
EMC® Secure Remote Support Gateway

Release 1.02

Operations Guide
P/N 300-007-929
REV A01

EMC Corporation
Corporate Headquarters:
Hopkinton, MA 01748-9103
1-508-435-1000
www.EMC.com
Copyright © 2005-2008 EMC Corporation. All rights reserved.

Published November, 2008

EMC believes the information in this publication is accurate as of its publication date. The information is
subject to change without notice.

THE INFORMATION IN THIS PUBLICATION IS PROVIDED “AS IS.” EMC CORPORATION MAKES NO
REPRESENTATIONS OR WARRANTIES OF ANY KIND WITH RESPECT TO THE INFORMATION IN THIS
PUBLICATION, AND SPECIFICALLY DISCLAIMS IMPLIED WARRANTIES OF MERCHANTABILITY OR
FITNESS FOR A PARTICULAR PURPOSE.

Use, copying, and distribution of any EMC software described in this publication requires an applicable
software license.

For the most up-to-date listing of EMC product names, see EMC Corporation Trademarks on EMC.com.

All other trademarks used herein are the property of their respective owners.

For the most up-to-date regulatory document for your product line, go to the Document/Whitepaper Library
on EMC Powerlink.

2 EMC Secure Remote Support Gateway Release 1.02 Operations Guide


Contents

Preface

Introduction
ESRS Gateway architecture ............................................................. 18
Gateway server agent................................................................ 19
Gateway to EMC communication ........................................... 19
Responsibilities for the ESRS Gateway components ................... 23
Customer..................................................................................... 23
EMC Global Services ................................................................. 23
ESRS Gateway components............................................................. 24
Gateway server .......................................................................... 24
Policy Manager .......................................................................... 25
ESRS Gateway installation .............................................................. 29
High-availability installation ................................................... 29
Deployment Utility.................................................................... 29
Gateway Extract utility (GWExt)............................................. 30
Target device management....................................................... 31

PART 1 Pre-Installation Tasks

Chapter 1 Preparation for Standard Installation


Overview............................................................................................ 38
Server settings summary .......................................................... 40
.NET Framework............................................................................... 41
Version 1.1................................................................................... 41
Version 2.0................................................................................... 41
Internet Information Services (IIS) deployment........................... 42

Install IIS ..................................................................................... 42


Configure OS to accommodate IIS........................................... 42
Configure IIS .............................................................................. 44

Chapter 2 Preparation for a Non-Standard Installation


Overview............................................................................................ 54
.NET Framework .............................................................................. 56
Version 1.1................................................................................... 56
Version 2.0................................................................................... 56
Internet Information Services (IIS) deployment........................... 57
Install IIS ..................................................................................... 57
Configure IIS .............................................................................. 59
Post-installation configuration ....................................................... 70
Gateway server .......................................................................... 70
Policy Manager .......................................................................... 72

Chapter 3 GatewayCheck Utility


Overview............................................................................................ 76
GatewayCheck system requirements ............................................ 77
Installation ......................................................................................... 78
Operation ........................................................................................... 79
Launching the application........................................................ 79
Entering customer information ............................................... 81
Selecting tests to be run ............................................................ 82
Setting test configuration parameters .................................... 85
Executing the test run ............................................................... 88
Viewing test results ................................................................... 90
Saving Test Results and exiting the application.................... 93
Required test failure resolution ...................................................... 94
Version information.......................................................................... 96

PART 2 Policy Management

Chapter 4 Policy Manager Administration


Installation ....................................................................................... 100
Startup/shutdown.......................................................................... 101
Modifying the login banner .......................................................... 103
Creating Policy Manager user accounts ...................................... 104
About users .............................................................................. 104
Tomcat user authentication .................................................... 104
Tomcat user account planning............................................... 105

LDAP authentication ...................................................................... 112

Chapter 5 Policy Manager Configuration and Operation


Setting policy ................................................................................... 116
Log in to home page ................................................................ 116
Policy settings........................................................................... 118
Access rights ............................................................................. 124
Access right settings ................................................................ 125
Missing devices ........................................................................ 127
Notifications.............................................................................. 128
Answering device access requests ................................................ 133
About requests.......................................................................... 133
Accept/deny pending requests ............................................. 134
Viewing the Audit Log ................................................................... 137
About log messages ................................................................. 137
Audit Log .................................................................................. 138

PART 3 Gateway Maintenance

Chapter 6 Server Maintenance


Power sequences ............................................................................. 146
Time Zone settings .......................................................................... 147
Service preparation ......................................................................... 148
Gateway server......................................................................... 148
Policy Manager server............................................................. 149
Policy Manager database management ....................................... 151
Component files ....................................................................... 151
Mode .......................................................................................... 152
Backup ....................................................................................... 152
Backup guidelines and procedures .............................................. 155
Server image backup ............................................................... 155
Policy Manager database automated backup ...................... 156
Restoration methods ....................................................................... 158
Server image backup restoration ........................................... 158
Installation restoration ............................................................ 162

PART 4 Appendixes

Appendix A SSL communication between the Gateway and Policy Manager

Policy Manager configuration ...................................................... 166


Creating an SSL certificate to use for SSL communication 166
Enabling SSL on Policy Manager Tomcat server ................. 166
Enabling the Policy Manager application to use SSL for all
communications........................................................................ 169
Gateway configuration .................................................................. 171
Disabling SSL communication...................................................... 173
Policy Manager configuration ............................................... 173
Gateway configuration ........................................................... 173

Appendix B Default Policy Values


Actions.............................................................................................. 176
Default permissions........................................................................ 178

Appendix C Troubleshooting
Symptoms ........................................................................................ 194
Service behavior....................................................................... 194
OS and hardware failures....................................................... 194

Index


Figures

Title Page
1 Gateway architecture..................................................................................... 18
2 Heartbeat communication............................................................................. 20
3 Remote notification communication ........................................................... 21
4 Remote access communication..................................................................... 22
5 Policy Management settings......................................................................... 26
6 Pending request.............................................................................................. 27
7 Audit log sample ............................................................................................ 28
8 Default SMTP Properties............................................................................... 46
9 Default SMTP Message tab ........................................................................... 46
10 E-mail server specification ............................................................................ 47
11 Mail drop specification.................................................................................. 48
12 E-mail server test ............................................................................................ 49
13 Mail drop directory messages ...................................................................... 50
14 Sample e-mail.................................................................................................. 51
15 Windows Component Wizard ..................................................................... 57
16 Files Needed dialog box ................................................................................ 58
17 Inetpub directory............................................................................................ 59
18 Directory structure ......................................................................................... 60
19 My Computer > Manage ............................................................................... 60
20 Computer Management > Services and Applications .............................. 61
21 Rename FTP site ............................................................................................. 62
22 FTP Site IP address selection ........................................................................ 62
23 Allow anonymous connections checkbox cleared..................................... 62
24 IIS Manager data encryption warning ........................................................ 63
25 Messages tab ................................................................................................... 63
26 Inetpub path.................................................................................................... 64
27 Default SMTP Properties............................................................................... 65
28 Default SMTP Message Tab.......................................................................... 65
29 Email server specification ............................................................................. 66
30 Mail drop specification.................................................................................. 66

31 Email server test ............................................................................................. 67


32 Mail drop directory messages ...................................................................... 68
33 Sample email................................................................................................... 69
34 Policy Manager disk changes ....................................................................... 72
35 Permissions link ............................................................................................. 72
36 Editing File Upload permissions ................................................................. 72
37 Adding updated drive and path.................................................................. 73
38 Checking entry and clicking Finish ............................................................. 73
39 Updated Parameter listing............................................................................ 74
40 Main GatewayCheck application window................................................. 80
41 GatewayCheck customer information form............................................... 81
42 GatewayCheck test selection screen............................................................ 82
43 GatewayCheck Configuration Parameters screen .................................... 85
44 GatewayCheck Test Results screen before test run execution ................ 88
45 GatewayCheck Test Results screen at test run completion ..................... 90
46 GatewayCheck Test Results Logs navigation window ............................ 91
47 Sample GatewayCheck Test Results log file contents .............................. 92
48 Services listing .............................................................................................. 101
49 Stopping the service..................................................................................... 102
50 Starting the service....................................................................................... 102
51 Tomcat navigation tree................................................................................ 107
52 Users List screen........................................................................................... 107
53 Edit Existing User Properties screen ......................................................... 108
54 User Actions list box .................................................................................... 108
55 Create New User Properties screen........................................................... 109
56 Commit Changes button ............................................................................. 110
57 User Databases ............................................................................................. 110
58 Saving changes ............................................................................................. 111
59 Committing changes and logging out....................................................... 111
60 Policy Manager login screen....................................................................... 117
61 Policy Manager home page ........................................................................ 117
62 Policy: Settings: Global................................................................................ 119
63 Policy: Explore Device Groups .................................................................. 121
64 Policy: Celerra: Remote Application Permissions................................... 123
65 Setting an access right ................................................................................. 125
66 Set All Permissions ...................................................................................... 125
67 Access right lock........................................................................................... 125
68 Locked and unlocked access rights ........................................................... 125
69 Set All Permissions Access Rights ............................................................. 127
70 Configuration: View and remove missing devices ................................. 127
71 Configuration tab ......................................................................................... 129
72 Notification form icons................................................................................ 129
73 Global group notification settings ............................................................. 130

74 Default notification email body.................................................................. 131


75 View Pending Requests and View Request Details................................. 135
76 Audit Log (Global) ....................................................................................... 138
77 Audit log message examples ...................................................................... 139
78 Symmetrix group audit logs ....................................................................... 141
79 Event Viewer System and Security Log settings...................................... 149
80 Policy Manager database location.............................................................. 151
81 Location of Policy Manager scripts............................................................ 153
82 Policy Manager backup directory .............................................................. 154
83 Backup folder ................................................................................................ 159
84 Location of apmrestore.vbs script .............................................................. 160
85 Restore prompt ............................................................................................. 161
86 Deployment Utility screen .......................................................................... 172


Tables

Title Page
1 Gateway server standard configuration requirements.............................. 40
2 GatewayCheck system requirements ........................................................... 77
3 GatewayCheck installed files ........................................................................ 78
4 GatewayCheck test failure resolution .......................................................... 94
5 Policy settings ................................................................................................ 120
6 Actions (Global group default set) ............................................................. 120
7 Access right descriptions.............................................................................. 124
8 Substitution parameters for notifications .................................................. 132
9 Policy Manager database files ..................................................................... 151
10 Backup/Restore scripts ................................................................................ 152
11 Keystore attributes ........................................................................................ 168
12 Actions defined by Gateway solution ........................................................ 176
13 Gateway default permissions ...................................................................... 179
14 Gateway Device default permissions......................................................... 180
15 Celerra default permissions......................................................................... 182
16 EMC Centera default permissions .............................................................. 183
17 CLARiiON default permissions .................................................................. 184
18 Connectrix default permissions .................................................................. 185
19 ControlCenter default permissions ............................................................ 186
20 EDL default permissions.............................................................................. 187
21 Invista default permissions.......................................................................... 188
22 Switch-Brocade-B default permissions ...................................................... 189
23 Switch-Cisco default permissions............................................................... 190
24 Symmetrix default permissions .................................................................. 191


Preface

As part of an effort to improve and enhance the performance and capabilities
of its product line, EMC from time to time releases revisions of its hardware
and software. Therefore, some functions described in this guide may not be
supported by all revisions of the software or hardware currently in use. For
the most up-to-date information on product features, refer to your product
release notes.
If a product does not function properly or does not function as described in
this guide, contact your EMC representative.

Audience
This guide is a part of the EMC Secure Remote Support Gateway
release 1.02 documentation set, and is intended for use by device
policy administrators.
Readers of this guide are expected to be familiar with the following
topics:
◆ The EMC Secure Remote Support Gateway system
◆ EMC storage products

Related documentation
Related documents include:
◆ EMC Secure Remote Support Gateway Release 1.02 Technical
Description
◆ EMC Secure Remote Support Gateway Release 1.02 Site Planning
Guide
◆ EMC Secure Remote Support Gateway Release 1.02 Pre-Site Checklist
◆ EMC Secure Remote Support Gateway Release 1.02 Port Requirements
◆ EMC Secure Remote Support Gateway Release Notes

Conventions used in this guide
EMC uses the following conventions for notes, cautions, warnings,
and danger notices.
Note: A note presents information that is important, but not hazard-related.

! CAUTION
A caution contains information essential to avoid a hazard that will
or can cause minor personal or property damage if you ignore the
warning.

EMC uses the following type style conventions in this guide:


Normal
   In running text:
   • Interface elements (for example, button names, dialog box
     names) outside of procedures
   • Items that user selects outside of procedures
   • Java classes and interface names
   • Names of resources, attributes, pools, Boolean expressions,
     buttons, DQL statements, keywords, clauses, environment
     variables, filenames, functions, menu names, utilities
   • Pathnames, URLs, filenames, directory names, computer
     names, links, groups, service keys, file systems, environment
     variables (for example, command line and text), notifications
Bold
   • User actions (what the user clicks, presses, or selects)
   • Interface elements (button names, dialog box names)
   • Names of keys, commands, programs, scripts, applications,
     utilities, processes, notifications, system calls, services,
     applications, and utilities in text
Italic
   • Book titles
   • New terms in text
   • Emphasis in text
Courier
   • Prompts
   • System output
   • Filenames
   • Pathnames
   • URLs
   • Syntax when shown in command line or other examples
Courier, bold
   • User entry
   • Options in command-line syntax
Courier italic
   • Arguments in examples of command-line syntax
   • Variables in examples of screen or file output
   • Variables in pathnames
<>
   Angle brackets for parameter values (variables) supplied by user.
[]
   Square brackets for optional values.
|
   Vertical bar symbol for alternate selections. The bar means or.
...
   Ellipsis for nonessential information omitted from the example.

Where to get help
EMC support, product and licensing information can be obtained as
follows.
Product information — For documentation, release notes, software
updates, or for information about EMC products, licensing, and
service, go to the EMC Powerlink website (registration required) at:
http://Powerlink.EMC.com

Technical support — For technical support, go to EMC WebSupport
on Powerlink. To open a case on EMC WebSupport, you must be a
WebSupport customer. Information about your site configuration and
the circumstances under which the problem occurred is required.

Your comments
Your suggestions will help us continue to improve the accuracy,
organization, and overall quality of the user publications. Please send
your opinion of this guide to:
RemoteToolDocs@EMC.com

Introduction

We recommend users become familiar with the EMC Secure Remote
Support Gateway Release 1.02 Site Planning Guide before reading this
guide. It is important to understand requirements and configurations
prior to executing any administrative tasks.
This chapter introduces the EMC Secure Remote Support (ESRS)
Gateway solution. Topics include:
◆ ESRS Gateway architecture .............................................................. 18
◆ Responsibilities for the ESRS Gateway components .................... 23
◆ ESRS Gateway components.............................................................. 24
◆ ESRS Gateway installation................................................................ 29

ESRS Gateway architecture


The Gateway solution's application architecture consists of a secure,
asynchronous messaging system designed to support the functions of
secure encrypted file transfer, monitoring of device status, and
remote execution of diagnostic activities. This distributed solution is
designed to provide a scalable, fault-tolerant, and minimally
intrusive extension to the customer’s system support environment.
Figure 1 on page 18 provides a schematic display of the processing
nodes and their interconnections.
The Gateway solution requires:
◆ A server for the Gateway software (two servers preferred for high
availability)
◆ A server for the Policy Manager software
The Policy Manager software may be co-located on a
non-high-availability Gateway server or on another application server (for
example, a Navisphere Management station).
The customer manages administration and access to these servers
and applications. The preferred configuration uses two Gateway
servers to create the high-availability (HA) configuration. Each
Gateway pair is capable of handling 200 devices. One Policy Manager
server can support up to three fully utilized Gateway server pairs.

(Diagram not reproduced. Panels: Customer environment, EMC backend environment, Gateway environment. Labels: private management LAN; customer DMZ network (optional); Policy Manager; Gateway; proxy server (optional); external firewall; Centera; Connectrix; Symmetrix; Celerra; CLARiiON; public Internet (https); EMC firewall; application bridge servers; Security Authority; Web/access servers; EMC DRM application servers; EMC support analyst.)

Figure 1 Gateway architecture

Gateway server agent
The Gateway server agent is an HTTP handler. The agent functions as
the communications broker between the Gateway-managed devices,
the Policy Manager, and the EMC® Device Relationship Manager
(DRM). All messages are encoded using standard XML and SOAP
application protocols. Agent message types include:
◆ Device state heartbeat polling
◆ Data file transfer
◆ Remote access session initiation
◆ User authentication requests
◆ Device management synchronization
The Gateway agent acts as a proxy, carrying information to and from
the Gateway-managed devices. To maximize remote support
availability, EMC configures the Gateway agent to employ built-in
failover to redundant EMC remote-support enterprise systems in the
event that access to the primary site is unavailable. The Gateway
agent can also queue session requests in the event of a temporary
local network failure.
Network traffic can be configured to route from the Gateway through
proxy servers to the Internet. Such configurations include support for
auto-configuration, HTTP, and SOCKS proxy standards. The agent
does not have its own user interface application. All agent actions are
logged to a local runtime file.

Gateway to EMC communication
All communication between the customer’s site and EMC is initiated
by the Gateway server agent at the customer’s site. Using industry
standard Secure Sockets Layer (SSL) encryption over the Internet and
EMC-signed digital certificate authentication, the Gateway creates a
communication tunnel.
The Secure Remote Support Gateway uses industry-accepted
bilateral authentication for the EMC servers and the Gateway Agent.
Each Gateway has a unique digital certificate that is verified by EMC
whenever a Gateway makes a connection attempt. The Gateway then
verifies EMC's server certificate. Only when the mutual SSL
authentication passes and the client and server negotiate a shared
secret does the Gateway transmit messages to EMC, securing the
connection against spoofing and man-in-the-middle attacks.
The Secure Remote Support Gateway uses the SSL tunnel to EMC to
perform three different functions: Heartbeat polling, remote
notification and remote access. Each relies on the SSL tunnel, but
communication processes and protocols within the tunnel vary by
function. Each is discussed in the following sections.

Heartbeat polling
The Heartbeat is a regular communication, at 30-second intervals,
from the Gateway to the EMC DRM. The heartbeat contains a small
datagram that identifies the Gateway server and provides the EMC
Support Center with status information on the health of the EMC
storage devices and the Gateway server. EMC servers receive the data
in XML format and respond using SOAP (the Simple Object Access
Protocol) commands. Once this response is received, the Gateway
terminates the connection. Figure 2 on page 20 is an illustration of the
heartbeat communication paths.

Figure 2 Heartbeat communication (diagram labels: EMC storage array;
device monitoring via EMCRemote, SSH, socket; Secure Remote Support
Gateway; Gateway eMessage, SOAP XML; SSL tunnel - TLS with RSA key
exchange, 3DES with SHA1 encryption; EMC web and access servers)

Once every 15 minutes the Gateway determines if each managed
device is available for service by making a socket connection to the
device and verifying that the service applications are responding. The
information is recorded by the Gateway. If a change in status is
detected, the Gateway notifies EMC over the next heartbeat. The
heartbeat is a continuous service and EMC monitors the values sent
and may automatically trigger service requests if a Gateway fails to
send heartbeats or if the values contained in a heartbeat exceed
certain limits.
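
The polling and reporting behavior described above, as an added Python example (not EMC code). The class and field names, the heartbeat layout, and the rule that a status change is kept until the heartbeat carrying it has been answered are assumptions made for illustration; the guide does not document the real message format.

```python
"""Added illustration: 15-minute device checks reported through heartbeats.

All names and the heartbeat dict layout are constructed for this example.
"""
import socket


def tcp_probe(ip, port, timeout=3.0):
    """Return True if a TCP connection to ip:port is accepted.

    Simplification: the Gateway also verifies that the service application
    responds; a bare connect only proves that the port accepts connections.
    """
    try:
        with socket.create_connection((ip, port), timeout=timeout):
            return True
    except OSError:
        return False


class AvailabilityMonitor:
    POLL_INTERVAL_S = 15 * 60     # device check interval stated in the guide
    HEARTBEAT_INTERVAL_S = 30     # heartbeat interval stated in the guide

    def __init__(self, gateway_serial, devices, probe=tcp_probe):
        self.gateway_serial = gateway_serial
        self.devices = devices    # serial -> (ip, port)
        self.probe = probe
        self.recorded = {}        # serial -> last recorded availability
        self.unreported = {}      # serial -> status not yet acknowledged

    def poll_devices(self):
        """Probe every managed device and record the result locally."""
        for serial, (ip, port) in self.devices.items():
            available = self.probe(ip, port)
            previous = self.recorded.get(serial)
            self.recorded[serial] = available
            # Assumption: the first observation is reported as a baseline;
            # afterwards only transitions are queued.
            if previous is None or previous != available:
                self.unreported[serial] = available

    def build_heartbeat(self):
        """Small status message sent on every heartbeat."""
        return {
            "gateway": self.gateway_serial,
            "status_changes": dict(self.unreported),
        }

    def acknowledge(self, heartbeat):
        """Drop queued changes only after the response to this heartbeat
        arrived, so a failed heartbeat does not lose a status change."""
        for serial, status in heartbeat["status_changes"].items():
            if self.unreported.get(serial) == status:
                del self.unreported[serial]
```

Because changes are cleared only in `acknowledge`, a heartbeat lost during a temporary network failure leads to the same change being sent again 30 seconds later.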

Remote notification

The Gateway also serves as a conduit for EMC products to send
remote notification event files to EMC. EMC hardware platforms use
remote notification for several different purposes. Errors, warning
conditions, health reports, configuration data, and script execution
statuses may be sent to EMC. Figure 3 on page 21 is an illustration of
the remote notification communication paths.

Figure 3 Remote notification communication (diagram labels: EMC
storage array; file monitoring via EMC RSC, XML - HTTPS/FTP/SMTP;
Secure Remote Support Gateway; HTTPS POST; SSL tunnel - TLS with RSA
key exchange, 3DES with SHA1 encryption; EMC web and access servers)

When an alert condition occurs, the storage system generates an
event message file and passes it to the ConnectEMC service (or other
services) on the devices to format the files and request a transfer to
EMC. ConnectEMC uploads the file to the Secure Remote Support
Gateway where it is received by one of three local transport protocols:
HTTPS (if a device is qualified to send files using HTTPS), FTP, or
SMTP. When an event file is received from a device, the Gateway
compresses the file, opens the SSL tunnel to the EMC servers, and
posts the data file to EMC. At EMC, the file is decompressed and
forwarded to our DRM systems.

Remote access

To establish a remote access session, the Secure Remote Support
Gateway uses asynchronous messaging to ensure that all
communication is initiated from the customer’s site. After being
properly authenticated at EMC, a support professional makes a
request to access a Gateway-managed device. The remote access
session request includes a unique identifier for the user, the serial
number of the target device, the remote application he or she
wants to run on that device, and optionally the Service Request being
used to generate the request. This request is queued at EMC until the
Gateway that manages the device in question heartbeats home.
In response to the Heartbeat message, the EMC DRM sends a special
status in the SOAP response. This response contains the request
information as well as an address and an access server session to
which the Gateway would connect. The Gateway uses its local
repository to determine the local IP address of the end device, checks
with the Policy Manager to see if the connection is permitted, and if
approved, establishes a separate SSL connection to the access servers
for the specific remote access session. This secure session allows IP
traffic from the EMC internal service person to be routed through the
Gateway to the end device. IP socket traffic received by the access
server for this session is established, wrapped in a SOAP message,
and sent to the Gateway. The Gateway un-wraps the SOAP object and
forwards the traffic to the IP address of the end device for which the
session was established. SOAP communication flows between the
Gateway and the access server through this tunnel until it is
terminated or times out after a period of inactivity. Figure 4 on
page 22 is an illustration of the remote access communication paths.

Figure 4 Remote access communication (diagram labels: EMC storage
array; EMCRemote, SSH, SecureCLI...; Secure Remote Support Gateway;
SOAP; SSL tunnel - TLS with RSA key exchange, 3DES with SHA1
encryption; EMC web and access servers)

As the result of an application remote access session request, the
Gateway forwards traffic only to the specific ports at the IP address
associated with the registered serial number of the device at time of
deployment.

Responsibilities for the ESRS Gateway components


Responsibilities for installation, configuration, operation and
maintenance are distributed as described in the sections that follow.

Customer

Your network and system administrators, storage administrators,
security administrators, and any other administrators as are
appropriate to your solution:
◆ Prepare the site for installation. This includes:
• Gateway server hardware and operating system
• Policy Manager server hardware and operating system
• Placement of the servers in your IP network according to
specifications described in the site planning guide
• Antivirus and other applicable security software
◆ Preparation and configuration of network, proxy server, and
firewall
◆ File system backup and restoration
◆ Continuing maintenance including security and operating system
updates
◆ Physical security of the hardware
◆ Protection of all files on the Gateway and Policy Manager servers,
including the SSL certificate, if applicable
◆ Configuring, administering, and updating policy management,
policies and accounts on the Policy Manager

EMC Global Services

EMC Global Services personnel:
◆ Install Gateway solution software:
• Gateway server software
• Policy Manager software
◆ Configure and deploy EMC product managed devices.
◆ Update the Gateway server and Policy Manager software.

Note: Maintenance of the operating system (updates, upgrades) on the
Gateway and Policy Manager servers is a customer responsibility.

ESRS Gateway components


This section describes the components of the Secure Remote Support
Gateway solution.

Gateway server

A Gateway server can be implemented in one of several
configurations to meet the customer’s network and security
requirements.
There are no technical restrictions on the network location of the
Gateway server, other than its connectivity to the customer’s devices
and Policy Manager as well as to the EMC DRM. EMC strongly
recommends the use of a firewall to block network ports not required
by the Gateway solution.

VMware support

Secure Remote Support Gateway is qualified to run in a VMware
virtual machine. VMware support allows customers to leverage their
existing VMware infrastructure to benefit from the security features
of the Gateway without adding hardware. VMware VMotion
functionality also allows the Policy Manager, when installed in a
virtual machine, to be moved from one physical server to another
with no impact to remote support.
The following are the minimum requirements for VMware support:
◆ VMware ESX 2.5.2 or later
◆ 15 GB partition
◆ 2.2 GHz virtual CPU
◆ 512 MB memory allocated
◆ SMB modules optional
◆ VMotion functionality optional

High-availability Gateway configuration

To enable maximum remote access availability, EMC recommends
that the customer eliminate the single point of failure by deploying a
high-availability Gateway configuration that employs two
Gateway servers.
Gateway servers in this configuration are active peers that manage
the same set of devices without awareness of or contention with the
other. There is no direct communication between the peer nodes. In
the high-availability configuration the Policy Manager software
cannot be co-located on a Gateway server and must be installed on a
separate server. Gateway high-availability configurations are limited
to two active nodes.

Synchronization of Gateway peers

Gateway server device management is synchronized through the
EMC DRM during polling cycles so that changes to the configuration
on one peer are automatically propagated to the other peer. When the
customer adds, removes, or edits devices on the managed devices list
for either Gateway server in a high-availability configuration, the
Deployment Utility sends a message through the Gateway agent to
the DRM. The EMC DRM application looks up the serial number of
the peer node and creates a transaction for the device information to
be relayed to the peer node upon receipt of the next polling message.
When the peer Gateway server receives the device management
transaction information, it updates its Gateway agent's list of
managed devices. In the event that the peer Gateway server is
unavailable, the DRM application queues the transaction, and
synchronization occurs upon the next successful poll message
received from the Gateway server.

Policy Manager

Using the Policy Manager, you control the authorization
requirements for remote access connections, file transfers, service
notification processes, diagnostic script executions, and other
Gateway-related activities, as shown in Figure 5 on page 26. The
Policy Manager allows you to set authorization permissions for target
devices or groups of target devices being managed by the Gateway
system and provides these permissions to the Gateway system
during polling by the Gateway server, and records all requests and
actions in local log files. When a request arrives at the Gateway server
for remote device access, the access is controlled by the Gateway
enforcing the policy from the Policy Manager.
Policy Manager permissions can be assigned in a hierarchical system,
establishing policies based on model and product groups. If required,
you can override group-level permissions down to the individual
device level.

The Policy Manager provides three options for assigning policy
manager rule permissions for every action that the Gateway agent
can perform on a device or group of devices:
◆ Always Allow — You always allow the action.
◆ Never Allow — You always deny the action.
◆ Ask for Approval — You must approve the request (provide
authorization).

Figure 5 Policy Management settings

When you set an authorization rule to Ask for Approval, the Policy
Manager sends an email message to your designated address upon
each action request, per transaction. This email message contains the
action request itself and the user ID of the EMC Customer Service
representative requesting permission to perform the action. You use
the Policy Manager interface to accept or deny the requested action.
Figure 6 on page 27 provides an example.

Figure 6 Pending request

As with the Gateway agent and DRM communication behavior, the
Policy Manager only responds to requests from the Gateway agent.
Since the Gateway agent caches the Policy Manager's permission
rules at startup, the agent must poll the Policy Manager for
configuration updates. In this way, the Gateway agent captures any
change to the Policy Manager rule set after its next polling cycle.

The Policy Manager agent is an HTTP listener, which must be configured
to receive messages on an agreed-upon port. The default port is 8090,
but if necessary, you can specify a different port during your Policy
Manager installation.
The Policy Manager uses the Apache Jakarta Tomcat engine and a
100% compliant local JDBC relational database to provide a secure
web-based user interface for permission management.
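
The rule hierarchy, the three permission options, the agent-side rule cache and the remote access check described in this chapter, modeled as an added Python example (not EMC code). The class names, action string, sample serial numbers and addresses are hypothetical, and denying a request when no rule exists is an assumption; the guide does not publish the Policy Manager data model.

```python
"""Added illustration: a Gateway agent applying cached Policy Manager rules.

Every name and sample value below is constructed for this example.
"""
from dataclasses import dataclass, field
from enum import Enum
from typing import Optional, Tuple


class Permission(Enum):
    ALWAYS_ALLOW = "Always Allow"
    NEVER_ALLOW = "Never Allow"
    ASK_FOR_APPROVAL = "Ask for Approval"


@dataclass
class Device:
    serial: str
    model: str      # product group used for group-level rules
    ip: str         # address registered at deployment
    ports: dict     # application name -> registered TCP port


@dataclass
class Decision:
    outcome: str                                # "allowed", "pending", "denied"
    reason: str
    target: Optional[Tuple[str, int]] = None    # set only when allowed


@dataclass
class PolicyManager:
    group_rules: dict = field(default_factory=dict)    # (model, action) -> Permission
    device_rules: dict = field(default_factory=dict)   # (serial, action) -> Permission
    audit_log: list = field(default_factory=list)
    pending: list = field(default_factory=list)        # requests awaiting approval

    def snapshot(self):
        """Rules handed to the agent when the agent polls."""
        return dict(self.group_rules), dict(self.device_rules)

    def record(self, user_id, serial, action, decision):
        self.audit_log.append(
            (user_id, serial, action, decision.outcome, decision.reason))
        if decision.outcome == "pending":
            self.pending.append((user_id, serial, action))


class GatewayAgent:
    def __init__(self, policy_manager, repository):
        self.pm = policy_manager
        self.repository = repository    # serial -> Device (local repository)
        self.poll_policy()              # rules are cached at startup

    def poll_policy(self):
        """Refresh the cache; rule changes are invisible until this runs."""
        self.group_cache, self.device_cache = self.pm.snapshot()

    def effective_permission(self, device, action):
        # A device-level rule overrides the rule of its model group.
        override = self.device_cache.get((device.serial, action))
        if override is not None:
            return override
        # Assumption: with no rule at either level the request is denied.
        return self.group_cache.get((device.model, action),
                                    Permission.NEVER_ALLOW)

    def authorize_remote_access(self, user_id, serial, application):
        action = "remote_access"
        device = self.repository.get(serial)
        if device is None:
            decision = Decision("denied", "serial not in managed device list")
        elif application not in device.ports:
            decision = Decision("denied", "application port not registered")
        else:
            permission = self.effective_permission(device, action)
            if permission is Permission.ALWAYS_ALLOW:
                # Forward only to the registered IP and port of this device.
                decision = Decision("allowed", permission.value,
                                    (device.ip, device.ports[application]))
            elif permission is Permission.ASK_FOR_APPROVAL:
                decision = Decision("pending", permission.value)
            else:
                decision = Decision("denied", permission.value)
        self.pm.record(user_id, serial, action, decision)
        return decision


def build_demo():
    """Constructed rule set: group allows, one device needs approval."""
    pm = PolicyManager()
    pm.group_rules[("Symmetrix", "remote_access")] = Permission.ALWAYS_ALLOW
    pm.device_rules[("SN-0002", "remote_access")] = Permission.ASK_FOR_APPROVAL
    repository = {
        "SN-0001": Device("SN-0001", "Symmetrix", "192.0.2.10", {"SSH": 22}),
        "SN-0002": Device("SN-0002", "Symmetrix", "192.0.2.11", {"SSH": 22}),
    }
    return pm, GatewayAgent(pm, repository)
```

In this model a rule tightened on the Policy Manager does not bind the agent until `poll_policy` runs again, which is the window to keep in mind when revoking access.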

Logging

The Policy Manager logs all remote support events. Remote access
connections, diagnostic script executions, and support file transfer
operations are stored in the audit log files. The Policy Manager also
logs all authorization activity and policy changes. The audit log files
can be viewed through the Policy Manager interface. All log files are
controlled and managed by you to enable auditing of remote support
connections executed by EMC. Figure 7 on page 28 provides a sample
audit log.

Figure 7 Audit log sample

Device control

The Gateway solution proactively monitors, alerts, and notifies the
EMC Customer Support Center when the Gateway server or any
Gateway-managed device fails to communicate back to EMC
regularly. EMC alerts you of potential failures or issues that may
affect EMC's ability to provide timely support. As an EMC customer,
you are in complete control over which devices are included in your
Gateway device management system, and you can phase them in by
product line. EMC provides applications to assist you in automating
the addition of new devices to the Gateway management. All device
management operations are logged and must be performed by
authorized EMC Customer Service professionals using EMC-issued
RSA SecurID Authenticators.

ESRS Gateway installation


This section provides an overview of the installation of ESRS
Gateway.

High-availability installation

During your Gateway server installation, your EMC Customer
Service representative assigns a system name to the servers in the
Gateway peer server pair. During the installation of the primary
Gateway server, which is the first server configured in the pair, the
Gateway installation program automatically assigns a base system
name. This system name acts as the identification handle for all of the
Gateway servers installed at your site.
This is the generic syntax of a generated base system name:
ESRS_SiteID_SiteName_TimeStamp

Since you may have multiple Gateway high-availability server pairs
or Single Gateway HA-ready pairs per site, your EMC Customer
Service representative uses an additional string value that uniquely
identifies the high-availability pairs currently being installed. This
string value becomes the subsystem name. In the previous example,
if you have one pair for managing only Symmetrix® devices, and one
pair for managing the heterogeneous storage arrays used to support
manufacturing applications, the EMC Customer Service
representative may use product-based subsystem names to uniquely
identify each high-availability pair:
ESRS_12345_ExampleCo_051104104649_Symm
ESRS_12345_ExampleCo_051104115309_Mfg
During the installation of the second Gateway server for recovery
from a hardware failure that requires re-installation of the Gateway
application, the installation program provides a drop-down list of all
the subsystem names at the site. Your EMC Customer Service
representative then selects the appropriate subsystem name
previously assigned to a primary server. The installation program
registers this information in the Gateway system's DRM database at
EMC.

Deployment Utility

The Deployment Utility is a client-based application that is used to
configure and manage the Gateway and identify EMC storage
devices and switches. The term manage means that a device is
monitored and can use the Gateway system to establish remote access
connections. The Gateway agent proxies all Deployment Utility
requests to the EMC DRM. The Gateway agent is the only application
with which the utility communicates. The Gateway installation
program automatically installs the Deployment Utility with the
Gateway agent.
The Deployment Utility is a Java-based GUI application that
authenticates with the Gateway agent upon startup. This secure
protocol ensures that only the Deployment Utility can interface with
the agent. Here is a listing of the configuration menu items available
through the Deployment Utility:
◆ Base Configuration — Gateway model and serial number. The
Gateway installation program automatically generates these
values for you. You should change these values only upon request from
EMC Customer Service.
◆ EMC DRM Configuration — EMC primary and secondary DRM
addresses, proxy server configuration, and SSL options. The
Gateway installation program automatically generates these
values and captures them. You should change these values only upon
request from EMC support personnel.
◆ Policy Manager Configuration — DNS/IP address of Policy
Manager server. The Gateway installation program automatically
captures these values. You should change these values only upon
request from EMC support personnel.
◆ Customer Location — Your organization name, address and
contact information.
◆ Manage Devices — Allows you to view the list of currently
managed devices. Any additions, edits or removals of devices
must be performed by an EMC Customer Service professional.
One can use the Deployment Utility to manually add a single
device or use the automated batch processing of Gateway Device
Extract configuration files to add multiple devices at the same
time.

Gateway Extract utility (GWExt)

To configure a device for management, the EMC Customer Service
representative on site must know the following for each managed
device: serial number, EMC site identification number, product type,
and an IP address that can be used to access the device. The Gateway
Device Extract utility (GWExt.exe), when run on the EMC device,
automates the collection of this information and transports it to the
Gateway server. EMC supplies three versions of the GWExt utility
with the Gateway server installer to support Windows, Linux and
Solaris clients.
Your EMC Customer Service professional copies the GWExt utility
from the installation CD or the Gateway server to the managed
device.

Note: The GWExt utility cannot be run on Cisco switches, Brocade-B
switches, EDL, Centera, Invista CPCs, or CLARiiON service processors.

When run, the GWExt utility first requests the
Gateway server IP address and EMC site identification number. It
then extracts the serial number and local IP address from the target,
creates a configuration file, and FTPs the file back to the Gateway
server.
The configuration files, for all devices that have used the GWExt
utility, reside on the Gateway server until processed through the
Deployment Utility's Managed Devices option.

Target device management

Devices are added to the list of managed target devices (EMC storage
products and select switches) in the Gateway system by using the
Deployment Utility.

Note: Use of the Deployment Utility for device deployment, undeployment,
and editing is restricted to authorized EMC Customer Service personnel. A
customer is allowed to use the Deployment Utility only to view
configurations.

The managed device registration process is similar whether devices
are manually added or added with the Gateway Extract Utility
(GWExt) which enables batch processing of configuration files.
Device registration requires the input of a serial number, IP address,
model (product type), and site ID number.
When attempting to manage (or unmanage) a device, EMC Global
Services is prompted for their EMC-issued RSA SecurID
Authenticator pass code. This information is then forwarded
immediately to EMC servers for an authentication reply. No pass
codes are kept on your Gateway server or in the EMC Gateway DRM
database. All communications from the Deployment Utility are
routed through the SSL tunnel to maximize data security.
EMC Customer Service personnel must verify with your network
administrators that the IP address of the target device is accessible
from the Gateway server and is not translated (NAT'd). For example,
the local IP address of a device is 144.10.10.3, and is only on your
internal network. Also, you are using NAT (or a NAT device) that
maps the device IP (144.10.10.3) to IP 10.10.44.22 so that the device
can be reached from within your DMZ. In this case, EMC must use
the NAT IP address of 10.10.44.22 to reach the device, and in the
Deployment Utility the IP address field must be changed to
10.10.44.22.
The final portion of the deployment process requires a validation that
a device is successfully added to the configuration in the EMC DRM
system. The Deployment Utility adds the matched device to the
current managed device list and makes the device available for
remote access. If the serial number or Party ID for a newly integrated
device does not match the EMC Customer Service registered device
lists for your site, the Deployment Utility catalogues the device under
a UI tab labeled unresolved. This indicates that the device failed
registration, and it needs to be reconciled with the serial number of
the device on record with EMC Customer Service. Until full
reconciliation is achieved, the device is not accessible for remote
support by the Gateway. The Deployment Utility is also used to edit
the IP address of a device if it has been changed.
In the event you want to unmanage a device or otherwise no longer
require it to be accessible, it can be removed from the list of managed
devices by an authorized EMC Customer Service representative
through the device management menu within the Deployment
Utility. This menu selection sends a message to the EMC DRM system
to logically disassociate this serial number from your Gateway
system.

Digital Certificate Management (DCM)

During the site Gateway server installation, digital certificates are
registered on the server. This procedure can only be performed by
EMC Customer Service professionals using EMC-issued RSA
SecurID Authenticators. All certificate usage is protected by unique
password encryption. Any message received by the Gateway server,
whether pre- or post-registration, requires entity-validation
authentication.
DCM automates Gateway digital certificate enrollment by taking
advantage of EMC's existing network authentication systems, which
use the RSA SecurID Authenticator and the EMC local certificate
authority (CA). Working with EMC systems and data sources, DCM
aids in programmatically generating and authenticating each
certificate request, as well as issuing and installing each certificate on
the Gateway.
The Gateway system DCM provides proof-of-identity of your
Gateway server host. This digital document binds the identity of the
Gateway host to a key pair that can be used to encrypt and
authenticate communication back to EMC. Because of its role in
creating these certificates, the EMC certificate authority is the central
repository for the EMC Secure Remote Support Gateway key
infrastructure.
The CA requires full authentication of a certificate requester before it
issues the requested certificate to the Gateway server. Not only must
the CA verify that the information contained in the certificate request
is accurate, it must also verify that the EMC Customer Service
professional making the request is authenticated, and that this person
belongs to the EMC Customer Service group that is allowed to
request a certificate for the customer site at which the Gateway
certificate is to be issued.
The EMC Customer Service professional requests a certificate by first
authenticating himself or herself using an EMC-issued RSA SecurID
Authenticator. Once authentication is complete, the Gateway
installation program locally generates all the information required for
the certificate on your Gateway server. It then enters the information
on the certificate request, ensures accuracy and completeness of the
information, and generates a random private key password with
encryption. The installation program then submits the request, and
after the certificate is issued, the installation program completes the
certificate installation on the Gateway server automatically.

Device access control

The Gateway solution achieves remote application access to a server
process running on an EMC storage device by using a strict IP and
application port-mapping process. You have complete control over
which ports and IP addresses are opened on your internal firewall to
allow connectivity. The remote access session connections are
initiated by an EMC Customer Service request at the EMC access
server and through a pull connection to the Gateway server. EMC
never initiates a connection to your Gateway server or network. Your
policies determine if and how a connection is established.

Device configuration access control

Once your devices are configured for Gateway solution management,
it is imperative that any changes to the configuration of the managed
device are carefully controlled and monitored. For example, changing
the configured IP address in the Gateway system or changing the IP
address of the storage device disables EMC's ability to perform
remote service on that device as well as the device’s call home
capabilities. For this reason, the Gateway solution's Deployment
Utility requires that only authorized EMC Customer Service
professionals are allowed to alter the configuration of a managed
device. Each device modification, as well as the user ID of the EMC
Customer Service professional who performed the change, is tracked
in the Policy Manager and EMC DRM audit logs.

EMC enterprise access control

Several security features are incorporated into the EMC DRM system.
The Gateway infrastructure is isolated from the rest of EMC's internal
networks. EMC Customer Service professionals must be logged into
the EMC corporate network system to access the DRM system. Only
authorized EMC personnel can access the DRM system, and only
those employees that have authorization approval from EMC
Customer Service can use it.
In addition, only those EMC Customer Service professionals that are
approved to access your specific devices can initiate remote
connection sessions with those devices.

PART 1

Pre-Installation Tasks

Prior to the installation of the ESRS Gateway software on your
servers, there are tasks you must perform, as described in these
chapters.

Chapter 2, “Preparation for Standard Installation”
Provides steps necessary to prepare the Gateway server when
you are using the standard system ‘C:’ drive as the install drive.

Chapter 3, “Preparation for a Non-Standard Installation”
Provides steps necessary to prepare the Gateway server when
you are using a non-standard system drive other than ‘C:’ as the
install drive.

Chapter 4, “GatewayCheck Utility”
Describes how to run the GatewayCheck utility to verify your
systems are ready for the installation of the ESRS Gateway
software.
2

Preparation for Standard Installation

This chapter provides information to assist you in preparing the
Gateway server for a standard installation on the Gateway server’s
system drive ‘C:’.

Note: We define system drive as the drive where the operating system is
installed.

For non-standard installations (a system drive other than ‘C:’), go to
Chapter 3, “Preparation for a Non-Standard Installation.”

Topics in this chapter include:

◆ Overview
◆ Internet Information Services (IIS) deployment

Overview
The primary task in preparation of the Gateway server prior to the
installation of the Gateway solution is preparing the Operating
System. This includes installing the Microsoft Internet Information
Services (IIS) on the system drive. Additional tasks discussed within
this chapter include setting up the FTP and SMTP servers on the
system drive.

If using a domain environment, EMC recommends beginning the OS
installation in a workgroup, then joining a domain after the
installation. You must also verify that after joining the domain all
connections are active.

To prepare the required OS configuration for a standard system drive
‘C:’ Gateway installation, perform the following steps for each
intended server:

Note: You must verify that Domain Policies have not inhibited the functions
necessary for the Gateway to function properly. In other words, verify that
services have not been removed or disabled by Domain Group Policies.

◆ Install the Windows OS and any applicable updates:
• Install Windows Server 2003 SP1 or SP2 (English only, 32-bit or
64-bit versions).
• Install and configure any device drivers required by the OS
and the hardware.
• Apply any service packs and security fixes as required by your
corporate policies, including antivirus software.
• Set the Windows Time Zone to the correct time zone for the
Gateway server’s physical location.

Note: Having the Windows Time Zone set to a setting other than the local
time zone may adversely affect remote support tool performance.

◆ Load .NET Framework versions 1.1 and 2.0. Both versions must
be loaded for complete functionality. Both versions may co-exist
on the same server without interfering with or overwriting each
other. Instructions are included in Section “.NET Framework” on
page 41.
◆ Install, configure, and test Microsoft IIS according to the
instructions in this chapter: Start with “Internet Information
Services (IIS) deployment” on page 42.
◆ When the configuration is complete, run the GatewayCheck
utility to verify the system configuration and connectivity to EMC
target devices. Go to Chapter 4, “GatewayCheck Utility.”

Server settings summary

Prior to having Gateway software installed, you must configure its
server operating system with the settings shown in Table 1 on
page 40. The procedure to establish these IIS settings is provided in
“Internet Information Services (IIS) deployment” on page 42.

Table 1 Gateway server standard configuration requirements

Category                              Variable                      Value
------------------------------------  ----------------------------  ---------------------------------------------
Internet Information Services (IIS)   Startup type                  Manual
                                      State                         Started

Note: The following settings describe the FTP services and directory structure required for Gateway server installation. Once the
server has been installed, the FTP or SMTP service may be disabled, but not both—however, the FTP directory structure must
remain in place.

Default FTP Site (a) > Properties
FTP Site                              Description                   ESRS Gateway FTP Site
                                      IP address                    Local/Internal IP
                                      TCP port                      21
Security Accounts                     Allow anonymous connections   No (unchecked)
Home Directory                        Local path                    C:\inetpub\ftproot
                                      Read                          Yes (checked)
                                      Write                         Yes (checked)
                                      Log visits                    Yes (checked)
User Isolation                                                      Yes

Default SMTP Virtual Server > Properties
                                      Description                   ESRS Gateway SMTP Site
                                      Domain                        emc.com
                                      Drop directory                C:\inetpub\mailroot\drop
                                      E-mail message maximum size   15 MB

Local Users and Groups > New User
                                      Default User Group            Yes
New User (1)                          User name                     OnAlert
                                      Password                      EMCCONNECT (case sensitive)
                                      User cannot change password   Yes (checked)
                                      Password never expires        Yes (checked)
New User (2)                          User name                     ESRSConfig
                                      Password                      esrsconfig (case sensitive)
                                      User cannot change password   Yes (checked)
                                      Password never expires        Yes (checked)
New directories                                                     C:\inetpub\ftproot\LocalUser
                                                                    C:\inetpub\ftproot\LocalUser\OnAlert
                                                                    C:\Inetpub\ftproot\LocalUser\OnAlert\incoming
                                                                    C:\inetpub\ftproot\LocalUser\ESRSConfig

a. These settings describe the FTP services and directory structure required for Gateway server installation. Once the server has been installed,
these FTP services may be disabled—however, the FTP directory structure must remain in place on the system drive.


.NET Framework
Two versions of Microsoft .NET Framework are required for full
functionality of the Gateway server and its utilities: 1.1 and 2.0. Both
versions may co-exist on the same server without interfering with or
overwriting each other.

Note: The .NET Framework runs as a 32-bit application.

Version 1.1

Version 1.1 is required for the GatewayCheck Utility.

◆ For 32-bit Windows Server 2003, the .NET Framework is
integrated with the OS, and should be loaded and running. You
can verify this by going to the Control Panel and running Add or
Remove Programs and verifying that “Microsoft .NET
Framework 1.1” is installed.
If you need to install the .NET Framework, use Windows Update
or navigate to Microsoft .NET Framework 1.1 Service Pack 1 at the
Microsoft Download Center website.
◆ For 64-bit Windows Server 2003, you must download and install
the .NET Framework (minimum rev. 1.1) from the Microsoft
website. Use Windows Update and select the .NET Framework
1.1 package or navigate to the Microsoft .NET Framework Version
1.1 Redistributable Package at the Microsoft Download Center
website.

Version 2.0

Version 2.0 is required for the Gateway server application.

You must download and install the .NET Framework (version 2.0)
from the Microsoft website. Use Windows Update and select the
.NET Framework 2.0 package or navigate to the Microsoft .NET
Framework Version 2.0 at the Microsoft Download Center website:

Microsoft .NET Framework 2.0 Service Pack 1 (x86)

-or-

Microsoft .NET Framework 2.0 Service Pack 1 (x64)


Internet Information Services (IIS) deployment


Install Microsoft Windows Internet Information Services (IIS) and
enable FTP and SMTP services on the system drive.

Install IIS

To install IIS:

1. Open the Control Panel, and from there open Add/Remove
Programs.
2. Select Add/Remove Windows Components.
3. Highlight Application Server and click Details.
4. Highlight Internet Information Services (IIS) and click Details.
5. Select the File Transfer Protocol (FTP) and SMTP Service
checkboxes. (Leave the Common Files and Internet Information
Services Manager checkboxes enabled, as per the default
settings.)
6. Click OK to exit the Internet Information Services (IIS) setup.
7. Click OK to exit the Application Server setup.
8. Click Next at the bottom of the Add/Remove Windows
Components setup page.
9. If prompted, insert the Windows Server 2003 installation CD into
the CD-ROM drive, or provide the path to the i386 directory on
the CD or network share drive.
Example: Enter D:\i386 if ‘D’ is the CD-ROM drive designation.

Configure OS to accommodate IIS


This section details how to configure the OS to accommodate IIS.

OnAlert user account setup

Use this procedure to set up OnAlert user accounts:
1. Right-click My Computer on the desktop, and select Manage
from the pop-up menu.
2. Double-click Local Users and Groups.
3. Right-click Users and select New User from the pop-up menu.
4. Enter OnAlert in the User Name field.

5. Enter EMCCONNECT (case sensitive) in the Password field.
6. Re-enter EMCCONNECT (case sensitive) in the Confirm
Password field.
7. Deselect the User must change password at next logon checkbox.
8. Select the Password Never Expires checkbox.
9. Select User cannot change password.
10. Click Create.

ESRSConfig user account setup

Use this procedure to set up ESRSConfig user accounts:
1. Right-click Users and select New User from the pop-up menu.
2. Enter ESRSConfig in the User Name field.
3. Enter esrsconfig (case sensitive) in the Password field.
4. Re-enter esrsconfig (case sensitive) in the Confirm Password
field.
5. Deselect the User must change password at next logon checkbox.
6. Select the Password Never Expires checkbox.
7. Select User cannot change password.
8. Click Create, and then click Close.
9. Exit the Computer Management application.

Account folders creation

Create the folders in the following list:

! IMPORTANT
The folders in the following list must be created on the same drive
where IIS is installed.

C:\Inetpub\ftproot\LocalUser
C:\Inetpub\ftproot\LocalUser\OnAlert
C:\Inetpub\ftproot\LocalUser\OnAlert\incoming
C:\Inetpub\ftproot\LocalUser\ESRSConfig


Configure IIS

This section provides details on how to configure IIS.

FTP server setup

To set up the FTP server:

1. Open the Internet Information Services (IIS) Manager: Start >
Programs > Administrative Tools > Internet Information
Services (IIS) Manager
2. In the left pane of the Internet Information Services (IIS) Manager
window, highlight Default FTP Site.
3. Right-click Default FTP Site, select Delete from the pop-up
menu, and click Yes to confirm the deletion.
4. Right-click FTP Sites and select New FTP Site from the pop-up
menu.
5. Click Next at the Welcome screen.
6. Enter the description ESRS Gateway FTP, and click Next.
7. Enter the IP address being used for the FTP server.

Note: On a multihomed server, the IP address is the internal IP address
that connects to the devices.

(Do not change the default TCP port 21.) Click Next.
8. Select Isolate users, and click Next.
9. Browse to C:\Inetpub\ftproot, click OK, then click Next.
10. Select the Read and Write checkboxes, and click Next.
11. Click Finish.
12. In the Internet Information Services (IIS) Manager, right-click on
the FTP site ESRS Gateway FTP and select Properties from the
pop-up menu.
13. Click Security Accounts and deselect Allow anonymous
connections.
14. At the alert, continue anyway?, click Yes.
15. Click Messages.
16. In the Welcome field, type a welcome message.
For example:
Welcome to the name_of_your_FTP_server FTP server

17. In the Exit field, type an exit message.
For example:
You are leaving the name_of_your_FTP_server FTP server.
Goodbye!
18. Click Home Directory.
19. Enter C:\Inetpub\ftproot in the Local Path field.
20. Select the Read, Write, and Log visits checkboxes.
21. Click OK to exit.

SMTP server setup

To set up the SMTP server:

1. In the left pane of the Internet Information Services (IIS) Manager
window, right-click Default SMTP Virtual Server, and select
Rename from the pop-up menu.
2. Type the new SMTP virtual server name ESRS Gateway SMTP
Server.
3. Double-click ESRS Gateway SMTP Server.
4. Double-click Domains.
5. On the right side of the Domains window, highlight the domain
name.
6. Right-click on the domain name and select Rename from the
pop-up menu.
7. Type the name emc.com, and click Done.

Configure and test e-mail

You must set the e-mail message size to 15 MB:
1. In the left pane of the Internet Information Services (IIS) Manager
window, right-click Default SMTP Virtual Server and select
Properties, as shown in Figure 8 on page 46.


Figure 8 Default SMTP Properties

2. Click Messages, as shown in Figure 9 on page 46.

Figure 9 Default SMTP Message tab

3. Change the Limit message size to 15000.

4. Change the Limit session size to 30000.
5. Click OK.
6. In the left pane of the Internet Information Services (IIS) Manager
window, click on Domain under Default SMTP Virtual Server.
7. Right-click on emc.com and select Properties. See Figure 10 on
page 47.

Figure 10 E-mail server specification

8. Point to the maildrop directory on the C: drive
(C:\inetpub\mailroot\Drop), as shown in Figure 11 on page 48.


Figure 11 Mail drop specification

9. Test the e-mail server and verify that the mail is in the proper
directory (Figure 12 on page 49).

Note: This is Primus solution emc136619.


In the following session, the lines that begin with a three-digit reply
code are the responses that you receive; all other lines are commands
that you enter.

telnet ip_address 25
220 jerry.lab.pvt.dns Microsoft ESMTP MAIL Service, Version: 6.0.3790.1830 ready at Thu, 25 Jan 2007 15:20:31 -0500
vrfy onalert
252 2.1.5 Cannot VRFY user, but will take message for <onalert@emc.com>
helo
250 jerry.lab.pvt.dns Hello [192.1.7.203]
mail from:esrs@emc.com
250 2.1.0 esrs@emc.com....Sender OK
rcpt to:onalert@emc.com
250 2.1.5 onalert@emc.com
data
354 Start mail input; end with <CRLF>.<CRLF>
subject:testemailserver<CR>
This is a test of the email server<CR>
.<CR>
250 2.6.0 <JERRYexICnDdNUbr6TU00000001@jerry.lab.pvt.dns> Queued mail for delivery

Figure 12 E-mail server test


10. Return to \\inetpub\mailroot\drop directory.

Figure 13 Mail drop directory messages

11. Right-click on one of the listed mail messages.


12. Open the mail using Notepad.
You see contents similar to that in Figure 14 on page 51.


Figure 14 Sample e-mail

13. Close and delete all e-mail from the directory.


This completes the installation and configuration of the base OS. At
this point:

◆ All devices should be properly installed and functioning,
including appropriate Service Pack and patches
◆ AV should be installed and configured
◆ OS hardened according to your specifications
◆ Run the GatewayCheck utility to verify the system configuration
and connectivity to EMC target devices. Go to Chapter 4,
”GatewayCheck Utility.”

Chapter 3
Preparation for a Non-Standard Installation

This chapter provides information to assist you in preparing the
Gateway server for a non-standard installation on a drive other than
the server’s system drive ‘C:’.

Note: We define system drive as the drive where the operating system is
installed.

For standard installations (default system drive ‘C:’), go to Chapter 2,
“Preparation for Standard Installation.”

Topics in this chapter include:

◆ Overview
◆ .NET Framework
◆ Post-installation configuration


Overview
The primary task in preparation of the Gateway server prior to the
installation of the Gateway solution is preparing the Operating
System. This includes installing the Microsoft Internet Information
Services (IIS) on the same drive to be used for the OS and Gateway
software. Additional tasks discussed within this chapter include
setting up the FTP and SMTP servers on this drive.

If using a domain environment, EMC recommends beginning the OS
installation in a workgroup, then joining a domain after the
installation. You must also verify that after joining the domain all
connections are active.

To prepare the required OS configuration for a non-standard system
drive (non-‘C:’) Gateway installation, perform the following steps for
each intended server:

◆ Install the Windows OS and any applicable updates:


• Install Windows Server 2003 SP1 or SP2 (English only, 32-bit or
64-bit versions).
Note: You must verify that Domain Policies have not inhibited the functions
necessary for the Gateway to function properly. In other words, verify that
services have not been removed or disabled by Domain Group Policies.

• Install and configure any device drivers required by the OS
and the hardware.
• Apply any service packs and security fixes as required by your
corporate policies, including antivirus software.
• Set the Windows Time Zone to the correct time zone for the
Gateway server’s physical location.
Note: Having the Windows Time Zone set to a setting other than the local
time zone may adversely affect remote support tool performance.

◆ Load .NET Framework versions 1.1 and 2.0. Both versions must
be loaded for complete functionality. Both versions may co-exist
on the same server without interfering with or overwriting each
other. Instructions are included in Section ”.NET Framework” on
page 56.

◆ Install, configure, and test Microsoft IIS according to the
instructions in this chapter: Start with “.NET Framework” on
page 56.
◆ When the configuration is complete, run the GatewayCheck
utility to verify the system configuration and connectivity to EMC
target devices. Go to Chapter 4, ”GatewayCheck Utility.”


.NET Framework
Two versions of Microsoft .NET Framework are required for full
functionality of the Gateway server and its utilities: 1.1 and 2.0. Both
versions may co-exist on the same server without interfering with or
overwriting each other.

Note: The .NET Framework runs as a 32-bit application.

Version 1.1

Version 1.1 is required for the GatewayCheck Utility.

◆ For 32-bit Windows Server 2003, the .NET Framework is
integrated with the OS, and should be loaded and running. You
can verify this by going to the Control Panel and running Add or
Remove Programs and verifying that “Microsoft .NET
Framework 1.1” is installed.
If you need to install the .NET Framework, use Windows Update
or navigate to Microsoft .NET Framework 1.1 Service Pack 1 at the
Microsoft Download Center website.
◆ For 64-bit Windows Server 2003, you must download and install
the .NET Framework (minimum rev. 1.1) from the Microsoft
website. Use Windows Update and select the .NET Framework
1.1 package or navigate to the Microsoft .NET Framework Version
1.1 Redistributable Package at the Microsoft Download Center
website.

Version 2.0

Version 2.0 is required for the Gateway server application.

You must download and install the .NET Framework (version 2.0)
from the Microsoft website. Use Windows Update and select the
.NET Framework 2.0 package or navigate to the Microsoft .NET
Framework Version 2.0 at the Microsoft Download Center website:

Microsoft .NET Framework 2.0 Service Pack 1 (x86)

-or-

Microsoft .NET Framework 2.0 Service Pack 1 (x64)


Internet Information Services (IIS) deployment


This section provides details on deploying IIS.

Install IIS

To install IIS:

1. Open the Control Panel and select Add/Remove Programs.


2. On the left panel of the new window, click Add or Remove
Windows Programs.
3. Select Application Server, and click Details.
4. Select Internet Information Services Manager, and click Details.
5. Select:
• FTP Service
• IIS Manager
• SMTP Services
6. Click OK.
7. Click OK.
8. Click Next.
The screen in Figure 15 on page 57 appears.

Figure 15 Windows Component Wizard

9. Point to the location of the I386 directory in the installation
media, or other applicable location. If Insert disk appears, click
OK.
10. Browse to location.
11. Click Open.
12. Click OK.

Note: You may need to browse again then click Open.

Figure 16 Files Needed dialog box

13. Click Finish.


14. Close Add or remove programs window.
IIS installs Common Files, and FTP and SMTP services in the OS
system drive.
15. Open Windows Explorer.
16. Find the inetpub directory.


17. Copy (DO NOT MOVE) the inetpub directory to the non-C: drive
used for the OS installation. In the example in Figure 17 on
page 59, this is drive E:.

Figure 17 Inetpub directory

18. Build a directory structure according to the format specified in the
Site Planning Guide, as shown in Figure 18 on page 60.
19. Verify that mailroot and its subdirectories were included in
copying the inetpub directory from the C: drive to the new drive.

Configure IIS

Configure IIS according to the directions in Chapter 2, “Preparation
for Standard Installation,” substituting the non-C: drive in the
directory paths (E: in this case).

! IMPORTANT
You must also keep the directory structure for the inetpub directory
on the C: drive. See Figure 18 on page 60


Figure 18 Directory structure

FTP server

To set up the FTP server:

1. Right-click My Computer, and select Manage, as shown in
Figure 19 on page 60.

Figure 19 My Computer > Manage

2. Double-click Services and Applications as shown in Figure 20 on
page 61.

Figure 20 Computer Management > Services and Applications

3. Double-click Internet Information Services.


4. Double-click FTP Sites.
5. Select Default FTP Sites.
6. Right-click Properties.
7. Change the description line in the Default FTP Site Properties
window from Default FTP Site to ESRS Gateway as shown in
Figure 21 on page 62.


Figure 21 Rename FTP site

8. Select the proper IP address (if multi-homed, this is the internal IP
address) (Figure 22 on page 62).

Figure 22 FTP Site IP address selection

9. Click Security Accounts and clear the Allow anonymous
connections checkbox (Figure 23 on page 62).

Figure 23 Allow anonymous connections checkbox cleared


10. Click Yes in warning message dialog box (Figure 24 on page 63).

Figure 24 IIS Manager data encryption warning

11. Click Apply.


12. Click Messages.
13. Fill in appropriate information for Messages, and click Apply
(Figure 25 on page 63).

Figure 25 Messages tab


14. Under the Home Directory tab, point to the home directory
structure on the non-system drive ('E:' in this case, or
E:\Inetpub\ftproot\) (Figure 26 on page 64).

Figure 26 Inetpub path

15. Click OK.


16. Check both the Read and Write options.
17. Click Apply.
18. Click OK.

Configure and test email

You must set the email message size to 15 MB.
1. In the left pane of the Internet Information Services (IIS) Manager
window, right-click Default SMTP Virtual Server and select
Properties, as shown in Figure 27 on page 65.


Figure 27 Default SMTP Properties

2. Click Messages as shown in Figure 28 on page 65.

Figure 28 Default SMTP Message Tab

3. Change the Limit message size to 15000.

4. Change the Limit session size to 30000.
5. Click OK.
6. In the left pane of the Internet Information Services (IIS) Manager
window, click on Domain under Default SMTP Virtual Server.
7. Right-click on emc.com and select Properties. See Figure 29 on
page 66.

Figure 29 Email server specification

8. Point to the maildrop directory on the installation drive (in this
case, E:\inetpub\mailroot\Drop), as shown in Figure 30 on
page 66.

Figure 30 Mail drop specification

9. Test the email server and verify that the mail is in the proper
directory (Figure 31 on page 67).

Note: This is Primus solution emc136619.

In the following session, the lines that begin with a three-digit reply
code are the responses that you receive; all other lines are commands
that you enter.

telnet ip_address 25
220 jerry.lab.pvt.dns Microsoft ESMTP MAIL Service, Version: 6.0.3790.1830 ready at Thu, 25 Jan 2007 15:20:31 -0500
vrfy onalert
252 2.1.5 Cannot VRFY user, but will take message for <onalert@emc.com>
helo
250 jerry.lab.pvt.dns Hello [192.1.7.203]
mail from:esrs@emc.com
250 2.1.0 esrs@emc.com....Sender OK
rcpt to:onalert@emc.com
250 2.1.5 onalert@emc.com
data
354 Start mail input; end with <CRLF>.<CRLF>
subject:testemailserver<CR>
This is a test of the email server<CR>
.<CR>
250 2.6.0 <JERRYexICnDdNUbr6TU00000001@jerry.lab.pvt.dns> Queued mail for delivery

Figure 31 Email server test


10. Return to \\inetpub\mailroot\drop directory.

Figure 32 Mail drop directory messages

11. Right-click on one of the listed mail messages.


12. Open the mail using Notepad.
You see contents similar to that in Figure 33 on page 69.


Figure 33 Sample email

13. Close and delete all email from the directory.
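
A scripted form of the e-mail server test and drop-directory check in the steps above (the same test appears in the standard-installation chapter), added here as an example; it is not EMC code. The Gateway address and drop directory are supplied by the caller, and the sample drop-directory message is constructed.

```python
"""Replay the guide's SMTP test session and check the mail drop directory.

Added example, not EMC code. The host and drop directory are supplied by
the caller; SAMPLE_DROP_MESSAGE is constructed for illustration.
"""
import email
import os
import smtplib
import sys
import tempfile

TEST_SUBJECT = "testemailserver"

# Steps and final reply codes as shown in the guide's e-mail server test figure.
EXPECTED = [
    ("connect", 220),
    ("vrfy onalert", 252),
    ("helo", 250),
    ("mail from:esrs@emc.com", 250),
    ("rcpt to:onalert@emc.com", 250),
    ("data", 250),
]

# Constructed sample of a file in the drop directory (not the guide's figure).
SAMPLE_DROP_MESSAGE = (
    b"x-sender: esrs@emc.com\r\n"
    b"x-receiver: onalert@emc.com\r\n"
    b"subject:testemailserver\r\n"
    b"\r\n"
    b"This is a test of the email server\r\n"
)


def run_smtp_test(host, port=25, timeout=10):
    """Send the same commands as the manual session; return [(step, code)]."""
    # A blank line separates the subject header from the body.
    body = "subject:%s\r\n\r\nThis is a test of the email server\r\n" % TEST_SUBJECT
    client = smtplib.SMTP(timeout=timeout)
    steps = [
        ("connect", lambda: client.connect(host, port)),
        ("vrfy onalert", lambda: client.verify("onalert")),
        ("helo", lambda: client.helo()),
        ("mail from:esrs@emc.com", lambda: client.mail("esrs@emc.com")),
        ("rcpt to:onalert@emc.com", lambda: client.rcpt("onalert@emc.com")),
        ("data", lambda: client.data(body)),
    ]
    replies = []
    try:
        for name, call in steps:
            try:
                replies.append((name, call()[0]))
            except smtplib.SMTPResponseException as exc:
                # For example DATA refused: record the code instead of aborting.
                replies.append((name, exc.smtp_code))
    finally:
        client.close()
    return replies


def compare_with_guide(replies, expected=EXPECTED):
    """Return (step, expected_code, actual_code) for every step that differs."""
    got = dict(replies)
    return [(s, c, got.get(s)) for s, c in expected if got.get(s) != c]


def find_test_messages(drop_dir, subject=TEST_SUBJECT):
    """Return paths of files in drop_dir whose Subject header equals subject."""
    hits = []
    for name in sorted(os.listdir(drop_dir)):
        path = os.path.join(drop_dir, name)
        if not os.path.isfile(path):
            continue
        with open(path, "rb") as handle:
            message = email.message_from_binary_file(handle)
        if (message.get("Subject") or "").strip().lower() == subject.lower():
            hits.append(path)
    return hits


def remove_messages(paths):
    """Delete the given files; only the matched test messages are removed."""
    for path in paths:
        os.remove(path)
    return len(paths)


if __name__ == "__main__":
    if len(sys.argv) == 3:  # <gateway_ip> <drop_directory>
        print("reply mismatches:", compare_with_guide(run_smtp_test(sys.argv[1])) or "none")
        print("test messages:", find_test_messages(sys.argv[2]) or "none")
    else:  # offline demonstration on the constructed sample
        demo_dir = tempfile.mkdtemp()
        with open(os.path.join(demo_dir, "sample.eml"), "wb") as out:
            out.write(SAMPLE_DROP_MESSAGE)
        print("test messages:", find_test_messages(demo_dir))
```

Run it with the Gateway's internal IP address and the drop directory configured for the emc.com domain; with no arguments it only exercises the drop-directory check on the constructed sample.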


This completes the installation and configuration of the base OS. At
this point:

◆ All devices should be properly installed and functioning,
including appropriate Service Pack and patches
◆ AV should be installed and configured
◆ OS hardened according to your specifications
◆ Follow instructions in Section ”Post-installation configuration”
on page 70.
◆ Run the GatewayCheck utility to verify the system configuration
and connectivity to EMC target devices. Go to Chapter 4,
”GatewayCheck Utility.”


Post-installation configuration
This section provides instructions for tasks following server software
installation.

Gateway server

After finishing the Gateway server software installation, complete
the instructions in the following sections (from Primus emc141688).

Edit registry

When the system has been rebooted after installation:

1. Open a Command Prompt window.
2. Run the following command:
C:\Inetpub\AdminScripts> CScript.exe adsutil.vbs get /MSFTPSVC/PassivePortRange

Note: Specification of “C:” drive may or may not be correct; it depends
upon the directory where IIS is installed.

You see the following output:

Microsoft (R) Windows Script Host Version 5.6
Copyright (C) Microsoft Corporation 1996-2001. All rights reserved.

PassivePortRange : (STRING) "5400-5413"

3. If you do not see the previous response, run the following
command on the Gateway:
C:\Inetpub\AdminScripts> CScript.exe adsutil.vbs set /MSFTPSVC/PassivePortRange "5400-5413"

4. Now run the following command:
C:\Inetpub\AdminScripts>iisreset /restart

You see the following output:

Attempting stop...
Internet services successfully stopped
Attempting start...
Internet services successfully restarted

5. Using Notepad, edit the file:
<Install_Drive>:\EMC\Gateway\ESRS\Gateway Device\xgFileWatch.xml

so that the paths reflect the proper drive letter.

Note: There are multiple entries in the file. Verify and edit all paths as
necessary.

See the following example for one instance of a path to edit.

Example

~
<filewatchschema
    name="ESRS Connect Home FTP"
    action="upload"
    transient="yes"
    initialaction="no"
    method="timesize"
    changenotify="none"
    missingnotify="none"
    hint="ESRSFTP"
    missingseverity="10"
    changeseverity="10"
    delay="15">
    <!-- directory: watched directory (i.e. files inside the directory are watched)
         supported attributes:
         - name (mandatory): absolute or relative path
         - optional attributes of filewatchschema: may be overridden here
         - recursive (optional): subdirectories are watched recursively, when true:
             * "no" (default)
             * "yes"
         - pattern (optional): shell expression. Only matched files are watched.
           Default is all files
    -->
    <directory
        name="[install_drive]:\Inetpub\ftproot\LocalUser\onalert\incoming"
        pattern="*.*"
        recursive="no"/>
</filewatchschema><filewatchschema
    name="ESRS Connect Home SMTP"
    action="upload"
    transient="yes"
~
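
The verification this step asks for ("verify and edit all paths"), as an added example that is not EMC code: it lists every directory entry in xgFileWatch.xml whose path is not on the install drive. The sample document is constructed from the excerpt above; its <filewatch> root element and the path in the SMTP schema are assumptions, because the guide shows only part of the file.

```python
"""List watched directories in xgFileWatch.xml that are not on the install drive.

Added example, not EMC code. SAMPLE_XML is constructed from the excerpt in
this guide; the <filewatch> root element and the SMTP drop path are
assumptions, since the guide elides the rest of the file.
"""
import ntpath
import sys
import xml.etree.ElementTree as ET

# Constructed sample: an E: installation where one schema still points at C:.
SAMPLE_XML = r"""<filewatch>
  <filewatchschema name="ESRS Connect Home FTP" action="upload" transient="yes">
    <directory name="E:\Inetpub\ftproot\LocalUser\onalert\incoming"
               pattern="*.*" recursive="no"/>
  </filewatchschema>
  <filewatchschema name="ESRS Connect Home SMTP" action="upload" transient="yes">
    <directory name="C:\Inetpub\mailroot\Drop" pattern="*.*" recursive="no"/>
  </filewatchschema>
</filewatch>"""


def audit_root(root, install_drive):
    """Return (schema name, path, problem, proposed path) for each bad entry."""
    want = install_drive.rstrip(":\\").upper() + ":"
    findings = []
    for schema in root.iter("filewatchschema"):
        for entry in schema.iter("directory"):
            path = entry.get("name", "")
            # ntpath applies Windows path rules on any platform.
            drive, rest = ntpath.splitdrive(path)
            if drive.upper() == want:
                continue
            if drive:
                problem = "on drive %s, expected %s" % (drive.upper(), want)
                proposed = want + rest
            else:
                problem = "no drive letter (relative path or unreplaced placeholder)"
                proposed = None
            findings.append((schema.get("name"), path, problem, proposed))
    return findings


def audit_text(xml_text, install_drive):
    """Same check for a document held in a string."""
    return audit_root(ET.fromstring(xml_text), install_drive)


if __name__ == "__main__":
    if len(sys.argv) == 3:  # <path to xgFileWatch.xml> <install drive letter>
        results = audit_root(ET.parse(sys.argv[1]).getroot(), sys.argv[2])
    else:  # offline demonstration on the constructed sample
        results = audit_text(SAMPLE_XML, "E:")
    for name, path, problem, proposed in results:
        print("%s: %s -> %s" % (name, path, problem))
        if proposed:
            print("    proposed: %s" % proposed)
    print("%d path(s) to edit" % len(results))
```

The script only reports; the edit itself is still made in Notepad as the step describes, which leaves the comments in the file untouched.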


Policy Manager

After the Policy Manager server software installation is complete,
edit the FileUpload attributes of all Policies on the Policy Manager
Global group to reflect the correct paths of the file locations on the
Gateway server. We recommend that you first copy all applicable
policies and then make edits to one set, leaving the original policies
with the original locations. Figure 34 on page 72 shows edits that
must be made to the policies.

Figure 34 Policy Manager disk changes

1. Click on the link for the permission as shown in Figure 35 on
page 72.

Figure 35 Permissions link

2. A screen appears for editing the File Upload permissions. Click
Next as shown in Figure 36 on page 72.

Figure 36 Editing File Upload permissions


3. The edit parameters screen appears. In the File: field, enter the
correct drive and path for the directory listed in the Parameters
field, and click Add as shown in Figure 37 on page 73.

Figure 37 Adding updated drive and path

4. Check the path now listed with the original. If listed correctly,
click Finish, as shown in Figure 38 on page 73.

Figure 38 Checking entry and clicking Finish

5. The screen now returns to the Global group permissions. The
Parameters field now shows the drive and path you entered for
the associated permission, as shown in Figure 39 on page 74.


Figure 39 Updated Parameter listing

6. Repeat step 1 on page 72 through step 5 on page 73 for each File
Upload action.

Chapter 4
GatewayCheck Utility

This chapter provides instructions on installing and running the
GatewayCheck utility (GatewayCheck.exe), which verifies that a
candidate server meets the hardware, software, and network
configuration requirements for successful Gateway and Policy
Manager software installation. Topics include:
◆ Overview
◆ GatewayCheck system requirements
◆ Installation
◆ Operation
◆ Required test failure resolution
◆ Version information


Overview
The EMC Secure Remote Support Gateway solution has specific
requirements for the hardware, software, and network configurations
of the customer-supplied Gateway and Policy Manager servers. If a
Gateway or Policy Manager server does not meet one or more of the
requirements (listed in Table 2 on page 77), various problems may
occur both during and after Gateway software installation.

The GatewayCheck utility tests candidate Gateway and Policy
Manager servers to verify that each server meets all the configuration
requirements necessary for successful Gateway software installation.

When you run the GatewayCheck utility on a candidate server, the
utility performs a full series of automated system requirement tests
on the server. Each test verifies the server’s compliance with a
specific system requirement, and GatewayCheck assigns a Passed or
Failed status to each test result.

Each time you run a new series of tests, the GatewayCheck utility
creates a new report file and stores all the test results in that file. You
can then use the GatewayCheck application (or Notepad or
WordPad) to view the report files for all the test series that you have
run on a server.

Note: You must install and run this application on every Gateway and Policy
Manager server, verifying that each server passes the required
GatewayCheck tests before your Gateway installation date.

.NET Framework 1.1 needs to be installed and functioning for the
GatewayCheck Utility to function correctly.

Some ports may fail the connectivity test. This is due to the existence of
secondary connections, and does not affect the overall test result.

You will need to supply a copy of the test results to EMC Global Services
before the Gateway software installation is performed.


GatewayCheck system requirements


GatewayCheck checks that your server and its environment meet
requirements. These requirements are listed in Table 2 on page 77.

Table 2 GatewayCheck system requirements

Item                              Requirement
--------------------------------  ------------------------------------------------------------
Operating system                  Microsoft Windows Server 2003 SP1 or later

                                  Microsoft .NET Framework 1.1

Storage                           0.5 GB disk space available

Memory                            512 MB RAM (1024 MB RAM preferred)

                                  Minimum single 10/100 Ethernet adapter, preferred Gigabit
                                  Ethernet adapters, optional additional NIC for data backups

Network connectivity to devices   Network connections open between server and devices

Internet access                   Internet connection open on server


Installation
To install the GatewayCheck utility:

1. On the targeted Gateway or Policy Manager server, create a
directory called GatewayCheck.

Note: For best results, you should create the GatewayCheck directory on
the drive where you intend to install the Gateway and Policy Manager
software on the server, but this is not a requirement.

2. Do one of the following:


• Follow EMC Customer Support instructions to open or
download the latest version of the GatewayCheck utility from
the EMC Powerlink web site (http://Powerlink.EMC.com) to
a staging location or removable disk.
• Insert the Gateway software installation CD. Then use
Microsoft Windows Explorer to open the following directory
on the CD:
Utilities\ESRS Site Validation Tool

3. Copy the three files identified in Table 3 on page 78 to the new
GatewayCheck directory on the target server.

Table 3 GatewayCheck installed files

Filename                   Description
-------------------------  ---------------------------------------------
GatewayCheck.exe           Application
GatewayCheck.exe.config    Application configuration file
TextMask.dll               Custom edit control for text field validation


Operation
The GatewayCheck utility provides a suite of tests that you can run
on a candidate Gateway or Policy Manager server in order to verify
that the target server meets the hardware, software, and network
configuration requirements for successful installation of the Gateway
and Policy Manager software:

There are tests specific to Gateway servers and to Policy Manager
servers.

◆ If you plan to run the Gateway and Policy Manager applications
on the same server, you should run all available tests on that
server.
◆ If you plan to run the Gateway and Policy Manager applications
on separate servers, you should run the Gateway-related tests
only on the Gateway server, and you should run the Policy
Manager tests only on the Policy Manager server.

To run a series of tests using the GatewayCheck application:

1. Launch the GatewayCheck application.


2. Enter your customer site and contact information.
3. Select the tests you want to run.
4. Set the configuration parameters for each test.
5. Execute the test run.
6. View the test results.
7. Save the test results to a log file in the GatewayCheck directory.
8. Exit the GatewayCheck application.

Launching the application
To launch the GatewayCheck application:

1. Use Microsoft Windows Explorer to open the GatewayCheck
directory, and then double-click the GatewayCheck.exe program
file.
The EMC Secure Remote Support Gateway Installation Check
window appears, displaying a blank white application screen, as
shown in Figure 40 on page 80. This is the main GatewayCheck
application window.


Figure 40 Main GatewayCheck application window

2. The GatewayCheck utility creates the following three directories
within the GatewayCheck installation root directory:
[INSTALL_ROOT]
    LOGS
    ERROR
    TRACE

• The LOGS directory contains the report files in which
GatewayCheck stores the test results for each test series that
you run.
• The ERROR directory contains the GatewayCheck
application’s runtime error messages.
• The TRACE directory contains the GatewayCheck
application’s program execution logs.

! IMPORTANT
If you encounter a problem with the GatewayCheck application,
you must forward the contents of all three directories to your EMC
Global Services Representatives so that they can assist you in
solving the problem.


Entering customer information
You must register your customer site and contact information with
the GatewayCheck application before you can select and run any
tests on your server. To enter your information:

1. From the main GatewayCheck application menu, select Edit,
Gateway Customer Info.
A new window appears, displaying the Customer Information
form shown in Figure 41 on page 81.

Figure 41 GatewayCheck customer information form

2. Complete all text fields, as shown in Figure 41, and click OK.
The Test Selection screen appears, as shown in Figure 42 on
page 82.


Selecting tests to be run
After you have entered your site and contact information in the
Customer Information form, you can select the specific tests to be
performed during the test run. To do this:

1. From the main application menu, select Tests > EMC Secure
Remote Support Install Checks:
• If you did not yet enter your site and contact information, the
utility prompts you to do so. When you click OK from the
prompt, the Customer Information form appears, as shown in
Figure 41 on page 81. You must enter your customer
information before you can select and run any tests.
• If you have entered your customer site and contact
information, a new window appears, showing the Test
Selection screen with all test options selected by default, as
shown in Figure 42 on page 82.

Figure 42 GatewayCheck test selection screen

2. Decide which tests you want to include in this run.


The Test Selection screen lets you select options from any of the
following four test groups:
• Gateway Environment Tests — Verify that the Gateway
server hardware meets the minimum requirements and verify
that Microsoft Windows Server 2003 SP1 is installed on the
server.
• Policy Mgr Environment Tests — Verify that the Policy
Manager server hardware meets the minimum requirements
and verify that Microsoft Windows Server 2003 SP1 is installed
on the server.
• Network Connectivity Tests — Verify that all required
network connections have been configured properly, so that
communications are enabled between the Gateway server and
EMC and between the Gateway and Policy Manager servers.
• System Applications Tests — Verify that the Gateway server
has Microsoft IIS installed, has FTP and SMTP services
enabled and configured properly, has the required directory
structure in place on the installation root drive, has the
required user accounts configured properly, and has the
proper ports open for communication with each application
installed on each of its managed devices.
Different tests are designed to run on each type of server, as
follows:
• Co-Located Gateway and Policy Manager — You should run
all available tests. This is the default Test Selection screen
setting, as shown in Figure 42 on page 82.

Note: If you select at least one test option in each of the Gateway and
Policy Manager test groups, the GatewayCheck application assumes
that the Gateway and Policy Manager servers are to be co-located.
(GatewayCheck only tests the server on which it is installed.)

• Gateway Only — You should run all available tests except the
four tests for the Policy Manager.
• Policy Manager Only — You should run only the four tests in
the Policy Mgr Environment Tests group.
3. Using the checkboxes in the Test Selection screen shown in
Figure 42 on page 82, choose the tests you want to run on this
server. By default, all available test options are selected.


Note: GatewayCheck runs the selected tests only after you click Run
Tests on the Test Results screen. “Executing the test run” on page 88
provides instructions for running the selected tests.

4. If you want to run the Free Disk Space test from the Gateway
Environment Tests group, perform the following steps:
a. Check the box next to Free Disk Space:

b. Using the scroll bar, select the correct drive letter:

c. Highlight the drive letter with your mouse:

Note: If you do not highlight the drive letter, after step 5 on page 84,
you are asked to select the install drive letter even though the correct
letter is showing.

5. Click Next. Then:
• If, in the Test Selection screen, you selected:
– Any test option in the Policy Mgr Environment Tests
group
– The Gateway to Policy Manager Connection test option in
the Network Connectivity Tests group
– The EMC Registration Authority Connect HTTPS test
option in the Network Connectivity Tests group
– The EMC Secure Remote Support Connect HTTPS test
option in the Network Connectivity Tests group
– The Device Application Port Connection Test option in
the System Applications Tests group
The Test Configuration Parameters screen appears, as shown
in Figure 43 on page 85.
Go to “Setting test configuration parameters” on page 85 for
instructions on using this screen.
• If you did not select any of the previous test options, the Test
Results screen appears, as shown in Figure 44 on page 88.
Go to “Executing the test run” on page 88 for instructions on
using the Test Results screen to run the selected tests and view
the test results.

Setting test configuration parameters
If you have selected any of the tests listed in step 5 on page 84, when
you click Next on the Test Selection screen, the Test Configuration
Parameters screen appears, as shown in Figure 43 on page 85.

Figure 43 GatewayCheck Configuration Parameters screen

To go back to the Test Selection screen and choose different test
options, click Previous.

To set the parameters for the tests you selected, enter the information
required to perform the selected tests, as follows:

Note: If you wish to change the information in any text field on this screen,
you must use the Backspace key to delete the existing information and then
re-enter the correct information. You cannot highlight and overwrite existing
text, and you cannot click to insert new text in an existing entry.

1. In the Policy Manager area (upper-left corner of screen):
a. In the Policy Mgr IP Address field, enter the Policy Manager
server’s IP address.
b. If the Policy Manager is not yet installed on this server, select
No to answer the Policy Mgr currently installed: question.
c. If the Policy Manager is installed, select Yes to answer the
Policy Mgr currently installed: question, and select the Check
if Policy Manager is Installed on Gateway checkbox if you
have installed co-located Gateway and Policy Manager servers
on this machine.
2. In the Proxy Server area (upper-right corner of screen):
a. If a proxy server routes outbound Internet traffic from the
Gateway server, select Yes to answer the Gateway using
Proxy Server: question.
b. Complete the four proxy server information fields, if they
are active:
– Proxy IP Address — Proxy server IP address
– Proxy Port — Port over which proxy server communicates
with Gateway server
– User Name — User name for an authorized proxy server
user account
– Password — Password for previously-named proxy server
user account (valid characters do not include %, &, <,
and >)

Note: If the password field is not filled in, you receive a warning message.
You may continue with the installation.

3. In the Device area (middle section of screen), if you are running
GatewayCheck on a Gateway server in the DMZ, and you wish to
ensure that the internal firewall rules allow network connections
between the Gateway server and the targeted EMC devices, using
the required application-specific ports, then for each device:
a. Click to select the Product Type from the scrolling list.
(Symmetrix is selected by default.)
b. Click to select the Applications to be tested on the device.
(Press and hold the Ctrl key and click to select multiple
applications.)
c. Enter the device’s IP address.
d. Click Add to add the device to the Device List at the bottom of
the screen.
To remove a device from the Device List:
a. Click the box to the left of a Device ID to select the row. (You
can also press and hold the Ctrl key and click to select
multiple rows.)
b. Click Remove.
4. If you have added any devices to the Device List, click Save Cfg.
GatewayCheck creates one test record for each application
selected. If an application requires more than one port,
GatewayCheck tests the ports for that application one at a time
until either one port fails, causing the application test to fail, or all
ports pass, causing the application test to pass.
5. When you have completed all available fields in the Policy
Manager and Proxy Server areas, and you have added all the
devices that you want to test to the Device List, click Next.
The Test Results screen appears, as shown in Figure 44 on
page 88.
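
The per-application port logic described in step 4, as an added example (not GatewayCheck's own code): one record per application, ports probed one at a time, stopping at the first port that fails. The application names and port numbers are constructed placeholders; the ports each product really needs are listed in the Site Planning Guide.

```python
import socket
from dataclasses import dataclass, field


@dataclass
class AppResult:
    """One test record: a single application on a single device."""
    device_ip: str
    application: str
    status: str = "Passed"
    notes: list = field(default_factory=list)


def probe_port(host, port, timeout=3.0):
    """Try one TCP connection; return (ok, reason)."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True, "connected"
    except socket.timeout:
        return False, "timed out (filtered by a firewall, or host down)"
    except ConnectionRefusedError:
        return False, "refused (host reachable, nothing listening)"
    except OSError as exc:
        return False, f"unreachable ({exc.strerror or exc})"


def check_application(device_ip, application, ports, timeout=3.0):
    """Probe the application's ports in order and stop at the first failure."""
    result = AppResult(device_ip, application)
    for port in ports:
        ok, reason = probe_port(device_ip, port, timeout)
        result.notes.append(f"TCP {port}: {reason}")
        if not ok:
            result.status = "Failed"
            break  # the remaining ports of this application are not probed
    return result


def run_port_tests(device_list, timeout=3.0):
    """Return one AppResult per (device, application) pair."""
    return [
        check_application(dev["ip"], app, ports, timeout)
        for dev in device_list
        for app, ports in dev["applications"].items()
    ]


def demo():
    """Constructed loopback scenario: two listening ports and one closed port."""
    listeners = []
    for _ in range(2):
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.bind(("127.0.0.1", 0))
        s.listen(5)
        listeners.append(s)
    # Bound but never listening: the port is reserved and connections are refused.
    closed = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    closed.bind(("127.0.0.1", 0))
    open_a, open_b = (s.getsockname()[1] for s in listeners)
    closed_port = closed.getsockname()[1]
    device_list = [{
        "ip": "127.0.0.1",
        "applications": {                      # placeholder application names
            "app-all-open": [open_a, open_b],
            "app-blocked": [open_a, closed_port, open_b],
        },
    }]
    try:
        return run_port_tests(device_list, timeout=1.0)
    finally:
        for s in listeners + [closed]:
            s.close()


if __name__ == "__main__":
    for r in demo():
        print(r.device_ip, r.application, r.status, r.notes)
```

A "refused" note means the device answered and the firewall path is open, while a time-out usually points at a rule that silently drops the traffic.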


Figure 44 GatewayCheck Test Results screen before test run execution

Executing the test run
Once you have selected the tests you want to run and configured the
parameters for those tests if necessary, the Test Results screen
appears, as shown in Figure 44 on page 88.

To go back to the Test Configuration Parameters screen shown in
Figure 43 on page 85 and reset your Policy Manager, proxy server,
and device information, click Previous.

Note: If you wish to change the information in any text field on the Test
Configuration Parameters screen, you must use the Backspace key to delete
the existing information and then re-enter the correct information. You
cannot highlight and overwrite existing text, and you cannot click to insert
new text in an existing entry.

To go back to the Test Selection screen shown in Figure 42 on page 82
and select a different set of tests for this run, click Previous twice –
first on the Test Results screen and then on the Test Configuration
Parameters screen.

To use the Test Results screen to execute the test run and view results:

1. Click Run Tests.
2. GatewayCheck runs all selected tests, one at a time. As each test
runs, the name of that test appears beneath a test progress bar in
the middle of the application window. As each test completes, its
progress bar disappears, and the progress bar for the next test
appears instead.

Note: If you have selected many devices or applications to be tested, the
test run may take some time. Please be patient.

3. When the tests are complete, the basic status of each test (Passed
or Failed) appears in the Summary Test Results pane, and the
detailed results of each test appear in the Detailed Test Notes
pane. Figure 45 on page 90 shows some sample test results.


Figure 45 GatewayCheck Test Results screen at test run completion

Viewing test results
This section describes how to view test results.

Test Results log files
When the test names and results appear in the Test Results screen as
shown in Figure 45 on page 90, you can use the Test Results screen to
view each test result in detail. You can also use a text editor such as
Notepad to view test results from the file system.

To view the detailed results of any test:

1. Select the desired test status (Passed or Failed) in the Summary
Test Results pane. The selected test is marked by an arrow in the
far-left column in the pane.
2. The Detailed Test Notes pane automatically shows the detailed
results for the selected test:
• The system configuration values obtained from the test
• If the test status is Failed, available information about why the
test failed
For example, in Figure 45 on page 90, you can see that the
Gateway Server OS version Windows 2003 test failed because the
server’s operating system is Microsoft Windows 2000
Professional.
3. When you have finished reviewing the test results, click Cancel.
The Test Results window closes, but the main application
window remains, as shown in Figure 41 on page 81.
From the main GatewayCheck application window, you can view
detailed test results for all the tests you have performed in any
GatewayCheck test run that you have executed on this server. To do
this:

1. From the menu bar, select View > Gateway Test Logs.
The Test Results Logs navigation window appears, as shown in
Figure 46 on page 91.

Figure 46 GatewayCheck Test Results Logs navigation window

2. In the Files of type: drop-down list box, select Log files (*.log).


The Test Results Logs window displays the log files for every
GatewayCheck test series that you have completed on this server.
3. Select the log file for the test results you want to view and click
Open.
The Test Results Logs window closes, and the contents of the log
file that you selected appear in the main GatewayCheck
application window, as shown in Figure 47 on page 92.

Figure 47 Sample GatewayCheck Test Results log file contents

4. Use the View, Find option in the main application window to search
within the log file for specific text string values.
5. When you are finished viewing the log file, you can use the File,
Close menu option to close the log file and leave the
GatewayCheck application running.
Once you close the log file containing your test results, you can use
the View, Gateway Test Logs menu option to reopen the Test Results
Logs navigation window (shown in Figure 46 on page 91) to open
and view the other log files that pertain to your run.

GatewayCheck application log files

Runtime error logs
To see the GatewayCheck application’s runtime error messages:
1. In the Test Results Logs navigation window, open the Error
directory.
2. In the Files of type: drop-down list box, select Error files (*.err).
The Test Results Logs window displays the application’s runtime
error files for every GatewayCheck test series that you have
completed on this server.
3. Select the error file for your test run and click Open.
The Test Results Logs window closes, and the contents of the
error file that you selected appear in the main GatewayCheck
application window.

Program execution logs
To see the GatewayCheck application’s program execution logs:
1. In the Test Results Logs navigation window, open the Trace
directory.
2. In the Files of type: drop-down list box, select Trace files
(*.trace).
The Test Results Logs window displays the application’s
program execution logs for every GatewayCheck test series that
you have completed on this server.
3. Select the trace file for your test run and click Open.
The Test Results Logs window closes, and the contents of the
trace file that you selected appear in the main GatewayCheck
application window.

Saving Test Results and exiting the application
When you have finished viewing all of your log files in the main
application window, you can do any of the following:

◆ Close the log file, using the File > Close menu option, and use the
main application window to start another test run or view
another file.
◆ Save the log file in the current display window to a new filename,
using the File > Save As menu option to open a standard
Windows Save As dialog box.
◆ Exit the application, using the File > Exit menu option or the X
button in the upper-right corner of the window to close the
application window.


Required test failure resolution
To successfully run the Gateway and Policy Manager software
installation program, each target server must pass the tests required
for its server type, as specified in Table 4 on page 94. If any required
tests show a Failed status, you must resolve those failures before your
Gateway installation date.

Note: If the Gateway and Policy Manager are to be co-located on a single
server, the target server must pass the required tests for both server types.

Table 4 GatewayCheck test failure resolution

Test name | Notes
Gateway Environment Tests | Required tests must pass on Gateway server
Memory | Required: At least 512 MB RAM
Free Disk Space | Required: At least 500 MB
Processor Speed | Required: Each at least 2.1 GHz total speed (one or more processors)
Operating System | Required: Windows Server 2003 SP1 or later 32-bit or 64-bit installed
Drive | Required: Designated drive available
Policy Mgr Environment Tests | Required tests must pass on Policy Manager server
Memory | Required: At least 512 MB RAM
Free Disk Space | Required: At least 1 GB
Processor Speed | Required: Each at least 750 MHz total speed (one or more processors)
Operating System | Required: Windows Server 2003 SP1 or later 32-bit or 64-bit installed
Network Connectivity Tests | Required tests must pass on Gateway server. Note: The EMC Registration Authority Connect and EMC Secure Remote Support Connect tests can be performed using either the HTTPS protocol or a simple TCP/IP connection to the EMC application servers. Required: Gateway server must pass both TCP/IP connection tests to proceed with Gateway software installation.
EMC Registration Authority Connect | Required: Gateway server can connect to EMC servers over TCP port 443.
EMC Registration Authority Connect HTTPS | HTTPS tests may fail for any of several reasons, for example, time-out and proxy configuration / authorization errors. You can test connections by using a local web browser to open the URLs provided in the detailed test results.
EMC Secure Remote Support Connect | Required: Gateway server can connect to EMC servers over TCP port 443.
EMC Secure Remote Support Connect HTTPS | HTTPS tests may fail for any of several reasons, for example, time-out and proxy configuration / authorization errors. You can test connections by using a local web browser to open the URLs provided in the detailed test results.
System Applications Tests | Required tests must pass on Gateway server
IIS Administration Service | Required: IIS installed on Gateway server
File Transfer Service | Required: FTP enabled on Gateway server and configured as specified in Site Planning Guide
Simple Mail Transport Protocol | Required: SMTP enabled on Gateway server and configured as specified in Site Planning Guide
Required Local User Accounts | Required: OnAlert and ESRSConfig user accounts created on Gateway server and configured as specified in Site Planning Guide
Required Directories and Permissions | Required: Directories created on Gateway server for use by FTP service, as specified in Site Planning Guide: C:\Inetpub\ftproot\LocalUser\OnAlert\incoming and C:\inetpub\ftproot\LocalUser\ESRSConfig
IIS and ESRS Installation Drive Check | Required: IIS and Gateway software installed on the same local drive. Note: If EMC has not yet installed the Gateway software, this test has a Failed status. However, the detailed test results state that the failure is a warning, and identify the drive on which EMC should install the Gateway software.
Device Application Port Connection Test | Required: Internal firewall rules must be updated to allow communication between the Gateway server and each of its managed devices, using the required ports for each remote support application, as specified in Site Planning Guide. Note: GatewayCheck tests the required port connections only for the devices and applications that you specify in the Test Configuration Parameters screen shown in Figure 43 on page 85. You should test the port connections for every application on every device that you want to manage through the Gateway system. Note: For devices not yet on the network, this test has a Failed status. For those devices, you should manually check the firewall rules to ensure that communication is allowed between the Gateway server and each device, using the required ports for each remote support application, as specified in Site Planning Guide.


Version information
You can use the main GatewayCheck menu shown in Figure 40 on
page 80 to get version and copyright information.

To get version and copyright information for the GatewayCheck
application, select About from the main application menu.


PART 2

Policy Management

The Policy Manager enforces the rules for customer-controlled
Gateway site access and activity.

Chapter 5, “Policy Manager Administration”
Provides instructions for setting up Policy Manager user accounts
for policy administrators.

Chapter 6, “Policy Manager Configuration and Operation”
Provides explanations and procedures for policy configuration
and storage array access control.

5 Policy Manager Administration

This chapter presents the initial Policy Manager server configuration
procedures, including Tomcat web server administration. Your
primary activity here is user account setup:

◆ Installation
◆ Startup/shutdown
◆ Modifying the login banner
◆ Creating Policy Manager user accounts
◆ LDAP authentication


Installation
EMC Customer Service performs all installations of the Policy
Manager software on a server that you provide and maintain at your
site.

Note: The Policy Manager uses Apache Tomcat 5.0.x. Only Tomcat operations
that are relevant to Policy Manager use are discussed here. For complete
documentation on Apache Tomcat, refer to http://tomcat.apache.org

During Policy Manager installation, the EMC Customer Engineer
specifies the following information:
◆ Root installation directory
◆ Port used by Policy Manager’s Tomcat web service (default: 8090)
◆ Tomcat administrator’s email address
◆ Notification email address
To change any of the previous information, you must contact EMC
Customer Service.


Startup/shutdown
Upon Policy Manager server startup, its web server automatically
starts as a Windows service.
You can manually start or stop the Policy Manager from the Windows
Services item, as described here:
1. Open the Control Panel in Windows.
2. Open Administrative Tools.
3. Open Services.
4. Select EMC Secure Remote Service Policy Manager as shown in
Figure 48 on page 101.

Figure 48 Services listing

5. Click Stop to stop the service, as shown in Figure 49 on page 102.

Figure 49 Stopping the service

6. Click Start to restart the Policy Manager service, as shown in
Figure 50 on page 102.

Figure 50 Starting the service

7. Wait 10 seconds after starting the service to permit the Policy
Manager to stabilize.

Modifying the login banner
You have the option to change the text that displays in the disclaimer
section of the Policy Manager login screen. To change the text:
1. Browse to:
[install drive]:\EMC\Policy Manager\Tomcat5\webapps\applications\apm\disclaimer
2. Using a text editor program (such as Notepad), edit the file
named disclaimer.txt using any valid HTML text.
3. Save the file using the same file name (disclaimer.txt).


Creating Policy Manager user accounts
This section provides details about users and user accounts.

About users
You have the option of using your own Lightweight Directory Access
Protocol (LDAP) authentication by following the procedure in
“LDAP authentication” on page 112. The default authentication
scheme is an Apache Tomcat file realm. This realm controls local user
access to web server administration and Policy Manager application
user interface pages.

Tomcat user authentication
With the Tomcat scheme, you administer the Policy Manager through
a web interface.

Note: For complete documentation on Apache Tomcat, refer to
http://tomcat.apache.org

To configure the Tomcat web server for use with the Policy Manager
software, you must specify users at two access levels, represented by
two roles, APMAdmin and APMUsers:
◆ APMAdmin — System administrators: log in to the Tomcat web
server; configure server settings; add, configure, and delete user
accounts; and add, configure, and delete roles and user groups;
log in to the Policy Manager application; set permissions for all
policies, devices, and device groups defined in the Policy
Manager; define, configure, and delete policies, devices, and
device groups; view all Audit Log messages; and approve remote
access requests.
◆ APMUsers — Policy administrators: log in to the Policy Manager
application; set permissions for all policies, devices, and device
groups defined in the Policy Manager; define, configure, and
delete policies, devices, and device groups; view all Audit
Log messages; and approve remote access requests.
Passwords for Policy Manager accounts are stored encrypted.


Tomcat user account planning
The Tomcat web server, installed as a component of the Policy
Manager, is installed with predefined roles and a predefined
administrator user account.
These predefined settings include:
◆ Roles: APMAdmin and APMUsers

Note: You may also see additional listed roles: admin, manager, role1,
tomcat. The only groups used by the Policy Manager are APMAdmin
and APMUsers.

◆ User Groups: (None)
◆ Username: admin
• Roles assigned: APMAdmin, APMUsers
• Password assigned: EMCPMAdm7n

Note: Change the admin account password immediately to avoid the
possibility of a targeted Denial of Service (DoS) attack against
ESRS solutions that still contain the default password for the Tomcat web
server administrative account. “Changing the Tomcat administrator
password” on page 107 provides instructions.

Before you configure the Tomcat web server for the Policy Manager,
you should record the following information for later entry into the
Tomcat Web Server Administration Tool’s user interface:
◆ Full names of all new Policy Manager and Tomcat users
◆ Username and password to be assigned to each new user account
◆ Roles to be assigned to each new user account
◆ New password for default admin account


Logging into the Tomcat server
Once you have recorded the information mentioned in the previous
section, you can make configuration changes to the Tomcat and
Policy Manager applications.

Note: You must restart the Policy Manager service after creating a user
account.

1. Open a web browser, and type the Policy Manager server’s IP
address or domain name and the port number that the Tomcat
web server uses (8090 or the alternate port number designated at
installation):
http://domain_name_or_IP_address:port_number/admin/
for example:
http://server1.customer.com:8090/admin/
-or-
http://10.241.172.13:8090/admin/

If you open the web browser on the Policy Manager server itself,
type:
http://localhost:port_number/admin/
for example:
http://localhost:8090/admin/
The Tomcat Web Server Administration Tool login page appears.
2. Type the username admin and the password EMCPMAdm7n.
The Tomcat Web Server Administration Tool home page appears,
with the navigation tree in the left-hand pane and a blank
dimmed screen in the right-hand pane, as shown in Figure 51 on
page 107.


Figure 51 Tomcat navigation tree

Changing the Tomcat administrator password
To change the default admin password:

1. In the navigation tree, under User Definition, click Users. The
Users List screen appears, as shown in Figure 52 on page 107.

Figure 52 Users List screen

Note: Three users are predefined by the Tomcat default configuration:
both, role1, and tomcat. These are not used in Policy Manager.

2. In the Username column, click admin.
The Edit Existing User Properties screen appears, as shown in
Figure 53 on page 108.


Figure 53 Edit Existing User Properties screen

3. Delete the default password, and carefully type the new admin
user account password (that you chose earlier), and click Save.

Note: Do not use reserved UNIX or Windows characters for passwords or
usernames. Username and password entries are case sensitive.

The Users List screen reappears, as shown in Figure 52 on
page 107.

Creating a Policy Manager user account
To create a new Policy Manager user account:

1. Log into the Tomcat server.
2. In the navigation tree, under User Definition, click Users.
3. From the User Actions list box, select Create New User, as shown
in Figure 54 on page 108.

Figure 54 User Actions list box

The Create New User Properties screen appears, as shown in
Figure 55 on page 109.
4. For the first new user account, type the Username, Password, and
(optionally) the Full Name.

Note: The Username and Password entries are case-sensitive. Do not use
reserved UNIX or Windows characters for passwords or usernames.

Figure 55 Create New User Properties screen

5. Scroll down until you can see the entire Role Name column in the
Create New User Properties screen, and use the checkboxes to
select the roles that you want to assign to the new user. For a
particular user, you should select either or both of APMAdmin
and APMUsers, as described in “About users” on page 104.

Note: Two roles are predefined in the Tomcat default configuration: role1
and tomcat. These are not used in Policy Manager.

You can assign both the APMAdmin and APMUsers roles to a
single user, so that the user can access both the Tomcat Web
Server Administration Tool and the Policy Manager application.

Note: For APMAdmin roles to be able to add, delete, or modify users, they
must also be assigned the admin role.

6. Click Save.

The Users List screen reappears, with the user account you have
just created included in the list.
7. Repeat step 3 on page 108 through step 6 on page 109 for every
new user account.
8. Click Commit Changes as shown in Figure 56 on page 110.

Figure 56 Commit Changes button

9. In the left pane, select User Databases, as shown in Figure 57 on
page 110.

Figure 57 User Databases

10. In the right pane, again select User Databases.


11. When the pane expands, click Save, as shown in Figure 58 on
page 111.

Figure 58 Saving changes

12. Click Commit Changes as shown in Figure 59 on page 111.

Figure 59 Committing changes and logging out

13. Click Log Out.


14. Restart the Policy Manager service.

! IMPORTANT
For changes to take effect, restart the Policy Manager service as
described in “Startup/shutdown” on page 101.

LDAP authentication
If you want to use your current domain accounts to manage access to
the Policy Manager, and so avoid using a shared account or
configuring duplicate accounts in Policy Manager, you have the
option to use your standard LDAP instead of the default Tomcat user
list. For complete documentation on LDAP versions supported by
Tomcat, refer to
http://tomcat.apache.org

Note: Customers are required to work with their own internal Security Team
for LDAP configuration. Please be advised it is a very complex configuration.
EMC is not responsible for the LDAP Policy Manager configuration.

Not having a shared account increases security as auditing can be
used to determine who performed actions on the Policy Manager.
Additionally, there are fewer chances of unauthorized access.
Configuring the Tomcat application server to use an LDAP server for
user authentication is non-trivial and requires assistance from your IT
department as well as some knowledge of configuring Tomcat.
Limiting the use of the Policy Manager to specific groups or
individuals may require changes to your LDAP organization.

Note: Only a system administrator with a high level of knowledge about
LDAP should make the changes detailed in this procedure.

To change the authentication:

1. Download JNDI version 1.2.1 to get a copy of the ldap.jar file by
using the following steps:
a. Browse to the Sun Microsystems web site:
http://java.sun.com/products/jndi/downloads/index.html
b. Click associated with:
Download JNDI 1.2.1 & More
c. Open the file named ldap-1_2_4.zip
d. Extract the lib\ldap.jar file

2. Create a JNDI realm following the instructions provided in the
online documentation at the Apache Tomcat website:
http://tomcat.apache.org/tomcat-5.5-doc/realm-howto.html#JNDIRealm

Note: Before editing the server.xml file, make copies of server.xml and
tomcat-users.xml.

3. Remove the realm for authenticating users configured in the
tomcat-users.xml file:
a. Edit the file named:
[install_drive]:\EMC\Policy Manager\conf\server.xml
b. Delete or comment out the line:
<Realm className="org.apache.catalina.realm.MemoryRealm"
debug="0" pathname="conf/tomcat-users.xml" validate="true"
digest="SHA"/>

4. Save the server.xml file.


5. Restart the Policy Manager service as described in
“Startup/shutdown” on page 101.
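
A check for steps 3 and 4, as an added example that is not part of the EMC guide: it parses server.xml and reports whether the MemoryRealm is really gone and a JNDIRealm is in place. The JNDIRealm values shown (ldap.example.com, the ou=people and ou=groups layout) are placeholders, and the finding codes are names made up for this sketch.

```python
"""Review a Tomcat server.xml after switching from MemoryRealm to JNDIRealm."""
import xml.etree.ElementTree as ET

MEMORY_REALM = "org.apache.catalina.realm.MemoryRealm"
JNDI_REALM = "org.apache.catalina.realm.JNDIRealm"

# Constructed sample: the realm quoted in step 3, still active.
BEFORE = """<Server><Service name="Catalina"><Engine name="Catalina" defaultHost="localhost">
  <Realm className="org.apache.catalina.realm.MemoryRealm"
         debug="0" pathname="conf/tomcat-users.xml" validate="true"
         digest="SHA"/>
</Engine></Service></Server>"""

# Constructed sample: MemoryRealm commented out, JNDIRealm added.
# Host name and directory layout are placeholders (assumptions).
AFTER = """<Server><Service name="Catalina"><Engine name="Catalina" defaultHost="localhost">
  <!-- <Realm className="org.apache.catalina.realm.MemoryRealm"
         debug="0" pathname="conf/tomcat-users.xml" validate="true"
         digest="SHA"/> -->
  <Realm className="org.apache.catalina.realm.JNDIRealm"
         connectionURL="ldaps://ldap.example.com:636"
         userPattern="uid={0},ou=people,dc=example,dc=com"
         roleBase="ou=groups,dc=example,dc=com"
         roleName="cn"
         roleSearch="(uniqueMember={0})"/>
</Engine></Service></Server>"""


def active_realms(server_xml):
    """Attributes of every <Realm> the XML parser sees.

    Comments are skipped by the parser, so a commented-out realm is not listed.
    """
    root = ET.fromstring(server_xml)
    return [dict(element.attrib) for element in root.iter("Realm")]


def review(server_xml):
    """Return (code, message) findings; an empty list means nothing was flagged."""
    findings = []
    realms = active_realms(server_xml)
    if any(r.get("className") == MEMORY_REALM for r in realms):
        findings.append(("memory-realm-active",
                         "MemoryRealm is still configured; step 3 has not been applied"))
    jndi = [r for r in realms if r.get("className") == JNDI_REALM]
    if not jndi:
        findings.append(("no-jndi-realm", "no JNDIRealm element found"))
    for realm in jndi:
        url = realm.get("connectionURL", "")
        if not url:
            findings.append(("no-connection-url", "JNDIRealm has no connectionURL"))
        elif url.lower().startswith("ldap://"):
            findings.append(("cleartext-ldap",
                             "connectionURL uses ldap://; directory traffic is not protected by TLS"))
        if not (realm.get("userPattern") or realm.get("userSearch")):
            findings.append(("no-user-lookup",
                             "neither userPattern nor userSearch is set"))
        if not (realm.get("roleName") or realm.get("userRoleName")):
            findings.append(("no-role-lookup",
                             "no role attribute is set, so APMAdmin/APMUsers cannot be resolved"))
    return findings


if __name__ == "__main__":
    for label, text in (("before", BEFORE), ("after", AFTER)):
        print(label, review(text) or "no findings")
```

Run it against the copy of server.xml you edited, alongside the backup made before step 3, before restarting the Policy Manager service.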

6
Policy Manager Configuration and Operation

This chapter presents the main policy management interface for the
Policy Manager. Remote user access and activity is initially specified,
and then managed while the Gateway is operational, for particular
devices and groups of devices:

◆ Setting policy (page 116)
◆ Answering device access requests (page 133)
◆ Viewing the Audit Log (page 137)

Setting policy
If you are unfamiliar with the Policy Manager interface, follow the
tour outlined in these subsections:
◆ “Policy settings” on page 118
◆ “Access rights” on page 124
◆ “Notifications” on page 128

Log in to home page

Once your Policy Manager system administrator has assigned you a
username and password, you can log into the Policy Manager
application as follows:
1. Open a web browser, and type the Policy Manager server’s IP
address or domain name and the port number that the Tomcat
web server uses (8090 or the alternate port number designated at
installation) in the URL shown here:
http://DomName_or_IPAddr:PortNumber/actions/index

for example:
http://server1.customer.com:8090/actions/index

If you open the web browser on the Policy Manager server itself,
you can type:
http://localhost:port_number/actions/index
for example:
http://localhost:8090/actions/index

The Policy Manager Login screen appears as shown in Figure 60
on page 117. “Modifying the login banner” on page 103 describes
how to configure the disclaimer section of this screen.

Figure 60 Policy Manager login screen

2. Type the username and password given to you by your system
administrator and click Log in.
The Policy Manager home page appears, with links to the
user-accessible features of the Policy Manager application, as
shown in Figure 61 on page 117. Notice that the Policy Manager
version number is displayed under the first heading.

Figure 61 Policy Manager home page

3. Access the main Policy Manager features by clicking on the tabs:
• Policy — Edit policy settings, as described in “Policy settings”
on page 118. This is where you initially set or modify the
policy settings for the Global group.
• Pending Requests — Review and edit currently active
transactions, as described in “When a request is sent using the
embedded web address, the policy administrator receiving the
email has direct access to the Policy Manager interface to
approve or deny the request.” on page 132.
• Audit Log — Review completed transactions, as described in
“Viewing the Audit Log” on page 137.
• Configuration — Configure device groups (a single set of
policies applies to all devices in a group), as described in
“Notifications” on page 128.

Policy settings

This section describes the global policy settings, group hierarchies,
and device type settings.

Global settings page

For the Global settings:

1. Log in to the Policy Manager home page, following the procedure
given in “Log in to home page” on page 116.
2. Click Policy to view settings for the top-level Global group.
Figure 62 on page 119 shows the Global group page.

Figure 62 Policy: Settings: Global

There are six fields that represent the policy record for each
permission. A permission is an action with defined parameters. The
permission also has an access right setting that tells you whether it is
allowed for that group. Table 5 on page 120 provides an explanation
and example of the policy settings.

Table 5 Policy settings

Action
  Description: Behavior regulated by Policy Manager
  Reference: Listed in Table 6 on page 120 and Table 12 on page 176
  Example: Remote Application Access

Permission
  Description: Specific version of an action
  Reference: See Tables 13 through 24 beginning on page 179
  Example: Celerra® Remote Application - CelerraMgr

Parameters
  Description: Defines a general action through the use of specified limits (permission)
  Example: Remote Application Name: CelerraMgr

Access right
  Description: Allows or denies permission: The value of the permission
  Reference: See Table 7 on page 124
  Example: Always Allow [can choose from menu]

Inheritance
  Description: Shows source level of access right, at or above current level
  Example: Celerra

Lock
  Description: Can lock access right for lower levels
  Example: [optional]

Scrolling the policy settings window shows all line-item Global
action/permission records. Although a number of actions are
available to the Gateway solution, only a subset are currently used in
the Policy Manager (grayed-out text marks the actions currently not
used). The actions are listed in Table 6 on page 120.

Table 6 Actions (Global group default set)

Enable a Script        Set Time                  Restart Agent
Register Script        Package                   Execute
Disable a Script       Alarms                    Remote Application
Run Script             Events                    Remote Terminal
UnSchedule a Script    Data Item Values          Enable a Timer
Schedule a Script      Emails                    Remove a Timer
Stop Script            Modify Ping Update Rate   Disable a Timer
UnRegister Script      File Download             Create a Timer
Set Data Item Values   File Upload               Stop Remote Session

Group hierarchy page

The Global group is the top-level parent providing default settings.
There is a group for each device type at the level lower than Global,
such as CLARiiON® and Symmetrix, with its own set of rules. Global
permissions and access rights are inherited by device type groups:
Select the Explore Device Groups link at upper right of the page.
This brings up the page shown in Figure 63 on page 121. It shows the
hierarchy of preset groups as well as the devices registered with the
Policy Manager. Examine the structure of the groups you see.

Figure 63 Policy: Explore Device Groups

Configure policy settings

Use the following procedure to configure policy settings:

1. Log in to the Policy Manager home page following the procedure
given in “Log in to home page” on page 116.
2. Navigate to the correct policy settings page by clicking the Policy
tab, then the Explore Device Groups link, and then a group
(name) link.
This opens the policy settings page for the selected group.
3. For each action/permission line item desired, select the desired
access right in the policy settings page.
4. Click Done at the bottom of the page, and click OK on the Update
this policy? dialog box.
5. Repeat step 2 on page 121 through step 4 on page 121 for other
groups desired.

Group hierarchy: Preset groups

Each policy group is designated by a line item that links to further
information for each group. Your Policy Manager installation
includes a default set of second-level groups:
• Celerra
• EMC Centera®
• CLARiiON
• Connectrix®
• EMC ControlCenter®
• EDL
• Invista®
• Switch-Brocade-B
• Switch-Cisco
• Symmetrix
Note: You cannot alter these group names. EDM™ may also appear among
the EMC products displayed, but is not supported in Gateway release
1.02.xx.

The following groups are also found under the Name column:
ESRS Gateway
ESRS_Site_ID_ …

Gateway Device
ESRS_DEVICE_Site_ID_ …
The ESRS Gateway group represents the Gateway server, and
contains policy you may want to edit as you would with the EMC
product devices.

Note: The Gateway Device group should not be edited. It is used only to
support internal processing of connect home operations.

From the top level, the default structure of policy settings groups
reflects Device Types (EMC product families) and particular Devices:
Global [the sole top-level group]
    Device Type [group named by product name]
        Device [group named by product serial number]
To see the policy settings for a particular group, locate the group in
the hierarchy and click on its name to open the corresponding policy
settings page.

Device type settings page

If you select Celerra from the group hierarchy, you see policy settings
for Celerra, which are also the default settings for specific Celerra
devices (the next lower level).
Settings for the Celerra group are identical to those for the Global
group except that there are several additional Remote Application
actions. (See example in Figure 64 on page 123.) When an EMC
product (in this case Celerra) registers with the Policy Manager, its
policy settings are initially supplied from the default set of
permissions from the device (Celerra) template.
Among other things, this permission set identifies particular
applications for which EMC Customer Service needs access. For
example, if EMC Customer Support needs to work on a Celerra
problem, a support engineer needs to remotely access these Celerra
applications:
◆ CelerraMgr
◆ Telnet
◆ CLIviaSSH
Although other applications are denied access, those specific
applications are set at Always Allow.

Figure 64 Policy: Celerra: Remote Application Permissions

Device settings page

From the group hierarchy, select the group for a particular (Celerra)
device. It is represented below the device type name by a serial
number — for example, ML2805000499.
You now see policy settings for that device only. Some may be
inherited from the Global settings, some from the Celerra settings,
and some may be specific to that device.

Access rights

Policy settings are embodied in access rights. Each permission has an
access right specifying whether it can be executed.

Identify default settings

The policy for each new device registering with the Policy Manager is
inherited from the device type. Device type policy is preset by EMC,
but can be edited.
Policy for a particular group consists of a set of permissions
(action-parameter combination), each with an associated access right.
For a particular permission, one of three allowed access right options
is set:
◆ Always Allow
◆ Ask for Approval
◆ Never Allow
These options are fully described in Table 7 on page 124.

Table 7 Access right descriptions

Name / Description

Always Allow
The Agent can execute these permissions without asking for approval or sending the action information to
Policy Manager (the Agent does log an entry in the Policy Manager Audit log). To see which actions of
Always allow rights were performed on a device, refer to the device’s log file.

Ask for Approval
The Agent forwards the action and its parameters to Policy Manager for approval. When Policy Manager
receives the action, it sends an email to the address specified for the device’s policy and then stores the
action request in the Pending Requests queue. The action request remains shown in the Pending Requests
page until it is approved or denied, or it times out. (If timed out, the action is denied and needs to be
requested again, if desired, and a message is logged to the Policy Manager Audit Log.)

If approved or denied, the action request is removed from the Pending Requests page. A message
regarding the approval or denial is logged to the Policy Manager Audit Log. Policy Manager sends its
response (accept or deny) to the Gateway server. If the action request was approved, the device processes
the action.

Never Allow
The Agent does not execute these permissions and sends information for these requests to Policy
Manager only when Never Allow actions are requested from the Gateway server. To see which
device-initiated actions of Never Allow rights were denied on a device, refer to the device’s log file.

Access right settings

This section describes parent/child permissions and settings.

Set access rights

Set (or reset) an access right by choosing from the list box menu
provided for the particular permission, as shown in Figure 65 on
page 125 for Default package permission.

Figure 65 Setting an access right

You can set all access rights for a group to a single value by using the
checkbox Set All Permissions at the bottom left side of the page. For
example, Set All Permissions: Never Allow can be used in
emergencies to block all requests.

Figure 66 Set All Permissions

At the far right of each (unlocked) permission line item
is the Lock checkbox (Figure 67 on page 125) allowing
you to lock that permission. Selecting this box prevents
the corresponding access right in any child group from
being changed.

Figure 67 Access right lock

If an access right is locked in a parent group, then for any child group
this right appears as uneditable text (no list box menu) and cannot be
reset. The first three access rights listed in Figure 68 on page 125 are
locked by a parent group.

Figure 68 Locked and unlocked access rights

Lock permission for child

Lock
You can force the inheritance of a permission’s access rights from a
parent group or device to its child by locking the parent permission.
Access rights that are locked in a parent’s policy appear as plain text,
rather than a list box, in the child’s View or change the policy
settings page.
To Lock Permission of Child — Navigate to the View or change
the policy settings page under the Configuration tab. For each
permission that you want to lock, select the Lock checkbox for the
related permissions.
To Unlock a Permission — Navigate to the next parent (or higher)
policy in which that permission is locked. If the parent permission
has a selected Lock checkbox, clear it and click Done. If you do not
find a checkbox on that permission at all, navigate to the next higher
parent until you do, clear it and click Done.

Reset all permissions to match parent’s values

Reset to Parent’s Policy
You can force the policy of a child group or device to match that of its
parent, by clicking the Reset to Parent’s Policy button in the child’s
View or change the policy settings page.

Note: The Reset to Parent’s Policy option does not appear in any device
model (Connectrix, EMC Centera, and so on) policy settings page, where its
use would not be practical.

Reset all permissions to a single value

Set All Permissions
You can force the access rights for all permissions in the current
policy to the same setting. In the lower left corner of a View or change
the policy settings page:
1. Choose the desired access right
2. Select the Set All Permissions checkbox for a selected group
3. Click Done

Reverse Set All Permissions


This option is reversible, and useful if, for example, you need to
prevent the Gateway server from performing any actions for a period
of time, perhaps while that device is in maintenance mode or you are
troubleshooting a problem. When the devices for that policy are
ready to resume normal policy management:
1. Clear the Set All Permissions checkbox for that policy
2. Click Done
The Access Right column shows the previously defined access rights
for all permissions in that policy.

Figure 69 Set All Permissions Access Rights
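
The inheritance, Lock and Set All Permissions rules described in this section, worked through as an added example (a toy model, not EMC code). It assumes that a child's own setting overrides an unlocked parent value, that a locked permission is not affected by Set All Permissions at a lower level, and that Set All Permissions acts as a reversible overlay on one group's policy; the class and function names are made up for the sketch.

```python
"""Toy model of Policy Manager access rights: inheritance, Lock, Set All Permissions."""

ALWAYS, ASK, NEVER = "Always Allow", "Ask for Approval", "Never Allow"


class Group:
    """One policy group: Global, a device type, or a single device."""

    def __init__(self, name, parent=None):
        self.name = name
        self.parent = parent
        self.rights = {}     # permission -> access right set at this level
        self.locked = set()  # permissions whose Lock checkbox is selected here
        self.set_all = None  # right forced by Set All Permissions while selected

    def path(self):
        """Groups from Global down to this one."""
        chain, node = [], self
        while node is not None:
            chain.append(node)
            node = node.parent
        return chain[::-1]

    def locked_by(self, permission):
        """Name of the ancestor whose Lock covers this permission, else None."""
        for group in self.path()[:-1]:
            if permission in group.locked:
                return group.name
        return None

    def set_right(self, permission, right):
        """Set an access right here; refused when a parent has locked it."""
        locker = self.locked_by(permission)
        if locker is not None:
            raise PermissionError(f"{permission!r} is locked by {locker}")
        self.rights[permission] = right

    def effective(self, permission):
        """Return (access right, source group), like the Inheritance column."""
        right, source = None, None
        for group in self.path():
            if group.set_all is not None:
                right, source = group.set_all, group.name
            elif permission in group.rights:
                right, source = group.rights[permission], group.name
            if permission in group.locked:
                break  # lower levels cannot change a locked access right
        return right, source


def build_demo():
    """Constructed hierarchy: Global > Celerra > one device serial number."""
    glob = Group("Global")
    celerra = Group("Celerra", glob)
    device = Group("ML2805000499", celerra)
    glob.set_right("File Upload", ASK)
    celerra.set_right("Remote Application - CelerraMgr", ALWAYS)
    return glob, celerra, device


if __name__ == "__main__":
    glob, celerra, device = build_demo()
    print(device.effective("Remote Application - CelerraMgr"))
    glob.locked.add("File Upload")           # parent locks the permission
    print(device.effective("File Upload"))
    device.set_all = NEVER                   # maintenance: block everything
    print(device.effective("Remote Application - CelerraMgr"))
    device.set_all = None                    # clearing restores earlier rights
    print(device.effective("Remote Application - CelerraMgr"))
```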

Missing devices

If a device is offline or not connected to the Gateway server, it may be
enforcing an outdated policy. This could mean that the device is
allowing actions that should be set to Never Allow or Ask for
Permission, or denying actions that it should be allowing.
To determine if a device is offline to the Gateway server, use the View
and remove missing devices page. Any devices shown in this page
have missed their last contact (ping) with the Gateway and are now
considered offline. See examples in Figure 70 on page 127.

Figure 70 Configuration: View and remove missing devices

Before removing a device from the Policy Manager, make sure that
you know the true status of the device:
◆ Any devices you remove should also be undeployed by EMC
Global Services.
◆ If you accidentally remove a device still in production, it will
reregister when placed back online.
◆ Any devices on the missing list that have an unknown status
need to be investigated. Contact EMC Global Services for
assistance.

Notifications

If an access right is set to Ask for Approval, then when an EMC support
engineer requests a session, the Gateway server sends an action
request to the Policy Manager for approval. The Policy Manager then
sends an email notification to the individual or group alias specified in
the notification configuration.

Setting notifications

Notifications are specified for each device group. Each notification is
sent with a message based on that group’s standard form. Any
permission requested for a particular group thus uses the same
notification form that is sent to the same person.
The Global group notification message template is set during
installation.

Note: If you make no changes to any notification settings, all email is
delivered with the same message form to the same original recipient.

To change the notification format for a group (and its children):

1. Click Configuration (from any Policy Manager page).
A group hierarchy appears, similar to that in Figure 71 on
page 129.

Figure 71 Configuration tab

Notice that the Global group has an envelope icon associated
with it, as does the Celerra group and the Celerra devices. The
icon for the Global group is colored yellow, indicating that the
original contents of the notification form have been overwritten. In
the case of the Global group, the form was originally blank and
then filled in during the Policy Manager installation with the
default notification message and recipient.
The Celerra group icon is colored white, indicating that it is
inheriting the contents of its parent group (Global). The Celerra
devices show icons indicating that at least one field in their forms
has been overwritten. Figure 72 on page 129 shows example
icons of overwritten and inherited. Figure 71 on page 129 shows
the icons in a complete list in the Configurations tab.

[yellow envelope icon] = Overwritten content
[white envelope icon] = Inherited content

Figure 72 Notification form icons

2. From the hierarchy, click the name of a particular group.

The group notification form opens for editing (the form may
display as blank—you may have to copy contents from the global
notification if you want to use the same addresses, subject, and
body text). The notification fields and settings for the Global
group are shown in Figure 73 on page 130. The full default Body
is shown in Figure 74 on page 131.

Figure 73 Global group notification settings

Hello,
Your current authorization policy manager rules require your approval for
the following EMC support action:
Date: <$TMST>
Action: <$ACTN>
Description: <$ACTD>
Device Model:<$A_MN>
Device Serial Number:<$A_SN>
EMC Username:<$USRN>

Please click the URL link listed below to approve or deny this request.
http://000.000.000.000:8090/actions/request/show_requests
[Figure callout: Link to access authorization page]

This email was automatically generated by the EMC Secure Remote Support
Policy Manager in response to the following permission settings:
Model : <$A_MN>
Permission Name: <$PR_N>
Permission Description: <$PR_D>
Permission Detail Setting : <$PRDT>

Please note that details of the action request can be viewed in the Policy
Manager Audit Log web pages. Please use your browser to log into the
Policy Manager server to approve or deny this request.
Thank You,
EMC Customer Service

Figure 74 Default notification email body

3. Fill in the notification information, then click Submit to save your
settings and return to the group hierarchy window:
a. Notification information fields specify form and function for
the email to be sent in an approval request.

To: Single recipient email address.
Note: Multiple email recipients require the use of an alias or
group address.

From: Single sender (return) email address. Multiple
recipients require use of an alias or group address.
Note: The from address may need to be a registered user of
your e-mail server for the notification feature to operate
correctly.

Subject: Any text. May include any substitution parameters
identified in Table 8 on page 132.

Body: Any text. May include substitution parameters
identified in Table 8 on page 132, or a link to server.

b. Substitution parameters are also available to automate a
custom message, listed in Table 8 on page 132.
A sample notification email is the default notification email body
in Figure 74 on page 131.

Table 8 Substitution parameters for notifications

Tag Description
<$A_MN> Gateway server model number
<$A_SN> Gateway server serial number
<$A_GN> Gateway server associated group name
<$A_GD> Gateway server associated group description
<$ACTN> Action name
<$ACTD> Action description
<$PR_N> Permission name
<$PR_D> Permission description
<$PRDT> Permission details (parameter names and values)
<$SMSG> SOAP message
<$TMST> Timestamp when action was forwarded from Gateway server
<$USRN> Username

Default notification form


During Policy Manager installation, a default notification Body field
for the Global group is created, as shown in Figure 74 on page 131.
Within this field, a line has been automatically inserted with the
address of the Policy Manager access authorization page. In addition,
several substitution parameters, shown in Table 8 on page 132, are
used. When (manually) copied and pasted into the notification body
for any other group, the contents of this field can be used as a
notification form template.
When a request is sent using the embedded web address, the policy
administrator receiving the email has direct access to the Policy
Manager interface to approve or deny the request.

Answering device access requests


During operation, the Policy Manager runs without manual
intervention until an Ask for Approval permission is activated. These
are called requests.

About requests

If using the Ask for Approval policy when a Gateway-managed
device needs approval to perform a requested action, it sends a
request to the Gateway. The Gateway sends a message to the Policy
Manager that it needs to get its approval (if the action is a request from
the Gateway server), and then waits for the Policy Manager’s
response.
When the Policy Manager receives the request, it sends an email
notification, such as the message in Figure 74 on page 131, to the
individual defined for that device’s policy (or device group’s policy),
and then queues it for approval.
If the responsible individual does not accept the request within the
period specified for that permission, the Policy Manager removes the
action from the Pending Request queue and posts an entry to its
Audit Log (see example message in Figure 77 on page 139). The
device is sent a denied request due to time-out message. When a
timeout occurs, a new request may be submitted.
Pending requests are shown in the Policy Manager’s Pending
Requests tab, View all pending single or container (1) requests for
<selected> group. This is a list of all pending requests for a group. In
this page you can accept or deny a single action request or a container
of pending action requests or all actions shown.

(1) A container is a grouping of requests containing multiple sub actions.

Accept/deny pending requests

This section provides details on how to accept or deny requests for
the Ask for Approval setting. Figure 75 on page 135 shows the details
for the following steps:

1. Click Pending Requests and the View all pending single or
container requests for <selected> group page appears.
You can view all requests pending for all groups, for a selected
group, or for a selected device.
2. From the line-item’s list box menu at right, choose Accept or
Deny for any number of selected actions, or all actions shown.
3. Click Submit to apply all changes made to this page.
The Policy Manager notifies the Gateway server of all accepted or
denied actions. The Gateway server then performs the accepted
actions.

View request details

View details, and accept or deny pending request
You can view more information for a single permission before
accepting or denying it. You cannot view more information on a
container, which can contain multiple permissions. Click the name of
the permission from the Name column in the View Pending Requests
page, as shown in Figure 75 on page 135.

Figure 75 View Pending Requests and View Request Details

The View Request Details page appears showing further details about
the action, including the time the action request was received by the
Gateway server. This detail page is shown in Figure 75 on page 135.

Acceptance repetition time-out


If you Accept the action in the View Request Details page, another
page appears in which you can specify the length of time for which
the related Gateway server continues to Accept this action (for the
specified permission). This is useful if you anticipate that the same
permission may be sent to the Gateway server repeatedly for a period
of time, and you want the device to continue to execute the action
without requesting permission from the Policy Manager and
approval from you.

Pending time-out

When a request is made for a permission with an access right set to
Ask for Approval, if an email reply is not received within the
time-out period, the request expires. The Pending Time-out setting is
an action parameter (Permissions of the same action have the same
Pending Time-out). As part of the action configuration, you can
specify a length of time (minutes) for a permission request to be
granted.

Note: Changing the setting at a device level changes the global policy setting
for all devices. Use with caution.

To change the time-out setting:


1. Click Policy.
2. Click the name of the desired action. The View or change details
for <name> action page appears.
3. Type the desired value into Pending Time-out field.
4. Click Submit to record new setting and return to settings page.
When a device sends a request to the Policy Manager, the user
specified for the policy has a limited amount of time to permit the
Gateway server to perform the action. This amount of time is defined
as the Pending Time-out period.

Note: Recognize that if EMC is attempting a remote connection and you have
your remote access settings set to Ask for Approval, but no one responds to
the email within the time-out period (five minutes by default), the request is
denied. This may prevent service on your devices from occurring within a
reasonable time.

Viewing the Audit Log


The Audit Log displays the activity generated by the Policy Manager
and the Gateway server during a 365 day log rollover period.
Through the Policy Manager you can view global log entries (up to
1000 lines) or only those entries for selected groups or a selected
device.

About log messages

Logs contain user interaction activity records for the Gateway server
and Policy Manager.
The View audit log entries for Global group page shows audit log
entries generated during the current rollover period. Logs from
previous rollover periods (and logs larger than 1000 lines) are
viewable within the file system using a text editor such as Notepad.
Audit log entries are stored to the server running the Policy Manager;
by default, under the apm/audit directory. Each day a file is created
and all audit log messages generated by the Policy Manager for that
day are saved to the file. By default, the daily files are created with
the following syntax:
ESRS_Audit_yyyy_mm_dd.txt
where yyyy is the current four-digit year, mm is the current month,
and dd is the current day.

Note: There are no limits on how large these files can grow or how many files
are stored on disk, so make sure to keep track of disk use and space, and
archive the files as needed.

Failure to maintain sufficient free disk space will result in the Policy Manager
failing to function and corruption of the Policy Manager Database.


Audit Log

To view the Audit Log, click the Audit Log tab. The View audit log entries
for Global group page appears, as shown in Figure 76 on page 138.

Figure 76 Audit Log (Global)

Parameters recorded

Logs record these types of parameters for log display:
◆ Group Name: The relevant policy level
◆ Username: The user prompting policy response
◆ Service Request: The corresponding EMC database device
record, if any
◆ Date Message Posted: Time stamp
◆ Message: Description of policy management action performed:
• Type of action taken (nonbold text)
• Parameters of action (bold text)
Message examples are shown in Figure 77 on page 139.


Processed request for device APM00062405681-2 to deny pending action: Action:
Remote Application; Permission: ESRS Celerra Remote Access Application -
CLIviaSSH; Parameters [Remote Application Name = CLIviaSSH]
Device APM00062405681-2 successfully processed Action: Stop Remote Session:
interfacename=CLIviaSSH;
Device APM00062405681-2 did not process Action: Remote Application: Remote
Application Name=Telnet; Permission was denied.
Device APM00062405681-2 successfully processed Action: Remote Application:
Remote Application Name=CLIviaSSH;
Processed request for device APM00062405681-2 to accept pending action: Action:
Remote Application; Permission: ESRS Celerra Remote Access Application -
CLIviaSSH; Parameters [Remote Application Name = CLIviaSSH]

Figure 77 Audit log message examples
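
The three message shapes in Figure 77 can be parsed to pull out which device and remote application were denied or refused. The following Python code is an added example, not part of the EMC software; the one-message-per-line layout and all function names are assumptions, and only the Message field is modelled.

```python
import re

# Message strings from Figure 77. One message per line is an assumption about
# the layout; other columns (Group Name, Username, ...) are not modelled.
FIGURE_77 = [
    "Processed request for device APM00062405681-2 to deny pending action: "
    "Action: Remote Application; Permission: ESRS Celerra Remote Access "
    "Application - CLIviaSSH; Parameters [Remote Application Name = CLIviaSSH]",
    "Device APM00062405681-2 successfully processed Action: Stop Remote "
    "Session: interfacename=CLIviaSSH;",
    "Device APM00062405681-2 did not process Action: Remote Application: "
    "Remote Application Name=Telnet; Permission was denied.",
    "Device APM00062405681-2 successfully processed Action: Remote "
    "Application: Remote Application Name=CLIviaSSH;",
    "Processed request for device APM00062405681-2 to accept pending action: "
    "Action: Remote Application; Permission: ESRS Celerra Remote Access "
    "Application - CLIviaSSH; Parameters [Remote Application Name = CLIviaSSH]",
]

PATTERNS = [
    # A user answered an Ask for Approval request.
    ("approval", re.compile(
        r"^Processed request for device (?P<device>\S+) to "
        r"(?P<decision>accept|deny) pending action: Action: (?P<action>[^;]+); "
        r"Permission: (?P<permission>.+?); Parameters \[(?P<params>.*)\]$")),
    # The Gateway carried out an action.
    ("executed", re.compile(
        r"^Device (?P<device>\S+) successfully processed Action: "
        r"(?P<action>[^:]+):(?P<params>.*)$")),
    # The Gateway refused an action because policy denied it.
    ("refused", re.compile(
        r"^Device (?P<device>\S+) did not process Action: "
        r"(?P<action>[^:]+):(?P<params>.*?)\s*Permission was denied\.$")),
]


def parse_params(text):
    """Turn 'name = value; name=value;' into a dict."""
    params = {}
    for item in text.split(";"):
        if "=" in item:
            key, value = item.split("=", 1)
            params[key.strip()] = value.strip()
    return params


def parse_message(line):
    """Return a dict describing one audit message, or None if unrecognized."""
    text = " ".join(line.split())  # collapse wrapping and stray whitespace
    for kind, pattern in PATTERNS:
        match = pattern.match(text)
        if match:
            event = match.groupdict()
            event["kind"] = kind
            event["action"] = event["action"].strip()
            event["params"] = parse_params(event["params"])
            return event
    return None


def application(event):
    """Name of the remote application the message is about."""
    params = event["params"]
    return (params.get("Remote Application Name")
            or params.get("interfacename") or event["action"])


def denied_targets(lines):
    """Count denied approvals and refused actions per (device, application)."""
    counts = {}
    for event in filter(None, map(parse_message, lines)):
        if event["kind"] == "refused" or event.get("decision") == "deny":
            key = (event["device"], application(event))
            counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == "__main__":
    for target, count in sorted(denied_targets(FIGURE_77).items()):
        print(target, count)
```

Lines that match none of the three shapes return None, so they can be collected separately for manual review.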

Log scope examples

To see Audit Logs for only certain groups, you can select logs for:
◆ any group
-and-
◆ group (only) -or- group + all child groups

Activity of one device type


To see a log—for example—of Symmetrix-related activity, you look at
Symmetrix-level activity as well as the activity for specific devices:

Note: Callhome activities are only shown on the Gateway instance of the
Policy Manager.

1. From any Audit Log view, click Explore Device Groups.
You see the group hierarchy.
2. Click Symmetrix.
This takes you to an audit log view, but now only entries for
groups named Symmetrix and groups with a Symmetrix serial
number are shown. See the upper left of two screens in Figure 78
on page 141.
3. From the Audit Log: Symmetrix view, click Show audit log
entries for the selected group only.


You see that the Group Name column on the left now shows only
Symmetrix entries, while the link you selected has now toggled to
Show all audit log entries for the selected group and subgroups.
(Click that link if you want to return to the all-Symmetrix view.)
See the lower right of two screens in Figure 78 on page 141.

Specific device-only activity


To see a log of only specific device activity, you need to return to the
group hierarchy:
1. From any Audit Log view, click Explore Device Groups.
2. Click any serial number.


Note: If you leave the audit log to enter another tab such as Policy or
Configuration and later return to the audit log tab, you see the previous log
view.

Figure 78 Symmetrix group audit logs


Sources

Activities from the following sources are recorded in the audit log:

Gateway:
◆ Gateway registers with the Policy Manager.
◆ Gateway sends a request to perform an action with a permission
access right of for example.
◆ Gateway performs an action defined for a permission access right
of Always. The message sent to the Policy Manager Audit Log
includes the name of the user who performed the action, the
action performed, and the success or failure of executing the
action.
◆ Gateway denies an action defined for a permission access right of
Never Allow. The message sent to the Policy Manager audit log
includes username of the person who attempted the action,
information about the rejected action (specific to the type of
action), and the policy permission that caused the action to be
rejected.
◆ Gateway sends a Remote Session Disconnect message.

Policy Manager:
All activity.

PART 3

Gateway Maintenance

This section describes necessary and recommended customer site
operations for EMC Secure Remote Support Gateway:
Chapter 7, “Server Maintenance”
Gateway and Policy Manager server backup and other
maintenance setup procedures are described here.
7

Server Maintenance

EMC advises that you take advantage of the best practice of backing
up data on the Gateway and Policy Manager servers. It is your
responsibility to perform backups and ensure that the servers can be
restored through the use of the backup data. Either image backup or
data file backup is satisfactory. Topics in this chapter include:
◆ Power sequences
◆ Time Zone settings
◆ Service preparation
◆ Policy Manager database management
◆ Backup guidelines and procedures
◆ Restoration methods


Power sequences
EMC's customers routinely perform maintenance tasks that include
powering down and powering up their data centers based on
scheduled timeframes. While these powerdown/powerup sequences
are defined by the customers' internal processes, the presence of the
EMC Secure Remote Support Gateway in customer environments can
affect the sequence in which powerdown/powerup actions are
carried out.

! IMPORTANT
Improper shutdown procedures generate service requests. Be sure
to notify your EMC Customer Engineer of any shutdown plans to
avoid necessary service calls.

Typically, the order in which powerdown sequences take place is as
follows:
1. Hosts—so that the data has a chance to destage to disk and be
captured.
2. Arrays—to allow destaging time for any pending writes to get to
the disks for storage last.
3. Networking devices—after all data has been transported to the
arrays
4. Gateway and Policy Manager servers.

! IMPORTANT
EMC recommends that the EMC Secure Remote Support Gateway
server(s) and Policy Manager servers be the last devices powered
down and the first devices powered up after maintenance is
complete, to allow support level access to the EMC end devices at
all stages in the power up/down sequence.


Time Zone settings


The Windows Time Zone must be set to the correct time zone for the
location of Gateway and Policy Manager servers.
Having the Windows Time Zone set to a setting other than the local
time zone may adversely affect remote support tool performance.

Note: When changing the time zone on existing server installations, you
must reboot the Gateway server after changing the setting.


Service preparation
This section describes steps that need to be taken prior to performing
maintenance procedures on the Gateway and Policy Manager
servers.

Gateway server

Follow the procedures in this section before performing maintenance
on the Gateway server.

Logging preparation

Overwrite Events turned on

To prevent the Event Viewer log from locking and failing to record:
◆ Starting/stopping services
◆ Logging in
◆ Installing/uninstalling applications
in the Windows Event Viewer, set the Event Viewer log to overwrite
as needed, for both system logs and security logs, as shown in
Figure 79 on page 149:
1. Select Start > Settings > Control Panel > Administrative Tools >
Event Viewer.
2. Right-click on System Log and then select Properties.
3. On the General tab, select the option Overwrite events as needed,
and click OK.
4. Repeat Step 2 and Step 3 to set properties for Security Logs.

Note: You or your system administrator may decide, instead or in addition,
that other adjustments should be made; for example, the maximum log size
should be increased if overwriting is not allowed by corporate policy.

! IMPORTANT
If the Gateway disk becomes full, the Gateway server will fail to
function properly for callhome messages, and possibly for support
connections. If the problem is severe enough the server OS ceases
to function.

It is the customer’s responsibility to monitor and manage disk
utilization on both the Gateway and Policy Manager servers.


Figure 79 Event Viewer System and Security Log settings

Policy Manager server

Follow the procedures in this section before performing maintenance
on the Policy Manager server.

Backup preparation

Windows Task Scheduler turned on


For automated daily backups of the Policy Manager database to
occur, the Windows Task Scheduler must be running and
unrestricted, allowing new tasks to be added.
Your company’s IT security policies determine if this has been set up
on your server at the time the Policy Manager was installed by EMC.

Disk space for log files


Your Policy Manager server should be set up with a minimum of 1
GB available disk space. Monitor your log file usage and plan your
archiving policy accordingly.

! IMPORTANT
If the system runs out of disk space for log files, the Policy
Manager database will become corrupted, needing to be
reinstalled.


To maintain flat audit logs and conserve disk space, compress audit
logs and copy them to a repository. Audit logs typically compress by
greater than 85%.
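
The daily file naming described under “Viewing the Audit Log” (ESRS_Audit_yyyy_mm_dd.txt) makes it possible to select and compress audit files by age. The following Python code is an added example, not an EMC script; the 30-day keep window, the one-zip-per-month layout and all function names are assumptions, and the sample files are constructed.

```python
import re
import tempfile
import zipfile
from datetime import date, timedelta
from pathlib import Path

AUDIT_NAME = re.compile(r"^ESRS_Audit_(\d{4})_(\d{2})_(\d{2})\.txt$")


def audit_file_date(name):
    """Return the date encoded in an ESRS_Audit_yyyy_mm_dd.txt name, else None."""
    match = AUDIT_NAME.match(name)
    if not match:
        return None
    try:
        return date(*map(int, match.groups()))
    except ValueError:  # for example month 13
        return None


def archive_audit_logs(audit_dir, repository, today, keep_days=30):
    """Add daily files older than keep_days to one zip per month in repository.

    Returns the names verified inside an archive. Originals are left in place;
    removing them is a retention-policy decision for the operator.
    """
    repository = Path(repository)
    repository.mkdir(parents=True, exist_ok=True)
    cutoff = today - timedelta(days=keep_days)
    verified = []
    for path in sorted(Path(audit_dir).iterdir()):
        day = audit_file_date(path.name)
        if day is None or day >= cutoff:
            continue  # not an audit file, or still inside the keep window
        archive = repository / f"ESRS_Audit_{day:%Y_%m}.zip"
        with zipfile.ZipFile(archive, "a", zipfile.ZIP_DEFLATED) as zf:
            if path.name not in zf.namelist():
                zf.write(path, arcname=path.name)
        with zipfile.ZipFile(archive) as zf:  # re-open and check what was stored
            intact = zf.testzip() is None
            same_size = zf.getinfo(path.name).file_size == path.stat().st_size
        if intact and same_size:
            verified.append(path.name)
    return verified


def saved_fraction(archive):
    """Fraction of space saved by compression across the whole archive."""
    with zipfile.ZipFile(archive) as zf:
        infos = zf.infolist()
    raw = sum(i.file_size for i in infos)
    return 1 - sum(i.compress_size for i in infos) / raw if raw else 0.0


def demo():
    """Run against constructed files; returns (verified, archives, saved)."""
    line = ("Device APM00062405681-2 successfully processed Action: Remote "
            "Application: Remote Application Name=CLIviaSSH;\n")
    with tempfile.TemporaryDirectory() as tmp:
        audit, repo = Path(tmp, "audit"), Path(tmp, "repository")
        audit.mkdir()
        for name in ("ESRS_Audit_2008_03_07.txt", "ESRS_Audit_2008_03_08.txt",
                     "ESRS_Audit_2008_04_20.txt", "readme.txt"):
            (audit / name).write_text(line * 500)
        done = archive_audit_logs(audit, repo, today=date(2008, 5, 1))
        archives = sorted(p.name for p in repo.iterdir())
        saved = saved_fraction(repo / archives[0])
    return done, archives, saved


if __name__ == "__main__":
    print(demo())
```

Point the repository at a different server or share so that a full or failed Policy Manager disk does not take the archived audit trail with it.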


Policy Manager database management


The Policy Manager database is located at:
[install_drive]:\EMC\Policy Manager\hsqldb

Figure 80 on page 151 shows an example database location.

Figure 80 Policy Manager database location

It is configured to run as in-process (or in standalone) mode.


For example, in a default installation the database is located in the
following directory:
C:\EMC\Policy Manager\hsqldb\apm

Component files

The data for each database consists of five files in the same directory
apm. The endings are *.properties, *.script, *.data, *.backup, and *.log.
All these files are essential and thus should never be deleted or
allowed to get corrupted.
These files are identified in Table 9 on page 151.

Table 9 Policy Manager database files

File            Description
apm.backup      Zipped backup of the last known consistent state of the data file
apm.data        Data for cached tables
apm.log         Recent changes within the database
apm.properties  General settings for the database
apm.script      Definition of tables and other database objects, plus data for
                noncached tables


Mode

The default mode for the hsqldb is the In_Process mode (Standalone
Mode).

Backup

The five component files of the database are backed up together.
There are three scripts in hsqldb\lib:
◆ apmbackup.vbs
◆ apmrestore.vbs
◆ schbackup.bat
Descriptions of the scripts are given in Table 10 on page 152.

Table 10 Backup/Restore scripts

File            Description
apmbackup.vbs   Backs up the [install_drive]:\EMC\Policy Manager\hsqldb\apm
                folder. This must be installed in
                [install_drive]:\EMC\Policy Manager\hsqldb\lib.
                This script runs every day at 5:00 A.M., copying the apm folder to
                [install_drive]:\EMC\Policy Manager\hsqldb\backup.
                It maintains 31 days history of the apm database.
apmrestore.vbs  Simple GUI script to help restore the desired backup image to
                [install_drive]:\EMC\Policy Manager\hsqldb\apm.
                This script must be installed in
                [install_drive]:\EMC\Policy Manager\hsqldb\lib.
                You must stop the Policy Manager service before you do a
                database restore.
                The original [install_drive]:\EMC\Policy Manager\hsqldb\apm
                is moved to
                [install_drive]:\EMC\Policy Manager\hsqldb\apm_dateoftherestore
schbackup.bat   Batch file to add the schedule command apmbackup.vbs to run
                every day at 5:00 A.M.


A view of the hsqldb\lib directory is shown in Figure 81 on page 153.

Figure 81 Location of Policy Manager scripts

Numbered directories and an index are accumulated in the backup
directory. The directory numbering starts at 0 the day after Gateway
is installed. An example is shown in Figure 82 on page 154. After 31
backups have occurred (0-30) the directories are reused and the
previous backup in each directory is overwritten.


Figure 82 Policy Manager backup directory


Backup guidelines and procedures


You need to prepare backup procedures to protect Gateway servers
and Policy Manager servers in case of hardware failure, software
failure, or data corruption.
Specific procedures depend on your:
◆ Gateway site architecture
◆ Backup software
◆ Existing procedures
and possibly other conditions. Consult your system and network
administrators.

Backup

1. Gateway or Policy Manager server image. See “Server image
backup” on page 155 for recommended Gateway and Policy
Manager server backup guidelines.
2. Policy Manager database. See “Policy Manager database
automated backup” on page 156 for the recommended Policy
Manager database backup procedure.

Restoration

3. Gateway or Policy Manager server. See “Restoration methods”
on page 158 for recommended guidelines on restoring your
server from image backup and, if applicable, the Policy Manager
database.

Server image backup

Image backup is the preferred method for backing up a Gateway or
Policy Manager server and data.

Initial setup

At installation time:


For each Gateway and Policy Manager server:
1. Perform all needed installation stages—hardening, Gateway
software installation, configuration, deployment—first.
2. Using your company’s approved procedure, create an image of
the drive containing the installation root directory.
Additionally, for each Policy Manager server:


Set up the Policy Manager database for daily (or other periodic)
automated database backup: If your EMC Customer Engineer has
not done so already, perform the procedure outlined in “Policy
Manager database automated backup” on page 156.
Note that the Policy Manager database includes Audit Log files as
well as configuration settings.

Regular maintenance

For the Policy Manager server:
Database backup should occur automatically if automation has
been set up, described in “Policy Manager database automated
backup” on page 156.
Optionally, for each Gateway and Policy Manager server:
To provide a more complete configuration and data match to your
server, periodically create a new drive image.

Policy Manager database automated backup

If on the Pre-Site Checklist you had indicated that you wanted to set
up Gateway’s automated Policy Manager database backup, this
feature is ready to use.
Whether or not you have preset the automated backup, you may
examine and possibly customize the script provided with your Policy
Manager and activate it with the Windows Task Scheduler.
To configure and activate your backup tasks:
1. Check whether there is a backup task already scheduled by first,
in Windows, opening Start > Settings > Control Panel >
Scheduled Tasks.
a. If the automated backup has been activated by your EMC
Customer Engineer, you find the scheduled task Policy
Manager Database Backup listed. In this case your backup
has been configured and activated—you are done.
b. However, if you are unsure of the location of the backup path,
or if you want to change that path, you can also perform step 2
and then exit.
c. If there is no existing backup task, you first edit the backup
script to specify the backup path, and then schedule the
backup task—continue with the next step.


2. Edit the backup script:

Note: Unless you edit the script file to provide a pathname, the backup is
created in the root directory of the Policy Manager application.

a. Decide where you want to put your backup files, preferably
on a different server or network share to ensure against
complete loss of the server. Identify the absolute pathname or
the pathname relative to the database location (inside
[install_drive]:\EMC\Policy Manager\hsqldb\apm).
b. Navigate to:
[install_drive]:\EMC\Policy Manager\hsqldb\lib\

c. Make a backup copy of apmbackup.vbs.


d. Right-click on apmbackup.vbs, select Open with, and select
Notepad.

Note: There are three instances of the text backup in this script file,
indicating (by default) the relative location of the backup directory.

e. Substitute the pathname string inside quotes (default:
...\backup) with your preferred path for creating a backup
directory. Recheck your edits before saving and closing this
file.
3. Specify and schedule the backup task:
a. From the Scheduled Tasks window in step 1, double-click Add
Scheduled Task to open the task creation wizard.
b. In the next window, select the script (task) to run by choosing
Browse and navigating to:
[install_drive]:\EMC\Policy Manager\hsqldb\lib
to see the scripts available, and select apmbackup.vbs.
c. Select Daily, and click Next.
d. Specify the activation time of day, frequency, and start date,
and click Next.
e. Type the domain, \, and username, and type and confirm the
password, and click Next. Click Confirm on the next window.


Restoration methods
Restoration procedures differ based on the method of backup you are
using.

Note: The Policy Manager service must be stopped before performing a
restoration.

Server image backup restoration

For a Gateway or Policy Manager server:
Restore the disk drive by copying a backup image to that drive (use
the most recent backup prior to the incident causing the problem).
Additionally, for a Policy Manager server:
Policy Manager database files are stored for up to 30 days. After 30
days, the most recent backup file overwrites the oldest backup file.
Backup images are numbered 0 through 30, and are created by the
automated Policy Manager backup script starting on the day after the
Policy Manager install is completed.
For example, as shown in Figure 83 on page 159, the Policy Manager
was installed on 3/06/08. The first backup was made to folder 0 on
3/07/08. On each successive day a new folder was created and the
backup was written to that directory (the backup for 3/08/08 was
written to folder 1; the backup for 3/09/08 was written to folder 2,
and so on). The 31st backup occurred on 4/05/08 and was written to
folder 30. On 4/06/08 the backup was written to folder 0, replacing
the original backup files that were written on 3/07/08. The date on
the folder did not change, but the date on the backup files inside the
folder did. (This backup process occurs every morning at 5 a.m. and
is handled by the Windows Scheduler Application.) (In earlier
versions of the Policy Manager, this occurred at 3 a.m.)
Choose to restore the Policy Manager database with files that are
more recent than those on the drive image but prior to the incident
causing you to perform a restoration.


Figure 83 Backup folder

To restore a backup image:


1. Stop the Policy Manager service (Section “Startup/shutdown”
on page 101).
2. Navigate to
[install_drive]:\EMC\Policy Manager\hsqldb\lib
as shown in Figure 84 on page 160.
3. Double click the script named apmrestore.vbs.


Figure 84 Location of apmrestore.vbs script

4. You are prompted about which backup image you want to
restore, similar to that shown in Figure 85 on page 161. To restore
the Policy Manager database, you must have located the backup
for the date from which you wish to restore. This is done by
looking through the directories of the backups to locate the file
with the proper date. Make note of the folder name (0 through
30).
Note that the date listed for each folder is the date the folder was
created, and not necessarily the date the actual backup files were
written.


Figure 85 Restore prompt

5. Type the proper backup folder number and click OK.


6. You are now prompted with a confirmation. Click OK.
The script completes the restoration.
7. Restart the Policy Manager service (Section “Startup/shutdown”
on page 101).

Note: Audits occurring after the restore date are not displayed in
the audit history of the Policy Manager web interface. Any new audits are
appended to the database as they occur. Even though the audits are not
displayed in the web interface, they are viewable through the file system,
located in the <install_drive>:\EMC\Policy Manager\Audit directory.
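
Because the date on a numbered folder is not the date of the backup it holds, the folder number to type in step 5 has to be chosen from the dates of the files inside each folder. The following Python code is an added example, not an EMC script; it assumes, as described above, that the modification time of the files in a folder reflects when that backup was written, and the function names and sample directory tree are constructed.

```python
import os
import tempfile
from datetime import datetime
from pathlib import Path


def backup_written_at(folder):
    """Newest modification time of any file in the folder (None if empty)."""
    stamps = [p.stat().st_mtime for p in Path(folder).rglob("*") if p.is_file()]
    return datetime.fromtimestamp(max(stamps)) if stamps else None


def list_backups(backup_root):
    """Map folder number (0-30) to the time its backup files were written."""
    backups = {}
    for folder in Path(backup_root).iterdir():
        if folder.is_dir() and folder.name.isdigit() and int(folder.name) <= 30:
            written = backup_written_at(folder)
            if written is not None:
                backups[int(folder.name)] = written
    return backups


def pick_restore_folder(backup_root, incident, image_taken=None):
    """Return (folder_number, written_at) for the latest backup written before
    the incident and, if a drive image is restored first, after that image.
    Returns None when no folder qualifies."""
    candidates = [(written, number)
                  for number, written in list_backups(backup_root).items()
                  if written < incident
                  and (image_taken is None or written > image_taken)]
    if not candidates:
        return None
    written, number = max(candidates)
    return number, written


def demo():
    # Constructed layout following the guide's example: folder 0 was first
    # written on 3/07/08 and overwritten on 4/06/08; folder 30 on 4/05/08.
    written = {0: datetime(2008, 4, 6, 5), 1: datetime(2008, 3, 8, 5),
               30: datetime(2008, 4, 5, 5)}
    with tempfile.TemporaryDirectory() as root:
        for number, when in written.items():
            folder = Path(root, str(number))
            folder.mkdir()
            for ext in ("properties", "script", "data", "backup", "log"):
                path = folder / f"apm.{ext}"
                path.write_text("constructed sample\n")
                os.utime(path, (when.timestamp(), when.timestamp()))
        Path(root, "index.txt").write_text("constructed\n")  # not a backup folder
        return (
            pick_restore_folder(root, datetime(2008, 4, 6, 12)),
            pick_restore_folder(root, datetime(2008, 4, 5, 18)),
            pick_restore_folder(root, datetime(2008, 4, 5, 18),
                                image_taken=datetime(2008, 4, 5, 9)),
        )


if __name__ == "__main__":
    for choice in demo():
        print(choice)
```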


Installation restoration

This section provides details on installation restoration.

! IMPORTANT
If you need to restore a Policy Manager, start with a clean
installation only if you have a recent database backup on a
separate drive. Reinstall only the same software release version as
that of the database backup.

For a Gateway or Policy Manager server:


With the assistance of your EMC Customer Engineer or the EMC
Customer Service help desk, reinstall the server software.
Additionally, for a Policy Manager server:
Restore Policy Manager database files from a database backup
located on a separate drive by using apmrestore.vbs as shown in
step 1 on page 159 through step 6 on page 161 in the previous
section.

! IMPORTANT
If the Gateway disk becomes full, the Gateway server will fail to
function properly for callhome messages, and possibly for support
connections. If the problem is severe enough the server OS ceases
to function.

It is the customer’s responsibility to monitor and manage disk
utilization on both the Gateway and Policy Manager servers.

PART 4
Appendixes

This section provides detailed site maintenance reference
information.

Appendix A, “SSL communication between the Gateway and Policy
Manager”
This appendix provides instructions on how to configure the
communication path between the Gateway and Policy Manager
to use an SSL certificate.

Appendix B, “Default Policy Values”
This appendix provides details about the Policy Manager GUI.

Appendix C, “Troubleshooting”
This appendix provides details about troubleshooting and
repairing Policy Manager issues.
A
SSL communication between the Gateway and Policy Manager

This appendix contains information to enable SSL communication
between the ESRS Gateway and the Policy Manager. The steps in this
section are to be performed by an EMC Customer Engineer.
Topics include:
◆ Policy Manager configuration
◆ Gateway configuration
◆ Disabling SSL communication


Policy Manager configuration


This section describes the steps for making changes to Policy
Manager configuration to support SSL communication.

Creating an SSL certificate to use for SSL communication


Refer to your security provider for SSL certificates. For additional
information regarding creation of SSL certificates (an Identity
Keystore File) for Tomcat, refer to:
http://tomcat.apache.org/tomcat-5.5-doc/ssl-howto.html

Enabling SSL on Policy Manager Tomcat server


Use the following procedure for enabling SSL on Policy Manager
Tomcat server:
1. Copy the Identity Keystore File (PMIdentityStore.jks) created in
previous section to the
<install_root>\EMC\Policy Manager\Tomcat5\bin directory.
2. Locate the
<install_root>\EMC\Policy Manager\Tomcat5\conf\ server.xml
file.
3. Make a copy of the server.xml file.
Open server.xml file using a text editor such as Notepad.
4. Locate the <Connector> element inside the
<Service name="Tomcat-Standalone"> element with the
Connector port="8090" value and verify that the value for the
redirectPort attribute is 8443, as shown in bold text.

<Service name="Tomcat-Standalone">
  ......
  <Connector port="8090"
      maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
      enableLookups="false" redirectPort="8443" acceptCount="100"
      debug="0" connectionTimeout="20000"
      disableUploadTimeout="true"/>
  ......
</Service>


5. Locate and delete all the text between and including the
<!-- SSL and --> tags in the section inside the
<Service name="Tomcat-Standalone"> element as shown in bold
text.

<Service name="Tomcat-Standalone">
  ......
  ......
  <!-- SSL
  <Connector port="8443"
      maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
      enableLookups="false" disableUploadTimeout="true"
      acceptCount="100" debug="0" connectionTimeout="20000"
      scheme="https" secure="true"
      clientAuth="false" sslProtocol="TLS"
      keystoreFile="c:/apm/.keystore" keystorePass="password"/>
  -->
</Service>

6. Add a new <Connector> element inside the
<Service name="Tomcat-Standalone"> element as shown in bold
text (you can copy and paste text from the text box to the file).

<Service name="Tomcat-Standalone">
  ......
  ......
  <!-- Define a SSL HTTP/1.1 Connector on port 8443 -->
  <Connector port="8443" maxHttpHeaderSize="8192"
      maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
      enableLookups="false" disableUploadTimeout="true"
      acceptCount="100" debug="0" connectionTimeout="20000"
      scheme="https" secure="true"
      clientAuth="false" sslProtocol="TLS" keystorePass="PMStorePass1234"
      keystoreFile="C:/EMC/Policy Manager/Tomcat5/bin/PMIdentityStore.jks"/>
  ......
  ......
</Service>


Table 11 on page 168 lists the values and definitions for keystore.

Table 11 Keystore attributes

Attribute       Description
keystoreFile    Add this attribute if the keystore file you created is not in
                the default location Tomcat uses (a file named .keystore in
                the user home directory under which Tomcat is running).
                You can specify an absolute pathname, or a relative pathname
                that is resolved against the $CATALINA_BASE environment
                variable.
keystorePass    Add this element if you used a keystore (and Certificate)
                password other than the default keystore password (changeit).
keystoreType    Add this element if using a keystore type other than JKS.
keyAlias        Add this element if you have more than one key in the
                KeyStore. If the element is not present the first key read in
                the KeyStore is used.

7. Save the file with the updated configuration.


Enabling the Policy Manager application to use SSL for all communications
Use the following procedure for enabling the Policy Manager to use
SSL for all communications:
1. Locate the
<install_root>\EMC\Policy Manager\Tomcat5\webapps\
applications\apm\WEB-INF\web.xml file.
2. Create a copy of the web.xml file and rename it web.xml.bak.
3. Replace the web.xml file with the file attached to this document
(see pane at bottom of window), or manually edit the existing file
as shown in the following steps.
4. Open web.xml file using a text editor such as Notepad.
5. Find the <security-constraint> with any web-resource-name and
modify a portion of it to include the <user-data-constraint>
element as shown in bold text.
<web-app>
  ......
  ......
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>anything</web-resource-name>
      ......
    </web-resource-collection>
    ......
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
    ......
  </security-constraint>
  ......
</web-app>


6. Also add a new <security-constraint> element inside the
<web-app> element as shown in the bold text.
<web-app>
  ......
  ......
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Message Servlet</web-resource-name>
      <url-pattern>/message</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
</web-app>

7. Save the file with the updated configuration.
8. Restart the Policy Manager service.


Gateway configuration
This section describes the steps for making changes to Gateway
configuration to support SSL communication:
1. Locate the
<install_root>\EMC\ EMC\Gateway\ xgAPMProxy.xml file.
2. Create a copy of the xgAPMProxy.xml file and rename it
xgAPMProxy.xml.bak.
3. Open the xgAPMProxy.xml file using a text editor such as
Notepad.
4. Add the following <Encryption> element inside the
<APMProxyConfig> element as shown in bold text.
<APMProxyConfig>
  ......
  ......
  <Encryption>
    <Bits>128</Bits>
    <Validate>false</Validate>
  </Encryption>
</APMProxyConfig>

Note: The value of the Bits element denotes the strength (in bits) of the SSL
certificate used in the Policy Manager.

5. Change the value of the <Port> element from the default value of
8090 to 8443 (or to the value which is chosen for SSL port) as
shown in bold text.
<APMProxyConfig>
  ......
  ......
  <Port>8443</Port>
</APMProxyConfig>

6. Save the file with the updated configuration and restart the
Gateway service.
7. Launch the EMC Secure Remote Support Deployment Utility
from Start > Programs > ESRS > Deployment Utility.
8. Connect to the Gateway for which the configuration is modified.

9. In the left pane on the Deployment Utility (Figure 86 on
page 172), click on the Policy Manager link.
10. In the right pane of the deployment utility, verify that a green
check displays below the Host name field along with the
following text:
The Agent is currently connected to this Policy Manager.
11. If a red cross displays in the right pane, update the following
fields with the specified values to reset the cache:
• Port = 8443 (or the value specified for SSL port in server.xml)
• Enable SSL = Checked
• Strength = 128 bits (or the strength of SSL used)

Figure 86 Deployment Utility screen

12. Click Deploy on the top level menu to update the changes to the
Gateway.

Disabling SSL communication


This section describes how to disable SSL communication on the
Policy Manager and Gateway.

Policy Manager configuration
To configure the Policy Manager:
1. Locate the <install_root>\EMC\Policy Manager\Tomcat5\webapps\applications\apm\WEB-INF\web.xml file.
2. Create a copy of the web.xml file and rename it web.xml.bak.
3. Open the web.xml file using a text editor such as Notepad.
4. Find <security-constraint> and modify the portion of it that
includes the <transport-guarantee> element, as shown in bold text,
to include SSL-ENABLE-NONE to disable communications, and
CONFIDENTIAL to enable communications:

<web-app>
......
......
<security-constraint>
<web-resource-collection>
<web-resource-name>Message Servlet</web-resource-name>
<url-pattern>/message</url-pattern>
</web-resource-collection>
<user-data-constraint>
<transport-guarantee>SSL_ENABLE-NONE</transport-guarantee>
</user-data-constraint>
</security-constraint>
</web-app>

5. Save the file with the updated configuration.
6. Restart the Policy Manager service.

Gateway configuration
To configure the Gateway:
1. Locate the
<install_root>\EMC\EMC\Gateway\xgAPMProxy.xml file.
2. Create a copy of the xgAPMProxy.xml file and rename it
xgAPMProxy.xml.bak.

3. Open the xgAPMProxy.xml file using a text editor such as
Notepad.
4. Find <Encryption> and modify a portion of it that includes the
<Bits> element as shown in bold text to include PM_BITS to
disable communications, and 128 to enable communications.
<APMProxyConfig>
......
......
<Encryption>
<Bits>PM_BITS</Bits>
<Validate>false</Validate>
</Encryption>
</APMProxyConfig>

5. Save the file with the updated configuration and restart the
Gateway service.
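
The following Python script is an added example, not part of the EMC guide or product. It reads the two files edited in the procedures above and reports when web.xml and xgAPMProxy.xml disagree about SSL, when SSL is on but <Port> is still the default 8090, and when <Validate> is not true. The sample XML is constructed from the fragments in this guide, the function names are hypothetical, and reading <Validate> as a certificate-validation switch is an assumption.

```python
import xml.etree.ElementTree as ET

# Constructed samples modelled on the fragments in this guide (not real files).
WEB_XML_SSL = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Message Servlet</web-resource-name>
      <url-pattern>/message</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
</web-app>"""
WEB_XML_PLAIN = WEB_XML_SSL.replace("CONFIDENTIAL", "SSL_ENABLE-NONE")

PROXY_XML_SSL = """<APMProxyConfig>
  <Port>8443</Port>
  <Encryption>
    <Bits>128</Bits>
    <Validate>false</Validate>
  </Encryption>
</APMProxyConfig>"""
PROXY_XML_PLAIN = PROXY_XML_SSL.replace("8443", "8090").replace("128", "PM_BITS")


def _local(tag):
    """Drop an XML namespace prefix so namespaced web.xml files are handled too."""
    return tag.rsplit("}", 1)[-1]


def _find_text(root, name):
    """Return the stripped text of the first element with this local name, or None."""
    for el in root.iter():
        if _local(el.tag) == name:
            return (el.text or "").strip()
    return None


def policy_manager_guarantees(web_xml):
    """Map every constrained url-pattern in web.xml to its transport-guarantee."""
    result = {}
    for sc in ET.fromstring(web_xml).iter():
        if _local(sc.tag) != "security-constraint":
            continue
        guarantee = _find_text(sc, "transport-guarantee")
        for el in sc.iter():
            if _local(el.tag) == "url-pattern":
                result[(el.text or "").strip()] = guarantee
    return result


def gateway_settings(proxy_xml):
    """Read the SSL-related elements of xgAPMProxy.xml."""
    root = ET.fromstring(proxy_xml)
    bits = _find_text(root, "Bits")
    return {
        "port": _find_text(root, "Port"),
        "bits": bits,
        # The guide uses a number (128) for SSL on and PM_BITS for SSL off.
        "ssl": bool(bits) and bits.isdigit(),
        "validate": _find_text(root, "Validate"),
    }


def audit(web_xml, proxy_xml, plain_port="8090"):
    """Return a list of findings; an empty list means the two files agree."""
    findings = []
    pm_ssl = policy_manager_guarantees(web_xml).get("/message") == "CONFIDENTIAL"
    gw = gateway_settings(proxy_xml)
    if pm_ssl != gw["ssl"]:
        findings.append(
            "MISMATCH: Policy Manager /message SSL=%s but Gateway <Bits>=%r"
            % (pm_ssl, gw["bits"]))
    if gw["ssl"] and gw["port"] == plain_port:
        findings.append(
            "PORT: SSL is enabled but <Port> is still the default %s" % plain_port)
    # Assumption: <Validate> controls whether the Gateway checks the
    # Policy Manager certificate. The guide does not define the element.
    if gw["ssl"] and (gw["validate"] or "").lower() != "true":
        findings.append(
            "VALIDATE: SSL is enabled with <Validate>%s</Validate>; "
            "review whether the certificate is checked" % gw["validate"])
    return findings


if __name__ == "__main__":
    cases = [
        ("both SSL", WEB_XML_SSL, PROXY_XML_SSL),
        ("both plain", WEB_XML_PLAIN, PROXY_XML_PLAIN),
        ("PM SSL, Gateway plain", WEB_XML_SSL, PROXY_XML_PLAIN),
    ]
    for label, web, proxy in cases:
        print(label, "->", audit(web, proxy) or "no findings")
```

To run it against a live installation, pass the contents of the real web.xml and xgAPMProxy.xml files to audit() in place of the constructed samples.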

B

Default Policy Values

This reference provides additional details on the Policy Manager
default policy values:
◆ Actions
◆ Default permissions


Actions
Table 12 on page 176 provides descriptions for the available Actions
used in the Gateway solution.
Although a number of Actions are defined by the Gateway solution,
only a subset are currently used. You see all Actions defined for a
particular Group when you examine that Group’s policy settings.
(For example, see Figure 62 on page 119.)
In Table 12 on page 176 through Table 24 on page 191, Actions and
Permissions defined, but not currently used, are shown dimmed.

! IMPORTANT
Change only the Access Rights for group or device Remote
Application actions.

Do not edit the Global Permissions in any way without assistance
from EMC Customer Service; you may experience unexpected
behavior.

Table 12 Actions defined by Gateway solution

Action | Used by | Description
Register Script | Gateway Device only | Determines whether or not the Agent can register a script on the device as requested, or needs to receive approval for the permission first. Permission parameters: name of the script to register.
Run Script | Gateway Device only | Determines whether or not the Agent can run a script, or needs to receive approval for the permission first. Permission parameters: name of the script to run.
Schedule a Script | Gateway Device only | Determines whether or not the Agent can schedule a script for operation on the device as requested, or needs to receive approval for the permission first. This action has no specific parameters.
Set Data Item Values | All except Gateway Device | Controls whether or not the Agent can write values to its data items as requested, or needs to receive approval for the permission first. This action has no specific parameters.
Package | Gateway Device only (Can be modified) | Determines whether or not the Agent accepts a package, or needs to receive approval for the permission first. Permission parameters: Name and version number of the package to execute on the device. All contents of a package are included in the permission. (Packages are handled differently than other permissions; check with EMC Customer Service.)
Data Item Values | All except Gateway Device | Determines whether or not the Agent can send data item values, or needs to receive approval for the permission first. (This does not affect data item values sent as the result of a Write Data Item action, configured in a logic schema.) For this release, only one permission can be set for all data items, meaning all data items are included in the action.
File Download | Gateway Device only (Can be modified) | Determines whether or not the Agent can accept files downloaded to it from the DRM, or needs to receive approval for the permission first. Permission parameters: Fully-qualified path of the file(s) to download to the device. The name(s) of the file(s) and path(s) may be explicit (for example, “c:\error.log”) or include wildcards (for example, “c:\*.log” or “c:\*.*”).
File Upload | Gateway Device only | Determines whether or not the Agent can upload files to the DRM (whether a DRM-based request or Agent-initiated process), or needs to receive approval for the permission first. Permission parameters: Fully-qualified path of the file(s) to upload to the DRM. The pathname on the device can be explicit or relative (which the Agent interprets to be the root of the Agent installation). File names can be explicit (for example, “error.log”) or include wildcards (for example, “*.log” or “*.*”). Gateway defines File Upload permissions for connect home device configuration, FTP, and SMTP.
Restart Agent | Gateway Device only (Can be modified) | Determines whether or not the Agent can restart itself as requested, or needs to receive approval for the permission first. This action has no specific parameters.
Remote Application | A different set of instances is used by each device model | Determines whether the Agent can start a remote application session as requested, or needs to receive approval for the permission first. Although applications are in general denied access, permissions for specific applications are set at “Always Allow.” Permission Parameters: name of the remote application interface.


Default permissions
The following tables identify the permission and access right settings
provided with the default Policy Manager installation:
◆ Table 13 on page 179 provides descriptions for the available
permissions for the Gateway group, as well as the default access
right values.
◆ Table 14 on page 180 provides descriptions for the available
permissions for the Gateway Device server group, as well as the
default access right values.
◆ Tables 18 through 23, page 185 through page 190, provide
descriptions for the available permissions for the various EMC
models or device types supported, as well as the default access
right values.
When a new device registers with the Gateway for the Policy
Manager, it copies the default settings for its particular device type.

! IMPORTANT
Change only the Access Rights for group or device Remote
Application actions.

Do not edit the Global Permissions in any way without assistance
from EMC Customer Service; you may experience unexpected
behavior.


Table 13 Gateway default permissions

Action | Permission | Parameters | Access Right
Enable a Script | Default enable a script permission | Script name : * | Never Allow
Register Script | Default register script permission | Script Name : * | Always Allow
Disable a Script | Default disable a script permission | Script name : * | Always Allow
Run Script | Default run script permission | Script Name : * | Always Allow
UnSchedule a Script | Default permission for unscheduling a script | Script name : * | Never Allow
Schedule a Script | Default permission for scheduling a script | Script name : * | Always Allow
Stop Script | Default stop script permission | Script Name : * | Always Allow
UnRegister Script | Default unregister script permission | Script Name : * | Always Allow
Set Data Item Values | Permission for All Data Items | Data Item Name : * | Always Allow
Set Time | Default set time permission | Time : * | Never Allow
Package | Default package permission | Name : *, Version : * | Ask for Approval
Alarms | Permission for All Alarms | Alarm Name : * | Never Allow
Events | Permission for All Events | Event Name : * | Never Allow
Data Item Values | Permission for All Data Items | Data Item Name : * | Always Allow
Emails | Permission for All Emails | Email to : * | Never Allow
Modify Ping Update Rate | Default ping rate permission | Update Rate : * | Never Allow
File Download | Default file download permission | File : * | Ask for Approval
File Upload | ESRS Connect Home File Upload - Device Config | File : C:\Inetpub\ftproot\LocalUser\esrsconfig | Always Allow
File Upload | Default file upload permission | File : * | Always Allow
File Upload | ESRS Connect Home File Upload - FTP | File : C:\Inetpub\ftproot\LocalUser\onalert\incoming | Always Allow
File Upload | ESRS Connect Home File Upload - SMTP | File : C:\Inetpub\mailroot\drop | Always Allow
Restart Agent | Default restart permission | Hard restart : * | Always Allow
Execute | Default execute permission | Application : * | Ask for Approval
Remote Application | Default application permission | Remote Application Name : * | Always Allow
Remote Terminal | Default terminal permission | Remote Interface Name : * | Never Allow
Enable a Timer | Default enable timer permission | Timer name : * | Never Allow
Remove a Timer | Default remove timer permission | Timer name : * | Never Allow
Disable a Timer | Default disable timer permission | Timer name : * | Never Allow
Create a Timer | Default create timer permission | Timer name : * | Never Allow


Table 14 Gateway Device default permissions

Action | Permission | Parameters | Access Right
Enable a Script | Default enable a script permission | Script name : * | Never Allow
Register Script | Default register script permission | Script Name : * | Always Allow
Disable a Script | Default disable a script permission | Script name : * | Always Allow
Run Script | Default run script permission | Script Name : * | Always Allow
Run Script | ESRS GW Network Information | Script Name : ESRS GW Diags - Network Information | Always Allow
Run Script | EMC ESRS ConnectHome Directory File Count | Script Name : ESRS GW Diags - Get File Counts | Always Allow
Run Script | ESRS Gateway Diags - Device Certificate Manager | Script Name : ESRS GW Diags - DCM Log | Always Allow
Run Script | ESRS GW Diags - Get Configuration Files | Script Name : ESRS GW Diags - Get Configuration Files | Always Allow
Run Script | ESRS Gateway Diags - FTP Log | Script Name : ESRS GW Diags - FTP Log | Always Allow
Run Script | ESRS Gateway - Obtain Operating System Information | Script Name : ESRS GW Diags - Operating System | Always Allow
Run Script | ESRS Gateway Diags Services Info | Script Name : ESRS GW Diags - Services Info | Always Allow
Run Script | ESRS Gateway Diags SMTP Mail service log file | Script Name : ESRS GW Diags - SMTP Log | Always Allow
Run Script | ESRS Gateway Scripts Execution Log File | Script Name : ESRS GW Diags - Scripts Log | Always Allow
Run Script | ESRS Gateway Diagnostics WatchDog Log | Script Name : ESRS GW Diags - WatchDog Log | Always Allow
Run Script | ESRS Gateway Diagnostics GW Agent Log File | Script Name : ESRS GW Diags - Gateway Log File | Always Allow
Run Script | ESRS Gateway Diags - Collect Windows Event Log | Script Name : ESRS GW Diags - Events Log | Always Allow
UnSchedule a Script | Default permission for unscheduling a script | Script name : * | Never Allow
Schedule a Script | Default permission for scheduling a script | Script name : * | Always Allow
Stop Script | Default stop script permission | Script Name : * | Always Allow
UnRegister Script | Default unregister script permission | Script Name : * | Always Allow
Set Data Item Values | Permission for All Data Items | Data Item Name : * | Always Allow
Set Time | Default set time permission | Time : * | Never Allow
Package | Default package permission | Name : *, Version : * | Ask for Approval
Alarms | Permission for All Alarms | Alarm Name : * | Never Allow
Events | Permission for All Events | Event Name : * | Never Allow
Data Item Values | Permission for All Data Items | Data Item Name : * | Always Allow
Emails | Permission for All Emails | Email to : * | Never Allow
Modify Ping Update Rate | Default ping rate permission | Update Rate : * | Never Allow
File Download | Default file download permission | File : * | Ask for Approval
File Upload | ESRS Connect Home File Upload - Device Config | File : C:\Inetpub\ftproot\LocalUser\esrsconfig | Always Allow
File Upload | Default file upload permission | File : * | Always Allow
File Upload | ESRS Connect Home File Upload - FTP | File : C:\Inetpub\ftproot\LocalUser\onalert\incoming | Always Allow
File Upload | ESRS Connect Home File Upload - SMTP | File : C:\Inetpub\mailroot\drop | Always Allow
Restart Agent | Default restart permission | Hard restart : * | Always Allow
Execute | Default execute permission | Application : * | Ask for Approval
Remote Application | Default application permission | Remote Application Name: DEFAULT | Never Allow
Remote Application | Remote_Desktop | Remote Application Name: Remote_Desktop | Ask for Approval
Remote Terminal | Default terminal permission | Remote Interface Name : * | Never Allow
Enable a Timer | Default enable timer permission | Timer name : * | Never Allow
Remove a Timer | Default remove timer permission | Timer name : * | Never Allow
Disable a Timer | Default disable timer permission | Timer name : * | Never Allow
Create a Timer | Default create timer permission | Timer name : * | Never Allow


Table 15 Celerra default permissions

Action | Permission | Parameters | Access Right
Enable a Script | Default enable a script permission | Script name : * | Never Allow
Register Script | Default register script permission | Script Name : * | Always Allow
Disable a Script | Default disable a script permission | Script name : * | Always Allow
Run Script | Default run script permission | Script Name : * | Always Allow
UnSchedule a Script | Default permission for unscheduling a script | Script name : * | Never Allow
Schedule a Script | Default permission for scheduling a script | Script name : * | Always Allow
Stop Script | Default stop script permission | Script Name : * | Always Allow
UnRegister Script | Default unregister script permission | Script Name : * | Always Allow
Set Data Item Values | Permission for All Data Items | Data Item Name : * | Always Allow
Set Time | Default set time permission | Time : * | Always Allow
Alarms | Permission for All Alarms | Alarm Name : * | Never Allow
Events | Permission for All Events | Event Name : * | Never Allow
Data Item Values | Permission for All Data Items | Data Item Name : * | Always Allow
Emails | Permission for All Emails | Email to : * | Never Allow
Package | Default package permission | Name : *, Version : * | Ask for Approval
Modify Ping Update Rate | Default ping rate permission | Update Rate : * | Never Allow
File Download | Default file download permission | File : * | Ask for Approval
File Upload | ESRS Connect Home File Upload - Device Config | File : C:\Inetpub\ftproot\LocalUser\esrsconfig | Always Allow
File Upload | Default file upload permission | File : * | Always Allow
File Upload | ESRS Connect Home File Upload - FTP | File : C:\Inetpub\ftproot\LocalUser\onalert\incoming | Always Allow
File Upload | ESRS Connect Home File Upload - SMTP | File: C:\Inetpub\mailroot\drop | Always Allow
Restart Agent | Default restart permission | Hard restart : * | Always Allow
Execute | Default execute permission | Application : * | Ask for Approval
Enable a Timer | Default enable timer permission | Timer name : * | Never Allow
Remove a Timer | Default remove timer permission | Timer name : * | Never Allow
Disable a Timer | Default disable timer permission | Timer name : * | Never Allow
Create a Timer | Default create timer permission | Timer name : * | Never Allow
Remote Application | Remote_Desktop | Remote Application Name: Remote_Desktop | Ask for Approval
Remote Application | Default application permission | Remote Application Name: DEFAULT | Always Allow
Remote Application | EMC Celerra Remote Access Application - CelerraMgr | Remote Application Name: CelerraMgr | Always Allow
Remote Application | EMC Celerra Remote Access Application - Telnet | Remote Application Name: Telnet | Always Allow
Remote Application | EMC Celerra Remote Access Application - CLIviaSSH | Remote Application Name: CLIviaSSH | Always Allow
Remote Terminal | Default terminal permission | Remote Interface Name : * | Never Allow


Table 16 EMC Centera default permissions

Action | Permission | Parameters | Access Right
Enable a Script | Default enable a script permission | Script name : * | Never Allow
Register Script | Default register script permission | Script Name : * | Always Allow
Disable a Script | Default disable a script permission | Script name : * | Always Allow
Run Script | Default run script permission | Script Name : * | Always Allow
UnSchedule a Script | Default permission for unscheduling a script | Script name : * | Never Allow
Schedule a Script | Default permission for scheduling a script | Script name : * | Always Allow
Stop Script | Default stop script permission | Script Name : * | Always Allow
UnRegister Script | Default unregister script permission | Script Name : * | Always Allow
Set Data Item Values | Permission for All Data Items | Data Item Name : * | Always Allow
Set Time | Default set time permission | Time : * | Always Allow
Alarms | Permission for All Alarms | Alarm Name : * | Never Allow
Events | Permission for All Events | Event Name : * | Never Allow
Data Item Values | Permission for All Data Items | Data Item Name : * | Always Allow
Emails | Permission for All Emails | Email to : * | Never Allow
Package | Default package permission | Name : *, Version : * | Ask for Approval
Modify Ping Update Rate | Default ping rate permission | Update Rate : * | Never Allow
File Download | Default file download permission | File : * | Ask for Approval
File Upload | ESRS Connect Home File Upload - Device Config | File: C:\Inetpub\ftproot\LocalUser\esrsconfig | Always Allow
File Upload | Default file upload permission | File : * | Always Allow
File Upload | ESRS Connect Home File Upload - FTP | File: C:\Inetpub\ftproot\LocalUser\onalert\incoming | Always Allow
File Upload | ESRS Connect Home File Upload - SMTP | File : C:\Inetpub\mailroot\drop | Always Allow
Restart Agent | Default restart permission | Hard restart : * | Always Allow
Execute | Default execute permission | Application : * | Ask for Approval
Enable a Timer | Default enable timer permission | Timer name : * | Never Allow
Remove a Timer | Default remove timer permission | Timer name : * | Never Allow
Disable a Timer | Default disable timer permission | Timer name : * | Never Allow
Create a Timer | Default create timer permission | Timer name : * | Never Allow
Remote Application | Remote_Desktop | Remote Application Name: Remote_Desktop | Ask for Approval
Remote Application | Default application permission | Remote Application Name: DEFAULT | Always Allow
Remote Application | EMC Centera Remote App - Control Center | Remote Application Name: CtrlCenter | Always Allow
Remote Application | EMC Centera Remote App - CLI via SSH | Remote Application Name: CLIviaSSH | Always Allow
Remote Application | EMC Centera Remote App - Centera Viewer | Remote Application Name: CV | Always Allow
Remote Terminal | Default terminal permission | Remote Interface Name : * | Never Allow


Table 17 CLARiiON default permissions

Action | Permission | Parameters | Access Right
Enable a Script | Default enable a script permission | Script name : * | Never Allow
Register Script | Default register script permission | Script Name : * | Always Allow
Disable a Script | Default disable a script permission | Script name : * | Always Allow
Run Script | Default run script permission | Script Name : * | Always Allow
UnSchedule a Script | Default permission for unscheduling a script | Script name : * | Never Allow
Schedule a Script | Default permission for scheduling a script | Script name : * | Always Allow
Stop Script | Default stop script permission | Script Name : * | Always Allow
UnRegister Script | Default unregister script permission | Script Name : * | Always Allow
Set Data Item Values | Permission for All Data Items | Data Item Name : * | Always Allow
Set Time | Default set time permission | Time : * | Always Allow
Alarms | Permission for All Alarms | Alarm Name : * | Never Allow
Events | Permission for All Events | Event Name : * | Never Allow
Data Item Values | Permission for All Data Items | Data Item Name : * | Always Allow
Emails | Permission for All Emails | Email to : * | Never Allow
Package | Default package permission | Name : *, Version : * | Ask for Approval
Modify Ping Update Rate | Default ping rate permission | Update Rate : * | Never Allow
File Download | Default file download permission | File : * | Ask for Approval
File Upload | ESRS Connect Home File Upload - Device Config | File : C:\Inetpub\ftproot\LocalUser\esrsconfig | Always Allow
File Upload | Default file upload permission | File : * | Always Allow
File Upload | ESRS Connect Home File Upload - FTP | File : C:\Inetpub\ftproot\LocalUser\onalert\incoming | Always Allow
File Upload | ESRS Connect Home File Upload - SMTP | File: C:\Inetpub\mailroot\drop | Always Allow
Restart Agent | Default restart permission | Hard restart : * | Always Allow
Execute | Default execute permission | Application : * | Ask for Approval
Enable a Timer | Default enable timer permission | Timer name : * | Never Allow
Remove a Timer | Default remove timer permission | Timer name : * | Never Allow
Disable a Timer | Default disable timer permission | Timer name : * | Never Allow
Create a Timer | Default create timer permission | Timer name : * | Never Allow
Remote Application | Remote_Desktop | Remote Application Name: Remote_Desktop | Ask for Approval
Remote Application | Default application permission | Remote Application Name: DEFAULT | Always Allow
Remote Application | EMC CLARiiON Remote App - Navisphere Mgr / NaviSecureCLI | Remote Application Name: NaviMgr/NaviSecureCLI | Always Allow
Remote Application | EMC CLARiiON Remote App - RemoteDiagAgent | Remote Application Name: RemoteDiagAgent | Always Allow
Remote Application | EMC CLARiiON Remote App - EMCRemote | Remote Application Name: EMCRemote | Always Allow
Remote Application | EMC CLARiiON Remote App - KTCONS | Remote Application Name: KTCONS | Always Allow
Remote Application | EMC CLARiiON Remote App - Navi Command Line | Remote Application Name: NaviCLI | Always Allow
Remote Terminal | Default terminal permission | Remote Interface Name : * | Never Allow


Table 18 Connectrix default permissions

Action | Permission | Parameters | Access Right
Enable a Script | Default enable a script permission | Script name : * | Never Allow
Register Script | Default register script permission | Script Name : * | Always Allow
Disable a Script | Default disable a script permission | Script name : * | Always Allow
Run Script | Default run script permission | Script Name : * | Always Allow
UnSchedule a Script | Default permission for unscheduling a script | Script name : * | Never Allow
Schedule a Script | Default permission for scheduling a script | Script name : * | Always Allow
Stop Script | Default stop script permission | Script Name : * | Always Allow
UnRegister Script | Default unregister script permission | Script Name : * | Always Allow
Set Data Item Values | Permission for All Data Items | Data Item Name : * | Always Allow
Set Time | Default set time permission | Time : * | Always Allow
Alarms | Permission for All Alarms | Alarm Name : * | Never Allow
Events | Permission for All Events | Event Name : * | Never Allow
Data Item Values | Permission for All Data Items | Data Item Name : * | Always Allow
Emails | Permission for All Emails | Email to : * | Never Allow
Package | Default package permission | Name : *, Version : * | Ask for Approval
Modify Ping Update Rate | Default ping rate permission | Update Rate : * | Never Allow
File Download | Default file download permission | File : * | Ask for Approval
File Upload | ESRS Connect Home File Upload - Device Config | File : C:\Inetpub\ftproot\LocalUser\esrsconfig | Always Allow
File Upload | Default file upload permission | File : * | Always Allow
File Upload | ESRS Connect Home File Upload - FTP | File : C:\Inetpub\ftproot\LocalUser\onalert\incoming | Always Allow
File Upload | ESRS Connect Home File Upload - SMTP | File: C:\Inetpub\mailroot\drop | Always Allow
Restart Agent | Default restart permission | Hard restart : * | Always Allow
Execute | Default execute permission | Application : * | Ask for Approval
Enable a Timer | Default enable timer permission | Timer name : * | Never Allow
Remove a Timer | Default remove timer permission | Timer name : * | Never Allow
Disable a Timer | Default disable timer permission | Timer name : * | Never Allow
Create a Timer | Default create timer permission | Timer name : * | Never Allow
Remote Application | Remote_Desktop | Remote Application Name: Remote_Desktop | Ask for Approval
Remote Application | Default application permission | Remote Application Name: DEFAULT | Always Allow
Remote Application | EMC Connectrix Remote App - EMCRemote | Remote Application Name: EMCRemote | Always Allow
Remote Terminal | Default terminal permission | Remote Interface Name : * | Never Allow


Table 19 ControlCenter default permissions

Action | Permission | Parameters | Access Right
Enable a Script | Default enable a script permission | Script name : * | Never Allow
Register Script | Default register script permission | Script Name : * | Always Allow
Disable a Script | Default disable a script permission | Script name : * | Always Allow
Run Script | Default run script permission | Script Name : * | Always Allow
UnSchedule a Script | Default permission for unscheduling a script | Script name : * | Never Allow
Schedule a Script | Default permission for scheduling a script | Script name : * | Always Allow
Stop Script | Default stop script permission | Script Name : * | Always Allow
UnRegister Script | Default unregister script permission | Script Name : * | Always Allow
Set Data Item Values | Permission for All Data Items | Data Item Name : * | Always Allow
Set Time | Default set time permission | Time : * | Always Allow
Alarms | Permission for All Alarms | Alarm Name : * | Never Allow
Events | Permission for All Events | Event Name : * | Never Allow
Data Item Values | Permission for All Data Items | Data Item Name : * | Always Allow
Emails | Permission for All Emails | Email to : * | Never Allow
Package | Default package permission | Name : *, Version : * | Ask for Approval
Modify Ping Update Rate | Default ping rate permission | Update Rate : * | Never Allow
File Download | Default file download permission | File: * | Ask for Approval
File Upload | ESRS Connect Home File Upload - Device Config | File: C:\Inetpub\ftproot\LocalUser\esrsconfig | Always Allow
File Upload | Default file upload permission | File : * | Always Allow
File Upload | ESRS Connect Home File Upload - FTP | File: C:\Inetpub\ftproot\LocalUser\onalert\incoming | Always Allow
File Upload | ESRS Connect Home File Upload - SMTP | File: C:\Inetpub\mailroot\drop | Always Allow
Restart Agent | Default restart permission | Hard restart : * | Always Allow
Execute | Default execute permission | Application : * | Ask for Approval
Enable a Timer | Default enable timer permission | Timer name : * | Never Allow
Remove a Timer | Default remove timer permission | Timer name : * | Never Allow
Disable a Timer | Default disable timer permission | Timer name : * | Never Allow
Create a Timer | Default create timer permission | Timer name : * | Never Allow
Remote Application | Remote_Desktop | Remote Application Name: Remote_Desktop | Ask for Approval
Remote Application | Default application permission | Remote Application Name: DEFAULT | Never Allow
Remote Application | ESRS Control Center Remote App - EMCRemote | Remote Application Name: EMCRemote | Always Allow
Remote Terminal | Default terminal permission | Remote Interface Name : * | Never Allow


Table 20 EDL default permissions

Action | Permission | Parameters | Access Right
Enable a Script | Default enable a script permission | Script name : * | Never Allow
Register Script | Default register script permission | Script Name : * | Always Allow
Disable a Script | Default disable a script permission | Script name : * | Always Allow
Run Script | Default run script permission | Script Name : * | Always Allow
UnSchedule a Script | Default permission for unscheduling a script | Script name : * | Never Allow
Schedule a Script | Default permission for scheduling a script | Script name : * | Always Allow
Stop Script | Default stop script permission | Script Name : * | Always Allow
UnRegister Script | Default unregister script permission | Script Name : * | Always Allow
Set Data Item Values | Permission for All Data Items | Data Item Name : * | Always Allow
Set Time | Default set time permission | Time : * | Always Allow
Alarms | Permission for All Alarms | Alarm Name : * | Never Allow
Events | Permission for All Events | Event Name : * | Never Allow
Data Item Values | Permission for All Data Items | Data Item Name : * | Always Allow
Emails | Permission for All Emails | Email to : * | Never Allow
Package | Default package permission | Name : *, Version : * | Ask for Approval
Modify Ping Update Rate | Default ping rate permission | Update Rate : * | Never Allow
File Download | Default file download permission | File : * | Ask for Approval
File Upload | ESRS Connect Home File Upload - Device Config | File : C:\Inetpub\ftproot\LocalUser\esrsconfig | Always Allow
File Upload | Default file upload permission | File : * | Always Allow
File Upload | ESRS Connect Home File Upload - FTP | File : C:\Inetpub\ftproot\LocalUser\onalert\incoming | Always Allow
File Upload | ESRS Connect Home File Upload - SMTP | File : C:\Inetpub\mailroot\drop | Always Allow
Restart Agent | Default restart permission | Hard restart : * | Always Allow
Execute | Default execute permission | Application : * | Ask for Approval
Enable a Timer | Default enable timer permission | Timer name : * | Never Allow
Remove a Timer | Default remove timer permission | Timer name : * | Never Allow
Disable a Timer | Default disable timer permission | Timer name : * | Never Allow
Create a Timer | Default create timer permission | Timer name : * | Never Allow
Remote Application | Remote_Desktop | Remote Application Name: Remote_Desktop | Ask for Approval
Remote Application | Default application permission | Remote Application Name: DEFAULT | Always Allow
Remote Application | EDL Remote App - CLIviaSSH | Remote Application Name: CLIviaSSH | Always Allow
Remote Application | EDL Remote App - EDL Management Console | Remote Application Name: EDL Management Console | Always Allow
Remote Terminal | Default terminal permission | Remote Interface Name : * | Never Allow
Stop Remote Session | Default permission | interface Name : * | Ask for Approval


Table 21 Invista default permissions

Action | Permission | Parameters | Access Right
Enable a Script | Default enable a script permission | Script name : * | Never Allow
Register Script | Default register script permission | Script Name : * | Always Allow
Disable a Script | Default disable a script permission | Script name : * | Always Allow
Run Script | Default run script permission | Script Name : * | Always Allow
UnSchedule a Script | Default permission for unscheduling a script | Script name : * | Never Allow
Schedule a Script | Default permission for scheduling a script | Script name : * | Always Allow
Stop Script | Default stop script permission | Script Name : * | Always Allow
UnRegister Script | Default unregister script permission | Script Name : * | Always Allow
Set Data Item Values | Permission for All Data Items | Data Item Name : * | Always Allow
Set Time | Default set time permission | Time : * | Always Allow
Alarms | Permission for All Alarms | Alarm Name : * | Never Allow
Events | Permission for All Events | Event Name : * | Never Allow
Data Item Values | Permission for All Data Items | Data Item Name : * | Always Allow
Emails | Permission for All Emails | Email to : * | Never Allow
Package | Default package permission | Name : *, Version : * | Ask for Approval
Modify Ping Update Rate | Default ping rate permission | Update Rate : * | Never Allow
File Download | Default file download permission | File : * | Ask for Approval
File Upload | ESRS Connect Home File Upload - Device Config | File : C:\Inetpub\ftproot\LocalUser\esrsconfig | Always Allow
File Upload | Default file upload permission | File : * | Always Allow
File Upload | ESRS Connect Home File Upload - FTP | File : C:\Inetpub\ftproot\LocalUser\onalert\incoming | Always Allow
File Upload | ESRS Connect Home File Upload - SMTP | File : C:\Inetpub\mailroot\drop | Always Allow
Restart Agent | Default restart permission | Hard restart : * | Always Allow
Execute | Default execute permission | Application : * | Ask for Approval
Enable a Timer | Default enable timer permission | Timer name : * | Never Allow
Remove a Timer | Default remove timer permission | Timer name : * | Never Allow
Disable a Timer | Default disable timer permission | Timer name : * | Never Allow
Create a Timer | Default create timer permission | Timer name : * | Never Allow
Remote Application Remote_Desktop Remote Application Name: Ask for Approval
Remote_Desktop
Remote Application Default application permission Remote Application Name: Always Allow
DEFAULT
Remote Application ESRS Invista Remote App - Element Remote Application Name: Always Allow
Manager Element Manager
Remote Application ESRS Invista Remote App - EMCRemote Remote Application Name: Always Allow
EMCRemote
Remote Application ESRS Invista Remote App - Invista CLI Remote Application Name: Always Allow
Invista CLI
Remote Terminal Default terminal permission Remote Interface Name : * Never Allow
Stop Remote Session Default permission interface Name : * Ask for Approval


Table 22 Switch-Brocade-B default permissions


Action | Permission | Parameters | Access Right
Enable a Script | Default enable a script permission | Script name : * | Never Allow
Register Script | Default register script permission | Script Name : * | Always Allow
Disable a Script | Default disable a script permission | Script name : * | Always Allow
Run Script | Default run script permission | Script Name : * | Always Allow
UnSchedule a Script | Default permission for unscheduling a script | Script name : * | Never Allow
Schedule a Script | Default permission for scheduling a script | Script name : * | Always Allow
Stop Script | Default stop script permission | Script Name : * | Always Allow
UnRegister Script | Default unregister script permission | Script Name : * | Always Allow
Set Data Item Values | Permission for All Data Items | Data Item Name : * | Always Allow
Set Time | Default set time permission | Time : * | Always Allow
Alarms | Permission for All Alarms | Alarm Name : * | Never Allow
Events | Permission for All Events | Event Name : * | Never Allow
Data Item Values | Permission for All Data Items | Data Item Name : * | Always Allow
Emails | Permission for All Emails | Email to : * | Never Allow
Package | Default package permission | Name : *; Version : * | Ask for Approval
Modify Ping Update Rate | Default ping rate permission | Update Rate : * | Never Allow
File Download | Default file download permission | File : * | Ask for Approval
File Upload | ESRS Connect Home File Upload - Device Config | File : C:\Inetpub\ftproot\LocalUser\esrsconfig | Always Allow
File Upload | Default file upload permission | File : * | Always Allow
File Upload | ESRS Connect HomeFile Upload - FTP | File : C:\Inetpub\ftproot\LocalUser\onalert\incoming | Always Allow
File Upload | ESRS Connect Home File Upload - SMTP | File : C:\Inetpub\mailroot\drop | Always Allow
Restart Agent | Default restart permission | Hard restart : * | Always Allow
Execute | Default execute permission | Application : * | Ask for Approval
Enable a Timer | Default enable timer permission | Timer name : * | Never Allow
Remove a Timer | Default remove timer permission | Timer name : * | Never Allow
Disable a Timer | Default disable timer permission | Timer name : * | Never Allow
Create a Timer | Default create timer permission | Timer name : * | Never Allow
Remote Application | Remote_Desktop | Remote Application Name: Remote_Desktop | Ask for Approval
Remote Application | Default application permission | Remote Application Name: DEFAULT | Always Allow
Remote Application | ESRS Switch-Brocade-B Remote App - CLIviaSSH | Remote Application Name: CLIviaSSH | Always Allow
Remote Application | ESRS Switch-Brocade-B Remote App - Web Tools | Remote Application Name: Web-Tools | Always Allow
Remote Application | ESRS Switch-Brocade-B Remote App - telnet | Remote Application Name: Telnet | Always Allow
Remote Terminal | Default terminal permission | Remote Interface Name : * | Never Allow
Stop Remote Session | Default permission | interface Name : * | Ask for Approval


Table 23 Switch-Cisco default permissions


Action | Permission | Parameters | Access Right
Enable a Script | Default enable a script permission | Script name : * | Never Allow
Register Script | Default register script permission | Script Name : * | Always Allow
Disable a Script | Default disable a script permission | Script name : * | Always Allow
Run Script | Default run script permission | Script Name : * | Always Allow
UnSchedule a Script | Default permission for unscheduling a script | Script name : * | Never Allow
Schedule a Script | Default permission for scheduling a script | Script name : * | Always Allow
Stop Script | Default stop script permission | Script Name : * | Always Allow
UnRegister Script | Default unregister script permission | Script Name : * | Always Allow
Set Data Item Values | Permission for All Data Items | Data Item Name : * | Always Allow
Set Time | Default set time permission | Time : * | Always Allow
Alarms | Permission for All Alarms | Alarm Name : * | Never Allow
Events | Permission for All Events | Event Name : * | Never Allow
Data Item Values | Permission for All Data Items | Data Item Name : * | Always Allow
Emails | Permission for All Emails | Email to : * | Never Allow
Package | Default package permission | Name : *; Version : * | Ask for Approval
Modify Ping Update Rate | Default ping rate permission | Update Rate : * | Never Allow
File Download | Default file download permission | File : * | Ask for Approval
File Upload | ESRS Connect Home File Upload - Device Config | File : C:\Inetpub\ftproot\LocalUser\esrsconfig | Always Allow
File Upload | Default file upload permission | File : * | Always Allow
File Upload | ESRS Connect HomeFile Upload - FTP | File : C:\Inetpub\ftproot\LocalUser\onalert\incoming | Always Allow
File Upload | ESRS Connect Home File Upload - SMTP | File : C:\Inetpub\mailroot\drop | Always Allow
Restart Agent | Default restart permission | Hard restart : * | Always Allow
Execute | Default execute permission | Application : * | Ask for Approval
Enable a Timer | Default enable timer permission | Timer name : * | Never Allow
Remove a Timer | Default remove timer permission | Timer name : * | Never Allow
Disable a Timer | Default disable timer permission | Timer name : * | Never Allow
Create a Timer | Default create timer permission | Timer name : * | Never Allow
Remote Application | Remote_Desktop | Remote Application Name: Remote_Desktop | Ask for Approval
Remote Application | Default application permission | Remote Application Name: DEFAULT | Always Allow
Remote Application | ESRS Switch-Cisco Remote App - CLIviaSSH | Remote Application Name: CLIviaSSH | Always Allow
Remote Application | ESRS Switch-Cisco Remote App - Web Tools | Remote Application Name: Web-Tools | Always Allow
Remote Application | ESRS Switch-Cisco Remote App - telnet | Remote Application Name: Telnet | Always Allow
Remote Terminal | Default terminal permission | Remote Interface Name : * | Never Allow
Stop Remote Session | Default permission | interface Name : * | Ask for Approval


Table 24 Symmetrix default permissions


Action | Permission | Parameters | Access Right
Enable a Script | Default enable a script permission | Script name : * | Never Allow
Register Script | Default register script permission | Script Name : * | Always Allow
Disable a Script | Default disable a script permission | Script name : * | Always Allow
Run Script | Default run script permission | Script Name : * | Always Allow
UnSchedule a Script | Default permission for unscheduling a script | Script name : * | Never Allow
Schedule a Script | Default permission for scheduling a script | Script name : * | Always Allow
Stop Script | Default stop script permission | Script Name : * | Always Allow
UnRegister Script | Default unregister script permission | Script Name : * | Always Allow
Set Data Item Values | Permission for All Data Items | Data Item Name : * | Always Allow
Set Time | Default set time permission | Time : * | Always Allow
Alarms | Permission for All Alarms | Alarm Name : * | Never Allow
Events | Permission for All Events | Event Name : * | Never Allow
Data Item Values | Permission for All Data Items | Data Item Name : * | Always Allow
Emails | Permission for All Emails | Email to : * | Never Allow
Package | Default package permission | Name : *; Version : * | Ask for Approval
Modify Ping Update Rate | Default ping rate permission | Update Rate : * | Never Allow
File Download | Default file download permission | File : * | Ask for Approval
File Upload | ESRS Connect Home File Upload - Device Config | File : C:\Inetpub\ftproot\LocalUser\esrsconfig | Always Allow
File Upload | Default file upload permission | File : * | Always Allow
File Upload | ESRS Connect HomeFile Upload - FTP | File : C:\Inetpub\ftproot\LocalUser\onalert\incoming | Always Allow
File Upload | ESRS Connect Home File Upload - SMTP | File : C:\Inetpub\mailroot\drop | Always Allow
Restart Agent | Default restart permission | Hard restart : * | Always Allow
Execute | Default execute permission | Application : * | Ask for Approval
Enable a Timer | Default enable timer permission | Timer name : * | Never Allow
Remove a Timer | Default remove timer permission | Timer name : * | Never Allow
Disable a Timer | Default disable timer permission | Timer name : * | Never Allow
Create a Timer | Default create timer permission | Timer name : * | Never Allow
Remote Application | Remote_Desktop | Remote Application Name: Remote_Desktop | Ask for Approval
Remote Application | Default application permission | Remote Application Name: DEFAULT | Always Allow
Remote Application | EMC Symmetrix Remote Access App - SWUCH | Remote Application Name: SWUCH | Always Allow
Remote Application | EMC Symmetrix Remote Access App - EMCRemote | Remote Application Name: EMCRemote | Always Allow
Remote Application | EMC Symmetrix Remote Access App - Remote Browser | Remote Application Name: Remote Browser | Always Allow
Remote Application | EMC Symmetrix Remote Access App - SGDB | Remote Application Name: SGDB | Always Allow
Remote Terminal | Default terminal permission | Remote Interface Name : * | Never Allow

Troubleshooting

You are responsible for backing up Gateway and Policy Manager server data. In the event of any data loss, this ensures that the server can be restored with minimal reconstruction. Either image backup, full file system backup, or application directory backup is satisfactory:
◆ Symptoms


Symptoms
Use the symptoms of a problem to narrow down the troubleshooting
procedures.

Service behavior
This section describes symptoms related to Gateway or Policy Manager service behavior.

Service malfunction
If the Gateway or Policy Manager service appears to malfunction, try first to reboot and restart services.

Service does not start up
If the Gateway or Policy Manager service is down and fails to manually start up from the Services window, it is likely from one of these causes:
◆ Missing (inadvertently deleted or moved) files:
  1. Examine the server log file to confirm missing-file errors.
  2. Attempt restoration from image backup, or possibly reinstallation if image backup is not available. See “Restoration methods” on page 158.
◆ Virus damage (corrupted files):
  1. Run a virus checker program to confirm the presence of a virus, and if so, attempt virus checker repair.
  2. If virus repair is not possible, you may be able to attempt a reinstallation, as described in “Restoration methods” on page 158.

OS and hardware failures
If the server failure is clearly occurring at a more basic level than the Gateway or Policy Manager service, you may want to perform a reinstallation, as described in “Restoration methods” on page 158.

