A.05.70 HP Insight Remote Support Advanced and Remote Device Access Security Overview (October 2011, 5900-1735)
Figure 3-1 Virtual CAS
3.5 HP Instant Customer Access Server (iCAS)
HP Instant Customer Access Server (iCAS) is a lightweight connection tool that allows an HP support agent
to quickly and securely connect to a customer's environment to aid in diagnosis and repair of supported
hardware devices. The customer runs the iCAS software as a browser plug-in on any Windows or Linux
desktop with Internet access and network access to the device the HP support engineer is attempting to
access. HP iCAS uses a Meet in the Middle connection paradigm to facilitate a remote access session by
establishing a tunnelled SSH session to a Remote Access Meeting Server (RAMS). The HP engineer generates
a unique connection key that is used to couple the HP Engineer and Customer SSH connections together,
creating an end-to-end SSH tunnel between the HP Support engineer desktop and the iCAS host. Once the
session key is exchanged, the session is established as follows:
1. An HTTP connection occurs (using TCP/80) from the iCAS host to the RAMS using the URL and session key
provided by the HP Support Engineer.
2. The customer’s SSH connection (using TCP/2022) over HTTP to the RAMS server occurs.
3. The HP engineer session sees the customer session connected to the RAMS.
4. An HTTP connection is made from HP engineer browser to the RAMS.
5. The HP engineer’s SSH connection (using TCP/2022) over HTTP to RAMS occurs.
6. The unique session key ensures that both sessions rendezvous on the RAMS and create a secure SSH
tunnel.
From this point the HP Engineer can request access to the affected system in the customer network by tunneling
through the SSH tunnel to the target device inside the customer network. The customer must specifically grant
access and provide the access credentials to the HP engineer before the connection to the target device can
be established.
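The port sequence in steps 1 and 2 gives the customer's network team something to verify at the egress firewall. The following Python code is an added example, not part of the HP document or of HP's software: it pairs each outbound TCP/2022 flow with a preceding TCP/80 flow to the same server and flags sessions that come from unapproved desktops or go to unexpected servers. The flow-record format, the addresses, the approved lists and the five-minute window are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta

# Assumptions (not from the HP document): RAMS address, approved desktops, log format.
APPROVED_RAMS = {"192.0.2.10"}   # placeholder RAMS address (documentation range)
APPROVED_HOSTS = {"10.1.5.20"}   # desktops permitted to run iCAS
WINDOW = timedelta(minutes=5)    # max gap between step 1 (TCP/80) and step 2 (TCP/2022)

# Constructed sample egress flow records: "timestamp src dst dport"
SAMPLE_FLOWS = """\
2011-10-03T09:00:01 10.1.5.20 192.0.2.10 80
2011-10-03T09:00:04 10.1.5.20 192.0.2.10 2022
2011-10-03T09:10:00 10.1.7.33 192.0.2.10 80
2011-10-03T09:10:02 10.1.7.33 192.0.2.10 2022
2011-10-03T09:20:00 10.1.5.20 198.51.100.7 80
2011-10-03T09:20:03 10.1.5.20 198.51.100.7 2022
2011-10-03T09:30:00 10.1.9.9 192.0.2.10 80
2011-10-03T10:30:00 10.1.9.9 192.0.2.10 2022
"""

def parse(text):
    """Yield (time, src, dst, dport) tuples from whitespace-separated records."""
    for line in text.splitlines():
        if line.strip():
            ts, src, dst, dport = line.split()
            yield datetime.fromisoformat(ts), src, dst, int(dport)

def find_sessions(flows_text):
    """Pair each TCP/2022 flow with a preceding TCP/80 flow from the same
    source to the same destination, then classify the resulting session."""
    last_http = {}   # (src, dst) -> time of the most recent TCP/80 flow
    findings = []
    for ts, src, dst, dport in sorted(parse(flows_text)):
        if dport == 80:
            last_http[(src, dst)] = ts
        elif dport == 2022:
            seen = last_http.get((src, dst))
            if seen is None or ts - seen > WINDOW:
                verdict = "2022-without-http-setup"    # does not follow step 1
            elif dst not in APPROVED_RAMS:
                verdict = "unknown-rendezvous-server"  # not the expected RAMS
            elif src not in APPROVED_HOSTS:
                verdict = "unapproved-host"            # iCAS run from an unexpected desktop
            else:
                verdict = "ok"
            findings.append((src, dst, verdict))
    return findings

if __name__ == "__main__":
    for finding in find_sessions(SAMPLE_FLOWS):
        print(*finding)
```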