My favorites | English | Sign in

Faster apps faster - GWT 2.0 with Speed Tracer New!

Google Search Appliance

Remote Access for Technical Support

Google Search Appliance (GB-1001, GB 7007, and GB-9009) software version 6.0 and later
Google Search Appliance (GB-8008) software version 5.0.4
Google Mini software version 5.0.4
Posted October, 2009

Contents

  1. About This Document
  2. Remote Access Methods
    1. SupportCall
    2. Direct SSH
    3. Modem
    4. GoToAssist Direct Support
    5. Software VPN
  3. Frequently Asked Questions

About this Document

This document describes the methods Google Enterprise Support can use to connect to a Google Mini or Google Search Appliance to provide remote technical support.

Remote Access Methods

The following table lists the methods that Google supports for remote access to search appliances.

Method Description Models Support Offering
GSA Mini
SupportCall A process on the search appliance that opens a secure connection to a Google server. 4.6.4 and later 4.6.4 and later Standard Support:
Available to all customers
Direct SSH A secure shell (SSH) connection across the internet. All All Standard Support:
Available to all customers
Modem A secure connection using an analog telephone line. All All Standard Support:
Available to all customers
GoToAssist A third-party applet that allows a secure connection to a Windows PC inside the customer's private network, then uses SSH to connect to the search appliance across the customer's network. All No Collaborative Support:
Available only to Collaborative Support customers
Software VPN Software that creates a secure communications channel to the customer's private network. All No Standard Support or Collaborative Support:
Depending on the nature of the VPN software

SupportCall

SupportCall is a process on the search appliance that opens an SSH connection to a Google server.

Technical support using SupportCall is available on the Google Search Appliance and Google Mini, as part of the standard support terms. SupportCall is available on software versions 4.6.4 and later. You can initiate a SupportCall session using the Admin Console or login console.

Initiating SupportCall from the Admin Console

The Admin Console for your search appliance is accessed through port 8000.

SupportCall does not work through HTTP proxies. It must have a direct connection to port 443 to supportcall.google.com. Before you initiate a SupportCall Session from the Admin Console, you must ensure that your configuration meets the following requirements:

  • Your firewall permits connections on outbound TCP port 443 to supportcall.google.com
  • The DNS server for the search appliance can successfully resolve supportcall.google.com
  • A route is available from the search appliance to supportcall.google.com, either directly or through a proxy
  • Your firewall permits non-SSL traffic on port 443 to supportcall.google.com

To initiate a SupportCall session from the Admin Console, complete the following steps:

  1. Log in to the Admin Console on the search appliance.
  2. Access the SupportCall page.
    • On software version 6.0 and earlier, enter the following URL into the browser's location field: http://appliance-hostname:8000/EnterpriseController?actionType=supportCall
    • On software version 6.2 and later, n the left navigation pane, click  Administration -> Remote Support.

      • The Administration > Support Call page appears.

  3. Click Test to test the connectivity between the search appliance and the support call server.

    If there is a connectivity issue, an error message appears in the Call Status area. Otherwise, the following message appears: Test successful, Support Call ready.

  4. To begin the SupportCall connection, click Initiate Call.

    The Call Status area shows the ports that were forwarded, along with the following message: All connections have been started successfully. A Google Enterprise Support engineer can now connect to your search appliance.

  5. After your support request is resolved, click Stop Call to disconnect the SupportCall session.

Initiating SupportCall from the Login Console

If the Admin Console for your search appliance is unavailable, you can start a SupportCall session from the login console. This method requires that you connect a keyboard and monitor to the search appliance.

To use the login console for a SupportCall session, complete the following steps:

  1. Initiate the session by entering the following command at the login prompt: startsupportcall
  2. To get the current session status, enter the following command: supportcallstatus
  3. To end an open session, enter the following command: stopsupportcall

If you reboot your search appliance, the SupportCall session is automatically terminated.

Direct SSH

Secure Shell (SSH) provides a secure, encrypted connection through which Google Enterprise Support can access your search appliance to provide remote technical support. Technical support using a direct SSH connection across the internet is available on the Google Search Appliance and Google Mini as part of the standard support terms. Support using SSH is available in all software versions.

Note: For security reasons, the SSH port is disabled by default.

