HP-3PAR Support Tiers and remote access
Posted: Fri May 09, 2014 2:37 pm
by Richard Siemers
Hello fellow customers. I was curious what levels/tier of support you guys use, and what's the reason. And how do you have your SP set up for phone-home/remote-support? Do you allow inbound support access? Do you still use a modem? Have you deployed the "Policy Manager" server to lock down/audit all these in/out 3PAR support related communications?
Thanks!
Re: HP-3PAR Support Tiers and remote access
Posted: Fri May 09, 2014 3:59 pm
by afidel
4 Hour onsite, we looked at mission critical but paying for a TAM that will probably be worthless when we actually need something escalated didn't seem to be a big draw for anyone here. We've got the SP set to allow remote access, I originally was switching it on and off on an as-needed basis but when it was upgraded the account/password I had stopped working so we had 3Par support open it up. I was royally pissed at first but our local guy showed us the level of logging done on the backend for remote access and it seemed more than sufficient to assure nobody is using it as a jumping off platform to get into our network. We're not using policy manager as the support model for vendor driven remote access (vs customer driven) wasn't explained to us up front, otherwise we might have had them throw it into the deal.
Re: HP-3PAR Support Tiers and remote access
Posted: Fri May 09, 2014 5:23 pm
by Richard Siemers
Account wise, were you using 3parcust or spdood to change it?
I noticed on my older SP, 3parcust can't change it, it says cpmaint is required. However on my new SP, 3parcust can set it from none/Inbound only/both.
I would like to find a way to script it in cron or some other enterprise scheduler.
Down and dirty, I can do it with ssh-putty/plink blindly spewing commands from an input file. However I would like a more elegant method if possible.
Re: HP-3PAR Support Tiers and remote access
Posted: Fri May 09, 2014 9:24 pm
by afidel
I was using cpmaint, I will have to upgrade if 3parcust can change it on current SP.
Re: HP-3PAR Support Tiers and remote access
Posted: Sun May 11, 2014 5:45 pm
by Josh26
The idea of trusting an unknown number of unnamed people with root access to a business critical infrastructure makes me cringe. They can claim it's logged all they want, but if an incident occurs, will you have access to those logs?
We don't give software vendors domain admin passwords - you'd be looked at strangely if you suggested it.
Re: HP-3PAR Support Tiers and remote access
Posted: Mon May 12, 2014 1:54 am
by apol
We set the communication options to outbound only, and HP support staff have to call our 24x7 operations if they want inbound connectivity. A reason/case and name have to be given and are logged. We don't use the Policy Manager, I know this software from another vendor (where you get it FOR FREE with the software needed for remote support), and I appreciate every second I don't have to use it. But it's nevertheless a shame that one has to pay for it with HP.
We used to use cpmaint to change it, but since 3.1.2, 3parcust is sufficient.
"I was royally pissed at first but our local guy showed us the level of logging done on the backend for remote access and it seemed more than sufficient to assure nobody is using it as a jumping off platform to get into our network."
afidel, could you share what you know about logging in the background? We asked our local support guys if we could extract some info from the logs on the SP (connection start, connection end, IP and/or user name from the one who connects, ...) but actually never got a satisfying answer...
Re: HP-3PAR Support Tiers and remote access
Posted: Mon May 12, 2014 5:25 am
by hdtvguy
We have Mission Critical support on our V400s and 7400s and it is useless. We get a TAM and support team that are useless and support is no different on the mission critical arrays than my 7200s that do not have mission critical. We leave all the arrays set to allow remote access, but the instructions on our account specify that support is supposed to email and ask for permission before accessing the arrays. That is about the only thing support has done right. 3par's back end system though that provides them that access is often slow or has issues so half the time support asks for a virtual room so they can diagnose the array.
Re: HP-3PAR Support Tiers and remote access
Posted: Mon May 12, 2014 7:31 am
by spencer.ryan
4 hour, inbound/outbound allowed and no policy manager.
We did our own startup on this 7400, but I can see it can be changed with 3parcust.
Re: HP-3PAR Support Tiers and remote access
Posted: Tue May 13, 2014 2:53 pm
by Richard Siemers
Does anyone block "phone home" outbound? I have been told some military related business/locations block this, and have to phone in failures manually. My concern here is that the SP phones home with events it does not CC the customer with. Several times we have been contacted by support indicating an urgent need to perform XYZ, and we have no internal alerts at all. We get disk fails, ports down, typical hardware fails just fine. There seems to be a level of alerts that are hidden from customers for HP eyes only, and that is disturbing to me.
Josh26 - I understand your security posture when it comes to granting "root" access to an enterprise asset, however which offers your corporation a greater degree of "protection" or perhaps a better word would be "compensation" in the event of an error: your company's employment agreement, or your company's service agreements with HP/EMC/Netapp?
Re: HP-3PAR Support Tiers and remote access
Posted: Tue May 13, 2014 6:04 pm
by Josh26
"companies service agreements with HP/EMC/Netapp?"
My answer is based on the continual, repetitive failure of that agreement.
"There seems to be a level of alerts that are hidden from customers for HP eyes only"
I've run into this also. I have found such alerts always show up on the checkhealth CLI command (for the ones I've seen anyway) and hence I have our monitoring system scripted to run this daily.
"I have been told some military related business/locations block this"
The Common Criteria guidelines for a certified deployment include clear instructions that the environment is only certified if the installer disables the phone home functionality. Anyone dealing with sensitive material in certain Government areas will only deploy CC certified hardware.
http://h20566.www2.hp.com/portal/site/hpsc/template.BINARYPORTLET/public/kb/docDisplay/resource.process/?javax.portlet.begCacheTok=com.vignette.cachetoken&javax.portlet.endCacheTok=com.vignette.cachetoken&javax.portlet.rid_ba847bafb2a2d782fcbb0710b053ce01=docDisplayResURL&javax.portlet.rst_ba847bafb2a2d782fcbb0710b053ce01=wsrp-resourceState%3DdocId%253Demr_na-c03528595-1%257CdocLocale%253Den_US&javax.portlet.tpst=ba847bafb2a2d782fcbb0710b053ce01_ws_BI&ac.admitted=1391223856155.876444892.199480143
Note however only certain models are evaluated to this standard - you can't deploy a 7200 to a CC required environment.