manualshive.com logo in svg

Black Box LES1516A, User Manual

Share
Download
Black Box LES1516A User Manual Download Page 211

211

1.877.877.2269

BLACKBOX.COM

NEED HELP?

LEAVE THE TECH TO US

LIVE 24/7

TECHNICAL

SUPPORT

1.877.877.2269

CHAPTER 10: AUTHENTICATION

Š

Š

Enter the Server Address (IP or host name) of the remote Authentication server. Multiple remote servers may be specified in a 

comma separated list. Each server is tried in succession.

Š

Š

Check the Server Protocol checkbox to select if SSL is to be used or enforced for communications with the LDAP server.
Console servers running firmware v3.11 and above offer three options for LDAPS (LDAP over SSL):
LDAP over SSL preferred will attempt to use SSL for authentication. If it fails, it will fall back to LDAP without SSL.
LDAP over SSL may fail due to certificate errors or the LDAP server not being contactable on the LDAPS port.
LDAP over SSL only. This setting will configure the console server to only accept LDAP over SSL. If LDAP over SSL fails, you will only 
be able to log into the console server as root.
LDAP (no SSL) only. This setting will configure the console server to only accept LDAP without SSL. If LDAP without SSL fails, you 
will only be able to log into the console server as root.

Š

Š

Check the Ignore SSL Certificate Error check box if you wish to ignore SSL certificate errors, allowing LDAP over SSL to work 

regardless of these errors.

This allows you to use any certificate, self-signed or otherwise, on the LDAP server without having to install any certificates on 
the console server.
If this setting is not checked, you must install the CA (certificate authority) certificate with which the LDAP server’s certificate was 
signed onto the console server. For example, the LDAP server is serving with a certificate signed using the certificate myCA.crt.

NOTE:  The certificate must be in CRT format and myCA.crt must be installed onto the console server at /etc/config/ldaps_ca.crt. 

The filename must be ldaps_ca.crt. Copy the file to this location and filename manually using scp or the like. For example:

 

scp /local/path/to/myCA.crt

 

rt root@console_server:/etc/config/ldaps_ca.crt

Š

Š

Enter the Server Password.

Š

Š

Click Apply.

LDAP remote authentication will now be used for all user access to console server and serially or network attached devices
Further information on configuring remote RADIUS servers can be found at the following sites: http://ldapman.org/articles/intro_
to_ldap.html, http://ldapman.org/servers.html, http://linuxplanet.com/linuxplanet/tutorials/5050/1/, and http://linuxplanet.com/
linuxplanet/tutorials/5074/4/.

10.1.5 RADIUS AND TACACS USER CONFIGURATION 

Users may be added to the local console server appliance. If they are not added and they log in via remote AAA, a user will be 
added for them. This user will not show up in the console server configurators unless they are specifically added, at which point 
they are transformed into a completely local user. The newly added user must authenticate off of the remote AAA server, and will 
have no access if it is down.
If a local user logs in, they may be authenticated or authorized from the remote AAA server, depending on the chosen priority of the 
remote AAA. A local user’s authorization is the union of local and remote privileges.

EXAMPLE 1

User Tim is locally added, and has access to ports 1 and 2. He is also defined on a remote TACACS server, which says he has 
access to ports 3 and 4. Tim may log in with either his local or TACACS password, and will have access to ports 1 through 4. If 
TACACS is down, he will need to use his local password, and will only be able to access ports 1 and 2.

Summary of Contents for LES1516A

Page 1: ...24 7 TECHNICAL SUPPORT AT 1 877 877 2269 OR VISIT BLACKBOX COM PWR OK BACK H B SER NET WIFI WIFI MAIN WIFI AUX SD CARD USB PORTS V 92 MODEM CONSOLE ERASE LES SERIES CONSOLE SERVERS LES1500 LES1600 LES...

Page 2: ...VIEW 23 2 1 Available Models Comparison Charts 23 2 2 What s Included 24 2 2 1 LES1500 Series LES1516A LES1532A LES1548A 24 2 2 2 LES1600 Series 24 2 2 3 LES1700 Series 24 2 3 Hardware Description 25...

Page 3: ...lover or Broadband OOP 52 4 6 4 Aggregating the Network Ports 53 4 6 5 Wi Fi Wireless LAN 54 4 6 6 Static Routes 56 4 7 Configuration Over DHCP ZTP 57 4 7 1 Ensuring the Console Server is Unconfigured...

Page 4: ...the VPN Gateway 88 5 10 Open VPN 90 5 10 1 Enable the OpenVPN 90 5 10 2 Configure as Server or Client 92 5 10 3 Windows OpenVPN Client and Server Setup 93 5 11 PPTP VPN 97 5 11 1 Enable the PPTP VPN S...

Page 5: ...orwarding 130 6 8 1 Configuring Network Forwarding and IP Masquerading 131 6 8 2 Configuring Client Devices 132 6 8 3 Port and Protocol Forwarding 134 6 8 4 Firewall Rules 135 6 8 5 Packet State Match...

Page 6: ...ing Using Other SSH Clients for example PuTTY 164 7 12 VNC Security 165 8 ALERTS AUTO RESPONSE AND LOGGING 166 8 1 Configure Auto Response 166 8 2 Check Conditions 168 8 2 1 Environmental 168 8 2 2 Al...

Page 7: ...2 4 UPS Alerts 200 9 2 5 UPS Status 201 9 2 6 Overview of Nework UPS Tools NUT 202 9 3 Digital I O Ports 203 9 3 1 Digital I O Output Configuration 203 9 3 2 Digital I O Input Configuration 204 9 3 3...

Page 8: ...Configuration 226 11 3 2 Basic Nagios Plug ins 230 11 3 3 Additional Plug ins 231 11 3 4 Number of Supported Devices 232 11 3 5 Distributed Monitoring Usage Scenarios 233 12 SYSTEM MANAGEMENT 235 12 1...

Page 9: ...20 Services 279 15 1 21 Nagios 281 16 ADVANCED CONFIGURATION 283 16 1 Custom Scripting 283 16 1 1 Custom Script to Run when Booting 283 16 1 2 Running Custom Scripts when Alerts are Triggered 284 16...

Page 10: ...yption Key 313 16 8 2 Generating a Self Signed Certificate with OpenSSL 313 16 8 3 Installing the Key and Certificate 313 16 8 4 Launching the HTTPS Server 314 16 9 Power Strip Control 314 16 9 1 The...

Page 11: ...Statement 336 B 2 NOM Statement 337 APPENDIX C CONNECTIVITY TCP PORTS AND SERIAL I O 338 C 1 Serial Port Pinouts 338 C 2 Local Console Port 339 C 3 RS 232 Standard Pinouts 339 C 4 Console Server Conn...

Page 12: ...12 1 877 877 2269 BLACKBOX COM NEED HELP LEAVE THE TECH TO US LIVE 24 7 TECHNICAL SUPPORT 1 877 877 2269 REVISION HISTORY RELEASE V6 38 REVISION HISTORY...

Page 13: ...hen disconnecting the power cord from the socket Do not connect or disconnect the console server during an electrical storm We recommend that you use a surge suppressor or UPS to protect the equipment...

Page 14: ...ion Physical installation of the console server and the interconnecting of managed devices 4 System configuration Initial installation and configuration of the console server and the supported service...

Page 15: ...access authorized configured devices and review port logs In this manual when the term user lower case is used it is referring to both classes of users above This document also uses the term remote u...

Page 16: ...877 2269 BLACKBOX COM NEED HELP LEAVE THE TECH TO US LIVE 24 7 TECHNICAL SUPPORT 1 877 877 2269 ABOUT THIS MANUAL WHERE TO FIND ADDITIONAL INFORMATION The Quick Start Guide that came with your consol...

Page 17: ...Management Built in web terminal SSH direct to consoles optional console keystroke logging alert on cable disconnects text pattern match and more inline power control multiple concurrent sessions Powe...

Page 18: ...B Class A ICES 003 Issue 4 February 2004 AS NZS CISPR 22 2004 Class A EN 55022 Emissions Class A 2009 A1 2010 EN 61000 3 2 Harmonics Current Emissions 2014 EN 61000 3 3 Voltage Fluctuation and Flicke...

Page 19: ...gh voltage digital outputs HVDO 5 30 VDC 100 mA drives relays alarms etc Console Management Built in web terminal SSH direct to consoles optional console keystroke logging alert on cable disconnects i...

Page 20: ...TP Certifications Emissions FCC Part 15 Subpart B 2015 EN55022 2010 CISPR 22 2008 ICES 003 Issue 5 2014 AS NZS CISPR 22 2009 A1 2010 EN 61000 3 2 2006 A2 2009 EN 61000 3 3 2008 Immunity EN 55024 2010...

Page 21: ...al Ethernet aggregation and redundancy remote access automatic network failover easy browser UI IPv6 Console Management Built in web terminal SSH direct to consoles optional console keystroke logging...

