Overview: On-demand tech support SSH tunnel
A support engineer may request remote access to your virtual appliance (VA) in order to further diagnose a support case and possibly review or update settings to improve the VA's availability. For an Umbrella support engineer to gain access to an Umbrella VA on-prem at your location, the following guidelines must be followed.
The following information only applies to VAs running version 2.1.0 or above.
- All requirements for configuring a VA on either VMware or Hyper-V from the setup documentation must be met.
- Any firewall must be configured to allow outbound connections to s.tunnels.ironport.com.
- The VA will try connecting on TCP ports 22, 25, 53, 80, 443, or 4766 in succession.
To test connectivity, you can telnet to the support tunnel:
telnet s.tunnels.ironport.com 25
Connected to s.tunnels.ironport.com.
Escape character is '^]'.
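The telnet test above checks one port at a time. The following added example (not part of the original documentation or of the VA itself) probes all six ports in the order the VA tries them and classifies each failure, so a blocked firewall rule can be told apart from a DNS problem. The function names and the 5-second timeout are assumptions made for this example.

```python
import socket

# Host and port order are taken from the page; everything else is illustrative.
TUNNEL_HOST = "s.tunnels.ironport.com"
TUNNEL_PORTS = (22, 25, 53, 80, 443, 4766)


def probe(host, port, timeout=5.0, connect=socket.create_connection):
    """Classify one outbound TCP attempt so the failure cause is visible."""
    try:
        with connect((host, port), timeout=timeout):
            return "open"
    except socket.gaierror:
        return "dns-failure"      # name did not resolve: check the resolver
    except socket.timeout:
        return "timeout"          # no reply: typical of a silently dropping firewall
    except ConnectionRefusedError:
        return "refused"          # connection was actively rejected
    except OSError as exc:
        return "error: %s" % (exc.strerror or exc)


def check_egress(host=TUNNEL_HOST, ports=TUNNEL_PORTS, timeout=5.0,
                 connect=socket.create_connection):
    """Probe every port in the VA's order; return (first open port, all results)."""
    results = [(port, probe(host, port, timeout, connect)) for port in ports]
    first_open = next((p for p, state in results if state == "open"), None)
    return first_open, results


def diagnose(first_open, results):
    """Turn the raw results into a one-line hint for the firewall owner."""
    states = {state for _, state in results}
    if first_open is not None:
        return "TCP egress works on port %d" % first_open
    if states == {"dns-failure"}:
        return "hostname does not resolve from this network"
    if states <= {"timeout", "refused"}:
        return "all tunnel ports are blocked outbound"
    return "mixed failures, review per-port results"


if __name__ == "__main__":
    first, res = check_egress()
    for port, state in res:
        print("%-5d %s" % (port, state))
    # An open port only proves TCP reachability; per the page, a newly
    # deployed VA can still fail until its SSH key is registered.
    print(diagnose(first, res))
```

Run it from a host that shares the VA's egress path (same VLAN and firewall policy), otherwise the result says nothing about what the VA itself can reach.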
Enabling the tunnel
The SSH tunnel connects to s.tunnels.ironport.com. The duration of the connection is configurable, with a default of 72 hours. Tunnels can be enabled from the VA's console using the keyboard command "CTRL+T".
Select Yes when prompted:
First, you'll be asked to define the length of the tunnel session:
Select OK and a window will appear that shows the serial number and password for the support tunnel. This information must be transmitted to the support technician. After selecting OK, the VA will attempt to make a connection to the support tunnel server:
Click OK to close the window. Verify that the VA console shows "Remote Support Tunnel: Connected".
Getting your credentials to share with Support
The serial number and password displayed in the VA's console must be given to the support technician. There are three different methods of accomplishing this:
Note that this method does not obtain the SSH key. If the VA has been created within the past week, the SSH key is needed; in that event, please use one of the other two methods to obtain it.
3) To get the serial number and SSH key using a curl command, sample command line:
curl http://<VA IP>:8080/support_tunnel_info
[Update: From VA version 2.3.2+, the password is no longer exposed through options 2 and 3 above, due to a security fix.]
Disabling/Re-enabling the Tunnel
The tunnel will remain established for 72 hours by default; however, you can extend the tunnel duration using the Re-enable option. The tunnel can be disabled or re-enabled at any time with the CTRL-T keyboard command:
If you try to re-enable the tunnel immediately after disabling it, this can lead to an odd condition and error message as the tunnel is not fully disabled at this stage.
Re-enabling the tunnel will not change the password for the VA’s existing tunnel session. By default, selecting the Re-enable option will add 72 hours of tunnel duration from the current time.
If the VA's SSH key has already been added to our servers, the status will change from Disabled to Connected as soon as you enable the tunnel. If the connection is successful, note that the status will stay in Connecting mode for roughly a minute as the VA attempts to establish its tunnel with the server.
If you have not explicitly enabled the tunnel, the Disabled status will show. Please note that after you have explicitly disabled the tunnel, it takes roughly a minute for the tunnel status to change from Connected to Disabled.
In the Connecting state, the VA is attempting to establish the tunnel (trying ports 22, 25, 53, 80, 443, and 4766 sequentially) with a 5-minute delay between each attempt. The VA will remain in this state until a connection is established, or 30 minutes have elapsed with no successful connection made.
The connection can fail due to either the SSH key not yet existing in our database (this only affects newly-deployed VAs) or networking issues (e.g. blocked ports).
If the VA is unable to establish a connection with the remote server, then the status will go to Time out. The time out will occur roughly 30 minutes after the VA has attempted to establish a tunnel with the remote server.
Once a support tunnel is enabled, the VA will respect the duration value entered even if the VA is rebooted or upgraded. No additional actions are needed by you. If the VA reboots or upgrades while time still remains in the specified duration, the VA will attempt to reconnect to the SSH tunnel server automatically.