manualshive.com logo in svg

Opengear ACM7000, User Manual

The Opengear ACM7000 is a reliable and versatile console server for secure remote access and management of network devices. Ensure smooth operations with the comprehensive User Manual available for free download on our website. Make the most of your ACM7000 with detailed instructions and troubleshooting tips. Download it now!

Share
Download
background image

Chapter 8: 

Authentication

 

 

 

178

 

 

 

2.

 

Enter the 

Server Address

 (IP or host name) of the remote Authentication / Authorization server.

 

Multiple remote servers may be specified in a comma separated list. Each server is tried in 

succession 

3.

 

Session accounting is on by default. If session accounting information is not wanted, check the 

Disable Accounting

 checkbox. (One reason for not wanting session accounting: if the 

authentication server does not respond to accounting requests, said request may introduce a 

delay when logging in.) 

4.

 

In addition to multiple remote servers you can also enter for separate lists of 

Authentication/Authorization servers and Accounting servers. If no Accounting servers are 

specified, the Authentication/Authorization servers are used instead 

5.

 

Enter the 

Server Password 

6.

 

Click 

Apply. 

RADIUS remote authentication is used for all user access to console server and 

serially or network attached devices

 

8.1.4  LDAP authentication 

LDAP authentication supports OpenLDAP servers, using the Posix style schema for user and group 

definitions. 

Performing authentication against any LDAP server (AD or OpenLDAP) is straightforward, as they both 

follow the common LDAP standards and protocols. The harder part is configuring how to get the extra 

data about the users (the groups they are in, etc). 

On an Opengear device, we may be configured to look at group information from an LDAP server for 

authentication and authorization. This group information is stored in a number of different ways. Active 

Directory has one method, and OpenLDAP has two other methods: 

 

Active Directory: Each entry for a user will have multiple 'memberOf' attributes. Each 'memberOf' 

value is the full DN of the group they belong to. (The entry for the user will be of objectClass 

"

user

") 

 

OpenLDAP / Posix: Each entry for a user must have a 'gidNumber' attribute. This will be an integer 

value, which is the user's primary group (eg. mapping to the /etc/passwd file, with the group ID 

field). To determine which group this is, we must search for an entry in the directory that has that 

group ID, which will give us the group name. (The users are of objectClass "

posixAccount

", and 

the groups are of objectClass "

posixGroup

"). 

 

OpenLDAP / Posix: Each group entry in the group tree (of objectClass 

'posixGroup'

) may have 

multiple 'memberUid' attributes. These represent secondary groups (eg. mapping to the 

/etc/groups file). Each attribute would contain a username. 

Summary of Contents for ACM7000

Page 1: ...User Manual ACM7000 Remote Site Gateway ACM7000 L Resilience Gateway IM7200 Infrastructure Manager CM7100 Console Servers Version 4 6 2019 09 11...

Page 2: ...nts FCC Warning Statement This device complies with Part 15 of the FCC rules Operation of this device is subject to the following conditions 1 This device may not cause harmful interference and 2 this...

Page 3: ...ed or implied including but not limited to the implied warranties of fitness or merchantability for a particular purpose Opengear may make improvements and or changes in this manual or in the product...

Page 4: ...73 3 15 ENROLLMENT INTO LIGHTHOUSE 75 4 FIREWALL FAILOVER OOB ACCESS 76 4 1 DIALUP MODEM CONNECTION 76 4 2 OOB DIAL IN ACCESS 76 4 3 DIAL OUT ACCESS 79 4 4 OOB BROADBAND ETHERNET ACCESS 83 4 5 BROADBA...

Page 5: ...OVERVIEW 193 9 2 CONFIGURING NAGIOS DISTRIBUTED MONITORING 194 9 3 ADVANCED DISTRIBUTED MONITORING CONFIGURATION 199 10 SYSTEM MANAGEMENT 207 10 1 SYSTEM ADMINISTRATION AND RESET 207 10 2 UPGRADE FIR...

Page 6: ...d devices Users when authorized can access and control serial or network connected devices using specified services e g Telnet HHTPS RDP IPMI Serial over LAN Power Control Remote users are users who a...

Page 7: ...p to date information on what s included with your console server visit the What s included section for your particular product Quick Start Guide This guide that shipped with your console server takes...

Page 8: ...up steps make sure that There are no other devices on the LAN with an address of 192 168 0 1 The console server and the computer are on the same LAN segment with no interposed router appliances 2 1 1...

Page 9: ...as a cellular modem you will be given the steps to configure the cellular router features Configure the cellular modem connection System Dial page See Chapter 4 Allow forwarding to the cellular destin...

Page 10: ...d in the Password and Confirm fields NOTE Checking Save Password across firmware erases saves the password so it does not get erased when the firmware is reset If this password is lost the device will...

Page 11: ...e used to display a message of the day text to users It appears on the upper left of the screen below the Opengear logo 4 Click Apply 2 3 Network Configuration Enter an IP address for the principal Et...

Page 12: ...dress The console server MAC address can be found on a label on the base plate 5 You may enter a secondary address or comma separated list of addresses in CIDR notation e g 192 168 1 1 24 as an IP Ali...

Page 13: ...dia Auto config interfaces wan mode static config interfaces wan mtu 1380 config interfaces wan netmask 255 255 255 0 2 3 1 IPv6 configuration NOTE IPv6 passthrough is not supported with this release...

Page 14: ...console server 1 Click System IP and scroll down the Dynamic DNS section Select your DDNS service provider from the drop down Dynamic DNS list You can also set the DDNS information under the Cellular...

Page 15: ...the console server is accessed remotely over the Internet Alternate HTTP lets you to configure an alternate HTTP port to listen on The HTTP service will continue listening on TCP port 80 for CMS and...

Page 16: ...config files maintain access and transaction logs etc Files transferred using tftp and ftp will be stored under var mnt storage usb tftpboot or var mnt storage nvlog tftpboot on ACM7000 series devices...

Page 17: ...e server s network interfaces Depending on the particular console server model the interfaces displayed may include Network interface for the principal Ethernet connection Management LAN OOB Failover...

Page 18: ...default once protection is enabled 3 or more failed connection attempts within 60 seconds from a specific source IP trigger it to be banned from connecting for a configurable time period Attempt limi...