Page 22: ...Part 15 Subpart B Class A ICES 003 Issue 4 February 2004 AS NZS CISPR 22 2004 Class A EN 55022 Emissions Class A 2009 A1 2010 EN 61000 3 2 Harmonics Current Emissions 2014 EN 61000 3 3 Voltage Fluctu...

Page 23: ...ngle AC LES1604A R 4 4 2 256 32 MB 4 GB cellular 4G WiFi Single AC LES1608A 8 4 2 256 32 MB 4 GB Single AC LES1708A 8 2 2 256 64 MB 16 GB POTS WiFi Dual AC LES1716A 16 2 2 256 64 MB 16 GB POTS WiFi Du...

Page 24: ...S1548A 1 Console Server 2 CAT5 UTP cables 1 DB9F to RJ 45 straight through adapter 1 DB9F to RJ 45 crossover adapter 1 IEC AC power cord 1 Quick Start Guide 2 2 2 LES1600 SERIES 1 Console Server 1 Ext...

Page 25: ...S1548A FRONT PANEL 9 10 11 12 8 FIGURE 2 2 LES1548A BACK PANEL TABLE 2 3 LES1548A CONSOLE SERVER COMPONENTS NUMBER IN FIGURE 2 1 OR 2 2 COMPONENT DESCRIPTION 1 1 PWR LED Lights when power is on 2 1 H...

Page 26: ...BACK PANEL TABLE 2 4 LES1604A CONSOLE SERVER COMPONENTS NUMBER IN FIGURE 2 3 OR 2 4 COMPONENT DESCRIPTION 1 H B LED Heartbeat LED lights when firmware is running 1 Serial LED Active serial communicati...

Page 27: ...OK button Confirm selection 3 BACK button Go back to previous selection 4 PWR LED Lights when power is on 5 H B LED Heartbeat LED lights when firmware is running 6 Serial LED Active serial communicati...

Page 28: ...ION All Black Box console servers ship with Ethernet ports These ports are located on the rear panel of the rackmount LES1516A LES1532A LES1548A units and on the front of the smaller LES1600 units All...

Page 29: ...nnections Black Box supplies a range of cables and adapters that may be required to connect to the more popular servers and network appliances Before connecting the console port of an external device...

Page 30: ...al Ground n a 5 CTS Clear To Send Input 6 RXD Receive Data Input 7 DCD Data Carrier Detect Input 8 DSR Data Set Ready Input 3 3 2 CISCO RJ 45 PINOUT The LES1600 LES1516A LES1532A and LES1548A models h...

Page 31: ...ires at least one external WiFi antenna to be attached 3 5 1 LES1604A V T R MODELS LES1600s come with internal 4G LTE modems and dual mini SIM card slots LES1604A V T R The T models work with AT T USA...

Page 32: ...S1700 MODELS The LES1700 models have an internal 802 11 WiFi adapter and come with an external WiFi antenna Before powering on the LES1700 Screw wireless antenna on to the WIFI MAIN SMA connector The...

Page 33: ...ddress and subnet mask IP address 192 168 0 1 Subnet mask 255 255 255 0 For initial configuration we recommend that you connect the console server directly to a single computer If you choose to connec...

Page 34: ...y to the ARP table and ping the console server to assign the IP address to the console server In the example below a console server has the MAC Address 00 13 C6 00 02 0F designated on the label on the...

Page 35: ...ent versions of the popular browsers Internet Explorer Firefox Chrome Safari and more You will be prompted to log in Enter the default administration username and administration password Username root...

Page 36: ...nto a console server So only those people who know the root password can access and reconfigure the console server itself The corollary is that anyone who correctly guesses the root password can gain...

Page 37: ...ld be set up and this new user should be used for ongoing console server administration rather than relying on the root user This new user can be configured in the admin group with full access privile...

Page 38: ...w IP Address Subnet Mask Gateway and DNS server details This selection automatically disables the DHCP client By default the console server LAN port auto detects the Ethernet connection speed To lock...

Page 39: ...as detailed earlier in this chapter Click Apply Reconnect the browser on the computer that is connected to the console server by entering https new ip address here 4 3 1 IPV6 CONFIGURATION By default...

Page 40: ...erly operated as 3322 org NOTE Two previously supported DDNS providers are ODS which is no longer operating and TZO which was bought by Dyn and is no longer operating independently Upon registering wi...

Page 41: ...as changed Specify the Maximum attempts per update that is the number of times to attempt an update before giving up By default this is set to 3 4 4 SERVICES AND SERVICE ACCESS The Administrator can a...

Page 42: ...where the Administrator connects to the console server over the Internet or any other public network This will provide authenticated communications between the SSH client program on the remote compute...

Page 43: ...to configuration succeeded The Services Access settings can now be set to allow or block access This specifies which enabled services the Administrator can use over each network interface to connect t...

Page 44: ...hile remote administrators using Dial In or Cellular have no telnet access unless they set up a VPN FIGURE 4 13 SERVICE ACCESS EXAMPLE The Respond to ICMP echos that is ping service access options can...

Page 45: ...connecting for the next 60 seconds Active Bans are also listed and may be refreshed by reloading the page NOTE When a Black Box device is running on an untrusted network we recommend that you use a va...

Page 46: ...database servers Web server Desktop PCs Network appliance LAN FIGURE 4 15 SDT CONNECTOR APPLICATION EXAMPLE SDT Connector is a Java client program that couples the trusted SSH tunneling protocol with...

Page 47: ...erminal session from a Windows client you enter the console server s IP address as the Host Name or IP address To access the console server command line you select SSH as the protocol and use the defa...

Page 48: ...e system will prompt you for a username and password Enter these to login to the console server 4 6 MANAGEMENT NETWORK CONFIGURATION The LES1700 LES1516A LES1532A LES1548A LES1508A and LES1600 console...

Page 49: ...consoles Management network FIGURE 4 18 MANAGEMENT LAN ENABLED NOTE The second ethernet port Network LAN2 on the LES1700 LES1516A LES1532A LES1548A or LES1600 can be configured as either a Management...

Page 50: ...er Eth 1 32 or 2 4 Management LAN Serially connected consoles FIGURE 4 19 CONFIGURE AS MANAGEMENT LAN OR OOB FAILOVER PORT Management LAN features are disabled by default To configure a Management LAN...

Page 51: ...to devices on the Management LAN that are running DHCP clients To enable the DHCP server Navigate to System IP Select the Management LAN Interface tab Check the Enable DHCP Server checkbox Enter the...

Page 52: ...hese into the pre assigned list so the same IP address will be reallocated in the event of a reboot FIGURE 4 22 PRE ASSIGN IP ADDRESSES 4 6 3 SELECT FAILOVER OR BROADBAND OOB The LES1700 LES1516A LES1...

Page 53: ...or by establishing an IPsec VPN tunnel to the console server All the wired network ports on the console servers can be aggregated by being bridged or bonded Navigate to System IP Click the General Se...

Page 54: ...rrect country is not listed select the World Regulatory Domain Select an SSID for the network This should be unique Check the Broadcast SSID check box This should in general be done Not broadcasting a...

Page 55: ...hat will serve as the main network connection to the console server Select the correct country from the Country list If the correct country is not listed select the World Regulatory Domain Enter the S...

Page 56: ...Enter a value in the Destination netmask field that identifies the destination network or host Any number between 0 and 32 A subnet mask of 32 identifies a host route Fill the Route Gateway field wit...

Page 57: ...ocument paste the copied data into the empty document and save the file Whatever file name you choose it must include the xml filename suffix Copy the saved opg or xml file to a public facing director...

Page 58: ...the file server and a to be configured Black Box device includes an untrusted network a two handed approach can mitigate the issue NOTE This approach introduces two physical steps where trust can be...

Page 59: ...nssl req new key client key out client csr subj CN ExampleClient openssl ca days 365 in client csr out client crt keyfile ca key policy policy_anything batch notext cat client key client crt client pe...

Page 60: ...tails 4 7 6 USING UNCONFIGURED CONSOLE SERVER ON FIRST BOOT TO UPDATE FIRMWARE This process requires three things a console server running firmware 3 16 6 or later a file containing the current config...

Page 61: ...les1700 version the firmware s version number 4 1 0u3 Once downloaded a configuration file is checked if it is a opg file its header is checked for compatibility with the current device if it is a xml...

Page 62: ...is whichever one of the following files is found first client AABBCCDDEEFF pem AABBCCDDEEFF is the MAC address of the console server s primary network interface client MODEL pem MODEL is the vendor c...

Page 63: ...Windows UNIX BSD servers VoIP PBX Switch Router Firewall Power strip UPS FIGURE 5 1 This chapter covers each of the steps in configuring network connected and serially attached devices TABLE 5 1 STEPS...

