yo mst provide the following information for the proxy server: Protocol (HTTPS or SOCKS) IP address Port nmber If the proxy server reqires athentication, yo mst also indicate this dring the ESRS configration and spply login credentials for the proxy server. Yo mst spply both a sername and password for athentication. If yo install a proxy server on a non-standard port, yo will need to enter a port nmber to se the proxy server. If the port is not specified, the system defalts to the appropriate standard port for the given proxy type, port 3128 for the HTTP protocol or port 1080 for the SOCKS protocol. Policy Manager If the VNX block system will se a Policy Manager to set athorization permissions, yo mst indicate this when yo configre the ESRS. Yo mst provide the following information for the Policy Manager: Indicate whether the connection to the Policy Manager needs to be secre (SSL will be sed in the connection to the Policy Manager); otherwise, SSH is sed in the connection to the Policy Manager. IP address Port nmber If the Policy Manager will se a proxy server to connect to the VNX block system, yo mst indicate this when yo configre the ESRS. Yo mst provide the following information for the Policy Manager's proxy server: Protocol (HTTPS or SOCKS) IP address Port nmber If the Policy Manager's proxy server reqires athentication, yo mst also indicate this dring the ESRS configration and spply login credentials for the proxy server. Yo mst spply both a sername and password for athentication. While yo configre a policy manager, yo have the option to change the defalt port if yo choose to se a non-secre transport. In this case, yo will need to enter a port nmber for the policy manager proxy server. If yo do not specify the port, then a defalt proxy server port is sed. The system defalts to the appropriate standard port for the given protocol, port 3128 for the HTTP protocol or port 1080 for the SOCKS protocol. The 20 VNX1, VNX2 EMC Secre Remote Spport for VNX
ESRS device client on storage processor featre defalt ports for the Policy Manager are 8443 for secre commnication or 8090 if not secre. Re-provision ESRS embedded device client on the storage processor Yo may need to re-provision the ESRS device client on the storage processor featre for any of the following reasons: To add or remove a Proxy Server or change existing Proxy Server settings To add or remove a Policy Manager or associated Proxy Server or change existing Policy Manager settings, inclding settings for an associated Proxy Server As a prereqisite for yo to re-provision the ESRS embedded device client on the storage processor in yor VNX block system, yo mst have already provisioned the ESRS featre. Also, to re-provision the ESRS device client on storage processor featre in Unisphere, yo mst be logged in to the storage processor as User administrator. See Provision ESRS embedded device client on storage processor on page 19 for information. Upgrade ESRS embedded device client on storage processor The ESRS embedded device client on storage processor featre is packaged into the VNX OE for block. Upgrade of the device client or associated featres will only be delivered as part of a VNX OE for block software pgrade. Captre array configration data settings VNX OE for block versions later than 5.32.000.5.209 and earlier than 5.33 provide a mechanism in Unisphere to manage the schedling of captring yor VNX Block system configration data. The resltant file will be sent throgh ConnectEMC to EMC backend systems. Yo mst be logged in to Unisphere with Administrator privileges to se this featre. To manage the schedle to captre yor VNX Block system configration data, select yor system and from the task list, nder Service Tasks, select Captre Configration Data. The following is a list of the actions that yo can take: EMC recommends sing the defalt settings, especially the setting for the time of day to start the captre of yor VNX Block system configration data and the settings for those days on which to captre yor VNX Block system configration data. Enable or disable the related fields and controls. Select the freqency, in weeks to captre yor VNX Block system configration data. Schedle the time of day to start the captre of yor VNX Block system configration data. Select those days on which to captre yor VNX Block system configration data. Select to immediately captre yor VNX Block system configration data and send the reslting file throgh ConnectEMC to EMC backend systems. Re-provision ESRS embedded device client on the storage processor 21
ESRS device client on storage processor featre 22 VNX1, VNX2 EMC Secre Remote Spport for VNX