Page 19: ...o hosts that are network connected to the console server can be found in Chapter 5 SDT Connector can be installed on Windows PCs Mac OS X and on most Linux UNIX and Solaris systems 2 6 Management Netw...

Page 20: ...eave the DNS fields blank 3 Click Apply The management gateway function is enabled with default firewall and router rules configured so the Management LAN is only accessible by SSH port forwarding Thi...

Page 21: ...n seconds This is the amount of time that a dynamically assigned IP address is valid before the client must request it again 7 Click Apply The DHCP server issues IP addresses from specified address po...

Page 22: ...sing the console server an alternate access path is used To enable failover 1 Select the Network Interface page on the System IP menu 2 Select the Failover Interface to be used in the event of an outa...

Page 23: ...y retain their unique MAC addresses o With bonding the network traffic is carried between the ports but present with one MAC address Both modes remove all the Management LAN Interface and Out of Band...

Page 24: ...s Select a country from the Country list or if it isn t there select the World Regulatory Domain Select a unique SSID for the network Broadcast SSID Tick this to broadcast the SSID Network Channel Sel...

Page 25: ...f that hardware mode is selected WPA Password The password that clients use to connect to the AP 3 Once the Wireless AP Settings have been filled out click Apply Wait for the page to refresh The next...

Page 26: ...he appropriate SSID Set Service Identifier of the wireless access point to connect to o Select the Wireless Network Type where Infrastructure is used to connect to an access point and Ad hoc to connec...

Page 27: ...uter that will routes packets to the destination network This may be left blank 7 Select the Interface to use to reach the destination may be left as None 8 Enter a value in the Metric field that repr...

Page 28: ...hapter 8 Network Hosts configuring access to local network connected computers or appliances hosts Configuring Trusted Networks nominate IP addresses that trusted users access from Cascading and Redir...

Page 29: ...mode Click Edit next to the port to be reconfigured Or click Edit Multiple Ports and select which ports you wish to configure as a group 3 When you have reconfigured the common settings and the mode f...

Page 30: ...lled Set the DTR mode This allows you to choose if DTR is always asserted or only asserted when there is an active user session Before proceeding with further serial port configuration you should conn...

Page 31: ...on the console server SDT Connector can be installed on Windows PCs and most Linux platforms and it enables secure Telnet connections to be selected with point and click To use SDT Connector to acces...

Page 32: ...RAW TCP also enables the serial port to be tunneled to a remote console server so two serial port devices can transparently interconnect over a network see Chapter 3 1 6 Serial Bridging RFC2217 Selec...

Page 33: ...to the serial port using a specific IP address specified in CIDR format Each serial port can be assigned one or more IP aliases configured on a per network interface basis A serial port can for examp...

Page 34: ...ted before being sent as a packet over the network Escape Character Change the character used for sending escape characters The default is Replace Backspace Substitute the default backspace value of C...

Page 35: ...Select the desired Device Type UPS RPC or Environmental 2 Proceed to the appropriate device configuration page Serial Network UPS Connections RPC Connection or Environmental as detailed in Chapter 7 3...

Page 36: ...fy the IP address of the Server console server and the TCP port address of the remote serial port for RFC2217 bridging this will be 5001 5048 By default the bridging client uses RAW TCP Select RFC2217...

Page 37: ...1 8 NMEA Streaming The ACM7000 L can provide GPS NMEA data streaming from the internal GPS cellular modem This data stream presents as a serial data stream on port 5 on the ACM models The Common Sett...

Page 38: ...12 USB If the particular ACM7008 2 is a cellular model port 13 for the GPS will also be listed The 7216 24U has 16 RJ45 serial ports and 24 USB ports on its rear face as well as two front facing USB p...

Page 39: ...Services They can also access any of the connected Hosts or serial port devices using any of the services that have been enabled for these connections Only trusted users should have administrator acc...

Page 40: ...ers 3 2 1 Set up new group To set up new groups and new users and to classify users as members of particular groups 1 Select Serial Network Users Groups to display all groups and users 2 Click Add Gro...

Page 41: ...ublic key authentication for this user when using SSH 8 Check Enable Dial Back in the Dial in Options menu to allow an out going dial back connection to be triggered by logging into this port Enter th...

Page 42: ...sers and groups be kept under 250 The administrator can also edit the access settings for any existing users Select Serial Network Users Groups and click Edit to modify the user access privileges Clic...

Page 43: ...vice or a server with IPMI power control specify RPC for IPMI and PDU or UPS and the Device Type The administrator can configure these devices and enable which users have permission to remotely cycle...

Page 44: ...tering a Network Mask for that permitted IP range e g To permit all the users located with a particular Class C network connection to the nominated port add the following Trusted Network New Rule Netw...

Page 45: ...s clustering connects each Slave to the Master with an SSH connection This is done using public key authentication so the Master can access each Slave using the SSH key pair rather than using passwor...

Page 46: ...ether to generate keys using RSA and or DSA if unsure select only RSA Generating each set of keys require two minutes and the new keys destroy old keys of that type While the new generation is underwa...

Page 47: ...tem Administration on the Master s Management Console 2 Browse to the location you have stored RSA or DSA Public Key and upload it to SSH RSA DSA Public Key 3 Browse to the stored RSA or DSA Private K...

Page 48: ...sole server 1 Select Serial Network Cascaded Ports on the Master s Management Console 2 To add clustering support select Add Slave You can t add Slaves until you have generated SSH keys To define and...

Page 49: ...rial port such as alter the baud rates These changes are overwritten next time the Master sends out a configuration file update While the Master is in control of all Slave serial port related function...

Page 50: ...ded from the ftp site This PortShare serial port redirector allows you to use a serial device connected to the remote console server as if it were connected to your local serial port The portshare ser...

Page 51: ...device connections by selecting Manage Devices Administrators can also edit and add delete these managed devices and their connections To edit an existing device and add a new connection 1 Select Edi...

Page 52: ...o add a UPS RPC power connection or network connection or another serial connection click Add Connection 6 Click Apply NOTE To set up a serially connected RPC UPS or EMD device configure the serial po...

Page 53: ...urely connected to the serially controlled devices at the remote sites The road warrior administrator can use a VPN IPsec software client to remotely access the console server and every machine on the...