Page 64: ...hical console access with RDP VNC HTTPS etc to hosts that are serially connected Terminal server Sets the serial port to await an incoming terminal login session Serial bridge Enables the transparent...

Page 65: ...the port Select the appropriate Baud Rate Parity Data Bits Stop Bits and Flow Control for each port Set the Signaling Protocol This menu item only presents in ports with RS 422 485 options all ports o...

Page 66: ...r 8 Enable or disable Telnet access When the Telnet service is enabled on the console server a Telnet client on a User s or Administrator s computer can connect to a serial device attached to this ser...

Page 67: ...rators can use SDT Connector to set up secure Telnet connections that are SSH tunneled from their client computers to the serial port on the console server SDT Connector can be installed on Windows PC...

Page 68: ...Administrator connects to the console server or connects through the console server to the attached serial consoles over the Internet or any other public network This will provide authenticated SSH co...

Page 69: ...ently interconnect over a network see Section 5 1 6 Enable or disable RFC 2217 access Enabling RFC 2217 access enables serial port redirection on that port For RFC 2217 the default port address is IP...

Page 70: ...sible using the standard protocol TCP port numbers of the console server services For example SSH on serial port 3 would be accessible on port 22 of a serial port IP alias whereas on the console serve...

Page 71: ...ng escape characters The default is Enable or disable the Power Menu 5 1 3 SDT MODE This Secure Tunneling setting allows port forwarding of RDP VNC HTPP HTTPS SSH Telnet and other LAN protocols throug...

Page 72: ...ironmental as detailed in Chapter 9 5 1 5 TERMINAL SERVER MODE Enable Terminal Server Mode and set the Terminal Type vt220 vt102 vt100 Linux or ANSI to enable a getty on the selected serial port FIGUR...

Page 73: ...is set in Console Server mode with either RFC2217 or RAW enabled as described in Section 5 1 2 Local Ethernet LAN Serially connected device e g security appliance COM port connected control PC FIGURE...

Page 74: ...slog Priority to critical At this priority if the console server syslog server does receive a message it will automatically raise an alert See Chapter 8 for more 5 1 8 NMEA STREAMING The LES1600 can p...

Page 75: ...Moreover and aside from their utility as USB connections all the USB ports on these console servers can function as plain RS 232 serial ports when a USB to serial adapter is connected These USB ports...

Page 76: ...configures the running LLDP service Persistent custom configuration changes can be added to the system through configuration files placed in etc config lldpd d Custom configuration files which must ha...

Page 77: ...they can reconfigure the console server settings e g to enabled HTTP Telnet for future access They can also access any of the connected Hosts or serial port devices using any of the services that hav...

Page 78: ...he Accessible Hosts Accessible Ports and Accessible RPC Outlet s that you wish any users in this new Group to be able to access Click Apply The Administrator can Edit or Delete any added group 5 2 2 S...

Page 79: ...plus if the user is a Group member they can also access any other device port outlet that was set up as accessible to the Group NOTE There are no specific limits on user number nor on the number of us...

Page 80: ...be logged and monitored for each Host access See Chapter 8 for more information If the Host is a PDU or UPS power device or a server with IPMI power control specify RPC for IPMI and PDU or UPS and the...

Page 81: ...applied to FIGURE 5 19 SERIAL NETWORK TRUSTED NETWORKS SCREEN Enter the Network Address of the subnet to be permitted access Specify the range of addresses that are to be permitted by entering a Netw...

Page 82: ...essed through one IP address and managed through the one Management Console One console server the Master controls other console servers as Slave units and all the serial ports on the Slave units appe...

Page 83: ...ually upload the key public and private key pair to the Master console server Select System Administration on the master s Management Console Browse to the location you have stored RSA or DSA Public K...

Page 84: ...e any need to supply a password 5 6 3 CONFIGURE THE SLAVES AND THEIR SERIAL PORTS You can now begin setting up the slaves and configuring slave serial ports from the master console server Select Seria...

Page 85: ...rt setting on the master the updated configuration files will be sent out to each slave in parallel Each slave will then automatically make changes to their local configurations and only make those ch...

Page 86: ...pseudo tty port receives data from the pseudo tty port transmits it to the console server through network and receives data from the console server through network and transmits it to the pseudo tty p...

Page 87: ...the name of the powered Managed Device To add a new serially connected Managed Device Configure the serial port using the Serial Network Serial Port menu see Section 5 1 Select Serial Network Managed...

Page 88: ...w net to remotely access the advanced console server and every machine on the Management LAN subnet at the remote location Configuration of IPsec is quite complex so Black Box provides a simple GUI in...

Page 89: ...mask For example 192 168 0 0 24 indicates an IP address where the first 24 bits are used as the network address This is the same as 255 255 255 0 If the VPN access is only to the console server itself...

Page 90: ...o allows the use of Dynamic IP addresses by both the server and client thus providing client mobility For example an OpenVPN tunnel may be established between a roaming windows client and an Black Box...

Page 91: ...tp openvpn net index php documentation howto html auth For more information also see http openvpn net howto html Select the Device Driver to be used either Tun IP or Tap Ethernet The TUN network tunne...

Page 92: ...LS SCREEN If Server is selected enter the IP Pool Network address and the IP Pool Network mask for the IP Pool The IP Pool Network provides addresses for connecting clients Click Apply To enter authen...

Page 93: ...ng up a VPN connection to a console server Console servers with firmware V3 5 2 and later will generate Windows client config automatically from the GUI for Pre shared Secret Static Key File configura...

Page 94: ...Program Files OpenVPN config client ovpn An example OpenVPN Windows client configuration file description LES1416A_client client proto udp verb 3 dev tun remote 192 168 250 152 port 1194 ca c openvpn...

Page 95: ...ur verb level Set log file verbosity Values range from 0 15 0 silent except for fatal errors 3 medium output logging Good for general use 5 helps with debugging connection problems 9 extremely verbose...

Page 96: ...CBC Triple DES Sets the cryptographic cipher BF CBC Blowfish is the default if no cipher is explicitly set The client and server must use the same settings comp lzo Enables compression on the OpenVPN...

Page 97: ...lly used for connecting single remote Windows clients If you take your portable computer on a business trip you can dial a local number to connect to your Internet access service provider ISP and then...

Page 98: ...nable to encrypt traffic Unencrypted Authentication PAP This is plain text password authentication When using this type of authentication the client password is transmitted unencrypted None No encrypt...

Page 99: ...ord stored in clear text Note the username and password for when you connect to the VPN connection Click Apply 5 11 3 SETUP A REMOTE PPTP CLIENT Ensure the remote VPN client PC has Internet connectivi...

Page 100: ...ss is available even when the remote console server is behind a third party firewall or has a private IP addresses which is often the case when the console server is connected via a cellular modem con...

Page 101: ...lick Apply FIGURE 5 39 CALL HOME CONNECTION This initiates the Call Home connection from the console server to the VCMS creating an SSH listening port on the VCMS and setting the console server up as...

Page 102: ...ected Console Servers section shows the Local Console Servers drop down list which lists all the console servers which are on the same subnet as the VCMS but are not currently being monitored and the...

Page 103: ...dem IP address and DNS details to the downstream device over DHCP and transparently passes network traffic to and from the modem and router While IP Passthrough essentially turns an Black Box into a m...

Page 104: ...r the other interfaces configure as you would normally on the local network For both interfaces leave Gateway blank Configure the modem in Always On Out of band mode For a cellular connection click Sy...

Page 105: ...ring a Routed Data Usage Check under Alerts Logging Auto Response 5 13 6 CAVEATS Some downstream routers may be incompatible with the gateway route This may happen when IP Passthrough is bridging a 3G...

Page 106: ...nt broadband failover Models with an internal cellular modem can be configured for OOB cellular access or for cellular transparent failover or can be configured as a cellular router 6 1 DIAL UP MODEM...

Page 107: ...u change the Serial Settings to 38400 Baud Rate with Hardware Flow Control NOTE You can further configure the console modem port e g to include modem init strings by editing etc mgetty config files as...

Page 108: ...up Earlier firmware only supports one PPP dial in account Chapter 16 has Linux command examples to control modem port operation at the shell 6 2 2 USING SDT CONNECTOR CLIENT Administrators can use the...

Page 109: ...ible distributions This configures the scripts ifup and ifdown to start and stop a PPP connection Using the Gnome control panel configuration tool Using WVDIAL and the Redhat Dialup configuration tool...

Page 110: ...nter the access details for the remote PPP server to be called The Override DNS section is available for PPP Devices such as modems Override DNS allows the use of alternate DNS servers from those prov...

Page 111: ...blished the administrator can connect to the console server via SSH or HTTPS on console servers running firmware 3 0 2 or later and fix the problem When configuring the principal network connection in...

Page 112: ...for OpenDNS used for content filtering To enable Override DNS Check the Override returned DNS Servers checkbox Enter the IP address of the alternative DNS servers in the DNS Server 1 and DNS Server 2...