CHAPTER 4 ESRS IP Client for VNX featre This chapter describes the reqirements for installing the ESRS IP Client for VNX software. It explains how to access and download the ESRS IP Client UI-based installer wizard from the EMC Online Spport website. It describes how to rn the installation wizard that is sed to download and se ESRS IP Client Management Utility to manage all the ESRS IP Client software components. These components are reqired so yo can: Set p a centralized monitoring environment for yor VNX or legacy systems Specify control stations rnning on each version of VNX or legacy systems that can connect to the monitor station and send ConnectHome notifications to yor service provider. After completing the installation or pgrade of yor ESRS IP Client software on the monitor station, what yo do next depends on the type of systems that have been added to yor ESRS IP Client configration. Major topics inclde: ESRS IP Client reqirements... 24 New installation... 25 Upgrade... 28 Verify HTTPS connectivity dring pre-installation... 29 Installation wizard...30 Download and install ESRS IP Client software...30 Add monitor station to RemotelyAnywhere IP address filter tables...31 Change HTTPS commnications secrity... 33 Make changes sing Unisphere UI...33 ESRS IP Client for VNX featre 23
ESRS IP Client for VNX featre ESRS IP Client reqirements Refer to the EMC Serviceability Release s for the latest ESRS IP Client environment and systems reqirements. The version of ESRS IP Client software mst be at or later than the version of the management software bndled with the VNX Operating Environment (OE) rnning on each VNX for block or legacy system that is being monitored. Also, legacy Celerra systems are not spported by ESRS IP Client; only VNX for file/nified is spported. ESRS IP Client installation reqires: Monitor station: The monitor station mst be a host or virtal machine with one or more CPUs at a minimm speed of 2.2 GHz, mst be SSE and/or SSE2 spported, have a total physical memory size of 2 GB or greater and 1 GB of hard disk space, mst be rnning a spported Windows operating system, have the.net Framework version 2.0 installed, and se JRE revision 6.0 pdate 29 or later for 32-bit system (JRE for 32-bit system is also reqired for 64-bit Windows). The monitor station cannot be a client (host connected to storage-system data ports), and the monitored systems mst be able to connect to it over yor network. Also, the ESRS IP Client for VNX and the Unisphere Server for Windows cannot coexist on the same server. A preinstallation check in the ESRS IP Client for VNX prevents installation of the ESRS IP Client for VNX on a system that already has the Unisphere Server installed on it. For more information abot the monitor station, refer to the Setting Up a Unisphere Management Station for the VNX Series docment. For the latest list of spported Windows operating systems, refer to the EMC Serviceability Release s. If yo do not have an existing monitor station Yo can create a monitor station by installing ESRS IP Client on a Windows host. If yo have an existing monitor station rnning CLARalert (precrsor to ESRS IP Client for VNX) Yo can pgrade to the ESRS IP Client on the monitor station. If yo have an existing monitor station rnning event monitor Yo can install the ESRS IP Client on the monitor station. Fixed or static IP address: The monitor station mst have a fixed or static IP address. If dynamic host control protocol (DHCP) is sed, yo mst configre a reserved IP address. The ESRS IP Client wizard atomatically detects and configres the ESRS IP Client with the IP address for the monitor station, which is reqired for the ESRS IP Client installation. Open TCP Ports from the monitor station to yor service provider: The monitor station ses the following TCP ports to connect to yor service provider: TCP port 443 (for HTTPS, otbond) TCP port 8443 (for HTTPS, otbond); not reqired for fnctionality, however withot this port being opened there will be a significant decrease in remote spport performance. Open TCP Ports from the monitor station to yor storage systems: The monitor station ses the following TCP ports to connect to the storage systems: TCP port 80 (for HTTP, inbond/otbond) 24 VNX1, VNX2 EMC Secre Remote Spport for VNX
