
_____________________________________________________________________ 

 

 

724-746-5500 | blackbox.com                                                       Page 101

   Click New Firewall Rule

   Fill in the following fields:

   Name:                   Name the rule. This name should describe the policy the firewall
                           rule is being used to implement (e.g. block ftp, Allow Tony).

   Interface:              Select the interface that the firewall rule will be applied to
                           (e.g. Any, Dialout/Cellular, VPN, Network Interface, Dial-in, etc.).

   Port Range:             Specify the Port or range of Ports (e.g. 1000 – 1500) that the rule
                           will apply to. This may be left blank for Any.

   Source Address Range:   Specify the source IP address (or address range) to match. IP
                           address ranges use the format ip/netmask (where netmask is in bits
                           1-32). This may be left blank for Any.

   Destination Range:      Specify the destination IP address/address range to match. IP
                           address ranges use the format ip/netmask (where netmask is in bits
                           1-32). This may be left blank.

   Protocol:               Select whether the firewall rule will apply to TCP or UDP.

   Direction:              Select the traffic direction that the firewall rule will apply to
                           (Ingress = incoming, or Egress).

   Action:                 Select the action (Accept or Block) that will be applied to the
                           packets detected that match the Interface + Port Range +
                           Source/Destination Address Range + Protocol + Direction.

   For example, to block all SSH traffic from leaving the Dialout interface, the following
   settings can be used:

           Interface:    Dialout/Cellular
           Port Range:   22
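The matching semantics of the fields above (a blank field means Any, address ranges written as ip/netmask with the netmask in bits 1-32 so that /32 is a single host, port ranges such as 1000 – 1500, and the block-SSH-on-Dialout example) modelled as a small rule evaluator. This is an added example and not the console server's own firewall code. It assumes that Port Range is matched against the destination port, that the first matching rule wins, and that a packet matching no rule yields no decision (the manual does not state the default policy); the packets and the second rule are constructed, using RFC 5737 documentation addresses.

```python
"""Model of the firewall-rule fields on this page (added example, not the
console server's own firewall code).  Assumptions are marked in comments."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    interface: str   # e.g. "Dialout/Cellular", "Network Interface"
    protocol: str    # "TCP" or "UDP"
    direction: str   # "Ingress" (incoming) or "Egress"
    src: str         # source IPv4 address
    dst: str         # destination IPv4 address
    dport: int       # destination port (assumption: Port Range is matched on this)


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                        # "Accept" or "Block"
    protocol: str                      # "TCP" or "UDP"
    direction: str                     # "Ingress" or "Egress"
    interface: str = "Any"
    port_range: Optional[str] = None   # "22" or "1000 – 1500"; blank (None) means Any
    src_range: Optional[str] = None    # "ip/netmask", netmask in bits 1-32; blank means Any
    dst_range: Optional[str] = None    # same format; blank means Any


def parse_port_range(text: str) -> Tuple[int, int]:
    """'22' -> (22, 22); '1000 – 1500' -> (1000, 1500).  Rejects reversed or out-of-range ports."""
    parts = [p.strip() for p in text.replace("\u2013", "-").split("-")]
    if len(parts) == 1:
        lo = hi = int(parts[0])
    elif len(parts) == 2:
        lo, hi = int(parts[0]), int(parts[1])
    else:
        raise ValueError(f"bad port range: {text!r}")
    if not 1 <= lo <= hi <= 65535:
        raise ValueError(f"port range out of order or out of bounds: {text!r}")
    return lo, hi


def parse_addr_range(text: str):
    """'ip/netmask' with netmask in bits 1-32 -> IPv4Network.  A /32 is a single host."""
    if "/" not in text:
        raise ValueError(f"address range must be ip/netmask: {text!r}")
    ip, bits = text.split("/", 1)
    if not 1 <= int(bits) <= 32:
        raise ValueError(f"netmask must be 1-32 bits: {text!r}")
    # strict=False: 10.0.0.5/24 is accepted and means the 10.0.0.0/24 network
    return ip_network(f"{ip.strip()}/{int(bits)}", strict=False)


def matches(rule: Rule, pkt: Packet) -> bool:
    """True when every field of the rule matches the packet; blank fields match anything."""
    if rule.interface != "Any" and rule.interface != pkt.interface:
        return False
    if rule.protocol.upper() != pkt.protocol.upper() or rule.direction != pkt.direction:
        return False
    if rule.port_range is not None:
        lo, hi = parse_port_range(rule.port_range)
        if not lo <= pkt.dport <= hi:
            return False
    if rule.src_range is not None and ip_address(pkt.src) not in parse_addr_range(rule.src_range):
        return False
    if rule.dst_range is not None and ip_address(pkt.dst) not in parse_addr_range(rule.dst_range):
        return False
    return True


def evaluate(rules: List[Rule], pkt: Packet) -> Optional[str]:
    """Action of the first matching rule, or None when nothing matches.
    First-match ordering and the no-match result are assumptions of this model;
    the manual does not state the default policy."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.action
    return None


# Constructed rule set: the page's "block SSH leaving the Dialout interface" example,
# plus a host-only (/32) block on an RFC 5737 documentation address.
RULES = [
    Rule(name="block ssh out", action="Block", protocol="TCP", direction="Egress",
         interface="Dialout/Cellular", port_range="22"),
    Rule(name="block Tony", action="Block", protocol="TCP", direction="Ingress",
         interface="Network Interface", src_range="192.0.2.77/32"),
]

if __name__ == "__main__":
    probe = Packet("Dialout/Cellular", "TCP", "Egress", "10.0.0.5", "203.0.113.9", 22)
    print(evaluate(RULES, probe))  # Block
```

The parsers reject the inputs the form would also have to reject (a reversed port range, a port outside 1-65535, a netmask outside 1-32 bits, or an address without a netmask), so the same functions can be used to sanity-check a rule before it is entered.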

Summary of Contents for LES1208A-R2

Page 1: ...ES1316A LES1416A LES1132A LES1232A LES1332A LES1432A LES1148A LES1248A R2 LES1348A LES1448A Order toll free in the U S Call 877 877 BBOX outside U S call 724 746 5500 FREE technical support 24 hours a day 7 days a week Call 724 746 5500 or fax 724 746 0746 Mailing address Black Box Corporation 1000 Park Drive Lawrence PA 15055 1018 Web site www blackbox com E mail info blackbox com Customer Suppor...

Page 2: ...trademark of Apple Computers Inc Linux is a registered trademark of Linus Torvalds Internet Explorer Windows Windows Me Windows NT and Windows Vista are a registered trademarks of Microsoft Corporation Nagios is a registered trademark of Nagios Enterprises LLC Java and Solaris are trademarks of Sun Microsystems Inc Unix is a registered trademark of X Open Company Ltd Any other trademarks mentioned...

Page 3: ...rvers Manual We re here to help If you have any questions about your application or our products contact Black Box Tech Support at 724 746 5500 or go to blackbox com and click on Talk to Black Box You ll be live with one of our technical experts in less than 60 seconds ...

Page 4: ...ference when the equipment is operated in a commercial environment Operation of this equipment in a residential area is likely to cause interference in which case the user at his own expense will be required to take whatever measures may be necessary to correct the interference Changes or modifications not expressly approved by the party responsible for compliance could void the user s authority t...

Page 5: ...inetes que impidan el flujo de aire por los orificios de ventilación 10 El equipo eléctrico deber ser situado fuera del alcance de fuentes de calor como radiadores registros de calor estufas u otros aparatos incluyendo amplificadores que producen calor 11 El aparato eléctrico deberá ser connectado a una fuente de poder sólo del tipo descrito en el instructivo de operación o como se indique en el a...

Page 6: ...24 2 6 Antenna and SIM 25 SYSTEM CONFIGURATION 26 3 1 Management console connection 26 3 1 1 Connected PC workstation set up 26 3 1 2 Browser connection 27 3 2 Administrator Password 29 3 2 1 Set up new administrator 30 3 2 2 Name the console server 30 3 3 Network IP address 31 3 3 1 IPv6 configuration 32 3 3 2 Dynamic DNS DDNS configuration 32 3 4 System Services and Service access 33 3 4 1 Servi...

Page 7: ... FIREWALL FAILOVER AND OoB DIAL IN 82 5 1 OoB Dial In access 82 5 1 1 Configure Dial In PPP 83 5 1 2 Using SDT Connector client 85 5 1 3 Set up Windows XP 2003 Vista 7 client 85 5 1 4 Set up earlier Windows clients 86 5 1 5 Set up Linux clients for dial in 86 5 2 OoB broadband access 86 5 3 Broadband Ethernet Failover 87 5 4 Dial Out Failover 88 5 4 1 Always on dial out 88 5 4 2 Failover dial out ...

Page 8: ... 6 9 SDT SSH Tunnel for VNC 125 6 9 1 Install and configure the VNC Server on the computer to be accessed 125 6 9 2 Install configure and connect the VNC Viewer 126 6 10 Using SDT to IP connect to hosts that are serially attached to the gateway 128 6 10 1 Establish a PPP connection between the host COM port and console server 128 6 10 2 Set up SDT Serial Ports on console server 132 6 10 3 Set up S...

Page 9: ...3 9 1 7 Remote groups with RADIUS authentication 174 9 1 8 Remote groups with LDAP authentication 174 9 1 9 Remote groups with TACACS authentication 176 9 1 10 Idle timeout 176 9 1 11 Kerberos authentication 176 9 2 PAM Pluggable Authentication Modules 177 9 3 SSL Certificate 179 NAGIOS INTEGRATION 182 10 1 Nagios overview 183 10 2 Central management and setting up SDT for Nagios 183 10 2 1 Set up...

Page 10: ...d line 215 14 2 Serial Port configuration 218 14 3 Adding and removing Users 220 14 4 Adding and removing User Groups 222 14 5 Authentication 223 14 6 Network Hosts 223 14 7 Trusted Networks 225 14 8 Cascaded Ports 225 14 9 UPS connections 226 14 10 RPC connections 227 14 11 Environmental 228 14 12 Managed Devices 229 14 13 Port Log 229 14 14 Alerts 230 14 15 SMTP SMS 232 14 16 SNMP 233 14 17 Admi...

Page 11: ...ure Shell SSH Public Key Authentication 252 15 6 1 SSH Overview 252 15 6 2 Generating Public Keys Linux 253 15 6 3 Installing the SSH Public Private Keys Clustering 254 15 6 4 Installing SSH Public Key Authentication Linux 254 15 6 5 Generating public private keys for SSH Windows 256 15 6 6 Fingerprinting 258 15 6 7 SSH tunneled serial bridging 258 15 6 8 SDT Connector Public Key Authentication 26...

Page 12: ...________________________ 724 746 5500 blackbox com Page 12 APPENDIX A CLI Commands and Source Code B Hardware Specification C Safety and Certifications D Connectivity and Serial I O E Terminology F End User License Agreement G Service and Warranty ...

Page 13: ...ual 2 Installation Physical installation of the console server and how to interconnect controlled devices 3 System Configuration Describes the initial installation and configuration using the Management Console Covers configuration of the console server on the network and the services that will be supported 4 Serial Network Covers configuring serial ports and connected network hosts and setting up...

Page 14: ...e Administrator with specific limits of their access and control authority These users are set up as members of the users user group or some other user groups the Administrator may have added They are only authorized to perform specified controls on specific connected devices and are referred to as Users These Users when authorized can access serial or network connected devices and control these d...

Page 15: ...e serial port connect via ssh or telnet through the LAN or connect through an SSH tunneling to the console server Manual Conventions This manual uses different fonts and typefaces to show specific actions Note Text presented like this indicates issues to note Text presented like this highlights important information Make sure you read and follow these warnings Text presented with an arrow head ind...

Page 16: ...______________________________________ 724 746 5500 blackbox com Page 16 October 2011 2 0 Release for V2 8 firmware and later December 2012 3 0 Release for V3 5 firmware and later February 2014 4 0 Release for V3 9 firmware and later ...

Page 17: ...d in this manual at any time This manual could include technical inaccuracies or typographical errors Changes are periodically made to the information herein these changes may be incorporated in new editions of the publication Notice to Users Use proper back up systems and necessary safety devices to protect against injury death or property damage caused by system failure This protection is the us...

Page 18: ... Modem RJ Pinout Power Memory flash RAM LES1508A 8 2 2 1 02 Ext AC DC 16 64MB 4GB LES1448A 48 2 2 1 Internal CDMA 01 Dual AC 16 64MB 16GB LES1432A 32 2 2 1 Internal CDMA 01 Dual AC 16 64MB 16GB LES1416A 16 2 2 1 Internal CDMA 01 Dual AC 16 64MB 16GB LES1408A 8 2 2 1 Internal CDMA 01 Dual AC 16 64MB 16GB LES1348A 48 2 2 1 Internal GSM 01 Dual AC 16 64MB 16GB LES1332A 32 2 2 1 Internal GSM 01 Dual A...

Page 19: ...nect your console server to the network to the serial ports of the controlled devices and to power as outlined next 2 1 1 Kit components LES1508A Console Server LES1508A Console Server 2 UTP CAT5 blue cables DB9F RJ45S straight and DB9F RJ45S cross over connectors Power Supply 12VDC 1 0A Wall mount Printed Quick Start Guide 2 1 2 Kit components LES1308A LES1348A and LES1408A LES1448A Advanced Cons...

Page 20: ...le Antenna with 10 foot extension cable Dual IEC AC power cords Printed Quick Start Guide 2 1 3 Kit components LES1208A R2 LES1216A R2 LES1232A and LES1248A R2 Advanced Console Servers LES1208A R2 LES1216A R2 LES1232A or LES1248A R2 Advanced Console Server 2 UTP CAT5 blue cables DB9F RJ45S straight and DB9F RJ45S cross over connectors Dual IEC AC power cords Printed Quick Start Guide ...

Page 21: ...onents LES1108A Console Server LES1108A Console Server 2 UTP CAT5 blue cables DB9F RJ45S straight and DB9F RJ45S cross over connectors 5 VDC 2 0A Power Supply with IEC Socket and AC power cable Printed Quick Start Guide 2 2 Power connection 2 2 1 LES1508A power The LES1508A includes an external DC power supply unit This unit accepts an AC input voltage between 100 and 250 VAC with a frequency of 5...

Page 22: ...ds Power cords for various regions are available although the North American power cord is provided by default There is a warning notice printed on the back of each unit To avoid electrical shock connect the power cord grounding conductor to ground 2 2 2 LES1116A LES1132A and LES1148A power The LES1116A LES1132A and LES1148A models have a built in universal auto switching AC power supply This powe...

Page 23: ... Use industry standard Cat5 cabling and connectors Make sure that you only connect the LAN port to an Ethernet network that supports 10BASE T 100BASE T To initially configure the console server you must connect a PC or workstation to the console server s principal network port labeled NETWORK1 or LAN 2 4 Serial Port connection The RJ 45 serial ports are located on the rear panel of the LES1108A an...

Page 24: ...sole Modem port on rear panel With the LES1508 Serial Port 1 is configured by default in Local Console modem mode Conventional CAT5 cabling with RJ 45 jacks is used for serial connections Before connecting an external device s console port to the console server serial port confirm that the device supports the standard RS 232C EIA 232 Black Box supplies a range of cables and adapters that may be re...

Page 25: ...orage etc 2 6 Antenna and SIM The LES1408A LES1416A LES1432A and LES1448A console servers also have an internal CDMA cellular modem requiring external antenna connection The LES1308A LES1316A LES1332A and LES1348A console servers have an internal GSM cellular modem that requires a SIM card and an external antenna Before powering on the console server Screw the external antenna coax cable onto the ...

Page 26: ...initial configuration we recommend that you connect the console server directly to a single PC or workstation However if you choose to connect your LAN before completing the initial setup steps it is important that you make sure that there are no other devices on the LAN with an address of 192 168 0 1 the console server and the PC workstation are on the same LAN segment with no interposed router a...

Page 27: ...he console server In the example below a console server has a MAC Address 00 13 C6 00 02 0F designated on the label on the bottom of the unit and we are setting its IP address to 192 168 100 23 Also the PC workstation issuing the arp command must be on the same network segment as the console server that is have an IP address of 192 168 100 xxx Type arp s 192 168 100 23 00 13 C6 00 02 0F Note for U...

Page 28: ... administration password on the Users page Chapter 3 Configure the local network settings on the System IP page Chapter 3 Configure port settings and enable the Serial Network Serial Port page Chapter 4 Configure users with access to serial ports on the Serial Network Users page Chapter 4 If your system has a cellular modem you will also be given the steps to configure the cellular router features...

Page 29: ... guesses the root password could gain access and the default root password is default To avoid this enter and confirm a new root password before giving the console server any access to or control of your computers and network appliances The system password can be changed by editing the root user on the Serial Network Users Groups form Select Change default administration password on the Welcome sc...

Page 30: ... group with full access privileges through the Serial Network Users Groups menu refer Chapter 4 for details 3 2 2 Name the console server It is also recommended that you set up a System Name for your console server to make it simple to identify Select System Administration and enter a System Name and System Description for the console server to give it a unique ID Note The System Name can contain ...

Page 31: ...ion details from a DHCP server on your management LAN This selection automatically disables any static address The console server MAC address is printed on a label on the base plate Note In its factory default state with no Configuration Method selected the console server has its DHCP client enabled so it automatically accepts any network IP address assigned by a DHCP server on your network In thi...

Page 32: ...e provider you will select a username and password as well as a hostname that you will use as the DNS name to allow external access to your machine using a URL The Dynamic DNS service providers allow the user to choose a hostname URL and set an initial IP address to correspond to that hostname URL Many Dynamic DNS providers offer a selection of URL hostnames available for free use with their servi...

Page 33: ...network interface using Service Settings Then the Services Access can be set to allow or block access 3 4 1 Service Access Service Access specifies which access protocols services can be used to access the console server and connected serial ports To change the access settings Select the Service Access tab on the System Services page This will displays the services currently enabled for the consol...

Page 34: ... managed over any public network for example the Internet HTTP By default HTTP is disabled We recommend that the HTTP service remain disabled if the console server will be remotely accessed over the Internet Telnet This gives the Administrator Telnet access to the system command line shell Linux commands This may be suitable for a local direct connection over a management LAN By default Telnet is ...

Page 35: ... service after initial configuration Nagios Access to the Nagios NRPE monitoring daemons refer Chapter 8 NUT Access to the NUT UPS monitoring daemon refer Chapter 10 SNMP This will enable netsnmp in the console server which will keep a remote log of all posted information SNMP is disabled by default To modify the default SNMP settings the Administrator must make the edits at the command line as de...

Page 36: ...r telnet access is 2000 and the range for telnet is IP Address Port 2000 serial port i e 2001 2048 If the Administrator sets 8000 as a secondary base for telnet then serial port 2 on the console server can be accessed via telnet at IP Address 2002 and at IP Address 8002 The default base for SSH is 3000 for Raw TCP is 4000 and for RFC2217 it is 5000 RAW Direct You can also specify that serial port ...

Page 37: ...et SSH HTTP HTTPS VNC and RDP to provide point and click secure remote management access to all the systems and devices being managed Information on using SDT Connector for browser access to the console server s Management Console Telnet SSH access to the console server command line and TCP UDP connecting to hosts that are network connected to the console server is in Chapter 6 Secure Tunneling SD...

Page 38: ...sshtools To use SSHTerm for an SSH terminal session from a Windows Client simply Select the File option and click on New Connection A new dialog box will appear for your Connection Profile Type in the host name or IP address for the console server unit and the TCP port that the SSH session will use port 22 Then type in your username choose password authentication and click connect You may receive ...

Page 39: ...ES1232A and LES1248A R2 console servers provide a firewall router and DHCP server You need to connect an external LAN switch to Network 2 to attach hosts to this management LAN This Management LAN feature is disabled by default To configure the Management LAN gateway Select the Management LAN page on the System IP menu and uncheck Disable Configure the IP Address and Subnet Mask for the Management...

Page 40: ...nd line 3 6 2 Configure the DHCP server The LES1508A LES1408A LES1416A LES1432A LES1448A LES1308A LES1316A LES1332A LES1348A LES1208A R2 LES1216A R2 LES1232A and LES1248A R2 console servers also host a DHCP server which by default is disabled The DHCP server enables the automatic distribution of IP addresses to hosts on the Management LAN that are running DHCP clients To enable the DHCP server On ...

Page 41: ...ses and reserving IP addresses to be used by connected hosts with fixed IP addresses To reserve an IP addresses for a particular host Click Add in the Reserved Addresses field Enter the Hostname the Hardware Address MAC and the Statically Reserved IP address for the DHCP client and click Apply When DHCP has initially allocated hosts addresses copy these addresses into the pre assigned list so the ...

Page 42: ...ort on the LES1508A LES1408A LES1416A LES1432A LES1448A LES1308A LES1316A LES1332A LES1348A LES1208A R2 LES1216A R2 LES1232A and LES1248A R2 console server or o Internal Modem the internal V 92 modem in the LES1208A R2 LES1216A R2 LES1232A and LES1248A R2 console server or o Internal Cellular Modem the CDMA modem in the LES1408A LES1416A LES1432 and LES1448 or theGSM modem in the LES1308A LES1316A...

Page 43: ...er 5 Note You can configure the second Ethernet port as either a gateway port or as an OOB Failover port but not both Make sure you did not enable the Management LAN function on Network 2 3 6 4 Aggregating the network ports By default you can only access the console server s Management LAN network ports using SSH tunneling port forwarding or by establishing an IPsec VPN tunnel to the console serve...

Page 44: ...between the ports but they present with one MAC address o Both modes remove all the Management LAN Interface and Out of Band Failover Interface functions and disable the DHCP Server o All the Ethernet ports are all transparently connected at the data link layer layer 2 and they are configured collectively using the Network Interface menu 3 6 5 Static routes Static routes provide a very quick way t...

Page 45: ...tination network host that the route provides access to Enter a value in the Destination netmask field that identifies the destination network or host Any number between 0 and 32 A subnet mask of 32 identifies a host route Enter Route Gateway with the IP address of a router that will route packets to the destination network Enter a value in the Metric field that represents the metric of this conne...

Page 46: ...ols to be used in accessing serially connected devices Users Groups setting up users and defining the access permissions for each of these users Authentication covered in more detail in Chapter 9 Network Hosts configuring access to network connected devices referred to as hosts Configuring Trusted Networks nominate user IP addresses Cascading and Redirection of Serial Console Ports Connecting to P...

Page 47: ...urrently set up for each serial port By default each serial port is set in Console Server mode To reconfigure the port click Edit When you have reconfigured the common settings Chapter 4 1 1 and the mode Chapters 4 1 2 4 1 6 for each port you can set up any remote syslog Chapter 4 1 7 then click Apply Note If you want to set the same protocol options for multiple serial ports at once click Edit Mu...

Page 48: ...devices they will be controlling and make sure they have matching settings Note The serial ports are all set at the factory to RS232 9600 baud no parity 8 data bits 1 stop bit and Console server Mode You can change the baud rate to 2400 230400 baud using the management console You can configure lower baud rates 50 75 110 134 150 200 300 600 1200 1800 baud from the command line Refer to Chapter 14 ...

Page 49: ...or s computer can connect to a serial device attached to this serial port on the console server The Telnet communications are unencrypted so this protocol is generally recommended only for local connections With Win2000 XP NT you can run telnet from the command prompt cmd exe Vista and Windows 7 include a Telnet client and server but they are not enabled by default To enable Telnet Log in as Admin...

Page 50: ...ateway then configure it as a host Next you enable Telnet service on Port 2000 serial port i e 2001 2048 Refer to Chapter 6 for more details on using SDT Connector for Telnet and SSH access to devices that are attached to the console server serial ports You can also use standard communications packages like PuTTY to set a direct Telnet or SSH connection to the serial ports refer to the Note below ...

Page 51: ...erver is secure For SSH access to the consoles on devices attached to the console server serial ports you can use SDT Connector Configure SDT Connector with the console server as a gateway then as a host and enable SSH service on Port 3000 serial port i e 3001 3048 Chapter 6 Secure Tunneling has more information on using SDT Connector for SSH access to devices that are attached to the console serv...

Page 52: ...ing RFC2217 enables serial port redirection on that port For RFC2217 the default port address is IP Address _ Port 5000 serial port that is 5001 5048 Special client software is available for Windows UNIX and Linux that supports RFC2217 virtual com ports so a remote host can monitor and manage remote serially attached devices as though they were connected to the local serial port see Chapter 4 6 Se...

Page 53: ...incoming characters will be collected before then being sent as a packet over the network Escape Character This enables you to change the character used for sending escape characters The default is Power Menu This setting enables the shell power command A user can control the power connection to a Managed Device from command line when they are connected to the device via telnet or ssh To operate t...

Page 54: ...device configuration page Serial Network UPS Connections RPC Connection or Environmental as detailed in Chapter 8 Power Environmental Management 4 1 5 Terminal Server Mode Select Terminal Server Mode and the Terminal Type vt220 vt102 vt100 Linux or ANSI to enable a getty on the selected serial port The getty will then configure the port and wait for a connection to be made An active connection on ...

Page 55: ...ode and specify the IP address of the Server console server and the TCP port address of the remote serial port for RFC2217 bridging this will be 5001 5048 By default the bridging client will use RAW TCP Select RFC2217 if this is the console server mode you have specified on the server console server You may secure the communications over the local Ethernet by enabling SSH You will need to generate...

Page 56: ...17 or RawTCP to get at the stream 4 1 9 Cisco USB console connection The LES1508A LES1408A LES1416A LES1432A LES1448A LES1308A LES1316A LES1332A LES1348A LES1208A R2 LES1216A R2 LES1232A and LES1248A R2 console servers support direct USB2 0 connection to one or two Cisco USB console ports in addition to the traditional RS 232 serial console port connections With such a USB console connection users...

Page 57: ...in clear text dialin Group to allow dialin access via modems Users in this group will have their password stored in clear text ftp Group to allow ftp access and file access to storage devices pmshell Group to set default shell to pmshell users Provides users with basic management privileges Note 1 Members of the admin group have full Administrator privileges The admin user Administrator can access...

Page 58: ...evice serial port and host access permissions However users in these additional groups don t have any access to the Management Console menu nor do they have any command line access to the console server itself 5 The Administrator can also set up users with specific power device serial port and host access permissions who are not a member of any Groups Similarly these users don t have any access to...

Page 59: ... user to join SSH pass key authentication can be used This is more secure than password based authentication Paste the public keys of authorized public private keypairs for this user in the Authorized SSH Keys field Check Disable Password Authentication if you wish to only allow public key authentication for this user when using SSH Check Enable Dial Back in the Dial in Options menu to allow an ou...

Page 60: ...he default user group then he will not be able to use the Management Console to manage ports The time allowed to re configure increases as the number and complexity increases We recommend that you keep the aggregate number of users and groups under 250 The Administrator can also edit the access settings for any existing users Select Serial Network Users Groups and click Edit for the User to be mod...

Page 61: ... specifies the level of information to be logged and monitored for each Host access refer to Chapter 7 Alerts and Logging If the Host is a PDU or UPS power device or a server with IPMI power control then specify RPC for IPMI and PDU or UPS and the Device Type The Administrator can then configure these devices and enable which users have permission to remotely cycle power etc refer to Chapter 8 Oth...

Page 62: ...ocated with a particular Class C network for example 204 15 5 0 connection to the nominated port then you would add the following Trusted Network New Rule Network Address 204 15 5 0 Network Mask 255 255 255 0 If you want to permit only the one user who is located at a specific IP address for example 204 15 5 13 say to connect Network Address 204 15 5 0 Network Mask 255 255 255 255 If however you w...

Page 63: ...ter controls other console servers as Slave units and all the serial ports on the Slave units appear as if they are part of the Master Black Box s clustering connects each Slave to the Master with an SSH connection This uses public key authentication so the Master can access each Slave using the SSH key pair rather than using passwords This ensures secure authenticated communications between Maste...

Page 64: ... have been successfully generated Click here to return and the keys will automatically be uploaded to the Master and connected Slaves 4 6 2 Manually generate and upload SSH keys Or if you have an RSA or DSA key pair you can manually upload them to the Master and Slave console servers Note If you already have an RSA or DSA key pair that you do not want to use you will need to create a key pair usin...

Page 65: ...r 15 6 Also refer to this chapter if you need to use more than one set of Authorized Keys in the Slave Select System Administration on the Slave s Management Console Browse again to the stored RSA or DSA Public Key and upload it to Slave s SSH Authorized Key Click Apply The next step is to Fingerprint each new Slave Master connection This one time step will validate that you are establishing an SS...

Page 66: ...ment Console To add clustering support select Add Slave Note You can t add any Slaves until you automatically or manually generate SSH keys To define and configure a Slave Enter the remote IP Address or DNS Name for the Slave console server Enter a brief Description and a short Label for the Slave use a convention here that enables you to effectively manage large networks of clustered console serv...

Page 67: ...Management Console to change the settings on any Slave serial port such as alter the baud rates These changes will be overwritten next time the Master sends out a configuration file update Also while the Master is in control of all Slave serial port related functions it is not master over the Slave network host connections or over the Slave console server system itself You must access each Slave d...

Page 68: ...splays all the Managed Devices with their Description Notes It also lists all the configured Connections that is Serial Port if serially connected or USB if USB connected IP Address if network connected Power PDU outlet details if applicable and any UPS connections Devices such as servers will commonly have more than one power connections for example dual power supplied and more than one network c...

Page 69: ... configure the relevant connection A corresponding new Managed Device with the same Name Description as the RPC UPS Host is not created until you complete this connection step refer Chapter 8 Power and Environment Note The outlet names on this newly created PDU will by default be Outlet 1 and Outlet 2 When you connect a particular Managed Device that draws power from the outlet then the outlet wil...

Page 70: ...te Network VPN The VPN allows multiple sites or remote administrators to access the console server and Managed Devices securely over the Internet The administrator can establish an encrypted authenticated VPN connection between advanced console serves distributed at remote sites and a VPN gateway such as Cisco router running IOS IPsec on their central office network o Users and administrators at t...

Page 71: ...ey to be used on the remote gateway then cut and paste it into the Right Public Key o If you select Shared secret you will need to enter a Pre shared secret PSK The PSK must match the PSK configured at the other end of the tunnel In Authentication Protocol select the authentication protocol to be used Either authenticate as part of ESP Encapsulating Security Payload encryption or separately using ...

Page 72: ...nsole server referred to as the Left or Local host exactly matches the set up entered when configuring the Remote Right host gateway or software client 4 10 OpenVPN The LES1508A LES1408A LES1416A LES1432A LES1448A LES1308A LES1316A LES1332A LES1348A LES1208A R2 LES1216A R2 LES1232 and LES1248A R2 console servers include OpenVPN which is based on TSL Transport Layer Security and SSL Secure Socket L...

Page 73: ...tion to upload custom configuration files Custom configurations must be stored in etc config Note If you select PKI public key infrastructure you will need to establish Separate certificate also known as a public key This Certificate File will be a crt file type Private Key for the server and each client This Private Key File will be a key file type Master Certificate Authority CA certificate and ...

Page 74: ...pply to save changes. Note: Please make sure that the console server system time is correct when working with OpenVPN. Otherwise authentication issues may arise. Select Statistics on the Status menu to verify that the tunnel is operational. 4.10.3 Windows OpenVPN Client and Server set-up. Windows does not come with an OpenVPN server or client. This section outlines the installation and configuration of a...

Page 75: ...guration file is shown below:
server 10.100.10.0 255.255.255.0
port 1194
keepalive 10 120
proto udp
mssfix 1400
persist-key
persist-tun
dev tun
ca c:\\openvpnkeys\\ca.crt
cert c:\\openvpnkeys\\server.crt
key c:\\openvpnkeys\\server.key
dh c:\\openvpnkeys\\dh.pem
comp-lzo
verb 1
syslog LES1216_OpenVPN_Server
The Windows client/server configuration file options are: Options / Description. description: This is a comme...

Page 76: ...location. Each client should have its own certificate and key files. Note: Ensure each \ in the directory path is replaced with \\. key (file name): Enter the file name and location of the client's or server's key. Each client should have its own certificate and key files. Note: Ensure each \ in the directory path is replaced with \\. dh (file name): This is used by the server only. Enter the path to the key with the Diff...

Page 77: ...isplay a message notifying of the successful connection and assigned IP. This information, as well as the time the connection was established, is available anytime by scrolling over the OpenVPN icon. Note: An alternate OpenVPN Windows client can be downloaded from http://www.openvpn.net/index.php/openvpn-client/downloads.html. Refer to http://www.openvpn.net/index.php/openvpn-client/howto-openvpn-client.htm...

Page 78: ...tructure. It is generally used for connecting single remote Windows clients. If you take your portable computer on a business trip, you can dial a local number to connect to your Internet access service provider (ISP) and then create a second connection (tunnel) into your office network across the Internet, and have the same access to your corporate network as if you were connected directly from your offi...

Page 79: ...t password authentication. When using this type of authentication, the client password is transmitted unencrypted. None. Select the Required Encryption Level. Access is denied to remote users attempting to connect not using this encryption level. Strong (40-bit or 128-bit) encryption is recommended. In Local Address, enter the IP address to assign to the server's end of the VPN connection. In Remote Addresses, en...

Page 80: ...ote PPTP client. Ensure the remote VPN client PC has Internet connectivity. To create a VPN connection across the Internet, you must set up two networking connections. One connection is for the ISP, and the other connection is for the VPN tunnel to the console server. Note: This procedure sets up a PPTP client in the Windows 7 Professional operating system. The steps may vary slightly depending on your ne...

Page 81: ...o the local network, you need to know the user name and password for the PPTP account you added, as well as the Internet IP address of the console server. If your ISP has not allocated you a static IP address, consider using a dynamic DNS service. Otherwise you must modify the PPTP client configuration each time your Internet IP address changes. ...

Page 82: ...l-up modem out-dial failover; OoB access using an alternate broadband link (LES1508A, LES1408A, LES1416A, LES1432A, LES1448A, LES1308A, LES1316A, LES1332A, LES1348A, LES1208A-R2, LES1216A-R2, LES1232 and LES1248A-R2 models only); broadband failover; firewall and routing. 5.1 OoB Dial-In access. To enable OoB dial-in access, you first configure the console server. Once it's set up for dial-in PPP access, the console se...

Page 83: ...e front of the unit. 5.1.1 Configure Dial-In PPP. To enable dial-in PPP access on the modem: Select the System: Dial menu option and the port to be configured (Serial DB9 Port or Internal Modem Port). Check Enable Dial-In. Note: The console server console/modem serial port is set by default to 115200 baud, No parity, 8 data bits and 1 stop bit, with software (Xon/Xoff) flow control enabled for the Serial DB9 Po...

Page 84: ...trators who dial in to the console server. For dial-in access, the username and password received from the dial-in client are verified against the local authentication database stored on the console server. The Administrator must also configure the client PC/workstation to use the selected authentication scheme. Select PAP, CHAP, MSCHAPv2 or None and click Apply. None: With this selection, no username or p...

Page 85: ...ine level. 5.1.2 Using SDT Connector client. Administrators can use their SDT Connector client to set up secure OoB dial-in access to all their remote console servers. With a point and click, you can initiate a dial-up connection. Refer to Chapter 6.5. 5.1.3 Set up Windows XP/2003/Vista/7 client. Open Network Connections in Control Panel and click the New Connection Wizard. Select Connect to the Internet ...

Page 86: ...thods for establishing a dial-up PPP connection: Command line PPP and manual configuration (works with any Linux distribution). Using the Linuxconf configuration tool (for Red Hat compatible distributions); this configures the scripts ifup/ifdown to start and stop a PPP connection. Using the Gnome control panel configuration tool. WVDIAL and the Redhat Dialup configuration tool. GUI dial program X-isp. Downl...

Page 87: ... you configure the principal Network 1 Settings connection, the Failover Interface is set to None. 5.3 Broadband Ethernet Failover. The second Ethernet port on the LES1508A, LES1408A, LES1416A, LES1432A, LES1448A, LES1308A, LES1316A, LES1332A, LES1348A, LES1208A-R2, LES1216A-R2, LES1232A and LES1248A-R2 console servers can also be configured for failover, to ensure transparent high availability. When configuring ...

Page 88: ...ial-out connection is always on. In both of the above cases, in the event of a disruption in the dial-out connection, the console server will endeavor to re-establish the connection. 5.4.1 Always-on dial-out. The console server modem can be configured for out-dial to be always on, with a permanent external dial-up ppp connection. Select the System: Dial menu option and check Enable Dial-Out to allow outgo...

Page 90: ... modem port (for example, to include modem init strings) by editing /etc/mgetty config files, as described in Chapter 13. 5.5 Cellular Modem connection. The LES1408A, LES1416A, LES1432A, LES1448A, LES1308A, LES1316A, LES1332A and LES1348A console servers have an internal cellular modem. The LES1508A, LES1208A-R2, LES1216A-R2, LES1232A and LES1248A-R2 console servers support external cellular modems. These modems fi...

Page 91: ...ther fields blank. Enter the carrier's APN, e.g. for AT&T (USA) simply enter i2gold; for T-Mobile (USA) enter epc.tmobile.com; for InterNode (Aust) enter internode; and for Telstra (Aust) enter telstra.internet. If the SIM Card is configured with a PIN Code, you will be required to unlock the Card by entering the PIN Code. If the PIN Code is entered incorrectly three times, then the PUK Code will be required to unl...

Page 92: ...em: Dial menu. A particular phone number will need to be dialed to complete OTASP, e.g. Verizon uses *22899, Telus uses *22886. Click Activate to initiate the OTASP call. The process is successful if no errors are displayed and you no longer see the CDMA Modem Activation form. If OTASP is unsuccessful, you can consult the System Logs for clues to what went wrong, at Status: Syslog. When OTASP has completed succ...

Page 93: ...ics screen. This will display the current state of the cellular modem, including the Received Signal Strength Indicator (RSSI). Note: Received Signal Strength Indicator (RSSI) is a measurement of the Radio Frequency (RF) power present in a received radio signal at the mobile device. It is generally expressed in dBm, and the best throughput comes from placing the device in an area with the highest RSSI. -100 dBm...

Page 94: ... the Public IP Address provided by the carrier. However, by default only HTTPS and SSH access is enabled on the OOB connection, so you can browse to the console server, but you cannot ping it. If you have a dynamic Public IP address plan, then a DDNS service will need to be configured to enable the remote administrator to initiate incoming access. Once this is done, you can then also try accessing the con...

Page 95: ...ace failover alert. You can check the connection status by selecting the Cellular panel on the Status: Statistics menu. o The Operational Status will change as the cellular modem finds a channel and connects to the network. o The Failover & Out-of-Band screen will display information relating to a configured Failover/OOB interface and the status of that connection. The IP Address of the Failover/OOB inte...

Page 96: ...nsole server to devices on remote networks. IP Masquerading is used to allow all the devices on your local private network to hide behind and share the one public IP address when connecting to a public network. This type of translation is only used for connections originating within the private network destined for the outside public network, and each outbound connection is maintained by using a diff...

Page 97: ...low all the devices on your local private network to hide behind and share the one public IP address when connecting to a public network. This type of translation is only used for connections originating within the private network destined for the outside public network, and each outbound connection is maintained by using a different source IP port number. By default, all console server models are con...

Page 98: ...he System: Firewall menu. Check Enable IP Masquerading (SNAT) on the network interfaces where masquerading is to be enabled. Generally, this masquerading would be applied to any interface that is connecting with a public network such as the Internet. 5.8.2 Configuring client devices. Client devices on the local network must be configured with Gateway and DNS settings. This can be done statically on each devic...

Page 99: ... addresses. To reserve an IP address for a particular host: ... Once applied, devices on the internal network will be able to access resources on the external network. Note: The DHCP server feature is available only on the LES1508A, LES1408A, LES1416A, LES1432A, LES1448A, LES1308A, LES1316A, LES1332A, LES1348A, LES1208A-R2, LES1216A-R2, LES1232A and LES1248A-R2 console servers. It is not supported on LES1108A, LES111...

Page 100: ...l network where packets sent to the Input Interface on the input port range are sent. Output Port Range: The port or ports that the packets will be redirected to on the Output Address. For example, to forward port 8443 to an internal HTTPS server on 192.168.10.2, the following settings would be used: Input Interface: Any; Input Port Range: 8443; Protocol: TCP; Output Address: 192.168.10.2; Output Port Range: 443...

Page 101: ... or address range) to match. IP address ranges use the format ip/netmask (where netmask is in bits 1-32). This may be left blank for Any. Destination Range: Specify the destination IP address/address range to match. IP address ranges use the format ip/netmask (where netmask is in bits 1-32). This may be left blank. Protocol: Select if the firewall rule will apply to TCP or UDP. Direction: Select the traffic dire...

Page 102: ...ses, SysAdmin and Tony. To allow all incoming traffic on all interfaces from the SysAdmin; to allow all incoming traffic from Tony; to block all incoming traffic from the Network Interface:
Interface:      Any | Any | Network Interface
Port Range:     Any | Any | Any
Source IP:      IP address of SysAdmin | IP address of Tony | Any
Destination IP: Any | Any | Any
Protocol:       TCP | TCP | TCP
Direction:      Ingress | Ingress | Ingress
Action:         Accept | Acce...

Page 103: ...r install and launch SSH client software on the User/Administrator's PC. Black Box recommends you use the SDT Connector client software supplied with the console server for this. SDT Connector is simple to install and auto-configure, and it provides all your users with point-and-click access to all the systems and devices in the secure network. With one click, SDT Connector sets up a secure SSH tunnel ...

Page 104: ...warded inside tunnel. 80: HTTP on local LAN, forwarded inside tunnel. 3389: RDP on local LAN, forwarded inside tunnel. 5900: VNC on local LAN, forwarded inside tunnel. 73XX: RDP over serial from local LAN (where XX is the serial port number, that is 7301 to 7348 on a 48-port console server). 79XX: VNC over serial from local LAN (where XX is the serial port number). Add the new Users using Serial & Network: Users & Groups...

Page 105: ... desktop. Click the SDT Connector icon on your desktop to start the client. Note: SDT Connector is a Java application, so it must have a Java Runtime Environment (JRE) installed. You can download this for free from http://java.sun.com/j2se. It installs on Windows 2000, XP, 2003, Vista and 7 PCs and on most Linux platforms. Solaris platforms are also supported, but they must have Firefox installed. SDT Connector c...

Page 106: ...nternet or routed network, you will need to: Determine the public IP address of the console server (or of the router/firewall that connects the console server to the Internet) as assigned by the ISP. One way to find the public IP address is to access http://checkip.dyndns.org or http://www.whatismyip.com from a computer on the same network as the console server and note the reported IP address. Set port for...

Page 107: ... to that console server, that user must first be set up on the console server and must be authorized to access the specific ports/hosts (refer to Chapter 5). Only these permitted services will be forwarded through by SSH to the Host. All other services (TCP/UDP ports) will be blocked. 6.2.3 Auto-configure SDT Connector client with the user's access privileges. Each user on the console server has an access p...

Page 108: ...Note: The Retrieve Hosts function will auto-configure all user classes, that is, they can be members of user or admin or some other group, or no group. SDT Connector will not auto-configure the root, and we recommend that you only use this account for initial config and to add an initial admin account to the console server. 6.2.4 Make an SDT connection through the gateway to a host. Simply point at the ho...

Page 109: ...te through the on-site console server Gateway. 6.2.5 Manually adding hosts to the SDT Connector gateway. For each gateway, you can manually specify the network connected hosts that you will access through that console server, and for each host specify the services that you will use to communicate with the host. Select the newly added gateway and click the Host icon to create a host that will be accessi...

Page 110: ...HTTP. Or select the client to use to access the local endpoint of the redirection. Select which Client application is associated with the new service. A range of client application options are pre-configured in the default SDT Connector (RDP client, VNC client, HTTP browser, HTTPS browser, Telnet client, etc.). If you want to add new client applications to this range, proceed to the next section (Adding a new c...

Page 111: ...he RAC web console. It automatically loads in a Java client served through the web browser, so it does not need to have a local client associated with it. On the Add Service screen, you can click Add as many times as needed to add multiple new port redirections and associated clients. You may also specify Advanced port redirection options: Enter the local address to bind to when creating the local endpo...

Page 112: ...tor binds as the local endpoint of the tunnel. Note that for UDP services, you still need to specify a TCP port under General. This will be an arbitrary TCP port that is not in use on the gateway. An example of this is the SOL Proxy service: it redirects local UDP port 623 to remote UDP port 623 over the arbitrary TCP port 6667. 6.2.7 Adding a client program to be started for the new service. Clients are...

Page 113: ...ddress to which the local endpoint of the redirection is bound (that is, the Local Address field for the Service redirection Advanced options). port is the local port to which the local endpoint of the redirection is bound (that is, the Local TCP Port field for the Service redirection Advanced options). If this port is unspecified (that is, Any), the appropriate randomly selected port will be substituted. For ...

Page 114: ... secure SSH tunnel from the remote Client PC to the console server. 6.3 SDT Connector to Management Console. You can also configure SDT Connector for browser access to the console server's Management Console, and for Telnet or SSH access to the command line. For these connections to the console server itself, you must configure SDT Connector to access the Gateway itself by setting the Gateway console s...

Page 115: ...roll to the bottom and click Apply. Administrators by default have gateway access privileges. For Users to access the console server Management Console, you will need to give those Users the required access privileges: Select Users & Groups from Serial & Network. Click Add User. Enter a Username, Description and Password/Confirm. Select 127.0.0.1 from Accessible Host(s) and click Apply. 6.4 SDT Connector telnet...

Page 116: ...erver and select Serial Port from Serial & Network. Click Edit next to the selected Port (for example, Port 2 if the target device is attached to the second serial port). Make sure the port's serial configuration is appropriate for the attached device. Scroll down to Console server Setting and select Console server Mode. Check Telnet or SSH, scroll to the bottom and click Apply. Select Network Hosts from Ser...

Page 117: ... the network, diagnose any connectivity issues and restore the gateway's primary link. In SDT Connector, to configure OoB access, you provide the secondary IP address of the gateway and tell SDT Connector how to start and stop the OoB connection. You can start an OoB connection by initiating a dial-up connection or adding an alternate route to the gateway. SDT Connector allows for maximum flexibility. It...

Page 118: ...t of Band Connection" /wait /min rasdial network_connection /disconnect, where network_connection is the name of the network connection as displayed in Control Panel: Network Connections. To stop a pre-configured dial-up connection under Linux, use the following Stop Command: poff network_connection. To make the OoB connection using SDT Connector: Select the console server and click Out Of Band. The status ba...

Page 119: ...n or a similar tool. You may use RSA or DSA; however, leave the passphrase field blank. PuTTYgen: http://www.chiark.greenend.org.uk/~sgtatham/putty/download.html. OpenSSH: http://www.openssh.org. OpenSSH (Windows): http://sshwindows.sourceforge.net/download. Upload the public part of your SSH key pair (this file is typically named id_rsa.pub or id_dsa.pub) to the SSH gateway, or otherwise add it to .ssh/authorized_keys in ...

Page 120: ...ugh an authenticated and encrypted tunnel. SDT with RDP also allows remote Users to connect to Windows XP, Vista, Server 2003 and Server 2008 computers and to Windows 2000 Terminal Servers, and to access all of the applications, files and network resources (with full graphical interface) just as though they were in front of the computer screen at work. To set up a secure Remote Desktop connection, enable...

Page 121: ...l sessions. More than one user can have active sessions on a single computer. When the remote user connects to the accessed computer on the console session, Remote Desktop automatically locks that computer (no other user can access the applications and files). When you come back to your computer at work, you can unlock it by typing CTRL+ALT+DEL. 6.8.2 Configure the Remote Desktop Connection client. Now tha...

Page 122: ...rt 3 on a console server located at 192.168.0.50, then you would enter 192.168.0.50:7303. Where there is an SSH tunnel over a dial-up PPP connection, or over a public internet connection or private network connection, simply enter the localhost as the IP address, 127.0.0.1. For Port Number, enter the source port you created when setting up SSH tunneling/port forwarding in Section 6.1.6, for example 1234. Clic...

Page 123: ...n Windows Me, Windows NT 4.0 and Windows 2000. When run, this software allows these older Windows platforms to remotely connect to a computer running current Windows. B. On a Linux or UNIX client PC, launch the open source rdesktop client: rdesktop -u windows-user-id -p windows-password -g 1200x950 ms-windows-terminal-server-host-name. Option / Description: -a Color depth: 8, 16, 24. -r Device redirection: Redirect so...

Page 124: ... Hat 8.0 or other distributions of Linux: download source, untar, configure, make, make then install. rdesktop currently runs on most UNIX based platforms with the X Window System and can be downloaded from http://www.rdesktop.org. C. On a Macintosh client: Download Microsoft's free Remote Desktop Connection client for Mac OS X: http://www.microsoft.com/mac/otherproducts/otherproducts.aspx?pid=remotedesktopclie...

Page 125: ... other architectures. There is a Windows server, allowing you to view the desktop of a remote Windows machine on any of these platforms using exactly the same viewer. RealVNC was founded by members of the AT&T team who originally developed VNC. TightVNC (http://www.tightvnc.com) is an enhanced version of VNC. It has added features such as file transfer, performance improvements and read-only password suppor...

Page 126: ...either come with VNC bundled or have third party VNC software that you can download. 6.9.2 Install, configure and connect the VNC Viewer. VNC is truly platform-independent, so a VNC Viewer on any operating system can connect to a VNC Server on any other operating system. There are Viewers and Servers from a wide selection of sources (for example UltraVNC, TightVNC or RealVNC) for most operating systems. Th...

Page 127: ...iewer PC is connected directly to the console server (i.e. locally, or remotely through a VPN or dial-in connection) and the VNC Host computer is serially connected to the console server, enter the IP address of the console server unit with the TCP port that the SDT tunnel will use. The TCP port will be 7900 plus the physical serial port number (i.e. 7901 to 7948), so all traffic directed to port 79xx on th...

Page 128: ...magazine/007may05/features/vnc. Wikipedia, general background on VNC: http://en.wikipedia.org/wiki/VNC. 6.10 Using SDT to IP connect to hosts that are serially attached to the gateway. Network (IP) protocols like RDP, VNC and HTTP can also be used for connecting to host devices that are serially connected through their COM port to the console server. To do this, you must establish a PPP connection (Section 6.7...

Page 129: ...C/HTTP/X connection to the console server. Open Network Connections in Control Panel and click the New Connection Wizard. Select Set up an advanced connection and click Next. On the Advanced Connection Options screen, select Accept Incoming Connections and click Next. Select the Connection Device (i.e. the serial COM port on the Windows computer that you cabled through to the console server). By default, se...

Page 130: ...t TCP/IP and click Properties. Select Specify TCP/IP addresses on the Incoming TCP/IP Properties screen, select TCP/IP, nominate a From and a To TCP/IP address and click Next. Note: You can choose any TCP/IP addresses so long as they are addresses that are not used anywhere else on your network. The From address will be assigned to the Windows XP/2003 computer and the To address will be used by the cons...

Page 131: ...rial port number on the console server. The default Password is portXX. To use the defaults for an RDP connection to serial port 2 on the console server, you would have set up a Windows user named port02. When the PPP connection has been set up, a network icon will appear in the Windows task bar. Note: The above notes describe setting up an incoming connection for Windows XP. The steps are similar for ...

Page 132: ...er COM port. Select the Serial & Network: Serial Port menu option and click Edit for the particular Serial Port that is connected to the Windows computer COM port. On the SDT Settings menu, select SDT Mode (this will enable port forwarding and SSH tunneling) and enter a Username and User Password. Note: When you enable SDT, it will override all other Configuration protocols on that port. Note: If you leave the...

Page 133: ... (e.g. PuTTY). As covered in the previous sections of this chapter, we recommend that you use the SDT Connector client software that is supplied with the console server. There's also a wide selection of commercial and free SSH client programs that can provide the secure SSH connections to the console servers and secure tunnels to connected devices. PuTTY is a complete (though not very user friendly) freeware...

Page 134: ...d in Add new forwarded port, enter any high unused port number for the Source port (for example, 54321). Set the Destination IP details. If your destination device is network connected to the console server and you are connecting using RDP, set the Destination as Managed Device IP address/DNS Name:3389. For example, if when setting up the Managed Device as a Network Host on the console server you specified i...

Page 135: ...rtXX:3389, where XX is the SDT-enabled serial port number. For example, if port 4 on the console server is to carry the RDP traffic, then specify port04:3389. Note: http://www.jfitz.com/tips/putty_config.html has useful examples on configuring PuTTY for SSH tunneling. Select Local and click the Add button. Click Open to SSH connect the Client PC to the console server. You will now be prompted for the User...

Page 136: ...ecurity is very important. VNC uses a random challenge-response system to provide the basic authentication that allows you to connect to a VNC server. This is reasonably secure, and the password is not sent over the network. Once connected, however, all subsequent VNC traffic is unencrypted. A malicious user could snoop your VNC session. There are also VNC scanning programs available, which will scan a subnet look...

Page 137: ...ved (Section 7.4). All console server models can maintain log records of all access and communications with the console server and with the attached serial devices. A log of all system activity is also maintained, as is a history of the status of any attached environmental monitors. Some models also log access and communications with network attached hosts and maintain a history of the UPS and PDU power...

Page 138: ...Specify the Reset Timeout for the time in seconds after resolution to delay before this Auto Response can be triggered again. Check Repeat Trigger Actions to continue to repeat trigger action sequences until the check is resolved. Enter any required delay time before repeating trigger actions in Repeat Trigger Action Delay. This delay starts after the last action is queued. Check Disable Auto Response...

Page 139: ...pe as being Above Trigger Value or Below Trigger Value to trigger. Specify any Hysteresis factor that is to be applied to environmental measurements (e.g. if an Auto Response was set up with a trigger event of a battery charge below 20% with a Hysteresis of 5, then the trigger condition would not be seen as having been resolved till the battery charge was above 25%). Check Save Auto Response. Note: Before c...

Page 140: ...nse. Note: Before configuring serial port checks in Auto Response, you first must configure the serial port in Console server mode. Also, most serial port checks are not resolvable, so resolve actions will not be run. 7.2.4 ICMP Ping. To use a ping result as the Auto Response trigger event: Click on ICMP Ping as the Check Condition. Specify which Address to Ping (i.e. the IP address or DNS name to send ICMP Ping ...

Page 141: ...ig/test.sh. Set the Check Frequency (i.e. the time in seconds between re-running the script) and the Script Timeout (i.e. the maximum run time for the script). Specify the Successful Return Code. An Auto Response is triggered if the return code from the script is not this value. Enter Arguments that are to be passed to the script (e.g. with a web page html check script, these Arguments might specify the web pa...

Page 142: ...tion. So you can add follow-on actions to create a sequence of actions that will be taken in the event of the one trigger condition. To edit or delete an existing action, click the Modify or Delete icon in the Scheduled Trigger Action table. Note: A message text can be sent with Email, SMS and Nagios actions. This configurable message can include selected values: AR_TRIGGER_VAL (the trigger value for the c...

Page 143: ...lick on Perform RPC Action as the Add Trigger Action. Enter a unique Action Name and set the Action Delay Time. Select a power Outlet and specify the Action to be performed (power On, OFF or Cycle). Click Save New Action. 7.3.4 Run Custom Script. Click on Run Custom Script as the Add Trigger Action. Enter a unique Action Name and set the Action Delay Time. Create a script file to execute when this action is...

Page 144: ...action type to be taken. Note: Resolve Actions are configured exactly the same as Trigger Actions, except that the designated Resolve Actions are all executed on resolution of the trigger condition and there are no Action Delay Times set. 7.5 Configure SMTP, SMS, SNMP and/or Nagios service for alert notifications. The Auto Response facility enables remote alerts to be sent as Trigger and Resolve Actions. Befor...

Page 145: ...Line that will be sent with the email. Click Apply to activate SMTP. 7.5.2 Send SMS alerts. With any model console server, you can use email-to-SMS services to send SMS alert notifications to mobile devices. Almost all mobile phone carriers provide an SMS gateway service that forwards email to mobile phones on their networks. There's also a wide selection of SMS gateway aggregators who provide email to ...

Page 146: ...milarly, you can specify the specific Subject Line that will be sent with the email. Generally, the email subject will contain a truncated version of the alert notification message (which is contained in full in the body of the email). However, some SMS gateway service providers require blank subjects, or require specific authentication headers to be included in the subject line. Click Apply Settings to ac...

Page 147: ... management application. Select Alerts & Logging: SNMP. Enter the SNMP transport protocol. SNMP is generally a UDP-based protocol, though infrequently it uses TCP instead. Enter the IP address of the SNMP Manager and the Port to use for connecting (default 162). Select the version being used. The console server SNMP agent supports SNMP v1, v2 and v3. Enter the Community name for SNMP v1 or 2c. An SNMP community ...

Page 148: ... details. 7.5.4 Nagios alerts. To notify the central Nagios server of Alerts, NSCA must be enabled under System: Nagios, and Nagios must be enabled for each applicable host or port under Serial & Network: Network Hosts or Serial & Network: Serial Ports (refer to Chapter 10). 7.6 Logging. The console server can maintain log records of auto-response events and log records of all access and communications events wi...

Page 149: ...ng the web terminal or by ssh/telnet connecting to the console server. 7.6.2 Serial port logging. In Console Server mode, activity logs can be maintained of all serial port activity. To specify which serial ports are to have activities recorded, and to what level data is to be logged: Select Serial & Network: Serial Port and Edit the port to be logged. Specify the Logging Level for each port as: Level 0: T...

Page 150: ...are authorized to be used, you also must set up the level of logging that is to be maintained for each service. Specify the logging level that is to be maintained for that particular TCP/UDP port/service on that particular Host: Level 0: Turns off logging for the selected TCP/UDP port to the selected Host. Level 1: Logs all connection events to the port. Level 2: Logs all data transferred to and from the ...

Page 151: ...server serial port to operate with a serial COM port redirector in the PC (as detailed in Chapter 4). Similarly, you can control network attached PDUs with a browser (for example with SDT, as detailed in Chapter 6.3), an SNMP management package, or using the vendor supplied control software. Servers and network attached appliances with embedded IPMI service processors or BMCs invariably have their own manag...

Page 152: ... presents a list of serial ports and network Host connections that you have set up with device type RPC but have yet to connect to a specific RPC device When you select Connect Via for a Network RPC connection then the corresponding Host Name Description that you set up for that connection will be entered as the Name and Description for the power device Or if you select to Connect Via a Serial con...

Page 153: ...onnected If you are connecting to the RPC via the network you will be presented with the IPMI protocol options and the SNMP RPC Types currently supported by the embedded Network UPS Tools If you are connecting to the RPC by a serial port you will be presented with all the serial RPC types currently supported by the embedded PowerMan and the Black Box power manager ...

Page 154: ...s If your PDU is not on the default list then you can add support directly as covered in Chapter 14 Advanced Configurations or add the PDU support to either the Network UPS Tools or PowerMan open source projects Configure IPMI service processors and BMCs so that all authorized users can use the Management Console to remotely cycle power and reboot computers even when their operating system is unre...

Page 155: ... you will be presented with a table of the history and detailed graphical information on the selected RPC Click Manage to query or control the individual power outlet This will take you to the Manage Power screen 8 2 Uninterruptible Power Supply control UPS You can configure all Black Box console servers to manage locally and remotely connected UPS hardware using Network UPS Tools Network UPS Tool...

Page 156: ...this UPS and runs a upsd server to allow other computers that are drawing power through the UPS slaves to monitor the UPS status and take appropriate action such as shutdown when the UPS battery is low The console server may or may not be drawing power itself through the Managed UPS When the UPS s battery power reaches critical the console server signals and waits for slaves to shut down then powe...

Page 157: ...s etc required by the UPS refer to Chapter 4 1 1 Common Settings Then select UPS as the Device Type For each network connected UPS go to the Serial Network Network Hosts menu and configure the UPS as a connected Host by specifying it as Device Type UPS and clicking Apply No such configuration is required for USB connected UPS hardware Select the Serial Network UPS Connections menu The Managed UPSe...

Page 158: ...r device Or if you selected to Connect Via a USB or serial connection then you will need to enter a Name and Description for the power device and these details will also be used to create a new Managed Device entry for the serial USB connected UPS devices Enter the login details This Username and Password is used by slaves of this UPS that is other computers that are drawing power through this UPS...

Page 159: ...onitored using Nagios central management Check Enable Shutdown Script if this is the UPS providing power to the console server itself and if a critical power failure occurs you can perform any last gasp actions on the console server before power is lost Place a custom script in etc config scripts ups shutdown you may use the provided etc scripts ups shutdown as a template This script only runs whe...

Page 160: ...t these remote sites would enable the system manager to centrally monitor the status of the power supplies at all sites and centralize alarms So he she can be warned to initiate a call out or shut down Check Log Status and specify the Log Rate minutes between samples if you want the status from this UPS to be logged You can view these logs from the Status UPS Status screen Check Enable Shutdown Sc...

Page 161: ...ame of the Managed UPS password is the Password of the Managed UPS There are NUT monitoring clients available for Windows computers WinNUT If you have an RPC PDU you can shut down UPS powered computers and other equipment if they don t have a client running for example communications and surveillance gear Set up a UPS alert and using this to trigger a script that controls a PDU to shut off ...

Page 162: ...s information from all the Managed and Monitored UPS systems This information will be logged for all UPSes that were configured with Log Status checked The information is also presented graphically 8 2 6 Overview of Network UPS Tools NUT NUT is built on a networked model with a layered scheme of drivers server and clients Configure NUT using the Management Console as described above or configure t...

Page 163: ...network upsd can cache the status from multiple UPSes and then serve this status data to many clients upsd also contains access control features to limit the abilities of the clients only authorized hosts may monitor or control the UPS hardware There are a number of NUT clients that connect to upsd to check on the status of the UPS hardware and do things based on the status These clients can run o...

Page 164: ...single UPS using only their network connections There is a wide selection of client programs that support monitoring UPS hardware via NUT Big Sister Cacti Nagios and more Central management of multiple NUT servers A central NUT client can monitor multiple NUT servers that may be distributed throughout the data center across a campus or around the world NUT supports the more complex power architect...

Page 165: ... handshake protocol It is not an RS 232 device and should not be connected without the adapter Plug the male RJ plug on the EMD Adapter into EMD and then connect it to the console server serial port using the provided UTP cable If the 6 foot 2 meter UTP cable provided with the EMD is not long enough you can replace it with a standard CAT5 UTP cable up to 33 feet 10 meters long Screw the bare wires...

Page 166: ... Box console server you cannot connect it to standard RS 232 serial ports on other appliances Select Environmental as the Device Type in the Serial Network Serial Port menu for the port to which the EMD will be attached No particular Common Settings are required Click Apply Select the Serial Network Environmental menu This will display all the EMD connections that have already been configured Clic...

Page 167: ...ed Device with the same name 8 3 2 Environmental alerts You can now set temperature humidity and probe status alerts using Alerts Logging Alerts refer to Chapter 7 8 3 3 Environmental status You can monitor the current status of all EMDs and their probes Select the Status Environmental Status menu and a table with the summary status of all connected EMD hardware will be displayed Click on View Log...

Page 168: ...for all connections to the console server and attached serial and network host devices This chapter also covers how to establish a secure link to the Management Console using HTTPS and using OpenSSL and OpenSSH to establish a secure Administration connection to the console server 9 1 Authentication configuration Authentication can be performed locally or remotely using an LDAP Radius or TACACS aut...

Page 169: ...uthentication first falling back to local if the remote authentication returns an error condition for example if the remote authentication server is down or inaccessible 9 1 1 Local authentication Select Serial and Network Authentication and check Local Click Apply 9 1 2 TACACS authentication Perform the following procedure to configure the TACACS authentication method to use whenever the console ...

Page 170: ...CS The Terminal Access Controller Access Control System TACACS security protocol is a recent protocol developed by Cisco It provides detailed accounting information and flexible administrative control over the authentication and authorization processes TACACS allows for a single access control server the TACACS daemon to provide authentication authorization and accounting services independently Ea...

Page 171: ...ce RADIUS protocol was developed by Livingston Enterprises as an access server authentication and accounting protocol The RADIUS server can support a variety of methods to authenticate a user When it is provided with the username and original password given by the user it can support PPP PAP or CHAP UNIX login and other authentication mechanisms You can find further information on configuring remo...

Page 172: ...ed to add the user account Click Apply LDAP remote authentication will now be used for all user access to console server and serially or network attached devices LDAP The Lightweight Directory Access Protocol LDAP is based on the X 500 standard but is significantly simpler and more readily adapted to meet custom needs The core LDAP specifications are all defined in RFCs LDAP is a protocol used to ...

Page 173: ...User Paul is defined on a RADIUS server only He has access to all serial ports and network hosts Example 4 User Don is locally defined on an appliance using RADIUS for AAA Even if Don is also defined on the RADIUS server he will only have access to those serial ports and network hosts he has been authorized to use on the appliance If a no local AAA option is selected then root will still be authen...

Page 174: ...are ignored When setting the Framed Filter Id the system may also remove the leading colon for an empty field To work around this add some dummy text to the start of the string For example dummy group_name testgroup1 users If no group is specified for a user for example AmandaJones then the user will have no User Interface and serial port access but limited console access Default groups available ...

Page 175: ... fields for standard LDAP authentication including LDAP Server Address Server Password LDAP Base DN LDAP Bind DN and LDAP User Name Attribute Enter memberOf for LDAP Group Membership Attribute as group membership is currently only supported on Active Directory servers If required enter the group information for LDAP Console Server Group DN and or LDAP Administration Group DN A user must be a membe...

Page 176: ...f the attribute value string is 255 characters To use an attribute name other than groupname set Authentication TACACS TACACS Group Membership Attribute 9 1 10 Idle timeout You can specify the amount of time in minutes the console server waits before it terminates an idle ssh pmshell or web connection Select Serial and Network Authentication Web Management Session Timeout specifies the browser console...

Page 177: ...ules The console server supports RADIUS TACACS and LDAP for two factor authentication via PAM Pluggable Authentication Modules PAM is a flexible mechanism for authenticating users Nowadays a number of new ways of authenticating users have become popular The challenge is that each time a new authentication scheme is developed you need to rewrite all the necessary programs login ftpd etc to support ...

Page 178: ...o log in to the console server RADIUS users will be authorized each time they access a new resource Admin rights granted over AAA Users may be granted Administrator rights via networked AAA For TACACS a priv lvl of 12 or above indicates an Administrator For RADIUS Administrators are indicated via the Framed Filter ID See the example configuration files below for example Authorization via TACACS fo...

Page 179: ...Activate your preferred browser and enter https IP address Your browser may respond with a message that verifies the security certificate is valid but notes that it is not necessarily verified by a certifying authority To proceed you need to click yes if you are using Internet Explorer or select accept this certificate permanently or temporarily if you are using Mozilla Firefox You will then be pr...

Page 180: ... department within an organization the console server belongs to Organization The name of the organization that the console server belongs to Locality City The city where the organization is located State Province The state or province where the organization is located Country The country where the organization is located This is the two letter ISO code for example DE for Germany or US for the USA...

Page 181: ...ration The CSR can be downloaded to your administration machine with the Download button Send the saved CSR string to a Certification Authority CA for certification You will get the new certificate from the CA after a more or less complicated traditional authentication process depending on the CA Upload the certificate to the console server using the Upload button as shown below After completing t...

Page 182: ...ributed monitoring Additionally the Advanced Console Server LES1408A LES1416A LES1432A LES1448A LES1308A LES1316A LES1332A LES1348A LES1208A R2 LES1216A R2 LES1232A LES1248A R2 family supports extensive customizable distributed monitoring Even if distributed monitoring is not required the console servers can be deployed locally alongside the Nagios monitoring host server to provide additional diag...

Page 183: ...y available plug ins to make detailed checks of specific services for example don t just check that a database is accepting network connections check that it can actually validate requests and return real data Display warnings and send warning e mails pager or SMS alerts when a service failure or degradation is detected Assign contact groups who are responsible for specific services in specific ti...

Page 184: ...ation Wizard on the central Nagios server Section 10 2 3 Set up SDT Nagios on central Nagios server and perform any additional configuration tasks iv Install SDT Connector on each client Section 10 2 4 Set up clients 10 2 1 Set up central Nagios server SDT for Nagios requires a central Nagios server running Nagios 2 x or 3 x Nagios 1 x is not supported The Nagios server software is available for m...

Page 185: ...le server Management Console Check Nagios service Enabled Enter the Host Name and the Nagios Host Address for example IP address that the central Nagios server will use to contact the distributed Black Box console server Enter the IP address that the distributed Black Box console server will use to contact the central Nagios server in Nagios Server Address Enter the IP address that the clients run...

Page 186: ... menu Locate the serial port that has the router console port attached and click Edit Make sure the serial port settings under Common Settings are correct and match the attached router s console port Click Console server Mode and select Logging Level 1 Check Telnet SSH access is not required as SDT Connector is used to secure the otherwise insecure Telnet connection Scroll down to Nagios Settings ...

Page 187: ... console server that you want to monitor must have Nagios enabled and any specific Nagios checks configured Configure the central upstream Nagios monitoring host 10 3 1 Enable Nagios on the console server Select System Nagios on the console server Management Console and tick the Nagios service Enabled Enter the Nagios Host Name that the Console server will be referred to in the Nagios central serv...

Page 188: ...he sample Nagios configuration example below for details about how to configure specific NRPE checks By default the console server will accept a connection between the upstream Nagios monitoring server and the NRPE server with SSL encryption without SSL or tunneled through SSH The security for the connection is configured at the Nagios server 10 3 3 Enable NSCA monitoring NSCA is the mechanism tha...

Page 189: ... monitor a service that you have previously added as a Permitted Service Select Check TCP UDP to specify a service port that you want to monitor without allowing external SDT Connector access Select Check TCP to monitor The Nagios Check nominated as the check host alive check is the check used to determine whether the network host itself is up or down Typically this will be Check Ping although in ...

Page 190: ...if a check was late for details see the Nagios documentation http www nagios org docs on Service and Host Freshness Checks Host definitions Black Box console server define host use generic host host_name Black Box alias Console server address 192 168 254 147 Managed Host define host use generic host host_name server alias server address 192 168 254 227 NRPE daemon on gateway define command command...

Page 191: ...ndency name Black Box_nrpe_daemon_dep host_name Black Box dependent_host_name server dependent_service_description Serial Status service_description NRPE Daemon execution_failure_criteria w u c Port Log define command command_name check_port_log command_line USER1 check_nrpe H 192 168 254 147 p 5666 c port_log_ HOSTNAME define service service_description Port Log host_name server use generic servi...

Page 192: ...host_name server use generic service check_command check_ping_via_Black Box define service service_description host ping server host_name server use generic service check_command check_ping_via_Black Box active_checks_enabled 0 passive_checks_enabled 1 define servicedependency name Black Box_nrpe_daemon_dep host_name Black Box dependent_host_name server dependent_service_description Host Ping serv...

Page 193: ...vice This status is then communicated to the upstream Nagios server that uses the results to monitor the current status of the distributed network Each console server is preconfigured with a selection of the checks that are part of the Nagios plug ins package check_tcp and check_udp are used to check open ports on network hosts check_ping is used to check network host availability check_nrpe is us...

Page 194: ...ts primarily check_log sh To configure additional checks save the downloaded plug in program in the tftp addins directory on the USB flash and save the downloaded text plug in file in etc config To enable these new additional checks select Serial Network Network Port then Edit the Network Host you want to monitor and select New Checks The additional check option is included in the updated Nagios ...

Page 195: ... be avoided by setting up an SSH session to the console server and tunneling the NRPE port This allows the NRPE daemon to run securely without SSL encryption because SSH will provide the security When the console server submits NSCA results it staggers them over a certain time period for example 20 checks over 10 minutes will result in two check results every minute Staggering the results like thi...

Page 196: ...the Nagios server that s waiting passively You can also configure it to service NRPE commands to perform checks on demand In this situation the console server will perform checks based on both serial and network access Remote site with restrictive firewall In this scenario the role of the console server will vary One aspect may be to upload check results through NSCA Another may be to provide an S...

Page 197: ...Remote site with no network access In this scenario the console server allows dial in access for the Nagios server Periodically the Nagios server will establish a connection to the console server and execute any NRPE commands before dropping the connection ...

Page 198: ...e System IP Address Chapter 3 3 Setting the permitted Services by which to access the gateway Chapter 3 4 Setting up OoB Dial in Chapter 5 Configuring the Dashboard Chapter 12 11 1 System Administration and Reset The Administrator can reboot or reset the gateway to default settings A soft reset is effected by Selecting Reboot in the System Administration menu and clicking Apply The console server ...

Page 199: ...s displayed in each page s header Or select Status Support Report and note the Firmware Version To upgrade you first must download the latest firmware image from the Black Box web site Save this downloaded firmware image file to a system on the same subnet as the console server Download and read the release_notes txt for the latest information To upload the firmware image file to your console serv...

Page 200: ...y time the console server is powered up To set the system time using NTP Select the Enable NTP checkbox on the Network Time Protocol page Enter the IP address of the remote NTP Server and click Apply Settings You must now also specify your local time zone so the system clock can show local time and not UTC Set your appropriate region locality in the Time Zone selection box and click Apply 11 4 Con...

Page 201: ...ervers LES1208A R2 LES1216A R2 LES1232A LES1248A R2 you can save the backup file locally on the console server USB storage To do this you must have an external USB flash drive installed To back up and restore using USB Make sure the USB flash is the only USB device attached to the console server and click Prepare Storage in the Local Configuration Backup menu This will set a Volume Label on the USB...

Page 202: ...to factory settings using the following steps If the configuration is stored on an external USB storage device unplug the storage device and reset to factory defaults as per section 11 1 of the user manual If the configuration is stored on an internal USB storage device reset it to factory defaults using a specially prepared USB storage device The USB storage device must be formatted with a Wind...

Page 203: ...VPN tunnel or modify system time Click the Commit Config button This will generate the System Commit Configuration screen displaying all the configurators to be run Click Apply to run all the configurators in the queue Alternately click Cancel and this will discard all the delayed configuration changes Note All the queued configuration changes will be lost if Cancel is selected To disable the Delay...

Page 204: ... R2 use an embedded OpenSSL cryptographic module that has been validated to meet the FIPS 140 2 standards and has received Certificate 1051 When configured in FIPS mode all SSH HTTPS and SDT Connector access to all services on the advanced console servers will use the embedded FIPS compliant cryptographic module To connect you must also be using cryptographic algorithms that are FIPS approved in y...

Page 205: ...that are covered elsewhere include UPS Status Chapter 8 2 RPC Status Chapter 8 1 Environmental Status Chapter 8 3 12 1 Port Access and Active Users The Administrator can see which Users have access privileges with which serial ports Select the Status Port Access The Administrator can also see the current status as to Users who have active sessions on those ports Select the Status Active Users 12 2...

Page 206: ...ur console server If you do experience a problem and have to contact tech support make sure you include the Support Report with your email support request The Support Report is generated when the issue is occurring and is attached in plain text format Select Status Support Report and you will be presented with a status snapshot Save the file as a text file and attach it to your support email 12 4 ...

Page 207: ...or for example the search for mount is shown below and click Apply The Syslog will then be represented with only those entries that actually include the specified pattern 12 5 Dashboard The Dashboard provides the Administrator with a summary of the status of the console server and its Managed Devices You can configure custom dashboards for each user group 12 5 1 Configuring the Dashboard Only user...

Page 208: ...u item If there is no dashboard layout configured for John but there is an admin group dashboard configured then you will see the admin group dashboard instead If there is no user dashboard or admin group dashboard configured then you will see the default dashboard The root user does not have its own dashboard Use the above configuration options to enable admin users to set up their own custom dash...

Page 209: ...leted the corresponding XML files that belong to that alert are also deleted To configure what is to be displayed by each widget Go to the Configure widgets panel and configure each selected widget for example specify which UPS status is to be displayed on the ups widget or the maximum number of Managed Devices to be displayed in the devices widget Click Apply Note Dashboard configuration is store...

Page 210: ...script and display the output of the script commands directly on the screen inside the specific widget The best way to format the output would be to send HTML commands back to the browser by adding echo commands in the script echo table You can of course run any command and its output will be displayed in the widget window directly Below is an example script that writes the current date to a file ...

Page 211: ...vice Management To display the Managed Devices and their associated serial network and power connections Select Manage Devices The Administrator will be presented with a list of all configured Managed Devices whereas the User will only see the Managed Devices they or their Group has been given access privileges for Select Serial Network or Power for a view of the specific connections The user can ...

Page 212: ...ecure SSH access then uses pre installed client software on the client PC to connect to the console server Web browser access is available to users who are a member of the admin or users groups 13 3 1 Web Terminal The AJAX based Web Terminal service may be used to access the console server command line or attached serial devices Note Any communication using the Web Terminal service using HTTP is u...

Page 213: ...erminal icon to display the Web Terminal connected directly to the attached serial device 13 3 2 SDT Connector access Administrator and Users can communicate directly with the console server command line and with devices attached to the console server serial ports using SDT Connector and their local telnet client or using a Web terminal and their browser Select Manage Terminal Click Connect to SDT ...

Page 214: ...Administrators and Users can access and manage the connected power devices Select Manage Power ...

Page 215: ...n configure the console server and manage connected devices from the command line using standard Linux and Busybox commands and applications such as ifconfig gettyd stty powerman nut etc Without care these configurations may not withstand a power cycle reset or reconfigure Black Box provides a number of custom command line utilities and scripts to make it simple to configure the console server and...

Page 216: ... config tree is called config To address a specific element place a between each node branch e g to access and display the description of user1 type config g config users user1 description The root node of the config tree is config To display the entire config tree type config g config To display the help text for the config command type config h The config application resides in the bin directory...

Page 217: ... Hash the value then save it in id The registered configurators are alerts auth cascade console dhcp dialin eventlog hosts ipaccess ipconfig nagios power serialconfig services slave systemsettings time ups users There are three ways to delete a config element value The simplest way is use the delete node script detailed later in Chapter 15 You can also assign the config element to or delete the en...

Page 218: ... example setup serial port 5 to use the following properties Baud Rate 9600 Parity None Data Bits 8 Stop Bits 1 label Myport log level 0 protocol RS232 flow control None To do this use the following commands config s config ports port5 speed 9600 config s config ports port5 parity None config s config ports port5 charsize 8 config s config ports port5 stop 1 config s config ports port5 label mypor...

Page 219: ...s port5 rfc2217 on config s config ports port5 singleconn on config s config ports port5 ssh on config s config ports port5 tcp on config d config ports port5 telnet config d config ports port5 unauthtel Device Mode For a device mode port set the port type to ups rpc or enviro config s config ports port5 device type ups rpc enviro For port 5 as a UPS port config s config ports port5 mode reserved ...

Page 220: ... ports port5 bridge address 192 168 3 3 config s config ports port5 bridge port 2500 To enable RFC 2217 access config s config ports port5 bridge rfc2217 on To redirect the serial bridge over an SSH tunnel to the server config s config ports port5 bridge ssh enabled on Syslog settings Additionally the global system log settings can be set for any specific port in any mode config s config ports por...

Page 221: ...onfig s config users user2 groups group2 groupname2 etc To give this user access to a specific port config s config users user2 port1 on config s config users user2 port2 on config s config users user2 port5 on etc To remove port access config s config users user2 port1 the value is left blank or simply config d config users user2 port1 The port number can be anything from 1 to 48 depending on the...

Page 222: ...ted to port 1 on the console manager and the RPC is configured To give this group access to RPC outlet number 3 on the RPC device run the two commands below config s config ports port1 power outlet3 groups group1 Group7 config s config ports port1 power outlet3 groups total 1 total number of groups that have access to this outlet If more groups are given access to this power outlet then increment ...

Page 223: ...figure RADIUS authentication config s config auth radius auth_server comma separated list list of remote authentication and authorization servers config s config auth radius acct_server comma separated list list of remote accounting servers If unset Authentication and Authorization Server Address will be used config s config auth radius password password To configure LDAP authentication config s co...

Page 224: ...level 0 The loglevel can have a value of 0 or 1 The default services that you should configure are 22 tcp ssh 23 tcp telnet 80 tcp http 443 tcp https 1494 tcp ica 3389 tcp rdp 5900 tcp vnc Add other network host To add any other type of network host with the following details IP address DNS name 192 168 3 10 Host name OfficePC Description MyPC Allowed services ssh port 22 https port 443 log level f...

Page 225: ...he existing total plus 1 So if the previous command gave you 0 then you start with rule number 1 If you already have 1 rule your new rule will be number 2 etc If you want to restrict access to serial port 5 to computers from a single class C network 192 168 5 0 for example you need to issue the following commands assuming you have a previous rule in place Add a trusted network config s config port...

Page 226: ... 2 minutes Run script when power is critical Enabled config s config ups monitors monitor1 port dev port01 If the port number is higher than 9 eg port 13 enter config s config ups monitors monitor1 port dev port13 config s config ups monitors monitor1 name My UPS config s config ups monitors monitor1 description UPS in room 5 config s config ups monitors monitor1 username User2 config s config ups...

Page 227: ...92 168 50 50 config d config ups remotes remote1 log enabled config s config ups remotes remote1 log interval 240 config s config ups remotes remote1 script enabled on config s config ups remotes total 1 The following command will synchronize the live system with the new configuration config a 14 10 RPC connections You can add an RPC connection from the command line We do not recommend that you do...

Page 228: ...4 Monitor Description Monitor in room 5 Temperature offset 2 Humidity offset 5 Enable alarm 1 yes Alarm 1 label door alarm Enable alarm 2 yes Alarm 2 label window alarm Logging enabled yes Log interval 120 seconds config s config ports port3 enviro name Envi4 config s config ports port3 enviro description Monitor in room 5 config s config ports port3 enviro offsets temp 2 config s config ports por...

Page 229: ...connections connection1 type serial Host UPS RPC config s config devices total 8 decrement this value when deleting a managed device To delete the above managed device config d config devices device8 The following command will synchronize the live system with the new configuration config a 14 13 Port Log To configure serial network port logging config s config eventlog server address remote server...

Page 230: ...fig alerts alert2 email2 peter Black Box com To use NAGIOS to notify of this alert config s config alerts alert2 nsca enabled on To use SNMP to notify of this alert config s config alerts alert2 snmp enabled on Increment the total alerts config s config alerts total 2 Below are the specific settings depending on the type of alert required Connection Alert To trigger an alert when a user connects t...

Page 231: ...specific RPC power outlets config s config alerts alert2 rpc RPC name config s config alerts alert2 sensor temp humid load charge config s config alerts alert2 signal DSR config s config alerts alert2 type enviro config s config alerts alert2 ups1 UPSname hostname Example1 To configure a temperature sensor alert for a sensor called SensorInRoom42 config s config alerts alert2 sensor temp config s ...

Page 232: ...om min 0 config s config alerts alert2 alarmrange mon until hour 0 config s config alerts alert2 alarmrange mon until min 0 The following command will synchronize the live system with the new configuration config r alerts 14 15 SMTP SMS To set up an SMTP mail or SMS server with the following details Outgoing server address mail Black Box com Secure connection type SSL Sender John Black Box com Ser...

Page 233: ...sword config s config system location Device in office 2 NOTE The P parameter will prompt the user for a password and encrypt it You can encrypt the value of any config element using the P parameter but only encrypted user passwords and system passwords are supported If any other element value were to be encrypted the value will become inaccessible and will have to be reset The following command w...

Page 234: ...un ipconfig The following command will synchronize the live system with the new configuration config r ipconfig 14 19 Date Time settings To enable NTP using a server at pool ntp org issue the following commands config s config ntp enabled on config s config ntp server pool ntp org Alternatively you can manually change the clock settings To change running system time date 092216452005 05 Format is ...

Page 235: ...onsole ppp defaultroute on Please note that supported authentication types are None PAP CHAP and MSCHAPv2 Supported serial port baud rates are 9600 19200 38400 57600 115200 and 230400 Supported parity values are None Odd Even Mark and Space Supported data bits values are 8 7 6 and 5 Supported stop bits values are 1 1 5 and 2 Supported flow control values are Hardware Software and None If you do no...

Page 236: ...an manually enable or disable network servers from the command line For example if you wanted to guarantee the following server configuration HTTP Server Enabled HTTPS Server Disabled Telnet Server Disabled SSH Server Enabled SNMP Server Disabled Ping Replies Respond to ICMP echo requests Disabled TFTP server Enabled config s config services http enabled on config d config services https enabled c...

Page 237: ...oup group1 Group to run as Defaults to nobody Allow command arguments Enabled config s config system nagios nrpe enabled on config s config system nagios nrpe port 5600 config s config system nagios user user1 config s config system nagios nrpe group group1 config s config system nagios nrpe cmdargs on To configure NSCA with the following settings NSCA encryption BLOWFISH can be None XOR DES TRPLE...

Page 238: ...anced and custom management tasks using Black Box commands Linux commands and the open source tools embedded in the console server portmanager serial port management raw data access to the ports and modems iptables modifications and updating IP filtering rules modifying SNMP with net snmpd public key authenticated SSH communications SSL configuring HTTPS and issuing certificates using pmpower for ...

Page 239: ...ead The code that does this check is shown below an extract from the file etc scripts portmanager pattern alert If there s a user configured script run it instead scripts 0 etc config scripts pattern alert ALERT_PORTNAME scripts 1 etc config scripts portmanager pattern alert for i 0 i scripts i do if f scripts i then exec bin sh scripts i fi done This code shows that there are two alternative scri...

Page 240: ... email when an alert triggers you have to create a replacement script using the method described above and add the appropriate lines to your new script Currently there is a script etc scripts alert email that runs from within all the alert scripts for example portmanager user alert or environmental alert The alert email script sends the email The line that invokes the email script is as follows bi...

Page 241: ...g number of arguments echo Usage delnode full delimited node path exit 2 fi test for spaces TEMP echo 1 sed s N if TEMP N then echo Wrong input format echo Usage delnode full delimited node path exit 2 fi testing if node exists TEMP config g config grep 1 if z TEMP then echo Node 1 not found exit 0 fi LASTFIELD is the last field in the node path e g user1 ROOTNODE is the upper level of the node e ...

Page 242: ...eleting node echo Deleting 1 config d 1 Modifying item total config s TOTALNODE 0 echo Done exit 0 elif NUMBER lt TOTAL more than one item exists then Modify the users list so user numbers are sequential by shifting the users into the gap one at a time echo Deleting 1 LASTFIELDTEXT echo LASTFIELD sed s 0 9 g CHECKTOTAL config g ROOTNODE LASTFIELDTEXT TOTAL if z CHECKTOTAL then echo WARNING TOTALNO...

Page 243: ... have a serially controlled RPC connected to port01 on a console server and have a router powered by outlet 3 on the RPC and the router has an internal IP address of 192 168 22 2 The following instructions will show you how to continuously ping the router When the router fails to respond to a series of pings the console server will send a command to RPC outlet 3 to power cycle the router and write...

Page 244: ...ing the device 10 times PINGREP ping c 10 i 1 TARGET get the packet loss percentage LOSS echo PINGREP grep sed e s 0 9 1 if LOSS eq 100 then COUNTER expr COUNTER 1 else COUNTER 0 sleep 30s fi if COUNTER eq 5 then COUNTER 0 sleep 2s fi done 15 1 7 Running custom scripts when a configurator is invoked A configurator is responsible for reading the values in etc config config xml and making the approp...

Page 245: ...ce you want to use Usage etc scripts backup usb COMMAND FILE COMMAND check magic check volume label set magic set volume label save FILE save configuration to USB delete FILE delete a configuration tarbal from USB list list available config backups on USB load FILE load a specific config from USB load default load the default configuration set default FILE set which file becomes the default The fi...

Page 246: ... by the root user to make sure correct file permissions are set The config command is used to create a backup tarball config e Output File The tarball will be saved to the indicated location It will contain the contents of the etc config directory in an uncompressed and unencrypted form Example nfs storage mount t nfs 192 168 0 2 backups mnt config e mnt les4108 config umount mnt Example transfer ...

Page 247: ...will generate a history on the serial port Quit pmshell Typing the character sequence will exit from pmshell Set RTS to 1 run the command pmshell rts 1 Show all signals pmshell signals DSR 1 DTR 1 CTS 1 RTS 1 DCD 0 Read a line of text from the serial port pmshell getline pmchat The pmchat command acts similar to the standard chat command but all serial port access is directed via the portmanager E...

Page 248: ...ute etc config scripts portXX init where XX is the number of the port e g 08 The script is run with STDIN and STDOUT both connected to the serial port If the script cannot be executed then portmanager will execute etc config scripts portXX chat via the chat command on the serial port When an alert occurs on a port The portmanager will attempt to execute etc config scripts portXX alert where XX is ...

Page 249: ...is closed and opened again People probably will not want to use stty for more than initial debugging of the serial connection If you want to use stty to configure the port you can put stty commands in etc config scripts portXX init which gets run whenever portmanager opens the port Otherwise any setup you do with stty will get lost when the portmanager opens the port The reason that portmanager se...

Page 250: ... performed Standard policies are inserted that will drop all traffic not explicitly allowed to and through the system Rules are added which explicitly allow network traffic to access enabled services for example TTP SNMP etc Rules are added that explicitly allow traffic network traffic access to serial ports over enabled protocols e g Telnet SSH and raw TCP If the standard system firewall configur...

Page 251: ... sysdescr Black Box syscontact root root localhost configure etc default snmpd conf sysname Not defined edit etc default snmpd conf syslocation Not defined edit etc default snmpd conf Simply change the values of sysdescr syscontact sysname and syslocation to the desired settings and restart snmpd The snmpd conf provides is extremely powerful and too flexible to completely cover here The configurat...

Page 252: ...sword with the password Once the fields are set apply the configuration with the following command config run snmp You can add a third or more SNMP servers by incrementing the 2 in the above commands e g config system snmp protocol3 config system snmp address3 etc 15 6 Secure Shell SSH Public Key Authentication This section covers how to generate public and private keys in a Linux and Windows envi...

Page 253: ...ssh 15 6 2 Generating Public Keys Linux To generate new SSH key pairs use the Linux ssh keygen command This will produce an RSA or DSA public private key pair and you will be prompted for a path to store the two key files for example id_dsa pub the public key and id_dsa the private key For example ssh keygen t rsa dsa Generating public private rsa dsa key pair Enter file in which to save the key h...

Page 254: ...he Master and apply the Authorized key to the slave and is described in Chapter 4 Once complete you then proceed to Fingerprinting as described below 15 6 4 Installing SSH Public Key Authentication Linux Alternately the public key can be installed on the unit remotely from the linux host with the scp utility as follows Assuming the user on the Management Console is called fred the IP address of th...

Page 255: ...l be clients of the server then the authorized_keys file will contain a copy of all of the public keys RSA and DSA keys may be freely mixed in the authorized_keys file For example assume we already have one server called bridge_server and two sets of keys for the control_room and the plant_entrance ls home user keys control_room control_room pub plant_entrance plant_entrance pub cat home user keys...

Page 256: ... example uses a user called testuser making sure it is a member of the users group If you do not already have a public private key pair you can generate them now using ssh keygen PuTTYgen or a similar tool PuTTYgen http www chiark greenend org uk sgtatham putty download html OpenSSH http www openssh org OpenSSH Windows http sshwindows sourceforge net download For example using PuTTYgen make sure y...

Page 257: ...file Make sure there is only one line of text in this file Use WinSCP to copy this authorized_keys file into the users home directory e g etc config users testuser ssh authorized_keys of the Black Box gateway which will be the SSH server You will need to make sure this file is in the correct format with the correct permissions with the following commands dos2unix etc config users testuser ssh auth...

Page 258: ...mhost 192 168 0 1 RSA to the list of known hosts You may be prompted for a password but there is no need to log in you have received the fingerprint and can Ctrl C to cancel the connection If the host key changes you will receive the following warning and not be allowed to connect to the remote host WARNING REMOTE HOST IDENTIFICATION HAS CHANGED IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY...

Page 259: ... keys Ideally you will use a separate secure machine to generate and store all keys to be used on the console servers If this is not ideal for your situation keys may be generated on the console servers themselves It is possible to generate only one set of keys and reuse them for every SSH session While we do not recommend this each organization will need to balance the security of separate keys a...

Page 260: ...ir keys ssh keygen t rsa Generating public private rsa key pair Enter file in which to save the key home user ssh id_rsa home user keys control_room Enter passphrase empty for no passphrase Enter same passphrase again Your identification has been saved in home user keys control_room Your public key has been saved in home user keys control_room pub The key fingerprint is 28 aa 29 38 ba 40 f4 11 5e ...

Page 261: ...is file is typically named id_rsa or id_dsa to SDT Connector client Click Edit Preferences Private Keys Add locate the private key file and click OK You do not have to add the public part of your SSH key pair it is calculated using the private key SDT Connector will now use public key authentication when SSH connecting through the console server You may have to restart SDT Connector to shut down a...

Page 262: ...our new address 15 8 1 Generating an encryption key To create a 1024 bit RSA key with a password issue the following command on the command line of a linux host with the openssl utility installed openssl genrsa des3 out ssl_key pem 1024 15 8 2 Generating a self signed certificate with OpenSSL This example shows how to use OpenSSL to create a self signed certificate OpenSSL is available for most Li...

Page 263: ...fig inetd conf Append a line 443 stream tcp nowait root sslwrap cert etc config ssl_cert pem key etc config ssl_key pem exec bin httpd home httpd Save the file and signal inetd of the configuration change kill HUP cat var run inetd pid The HTTPS server should be accessible from a web client at a URL similar to this https common name of unit More detailed documentation about the openssl utility can...

Page 264: ... the powerman version number and exit D device Displays RPC status information If targets are specified only RPC s matching the target list are displayed T telemetry Causes RPC telemetry information to be displayed as commands are processed Useful for debugging device scripts x exprange Expand host ranges in query responses For more details refer http linux die net man 1 powerman Also refer powerm...

Page 265: ...werstrips xml If an action is attempted which has not been configured for a specific Power Device pmpower will exit with an error 15 9 3 Adding new RPC devices There are a number of simple paths to adding support for new RPC devices The first is to have scripts to support the particular RPC included in either the open source PowerMan project http sourceforge net projects powerman or the open sourc...

Page 266: ...ively The script can be anything that can be executed within the shell All of the existing scripts in etc powerstrips xml use the pmchat utility pmchat works just like the standard unix chat program only it ensures interoperation with the port manager The final options speed charsize stop and parity define the recommended or default settings for the attached device 15 10 IPMItool The console serve...

Page 267: ... Prompt for the remote server password A authtype Specify an authentication type to use during IPMIv1 5 lan session activation Supported types are NONE PASSWORD MD5 or OEM c Present output in CSV comma separated variable format This is not available with all commands C ciphersuite The remote server authentication integrity and encryption algorithms to use for IPMIv2 lanplus connections See table 2...

Page 268: ...efore enabling the IPMI LAN interface A remote station has the ability to control a system s power state as well as being able to gather certain platform information To reduce vulnerability we strongly advise that the IPMI LAN interface only be enabled in trusted environments where system security is not an issue or where there is a dedicated secure management network or access has been provided t...

Page 269: ...ands status on off cycle reset diag soft You will find more details on ipmitools at http ipmitool sourceforge net manpage html 15 11 Custom Development Kit CDK As detailed in this manual customers can copy scripts binaries and configuration files directly to the console server Black Box also freely provides a development kit that allows changes to be made to the software in console server firmware...

Page 270: ...logs only buffer 8K of data and don t persist between reboots This script would for example parse each port log file line by line each time it sees LOGIN username it adds username to the list of connected users for that port each time it sees LOGOUT username it removes it from the list The list can then be nicely formatted and displayed You can run the script on the remote log server To enable log...

Page 271: ...onsole server and monitor and manage attached serial console and host devices addgroup Add a group or add an user to a group adduser Add an user agetty alternative Linux getty arp Manipulate the system ARP cache arping Send ARP requests replies bash GNU Bourne Again Shell busybox Swiss army knife of embedded Linux commands cat Concatenate FILE s and print them to stdout chat Useful for interacting...

Page 272: ...Send a signal to a process to end gracefully ln Make links between files login Begin session on the system loopback Black Box loopback diagnostic command loopback1 Black Box loopback diagnostic command loopback2 Black Box loopback diagnostic command loopback8 Black Box loopback diagnostic command loopback16 Black Box loopback diagnostic command loopback48 Black Box loopback diagnostic command ls L...

Page 273: ...le routed Show or manipulate the IP routing table routef IP Route tool to flush IPv4 routes routel IP Route tool to list routes rtacct Applet printing proc net rt_acct rtmon RTnetlink listener scp Secure copy remote file copy program sed Text stream editor setmac Sets the MAC address setserial Sets and reports serial port configuration sh Shell showmac Shows MAC address sleep Delay for a specified...

Page 274: ...X howtos html and http www faqs org docs Linux HOWTO Remote Serial Console HOWTO html An updated list of the commands may found using ls command to view all the commands actually available in the bin directory in your console server There were a number of Black Box tools listed above that make it simple to configure the console server and make sure the changes are stored in the console server s fl...

Page 275: ...e are proprietary to Black Box however the code will be provided to customers under NDA Also inbuilt in the console server is a Port Manager application and Configuration tools as described in Chapters 14 and 15 These both are proprietary to Black Box but open to customers as above The console server also supports GNU bash shell script enabling the Administrator to run custom scripts GNU bash vers...

Page 276: ... hash r p pathname name help s pattern history c d offset n or hi if COMMANDS then COMMANDS elif jobs lnprs jobspec or job kill s sigspec n signum si let arg arg until COMMANDS do COMMANDS done variables Some variable names an wait n while COMMANDS do COMMANDS done COMMANDS ...

Page 277: ...5P controller Memory LES1408A 16A 32A 48A LES1308A 16A 32A 48A LES1208A R2 16A R2 32A 48A R2 64MB SDRAM 16MB Flash 16GB USB Flash LES1116A 32A 48A 64MB SDRAM 16MB Flash LES1108A 16MB SDRAM 8MB Flash Serial Connectors LES1508A 8 RJ 45 RS 232 serial ports LES1408A LES1308A LES1208A R2 8 RJ 45 RS 232 serial ports LES1416A LES1316A LES1216A R2 16 RJ 45 RS 232 serial ports LES1432A LES1332A LES1232A 32...

Page 278: ... UPS to protect the equipment from transients FCC Warning Statement This device complies with Part 15 of the FCC rules Operation of this device is subject to the following conditions 1 This device may not cause harmful interference and 2 this device must accept any interference that may cause undesired operation WEEE Statement The symbol on the product or its packaging indicates that this product ...

Page 279: ...source code This license does not grant you any rights to patents copyright trade secrets trademarks or any other rights with respect to the Software You may make a reasonable number of copies of the electronic documentation accompanying the Software for each Software license you acquire provided that you must reproduce and include all copyright notices and any other proprietary rights notices app...

Page 280: ...urchase price paid by you for the Software on the defective media or to replace the Software on new media Black Box makes no warranty or representation that its Software will meet your requirements will work in combination with any hardware or application software products provided by third parties that the operation of the software products will be uninterrupted or error free or that all defects ...

Page 281: ... the copyright holder saying it may be distributed under the terms of this General Public License The Program below refers to any such program or work and a work based on the Program means either the Program or any derivative work under copyright law that is to say a work containing the Program or a portion of it either verbatim or with modifications and or translated into another language Hereina...

Page 282: ... above on a medium customarily used for software interchange or b Accompany it with a written offer valid for at least three years to give any third party for a charge no more than your cost of physically performing source distribution a complete machine readable copy of the corresponding source code to be distributed under the terms of Sections 1 and 2 above on a medium customarily used for softw...

Page 283: ...use of the Program is restricted in certain countries either by patents or by copyrighted interfaces the original copyright holder who places the Program under this License may add an explicit geographical distribution limitation excluding those countries so that distribution is permitted only in or among countries not thus excluded In such case this License incorporates the limitation as if writt...

Page 284: ...NABILITY TO USE THE PROGRAM INCLUDING BUT NOT LIMITED TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES END OF TERMS AND CONDITIONS ...

Page 286: ...l supported by free live 24 7 Tech support available in 60 seconds or less Copyright 2014 All rights reserved Black Box and the Double Diamond logo are registered trademarks of BB Technologies Inc Any third party trademarks appearing in this white paper are acknowledged to be the property of their respective owners Black Box Tech Support FREE Live 24 7 Tech support the way it should be Great tech ...