Page 113: ...wo active broadband access paths to these advanced console servers in the event you are unable to access through the primary management network LAN1 Network or Network1 you can still access it through...

Page 114: ...6 6 SYSTEM IP NETWORK INTERFACE TAB Select Management LAN from the Failover Interface pop up menu Enter the Primary Probe Address and the Secondary Probe Address These are the IP addresses or hostnam...

Page 115: ...3 1 0 and later the advanced console server by default supports automatic failure recovery back to the state prior to the failover The advanced console server continually pings probe addresses while i...

Page 116: ...ion in Always on cellular router or OOB mode or in Failover mode as documented in Section 6 7 6 6 1 CONNECTING TO A GSM HSUPA UMTS CARRIER NETWORK Console server models denoted with R have an internal...

Page 117: ...P LEAVE THE TECH TO US LIVE 24 7 TECHNICAL SUPPORT 1 877 877 2269 FIGURE 6 8 INTERNAL CELLULAR MODEM TAB Check the Enable Dial Out radio button in the Internal Cellular Modem Dial Settings section CHA...

Page 118: ...E APNS CARRIER APN AT T USA i2gold T Mobile USA epc tmobile com Internode Australia internode Telstra Australia telstra internet NOTE The APN is in most cases the only value needed The other fields ca...

Page 119: ...and an activated device are required In this case an activated device is a Black Box console server which has had its ESN Electronic Serial Number registered with an appropriate plan on your carrier s...

Page 120: ...c to your carrier and for manual activation you will have to learn what values your carrier uses in each field Verizon for example has been known to use an MSL of 000000 and the phone number assigned...

Page 121: ...le server install the SIM card provided by your cellular carrier and attach the external aerial Navigate to System Dial Click the Internal Cellular Modem tab Check the Enable Dial Out radio button in...

Page 122: ...equired to unlock the Card You may also need to use Override DNS to set alternate DNS servers from those provided by your carrier If this is necessary On System Dial Internal Cellular Modem check the...

Page 123: ...0 dBm medium to strong 69 dBm very strong RSSI is a measure of the Radio Frequency RF power present in a received radio signal It is generally expressed in decibel milliwatts dBm The best throughput c...

Page 124: ...SIM to the Primary SIM There are two options On Disconnect With this option the console server will failback to the Primary SIM only after the connection on the failover SIM has failed its ping test...

Page 125: ...navailable During this time the page periodically refreshes with status information Upon successful completion the page displays the message Cellular Firmware carrier change completed Multi carrier ca...

Page 126: ...utput is the remote fingerprint followed by the list of actions that would be taken by cell fw update d Download latest firmware for all carriers supported by the modem etc scripts cell fw update d Fl...

Page 127: ...IP address plan you can try accessing the console server using the Public IP Address provided by the carrier By default only HTTPS and SSH access is enabled on the OOB connection you can browse to the...

Page 128: ...ites the console server pings to determine if the principal network is operational If the principal network fails the cellular network connection is activated as the access path to the console server...

Page 129: ...etailed in Section 6 8 6 7 4 CELLULAR CSD DIAL IN CSD is a legacy form of data transmission developed for TDMA based mobile phone systems like GSM CSD uses a single radio time slot to deliver 9 6 kbps...

Page 130: ...network This type of translation is only used for connections originating within the private network destined for the outside public network and each outbound connection is maintained by using a diffe...

Page 131: ...on is only used for connections originating within the private network destined for the outside public network and each outbound connection is maintained by using a different source IP port number Nav...

Page 132: ...be the same as used on the external network That is if the console server is acting as an internet gateway or a cellular router use the ISP provided DNS server address DHCP configuration Navigate to...

Page 133: ...times are the number of seconds a dynamically assigned IP address is valid before the client must request it again Click Apply The DHCP server issue IP addresses sequentially from a specified address...

Page 134: ...e port from a specific interface In most cases this should be left as Any Source Address Address Range This allows the user to restrict access to a port forward to a specific source IP address or IP a...

Page 135: ...e to System Firewall Click the Firewall Rules tab NOTE Prior to firmware v3 4 this tab was labeled Port Rules and fewer firewall rules could be configured Click New Firewall Rule Fill in the following...

Page 136: ...ULE EXAMPLE 1 FIELD PURPOSE Name Administrator s choice Interface Dialout Cellular Port Range 22 Source MAC Address Left blank Source Address Range Left blank Any Destination Range Left blank Protocol...

Page 137: ...he firewall rule is to apply to a particular destination address or address range enter this address or address range in the Destination Address Address Range field As with the Source Address Address...

Page 138: ...Rule it is the equivalent of running one of the following at a shell prompt ip6tables m state state NEW ip6tables m state state ESTABLISHED RELATED For example ip6tables I INPUT p tcp dport 23 m state...

Page 139: ...ware on the User s or Administrator s PC Black Box recommends that you use the SDT Connector client software that is supplied with the console server for this SDT Connector is simple to install and au...

Page 140: ...4 Only these permitted services will be forwarded through by SSH to the host All other services TCP UDP ports will be blocked Following are some of the TCP Ports used by SDT in the console server TAB...

Page 141: ...ernate OOB access It can also access the console server itself and devices connected to the console server s serial ports 7 2 1 SDT CONNECTOR CLIENT INSTALLATION SDT Connector s set up tool SDTConnect...

Page 142: ...GURING A NEW GATEWAY IN THE SDT CONNECTOR CLIENT To create a secure SSH tunnel to a new console server Select File New Gateway or click the New Gateway icon FIGURE 7 5 Enter the IP address or hostname...

Page 143: ...user on the console server has an access profile which has been configured with those specific connected hosts and serial port devices the user has authority to access and a specific set of the enable...

Page 144: ...to be used in accessing that host The SSH tunnel to the gateway is established the appropriate ports redirected through to the host and the appropriate local client application is launched pointing a...

Page 145: ...that will be accessed through that console server and for each host specify the services that will used in communicating with the host Select File New Host or select a gateway and click the Host icon...

Page 146: ...the General tab enter the TCP Port that this service runs on for example port 80 for HTTP Optionally select the client to use to access the local endpoint of the redirection Select which client applic...

Page 147: ...port redirections and associated clients FIGURE 7 12 EDIT SERVICE SCREEN You may also specify Advanced port redirection options Enter the local address to bind to when creating the local endpoint of t...

Page 148: ...of the redirection Three keywords specify the command line format When launching the client SDT Connector substitutes these keywords with appropriate values TABLE 7 2 KEYWORDS KEYWORD DESCRIPTION path...

Page 149: ...e SSH tunnel from the remote computer to the console server 7 3 SDT CONNECTOR TO MANAGEMENT CONSOLE SDT Connector can also be configured for browser access to the gateway s Management Console and for...

Page 150: ...firmware versions prior to v3 3 do the following Navigate to Serial Network Network Hosts Click Add Host In the IP Address DNS Name field enter 127 0 0 1 This is the loopback address Enter Loopback in...

Page 151: ...as the Host Address Optionally add details in the Descriptive Name and Description Notes fields Click OK Click the Serial Port 2 icon for Telnet access to the serial console on the device attached to...

Page 152: ...gateway and telling SDT Connector how to start and stop the OOB connection Starting an OOB connection may be achieved by initiating a dial up connection or adding an alternate route to the console se...

Page 153: ...f Band under Gateway Actions is clicked off at which point the status bar will return to its normal color 7 6 IMPORTING AND EXPORTING PREFERENCES To enable the distribution of pre configured client co...

Page 154: ...tication Essentially what you are using is SSH over SSH and the two SSH connections are entirely separate 7 8 SETTING UP SDT FOR REMOTE DESKTOP ACCESS Microsoft s Remote Desktop Protocol RDP enables t...

Page 155: ...FIGURE 7 18 REMOTE DESKTOP USERS SCREEN Click the Add button to add users to the list of those allowed to remotely access the system using the RDP protocol Click OK to close the Remote Desktop Users...

Page 156: ...appropriate IP address and port number in Computer Where there is a local connection or enterprise VPN connection enter the IP Address of the console server and the port number of the SDT Secure Tunne...

Page 157: ...k Computing VNC Users and Administrators can securely access and control computers running Windows Linux macOS Solaris and UNIX To set up a secure VNC connection you must Install if necessary and conf...

Page 158: ...k the Computer Settings button Check the VNC viewers may control screen with password checkbox Create and enter the password said VNC viewer applications will need to supply Click OK 7 9 2 INSTALL CON...

Page 159: ...it with the TCP port that the SDT tunnel will use The TCP port will be 7900 plus the physical serial port number that is 7901 to 7948 All traffic directed to port 79xx on the console server is tunnele...

Page 160: ...o the console server To do this you must Establish a PPP connection between the host and the gateway See Section 7 10 1 Set up Secure Tunneling Ports on the console server See Section 7 10 2 Configure...