Page 54: ...nsole server the Left Public Key Locate the key to be used on the remote gateway cut and paste it into the Right Public Key o If you select Shared secret enter a Pre shared secret PSK The PSK must mat...

Page 55: ...e server end This can only be initiated from the VPN gateway Left if the remote end is configured with a static or dyndns IP address 12 Click Apply to save changes NOTE Configuration details set up on...

Page 56: ...the server and client certificates This Root CA Certificate is a crt file type For a server you may also need dh1024 pem Diffie Hellman parameters See http openvpn net easyrsa html for a guide to basi...

Page 57: ...Client has been selected the Primary Server Address is the address of the OpenVPN Server o If Server has been selected enter the IP Pool Network address and the IP Pool Network mask for the IP Pool Th...

Page 58: ...tion certificates and files select the Manage OpenVPN Files tab Upload or browse to relevant authentication certificates and files 4 Apply to save changes Saved files are displayed in red on the right...

Page 59: ...button 7 Apply to save changes NOTE Make sure that the console server system time is correct when working with OpenVPN to avoid authentication issues 8 Select Statistics on the Status menu to verify...

Page 60: ...GUI for Windows software which includes the standard OpenVPN package plus a Windows GUI can be downloaded from http openvpn net Once installed on the Windows machine an OpenVPN icon is added to the N...

Page 61: ...client server configuration file options are Options Description description This is a comment describing the configuration Comment lines start with and are ignored by OpenVPN Client server Specify wh...

Page 62: ...d location of the client s or server s key Each client should have its own certificate and key files Note Ensure each in the directory path is replaced with dh file name This is used by the server onl...

Page 63: ...n traffic being sent across the tunnel PPTP establishes a tunnel between the physical PPP endpoints and securely transports data across the tunnel The strength of PPTP is its ease of configuration and...

Page 64: ...1 Enable the PPTP VPN server 1 Select PPTP VPN on the Serial Networks menu 2 Select the Enable check box to enable the PPTP Server 3 Select the Minimum Authentication Required Access is denied to remo...

Page 65: ...Opengear appliance 7 Enter the desired value of the Maximum Transmission Unit MTU for the PPTP interfaces into the MTU field defaults to 1400 8 In the DNS Server field enter the IP address of the DNS...

Page 66: ...n is for the VPN tunnel to the Opengear appliance NOTE This procedure sets up a PPTP client in the Windows 7 Professional operating system The steps may vary slightly depending on your network access...

Page 67: ...local network you need to know the username and password for the PPTP account you added as well as the Internet IP address of the Opengear appliance If your ISP has not allocated you a static IP addr...

Page 68: ...accessing the Managed Console Servers and the managed devices connected to the Managed Console Server To manage Local Console Servers or console servers that are reachable from the CMS the SSH connect...

Page 69: ...ole servers that are connected via Call Home For more details see the Lighthouse CMS User Manual 1 Enter a new Call Home Password on the CMS This password is used for accepting Call Home connections f...

Page 70: ...nter the Remote Root Password i e System Password that has been set on this Managed Console server This password is used by the CMS to propagate auto generated SSH keys and is not stored Click Apply T...

Page 71: ...have two or more WAN interfaces NOTE Failover in IP Passthrough context is performed by the downstream router and the built in out of band failover logic on the Opengear is not available while in IP P...

Page 72: ...passed through to the downstream router For the required service of HTTP HTTPS or SSH check Enable Optionally modify the Intercept Port to an alternate port e g 8443 for HTTPS this is useful if you wa...

Page 73: ...Save Backup A backup configuration file model name_iso format date_config opg is downloaded from the Opengear device to the local system You can save the configuration as an xml file 1 Select System C...

Page 74: ...e USB flash drive to the Opengear device Generate an X 509 certificate for the Opengear device Concatenate the certificate and its private key into a single file named client pem Copy client pem onto...

Page 75: ...e Wed Dec 13 22 22 27 UTC 2017 5127 notice odhcp6c eth0 NTP skipped no server Wed Dec 13 22 22 27 UTC 2017 5127 info odhcp6c eth0 vendorspec 1 http fd07 2218 1350 44 1 tftpboot config sh Wed Dec 13 22...

Page 76: ...Dialup Modem Connection To enable dial in or dial out you must first ensure there is a modem attached to the console server Models with an internal modem allow OOB dial in access These models display...

Page 77: ...dress It must be in the same network range as the Local IP Address e g 200 100 1 12 and 200 100 1 67 5 In the Local Address field enter the IP address for the Dial In PPP Server This is the IP address...

Page 78: ...t type of authentication to use this is the recommended option Weakly Encrypted Authentication CHAP This is the weakest type of encrypted password authentication to use It is not recommended that clie...

Page 79: ...ct Set up my connection manually and click Next 4 On the Internet Connection screen select Connect using a dial up modem and click Next 5 Enter a Connection Name any name you choose and the dial up Ph...

Page 80: ...such as modems Override DNS allows the use of alternate DNS servers from those provided by your ISP For example an alternative DNS may be required for OpenDNS used for content filtering To enable Over...

Page 81: ...l Console or Internal Modem Port 4 Select the Baud Rate and Flow Control that will communicate with the modem 5 Check the Enable Dial Out Access box and enter the access details for the remote PPP ser...

Page 82: ...ses while in original and failover states The original state is automatically set as a priority and reestablished following three successful pings of the probe addresses during failover The failover s...

Page 83: ...ink Ensure when configuring the principal Network Interface connection the Failover Interface is set to None 4 5 Broadband Ethernet Failover The second Ethernet port can also be configured for failove...

Page 84: ...r continually pings probe addresses whilst in original and failover states The original state is set as a priority and reestablished following three successful pings of the probe addresses during fail...

Page 85: ...the other fields blank 3 Enter the carrier s APN e g for AT T USA enter i2gold for T Mobile USA enter epc tmobile com for InterNode Aust enter internode and for Telstra Aust enter telstra internet 4 I...

Page 86: ...rier 4 6 2 Connecting to a CDMA EV DO carrier network GV and GS models have an internal CDMA modem Both connect to the Verizon network in North America After creating an account with the CDMA carrier...

Page 87: ...rrors are displayed and you no longer see the CDMA Modem Activation form If OTASP is unsuccessful you can consult the System Logs for clues to what went wrong at Status Syslog 4 When OTASP has complet...

