A.05.80 HP Insight Remote Support Advanced and Remote Device Access Security Overview (October 2012)
Security Overview
Chapter 3: Remote Device Access (RDA)
HP Instant Customer Access Server (iCAS)
HP Instant Customer Access Server (iCAS) is a lightweight connection tool that allows an HP support
agent to quickly and securely connect to a customer's environment to aid in diagnosis and repair of
supported hardware devices. The customer runs the iCAS software as a browser plug-in on any
Windows or Linux desktop with Internet access and network access to the device the HP support
engineer is attempting to access. HP iCAS uses a Meet in the Middle connection paradigm to facilitate a
remote access session by establishing a tunnelled SSH session to a Remote Access Meeting Server
(RAMS). The HP engineer generates a unique connection key that is used to couple the HP Engineer and
Customer SSH connections together, creating an end-to-end SSH tunnel between the HP Support
engineer desktop and the iCAS host. Once the session key is exchanged, the session is established as
follows:
1. An HTTP connection occurs (using TCP/80) from the iCAS host to the RAMS, using the URL and session key
provided by the HP Support Engineer.
2. The customer’s SSH connection (using TCP/2022) over HTTP to the RAMS server occurs.
3. The HP engineer session sees the customer session connected to the RAMS.
4. An HTTP connection is made from HP engineer browser to the RAMS.
5. The HP engineer’s SSH connection (using TCP/2022) over HTTP to RAMS occurs.
6. The unique session key ensures that both sessions rendezvous on the RAMS and create a secure
SSH tunnel.
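On the customer side, steps 1 and 2 produce a recognizable egress pattern: a TCP/80 flow from the iCAS host to the RAMS, then a TCP/2022 flow to the same server. The Python check below is an added example, not HP code, for auditing flow logs against that pattern. The log format, the five-minute window, the function name and the RAMS address (a documentation-range placeholder) are assumptions.

```python
import csv
import io
from datetime import datetime, timedelta

HTTP_PORT, SSH_PORT = 80, 2022     # ports named in the session steps
WINDOW = timedelta(minutes=5)      # assumption: max gap between the two legs
APPROVED_RAMS = {"203.0.113.10"}   # placeholder; the page gives no RAMS address

# Constructed flow records: timestamp, source, destination, destination port.
SAMPLE_FLOWS = """\
2012-10-01T09:00:00,10.0.0.5,203.0.113.10,80
2012-10-01T09:00:04,10.0.0.5,203.0.113.10,2022
2012-10-01T09:01:00,10.0.0.7,198.51.100.20,80
2012-10-01T09:01:05,10.0.0.7,198.51.100.20,2022
2012-10-01T09:30:00,10.0.0.8,203.0.113.10,2022
2012-10-01T10:00:00,10.0.0.9,203.0.113.10,80
2012-10-01T10:20:00,10.0.0.9,203.0.113.10,2022
"""

def classify_flows(flow_csv, approved=APPROVED_RAMS, window=WINDOW):
    """Split TCP/2022 flows into expected iCAS sessions and flows to review."""
    last_http = {}                 # (src, dst) -> time of latest TCP/80 flow
    expected, review = [], []
    rows = sorted((r for r in csv.reader(io.StringIO(flow_csv)) if r),
                  key=lambda r: r[0])
    for ts, src, dst, port in rows:
        when, port = datetime.fromisoformat(ts), int(port)
        if port == HTTP_PORT:
            last_http[(src, dst)] = when
        elif port == SSH_PORT:
            seen = last_http.get((src, dst))
            in_sequence = seen is not None and when - seen <= window
            if dst not in approved:
                review.append((src, dst, ts, "unapproved destination"))
            elif not in_sequence:
                review.append((src, dst, ts, "no TCP/80 flow within window"))
            else:
                expected.append((src, dst, ts))
    return expected, review

if __name__ == "__main__":
    ok, flagged = classify_flows(SAMPLE_FLOWS)
    for item in ok:
        print("expected:", item)
    for item in flagged:
        print("review:  ", item)
```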
From this point the HP Engineer can request access to the affected system in the customer network by
tunneling through the SSH tunnel to the target device inside the customer network. The customer must