62614: Providing Remote Access to Acronis Cyber Infrastructure


Last update: 08-02-2021

In order to troubleshoot issues with Acronis Cyber Infrastructure, Support Engineers may need remote access to your Acronis Cyber Infrastructure environment.

Please keep in mind that for all the interfaces listed below you need to whitelist only the Acronis IP addresses listed in this article or specified by Acronis Support Engineers. Any port might be exploited by an external third party unless access is limited only to whitelisted IP addresses.

There are three methods for accessing Acronis Cyber Infrastructure remotely:

Method 1: Via the admin panel

https://<management_node_IP_address>:8888

This panel allows you to manage and monitor your cluster as well as set up SSH connections to it.

In order to let Acronis Support Engineers access the admin panel remotely, make sure that the TCP port 8888 is open for the management node IP address or virtual HA IP address.

We recommend that you create a separate admin panel account for Acronis Support Engineers (“acronis_support”) with administrator rights. Navigate to Settings > Users or Settings > Projects and users > Default (depending on ACI/SDI version), click Add User and select the System Administrator role with System permission set - Full for the new account. Paste the account password into a text file, pack this file into an encrypted ZIP archive using your support case number as a password, and send the archive to Acronis Support Engineers by email. 

This method works with any Acronis Cyber Infrastructure installation.

Method 2: Via SSH

SSH access is required for troubleshooting and log analysis. It is essential for resolving issues with Acronis Cyber Infrastructure.

You will need to whitelist Acronis IP addresses for accessing the management node IP address on TCP port 22 (or the custom port that you use) and add OpenSSH public keys sent by Acronis Support Engineers on the Settings > Security screen as pictured below.

If you need to provide the root credentials for your cluster, please do that by means of an encrypted ZIP archive (see Method 1).

This method works with any Acronis Cyber Infrastructure installation.

Method 3: Via IPMI

IPMI (Intelligent Platform Management Interface) is used for remote hardware management. Access to this interface is required for troubleshooting any potential hardware issues with the Acronis Cyber Appliance. In this case, Acronis Support Engineers will need access to the IPMI of each appliance node. Please make sure that RJ45 patch cables are connected to the IPMI ports of your appliance as per the Appliance Quick Start Guide. This is mandatory.

You can hide the IPMI IP addresses behind NAT, but you must open the following ports for IPMI to work properly:

TCP ports:
Web port: 80
Web SSL Port: 443
WebUI for Self-Service Portal Port: 8800
IKVM Server port: 5900
Virtual Media Port: 623
SSH port: 22

UDP ports:
Remote IPMI management: 623 (immutable)

The IPMI and admin panel do not communicate with each other. Therefore you must create IPMI users separately from admin panel users. We recommend that you create a separate IPMI account for Acronis Support Engineers (“acronis_support”) via the IPMI WebUI by navigating to Configuration > Users and clicking any of the reserved lines. This operation must be repeated for each node of the appliance. Please send the account password in an encrypted ZIP archive as described in Method 1.

This method only works with Acronis Cyber Appliance.

Closing remote access after troubleshooting

After the troubleshooting is over and all the issues are resolved, disable the remote access and remove the accounts created for Acronis Support Engineers:

a. In the admin panel, navigate to Settings > Users and remove the acronis_support account 

b. In the admin panel, navigate to Settings > Security > SSH and remove the SSH keys, as described in the documentation

c. In IPMI WebUI of each node, navigate to Configuration > Users and remove the acronis_support account 

d. Close all ports described above

Performing all of these steps will minimize potential breach risks.
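One way to check both the whitelisting requirement and step d, as an added example that is not part of the original article or Acronis tooling: the script audits an exported list of perimeter firewall rules and reports every allow rule that exposes one of the ports named above to a source outside the allowlist. The rule format, the function name `audit_rules` and the sample addresses (RFC 5737 documentation ranges standing in for the real Acronis IP addresses) are assumptions, and the rules are assumed to be those that target the management node and IPMI addresses.

```python
import ipaddress

# Ports named in this article: admin panel (8888), SSH (22) and the IPMI services.
SUPPORT_PORTS = {
    "tcp": {8888, 22, 80, 443, 8800, 5900, 623},
    "udp": {623},
}


def audit_rules(rules, allowed_sources):
    """Return (rule, reason) pairs for allow rules that expose a support port
    to a source not fully contained in allowed_sources.

    Pass an empty allowed_sources after troubleshooting is over: every
    remaining allow rule for a support port is then reported.
    """
    allowed = [ipaddress.ip_network(cidr) for cidr in allowed_sources]
    findings = []
    for rule in rules:
        if rule["action"] != "allow":
            continue
        if rule["port"] not in SUPPORT_PORTS.get(rule["proto"], set()):
            continue
        src = ipaddress.ip_network(rule["source"])
        # subnet_of() raises on mixed IPv4/IPv6, so compare versions first.
        covered = any(src.version == net.version and src.subnet_of(net)
                      for net in allowed)
        if not covered:
            reason = ("open to any address" if src.prefixlen == 0
                      else "source not in allowlist")
            findings.append((rule, reason))
    return findings


# Constructed sample data (hypothetical rule export, placeholder addresses).
ALLOWLIST = ["203.0.113.0/28"]
SAMPLE_RULES = [
    {"action": "allow", "proto": "tcp", "port": 8888, "source": "203.0.113.0/28"},
    {"action": "allow", "proto": "tcp", "port": 22, "source": "0.0.0.0/0"},
    {"action": "allow", "proto": "udp", "port": 623, "source": "198.51.100.7/32"},
    {"action": "allow", "proto": "tcp", "port": 5900, "source": "203.0.113.5/32"},
    {"action": "allow", "proto": "udp", "port": 8888, "source": "0.0.0.0/0"},
    {"action": "deny", "proto": "tcp", "port": 443, "source": "0.0.0.0/0"},
]

if __name__ == "__main__":
    for rule, reason in audit_rules(SAMPLE_RULES, ALLOWLIST):
        print(f'{rule["proto"]}/{rule["port"]} from {rule["source"]}: {reason}')
```

Run it with the real allowlist while support access is open, and again with an empty allowlist after step d to confirm that no rule for these ports remains.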