Page 88: ...n Status Statistics 4 Navigate to the Internal Cellular Modem tab on System Dial To connect to your carrier s 3G network enter the appropriate phone number usually 777 and a Username and Password if d...

Page 89: ...Servers box Enter the IP of the DNS servers into the spaces provided 7 Check Apply A radio connection is established with your cellular carrier 4 6 4 Verifying the cellular connection Out of band acc...

Page 90: ...You can also see the connection status from the LEDs on top of unit 4 6 5 Cellular modem watchdog Select Enable Dial Out on the System Dial menu under Internal Cellular Modem to configure a cellular...

Page 91: ...for the timeout period The timeout period is either the default value of 600 seconds or the number of seconds you have specified in the Failback Timeout field 4 Configure each SIM connection with as m...

Page 92: ...lti carrier capable models ship with cellular modem firmware for each supported carrier pre loaded onto internal non volatile or USB storage Periodically new cellular modem firmware becomes available...

Page 93: ...completed the System Firmware page displays the status of the firmware update 7 To automate this operation enable the Automatic Cellular Modem Firmware Check and Upgrade option This allows the user to...

Page 94: ...work This mode is used for out of band access to remote sites This OOB mode is the default for IM7200 appliances with internal cellular modems Out of Band access is enabled by default and the cellular...

Page 95: ...r state If the primary and secondary probe addresses are not available it brings up the cellular connection and connects back to the cellular carrier 1 Navigate back to the Network Interface on the Sy...

Page 96: ...squerading as detailed in Chapter 4 8 4 7 4 Cellular CSD dial in setup Once you have configured carrier connection the cellular modem can be configured to receive Circuit Switched Data CSD calls a leg...

Page 97: ...external interface of the console server and be redirected to a specified internal address for a device on the internal network With Firewall Rules packet filtering inspects each packet passing throu...

Page 98: ...behind the console server IP Masquerading performs Source Network Address Translation SNAT on outgoing packets to make them appear like they ve come from the console server rather than devices on the...

Page 99: ...e DNS server address to be the same as used on the external network i e if the console server is acting as an internet gateway or a cellular router Use the ISP provided DNS server address DHCP Configu...

Page 100: ...ernet gateway or a cellular router Use the ISP provided DNS server address 7 Enter the Default Lease time and Maximum Lease time in seconds The lease time is the time that a dynamically assigned IP ad...

Page 101: ...the external interface of the console server cellular router and have the console server cellular router redirect the data to a specified internal address and port range To setup a port protocol forw...

Page 102: ...ce on the input port range are sent Output Port Range The port or range of ports that the packets will be redirected to on the Output Address Ranges use the format start finish Only valid for TCP and...

Page 103: ...to be matched This may be left blank for any MAC addresses use the format XX XX XX XX XX XX where XX are hex digits Source Address Range Specifies the source IP address or address range to match IP ad...

Page 104: ...e processed in a set order from top to bottom For example with the following rules all traffic coming in over the Network Interface is blocked except when it comes from two nominated IP addresses SysA...

Page 105: ...l your users with point and click access to all the systems and devices in the secure network SDT Connector sets up a secure SSH tunnel from the client to the selected console server establishes a por...

Page 106: ...or can first set up groups with group access permissions users can be classified as members of particular groups 5 2 SDT Connector Client Configuration The SDT Connector client works with all Opengear...

Page 107: ...nects the console server to the Internet as assigned by the ISP One way to find the public IP address is to access or from a computer on the same network as the console server and note the reported IP...

Page 108: ...ervices TCP UDP ports are blocked 5 2 2 Auto configure SDT Connector client with the user s access privileges Each user on the console server has an access profile which has been configured with those...

Page 109: ...ctor client can be configured with unlimited number of Gateways Each Gateway can be configured to port forward to an unlimited number of locally networked Hosts There is no limit on the number of SDT...

Page 110: ...on Adding a new service and return here 4 Optionally enter a Descriptive Name for the host to display instead of the IP or DNS address and Notes or a Description of this host 5 Click OK 5 2 5 Manually...

Page 111: ...ists of a single SSH port redirection and a local client to access it It may consist of several redirections some or all of with clients associated with them An example is the Dell RAC service The fir...

Page 112: ...of the redirection If this is left blank a random port is selected NOTE SDT Connector can also tunnel UDP services SDT Connector tunnels the UDP traffic through the TCP SSH redirection so in effect i...

Page 113: ...ng the command line format When launching the client SDT Connector substitutes these keywords with the appropriate values path is path to the executable file i e the previous field host is the local a...

Page 114: ...ration If the client PC is dialing into Local Console port on the console server here is how to set up a dial in PPP link 1 Configure the console server for dial in access following the steps in the C...

Page 115: ...access the gateway command line console NOTE To enable SDT access to the gateway console you must configure the console server to allow port forwarded network access to itself Browse to the console se...

Page 116: ...1 Browse to the Console server and select Serial Port from Serial Network 2 Click Edit next to selected Port e g Port 2 if the target device is attached to the second serial port Ensure the port s ser...

Page 117: ...ction Starting an OOB connection may be achieved by initiating a dial up connection or adding an alternate route to the gateway SDT Connector allows for maximum flexibility is this regard by allowing...

Page 118: ...a pre configured dial up connection under Linux use the following Stop Command poff network_connection To make the OOB connection using SDT Connector select the gateway and click Out Of Band The stat...

Page 119: ...l OpenSSH http www openssh org OpenSSH Windows http sshwindows sourceforge net download 3 Upload the public part of your SSH key pair this file is named id_rsa pub or id_dsa pub to the SSH gateway or...

Page 120: ...to Windows XP and later computers and to Windows 2000 Terminal Servers and to have access to all of the applications files and network resources with full graphical interface as though they were in f...

Page 121: ...ote client PC and point it to the SDT Secure Tunnel port in the console server 5 9 SDT SSH Tunnel for VNC Users can securely access and control Windows Linux Macintosh Solaris and UNIX computers with...

Page 122: ...al in connection and the VNC Host computer is serially connected to the console server enter the IP address of the console server unit with the TCP port that the SDT tunnel uses The TCP port is 7900 p...

Page 123: ...This step is only necessary for serially connected computers First physically connect the COM port on the host computer that is to be accessed to the serial port on the console server Next For non Wi...