ESRS IP Client for VNX featre TCP port 443 (for HTTPS, inbond/otbond) TCP port 25 (for the SMTP server, otbond) TCP port 6389 (for the Unisphere Host Agent, inbond/otbond) TCP port 5414 (for the EMCRemote Client, otbond) TCP port 9519 (for RemotelyAnywhere on VNX OE for block or legacy systems, otbond) TCP port 6391, 6392, and 60020 (for the Remote Diagnostic Agent, otbond) TCP port 22 (for the CLI with SSH) TCP port 13456 (for KTCONS) TCP port 22 and 9519 (for RemoteKtrace) TCP port 80, 443, 2162, 2163, and 8000 (for Unisphere Service Manager, Unisphere, and Navisphere Secre CLI) Proxy server: If the monitor station connects to the Internet throgh a proxy server, yo mst indicate this dring the ESRS IP Client installation and provide the IP address, port, and protocol (HTTPS or SOCKS) for the proxy server. If the proxy server reqires athentication (SOCKS is spported only with athentication), yo mst also indicate this dring installation and spply login credentials for the proxy server. Yo mst spply both a sername and password for athentication. EMC Online Spport accont: Yo mst have an existing EMC Online Spport accont. Yo are reqired to log in to the EMC Online Spport website at http:// Spport.EMC.com and spply yor valid storage-system serial nmber before yo can download and install the ESRS IP Client software. Registered monitoring site: The monitoring site mst be registered on EMC Online Spport. Dring the ESRS IP Client installation, yo mst specify contact information that incldes the name, email address and phone nmber of a person to contact at the monitoring site. New installation For a new ESRS IP Client installation, the installation wizard atomatically installs a commnication infrastrctre that spports secre inbond/otbond commnication (SSL) as the primary commnication method with yor service provider. This commnication infrastrctre notifies yor service provider of events (Call Home featre, see Figre 2 on page 26). New installation 25
ESRS IP Client for VNX featre Figre 2 ESRS IP Client commnication infrastrctre - Call Home example Centralized monitor station rnning ESRS IP Client Call Home (SSL) Service provider (SSL) (SSL) LAN (SSL) (SSL) (SSL) Event Event Event Storage Systems (VNX shown) GEN-001578 This same commnication infrastrctre is sed to send ConnectHome data from yor specified VNX device(s) (the associated control station(s) that are connected to the monitor station) or legacy systems to yor service provider and to provide yor service provider with remote access to yor VNX devices or legacy systems (see Figre 3 on page 27). 26 VNX1, VNX2 EMC Secre Remote Spport for VNX
ESRS IP Client for VNX featre Figre 3 ESRS IP Client commnication infrastrctre - Remote access example Centralized monitor station rnning ESRS IP Client Remote access (SSL) Service provider LAN (SSL) (SSL) (SSL) (SSL) (SSL) Storage Systems (VNX shown) GEN-001579 The defalt athorization permission for remote access to yor VNX or legacy systems is set to always allow. If yo reqire more control over remote access to yor VNX or legacy systems, yo can se a Policy Manager to set athorization permissions. The Policy Manager software component is installed on a cstomer-spplied server. It controls remote access to yor devices, maintains an adit log of remote connections, and spports file transfer operations. Yo can control who, what, and when, and even why access to yor system has occrred. For additional information on Policy Manager, go to the EMC Online Spport website (Spport.EMC.com). After logging in, locate the applicable Spport by Prodct page and the link for the specific prodct technical docmentation. Before the ESRS IP Client software installation starts, yo need to configre the proxy settings if the server ses a proxy server to connect to the Internet. Also, yo are reqired to enter the credentials to log in and provide the Cstomer Contact Information as commnication methods. When the ESRS IP Client software installation completes, yo need to lanch the ESRS IP Client Management Utility to add new system(s) to be monitored. Yo enter the IP address of a system to access it. Once yo log into the system, the ESRS IP Client Management Utility will obtain a list of all the systems in the same domain. Yo can add one or more discovered systems to be monitored by selecting them in Add System dialog. The application will ignore the system(s) that are already being monitored. It will also designate an Storage Processor that is rnning on the latest VNX OE for block as the Host Agent portal system if there is no existing portal system. If the version of the VNX OE for New installation 27