Page 161: ...ion This should be the same users given Remote Desktop access privileges in the earlier step Click Next Select TCP IP in the Network Connections window Click Properties Select Specify TCP IP addresses...

Page 162: ...ar The above notes describe setting up an incoming connection for Windows XP The steps are similar for later versions of Windows although the setup screens present slightly differently If an Incoming...

Page 163: ...s COM port Click Apply RDP and VNC forwarding over serial ports is enabled on a per Port basis You can add Users who can have access to these ports or reconfigure User profiles by navigating to Seria...

Page 164: ...you assigned to the console server when you set it up as the Dial In PPP Server For Internet or local VPN connections this will be the public IP address of the console server Leave the port number as...

Page 165: ...than port 3389 used for RDP in the Destination IP field To set up the secure SSH tunnel from the Client PC to the console server for VNC configure the VNC port redirection by specifying port 5900 in t...

Page 166: ...tus of any attached environmental monitors Some models can also log access and communications with network attached hosts and maintain a history of the UPS and PDU power status If port logs are to be...

Page 167: ...esponse can be triggered again Check Repeat Trigger Actions to repeat trigger actions until the check is resolved Enter any required delay time before repeating trigger actions in Repeat Trigger Actio...

Page 168: ...U TEMPERATURE SELECTED Specify the Trigger value in C or F for temperature and for humidity that the check measurement must exceed or drop below to trigger the AutoResponse Select Comparison type as b...

Page 169: ...e sensor DIO that is to be attached to your EMD or LES1200 8 2 3 UPS AND POWER SUPPLY To use the properties of any attached UPS as the trigger event Select UPS Power Supply as the Check Condition Sele...

Page 170: ...IN SIGNAL OR PATTERN To monitor serial ports and check for login logout or pattern matches for Auto Response triggers events Click on Serial Login Logout as the Check Condition In the Serial Login Lo...

Page 171: ...the USB port labels printed on a console server with two exceptions Some console servers include discrete pairs of USB ports that do not have printed labels In this case the Web interface denotes them...

Page 172: ...xample the Management LAN or Wireless network Set the Check Frequency This is the time in seconds between checks Set the Number of ICMP Ping packets to send Check Save Auto Response 8 2 8 CELLULAR DAT...

Page 173: ...ple etc config test sh Set the Check Frequency This is the time in seconds between re running the script Set the Script Timeout This is the maximum run time for the script Specify the Successful Retur...

Page 174: ...ger on Authentication Error checkbox sets the Auto Response to run when the console s shell returns an authentication error An Auto Response can be set to trigger on one two or all three of these even...

Page 175: ...9 Check Trigger on Authentication Error to trigger when Web UI user authentication fails NOTE This check is not resolvable Resolve actions will not as a consequence run Click Save Auto Response 8 2 1...

Page 176: ...specified Time Period The Auto Response will trigger when the limit is reached in the specified time The Auto Response will resolve if no matching data is routed for the Resolve Period 8 3 TRIGGER AC...

Page 177: ...VAL 8 3 1 SEND E MAIL Select Send Email as the Add Trigger Action Enter a unique Action Name Set the Action Delay Time Specify the Recipient Email Address to send this email to For multiple recipients...

Page 178: ...is the maximum run time for the script Set this at 0 for unlimited time Enter any Arguments that are to be passed to the script Click Save New Action 8 3 5 SEND SNMP TRAP Select Send SNMP Trap as the...

Page 179: ...ed the same way as Trigger Actions except the designated Resolve Actions are all executed on resolution of the trigger condition and there are no Action Delay Times to set 8 5 CONFIGURE SMTP SMS SNMP...

Page 180: ...e phones on their networks There s also a wide selection of SMS gateway aggregators that provide email to SMS forwarding to phones on any carriers Alternately if your console server has an embedded or...

Page 181: ...er requires authentication enter the required Username and Password Optionally enter a Subject Line that will be sent with all notifications NOTE Generally the email subject will contain a truncated v...

Page 182: ...bs are used to configure where and how outgoing SNMP alerts and notifications are sent If you require your console server to send alerts via SNMP a Primary SNMP Manager must be configured Optionally a...

Page 183: ...equired Security Level is authNoPriv or authPrive select an Authentication Protocol either SHA or MD5 and an Authentication Password The password must contain at least 8 characters If the required Sec...

Page 184: ...ter 11 NOTE In a VCMS centrally managed environment you can check the Nagios alert option On the trigger condition for matched patterns logins power events and signal changes an NSCA check warning res...

Page 185: ...and to what level data is to be logged Navigate to Serial Network Serial Port Click Edit for the port to be logged Specify the Logging Level for each port TABLE 8 3 LOGGING LEVEL OPTIONS LEVEL USER CO...

Page 186: ...Specify the logging level that is to be maintained for that particular TCP UDP port service on that particular Host TABLE 8 4 LOGGING LEVEL OPTIONS LOGGING LEVEL DESCRIPTION 0 Turns off logging for th...

Page 187: ...BOX COM NEED HELP LEAVE THE TECH TO US LIVE 24 7 TECHNICAL SUPPORT 1 877 877 2269 CHAPTER 8 ALERTS AUTO RESPONSE AND LOGGING FIGURE 8 18 To activate and set the desired levels of logging for UPS and P...

Page 188: ...configure the console server serial port to operate with a serial COM port redirector in the PC as detailed in Chapter 5 Similarly network attached PDUs can be controlled with a browser with SDT as de...

Page 189: ...he RPC connections that have already been configured will present FIGURE 9 2 Click Add RPC Connected Via presents a list of serial ports and network Host connections that you have set up with device t...

Page 190: ...u will be presented with the IPMI protocol options and the SNMP RPC Types currently supported by the embedded Network UPS Tools If you are connecting to the RPC by a serial port you will be presented...

Page 191: ...given to the RPC will be created The console server will then configure the RPC with the number of outlets specified in the selected RPC Type or will query the RPC itself for this information NOTE Bla...

Page 192: ...ets on each RPC via Serial Network User Groups see Chapter 5 9 1 3 USER POWER MANAGEMENT The Power Manager allows users and administrators to access and control configured serial and network attached...

Page 193: ...you have selected Turn ON Turn OFF Cycle Status FIGURE 9 8 9 1 4 RPC STATUS You can monitor the current status of your network and serially connected PDUs and IPMI RPCs Select Status RPC Status A tabl...

Page 194: ...ith a layered scheme of drivers server and clients It is covered in some detail in Section 9 2 6 9 2 1 MANAGED UPS CONNECTIONS A Managed UPS is a UPS that is directly connected as a Managed Device to...

Page 195: ...GURE 9 12 Serial and network connected UPSes must first be connected to and configured to communicate with the console server For serial UPSes attach the UPS to the selected serial port on the console...

Page 196: ...ion that you set up for that connection will be entered as the Name and Description for the power device Alternatively if you select to Connect Via a USB or serial connection you will need to enter a...

Page 197: ...last gasp actions by triggering Auto Response on the UPS pressing batt or lowbatt See Chapter 8 If you have multiple UPSes and require them to be shut down in a specific order specify the Shutdown Or...

Page 198: ...hardware directly from the command line 9 2 2 REMOTE UPS MANAGEMENT A Remote UPS is a UPS that is connected as a Managed Device to some remote console server that is being monitored but not managed by...

Page 199: ...ame must be the name that the remote UPS was configured with on the remote console server as the remote console server may itself have multiple UPSes attached that it is managing locally with NUT Opti...

Page 200: ...own of the computer For example non critical servers may be powered down some seconds after the UPS starts running on battery where more critical servers may not be shut down until a low battery warni...

Page 201: ...UPS Status A table with the summary status of all connected UPS hardware will display FIGURE 9 21 Click on any given UPS System name in the table More detailed graphical information on the select UPS...

Page 202: ...n cache the status from multiple UPSes and then serve this status data to many clients upsd also contains access control features to limit the abilities of the clients for example so only authorized h...

Page 203: ...the unit DIO1 and DIO2 are two TTL level digital I O ports 5V max 20mA OUT1 and OUT2 are two High Voltage digital output ports 5V to 30V 100mA LES1600 models ship with a built in black spring cage I...

Page 204: ...n 4 Due to the way that the I O port is connected internally the output has to be set high to pull the output to ground The following command will switch on the led ioc p 4 d 0 v 1 OUT1 and OUT2 trans...

Page 205: ...ATUS MIB ogDioStatusCounter 1 Counter64 0 OG STATUS MIB ogDioStatusCounter 2 Counter64 0 OG STATUS MIB ogDioStatusCounter 3 Counter64 0 OG STATUS MIB ogDioStatusCounter 4 Counter64 0 OG STATUS MIB ogD...

