
Cisco Email Security Appliance

Content Security Techsupport Tunnel FAQ

Document ID: 117873

Updated: Jul 03, 2014

Contributed by Chris Haag, Cisco TAC Engineer.


Introduction

This document provides answers to frequently asked questions about the use of Techsupport Tunnels on Cisco Content Security appliances.

Prerequisites

Requirements

Cisco recommends that you have knowledge of these topics:

  • Cisco Email Security Appliance (ESA)
  • Cisco Web Security Appliance (WSA)
  • Cisco Security Management Appliance (SMA)
  • AsyncOS

Components Used

The information in this document is based on the Cisco Content Security appliances that run any version of AsyncOS.

The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.

What are Techsupport Tunnels?

Techsupport tunnels are Secure Shell (SSH) connections that are created from a Cisco Content Security appliance to a bastion host at Cisco Content Security headquarters. Tunnels allow Cisco Customer Support and Applications Engineers to analyze a system and make repairs.

How do Techsupport Tunnels work?

The appliance initiates the tunnel outbound, so no inbound firewall rule is needed and the Techsupport Tunnel works through most firewalls without modification. When the tunnel connection initiates, the appliance makes an SSH connection from a random high source port to the specified port on one of these Cisco secured servers:

  • 63.251.108.107 - for older AsyncOS builds
  • upgrades.ironport.com - for older AsyncOS builds
  • c.tunnels.ironport.com - for C-Series appliances/ESA
  • x.tunnels.ironport.com - for X-Series appliances/ESA
  • m.tunnels.ironport.com - for M-Series appliances/SMA
  • s.tunnels.ironport.com - for S-Series appliances/WSA 

The ports that are available on the Cisco secured-tunnel servers are 22, 25, 53, 80, 443, and 4766. Except on the older builds that connect to the hard-coded address above, the connection is made to a hostname rather than an IP address, so working Domain Name System (DNS) resolution on the appliance is required in order to establish the tunnel.

Because the SSH session arrives on a port normally associated with another protocol, some protocol-aware devices block the connection due to the protocol/port mismatch, and some Simple Mail Transfer Protocol (SMTP)-aware devices interrupt the connection on port 25. When such a device is in the path, or when outbound connections on the default port are blocked, the use of a port other than the default (25) might be required. Access to the remote end of the tunnel is restricted to Cisco Customer Support and Applications Engineers.

Note: When a Cisco Support or Applications Engineer is connected to the tunnel, the system prompt on the appliance includes (SERVICE).

Tip: An enabled tunnel automatically attempts to reestablish itself after a network outage or an appliance reboot; it stays enabled until you disable it.

How do I establish a Techsupport Tunnel?

In order to establish a Techsupport Tunnel connection via the appliance CLI as an admin user, complete these steps:

  1. Enter the techsupport command.

  2. Choose Tunnel.

  3. Complete the prompts.

Note: When you enable a tunnel, you must enter a temporary password and provide it to the Cisco Customer Support Engineer. This password is not used directly; the appliance uses it in order to generate a machine-specific password.

In order to establish a tunnel from the appliance admin GUI, complete these steps:

  1. Navigate to System Administration > Remote Access.

  2. Ensure that you check both the Allow remote access to this appliance and Initiate connection via secure tunnel check boxes.

  3. Submit the form.

Your firewall must allow outbound connections from the appliance to the tunnel server it uses (one of the tunnels.ironport.com hosts listed above, or upgrades.ironport.com on older AsyncOS builds). If your firewall has SMTP protocol inspection enabled, the tunnel does not establish on the default port. In these situations, you must specify an alternative port. Choose the most suitable port from this list:

  • 22
  • 53
  • 80
  • 443
  • 4766

Note: Port 25 is used as the default destination port.

Tip: In order to disable the tunnel when it is no longer required, enter the techsupport command and choose Disable.

How can I test the Techsupport Tunnel for connectivity?

Use this example in order to perform an initial test for connectivity through your firewall. A successful test returns the SSH identification banner on the first line even though the destination port is 25; that confirms the path is open and that no device in between has taken over the session. If the connection times out, is reset, or returns anything other than an SSH banner (for example an SMTP 220 greeting from an inspecting device), repeat the test with one of the alternative ports:

example.run> telnet upgrades.ironport.com 25
Trying 63.251.108.107...
Connected to upgrades.ironport.com.
Escape character is '^]'.
SSH-1.99-OpenSSH_3.5p1 FreeBSD-200309
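The telnet test above only checks one port and hangs when a firewall silently drops the connection. The script below is an added example, not part of the Cisco document: it repeats the same check against every candidate port from the "How do Techsupport Tunnels work?" section, reads the first line the far end sends, and tells apart the three outcomes that section describes (the SSH server answered, an SMTP-aware device answered in its place, or the connection was dropped or refused). The tunnel host names and ports are taken from the document; the function names, the status labels and the local fake servers used for the offline self-test are this example's own assumptions.

```python
"""Probe the tunnel servers the way the telnet test does, on every candidate
port, and classify what answers.

Added example, not from the Cisco document. TUNNEL_HOSTS and TUNNEL_PORTS
come from the document; function names, status labels and the local fake
servers for the offline self-test are this example's assumptions.
"""
import socket
import threading

TUNNEL_HOSTS = {                          # tunnel servers listed in the document
    "ESA (C-Series)": "c.tunnels.ironport.com",
    "ESA (X-Series)": "x.tunnels.ironport.com",
    "SMA (M-Series)": "m.tunnels.ironport.com",
    "WSA (S-Series)": "s.tunnels.ironport.com",
}
TUNNEL_PORTS = (25, 22, 53, 80, 443, 4766)   # 25 is the appliance default


def parse_ssh_banner(line: bytes):
    """Split an SSH identification string into protocol, software, comment.

    b"SSH-1.99-OpenSSH_3.5p1 FreeBSD-200309" -> protocol "1.99", software
    "OpenSSH_3.5p1", comment "FreeBSD-200309". None if not an SSH banner.
    """
    text = line.strip().decode("ascii", "replace")
    head, _, comment = text.partition(" ")
    parts = head.split("-", 2)            # ["SSH", protoversion, softwareversion]
    if len(parts) != 3 or parts[0] != "SSH":
        return None
    return {"protocol": parts[1], "software": parts[2], "comment": comment}


def classify_response(first_line: bytes) -> str:
    """Name what answered at the far end of the TCP connection."""
    if parse_ssh_banner(first_line):
        return "ssh"          # the tunnel server itself: this port will work
    if first_line.startswith(b"220"):
        return "smtp-proxy"   # an SMTP-aware device answered in its place
    if not first_line.strip():
        return "no-banner"    # TCP connected but nothing came back
    return "unknown"


def probe(host: str, port: int, timeout: float = 5.0) -> dict:
    """Connect, read the first line and classify it (the telnet test, but a
    dropped, refused or reset connection is recorded instead of hanging)."""
    result = {"host": host, "port": port, "status": "", "banner": None}
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.settimeout(timeout)
            first = sock.makefile("rb").readline(255)
    except socket.timeout:
        result["status"] = "timeout"      # silently dropped, or banner held back
        return result
    except OSError as exc:                # refused, reset, unreachable, DNS failure
        result["status"] = "error: " + (exc.strerror or str(exc))
        return result
    result["banner"] = first.strip().decode("ascii", "replace")
    result["status"] = classify_response(first)
    return result


def scan(host: str, ports=TUNNEL_PORTS, timeout: float = 5.0) -> list:
    """Try the ports in the document's order; stop at the first one that
    reaches the SSH server, since that is the port to give the appliance."""
    results = []
    for port in ports:
        results.append(probe(host, port, timeout))
        if results[-1]["status"] == "ssh":
            break
    return results


def serve_banner_once(banner: bytes) -> int:
    """Constructed local stand-in for the offline self-test: an SSH banner
    plays the real tunnel server, a "220" greeting plays an SMTP-aware
    middlebox answering in its place. Returns the ephemeral listening port."""
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)

    def handle():
        conn, _ = listener.accept()
        with conn:
            conn.sendall(banner)
        listener.close()

    threading.Thread(target=handle, daemon=True).start()
    return listener.getsockname()[1]


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else TUNNEL_HOSTS["ESA (C-Series)"]
    for r in scan(target):
        print("%s:%-5d %-10s %s" % (r["host"], r["port"], r["status"], r["banner"] or ""))
```

Run it from a host on the same network segment as the appliance, with the tunnel host for your appliance model as the argument; the first port that reports "ssh" is the one to enter in the techsupport tunnel prompts or the Remote Access page. A "smtp-proxy" result on port 25 is the SMTP-inspection case the document describes, and "timeout" on every port means the firewall is dropping the outbound connection rather than inspecting it.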