Page 124: ...on the Windows computer should be configured to its maximum baud rate Click Next 5 On the Incoming VPN Connection Options screen select Do not allow virtual private connections and click Next 6 Specif...

Page 125: ...s user permission to use the advance connection to access the Windows computer The console server default Username is portXX where XX is the serial port number on the console server The default Passwo...

Page 126: ...ode which enables port forwarding and SSH tunneling and enter a Username and User Password If you leave the Username and User Password fields blank they default to portXX and portXX where XX is the se...

Page 127: ...r Internet or local VPN connections connections this is the public IP address of the console server 2 Select the SSH Protocol The Port is set to 22 3 Go to the SSH Tunnels menu and in Add new forwarde...

Page 128: ...t the Client PC to the console server You are prompted for the Username Password for the console server user If you are connecting as a user in the users group you can only SSH tunnel to Hosts and Ser...

Page 129: ...ed serial devices A log of all system activity is also maintained as is a history of the status of any attached environmental monitors Some models can also log access and communications with network a...

Page 130: ...r the time in seconds after resolution to delay before this Auto Response can be triggered again 4 Check Repeat Trigger Actions to continue to repeat trigger action sequences until the check is resolv...

Page 131: ...to be configured as the trigger for this new Auto Response in the Auto Response Settings menu 6 2 1 Environmental Before configuring Environmental Checks as the trigger in Auto Response configure the...

Page 132: ...ysteresis of 4 the trigger condition won t be resolved until the temp reading is below 45 C 6 Check Save Auto Response 6 2 2 Alarms and Digital Inputs Before configuring Alarms Digital Inputs checks i...

Page 133: ...ntil the battery charge is above 25 6 Check Save Auto Response 6 2 4 UPS Status Before configuring UPS state checks in Auto Response you first must configure the attached UPS To use the alert state of...

Page 134: ...t of a successful pattern match NOTE For devices with a cellular modem with GPS enabled the GPS is displayed as an additional port and can be monitored for trigger events 4 Check Save Auto Response 6...

Page 135: ...New Action button 6 2 7 ICMP Ping To use a ping result as the Auto Response trigger event 1 Click on ICMP Ping as the Check Condition 2 Specify which Address to Ping i e IP address or DNS name to send...

Page 136: ...c config which is writeable The default lldpd configuration file lldpd conf is stored in etc config It is not a safe location to store custom configuration details There are circumstances in which thi...

Page 137: ...script 0 exit 7 fi touch etc config customscript 0 exit 1 See online FAQ for a sample web page html check and other script file templates 3 Enter the Script Executable file name e g etc config test sh...

Page 138: ...g SMS command from a nominated caller can trigger an Auto Response 1 Click on SMS Command as the Check Condition 2 Specify which Phone Number in international format of the phone sending the SMS messa...

Page 139: ...out of the CLI 3 Check Trigger on Authentication Error to trigger when a user fails to authenticate to the CLI This check is not resolvable so Resolve actions are not run 6 2 13 Web UI Log In Out Che...

Page 140: ...Interface Ethernet Failover OOB Interface or Modem or VPN to monitor 3 Check what type of network interface Event to trigger on interface Down Starting Up or Stopping This check is not resolvable so...

Page 141: ...onitor An optional Source MAC IP Address to monitor traffic from a host Data Limit threshold the Auto Response triggers when this is reached in the specified Time Period The Auto Response resolves if...

Page 142: ...existing action click the Modify or Delete icon in the Scheduled Trigger Action table A message text can be sent with Email SMS and Nagios actions This configurable message can include selected values...

Page 143: ...S alert can only be sent if there is an internal cellular modem 1 Click on Send SMS as the Add Trigger Action Enter a unique Action Name and set the Action Delay Time 2 Specify the Phone number that t...

Page 144: ...Send Nagios Event 1 Click on Send Nagios Event as the Add Trigger Action Enter a unique Action Name and set the Action Delay Time 2 Edit the Nagios Event Message text to display on the Nagios status...

Page 145: ...se with a defined trigger Check Condition click on Add Resolve Action e g Send Email or Run Custom Script to select the action type to take 6 5 Configure SMTP SMS SNMP and or Nagios service for alert...

Page 146: ...bject Line for the email 7 Click Apply to activate SMTP 6 5 2 Send SMS alerts You can use email to SMS services to send SMS alert notifications to mobile devices Almost all mobile phone carriers provi...

Page 147: ...only forward email to SMS when the email has been received from authorized senders 5 Enter a Username and Password as some SMS gateway service providers use SMTP servers which require authentication 6...

Page 148: ...agement Protocol SNMP agent that resides on the console server to send SNMP trap alerts to an NMS management application 1 Select Alerts Logging SNMP 2 Select Primary SNMP Manager tab The Primary and...

Page 149: ...hich devices and management stations running SNMP belong and defines where information is sent SNMP default communities are private for Write and public for Read 8 Configure SNMP v3 if required For SN...

Page 150: ...on to work 9 Click Apply 6 5 4 Send Nagios Event alerts To notify the central Nagios server of Alerts NSCA must be enabled under System Nagios and Nagios must be enabled for each applicable host or po...

Page 151: ...erial ports are to have activities recorded and to what level of data to log 1 Select Serial Network Serial Port and Edit the port to log 2 Specify the Logging Level of for each port as Level 0 Turns...

Page 152: ...tions with network attached Hosts 1 For each Host when you set up the Permitted Services are authorized you also must set up the logging level for each service 2 Specify the logging level that for tha...

Page 153: ...dor This generally runs on a remote Windows PC and you could configure the console server serial port to operate with a serial COM port redirector in the PC Network attached PDUs can be controlled wit...

Page 154: ...specific RPC device If you select Connect Via for a Network RPC connection enter the Host Name Description that you set up for that connection as the Name and Description for the power device If you s...

Page 155: ...ed PowerMan and Opengear s power manager 7 Enter the Username and Password used to login into the RPC These login credentials are not related the users and access privileges you configured in Serial N...

Page 156: ...erver will configure the RPC with the number of outlets specified in the selected RPC Type or will query the RPC for this information NOTE Opengear s console servers support the majority of the popula...