Page 206: ...entication can be performed locally or remotely using an LDAP Radius Kerberos or TACACS authentication server The default authentication method for the console server is Local Any authentication metho...

Page 207: ...on server Multiple remote servers may be specified in a comma separated list Each server is tried in succession Session accounting is on by default If session accounting information is not wanted chec...

Page 208: ...ntrol System TACACS security protocol is a protocol developed by Cisco It provides detailed accounting information and flexible administrative control over the authentication and authorization process...

Page 209: ...ser and group definitions Performing simple authentication against any LDAP server AD or OpenLDAP is straight forward as they both follow the common LDAP standards and protocols The harder part is con...

Page 210: ...r what parameters to use the descriptions for these fields have been updated to prompt the user for common or likely attributes For example the two configuration fields have descriptions as follows LD...

Page 211: ...ificate signed using the certificate myCA crt NOTE The certificate must be in CRT format and myCA crt must be installed onto the console server at etc config ldaps_ca crt The filename must be ldaps_ca...

Page 212: ...ified and will still need locally defined users NOTE To interact with RADIUS TACACS and LDAP with console server firmware v2 4 2 and earlier user accounts on the local console server must also be set...

Page 213: ...nformation and restart the Radius server When using RADIUS authentication group names are provided to the console server using the Framed Filter Id attribute This is a standard RADIUS attribute and ma...

Page 214: ...or access and users for general user access TomFraser Cleartext Password FraTom70 Framed Filter Id group_name admin AmandaJones Cleartext Password JonAma83 FredWhite Cleartext Password WhiFre62 Framed...

Page 215: ...er Complete the fields for standard LDAP authentication including LDAP Server Address Server Password LDAP Base DN LDAP Bind DN and LDAP User Name Attribute Enter memberOf for LDAP Group Membership At...

Page 216: ...motely authenticated user privileges The first is to set the priv lvl and port attributes of the raccess service to 12 See Section 10 2 for more information Additionally or alternatively group names c...

Page 217: ...f authentication does not provide group information so a local user with the same username must be created and permissions set NOTE Kerberos is sensitive to time differences between the Key Distributi...

Page 218: ...nijhof pam_tacplus LDAP pam_ldap http padl com OSS pam_ldap html Further modules can be added as required Changes made to files in etc config pam d will persist even if the authentication configurator...

Page 219: ...ommend that you generate and install a new base64 X 509 certificate that is unique for each particular console server To generate a new base64 X 509 certificate the console server must be enabled to g...

Page 220: ...igning Request CSR generation is initiated Click Download to copy the CSR to your administration machine Send the saved CSR string to a Certification Authority CA for certification You will get the ne...

Page 221: ...gios forms the core of many leading commercial system management solutions such as GroundWork https gwos com Nagios does take some time to install and configure Once it is up and running it provides a...

Page 222: ...gios monitoring server Check the Disable SDT Nagios Extensions option to disable SDT Connector integration with your Nagios server at the head end Only check to run vanilla Nagios monitoring If not en...

Page 223: ...server and the NRPE server with SSL encryption without SSL or tunneled through SSH The security for the connection is configured at the Nagios server 11 2 3 ENABLE NSCA MONITORING NSCA is the mechani...

Page 224: ...red for Nagios checks See Section 5 4 for details on enabling Nagios monitoring for Hosts that are network connected to the console server To enable Nagios to monitor on a device connected to the cons...

Page 225: ...eck which will be run on this host Select Check Permitted TCP or Check Permitted UDP to monitor a service that you have previously added as a permitted service Alternatively select Check TCP or Check...

Page 226: ...executed once over the period of the check interval If NRPE is enabled then the upstream server will be able to request status updates under its own scheduling 11 3 ADVANCED DISTRIBUTED MONITORING CO...

Page 227: ...USER1 check_nrpe H 192 168 254 147 p 5666 c check_serial_ HOSTNAME define service service_description Serial Status host_name server use generic service check_command check_serial_status define servic...

Page 228: ...ce service_description port log server host_name server use generic service check_command check_port_log active_checks_enabled 0 passive_checks_enabled 1 define servicedependency name Black Box_nrpe_d...

Page 229: ...dependent_host_name server dependent_service_description Host Ping service_description NRPE Daemon execution_failure_criteria w u c SSH Port define command command_name check_conn_via_Black Box comma...

Page 230: ...ck a connected host or service This status is communicated to the Nagios server which uses the results to monitor the status of the network Console servers are preconfigured with a selection of checks...

Page 231: ...mp check_spop check_ssh check_ssmtp check_swap check_tcp check_time check_udp check_ups check_users To get these plug ins from the Nagios plug ins package contact Black Box Technical Support at 877 87...

Page 232: ...OUS CHECKS BEFORE TIMEOUTS NO ENCRYPTION 3DES SSH TUNNEL 1 port and 2 port 30 20 25 8 port 30 20 25 16 port and 48 port 30 25 35 The results were from running tests 5 times in succession with no timeo...

Page 233: ...atch The console server may be augmented at the local office site by one or more Intelligent Power Distribution Units IPDUs to remotely control the power supply to the managed devices REMOTE SITE In t...

Page 234: ...hrough NSCA NAGIOS Internet SSH travel initiated for remote site NRPE Server at branch server s request Console Server FIGURE 11 9 Another may be to provide an SSH tunnel to allow the Nagios server to...

Page 235: ...lt settings To effect a soft reset Navigate to System Administration Select Reboot Click Apply The console server reboots with all settings for example the assigned network IP address preserved This s...

Page 236: ...com to get the latest firmware For LES1600 family you will need LES1600 flash For LES1500 family you will need LES1516A LES1532A LES1548A flash For LES1708A 16 32 48 you will need LES1700 flash Save t...

Page 237: ...x and click Set Time NOTE With firmware v3 2 0 and later the Time Zone can also be set to UTC which replaced Greenwich Mean Time as the World standard for time in 1986 Configuring NTP ensures the Blac...

Page 238: ...BACKUP CONFIGURATION We recommend that you back up the console server configuration whenever you make significant changes such as adding new Users or Managed Devices or before performing a firmware up...

Page 239: ...onsole server Navigate to System Configuration Backup Select the Local Backup tab Click click here to proceed This will set a Volume Label on the USB storage device This preparation step is only neces...

Page 240: ...storage device This specially prepared USB storage device Must be formatted with a Windows FAT32 VFAT file system on the first partition or the entire disk Most USB thumb drives are sold already form...

Page 241: ...e OpenVPN tunnel or modify system time Click the Commit Config button This will generate the System Commit Configuration screen displaying all the configurators to be run FIGURE 12 10 Click Apply All...

Page 242: ...d by NIST for use government wide NIST develops FIPS when there are government requirements such as for security and interoperability and no acceptable industry options Black Box advanced console serv...

Page 243: ...m the command line login and run these commands config s config system fips on touch etc config FIPS chmod 444 etc config FIPS flatfsd b The final command saves to flash and reboots the unit The unit...

Page 244: ...e v3 11 and later the Status Active Users menu has been extended to enable Administrators to selectively terminate serial sessions Connection types telnet SSH raw TCP and unauthenticated telnet can be...

Page 245: ...all ports choose tester in the Users box and All ports in the Ports box then click Disconnect Sessions NOTE You can also disconnect serial sessions from the command line using the disconnect option wi...

Page 246: ...erial number can be retrieved there is now a Feature Set section displaying the serial number LES1200 LES1508A LES1600 LES1516A LES1532A LES1548A and LES1700 can display their serial number For device...

Page 247: ...only those entries that include the specified pattern 13 5 DASHBOARD The Dashboard provides the administrator with a summary of the status of the console server and its Managed Devices Custom dashboa...

Page 248: ...onfigure which of these widgets is to be displayed where Go to the Dashboard layout panel and select the widgets to display in each Widget Slot Click Apply NOTE Dashboard configuration is stored in et...

Page 249: ...evices or click the Manage Devices icon in the top right of the UI admin group users are presented with a list of all configured Managed Devices and their constituent connections user group users only...

Page 250: ...browser The Web Terminal service uses AJAX to enable the browser to connect to the console server using HTTP or HTTPS as a terminal without additional client installation on the user s PC Browser acc...

Page 251: ...ply Administrators can now communicate with the console server shell from their browser Select Manage Terminal to display the Web Terminal from which you can log in to the console server command line...

Page 252: ...Terminal feature was introduced in firmware v3 3 Earlier releases had an open source jcterm java terminal applet that could be downloaded into your browser to connect to the console server and attach...

Page 253: ...or serial port using SSH NOTE SDT Connector must be installed on the computer you are browsing from and the console server must be added as a gateway as detailed in Chapter 7 14 4 POWER MANAGEMENT Adm...

Page 254: ...to configure the console server and ensure the changes are stored in the console server s flash memory etc In particular the config utility allows manipulation of the system configuration from the com...

