HP-3PAR Support Tiers and remote access
- Richard Siemers
- Site Admin
- Posts: 1333
- Joined: Tue Aug 18, 2009 10:35 pm
- Location: Dallas, Texas
HP-3PAR Support Tiers and remote access
Hello fellow customers. I was curious what levels/tier of support you guys use, whats the reason. And how do you have your SP setup for phone-home/remote-support. Do you allow inbound support access? Do you still use a modem? Have you deployed the "Policy Manager" server to lock down/audit all these in/out 3PAR support related communications?
Thanks!
Thanks!
Richard Siemers
The views and opinions expressed are my own and do not necessarily reflect those of my employer.
The views and opinions expressed are my own and do not necessarily reflect those of my employer.
Re: HP-3PAR Support Tiers and remote access
4 Hour onsite, we looked at mission critical but paying for a TAM that will probably be worthless when we actually need something escalated didn't seem to be a big draw for anyone here. We've got the SP set to allow remote access, I originally was switching it on and off on an as-needed basis but when it was upgraded the account/password I had stopped working so we had 3Par support open it up. I was royally pissed at first but our local guy showed us the level of logging done on the backend for remote access and it seemed more than sufficient to assure nobody is using it as a jumping off platform to get into our network. We're not using policy manager as the support model for vendor driven remote access (vs customer driven) wasn't explained to us up front, otherwise we might have had them throw it into the deal.
- Richard Siemers
- Site Admin
- Posts: 1333
- Joined: Tue Aug 18, 2009 10:35 pm
- Location: Dallas, Texas
Re: HP-3PAR Support Tiers and remote access
Account wise, we're you using 3parcust or spdood to change it?
I noticed on my older SP, 3parcust can't change it, it says cpmaint is required. However on my new SP, 3parcust can set it from none/Inbound only/both.
I would like to find a way to script it in cron or some other enterprise scheduler.
Down and dirty, I can do it with ssh-putty/plink blindly spewing commands from an input file. However I would like a more elegant method if possible.
I noticed on my older SP, 3parcust can't change it, it says cpmaint is required. However on my new SP, 3parcust can set it from none/Inbound only/both.
I would like to find a way to script it in cron or some other enterprise scheduler.
Down and dirty, I can do it with ssh-putty/plink blindly spewing commands from an input file. However I would like a more elegant method if possible.
Richard Siemers
The views and opinions expressed are my own and do not necessarily reflect those of my employer.
The views and opinions expressed are my own and do not necessarily reflect those of my employer.
Re: HP-3PAR Support Tiers and remote access
i was using cpmaint, I will have to upgrade if 3parcust can change it on currrent sp.
Re: HP-3PAR Support Tiers and remote access
The idea of trusting an unknown number of unnamed people with root access to a business critical infrastructure makes me cringe. They can claim it's logged all they want, but if an incident occurs, will you have access to those logs?
We don't give software vendors domain admin passwords - you'd be looked at strangely if you suggested it.
We don't give software vendors domain admin passwords - you'd be looked at strangely if you suggested it.
Re: HP-3PAR Support Tiers and remote access
We set the communication options to outbound only, and HP support staff have to call our 24x7 operations if they want inbound connectivity. A reason/case and name have to be given and are logged. We don't use the Policy Manager, I know this software from another vendor (where you get it FOR FREE with the software needed for remote support), and I appreciate every second I don't have to use it. But it's nevertheless a shame that one has to pay for it with HP.
We used to use cpmaint to change it, but since 3.1.2, 3parcust is sufficient.
afidel, could you share what you know about logging in the background? We asked out local support guys if we could extract some info from the logs on the SP (connection start, connection end, IP and/or user name from the one who connects, ...) but actually never got a satisfying answer...
We used to use cpmaint to change it, but since 3.1.2, 3parcust is sufficient.
