Search
Clear search
Close search
Google apps
Main menu
true

Remote access methods for technical support

Google Search Appliance (G100 and G500) software version 7.0 and later
Updated June 2016



This document describes the methods Google Cloud Support can use to connect to a Google Search Appliance to provide remote technical support.

The following tables list the methods that Google supports for remote access to search appliances.

Remote Access Methods for Standard Support and Premium Support

Method Description Model Software Version
SupportCall A process on the search appliance that opens a secure connection to a Google server. All 4.6.4 and later
Direct SSH A secure shell (SSH) connection across the internet. All All
Software VPN Software that creates a secure communications channel to the customer's private network. Google Search Appliance only All

Remote Access Methods for Customers who have Purchased Collaborative Support

Method Description Model Software Version
GoToAssist A third-party applet that allows a secure connection to a Windows PC inside the customer's private network, then uses SSH to connect to the search appliance across the customer's network. Google Search Appliance only All

SupportCall

SupportCall is a process on the search appliance that opens an SSH connection to a Google server.

Technical support using SupportCall is available on the Google Search Appliance, as part of the standard support terms. SupportCall is available on software versions 4.6.4 and later. You can initiate a SupportCall session using the Admin Console or login console.

Initiating SupportCall from the Admin Console

The Admin Console for your search appliance is accessed through port 8000.

By default, SupportCall connects to port 443 of host supportcall.google.com, but it is also possible to configure a proxy if direct access to the host is not possible. The following two sections provide instructions for both ways to configure a SupportCall.

SupportCall Using a Direct Connection

This section applies to SupportCall sessions that make a direct connection to port 443 of the host supportcall.google.com.

If your search appliance is running a software version earlier than 6.2, you must ensure that your configuration meets the following requirements for making a direct connection to supportcall.google.com:

If your search appliance is running software version 6.2 or later, the configuration must meet the following requirements:

  • Ensure that connectivity is possible between the search appliance and port 443 on supportcall.google.com.

  • If the search appliance is unable to resolve supportcall.google.com, you can override the DNS entry and specify the IP address of supportcall.google.com by using the DNS Override tab of the Admin Console (Google Search Appliance > Administration > System Settings).

  • Your firewall permits non-SSL traffic to port 443 on supportcall.google.com.

To initiate a SupportCall session from the Admin Console to port 443 on supportcall.google.com:

  1. Log in to the Admin Console on the search appliance.

  2. Access the SupportCall page.

    The Administration > Support Call page appears.

    • On software version 6.0 and earlier, enter the following URL into the browser's location field:
      http://appliance-hostname:8000/EnterpriseController?actionType=supportCall

    • On software version 6.2 and later, in the left navigation pane, click Administration -> Remote Support.

  3. Click Test to test the connectivity between the search appliance and the support call server.

    If there is a connectivity issue, an error message appears in the Call Status area. Otherwise, the following message appears: Test successful, Support Call ready.

  4. To begin the SupportCall connection, click Initiate Call.
  5. On recent versions, a confirmation dialog will appear to explain how Support Call works. Review it and click OK.
  6. The Call Status area shows the ports that were forwarded, along with the following message: All connections have been started successfully. A Google Cloud Support engineer can now connect to your search appliance.
  7. After your support request is resolved, click Stop Call to disconnect the SupportCall session.
SupportCall Using a Proxy

Before you initiate a SupportCall session from the Admin Console using a proxy, you must ensure that your configuration meets the following requirements:

  • The search appliance is running software version 6.2 or later.

  • You know the host name and port number of the proxy.

  • If credentials are required to authenticate with the proxy, you know the required user name and password.

  • DNS resolution for supportcall.google.com is not required on the search appliance itself but the proxy needs to be able to resolve the host.

  • Your installation uses one of the following proxies:
    • Gauntlet
    • CacheFlow
    • JunkBuster
    • Squid
    • Apache's mod_proxy

To initial a SupportCall session from the Admin Console using a proxy:

  1. Log in to the Admin Console on the search appliance.

  2. Click Administration -> Remote Support.

    The Administration > Support Call page appears.