Page 255: ...path TABLE 15 1 CONFIG OPTIONS OPTION DESCRIPTION a run all Run all registered configurators This performs every configuration synchronization action pushing all changes to the live system h help Disp...

Page 256: ...ing config commands Incorrect spelling for a node will not be flagged Most configurations made to the XML file will be immediately active To make sure that all configuration changes are active especia...

Page 257: ...bridge mode All these modes are mutually exclusive CONSOLE SERVER MODE The command to set the port in portmanager mode config s config ports port5 mode portmanager To set the following optional confi...

Page 258: ...rts port5 mode sdt config s config ports port5 sdt ssh on To configure a username and password when accessing this port with Username user1 and Password secret config s config ports port sdt username...

Page 259: ...u see config users total this means you have 0 Users configured Your new User will be the existing total plus 1 So if the previous command gave you 0 then you start with user number 1 if you already h...

Page 260: ...ers user1 John config s config sdt hosts host5 users total 1 The last command sets the total number of users having access to host To give another user called Peter access to the same host config s co...

Page 261: ...groups total 1 The second command sets the total number of groups with access to host To give another group called Group8 access to the same host config s config sdt hosts host5 groups group2 Group8...

Page 262: ...entiction and authorization servers In the second command comma separated list is a list of remote accounting servers If unset Authentication and Authorization Server Address will be used To configure...

Page 263: ...config s config sdt hosts host4 device type ups config s config sdt hosts host4 tcpports tcpport1 22 config s config sdt hosts host4 tcpports tcpport1 loglevel 0 config s config sdt hosts host4 udppor...

Page 264: ...168 3 10 config s config devices device2 connections connection1 type Host config s config devices device2 name OfficePC config s config devices device2 description MyPC config s config devices total...

Page 265: ...config s config cascade slaves slave1 address 192 168 0 153 config s config cascade slaves slave1 description Office 42 config s config cascade slaves slave1 label cm7116 5 config s config cascade sl...

Page 266: ...iption Room 5 UPS config s config ups monitors monitor1 username user2 config s config ups monitors monitor1 password A secret for 2 config s config ups monitors monitor1 sdorder 2 config s config ups...

Page 267: ...en deleting a managed UPS REMOTE UPSES To add a remote UPS with the following details assuming this is our first remote UPS TABLE 15 8 REMOTE UPSES SETTING VALUE UPS name oldUPS Description Room 2 UPS...

Page 268: ...ion Driver argument argument Logging enabled Log interval 600 seconds Number of power outlets 4 Run the following commands config s config ports port2 power type APC 7900 config s config ports port2 p...

Page 269: ...ections connection1 type type config s config devices total 8 type can be serial Host UPS or RPC To delete the above managed device config d config devices device8 NOTE The config devices total total...

Page 270: ...eps below THE GENERAL SETTING FOR ALL ALERTS Assume this is our second alert and we want to send email alerts to john Black Box com and sms alerts to peter Black Box com config s config alerts alert2...

Page 271: ...tream config s config alerts alert2 pattern 0 0 id config s config alerts alert2 port10 on config s config alerts alert2 sensor temp config s config alerts alert2 signal DSR config s config alerts ale...

Page 272: ...alarmrange mon until min 30 config s config alerts alert2 description description config s config alerts alert2 sensor temp config s config alerts alert2 signal DSR config s config alerts alert2 type...

Page 273: ...config s config system smtp password2 A little secret for 2 config s config system smtp subject2 SMTP alerts In both setups the value for encryption can be SSL TLS or None The following command will s...

Page 274: ...eter will prompt the user for a password Enter the desired string and press Return config will accept and encrypt the string NOTE Any config element value can be encrypted using the P parameter Only e...

Page 275: ...v6 enabled on To enable the management LAN interface run the following command config d config interfaces lan disabled config r ipconfig NOTE Not all devices have a management LAN interface To configu...

Page 276: ...olumn in the Gregorian Year are theoretically optional it is strongly recommended that these values be set explicitly The second command saves this new system time to the hardware clock Alternatively...

Page 277: ...lback phone number 0800223665 User to dial as user1 Password for user A little secret for 2 Run the following commands config s config console ppp localip 172 24 1 1 config s config console ppp remote...

Page 278: ...you do not wish to use out of band dial in access the procedure for enabling start up messages on the console port is documented in chapter 14 3 2 The following command will synchronize the live syste...

Page 279: ...s lan dhcpd pools pool1 end 192 168 0 100 config s config interfaces lan dhcpd pools total 1 config s config interfaces lan dhcpd staticips staticip1 ip 192 168 0 50 config s config interfaces lan dhc...

Page 280: ...s TABLE 15 18 DEFAULT PORT NUMBERS SERVICE DEFAULT PORT NUMBER Telnet 2000 SSH 3000 TCP 4000 RFC2217 5000 unauthtel Unauthorized Telnet 6000 To set secondary port ranges for any service the following...

Page 281: ...system nagios name cm7116 config s config system nagios address 192 168 0 1 config s config system nagios server address 192 168 0 10 config s config system nagios sdt disabled on config s config syst...

Page 282: ...nterval 2 minutes NSCA port 5650 Defaults to 5667 User to run as user1 Defaults to nsca Group to run as group1 Defaults to nobody Run the following commands config s config system nagios nsca enabled...

Page 283: ...anagement raw data access to the ports and modems iptables modifications and updating IP filtering rules retrieving status information using SNMP and modifying SNMP with net snmpd public key authentic...

Page 284: ...failover alert All these scripts do a check to see whether you have created a custom script to run instead The code that does this check is shown below an extract from the file etc scripts portmanage...

Page 285: ...cript from the new script to prevent an infinite loop The pmpower utility is used to send power commands to RPC device in order to power cycle our telecom device pmpower l port01 o 3 cycle The RPC is...

Page 286: ...e script to delete user 3 then user 4 will become user 3 and user 5 will become user 4 This creates an obvious complication as this script does not check for any other dependencies that the node being...

Page 287: ...in xml LASTFIELD 1 ROOTNODE 1 NUMBER echo LASTFIELD sed s a zA Z g TOTALNODE echo 1 sed s 1 total TOTAL config g TOTALNODE sed s NEWTOTAL TOTAL 1 Make backup copy of config file cp etc config config...

Page 288: ...echo WARNING TOTALNODE greater than number of items fi COUNTER 1 while COUNTER TOTAL NUMBER 1 do config g ROOTNODE LASTFIELDTEXT NUMBER COUNTER while read LINE do config s echo LINE sed e s LASTFIELDT...

Page 289: ...tc config rc local using vi or another text editor Add the following line to rc local etc config scripts ping detect 192 168 22 2 bin bash c pmpower l port01 o 3 cycle date tmp output log The above co...

Page 290: ...nineteen configurators each one responsible for a specific group of config For example the users configurator makes the user configurations in the config xml file live To see all the available config...

Page 291: ...c Set volume label save file Save configuration to USB delete file Delete a configuration tarball from USB list List available config backups on USB load file Load a specific config from USB load defa...

Page 292: ...a restore Backup and restore should be done by the root user to ensure correct file permissions are set The config command is used to create a backup tarball config e Output File The tarball will be s...

Page 293: ...Generates a BREAK on the connected to serial port h h Generates a history on the connected to serial port Depends on port logging being enabled p p Opens the power menu for the connected to serial por...

Page 294: ...ort session see the control codes table immediately below The second command killall HUP portmanager tells portmanager to reload the configuration so that the new control code will take effect Rebooti...

Page 295: ...orts If users are connected it will respond with a sorted list of usernames per active port For example Port 1 user1 user2 Port 2 user1 Port 8 user2 The above output indicates that a user named user1...

Page 296: ...robertw u pchunt n 4 n 6 Disconnect users robertw pchunt from ports 4 6 y n y 10 sessions were disconnected pmusers disconnect u tester no prompt No sessions were disconnected portmanager d mon There...

Page 297: ...the serial port If you wish to communicate with the port use pmshell or pmchat from within the script If the script cannot be executed the alert will be mailed to the address configured in the system...

Page 298: ...t things are done to the serial port outside of portmanager 16 3 2 ACCESSING THE CONSOLE MODEM PORT Console dial in is handled by mgetty with automatic PPP login extensions mgetty is a smart getty rep...

Page 299: ...cripts firewall post containing iptables commands to amend the firewall policy Thorough documentation regarding iptables is available at the Linux netfilter website at https netfilter org documentatio...

Page 300: ...heckbox for the required interface This allows SNMP requests through the specified interface s firewall 16 5 3 CHECK FIREWALL RULES Console servers support different SNMP versions including SNMPv1 SNM...

Page 301: ...ation of the Black Box and will be used in response to requests for the SNMPv2 MIB sysLocation 0 of the device The Contact field refers to the person responsible for the Black Box such as the System A...