ESRS IP Client for VNX featre block of the existing portal system is older than the VNX OE for block of the newly added system, the portal system will be migrated to the new SP atomatically. The ESRS IP Client Management Utility application allows yo to configre and manage the systems yo added throgh the following operations: Add System. Add a system to be monitored. Save Changes. Save the changes yo made to systems being monitored. Cancel Changes. Drop the changes yo made to the systems being monitored. Configre Local Email. Specify an email address of a designated local ser. Configration Captre Settings. Captre the configration data of selected system(s) and send it to EMC periodically. Captre Configration Now. Captre the real-time configration data of selected system(s) manally. Remove System. Remove the selected system(s) from the list of systems being monitored. Send Test Alert. Send ot an email alert for the prpose of testing. Upgrade Only ESRS IP client pgrades within versions 1.3.x.x or later are spported. Upgrades from previos ESRS IP Client or CLARalert versions (1.0.x.x, 1.1.x.x, or 1.2.x.x to 1.3.x.x) are not spported. For these previos versions, record the IP addresses of the system(s) that are crrently being monitored, ninstall the crrent software and reboot the client, install this version and then re-add the systems. Yo can ninstall the ESRS IP Client for VNX, by selecting Add/Remove Programs from the Windows control panel. If AHA or UDoctor have been installed, they shold be ninstalled. Dring the installation, yo will need: Internet access An EMC Online Spport (Powerlink) accont The serial nmber of one system installed at the cstomer site and associated with the ser s Powerlink accont The name of the cstomer site Internet proxy settings, if reqired SMTP server name, if backp email will be configred Record the systems that are being monitored by this configration: Start the ESRS Configration Tool GUI and select the Managed Devices tab and execte the Refresh btton. Record the systems serial nmbers and IP addresses that will be re-added to the new installation. (Program Files > ESRS > Configration Tool). 28 VNX1, VNX2 EMC Secre Remote Spport for VNX
ESRS IP Client for VNX featre There is also a Configration Tool text file that contains the monitored systems data. First execte the Refresh btton from the Managed Devices tab. Navigate to Program Files\EMC\ESRS IP Client\Gateway directory. Open the EsrsConfigTool text file and scroll to the end of the file. All monitored systems are recorded in this file after the refresh. CLARiiON and VNX for Block systems: record the address of SPA VNX for File systems: record the address of the Control Station This version of the ESRS IP Client will not block the ser from installing over an existing version, bt EMC does not recommend doing so. After the ESRS IP Client installation, lanch the Management Utility to add or remove systems. The software will atomatically create a portal system and configre yor centralized monitoring environment for VNX and CLARiiON storage systems. Yo can add VNX for Block and CLARiiON storage systems to yor centralized monitoring environment sing Unisphere/Navisphere Manager. See the EMC Unisphere/Navisphere Manager online help for more information. Installation on a Windows 7 or Windows Server 2008 host with the Windows firewall enabled reqires yo to open TCP/IP port 6389 inbond/otbond for C:\Program Files (x86)\emc\hostagent\hostagent.exe to allow the Unisphere Host Agent to fnction properly. This mst be done before yo install the ESRS IP Client. If the port is blocked, the installation will fail becase the client will not be able to commnicate with the target storage systems. Verify HTTPS connectivity dring pre-installation The ESRS IP Client installer wizard verifies the following IP address names for HTTPS connectivity dring pre-installation: EMC Registration: https://esrs.emc.com https://esrs.emc.com:443 ESRS Core (for gateway pings): https://esrs-core.emc.com:80 https://esrs-core.emc.com:443 Global access server: https://esrgweprd01.emc.com:443 https://esrgweprd02.emc.com:443 https://esrgweprd03.emc.com:443 https://esrghoprd01.emc.com:443 https://esrghoprd02.emc.com:443 https://esrghoprd03.emc.com:443 https://esrgckprd01.emc.com:443 https://esrgckprd02.emc.com:443 Verify HTTPS connectivity dring pre-installation 29
ESRS IP Client for VNX featre https://esrgckprd03.emc.com:443 https://esrgscprd01.emc.com:443 https://esrgscprd02.emc.com:443 https://esrgscprd03.emc.com:443 https://esrgspprd01.emc.com:443 https://esrgspprd02.emc.com:443 https://esrgspprd03.emc.com:443 HTTPS connectivity is reqired for the ESRS core and ESRS UI IP address names and at least for of the global access server IP address names. EMC recommends that all the global access server IP address names listed above shold be accessible for HTTPS connectivity. Installation wizard The installation wizard will prompt yo to select an installation mode for ESRS IP Client. This docment describes the cstomer installation mode only. It is the recommended installation mode and is spported for cstomers performing a new ESRS IP Client installation or pgrade. The installation