I was royally pissed at first but our local guy showed us the level of logging done on the backend for remote access and it seemed more than sufficient to assure nobody is using it as a jumping off platform to get into our network.
afidel, could you share what you know about logging in the background? We asked out local support guys if we could extract some info from the logs on the SP (connection start, connection end, IP and/or user name from the one who connects, ...) but actually never got a satisfying answer...
When all else fails, read the instructions.
Re: HP-3PAR Support Tiers and remote access
We have Mission Cirtical support on our V400s and 7400s and it is useless. We get a TAM and support team that are useless and support is no different on the mission critical arrays than my 7200s that do not have mission critical. We leave all the arrays set to allow remote access, but the Instructions on our account specify that support is supposed to email and ask for permission before accessing the arrays. That is about the only thing support has done right. 3par's back end system though that provides them that access is often slow or has issues so half the time support asks for a virtual room so that can diagnose the array.
-
- Posts: 35
- Joined: Tue Feb 11, 2014 11:33 am
Re: HP-3PAR Support Tiers and remote access
4 hour, inbound/outbound allowed and no policy manager.
We did our own startup on this 7400, but I can see it can be changed with 3parcust.
We did our own startup on this 7400, but I can see it can be changed with 3parcust.
- Richard Siemers
- Site Admin
- Posts: 1333
- Joined: Tue Aug 18, 2009 10:35 pm
- Location: Dallas, Texas
Re: HP-3PAR Support Tiers and remote access
Does any one block "phone home" out bound? I have been told some military related business/locations block this, and have to phone in failures manually. My concern here is that the SP phones home with events it does not CC the customer with. Several times we have been contacted by support indicating an urgent need to perform XYZ, and we have no internal alerts at all. We get disk fails, ports down, typical hardware fails just fine. There seems to be a level of alerts that are hidden from customers for HP eyes only, and that is disturbing to me.
Josh26 - I understand your security posture when it comes to granting "root" access to an enterprise asset, however which offers your corporation a greater degree of "protection" or perhaps a better word would be "compensation" in the event of an error: your company's employment agreement, or your companies service agreements with HP/EMC/Netapp?
Josh26 - I understand your security posture when it comes to granting "root" access to an enterprise asset, however which offers your corporation a greater degree of "protection" or perhaps a better word would be "compensation" in the event of an error: your company's employment agreement, or your companies service agreements with HP/EMC/Netapp?
Richard Siemers
The views and opinions expressed are my own and do not necessarily reflect those of my employer.
The views and opinions expressed are my own and do not necessarily reflect those of my employer.
Re: HP-3PAR Support Tiers and remote access
companies service agreements with HP/EMC/Netapp?
My answer is based on the continual, repetitive failure of that agreement.
There seems to be a level of alerts that are hidden from customers for HP eyes only
I've run into this also. I have found such alerts always show up on the checkhealth CLI command (for the ones I've seen anyway) and hence I have our monitoring system scripted to run this daily.
I have been told some military related business/locations block this
The Common Criteria guidelines for a certified deployment include clear instructions that the environment is only certified if the installer disables the phone home functionality. Anyone dealing with sensitive material in certain Government areas will only deploy CC certified hardware.
http://h20566.www2.hp.com/portal/site/hpsc/template.BINARYPORTLET/public/kb/docDisplay/resource.process/?javax.portlet.begCacheTok=com.vignette.cachetoken&javax.portlet.endCacheTok=com.vignette.cachetoken&javax.portlet.rid_ba847bafb2a2d782fcbb0710b053ce01=docDisplayResURL&javax.portlet.rst_ba847bafb2a2d782fcbb0710b053ce01=wsrp-resourceState%3DdocId%253Demr_na-c03528595-1%257CdocLocale%253Den_US&javax.portlet.tpst=ba847bafb2a2d782fcbb0710b053ce01_ws_BI&ac.admitted=1391223856155.876444892.199480143
Note however only certain models are evaluated to this standard - you can't deploy a 7200 to a CC required environment.