HPE OneView

OneView 6.30 - Firewall Destination for Software Update

 
MarioE
Valued Contributor


There is a new feature in HPE OneView starting with version 6.30:

https://support.hpe.com/hpesc/public/docDisplay?docId=c05245290

HPE OneView User Experience Key Features
Software Update
Notification of new HPE Service Pack content — HPE OneView provides an option for users to receive notifications when a new HPE Service Pack for ProLiant (SPP) or HPE Synergy Service Packs (SSP) is released. Within the user interface (UI), you can opt to receive connected notifications from HPE. Additional details about the release are also included in the UI to help you make an informed decision about updating. A direct link to the HPE portal for downloading the content is also available from within the UI.

According to the documentation "HPE Remote Support Enablement in HPE OneView 6.0", HPE OneView communicates via port 443 to api.support.hpe.com.
What destination address and port does HPE OneView need for software update?

I can't find any documentation about this.

DanCernese
HPE Pro

Re: OneView 6.30 - Firewall Destination for Software Update

This picture might help.   HPE OneView 6.3 User Guide (which is in HTML now):

https://support.hpe.com/hpesc/public/docDisplay?docId=a00118217en_us&docLocale=en_US&page=s_security-open-ports-cic.html

 

I am an HPE Employee
ChrisLynch
HPE Pro

Re: OneView 6.30 - Firewall Destination for Software Update

Our new notification service uses the following endpoints (both via HTTPS, 443/TCP):

  • app.computeupdate.cloud.hpe.com 
  • midway.ext.hpe.com 

We are updating our end user docs to reflect these FQDNs.


I am an HPE employee


cesarpegado
Valued Contributor

Re: OneView 6.30 - Firewall Destination for Software Update

I'm glad someone already asked about this, as I was coming on the forum to ask this question.

Those 2 URLs: can you confirm if 443 needs opening in both directions, or is it just from OneView to those URLs?

Thanks

ChrisLynch
HPE Pro

Re: OneView 6.30 - Firewall Destination for Software Update

> I'm glad someone already asked about this, as I was coming on the forum to ask this question.
>
> Those 2 URLs: can you confirm if 443 needs opening in both directions, or is it just from OneView to those URLs?
>
> Thanks

This is outbound only.  The external service does NOT initiate the connection back to the appliance(s) you have onsite behind your firewall.


I am an HPE employee


MarioE
Valued Contributor

Re: OneView 6.30 - Firewall Destination for Software Update

We have released the two endpoints in our proxy.
However, I have an error message when activating them:

[Screenshot: 04-10-_2021_10-34-51.jpg]

The problem now is that the OneView appliance does not query the domain midway.ext.hpe.com, but always does the query via the IP address (e.g. 15.241.48.251). However, this is blocked for us.

If I allow the IP address from midway.ext.hpe.com in the proxy, the connection works.

Does this new feature still have a problem with resolving the domain?

DanCernese
HPE Pro

Re: OneView 6.30 - Firewall Destination for Software Update

I am aware of ~15 addresses that midway.ext.hpe.com may resolve to.  Your OneView is likely getting one of them and your firewall is getting a different one when you use the name.  Maybe your firewall is only using one of the resolutions.  nslookup will respond with ~15 IP addresses (and some IPv6) so it should allow all of those.  

I am an HPE Employee
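The check suggested in the reply above (every address the name resolves to has to be allowed, not just one) can be scripted. This is an added example, not part of the original thread and not HPE code; the function names are hypothetical and the allowlist entries are constructed placeholders from documentation address ranges.

```python
import ipaddress
import socket

# FQDNs and port are the ones named in this thread.
ENDPOINTS = ("app.computeupdate.cloud.hpe.com", "midway.ext.hpe.com")
PORT = 443


def resolve_all(fqdn, port=PORT):
    """Return every IPv4/IPv6 address the local resolver gives for fqdn."""
    infos = socket.getaddrinfo(fqdn, port, proto=socket.IPPROTO_TCP)
    return sorted({info[4][0] for info in infos})


def uncovered(addresses, allowlist):
    """Return the addresses that no allowlist entry (single IP or CIDR) covers."""
    nets = [ipaddress.ip_network(entry, strict=False) for entry in allowlist]
    missing = []
    for addr in addresses:
        ip = ipaddress.ip_address(addr)
        # Only compare an address against networks of the same IP version.
        if not any(ip.version == net.version and ip in net for net in nets):
            missing.append(addr)
    return missing


def audit(allowlist, endpoints=ENDPOINTS, resolver=resolve_all):
    """Map each endpoint to the resolved addresses the allowlist would block."""
    report = {}
    for fqdn in endpoints:
        gaps = uncovered(resolver(fqdn), allowlist)
        if gaps:
            report[fqdn] = gaps
    return report


if __name__ == "__main__":
    # Constructed allowlist (documentation ranges); replace with the real rules.
    sample_allowlist = ["192.0.2.0/28", "2001:db8::/64"]
    for name, gaps in audit(sample_allowlist).items():
        print(f"{name}: not allowed -> {', '.join(gaps)}")
```

Run it against the same DNS resolver the appliance uses, since a different resolver can hand back a different subset of the addresses.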
MarioE
Valued Contributor

Re: OneView 6.30 - Firewall Destination for Software Update

Our firewall engineer explained it to me like this:

We have enabled the domain midway.ext.hpe.com in the proxy. However, HPE OneView queries the proxy with the IP address, e.g. 15.241.48.251 (this is one of the 16 IP addresses that midway.ext.hpe.com resolves to). However, since the IP address 15.241.48.251 is not enabled in the proxy, HPE OneView cannot reach it externally.
Why does HPE OneView request the IP address 15.241.48.251 and not the domain midway.ext.hpe.com?

DanCernese
HPE Pro

Re: OneView 6.30 - Firewall Destination for Software Update

 
I am an HPE Employee
MarioE
Valued Contributor

Re: OneView 6.30 - Firewall Destination for Software Update

If HPE OneView requests the IP address from the proxy and not the domain midway.ext.hpe.com this will never work for us.

For Call Home, OneView seems to do this to others because we can do Call Home.