Remote code load (RCL) is a service that allows remote support engineers to complete code
updates on the storage system.
IBM® storage implemented a remote capability to upgrade code
on clients’ entitled storage products. RCL is the process of having IBM support personnel securely connect to and update the microcode on the storage system. The
RCL service is the preferred code delivery method, which proves to be both efficient and secure for
IBM clients. RCL is fast and easy to coordinate because it
does not require an onsite visit of an IBM services technician
and is the preferred alternative to the existing on-premises microcode upgrade service.
Remote code load requires a set of firewall settings to be open in the client network to
facilitate the following activities.
- Access IBM Fix Central to download code
- Access Enhanced Customer Data Repository (ECUREP) system to upload logs
- Remote dial in to complete code load
Note: This access is the same set of access requirements that is needed for normal remote
support operations.
The
following network connections between IBM and the system are required to enable support
assistance.
- esupport.ibm.com
- The esupport.ibm.com network connection is used to upload logs to the IBM Enhanced Customer Data
Repository (ECUREP). An esupport.ibm.com firewall rule is not necessary if Storage Insights is
configured because Storage Insights provides a feature to upload logs. However, an esupport.ibm.com
firewall rule is still recommended because Call Home with cloud services uses the same
port.
Note: The esupport.ibm.com network connection is fully certified to securely transmit data for
Blue Diamond (HIPPA) users and General Data Protection Regulation (GDPR) protected
users.
Use the following information to configure a firewall rule.
| Source |
Target |
Port |
Protocol |
Direction |
| The service IP address of every node or node canister. |
esupport.ibm.com |
443 |
https |
Outbound only |
If a transparent proxy service is available in the management network, then no
firewall rules are required for esupport.ibm.com. If a domain name cannot be used for configuring
firewall rules, you can use the follow IP addresses: 129.42.56.189, 129.42.54.189 and
129.42.60.189.
- FixCentral
- Software upgrade packages can be downloaded onto the system by using the FixCentral network
connection. Use the following information to configure a firewall rule.
| Source |
Target |
Port |
Protocol |
Direction |
| The service IP address of every node or node canister. |
delivery04.dhe.ibm.com |
22 |
SFTP (FTP over SSH) |
Outbound only |
If a domain name cannot be used for configuring firewall rules, you can use the follow IP
addresses: 170.225.15.105, 170.225.15.104, 170.225.15.107, 129.35.224.105, 129.35.224.104, and
129.35.224.107.
- Remote Access
- IBM can remotely connect to your system to perform maintenance actions by using remote access.
Remote access can be permanently enabled, or it can be enabled as needed.
It is recommended that
you install and configure the Remote Support Proxy service to simplify firewall configurations. One
Remote Support Proxy can be used by multiple systems and by other IBM storage products.
- With a Remote Support Proxy server
- Use the following information to configure a firewall rule after you install and configure the
Remote Support Proxy server.
-
| Source |
Target |
Port |
Protocol |
Direction |
| IP address of the Remote Proxy Server |
129.33.206.139 and 204.146.30.139 |
443 |
https |
Outbound only |
- Without a Remote Support Proxy server
- If the Remote Support Proxy server is not installed and configured, use the following
information to configure a firewall rule.
| Source |
Target |
Port |
Protocol |
Direction |
| The service IP address of every node or node canister. |
129.33.206.139 and 204.146.30.139 |
22 |
ssh |
Outbound only |