To enable SSH on a search appliance, complete the following steps:

  1. (Optional) If your search appliance is not on a public network, you can set up NAT port forwarding to map the private IP address of your search appliance to an external IP address.
  2. Ensure that your firewall allows inbound connections on TCP port 22 from the Google IP address 216.239.45.4 to the IP address of your search appliance.
  3. Enable SSH access in the Admin Console by performing the following steps:
    1. In the left navigation pane, if the search appliance is on software version 6.0 or earlier click Administration > System Settings. On software version 6.2 or later, click Administration > Remote Support.
    2. On version 6.0 or earlier, under Remote Support, select the Enable SSH for Remote Support check box. On version 6.2 or later, under SSH, select the Enable SSH for Remote Support check box
    3. Click Update System Settings.
  4. Use SSH from a computer that routes across the public internet to connect to your search appliance.

    If you receive a login prompt, the connection is successful. Otherwise, run tracepath <appliance-public-IP>/22 to find out where the connection gets blocked or dropped. The last host you see responding is the last one that let the connection through.

  5. Provide Google Enterprise Support with the IP address for your search appliance.

    If you are using NAT to map to a non-default SSH port, provide Google Enterprise Support with this information as well.

  6. When a Google Enterprise Support engineer verifies that the session has concluded, disable SSH.

    This is a security measure to ensure that no one else can connect to your search appliance.

If the Admin Console is not available, see the instructions for enabling SSH from the configuration web interface.

Modem

Technical support using a modem connection is available on the Google Search Appliance and Google Mini as part of the standard support terms. Support using a modem is available in all software versions.

You can use your own modem for remote access, or you can contact Google Enterprise Support and request that a modem be shipped to you. Google does not provide a list of supported modems.

To initiate remote technical support using a modem, complete the following steps:

  1. Plug the modem into an analog phone line, and attach it to the serial port on the search appliance.
  2. Provide Google Enterprise Support with the telephone number for the modem. SSH for remote support does not need to be enabled for modem connections.
  3. When the support session is completed, disconnect the modem from the search appliance.

To troubleshoot a modem connection, complete the following steps:

  1. Attach a telephone to the line that you are using for the modem, and then dial the number to ensure that the telephone rings.
  2. Dial the number and watch the lights on the modem.
  3. If the modem answers but a PPP connection is not enabled, try using a shorter cable to plug the modem into the telephone jack.

    Some problems can be caused by bad cables or by cables that are too long.

GoToAssist™ Direct Support

Technical support using the GoToAssist direct support method is available if you have purchased the Collaborative support package. Support using GoToAssist is available on all software versions.

To use GoToAssist direct support, an SSH client, such as PuTTY, must be installed on your Windows PC. In some cases, Google Enterprise Support also requires that an SCP client, such as WinSCP, be installed on your Windows PC to copy files.

GoToAssist uses an applet provided by Citrix GoToAssist. You can run the applet within a web browser running on a Windows PC by logging into the Google Enterprise Support web site with the username provided by Google Enterprise Support. You do not need to install special software to run a GoToAssist session because the applet is automatically run by the web browser.

Note: GoToAssist traffic is tunneled securely through GoToAssist servers. You must unblock access to these servers at your firewall. The IP addresses and ports used by GoToAssist servers are documented at http://www.citrixonline.com/iprange.

The applet sets up a secure connection between Google Enterprise Support and the Windows PC on your private network. Google Enterprise Support can then SSH from your PC to the search appliance across the private network. For instructions for enabling SSH on the search appliance, refer to Direct SSH. You can test whether or not the GoToAssist applet will work on your network with its Connection Wizard.

During the session, you can view all actions taken by Google Enterprise Support. You can end the session at any time.

Software VPN

A software Virtual Private Network (VPN) uses software supplied by your VPN vendor. To create a secure communications channel to your private network, the VPN software is installed on a Google computer. Connections using software VPN may be available with either Standard or Collaborative support, depending on the nature of the VPN software.

Before VPN remote support can be used, Google Enterprise Support must:

  1. Successfully test the VPN software.
  2. Approve it for use with the Google Search Appliance.
  3. Establish a mutually satisfactory authentication/token retrieval process with you.

Also SSH must be enabled on the search appliance for Software VPN remote access. Instructions for enabling SSH on the search appliance are covered in the Direct SSH connections section of this document.

Typically, you must provide the Google Enterprise Support engineers with access to a hosted key/token generator or provide key/token generators to Google Support Engineers, allowing access to your private network.

Back to top

Frequently Asked Questions

Q: Does Google need my password?