  3. Click Change Settings.

  4. Type the host name of the proxy in the Host field.

  5. Type the port number of the proxy in the Port Number field.

  6. Optionally, to prevent the connection from being broken, click Enable Connection KeepAlive. This causes a keepAlive signal to be sent every 60 seconds.

  7. If the proxy requires user credentials for authentication, type the user name and password.

  8. Click Save.

  9. Click Test to test the connectivity between the search appliance and the support call server.

    If there is a connectivity issue, an error message appears in the Call Status area. Otherwise, the following message appears: Test successful, Support Call ready.

  10. To begin the SupportCall connection, click Initiate Call.

    The Call Status area shows the ports that were forwarded, along with the following message: All connections have been started successfully. A Google Cloud Support engineer can now connect to your search appliance.

  11. After your support request is resolved, click Stop Call to disconnect the SupportCall session.

Using Support Call when the Admin Console is Unresponsive

If the Admin Console becomes unresponsive or times out, you can try to start or stop a SupportCall session using direct links. The direct links do not work under all circumstances. For example, if the Admin Console is down completely, the direct links do not work. If the Admin Console is less responsive than usual because the search appliance is overloaded, the direct links might work.

If you are running version 7.2 or later, the new Admin Console does not support this feature. Start a Support Call from the local console or Version Manager instead.

Use these directions if your search appliance runs software version 6.2 through 7.0:

  • To start a SupportCall session, enter the following URL in your browser's address bar:

    http://appliance_ip_or_hostname:8000/EnterpriseController?actionType=remoteSupport&startCall=Initiate+Call

  • To stop a SupportCall session, enter the following URL in your browser's address bar:

    http://appliance_ip_or_hostname:8000/EnterpriseController?actionType=remoteSupport&stopCall=Stop+Call

Use these directions if your search appliance runs software versions before 6.2:

  • To start a SupportCall session, enter the following URL in your browser's address bar:

    http://appliance_ip_or_hostname:8000/EnterpriseController?actionType=supportCall&startCall=Initiate+Call

  • To stop a SupportCall session, enter the following URL in your browser's address bar:

    http://appliance_ip_or_hostname:8000/EnterpriseController?actionType=supportCall&stopCall=Stop+Call

Initiating SupportCall from the Login Console

If the Admin Console for your search appliance is unavailable, you can start a SupportCall session from the login console. This method requires that you connect a keyboard and monitor to the search appliance.

To use the login console for a SupportCall session, complete the following steps:

  1. Initiate the session by entering the following command at the login prompt: startsupportcall

  2. To get the current session status, enter the following command: supportcallstatus

  3. To end an open session, enter the following command: stopsupportcall

If you reboot your search appliance, the SupportCall session is automatically terminated.

Initiating SupportCall from Version Manager

If your search appliance runs software version 6.4 or later and the Admin Console is unavailable, you can start a SupportCall session from Version Manager. This feature is available for the G100, G500, GB-1001, GB-7007, and GB-9009 only. It is not available on the Google Search Appliance models GB-5005 or GB-8008.

If you are running version 7.2 or later:

  1. Login to the Version Manager at the normal URL: http://your_Appliance_ip_or_hostname:9941/ or, for a secure connection, https://your_Appliance_ip_or_hostname:9942/
  2. In the left-hand navigation menu, click "Remote Support".
  3. Click "Initiate Call" to initiate the Support Call. Note that if your system requires a proxy to access supportcall.google.com, and it has not been previously set up, you will not be able to configure it from here.
  4. A confirmation dialog will appear to explain how Support Call works. Review it and click OK.
  5. The Call Status area shows the ports that were forwarded, along with the following message: All connections have been started successfully. A Google Cloud Support engineer can now connect to your search appliance.
  6. After your support request is resolved, click Stop Call to disconnect the SupportCall session.