Page 157: ...s Select the Manage Power and the particular Target power device to be controlled and the Outlet to be controlled if the RPC supports outlet level control The outlet status is displayed Initiate the d...

Page 158: ...u to the Manage Power screen 7 2 Uninterruptible Power Supply UPS Control All Opengear console servers can be configured to manage locally and remotely connected UPS hardware using Network UPS Tools N...

Page 159: ...wn in event of low UPS battery The console server may or may not be drawing power itself through the Managed UPS When the UPS s battery power reaches critical the console server signals and waits for...

Page 160: ...clicking Apply No such configuration is required for USB connected UPS hardware 3 Select the Serial Network UPS Connections menu The Managed UPSes section will display all the UPS connections that hav...

Page 161: ...S or Shut down all Managed UPSes or Run until failure NOTE The shutdown script etc scripts ups shutdown can be customized so in the event of a critical power failure when the UPS battery runs out you...

Page 162: ...at is connected as a managed device to some remote console server which is being monitored but not managed by your console server The upsc and upslog clients in the Opengear console server can configu...

Page 163: ...ging their UPS This will set the conditions that will be used to initiate a power down of the computer Non critical servers may be powered down some second after the UPS starts running on battery wher...

Page 164: ...lect UPS System appears 3 Click on any particular All Data for any UPS System in the table for more status and configuration information on the select UPS System 4 Select UPS Logs The log table of the...

Page 165: ...NUT You can find full documentation at http www networkupstools org documentation NUT is built on a networked model with a layered scheme of drivers server and clients The driver programs talk to the...

Page 166: ...o Powerman open source software from Livermore Labs that also is embedded in Opengear console servers These NUT clients and servers all are embedded in each Opengear console server with a Management C...

Page 167: ...ration sensors or open door sensors Using the Management Console administrators can view the ambient temperature in C or F and humidity percentage and configure alerts to monitor the status and sensor...

Page 168: ...to each EMD The EMD can only be used with an Opengear console server and cannot be connected to standard RS232 serial ports on other appliances 1 Select Environmental as the Device Type in the Serial...

Page 169: ...en close status sensors into the SENSOR or DIO terminals on the green connector block 3 When configured as Inputs the SENSOR and DIO ports are notionally attached to the internal EMD Go to the Serial...

Page 170: ...onmental menu This will display any external EMDs or any internal EMD i e sensors that may be attached to an ACM that have already been configured 2 To add a new EMD click Add and configure an externa...

Page 171: ...us 4 Provide Labels for each of the alarm sensors e g Door Open or Smoke Alarm 5 Check Log Status and specify the Log Rate minutes between samples if you wish the status from this EMD to be logged The...

Page 172: ...lect the Status Environmental Status menu and a table with the summary status of all connected EMD hardware will be displayed 2 Click on View Log or select the Environmental Logs menu A table and grap...

Page 173: ...ystem I O Ports menu page The DIO1 and DIO2 pins are current limited by the chip to 20mA and accept 5V levels so they cannot drive a relay etc Alternately you can change the output states using the io...

Page 174: ...ine state change For example to light a 12v LED using the high voltage outputs connect the positive leg of the LED to the 12v reference and the negative leg to output pin 4 Due to the way that the I O...

Page 175: ...erver platform is a dedicated Linux computer and it embodies a myriad of popular and proven Linux software modules for networking secure access OpenSSH and communications OpenSSL and sophisticated use...

Page 176: ...first falling back to local if remote fails TACACS RADIUS LDAP Kerberos Down Local Tries remote authentication first falling back to local if the remote authentication returns an error condition e g...

Page 177: ...ve as an admin user There is a special case where a user with a priv lvl of 15 is also given access to all configured serial ports When the Ignore Privilege Level option is enabled i e checked in the...

Page 178: ...server AD or OpenLDAP is straightforward as they both follow the common LDAP standards and protocols The harder part is configuring how to get the extra data about the users the groups they are in etc...

Page 179: ...follows LDAP Username Attribute The LDAP attribute that corresponds to the login name of the user commonly sAMAccountName for Active Directory and uid for OpenLDAP LDAP Group Membership Attribute The...

Page 180: ...Opengear device to only accept LDAP over SSL If LDAP over SSL fails only the root account will be able to log in to the console server o LDAP no SSL only this setting will configure the Opengear devi...

Page 181: ...will only be able to access ports 1 and 2 Example 2 User Lynn is only defined on the TACACS server which says she has access to ports 5 and 6 When she attempts to log in a new user will be created for...

Page 182: ...3 Edit the Radius user s file to include group information and restart the Radius server When using RADIUS authentication group names are provided to the console server using the Framed Filter Id attr...

Page 183: ...d serial port access but limited console access Default groups available on the console server include admin for administrator access and users for general user access TomFraser AmandaJones FredWhite...

Page 184: ...1 connected to the router and another group UPS_Admin with access to port 2 connected to the UPS Once LDAP is setup users that are members of each group will have the appropriate permissions to acces...

Page 185: ...Click Apply 5 Ensure the LDAP service is operational and group names are correct within the Active Directory NOTE When you are using remote groups with LDAP remote auth you need to have corresponding...

Page 186: ...e provided to the console server using the groupname custom attribute of the raccess service An example Linux tac plus config snippet might look like user myuser service raccess groupname users groupn...

Page 187: ...er expire 8 1 11 Kerberos authentication The Kerberos authentication can be used with UNIX and Windows Active Directory Kerberos servers This form of authentication does not provide group information...

Page 188: ...for remote authentication RADIUS pam_radius_auth http www freeradius org pam_radius_auth TACACS pam_tacplus http echelon pl pubs pam_tacplus html LDAP pam_ldap http www padl com OSS pam_ldap html Fur...

Page 189: ...connected user During the connection establishment the console server has to expose its identity to the user s browser using a cryptographic certificate The default certificate that comes with the con...

Page 190: ...differ the browser will pop up a security warning when the console server is accessed using HTTPS Organizational Unit This field is used for specifying to which department within an organization the c...

Page 191: ...ersions will give warnings if this is not done 2 Once this is done click on the button Generate CSR which will initiate the Certificate Signing Request generation The CSR can be downloaded to your adm...

Page 192: ...DOR Opengear ATTRIBUTE Opengear MappedGroups 1 string END VENDOR Opengear Edit etc freeradius VERSION dictionary to include that file INCLUDE dictionary opengear Add the following update reply block t...

