November 6th, 2015 11:00

Ask the Expert: Unleash your inner IT superhero with EMC’s next-gen customer experience roll-out and ESRS v3 Virtual Edition

Welcome to this Ask the Expert conversation. EMC is committed to delivering a best-in-class Customer Experience, and 2016 will see the roll-out of a true next-gen customer service transformation. But only EMC Customers who have connected with EMC via the EMC Secure Remote Services (ESRS) v3 platform are able to take full advantage of EMC's current and future CX innovations. We don't want anyone to miss out, so we've tapped a number of ESRS experts to answer your ESRS questions. Want to know more about how secure ESRS is? Curious about what you need to do to migrate from ESRS v2 to v3? Wondering what the future holds for customers who adopt ESRS v3? Post your question and join the conversation!

 

Meet Your Expert:

 

Lisa Grasso

Technical Program Manager

Lisa has been working at EMC for several years. She took a brief break in between to work in the GPS industry, and then returned. In her current role, she has learned more about EMC's remote applications than she ever thought possible.

Andy Sell 

Senior Manager GSRS

Since Andy joined EMC in 2011, he has managed a team of highly technical 24x7 customer service personnel that support remote connectivity capabilities and product security. Andy has over 20 years of experience supporting a wide range of security technologies, products, and solutions at companies such as SURAnet, BBN Planet, GTE Internetworking, Genuity, Symantec, and Bradford Networks.

   
Patrick Smith 

Principal Quality Engineer - ESRS

Patrick has been with EMC since 1998 and worked as a Customer Engineer and Field Support Specialist for the first 16 years. For the past year, he has worked at EMC's Corporate office within the ESRS product group as the Corporate ESRS SME. For the past 10 years, 90% of his time has been with ESRS from the most basic installs to the most complex.

 

This discussion takes place from Nov. 9th - 25th. Get ready by bookmarking this page or signing up for e-mail notifications.

 

Share this event on Twitter or LinkedIn:

>> We're rolling out our ESRS v3 Virtual Edition. Come and ask our SMEs your questions. http://bit.ly/1Q9bxsg #EMCATE <<

November 9th, 2015 08:00

This Ask the Expert session is now open for questions. For the next couple of weeks our Subject Matter Expert will be around to reply to your questions, comments or inquiries about our topic.

Let’s make this conversation useful, respectful and entertaining for all. Enjoy!

197 Posts

November 10th, 2015 07:00

We are a Policy server user that actually uses the approval process to allow access. Any consideration to having Service Request information be provided (maybe even required) to request access to a system? Today you need to be aware of an ongoing issue to really know why someone is attempting access, not always the case with larger staffs and a 24/7 support team.

157 Posts

November 10th, 2015 08:00

Hi,

We are in the process of building a pair of v3 gateways and the topic of where to place these is something I would like to get some direction on. As I see it in the implementation and planning guides, the recommended location of the gateways looks to be not in a DMZ, but inside, more "local" to the devices. In the old setup, we have the thing sitting in a DMZ, but of course you then have to punch a ton of holes through the FW's to allow in/out traffic, so my thinking is that locating the GW's internal and using NAT in conjunction with other security controls (policy manager, etc.), and only allowing the secure port in and out to the EMC remote IPs, seems to be the better approach. Of course, security folks disagree, but what do you see in the real world in complex environments with a LOT of devices?

thanks

(great idea BTW! for the discussion)

5 Practitioner

 • 

274.2K Posts

November 10th, 2015 11:00

We are planning to have PM implemented with AD authentication. The problem is that the customer has a strict rule to change the password for the Principal DN every 90 days.

So questions are:

  1. If the customer changes the password on the AD side after 90 days, will it impact PM working?
  2. Is there any way to change the password for the Principal DN on the PM side also, to match changes on the AD side?

1 Rookie

 • 

20.4K Posts

November 10th, 2015 11:00

We have a lot of devices per site (~30). Is that a lot?

Our EMC devices are connected to our normal local LAN and so the ESRS gateways are placed on the same network. We have specific subnets that allow inbound access from the internet only if the connection was first initiated from within that subnet. So in the case of the ESRS gateway, it talks to EMC first and only then can EMC techs connect through the gateway.

19 Posts

November 10th, 2015 13:00

hershal wrote:

We are a Policy server user that actually uses the approval process to allow access. Any consideration to having Service Request information be provided (maybe even required) to request access to a system? Today you need to be aware of an ongoing issue to really know why someone is attempting access, not always the case with larger staffs and a 24/7 support team.

Hi, currently we have the ability to enter the SR# and a description on a device that requires approval through the Policy Manager, but as you alluded to, it's optional. We have considered making it mandatory but determined that it would result in bad information being entered. We have an enhancement request in to automate some information so that it will auto-populate, but we don't have a date on when it will be available.

In the meantime, your account team should be able to enter site messages in our customer database to note what information you would like provided every time access is requested.

-Patrick

19 Posts

November 10th, 2015 14:00

ysitnikov wrote:

We are planning to have PM implemented with AD authentication. The problem is that the customer has a strict rule to change the password for the Principal DN every 90 days.

So questions are:

  1. If the customer changes the password on the AD side after 90 days, will it impact PM working?
  2. Is there any way to change the password for the Principal DN on the PM side also, to match changes on the AD side?

Hi, if the password expires prior to changing it in the PM, then users will not be able to log in until it's changed. Everything else will continue to function outside of items that would require someone to log in (approval requests etc.). To change the password on the PM, see page 362 of the PM Ops Guide.

19 Posts

November 10th, 2015 14:00

downhill wrote:

Hi,

We are in the process of building a pair of v3 gateways and the topic of where to place these is something I would like to get some direction on. As I see it in the implementation and planning guides, the recommended location of the gateways looks to be not in a DMZ, but inside, more "local" to the devices. In the old setup, we have the thing sitting in a DMZ, but of course you then have to punch a ton of holes through the FW's to allow in/out traffic, so my thinking is that locating the GW's internal and using NAT in conjunction with other security controls (policy manager, etc.), and only allowing the secure port in and out to the EMC remote IPs, seems to be the better approach. Of course, security folks disagree, but what do you see in the real world in complex environments with a LOT of devices?

thanks

(great idea BTW! for the discussion)

Hi, great question! One of the things that many customers like about ESRS is how flexible it is. We don't dictate where it should go because every customer's security policies differ, but in the real world I have typically seen it 50/50.

-Patrick

157 Posts

November 10th, 2015 15:00

Interesting concept. I don't know how that works if the things dial home say at 7pm but nobody gets the ticket for an hour or 2, how do you make the outbound initiated call? Right before they need to login?

Is it purely a firewall rule then?

thanks

19 Posts

November 10th, 2015 16:00

downhill wrote:

Interesting concept. I don't know how that works if the things dial home say at 7pm but nobody gets the ticket for an hour or 2, how do you make the outbound initiated call? Right before they need to login?

Is it purely a firewall rule then?

thanks

Hi, when a device connects home at 7pm, the file is processed and queued appropriately. When the SR is picked up, the technician requests a remote session to the device for a specific application, which will be one or more ports against the device's IP address. That request sits on our system until the ESRS server connects to EMC over its 30-second heartbeat. During that heartbeat, if a remote session request is found, it will initiate another outbound connection to our GAS (Global Access Servers) based on your policies. Once that connection is created, we tunnel in directly to the device requested and the associated ports. In our Technical Description document this process is more detailed on pages 20 and 21.

-Patrick
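As an added illustration (not part of the original thread and not EMC code), the following toy model walks through the flow described in the reply above: session requests wait on the vendor side until the gateway's next outbound heartbeat, and the gateway applies local policy before opening a tunnel. The policy format (`allow`/`ask`/`deny`), the class and function names, and all SR numbers and IP addresses are assumptions constructed for the example.

```python
from dataclasses import dataclass, field

HEARTBEAT_SECONDS = 30  # interval stated in the reply above

@dataclass(frozen=True)
class SessionRequest:
    sr_number: str   # constructed sample value
    device_ip: str   # constructed sample value
    ports: tuple

@dataclass
class Gateway:
    # Hypothetical policy format: device IP -> "allow" | "ask" | "deny".
    policy: dict
    audit: list = field(default_factory=list)

    def heartbeat(self, now, waiting, approved):
        """One outbound poll: decide each waiting request, return tunnels to open."""
        opened = []
        for req in waiting:
            action = self.policy.get(req.device_ip, "deny")  # unlisted device: deny
            if action == "ask" and req.sr_number in approved:
                action = "allow"
            self.audit.append((now, req.sr_number, req.device_ip, action))
            if action == "allow":
                opened.append((now, req.device_ip, req.ports))
        return opened

def simulate(gateway, arrivals, until, approved=frozenset()):
    """arrivals: list of (time, SessionRequest). Requests wait vendor-side
    until the next heartbeat; the gateway never accepts an inbound connection."""
    tunnels = []
    for now in range(0, until + 1, HEARTBEAT_SECONDS):
        waiting = [r for t, r in arrivals if now - HEARTBEAT_SECONDS < t <= now]
        tunnels += gateway.heartbeat(now, waiting, approved)
    return tunnels

def demo():
    gw = Gateway(policy={"10.0.0.5": "allow", "10.0.0.6": "ask", "10.0.0.7": "deny"})
    arrivals = [
        (47, SessionRequest("SR-0001", "10.0.0.5", (22, 443))),
        (50, SessionRequest("SR-0002", "10.0.0.6", (443,))),
        (95, SessionRequest("SR-0003", "10.0.0.7", (22,))),
        (100, SessionRequest("SR-0004", "10.0.0.99", (22,))),  # not in policy
    ]
    return simulate(gw, arrivals, until=120, approved={"SR-0002"}), gw.audit
```

In this model the audit list records every decision, including denials, which is the record a reviewer would check against open service requests.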

157 Posts

November 10th, 2015 16:00

Wow, that is even slicker than I imagined. That seems like the ticket.

Thanks

1 Rookie

 • 

20.4K Posts

November 10th, 2015 21:00

When the ESRS gateway does its normal heartbeat call to the mothership at EMC, it establishes a firewall session (outbound); the same session is used for EMC to connect to the device (if someone at EMC is actually trying to get into the device).

5 Practitioner

 • 

274.2K Posts

November 11th, 2015 07:00

We found recently that there is a new IP address scheme for EMC ESRS (KB000013285).

The article has been modified several times (last time it was modified today, 11/11). Are we good to go with the new scheme?

The customer submitted firewall requests 2-4 weeks ago with the old scheme.

So questions are:

1. Can we still use the old scheme? For how long?

2. There is a built-in network check in ESRS VE which uses addresses from the old scheme. Will it work with the new scheme?

3 Posts

November 12th, 2015 00:00

Hi, I have a problem where ESRS-VE is sending encrypted notifications to EMC and the customer. No encryption is set in ConnectEMC on VMAX. The customer is asking so he can read the notifications.

November 12th, 2015 02:00

Hi,

We disabled ESRS some time ago due to the outcome of an external security audit on ESRSv2. From an operational perspective we really miss the flexibility of having remote support via ESRS.

However, we are not allowed to re-enable ESRS without a clean bill-of-health from a reputable security auditor.

Was ESRSv3 audited by a reputable external security specialist?

If so, can we obtain a report of their findings? (If required we are willing to sign an NDA).

If EMC does not conduct such audits on ESRS, why not?