If you are running any version from 6.4 through 7.0, perform the following steps to use Version Manager for a SupportCall session:

  1. Login in to Version Manager at one of these URLs: http://your_Appliance_ip_or_hostname:9941/vmverbose or, for a secure connection, https://your_Appliance_ip_or_hostname:9942/vmverbose

  2. Click Enable SupportCall.

  3. Confirm that you want to start a SupportCall session by clicking the appropriate button. A status update is displayed.

  4. Log in to Version Manager again and verify that an open connection is available.

Initiating SupportCall from WebConfig

If your search appliance runs software version 6.4 or later and the Admin Console is unavailable, you can start a SupportCall session from WebConfig. This feature is available for the GB-1001, GB-7007, and GB-9009 only. It is not available on the Google Search Appliance models GB-5005 or GB-8008.

To use WebConfig to initiate a SupportCall session, complete the following steps:

  1. Attach a computer to the administrative network interface card of your search appliance. You can use the orange cable that came with the search appliance or a standard crossover cable. The computer must be configured to accept a DHCP IP address. Your computer is assigned an IP address in the 192.168.255/24 subnet.

  2. In a web browser running on the computer attached to the search appliance, enter the following URL:

    http://192.168.255.1:1111/enablesupportcall

    You are prompted with a challenge that consists of a string of letters and numbers.

  3. Respond to the challenge with the first six characters of the string, but reverse the case of all letters when you enter the response. All upper-case letters become lower-case letters and all lower-case letters become upper-case letters.

    For example, suppose you receive the following challenge:

    xt5CS5GunQ045513Msr9XROlhJcQ==

    The correct response to this challenge is:

    XT5cs5

    When you are successful, you receive the following message: The appliance will now allow Remote Access access via SupportCall. If you are unsuccessful, you receive a new challenge.

  4. To stop the SupportCall session, enter the following URL in the browser on the computer attached to the search appliance:

    http://192.168.255.1:1111/disablesupportcall


Direct SSH

Secure Shell (SSH) provides a secure, encrypted connection through which Google Cloud Support can access your search appliance to provide remote technical support. Technical support using a direct SSH connection across the internet is available on the Google Search Appliance as part of the standard support terms. Support using SSH is available in all software versions.

Note: For security reasons, the SSH port is disabled by default.

To enable SSH on a search appliance, complete the following steps:

  1. (Optional) If your search appliance is not on a public network, you can set up NAT port forwarding to map the private IP address of your search appliance to an external IP address.

  2. Ensure that your firewall allows inbound connections on TCP port 22 from the Google IP address 216.239.45.4 to the IP address of your search appliance.

  3. Enable SSH access in the Admin Console by performing the following steps:

    1. In the left navigation pane, if the search appliance is on software version 6.0 or earlier click Administration > System Settings. On software version 6.2 or later, click Administration > Remote Support.

    2. On version 6.0 or earlier, under Remote Support, select the Enable SSH for Remote Support check box. On version 6.2 or later, under SSH, select the Enable SSH for Remote Support check box

    3. Click Update.

  4. Use SSH from a computer that routes across the public internet to connect to your search appliance.

    If you receive a login prompt, the connection is successful. Otherwise, run tracepath <appliance-public-IP>/22 to find out where the connection gets blocked or dropped. The last host you see responding is the last one that let the connection through.

  5. Provide Google Cloud Support with the IP address for your search appliance.

    If you are using NAT to map to a non-default SSH port, provide Google Cloud Support with this information as well.

  6. When a Google Cloud Support engineer verifies that the session has concluded, disable SSH.

    This is a security measure to ensure that no one else can connect to your search appliance.

If the Admin Console is not available, see the instructions for enabling SSH from the configuration web interface.


GoToAssist™ Direct Support

Technical support using the GoToAssist direct support method is available if you have purchased the Collaborative support package. Support using GoToAssist is available on all software versions.

