Insight Remote Support

ISEE without browser

michael denny_1
Occasional Contributor

ISEE without browser

Is there a way to check (and confirm) ISEE connectivity with HP without starting up a browser (i.e. from the command line)? The mad.log file doesn't look overly reliable (i.e. it reports failures even when working OK).

Secondly, to ensure ISEE connectivity with HP through a firewall, what ports should be allowed?

Any info much appreciated.
Robert Bennett_3
Respected Contributor

Re: ISEE without browser

This is how I test my ISEE connection with HP:

/etc/opt/resmon/lbin/send_test_event -a sysstat_em

Run this command on the server in question as root, and notify HP that you are running it so they can check that it reaches them.

The firewall question is more complicated. Here are a few questions we had for HP and their answers before we implemented our SPOP.

1. What steps are taken to "harden" the SPOP?
From a software perspective, the person who installs the OS can do whatever they need to as for a standard Windows system according to their internal company requirements: anti-virus, security tools, etc.
HP does not make recommendations as to additional security measures.
The SPOP protection depends largely on the Firewall. Communication is set up to/from specific sets of IP addresses.

2. Which web server is running on the SPOP?
IIS: Supports http 80 and https 443. http 80 listens for monitored client connections. https 443 listens for Map requests from HP.

Apache Tomcat: Supports https 8080 and http 2112. https 8080 supports guest connection for Map requests from HP. http 2112 is used internally and needs no external access capability.

3. Why aren't the MAP protocols tunneled via VPN?
The communication that goes back and forth between the SPOP and the content server is HTTPS. The engineer uses the VPN tunnel for Remote Access. Setting up the VPN is not automatic. It is user driven and requires user (real-time) authentication. Again, the VPN connection is user-based not system based. To use this for system access is not the purpose of the VPN. Since the communication associated with MAP requests and telemetry transfer is HTTPS, any gain realized by tunneling https via a VPN connection would be negligible.

MAP functionality was developed by Motive before Remote Access was developed by HP, thus they truly are independent. For the next release of ISEE, MAP requests are pulled by the SPOP, thus the inbound 443, 8080 requirements will be going away.

Today, MAPs will not work until we release an SPOP patch that will change the way MAPs are executed. Because of this, do not open TCP 443 and 8080 through your firewall. Why open holes that can't/won't be used?

4. Would it be possible to tunnel http from the monitored client to the SPOP in the DMZ config via SSL?
The communication today from the client to the SPOP is HTTP. It is RSA encrypted then communicated via HTTP. This is built into the product. So at this point tunneling these types of communications is not supported nor planned.

Motive uses RSA technology to encrypt and protect connections from client to SPOP. This connection can be routed through a proxy.

At this point it would not be possible to modify Motive to use SSL.

5. Can we change the RDP port to be something other than 3389?
Since this is built in to Windows and we perform the connect to this port for any connections to the SPOP, changing this would break the product. We could no longer perform the TS connection from HP to the SPOP. Currently, we do not "collect" or manage what the port is or could be. There is currently no plan to use anything but the standard port number.

6. Who provides the VPN software that resides on the SPOP?
HP uses the Routing and Remote Access service integrated into W2K to implement L2TP/IPSec VPN connections.

Hope this helps
"All there is to thinking is seeing something noticeable which makes you see something you weren't noticing which makes you see something that isn't even visible." - Norman Maclean
Frank Alden Smith
Trusted Contributor

Re: ISEE without browser


One way to test ISEE connectivity without a browser installed on the ISEE monitored server is to use telnet as follows:

strauss:/# telnet 80
Connected to
Escape character is '^]'.

HTTP/1.1 400 Bad Request
Server: Microsoft-IIS/5.0
Date: Sat, 07 May 2005 11:11:41 GMT
Content-Type: text/html
Content-Length: 87

ErrorThe parameter is incorrect.

Connection closed by foreign host.

There are other tools to test connectivity that are accessible only to HP folks; if you have access to HP internal sites contact me by company mail for more details.

The firewall port that must be opened for ISEE varies with ISEE architecture. The standard configuration requires port 80 be opened 'established' back. For the advanced configuration, which uses an SPOP (Support Point Of Presence) to forward the ISEE incidents from every ISEE Client in the enterprise to the HP Support Center, port 443 must be opened 'established' back.

Hope that answers your questions.

Take care,

All knowing is doing.
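An added example, not part of the original post: a shell helper that interprets the raw reply of such a browser-less probe. Any HTTP status line, including the 400 shown above, confirms that the firewall path and the web server answered. The `classify_reply` and `probe` names and the use of `nc` are assumptions of this example, and the host must be supplied by the caller because the transcript does not show it.

```shell
#!/bin/sh
# Added example (not HP's tooling): decide from a raw HTTP reply whether the
# endpoint answered. Reads the reply on stdin and prints
# "reachable <status> <server>" or "no-http-reply" (exit status 1).
classify_reply() {
    tr -d '\r' | awk '
        # First HTTP status line: remember the numeric code.
        code == "" && /^HTTP\/[0-9.]+ [0-9][0-9][0-9]/ { code = $2; next }
        # First Server header after the status line (case-insensitive).
        code != "" && server == "" && tolower($1) == "server:" { server = $2 }
        END {
            if (code == "") { print "no-http-reply"; exit 1 }
            print "reachable", code, (server == "" ? "unknown" : server)
        }'
}

# Live probe: $1 = host, $2 = port. No HP endpoint is hard-coded because the
# page does not show one. nc -w 5 gives up after five seconds.
probe() {
    printf 'GET / HTTP/1.0\r\n\r\n' | nc -w 5 "$1" "$2" 2>/dev/null | classify_reply
}

# Constructed sample: the reply text shown in the post above.
sample_reply() {
    cat <<'EOF'
HTTP/1.1 400 Bad Request
Server: Microsoft-IIS/5.0
Date: Sat, 07 May 2005 11:11:41 GMT
Content-Type: text/html
Content-Length: 87

ErrorThe parameter is incorrect.
EOF
}

# With "host port" arguments run a live probe, otherwise classify the sample.
if [ $# -ge 2 ]; then
    probe "$1" "$2"
else
    sample_reply | classify_reply
fi
```

The Server value is worth comparing against what you expect, since an intermediate proxy can also return an HTTP reply.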
Frauke Denker_2
Esteemed Contributor

Re: ISEE without browser

Hello Michael,
you can also use the test scripts that ISEE provides, like /opt/hpservices/RemoteSupport/bin/ If the test works, that system will provide an ID to you (format: 123456789.1@). Go to the directory /opt/hpservices/incidents/123456789.1@ (or whatever your ID looks like). In this directory you will find a file named incident.dat; open it and check for "State =". If the connection works it should change to the value "9", which is the same as "CLOSED" in the UI.
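An added example, not part of the original post: a shell sketch that reads the State value from incident.dat and polls until it reaches 9. The exact line layout ("State = <number>") and the function names are assumptions; only the "State =" key and the meaning of 9 come from the post.

```shell
#!/bin/sh
# Added example (not an ISEE script): check the "State =" value of an incident.
# Assumption: incident.dat contains a line of the form "State = <number>".

# Print the last State value found in file $1.
# Returns 2 if the file is unreadable, 1 if no State line exists.
incident_state() {
    [ -r "$1" ] || return 2
    awk -F= '$1 ~ /^[ \t]*State[ \t]*$/ { gsub(/[ \t\r"]/, "", $2); v = $2 }
             END { if (v == "") exit 1; print v }' "$1"
}

# Poll until the incident reaches state 9 (CLOSED) or the timeout expires.
# $1 = incident directory, $2 = timeout in seconds, $3 = poll interval (default 10).
wait_closed() {
    dat="$1/incident.dat"; left="$2"; step="${3:-10}"
    while :; do
        s=$(incident_state "$dat") || s=""
        [ "$s" = "9" ] && return 0
        [ "$left" -le 0 ] && { echo "timeout, last State=${s:-none}" >&2; return 1; }
        sleep "$step"
        left=$((left - step))
    done
}

# Usage: script <incident directory> <timeout seconds> [interval]
# The incident directory is the one named after the ID the test returns.
if [ $# -ge 2 ]; then
    wait_closed "$@"
fi
```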
michael denny_1
Occasional Contributor

Re: ISEE without browser

Thx all for your input, I'm nearly there now. First posting for me, a very helpful tool.

Lastly, can someone please tell me the different values possible for 'State' in the incident log (as mentioned by Frauke) and the meaning of each?
E.g. if 9=closed, what do 0, 4, 5, etc. mean?

Can't find anything in the HP doco on this one...