topic Re: ISEE without browser in Insight Remote Support

ISEE without browser

michael denny_1 — Thu, 05 May 2005 22:38:43 GMT

Is there a way to check (and confirm) ISEE connectivity with HP without starting up a browser (ie from the command line?). The mad.log file doesnt look overly reliable (ie reports failures even when working ok..)

Secondly, to ensure ISEE connectivity with HP thru a firewall, what ports should be allowed?

Any info much appreciated.
Thx

Re: ISEE without browser

Robert Bennett_3 — Fri, 06 May 2005 22:39:23 GMT

This is how I test my isee connection with HP:

/etc/opt/resmon/lbin/send_test_event -a sysstat_em

run this command on the server in question as root and notify HP that you are running this command for them to check that it reaches them.

The firewall question is more complicated. Here are a few questions we had for HP and their answers before we implemented our SPOP.

1. What steps are taken to "harden" the SPOP?
From a software perspective, the person who installs the OS can do whatever they need to as for a standard Windows system according to their internal company requirements â anti-virus, security tools, etc.
HP does not make recommendations as to additional security measures.
The SPOP protection depends largely on the Firewall. Communication is set up to/from specific sets of IP addresses.

2. Which web server is running on the SPOP?
IIS: Supports http 80 and https 443. http 80 listens for monitored client connections. https 443 listens for Map requests from HP.

Apache Tomcat: Supports https 8080 and http 2112. https 8080 supports guest connection for Map requests from HP. http 2112 is used internally and needs no external access capability.

3. Why aren't the MAP protocols tunneled via VPN?
The communication that goes back and forth between the SPOP and the content server is HTTPS. The engineer uses the VPN tunnel for Remote Access. Setting up the VPN is not automatic. It is user driven and requires user (real-time) authentication. Again, the VPN connection is user-based not system based. To use this for system access is not the purpose of the VPN. Since the communication associated with MAP requests and telemetry transfer is HTTPS, any gain realized by tunneling https via a VPN connection would be negligible.

MAP functionality was developed by Motive before Remote Access was developed by HP, thus they truly are independent. For the next release of ISEE MAP requests are pulled by the SPOP thus the inbound 443, 8080 requirements will be going away.

Today, MAPs will not work until we release an SPOP patch what will change the way MAPs are executed. Because of this, do not TCP 443 and 8080 through your firewall. Why open holes that can't/won't be used.

4. Would it be possible to tunnel http from the monitored client to the SPOP in the DMZ config via SSL?
The communication today from the client to the SPOP is HTTP. It is RSA encrypted then communicated via HTTP. This is built into the product. So at this point tunneling these types of communications is not supported nor planned.

Motive uses RSA technology to encrypt and protect connections from client to SPOP. This connection can be routed through a proxy.

At this point it would not be possible to modify Motive to use SSL.

5. Can we change the REP port to be something other then 3389?
Since this is built-in to Windows and we perform the connect to this port for any connections to the SPOP changing this would break the product. We could no longer perform the TS connection from HP to the SPOP. Currently, we do not "collect" or manage what the port is or could be. There is currently no plan to use anything but the standard port number.

6. Who provides the VPN software that resides on the SPOP?
HP uses the integrated into W2K; Routing and Remote Access service to implement L2TP/IPSec VPN connections.

Hope this helps

Re: ISEE without browser

Frank Alden Smith — Sat, 07 May 2005 06:42:14 GMT

Michael,

One way to test ISEE connectivity without a browser installed on the ISEE monitored server is to use telnet as follows:

strauss:/# telnet isee.americas.hp.com 80
Trying...
Connected to awtf907.external.hp.com.
Escape character is '^]'.

HTTP/1.1 400 Bad Request
Server: Microsoft-IIS/5.0
Date: Sat, 07 May 2005 11:11:41 GMT
Content-Type: text/html
Content-Length: 87

ErrorThe parameter is incorrect.

Connection closed by foreign host.
strauss:/#

There are other tools to test connectivity that are accessible only to HP folks; if you have access to HP internal sites contact me by company mail for more details.

The firewall port that must be opened for ISEE varies with ISEE architecture. The standard configuration requires port 80 be opened 'established' back. For the advanced configuration, which uses an SPOP (Support Point Of Presence) to forward the ISEE incidents from every ISEE Client in the enterprise to the HP Support Center, port 443 must be opened 'established' back.

Hope that answers your questions.

Take care,
frank

Re: ISEE without browser

Frauke Denker_2 — Mon, 09 May 2005 02:08:34 GMT

Hello Michael,
you can as well use the test scripts that ISEE provides, like /opt/hpservices/RemoteSupport/bin/iseeConnectivity.sh. If the test works that system will provide an ID to you (format: 123456789.1@). Go to the directory /opt/hpservices/incidents/123456789.1@ (or how ever your ID looks like). In this directory you will find a file named incident.dat, open it and check for "State =". If the connection works it should change to the value "9" which is the same like "CLOSED" in the UI.
Regards
Frauke

Re: ISEE without browser

michael denny_1 — Mon, 09 May 2005 19:12:40 GMT

Thx all for your input, Im nearly there now. First posting for me, a very helpful tool.

Lastly, can someone please tell me the the different values possible for 'State' in the incident log (as mentioned by Frauke) and the meaning of each?
Eg If 9=closed, what do 0, 4, 5, etc mean?

Cant find anything in the HP doco on this one...