To use GoToAssist direct support, an SSH client, such as PuTTY, must be installed on your Windows PC. In some cases, Google Cloud Support also requires that an SCP client, such as WinSCP, be installed on your Windows PC to copy files.

GoToAssist uses an applet provided by Citrix GoToAssist. You can run the applet within a web browser running on a Windows PC by logging into the Google Cloud Support web site with the username provided by Google Cloud Support. You do not need to install special software to run a GoToAssist session because the applet is automatically run by the web browser.

Note: GoToAssist traffic is tunneled securely through GoToAssist servers. You must unblock access to these servers at your firewall. The IP addresses and ports used by GoToAssist servers are documented at http://www.citrixonline.com/iprange.

The applet sets up a secure connection between Google Cloud Support and the Windows PC on your private network. Google Cloud Support can then SSH from your PC to the search appliance across the private network. For instructions for enabling SSH on the search appliance, refer to Direct SSH. You can test whether or not the GoToAssist applet will work on your network with its Connection Wizard.

During the session, you can view all actions taken by Google Cloud Support. You can end the session at any time.


Software VPN

A software Virtual Private Network (VPN) uses software supplied by your VPN vendor. To create a secure communications channel to your private network, a VPN client may be installed onto a Google computer. Connections using software VPN may be available with either Standard or Collaborative support, depending on the amount of work required by Google to use the VPN.

To qualify for Standard support, a VPN must allow the following.

  1. Initiation of a connection from within Google's internal network
  2. SSH connection to the appliance
  3. Ports tunneling
  4. File transfer

Before VPN remote support can be used, Google Cloud Support must perform the following tasks.

  1. Successfully test the VPN software.
  2. Approve the VPN software for use with the Google Search Appliance.
  3. Establish and document a mutually satisfactory authentication or token retrieval process with you.

Google supports the following authentication methods for software VPNs.

  1. A single user ID and password for the whole Google Technical Support team or a user ID and password for each Google Technical Support Engineer.
  2. A 24/7 phone number that Google Technical Support Engineers can call for an authentication token.
  3. A one-time authentication token submitted with the support case.
  4. A Web site that Google Technical Support Engineers can obtain an authentication token by providing a user ID and password.
  5. A software token generator that Google Technical Support Engineers can install on their PC.
  6. Hardware token generators for five locations (US West, US Central, Japan, India, Switzerland) or for each Google Technical Support Engineer.

To start the approval process, open a case with Google Cloud Support.

IPSec Vitual Private Networks

For IPSec VPNs, Google only supports clients running on Windows 7, 64-bit Operating system. Please provide the following information to Google.

  1. Type and version of client software. You will need to provide the client software to Google, unless one of the following can be used:

    • Cisco Systems VPN Client Version 5.0.07.0240

  2. Connection profile for configuring the client.

  3. Details of how authentication or token retrieval will occur.

SSL Virtual Private Networks

For security reasons, Google does not permit SSL VPNs that use Java applets that run within the web browser. We do permit standalone Java applications that run from the desktop.

For SSL VPNs, please provide the following information to Google:

  1. URL of web site.
  2. Step-by-step instructions for login.
  3. Details of how authentication or token retrieval will occur.

Conditions Requiring Approval

Google's support manager will need to approve any of the following requirements, if needed:

  • Additional software such as specific anti-virus software.
  • Limitations on which Google support engineers can access the VPN, such as US citizens or named support persons only.
  • Additional agreements or documentation requirements relating to VPN access, beyond the purchase contract for the search appliance.

SSH must be enabled on the search appliance for Software VPN remote access. Instructions for enabling SSH on the search appliance are covered in the Step 3 of the Direct SSH connections section of this document.


Frequently Asked Questions

Q: Does Google need my password?

A: Please do not communicate your username or password to Google. A small number of Google Cloud Support staff have the ability to obtain administrative passwords for your appliance.

Q: What information does Google need from me?