wizard gides yo throgh the ESRS IP Client installation process. Yo can se the wizard for a new ESRS IP Client installation, or to pgrade an existing 6.22 or later CLARalert or ESRS IP Client for CLARiiON environment. An EMC service provider or EMC athorized partner mst perform pgrades to an existing CLARalert environment that is rnning a CLARalert version earlier than 6.22. Download and install ESRS IP Client software Yo can access and download the ESRS IP Client UI-based installer wizard from the EMC Online Spport website. Use the wizard to download and configre all the ESRS IP Client software components reqired to set p a centralized monitoring environment for yor VNX and legacy systems. Before yo begin 30 VNX1, VNX2 EMC Secre Remote Spport for VNX Do not install the ESRS IP client for VNX on an ESRS gateway server. Before installing the ESRS IP client for VNX on a Windows 7 host with the Windows firewall enabled, ensre TCP/IP port 6389 is open. TCP/IP port 6389 mst be open to allow the Unisphere Host Agent to fnction properly. If TCP/IP port 6389 is blocked, the installation will fail becase the client will not be able to commnicate with the target storage systems. The HostAgent.exe is located at C:\Program Files\EMC\HostAgent \HostAgent.exe for 32 bit Windows versions and C:\Program Files (x86)\emc \HostAgent\HostAgent.exe for 64 bit Windows versions. Also, the ESRS IP Client for VNX and the Unisphere Server for Windows cannot coexist on the same server. A pre-installation check in the ESRS IP Client for VNX will prevent installation of the ESRS IP Client for VNX on a system that already has the Unisphere Server installed on it. If this is the case, ninstall the Unisphere Server before installing the ESRS IP Client for VNX. The ESRS IP Client for VNX ses the presence of the registry key HKEY_LOCAL_MACHINE\Software\EMC\ManagementServer to determine if the Unisphere Server is installed. If that key is not removed by the Unisphere Server ninstaller, it can prevent the ESRS IP Client for VNX from being installed. Yo can delete
ESRS IP Client for VNX featre the key from the registry by sing regedit command and then yo shold be able to install the ESRS IP Client for VNX. From the monitor station: Procedre 1. Go to the EMC Online Spport website at http://spport.emc.com and locate the Download page and the link to download the ESRS IP Client for VNX software. 2. Select Download ESRS IP Client and save the software to yor monitor station. 3. In the folder where yo saved the ESRS IP Client, doble-click the ESRS IP Client exectable file or if necessary, right-click the file and select Rn as to rn the installation wizard sing a different ser's credentials. 4. Follow the steps in the wizard to complete the installation. For VNX OE for block and legacy systems that are deployed in this ESRS IP Client configration, yo mst add the monitor station IP address to the RemotelyAnywhere filter tables of those systems. See Add monitor station to RemotelyAnywhere IP address filter tables on page 31 for detailed information. Reslts For a list of the IP address names verified for HTTPS connectivity dring the preinstallation checks, see Verify HTTPS connectivity dring pre-installation on page 29. Also, the ESRS IP Client software installation generates for log files. Two of these log files (esrsagent_installer.log and esrsipclient_installer.log) are located nder the ser's home directory in the EMC\ESRSIPClient folder. The other two logs, esrs_rscapi.log, and esrs_jema.log, are located in the directory where the ESRS IP Client is installed. The esrs_rscapi.log log is created for VNX for block registrations only. The esrs_jema.log log is created for VNX for file registrations only. Add monitor station to RemotelyAnywhere IP address filter tables Perform this procedre for VNX OE for block and legacy systems in this ESRS IP Client configration. By defalt, this featre adds an always-on, additional layer of secrity that restricts the se of remote service tools to the system's service ports. Administrators and secrity administrators can extend remote service tool access to a system's management ports by entering the IP addresses of the attached, trsted service clients. For IPv6 configrations, temporary private addresses are disabled on the system by defalt. EMC strongly recommends that yo also disable them on the client system. Procedre 1. Enter the SP A or SP B IP address or hostname in a spported browser address field and append the setp page path to the IP address or hostname, for example, http://ip address/setp or http://hostname/setp. The SP setp login page opens. Add monitor station to RemotelyAnywhere IP address filter tables 31