
11 Legend • 20.4K Posts • 87.4K Points


June 3rd, 2008 12:00

VPN based call-home for DMX

Hi guys,

I apologize if this question does not belong here, but I'll ask anyway ;). We are bringing a new datacenter online and I would like to investigate alternative ways to set up call-home for my DMX. Right now I have a bunch of modems sitting underneath each frame, but I want to see if there is a more cost-effective way; as we are using colocation space from another company for our remote datacenter, they charge out of the wazoo for phone lines. Does anybody use this alternative way to get call-home functionality? Any other pros/cons you can share?

Thanks

2.2K Posts

June 3rd, 2008 14:00

The software and service is free; you just have to supply the hardware. I grabbed some old HP DL380s that were off warranty and use them since there is redundancy in the gateways and I can afford to lose one old server. There are three components: the two redundant gateways and a policy server. The policy service does not have to be a dedicated server; we run it on one of our SAN management servers.

Your local CE will come out and install the software and set everything up once you have the servers ready.

11 Legend • 20.4K Posts • 87.4K Points

June 3rd, 2008 13:00

Yep, I am looking at Secure Gateway. I am going to read all the planning guides, but in short, do you just string RJ11 cables from service processors to this appliance? Is it an appliance or just a software package (looking at Allen's comment)?

6 Operator • 2.1K Posts

June 3rd, 2008 13:00

We have been investigating the Secure Gateway solution from EMC, but haven't actually implemented it yet. So far it looks good, but we have to provide our own servers to run on. I believe they just recently certified this running on a VM, so that may make the move easier.

I'll let you know if we make any progress on this, as we are really looking toward getting rid of the MODEMs to improve our security.

2 Intern • 292 Posts

June 3rd, 2008 13:00

I'm looking for additional information to give, but I believe ESRS would be an option.

2 Intern • 292 Posts

June 3rd, 2008 13:00

EMC Secure Remote Support (ESRS). If you do a search in Powerlink you should find a manual called Secure Remote Support Gateway Operations Guide that would give additional information, but I will try to give a scaled-down version. Basically, here is what it is: your DMX service processor is connected to a local LAN that goes into a gateway, then out through the public internet to connect to EMC's backend environment. All communication between the customer's site and EMC is initiated by the Gateway server agent at the customer's site. Using industry standard Secure Sockets Layer (SSL) encryption over the Internet and EMC-signed digital certificate authentication, the Gateway creates a communications tunnel.

2.2K Posts

June 3rd, 2008 14:00

We use ESRS to enable call-home for our DMX, Centeras, and CLARiiONs because our data center doesn't have any phone lines.

Dynamox,
You just run a network cable to the service processor on the DMX; your CE will have to enable network access for ESRS on the service processor. We used cheap 1U servers and set up the redundant gateway solution. So far it has worked well; we set it up about four months ago and haven't had to touch it since.

11 Legend • 20.4K Posts • 87.4K Points

June 3rd, 2008 14:00

OK, in my shop I am not allowed to put management interfaces on the local LAN, too many kids with way too much time trying to hack into everything (I work at a university) :) ... Do you know if this Gateway service is an extra cost to the customer?

2.2K Posts

June 3rd, 2008 14:00

Nope. The Centera, Celerra, and CLARiiON are already on the local LAN, right, and are accessed that way for management purposes? So the service processor gets put on the local LAN as well.

11 Legend • 20.4K Posts • 87.4K Points

June 3rd, 2008 14:00

I see... I am looking at the diagram in the document Mike mentioned and they show Symm, Celerra, Centera connected to a private LAN. Is that how you have it set up?

11 Legend • 20.4K Posts • 87.4K Points

June 3rd, 2008 19:00

Thanks Aran... do all 3 servers have to be running Windows? I looked through the documentation but could not find anything. I am thinking since the gateway server has to run EMConnect it's Windows only, but how about the policy server?

6 Operator • 5.7K Posts

June 4th, 2008 01:00

We have the EMC Secure Remote Support Gateway set up and running, monitoring 5 DMXs in 3 data centers. So far it works just fine with 1 remark: if you have firewalls in between with improper rules or if you have some other sort of communication failure between data centers, you will have an issue. I believe that EMC monitors DMXs in such a way that when no life sign is detected from a DMX for more than a week, they'll call you to ask what's going on.

We have 2 gateways and 1 policy server. The 2 GWs are in 2 different DCs and since the policy server is not redundant we accept downtime of the policy server (meaning we cannot make changes to policies when it's down), but access from EMC is granted based upon existing policies which are cached on the GWs.

6 Operator • 2.8K Posts

June 4th, 2008 03:00

I love this thread .. it's all about networking and security .. my private passion !!! :D

A lot to learn .. a lot to read .. ThX Dynamox, Rob, AranH and everybody else !! ]:)

11 Legend • 20.4K Posts • 87.4K Points

June 4th, 2008 03:00

Thanks Rob. Since gateway servers have to be dual-homed (one NIC to the private network, one NIC to the LAN), I will try to lock down the gateway's LAN interface as much as possible, but at the same time I don't want to kill functionality. I have to get whatever design I come up with past my security people, as they hate to see dual-homed systems. If somebody hacks my gateway they will have access to all my EMC hardware... and that to me is worse than hacking a modem.

6 Operator • 5.7K Posts

June 4th, 2008 04:00

The ESRSG only uses so many ports. I think the installation manual lists all ports used for DMX, CLARiiON, Celerra, Centera... so you don't need to have all ports open!
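An added example, not part of the thread and not EMC code: a rule audit for the dual-homed gateway discussed above, checking that the LAN side allows only gateway-initiated SSL to the vendor and that the private side allows only the documented device ports. Every address and port number is a constructed placeholder (the real port list comes from the installation manual), 443 is an assumed tunnel port, and traffic to the policy server is not modelled.

```python
import ipaddress

# Every address and port here is a constructed placeholder, not a real EMC value.
VENDOR_NET = ipaddress.ip_network("203.0.113.0/24")  # placeholder vendor endpoints
DEVICE_NET = ipaddress.ip_network("192.0.2.0/24")    # placeholder private array LAN
TUNNEL_PORT = 443             # assumed port for the gateway-initiated SSL tunnel
DEVICE_PORTS = {9001, 9002}   # placeholder; take the real list from the manual

def audit(rules):
    """Return (rule_number, reason) for each allow rule wider than the design needs."""
    findings = []
    for n, r in enumerate(rules, 1):
        if r["action"] != "allow":
            continue
        remote = ipaddress.ip_network(r["remote"])
        if r["iface"] == "lan":
            if r["dir"] == "in":
                # The gateway initiates all EMC sessions, so the tunnel needs no inbound rule.
                findings.append((n, "inbound allow on LAN interface"))
            elif r["port"] != TUNNEL_PORT:
                findings.append((n, "LAN egress on a non-tunnel port"))
            elif not remote.subnet_of(VENDOR_NET):
                findings.append((n, "LAN egress wider than vendor range"))
        elif r["iface"] == "private":
            if r["port"] not in DEVICE_PORTS:
                findings.append((n, "private-side port not in documented list"))
            elif not remote.subnet_of(DEVICE_NET):
                findings.append((n, "private-side peer outside array LAN"))
        else:
            findings.append((n, "rule on unknown interface"))
    return findings

# Constructed sample ruleset for a gateway with "lan" and "private" NICs.
SAMPLE_RULES = [
    {"iface": "lan", "dir": "out", "port": 443, "remote": "203.0.113.10", "action": "allow"},
    {"iface": "lan", "dir": "in", "port": 3389, "remote": "0.0.0.0/0", "action": "allow"},
    {"iface": "lan", "dir": "out", "port": 443, "remote": "0.0.0.0/0", "action": "allow"},
    {"iface": "private", "dir": "out", "port": 9001, "remote": "192.0.2.20", "action": "allow"},
    {"iface": "private", "dir": "out", "port": 23, "remote": "192.0.2.20", "action": "allow"},
    {"iface": "lan", "dir": "in", "port": 22, "remote": "0.0.0.0/0", "action": "deny"},
]

if __name__ == "__main__":
    for number, reason in audit(SAMPLE_RULES):
        print(f"rule {number}: {reason}")
```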

6 Operator • 5.7K Posts

June 4th, 2008 07:00

I want points !!!!