A: Google Cloud Support must confirm your appliance ID. Your appliance ID is an identifier that you can find on the Administration > License page in the Admin Console or from the search appliance itself. Your appliance ID has one of the formats described in the following table.

Model Identifier formats Location of appliance ID label on appliance hardware
G100 storage unit T4-XXXXXXXXXXXXX or T5-XXXXXXXXXXXXX This information appears on a white label on the left, right sides and top left side of the front panel or on a silver label (if present) of the Google Search Appliance G100 storage unit chassis. The appliance ID also appears on the outside of the original shipping container.
G500 storage unit U3-XXXXXXXXXXXXX or U4-XXXXXXXXXXXXX This information appears on a white label on the left, right sides and top left side of the front panel or on a silver label (if present) of the Google Search Appliance G500 storage unit chassis. The appliance ID also appears on the outside of the original shipping container.

Q: How secure is my root password?

A: The root password is a random string that is different for each search appliance. It is stored at Google in an encrypted format, and is only accessible to certain Google Cloud Support personnel.

Q: Can you give me the root password?

A: The root password to the search appliance is not available to customers.

Q: Does Google offer disconnected support?

A: Google offers disconnected support agreements to government and military customer and some commercial customers that do not allow remote access. Please contact your salesperson for details.

Q: Does Google offer on-site visits?

A: Google Cloud Support does not offer on-site visits. All other technical support that requires access to the search appliance must be performed through remote access.

Q: Can Google access information on my search appliance?

A: Google Cloud Support personnel that are allowed access to a customer's search appliance can view documents in the index on the search appliance and can also make outbound network connections through the customer's private network. All Google Cloud Support personnel are bound by the non-disclosure agreement that Google signed with the customer.

Q: How do you enable SSH if the Admin Console is unavailable?

A: If your Admin Console is unavailable, you can establish an SSH connection from a web server that is running on the configuration network interface on port 1111.

To enable SSH when the Admin Console is unavailable, complete the following steps:

  1. Attach a computer to the administrative network interface of your search appliance.

  2. For a Google Search Appliance G100, G500: connect a computer that is configured to accept a DHCP IP address to the orange network port of your search appliance. Use the orange cable provided, or a standard cross-over cable. Your computer will be assigned an IP address in the 192.168.255/24 subnet.

  3. In your web browser, enter the following URL:

    http://192.168.255.1:1111/enablesshd

    You are prompted with a challenge, consisting of a string of letters and numbers.

  4. Respond to the challenge with the first six characters of the string, but reverse the case of all letters when you enter the response.

    This means all upper-case letters become lower-case letters, and vice-versa.

    For example, suppose you receive the following challenge:

    xt5CS5GunQ045513Msr9XROlhJcQ==

    The correct response to this challenge is: XT5cs5

    When you are successful, you receive the following message:

    The Google Search Appliance will now allow maintenance access via SSH.

    If you are unsuccessful, you receive a new challenge.

Q: Does Google support remote access using Webex?

A: Webex is technology that can be used for support as an alternative to GotoAssist. Webex can be used when GotoAssist does not work well in your environment. Like GotoAssist, Webex is only available if you have purchased the Collaborative support package.

A Google technical support engineer will start the Webex session and send you email with the link for initiating your side of the Webex session. The Webex session presents you with a form to complete, which helps identify the participants in the session. If this is the first Webex session from your computer, a browser plugin is installed. A connection is established that enables Google support personnel to request control of the customer computer. From that computer, the Google support engineer can start an SSH session from the computer to the search appliance.

To prepare for a Webex, ensure that an SSH client, such as Putty, and an SSH file transfer tool, such as Putty's PSCP or WinSCP, are installed on the computer you will use to host the Webex session. The network port that is required for Webex sessions is documented at the Webex support site.

Q: Does Google support hardware VPNs?

A: No. Google does not support any VPN solutions that require Google to modify our network infrastructure.

Was this article helpful?
How can we improve it?