Page 302: ...Level of auth set the Auth Protocol SHA or MD5 and the Auth Password A password of at least 8 characters is required For a Security Level of priv set the Privacy Protocol DES or AES and the Privacy P...

Page 303: ...ell as root or an admin user Set the SNMP Manager Address field config set config system snmp address3 w x y z replacing w x y z with the IP address or hostname Set the Manager Trap Port field config...

Page 304: ...pload the keys to the master and to each slave console server fingerprint each connection to validate 16 6 1 SSH OVERVIEW Popular TCP IP applications such as telnet rlogin ftp and others transmit thei...

Page 305: ...r identification has been saved in home user ssh id_ r dsa Your public key has been saved in home user ssh id_ r dsa pub The key fingerprint is 28 aa 29 38 ba 40 f4 11 5e 3f d4 fa e5 36 14 d6 user ser...

Page 306: ...or UNIX based system in ssh id_dsa pub Given this run the following command from the Linux or UNIX based system scp ssh id_dsa pub root 192 168 0 1 etc config users fred ssh authorized_keys This copie...

Page 307: ...ich includes the key generator PuTTYgen exe is used in the following procedure Before beginning make sure you have the most recent PuTTYgen release installed PuTTYgen is available for download from ht...

Page 308: ...o StrictHostKeyChecking no testuser server ip This will run the tunnel redirecting local port 9001 to the server port 4001 16 6 6 FINGERPRINTING Fingerprints are used to ensure you are establishing an...

Page 309: ...ed If the host key has legitimately changed it can be removed from the ssh known_hosts file and the new fingerprint added If it has not changed legitimately this indicates a serious problem that shoul...

Page 310: ...o your situation keys may be generated on the console servers themselves It is possible to generate only one set of keys and reuse them for every SSH session While this is not recommended each organiz...

Page 311: ...ating public private rsa key pair Enter file in which to save the key keys control_room Enter passphrase empty for no passphrase Enter same passphrase again Your identification has been saved in keys...

Page 312: ...shut down any existing tunnels that were established using password authentication If you have a host behind the console server that you connect to by clicking the SSH button in SDT Connector you can...

Page 313: ...y form and does not officially recommend any specific binary distributions The project does however maintain a page on its community wiki https wiki openssl org index php Binaries This page lists 3rd...

Page 314: ...t as follows Edit the inetd configuration file From the unit command line vi etc config inetd conf Append a line 443 stream tcp nowait root sslwrap cert etc config ssl_cert pem key etc config ssl_key...

Page 315: ...ot interpreted by powerman and is reported as received from the RPC on one line per target prefixed by target name h help Display option summary L license Show powerman license information d destinati...

Page 316: ...utlet u username p password action TABLE 16 10 PMPOWER OPTIONS OPTION NOTES h This help message The serial port to use o The outlet on the power target to apply to r The remote host address for the po...

Page 317: ...l This file can be created on a host system and copied to the Management Console device using scp Alternatively login to the Management Console and use ftp or wget to transfer files Here is a brief de...

Page 318: ...d and set LAN configuration parameters and perform remote chassis power control The ipmitools man page is not shipped with Black Box hardware It is reproduced below Synopsis ipmitool c h v V I open co...

Page 319: ...lves minor hacks in place in the code to work around quirks in various BMCs from various manufacturers Use o list to see a list of current supported OEM types p port Remote server UDP port to connect...

Page 320: ...placed at the end of commands to get option usage help raw Send a RAW IPMI request and print response lan Configure LAN Channels chassis Get chassis status and set power state event Send pre defined...

Page 321: ...ance you are working with from ftp ftp Black Box com cdk Further information is avalable at http Black Box com faq284 html 16 12 SCRIPTS FOR MANAGING SLAVES When the console servers are cascaded the M...

Page 322: ...e to a WAP or MMS capable mobile phone The program can be run as an SMS daemon which can be started automatically when the operating system starts High availability can be ensured by using multiple GS...

Page 323: ...b drive Login via the CLI to complete configuration using setup wizard Optional On VCMS use enrollment wizard to automatically place appliances under management This may be local routable appliances o...

Page 324: ...pem Set up a HTTPS server that restricts access to the opg or xml file for HTTPS connections providing the client certificate Put a copy of the CA cert that signed the HTTP server s certificate onto t...

Page 325: ...t section Each URL in the list obtained from option 43 sub option 1 is tried in sequence until one succeeds the URL undergoes substring replacement from the following table TABLE 16 14 URL SUB STRING...

Page 326: ...t 16 17 INTERNAL STORAGE Some models have an internal USB flash drive a non volatile NAND flash partition or both which can be used by portmanager for log storage and the TFTP FTP server for file stor...

Page 327: ...eady exist 16 17 4 MOUNTING A PREFERRED USB DISK BY LABEL Currently the first USB storage device is mounted at var mnt storage usb by detecting the lowest numbered disk partition for example dev sda1...

Page 328: ...standard uCLinux commands ucl Busybox commands bb and some custom Black Box commands og included in the default build tree The shorthand immediately right of each listed command shows which source is...

Page 329: ...attern gunzip bb Compress or expand files gzip bb Compress or expand files hd ucl ASCII decimal hexadecimal octal dump hostname bb Get or set hostname or DNS domain name httpd ucl Listen for incoming...

Page 330: ...ns routing tables interface statistics etc ntpd ucl Network Time Protocol NTP d mon pgrep ucl Display process es selected by regex pattern pidof ucl Find the process ID of a running program ping ucl S...

Page 331: ...rial port redirector ssh ucl OpenSSH SSH client remote login program ssh keygen ucl Authentication kkey generation management and conversion sshd ucl OpenSSH SSH d mon stty ucl Change and print termin...

Page 332: ...tivated by running the relevant configurator which performs the action necessary to make the configuration changes live portmanager which provides a buffered interface to each serial port It is suppor...

Page 333: ...name complete pr DE name continue n declare aAfFgilnrtux p name value dirs clpv N N disown ar h jobspec pid echo neE arg enable a dnps f filename name eval arguments exec cl a name command arguments...

Page 334: ...ile commands do commands done while test commands do consequent commands done A 2 SOURCE CODE Many console server software components are licensed under the GNU General Public License Version 2 A copy...

Page 335: ...e code openly available from http denx de wiki U Boot The console server CGIs the html code xml code and web config tools for the Management Console are proprietary to Black Box The code will be provi...

Page 336: ...ed and used in accordance with the instruction manual may cause harmful interference to radio communications Operation of this equipment in a residential area is likely to cause harmful interference i...

Page 337: ...tes que impidan el flujo de aire por los orificios de ventilaci n 10 El equipo el ctrico deber ser situado fuera del alcance de fuentes de calor como radiadores registros de calor estufas u otros apar...

Page 338: ...A and LES1600 models have Cisco Straight serial pinouts on their RJ 45 connectors The LES1700 has software selectable Cisco Straight or Cisco Rolled RJ 45 CISCO STRAIGHT RJ 45 PINOUT Straight through...

Page 339: ...Black Box console server is supplied with UTP CAT5 cables C 3 RS 232 STANDARD PINOUTS The RS 232 pinout standards for the DB9 and DB25 connectors are listed in the table below TABLE C 3 RS 232 STANDA...

Page 340: ..._______________________________________________________________ C 5 TCP AND UDP PORT NUMBERS Port numbers are divided into three ranges Well Known Ports Registered Ports and Dynamic Private Ports Well...

Page 341: ...NDIX C CONNECTIVITY TCP PORTS AND SERIAL I O TABLE C 5 CONTINUED TCP AND UDP PORT NUMBERS PORT NUMBER PROTOCOL TCP UDP 53 DNS UDP 67 BootP server UDP 68 BootP client UDP 69 TFTP UDP 70 Gopher TCP 79 F...

Page 342: ...nformation about an entity and the entity s public key thus binding these two pieces of information together A certificate is issued by a trusted organization or entity called a Certification Authorit...

Page 343: ...s The MAC address is used by the local Internet router in order to direct console server traffic to it rather than something else in the local area It is a 48 bit number usually written as a series of...

Page 344: ...redirection to serial remote managers can view the BIOS POST output during power on and reconfigured SSH Secure Shell is secure transport protocol based on public key cryptography SSL ecure Sockets La...

Page 345: ...e consequential or cost of cover damages resulting from any errors in the product information or specifications set forth in this document and Black Box Corporation may revise this document at any tim...

Page 346: ..._________________________________________________________ __________________________________________________________________________________________________ ___________________________________________...

Page 347: ...________ __________________________________________________________________________________________________ ____________________________________________________________________________________________...

Page 348: ...COPYRIGHT 2016 BLACK BOX CORPORATION ALL RIGHTS RESERVED NEED HELP LEAVE THE TECH TO US LIVE 24 7 TECHNICAL SUPPORT 1 877 877 2269...

Reviews:

No comments

Brands by name

Popular brands

Load more brands