Page 193: ...e console server gateways in a distributed monitoring server capacity only If this case and you are already familiar with Nagios skip ahead to section 9 3 9 1 Nagios Overview Nagios provides central m...

Page 194: ...e hosts Each of the Serial Ports and each of the Hosts connected to the console server which are to be monitored must have Nagios enabled and any specific Nagios checks configured Lastly the central u...

Page 195: ...bling NRPE allows you to execute plug ins such as check_tcp and check_ping on the remote Console server to monitor serial or network attached remote servers This will offload CPU load from the upstrea...

Page 196: ...own list and enter a Secret password and specify a check Interval 3 See the sample Nagios configuration section below for some examples of configuring specific NSCA checks 9 2 4 Configure selected Ser...

Page 197: ...e monitored must also be configured for Nagios checks 1 Select Serial Network Network Port and click Edit on the Network Host to be monitored 2 Select Enable Nagios specify the name of the device as i...

Page 198: ...documentation http www nagios org documentation for configuring the upstream server The section entitled Distributed Monitoring steps through what you need to do to configure NSCA on the upstream ser...

Page 199: ...gear Console server define host use generic host host_name opengear alias Console server address 192 168 254 147 Managed Host define host use generic host host_name server alias server address 192 168...

Page 200: ...efine service service_description Port Log host_name server use generic service check_command check_port_log define service service_description port log server host_name server use generic service che...

Page 201: ...mmand_name check_conn_via_opengear command_line USER1 check_nrpe H 192 168 254 147 p 5666 c host_ HOSTNAME _ ARG1 _ ARG2 define service service_description SSH Port host_name server use generic servic...

Page 202: ...e is used to execute arbitrary plug ins in other devices Each console server is preconfigured with two checks check_serial_signals is used to monitor the handshaking lines on the serial ports check_po...

Page 203: ...the plug in in a Perl script it must be rewritten as the console server does not support Perl However if you do require Perl support make a feature request to support opengear com Individual compiled...

Page 204: ...rity When the console server submits NSCA results it staggers them over a certain time period e g 20 checks over 10 minutes will result in two check results every minute Staggering the results like th...

Page 205: ...o be configured to service NRPE commands to perform checks on demand In this situation the console server will perform checks based on both serial and network access Remote site with restrictive firew...

Page 206: ...e with no network access In this scenario the console server allows dial in access for the Nagios server Periodically the Nagios server establishes a connection to the console server and execute any N...

Page 207: ...en you switch OFF power from the console server and switch the power back ON However if you cycle the power and the unit is writing to flash you could corrupt or lose data so the software reboot is th...

Page 208: ...re to return to the Management Console Your Opengear device will have retained all its pre upgrade configuration information 10 3 Configure Date and Time It is important to set the local Date and Time...

Page 209: ...once Internet connection has been established 1 Select the Enable NTP checkbox in the Network Time Protocol section of the System Date Time page 2 Enter the IP address of the remote NTP Server 3 If yo...

Page 210: ...d date to be maintained across reboots or when the appliance has been powered down for longer periods of time NOTE With the NTP peering model the Opengear appliance can share its time information with...

Page 211: ...al USB flash drive installed To backup and restore using USB 1 Ensure the USB flash is the only USB device attached to the console server 2 Select the Local Backup tab and click here to proceed This w...

Page 212: ...G_DEFAULT o Insert this USB storage device into an external USB port on the console server and reset to factory defaults as per section 10 1 After recovering your console server ensure the problematic...

Page 213: ...Connector access to all services on the console servers will use the embedded FIPS compliant cryptographic module To connect you must also be using cryptographic algorithms that are FIPs approved in...

Page 214: ...Access Administrators can also see the current status of users who have active sessions on those ports Select the Status Active Users The Status Active Users menu enables administrators to selectively...

Page 215: ...sers and all connected ports that allow the user to choose who do disconnect If you wish to disconnect the user tester from all ports choose tester in the user s box and All ports in the Ports box and...

Page 216: ...a record of all system messages and errors select Status Syslog 11 4 1 Global System Logging The Global System Logging setting lets you specify the level of detail of the timestamp and domain name in...

Page 217: ...to 10 seconds emit syslog PSU xxx power down When both PSU 1 and 2 are on the syslog reports it For example 14 May 7 16 57 37 psmon 2508 INFO psmon Internal Voltage PSU 1 status OPERATIONAL value 12...

Page 218: ...can reconfigure the default dashboard The Status Dashboard screen is the first screen displayed when admin users other than root log into the console manager If you log in as John are in the admin gro...

Page 219: ...a new screen that shows the current alerts status When an alert gets triggered a corresponding XML file is created in var run alerts The dashboard scans all these files and displays a summary status...

Page 220: ...he dashboard choose widget name sh in the drop down list The dashboard will run the script and display the output of the script commands on the screen inside the widget The best way to format the outp...

Page 221: ...or click the Manage Devices icon in the top right of the UI Admin group users are presented with a list of all configured managed devices and their constituent connections user group users only see th...

Page 222: ...r The Web Terminal service uses AJAX to enable the web browser to connect to the console server using HTTP or HTTPS as a terminal without the need for additional client installation on the user s PC T...

Page 223: ...rminal service for each serial port you want to access 1 Select Serial Network Serial Port and click Edit Ensure the serial port is in Console server Mode 2 Check Web Terminal and click Apply 12 3 2 S...

Page 224: ...to the command line or serial port using SSH NOTE SDT Connector must be installed on the computer you are browsing from and the console server must be added as a gateway 12 4 Power Management Users ca...

Page 225: ...88F6W11 ACM7000 800MHz ARM SoC Marvell 88F6W11 Others Micrel KS8695P controller Memory ACM7004 ACM7004 2 L V A R MA MV MCR MCT 254MB SDRAM 256MB 4GB Flash IM7216 32 48 256MB SDRAM 64MB 16 GB Flash CM...

Page 226: ...AWS 1700 2100 MHz 850 MHz 900 MHz Cellular 800 MHz PCS 1900 MHz Secondary 800 MHz Infrastructure Manager IM7200 Cellular Modem LTE UMTS HSDPA HSUPA HSPA CDMA GSM EGSM DCS PCS IM72xx 2 LR Sierra MC730...

