Dell EMC uses Secure Remote Services (SRS, formerly known as ESRS) to enhance the tech support experience for their products. There’s two sides to this support: connect home, and connect in. Connect home is your device itself dialing back home to Dell EMC to report various things such as errors, automatic support uploads, etc. If either of this results in a Service Request at Dell EMC, a engineer can then use SRS to dial in / connect in and have a look at the faulty system. The latter saves you from having to host a Webex session.
Dell EMC likes to have all Dell EMC systems connected to SRS, again for two reasons. First of all, it reduces the time spent by engineers in troubleshooting an issue. If an engineer can dial in himself, without having to negotiate a Webex session with the customer, that means more SRs per engineer per day and lower support costs for Dell EMC. Secondly, it will result in faster incident resolution, and thus a happier customer. The support engineer can look up the state of a defective drive independently, and order new parts while the customer is sleeping. Win-win!
As such, Dell EMC motivates us partners to connect all new systems to SRS. I have been doing that for some years now, but noticed I was using an antiquated approach. It turns out many of the new systems have REST API-based methods to register themselves with SRS. Here’s how!
The SRS infrastructure
The SRS infrastructure in the customer network hasn’t changed too much over the years. There’s a SRS vApp (based on SuSe Linux) that you typically deploy in your DMZ. You can cluster these vApps to get some additional redundancy in case one of them breaks or is being updated.
There’s also a SRS Policy Manager, which you would deploy in your internal network. The main reasons I’ve seen why anyone uses this Policy Manager is either for audit logging and/or access control:
- A SRS gateway without policy manager has a default “Accept All” policy. Now, that doesn’t mean every Dell EMC engineer will and can connect to your Dell EMC system at random. However with a “Ask for Permission” or “Deny All” policy, you can do just that: manually approve access, or deny it all (for example during enterprise wide change freezes).
- The logging in the SRS gateways is fairly basic. With the policy manager you get some additional insight and audit logging, which could be useful if you like such a thing.
In my experience though, many customers hardly ever look at the SRS audit logs and set the policy to “Accept all” anyway…
The SRS gateway is typically located in the DMZ, with the Policy Manager and the Dell EMC equipment in the rest of the network behind additional firewalls. This means that you will need to punch a few holes in your firewall(s) at initial setup (internet <-> gateway), and for every additional Dell EMC device you add to the gateway. SRS Port requirements are well documented.
Deployment of this SRS infrastructure is something that a Dell EMC partner of Dell EMC engineer will do with the first Dell EMC system install. It doesn’t take too much time (deploy a vApp, install a policy manager on an existing or new server, register it and you’re done). Next, you need to register your devices in this SRS gateway. Most modern Dell EMC systems can achieve this with REST API calls originating from the device itself.
First of all, there’s the Data Domains. Open the necessary ports in the firewall. If needed, you can create a hostname to IP mapping in the Data Domain:
net host add 10.10.10.10 <Hostname SRS server>
Then run the following command:
support connectemc device register <IP ADDRESS DD> esrs-gateway <DNS hostname (not FQDN) of SRS server>
The command will prompt you for a Dell EMC Support login, and should confirm that the device was successfully registered. Next, you can use the following commands to verify your current (non-SRS) configuration and change it:
Show the current configuration and test SRS connectivity:
support notification show all
support connectemc test
Switch over to SRS for the automatic support uploads:
support notification method set connectemc
Show the configuration changes, and test everything:
support notification show all
support connectemc config show
support connectemc show history
Finally, I typically send myself an autosupport dump after making any big changes on a Data Domain. Just run the following command:
autosupport send <email address>
You can connect your Isilons to SRS in a similar fashion, via the GUI:
Navigate to General Settings -> Remote Support, enter the ESRS details, select which subnet/pool to use for this (management) traffic, and click Save Configuration. You should receive a notification that the settings were applied correctly. It’s highly likely that the Connected to Gateway and Enabled status fields will display a big, solid NO for at least 15-30 minutes afterwards. Don’t panic, go for lunch and check it again after an hour.
The Unity mid-range storage systems are connected to SRS via the HTML5 GUI. Simply navigate to Settings -> Support Configuration -> EMC Secure Remote Services, and select the options you want:
You have two SRS options: Integrated, or Centralized. With Integrated, each Unity system connects back to the SRS infrastructure at Dell directly, without an additional SRS gateway in between. This is quick and easy if you only have one or two Unity arrays, but does require you to punch more holes in the firewall for each additional system. The Centralized option works with the SRS gateway: enter the IP address of the SRS gateway and you’re done.
Now, while you’ve set up ESRS, do make sure that you enable the CloudIQ data upload as well. It offers valuable insight in your devices’ capacity growth, performance and health. Here’s some more info on CloudIQ.
A Dell EMC internal engineer will typically install VMAX3 arrays, at least in our region. He/she will take care of the SRS configuration at initial start-up of the systems. There’s two steps in this process: connecting to the SRS gateway, and registering it in an Dell EMC internal SLC database that’s used to generate credentials/tokens. Without that last step, the system will dial home okay but engineers can’t connect to the VMAX3 remotely.
My thoughts on SRS/ESRS
I like it, plain and simple. It makes the customers life easier because you don’t have to sit in so many Webex sessions. Additionally, it makes the Dell EMC engineer’s life easier because they can work more autonomously and fix problems quicker. I have noticed that engineers still request Webex sessions once in a while, even though they could connect via SRS. This ratio is improving over time though.
From a partner perspective, SRS is improving as well. With the REST API calls, device registration on an ESRS gateway is simple and quick. I no longer need to open service requests for device approvals, which saves me time.
I would like it if partners could register new SRS gateways independently of a Dell EMC internal engineer. Previous installs I’ve done involved scheduling a local Dell EMC CE, sharing screens, token codes, etc. Just to continue past the “register ESRS GW” screen. This would take up a significant portion of project time to arrange, which doesn’t make sense if the actual storage systems are simpler to install. If I recall correctly, there were a few improvements on the roadmap for this, but I lost track of the status. If you have some more information on this aspect, feel free to share it in the comments!