12-29-2010 06:30 PM
The Tech Support Tunnel.
12-29-2010 06:32 PM
When you contact Cisco IronPort customer support for assistance with an issue related to your appliance, the support engineer may request that you open a support tunnel. This is one of many tools that can help the support engineer assist you in diagnosing and possibly correcting a problem with your appliance. The support tunnel is a secure tunnel created using ssh. There are a variety of ports that can be used for this process; however, port 25 is chosen by default. Cisco IronPort Customer Support cannot establish the support tunnel without intervention from the appliance. When the support tunnel is active, you will see the word 'Service' at the command prompt in the CLI interface. When the support tunnel is active you will not be able to see the session (screen) that the support engineer is using. While it is possible to access the GUI using some additional techniques, the support tunnel initially allows the support engineer access to the CLI, and this is the preferred method for initial contact with the appliance.
This process is the same across all IronPort appliances; however, we do find in some cases that some customers restrict access to SMA (M series) appliances, since they typically do not have any need to connect outside of the customer's infrastructure. If this is the case, it may still be possible to open a tech support tunnel on the M series and one of your ESA appliances. The support engineer can typically connect to the ESA first and then simply ssh over to the M series appliance using the support tunnel.
It's important to note that the tech support tunnel will remain open until it is either closed by the customer or by the support engineer. It's typically a good idea to close the tunnel when all work has been completed.
Below is some additional information on how to establish a tech support tunnel, how tunnels work, and what ports can be used to establish the support tunnel.
Techsupport tunnels are secure ssh connections made from an IronPort appliance to a bastion host at IronPort headquarters. Tunnels allow Customer Support and Applications Engineers to analyse a running system and effect repairs.
How does the SSH Support Tunnel Work?
The Support Tunnel works through most firewalls without modification. When the tunnel connection initiates, the IronPort device makes an SSH connection from a random high source port to the specified port on upgrades.ironport.com, 63.251.108.107.
The ports that are available on IronPort's secured tunnel server are 22, 25, 53, 80, 443, & 4766. Because the connection is made to the hostname, rather than a hard-coded IP, working DNS is required to establish the tunnel.
Some protocol-aware devices will block the connection due to the protocol/port mismatch, and some SMTP-aware devices will interrupt the connection. In cases where there are protocol-aware devices or outgoing connections are blocked, a port other than the default of 25 may need to be used. Access to the remote end of the tunnel is restricted to just the IronPort Customer Support and Applications Engineers. When somebody is connected to the tunnel, the system prompt on the IronPort device includes "(SERVICE)".
Starting the support tunnel from the CLI.
ironport.example.com> techsupport
Service Access currently disabled.
Serial Number: 0012345655E240-1232121
Choose the operation you want to perform:
- SSHACCESS - Allow an IronPort customer service representative to remotely access your
system, without establishing a tunnel.
- TUNNEL - Allow an IronPort customer service representative to remotely access your
system, and establish a secure tunnel for communication.
- STATUS - Display the current techsupport status.
[]> tunnel
Enter a temporary password for customer support to use. This password will not be able to
be used to directly access your system.
- the password must be between 6 and 128 characters long;
- it cannot be blank or consist only of spaces;
- it must be different from the administrator's password.
[]> supportpassword
Enter the port number for tunnel connection:
[25]> 25
Are you sure you want to enable service access? [N]> y
Service access has been ENABLED. Please provide your temporary password to your Cisco IronPort Customer Support representative.
Waiting for ssh tunnel to connect, Ctrl-C to cancel...
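The following Python script is an added example written for this post; it is not Cisco/IronPort code and not part of the original. It pulls together the defender-side checks the text above implies: which of the tunnel server's ports (22, 25, 53, 80, 443, 4766) an appliance could actually use given an egress policy with protocol-aware inspection, whether a candidate temporary password satisfies the three rules the techsupport command prints, and whether a pasted CLI transcript shows service access open (the "(SERVICE)" prompt or the status line). The egress-policy tuple format, the sample transcript, the "enabled" wording of the status line and all function names are constructed assumptions for illustration.

```python
"""Plan and audit an IronPort tech support tunnel from the defender's side.

Added example; this is not Cisco/IronPort code. The hostname, the tunnel port
list and the temporary-password rules come from the post. The egress-policy
format, the sample CLI transcript and every function name are constructed
assumptions for illustration.
"""
import re

TUNNEL_HOST = "upgrades.ironport.com"          # from the post
TUNNEL_PORTS = (22, 25, 53, 80, 443, 4766)     # tunnel server ports listed in the post
DEFAULT_PORT = 25

# Constructed egress policy for the appliance's network segment:
# (destination port, action, protocol-aware inspection applied or None).
SAMPLE_EGRESS_POLICY = [
    (22, "deny", None),
    (25, "allow", "smtp"),    # SMTP-aware device: will interrupt an SSH session on 25
    (53, "allow", "dns"),     # DNS-aware device: protocol/port mismatch, likely blocked
    (80, "allow", None),
    (443, "allow", None),
    (4766, "deny", None),
]


def usable_tunnel_ports(policy):
    """Return tunnel ports the appliance can realistically use through this policy.

    A port qualifies only if the tunnel server listens on it, egress is allowed,
    and no protocol-aware inspection sits in the path (the post notes that
    protocol/port mismatches get blocked or interrupted).
    """
    allowed = {
        port for port, action, inspection in policy
        if action == "allow" and inspection is None
    }
    return [p for p in TUNNEL_PORTS if p in allowed]


def recommend_port(policy):
    """Keep the default of 25 when it works; otherwise pick the first usable port.

    Returns None when the policy leaves no usable port, meaning a firewall
    change is needed before support can connect.
    """
    usable = usable_tunnel_ports(policy)
    if DEFAULT_PORT in usable:
        return DEFAULT_PORT
    return usable[0] if usable else None


def validate_temp_password(candidate, admin_password):
    """Apply the rules the techsupport command prints; return a list of violations."""
    problems = []
    if not 6 <= len(candidate) <= 128:
        problems.append("length")          # must be 6..128 characters
    if candidate.strip() == "":
        problems.append("blank")           # cannot be blank or only spaces
    if candidate == admin_password:
        problems.append("matches_admin")   # must differ from the admin password
    return problems


# Prompt marker and status wording as shown in the post; the "enabled" variant
# of "Service Access currently ..." is an assumption.
PROMPT_RE = re.compile(r"\(SERVICE\)\s*>", re.IGNORECASE)
STATUS_RE = re.compile(r"Service access (?:currently|has been) (enabled|disabled)",
                       re.IGNORECASE)


def service_access_state(cli_lines):
    """Infer from a CLI transcript whether service access is on.

    Returns True, False, or None when the transcript gives no evidence either way.
    Later lines override earlier ones, so the last state seen wins.
    """
    state = None
    for line in cli_lines:
        m = STATUS_RE.search(line)
        if m:
            state = m.group(1).lower() == "enabled"
        elif PROMPT_RE.search(line):
            state = True
    return state


# Constructed transcript: what an operator might paste from a session log.
SAMPLE_TRANSCRIPT = [
    "ironport.example.com> techsupport",
    "Service Access currently disabled.",
    "[]> tunnel",
    "Service access has been ENABLED. Please provide your temporary password ...",
    "ironport.example.com (SERVICE)> status",
]


if __name__ == "__main__":
    print("usable ports:", usable_tunnel_ports(SAMPLE_EGRESS_POLICY))
    print("recommended port:", recommend_port(SAMPLE_EGRESS_POLICY))
    print("password problems:", validate_temp_password("supportpassword", "admin-secret"))
    print("service access open:", service_access_state(SAMPLE_TRANSCRIPT))
```

With the constructed policy, 25 is allowed but sits behind SMTP inspection and 53 behind DNS inspection, so the only usable ports are 80 and 443 and the script recommends 80; feeding the script a session log is a cheap way to confirm the tunnel was actually closed once work finished, which the post advises.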
If you have any additional questions about the support tunnels, you can contact customer support and we will be happy to assist you.
Christopher C Smith
CSE
Cisco IronPort Customer Support