Page 227: ...ns 1 This device may not cause harmful interference and 2 this device must accept any interference that may cause undesired operation WEEE Statement The symbol on the product or its packaging indicate...

Page 228: ...CM7000 models have Cisco Straight serial pinouts on its RJ45 connectors The IM7200 has software selectable Cisco Straight or Cisco Rolled RJ45 Cisco Straight RJ45 pinout option X2 Straight through RJ...

Page 229: ...Carrier Detect Input 8 DSR Data Set Ready Input Local Console Port Console servers with a dedicated LOCAL console modem port use a standard DB9 connector for this port To connect to the LOCAL modem c...

Page 230: ...tector 9 Reserved for data set testing 10 Reserved for data set testing 11 Unassigned 12 SCF Secondary Rcvd Line Signal Detector 13 SCB Secondary Clear to Send 14 SBA Secondary Transmitted Data 15 DB...

Page 231: ...and network appliances More detailed information can be found online at http www opengear com cabling html For Local Console connection These adapters connect the console server LOCAL Console port via...

Page 232: ...Opengear classic pinout to Netscreen and Dell and OOB modem connection 319005 DB25F to RJ45 crossover DCE adapter Console server with Opengear classic pinout to Cisco 7200 AUX 440016 5ft Cat5 RJ 45 to...

Page 233: ...n Protocol UDP 49 TACACS TACACS UDP 53 DNS UDP 67 BOOTP server UDP 68 BOOTP client UDP v69 TFTP UDP 70 Gopher TCP 79 Finger TCP 80 HTTP TCP 110 POP3 TCP 119 NNTP Network News Transfer Protocol TCP 161...

Page 234: ...g or Failover is the ability to detect communication failure transparently and switch from one LAN connection to another BOOTP Bootstrap Protocol A protocol that allows a network user to automatically...

Page 235: ...A network device that allows more than one computer to be connected as a LAN usually using UTP cabling Internet A worldwide system of computer networks a public cooperative and self sustaining networ...

Page 236: ...nected to a dedicated management network that is not used to carry customer traffic or to a BMC service processor Any management done over the same channels and interfaces used for user customer data...

Page 237: ...oller Access Control System TACACS security protocol is a more recent protocol developed by Cisco It provides detailed accounting information and flexible administrative control over the authenticatio...

Page 238: ...lecommunication infrastructure and Internet to provide remote offices or individual users with secure access to their organization s network WAN Wide Area Network WINS Windows Internet Naming Service...

Page 239: ...copies of the electronic documentation accompanying the Software for each Software license you acquire provided that you must reproduce and include all copyright notices and any other proprietary rig...

Page 240: ...ill be uninterrupted or error free or that all defects in the Software will be corrected OPENGEAR DISCLAIMS ANY AND ALL OTHER WARRANTIES WHETHER EXPRESS OR IMPLIED INCLUDING WITHOUT LIMITATION ANY IMP...

Page 241: ...d by this License they are outside its scope The act of running the Program is not restricted and the output from the Program is covered only if its contents constitute a work based on the Program ind...

Page 242: ...bove The source code for a work means the preferred form of the work for making modifications to it For an executable work complete source code means all the source code for all modules it contains pl...

Page 243: ...se from time to time Such new versions will be similar in spirit to the present version but may differ in detail to address new problems or concerns Each version is given a distinguishing version numb...

Page 244: ...import offer to sell and sell Utilize this software but solely to the extent that any such patent is necessary to Utilize the software alone or in combination with an operating system licensed under a...

Page 245: ...if the serial number or seal or any part thereof has been altered defaced or removed If Opengear does not find the product to be defective the Purchaser will be invoiced for said inspection and testin...

Page 246: ...15 of the Uniform Commercial Code Opengear waives the benefit of any rule that disclaimer of warranty shall be construed against Opengear and agrees that such disclaimers herein shall be construed lib...

Reviews:

No comments

Related manuals for ACM7000

Linksys NSLU2 - Network Storage Link NAS Server Quick Installation Manual preview
NSLU2 - Network Storage Link NAS Server
Brand: Linksys Pages: 64
Sun Oracle SPARC T3-2 Service Manual preview
SPARC T3-2
Brand: Sun Oracle Pages: 222
IBM 84894MU User Manual preview
84894MU
Brand: IBM Pages: 48
Bull NovaScale T840 E2 User Manual preview
NovaScale T840 E2
Brand: Bull Pages: 210
Supermicro A+ AS -2114GT-DNR User Manual preview
A+ AS -2114GT-DNR
Brand: Supermicro Pages: 126
Aviosys IP Video 9100B User Manual preview
IP Video 9100B
Brand: Aviosys Pages: 30
BITMAIN T19 Hydro Server Installation Manual preview
T19 Hydro Server
Brand: BITMAIN Pages: 17
ORing Industrial Networking Corp. IDS-181A Quick Installation Manual preview
IDS-181A
Brand: ORing Industrial Networking Corp. Pages: 2
Habey EPC-6668 Quick Setup Manual preview
EPC-6668
Brand: Habey Pages: 3
Multitech RASFinder RF300E User Manual preview
RASFinder RF300E
Brand: Multitech Pages: 199
Symetrix Control Server Quick Start Manual preview
Control Server
Brand: Symetrix Pages: 4
Supero Supero SUPERSERVER 5015A-EHF-D525 User Manual preview
Supero SUPERSERVER 5015A-EHF-D525
Brand: Supero Pages: 90
Supero MicroCloud 5038ML-H12TRF User Manual preview
MicroCloud 5038ML-H12TRF
Brand: Supero Pages: 111
Supero A+ SERVER 4042G-6RF User Manual preview
A+ SERVER 4042G-6RF
Brand: Supero Pages: 116
Interlink network 7.1 Getting Started Manual preview
7.1
Brand: Interlink network Pages: 25
Lantronix WiPort NR User Manual preview
WiPort NR
Brand: Lantronix Pages: 72
Gigabyte H273-Z80-AAN1 User Manual preview
H273-Z80-AAN1
Brand: Gigabyte Pages: 166
Gigabyte R283-S90-AAE1 User Manual preview
R283-S90-AAE1
Brand: Gigabyte Pages: 131

Brands by name

Popular brands

Load more brands