Justification of firewall/NAT rules for MERT Access

Justification of firewall/NAT rules for MERT Access

Mirapoint Emergency Response Team (MERT) is a small set of highly skilled engineers who are authorized to connect to customer systems for debugging and/or emergency repair. MERT access allows us access to the lower level operating system on the Mirapoint device. We hope it is a very rare requirement for customers to need assistance from our MERT support team.

MERT-level remote access to a Mirapoint machine is only possible when the debug-5 patch is installed. This access will not be possible if the patch is uninstalled or after the machine has rebooted (as the patch automatically disables itself), so you have control over when Synchronoss can gain remote access, should you wish it. The connection is encrypted (SSH protocol) and uses one-time passwords for authentication.

Use the following CLI commands to install debug-5 and enable MERT access to the machine:

CLI> Update Uninstall debug-5

CLI> Update Install ftp://ftp.mirapoint.com/pub/mira/debug-5

Please let the Synchronoss support engineer know the public address(es) needed to reach your Mirapoint device(s).

After debug-5 is installed, the MERT engineer will access port 10145/tcp on your Mirapoint system(s) from one of our secure servers [199.3.178.11 and 209.228.129.100]. You must configure sufficient NAT and firewall rules to allow this access.

In short, we require the following firewall/NAT rules (requires a unique public IP address for each Mirapoint device):

 From : [199.3.178.11 or 209.228.129.100]

 To : [Your machine(s)]

 Port : 10145/tcp

Alternatively, Synchronoss can connect to an intermediate machine via ssh, and from there connect to the Mirapoint Appliance. This indirect access configuration will change the firewall/NAT requirements, so we can discuss this further if required.

If you wish for your engineer to connect via a different method this may be possible with the following points understood:

• Debug-5 still needs to be installed on the system to enable the diagnostic listener on port 10145.
• Your Synchronoss engineer must be able to control the session.
• The system that your engineer takes control of must be equipped to connect to the server (an OS X terminal, a copy of Putty on Windows etc) and on a network with access to the host.
• The method must not require Synchronoss to possess any commercial software licenses (e.g. TeamViewer) unless you provide them.
• Synchronoss takes no responsibility for the security of the connection or for any loss or intrusion into your network caused by it.

When the MERT engineer has completed the work, disable the remote access by typing:

CLI  > Update Uninstall debug-5

If debug-5 is still installed from a previous occasion, you should uninstall debug-5 and re-install it again whenever MERT access is required. This is to make sure that it really is active (as it may disable itself but appear installed after a reboot).

*Note:* If "Update List" shows any other debug* patches installed, you may remove them.

Please save the above information for your future reference when working with the Synchronoss Support Team.