A: Please do not communicate your username or password to Google. A small number of Google Enterprise Support staff have the ability to obtain administrative passwords for your appliance.

Q: What information does Google need from me?

A: Google Enterprise Support must confirm your appliance ID. Your appliance ID is an identifier that you can find on the Administration > License page in the Admin Console or from the search appliance itself. Your appliance ID has one of the formats described in the following table.

Model Identifier formats Location of appliance ID label on appliance hardware
Mini MID-XXXXX
M2-XXXXXXXXXXXXX		 Depending on the model of your Google Mini, this information appears either on a white label on the lower right corner of the rear panel or on a silver label on the underside of the Google Mini chassis. The appliance ID also appears on the outside of the original shipping container.
GB-1001 GIX-XXXXX
S4-XXXXXXXXXXXXX
S5-XXXXXXXXXXXXX		 This information appears on a white label on the lower right corner of the rear panel or on a silver label on the underside of the Google Search Appliance GB-1001 chassis. The appliance ID also appears on the outside of the original shipping container.
GB-5005 or GB-8008 GEX-XXXXX
C4-XXXXXXXXXXXXX
C5-XXXXXXXXXXXXX		 Not available. Use the Administration > License page in the Admin Console to get the appliance ID.
GB-7007 T1-XXXXXXXXXXXXX or T2-XXXXXXXXXXXXX This information appears on a white label on the lower right corner of the rear panel or on a silver label on the underside of the Google Search Appliance GB-7007 chassis. The appliance ID also appears on the outside of the original shipping container.
GB-9009 U1-XXXXXXXXXXXXX  

Q: How secure is my root password?

A: The root password is a random string that is different for each search appliance. It is stored at Google in an encrypted format, and is only accessible to certain Google Enterprise Support personnel.

Q: Can you give me the root password?

A: The root password to the search appliance is not available to customers.

Q: Does Google offer disconnected support?

A: Google offers disconnected support agreements to government and military customer and some commercial customers that do not allow remote access. Please contact your salesperson for details.

Q: Does Google offer on-site visits?

A: Google Enterprise Support does not offer on-site visits, except for node replacements on Google Search Appliance GB-5005 and GB-8008 models. All other technical support that requires access to the search appliance must be performed through remote access.

Q: Can Google access information on my search appliance?

A: Google Enterprise Support personnel that are allowed access to a customer's search appliance can view documents in the index on the search appliance and can also make outbound network connections through the customer's private network. All Google Enterprise Support personnel are bound by the non-disclosure agreement that Google signed with the customer.

Q: How do you enable SSH if the Admin Console is unavailable?

A: If your Admin Console is unavailable, you can establish an SSH connection from a web server that is running on the configuration network interface on port 1111.

To enable SSH when the Admin Console is unavailable, complete the following steps:

  1. Attach a computer to the administrative network interface of your search appliance.
  2. Do one of the following actions:
    • If you have a Google Mini or Google Search Appliance GB-1001 or GB-7007, connect a computer that is configured to accept a DHCP IP address to the orange network port of your search appliance. Use the orange cable provided, or a standard cross-over cable. Your computer will be assigned an IP address in the 192.168.255/24 subnet.
    • If you have a Google Search Appliance GB-5005 or GB-8008, connect your computer to the yellow cable attached to the internal hub of the cluster. Manually assign your computer an IP address of 192.168.255.254 and a subnet mask of 255.255.255.0.
  3. In your web browser, enter the following URL:

    http://192.168.255.1:1111/enablesshd

    You are prompted with a challenge, consisting of a string of letters and numbers.

  4. Respond to the challenge with the first six characters of the string, but reverse the case of all letters when you enter the response.

    This means all upper-case letters become lower-case letters, and vice-versa.

    For example, suppose you receive the following challenge:

    xt5CS5GunQ045513Msr9XROlhJcQ==

    The correct response to this challenge is: XT5cs5

    When you are successful, you receive the following message:

    The Google Search Appliance will now allow maintenance access via SSH    .

    If you are unsuccessful, you receive a new challenge.

Q: Does Google support remote access using Webex?

A: Google does not support remote access using Webex, except for some existing customers who are exempt from this condition.

Q: Does Google support SSL VPNs?

A: Google does not support remote access using SSL VPNs, in which the SSH client is a Java applet. SSL VPNs that allow a regular SSH client, such as PuTTY, are supported. Some existing customers are exempt from this condition.

Back to top