Where can I find more information on AOS Security?
Resolving the problem
Assist On-Site Security
Security and privacy are fundamental concerns when granting remote access to corporate IT assets. Assist On-Site uses the latest security technology to ensure that the data exchanged between IBM Support engineers and our customers is completely secure. Identities are verified and protected with industry standard authentication technology, and Assist On-Site sessions are kept secure and private with the use of randomly generated session keys and advanced encryption.
Assist On-Site allows IBM Support engineers to remotely access customers' computers to identify and resolve technical issues in real time. Assist On-Site facilitates problem determination and remediation by providing a powerful suite of tools that enables IBM Support engineers to quickly complete root cause analysis and take appropriate corrective action.
How Assist On-Site Works
When a customer contacts IBM Support via ESR or 800-IBM-SERV and opens a PMR with an issue or question, an IBM Support engineer can initiate a screen-sharing session in order to facilitate problem determination. The IBM Support engineer will refer the customer to the Assist On-Site URL, http://www.ibm.com/support/assistonsite, where the customer will need to enter their name, customer number, PMR number, and a connection code (supplied by the IBM Support engineer). The connection code is a one-time-use, seven-digit, randomly generated code that is only valid for five minutes. The Support engineer can extend the code time-out by ten additional minutes if necessary in order to accommodate slow network connectivity. The connection code is validated via a relay server, session keys are generated, and the connection is established. On average, the time needed to fill out the form and begin the session is about one minute. No software installation is required: the plug-in is downloaded automatically via the customer's web browser and is less than 50 KB in size. The plug-in is kept secure and virus free on IBM's relay servers and must be downloaded each time a session is established.
Once a screen-sharing session has begun, the Support engineer is connected to the customer's computer via a relay server. Large, randomly generated session keys are issued to both participants to ensure that only the designated parties are connected. During the session, all transferred information, including screen views, file-transfer data, and identities, is encrypted. Encryption and decryption are end to end, so data cannot be intercepted during transit and can only be viewed via the Assist On-Site console.
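The connection-code and session-key lifecycle described above, modelled as an added Python example. This is an educational reconstruction of the behaviour the text describes (one-time-use, seven-digit, randomly generated code; five-minute validity; a ten-minute extension by the engineer; a fresh random session key once the code is accepted), not IBM's relay-server code. The class and function names, the rule that a code may be extended only once, and the injectable clock are assumptions made for this example.

```python
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional

# Illustrative model of the connection-code lifecycle described in the text.
# Not IBM's relay-server implementation; names and the single-extension rule
# are assumptions made for this example.

CODE_DIGITS = 7
INITIAL_TTL_SECONDS = 5 * 60      # code valid for five minutes
EXTENSION_SECONDS = 10 * 60       # engineer may add ten more minutes
SESSION_KEY_BYTES = 32            # "large, randomly generated session keys"


@dataclass
class ConnectionCode:
    code: str
    issued_at: float
    expires_at: float
    engineer_id: str
    extended: bool = False


class CodeRelay:
    """Relay-side issue / extend / validate logic. `clock` is injectable so the
    expiry rules can be exercised without waiting (assumption for this example)."""

    def __init__(self, clock: Callable[[], float] = time.time) -> None:
        self._clock = clock
        self._codes: Dict[str, ConnectionCode] = {}

    def issue(self, engineer_id: str) -> str:
        """Engineer requests a code to hand to the customer."""
        now = self._clock()
        while True:
            # secrets uses the OS CSPRNG; zero-pad so every code has seven digits.
            code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
            if code not in self._codes:
                break
        self._codes[code] = ConnectionCode(code, now, now + INITIAL_TTL_SECONDS, engineer_id)
        return code

    def extend(self, code: str) -> bool:
        """Engineer extends the time-out by ten minutes; only while the code is
        still valid and, by assumption here, only once."""
        entry = self._codes.get(code)
        if entry is None or entry.extended or self._clock() >= entry.expires_at:
            return False
        entry.expires_at += EXTENSION_SECONDS
        entry.extended = True
        return True

    def validate(self, code: str) -> Optional[bytes]:
        """Customer submits the code from the web form. On success the code is
        consumed (single use) and a fresh random session key is returned.
        Any failure, including expiry or replay, returns None."""
        entry = self._codes.get(code)
        if entry is None:
            return None
        if self._clock() >= entry.expires_at:
            del self._codes[code]          # expired: forget it
            return None
        del self._codes[code]              # consumed: a second submission fails
        return secrets.token_bytes(SESSION_KEY_BYTES)


if __name__ == "__main__":
    relay = CodeRelay()
    code = relay.issue("engineer-1")
    print("issued", code, "-> key", relay.validate(code).hex())
    print("replay ->", relay.validate(code))
```

The code store is the relay's only record of an outstanding code, so once a code is consumed or expired there is nothing left to replay, which matches the statement that any future session needs a new code and new session keys.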
Authorization and Access Control
Assist On-Site sessions can only be initiated by a customer. During the initiation of a session, the customer can refuse receipt of the browser plug-in, thus refusing the download. If the customer accepts the connection, they can choose chat only, view only, or shared control modes of operation. During the session, the customer can retake control of the mouse and keyboard or end screen sharing altogether. Once a session has ended, the Support engineer can no longer connect to the customer's computer. Any future sessions will require new session keys and can only be initiated by the customer.
Strong Password Protection
Assist On-Site sessions are protected by strong password authentication. Support engineers are authenticated using a challenge and response password exchange. IBM administrators can view audit reports detailing log-in failures associated with incorrect IDs or passwords via the Management Center.
Assist On-Site implements outbound connections protected by state-of-the-art 128-bit MARS or TLS encryption over an HTTPS browser session to prevent intruder access to the information exchanged during all Assist On-Site sessions. Chat, screen viewing, screen sharing and file transfer data is encrypted end to end, and packets are never decrypted in transit by the communication servers.
Assist On-Site works seamlessly with most firewalls. Usually, Assist On-Site connections are possible without any firewall reconfiguration. Assist On-Site requires access to outbound ports at both ends of a connection, so there is normally no need to open holes in firewalls.
Ports, Relay Hosts, and IP Information
If additional configuration is required for a customer's firewall or proxy, the following table describes the required IP and port configuration:
| Hostname / GEO | IP | Ports |
| --- | --- | --- |
| aos.us.ihost.com | 18.104.22.168 | 8200 or 80 |
| Americas Relay (3.3 Sessions) | 22.214.171.124 | 8200 or 80 or 443 |
| Americas Relay (3.3 Sessions) | 126.96.36.199 | 8200 or 80 or 443 |
| EMEA Broker (4.0 Sessions) | 188.8.131.52 | 443 |
| US Broker (4.0 Sessions) | 184.108.40.206 | 443 |
220.127.116.11 on port 8200 or 80
In order to use geographically specific relay servers and achieve better throughput, the customer should also allow encrypted non-SSL (TLS-encrypted) outbound traffic to one of the geographically specific relay servers on port 8200, 443, or 80:
- 18.104.22.168 aos.us.ihost.com (hosted in North America, best for most geographies)
- 22.214.171.124 aosback.us.ihost.com (hosted in North America, best for most geographies)
- 126.96.36.199 aosrelay1.us.ihost.com (hosted in North America, best for most geographies)
- 188.8.131.52 aoshats.us.ihost.com (hosted in North America, best for most geographies)
- 184.108.40.206 aos.uk.ihost.com (hosted in Europe, best for Europe, Africa, and parts of Asia; port 443 only)
Assist On-Site will automatically choose the relay server or broker and port that provide the best end-to-end performance. All relay and broker servers are reachable from all geographies; performance is typically better from the relay server closest to the client system.
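Because the text stresses that only outbound connections are needed and that no inbound holes should be opened, the natural firewall posture is an explicit egress allow-list limited to the relay and broker addresses above. The following added Python example (not IBM documentation or tooling) builds that allow-list from the table, checks observed outbound flows against it so that anything outside the list stands out in review, and renders the list as iptables OUTPUT rules. The labels, IP addresses and ports are copied from the table and from the unlabelled entry listed after it; the function names, the iptables rendering and the sample flow list are assumptions constructed for this example.

```python
from ipaddress import ip_address
from typing import Dict, FrozenSet, Iterable, List, Tuple

# Added example: least-privilege egress allow-list derived from the AOS relay
# table. Labels, IPs and ports come from the page; everything else (function
# names, iptables rendering, sample flows) is constructed for illustration.

Endpoint = Tuple[str, str, FrozenSet[int]]   # (label, destination IP, allowed TCP ports)

RELAY_ENDPOINTS: List[Endpoint] = [
    ("aos.us.ihost.com", "18.104.22.168", frozenset({8200, 80})),
    ("Americas Relay (3.3 Sessions)", "22.214.171.124", frozenset({8200, 80, 443})),
    ("Americas Relay (3.3 Sessions)", "126.96.36.199", frozenset({8200, 80, 443})),
    ("EMEA Broker (4.0 Sessions)", "188.8.131.52", frozenset({443})),
    ("US Broker (4.0 Sessions)", "184.108.40.206", frozenset({443})),
    ("relay listed after the table", "220.127.116.11", frozenset({8200, 80})),
]


def build_policy(endpoints: Iterable[Endpoint]) -> Dict[str, FrozenSet[int]]:
    """Map destination IP -> allowed ports. ip_address() rejects malformed entries
    early, so a typo in the table cannot silently become a rule that never matches."""
    policy: Dict[str, FrozenSet[int]] = {}
    for _label, ip, ports in endpoints:
        key = str(ip_address(ip))
        policy[key] = policy.get(key, frozenset()) | ports
    return policy


def is_allowed(policy: Dict[str, FrozenSet[int]], dst_ip: str, dst_port: int) -> bool:
    """True only when the exact (IP, port) pair is on the allow-list."""
    try:
        key = str(ip_address(dst_ip))
    except ValueError:
        return False
    return dst_port in policy.get(key, frozenset())


def to_iptables(endpoints: Iterable[Endpoint]) -> List[str]:
    """One ACCEPT rule per endpoint; flows not matched fall through to the
    chain's existing default policy, so no inbound or extra outbound holes are added."""
    rules: List[str] = []
    for label, ip, ports in endpoints:
        dports = ",".join(str(p) for p in sorted(ports))
        rules.append(
            f"iptables -A OUTPUT -p tcp -d {ip} -m multiport --dports {dports} "
            f'-m comment --comment "AOS {label}" -j ACCEPT'
        )
    return rules


def audit_flows(policy: Dict[str, FrozenSet[int]],
                flows: Iterable[Tuple[str, int]]) -> List[Tuple[str, int]]:
    """Return the observed (dst_ip, dst_port) flows the allow-list would not permit."""
    return [f for f in flows if not is_allowed(policy, f[0], f[1])]


# Constructed sample of outbound flows, as might be read from a firewall log.
SAMPLE_FLOWS: List[Tuple[str, int]] = [
    ("18.104.22.168", 8200),
    ("184.108.40.206", 443),
    ("18.104.22.168", 443),     # listed host, but 443 is not in its table row
    ("198.51.100.7", 443),      # documentation-range address, not an AOS relay
]


if __name__ == "__main__":
    policy = build_policy(RELAY_ENDPOINTS)
    for rule in to_iptables(RELAY_ENDPOINTS):
        print(rule)
    print("flows outside the allow-list:", audit_flows(policy, SAMPLE_FLOWS))
```

The policy is keyed on the IP addresses from the table rather than on hostnames, because the text says the client may pick any relay or broker automatically and a name-based rule would resolve differently at each site; if the addresses in the table change, the allow-list is the single place to update.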
Logging and Auditing
Server-side logging captures session information including customer name and number, Support engineer name and number, customer and Support engineer IP and MAC addresses, and connection and disconnection time stamps. In addition to server-side logging, customers can choose to audit the session locally by recording it. The recording can be initiated by either the customer or the Support engineer; the customer activates it explicitly when accepting the support session by selecting the checkbox in the session acceptance dialog, as shown below.
Assist On-Site events are then written to the local log file trc_base_<day>.log. The events recorded include:
- Connection and disconnection, for example:
    forth_con: broker wants to disconnect
- The initial session mode and any subsequent changes to a different connection mode, for example:
    Changing to mode 0x0001 (Chat only)
    Changing to mode 0x0008 (Active Session)
- Names of files received and transferred, for example:
    ft_mgr: File RECEIVE started for file
- Requests for system information from the console, for example:
    Asking user if it agrees to send SYSINFO
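The local log is only useful for auditing if someone reads it after the session, so here is an added Python example (not part of the IBM technote and not an IBM tool) that condenses a trc_base_<day>.log into the facts a reviewer wants: the sequence of connection modes, whether shared control was entered, which files were transferred, whether system information was requested, and whether the session ended with a broker disconnect. The event strings and the two mode codes (0x0001 Chat only, 0x0008 Active Session) are taken from the page; the timestamp prefix on each line, the sample file name, the unrecognised mode 0x0004 and the function names are constructed assumptions for this example.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Added example: audit parser for the event lines the text says are written to
# trc_base_<day>.log. Event strings and the two known mode codes come from the
# page; the line layout, sample data and names below are assumptions.

KNOWN_MODES: Dict[int, str] = {0x0001: "Chat only", 0x0008: "Active Session"}
ACTIVE_SESSION_MODE = 0x0008


@dataclass
class AosEvent:
    line_no: int
    kind: str      # disconnect | mode_change | file_transfer | sysinfo_request | other
    detail: str


_MODE_RE = re.compile(r"Changing to mode 0x([0-9A-Fa-f]+)")
_FILE_RE = re.compile(r"ft_mgr: File (\w+) started for file\s*(.*)$")


def parse_line(line_no: int, line: str) -> AosEvent:
    """Classify one log line. Unknown mode codes are reported, not guessed."""
    text = line.rstrip("\n")
    if "forth_con: broker wants to disconnect" in text:
        return AosEvent(line_no, "disconnect", "broker requested disconnect")
    m = _MODE_RE.search(text)
    if m:
        code = int(m.group(1), 16)
        return AosEvent(line_no, "mode_change",
                        f"0x{code:04X} ({KNOWN_MODES.get(code, 'unknown mode')})")
    m = _FILE_RE.search(text)
    if m:
        name = m.group(2).strip() or "<unnamed>"
        return AosEvent(line_no, "file_transfer", f"{m.group(1)} {name}")
    if "Asking user if it agrees to send SYSINFO" in text:
        return AosEvent(line_no, "sysinfo_request", "console requested system information")
    return AosEvent(line_no, "other", text)


def summarize(log_text: str) -> Dict[str, object]:
    """Condense a whole log into the post-session facts a reviewer checks."""
    events = [parse_line(i, ln)
              for i, ln in enumerate(log_text.splitlines(), start=1) if ln.strip()]
    modes = [e.detail for e in events if e.kind == "mode_change"]
    return {
        "mode_sequence": modes,
        "files": [e.detail for e in events if e.kind == "file_transfer"],
        "sysinfo_requested": any(e.kind == "sysinfo_request" for e in events),
        "disconnects": sum(1 for e in events if e.kind == "disconnect"),
        # shared control (Active Session, 0x0008) was entered at some point
        "shared_control_entered": any(d.startswith(f"0x{ACTIVE_SESSION_MODE:04X}") for d in modes),
        # lines the parser could not classify, so a reviewer can inspect them by hand
        "unrecognised_lines": [e.line_no for e in events if e.kind == "other"],
    }


# Constructed sample log; the timestamp prefix and file name are made up for this example.
SAMPLE_LOG = """\
2024-01-15 10:02:11 Changing to mode 0x0001 (Chat only)
2024-01-15 10:03:40 Changing to mode 0x0008 (Active Session)
2024-01-15 10:05:02 ft_mgr: File RECEIVE started for file diag_bundle.zip
2024-01-15 10:06:30 Asking user if it agrees to send SYSINFO
2024-01-15 10:07:15 Changing to mode 0x0004
2024-01-15 10:12:58 forth_con: broker wants to disconnect
"""


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Keeping the mode map limited to the codes the documentation names, and surfacing any other code as "unknown mode", avoids inventing meanings for values the page does not define; a reviewer who sees an unknown mode or an unrecognised line can follow up rather than have it silently classified.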
The main driver for the AOS 4.0 application is a jar file ODTJPlugin.jar that is loaded as a java plugin through the session initiation page.
The main driver for the AOS 3.3 application is ibmaos.exe. It bundles Forthook.dll, tgrab.sys, and aosdel.exe.
Tgrab.sys is used to support full screen text mode windows.
Forthook.dll and tgrab.sys are deleted by the main executable (ibmaos.exe) when the session ends.
Aosdel.exe is tasked with deleting ibmaos.exe. Aosdel.exe is marked for removal so that Windows will automatically delete it on the next reboot.
Lastly, if the customer user is an administrator and system information is requested, a driver (egathdrv.sys) is copied to system32 and loaded in order to get system information such as the serial number of the machine. This driver is unloaded and deleted automatically once this operation finishes.
Additional Documents IBM Internal
If you require assistance from Support, follow the information on this link:
This link is also accessible from the AOS-Admin portal: log in and then click on "Get Support".