4000 Series CM-o-IP Gateway
Contents
1. [Screenshot: PPTP VPN Server settings form: Local Address, Remote Addresses]
MTU: Maximum transmission unit of the PPTP interface. Defaults to 1400.
Select the Enable check box to enable the PPTP Server.
Select the Minimum Authentication Required. Access is denied to remote users attempting to connect using an authentication scheme weaker than the selected scheme. The schemes are described below, from strongest to weakest:
- Encrypted Authentication (MS-CHAP v2): The strongest type of authentication to use; this is the recommended option.
- Weakly Encrypted Authentication (CHAP): This is the weakest type of encrypted password authentication to use. It is not recommended that clients connect using this, as it provides very little password protection. Also note that clients connecting using CHAP are unable to encrypt traffic.
- Unencrypted Authentication (PAP): This is plain text password authentication. When using this type of authentication, the client password is transmitted unencrypted.
- None
Select the Required Encryption Level. Access is denied to remote users attempting to connect not using this encryption level. Strong (40-bit or 128-bit) encryption is recommended.
In Local Address, enter the IP address to assign to the server's end of the VPN connection.
In Remote Addresses, enter the pool of IP addresses to assign to the incoming client's VPN connections (e.g. 192.168.1.10-20). This must be a free IP address, or a range of free I
2. To set up new Groups and new users, and to classify users as members of particular Groups:
> Select Serial & Network: Users & Groups to display the configured Groups and Users.
> Click Add Group to add a new Group.
> Add a Group name and Description for each new Group, then nominate the Accessible Hosts, Accessible Ports and Accessible RPC Outlet(s) that you want any users in this new Group to be able to access.
> Click Apply.
[Screenshot: Serial & Network: Users & Groups, Add a New User form: Username (a unique name for the user), Description (a brief description of the user's role), Groups (admin: users with unlimited configuration and management privileges; pptpd; pmshell: a group with predefined privileges the user will belong to), Password (the user's authentication; note: a password may not be required if remote authentication is being used)]
> Click Add User to add a new user.
> Add a Username and a confirmed Password for each new user. You may also include information related to the user (for example, contact details) in the Description field.
724-746-5500 | blackbox.com | Page 58
Note: The User Name can contain from 1 to 127 alphanumeric characters; you ca
3.  config -s config.alerts.alert2.sensor=temp
    config -s config.alerts.alert2.signal=DSR
    config -s config.alerts.alert2.type=ups
    config -s config.alerts.alert2.ups1=myUPS@localhost
    config -s config.alerts.alert2.ups2=thatUPS@192.168.0.50
Environmental and Power Sensor Alert:
    config -s config.alerts.alert2.enviro.high.critical=critical-value
    config -s config.alerts.alert2.enviro.high.warning=warning-value
    config -s config.alerts.alert2.enviro.hysteresis=value
    config -s config.alerts.alert2.enviro.low.critical=critical-value
    config -s config.alerts.alert2.enviro.low.warning=warning-value
    config -s config.alerts.alert2.enviro1=Enviro-sensor-name
    config -s config.alerts.alert2.outlet#.RPCname.outlet#   (alert2.outlet# increments sequentially with each added outlet; the second outlet# refers to the specific RPC power outlets)
    config -s config.alerts.alert2.rpc#=RPC-name
    config -s config.alerts.alert2.sensor=temp,humid,load,charge
    config -s config.alerts.alert2.signal=DSR
    config -s config.alerts.alert2.type=enviro
    config -s config.alerts.alert2.ups1=UPSname@hostname
Example 1: To configure a temperature sensor alert for a sensor called SensorInRoom42:
    config -s config.alerts.alert2.sensor=temp
    config -s config.alerts.alert2.enviro.high.critical=60
    config -s config.alerts.alert2.enviro.high.warning=50
    config -s config.alerts.alert2.enviro.hysteresis=2
4. [Command reference table; the command-name column was lost in extraction for all but the last three entries]
- Black Box command similar to the standard tip or cu, but all serial port access is directed via the portmanager
- Black Box command to query portmanager for active user sessions
- Black Box command that handles all serial port access
- DARPA port to RPC program number mapper
- Point-to-Point protocol daemon
- Report a snapshot of the current processes
- Print name of current working directory
- Soft reboot
- Remove files or directories
- Remove empty directories
- Show or manipulate the IP routing table
- Show or manipulate the IP routing table
- IP Route tool to flush IPv4 routes
- IP Route tool to list routes
- Applet printing /proc/net/rt_acct
- RTnetlink listener
- Secure copy (remote file copy program)
- Text stream editor
- Sets the MAC address
- Sets and reports serial port configuration
- Shell
- Shows MAC address
- Delay for a specified amount of time
- Helper utility for mounting SMB file systems
- Mount an SMBFS file system
- SMBFS umount for normal users
- SNMP daemon
- Sends an SNMP notification to a manager
- RFC 2217 compliant serial port redirector
- OpenSSH SSH client (remote login program)
- Authentication key generation, management and conversion
- OpenSSH SSH daemon
- Program that allows plain services to be accessed via SSL
- Change and print terminal line settings
- Universal SSL tunnel
- sync: Flush file system buffers
- sysctl: Configure kernel parameters at runtime
- syslogd: System logging utility
5. Dial-in (internal or external V.90 modem); OoB Failover (second Ethernet connection); VPN (IPSec or OpenVPN connection over any network interface).
> Check/uncheck for each network which service access is to be enabled/disabled. In the example shown below, local administrators on the local Network Interface (LAN) have HTTP and Telnet and HTTPS and SSH access to the console server and attached serial consoles. However, while remote administrators using Dial-In only can access the console server using HTTPS and SSH, they can Telnet access attached serial consoles.
[Screenshot: System: Services, Service Access tab: a matrix of services (HTTP Web Management, HTTPS Web Management, Telnet command shell, SSH command shell, Telnet direct to serial ports, SSH direct to serial ports) against an Enabled column and the interfaces Network Interface (LAN), Management LAN, Dialout/Cellular, Dial-in and VPN]
The Services Access settings specify which services the Administrator can use over which network interface to access the console server. It also nominates the enabled services that the Administrator and the User can use to connect through the console server to attached serial and netw
6. [Screenshot: System: Firewall, Port Forwarding tab, Create/Modify Port Forward form: Name (name for the rule), Interface (the interface that the rule applies to; default Any), Source Address/Address Range, Input Port Range, Protocol, Output Address, Output Port Range]
...ange of ports, use the format start-finish. For example, to forward port 8443 to an internal HTTPS server on 192.168.10.2, the following settings would be used:
    Input Interface: Any
    Input Port Range: 8443
    Protocol: TCP
    Output Address: 192.168.10.2
    Output Port Range: 443
5.8.4 Firewall rules
Firewall rules can be used to block or allow traffic through an interface based on port number, the source and/or destination IP address (range), the direction (ingress or egress) and the protocol. This can be used to allow custom on-box services, or block traffic based on policy.
To set up a firewall rule:
> Navigate to the System: Firewall page and click on the Firewall Rules tab.
[Screenshot: System: Firewall page, Firewall Rules tab, with Service Access, Port Forwarding, Firewall Rules and Forwarding & Masquerading tabs]
7. [Screenshot: Serial & Network: Authentication, Authentication Configuration tab: Authentication Method (Local) for Web Console, Telnet, SSH and FTP; Use Remote Groups]
Any authentication method that is configured will be used for authentication of any user who attempts to log in through Telnet, SSH or the Web Manager to the console server and any connected serial port or network host devices.
You can configure the console server to the default (Local), or using an alternate authentication method (TACACS, RADIUS or LDAP). Optionally, you can select the order in which local and remote authentication is used:
- Local/TACACS (or RADIUS or LDAP): Tries local authentication first, falling back to remote if local fails.
- TACACS (or RADIUS or LDAP)/Local: Tries remote authentication first, falling back to local if remote fails.
- TACACS (or RADIUS or LDAP) Down/Local: Tries remote authentication first, falling back to local if the remote authentication returns an error condition (for example, if the remote authentication server is down or inaccessible).
9.1.1 Local authentication
> Select Serial and Network: Authentication and check Local.
> Click Apply.
9.1.2 TACACS authentication
Perform the following procedure
8. Specify the Probe Addresses of two sites (the Primary and Secondary) that the Advanced Console Server is to ping to determine if Network 1 (eth0) is still operating.
> On the Management LAN Interface (Network 2), configure the IP Address, Subnet Mask and Gateway the same as Network Interface (Network 1).
In this mode, Network 2 (eth1) is available as the transparent back-up port to Network 1 (eth0) for accessing the management network. Network 2 will automatically and transparently take over the work of Network 1 if Network 1 becomes unavailable for any reason. When Network 1 becomes available again, it takes over the work again.
5.4 Dial-Out Failover
The internal or externally attached modem on the console server can be set up either in Failover mode, where a dial-out connection is only established in the event of a ping failure, or with the dial-out connection always on. In both of the above cases, in the event of a disruption in the dial-out connection, the console server will endeavor to re-establish the connection.
5.4.1 Always-on dial-out
The console server modem can be configured for out-dial to be always on, with a permanent external dial-up PPP connection.
> Select the System: Dial menu option and check Enable Dial-Out to allow outgoing modem communications.
> Select the Baud Rate and Flow Control that will communicate with the modem.
> In the Dial-Out Settings - Always On Out of
9. To initiate a pre-configured dial-up connection under Windows, use the following Start Command:
    cmd /c start "Starting Out-of-Band Connection" /wait /min rasdial network_connection login password
where network_connection is the name of the network connection as displayed in Control Panel > Network Connections, login is the dial-in username, and password is the dial-in password for the connection.
To initiate a pre-configured dial-up connection under Linux, use the following Start Command:
    pon network_connection
where network_connection is the name of the connection.
> Enter the command or path to a script to stop the OoB connection in Stop Command.
To stop a pre-configured dial-up connection under Windows, use the following Stop Command:
    cmd /c start "Stopping Out-of-Band Connection" /wait /min rasdial network_connection /disconnect
where network_connection is the name of the network connection as displayed in Control Panel > Network Connections.
To stop a pre-configured dial-up connection under Linux, use the following Stop Command:
    poff network_connection
To make the OoB connection using SDT Connector:
> Select the console server and click Out Of Band. The status bar will change color to indicate that this console server is now accessed using the OoB link rather than the primary link.
[Screenshot: SDT Connector window with File, Edit and Help menus]
10. [Screenshot: System: Services: SSH command shell (completely enable or disable the SSH service), SSH Port (port to listen for the SSH command shell)]
> To enable a service, check Enable. For some services you will be asked to specify the TCP/IP port to be used for this service.
> There are also some serial port access parameters that you can configure on this menu.
Base: The console server uses specific default ranges for the TCP/IP ports for the various access services that Users and Administrators can use to access devices attached to serial ports (as covered in Chapter 4, Configuring Serial Ports). The Administrator can also set alternate ranges for these services, and these secondary ports will then be used in addition to the defaults. The default TCP/IP base port address for telnet access is 2000, and the range for telnet is IP Address:Port (2000 + serial port #), i.e. 2001-2048. If the Administrator sets 8000 as a secondary base for telnet, then serial port #2 on the console server can be accessed via telnet at IP Address:2002 and at IP Address:8002. The default base for SSH is 3000, for Raw TCP it is 4000, and for RFC2217 it is 5000.
RAW Direct: You can also specify that serial port devices can be accessed from nominated network interfaces using Raw TCP, direct Telnet/SSH, unauthenticated Telnet services, etc.
3.5 Communications Software
You have configured access protocols for the Adm
11. Antenna with 10-foot extension cable; Dual IEC AC power cords; Printed Quick Start Guide and User's Manual on CD-ROM.
2.1.3 Kit components: LES1208A-R2, LES1216A-R2, LES1232A and LES1248A-R2 Advanced Console Servers
- LES1208A-R2, LES1216A-R2, LES1232A or LES1248A-R2 Advanced Console Server
- 2 UTP CAT5 blue cables
- DB9F-RJ45S straight and DB9F-RJ45S cross-over connectors
- Dual IEC AC power cords
- Printed Quick Start Guide and User's Manual on CD-ROM
2.1.4 Kit components: LES1116A, LES1132A and LES1148A Console Servers
- LES1116A, LES1132A or LES1148A Console Server
- 2 UTP CAT5 blue cables
- DB9F-RJ45S straight and DB9F-RJ45S cross-over connectors
- IEC AC power cord
- Printed Quick Start Guide and User's Manual on CD-ROM
2.1.5 Kit components: LES1108A Console Server
- LES1108A Console Server
- 2 UTP CAT5 blue cables
- DB9F-RJ45S straight and DB9F-RJ45S cross-over connectors
- 5 VDC 2.0A Power Supply with IEC Socket and AC power cable
- Printed Quick Start Guide and this User's Manual on CD-ROM
2.2 Power connection
2.2.1 LES1508A power
The LES1508A includes an external DC power supply unit. This unit accepts an AC input voltage between 100 and 250 VAC with a frequency of 50Hz or 60Hz. The DC power supply comes with a selection of wall socket adapters for each geographic region (North American
12. [Screenshot: rdesktop connection dialog: Domain, Client Hostname, Protocol File, Help, Cancel, Connect]
Note: The rdesktop client is supplied with Red Hat 9.0:
    rpm -ivh rdesktop-1.2.0-1.i386.rpm
For Red Hat 8.0 or other distributions of Linux, download the source, untar, configure, make, then make install. rdesktop currently runs on most UNIX-based platforms with the X Window System and can be downloaded from http://www.rdesktop.org
C. On a Macintosh client:
> Download Microsoft's free Remote Desktop Connection client for Mac OS X: http://www.microsoft.com/mac/otherproducts/otherproducts.aspx?pid=remotedesktopclient
6.9 SDT SSH Tunnel for VNC
With SDT and Virtual Network Computing (VNC), Users and Administrators can securely access and control Windows 98/NT/2000/XP/2003, Linux, Macintosh, Solaris and UNIX computers. There's a range of popular free and commercial VNC software available (UltraVNC, RealVNC, TightVNC). To set up a secure VNC connection, install and configure the VNC Server software on the computer the user will access, then install and configure the VNC Viewer software on the Viewer PC.
6.9.1 Install and configure the VNC Server on the computer to be accessed
Virtual Network Computing (VNC) software enables users to remotely access computers running Linux, Macintosh, Solaris, UNIX, all versions of Windows and most other operating systems.
A. For Microsoft Windo
13. config -s config.system.smtp.encryption2=SSL   (can also be TLS or None)
    config -s config.system.smtp.sender2=John@Black-Box.com
    config -s config.system.smtp.username2=john
    config -s config.system.smtp.password2=secret
    config -s config.system.smtp.subject2="SMTP alerts"
The following command will synchronize the live system with the new configuration:
    config -a
14.16 SNMP
To set up the SNMP agent on the device:
    config -s config.system.snmp.protocol=UDP   (or TCP)
    config -s config.system.snmp.trapport=port-number   (default is 162)
    config -s config.system.snmp.address=NMS-IP-network-address
    config -s config.system.snmp.commnity=community-name   (v1 and v2c only)
    config -s config.system.snmp.engineid=ID   (v3 only)
    config -s config.system.snmp.username=username   (v3 only)
    config -s config.system.snmp.password=password   (v3 only)
    config -s config.system.snmp.version=1   (or 2c or 3)
The following command will synchronize the live system with the new configuration:
    config -a
14.17 Administration
To change the administration settings to System Name: og.mydomain.com, System Password (root account): secret, Description: Device in office 2:
    config -s config.system.name=og.mydomain.com
    config -P config.system.password   (will prompt user for a password)
    config -s config.system.location="Device in office 2"
NOTE: The -P parameter will prompt the user for a password and encrypt it. You can encr
14. Note: How secure is VNC? VNC access generally allows access to your whole computer, so security is very important. VNC uses a random challenge-response system to provide the basic authentication that allows you to connect to a VNC server. This is reasonably secure, and the password is not sent over the network. Once connected, all subsequent VNC traffic is unencrypted. A malicious user could snoop your VNC session. There are also VNC scanning programs available, which will scan a subnet looking for PCs that are listening on one of the ports that VNC uses. Tunneling VNC over a SSH connection ensures all traffic is strongly encrypted. No VNC port is ever open to the internet, so anyone scanning for open VNC ports will not be able to find your computers. When tunneling VNC over a SSH connection, the only port that you're opening on your console server is the SDT port 22. Sometimes it may be prudent to tunnel VNC through SSH even when the Viewer PC and the console server are both on the same local network.
Chapter 7: Alerts, Auto-Response and Logging
Introduction
This chapter describes the automated response, alert generation and logging features of the console server. The new Auto-Response facility in firmware V3.5.1 and later extends on the basic Alert facility available in earlier firmware revisions. With the new facility, the console server monitors selected serial ports, logins, the power
15. Or enter a Descriptive Name for the host to display instead of the IP or DNS address, and any Notes or a Description of this host (such as its operating system/release, or anything special about its configuration). Click OK.
6.2.6 Manually adding new services to the new hosts
To extend the range of services that you can use when accessing hosts with SDT Connector:
> Select Edit: Preferences and click the Services tab. Click Add.
> Enter a Service Name and click Add.
> Under the General tab, enter the TCP Port that this service runs on (for example, 80 for HTTP). Or select the client to use to access the local endpoint of the redirection.
[Screenshot: SDT Connector Preferences, Services tab, listing pre-configured clients: HTTP browser, HTTPS browser, Telnet client, SOL Telnet client, RSA II / IBM Director console, SSH client, HyperTerminal, VNC viewer, VMWare Server console]
> Select which Client application is associated with the new service. A range of client application options are pre-configured in the default SDT Connector (RDP client, VNC client, HTTP browser, HTTPS browser, Telnet client, etc.). If you want to add new client applications to this range, proceed to the next section (Adding a new client), then return here.
[Screenshot: SDT Connector Preferences, Client name field]
16.     #!/bin/sh
    ssh -L9001:127.0.0.1:4001 -N -o StrictHostKeyChecking=no testuser@<server-ip> &
This will run the tunnel, redirecting local port 9001 to the server port 4001.
15.6.6 Fingerprinting
Fingerprints are used to ensure you are establishing an SSH session to who you think you are. On the first connection to a remote server, you will receive a fingerprint that you can use on future connections. This fingerprint is related to the host key of the remote server. Fingerprints are stored in ~/.ssh/known_hosts. To receive the fingerprint from the remote server, log in to the client as the required user (usually root) and establish a connection to the remote host:
    # ssh remhost
    The authenticity of host 'remhost (192.168.0.1)' can't be established.
    RSA key fingerprint is 8d:11:e0:7e:8a:6f:ad:f1:94:0f:93:fc:7c:e6:ef:56.
    Are you sure you want to continue connecting (yes/no)?
At this stage, answer yes to accept the key. You should get the following message:
    Warning: Permanently added 'remhost,192.168.0.1' (RSA) to the list of known hosts.
You may be prompted for a password, but there is no need to log in; you have received the fingerprint and can Ctrl-C to cancel the connection. If the host key changes, you will receive the following warning and not be allowed to connect to the remote host:
    @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
    @    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
    IT IS POSSIBLE THAT SOMEONE IS DOING S
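The host-key comparison that the fingerprint procedure in item 16 relies on, as an added Python example (my own code, not from the manual or the console server firmware): it builds an ssh-rsa public-key blob in SSH wire format, derives both the legacy MD5 colon-hex fingerprint of the kind shown in the prompt above and the newer SHA256 form, parses plain known_hosts lines, and classifies the key a server presents as new, matching or changed. The key moduli and the known_hosts line are constructed for the example, and every function name is an assumption of mine. The tunnel script at the top of the same item passes -o StrictHostKeyChecking=no, which skips exactly this comparison, so on that tunnel a changed host key would not produce the warning quoted above.

```python
import base64
import hashlib
import struct


def _ssh_string(data: bytes) -> bytes:
    """SSH wire-format string: 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def _mpint(value: int) -> bytes:
    """SSH mpint: big-endian magnitude with a leading 0x00 when the top bit is set."""
    raw = value.to_bytes((value.bit_length() + 8) // 8, "big")
    return _ssh_string(raw)


def build_rsa_blob(e: int, n: int) -> bytes:
    """The public-key blob that appears base64-encoded in known_hosts for an ssh-rsa key."""
    return _ssh_string(b"ssh-rsa") + _mpint(e) + _mpint(n)


def md5_fingerprint(blob: bytes) -> str:
    """Legacy fingerprint format (16 colon-separated hex bytes), as in the prompt quoted above."""
    digest = hashlib.md5(blob).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def sha256_fingerprint(blob: bytes) -> str:
    """Current OpenSSH default: 'SHA256:' plus unpadded base64 of the SHA-256 digest."""
    return "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")


def parse_known_hosts(text: str) -> dict:
    """Map (host, key type) -> key blob for plain known_hosts lines.

    Hashed entries (|1|...) and @marker lines are skipped; they need different handling.
    """
    entries = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0].startswith(("#", "|1|", "@")):
            continue
        hosts, key_type, b64 = parts[0], parts[1], parts[2]
        blob = base64.b64decode(b64)
        for host in hosts.split(","):
            entries[(host, key_type)] = blob
    return entries


def check_host_key(known: dict, host: str, key_type: str, presented: bytes) -> str:
    """Classify the key a server presents: 'new' (first contact), 'match', or 'CHANGED'."""
    stored = known.get((host, key_type))
    if stored is None:
        return "new"
    return "match" if stored == presented else "CHANGED"


# Constructed sample keys: tiny moduli, useful only for exercising the encoding and comparison.
GOOD_BLOB = build_rsa_blob(65537, 0xC0FFEE_0000_0000_0000_0000_0000_0000_0001)
ROGUE_BLOB = build_rsa_blob(65537, 0xDEADBEEF_0000_0000_0000_0000_0000_0000_0001)
# Constructed known_hosts line in the form ssh writes after the "Permanently added" warning.
KNOWN_HOSTS = "remhost,192.168.0.1 ssh-rsa " + base64.b64encode(GOOD_BLOB).decode() + "\n"
KNOWN = parse_known_hosts(KNOWN_HOSTS)


if __name__ == "__main__":
    print("MD5 fingerprint:   ", md5_fingerprint(GOOD_BLOB))
    print("SHA256 fingerprint:", sha256_fingerprint(GOOD_BLOB))
    for label, blob in (("same key", GOOD_BLOB), ("different key", ROGUE_BLOB)):
        print(f"{label}: {check_host_key(KNOWN, 'remhost', 'ssh-rsa', blob)}")
    print("unknown host:", check_host_key(KNOWN, "otherhost", "ssh-rsa", GOOD_BLOB))
```

The "CHANGED" outcome is the condition behind the REMOTE HOST IDENTIFICATION HAS CHANGED banner; ssh refuses the connection in that case rather than silently accepting the new key, and the comparison is by full key blob, not by fingerprint, so the fingerprint is only the human-readable summary you compare out of band.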
17. > Create an executable trigger check script file, e.g. /etc/config/test.sh:
    #!/bin/sh
    logger "A test script"
    logger "Argument1 = $1"
    logger "Argument2 = $2"
    logger "Argument3 = $3"
    logger "Argument4 = $4"
    if [ -f /etc/config/customscript.0 ]; then
        rm /etc/config/customscript.0
        exit 7
    fi
    touch /etc/config/customscript.0
    exit 1
Refer to the online FAQ for a sample web page (html) check and other script file templates.
> Enter the Script Executable file name (e.g. /etc/config/test.sh).
> Set the Check Frequency (i.e. the time in seconds between re-running the script) and the Script Timeout (i.e. the maximum run time for the script).
> Specify the Successful Return Code. An Auto-Response is triggered if the return code from the script is not this value.
> Enter Arguments that are to be passed to the script (e.g. with a web page html check script, these Arguments might specify the web page address/DNS and user logins).
> Check Save Auto-Response.
[Screenshot: Custom Check, Check Conditions: Script Executable (script to execute when this action runs), Check Frequency, Script Timeout, Successful Return (0; trigger if the return code is not this value), Argument 1 to Argument 4 (argument to pass to the script)]
7.2.7 SMS Command
An incoming SMS command from a nominated caller can trigger an Auto
18. [Option table fragment: -s <id>=<value>; -P <id>; Description]
The config tool is designed to perform multiple actions from one command if needed, so options can be chained together. The config tool allows you to manipulate and query the system configuration from the command line. Using config, you can activate the new configuration by running the relevant configurator, which performs the action needed to make the configuration changes live.
The custom user configuration is saved in the /etc/config/config.xml file. This file is transparently accessed and edited when configuring the device using the Management Console browser GUI. Only the user root can configure from the shell.
By default the config elements are separated by a '.' character. The root of the config tree is called <config>. To address a specific element, place a '.' between each node/branch, e.g. to access and display the description of user1, type:
    config -g config.users.user1.description
The root node of the config tree is <config>. To display the entire config tree, type:
    config -g config
To display the help text for the config command, type:
    config -h
The config application resides in the /bin directory. The environment variable called PATH contains a route to the /bin directory. This allows a user to simply type config at the command prompt instead of the full path /bin/config.
Options:
-a --run-all   Run all registered configurators. This performs every configuration sync
19. [Screenshot: Add Client form: Path to client executable file, Command line format for client executable, OK, Cancel]
> Click OK, then Close.
A service typically consists of a single SSH port redirection and a local client to access it. It may consist of several redirections, and some or all may have clients associated with them.
An example is the Dell RAC service. The first redirection is for the HTTPS connection to the RAC server; it has a client associated with it (web browser) that it launches immediately when you click the button for this service. The second redirection is for the VNC service that you may choose to later launch from the RAC web console. It automatically loads in a Java client served through the web browser, so it does not need to have a local client associated with it.
[Screenshot: SDT Connector, Service Name: Dell RAC, Local > Remote Port Redirections]
> On the Add Service screen you can click Add as many times as needed to add multiple new port redirections and associated clients. You may also specify Advanced port redirection options:
> Enter the local address to bind to when creating the local endpoint of the redirection. It is not usually necessary to change this from localhost.
> Enter a local TCP port to bind to when creating the local endpoint o
20. Re-enter the password.
Subject Line: If this server requires a specific subject line, specify it here. However, some SMS gateway service providers require blank subjects, or require specific authentication headers to be included in the subject line.
> Click Apply Settings to activate the SMS-SMTP connection.
SMS via Cellular Modem
To use an attached or internal cellular modem for SMS, the Administrator must enable SMS:
> Select Cellular Modem in the SMS Settings field.
> Check Receive Messages to enable incoming SMS messages to be received. A custom script will be called on receipt of incoming SMS messages.
> You may need to enter the phone number of the carrier's SMS Message Centre, only if advised by your carrier or Support.
> Click Apply Settings to activate the SMS connection.
[Screenshot: Alerts & Logging: SMTP & SMS, SMS Settings: SMS Gateway (use an external SMS gateway) or Cellular Modem (use an attached or internal Cellular Modem); SMS via Cellular Modem; SMS Message Centre; Apply Settings]
Note: The option to directly send SMS alerts via the cellular modem was included in the Management GUI in V3.4. Advanced console servers already had the gateway software (SMS Server Tools 3) embedded; however, this could only be accessed from the command line to send SMS messages.
21. 12.5 Dashboard
The Dashboard provides the Administrator with a summary of the status of the console server and its Managed Devices. You can configure custom dashboards for each user group.
[Screenshot: Status: Dashboard, showing Alerts, Managed Devices, Port activity and UPS connections panels]
12.5.1 Configuring the Dashboard
Only users who are members of the admin group and the root user can configure and access the dashboard. To configure a custom dashboard:
> Select System: Configure Dashboard and select the user (or group) you are configuring this custom dashboard layout for.
> Click Next.
[Screenshot: System: Configure Dashboard, Dashboard Configurations: select the group/user (e.g. group admin) to configure the dashboard for; Default dashboard; Apply]
Note: You can configure a custom dashboard for any admin user or for the admin group, or you can reconfigure the default dashboard. The Status: Dashboard screen is the first screen displayed when admin
22. Supported types are NONE, PASSWORD, MD5 or OEM.
-c   Present output in CSV (comma separated variable) format. This is not available with all commands.
-C <ciphersuite>   The remote server authentication, integrity, and encryption algorithms to use for IPMIv2 lanplus connections. See table 22-19 in the IPMIv2 specification. The default is 3, which specifies RAKP-HMAC-SHA1 authentication, HMAC-SHA1-96 integrity, and AES-CBC-128 encryption algorithms.
-E   The remote server password is specified by the environment variable IPMI_PASSWORD.
-f <password_file>   Specifies a file containing the remote server password. If this option is absent, or if password_file is empty, the password will default to NULL.
-h   Get basic usage help from the command line.
-H <address>   Remote server address; can be IP address or hostname. This option is required for lan and lanplus interfaces.
-I <interface>   Selects IPMI interface to use. Supported interfaces that are compiled in are visible in the usage help output.
-L <privlvl>   Force session privilege level. Can be CALLBACK, USER, OPERATOR, ADMIN. Default is ADMIN.
-m <local_address>   Set the local IPMB address. The default is 0x20 and there should be no need to change it for normal operation.
-o <oemtype>   Select OEM type to support. This usually involves minor hacks in place in the code to work around quirks in various BMCs from various manufacturers. Use -o list to see a list of current
23. To enable:
> Check the Delayed Config Commits button under System: Administration.
> Click Apply.
[Screenshot: System: Administration page: System Name (an ID for this device), System Description, System Password, Confirm System Password, Delayed Config Commits]
> The Commit Config icon will be displayed in the top right-hand corner of the screen, between the Backup and Log Out icons.
To queue, then run, configuration changes:
> Firstly, apply all the required changes to the configuration, e.g. modify user accounts, amend the authentication method, enable an OpenVPN tunnel or modify the system time.
> Click the Commit Config button. This will generate the System: Commit Configuration screen, displaying all the configurators to be run.
> Click Apply to run all the configurators in the queue.
> Alternately, click Cancel and this will discard all the delayed configuration changes.
Note: All the queued configuration changes will be lost if Cancel is selected.
To disable the Delayed Configuration Commits mode:
> Uncheck the Delayed Config Commits button under
24. [Screenshot: System: Configure Dashboard, Dashboard Layout: Configuring Dashboard for group admin; Widget 1: Alerts; Amount (maximum number of alerts to display in the dashboard); Alerts: Connection Alert, Signal Alert (which alerts to display in the dashboard); Configure Widgets]
Note: Dashboard configuration is stored in the /etc/config/config.xml file. Each configured dashboard will increase the size of the config file. If this file gets too big, you can run out of memory space on the console manager.
12.5.2 Creating custom widgets for the Dashboard
To run a custom script inside a dashboard widget: Create a file called widget-<name>.sh in the folder /etc/config/scripts/, where <name> can be anything. You can have as many custom dashboard files as you want. Inside this file you can put any code you want. When configuring the dashboard, choose widget-<name>.sh in the dropdown list. The dashboard will run the script and display the output of the script commands directly on the screen, inside the specific widget. The best way to format the output would be to send HTML commands back to the browser by adding echo commands in the script:
    echo '<table>'
You can of course r
25. When NRPE and NSCA are both enabled, NSCA is the preferred method for communicating with the upstream Nagios server; check Prefer NRPE to use NRPE whenever possible, that is, for all communication except for alerts.

10.3.2 Enable NRPE monitoring

[Figure: Nagios Monitoring Host, Console Server and remote serial/network attached devices]

Enabling NRPE allows you to execute plug-ins such as check_tcp and check_ping on the remote console server to monitor serial- or network-attached remote servers. This will offload CPU load from the upstream Nagios monitoring machine. This is especially valuable if you are monitoring hundreds or thousands of hosts.

To enable NRPE:
- Select System: Nagios and check NRPE Enabled.
- Enter the details for the user connection to the upstream Nagios monitoring server, and again refer to the sample Nagios configuration example below for details about how to configure specific NRPE checks.

By default the console server will accept a connection between the upstream Nagios monitoring server and the NRPE server with SSL encryption, without SSL, or tunneled through SSH. The security for the connection is configured at the Nagios server.

10.3.3 Enable NSCA monitoring

[Figure: Nagios Monitoring Host, Console Server and remote Managed Devices]

NSCA is the mechanism that allows you to send passive check results from the remote console server to the Nagios daemon running on the monitoring serv
26. Your new rule will be the existing total plus 1. So if the previous command gave you 0, then you start with rule number 1. If you already have 1 rule, your new rule will be number 2, etc.

If you want to restrict access to serial port 5 to computers from a single class C network (192.168.5.0, for example), you need to issue the following commands (assuming you have a previous rule in place).

Add a trusted network:

    config -s config.portaccess.rule2.address=192.168.5.0
    config -s config.portaccess.rule2.description="foo bar"
    config -s config.portaccess.rule2.netmask=255.255.255.0
    config -s config.portaccess.rule2.port5=on
    config -s config.portaccess.total=2

The following command will synchronize the live system with the new configuration:

    config -r serialconfig

14.8 Cascaded Ports

To add a new slave device with the following settings:
- IP address/DNS name: 192.168.0.153
- Description: Console in office 42
- Label: les1116-5
- Number of ports: 16

The following commands must be issued:

    config -s config.cascade.slaves.slave1.address=192.168.0.153
    config -s "config.cascade.slaves.slave1.description=CM in office 42"
    config -s config.cascade.slaves.slave1.label=les1116-5
    config -s config.cascade.slaves.slave1.ports=16

The total number of slaves must also be incremented. If this is the first slave you're adding, type:

    config -s config.cascade.slaves.total=1

Increment this value
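The following is an added example (not from the manual) that generates the config -s command sequence above for an arbitrary trusted network, port list and existing rule total. The function names are my own; it checks that the address really is the network address for the given netmask and that the description cannot break out of its quoted value when the lines are pasted into a shell.

```shell
#!/bin/sh
# Added example, not from the manual: print the `config -s` commands for the
# next config.portaccess rule, applying the "new rule = existing total + 1"
# numbering above, and reject inputs that would produce a misleading rule.

# ip_to_int DOTTED: print the address as a 32-bit integer; fail if it is not
# four decimal octets in 0..255.
ip_to_int() {
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case $o in ''|*[!0-9]*) return 1 ;; esac
        [ "$o" -le 255 ] || return 1
    done
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# portaccess_rule_cmds TOTAL NETWORK NETMASK DESCRIPTION PORT...
#   TOTAL       current value of config.portaccess.total on the device
#   NETWORK     trusted network address, e.g. 192.168.5.0
#   NETMASK     dotted netmask, e.g. 255.255.255.0
#   DESCRIPTION free text for the rule
#   PORT...     serial port numbers the rule grants access to
portaccess_rule_cmds() {
    total=$1 network=$2 netmask=$3 desc=$4
    shift 4
    case $total in ''|*[!0-9]*) echo "invalid total: $total" >&2; return 1 ;; esac
    net_i=$(ip_to_int "$network")  || { echo "invalid network address: $network" >&2; return 1; }
    mask_i=$(ip_to_int "$netmask") || { echo "invalid netmask: $netmask" >&2; return 1; }
    # A host address (bits set outside the mask) is not a network address; the
    # device would store it as given and the rule would not mean what it says.
    [ $(( net_i & mask_i )) -eq "$net_i" ] \
        || { echo "$network has host bits set for netmask $netmask" >&2; return 1; }
    # The commands are pasted into a shell, so a description carrying quotes or
    # expansion characters must not be allowed to escape the quoted value.
    if printf '%s' "$desc" | grep -q '["$`\\]'; then
        echo "description contains shell metacharacters" >&2; return 1
    fi
    rule=$(( total + 1 ))
    key="config.portaccess.rule$rule"
    echo "config -s $key.address=$network"
    echo "config -s $key.description=\"$desc\""
    echo "config -s $key.netmask=$netmask"
    for p in "$@"; do
        case $p in ''|*[!0-9]*) echo "invalid port number: $p" >&2; return 1 ;; esac
        echo "config -s $key.port$p=on"
    done
    echo "config -s config.portaccess.total=$rule"
    echo "config -r serialconfig"
}

# Reproduces the manual's case: one rule already exists, and port 5 is to be
# restricted to the class C network 192.168.5.0 / 255.255.255.0.
portaccess_rule_cmds 1 192.168.5.0 255.255.255.0 "foo bar" 5
```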
27. and the Port will be set as 22. Go to the SSH: Tunnels menu and, in Add new forwarded port, enter any high unused port number for the Source port, for example 54321. Set the Destination IP details:

If your destination device is network connected to the console server and you are connecting using RDP, set the Destination as <Managed Device IP address/DNS Name>:3389. For example, if when setting up the Managed Device as a Network Host on the console server you specified its IP address to be 192.168.253.1, or its DNS Name was accounts.myco.intranet.com, then specify the Destination as 192.168.253.1:3389 or accounts.myco.intranet.com:3389.

Only devices that are configured as networked Hosts can be accessed using SSH tunneling, except by the root user, who can tunnel to any IP address the console server can route to.

[Screenshot: PuTTY Configuration, Connection: SSH: Tunnels (options controlling SSH port forwarding). Forwarded ports: L54321 192.168.253.1:80. Add new forwarded port: Source port 55555, Destination 192.168.253.1:3389, Local selected]

If your destination computer is serially connected to the console server
28. config -s config.alerts.alert2.alarmrange.mon.until.hour=14
    config -s config.alerts.alert2.alarmrange.mon.until.min=30
    config -s config.alerts.alert2.description=description
    config -s config.alerts.alert2.sensor=temp
    config -s config.alerts.alert2.signal=DSR
    config -s config.alerts.alert2.type=alarm

To enable an alarm for the entire day:

    config -s config.alerts.alert2.alarmrange.mon.from.hour=0
    config -s config.alerts.alert2.alarmrange.mon.from.min=0
    config -s config.alerts.alert2.alarmrange.mon.until.hour=0
    config -s config.alerts.alert2.alarmrange.mon.until.min=0

The following command will synchronize the live system with the new configuration:

    config -r alerts

14.15 SMTP & SMS

To set up an SMTP mail or SMS server with the following details:
- Outgoing server address: mail.Black Box.com
- Secure connection type: SSL
- Sender: John@Black Box.com
- Server username: john
- Server password: secret
- Subject line: SMTP alerts

    config -s config.system.smtp.server=mail.Black Box.com
    config -s config.system.smtp.encryption=SSL        (can also be TLS or None)
    config -s config.system.smtp.sender=John@Black Box.com
    config -s config.system.smtp.username=john
    config -s config.system.smtp.password=secret
    config -s "config.system.smtp.subject=SMTP alerts"

To set up an SMTP SMS server with the same details as above:

    config -s config.system.smtp.server2=mail.Black Box.com
29. configuration is entirely independent of SDT Connector and the SSH gateway. You must configure the SSH client that SDT Connector launches (for example Putty, OpenSSH) and the host's SSH server for public key authentication. Essentially what you are using is SSH over SSH, and the two SSH connections are entirely separate.

6.8 Setting up SDT for Remote Desktop access

The Microsoft Remote Desktop Protocol (RDP) enables the system manager to securely access and manage remote Windows computers: to reconfigure applications and user profiles, upgrade the server's operating system, reboot the machine, etc. Black Box's Secure Tunneling uses SSH tunneling, so this RDP traffic is securely transferred through an authenticated and encrypted tunnel.

SDT with RDP also allows remote Users to connect to Windows XP, Vista, Server 2003 and Server 2008 computers, and to Windows 2000 Terminal Servers, and to access all of the applications, files and network resources, with full graphical interface, just as though they were in front of the computer screen at work. To set up a secure Remote Desktop connection, enable Remote Desktop on the target Windows computer that you want to access and configure the RDP client software on the client PC.

6.8.1 Enable Remote Desktop on the target Windows computer to be accessed

To enable Remote Desktop on the Windows computer being accessed:
- Open System in the Control Panel and clic
30. for T-Mobile it is phonenumber@tmomail.net.

7.3.2 Send SMS
- Click on Send SMS as the Add Trigger Action. Enter a unique Action Name and set the Action Delay Time.
- Specify the Phone number that the SMS will be sent to, in international format, without the
- Edit the Message Text to send and click Save New Action.

Note: The SMS alert can only be sent if there is an internal or external USB cellular modem attached. However, an SMS alert can also be sent via an SMTP SMS gateway, as described above.

7.3.3 Perform RPC Action
- Click on Perform RPC Action as the Add Trigger Action. Enter a unique Action Name and set the Action Delay Time.
- Select a power Outlet and specify the Action to be performed (power On, OFF or Cycle).
- Click Save New Action.

7.3.4 Run Custom Script
- Click on Run Custom Script as the Add Trigger Action. Enter a unique Action Name and set the Action Delay Time.
- Create a script file to execute when this action is triggered and enter the Script Executable file name, e.g. /etc/config/action.sh.
- Set the Script Timeout, i.e. the maximum run time for the script. Leave as 0 for unlimited.
- Enter any Arguments that are to be passed to the script and click Save New Action.

7.3.5 Send SNMP Trap
- Click on Send SNMP Trap as the Add Trigger Action. Enter a unique Action Name and set the Action Delay Time.

Note: The SNMP Trap actions are valid for Serial, Environmental, UPS and Cellular data trigg
31. - Click Apply.

Note: The above Trusted Networks will limit Users' and Administrators' access to the console serial ports. They do not restrict access to the console server itself or to attached hosts. To change the default settings for this access, you will need to edit the iptables rules as described in Chapter 14, Advanced.

4.6 Serial Port Cascading

Cascaded Ports enables you to cluster distributed console servers. A large number of serial ports (up to 1000) can be configured and accessed through one IP address and managed through one Management Console. One console server, the Master, controls other console servers as Slave units, and all the serial ports on the Slave units appear as if they are part of the Master.

Black Box's clustering connects each Slave to the Master with an SSH connection. This uses public key authentication, so the Master can access each Slave using the SSH key pair rather than using passwords. This ensures secure authenticated communications between Master and Slaves, enabling the Slave console server units to be distributed locally on a LAN or remotely around the world.

[Figure: Local or Remote Administration of the Master and its distributed Slaves]

4.6.1 Automatically generate and upload SSH keys

To set up public key authentication, you must first generate an RSA or DSA key pair and upload them into the Master and Slave console servers. This can all be done automatically from the Maste
32. -l, --list
    List available targets. If possible, output will be compressed into a host range (see TARGET SPECIFICATION below).
-q, --query
    Query plug status of targets. If none specified, query all targets. Status is not cached; each time this option is used, powermand queries the appropriate RPCs. Targets connected to RPCs that could not be contacted (e.g. due to network failure) are reported as status "unknown". If possible, output will be compressed into host ranges.
-n, --node
    Query node power status of targets (if implemented by RPC). If no targets specified, query all targets. In this context, a node in the OFF state could be ON at the plug but operating in standby power mode.
-b, --beacon
    Query beacon status (if implemented by RPC). If no targets are specified, query all targets.
-t, --temp
    Query node temperature (if implemented by RPC). If no targets are specified, query all targets. Temperature information is not interpreted by powerman and is reported as received from the RPC, on one line per target, prefixed by target name.
-h, --help
    Display option summary.
-L, --license
    Show powerman license information.
-d, --destination host[:port]
    Connect to a powerman daemon on non-default host and optionally port.
-V, --version
    Display the powerman version number and exit.
-D, --device
    Displays RPC status information. If targets are specified, only RPCs matching the target list are displayed.
-T, --telemetry
    Causes RPC telemetry information to be
33. remote machine and to move files from one machine to another. It provides strong authentication and secure communications over insecure channels. OpenSSH, the de facto open source SSH application, encrypts all traffic (including passwords) to effectively eliminate these risks. Additionally, OpenSSH provides a myriad of secure tunneling capabilities, as well as a variety of authentication methods.

OpenSSH is the port of OpenBSD's excellent OpenSSH to Linux and other versions of Unix. OpenSSH is based on the last free version of Tatu Ylonen's sample implementation, with all patent-encumbered algorithms removed (to external libraries), all known security bugs fixed, new features reintroduced and many other clean-ups (http://www.openssh.com).

The only changes in the Black Box SSH implementation are PAM support, EGD[1]/PRNGD[2] support, and replacements for OpenBSD library functions that are absent from other versions of UNIX. The config files are now in /etc/config, e.g.:
- /etc/config/sshd_config instead of /etc/sshd_config
- /etc/config/ssh_config instead of /etc/ssh_config
- /etc/config/users/<username>/.ssh instead of /home/<username>/.ssh

15.6.2 Generating Public Keys (Linux)

To generate new SSH key pairs, use the Linux ssh-keygen command. This will produce an RSA or DSA public/private key pair, and you will be prompted for a path to store the two key files, for example id_dsa.pub
34. set the Destination as <port label>:3389. For example, if the Label you specified on the serial port on the console server is win2k3, then specify the remote host as win2k3:3389. Or you can set the Destination as portXX:3389, where XX is the SDT-enabled serial port number. For example, if port 4 on the console server is to carry the RDP traffic, then specify port04:3389.

Note: http://www.jfitz.com/tips/putty_config.html has useful examples on configuring PuTTY for SSH tunneling.

- Select Local and click the Add button.
- Click Open to SSH connect the Client PC to the console server. You will now be prompted for the Username/Password for the console server user.

[Screenshot: PuTTY terminal session to 192.168.252.202 prompting for the login]

If you are connecting as a User in the "users" group, then you can only SSH tunnel to Hosts and Serial Ports where you have specific access permission. If you are connecting as an Administrator in the "admin" group, then you can connect to any configured Host or Serial Port that has SDT enabled.

To set up the secure SSH tunnel for a HTTP browser connection to the Managed Device, specify port 80 (instead of port 3389, which was used for RDP) in the Destination IP address.

To set up the secure SSH tunnel from the Client (Viewer) PC to the console server for VNC, follow the steps above, but when you configure the VNC port redirection, specify port 5900 in the Destination IP address.
35. simply add the list of group_names after the existing entries, including the separating colon.

9.3 SSL Certificate

The console server uses the Secure Socket Layer (SSL) protocol for encrypted network traffic between itself and a connected user. When establishing the connection, the console server has to expose its identity to the user's browser using a cryptographic certificate. The default certificate that comes with the console server device upon delivery is for testing purposes only. The System Administrator should not rely on the default certificate as the secured global access mechanism for use through the Internet.

- Activate your preferred browser and enter https://<IP address>. Your browser may respond with a message that verifies the security certificate is valid but notes that it is not necessarily verified by a certifying authority. To proceed you need to click yes if you are using Internet Explorer, or select accept this certificate permanently (or temporarily) if you are using Mozilla Firefox.
- You will then be prompted for the Administrator account and password as normal.

We recommend that you generate and install a new base64 X.509 certificate that is unique for a particular console server. To do this, the console server must be enabled to generate a new cryptographic key and the associated Certificate Signing Request (CSR) that needs to be certified by a Certification Authority (CA). A certification autho
36. supported OEM types.
-p <port>
    Remote server UDP port to connect to. Default is 623.
-P <password>
    Remote server password is specified on the command line. If supported, it will be obscured in the process list. Note: Specifying the password as a command line option is not recommended.
-t <target_address>
    Bridge IPMI requests to the remote target address.
-U <username>
    Remote server username, default is NULL user.
-v
    Increase verbose output level. This option may be specified multiple times to increase the level of debug output. If given three times you will get hexdumps of all incoming and outgoing packets.
-V
    Display version information.

If no password method is specified, then ipmitool will prompt the user for a password. If no password is entered at the prompt, the remote server password will default to NULL.

SECURITY

The ipmitool documentation highlights that there are several security issues to be considered before enabling the IPMI LAN interface. A remote station has the ability to control a system's power state, as well as being able to gather certain platform information. To reduce vulnerability, we strongly advise that the IPMI LAN interface only be enabled in trusted environments where system security is not an issue, or where there is a dedicated secure management network, or where access has been provided through a console server. Further, we strongly advise that you do
37. tar: The tar archiving utility
tc: Show traffic control settings
tcpdump: Dump traffic on a network
telnetd: Telnet protocol server
tftp: Client to transfer a file from/to a tftp server
tftpd: Trivial File Transfer Protocol (tftp) server
tip: Simple terminal emulator/cu program for connecting to modems and serial devices
top: Provide a view of process activity in real time
touch: Change file timestamps
traceroute: Print the route packets take to a network host
traceroute6: Traceroute for IPv6
true: Returns an exit code of TRUE (0)
umount: Unmount file systems
uname: Print system information
usleep: Delay for a specified amount of time
vconfig: Create and remove virtual ethernet devices
vi: Busybox clone of the VI text editor
w: Show who is logged on and what they are doing
zcat: Identical to gunzip -c

Commands above which are marked come from BusyBox, the Swiss Army Knife of embedded Linux (http://www.busybox.net/downloads/BusyBox.html). Others are generic Linux commands, and most commands take the -h or --help argument to provide a terse runtime description of their behavior. More details on the generic Linux commands can be found online at http://en.tldp.org/HOWTO/HOWTO-INDEX/howtos.html and http://www.faqs.org/docs/Linux-HOWTO/Remote-Serial-Console-HOWTO.html.

An updated list of the commands may be found by using the ls command to view all the commands actually available in the /bin directory in your console server. There were a numbe
38. (the public key) and id_dsa (the private key). For example:

    $ ssh-keygen -t [rsa|dsa]
    Generating public/private [rsa|dsa] key pair.
    Enter file in which to save the key (/home/user/.ssh/id_[rsa|dsa]):
    Enter passphrase (empty for no passphrase):
    Enter same passphrase again:
    Your identification has been saved in /home/user/.ssh/id_[rsa|dsa].
    Your public key has been saved in /home/user/.ssh/id_[rsa|dsa].pub.
    The key fingerprint is:
    28:aa:29:38:ba:40:f4:11:5e:3f:d4:fa:e5:36:14:d6 user@server
    $

Create a new directory to store your generated keys. You can also name the files after the device they will be used for. For example:

    $ mkdir keys
    $ ssh-keygen -t rsa
    Generating public/private rsa key pair.
    Enter file in which to save the key (/home/user/.ssh/id_rsa): /home/user/keys/control_room
    Enter passphrase (empty for no passphrase):
    Enter same passphrase again:
    Your identification has been saved in /home/user/keys/control_room.
    Your public key has been saved in /home/user/keys/control_room.pub.
    The key fingerprint is:
    28:aa:29:38:ba:40:f4:11:5e:3f:d4:fa:e5:36:14:d6 user@server

Make sure that there is no password associated with the keys. If there is a password, then the Black Box devices will have no way to supply it at runtime.

Full documentation for the ssh-keygen command can be found at http://www.openbsd.org/cgi-bin/man.cgi?query=ssh-keygen

15.6.3 Installing the SSH Public/Private Keys (Clustering)

For Black Box console se
39. then click Apply.

Note: If you want to set the same protocol options for multiple serial ports at once, click Edit Multiple Ports and select which ports you want to configure as a group.

- If the console server has been configured with distributed Nagios monitoring enabled, then you will also be presented with Nagios Settings options to enable nominated services on the Host to be monitored (refer to Chapter 10, Nagios Integration).

4.1.1 Common Settings

There are a number of common settings that you can set for each serial port. These are independent of the mode in which the port is being used. Set these serial port parameters to match the serial port parameters on the device you attach to that port.

[Screenshot: Serial & Network: Serial Port, Common Settings for Port 1: Label, Baud Rate, Data Bits, Parity, Stop Bits, Flow Control, Signaling Protocol]

- Specify a label for the port.
- Select the appropriate Baud Rate, Parity, Data Bits, Stop Bits and Flow Control for eac
40. 12.1 Port Access and Active Users

The Administrator can see which Users have access privileges with which serial ports:
- Select the Status: Port Access

[Screenshot: Status: Port Access table with columns User, From and serial ports 1 to 16: deladmin (Anywhere) N for every port; hpadmin (Anywhere) N for every port; devwoom (Anywhere) Y. Legend: Anywhere = accessible from any IP address; Anyone = no username is required for access]

The Administrator can also see the current status as to Users who have active sessions on those ports:
- Select the Status: Active Users

12.2 Statistics

The Statistics report provides a snapshot of the status, current traffic and other activities and operations of your console server.
- Select the Status: Statistics

[Screenshot: Status: Statistics with tabs Interfaces, Routes/DNS, Serial Ports, IP, ICMP, TCP, UDP, Out of Band; Routing Table columns Destination, Gateway, Mas
41. 13.3.1 Web Terminal
13.3.2 SDT Connector access
13.4 Power Management

CONFIGURATION FROM THE COMMAND LINE
14.1 Accessing config from the command line
14.2 Serial Port configuration
14.3 Adding and Removing Users
14.4 Adding and removing user Groups
14.5 Authentication
14.6 Network Hosts
14.7 Trusted Networks
14.8 Cascaded Ports
14.9 UPS Connections
14.10 RPC Connections
14.11 Environmental
14.12 Managed Devices
14.13 Port Log
14.14 Alerts
14.15 SMTP & SMS
14.16 SNMP
14.17 Administration
14.18 IP settings
14.19 Date & Time Settings
14.20 Dial-in settings
14.21 DHCP server
14.22 Services
14.23 NAGIOS

ADVANCED CONFIGURATION
15.1 Custom Scripting
15.1.1 Custom script to run when booting
15.1.2 Running custom scripts when alerts are triggered
15.1.3 Example script: Power Cycling on Pattern Match
15.1.4 Example script: Multiple email notifications on each alert
15.1.5 Deleting Configuration Values from the CLI
15.1.6 Power Cycle any device when a ping request fails
15.1.7 Running custom scripts when a configurator is invoked
15.1.8 Backing up the configuration and restoring using a local USB stick
15.1.9 Back
42. 13.3.2 SDT Connector access

Administrators and Users can communicate directly with the console server command line, and with devices attached to the console server serial ports, using SDT Connector and their local telnet client, or using a Web terminal and their browser.
- Select Manage: Terminal.
- Click Connect to SDT Connector. This will activate the SDT Connector client on the computer you are browsing from and load your local telnet client to connect to the command line or serial port using SSH.

[Screenshot: Manage: Terminal page with the SDT Connector client being launched; Gateway Actions: Retrieve Hosts]

Note: You must install SDT Connector on the computer you are browsing from and add the console server as a gateway, as detailed in Chapter 6.

13.4 Power Management

Administrators and Users can access and manage the connected power devices.
- Select Manage: Power.

Chapter 14: Command Line Configuration

Introduction

For those who prefer to configure their console server at the Linux command lin
43. 5.3 Send SNMP trap alerts

The Administrator can configure the Simple Network Management Protocol (SNMP) agent that resides on the console server to send SNMP trap alerts to an NMS management application.
- Select Alerts & Logging: SNMP.
- Enter the SNMP transport protocol. SNMP is generally a UDP-based protocol, though infrequently it uses TCP instead.
- Enter the IP address of the SNMP Manager and the Port to use for connecting (default 162).
- Select the version being used. The console server SNMP agent supports SNMP v1, v2 and v3.
- Enter the Community name for SNMP v1 or 2c. An SNMP community is the group that devices and management stations running SNMP belong to. It helps define where information is sent. SNMP default communities are private for Write and public for Read.
- To configure for SNMP v3, you will need to enter an ID and authentication password and contact information for the local Administrator in the Security Name.
- Click Apply to activate SNMP.

[Screenshot: Alerts & Logging: SNMP page (System Name les1308a, Model LES1308A, Firmware 3.5.3u5): SNMP Service Details with Enable (enable the SNMP service), TCP/IP Protocol UDP (the TCP/IP protocol to serve), Location (System Loc
44. 5.7.4 5.8 5.8.1 5.8.2 5.8.3 5.8.4
OoB Dial-In Access
Configure Dial-In PPP
Using SDT Connector client
Set up Windows XP/2003/Vista/7 client
Set up earlier Windows clients
Set up Linux clients for dial-in
OoB broadband access
Broadband Ethernet Failover
Dial-Out Failover
Always-on dial-out
Failover dial-out
Cellular Modem Connection
Connect to the GSM/HSUPA/UMTS carrier network
Connect to the CDMA EV-DO carrier network
Verify cellular connection
Cellular modem watchdog
Cellular Operation
OOB access set up
Cellular failover setup
Cellular routing
Cellular CSD dial-in setup
Firewall & Forwarding
Configuring network forwarding and IP masquerading
Configuring client devices
Port forwarding
Firewall rules

SECURE SSH TUNNELING AND SDT CONNECTOR
6.1 Configuring for SSH Tunneling to Hosts
6.2 SDT Connector Client Configuration
6.2.1 SDT Connector installation
6.2.2 Configuring a new console server gateway in the SDT Connector client
6.2.3 Auto-configure SDT Connector client with the user's access privileges
6.2.4 Make an SDT connection through the gateway to a host
6.2.5 Manually adding hosts to the SDT Connector gateway
6.2.6 Manually adding new services to the new hosts
6.2.7 Adding a client program to be started for the new service
6.2.8 Dial-in configuration
6.3 SDT Connector to Management Console
6.4 SDT Connector telnet or SSH connect to seriall
45. Chapter 5: Firewall, Failover and OoB Dial Access

Introduction

The console server has a number of fail-over and out-of-band access capabilities to make sure it's available if there are difficulties accessing the console server through the principal network path. The console server also has routing, NAT (Network Address Translation), packet filtering and port forwarding support. This chapter covers:
- out-of-band (OoB) access from a remote location using a dial-up modem
- out-dial failover
- OoB access using an alternate broadband link (LES1508A, LES1408A, LES1416A, LES1432A, LES1448A, LES1308A, LES1316A, LES1332A, LES1348A, LES1208A-R2, LES1216A-R2, LES1232 and LES1248A-R2 models only)
- broadband failover
- firewall and routing

5.1 OoB Dial-In Access

To enable OoB dial-in access, you first configure the console server. Once it's set up for dial-in PPP access, the console server will await an incoming dial-in connection. Set up the remote client dial-in software so it can establish a network connection from the Administrator's client modem to the dial-in modem on the console server.

[Figure: OoB dial-in management]

Note: The LES1208A-R2, LES1216A-R2, LES1232 and LES1248A-R2 models all have an internal modem and a DB9 Local Console port for OoB access. With these models you can still attach an external modem via a serial cable to the DB9 port, and you can configure the second Eth
46. 6.2.4 Make an SDT connection through the gateway to a host
- Simply point at the host to be accessed and click on the service to use to access that host. The SSH tunnel to the gateway is then automatically established, the appropriate ports redirected through to the host, and the appropriate local client application is launched, pointing at the local endpoint of the redirection.

[Screenshot: SDTConnector window showing gateway 208.64.91.182 with hosts HP iLO2, IBM RSA II, IP Power, Web Management, Dell Server 2003 DRAC4, HP 2003 Server iLO 2, Dell 2003 Server, Dell 2003 Server BMC, HP 2003 Server and Local Services; status line "Logging in to gateway 208.64.91.182"]

Note: The SDT Connector client can be configured with an unlimited number of Gateways (that is, console servers). You can configure each Gateway to port forward to an unlimited number of locally networked Hosts. There is no limit on the number of SDT Connector clients that can be configured to access the one Gateway. Nor are there limits on the number of Host connections that an SDT Connector client can concurrently have open through the one Gateway tunnel. There is a limit on the number of SDT Connector SSH tunnels that can be open at the same time on a particular Gateway console server. Each Gateway console server can support at least 50 such concurrent connections. At any time you could have up t
47. Add New Port Forward
- Fill in the following fields:

Name: Name for the port forward. This should describe the target and the service that the port forward is used to access.
Input Interface: This allows the user to only forward the port from a specific interface. In most cases this should be left as Any.
Source Address: This allows the user to restrict access to a port forward to a specific address. In most cases this should be left blank.
Input Port Range: The range of ports to forward to the destination IP. These will be the port(s) specified when accessing the port forward. These ports need not be the same as the output port range.
Protocol: The protocol of the data being forwarded. The options are TCP or UDP.
Output Address: The target of the port forward. This is an address on the internal network where packets sent to the Input Interface on the input port range are sent.
Output Port Range: The port or ports that the packets will be redirected to on the Output Address.
48. Apply. When DHCP has initially allocated hosts' addresses, copy these addresses into the pre-assigned list so the same IP address will be reallocated if you reboot the system.

3.6.3 Select Failover or broadband OOB

The LES1508A, LES1408A, LES1416A, LES1432A, LES1448A, LES1308A, LES1316A, LES1332A, LES1348A, LES1208A-R2, LES1216A-R2, LES1232A and LES1248A-R2 console servers provide a broadband failover option. If you have a problem using the main LAN connection for accessing the console server, an alternate access path is used.

[Figure: Redundant LAN connection: Network 1 and Network 2 ports, serially connected consoles and the management network]

- By default the failover is not enabled. To enable, select the Network page on the System: IP menu.
- Select the Failover Interface to be used if the main fails. This can be:
  o Management LAN: an alternate broadband Ethernet connection, which would be the Network2 port on the LES1508A, LES1408A, LES1416A, LES1432A, LES1448A, LES1308A, LES1316A, LES1332A, LES1348A, LES1208A-R2, LES1216A-R2, LES1232A and LES1248A-R2 console servers, or
  o Internal Modem: the internal V.92 modem in the LES1208A-R2, LES1216A-R2, LES1232A and LES1248A-R2 console servers, or
  o Internal Cellular Modem: the CDMA modem in the LES1408A, LES1416A, LES1432 and LES1448, or the GSM modem in the LES1308A, LES1316A, LES1332 and LES1348 console servers, or
  o Serial DB9: an external serial modem
49. Band field, enter the access details for the remote PPP server to be called.
Override DNS is available for PPP devices such as modems. Override DNS allows the use of alternate DNS servers from those provided by your ISP. For example, an alternative DNS may be required for OpenDNS, used for content filtering.
> To enable Override DNS, check the Override returned DNS Servers box. Enter the IP of the DNS servers into the spaces provided.
[Screenshot: System > Dial > Internal Modem: Dial Settings (Disable Dial, Enable Dial-In, Enable Dial-Out); Serial Settings (Baud Rate 9600, the port speed in characters per second; Flow Control Hardware, the method of flow control); Dial-Out Settings (Always On Out-of-Band, Dial Phone Number)]
50. Data and Computer Software clause at DFARS 252.227-7013 or subparagraphs (c)(1) and (2) of the Commercial Computer Software Restricted Rights at 48 C.F.R. 52.227-19, as applicable, or any successor regulations.
TERM AND TERMINATION: This EULA is effective until terminated. The EULA terminates immediately if you fail to comply with any term or condition. In such an event you must destroy all copies of the Software. You may also terminate this EULA at any time by destroying the Software.
GOVERNING LAW AND ATTORNEY'S FEES: This EULA is governed by the laws of the State of Utah, USA, excluding its conflict of law rules. You agree that the United Nations Convention on Contracts for the International Sale of Goods is hereby excluded in its entirety and does not apply to this EULA. If you acquired this Software in a country outside of the United States, that country's laws may apply. In any action or suit to enforce any right or remedy under this EULA or to interpret any provision of this EULA, the prevailing party will be entitled to recover its costs, including reasonable attorneys' fees.
ENTIRE AGREEMENT: This EULA constitutes the entire agreement between you and Black Box with respect to the Software and supersedes all other agreements or representations, whether written or oral. The terms of this EULA can only be modified by express written consent of both parties. If any part of this EULA is held to be
51. Networks to specify network addresses that can access nominated Slave serial ports.
> Select the appropriate Alerts & Logging > Alerts to configure Slave port Connection State Change or Pattern Match alerts.
> The configuration changes made on the Master are propagated out to all the Slaves when you click Apply.

4.6.4 Managing the Slaves
The Master is in control of the Slave serial ports. For example, if you change User access privileges or edit any serial port setting on the Master, the updated configuration files will be sent out to each Slave in parallel. Each Slave will then automatically make changes to its local configuration, and only make those changes that relate to its particular serial ports. You can still use the local Slave Management Console to change the settings on any Slave serial port (such as altering the baud rates); however, these changes will be overwritten next time the Master sends out a configuration file update.
Also, while the Master is in control of all Slave serial port related functions, it is not master over the Slave network host connections or over the Slave console server system itself. You must access each Slave directly to manage Slave functions such as IP, SMTP & SNMP Settings, Date & Time and DHCP server. These functions are not overwritten when configuration changes are propagated from the Master. Similarly, you have to configure the Slaves' Network Host and IPMI settings at each Slave. The Ma
52. Periodically log UPS status
[Screenshot: Log Status check box; Log Rate 15 (minutes between samples); Apply]
> Enter the Name of the particular remote UPS that you want to remotely monitor. This name must be the name that the remote UPS was configured with on the remote console server, because the remote console server may itself have multiple UPSes attached that it manages locally with NUT. Optionally enter a Description.
> Enter the IP Address or DNS name of the remote console server that is managing the remote UPS. This may be another Black Box console server, or it may be a generic Linux server running Network UPS Tools.
Note: An example where centrally monitoring remotely distributed UPSes is useful is a campus or large business site where there is a multitude of computer and other equipment sites spread afar, each with their own UPS supply, and many of these (particularly the smaller sites) will be USB or serially connected. Having a console server at these remote sites would enable the system manager to centrally monitor the status of the power supplies at all sites and centralize alarms, so he/she can be warned to initiate a call-out or shut down.
> Check Log Status and specify the Log Rate (minutes between samples) if you want the status from this UPS to be logged. You can view these logs from the Status > UPS Status screen.
> Check Enable Shutdown Script if this remote UPS is the UPS providin
53. [Screenshot: System > Administration: System Password (the system password can be changed by editing the root user on the Users form); MOTD Banner (message of the day text banner to display to authenticating users); Delayed Config Commits (config changes are queued and must be explicitly applied); Apply]
Select System > Administration and enter a System Name and System Description for the console server to give it a unique ID.
Note: The System Name can contain from 1 to 64 alphanumeric characters; however, you can also use the special characters _ and. There are no restrictions on the characters that can be used in the System Description or the System Password; each can contain up to 254 characters. However, only the first eight System Password characters are used to make the password hash, so characters beyond the eighth add nothing to the password's strength.
The MOTD Banner can be used to display a message-of-the-day text to users. Click Apply.

3.3 Network IP address
The next step is to enter an IP address for the principal Ethernet LAN (Network/Network1) port on the console server, or enable its DHCP client so that it automatically obtains an IP address from a DHCP server on the network it will connect to.
> On the System > IP menu, select the Network Interface page, then check DHCP or Static
54. The phone number to call to establish the connection.
Username: The username for authentication.
Password: The password used when authenticating the user (enter it again in Confirm).
Custom Modem Initialization: The string used to initialize the modem.
Override DNS: Check Override returned DNS servers to use the following DNS servers instead of the PPP-provided ones.
DNS Server 1: The primary DNS server.
DNS Server 2: The secondary DNS server.
Dynamic DNS: None (DDNS disabled), or update a DDNS server when the IP address changes.
DDNS Hostname: The fully qualified DNS hostname.
DDNS Username: The username for the account to manage this interface.
DDNS Password: The password for that account (enter it again in Confirm DDNS Password).
Maximum interval between updates, Minimum interval between checks, Maximum attempts per update.
Apply.

5.4.2 Failover dial-out
The console server modem can be configured so a dial-out PPP connection is automatically set up in the event of a disruption in the principal management network.
> When config
55. a Host, you must identify the Host and specify the TCP or UDP ports/services that will be used to control that Host.
[Screenshot: Serial & Network > Network Hosts list showing each host's IP Address/DNS Name, Host Name, Description/Notes, Permitted Services (for example 3389/tcp rdp, 80/tcp http, 443/tcp https, 22/tcp ssh) and Device Type, with Edit/Delete links and an Add Host button]
> Selecting Serial & Network > Network Hosts presents all the network-connected Hosts that have been enabled for access and the related access TCP ports/services.
> Click Add Host to enable access to a new Host, or select Edit to update the settings for an existing Host.
> Enter the IP Address or DNS Name and a Host Name (up to 254 alphanumeric characters) for the new network-connected Host, and optionally enter a Description.
> Add or edit the Permitted Services (or TCP/UDP port numbers) that are authorized to be used in controlling this host. Only these permitted services will be forwarded through by SDT to the Host. All other services (TCP/UDP ports) will
56. a number of checks, either actively (at the Nagios server's request) or passively (at preset intervals), and submit the results to the Nagios server in a batch. You can augment the console server at the local office site by one or more Intelligent Power Distribution Units (IPDUs) to remotely control the power supply to the managed devices.
[Figure: remote site with a console server, hosts and an IPDU: network checks over Ethernet, serial checks over RS-232, power monitoring and manipulation via IPDU]
In this scenario, configure the console server NRPE server or NSCA client to actively check configured services and upload the checks to the Nagios server that is waiting passively. You can also configure it to service NRPE commands to perform checks on demand. In this situation, the console server will perform checks based on both serial and network access.
[Figure: remote site with a restrictive firewall (outgoing connections only): network checks over the Internet, serial checks over RS-232, results updated to Nagios via the Internet (NSCA)]
In this scenario, the role of the console server will vary. One aspect may be to upload check results through NSCA. Another may be to provide an SSH tunnel to allow the Nagios server to run NRPE commands.
[Figure: SSH tunnel initiated for the remote site NRPE server at the branch server's request] Internet C
57. also configure the console server to allow the port-forwarded network access to itself.
> Browse to the console server and select Network Hosts from Serial & Network, click Add Host, and in the IP Address/DNS Name field enter 127.0.0.1 (this is the Black Box network loopback address). Then enter Loopback in Description.
> Remove all entries under Permitted Services except for those that you will use to access the Management Console (80/http or 443/https) or the command line (22/ssh or 23/telnet). Scroll to the bottom and click Apply.
> Administrators by default have gateway access privileges. For Users to access the console server Management Console, you will need to give those Users the required access privileges. Select Users & Groups from Serial & Network. Click Add User. Enter a Username, Description and Password/Confirm. Select 127.0.0.1 from Accessible Host(s) and click Apply.

6.4 SDT Connector telnet or SSH connect to serially attached devices
You can also use SDT Connector to access text consoles on devices that are attached to the console server serial ports. For these connections, you must configure the SDT Connector client software with a Service that will access the target gateway serial port, and then set the gateway up as a host.
> Launch SDT Connector on your PC. Select Edit > Preferences and click the Services tab. Click Add.
> Enter Serial Port 2 in Service Name and click Add.
> Se
58. and click you can initiate a dial-up connection. Refer to Chapter 6.

5.5.1.3 Set up Windows XP/2003/Vista/7 client
> Open Network Connections in Control Panel and click the New Connection Wizard.
[Screenshot: New Connection Wizard, Network Connection Type: Connect to the Internet (so you can browse the Web and read email); Connect to the network at my workplace (dial-up or VPN to a business network from home, a field office or another location); Set up a home or small office network; Set up an advanced connection (connect directly to another computer using your serial, parallel or infrared port, or set up this computer so that other computers can connect to it)]
> Select Connect to the Internet and click Next.
> On the Getting Ready screen, select Set up my connection manually and click Next.
> On the Internet Connection screen, select Connect using a dial-up modem and click Next.
> Enter a Connection Name (any name you choose) and the dial-up Phone number that will connect through to the console server modem.
New Connection Wizard, Internet Account Information: You will need an account name and password to sign in to your Internet account. Type an ISP account name and password, then write down this information and store it in a
59. and serial port devices, refer to Sections 6.2.7 and 6.2.9. You can also set up SDT Connector to connect out-of-band to the console server; refer to Section 6.2.9.

6.2.2 Configuring a new console server gateway in the SDT Connector client
To create a secure SSH tunnel to a new console server:
> Click the New Gateway icon or select the File > New Gateway menu option.
[Screenshot: SDTConnector menu bar: File, Edit, Help; File menu with New Gateway, Import Preferences, Export Preferences, Exit]
> Enter the IP or DNS Address of the console server and the SSH port that you will use (typically 22).
Note: If SDT Connector is connecting to a remote console server through the public Internet or a routed network, you will need to:
Determine the public IP address of the console server (or of the router/firewall that connects the console server to the Internet) as assigned by the ISP. One way to find the public IP address is to access http://checkip.dyndns.org or http://www.whatismyip.com from a computer on the same network as the console server and note the reported IP address.
Set port forwarding for TCP port 22 through any firewall/NAT/router that is located between SDT Connector and the console server so it points to the console server. http://www.portforward.com has port forwarding instructions for a range of routers. Also, you can use the Open Port Check tool from http://www.canyouseeme.org to check if port forwarding through the local firewall/N
60. and setting up SDT for Nagios
10.2.1 Set up central Nagios server
10.2.2 Set up distributed console servers
10.3 Configuring Nagios distributed monitoring
10.3.1 Enable Nagios on the console server
10.3.2 Enable NRPE monitoring
10.3.3 Enable NSCA monitoring
10.3.4 Configure Selected Serial Ports for Nagios Monitoring
10.3.5 Configure Selected Network Hosts for Nagios Monitoring
10.3.6 Configure the upstream Nagios monitoring host
10.4 Advanced Distributed Monitoring Configuration
10.4.1 Sample Nagios configuration
10.4.2 Basic Nagios plug-ins
10.4.3 Additional plug-ins
10.4.4 Number of supported devices
10.4.5 Distributed Monitoring Usage Scenarios
SYSTEM MANAGEMENT
11.1 System Administration and Reset
11.2 Upgrade Firmware
11.3 Configure Date and Time
11.4 Configuration Backup
11.5 Delayed Configuration Commit
11.6 FIPS Mode
STATUS REPORTS
12.1 Port Access and Active Users
12.2 Statistics
12.3 Support Reports
12.4 Syslog
12.5 Dashboard
12.5.1 Configuring the Dashboard
12.5.2 Creating custom widgets for the Dashboard
MANAGEMENT
13.1 Device Management
13.2 Port and Host Logs
13.3 Serial Port Terminal Connection
13.3
61. applied to serial-attached and network-attached management accesses, as covered in Chapter 7 (Alerts and Logging), you can also configure the console server to support the remote syslog protocol on a per-serial-port basis.
> Select the Syslog Facility/Priority fields to enable logging of traffic on the selected serial port to a syslog server, and to appropriately sort and action those logged messages (that is, redirect them, send alert email, etc.).
[Screenshot: Syslog Settings: Syslog Facility (default syslog facility to use on logging messages); Syslog Priority (default syslog priority level to use on logging messages); Apply]
For example, if the computer attached to serial port 3 should never send anything out on its serial console port, the Administrator can set the Facility for that port to local0 (local0 to local7 are for site-local values) and the Priority to critical. At this priority, if the console server syslog server does receive a message, it will automatically raise an alert. Refer to Chapter 7 (Alerts & Logging).

4.1.8 Cisco USB console connection
The LES1508A, LES1408A, LES1416A, LES1432A, LES1448A, LES1308A, LES1316A, LES1332A, LES1348A, LES1208A-R2, LES1216A-R2, LES1232A and LES1248A-R2 console servers support direct USB 2.0 connection to one or two Cisco USB console ports, in addition to the traditional RS-232 serial console port connections. With such a USB console connection, users ca
62. authentication. The Kerberos authentication can be used with UNIX and Windows Active Directory Kerberos servers. This form of authentication does not provide group information, so a local user with the same username must be created and permissions set.
Note: Kerberos is very sensitive to time differences between the Key Distribution Center (KDC) authentication server and the client device. Please make sure that NTP is enabled and the time zone is set correctly on the console server. When authenticating against Active Directory, the Kerberos Realm will be the domain name and the Master KDC will be the address of the primary domain controller.
[Screenshot: Kerberos V settings: Kerberos Realm (the domain name of the realm users must authenticate against); Master KDC address (the address of the Master KDC to authenticate against); Slave KDC Address (the address of a Slave KDC to authenticate against if the Master is not available); Discover Slave KDCs using DNS (use DNS to find slave KDCs; only enable this if the DNS contains Kerberos information)]

9.1.12 Authentication testing
The Authentication Testing option enables the connection to the remote authentication server to be tested.
[Screenshot: Serial & Network > Authentication > Authentication Testing, with a Test Username field]
63. be configured. The NRPE server is the Nagios daemon for executing plug-ins on remote hosts. Each of the Serial Ports and each of the Hosts connected to the console server that you want to monitor must have Nagios enabled and any specific Nagios checks configured. Configure the central upstream Nagios monitoring host.

10.3.1 Enable Nagios on the console server
> Select System > Nagios on the console server Management Console and tick the Nagios service Enabled.
> Enter the Nagios Host Name that the console server will be referred to in the Nagios central server; this will be generated from the local System Name (entered in System > Administration) if unspecified.
> In Nagios Host Address, enter the IP address or DNS name that the upstream Nagios server will use to reach the console server; if unspecified, this will default to the first network port's IP (Network 1, as entered in System > IP).
> In Nagios Server Address, enter the IP address or DNS name that the console server will use to reach the upstream Nagios monitoring server.
> Check the Disable SDT Nagios Extensions option if you want to disable the SDT Connector integration with your Nagios server at the head end; this would only be checked if you want to run a vanilla Nagios monitoring.
> If not, enter the IP address or DNS name that the SDT Nagios clients will use to reach the console server in SDT Gateway Address.
>
64. blank.
> If there is a VPN gateway at the remote end, enter the private subnet details in Right Subnet. Again, use the CIDR notation, and leave blank if there is only a remote host.
> Select Initiate Tunnel if the tunnel connection is to be initiated from the Left (console server) end. This can only be initiated from the VPN gateway (Left) if the remote end was configured with a static (or dyndns) IP address.
> Click Apply to save changes.
Note: It is essential that the configuration details set up on the advanced console server (referred to as the Left or Local host) exactly match the set-up entered when configuring the Remote (Right) host gateway or software client.

4.10 OpenVPN
The LES1508A, LES1408A, LES1416A, LES1432A, LES1448A, LES1308A, LES1316A, LES1332A, LES1348A, LES1208A-R2, LES1216A-R2, LES1232 and LES1248A-R2 console servers include OpenVPN, which is based on TLS (Transport Layer Security) and SSL (Secure Socket Layer). With OpenVPN it is easy to build cross-platform, point-to-point VPNs using x509 PKI (Public Key Infrastructure) or custom configuration files. OpenVPN allows secure tunneling of data through a single TCP/UDP port over an unsecured network, thus providing secure access to multiple sites and secure remote administration to a console server over the Internet. OpenVPN also allows the use of dynamic IP addresses by both the server and client, thus providing client mobility. For example, an OpenVPN tunnel may be est
65. called fred, the IP address of the console server is 192.168.0.1 (default), and the public key is on the Linux/Unix computer in ~/.ssh/id_dsa.pub. Execute the following command on the Linux/Unix computer:
scp ~/.ssh/id_dsa.pub root@192.168.0.1:/etc/config/users/fred/.ssh/authorized_keys
The authorized_keys file on the console server needs to be owned by fred, so log in to the Management Console as root and type:
chown fred /etc/config/users/fred/.ssh/authorized_keys
[Figure: Master and Slave each hold an authorized_keys file containing the client's public key (ssh-rsa ... name client1, i.e. the contents of id_rsa.pub); the client holds the matching id_rsa private key (BEGIN RSA PRIVATE KEY)]
If the Black Box device selected to be the server will only have one client device, then the authorized_keys file is simply a copy of the public key for that device. If one or more devices will be clients of the server, then the authorized_keys file will contain a copy of all of the public keys. RSA and DSA keys may be freely mixed in the authorized_keys file. For example, assume we already have one server called bridge_server and two sets of keys for the control_room and the plant_entrance:
$ ls /home/user/keys
control_room control_room.pub plant_entrance plant_
66. compiled executables or scripts that can be scheduled to run on the console server to check the status of a connected host or service. This status is then communicated to the upstream Nagios server, which uses the results to monitor the current status of the distributed network. Each console server is preconfigured with a selection of the checks that are part of the Nagios plug-ins package:
check_tcp and check_udp are used to check open ports on network hosts
check_ping is used to check network host availability
check_nrpe is used to execute arbitrary plug-ins in other devices
Each console server is preconfigured with two checks that are specific to Black Box:
check_serial_signals is used to monitor the handshaking lines on the serial ports
check_port_log is used to monitor the data logged for a serial port

10.4.3 Additional plug-ins
Additional Nagios plug-ins listed below are available for Advanced Console Servers (LES1208A-R2, LES1216A-R2, LES1232A, LES1248A-R2):
check_apt, check_dns, check_game, check_jabber, check_mrtgtraf, check_nt, check_ping, check_simap, check_ssh, check_time, check_by_ssh, check_dummy, check_hpjd, check_ldap, check_nagios, check_ntp, check_pop, check_smtp, check_ssmtp, check_udp, check_clamd, check_fping, check_http, check_load, check_nntp, check_nwstat, check_procs, check_snmp, check_swap, check_ups, check_dig, check_ftp, check_imap, check_mrtg, check_nntps, check_over
67. config -s config.auth.tacacs.password=password
To configure RADIUS authentication:
config -s config.auth.radius.auth_server=<comma separated list>  (list of remote authentication and authorization servers)
config -s config.auth.radius.acct_server=<comma separated list>  (list of remote accounting servers; if unset, the Authentication and Authorization Server Address will be used)
config -s config.auth.radius.password=password
To configure LDAP authentication:
config -s config.auth.ldap.server=<comma separated list>  (list of remote servers)
config -s config.auth.ldap.basedn=name  (the distinguished name of the search base, for example dc=my-company,dc=com)
config -s config.auth.ldap.binddn=name  (the distinguished name to bind to the server with; the default is to bind anonymously)
config -s config.auth.radius.password=password
The following command will synchronize the live system with the new configuration:
config -r auth

14.6 Network Hosts
To determine the total number of currently configured hosts:
config -g config.sdt.hosts.total
Assume this value is equal to 3. If you add another host, make sure you increment the total number of hosts from 3 to 4:
config -s config.sdt.hosts.total=4
If the output is just config.sdt.hosts.total (no value), then assume 0 hosts are configured.
Add power device host
To add a UPS/RPC network host with the following details: IP address/DNS name 192
68. connect to any major GSM carrier globally. The LES1508A, LES1208A-R2, LES1216A-R2, LES1232A and LES1248A-R2 console servers also support attaching an external USB GSM/HSPA cellular modem from Sierra Wireless to one of their USB 2.0 ports. Before powering on the console server, you must install the SIM card provided by your cellular carrier and attach the external aerial.
> Select the Internal Cellular Modem panel on the System > Dial menu.
> Check Enable Dial-Out Settings.
[Screenshot: System > Dial > Internal Cellular Modem: Dial Settings (Disable Dial: disable modem communication; Enable Dial-In: allow incoming modem communication; Enable Dial-Out: allow outgoing modem communication); SIM status (SIM Not Ready: error reading SIM card or SIM card unavailable); Dial-Out Settings (Always On Out-of-Band; APN: the access point name; Phone Number: the sequence to dial to establish the connection, defaults to 99 1; Username)]
Note: Your 3G carrier may have provided you with details for configuring the connection, including APN (Access Point Name), Pin Code (optional PIN code which may be requir
69. connecting to the RPC via the network, you will be presented with the IPMI protocol options and the SNMP RPC Types currently supported by the embedded Network UPS Tools. If you are connecting to the RPC by a serial port, you will be presented with all the serial RPC types currently supported by the embedded PowerMan and the Black Box power manager.
[Screenshot: Serial & Network > RPC Connections > Add RPC, with the Connected Via, RPC Type, Name and Description fields. The RPC Type list includes:]
APC 24 Port APPv2.6.5/AOSv2.6.4 (24 outlets)
APC 24 Port APPv3.3.3/AOSv3.4.4 (24 outlets)
APC 7900 (8 outlets)
APC 8 Port AP9210 (8 outlets)
APC 8 Port APPv2.0.0/AOSv2.5.4 (8 outlets)
APC 8 Port APPv2.0.2/AOSv2.5.3 (8 outlets)
APC 8 Port APPv2.2.0/AOSv3.0.3 (8 outlets)
APC PDU (24 outlets)
Appro (48 outlets)
Baytech Serial Devices (8 outlets)
Cyclades PM10 (10 outlets)
Cyclades PM20 (20 outlets)
Cyclades PM8 (8 outlets)
Dataprobe CP 815 (8 outlets)
Digital Loggers (8 outlets)
HP 3488 (1 outlet)
IBM Blade Center (15 outlets)
IBM H8 (1 outlet)
ICS 8064 (16 outlets)
IP Power 9258 via RS232 (4 outlets)
Linux Networx ICE Box v2.x (10 outlets)
Linux Networx ICE Box v3.x/v4.x (10 outlets)
Measurement Computing Corp CB
70. console server command line from their browser.
> Select Manage > Terminal to display the Web Terminal, from which you can log in to the console server command line.
[Screenshot: Manage > Terminal web terminal showing a root login, whoami returning root, and cat /etc/version]
Note: To access the Black Box unit's command line shell via SDTConnector, SDTConnector 1.5.0 or later must be installed on the computer you are browsing from, with this unit added per the Quick Install Guide. Connect via SDTConnector.

13.3.1.2 Web Terminal to Serial Device
To enable the Web Terminal service for each serial port you want to access:
> Select Serial & Network > Serial Port and click Edit. Ensure the serial port is in Console Server Mode.
> Check Web Terminal and click Apply.
Administrators and Users can communicate directly with serial-port-attached devices from their browser:
> Select the Serial tab on the Manage > Devices menu.
> Under the Action column, click the Web Terminal icon to display the Web Terminal connected directly to the attached serial device.
13.3
71. driver programs talk directly to the UPS equipment and run on the same host as the NUT network server (upsd). Drivers are provided for a wide assortment of equipment from most of the popular UPS vendors and understand the specific language of each UPS. They communicate with serial, USB and SNMP network-connected UPS hardware and map the communications back to a compatibility layer. This means both an expensive smart-protocol UPS and a simple power-strip model can be handled transparently.
The NUT network server program upsd is responsible for passing status data from the drivers to the client programs via the network. upsd can cache the status from multiple UPSes and then serve this status data to many clients. upsd also contains access control features to limit the abilities of the clients: only authorized hosts may monitor or control the UPS hardware.
There are a number of NUT clients that connect to upsd to check on the status of the UPS hardware and do things based on the status. These clients can run on the same host as the NUT server, or they can communicate with the NUT server over the network, enabling them to monitor any UPS anywhere. The upsc client provides a quick way to poll the status of a UPS server. Use it inside shell scripts and other programs that need UPS data but don't want to include the full interface. The upsmon client enables servers that draw power through the UPS to shut down gracefully when the batter
72. example above should be executed as: powerman on foo 0 4 5 15

9.2 The pmpower tool
The pmpower utility is a high-level tool for manipulating remote preconfigured power devices connected to the console server, either via a serial or network connection. The PDU, UPS and IPMI power devices are variously controlled using the open source PowerMan, IPMItool or Network UPS Tools, and Black Box's pmpower utility arches over these tools so the devices can be controlled through one command line.
pmpower [-h] [-l device] [-r host] [-o outlet] [-u username] [-p password] action
-h  This help message
-l  The serial port to use
-o  The outlet on the power target to apply to
-r  The remote host address for the power target
-u  Override the configured username
-p  Override the configured password
on  This action switches the specified device or outlet(s) on
off  This action switches the specified device or outlet(s) off
cycle  This action switches the specified device or outlet(s) off and on again
status  This action retrieves the current status of the device or outlet
Examples:
To turn outlet 4 of the power device connected to serial port 2 on:
pmpower -l port02 -o 4 on
To turn off an IPMI device located at IP address 192.168.1.100, where the username is root and the password is calvin:
pmpower -r 192.168.1.100 -u root -p calvin off
Default system Power Device actions are specified in /etc/powerstrips.xml. Custom Power Devices can be added i
73. for the Configuration Method.
> If you selected Static, you must manually enter the new IP Address, Subnet Mask, Gateway and DNS server details. This selection automatically disables the DHCP client.
(Screenshot: Network Interface > IP Settings page, showing Configuration Method (DHCP / Static: the mechanism to acquire IP settings), IP Address, Subnet Mask, Gateway (default gateway for the unit; please only set this on one interface), Primary DNS, Secondary DNS and Media (Auto: the Ethernet media type).)
> If you selected DHCP, the console server will look for configuration details from a DHCP server on your management LAN. This selection automatically disables any static address. The console server MAC address is printed on a label on the base plate.
Note: In its factory default state (with no Configuration Method selected) the console server has its DHCP client enabled, so it automatically acce
74. id_dsa.pub
(Figure: Client 1 Keys and Client 2 Keys being distributed from Client 1 and Client 2 to the Server.)
To generate the keys using OpenBSD's OpenSSH suite, we use the ssh-keygen program:
$ ssh-keygen -t [rsa|dsa]
Generating public/private [rsa|dsa] key pair.
Enter file in which to save the key (/home/user/.ssh/id_[rsa|dsa]):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/user/.ssh/id_[rsa|dsa].
Your public key has been saved in /home/user/.ssh/id_[rsa|dsa].pub.
The key fingerprint is:
28:aa:29:38:ba:40:f4:11:5e:3f:d4:fa:e5:36:14:d6 user@server
$
It is advisable to create a new directory to store your generated keys. It is also possible to name the files after the device they will be used for. For example:
$ mkdir keys
$ ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/home/user/.ssh/id_rsa): /home/user/keys/control_room
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/user/keys/control_room.
Your public key has been saved in /home/user/keys/control_room.pub.
The key fingerprint is:
28:00:29:38:ba:40:f4:11:5e:3f:d4:fa:e5:36:14:d6 user@server
$
You should ensure there is no password associated with the keys. If there is a password, then the console servers will have no way to supply it at runtime.
Authorized Keys: If the console server selected to b
75. includes code from JSch, a pure Java implementation of SSH2. JSch is licensed under a BSD-style license and it is Copyright (c) 2002, 2003, 2004 Atsuhiko Yamanaka, JCraft, Inc. All rights reserved. Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:
1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
724-746-5500 | blackbox.com | Page 280
2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.
3. The names of the authors may not be used to endorse or promote products derived from this software without specific prior written permission.
THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL JCRAFT, INC. OR ANY CONTRIBUTORS TO THIS SOFTWARE BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGEN
76. log level 2 (default is 0); Shell power command menu: Enabled; RFC2217 access: Enabled; Limit port to 1 connection: Enabled; SSH access: Enabled; TCP access: Enabled; telnet access: Disabled; Unauthorized telnet access: Disabled.
# config -s config.ports.port5.delay=100
# config -s config.ports.port5.escapechar
# config -s config.ports.port5.loglevel=2
# config -s config.ports.port5.powermenu=on
# config -s config.ports.port5.rfc2217=on
# config -s config.ports.port5.singleconn=on
# config -s config.ports.port5.ssh=on
# config -s config.ports.port5.tcp=on
# config -d config.ports.port5.telnet
# config -d config.ports.port5.unauthtel
Device Mode: For a device mode port, set the port type to ups, rpc or enviro:
# config -s config.ports.port5.device.type=[ups | rpc | enviro]
For port 5 as a UPS port:
# config -s config.ports.port5.mode=reserved
For port 5 as an RPC port:
# config -s config.ports.port5.mode=powerman
For port 5 as an Environmental port:
# config -s config.ports.port5.mode=reserved
SDT mode: To enable access over SSH to a host connected to serial port 5:
# config -s config.ports.port5.mode=sdt
# config -s config.ports.port5.sdt.ssh=on
To configure a username and password when accessing this port, with Username=user1 and Password=secret:
# config -s config.ports.port5.sdt.username=user1
# config -s config.ports.port5.sdt.password=secret
Terminal server mode: Enable a TTY login for a l
77. modes:
1. Console Server Mode is the default, and this enables general access to the serial console port on the serially attached devices.
2. Device Mode sets the serial port up to communicate with an intelligent serial-controlled PDU, UPS or Environmental Monitor Device (EMD).
3. SDT Mode enables graphical console access (with RDP, VNC, HTTPS etc.) to hosts that are serially connected.
4. Terminal Server Mode sets the serial port to wait for an incoming terminal login session.
5. Serial Bridge Mode transparently interconnects two serial port devices over a network.
(Screenshot: Serial & Network > Serial Port page, listing for each port (Port 1, Port 2, Port 3, ...) its Label, Mode (None), Logging Level, Parameters and Flow Control, with an Edit link per port.)
> Select Serial & Network > Serial Port and you will see the current labels, modes, logging levels and RS-232 protocol options that are currently set up for each serial port.
> By default each serial port is set in Console Server mode. To reconfigure the port, click Edit.
> When you have reconfigured the common settings (Chapter 4.1.1) and the mode (Chapters 4.1.2 to 4.1.6) for each port, you can set up any remote syslog (Chapter 4.1.7
78. network-connected UPSes must first be connected to, and configured to communicate with, the console server.
> For serial UPSes, attach the UPS to the selected serial port on the console server. From the Serial & Network > Serial Port menu, configure the Common Settings of that port with the RS-232 properties etc. required by the UPS (refer to Chapter 4.1.1 Common Settings). Then select UPS as the Device Type.
> For each network-connected UPS, go to the Serial & Network > Network Hosts menu and configure the UPS as a connected Host by specifying it as Device Type: UPS and clicking Apply.
> No such configuration is required for USB-connected UPS hardware.
(Screenshot: Serial & Network > UPS Connections page. The Managed UPSes table (UPS Description/Name, Driver, Username, Connected Via) and the Remote UPSes table (UPS Description/Name, Address) both show "No UPSes currently monitored", with Add Managed UPS and Add Remote UPS buttons.)
> Select the Serial & Network > UPS Connections menu. The Managed UPSes
79. of the console server and the Port Number of the SDT Secure Tunnel for the console server serial port that you attach to the Windows computer you want to control. For example, if the Windows computer is connected to serial Port 3 on a console server located at 192.168.0.50, then you would enter 192.168.0.50:7303. Where there is an SSH tunnel (over a dial-up PPP connection, or over a public internet connection, or private network connection), simply enter the localhost as the IP address, i.e. 127.0.0.1. For Port Number, enter the source port you created when setting up SSH tunneling / port forwarding (in Section 6.1.6), for example 1234. Click Option. In the Display section, specify an appropriate color depth (for example, for a modem connection we recommend that you not use over 256 colors). In Local Resources, specify the peripherals on the remote Windows computer that are to be controlled (printer, serial port etc.).
(Screenshot: Remote Desktop Connection dialog, Logon settings: "Type the name of the computer, or choose a computer from the drop-down list." Computer: 127.0.0.1:1234; Save my password; Connection settings: Save current settings, or open saved connection.)
> Click Connect.
Note: The Remote Desktop Connection software is pre-installed with Windows XP, Vista and Server 2003/2008. For earlier Windows PCs you need to download the RDP client. Go to t
80. of the node values. For example, if we have five users configured and we use the script to delete user 3, then user 4 will become user 3 and user 5 will become user 4. This creates an obvious complication because this script does NOT check for any other dependencies that the node being deleted may have. You are responsible for making sure that any references and dependencies connected to the deleted node are removed or corrected in the config.xml file. The script treats all nodes the same. The syntax to run the script is:
delete-node {node name}
To remove user 3:
# delete-node config.users.user3
The delete-node script:
#!/bin/bash
# User must provide the node to be removed, e.g. "config.users.user1"
# Usage: delete-node {full node path}
if [ $# != 1 ]
then
  echo "Wrong number of arguments"
  echo "Usage: delnode {full delimited node path}"
  exit 2
fi
# test for spaces
TEMP=`echo "$1" | sed 's/.* .*/N/'`
if [ "$TEMP" = "N" ]
then
  echo "Wrong input format"
  echo "Usage: delnode {full delimited node path}"
  exit 2
fi
# testing if node exists
TEMP=`config -g config | grep "$1"`
if [ -z "$TEMP" ]
then
  echo "Node $1 not found"
  exit 0
fi
# LASTFIELD: is the last field in the node path, e.g. user1
# ROOTNODE: is the upper level of the node, e.g. config.users
# NUMBER: is the integer value extracted from LASTFIELD, e.g. 1
# TOTALNODE: is the node name for the total, e.g. config.users.total
# TOTAL: is the value of
81. of these. You can upload this configuration automatically into the SDT Connector client.
(Screenshot: SDTConnector window (File, Edit, Help) showing a gateway entry 208.64.91.182 with the Gateway Actions menu; a Baytech gateway and an Out-Of-Band entry are also listed.)
> Click on the new gateway icon and select Retrieve Hosts. This will:
- configure access to network-connected Hosts that the user is authorized to access, and set up (for each of these Hosts) the services (for example HTTPS, IPMI2.0) and the related IP ports being redirected;
- configure access to the console server itself (this is shown as a Local Services host);
- configure access with the enabled services for the serial port devices connected to the console server.
(Screenshot: SDTConnector window listing gateway 208.64.91.182 with hosts such as iLO2, RSA II, IP Power Web Management, Dell Server 2003 DRAC4, HP 2003 Server iLO 2, Dell 2003 Server BMC and Local Services, and their Services, e.g. HTTP, HTTPS, VNC.)
Note: The Retrieve Hosts function will auto-configure all user classes (that is, they can be members of user or admin or some other group, or no group). SDT Connector will not auto-configure the root, and we recommend that you only use this account for initial config and to add an initial admin account to the console server.
82. on the Active Server to receive administration privileges on the console server.
> Click Apply. Ensure the LDAP service is operational and group names are correct within the Active Directory.
(Screenshot: Active Directory Users and Computers, "tester Properties" dialog, Member Of tab. Member of: Domain Users (opengear.com/Users), MyGroup (opengear.com/Users). Primary group: Domain Users. "There is no need to change Primary group unless you have Macintosh clients or POSIX-compliant applications.")
9.1.9 Remote groups with TACACS+ authentication
When using TACACS+ authentication, there are two ways to grant a remotely authenticated user privileges. The first is to set the priv-lvl and port attributes of the raccess service to 12; this is discussed further in section 9.2 of this document. Additionally or alternatively, group names can be provided to the console server using the group
83. on the network and the services that will be supported.
4. Serial & Network: Covers configuring serial ports and connected network hosts, and setting up Users and Groups.
5. Firewall, Failover & OoB: Describes setting up the high availability access features of the console server.
6. Secure Tunneling (SDT): Covers secure remote access using SSH and configuring for RDP, VNC, HTTP, HTTPS etc. access to network and serially connected devices.
7. Auto-response & Logging: Explains how to set up local and remote event data logs, how to trigger SNMP and email alerts, and configuring auto-response actions to trigger events.
8. Power & Environment: Describes how to manage USB, serial and network attached power strips and UPS supplies, including Network UPS Tool (NUT) operation, IPMI power control and EMD environmental sensor configuration.
9. Authentication: Access to the console server requires usernames and passwords that are locally or externally authenticated.
10. Nagios Integration: Describes how to set Nagios central management with SDT extensions and configure the console server as a distributed Nagios server.
11. System Management: Covers access to and configuration of services that will run on the console server.
12. Status Reports: View a dashboard summary and detailed status and logs of serial and network connected devices (ports, hosts, power and environment).
13. Management: Includes po
84. on their local network, as detailed in the previous chapter. You can also pre-configure the SDT Connector with the access tools and applications that are available to run when you've established access to a particular host. SDT Connector can connect to the console server using an alternate OoB access. It can also access the console server itself and access devices connected to serial ports on the console server.
6.2.1 SDT Connector installation
> The SDT Connector set-up program (SDTConnector Setup-1.n.exe or sdtcon-1.n.tar.gz) is included on the CD supplied with your Black Box console server.
> Run the set-up program.
(Screenshot: SDTConnector Setup Wizard: "Welcome to the SDTConnector Setup Wizard. This wizard will guide you through the installation of SDTConnector. It is recommended that you close all other applications before starting Setup. This will make it possible to update relevant system files without having to reboot your computer. Click Next to continue.")
Note: For Windows clients, the SDTConnectorSetup-1.n.exe application will install the SDT Connector 1.n.exe and the config file defaults.xml. If there is already a config file on the Windows PC then it will not be overwritten. To remove an earlier config file, run the regedit command and search for "SDT Connector", then remove the directory with this name. For Linux and other Unix clients, the SDTConnector.tar.gz application will
85. option allows you to enter a custom AT string modem initialization string (for example AT&C1&D3&K3).
(Screenshot: Dial-In Settings page. Remote Address: the IP address to assign a dial-in client. Local Address: the IP address for the dial-in server. Default Route: the dialed connection is to become a default route for the system. Custom Modem Initialization: an optional AT command sequence to initialize the modem. Authentication Type: None (least secure), PAP, CHAP, MSCHAPv2 (most secure); use when checking the dial-in user's credentials. If CHAP or MSCHAPv2 is selected the dial-in authentication will be encrypted; however, the traffic itself may not be. Consider using secure protocols (HTTP(S), SSH) to access network resources over a dial-in link.)
You must select the Authentication Type to apply to the dial-in connection. The console server uses authentication to challenge Administrators who dial in to the console server. For dial-in access, the username and password received from the dial-in client are verified against the local authentication database stored on the console server. The Administrator must also configure the client PC/workstation to use the selected authentication scheme. Select PAP, CHAP, MSCHAPv2 or None and click Apply.
None: With this selection no username or password authentication is requir
86. other work under the scope of this License.
3. You may copy and distribute the Program (or a work based on it, under Section 2) in object code or executable form under the terms of Sections 1 and 2 above provided that you also do one of the following:
a) Accompany it with the complete corresponding machine-readable source code, which must be distributed under the terms of Sections 1 and 2 above on a medium customarily used for software interchange; or,
b) Accompany it with a written offer, valid for at least three years, to give any third party, for a charge no more than your cost of physically performing source distribution, a complete machine-readable copy of the corresponding source code, to be distributed under the terms of Sections 1 and 2 above on a medium customarily used for software interchange; or,
c) Accompany it with the information you received as to the offer to distribute corresponding source code. (This alternative is allowed only for noncommercial distribution and only if you received the program in object code or executable form with such an offer, in accord with Subsection b above.)
The source code for a work means the preferred form of the work for making modifications to it. For an executable work, complete source code means all the source code for all modules it contains, plus any associated interface definition files, plus the scripts used to control compilation and installation of the executable. However, as a special excepti
87. page 15.
5 Modifying SNMP Configuration
15.5.1 /etc/config/snmpd.conf
The net-snmpd is an extensible SNMP agent which responds to SNMP queries for management information from SNMP management software. Upon receiving a request, it processes the request(s), collects the requested information and/or performs the requested operation(s), and returns the information to the sender. This includes built-in support for a wide range of MIB information modules, and can be extended using dynamically loaded modules, external scripts and commands. snmpd, when enabled, should run with a default configuration. You can customize its behavior via the options in /etc/config/snmpd.conf. To change standard system information such as system contact, name and location, edit the /etc/config/snmpd.conf file and locate the following lines:
sysdescr "Black Box"
syscontact root <root@localhost> (configure /etc/default/snmpd.conf)
sysname Not defined (edit /etc/default/snmpd.conf)
syslocation Not defined (edit /etc/default/snmpd.conf)
Simply change the values of sysdescr, syscontact, sysname and syslocation to the desired settings and restart snmpd. The configuration snmpd.conf provides is extremely powerful and too flexible to completely cover here. The configuration file itself is commented extensively, and good documentation is available at the net-snmp website, http://www.net-snmp.org, specifically: Man Page: http://www.net-snmp.org/doc
88. pair, you can manually upload them to the Master and Slave console servers.
Note: If you already have an RSA or DSA key pair that you do not want to use, you will need to create a key pair using ssh-keygen, PuTTYgen or a similar tool, as detailed in Chapter 15.6.
To manually upload the public and private key pair to the Master console server:
> Select System > Administration on Master's Management Console.
> Browse to the location where you have stored the RSA (or DSA) Public Key and upload it to SSH RSA (DSA) Public Key.
> Browse to the stored RSA (or DSA) Private Key and upload it to SSH RSA (DSA) Private Key.
> Click Apply.
(Screenshot: System > Administration page with System Name (ACSdoc; an ID for this device), System Description (the physical location of this device), System Password and Confirm System Password (re-enter the above password for confirmation), SSH RSA Public Key (Browse; upload a replacement RSA public key file) and SSH RSA Private Key (Browse; upload a replacement RSA private key file), and an Apply button.)
89. recovery back to the original state prior to failover. The console server continually pings probe addresses whilst in original and failover states. The original state will automatically be set as a priority and re-established following three successful pings of the probe addresses during failover. The failover state will be removed once the original state has been re-established. For earlier firmware that does not support automatic failure recovery, to restore networking to a recovered state the following command then needs to be run:
rm -f /var/run/*-failed-over && config -r ipconfig
If required, you can run a custom bash script when the device fails over. It is possible to use this script to implement automatic failure recovery, depending on your network setup. The script to create is /etc/config/scripts/interface-failover-alert.
> You can check the connection status by selecting the Cellular panel on the Status > Statistics menu.
o The Operational Status will change as the cellular modem finds a channel and connects to the network.
o The Failover & Out-of-Band screen will display information relating to a configured Failover/OOB interface and the status of that connection. The IP Address of the Failover/OOB interface will be presented in the Failover & Out-of-Band screen once the Failover/OOB interface has been triggered.
5.7.3 Cellular routing
Once you have configured carrier connection, the cellular modem can be confi
90. resolve actions will not be run.
7.2.4 ICMP Ping
To use a ping result as the Auto-Response trigger event:
> Click on ICMP Ping as the Check Condition.
> Specify which Address to Ping (i.e. IP address or DNS name to send ICMP Ping to) and which Interface to send ICMP Ping from (e.g. Management LAN or Wireless network).
> Set the Check Frequency (i.e. the time in seconds between checks) and the Number of ICMP Ping packets to send.
> Check Save Auto-Response.
(Screenshot: Auto-Response Check Conditions for ICMP Ping: Address to Ping; Interface to send ICMP Ping from (Default Route); Check Frequency: 60 (time in seconds between checks); Number of Packets: 5 (number of ICMP Ping packets to send); Save Auto-Response; Return to Auto-Response List.)
7.2.5 Cellular Data
This check monitors the aggregate data traffic inbound and outbound through the cellular modem as an Auto-Response trigger event.
> Click on Cellular Data as the Check Condition.
Note: Before configuring cellular data checks in Auto-Response, the internal or external USB cellular modem must be configured and detected by the console server.
7.2.6 Custom Check
This check allows users to run a nominated custom script with nominated arguments whose return value is used as an Auto-Response trigger event.
> Click on Custom Check as the Check Condition.
91. safe place. If you have forgotten an existing account name or password, contact your ISP. (Fields: User name; Password; Confirm password; "Use this account name and password when anyone connects to the Internet from this computer"; "Make this the default Internet connection".)
> Enter the PPP User name and Password you set up for the console server.
5.1.4 Set up earlier Windows clients
> For Windows 2000, the PPP client set-up procedure is the same as above, except you get to the Dial-Up Networking Folder by clicking the Start button and selecting Settings. Then click Network and Dial-up Connections and click Make New Connection.
> Similarly for Windows 98, you double-click My Computer on the Desktop, then open Dial-Up Networking and double-click Make New Connection. Then proceed as above.
5.1.5 Set up Linux clients for dial-in
The online tutorial http://www.yolinux.com/TUTORIALS/LinuxTutorialPPP.html presents a selection of methods for establishing a dial-up PPP connection:
- Command line PPP and manual configuration (works with any Linux distribution)
- Using the Linuxconf configuration tool (for Red Hat compatible distributions). This configures the scripts ifup/ifdown to start and stop a PPP connection.
- Using the Gnome control panel configuration tool
- WVDIAL and the Red Hat Dialup configuration tool
- GUI dial program X-isp. Download/Installation/Configuration
Note: For all P
92. section will display all the UPS connections that have already been configured.
> Click Add Managed UPS.
(Screenshot: Serial & Network > UPS Connections > Add Managed UPS page. Connected Via: Serial Port 3 (a UPS may be connected via USB, serial or network (HTTP/HTTPS or SNMP)). UPS Name: the name of this UPS. Description: an optional description. Username / Password / Confirm: allow slaves to connect using this username and password (re-enter the password). On Critical: Run until failure (the action to take when battery power becomes critical for this UPS). Shutdown Order: 0 (the order in which the UPSes are shut down). Driver: genericups (the driver for this UPS). Driver Options: Option / Argument.)
93. be provided when: the power cable or the plug has been damaged; objects have fallen into or liquid has been spilled inside the appliance; the appliance has been exposed to rain; the appliance does not appear to operate normally or shows a change in its performance; the appliance has been dropped or its cover has been damaged.
INDEX
INTRODUCTION
INSTALLATION
2.1 Models
2.1.1 Kit components: LES1508A Console Server
2.1.2 Kit components: LES1308A/LES1348A and LES1408A/LES1448A Advanced Console Servers
2.1.3 Kit components: LES1208A-R2, LES1216A-R2, LES1232A and LES1248A-R2 Advanced Console Servers
2.1.4 Kit components: LES1116A, LES1132A and LES1148A Console Servers
2.1.5 Kit components: LES1108A Console Server
2.2 Power connection
2.2.1 LES1508A power
2.2.2 LES1408A/LES1448A, LES1308A/LES1348A and LES1208A/LES1248A power
2.2.2 LES1116A, LES1132A and LES1148A power
2.2.4 LES1108A power
2.3 Network connection
2.4 Serial Port connection
2.5 USB Port Connection
2.6 Antenna and SIM
SYSTEM CONFIGURATION
3.1 Management console connection
3.1.1 Connected PC/workstation set up
3.1.2 Browser connection
3.2 Administrator Password
3.2.1 Set up new administrator
3.2.2 Name the console server
3.3 Network IP address
3.3.1 IPv6 configuration
3.3.2 Dynamic DNS (DDNS) configuration
3.4 System Services
3.4.1 Service Access
3.4.2 Service Settings
3.5 Communications Software
3
94. status, and environmental monitors and probes for Check Condition triggers. The console server will then initiate a sequence of actions in response to the triggers. To configure, you:
- set general parameters (Section 7.1), then
- select and configure the Check Conditions, i.e. the conditions that will trigger the response (Section 7.2), then
- specify the Trigger Actions, i.e. the sequence of actions initiated in the event of the trigger condition (Section 7.3), then
- specify the Resolve Actions, i.e. actions performed when trigger conditions have been resolved (Section 7.4).
All console server models can maintain log records of all access and communications with the console server and with the attached serial devices. A log of all system activity is also maintained, as is a history of the status of any attached environmental monitors. Some models also log access and communications with network attached hosts and maintain a history of the UPS and PDU power status.
- If port logs are to be maintained on a remote server, then the access path to this location needs to be configured. Then you need to activate and set the desired levels of logging for each serial and/or network port (Section 7.6) and/or power and environment UPS (refer Chapter 8).
7.1 Configure Auto-Response
With the Auto-Response facility, a sequence of Trigger Actions is initiated in the event of a specified trigger condition (Check Condition). Subsequent Resolve Actions can also be p
95. take by selecting the appropriate icon: Turn ON, Turn OFF, Cycle, Status. You will only be presented with icons for those operations that are supported by the Target you have selected.
(Screenshot: Manage > Power page. Target: Port 2 APC PDU (select a power device to manage). Outlet: Outlet 1 (1), with Outlets 1 through 14 listed. Action: Turn On / Turn Off / Cycle / Status (perform an action on the power device). Status: No existing status; the action may not be completed.)
8.1.4 RPC status
You can monitor the current status of your network and serially connected PDUs and IPMI RPCs.
> Select the Status > RPC Status menu and a table with the summary status of all connected RPC hardware will be displayed.
> Click on View Log or select the RPC Logs menu and you will be presented with a table of the history and detailed graphical information on the selected RPC.
> Click Manage to query or control
96. tested your alternate default configuration by clicking Restore. If your alternate default configuration causes the console server to not boot, recover your unit to factory settings using the following steps:
- If the configuration is stored on an external USB storage device, unplug the storage device and reset to factory defaults as per section 11.1 of the user manual.
- If the configuration is stored on an internal USB storage device, reset it to factory defaults using a specially prepared USB storage device. The USB storage device must be formatted with a Windows FAT32/VFAT file system on the first partition or the entire disk (most USB thumb drives are already formatted this way). The file system must have the volume label OPG_DEFAULT. Insert this USB storage device into an external USB port on the console server and reset to factory defaults as described in Section 11.1.
After recovering your console server, make sure the problem configuration is no longer selected for Load On Erase.
11.5 Delayed Configuration Commit
With Advanced Console Servers (LES1208A-R2, LES1216A-R2, LES1232A, LES1248A-R2), a Delayed Config Commit mode is available which allows the grouping or queuing of configuration changes and the simultaneous application of these changes to a specific device. For example, changes to authentication methods or user accounts may be grouped and run once to minimize system downtime.
97. the addresses for connecting clients. Click Apply to save changes.

To enter authentication certificates and files:
• Edit the OpenVPN tunnel.
• Select the Manage OpenVPN Files tab.
• Upload or browse to the relevant authentication certificates and files.
• Apply to save changes. Saved files will be displayed in red on the right-hand side of the Upload button.

To enable OpenVPN:
• Edit the OpenVPN tunnel.
• Check the Enabled button.
• Apply to save changes.

Note: Make sure that the console server system time is correct when working with OpenVPN, otherwise authentication issues may arise. Certificate validity periods are checked against the local clock, so a skewed clock makes perfectly valid certificates appear expired or not yet valid.

• Select Statistics on the Status menu to verify that the tunnel is operational.

4.10.3 Windows OpenVPN Client and Server set up

Windows does not come with an OpenVPN server or client. This section outlines the installation and configuration of a Windows OpenVPN client or a Windows OpenVPN server, and setting up a VPN connection to a console server.

• The OpenVPN GUI for Windows software, which includes the standard OpenVPN package plus a Windows GUI, can be downloaded from http://openvpn.se/download.html.
• Once installed on the Windows machine, an OpenVPN icon will have been created in the Notification Area located on the right side of the taskbar. Right-click on this icon to start and stop VPN connections, and to edit configurations and view logs.

[Screenshot: OpenVPN GUI notification-area menu listing the available configurations: client, IM4004_client, IM4216_client, sample-server, Wind...]
98. the total number of items before deleting (e.g. 3). NEWTOTAL is the modified total, i.e. TOTAL-1. CHECKTOTAL checks if TOTAL is the actual total of items in the XML.

The listing that follows is the page's delete-node script with its shell syntax restored ($1, the -s/-g/-d options and the sed expressions were lost in extraction); the listing is cut off at the end of the page. One change from the garbled original: the branch that handles deleting the last-numbered item now sets the total to NEWTOTAL rather than 0, since setting it to 0 would hide the remaining items whenever more than one existed.

    LASTFIELD=${1##*.}                 # last element of the node path, e.g. user2
    ROOTNODE=${1%.*}                   # node path without the last element, e.g. config.users
    NUMBER=`echo $LASTFIELD | sed 's/[a-zA-Z]*//g'`        # numeric part, e.g. 2
    TOTALNODE=`echo $1 | sed "s/$LASTFIELD/total/g"`       # e.g. config.users.total
    TOTAL=`config -g $TOTALNODE | sed 's/.* //g'`          # current item count
    NEWTOTAL=$(($TOTAL - 1))
    # Make backup copy of config file
    cp /etc/config/config.xml /etc/config/config.bak
    echo "backup of /etc/config/config.xml saved in /etc/config/config.bak"
    if [ -z "$NUMBER" ]            # test whether a singular node is being deleted, e.g. config.sdt.hosts
    then
        echo "deleting $1"
        config -d $1
        echo Done
        exit 0
    elif [ "$NUMBER" = "$TOTAL" ]  # the last-numbered item is being deleted (only one item if TOTAL is 1)
    then
        echo "Deleting $1"
        config -d $1
        # Modifying item total (becomes 0 when only one item existed)
        config -s $TOTALNODE=$NEWTOTAL
        echo Done
        exit 0
    elif [ "$NUMBER" -lt "$TOTAL" ]   # more than one item exists
    then
        # Modify the users list so user numbers are sequential
        # by shifting the users into the gap one at a time
        echo "Deleting $1"
        LASTFIELDTEXT=`echo $LASTFIELD | sed 's/[0-9]//g'`   # e.g. user
        CHECKTOTAL=`config -g $ROOTNODE.$LASTFIELDTEXT$TOTAL`
        if [ -z "$CHECKTOTAL" ]
        then
            echo "WARNING: $TOTALNODE greater than number of items"
        fi
        COUNTER=1
        while [ $COUNTER != $(($TOTAL - $NUMBER + 1)) ]
        do
            config -g $R
99. the user group provides the user with limited access to the console server and connected Hosts and serial devices. These Users can access only the Management section of the Management Console menu, and they have no command line access to the console server. They also can only access those Hosts and serial devices that have been checked for them, using services that have been enabled.

3. If a user is set up with pptpd, dialin, ftp or pmshell group membership, they will have restricted user shell access to the nominated managed devices, but they will not have any direct access to the console server itself. To add this, the user must also be a member of the users or admin groups.

The Administrator can also set up additional Groups with specific power device, serial port and host access permissions. However, users in these additional groups don't have any access to the Management Console menu, nor do they have any command line access to the console server itself.

The Administrator can also set up users with specific power device, serial port and host access permissions who are not a member of any Groups. Similarly, these users don't have any access to the Management Console menu, nor do they have any command line access to the console server itself.

For convenience, the SDT Connector Retrieve Hosts function retrieves and auto-configures checked serial ports and checked hosts only, even for admin group users.
100. total 1

Note that if you see only "config.users.total" with no value, this means you have 0 Users configured. Your new User will be the existing total plus 1: if the previous command gave you 0 then you start with user number 1; if you already have 1 user, your new user will be number 2, etc.

To add a user with Username John, Password secret and Description mySecondUser, issue the commands:

    config -s config.users.total=2            (assuming we already have 1 user configured)
    config -s config.users.user2.username=John
    config -s config.users.user2.description=mySecondUser
    config -P config.users.user2.password

NOTE: The -P parameter will prompt the user for a password and encrypt it. You can encrypt the value of any config element using the -P parameter, but only encrypted user passwords and system passwords are supported. If any other element value were to be encrypted, the value will become inaccessible and will have to be reset.

To add this user to specific groups (admin, users):

    config -s config.users.user2.groups.group1=groupname
    config -s config.users.user2.groups.group2=groupname2
    etc.

To give this user access to a specific port:

    config -s config.users.user2.port1=on
    config -s config.users.user2.port2=on
    config -s config.users.user2.port5=on
    etc.

To remove port access:

    config -s config.users.user2.port1=          (the value is left blank)

or simply

    config -d config.users.user2.port1

The port number can be anything from 1 to
101. unenforceable as written it will be enforced to the maximum extent allowed by applicable law and will not affect the enforceability of any other part Should you have any questions concerning this EULA or if you desire to contact Black Box for any reason please contact the Black Box representative serving your company THE FOLLOWING DISCLAIMER OF WARRANTY AND LIMITATION OF LIABILITY IS INCORPORATED INTO THIS EULA BY REFERENCE THE SOFTWARE IS NOT FAULT TOLERANT YOU HAVE INDEPENDENTLY DETERMINED HOW TO USE THE SOFTWARE IN THE DEVICE AND BLACK BOX HAS RELIED UPON YOU TO CONDUCT SUFFICIENT TESTING TO DETERMINE THAT THE SOFTWARE IS SUITABLE FOR SUCH USE LIMITED WARRANTY Black Box warrants the media containing the Software for a period of ninety 90 days from the date of original purchase from Black Box or its authorized retailer Proof of date of purchase will be required Any updates to the Software provided by Black Box which may be provided by Black Box at its sole discretion shall be governed by the terms of this EULA In the event the product fails to perform as warranted Black Box s sole obligation shall be at Black Box s discretion to refund the purchase price paid by you for the Software on the defective media or to replace the Software on new media Black Box makes no warranty or representation that its Software will meet your requirements will work in combination with any hardware or application software products provided by thi
102. will have no rights and no password set. It will not appear in the Black Box configuration tools. Automatically added accounts will not be able to log in if the remote servers are unavailable. RADIUS users are currently assumed to have access to all resources, so they will only be authorized to log in to the console server. RADIUS users will be authorized each time they access a new resource.

• Admin rights granted over AAA: Users may be granted Administrator rights via networked AAA. For TACACS, a priv-lvl of 12 or above indicates an Administrator. For RADIUS, Administrators are indicated via the Framed-Filter-Id. See the example configuration files below.

• Authorization via TACACS for both serial ports and host access: Permission to access resources may be granted via TACACS by indicating a Black Box appliance and a port or networked host the user may access. See the example configuration files below.

TACACS example:

    user = tim {
        service = raccess {
            priv-lvl = 11
            port1 = les1116/port02
            port2 = 192.168.254.145/port05
        }
        global = cleartext mit
    }

RADIUS example:

    paul Cleartext-Password := "luap"
        Service-Type = Framed-User,
        Fall-Through = No,
        Framed-Filter-Id = ":group_name=admin:"

The list of groups may include any number of entries separated by a comma. If the admin group is included, the user will be made an Administrator.

If there is already a Framed-Filter-Id
103. will identify that your carrier has allocated you a Private IP Address, i.e. in the range 10.0.0.0 to 10.255.255.255, 172.16.0.0 to 172.31.255.255, or 192.168.0.0 to 192.168.255.255. In out-of-band access mode the internal cellular modem will continually stay connected. The alternative is to set up Failover mode on the console server, as detailed in the next section.

5.7.2 Cellular failover setup

Once you have configured the carrier connection, the cellular modem can be configured for failover. This will tell the cellular connection to remain idle in a low power state. If the primary and secondary probe addresses are not available, it will bring up the cellular connection and connect back to the cellular carrier.

• Navigate back to the Network Interface on the System > IP menu and specify Internal Cellular modem (cellmodem 01) as the Failover Interface to be used when a fault has been detected.
• Specify the Probe Addresses of two sites (the Primary and Secondary) that the console server is to ping to determine if the principal network is still operational.
• In the event of a failure of the principal network, the 3G network connection is activated as the access path to the console server and its Managed Devices. Only HTTPS and SSH access is enabled on the failover connection, which should enable the administrator to connect and fix the problem.

Note: By default the console server supports automatic failure
104. with an external USB memory stick dedicated to recovery firmware boot images, extended log file storage, etc.

2.6 Antenna and SIM

The LES1408A, LES1416A, LES1432A and LES1448A console servers also have an internal CDMA cellular modem requiring an external antenna connection. The LES1308A, LES1316A, LES1332A and LES1348A console servers have an internal GSM cellular modem that requires a SIM card and an external antenna. Before powering on the console server:

• Screw the external antenna coax cable onto the MAIN screw-mount SMA connector on the rear of the console server (2).
• The AUX connector can be used either for receive diversity or for GPS.
• Your GSM cellular carrier will provide you with a SIM card. Insert the SIM card (1) and it will lock into place. Take care to insert the SIM card with the contacts facing downwards.

Chapter 3: Initial System Configuration

Introduction

This chapter provides step-by-step instructions for the console server's initial configuration and for connecting it to the Management or Operational LAN. The Administrator must:
• Activate the Management Console
• Change the Administrator password
• Set the IP address of the console server's principal LAN port
• Select the network services that will be supported

This chapter also discusses the communications software tools that the Administrator may use to access the console server.

3.1 Management console c
105. 1.0.1 Release

[Screenshot: UltraVNC Win32 Viewer 1.0.1 connection dialog. VNC Server: (host:display or host::port). Quick Options: Auto (auto select best settings), Ultra (>2 Mbit/s, experimental), LAN (>1 Mbit/s, max colors), Medium (128-256 Kbit/s, 256 colors), Modem (19-128 Kbit/s, 64 colors), Slow (<19 Kbit/s, 8 colors); View Only; Auto Scaling; Use DSMPlugin (no plugin detected); Proxy/Repeater; Save connection settings as default; Delete saved settings; Connect / Cancel.]

B. When the Viewer PC is connected directly to the console server (i.e. locally, or remotely through a VPN or dial-in connection) and the VNC Host computer is serially connected to the console server, enter the IP address of the console server unit with the TCP port that the SDT tunnel will use. The TCP port will be 7900 plus the physical serial port number (i.e. 7901 to 7948), so all traffic directed to port 79xx on the console server is tunneled through to port 5900 on the PPP connection on serial Port xx. For a Windows Viewer PC using UltraVNC connecting to a VNC Server attached to Port 1 on a console server located at 192.168.0.1, the VNC Server field is 192.168.0.1::7901 (the dialog's host::port form).

[Screenshot: the same UltraVNC Win32 Viewer 1.0.1 dialog with VNC Server set to 192.168.0.1::7901.]
106. (continued)

    config -s config.ups.remotes.remote1.log.enabled=on
    config -s config.ups.remotes.remote1.log.interval=240
    config -s config.ups.remotes.remote1.script.enabled=on
    config -s config.ups.remotes.total=1

The following command will synchronize the live system with the new configuration:

    config -a

14.10 RPC Connections

You can add an RPC connection from the command line. We do not recommend that you do this because of dependency issues. However, FYI, before adding an RPC the Management Console GUI code makes sure that at least one port has been configured to run in device mode and that the device is set to rpc.

To add an RPC with the following values:
    RPC type: APC 7900
    Connected via: Port 2
    RPC name: MyRPC
    Description: RPC in room 5
    Login name for device: rpclogin
    Login password for device: secret
    SNMP community: v1 or v2c
    Logging: Enabled
    Log interval: 600 seconds
    Number of power outlets: 4 (depends on the type/model of the RPC)

    config -s config.ports.port2.power.type="APC 7900"
    config -s config.ports.port2.power.name=MyRPC
    config -s config.ports.port2.power.description="RPC in room 5"
    config -s config.ports.port2.power.username=rpclogin
    config -s config.ports.port2.power.password=secret
    config -s config.ports.port2.power.snmp.community=v1
    config -s config.ports.port2.power.log.enabled=on
    config -s config.ports.port2.power.log.interval=600
    config -s config.ports.port2.power.outlets=4

The following f
107. [Screenshot: System > Firewall, Forwarding & Masquerading tab. A matrix of Source Networks (Dialout, Cellular, Dial-in, Network Interface, Management LAN, VPN) against Allowed Destination Networks, with the Service Access, Port Forwarding and Firewall Rules tabs alongside.]

• Find the Source Network to be routed, and then tick the relevant Destination Network to enable Forwarding.

IP Masquerading is generally required if the console server will be routing to the Internet, or if the external network being routed to does not have routing information about the internal network behind the console server.

IP Masquerading performs Source Network Address Translation (SNAT) on outgoing packets to make them appear as if they have come from the console server rather than from devices on the internal network. When response packets come back from devices on the external network, the console server translates the packet address back to the internal IP so that it is routed correctly.
108. 192.168.2.5
    Host name: remoteUPS
    Description: UPSroom3
    Type: UPS
    Allowed services: ssh (port 22) and https (port 443)
    Log level for services: 0

Issue the commands below:

    config -s config.sdt.hosts.host4.address=192.168.2.5
    config -s config.sdt.hosts.host4.name=remoteUPS
    config -s config.sdt.hosts.host4.description=UPSroom3
    config -s config.sdt.hosts.host4.device.type=ups
    config -s config.sdt.hosts.host4.tcpports.tcpport1=22
    config -s config.sdt.hosts.host4.tcpports.tcpport1.loglevel=0
    config -s config.sdt.hosts.host4.tcpports.tcpport2=443
    config -s config.sdt.hosts.host4.tcpports.tcpport2.loglevel=0

HTTPS is a TCP service, so port 443 belongs under tcpports; the udpports node is only for UDP services. The loglevel can have a value of 0 or 1.

The default services that you should configure are:
    22/tcp    ssh
    23/tcp    telnet
    80/tcp    http
    443/tcp   https
    1494/tcp  ica
    3389/tcp  rdp
    5900/tcp  vnc

Add other network host

To add any other type of network host with the following details:
    IP address / DNS name: 192.168.3.10
    Host name: OfficePC
    Description: MyPC
    Allowed services: ssh (port 22), https (port 443)
    Log level for services: 1

Issue the commands below. If the Host is not a PDU or UPS power device, or a server with IPMI power control, then leave the device type blank:

    config -s config.sdt.hosts.host4.address=192.168.3.10
    config -s config.sdt.hosts.host4.description=MyPC
    config -s config.sdt.hosts.host4.name=OfficePC
    config -s config.sdt.hosts.host4.device.type=          (leave this value blank)
    config -s config.sdt.ho
109. 2048. Click the Open button. You may then receive a Security Alert that the host's key is not cached; compare the fingerprint shown against the console server's SSH host key and, if it matches, choose Yes to continue (once cached, PuTTY will warn you if the key ever changes). You will then be presented with the login prompt of the remote system connected to the serial port chosen on the console server. Login as normal and use the host serial console screen.

[Screenshot: PuTTY Configuration, Session category. Host Name (or IP address): 192.168.252.202, Port: 2001; Connection type: Raw / Telnet / Rlogin / SSH / Serial; Saved Sessions (Default Settings); Close window on exit: Always / Never / Only on clean exit.]

PuTTY can be downloaded at http://www.tucows.com/preview/195286.html

SSH

We recommend that you use SSH as the protocol where the User or Administrator connects to the console server, or connects through the console server to the attached serial consoles, over the Internet or any other public network. This will provide authenticated SSH communications between the SSH client program on the remote user's computer and the console server, so the user's communication with the serial device attached to the console server is secur
110. 22 in their firewall/gateway.

RAW TCP allows connections directly to a TCP socket. Communications programs like PuTTY also support RAW TCP; you would usually access this protocol via a custom application. For RAW TCP the default port address is IP Address:Port (4000 + serial port), i.e. 4001 to 4048. RAW TCP also enables the serial port to be tunneled to a remote console server, so two serial port devices can transparently interconnect over a network (see Chapter 4.1.6 Serial Bridging).

Selecting RFC2217 enables serial port redirection on that port. For RFC2217 the default port address is IP Address:Port (5000 + serial port), that is 5001 to 5048. Special client software is available for Windows, UNIX and Linux that supports RFC2217 virtual COM ports, so a remote host can monitor and manage remote serially attached devices as though they were connected to the local serial port (see Chapter 4.6 Serial Port Redirection for details). RFC2217 also enables the serial port to be tunneled to a remote console server, so two serial port devices can transparently interconnect over a network (see Chapter 4.1.6 Serial Bridging).

Unauthenticated Telnet: Selecting Unauthenticated Telnet enables telnet access to the serial port without requiring the user to provide credentials. Note that RAW TCP, RFC2217 and Unauthenticated Telnet neither authenticate the connecting client nor encrypt the session unless PortShare encryption and authentication are enabled for the port, so enable them only on serial ports reachable from trusted networks. When a user accesses the console server to telnet to a serial port, he is normally given a login prompt. With unauthenticated telnet the user connects directly thr
111. 48, depending on the available ports on the specific console server.

For example, assume we have an RPC device connected to port 1 on the console server and the RPC is configured. To give this user access to RPC outlet number 3 on the RPC device, run the 2 commands below:

    config -s config.ports.port1.power.outlet3.users.user2=John
    config -s config.ports.port1.power.outlet3.users.total=2        (total number of users that have access to this outlet)

If more users are given access to this power outlet, then increment the config.ports.port1.power.outlet3.users.total element accordingly.

To give this user access to network host 5 (assuming the host is configured):

    config -s config.sdt.hosts.host5.users.user1=John
    config -s config.sdt.hosts.host5.users.total=1        (total number of users having access to the host)

To give another user called Peter access to the same host:

    config -s config.sdt.hosts.host5.users.user2=Peter
    config -s config.sdt.hosts.host5.users.total=2        (total number of users having access to the host)

To edit any of the user element values, use the same approach as when adding user elements, that is, use the -s parameter. If any of the config elements do not exist they will automatically be created.

To delete the user called John, use the delete-node script:

    delete-node config.users.user2

The following command will synchronize the live system with the new configuration:

    config -r
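The two procedures above (adding a user, then granting it port, outlet and host access) can be scripted so that the .total nodes are never hard-coded. The following is an added example and not from the manual: its config shell function is a stand-in that keeps the nodes in a temporary file so the script runs offline, and the helper names (node_total, add_user, grant_port, revoke_port, grant_outlet, grant_host) are the example's own. On a console server you would delete the stand-in and the real config utility handles the same -s, -g, -d, -P and -a options. The point it demonstrates is that every list (users, outlet users, host users) carries its own .total node that the script must read and increment, since the total governs how many entries the console server reads.

```shell
#!/bin/sh
# Added example, not from the manual. 'config' below is a stand-in for the
# console server's config utility (assumption, so this runs offline):
# nodes are kept as "node value" lines in a temporary file.
CFG_STORE=${CFG_STORE:-$(mktemp)}
config() {
  case $1 in
    -s) key=${2%%=*}; val=${2#*=}                         # set node=value
        awk -v k="$key" '$1 != k' "$CFG_STORE" > "$CFG_STORE.tmp"
        printf '%s %s\n' "$key" "$val" >> "$CFG_STORE.tmp"
        mv "$CFG_STORE.tmp" "$CFG_STORE" ;;
    -g) awk -v k="$2" '$1 == k' "$CFG_STORE" ;;           # prints "node value", nothing if unset
    -d) awk -v k="$2" '$1 != k && index($1, k ".") != 1' "$CFG_STORE" > "$CFG_STORE.tmp"
        mv "$CFG_STORE.tmp" "$CFG_STORE" ;;               # deletes the node and its subtree
    -P) echo "config -P $2: interactive password prompt skipped in stand-in" >&2 ;;
    -a|-r) : ;;                                           # apply to the live system: no-op offline
  esac
}

# Value of a .total node; a missing node (or blank value) means zero items.
node_total() { n=$(config -g "$1" | awk '{print $2}'); echo "${n:-0}"; }

# add_user <username> <description> [group ...]  ->  prints the new user number
add_user() {
  n=$(node_total config.users.total); new=$((n + 1))
  config -s "config.users.total=$new"
  config -s "config.users.user$new.username=$1"
  config -s "config.users.user$new.description=$2"
  shift 2; g=1
  for grp in "$@"; do
    config -s "config.users.user$new.groups.group$g=$grp"; g=$((g + 1))
  done
  echo "$new"
}
grant_port()  { config -s "config.users.user$1.port$2=on"; }   # <user number> <serial port>
revoke_port() { config -d "config.users.user$1.port$2"; }      # same as leaving the value blank

# Outlet and host access lists carry their own .total that must be kept in step.
grant_outlet() {   # <username> <serial port the RPC is on> <outlet>
  base=config.ports.port$2.power.outlet$3.users
  n=$(node_total "$base.total"); new=$((n + 1))
  config -s "$base.user$new=$1"; config -s "$base.total=$new"
}
grant_host() {     # <username> <host number>
  base=config.sdt.hosts.host$2.users
  n=$(node_total "$base.total"); new=$((n + 1))
  config -s "$base.user$new=$1"; config -s "$base.total=$new"
}

# Constructed starting state: one existing account, as in the manual's example.
config -s config.users.user1.username=root
config -s config.users.total=1
JOHN=$(add_user John mySecondUser users)      # becomes user2
config -P "config.users.user$JOHN.password"    # prompts for the password on the device
grant_port "$JOHN" 1; grant_port "$JOHN" 2; grant_port "$JOHN" 5
revoke_port "$JOHN" 5
grant_outlet John 1 3                          # outlet 3 of the RPC on serial port 1
grant_host John 5                              # network host 5
PETER=$(add_user Peter myThirdUser users)     # becomes user3
grant_host Peter 5
config -a                                      # synchronize the live system
```

Run it with CFG_STORE pointing at a scratch file and inspect the file afterwards; each node appears once, and every list's .total matches its highest numbered entry.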
112. 3.5.1 SDT Connector
3.5.2 PuTTY
3.5.3 SSHTerm
3.6 Management network configuration
3.6.1 Enable the Management LAN
3.6.2 Configure the DHCP server
3.6.3 Select Failover or broadband OOB
3.6.4 Aggregating the network ports
3.6.5 Static routes
Chapter 4: SERIAL PORT AND NETWORK HOST
4.1 Configure Serial Ports
4.1.1 Common Settings
4.1.2 Console Server Mode
4.1.3 SDT Mode
4.1.4 Device (RPC, UPS, EMD) Mode
4.1.5 Terminal Server Mode
4.1.6 Serial Bridging Mode
4.1.7 Syslog
Cisco USB console connection
Add/Edit Users
Authentication
Network Hosts
Trusted Networks
Serial Port Cascading
Automatically generate and upload SSH keys
Manually generate and upload SSH keys
Configure the slaves and their serial ports
Managing the Slaves
Serial Port Redirection
Managed Devices
IPsec VPN
Enable the VPN gateway
4.10 OpenVPN
4.10.1 Enable the OpenVPN
4.10.2 Configure as Server or Client
4.10.3 Windows OpenVPN Client and Server set up
4.11 PPTP VPN
4.11.1 Enable the PPTP VPN server
4.11.2 Add a PPTP user
4.11.3 Set up a remote PPTP client
Chapter 5: FIREWALL, FAILOVER AND OoB DIAL-IN
5.1, 5.1.1 to 5.1.5, 5.2, 5.3, 5.4, 5.4.1, 5.4.2, 5.5, 5.6.1 to 5.6.4, 5.7, 5.7.1 to 5.7.3 (section titles are cut off on this page)
113. ...56, BLOWFISH, TWOFISH, RIJNDAEL-256, SERPENT, GOST
    NSCA password: secret
    NSCA check-in interval: 5 minutes
    NSCA port: 5650 (defaults to 5667)
    User to run as: User1 (defaults to nsca)
    Group to run as: Group1 (defaults to nobody)

    config -s config.system.nagios.nsca.enabled=on
    config -s config.system.nagios.nsca.encryption=BLOWFISH
    config -s config.system.nagios.nsca.secret=secret
    config -s config.system.nagios.nsca.interval=5
    config -s config.system.nagios.nsca.port=5650
    config -s config.system.nagios.nsca.user=User1
    config -s config.system.nagios.nsca.group=Group1

Then synchronize the live system with the new configuration using:

    config -a

Chapter 15: Advanced Configuration

Introduction

Black Box console servers run the embedded Linux operating system, so Administrator-class users can configure the console server, and monitor and manage attached serial console and host devices, from the command line using Linux commands and the config utility as described in Chapter 14. The Linux kernel in the console server also supports GNU bash shell scripts, enabling the Administrator to run custom scripts. This chapter presents a number of useful scripts and scripting tools, including:
• delete-node, a general script for deleting users, groups, hosts, UPSes, etc.
• ping-detect, which will run specified commands when a specific host stops responding to ping requests.
This cha
114. 7050 (8 outlets), MicroEnergetics RPC-S6 (6 outlets), Phantom v3/v4 (1 outlet), Rose UltraPower (12 outlets), Server Technology Sentry Switched CDU (8 outlets), Sun Integrated Lights Out Management (1 outlet), WTI NetPowerSeries (8 outlets).

• Enter the Username and Password used to log in to the RPC. Note that these login credentials are not related to the Users and access privileges you configured in Serial & Network > Users & Groups.
• If you selected the SNMP protocol, enter the SNMP v1 or v2c Community for Read/Write access. By default this would be private; because this community grants write (power control) access to the PDU and the default value is widely known, set a community of your own on the PDU and enter that here.
• Check Log Status and specify the Log Rate (minutes between samples) if you want the status from this RPC to be logged. View these logs from the Status > RPC Status screen.
• Click Apply.

For SNMP PDUs the console server probes the configured RPC to confirm the RPC Type matches, and reports the number of outlets it finds that can be controlled. If unsuccessful, it will report "Unable to probe outlets" and you will need to check the RPC settings or the network/serial connection.

For serially connected RPC devices, a new Managed Device with the same name as given to the RPC will be created. The console server will then configure the RPC with the number of outlets specified in the selected RPC Type, or will query the RPC itself for this information.

Note: The Black Box console servers support most popular network and serial P
115. NAT router devices has been properly configured.
• Enter the Username and Password of a user on the gateway that is enabled to connect via SSH and/or create SSH port redirections.

[Screenshot: New SDT Gateway dialog with Out Of Band and Remote UDP Gateway tabs; fields Gateway Address, Gateway Username, Gateway Password, Descriptive Name, Description/Notes; OK and Cancel buttons.]

• Optionally enter a Descriptive Name to display instead of the IP or DNS address, and any Notes or a Description of this gateway (such as its firmware version, site location, or anything special about its network configuration).
• Click OK and an icon for the new gateway will now appear in the SDT Connector home page.

Note: For an SDT Connector user to access a console server (and then access specific hosts or serial devices connected to that console server), that user must first be set up on the console server and must be authorized to access the specific ports/hosts (refer to Chapter 5). Only these permitted services will be forwarded through by SSH to the Host. All other services (TCP/UDP ports) will be blocked.

6.2.3 Auto-configure SDT Connector client with the user's access privileges

Each user on the console server has an access profile that was configured with those specific connected hosts and serial port devices the user has authority to access, and a specific set of the enabled services for each
116. The console server Management Console monitors and controls Remote Power Control (RPC) devices using the embedded PowerMan and Network UPS Tools open source management tools and the Black Box power management software. RPCs include power distribution units (PDUs) and IPMI power devices.

You can control serial PDUs, invariably using their command line console, so you could manage the PDU through the console server using a remote Telnet client. Also, you could use proprietary software tools supplied by the vendor; these generally run on a remote Windows PC, and you could configure the console server serial port to operate with a serial COM port redirector in the PC (as detailed in Chapter 4). Similarly, you can control network attached PDUs with a browser (for example with SDT, as detailed in Chapter 6.3), an SNMP management package, or the vendor supplied control software. Servers and network attached appliances with embedded IPMI service processors or BMCs invariably have their own management tools (like SoL) that provide secure management when connected with SDT Connector.

For simplicity, you can now control all these devices through one window using the Management Console's RPC (remote power control) tools.

8.1.1 RPC connection

Serial and network connected RPCs must first be connected to, and configured to communicate with, the console server:
• For serial RPCs, connect the PDU to the selected serial port on the console server. F
117. [Diagram: traffic paths through the console server. Incoming network traffic from the modem/dial-in and network interfaces passes through routing and traffic forwarding, port forwards, VPN, and the service/local processes.]

This enables the console server to function as an Internet or external network gateway. Network Forwarding allows the network packets on one network interface (i.e. LAN1/eth0) to be forwarded to another network interface (i.e. LAN2/eth1, or dial-out/cellular), so locally networked devices can IP-connect through the console server to devices on remote networks.

IP Masquerading is used to allow all the devices on your local private network to hide behind and share the one public IP address when connecting to a public network. This type of translation is only used for connections originating within the private network and destined for the outside public network, and each outbound connection is maintained by using a different source IP port number. When using IP Masquerading, devices on the external network cannot initiate connections to devices on the internal network.

Port Forwards allows external users to connect to a specific port on the external interface of the console server/cellular router and be redirected to a specified internal address for a device on the internal network.

With Firewall Rules, packet filtering inspects each packet passing through the firewall and accepts or rejects it based on user-defined rules. Then Servi
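As an added example (not from the manual), here is how Network Forwarding, IP Masquerading and Port Forwards as described above, and the SNAT explanation on the Forwarding & Masquerading page, map onto Linux netfilter rules. It assumes, which the manual does not state, that the embedded Linux firewall on the console server is iptables. The function prints the rules instead of running them, so the rule set can be reviewed and then piped to sh on the device; the interface names, the 192.168.1.0/24 source network and the 8443 to 192.168.1.20:443 port forward are constructed values.

```shell
#!/bin/sh
# Added example, not from the manual. Assumes an iptables-based firewall.
# nat_rules <internal if> <external if> <internal network> [ext_port:int_ip:int_port ...]
# Prints the rules; apply on the device with:  nat_rules eth0 eth1 192.168.1.0/24 | sh
nat_rules() {
  lan_if=$1; wan_if=$2; lan_net=$3; shift 3
  # Forwarding is off in the kernel until this is set.
  echo "sysctl -w net.ipv4.ip_forward=1"
  # Default deny: nothing crosses between interfaces unless a rule below allows it.
  # Masquerading alone does not block inbound traffic; this policy does.
  echo "iptables -P FORWARD DROP"
  # Network Forwarding: the ticked source network may reach the destination interface.
  echo "iptables -A FORWARD -i $lan_if -o $wan_if -s $lan_net -j ACCEPT"
  # Replies to connections that originated inside may come back; new inbound
  # connections match nothing and fall to the DROP policy.
  echo "iptables -A FORWARD -i $wan_if -o $lan_if -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
  # IP Masquerading: SNAT outgoing packets to the external interface's address;
  # netfilter rewrites the source port per connection and undoes it on replies.
  echo "iptables -t nat -A POSTROUTING -s $lan_net -o $wan_if -j MASQUERADE"
  # Port Forwards: DNAT the external port to the internal host, and explicitly
  # allow that one NEW inbound flow through the FORWARD chain.
  for spec in "$@"; do
    ext=${spec%%:*}; rest=${spec#*:}; ip=${rest%%:*}; iport=${rest#*:}
    echo "iptables -t nat -A PREROUTING -i $wan_if -p tcp --dport $ext -j DNAT --to-destination $ip:$iport"
    echo "iptables -A FORWARD -i $wan_if -o $lan_if -p tcp -d $ip --dport $iport -m conntrack --ctstate NEW -j ACCEPT"
  done
}

# Constructed example: LAN on eth0, uplink on eth1, one HTTPS forward to an internal host.
nat_rules eth0 eth1 192.168.1.0/24 8443:192.168.1.20:443
```

Without any port-forward arguments the output contains no DNAT rule, which is the manual's masquerade-only case where external hosts cannot initiate connections inward.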
118. ...CBC' initialized with 128 bit key
    Aug 2 30  Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
    Aug 2 30  Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
    Aug 2 30  Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
    Aug 2 30  Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
    Aug 2 30  [server] Peer Connection Initiated with 192.168.250.152:1194
    Aug 2 30  SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
    Aug 2 30:04  PUSH: Received control message: 'PUSH_REPLY,route 10.100.10.1,topology net30,ping 10,ping-res...'
    Aug 2 30  Options error: Unrecognized option or missing parameter(s) in [PUSH-OPTIONS]:2: topology (2.0...)
    Aug 2 30  OPTIONS IMPORT: timers and/or timeouts modified
    Aug 2 30  OPTIONS IMPORT: --ifconfig/up options modified
    Aug 2 30  OPTIONS IMPORT: route options modified
    Aug 2 30  TAP-WIN32 device [Local Area Connection 3] opened: \\.\Global\{12EF532A-3135-4F37-B689-720FEC...}
    Aug 2 30  TAP-Win32 Driver Version 8.4
    Aug 2 30  TAP-Win32 MTU=1500
    Aug 2 30  Notified TAP-Win32 driver to set a DHCP IP/netmask of 10.100.10.6/255.255.255.252 on interface...
    Aug 2 30  Successful ARP Flush on interface [5] {12EF532A-3135-4F37-B689-720FE0B1F713}
    Aug 2 30  TEST ROUTES: 0/0 succeeded len=1 ret=0 a=0 u/d=down
    Aug 2 30  Route: Waiting for TUN/TAP interface to come up...
              TEST ROUTES: 0/0 succeeded len=1 ret=0 a=0 u/d=down
              Route: Waiting for TUN/TAP interf

Note the parameters this log records: Blowfish-CBC (a 64-bit block cipher) on the data channel, an HMAC-SHA1 integrity check, TLSv1 on the control channel and a 1024-bit RSA key. These were the OpenVPN defaults of the time but are considered weak today; current OpenVPN releases negotiate AES-GCM and expect 2048-bit or larger RSA keys, so a log like this on a deployment in service should prompt a review of the certificates and cipher settings on both ends of the tunnel.
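An added example (not part of the manual) that reads an OpenVPN client log like the one above and flags the legacy parameters a reviewer would want to notice. The sample log lines are constructed from the excerpt above, and the thresholds (64-bit block ciphers, RSA below 2048 bits, a control channel below TLS 1.2) are the example's own.

```shell
#!/bin/sh
# Added example, not from the manual: flag legacy crypto parameters in an
# OpenVPN connection log. Reads the log on stdin, prints one finding per line.
audit_openvpn_log() {
  awk '
    # 64-bit block ciphers on the data channel (Blowfish, DES, 3DES, CAST5).
    /Cipher .(BF-CBC|DES-CBC|DES-EDE3-CBC|CAST5-CBC).? initialized/ {
      print "weak data-channel cipher: " $0
    }
    # RSA keys shorter than 2048 bits; awk takes the numeric prefix of the match.
    match($0, /[0-9]+ bit RSA/) {
      bits = substr($0, RSTART, RLENGTH) + 0
      if (bits < 2048) print "short RSA key (" bits " bits): " $0
    }
    # Control channel negotiated below TLS 1.2 (TLSv1 or TLSv1.1).
    /Control Channel: TLSv1[,.]/ && !/Control Channel: TLSv1\.[23]/ {
      print "legacy TLS version: " $0
    }
  '
}

# Constructed sample, modelled on the log lines shown above.
sample_log() {
cat <<'EOF'
Aug 2 30 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Aug 2 30 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Aug 2 30 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Aug 2 30 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
Aug 2 30 [server] Peer Connection Initiated with 192.168.250.152:1194
EOF
}

# Constructed sample of a connection that passes every check.
modern_log() {
cat <<'EOF'
Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Control Channel: TLSv1.2, cipher TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
EOF
}

# Number of findings for a log on stdin (0 when clean, where grep -c exits 1).
finding_count() { audit_openvpn_log | grep -c . || true; }

sample_log | audit_openvpn_log
```

Feed the real log with `audit_openvpn_log < openvpn.log`; the sample above yields four findings (two cipher lines, the short RSA key and the TLSv1 control channel) and the modern sample yields none.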
119. CE OR OTHERWISE ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE SDT Connector License GNU GENERAL PUBLIC LICENSE Version 2 June 1991 Copyright C 1989 1991 Free Software Foundation Inc 51 Franklin Street Fifth Floor Boston MA 02110 1301 USA Everyone is permitted to copy and distribute verbatim copies of this license document but changing it is not allowed GNU GENERAL PUBLIC LICENSE TERMS AND CONDITIONS FOR COPYING DISTRIBUTION AND MODIFICATION 0 This License applies to any program or other work which contains a notice placed by the copyright holder saying it may be distributed under the terms of this General Public License The Program below refers to any such program or work and a work based on the Program means either the Program or any derivative work under copyright law that is to say a work containing the Program or a portion of it either verbatim or with modifications and or translated into another language Hereinafter translation is included without limitation in the term modification Each licensee is addressed as you Activities other than copying distribution and modification are not covered by this License they are outside its scope The act of running the Program is not restricted and the output from the Program is covered only if its contents constitute a work based on the Program independent of having been made by running the Program Wheth
120. Configure Management Controller
    channel    Configure Management Controller channels
    session    Print session information
    exec       Run list of commands from file
    set        Set runtime variable for shell and exec

    # ipmitool chassis help
    Chassis Commands: status, power, identify, policy, restart_cause, poh, bootdev

    # ipmitool chassis power help
    chassis power Commands: status, on, off, cycle, reset, diag, soft

You will find more details on ipmitool at http://ipmitool.sourceforge.net/manpage.html

15.11 Custom Development Kit (CDK)

As detailed in this manual, customers can copy scripts, binaries and configuration files directly to the console server. Black Box also freely provides a development kit that allows changes to be made to the software in the console server firmware image. The customer can use the CDK to:
• generate a firmware image without certain programs, such as telnet, which may be banned by company policy
• generate an image with new programs, such as custom Nagios plug-in binaries or company-specific binary utilities
• generate an image with custom defaults (e.g. it may be required that the console server be configured to have a specific default serial port profile which is reverted to even in the event of a factory reset)
• place configuration files into the firmware image which cannot then be modified (e.g. the config -s tool updates the configuration files in /etc/config, which are read-write, whereas the files in /etc are read-only)
121. ...DUs. If your PDU is not on the default list, then you can add support directly, as covered in Chapter 14 Advanced Configurations, or add the PDU support to either the Network UPS Tools or PowerMan open source projects.

Configure IPMI service processors and BMCs so that all authorized users can use the Management Console to remotely cycle power and reboot computers, even when their operating system is unresponsive. To set up IPMI power control, the Administrator first enters the IP address/domain name of the BMC or service processor (for example, a Dell DRAC) in Serial & Network: Network Hosts, then in Serial & Network: RPC Connections specifies the RPC Type to be IPMI 1.5 or 2.0.

8.1.2 RPC access privileges and alerts

You can now set PDU and IPMI alerts using Alerts & Logging: Alerts (refer to Chapter 7). You can also assign which user can access and control which particular outlet on each RPC using Serial & Network: User & Groups (refer to Chapter 4).

8.1.3 User power management

The Power Manager enables both Users and Administrators to access and control the configured serial and network attached PDU power strips, and servers with embedded IPMI service processors or BMCs.
> Select Manage: Power and the particular Target power device to be controlled (and the Outlet to be controlled, if the RPC supports outlet-level control). The outlet status is displayed and you can initiate the Action you want to
122. [Serial & Network: Serial Port settings form, Console Server Settings section]
Console Server Mode: Enable remote network access to the console at this serial port
Logging Level: 0 - Disabled. Specify the detail of data to log
Telnet: Enable Telnet access
SSH: Enable SSH access
Raw TCP: Enable raw TCP access
RFC 2217: Enable RFC 2217 access
Unauthenticated Telnet: Enable Telnet access without requiring the user to provide credentials
Web Terminal: Enable web browser access via Manage > Devices
Encrypt Traffic: Enable PortShare Encryption. Warning: This will override standard RFC 2217 and raw TCP behaviour
Authenticate: Enable PortShare Authentication. Warning: This will override standard RFC 2217 and raw TCP behaviour
Serial Authentication Password: Enter password for PortShare authentication
Confirm Password: Re-type the password for confirmation
Accumulation Period: Collect serial data for a period of time (in milliseconds), then transmit any data received during that time over the network at once
Escape Character: Customize the character used for sending out-of-band shell commands. The default is ~
Replace Backspace: Substitutes backspace value CTRL-? (127) with CTRL-h (8)
Power Menu: Enable shell power command menu. Connect this port to a Managed Device, then use ~p to run power c
123. ...Device Settings: Device Type (specify the device type). Click Apply. ... that have already been configured. Click Add.
> Select the Serial & Network: Environmental menu, then use the Environmental page to configure the attached environmental monitor.
[Add Environmental Monitor form]
Name: A descriptive name for the environmental monitor
Connected Via: Serial Port (e.g. Port 4). Specify the serial port for the environmental monitor
Description: A brief description for the environmental monitor
Temperature Offset: Fine-tuning adjustment for the Temperature Sensor
Humidity Offset: Fine-tuning adjustment for the Humidity Sensor
Alarm 1 Label: A label for the first environmental monitor alarm, e.g. Door Open
Alarm 2 Label: A label for the second environmental monitor alarm, e.g. Smoke Alarm
Log Status / Log Rate: Periodically log environmental status
> Enter a Name and optionally a Description for the EMD, and s
124. ...Europe, UK, Japan or Australia. The 12 VDC connector from the power supply plugs into the 12VDC PWR power socket on the side of the LES1508A.

2.2.2 LES1408A/LES1448A, LES1308A/LES1348A and LES1208A/LES1248A power

The Advanced Console Server models LES1208A-R2, LES1216A-R2, LES1232A, LES1248A-R2, LES1308A, LES1316A, LES1332A, LES1348A, LES1408A, LES1416A, LES1432A and LES1448A all have dual universal AC power supplies with auto-failover built in. These power supplies each accept AC input voltage between 100 and 240 VAC with a frequency of 50 or 60 Hz. The total power consumption per console server is less than 30W. Two IEC AC power sockets are located at the rear of the metal case, and these IEC power inlets use conventional IEC AC power cords. Power cords for various regions are available, although the North American power cord is provided by default. There is a warning notice printed on the back of each unit: "To avoid electrical shock, connect the power cord grounding conductor to ground."

2.2.2 LES1116A, LES1132A and LES1148A power

The LES1116A, LES1132A and LES1148A models have a built-in universal auto-switching AC power supply. This power supply accepts AC input voltage between 100 and 240 VAC with a frequency of 50 or 60 Hz. The power consumption is less than 20W. The LES1116A, LES1132A and LES1148A models have an IEC AC power socket located in the rear of the metal case. Th
125. ...Extras. If the remote communications are tunneled with SDT Connector, then you can use Telnet to securely access these attached devices (refer to the Note below).

Note: In Console Server mode, Users and Administrators can use SDT Connector to set up secure Telnet connections that are SSH tunneled from their client PC/workstations to the serial port on the console server. SDT Connector can be installed on Windows 2000, XP, 2003, Vista and Windows 7 PCs and on most Linux platforms. You can also set up secure Telnet connections with a simple point-and-click. To use SDT Connector to access consoles on the console server serial ports, you configure SDT Connector with the console server as a gateway, then configure it as a host. Next, you enable Telnet service on Port (2000 + serial port), i.e. 2001-2048. Refer to Chapter 6 for more details on using SDT Connector for Telnet and SSH access to devices that are attached to the console server serial ports.

You can also use standard communications packages like PuTTY to set up a direct Telnet or SSH connection to the serial ports (refer to the Note below).

Note: PuTTY also supports Telnet (and SSH), and the procedure to set up a Telnet session is simple. Enter the console server's IP address as the Host Name (or IP address). Select Telnet as the protocol and set the TCP port to 2000 plus the physical serial port number (that is, 2001 to
126. ...For CLI details, refer to http://www.networkupstools.org.
• Nagios is a popular enterprise-class management tool that provides central monitoring of the hosts and services in distributed networks. For CLI details, refer to http://www.nagios.org.

Many components of the console server software are licensed under the GNU General Public License (version 2), which Black Box supports. You may obtain a copy of the GNU General Public License at http://www.fsf.org/copyleft/gpl.html. Black Box will provide source code for any of the components of the software licensed under the GNU General Public License upon request.

The console server also embodies the okvm console management software. This is GPL code and the full source is available from http://okvm.sourceforge.net.

The console server BIOS (boot loader code) is a port of u-boot, which is also a GPL package with source openly available.

The console server CGIs (the html code, xml code and web config tools for the Management Console) are proprietary to Black Box; however, the code will be provided to customers under NDA.

Also inbuilt in the console server is a Port Manager application and Configuration tools, as described in Chapters 14 and 15. These both are proprietary to Black Box, but open to customers as above.

The console server also supports GNU bash shell script, enabling the Administrator to run custom scripts. GNU bash version 2.05.0(1)-release (arm-Black Box-linux-gnu) offers the following shell comman
127. From the unit command line:
vi /etc/config/inetd.conf
Append a line:
443 stream tcp nowait root sslwrap -cert /etc/config/ssl_cert.pem -key /etc/config/ssl_key.pem -exec /bin/httpd /home/httpd
Save the file and signal inetd of the configuration change:
kill -HUP `cat /var/run/inetd.pid`
The HTTPS server should be accessible from a web client at a URL similar to this: https://<common name of unit>
More detailed documentation about the openssl utility can be found at the website http://www.openssl.org.

15.9 Power Strip Control

The console server supports a growing list of remote power control devices (RPCs) that you can configure using the Management Console, as described in Chapter 8. These RPCs are controlled using the open source PowerMan and Network UPS Tools, and with Black Box's pmpower utility.

15.9.1 The PowerMan tool

PowerMan provides power management in a data center or compute cluster environment. It performs operations such as power on, power off and power cycle via remote power controller (RPC) devices.

Synopsis: powerman [-option] [targets]
          pm [-option] [targets]
Options:
-1, --on        Power ON targets
-0, --off       Power OFF targets
-c, --cycle     Power cycle targets
-r, --reset     Assert hardware reset for targets (if implemented by RPC)
-f, --flash     Turn beacon ON for targets (if implemented by RPC)
-u, --unflash   Turn beacon OFF for targets (if implemented by RPC)
-l
128. [SDT Connector gateway window; status bar reads "Out of band enabled for Remote IMG4004"]
When you connect to a service on a host behind the console server, or to the console server itself, SDT Connector will initiate the OoB connection using the provided Start Command. The OoB connection does not stop (using the provided Stop Command) until you click off Out Of Band under Gateway Actions; then the status bar will return to its normal color.

6.6 Importing and exporting preferences

To enable the distribution of pre-configured client config files, SDT Connector has an Export/Import facility.
> To save a configuration .xml file (for backup or for importing into other SDT Connector clients), select File > Export Preferences and select the location where you want to save the configuration file.
> To import a configuration, select File > Import Preferences and select the .xml configuration file to install.

6.7 SDT Connector Public Key Authentication

SDT Connector can authenticate against an SSH gateway using your SSH key pair instead of requiring you to enter your password. This is known as public key authentication. To use public key authentication with SDT Connector, first you must add the public part of your SSH key pair to your SSH gateway.
> Make su
129. ...H access to the command line. For these connections to the console server itself, you must configure SDT Connector to access the Gateway itself by setting the Gateway (console server) up as a host, and then configuring the appropriate services.
> Launch SDT Connector on your PC. Assuming you have already set up the console server as a Gateway in your SDT Connector client (with username, password etc.), select this newly added Gateway and click the Host icon to create a host. Or select File > New Host.
> Enter 127.0.0.1 as the Host Address and provide details in Descriptive Name/Notes. Click OK.
[Edit SDT Host dialog: Host Address 127.0.0.1. Services (check boxes): HTTP, HTTPS, Telnet, SSH, VNC, RDP, Dell RAC, Dell Server Administrator, Dell IT Assistant, SoL, IBM RSA II, IBM Director, IBM AMM, HP iLO2, VMWare Server, TCP Port 1494, TCP Port 903, Serial 2 SSH, Serial 2 Telnet, Serial 3 SSH, Serial 3 Telnet, Serial 4 SSH, Serial 4 Telnet. Descriptive Name: Local Host. Description/Notes: Manual entry connections to the console server itself.]
> Click the HTTP or HTTPS Services icon to access the Management Console, and/or click SSH or Telnet to access the command line console.

Note: To enable SDT access to the console, you must
130. LES1108A, LES1208A-R2, LES1308A, LES1408A, LES1508A
• LES1116A, LES1216A-R2, LES1316A, LES1416A
• LES1132A, LES1232A, LES1332A, LES1432A
• LES1148A, LES1248A-R2, LES1348A, LES1448A

Customer Support Information
Order toll-free in the U.S.: Call 877-877-BBOX (outside U.S. call 724-746-5500)
FREE technical support 24 hours a day, 7 days a week: Call 724-746-5500 or fax 724-746-0746
Mailing address: Black Box Corporation, 1000 Park Drive, Lawrence, PA 15055-1018
Web site: www.blackbox.com • E-mail: info@blackbox.com

Value Line and Advanced Console Servers Manual

Trademarks Used in this Manual
Black Box and the Double Diamond logo are registered trademarks of BB Technologies, Inc. Cisco is a registered trademark of Cisco Technology, Inc. Mac is a registered trademark of Apple Computers, Inc. Linux is a registered trademark of Linus Torvalds. Internet Explorer, Windows, Windows Me, Windows NT and Windows Vista are registered trademarks of Microsoft Corporation. Nagios is a registered trademark of Nagios Enterprises, LLC. Java and Solaris are trademarks of Sun Microsystems, Inc. Unix is a registered trademark of X/Open Company Ltd. Any other trademarks mentioned in this manual are acknowledged to be the property of the trademark owners.

We're here to help! If you have any questions about your application or our product
131. ...Logs and the Host to be displayed.

13.3 Serial Port Terminal Connection

There are two methods available for accessing the console server command line and devices attached to the console server serial ports directly from a web browser:
• The Web Terminal service uses AJAX to enable the web browser to connect to the console server using HTTP or HTTPS as a terminal, without the need for additional client installation on the user's PC.
• The SDT Connector service launches a pre-installed SDT Connector client on the user's PC to establish secure SSH access, then uses pre-installed client software on the client PC to connect to the console server.
Web browser access is available to users who are a member of the admin or users groups.

13.3.1 Web Terminal

The AJAX-based Web Terminal service may be used to access the console server command line or attached serial devices.

Note: Any communication using the Web Terminal service over HTTP is unencrypted and not secure. The Web Terminal connects to the command line or serial device using the same protocol that is being used to browse to the Management Console, i.e. if you are browsing using an https:// URL (this is the default), the Web Terminal connects using HTTPS.

13.3.1.1 Web Terminal to Command Line

To enable the Web Terminal service for the console server:
> Select System: Firewall
> Check Enable Web Terminal and click Apply
Administrators can now communicate directly with the
132. [System: IP, Network 2 settings form]
Method: Static. The mechanism to acquire IP settings
IP Address: A statically assigned IP address
Subnet Mask: A statically assigned network mask
Gateway: Default gateway for the unit. Please only set this on one interface
Primary DNS: A statically assigned primary name server

Note: You can configure the second Ethernet port as either a gateway port or as an OOB/Failover port, but not both. Make sure you did not allocate Network 2 as the Failover Interface when you configured the principal Network connection on the System: IP menu.

The management gateway function is now enabled with default firewall and router rules. By default, these rules are configured so the Management LAN can only be accessed by SSH port forwarding. This ensures that the remote and local connections to Managed Devices on the Management LAN are secure. You can also configure the LAN ports in bridged mode, as described later in this chapter, or you can configure them from the command line.

3.6.2 Configure the DHCP server

The LES1508A, LES1408A, LES1416A, LES1432A, LES1448A, LES1308A, LES1316A, LES1332A, LES1348A, LES1208A-R2, LES1216A-R2, LES1232A and LES1248A-R2 console servers also host a DHCP server, which by default is disabled. T
133. ...NC bundled, or have third-party VNC software that you can download.

6.9.2 Install, configure and connect the VNC Viewer

VNC is truly platform-independent, so a VNC Viewer on any operating system can connect to a VNC Server on any other operating system. There are Viewers (and Servers) from a wide selection of sources, for example UltraVNC, TightVNC or RealVNC, for most operating systems. There is also a wealth of Java viewers available, so that any desktop can be viewed with any Java-capable browser. http://en.wikipedia.org/wiki/VNC lists many of the VNC Viewer sources.
> Install the VNC Viewer software and set it up for the appropriate speed connection.

Note: To make VNC faster, when you set up the Viewer:
• Set encoding to ZRLE, if you have a fast enough CPU
• Decrease color level (e.g. 64 bit)
• Disable the background transmission on the Server or use a plain wallpaper
Refer to http://doc.uvnc.com for detailed configuration instructions.
> To establish the VNC connection, first configure the VNC Viewer, entering the VNC Server IP address.
• When the Viewer PC is connected to the console server thru an SSH tunnel (over the public Internet, or a dial-in connection, or a private network connection), enter localhost (or 127.0.0.1) as the VNC Server IP address, and the source port you entered when setting up SSH tunneling/port forwarding (in Section 6.2.6), e.g. 1234.
[Screenshot: Win32 Viewer
134. [System: Date & Time page. Current System time: 23:39:21 Sep 14, 2011. Time Zone: select your time zone (list begins Africa/Abidjan), Set Timezone. Date and Time: Year, Month, Day, Hour and Minute selection boxes, Set Time. Network Time Protocol: Enable NTP (enable Network Time Protocol Support); NTP Server (address of the remote NTP Server); Apply Settings.]
> Select the System: Date & Time menu option
> Manually set the Year, Month, Day, Hour and Minute using the Date and Time selection boxes, then click Set Time

The gateway can synchronize its system time with a remote time server using the Network Time Protocol (NTP). Configuring the NTP time server ensures that the console server clock will be accurate soon after the Internet connection is established. Also, if NTP is not used, the system clock will reset randomly every time the console server is powered up.

To set the system time using NTP:
> Select the Enable
135. ...NTP checkbox on the Network Time Protocol page
> Enter the IP address of the remote NTP Server and click Apply Settings
You must now also specify your local time zone, so the system clock can show local time (and not UTC).
> Set your appropriate region/locality in the Time Zone selection box and click Apply

11.4 Configuration Backup

We recommend that you back up the console server configuration whenever you make significant changes (such as adding new Users or Managed Devices) or before performing a firmware upgrade.
> Select the System: Configuration Backup menu option, or click the Backup icon

Note: You can also back up the configuration files from the command line (refer to Chapter 14).

[System: Configuration Backup page on les1308a (Model LES1308A, Firmware 3.5.3u5, Current User root), with Remote Backup, Local Backup and XML Configuration tabs. Remote Backup tab: Last Remote Backup: Never; Save Backup; Choose File (saved configuration backup); Restore.]

With all console servers, you can save the backup file remotely on your PC, and you can restore configurations from remote locations.
> Click Save Backup in the Remote Configurat
136. ...OMETHING NASTY!
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that the RSA host key has just been changed.
The fingerprint for the RSA key sent by the remote host is
ab:7e:33:bd:85:50:5a:43:0b:e0:bd:43:3f:1c:a5:f8.
Please contact your system Administrator.
Add correct host key in ~/.ssh/known_hosts to get rid of this message.
Offending key in ~/.ssh/known_hosts:1
RSA host key for remhost has changed and you have requested strict checking.
Host key verification failed.

If the host key has been legitimately changed, it can be removed from the ~/.ssh/known_hosts file and the new fingerprint added. If it has not changed, this indicates a serious problem that should be investigated immediately.

15.6.7 SSH tunneled serial bridging

You have the option to apply SSH tunneling when two Black Box console servers are configured for serial bridging.
[Figure: Ethernet LAN between the two console servers; serially connected device (e.g. security appliance) on one side, COM port connected control PC on the other]
As detailed in Chapter 4, the Server console server is set up in Console Server mode with either RAW or RFC2217 enabled, and the Client console server is set up in Serial Bridging Mode with the Server Address and Server TCP Port (4000 + port for RAW, or 5000 + port for RFC2217) specified.
> Select SSH Tunnel when configuring the Serial Bridging Setti
137. ...OOTNODE.$LASTFIELDTEXTS$NUMBER$COUNTER
  while read LINE
  do
    config -s "`echo $LINE | sed -e s/$LASTFIELDTEXTS$NUMBER$COUNTER/$LASTFIELDTEXTS$NUMBER$COUNTER-1/ -e s`"
  done
  let COUNTER++
done
# deleting last user
config -d $ROOTNODE.$LASTFIELDTEXTS$TOTAL
# Modifying item total
config -s $TOTALNODE=$NEWTOTAL
echo Done
exit 0
else
echo "error: item being deleted has an index greater than total items. Increase the total count variable."
exit 0
fi

15.1.6 Power Cycle any device when a ping request fails

The ping-detect script is designed to run specified commands when a monitored host stops responding to ping requests. The first parameter taken by the ping-detect script is the hostname/IP address of the device to ping. Any other parameters are then regarded as a command to run whenever the ping to the host fails. ping-detect can run any number of commands.

Below is an example using ping-detect to power cycle an RPC (PDU) outlet whenever a specific host fails to respond to a ping request. The ping-detect runs from /etc/config/rc.local to make sure that the monitoring starts whenever the system boots.

Suppose we have a serially controlled RPC connected to port01 on a console server, and have a router powered by outlet 3 on the RPC, and the router has an internal IP address of 192.168.22.2. The following instructions will show you how to continuously ping the router. When the router fails to resp
138. ...P addresses from the network (typically the LAN) that remote users are assigned while connected to the Console server.
Enter the desired value of the Maximum Transmission Unit (MTU) for the PPTP interfaces into the MTU field (defaults to 1400).
In the DNS Server field, enter the IP address of the DNS server that assigns IP addresses to connecting PPTP clients.
In the WINS Server field, enter the IP address of the WINS server that assigns IP addresses to connecting PPTP clients.
> Enable Verbose Logging to assist in debugging connection problems
> Click Apply Settings

4.11.2 Add a PPTP user
> Select Users & Groups on the Serial & Networks menu and complete the fields as covered in section 4.2
> Ensure the pptpd Group has been checked, to allow access to the PPTP VPN server. Note: users in this group will have their password stored in clear text.
> Keep note of the username and password for when you need to connect to the VPN connection
> Click Apply

4.11.3 Set up a remote PPTP client
Ensure the remote VPN client PC has Internet connectivity. To create a VPN connection across the Internet, you must set up two networking connections. One connection is for the ISP, and the other connection is for the VPN tunnel to the console server.

Note: This procedure sets up a PPTP client in the Windows 7 Professional operating system. The steps may vary slightly depending on your netw
139. ...PP clients. Set the PPP link up with TCP/IP as the only protocol enabled. Specify that the Server will assign IP address and do DNS. Do not set up the console server PPP link as the default for Internet connection.

5.2 OoB broadband access

The LES1508A, LES1408A, LES1416A, LES1432A, LES1448A, LES1308A, LES1316A, LES1332A, LES1348A, LES1208A-R2, LES1216A-R2, LES1232A and LES1248A-R2 console servers have a second Ethernet port (Network 2) that you can configure for alternate and OoB (out-of-band) broadband access. With two active broadband access paths to the console server, if you are unable to access it through the primary management network (Network or Network1), you can still access it through the alternate broadband path (for example, a T1 link).
> On the System: IP menu, select Network 2 and configure the IP Address, Subnet Mask, Gateway and DNS with the access settings for the alternate link.
> Make sure that when you configure the principal Network 1 Settings connection, the Failover Interface is set to None.

5.3 Broadband Ethernet Failover

The second Ethernet port on the LES1508A, LES1408A, LES1416A, LES1432A, LES1448A, LES1308A, LES1316A, LES1332A, LES1348A, LES1208A-R2, LES1216A-R2, LES1232A and LES1248A-R2 console servers can also be configured for failover, to ensure transparent high availability.
[Screenshot: Serial & Network menu
140. ...Response
> Click on SMS Command as the Check Condition
> Specify which Phone Number (in international format) of the phone sending the SMS message
> Set the Incoming Message Pattern (PCRE regular expression) to match to create the trigger event

Note: The SMS command trigger condition can only be set if there is an internal or external USB cellular modem detected.

7.3 Trigger Actions

To configure the sequence of actions that is to be taken in the event of the trigger condition:
> For a nominated Auto-Response with a defined Check Condition, click on Add Trigger Action (e.g. Send Email or Run Custom Script) to select the action type to be taken. Then configure the selected action as detailed in the following sections.
> Each action is configured with a nominated Action Delay Time, which specifies how long (in seconds after the Auto-Response trigger event) to wait before performing the action. So you can add follow-on actions to create a sequence of actions that will be taken in the event of the one trigger condition.
> To edit or delete an existing action, click the Modify or Delete icon in the Scheduled Trigger Action table.
[Trigger Actions page: Scheduled Trigger Actions table (Action, Action Delay, Modify, Delete) and Add Trigger Email Action form. Action Name: Unique name for this action. Action Delay Time: Time after the Auto-Res
141. ...Response Settings menu.

7.2.1 UPS Power Supply

To use the properties of any attached UPS as the trigger event:
> Click on UPS Power Supply as the Check Condition
> Select the UPS Power Device Property (Input Voltage, Battery Charge %, Load %, Input Frequency Hz or Temperature in °C) that will be checked for the trigger
> Specify the Trigger value that the check measurement must exceed or drop below to trigger the Auto-Response
> Select the Comparison type as being Above Trigger Value or Below Trigger Value to trigger
> Specify any Hysteresis factor that is to be applied to environmental measurements (e.g. if an Auto-Response was set up with a trigger event of a battery charge below 20% with a Hysteresis of 5, then the trigger condition would not be seen as having been resolved till the battery charge was above 25%)
> Check Save Auto-Response
[Check Conditions form, UPS Power Check: Power Device Property (Power Device Property to perform check on, e.g. Input Voltage V); Trigger value for the check; Comparison type; Hysteresis; Save Auto Response; Return to Auto Response List]

Note: Before configuring UPS checks in Auto-Response, you first must configure the attached UPS.

7.2.2 UPS Status

To use the alert state of any attached UPS as the Auto-Response trigger event:
> Click on UPS Status as the Check C
142. ...S scripts $i
  fi
done
This code shows that there are two alternative scripts that can be run instead of the default one. This code first checks whether a file /etc/config/scripts/pattern-alert.$ALERT_PORTNAME exists. The variable $ALERT_PORTNAME must be replaced with port01 or port13 or whichever port the alert should run for. If this file cannot be found, the script checks whether the file /etc/config/scripts/portmanager-pattern-alert exists. If either of these files exists, the script calls the exec command on the first file that it finds and runs that custom file/script instead.

As an example, you can copy the /etc/scripts/portmanager-pattern-alert script file to /etc/config/scripts/portmanager-pattern-alert:
cd /
mkdir /etc/config/scripts    (if the directory does not already exist)
cp /etc/scripts/portmanager-pattern-alert /etc/config/scripts/portmanager-pattern-alert

The next step will be to edit the new script file. First, open the file /etc/config/scripts/portmanager-pattern-alert using vi or any other editor and remove the lines that check for a custom script (the code from above). This will prevent the new custom script from repeatedly calling itself. After these lines have been removed, edit the file or add any additional scripting to the file.

15.1.3 Example script: Power Cycling on Pattern Match

For example, we have an RPC (PDU) connected to port 1 on a console server an
143. ...S1232A: 32 RJ-45 RS-232 serial ports
LES1448A, LES1348A, LES1248A-R2: 48 RJ-45 RS-232 serial ports
LES1116A: 16 RJ-45 RS-232 serial ports
LES1132A: 32 RJ-45 RS-232 serial ports
LES1148A: 48 RJ-45 RS-232 serial ports
LES1108A: 8 RJ-45 RS-232 serial ports
All models: 1 DB-9 RS-232 console/modem serial port
Serial Baud Rates: RJ45 ports 50 to 230,400 bps; DB9 port 2400 to 115,200 bps
Ethernet Connectors: LES1508A, LES1408A/16A/32A/48A, LES1308A/16A/32A/48A, LES1208A-R2/16A-R2/32A/48A-R2: Two RJ-45 10/100Base-T Ethernet ports. LES1108A/16A/32A/48A: One RJ-45 10/100Base-T Ethernet port

Appendix C: Safety & Certifications

Please take care to follow the safety precautions below when installing and operating the console server:
• Do not remove the metal covers. There are no operator-serviceable components inside. Opening or removing the cover may expose you to dangerous voltage, which may cause fire or electric shock. Refer all service to Black Box qualified personnel.
• To avoid electric shock, the power cord protective grounding conductor must be connected through to ground.
• Always pull on the plug, not the cable, when disconnecting the power cord from the socket.
• Do not connect or disconnect the console server during an electrical storm. We recommend that you use a surge suppressor or UPS to protect the equipment from transients.

FCC Warning Statement
This devic
144. ...Set up central Nagios server

SDT for Nagios requires a central Nagios server running Nagios 2.x or 3.x. Nagios 1.x is not supported. The Nagios server software is available for most major distributions of Linux using the standard package management tools. Your distribution will have documentation available on how to install Nagios. This is usually the quickest and simplest way to get up and running. Note that you will need the core Nagios server package and at least one of the NRPE or NSCA add-ons. NSCA is required to use the alerting features of the Black Box distributed hosts; installing both NRPE and NSCA is recommended. You will also require a web server such as Apache to display the Nagios web UI, and this may be installed automatically depending on the Nagios packages. Or, you may wish to download the Nagios source code directly from the Nagios website and build and install the software from scratch. The Nagios website (http://www.nagios.org) has several Quick Start Guides that walk through this process. Once you are able to browse to your Nagios server and see its web UI and the local services it monitors by default, you are ready to continue.

10.2.2 Set up distributed console servers

This section provides a brief walkthrough on configuring a single console server to monitor the status of one attached network host (a Windows IIS server running HTTP and HTTPS services) and one serially attached d
145. System: Administration and click Apply.
> Click the Commit Config button in the top right-hand corner of the screen to display the System: Commit Configuration screen.
> Click Apply to run the systemsettings configurator. The Commit Config button will no longer be displayed in the top right-hand corner of the screen, and configuration changes will no longer be queued.

11.6 FIPS Mode. The Advanced Console Servers LES1208A-R2, LES1216A-R2, LES1232A and LES1248A-R2 all use an embedded cryptographic module that has been validated to meet the FIPS 140-2 standard.

Note: The US National Institute of Standards and Technology (NIST) publishes the FIPS (Federal Information Processing Standard) series of standards. FIPS 140-1 and FIPS 140-2 are both technical standards and worldwide de facto standards for the implementation of cryptographic modules. These standards and guidelines are issued by NIST for use government-wide. NIST develops FIPS when there are compelling Federal government requirements, such as for security and interoperability, and there are no acceptable industry standards or solutions.

Advanced Console Servers LES1408A, LES1416A, LES1432A, LES1448A, LES1308A, LES1316A, LES1332A, LES1348A, LES1208A-R2, LES1216A-R2, LES1232A and LES1248A-R2 use an embedded OpenSSL cryptographic module that has been validated to meet the FIPS 140-2 standard and has received Certificate 1051. When configured in FIPS mode, al
146. Test Password; Apply.

PAM (Pluggable Authentication Modules). The console server supports RADIUS, TACACS and LDAP for two-factor authentication via PAM. PAM is a flexible mechanism for authenticating users. A number of new ways of authenticating users have become popular; the challenge is that each time a new authentication scheme is developed, every program that authenticates (login, ftpd, etc.) would need to be rewritten to support it. PAM provides a way to develop programs that are independent of the authentication scheme: authentication modules are attached to these programs at run time, and which module is attached depends on the local system setup, at the discretion of the local Administrator. The console server family supports PAM with the following modules added for remote authentication:

RADIUS: pam_radius_auth (http://www.freeradius.org/pam_radius_auth)
TACACS: pam_tacplus (http://echelon.pl/pubs/pam_tacplus.html)
LDAP: pam_ldap (http://www.padl.com/OSS/pam_ldap.html)

Further modules can be added as required. Changes made to files in /etc/config/pam.d persist even when the authentication configurator runs.

> Users added on demand: when a user attempts to log in but does not already have an account on the console server, a new user account is created. This account
147. This allows the console server to provide full outgoing connectivity for internal devices using a single IP address on the external network. By default, IP masquerading is disabled for all networks. To enable masquerading:
> Select the Forwarding & Masquerading panel on the System: Firewall menu.
> Check Enable IP Masquerading (SNAT) on the network interfaces where masquerading is to be enabled. Generally, masquerading is applied to any interface that connects to a public network such as the Internet.

5.8.2 Configuring client devices. Client devices on the local network must be configured with gateway and DNS settings. This can be done statically on each device or using DHCP.

Manual configuration: set a static gateway address (the address of the console server) and set the DNS server address to the one used on the external network; i.e. if the console server is acting as an Internet gateway or a cellular router, use the ISP-provided DNS server address.

DHCP configuration:
> Navigate to the System: IP page.
> Click the tab of the interface connected to the internal network. To use DHCP, a static address must be set, so check that the static IP and subnet mask fields are set.
(Screenshot: System: IP page on an LES1216A, firmware 3.4.2, current user root.)
148. U SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING, REPAIR OR CORRECTION.

12. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

END OF TERMS AND CONDITIONS

Black Box Tech Support: FREE! Live. 24/7. Tech support the way it should be. Great tech support is just 30 seconds away at 724-746-5500 or blackbox.com.

About Black Box: Black Box Network Services is your source for an extensive range of networking and infrastructure products. You'll find everything from cabinets and racks and power and surge protection products to media converters and Ethernet switches, all supported by free, live 24/7 Tech support available in 30 seconds or less. Copyright 2012. All rights reserved. Black Box and the Double Diam
149. a clean restart of the modem and its services to work around any carrier issues.

Modem Watchdog (Advanced). This feature configures a service that periodically pings a configurable IP address. If a threshold number of attempts fail, the service reboots the unit. This can be used to force a clean restart of the modem and its services to work around any carrier issues. The fields are: Enable watchdog (configure a service to reboot the unit if a configurable number of ping attempts fail); Address (IP address to periodically ping); Threshold (number of failed ping attempts required before rebooting); Ping count (number of pings per attempt, defaults to 5); Period (number of seconds to wait between attempts, defaults to 30). Click Apply. Choose an Address that is expected to answer ICMP at all times; a target that is down or filters ICMP will make the watchdog reboot the unit repeatedly.

5.7 Cellular Operation. When set up as a console server, the 3G cellular modem can be set up to connect to the carrier in one of three modes. Failover mode: a dial-out cellular connection is only established in the event of a ping failure. OOB mode: the dial-out connection to the carrier cellular network is always on, awaiting incoming access from a remote site that wants to reach the console server or its attached serial consoles and network hosts. Cellular router mode: again the dial-out connection to the carrier cellular network is always on, but IP traffic is routed between the cellular-connected network and the console server's local n
150. ables. Descriptions whose command names fall on the preceding page: Send a signal to a process to end gracefully; Make links between files; Begin session on the system; Black Box loopback diagnostic command (six entries); List directory contents; Send and receive mail; Make directories; Create an MS-DOS file system under Linux; Make block or character special files; File perusal filter for CRT viewing; Mount a file system; SMTP mail client; Move/rename files; TCP/IP Swiss army knife; Upgrade firmware on uClinux platforms using the blkmem interface; Print network connections, routing tables, interface statistics, etc.; Network Time Protocol (NTP) daemon.

Commands with their descriptions:
pgrep: Display process(es) selected by regex pattern
pidof: Find the process ID of a running program
ping: Send ICMP ECHO_REQUEST packets to network hosts
ping6: IPv6 ping
pkill: Send a signal to process(es) selected by regex pattern
pmchat: Black Box command similar to the standard chat command, via portmanager

The remaining commands in this table (pmdeny, pminetd, pmloggerd, pmshell, pmusers, portmanager, portmap, pppd, ps, pwd, reboot, rm, rmdir, routed, routef, routel, rtacct, rtmon, scp, sed, setmac, setserial, sh, showmac, sleep, smbmnt, smbmount, smbumount, snmpd, snmptrap, sredird, ssh, ssh-keygen, sshd, sslwrap, stty, stunnel) have their descriptions on the following page.
151. ablished between a roaming Windows client and a console server within a data centre. Configuration of OpenVPN can be complex, so a simple GUI is provided for basic setup, as described below. For more detailed information on configuring the OpenVPN Access Server or client, refer to the HOWTOs and FAQs at http://www.openvpn.net.

4.10.1 Enable OpenVPN
> Select OpenVPN on the Serial & Networks menu.
> Click Add and complete the Add OpenVPN Tunnel screen.
(Screenshot: Serial & Network: Add OpenVPN Tunnel form, with PKI (X.509 Certificates) and Client Details sections.)
> Enter a descriptive name to identify the OpenVPN tunnel you are adding, for example NorthStOutlet-VPN.
> Select the Device Driver to be used, either Tun-IP or Tap-Ethernet. The TUN (network tunnel) and TAP (network tap) drivers are virtual network drivers that support IP tunneling and Ethernet tunneling respectively; both are part of the Linux kernel.
> Select either UDP or TCP as the Protocol. UDP is the default and preferred protocol for OpenVPN.
> In Tunnel Mode, nominate whether this is the Client or Server end of the tunnel. When running as a server, the advanced console server supports multiple clients connecting to the VPN server over the same port.
> In Configuration Method, select the authentication method to be used. To authenticate using certificat
152. ace to come up. TEST ROUTES: 1/1 succeeded len=1 ret=1 a=0 u/d=up.
> Once established, the OpenVPN icon displays a message notifying of the successful connection and the assigned IP (for example: "1M4216_client is now connected. Assigned IP: 10.100.10.6"). This information, as well as the time the connection was established, is available at any time by hovering over the OpenVPN icon.

Note: An alternate OpenVPN Windows client can be downloaded from http://www.openvpn.net/index.php/openvpn-client/downloads.html. Refer to http://www.openvpn.net/index.php/openvpn-client/howto-openvpn-client.html for help.
(Screenshot: OpenVPN Client window with Access, Status and Settings tabs, a Server Address field and Connection Profiles.)

4.11 PPTP VPN. The LES1508A, LES1408A, LES1416A, LES1432A, LES1448A, LES1308A, LES1316A, LES1332A, LES1348A, LES1208A-R2, LES1216A-R2, LES1232 and LES1248A-R2 console servers include a PPTP (Point-to-Point Tunneling Protocol) server. PPTP is typically used for communications over a physical or virtual serial link. The PPP endpoints define a virtual IP address for themselves; routes to networks can then be defined with these IP addresses as the gateway, which results in traffic being sent across the tunnel. PPTP establishes a tunnel between the physical PPP endpoints and transports data across the tunnel. Note that PPTP's authentication (MS-CHAPv2) and its MPPE encryption, which derives its keys from that handshake, have published practical attacks, so treat a PPTP tunnel as a convenience rather than a confidentiality boundary and prefer OpenVPN or IPsec where the traffic matters. The strength of PPTP is its ease of configuratio
153. ached devices (hosts). The Administrator must configure access privileges for each of these devices and specify the services that can be used to control them. The Administrator can also set up new users and specify each user's individual access and control privileges. Network-connected devices are reached with HTTP, HTTPS, IPMI, ALOM, SOL, VNC, RDP, SSH, X or Telnet; serial-connected devices are reached through the serial ports.

This chapter covers each of the steps in configuring hosts and serially attached devices:
Configure Serial Ports: setting up the protocols to be used in accessing serially connected devices.
Users & Groups: setting up users and defining the access permissions for each of these users.
Authentication: covered in more detail in Chapter 9.
Network Hosts: configuring access to network-connected devices (referred to as hosts).
Configuring Trusted Networks: nominating user IP addresses.
Cascading and Redirection of Serial Console Ports.
Connecting to Power (UPS, PDU and IPMI) and Environmental Monitoring (EMD) devices.
Managed Devices: presents a consolidated view of all the connections.
IPsec: enabling VPN connections.
OpenVPN connection.
PPTP connection.

4.1 Configure Serial Ports. To configure a serial port, you must first set the Common Settings: the protocols and the RS-232 parameters (such as baud rate) that will be used for the data connection to that port. Then select the mode the port is to operate in. You can set each port to support one of five operating
154. alert gets triggered, specific scripts get called. These scripts all reside in /etc/scripts. Below is a list of the default scripts that get run for each applicable alert:
For a connection alert (when a user connects to or disconnects from a port or network host): /etc/scripts/portmanager-user-alert for port connections, or /etc/scripts/sdt-user-alert for host connections.
For a signal alert (when a signal on a port changes state): /etc/scripts/portmanager-signal-alert.
For a pattern match alert (when a specific regular expression is found in the serial port's character stream): /etc/scripts/portmanager-pattern-alert.
For a UPS status alert (when the UPS power status changes between on-line, on-battery and low-battery): /etc/scripts/ups-status-alert.
For environmental, power and alarm sensor alerts (temperature, humidity, power load and battery charge alerts): /etc/scripts/environmental-alert.
For an interface failover alert: /etc/scripts/interface-failover-alert.

All of these scripts first check whether you have created a custom script to run instead: a port-specific script is looked for first, then a global replacement. The code that does this check is shown below; it is an extract from /etc/scripts/portmanager-pattern-alert:

    # If there's a user-configured script, run it instead
    scripts[0]="/etc/config/scripts/pattern-alert.${ALERT_PORTNAME}"
    scripts[1]="/etc/config/scripts/portmanager-pattern-alert"
    for (( i = 0; i < ${#scripts[@]}; i++ )); do
        if [ -f "${scripts[$i]}" ]; then
            exec /bin/sh "${scripts[$i]}"
        fi
    done
155. ame. All passwords are saved in plaintext except the user passwords and the system passwords, which are encrypted.

Note: The config command does not verify whether the nodes edited or added by the user are valid. This means that any node may be added to the tree. If a user runs the following command:

    /bin/config -s config.fruit.apple=sweet

the configurator will not complain, but the command is useless: when the configurators are run to turn the config.xml file into live configuration, they simply ignore this <fruit> node. Administrators must make sure of the spelling when typing config commands; an incorrectly spelled node will not be flagged.

Most changes made to the XML file are immediately active. To make sure that all configuration changes are active, especially when editing user passwords, run all the configurators:

    /bin/config -a

For information on backing up and restoring the configuration file, refer to Chapter 15, Advanced Configuration.

14.2 Serial Port configuration. The first set of configurations you need to make to any serial port are the RS-232 common settings. For example, to set up serial port 5 with the following properties: Baud Rate 9600, Parity None, Data Bits 8, Stop Bits 1, label myport, log level 0, protocol RS232, flow control None, use the following commands:

    config -s config.ports.port5.speed=9600
    config -s config.ports.port5.p
156. an be created on a host system and copied to the Management Console device using scp. Alternatively, log in to the Management Console and use ftp or wget to transfer the files. Here is a brief description of the elements of the XML entries in /etc/config/powerstrips.xml:

    <powerstrip>
        <id>Name or ID of the device support</id>
        <outlet port="port-id-1">Display Port 1 in menu</outlet>
        <outlet port="port-id-2">Display Port 2 in menu</outlet>
        <on>script to turn power on</on>
        <off>script to power off</off>
        <cycle>script to cycle power</cycle>
        <status>script to write power status to /var/run/power-status</status>
        <speed>baud rate</speed>
        <charsize>character size</charsize>
        <stop>stop bits</stop>
        <parity>parity setting</parity>
    </powerstrip>

The id appears on the web page in the list of available device types to configure. The outlets describe targets that the scripts can control; for example, a power control board may control several different outlets. The port-id is the native name for identifying the outlet. This value is passed to the scripts in the environment variable outlet, allowing the script to address the correct outlet. There are four possible scripts: on, off, cycle and status. When a script is run, its standard input and output are redirected to the appropriate serial port. The script receives
157. an earlier version.

11.3 The firmware version is displayed in each page's header; alternatively, select Status: Support Report and note the Firmware Version. To upgrade, you first must download the latest firmware image from the Black Box web site. Save this downloaded firmware image file to a system on the same subnet as the console server. Download and read the release_notes.txt for the latest information, and verify the image against any checksum or signature the vendor publishes with the release before uploading it: a firmware image replaces the whole appliance software, so a tampered image means a tampered appliance. To upload the firmware image file to your console server, select System: Firmware. Specify the address and name of the downloaded Firmware Upgrade File, or Browse the local subnet and locate the downloaded file. Click Apply and the console server appliance will perform a soft reboot and start upgrading the firmware. This process will take several minutes. After the firmware upgrade completes, click the "here" link to return to the Management Console. Your console server will have retained all its pre-upgrade configuration information.

Configure Date and Time. We recommend that you set the local Date and Time in the console server as soon as it is configured. Features like Syslog and NFS logging use the system time for time-stamping log entries, while certificate generation depends on a correct timestamp to check the validity period of the certificate.
(Screenshot: Management Console header for les1216a, firmware 3.4.2, current user root.)
158. an provide secure SSH connections to the console servers and secure tunnels to connected devices. PuTTY is a complete, though not very user-friendly, freeware implementation of SSH for Win32 and UNIX platforms. SSHTerm is a useful open-source SSH communications package. SSH Tectia is a leading end-to-end commercial communications security solution for the enterprise. Reflection for Secure IT (formerly F-Secure SSH) is another good commercial SSH-based security solution.

For example, the steps below show how to establish an SSH-tunneled connection to a network-connected device using the PuTTY client software.
(Screenshot: PuTTY Configuration, Session category: Host Name or IP address 192.168.252.202, Port 22, Connection type SSH, with Saved Sessions and the "Close window on exit" options.)
In the Session menu, enter the IP address of the console server in the Host Name or IP address field. For dial-in connections, this IP address will be the Local Address that you assigned to the console server when you set it up as the Dial-In PPP Server. For Internet or local VPN connections, this will be the console server's public IP address. On the first connection, PuTTY shows the server's host key fingerprint; compare it with the key on the console server before accepting it, since accepting an unverified key is exactly what allows a man-in-the-middle to impersonate the server. Select the SSH Protocol
159. and cannot be modified. The CDK essentially provides a snapshot of the Black Box build process, taken after the programs have been compiled and copied to a temporary directory (romfs), just before the compressed file systems are generated. You can obtain a copy of the Black Box CDK for the particular appliance you are working with from Black Box. Note: The CDK is free.

15.12 Scripts for Managing Slaves. When the console servers are cascaded, the Master is in control of the serial ports on the Slaves, and the Master's Management Console provides a consolidated view of the settings for its own and all the Slaves' serial ports. The Master does not provide a fully consolidated view; for example, Status: Active Users only displays those users active on the Master's ports, and you will need to write a custom bash script that parses the port logs if you want to find out who is logged in to cascaded serial ports from the Master. You will probably also want to enable remote or USB logging, because local logs only buffer 8K of data and do not persist between reboots.

This script would, for example, parse each port log file line by line: each time it sees "LOGIN username" it adds username to the list of connected users for that port; each time it sees "LOGOUT username" it removes it from the list. The list can then be formatted and displayed. You can run the script on the remote log server. To
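The LOGIN/LOGOUT replay described above, written out as an added example; it is not part of the manual or of the vendor's software. It assumes each port log line contains the word LOGIN or LOGOUT followed by the username (as the manual describes; the timestamp layout in the constructed sample is invented) and that the log server keeps one file per port named portN.log (an assumption; adjust the glob to your own logging layout).

```shell
#!/bin/sh
# Added example: replay LOGIN/LOGOUT events from cascaded-port logs to find
# who is still connected to each port. Not the vendor's script.
# Assumptions: a log line contains "LOGIN <user>" or "LOGOUT <user>" as the
# manual describes; one log file per port, named portN.log, on the log server.

# connected_users FILE
# Prints, sorted and space separated, the users whose last event in FILE was LOGIN.
connected_users() {
    awk '
        {
            for (i = 1; i < NF; i++) {
                if ($i == "LOGIN")  { u[$(i+1)] = 1 }       # user arrived
                if ($i == "LOGOUT") { delete u[$(i+1)] }    # user left (harmless if never seen)
            }
        }
        END { for (n in u) print n }
    ' "$1" | sort | tr '\n' ' ' | sed 's/ $//'
}

# report_ports DIR
# One line per portN.log in DIR, in the form "portN: user1 user2".
report_ports() {
    for f in "$1"/port*.log; do
        [ -f "$f" ] || continue
        printf '%s: %s\n' "$(basename "$f" .log)" "$(connected_users "$f")"
    done
}

# Constructed sample log; the timestamp format is invented for illustration.
# dave logs out without ever logging in, to show that a stray LOGOUT is ignored.
sample_port_log() {
    cat <<'EOF'
2012-06-01 09:00:01 LOGIN alice
2012-06-01 09:05:10 LOGIN bob
2012-06-01 09:20:33 LOGOUT alice
2012-06-01 09:30:00 LOGIN carol
2012-06-01 09:31:00 LOGOUT dave
EOF
}

# Stand-alone demo: build a temporary log directory and report on it.
demo() {
    d=$(mktemp -d)
    sample_port_log > "$d/port3.log"
    report_ports "$d"        # prints: port3: bob carol
    rm -rf "$d"
}

case ${1:-} in demo) demo ;; esac
```

Run it as `sh script.sh demo` to see the constructed sample, or point `report_ports` at the directory where the remote log server stores the per-port logs. Because the script only keeps the last event per user, it gives the right answer even when the log starts mid-session as long as the LOGOUT is present.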
160. and_line  $USER1$/check_nrpe -H 192.168.254.147 -p 5666 -c host_ping_$HOSTNAME$

    define service {
        service_description   Host Ping
        host_name             server
        use                   generic-service
        check_command         check_ping_via_Black Box
    }

    define service {
        service_description   host-ping-server
        host_name             server
        use                   generic-service
        check_command         check_ping_via_Black Box
        active_checks_enabled   0
        passive_checks_enabled  1
    }

    define servicedependency {
        name                           Black Box_nrpe_daemon_dep
        host_name                      Black Box
        dependent_host_name            server
        dependent_service_description  Host Ping
        service_description            NRPE Daemon
        execution_failure_criteria     w,u,c
    }

SSH Port:

    define command {
        command_name  check_conn_via_Black Box
        command_line  $USER1$/check_nrpe -H 192.168.254.147 -p 5666 -c host_$HOSTNAME$_$ARG1$_$ARG2$
    }

    define service {
        service_description   SSH Port
        host_name             server
        use                   generic-service
        check_command         check_conn_via_Black Box!tcp!22
    }

    define service {
        service_description   host-port-tcp-22-server   ; form: host-port-<protocol>-<port>-<host>
        host_name             server
        use                   generic-service
        check_command         check_conn_via_Black Box!tcp!22
        active_checks_enabled   0
        passive_checks_enabled  1
    }

    define servicedependency {
        name                           Black Box_nrpe_daemon_dep
        host_name                      Black Box
        dependent_host_name            server
        dependent_service_description  SSH Port
        service_description            NRPE Daemon
        execution_failure_criteria     w,u,c
    }

(The object names containing a space, such as check_ping_via_Black Box, are reproduced as printed in the manual; in a real configuration use an unbroken name such as check_ping_via_blackbox so that the name cannot be mis-parsed.)

10.4.2 Basic Nagios plug-ins. Plug-ins are
161. (Screenshot: Serial & Network: Managed Devices page, firmware 3.5.3u5, current user root, listing for example test-ad (Network Host 192.168.254.100, rdp), itm4000 (Network Host 192.168.254.254), DigiPower (RPC), cvs (Network Host, ssh) and a Network Host www.google.com, with Serial, Network and Power tabs.)
> Select Serial, Network or Power for a view of the specific connections. The user can then take a range of actions using these serial, network or power connections by selecting the Action icon or the related Manage menu item. For example, selecting the Manage Power icon, or Manage: Power from the menu, enables the user to power Off, On or Cycle any power outlet on any PDU the user has been given access privileges to (refer to Chapter 8 for details).
(Screenshot: Manage: Power page, firmware 2.8.0u2: select a power device to manage, Target (all outlets or Outlet 1), and the actions Turn On, Turn Off, Cycle and Status.)

13.2 Port and Host Logs. Administrators and Users can view logs of data transfers to connected devices.
> Select Manage: Port Logs and the serial Port to be displayed.
> To display Host logs, select Manage: Host
162. arity=None
    config -s config.ports.port5.charsize=8
    config -s config.ports.port5.stop=1
    config -s config.ports.port5.label=myport
    config -s config.ports.port5.loglevel=0
    config -s config.ports.port5.protocol=RS232
    config -s config.ports.port5.flowcontrol=None

The following command synchronizes the live system with the new configuration:

    config -r serialconfig

Note: Supported serial port baud rates are 50, 75, 110, 134, 150, 200, 300, 600, 1200, 1800, 2400, 4800, 9600, 19200, 38400, 57600, 115200 and 230400. Supported parity values are None, Odd, Even, Mark and Space. Supported data bits values are 8, 7, 6 and 5. Supported stop bits values are 1, 1.5 and 2. Supported flow control values are Hardware, Software and None.

Additionally, before any port can function properly you need to set the port mode. Any port can run in one of five possible modes (refer to Chapter 4 for details): Console server mode, Device mode, SDT mode, Terminal server mode and Serial bridge mode. These modes are mutually exclusive.

Console server mode. The command to set the port in portmanager mode:

    config -s config.ports.port5.mode=portmanager

To set the following optional config elements for this mode: Data accumulation period (100 ms), Escape character (default is
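Because config(1) accepts any node and any value without checking it (the note in 14.2 above), a small wrapper that validates the RS-232 values against the supported lists before emitting the commands turns a silent mis-spelling into an immediate error. This is an added example, not a vendor tool: the node names match the commands in 14.2, and it assumes the log level is a non-negative integer (the manual only shows the value 0) and that labels contain no single quote, since the output is meant to be piped to sh.

```shell
#!/bin/sh
# Added example (not the vendor's tooling): build the config(1) commands for one
# serial port only after checking every value against the supported sets the
# manual lists, because config -s itself accepts any node or value unchecked.

SPEEDS="50 75 110 134 150 200 300 600 1200 1800 2400 4800 9600 19200 38400 57600 115200 230400"
PARITIES="None Odd Even Mark Space"
CHARSIZES="8 7 6 5"
STOPBITS="1 1.5 2"
FLOWCONTROLS="Hardware Software None"

# in_set VALUE "WORD ..." -> succeeds if VALUE equals one of the words
in_set() {
    for w in $2; do [ "$1" = "$w" ] && return 0; done
    return 1
}

# serial_port_cmds PORT SPEED PARITY CHARSIZE STOP LABEL LOGLEVEL FLOW
# Prints the commands to run (the last one re-syncs the live config), or prints
# the reason on stderr and returns 1 without printing any command at all.
serial_port_cmds() {
    port=$1; speed=$2; parity=$3; charsize=$4; stop=$5; label=$6; loglevel=$7; flow=$8
    case $port in ''|*[!0-9]*) echo "bad port number: '$port'" >&2; return 1;; esac
    # Assumption: loglevel is a non-negative integer (manual shows only 0).
    case $loglevel in ''|*[!0-9]*) echo "bad log level: '$loglevel'" >&2; return 1;; esac
    in_set "$speed" "$SPEEDS"       || { echo "unsupported baud rate: $speed" >&2; return 1; }
    in_set "$parity" "$PARITIES"    || { echo "unsupported parity: $parity" >&2; return 1; }
    in_set "$charsize" "$CHARSIZES" || { echo "unsupported data bits: $charsize" >&2; return 1; }
    in_set "$stop" "$STOPBITS"      || { echo "unsupported stop bits: $stop" >&2; return 1; }
    in_set "$flow" "$FLOWCONTROLS"  || { echo "unsupported flow control: $flow" >&2; return 1; }
    # The label is the only free-form value; it is single-quoted in the output so
    # the lines can be piped to sh, so it must not itself contain a single quote.
    case $label in ''|*\'*) echo "label must be non-empty and contain no single quote" >&2; return 1;; esac
    n="config.ports.port$port"
    printf 'config -s %s.speed=%s\n'       "$n" "$speed"
    printf 'config -s %s.parity=%s\n'      "$n" "$parity"
    printf 'config -s %s.charsize=%s\n'    "$n" "$charsize"
    printf 'config -s %s.stop=%s\n'        "$n" "$stop"
    printf "config -s %s.label='%s'\n"     "$n" "$label"
    printf 'config -s %s.loglevel=%s\n'    "$n" "$loglevel"
    printf 'config -s %s.protocol=RS232\n' "$n"
    printf 'config -s %s.flowcontrol=%s\n' "$n" "$flow"
    printf 'config -r serialconfig\n'
}

# Usage on the console server (the manual's example: port 5, 9600 8N1, label myport):
#   serial_port_cmds 5 9600 None 8 1 myport 0 None | sh
# Anywhere else, leave off the "| sh" to review the commands first.
```

Every check runs before the first command is printed, so a rejected value never leaves the port half-configured; the values are compared case-sensitively because the config tree stores them verbatim and "none" is not the same node value as "None".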
163. art.sh>

    #!/bin/sh
    PORT=$1
    USER=$2
    echo "Welcome to port $PORT $USER"

<etc/config/pmshell-start.sh>

The return value from the script controls whether the user is accepted or not: if 0 is returned (or nothing is done on exit, as in the above script), the user is permitted; otherwise the user is denied access. Here is a more complex script which reads the configuration to display the port label if available, and denies access to the root user:

<etc/config/pmshell-start.sh>

    #!/bin/sh
    PORT=$1
    USER=$2
    # "config -g" prints "node value"; keep everything after the first space so
    # labels containing spaces survive
    LABEL=$(config -g config.ports.port$PORT.label | cut -f2- -d' ')
    if [ "$USER" = "root" ]; then
        echo "Permission denied for Super User"
        exit 1
    fi
    if [ -z "$LABEL" ]; then
        echo "Welcome $USER, you are connected to Port $PORT"
    else
        echo "Welcome $USER, you are connected to Port $PORT ($LABEL)"
    fi

<etc/config/pmshell-start.sh>

15.3 Raw Access to Serial Ports

15.3.1 Access to serial ports. You can use tip and stty to completely bypass the portmanager and have raw access to the serial ports. When you run tip on a portmanager-controlled port, portmanager closes that port and stops monitoring it until tip releases control of it. With stty, the changes made to the port only stick until that port is closed and opened again, so you will probably not want to use stty for more than initial debugging of the serial connection. If you want to use stty to configure the po
164. as is a history of the status of any attached environmental monitors.

7.6.1 Log storage. Before activating any Event, Serial, Network or UPS logging, you must specify where those logs are to be saved. These records are stored off-server or in the console server's USB flash memory.
> Select the Alerts & Logging: Port Log menu option and specify the Server Type to be used and the details to enable log server access.
(Screenshot: Alerts & Logging: Port Log, Remote Log Storage form on an LES1308A, firmware 3.5.3u5: Server Type; Server Address; Server Path (the directory in which to store the logs); Username (the login name required for the remote server); Password and Confirm (the secret required to access the remote server); Syslog Facility (Daemon: the facility field to include in syslog messages); Syslog Priority (info).)

From the Manage Devices menu, the Administrator can view serial, network and power device logs stored in the console server's reserve memory or flash USB. A User will only see logs for the Managed Devices they or their Group have been given access privileges for (refer to Chapter 13). Event logs on the USB can be viewed using the web terminal
165. asons, only the administrator user named root can initially log into your console server. Only people who know the root password can access and reconfigure the console server itself. However, anyone who correctly guesses the root password could gain access, and the default root password is "default". To avoid this, enter and confirm a new root password before giving the console server any access to or control of your computers and network appliances.
> The system password can be changed by editing the root user on the Serial & Network: Users & Groups form.
> Select Change default administration password on the Welcome screen, which takes you to Serial & Network: Users & Groups, where you can add a new, confirmed Password for the user root.
(Screenshot: Serial & Network: Users & Groups, Edit an Existing User form for root on an LES1308A, firmware 3.5.3u5: Username (a unique name for the user), Description (Root User), Password and Confirm (re-enter the user's password for confirmation), SSH Authorized Keys, and Disable Password Authentication (check to allow only public-key authentication for this user when using SSH).)
Once a public key has been added under SSH Authorized Keys, checking Disable Password Authentication removes password guessing over SSH for that account entirely, which is the stronger setting for the root user.
> Enter a new Password, then re-enter it in Confirm. This is the n
166. (Screenshot: Alerts & Logging: SNMP form: System Location and System Contact; SNMP v1 & v2c Read Only Community (the read-only community) and Read Write Community (the read-write community); SNMP v3 Engine ID and Security Level (noauth).)
SNMP v1/v2c community strings travel in cleartext and the read-write community permits configuration changes, so where the management station supports it use SNMP v3 with a Security Level above noauth, and do not set a read-write community unless something actually needs it.

Note: All console servers have the snmptrap daemon to send traps/notifications to remote SNMP servers on defined trigger events, as detailed above. LES1408A, LES1416A, LES1432A, LES1448A, LES1308A, LES1316A, LES1332A, LES1348A, LES1208A-R2, LES1216A-R2, LES1232 and LES1248A-R2 console servers also embed the net-snmpd daemon. It accepts SNMP requests from remote SNMP management servers and provides information on network interfaces, running processes, etc. (refer to Chapter 15.5, Modifying SNMP Configuration, for more details).

7.5.4 Nagios alerts. To notify the central Nagios server of Alerts, NSCA must be enabled under System: Nagios, and Nagios must be enabled for each applicable host or port under Serial & Network: Network Hosts or Serial & Network: Serial Ports (refer to Chapter 10).

7.6 Logging. The console server can maintain log records of auto-response events and log records of all access and communications events with the console server and with the attached serial, network and power devices. A log of all system activity is also maintained by default
167. ation Backup, Firmware.
> Select Status: Support Report and you will be presented with a status snapshot.
> Save the file as a text file and attach it to your support email.

12.4 Syslog. The Linux System Logger in the console server maintains a record of all system messages and errors.
> Select Status: Syslog. You can redirect the syslog record to a remote Syslog Server.
> Enter the remote Syslog Server Address and Syslog Server Port details and click Apply.
The console server maintains a local Syslog. To view the local Syslog file:
> Select Status: Syslog.
To make it easier to find information in the local Syslog file, use the provided pattern-matching filter tool:
> Specify the Match Pattern that you want to search for (for example, the search for "mount" is shown below) and click Apply. The Syslog will then be displayed with only those entries that include the specified pattern.
(Screenshot: Status: Syslog page with Remote System Logging (Syslog Server Address: specify the address of the remote Syslog Server to use; Syslog Server Port: specify which port the remote Syslog Server is serving on) and Local System Logging (Match Pattern) sections.)
168. ave Nagios server at remote sites. The console server products all support basic distributed monitoring. Additionally, the Advanced Console Server family (LES1408A, LES1416A, LES1432A, LES1448A, LES1308A, LES1316A, LES1332A, LES1348A, LES1208A-R2, LES1216A-R2, LES1232A, LES1248A-R2) supports extensive, customizable distributed monitoring. Even if distributed monitoring is not required, the console servers can be deployed locally alongside the Nagios monitoring host server to provide additional diagnostics and points of access to managed devices.
(Figure: Central site with the Nagios server; remote site with a console server, its network, and the managed hosts and services.)

SDT for Nagios extends the capabilities of the central Nagios server beyond monitoring, enabling it to be used for central management tasks. It incorporates the SDT Connector client, enabling point-and-click access and control of distributed networks of console servers and their attached network and serial hosts from a central location.

Note: If you have an existing Nagios deployment, you may want to use the console server gateways in a distributed monitoring server capacity only. If this is the case and you are already familiar with Nagios, skip ahead to section 10.3.

10.1 Nagios Overview. Nagios provides central monitoring of the hosts and services in your distributed network. Nagios is freely downloadable open-source software. T
…be sufficient for most cases. Longer keys may result in slower response time of the console server when establishing a connection.
> Once this is done, click on the Generate CSR button, which will initiate the Certificate Signing Request generation. The CSR can be downloaded to your administration machine with the Download button.
> Send the saved CSR string to a Certification Authority (CA) for certification. You will get the new certificate from the CA after a more or less complicated traditional authentication process, depending on the CA.
> Upload the certificate to the console server using the Upload button, as shown below.

[Screenshot: System > SSL Certificates page after CSR generation. Message: "Changes to configuration succeeded". Fields: Common name (the full canonical name for this device; shown as "supplyrooms"), Organizational unit (the group overseeing this device; "myco production"), Organization (the name of the organization to which the device belongs; "myco lic"), Locality/City (the city where the organization is located; "odgen"), State/Province (the state or province where the organization is located; "utah"), Country (the country where the organization is located).]
…be blocked.
> The Logging Level specifies the level of information to be logged and monitored for each Host access (refer to Chapter 7, Alerts and Logging).
> If the Host is a PDU or UPS power device, or a server with IPMI power control, then specify RPC (for IPMI and PDU) or UPS, and the Device Type. The Administrator can then configure these devices and enable which users have permission to remotely cycle power, etc. (refer to Chapter 8). Otherwise, leave the Device Type set to None.
> If the console server has been configured with distributed Nagios monitoring enabled, then you will also be presented with Nagios Settings options to enable nominated services on the Host to be monitored (refer to Chapter 10, Nagios Integration).
> Click Apply. This will create the new Host and also create a new Managed Device with the same name.

4.5 Trusted Networks

The Trusted Networks facility gives you an option to nominate specific IP addresses where users (Administrators and Users) must be located in order to access console server serial ports.
> Select Serial & Network > Trusted Networks.
> To add a new trusted network, select Add Rule.

[Screenshot: Serial & Network > Trusted Networks > Add a New Rule (Accessible Port(s), Select User); System Name les1308a, Model LES1308A, Firmware 3.5.3u5]
…be distributed throughout the data center, across a campus, or around the world. NUT supports the more complex power architectures found in data centers, communications centers and distributed office environments, where many UPSes from many vendors power many systems with many clients. Each of the larger UPSes powers multiple devices, and many of these devices are in turn dual-powered.

8.3 Environmental Monitoring

The Environmental Monitor Device (EMD) connects to any Black Box console server serial port, and each console server can support multiple EMDs. Each EMD device has one temperature and one humidity sensor and one or two general-purpose status sensors that you can connect to a smoke detector, water detector, vibration sensor or open-door sensor. Using the Management Console, Administrators can view the ambient temperature (in °C) and humidity (percentage), and set the EMD to automatically send alarms, progressively from warning levels to critical alerts.

[Figure: Console server with several EMDs (each with temperature and humidity sensors) and attached vibration sensor, water leak sensor, smoke detector, glass break sensor and open door detector]

8.3.1 Connecting the EMD

The Environmental Monitor Device (EMD) connects to any serial por…
…cations, Connectivity and Serial I/O; Terminology; End User License Agreement; Service and Warranty.

Chapter 1: Introduction

This Manual

This User's Manual walks you through installing and configuring your Black Box Console Server (LES1108A, LES1116A, LES1132A, LES1148A, LES1508A) or Advanced Console Server (LES1208A-R2, LES1216A-R2, LES1232A, LES1248A-R2, LES1308A, LES1316A, LES1332A, LES1348A, LES1408A, LES1416A, LES1432A, LES1448A). Each of these products is referred to generically in this manual as a console server.

Once configured, you will be able to use your console server to securely monitor, access and control the computers, networking devices, telecommunications equipment, power supplies and operating environments in your data room or communications centers. This manual guides you in managing this infrastructure locally (across your operations or management LAN, or through the local serial console port) and remotely (across the Internet or a private network, or via dial-up).

Manual Organization

This manual contains the following chapters:
1. Introduction: An overview of the features of the console server and information on this manual.
2. Installation: Physical installation of the console server and how to interconnect controlled devices.
3. System Configuration: Describes the initial installation and configuration using the Management Console. Covers configuration of the console server…
…ce Access Rules can be set for connecting to the console server/router itself.

5.8.1 Configuring network forwarding and IP masquerading

To use a console server as an Internet or external network gateway requires establishing an external network connection and then setting up forwarding and masquerading.

Note: Network forwarding allows the network packets on one network interface (e.g. LAN1/eth0) to be forwarded to another network interface (e.g. LAN2/eth1, or dial-out/cellular), so locally networked devices can IP-connect through the console server to devices on remote networks. IP masquerading is used to allow all the devices on your local private network to hide behind and share the one public IP address when connecting to a public network. This type of translation is only used for connections originating within the private network and destined for the outside public network; each outbound connection is kept distinct by using a different source port number.

By default, all console server models are configured so that they will not route traffic between networks. To use the console server as an Internet or external network gateway, forwarding must be enabled so that traffic can be routed from the internal network to the Internet/external network.
> Navigate to the System > Firewall page and then click on the Forwarding & Masquerading tab.

[Screenshot: System > Firewall > Forwarding & Masquerading tab (Model LES1216A, Firmware 3.4.2)]
(table continued)
NRPE time to service 1 check | 1/10 second | 1/3 second | 1/8 second
NRPE time to service 10 simultaneous checks | 1 second | 3 seconds | 1 second
Maximum number of simultaneous checks before timeouts | 30 | 20 (1, 2 and 8 port) or 25 (16 and 48 port) | 25 (8 port), 35 (16 and 48 port)

The results were from running tests 5 times in succession, with no timeouts on any runs.

There are a number of ways to increase the number of checks you can do. Usually, when using NRPE checks, an individual request will need to set up and tear down an SSL connection. This overhead can be avoided by setting up an SSH session to the console server and tunneling the NRPE port. This allows the NRPE daemon to run without SSL encryption, because SSH provides the security; the unencrypted NRPE port should then be reachable only through that tunnel, not directly over the network.

When the console server submits NSCA results, it staggers them over a certain time period. For example, 20 checks over 10 minutes will result in two check results every minute. Staggering the results like this means that if the power fails, or another incident causes multiple problems, the individual freshness checks will be staggered too. NSCA checks are also batched: in the previous example, the two checks per minute are sent through in a single transaction.

10.4.5 Distributed Monitoring Usage Scenarios

Below are a number of distributed monitoring Nagios scenarios.

I. Local office

In this scenario, the console server is set up to monitor each managed device's console. Configure it to make…
…cify the Shutdown Order for this UPS. This is a whole positive number or -1: 0s shut down first, then 1s, 2s, etc.; -1s are not shut down at all. Defaults to 0.
> Select the Driver that you will use to communicate with the UPS. Most console servers are preconfigured so the drop-down menu presents a full selection of drivers from the latest Network UPS Tools (NUT) version 2.4.
> Click New Options in Driver Options if you need to set driver-specific options for your selected NUT driver and hardware combination (more details at http://www.networkupstools.org/doc).
> Check Log Status and specify the Log Rate (minutes between samples) if you want the status from this UPS to be logged. You can view these logs from the Status > UPS Status screen.
> If you have enabled Nagios services, then you will be presented with an option for Nagios monitoring. Check Enable Nagios to enable this UPS to be monitored using Nagios central management.
> Check Enable Shutdown Script if this is the UPS providing power to the console server itself and, if a critical power failure occurs, you want to perform any "last gasp" actions on the console server before power is lost. Place a custom script in /etc/config/scripts/ups-shutdown (you may use the provided /etc/scripts/ups-shutdown as a template). This script only runs when the UPS reaches critical battery status.
> Click Apply.

Note: You can also customize the upsmon, upsd and upsc settings for this UPS har…
…ckmount console servers. The LES1508A Console Server has the Cisco RJ-45 pinout, shown below:

PIN | SIGNAL | DEFINITION | DIRECTION
1 | CTS | Clear To Send | Input
2 | DSR | Data Set Ready | Input
3 | RXD | Receive Data | Input
4 | GND | Signal Ground | N/A
5 | GND | Signal Ground | N/A
6 | TXD | Transmit Data | Output
7 | DTR | Data Terminal Ready | Output
8 | RTS | Request To Send | Output

The LES1108A, LES1116A, LES1132A and LES1148A Console Servers have the Black Box Classic RJ-45 pinout, shown below:

[Table: Black Box Classic RJ-45 pinout; legible rows: RTS, Request To Send, Output; DSR, Data Set Ready, Input; DCD, Data Carrier Detect, Input; GND, Signal Ground; DTR, Data Terminal Ready, Output; CTS, Clear To Send, Input]

The LES1208A-R2, LES1216A-R2, LES1232A, LES1248A-R2, LES1308A, LES1316A, LES1332A, LES1348A, LES1408A, LES1416A, LES1432A and LES1448A Advanced Console Servers have the Cyclades RJ-45 pinout, shown next:

PIN | SIGNAL | DEFINITION | DIRECTION
1 | RTS | Request To Send | Output
2 | DTR | Data Terminal Ready | Output
3 | TXD | Transmit Data | Output
4 | GND | Signal Ground | N/A
5 | CTS | Clear To Send | Input
6 | RXD | Receive Data | Input
7 | DCD | Data Carrier Detect | Input
8 | DSR | Data Set Ready | Input

The rackmount console servers also have a DB9 LOCAL Console/Modem port on the front panel. The LES1108A has a DB9 LOCAL Console/Modem port on the rear panel. With the LES1508 Ser…
…ckups on USB
load FILE: load a specific config from USB
load-default: load the default configuration
set-default FILE: set which file becomes the default

The first thing to do is to check if the USB disk has a label:

    /etc/scripts/backup-usb check-magic

If this command returns "Magic volume not found", then run the following command:

    /etc/scripts/backup-usb set-magic

To save the configuration:

    /etc/scripts/backup-usb save config-20May

To check if the backup was saved correctly:

    /etc/scripts/backup-usb list

If this command does not display config-20May, then there was an error saving the configuration.

The set-default command takes an input file as an argument and renames it to default.opg. This default configuration remains stored on the USB disk. The next time you want to load the default config, it will be sourced from the new default.opg file.

To set a config file as the default:

    /etc/scripts/backup-usb set-default config-20May

To load this default:

    /etc/scripts/backup-usb load-default

To load any other config file:

    /etc/scripts/backup-usb load <filename>

The /etc/scripts/backup-usb script can be executed directly with the various COMMANDS, or called from other custom scripts you may create. We recommend that you do not customize the /etc/scripts/backup-usb script itself at all.

15.1.9 Backing up the configuration off-box

If you do not have a USB port on your console s…
…clients available for Windows computers (WinNUT). If you have an RPC/PDU, you can shut down UPS-powered computers and other equipment even if they don't have a client running (for example, communications and surveillance gear): set up a UPS alert and use it to trigger a script that controls a PDU to shut off the power (refer to Chapter 15).

8.2.4 UPS alerts

You can set UPS alerts using Alerts & Logging > Alerts (refer to Chapter 7, Alerts & Logging).

8.2.5 UPS status

You can monitor the current status of your network-, serially- or USB-connected Managed UPSes, and any configured Remote UPSes.
> Select the Status > UPS Status menu, and a table with the summary status of all connected UPS hardware displays.
> Click on any particular UPS System name in the table, and more detailed graphical information on the selected UPS System appears.

[Screenshot: UPS Status for "SmartOnline SUINT1000RTXL2Ua", Thu May 14 02:25:13 EDT 2009, with Battery, Input, Output and Load graphs and a summary table of UPS Model, Status, Battery, Input, Output]

> Click on All Data for any particular UPS System in the table for more status and configuration information about the selected UPS System.
> Select UPS Logs, and you will be presented with the log table of the load, battery charge level, temperature and other status information from all the Managed and Monitored UPS systems. This information will be logged for all UPSes that were configured with L…
[Screenshot: Serial & Network > Authentication, LDAP settings]
Bind DN (shown ending in dc=company,dc=com): The distinguished name to bind to the server with. The default is to bind anonymously.
Bind password: Password for the Bind DN user.
Username attribute (sAMAccountName): The LDAP attribute that corresponds to the login name of the user.
Group membership attribute (memberOf): The LDAP attribute that is used to indicate group memberships.
Console server group DN: The distinguished name of a group existing on the server which all users with access to the console server must belong to.
Users group DN: The distinguished name of a group existing on the server whose members will be given users group access.
LDAP Administration Group DN: The distinguished name of a group existing on the server whose members will be given admin group access.

> Enter the Server Address (IP or host name) of the remote Authentication server. Multiple remote servers may be specified in a comma-separated list. Each server is tried in succession.
> Enter the Server Password.

Note: To interact with LDAP requires that the user account exist on your console server to work with the remote server. You can't just create the user on your LDAP server and not tell the console server about it: you need to add the user account locally as well.

> Click Apply. LDAP remote authentication will now be used for all user access to the console server and to serially or network attached devices.

LDAP

The Lightweight Directory Access Protocol (LDAP) is based on the X.500 standard, but is significantly simpler and more readily adapted to meet custom needs. T…
    config -s config.alerts.alert2.enviro.low.critical=5
    config -s config.alerts.alert2.enviro.low.warning=10
    config -s config.alerts.alert2.enviro1=SensorInRoom42
    config -s config.alerts.alert2.signal=DSR
    config -s config.alerts.alert2.type=enviro

Example 2: To configure a load sensor alert for outlets 2 and 4 for an RPC called RPCInRoom20:

    config -s config.alerts.alert2.outlet1=RPCname.outlet2
    config -s config.alerts.alert2.outlet2=RPCname.outlet4
    config -s config.alerts.alert2.enviro.high.critical=300
    config -s config.alerts.alert2.enviro.high.warning=280
    config -s config.alerts.alert2.enviro.hysteresis=20
    config -s config.alerts.alert2.enviro.low.critical=50
    config -s config.alerts.alert2.enviro.low.warning=70
    config -s config.alerts.alert2.rpc1=RPCInRoom20
    config -s config.alerts.alert2.sensor=load
    config -s config.alerts.alert2.signal=DSR
    config -s config.alerts.alert2.type=enviro

Alarm Sensor Alert: To set an alert for doorAlarm and windowAlarm, which are two alarms connected to an environmental sensor called SensorInRoom3. Both alarms are disabled on Mondays from 8:15 am to 2:30 pm:

    config -s config.alerts.alert2.alarm1=SensorInRoom3.alarm1.doorAlarm
    config -s config.alerts.alert2.alarm2=SensorInRoom3.alarm2.windowAlarm
    config -s config.alerts.alert2.alarmrange.mon.from.hour=8
    config -s config.alerts.alert2.alarmrange.mon.from.min=15
…connected to the Console port for dialing out to an ISP or the remote management office.

[Screenshot: System > IP > Management LAN Interface page (Firmware 2.8.0u2, Current User root). General Settings / IP Settings: Configuration Method (the mechanism to acquire IP settings), IP Address (a statically assigned IP address), Subnet Mask (a statically assigned network mask), Gateway (a statically assigned gateway), Primary DNS, Secondary DNS, Media (the Ethernet media type; "Auto"), Failover Interface ("None"), Primary Probe Address (the address of the first peer to probe), Secondary Probe Address, Apply. Interfaces listed: Management LAN (lan); Serial DB9 Port (sercon) DISABLED; Internal Modem Port (modem01) DISABLED.]
…cprt2 sctplu s htm

9.1.3 RADIUS authentication

Perform the following procedure to configure the RADIUS authentication method to use whenever the console server, or any of its serial ports or hosts, is accessed.
> Select Serial & Network > Authentication and check RADIUS, LocalRADIUS, RADIUSLocal or RADIUSDownLocal.

[Screenshot: RADIUS settings. Authentication and Authorization Server Address (comma-separated list of remote authentication and authorization servers); Accounting Server Address (comma-separated list of remote accounting servers; if unset, the Authentication and Authorization Server Address will be used); Server Password (the shared secret allowing access to the authentication server); Confirm Password (re-enter the above password for confirmation)]

> Enter the Server Address (IP or host name) of the remote Authentication/Authorization server. Multiple remote servers may be specified in a comma-separated list. Each server is tried in succession.
> In addition to multiple remote servers, you can also enter separate lists of Authentication/Authorization servers and Accounting servers. If no Accounting servers are specified, the Authentication/Authorization servers are used instead.
> Enter the Server Password.
> Click Apply. RADIUS remote authentication will now be used for all user acces…
…cr, check_real, check_spop, check_tcp, check_user. You can download these plug-ins from the Nagios plug-ins package from www.blackbox.com. You can also download and run bash scripts, primarily check_log.sh.
> To configure additional checks, save the downloaded plug-in program in the tftp/addins directory on the USB flash, and save the downloaded text plug-in file in /etc/config.
> To enable these new additional checks, select Serial & Network > Network Hosts, then Edit the Network Host you want to monitor and select New Checks. The additional check option is included in the updated Nagios Checks list, and you can again customize the arguments.

10.4.4 Number of supported devices

Ultimately, the number of devices that any particular console server can support depends upon the number of checks made and how often they are performed. The access method will also play a part. The table below shows the performance of three of the console servers.

Time | No encryption | 3DES encryption | SSH tunnel
NSCA for single check | … second | … second | … second
NSCA for 100 sequential checks | 100 seconds | 100 seconds | 100 seconds
NSCA for 10 sequential checks, batched upload | 1 second | 2 seconds | 1 second
NSCA for 100 sequential checks, batched upload | 7 seconds | 11 seconds | 6 seconds
(NRPE columns) | No SSL, no encryption | SSL encryption | Tunneled over existing SSH session
NRPE time to service 1…
…ctions to a device that you can access and monitor through the console server. To view the connections to the devices:
> Select Serial & Network > Managed Devices.

[Screenshot: Serial & Network > Managed Devices. Columns: Device Name, Description/Notes, Related Connections; "No devices currently configured"; Add Device button]

This screen displays all the Managed Devices with their Description/Notes. It also lists all the configured Connections, that is: Serial Port (if serially connected) or USB (if USB-connected), IP Address (if network-connected), Power (PDU outlet details, if applicable) and any UPS connections. Devices such as servers will commonly have more than one power connection (for example, dual power supplies) and more than one network connection (for example, for a BMC/service processor).

All Users can view (but not edit) these Managed Device connections by selecting Manage > Devices. The Administrator user can edit, add and delete these Managed Devices and their connections.

To edit an existing device and add a new connection:
> Select Edit on the Serial & Network > Managed Devices page and click Add Connectio…
…d also have some telecommunications device connected to port 2, which is powered by RPC outlet 3. Now assume the telecom device transmits the character stream "EMERGENCY" out of its serial console port every time it encounters some specific error, and the only way to fix this error is to power-cycle the telecom device.

The first step is to set up a pattern-match alert on port 2 to check for the pattern EMERGENCY. Next, we need to create a custom script to deal with this alert:

    cd /
    mkdir /etc/config/scripts          (if the directory does not already exist)
    cp /etc/scripts/portmanager-pattern-alert /etc/config/scripts/portmanager-pattern-alert

Note: Make sure to remove the if statement which checks for a custom script from the new script, in order to prevent an infinite loop.

The pmpower utility is used to send power commands to the RPC device in order to power-cycle our telecom device:

    pmpower -l port01 -o 3 cycle

(The RPC is on serial port 1; the telecom device is powered by RPC outlet 3.)

We can now append this command to our custom script. This will guarantee that our telecom device will be power-cycled every time the console server reads the EMERGENCY character stream on port 2. Because anything that can write to that console can trigger the power cycle, choose a pattern that never appears in the device's normal output.

15.1.4 Example script: Multiple email notifications on each alert

If you want to send more than one email when an alert triggers, you have to create a replacement script using the method described above and add the appropriate lines to your new script. Curre…
…d establish an SSH connection to the Slave (remote host):

    ssh remhost

Once the SSH connection has been established, the system asks you to accept the key. Check that the fingerprint shown matches the Slave's host key before answering yes; the fingerprint will then be added to the list of known hosts. For more details on fingerprinting, refer to Chapter 15.6.
> If the system asks you to supply a password, then there is a problem with uploading keys. The keys should remove any need to supply a password.

4.6.3 Configure the slaves and their serial ports

You can now begin setting up the Slaves and configuring Slave serial ports from the Master console server.

[Screenshot: Serial & Network > Cascaded Ports on the Master. Columns: IP Address/DNS Name, Description, Label, Number of Ports, Locally Allocated Port Numbers; "No slaves currently configured"; Add Slave button]

> Select Serial & Network > Cascaded Ports on the Master's Management Console.
> To add clustering support, select Add Slave.

Note: You can't add any Slaves until you automatically or manually generate SSH keys.

[Screenshot: Serial & Network > Cascaded Ports > Add Slave (System Name ACSdoc, Model LES1216A, Firmware 2.8.0u2)]
…device via telnet or ssh. To operate, the Managed Device must be set up with both its Serial port connection and its Power connection configured. The command to bring up the power menu is ~p.

[Screenshot: PuTTY session to 192.168.252.202 showing the power menu]

Single Connection: This setting limits the port to a single connection.
> If multiple users have access privileges for a particular port, only one user at a time can access that port (that is, port snooping is not permitted).

4.1.3 SDT Mode

This setting allows port forwarding of RDP, VNC, HTTP, HTTPS, SSH, Telnet and other LAN protocols through to computers that are locally connected to the console server by their serial COM port. Port forwarding requires that you set up a PPP link over this serial port.

[Screenshot: SDT Settings. SDT Mode: Enable access over SSH to a host connected to this serial port. Username: the login name for PPP (the default is port01). User Password: the login secret for PPP (the default is port01). Confirm Password: re-type the password for confirmation.]

Replace the default PPP username and password with values of your own before enabling SDT Mode on a port.

For configuration details, refer to Chapter 6.6, Using SDT Connector to Telnet or SSH connect to devices that are serially attached to the console server.

4.1.4 Device (RPC, UPS, EMD) Mode

This mode configures the selected serial port to communicate with a serial-controlled Uninterruptible Power Supply (UPS), Remote Power Controller/Power Distribution Unit (RPC) or Environmental Monitoring Device (EMD). D…
…displayed as commands are processed. Useful for debugging device scripts.
-x, --exprange: Expand host ranges in query responses.

For more details, refer to http://linux.die.net/man/1/powerman. Also refer to the powermand (http://linux.die.net/man/1/powermand) and powerman.conf (http://linux.die.net/man/5/powerman.conf) documentation.

Target Specification

powerman target hostnames may be specified as comma-separated or space-separated hostnames or host ranges. Host ranges are of the general form prefix[n-m,l-k,...], where n < m and l < k, etc. This form should not be confused with regular expression character classes (also denoted by []). For example, foo[19] does not represent foo1 or foo9, but rather represents a degenerate range: foo19. This range syntax is meant only as a convenience on clusters with a prefixNN naming convention, and specification of ranges should not be considered necessary: the list foo1, foo9 could be specified as such, or by the range foo[1,9].

Some examples of powerman targets follow.

Power on hosts bar, baz, foo01, foo02, ..., foo05:

    powerman --on bar baz foo[01-05]

Power on hosts bar, foo7, foo9, foo10:

    powerman --on bar foo[7,9-10]

Power on foo0, foo4, foo5:

    powerman --on foo[0,4-5]

As a reminder to the reader, some shells will interpret brackets ([ and ]) for pattern matching. Depending on your shell, you might need to enclose ranged lists within quotes. For example, in tcsh, the last…
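The following is an added example, not code from powerman or from this manual: a small expander for the target syntax described above (comma- or space-separated names with prefix[n-m,l-k] ranges), so you can list exactly which hosts a power command will reach before you run it. It reproduces the degenerate-range behaviour (foo[19] is foo19), keeps zero-padding from the low bound (foo[01-05]), rejects n > m, and generalizes to a second bracket group in one name. All host names are constructed.

```python
"""Expander for powerman-style target lists (added example; host names constructed)."""
import re
from typing import List

RANGE_ITEM = re.compile(r"^(\d+)(?:-(\d+))?$")


def split_targets(spec: str) -> List[str]:
    """Split on commas and whitespace, but not inside [...]: foo[7,9-10] is one target."""
    tokens, cur, depth = [], [], 0
    for ch in spec:
        if ch == "[":
            depth += 1
        elif ch == "]":
            depth -= 1
            if depth < 0:
                raise ValueError(f"unbalanced ']' in {spec!r}")
        if depth == 0 and ch in " ,\t":
            if cur:
                tokens.append("".join(cur))
                cur = []
            continue
        cur.append(ch)
    if depth != 0:
        raise ValueError(f"unbalanced '[' in {spec!r}")
    if cur:
        tokens.append("".join(cur))
    return tokens


def expand_items(body: str) -> List[str]:
    """'01-05' -> ['01', ..., '05'] (padding kept from the low bound); '19' -> ['19']."""
    out = []
    for item in body.split(","):
        m = RANGE_ITEM.match(item)
        if not m:
            raise ValueError(f"bad range item {item!r}")
        lo, hi = m.group(1), m.group(2)
        if hi is None:               # degenerate range: foo[19] means foo19, not foo1/foo9
            out.append(lo)
            continue
        if int(lo) > int(hi):        # the page requires n < m
            raise ValueError(f"range {item!r} has n > m")
        out.extend(str(n).zfill(len(lo)) for n in range(int(lo), int(hi) + 1))
    return out


def expand_host(target: str) -> List[str]:
    """Expand the first [...] group and recurse so a second group is handled too."""
    m = re.search(r"\[([^\[\]]*)\]", target)
    if not m:
        return [target]
    head, tail = target[:m.start()], target[m.end():]
    names = []
    for item in expand_items(m.group(1)):
        names.extend(expand_host(head + item + tail))
    return names


def expand_targets(spec: str) -> List[str]:
    names = []
    for tok in split_targets(spec):
        names.extend(expand_host(tok))
    return names


if __name__ == "__main__":
    for spec in ("bar baz foo[01-05]", "bar foo[7,9-10]", "foo[0,4-5]", "foo[19]"):
        print(f"{spec:22} -> {' '.join(expand_targets(spec))}")
```

Pass the same quoted string you intend to give powerman; if the expansion is not what you expect (for example a missing comma inside the brackets), nothing has been powered off yet.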
…dress ranges, use the format ip/netmask, where netmask is in bits (1-32). This may be left blank.
> Select whether the firewall rule will apply to TCP or UDP.
> Select the traffic direction that the firewall rule will apply to: Ingress (incoming) or Egress.
> Select the action (Accept or Block) that will be applied to the packets detected that match the Interface, Port Range, Source/Destination Address Range, Protocol and Direction.

For example, to block all SSH traffic from leaving the Dialout Interface, the following settings can be used:
Interface: Dialout/Cellular
Port Range: 22
Protocol: TCP
Direction: Egress
Action: Block

The firewall rules are processed in a set order, from top to bottom, so rule placement is important. For example, with the following rules, all traffic coming in over the Network Interface is blocked except when it comes from two nominated IP addresses (SysAdmin and Tony):

Field | To allow all incoming traffic on all interfaces from the SysAdmin | To allow all incoming traffic from Tony | To block all incoming traffic from the Network Interface
Interface | Any | Any | Network Interface
Port Range | Any | Any | Any
Source IP | IP address of SysAdmin | IP address of Tony | Any
Destination IP | Any | Any | Any
Protocol | TCP | TCP | TCP
Direction | Ingress | Ingress | Ingress
Action | Accept | Accept | Block

However, if the Rule Order above was changed so that the Block Everyone Else rule was second on the l…
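To make the ordering point concrete, here is an added example (not the console server's firewall code) that evaluates a rule table top-to-bottom, first match wins, with rule fields mirroring the Management Console form. The packet model, the addresses, and the default applied when no rule matches (Accept, so that the page's "block everyone else" rule is what does the blocking) are constructed assumptions for this example.

```python
"""First-match evaluator for a console-server-style firewall rule table (added example)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass
class Rule:
    interface: str    # "Any", "Network Interface", "Dialout/Cellular", ...
    port_range: str   # "Any", "22" or "3001-3048"
    source: str       # "Any", "192.0.2.10" or "192.0.2.0/24" (netmask in bits)
    destination: str  # same forms as source
    protocol: str     # "TCP" or "UDP"
    direction: str    # "Ingress" or "Egress"
    action: str       # "Accept" or "Block"


@dataclass
class Packet:            # constructed packet model: just the fields the rules look at
    interface: str
    port: int
    src: str
    dst: str
    protocol: str
    direction: str


def port_matches(spec: str, port: int) -> bool:
    if spec == "Any":
        return True
    if "-" in spec:
        lo, hi = (int(x) for x in spec.split("-", 1))
        return lo <= port <= hi
    return int(spec) == port


def addr_matches(spec: str, addr: str) -> bool:
    # A bare address is treated as a /32; "ip/bits" follows the page's format.
    return spec == "Any" or ip_address(addr) in ip_network(spec, strict=False)


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    return (rule.interface in ("Any", pkt.interface)
            and port_matches(rule.port_range, pkt.port)
            and addr_matches(rule.source, pkt.src)
            and addr_matches(rule.destination, pkt.dst)
            and rule.protocol == pkt.protocol
            and rule.direction == pkt.direction)


def evaluate(rules: List[Rule], pkt: Packet,
             default: str = "Accept") -> Tuple[str, Optional[int]]:
    """Top-to-bottom, first match wins. Returns (action, index of the rule that
    fired), or (default, None) when nothing matched (the default is an assumption)."""
    for i, rule in enumerate(rules):
        if rule_matches(rule, pkt):
            return rule.action, i
    return default, None


# Constructed sample: the page's SysAdmin / Tony / block-everyone-else rule set.
SYSADMIN, TONY, OUTSIDER, SERVER = "192.0.2.10", "192.0.2.20", "198.51.100.7", "192.0.2.1"
ALLOW_SYSADMIN = Rule("Any", "Any", SYSADMIN, "Any", "TCP", "Ingress", "Accept")
ALLOW_TONY = Rule("Any", "Any", TONY, "Any", "TCP", "Ingress", "Accept")
BLOCK_NETWORK = Rule("Network Interface", "Any", "Any", "Any", "TCP", "Ingress", "Block")
BLOCK_SSH_DIALOUT = Rule("Dialout/Cellular", "22", "Any", "Any", "TCP", "Egress", "Block")

CORRECT_ORDER = [ALLOW_SYSADMIN, ALLOW_TONY, BLOCK_NETWORK]
WRONG_ORDER = [ALLOW_SYSADMIN, BLOCK_NETWORK, ALLOW_TONY]   # block rule moved to second


def ingress(src: str, port: int = 22) -> Packet:
    """Incoming TCP packet on the Network Interface from src to the console server."""
    return Packet("Network Interface", port, src, SERVER, "TCP", "Ingress")


if __name__ == "__main__":
    for name, rules in (("correct order", CORRECT_ORDER), ("wrong order", WRONG_ORDER)):
        for who, src in (("SysAdmin", SYSADMIN), ("Tony", TONY), ("outsider", OUTSIDER)):
            print(f"{name:13} {who:8} -> {evaluate(rules, ingress(src))}")
```

With the block rule moved to second place, Tony's packets hit it before his Accept rule is ever consulted, which is exactly the failure the page warns about; the returned index tells you which rule decided the packet.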
…ds

alias [-p] [name[=value] ... ]
bg [job_spec ...]
bind [-lpvsPVS] [-m keymap] [-f filename] [-q name] [-u name] [-r keyseq] [-x keyseq:shell-command] [keyseq:readline-function or readline-command]
break [n]
builtin [shell-builtin [arg ...]]
case WORD in [PATTERN [| PATTERN]...) COMMANDS ;;]... esac
cd [-L|-P] [dir]
command [-pVv] command [arg ...]
compgen [-abcdefjkvu] [-o option] [-A action] [-G globpat] [-W wordlist] [-P prefix] [-S suffix] [-X filterpat] [-F function] [-C command] [word]
complete [-abcdefjkvu] [-pr] [-o option] [-A action] [-G globpat] [-W wordlist] [-P prefix] [-S suffix] [-X filterpat] [-F function] [-C command] [name ...]
continue [n]
declare [-afFrxi] [-p] name[=value] ...
dirs [-clpv] [+N] [-N]
disown [-h] [-ar] [jobspec ...]
echo [-neE] [arg ...]
enable [-pnds] [-a] [-f filename] [name ...]
eval [arg ...]
exec [-cl] [-a name] file [redirection ...]
exit [n]
export [-nf] [name[=value] ...] or export -p
false
fc [-e ename] [-nlr] [first] [last] or fc -s [pat=rep] [cmd]
fg [job_spec]
for NAME [in WORDS ... ;] do COMMANDS; done
function NAME { COMMANDS ; } or NAME () { COMMANDS ; }
getopts optstring name [arg]
hash [-r] [-p pathname] [name ...]
help [-s] [pattern ...]
history [-c] [-d offset] [n] or history -awrn [filename] or history -ps arg [arg ...]
if COMMANDS; then COMMANDS; [ elif COMMANDS; then COMMANDS; ] [ else COMMANDS; ] fi
jobs [-lnprs] [jobspec ...] or jobs -x command [args]
kill [-s sigspec | -n signum | -sigspec] [pid | job] ... or kill -l [sigspec]
let arg [arg ...]
local name[=value] ...
logout
popd [+N | -N] [-n]
printf format [arguments]
pushd [dir | +N | -N] [-n]
pwd [-PL]
read [-ers] [-t timeout] [-p prompt] [-a array] [-n nchars] [-d delim] [name ...]
readonly [-anf] [name[=value] ...] or readonly -p
return [n]
select NAME [in WORDS ... ;] do COMMANDS; done
set [-abefhkmnptuvxBCHP] [-o option] [arg ...]
shift [n]
shopt [-pqsu] [-o long-option] optname [optname ...]
source filename
suspend [-f]
test [expr]
time [-p] PIPELINE
times
trap [arg] [signal_spec ...]
true
type [-apt] name [name ...]
typeset [-afFrxi] [-p] name[=value] ...
191. dware directly from the command line 8 2 2 Remote UPS management A Remote UPS is a UPS that is connected as a Managed Device to a remote console server that is monitored but not managed by your console server You can configure the upsc and upslog clients in the Black Box console server to monitor remote servers that are running Network UPS Tools managing their locally connected UPSes These remote servers might be other Black Box console servers or generic Linux servers running NUT You can centrally monitor all these distributed UPSes which may be spread in a row in a data center around a campus property or across the country through the one central console server window To add a Remote UPS gt Select the Serial amp Network UPS Connections menu The Remote UPSes section will display all the remote UPS devices being monitored gt Click Add Remote UPS 724 746 5500 blackbox com Page 157 e System Name oc Model LE A Firmware 2 8 0u2 gt lt SBLACK BOX Uptime 0 day urs 42 mins cs Current User root ha Backup Log Out NETWORK SERVICES Serial amp Network Serial Port Add Remote UPS Users amp Groups UPS Name Authentication ation Hasis The name of this UPS Trusted Networks Description Cascaded Ports UPS Connections An optional description RPC Connections Address Environmental Managed Devices The address or DNS name of the host managing this UPS Log Status Alerts amp Logging P lly log UPS stat
…e. For SSH access to the consoles on devices attached to the console server serial ports, you can use SDT Connector. Configure SDT Connector with the console server as a gateway, then as a host, and enable SSH service on Port (3000 + serial port #), i.e. 3001-3048. Chapter 6, Secure Tunneling, has more information on using SDT Connector for SSH access to devices that are attached to the console server serial ports.

You can also use common communications packages like PuTTY or SSHTerm to SSH connect directly to port address IP Address:Port (3000 + serial port #), i.e. 3001-3048.

SSH connections can also be configured using the standard SSH port 22. Identify the serial port to be accessed by appending a descriptor to the username. This syntax supports:
<username>:<portXX>
<username>:<port label>
<username>:<ttySX>
<username>:<serial>

For a User named fred to access serial port 2, when setting up the SSHTerm or PuTTY SSH client, instead of typing username = fred and ssh port = 3002, the alternative is to type username = fred:port02 or username = fred:ttyS1 and ssh port = 22. Or, by typing username = fred:serial and ssh port = 22, a port selection option appears to the User.

[Screenshot: PuTTY session to 192.168.254.152 showing the serial port selection menu]

This syntax enables Users to set up SSH tunnels to all serial ports while opening only a single IP port.
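As an added example (not the console server's own login code), the resolver below shows how the four descriptor forms above map onto a serial port number, including the ttyS numbering offset (ttyS1 is serial port 2, as in the fred example), the :serial menu form, and the 3000 + N direct-connect port. The port-label table and the login strings are constructed; the fixed port/ttyS forms are matched before labels so a label that happens to look like port03 cannot shadow them.

```python
"""Resolve user:descriptor SSH logins to console server serial ports (added example)."""
import re
from typing import Dict, Optional, Tuple, Union

PORT_FORM = re.compile(r"^port(\d{1,2})$")   # port02 -> serial port 2
TTY_FORM = re.compile(r"^ttyS(\d{1,2})$")    # ttyS1 -> serial port 2 (ttyS numbers from 0)
SSH_BASE_PORT = 3000                          # page: direct SSH to port 3000 + serial port #

# serial port number, "menu" for :serial, or None for a plain login to the console server
Target = Union[int, str, None]


def tcp_port_for_serial(port_no: int, num_ports: int) -> int:
    """Direct-connect TCP port for serial port N (3001-3048 on a 48-port unit)."""
    if not 1 <= port_no <= num_ports:
        raise ValueError(f"serial port {port_no} out of range 1-{num_ports}")
    return SSH_BASE_PORT + port_no


def resolve_login(login: str, port_labels: Dict[str, int],
                  num_ports: int = 48) -> Tuple[str, Target]:
    """Split 'fred:port02' into ('fred', 2); unknown descriptors are rejected
    rather than silently falling through to a shell login."""
    user, sep, desc = login.partition(":")
    if not user:
        raise ValueError("empty username")
    if not sep:
        return user, None
    if desc == "serial":
        return user, "menu"
    m = PORT_FORM.match(desc)
    if m:
        port_no = int(m.group(1))
    else:
        m = TTY_FORM.match(desc)
        if m:
            port_no = int(m.group(1)) + 1
        elif desc in port_labels:
            port_no = port_labels[desc]
        else:
            raise ValueError(f"unknown serial port descriptor {desc!r}")
    if not 1 <= port_no <= num_ports:
        raise ValueError(f"serial port {port_no} out of range 1-{num_ports}")
    return user, port_no


if __name__ == "__main__":
    labels = {"core-router": 2, "pdu-a": 7}   # constructed label table
    for login in ("fred:port02", "fred:ttyS1", "fred:core-router", "fred:serial", "fred"):
        print(f"{login:18} -> {resolve_login(login, labels)}")
    print("direct-connect port for serial port 2:", tcp_port_for_serial(2, 48))
```

Whichever form a user types, the per-port access checks in Serial & Network > Users & Groups still apply; the descriptor only selects the port.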
193. …Group.

Note: There are no specific limits on the number of users you can set up, nor on the number of users per serial port or host. Multiple users (Users and Administrators) can control/monitor one port or host. There are no specific limits on the number of Groups. Each user can be a member of a number of Groups; they take on the cumulative access privileges of each of those Groups. A user does not have to be a member of any Groups, but if the User is not even a member of the default user group, then he will not be able to use the Management Console to manage ports. The time allowed to re-configure increases as the number and complexity increases. We recommend that you keep the aggregate number of users and groups under 250.

The Administrator can also edit the access settings for any existing users:
➢ Select Serial & Network > Users & Groups and click Edit for the User to be modified.
➢ Alternately, click Delete to remove the User, or click Disable to temporarily block any access privileges.

Note: For more information on enabling the SDT Connector so each user has secure tunneled remote RDP/VNC/Telnet/HTTP/HTTPS/SoL access to the network connected hosts, refer to Chapter 6.

4.3 Authentication
Refer to Chapter 9.1 Remote Authentication Configuration for authentication configuration details.

4.4 Network Hosts
To access a locally networked computer or device (referred to as…
194. [Screenshot: System > Administration SSH key fields: SSH DSA Public Key (upload a replacement DSA public key file), SSH DSA Private Key (upload a replacement DSA private key file), SSH Authorized Keys (upload a replacement authorized keys file), Generate SSH keys automatically (generate SSH keys locally)]

Next you must register the Public Key as an Authorized Key on the Slave. In a case that has only one Master with multiple Slaves, you only need to upload the one RSA or DSA public key for each Slave.

Note: Using key pairs can be confusing, since one file (the Public Key) fulfills two roles: Public Key and Authorized Key. For a more detailed explanation, refer to the Authorized Keys section of Chapter 15.6. Also refer to this chapter if you need to use more than one set of Authorized Keys in the Slave.

➢ Select System > Administration on the Slave's Management Console.
➢ Browse again to the stored RSA or DSA Public Key and upload it to the Slave's SSH Authorized Key.
➢ Click Apply.

The next step is to Fingerprint each new Slave-Master connection. This one-time step will validate that you are establishing an SSH session to who you think you are. On the first connection, the Slave will receive a fingerprint from the Master, which will be used on all future connections.

➢ To establish the fingerprint, first log in to the Master server as root an…
195. …and Description for the Managed Device.

[Screenshot: Serial & Network > Managed Devices > Add a New Device on an LES1216A (Firmware 2.8.0u2). Fields: Device Name, Description/Notes (a brief description of the device), Connections (Add Connection), Apply]

➢ Click Add Connection and select Serial and the Port that connects to the Managed Device.
➢ To add a UPS/RPC power connection, a network connection, or another serial connection, click Add Connection.
➢ Click Apply.

Note: To set up a new serially connected RPC, UPS or EMD device, configure the serial port, designate it as a Device, then enter a Name and Description for that device in Serial & Network > RPC Connections (or UPS Connections, or Environmental). When applied, this will automatically create a corresponding new Managed Device with the same Name/Description as the RPC/UPS Host (refer to Chapter 8 Power and Environment). All the outlet names on the PDU will by default be Outlet 1 and Outlet 2. When you connect a particular Managed Device that draws power from the outlet, t…
196. …radio noise emissions exceeding the limits applicable to Class A digital apparatus prescribed in the Radio Interference Regulations published by Industry Canada.

Value Line and Advanced Console Servers Manual

Safety Instructions (Normas Oficiales Mexicanas) Electrical Safety Statement

1. All safety and operating instructions must be read before the electrical apparatus is operated.
2. The safety and operating instructions must be kept for future reference.
3. All warnings on the electrical apparatus and in its operating instructions must be heeded.
4. All operating and usage instructions must be followed.
5. The electrical apparatus must not be used near water, for example near a bathtub, sink, wet basement, or near a swimming pool, etc.
6. The electrical apparatus must be used only with carts or stands recommended by the manufacturer.
7. The electrical apparatus must be mounted to the wall or ceiling only as recommended by the manufacturer.
8. Servicing: the user must not attempt to service the electrical equipment beyond what is described in the operating instructions. All other servicing must be referred to qualified service personnel.
9. The electrical a…
197. …client and the server syslog. By default, logs are located in syslog or, if running as a service on Windows, in the Program Files\OpenVPN\log directory.

To initiate the OpenVPN tunnel following the creation of the client/server configuration files:
➢ Right click on the OpenVPN icon in the Notification Area.
➢ Select the newly created client or server configuration, for example LES1216_client.
➢ Click Connect as shown below.

[Screenshot: OpenVPN GUI connection log, Aug 06 11:29:57 2010, OpenVPN 2.0.9 Win32 (SSL, LZO). Recoverable lines: "WARNING: No server certificate verification method has been enabled. See http://openvpn.net"; "LZO compression initialized"; Control Channel and Data Channel MTU parms; Local Options hash and Expected Remote Options hash (VER=V4); "UDPv4 link local: [undef]"; "UDPv4 link remote: 192.168.250.152:1194"; "TLS: Initial packet from 192.168.250.152:1194"; "VERIFY OK: depth=1, /C=US/ST=CA/L=SanFrancisco/O=Fort-Funston/CN=OpenVPN_CA/emailAddress=me@…"; "VERIFY OK: depth=0, /C=US/ST=CA/L=SanFrancisco/O=Fort-Funston/CN=server/emailAddress=me@myhos…"; "Data Channel Encrypt: Cipher 'BF-C…"]
198. …complies with Part 15 of the FCC rules. Operation of this device is subject to the following conditions: (1) this device may not cause harmful interference, and (2) this device must accept any interference that may cause undesired operation.

Appendix F: End User License Agreement

READ BEFORE USING THE ACCOMPANYING SOFTWARE

YOU SHOULD CAREFULLY READ THE FOLLOWING TERMS AND CONDITIONS BEFORE USING THE ACCOMPANYING SOFTWARE, THE USE OF WHICH IS LICENSED FOR USE ONLY AS SET FORTH BELOW. IF YOU DO NOT AGREE TO THE TERMS AND CONDITIONS OF THIS AGREEMENT, DO NOT USE THE SOFTWARE. IF YOU USE ANY PART OF THE SOFTWARE, SUCH USE WILL INDICATE THAT YOU ACCEPT THESE TERMS.

You have acquired a product that includes Black Box ("Black Box") proprietary software and/or proprietary software licensed to Black Box. This Black Box End User License Agreement ("EULA") is a legal agreement between you (either an individual or a single entity) and Black Box for the installed software product of Black Box origin, as well as associated media, printed materials, and online or electronic documentation ("Software"). By installing, copying, downloading, accessing or otherwise using the Software, you agree to be bound by the terms of this EULA. If you do not agree to the terms of this EULA, Black Box is not willing to license the Software to you. In such event, do not use or install the Software. If you have purchased t…
199. …debug on
# /bin/config --run=console
# reboot

If at some point in the future you choose to connect a modem for dial-in out-of-band access, you can reverse the procedure with the following commands:
# /bin/config --del=config.console.debug
# /bin/config --run=console
# reboot

15.4 IP Filtering

The console server uses the iptables utility to provide a stateful firewall of LAN traffic. By default, rules are automatically inserted to allow access to enabled services and serial port access via enabled protocols. The commands that add these rules are contained in the configuration file /etc/config/ipfilter. This is an executable shell script that runs whenever the LAN interface is brought up and whenever modifications are made to the iptables configuration as a result of CGI actions or the config command line tool.

The basic steps performed are as follows:
• The current iptables configuration is erased.
• If a customized IP Filter script exists, it is executed and no other actions are performed.
• Standard policies are inserted that will drop all traffic not explicitly allowed to and through the system.
• Rules are added which explicitly allow network traffic to access enabled services, for example HTTP, SNMP, etc.
• Rules are added that explicitly allow network traffic access to serial ports over enabled protocols, e.g. Telnet, SSH and raw TCP.

If the standard system firewall configuratio…
200. …fnord httpd from http://www.fefe.de/fnord. The SSL implementation is provided by the sslwrap application compiled with OpenSSL support. You can find more detailed documentation at http://www.rickk.com/sslwrap.

If your default network address is changed, or the unit is to be accessed via a known Domain Name, you can use the following steps to replace the default SSL Certificate and Private Key with ones tailored for your new address.

15.8.1 Generating an encryption key

To create a 1024-bit RSA key with a password, issue the following command on the command line of a Linux host with the openssl utility installed:
# openssl genrsa -des3 -out ssl_key.pem 1024

15.8.2 Generating a self-signed certificate with OpenSSL

This example shows how to use OpenSSL to create a self-signed certificate. OpenSSL is available for most Linux distributions via the default package management mechanism. Windows users can check http://www.openssl.org/related/binaries.html.

To create a 1024-bit RSA key and a self-signed certificate, issue the following openssl command from the host you have openssl installed on:
# openssl req -x509 -nodes -days 1000 -newkey rsa:1024 -keyout ssl_key.pem -out ssl_cert.pem

You will be prompted to enter a lot of information. Most of it doesn't matter, but the Common Name should be the domain name of your computer (e.g. test.BlackBox.com). When you have entered everything, the certificate will be created in a file called ssl_cer…
201. …level rather than use a browser and the Management Console, this chapter describes how to use command line access and the config tool to manage the console server and configure the ports, etc. The config documentation in this chapter walks through command line configuration to deliver the functions provided using the Management Console GUI. For advanced and custom configurations, and for details on using other tools and commands, refer to the next chapter.

When displaying a command, the convention used in the rest of this chapter is to use single quotes for user-defined values, for example descriptions and names. Element values without single quotes must be typed exactly as shown. After the initial section on accessing the config command, the menu items in this document follow the same structure as the menu items in the web GUI.

14.1 Accessing config from the command line

The console server runs a standard Linux kernel and embeds a suite of open source applications. If you do not want to use a browser and the Management Console tools, you can configure the console server and manage connected devices from the command line using standard Linux and Busybox commands and applications such as ifconfig, gettyd, stty, powerman, nut, etc. Without care, these configurations may not withstand a power cycle, reset or reconfigure. Black Box provides a number of custom command line utilities and scripts to make it simple to configure the console serve…
202. …restricted access to serial ports, network hosts and managed devices. Remote authentication with group support works by matching a local group name with a remote group name provided by the authentication service. If the list of remote group names returned by the authentication service matches any local group names, the user is given permissions as configured in the local groups.

To enable group support to be used by remote authentication services:
➢ Select Serial & Network > Authentication.
➢ Select the relevant Authentication Method.
➢ Check the Use Remote Groups button.

9.1.7 Remote groups with RADIUS authentication

➢ Enter the RADIUS Authentication and Authorization Server Address and Server Password.
➢ Click Apply.
➢ Edit the RADIUS users file to include group information and restart the RADIUS server.

When using RADIUS authentication, group names are provided to the console server using the Framed-Filter-Id attribute. This is a standard RADIUS attribute and may be used by other devices that authenticate via RADIUS. To interoperate with other devices using this field, the group names can be added to the end of any existing content in the attribute in the following format:
:group_name=testgroup1,users

The above example sets the remote user as a member of testgroup1 and users, if groups with those names exist on the console server. Any groups which do not exist on the console server are ignored. Wh…
203. …the IP address as shown in the illustration above (From 169.134.13.1, To 169.134.13.2).

Or you can set the advanced connection and access on the Windows computer to use the console server defaults:
➢ Specify 10.233.111.254 as the From address.
➢ Select Allow calling computer to specify its own address.

Also, you could use the console server default username and password when you set up the new Remote Desktop User and gave this User permission to use the advanced connection to access the Windows computer. The console server default Username is portXX, where XX is the serial port number on the console server. The default Password is portXX. To use the defaults for an RDP connection to serial port 2 on the console server, you would have set up a Windows user named port02.

➢ When the PPP connection has been set up, a network icon will appear in the Windows task bar.

Note: The above notes describe setting up an incoming connection for Windows XP. The steps are similar for Vista and Windows Server 2003/2008, but the setup screens present slightly differently. You need to put a check in the box for "Always allow directly connected devices such as palmtop…". The option to Set up an advanced connection is not available in Windows 2003 if RRAS is configured. If RRAS has been configured, you can enable the null modem connection fo…

[Screenshot: Incoming Connections Properties dialog]
204. …the server will only have one client device, then the authorized_keys file is simply a copy of the public key for that device. If one or more devices will be clients of the server, then the authorized_keys file will contain a copy of all of the public keys. RSA and DSA keys may be freely mixed in the authorized_keys file.

For example, assume we already have one server called bridge_server and two sets of keys, for the control_room and the plant_entrance:

$ ls /home/user/keys
control_room  control_room.pub  plant_entrance  plant_entrance.pub
$ cat /home/user/keys/control_room.pub /home/user/keys/plant_entrance.pub > /home/user/keys/authorized_keys_bridge_server

Uploading Keys

The keys for the server can be uploaded through the web interface on the System > Administration page, as detailed earlier. If only one client will be connecting, then simply upload the appropriate public key as the authorized keys file. Otherwise, upload the authorized keys file constructed in the previous step. Each client will then need its own set of keys uploaded through the same page. Take care to ensure that the correct type of keys (DSA or RSA) go in the correct spots, and that the public and private keys are in the correct spot.

15.6.8 SDT Connector Public Key Authentication

SDT Connector can authenticate against a console server using your SSH key pair rather than requiring you to enter your password (i.e. public k…
205. …connection, click Advanced and add the above as a secondary IP connection.

If it is not convenient to change your PC/workstation network address, you can use the ARP Ping command to reset the console server IP address. To do this from a Windows PC:
➢ Click Start > Run (or select All Programs, then Accessories, then Run).
➢ Type cmd and click OK to bring up the command line.
➢ Type arp -d to flush the ARP cache.
➢ Type arp -a to view the current ARP cache (this should be empty).

[Screenshot: Windows Run dialog]

Now add a static entry to the ARP table and ping the console server to assign the IP address to the console server. In the example below, a console server has a MAC Address 00:13:C6:00:02:0F (designated on the label on the bottom of the unit) and we are setting its IP address to 192.168.100.23. Also, the PC/workstation issuing the arp command must be on the same network segment as the console server (that is, have an IP address of 192.168.100.xxx).

➢ Type arp -s 192.168.100.23 00-13-C6-00-02-0F (Note: for UNIX the syntax is arp -s 192.168.100.23 00:13:C6:00:02:0F).
➢ Type ping -t 192.168.100.23 to start a continuous ping to the new IP Address.
➢ Turn on the console server and wait for it to configure itself with the new IP address. It will start replying to the ping at this point.
➢ Type arp -d to flush the ARP cache again.

Browser co…
206. …ed for dial-in access. We do not recommend this.
PAP: Password Authentication Protocol (PAP) is the usual method of user authentication used on the internet: sending a username and password to a server, where they are compared with a table of authorized users. While most common, PAP is the least secure of the authentication options.
CHAP: Challenge Handshake Authentication Protocol (CHAP) is used to verify a user's name and password for PPP Internet connections. It is more secure than PAP, the other main authentication protocol.
MSCHAPv2: Microsoft Challenge Handshake Authentication Protocol (MSCHAP) is authentication for PPP connections between a computer using a Microsoft Windows operating system and a network access server. It is more secure than PAP or CHAP, and is the only option that also supports data encryption.

Note: The User name and Password to be used for the dial-in PPP link are set up when the User is initially set up with dialin Group membership. The dialin Group supports multiple dial-in users. Any dial-back phone numbers are also configured when the User is set up.

Note: Chapter 15 Advanced Configuration has examples of Linux commands that you can use to control the modem port operation at the command line level.

5.1.2 Using SDT Connector client

Administrators can use their SDT Connector client to set up secure OoB dial-in access to all their remote console servers. With a point…
207. …ed to unlock the SIM card), Phone Number (the sequence to dial to establish the connection, defaults to *99***1#), Username/Password (optional) and Dial string (optional AT commands). However, you generally will only need to enter your provider's APN and leave the other fields blank.
➢ Enter the carrier's APN, e.g. for AT&T USA simply enter i2gold, for T-Mobile USA enter epc.tmobile.com, for InterNode (Aust) enter internode, and for Telstra (Aust) enter telstra.internet.
➢ If the SIM Card is configured with a PIN Code, you will be required to unlock the Card by entering the PIN Code. If the PIN Code is entered incorrectly three times, then the PUK Code will be required to unlock the Card.

You may also need to set Override DNS to use alternate DNS servers from those provided by your carrier.
➢ To enable Override DNS, check the Override returned DNS Servers box. Enter the IP of the DNS servers into the spaces provided.

[Screenshot: Override DNS settings: Override returned DNS servers (use the following DNS servers instead of the PPP provided servers), DNS Server 1 (the primary DNS server), DNS Server 2]

➢ Click Apply and a radio connection will be established with your cellular carrier.

5.6.2 Connect to the CDMA EV-DO carrier network

The LES1408A, LES1416A, LES1432A and LES1448A console servers have an internal CDMA modem. The LES1508A, LES1208A-R2, LES1216A-R2, LES1232A and LES1248A-R2 console se…
208. [Screenshot: Dashboard > Configure Widgets on les1308a (Model LES1308A, Firmware 3.5.3u5): Select Widget 1 to 6 (choices include Auto-Responses, Active Users, Managed Devices, Environmental), Refresh Timer, Apply]

Note: The Alerts widget is a new screen that shows the current alerts status. When an alert gets triggered, a corresponding XML file is created in /var/run/alerts. The dashboard scans all these files and displays a summary status in the alerts widget. When an alert is deleted, the corresponding XML files that belong to that alert are also deleted.

To configure what is to be displayed by each widget:
➢ Go to the Configure widgets panel and configure each selected widget (for example, specify which UPS status is to be displayed on the ups widget, or the maximum number of Managed Devices to be displayed in the devices widget).
➢ Click Apply.

[Screenshot: Management Console menu on an LES121x (Firmware 2.8.0u2): Serial & Network > Serial Port, Users & Groups, Authentication, Network Hosts…]
209. …elect the pre-configured serial port that the EMD will be Connected Via.
➢ You may optionally calibrate the EMD with a Temperature Offset (+ or - °C) or Humidity Offset (+ or - percent).
➢ Provide Labels for each of the two alarms, if used.
➢ Check Log Status and specify the Log Rate (minutes between samples) if you want to log the status from this EMD. These logs can be viewed from the Status > Environmental Status screen.
➢ Click Apply. This will also create a new Managed Device with the same name.

8.3.2 Environmental alerts

You can now set temperature, humidity and probe status alerts using Alerts & Logging > Alerts (refer to Chapter 7).

8.3.3 Environmental status

You can monitor the current status of all EMDs and their probes.
➢ Select the Status > Environmental Status menu and a table with the summary status of all connected EMD hardware will be displayed.
➢ Click on View Log, or select the Environmental Logs menu, and you will be presented with a table and graphical plot of the selected EMD's log history.

[Screenshot: Status > Environmental Status (Firmware 2.8.0u2), with the Management Console menu: Serial & Network (Serial Port, Users & Groups, Authentication, Network Hosts, Trusted Networks, Cascaded Ports, UPS Connections, RPC Connections, Environmental, Managed Devices), Alerts & Logging (Port Log, Alerts, SMTP & SMS, SNMP), System (Administration, SSL Certificate…)]
210. …When setting the Framed-Filter-Id, the system may also remove the leading colon for an empty field. To work around this, add some dummy text to the start of the string. For example: dummy:group_name=testgroup1,users
➢ If no group is specified for a user (for example AmandaJones), then the user will have no User Interface and serial port access, but limited console access.
➢ Default groups available on the console server include admin for administrator access and users for general user access.

    TomFraser    Cleartext-Password := "FraTom70"
                 Framed-Filter-Id = ":group_name=admin"
    AmandaJones  Cleartext-Password := "JonAma83"
    FredWhite    Cleartext-Password := "WhiFre62"
                 Framed-Filter-Id = ":group_name=testgroup1,users"
    JanetLong    Cleartext-Password := "LonJan57"
                 Framed-Filter-Id = ":group_name=admin"

➢ Additional local groups (such as testgroup1) can be added via Serial & Network > Users & Groups.

9.1.8 Remote groups with LDAP authentication

Unlike RADIUS, LDAP has built-in support for group provisioning, which makes setting up remote groups easier. The console server will retrieve a list of all the remote groups that the user is a direct member of and compare their names with local groups on the console server.

Note: Any spaces in the group name will be converted to underscores.

For example, in an existing Active Directory setup, a group of users may be pa…
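The Framed-Filter-Id handling described in the RADIUS section (9.1.7) and the workaround and example users file above, worked through in code. This is an added example, not code from the manual or the console server firmware: the appended ":group_name=a,b" list, the optional dummy prefix, the stripped leading colon, unknown groups being ignored and a user with no matching group getting only limited console access follow the manual; LOCAL_GROUPS, the function names and the Access flags are constructed for illustration, and the sample users file reuses the manual's example entries.

```python
"""Map RADIUS Framed-Filter-Id group lists onto a console server's local groups.

Added example (not Black Box firmware code). Format assumptions follow the
manual text: groups are appended as ":group_name=a,b"; a RADIUS server may
strip the leading colon ("group_name=a,b") or the admin may prefix dummy text
("dummy:group_name=a,b"); groups unknown locally are ignored; a user with no
matching group gets no web UI or serial port access, only limited console access.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Constructed local group list: admin and users are the defaults named in the
# manual; testgroup1 is the extra group the manual's example adds.
LOCAL_GROUPS: Set[str] = {"admin", "users", "testgroup1"}

# Constructed sample in FreeRADIUS "users" file syntax, built from the manual's
# example entries (indented lines are reply items for the user above them).
SAMPLE_USERS_FILE = """\
TomFraser    Cleartext-Password := "FraTom70"
             Framed-Filter-Id = ":group_name=admin"
AmandaJones  Cleartext-Password := "JonAma83"
FredWhite    Cleartext-Password := "WhiFre62"
             Framed-Filter-Id = "dummy:group_name=testgroup1,users"
JanetLong    Cleartext-Password := "LonJan57"
             Framed-Filter-Id = "group_name=admin"
"""

# Quoted Framed-Filter-Id value on a users-file line (operator "=" or ":=").
_FFI_RE = re.compile(r'Framed-Filter-Id\s*:?=\s*"([^"]*)"')
# The group list is whatever follows "group_name=" at the start of a
# colon-separated field, up to the next colon.
_GROUPS_RE = re.compile(r"(?:^|:)group_name=([^:]*)")


def parse_users_file(text: str) -> Dict[str, Optional[str]]:
    """Return {username: Framed-Filter-Id value or None} from a users file."""
    result: Dict[str, Optional[str]] = {}
    current: Optional[str] = None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if not line[0].isspace():            # new entry: username is first token
            current = line.split()[0]
            result.setdefault(current, None)
        match = _FFI_RE.search(line)         # reply item may be on any of its lines
        if match and current is not None:
            result[current] = match.group(1)
    return result


def remote_groups(framed_filter_id: Optional[str]) -> List[str]:
    """Extract the group names appended to a Framed-Filter-Id value."""
    if not framed_filter_id:
        return []
    fields = _GROUPS_RE.findall(framed_filter_id)
    if not fields:
        return []
    # Use the last group_name field: groups are appended after existing content.
    return [g.strip() for g in fields[-1].split(",") if g.strip()]


def effective_groups(remote: List[str], local: Set[str] = LOCAL_GROUPS) -> List[str]:
    """Keep only remote groups that exist locally; unknown names are ignored."""
    return [g for g in remote if g in local]


@dataclass(frozen=True)
class Access:
    """Constructed summary of what the manual says each outcome grants."""
    groups: tuple
    admin: bool                  # unlimited configuration and management rights
    management_console: bool     # web UI and serial port access
    limited_console_only: bool   # no matching group: limited console access only


def resolve_access(framed_filter_id: Optional[str],
                   local: Set[str] = LOCAL_GROUPS) -> Access:
    """Turn one user's Framed-Filter-Id into the access they would receive."""
    groups = effective_groups(remote_groups(framed_filter_id), local)
    return Access(groups=tuple(groups),
                  admin="admin" in groups,
                  management_console=bool(groups),
                  limited_console_only=not groups)


def resolve_users_file(text: str, local: Set[str] = LOCAL_GROUPS) -> Dict[str, Access]:
    """Resolve every user in a users file to their effective access."""
    return {user: resolve_access(ffi, local)
            for user, ffi in parse_users_file(text).items()}


if __name__ == "__main__":
    for name, access in resolve_users_file(SAMPLE_USERS_FILE).items():
        print(f"{name:12} groups={list(access.groups)} admin={access.admin} "
              f"ui={access.management_console} limited={access.limited_console_only}")
```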
211. …enable log storage and connection logging:
• Select Alerts & Logging > Port Log. Configure log storage.
• Select Serial & Network > Serial Port. Edit the serial port(s). Under Console server, select Logging Level 1 and click Apply.

There's a useful tutorial on creating a bash script CGI at http://www.yolinux.com/TUTORIALS/LinuxTutorialCgiShellScript.html

Similarly, the Master does maintain a view of the status of the slaves:
• Select Status > Support Report.
• Scroll down to Processes.
• Look for /bin/ssh -MN -o ControlPath=/var/run/cascade/%h slavename. These are the slaves that are connected.

Note: the end of the Slaves' names will be truncated, so the first 5 characters must be unique.

Alternatively, you can write a custom CGI script as described above. The currently connected Slaves can be determined by running ls /var/run/cascade, and the configured slaves can be displayed by running config -g config.cascade.slaves.

Appendix A: Linux Commands & Source Code

The console server platform is a dedicated Linux computer, optimized to provide monitoring and secure access to serial and network consoles of critical server systems and their supporting power and networking infrastructure. Black Box console servers are built on the 2.4 uCLinux kernel as developed by the uCLinux project. This is GPL code and source can be found at http://cvs.uclinux.org. Some uCLinux commands have config fil…
212. …client, enter the console server's IP address as the Host Name (or IP address). To access the console server command line, select SSH as the protocol and use the default IP Port 22. Click Open and the console server login prompt will appear. (You may also receive a Security Alert that the host's key is not cached. Choose yes to continue.) Using the Telnet protocol is similarly simple, but you use the default port 23.

Another popular communications package you can use is SSHTerm, an open source package that you can download from http://sourceforge.net/projects/sshtools. To use SSHTerm for an SSH terminal session from a Windows Client, simply select the File option and click on New Connection.

[Screenshot: SSHTerm Connection Profile dialog: Hostname 192.168.0.1, Port 3001, Username root, authentication methods password / publickey / keyboard-interactive]

A new dialog box will appear for your Connection Profile. Type in the host name or IP address for the console server unit and the TCP port that the SSH session will use (port 22). Then type in your username, choose password authentication, and click connect. You may receive a message about the host key fingerprint. Select yes or always to continue. The next step is password authentication. The system prompts you for your username and password from the remote system. Thi…

3.6 Management network configuration
213. …client: Specify whether this will be a client or server configuration file.
server: In the server configuration file, define the IP address pool and netmask. For example: server 10.100.10.0 255.255.255.0
proto udp / proto tcp: Set the protocol to UDP or TCP. The client and server must use the same settings.
mssfix <max. size>: Mssfix sets the maximum size of the packet. This is only useful for UDP if problems occur.
verb <level>: Set the log file verbosity level. Log verbosity level can be set from 0 (minimum) to 15 (maximum). For example:
  0 = silent except for fatal errors
  3 = medium output, good for general usage
  5 = helps with debugging connection problems
  9 = extremely verbose, excellent for troubleshooting
dev tun / dev tap: Select dev tun to create a routed IP tunnel or dev tap to create an Ethernet tunnel. The client and server must use the same settings.
remote <host>: The hostname/IP of the OpenVPN server when operating as a client. Enter either the DNS hostname or the static IP address of the server.
port: The UDP/TCP port of the server.
keepalive: Keepalive uses ping to keep the OpenVPN session alive. keepalive 10 120 pings every 10 seconds and assumes the remote peer is down if no ping has been received over a 120 second time period.
http-proxy <proxy server> <proxy port>: If a proxy is required to access the server, enter the proxy server DNS na…
214. …entrance.pub
$ cat /home/user/keys/control_room.pub /home/user/keys/plant_entrance.pub > /home/user/keys/authorized_keys_bridge_server

[Figure: Master/client key placement. The Master holds an authorized_keys file containing the ssh-rsa public key of client1 and the ssh-dss public key of client2; client1 holds its RSA private key and id_rsa.pub, client2 holds its DSA private key and id_dsa.pub.]

More documentation on OpenSSH can be found at:
http://openssh.org/portable.html
http://www.openbsd.org/cgi-bin/man.cgi?query=ssh&sektion=1
http://www.openbsd.org/cgi-bin/man.cgi?query=sshd

15.6.5 Generating public/private keys for SSH (Windows)

This section describes how to generate and configure SSH keys using Windows. First create a new user from the Black Box Management Console (the following example uses a user called testuser), making sure it is a member of the users group. If you do not already have a public/private key pair, you can generate them now using ssh-keygen, PuTTYgen or a similar tool:
PuTTYgen: http://www.chiark.greenend.org.uk/~sgtatham/putty/download.html
OpenSSH: http://www.openssh.org
OpenSSH (Windows): http://sshwindows.sourceforge.n…
215. …required, specify the TACACS Service to authenticate with. This determines which set of attributes are returned by the server (defaults to raccess).
➢ If required, check Default Admin Privileges to give all TACACS authenticated users admin privileges. Use Remote Groups must also be ticked for these privileges to be granted.
➢ Click Apply. TACACS remote authentication will now be used for all user access to the console server and serially or network attached devices.

TACACS: The Terminal Access Controller Access Control System (TACACS) security protocol is a recent protocol developed by Cisco. It provides detailed accounting information and flexible administrative control over the authentication and authorization processes. TACACS allows for a single access control server (the TACACS daemon) to provide authentication, authorization and accounting services independently. Each service can be tied into its own database to take advantage of other services available on that server or on the network, depending on the capabilities of the daemon. There is a draft RFC detailing this protocol. You can find further information on configuring remote TACACS servers at the following sites:
http://www.cisco.com/en/US/tech/tk59/technologies_tech_note09186a0080094e99.shtml
http://www.cisco.com/en/US/products/sw/secursw/ps4911/products_user_guide_chapter09186a00800eb6d6.html
http://cio.cisco.com/univercd/cc/td/doc/product/software/ios113ed/113ed_cr/secur_c/s…
216. …er. To enable NSCA:
➢ Select System > Nagios and check NSCA Enabled.
➢ Select the Encryption to be used from the drop-down menu, then enter a Secret password and specify a check Interval.
➢ Refer to the sample Nagios configuration section below for some examples of configuring specific NSCA checks.

10.3.4 Configure Selected Serial Ports for Nagios Monitoring

The individual Serial Ports connected to the console server that are to be monitored must be configured for Nagios checks. Refer to Chapter 4.4 Network Host Configuration for details on enabling Nagios monitoring for Hosts that are network connected to the console server. To enable Nagios to monitor a device connected to the console server serial port:
➢ Select Serial & Network > Serial Port and click Edit on the serial Port you want to monitor.
➢ Select Enable Nagios, specify the name of the device on the upstream server, and determine the check you want to run on this port. Serial Status monitors the handshaking lines on the serial port, and Check Port monitors the data logged for the serial port.

10.3.5 Configure Selected Network Hosts for Nagios Monitoring

The individual Network Hosts connected to the console server that you want to monitor must also be configured for Nagios checks.
➢ Select Serial & Network > Network Port and click Edit on the Network Host you want to monitor.
➢ Select Enable Nagios, specify…
217. …er, which defaults to 777.
> Click Apply.
> The Cellular statistics page on Status: Statistics will display the current state of the modem.
> OTASP success will result in a valid phone number being placed in the NAM Profile Account MDN field.
Manual Activation: Some carriers may not support OTASP, in which case it may be necessary to manually provision the modem.
> Select the Internal Cellular Modem panel on the System: Dial menu.
> Enter the MSL, MDN and MSID values. These values are specific to your carrier, and for manual activation you will have to investigate what values your carrier uses in each field. For example, Verizon have been known to use an MSL of 000000 and the phone number assigned to your console server device as both the MDN and MSID, with no spaces or hyphens (e.g. 5551231234 for 555-123-1234).
> Click Activate. If no errors occur, you will see the new values entered into the NAM Profile at the Cellular page on Status: Statistics.
5.6.3
> Navigate to the Internal Cellular Modem tab on System: Dial. To connect to your carrier's 3G network, enter the appropriate phone number (usually 777) and a Username and Password if directed to by your account plan documentation. Select Enable and then click Apply to initiate the Always-On Out-of-Band connection.
Verify cellular connection: Out-of-band access is enabled by default, so the cellular modem connection should no…
218. …er 2008 you can have multiple sessions, and with Server 2003 you have three sessions (the console session and two other general sessions). More than one user can have active sessions on a single computer. When the remote user connects to the accessed computer on the console session, Remote Desktop automatically locks that computer (no other user can access the applications and files). When you come back to your computer at work, you can unlock it by typing CTRL-ALT-DEL.
6.8.2 Configure the Remote Desktop Connection client
Now that you have the Client PC securely connected to the console server (either locally, or remotely through the enterprise VPN, a secure SSH internet tunnel, or a dial-in SSH tunnel), you can establish the Remote Desktop connection from the Client. Simply enable the Remote Desktop Connection on the remote client PC, then point it to the SDT Secure Tunnel port in the console server.
A. On a Windows client PC:
> Click Start. Point to Programs, then to Accessories, then Communications, and click Remote Desktop Connection.
[Screenshot: Remote Desktop Connection dialog showing the Computer field (192.168.2.19) and a Username field; "You will be asked for credentials when you connect"]
> In Computer, enter the appropriate IP Address and Port Number. Where there is a direct local or enterprise VPN connection, enter the IP Address…
219. …er that is true depends on what the Program does.
1. You may copy and distribute verbatim copies of the Program's source code as you receive it, in any medium, provided that you conspicuously and appropriately publish on each copy an appropriate copyright notice and disclaimer of warranty; keep intact all the notices that refer to this License and to the absence of any warranty; and give any other recipients of the Program a copy of this License along with the Program. You may charge a fee for the physical act of transferring a copy, and you may at your option offer warranty protection in exchange for a fee.
2. You may modify your copy or copies of the Program or any portion of it, thus forming a work based on the Program, and copy and distribute such modifications or work under the terms of Section 1 above, provided that you also meet all of these conditions:
a) You must cause the modified files to carry prominent notices stating that you changed the files and the date of any change.
b) You must cause any work that you distribute or publish, that in whole or in part contains or is derived from the Program or any part thereof, to be licensed as a whole at no charge to all third parties under the terms of this License.
c) If the modified program normally reads commands interactively when run, you must cause it, when started running for such interactive use in the most ordinary way, to print or display an anno…
220. …erated key. Save public key. Save private key.
[Screenshot: PuTTY Key Generator Parameters: Type of key to generate (SSH-1 RSA, SSH-2 RSA, SSH-2 DSA); Number of bits in a generated key: 1024]
Create a new file authorized_keys with Notepad, copy your public key data from the "Public key for pasting into OpenSSH authorized_keys file" section of the PuTTY Key Generator, and paste the key data into the authorized_keys file. Make sure there is only one line of text in this file. Use WinSCP to copy this authorized_keys file into the user's home directory (e.g. /etc/config/users/testuser/.ssh/authorized_keys) of the Black Box gateway, which will be the SSH server. You will need to make sure this file is in the correct format with the correct permissions, with the following commands:
dos2unix /etc/config/users/testuser/.ssh/authorized_keys && chown testuser /etc/config/users/testuser/.ssh/authorized_keys
Using WinSCP, copy the attached sshd_config over /etc/config/sshd_config on the server. Make sure public key authentication is enabled.
Test the Public Key by logging in as testuser to the client Black Box device and typing the following (you should not need to enter anything):
ssh -o StrictHostKeyChecking=no <server-ip>
To automate connection of the SSH tunnel from the client on every power up, you need to make the client's /etc/config/rc.local look like the following:
221. …erformed when the trigger condition has been resolved. To configure, first set the general parameters that will be applied to all Auto Responses:
> Check Log Events on Alerts & Logging: Auto Response to enable logging of all Auto Response activities.
> Check Delay after Boot to set any general delay to be applied after console server system boot before processing events.
[Screenshot: Alerts & Logging: Auto Response page. Configured Auto Responses (Name, Check Type, Status, Modify, Delete; New Auto Response). Global Auto Response Settings: Log Events (log events and actions related to Auto Responses); Delay after boot 120 (delay after system boot before processing events); Save Settings. Auto Response Logs: No AutoResponse Logs]
To configure a new Auto Response:
> Select New Auto Response in the Configured Auto Response field. You will be presented with a new Auto Response Settings menu.
> Enter a unique Name for the new Auto Response.
> Specify the Reset Timeout for the time in seconds after resolution to delay before this Auto Response can be triggered again.
> Check Repeat Trigger Actions to continue to repeat trigger action sequences until the check is resolved.
> Enter any required dela…
222. …erial DB9 Port or Internal Modem Port.
> Check Enable Dial-In.
Note: The console server console/modem serial port is set by default to 115200 baud, No parity, 8 data bits and 1 stop bit, with software (Xon/Xoff) flow control enabled for the Serial DB9 Port, and to 9600 baud for the Internal modem and PC Card Ports. When enabling OoB dial-in, we recommend that this be changed to 38,400 baud with Hardware Flow Control.
> Select the Baud Rate and Flow Control that will communicate with the modem.
> Click Apply.
Note: You can further configure the console modem port (for example, to include modem init strings) by editing the /etc/mgetty.config files, as described in Chapter 15 Advanced Configuration.
In the Remote Address field, enter the IP address to be assigned to the dial-in client. You can select any address for the Remote IP Address. It and the Local IP Address must both be in the same network range (e.g. 200.100.1.12 and 200.100.1.67).
In the Local Address field, enter the IP address for the Dial-In PPP Server. This is the IP address that will be used by the remote client to access the console server once the modem connection is established. You can select any address for the Local IP Address, but it must be in the same network range as the Remote IP Address.
The Default Route option enables the dialed PPP connection to become the default route for the console server.
The Custom Modem Initialization…
223. …ernet port for broadband OoB access. Make sure you unplug the console server power before installing the modem. When it next boots, it will detect the modem and a PC Card Modem tab will appear under System > Dial.
The LES1508A, LES1408A, LES1416A, LES1432A, LES1448A, LES1308A, LES1316A, LES1332A, LES1348A, LES1108A, LES1116A, LES1132 and LES1148A models need to have an external modem attached (via a serial cable to the DB9 port marked Local, located on the front of the unit).
5.1.1 Configure Dial-In PPP
To enable dial-in PPP access on the modem:
[Screenshot: System: Dial page, Internal Modem tab. Dial Settings: Disable Dial (disable modem communication), Enable Dial-In (allow incoming modem communication), Enable Dial-Out (allow outgoing modem communication). Serial Settings: Baud Rate 38400 (the port speed in characters per second), Flow Control Software (the method of flow control to use). Dial-In Settings: Remote Address]
> Select the System: Dial menu option and the port to be configured (S…
224. …ers only.
7.3.6 Send Nagios Event
> Click on Send Nagios Event as the Add Trigger Action. Enter a unique Action Name and set the Action Delay Time.
> Edit the Nagios Event Message text to display on the Nagios status screen for the service.
> Specify the Nagios Event State (OK, Warning, Critical or Unknown) to return to Nagios for this service.
> Click Save New Action.
Note: To notify the central Nagios server of Alerts, NSCA must be enabled under System: Nagios, and Nagios must be enabled for each applicable host or port.
7.4 Resolve Actions
Actions can also be scheduled to be taken once a trigger condition has been resolved.
> For a nominated Auto Response with a defined trigger Check Condition, click on Add Resolve Action (e.g. Send Email or Run Custom Script) to select the action type to be taken.
Note: Resolve Actions are configured exactly the same as Trigger Actions, except that the designated Resolve Actions are all executed on resolution of the trigger condition and there are no Action Delay Times set.
[Screenshot: Resolve Actions panel: Scheduled Resolve Actions (Action Name, Action Type, Modify, Delete); Add Resolve Action]
7.5 Configure SMTP, SMS, SNMP and/or Nagios service for alert notifications
The Auto Response facility enables remote alerts to be sent as Trigger and Resolve Actions. Before such alert notifications can be sent, you must conf…
225. …erver, you can back up the configuration to an off-box file. Before backing up, you need to arrange a way to transfer the backup off box. This could be via an NFS share, a Samba (Windows) share, to USB storage, or copied off box via the network. If backing up directly to off-box storage, make sure it is mounted. /tmp is not a good location for the backup (except as a temporary location before transferring it off box), because the /tmp directory will not survive a reboot. The /etc/config directory is not a good place either, because it will not survive a restore. Backup and restore should be done by the root user to make sure correct file permissions are set.
The config command is used to create a backup tarball:
config -e <Output File>
The tarball will be saved to the indicated location. It will contain the contents of the /etc/config directory in an uncompressed and unencrypted form.
Example: NFS storage
mount -t nfs 192.168.0.2:/backups /mnt
config -e /mnt/les4108.config
umount /mnt
Example: transfer off box via scp
config -e /tmp/les4108.config
scp /tmp/les4108.config 192.168.0.2:/backups
The config command is also used to restore a backup:
config -i <Input File>
This will extract the contents of the previously created backup to /tmp and then synchronize the /etc/config directory with the copy in /tmp. One problem that can crop up here is that there is not enough room in /tmp…
226. …es that can be altered (e.g. portmanager, inetd, init, ssh/sshd/scp/sshkeygen, ucd-snmpd, samba, fnord, sslwrap). Other commands you can run and do neat stuff with (e.g. loopback, bash shell, ftp, hwclock, iproute, iptables, netcat, ifconfig, mii-tool, netstat, route, ping, portmap, pppd, routed, setserial, smtpclient, stty, stunnel, tcpdump, tftp, tip, traceroute).
Below are most of the standard uClinux and BusyBox commands (and some custom Black Box commands) that are in the default build tree. The Administrator can use these to configure the console server and to monitor and manage attached serial console and host devices:
addgroup: Add a group, or add a user to a group
adduser: Add a user
agetty: Alternative Linux getty
arp: Manipulate the system ARP cache
arping: Send ARP requests/replies
bash: GNU Bourne-Again Shell
busybox: Swiss army knife of embedded Linux commands
cat: Concatenate FILE(s) and print them to stdout
chat: Useful for interacting with a modem connected to stdin/stdout
chgrp: Change file access permissions
chmod: Change file access permissions
chown: Change file owner and group
config: Black Box tool to manipulate and query the system configuration from the command line
cp: Copy files and directories
date: Print or set the system date and time
dd: Convert and copy a file
deluser: Delete USER from the system
df: Report filesystem disk space usage
dhcpd: Dynamic Host Configuration Protocol server
disca…
227. …es, select PKI (X.509 Certificates), or select Custom Configuration to upload custom configuration files. Custom configurations must be stored in /etc/config.
Note: If you select PKI (public key infrastructure), you will need to establish:
- A separate certificate (also known as a public key). This Certificate File will be a *.crt file type.
- A Private Key for the server and each client. This Private Key File will be a *.key file type.
- A Master Certificate Authority (CA) certificate and key, which is used to sign each of the server and client certificates. This Root CA Certificate will be a *.crt file type.
For a server you may also need dh1024.pem (Diffie-Hellman parameters). Refer to http://openvpn.net/easyrsa.html for a guide to basic RSA key management. For alternative authentication methods, see http://openvpn.net/index.php/documentation/howto.html#auth. For more information, also see http://openvpn.net/howto.html.
> Check or uncheck the Compression button to enable or disable compression, respectively.
4.10.2 Configure as Server or Client
> Complete the Client Details or Server Details, depending on the Tunnel Mode selected.
o If Client has been selected, the Primary Server Address will be the address of the OpenVPN Server.
o If Server has been selected, enter the IP Pool Network address and the IP Pool Network mask for the IP Pool. The network defined by the IP Pool Network address/mask is used to provide…
228. …et download. For example, using PuTTYgen: make sure you have a recent version of puttygen.exe, available from http://www.chiark.greenend.org.uk/~sgtatham/putty/download.html. Make sure you have a recent version of WinSCP, available from http://winscp.net/eng/download.php.
To generate a SSH key using PuTTY (http://sourceforge.net/docs/F02/clients):
> Execute the PUTTYGEN.EXE program.
> Select the desired key type, SSH2 DSA (you may use RSA or DSA), within the Parameters section.
> It is important that you leave the passphrase field blank.
> Click on the Generate button.
> Follow the instruction to move the mouse over the blank area of the program in order to create random data used by PUTTYGEN to generate secure keys. Key generation will occur once PUTTYGEN has collected sufficient random data.
[Screenshot: PuTTY Key Generator window (File, Key, Conversions, Help) showing the generated "Public key for pasting into OpenSSH authorized_keys file", the Key fingerprint (ssh-rsa 1023 bit), Key comment (rsa-key-20061212), Key passphrase and Confirm passphrase fields, and the Actions: Generate a public/private key pair, Load an existing private key file, Save the gen…]
229. [Screenshot: System: IP Route Settings form: Destination Network/Host (the destination network/host that the route provides access to); Destination netmask (in the range 0-32); Route Gateway (the IP address of a router that will route packets to the destination network); Metric (the route metric; lower metric routes are used in preference); Apply]
To add the static route to the route table of the system:
> Select the Route Settings tab on the System: IP General Settings menu.
> Enter a meaningful Route Name for the route.
> In the Destination Network/Host field, enter the IP address of the destination network/host that the route provides access to.
> Enter a value in the Destination netmask field that identifies the destination network or host: any number between 0 and 32. A subnet mask of 32 identifies a host route.
> Enter Route Gateway with the IP address of a router that will route packets to the destination network.
> Enter a value in the Metric field that represents the metric of this connection. This generally only has to be set if two or more routes conflict or have overlapping targets. Any number equal to or greater than 0.
> Click Apply.
Chapter 4: Serial Port, Host, Device & User Configuration
Introduction
The Black Box console server enables access and control of serially attached devices and network att…
230. …etwork ports. Circuit Switched Data (CSD) mode: In this dial-in mode, the cellular modem can receive incoming calls from remote modems that dial a special Data Terminating number.
5.7.1 OOB access set up
Out-of-band access is enabled by default and the cellular modem connection is always on. However, to be directly accessed, the console server needs to have a Public IP address and it must not have SSH access firewalled. Almost all carriers offer corporate mobile data service plans with a Public (static or dynamic) IP address. These plans often have a service fee attached.
> If you have such a static Public IP address plan, you can also now try accessing the console server using the Public IP Address provided by the carrier. However, by default only HTTPS and SSH access is enabled on the OOB connection, so you can browse to the console server but you cannot ping it.
> If you have a dynamic Public IP address plan, then a DDNS service will need to be configured to enable the remote administrator to initiate incoming access. Once this is done, you can then also try accessing the console server using the allocated domain name.
By default, most providers offer a consumer grade service which provides dynamic Private IP address assignments to 3G devices. This IP address is not visible across the Internet, but generally it is adequate for home and general business use.
> With such a plan, the Failover & Out-of-Band tab on Status: Statistics shows…
231. …evice (the console port of a network router), and to send alerts back to the Nagios server when an Administrator connects to the router or IIS server. This walkthrough provides an example, but details of the configuration options are described in the next section. This walkthrough also assumes the network host and serial devices are already physically connected to the console server.
The first step is to set up the Nagios features on the console server:
[Screenshot: System: Nagios page on an LES1216A (firmware 2.8.0u2). Nagios service Enabled (switch on the Nagios service); Nagios Host Name (name of this system in Nagios, generated from System Name if unspecified); Nagios Host Address (address for Nagios to find this device at, defaults to Network 1 IP if set); Nagios Server Address; Disable SDT for Nagios Extensions (don't show SDT links); SDT Gateway Address; Prefer NRPE (use NRPE instead of NSCA whenever possible, defaults to prefer NSCA)]
> Browse to the Black Box console server and select System: Nagios on the console server Management Console. Check Nagios service Enabled…
232. [Screenshot: Device Settings: Device Type (None, UPS, RPC, Environmental)]
> Select the desired Device Type (UPS, RPC or EMD).
> Proceed to the appropriate device configuration page (Serial & Network: UPS Connections, RPC Connection or Environmental) as detailed in Chapter 8 Power & Environmental Management.
4.1.5 Terminal Server Mode
> Select Terminal Server Mode and the Terminal Type (vt220, vt102, vt100, Linux or ANSI) to enable a getty on the selected serial port.
[Screenshot: Terminal Server Settings: Terminal Server Mode (enable a TTY login for a local terminal attached to this serial port); Terminal Type vt220 (the terminal standard to use on this serial port)]
The getty will then configure the port and wait for a connection to be made. An active connection on a serial device is usually indicated by the Data Carrier Detect (DCD) pin on the serial device being raised. When a connection is detected, the getty program issues a login prompt and then invokes the login program to handle the actual system login.
Note: Selecting Terminal Server mode will disable Port Manager for that serial port, so data is no longer logged for alerts etc.
4.1.6 Serial Bridging Mode
With serial bridging, the serial data on a nominated serial port on one console server is encapsulated into network packets and then transported over a network to a second console server. It is then represented on its serial p…
233. …ew password for root (the main administrative user account), so choose a complex password and keep it safe.
Note: There are no restrictions on the characters that can be used in the Password. It can contain up to 254 characters. However, only the first eight System Password characters are used to make the password hash.
> Click Apply. Since you have changed the password, you will be prompted to log in again. This time use the new password.
Note: If you are not confident that your console server has the current firmware release, you can upgrade. Refer to Upgrade Firmware, Chapter 10.
3.2.1 Set up new administrator
It is also recommended that you set up a new Administrator user as soon as convenient, and log in as this new user for all ongoing administration functions (rather than root). This Administrator can be configured in the admin group with full access privileges through the Serial & Network: Users & Groups menu (refer to Chapter 4 for details).
3.2.2 Name the console server
It is also recommended that you set up a System Name for your console server to make it simple to identify.
[Screenshot: System: Administration page: System Name (an ID for this device); System Description (the physical location of this device)]
234. …ext to each user who should be allowed a connection to this computer. Note that other factors, such as a disabled user account, may affect a user's ability to connect.
[Screenshot: Users allowed to connect: Guest; HelpAssistant (Remote Desktop Help Assistant Account); Remote Bob; SUPPORT_388945a0 (CN=Microsoft Corporation, L=Redmond, S=Washington); SUPPORT_151ab9 (CN=Dell Computer Corporation, L=Round Rock, S=Texas)]
> Specify which Users will be allowed to use this connection. This should be the same Users who were given Remote Desktop access privileges in the earlier step. Click Next.
> On the Network Connection screen, select TCP/IP and click Properties.
[Screenshot: Incoming TCP/IP Properties: Allow callers to access my local area network; TCP/IP address assignment: Assign TCP/IP addresses automatically using DHCP, or Specify TCP/IP addresses (From, To, Total); Allow calling computer to specify its own IP address]
> Select Specify TCP/IP addresses on the Incoming TCP/IP Properties screen, nominate a From and a To TCP/IP address, and click Next.
Note: You can choose any TCP/IP addresses so long as they are addresses that are not used anywhere else on your network. The From address will be assigned to the Windows XP/2003 computer and the To address will be used by the console server. For simplicity, us…
235. …ey authentication.
> To use public key authentication with SDT Connector, you must first create an RSA or DSA key pair (using ssh-keygen, PuTTYgen or a similar tool) and add the public part of your SSH key pair to the Black Box gateway, as described in the earlier section.
> Next, add the private part of your SSH key pair (this file is typically named id_rsa or id_dsa) to the SDT Connector client. Click Edit > Preferences > Private Keys > Add, locate the private key file and click OK. You do not have to add the public part of your SSH key pair; it is calculated using the private key.
SDT Connector will now use public key authentication when SSH connecting through the console server. You may have to restart SDT Connector to shut down any existing tunnels that were established using password authentication.
If you have a host behind the console server that you connect to by clicking the SSH button in SDT Connector, you can also configure it for public key authentication. Essentially what you are using is SSH over SSH: the two SSH connections are entirely separate, and the host configuration is entirely independent of SDT Connector and the console server. You must configure the SSH client that SDT Connector launches (e.g. PuTTY, OpenSSH) and the host's SSH server for public key authentication.
15.7 Secure Sockets Layer (SSL) Support
Secure Sockets Layer (SSL) is a protocol developed by Netscape for transmitting private documents…
236. …f the redirection. If you leave this blank, a random port is selected.
[Screenshot: SDTConnector: Local Address localhost; Local TCP Port 5900]
UDP Port: Note that SDT Connector can also tunnel UDP services. SDT Connector tunnels the UDP traffic through the TCP SSH redirection, so it is a tunnel within a tunnel. Enter the UDP port where the service is running on the host. This will also be the local UDP port that SDT Connector binds as the local endpoint of the tunnel. Note that for UDP services you still need to specify a TCP port under General. This will be an arbitrary TCP port that is not in use on the gateway. An example of this is the SOL Proxy service: it redirects local UDP port 623 to remote UDP port 623 over the arbitrary TCP port 6667.
6.2.7 Adding a client program to be started for the new service
Clients are local applications that you may launch when a related service is clicked. To add to the pool of client programs:
> Select Edit: Preferences and click the Client tab. Click Add.
[Screenshot: SDTConnector Preferences, Add Client: Client name; Path to client executable file]
> Enter a Name for the client. Enter the Path to the e…
237. …faces or Bond Interfaces.
o When bridging is enabled, network traffic is forwarded across all Ethernet ports with no firewall restrictions. All the Ethernet ports are transparently connected at the data link layer (layer 2), so they do retain their unique MAC addresses.
o With bonding, the network traffic is carried between the ports, but they present with one MAC address.
o Both modes remove all the Management LAN Interface and Out-of-Band/Failover Interface functions and disable the DHCP Server.
o All the Ethernet ports are transparently connected at the data link layer (layer 2), and they are configured collectively using the Network Interface menu.
3.6.5 Static routes
Static routes provide a very quick way to route data from one subnet to a different subnet. So you can hard code a path that tells the console server to get to a certain subnet by using a certain path. This may be useful for remotely accessing various subnets at a remote site when being accessed using the cellular out-of-band connection.
[Screenshot: System: IP page, Route Settings tab: Route Name (meaningful name for the Route); Destination …]
238. …g:
config -s config.interfaces.lan.dhcpd.staticips.staticip1.mac=00:1e:67:82:72:d9
config -s config.interfaces.lan.dhcpd.staticips.staticip1.host=John-PC
config -s config.interfaces.lan.dhcpd.staticips.total=1
The following command will synchronize the live system with the new configuration:
config -a
14.22 Services
You can manually enable or disable network servers from the command line. For example, if you wanted to guarantee the following server configuration:
HTTP Server: Enabled
HTTPS Server: Disabled
Telnet Server: Disabled
SSH Server: Enabled
SNMP Server: Disabled
Ping Replies (Respond to ICMP echo requests): Disabled
TFTP server: Enabled
config -s config.services.http.enabled=on
config -d config.services.https.enabled
config -d config.services.telnet.enabled
config -s config.services.ssh.enabled=on
config -d config.services.snmp.enabled
config -d config.services.pingreply.enabled
config -s config.services.tftp.enabled=on
To set secondary port ranges for any service:
config -s config.services.telnet.portbase="port base number"   (Default: 2000)
config -s config.services.ssh.portbase="port base number"   (Default: 3000)
config -s config.services.tcp.portbase="port base number"   (Default: 4000)
config -s config.services.rfc2217.portbase="port base number"   (Default: 5000)
config -s config.services.unauthtel.portbase="port base number"   (Default: 6000)
The following command will synch…
239. …g it with your console server.
> If there are multiple USB devices installed, you will be warned to remove them.
To back up to the USB, enter a brief Description of the backup in the Local Configuration Backups menu and select Save Backup. The Local Configuration Backup menu will display all the configuration backup files you have stored on the USB flash.
[Screenshot: System: Configuration Backup page (Remote Backup / Local Backup tabs). Local Backup: Description (a brief description to identify the backup); Save Backup. Stored backups listed with Description, Load On Erase, Restore and Delete columns (e.g. "Factory default", "internal"); Apply]
> To restore a backup from the USB, simply select Restore on the particular backup you wish to restore and click Apply.
After saving a local configuration backup, you may choose to use it as the alternate default configuration. When the console server is reset to factory defaults, it will then load your alternate default configuration instead of its factory settings.
> To set an alternate default configuration, check Load On Erase and click Apply.
Note: Before selecting Load On Erase, make sure that you have…
240. [Screenshot: Welcome screen listing the initial configuration steps, with a Done button]
A Welcome screen which lists initial installation configuration steps will be displayed:
- Change the default administration password on the Users page (Chapter 3)
- Configure the local network settings on the System: IP page (Chapter 3)
- Configure port settings and enable supported protocols on the Serial & Network: Serial Port page (Chapter 4)
- Configure users with access to serial ports on the Serial & Network: Users page (Chapter 4)
If your system has a cellular modem, you will also be given the steps to configure the cellular router features:
- Configure the cellular modem connection on the System: Dial page (Chapter 5)
- Allow forwarding to the cellular destination network on the System: Firewall page (Chapter 5)
- Enable IP masquerading for the cellular connection on the System: Firewall page (Chapter 5)
After completing each of the above steps, you can return to the configuration list by clicking the Black Box logo in the top left corner of the screen.
Note: If you are not able to connect to the Management Console at 192.168.0.1, or if the default Username/Password were not accepted, then reset your console server (refer to Chapter 11).
3.2 Administrator Password
For security re…
g power to the console server itself. If the UPS reaches critical battery status, the custom script in /etc/config/scripts/ups-shutdown runs, enabling you to perform any last gasp actions.
> Click Apply.
Controlling UPS powered computers
One of the advantages of having a Managed UPS is that you can configure computers that draw power through that UPS to shut down gracefully if you have UPS problems. For Linux computers, set up upsmon on each computer and direct them to monitor the console server that is managing their UPS. This will set the specific conditions that will be used to initiate a power down of the computer. Non-critical servers may be powered down some seconds after the UPS starts running on battery. In contrast, more critical servers may not be shut down until a low battery warning is received. Refer to the online NUT documentation for details on how to do this:
http://eu1.networkupstools.org/doc/2.2.0/INSTALL.html
http://linux.die.net/man/5/upsmon.conf
http://linux.die.net/man/8/upsmon
An example upsmon.conf entry might look like:
MONITOR managedups@192.168.0.1 1 username password slave
- managedups is the UPS Name of the Managed UPS
- 192.168.0.1 is the IP address of the Black Box console server
- 1 indicates the server has a single power supply attached to this UPS
- username is the Username of the Managed UPS
- password is the Password of the Managed UPS
There are NUT monitoring
g www.dyndns.org; GNUDip (gnudip.cheapnet.net); ODS (www.ods.org); TZO (www.tzo.com); 3322.org (Chinese provider, www.3322.org).
Upon registering with the DDNS service provider, you will select a username and password, as well as a hostname that you will use as the DNS name (to allow external access to your machine using a URL). The Dynamic DNS service providers allow the user to choose a hostname URL and set an initial IP address to correspond to that hostname URL. Many Dynamic DNS providers offer a selection of URL hostnames available for free use with their service. However, with a paid plan, any URL hostname (including your own registered domain name) can be used.
You can now enable and configure DDNS on any of the Ethernet or cellular network connections on the console server (by default DDNS is disabled on all ports):
> Select the DDNS service provider from the drop down Dynamic DNS list on the System: IP or System: Dial menu.
> In DDNS Hostname, enter the fully qualified DNS hostname for your console server, e.g. your-hostname.dyndns.org.
> Enter the DDNS Username and DDNS Password for the DDNS service provider account.
> Specify the Maximum interval between updates in days. A DDNS update will be sent even if the address has not changed.
> Specify the Minimum interval between checks for changed addresses in seconds. Updates will still only be sent if the address has changed.
> Specify the Maximum attempts per update, i.e. the number of ti
> Select Alerts from the Alerts & Logging menu and click Add Alert.
> In Description, enter Administrator connection.
> Check Nagios (NSCA).
> In Applicable Ports, check the serial port that has the router console port attached. In Applicable Hosts, check the IP address/DNS name of the IIS server.
> Click Connection Alert.
> Click Apply.
Finally, you need to add a User for the client running SDT Connector:
> Select Users & Groups from the Serial & Network menu.
> Click Add User.
> In Username, enter sdtnagiosuser, then enter and confirm a Password.
> In Accessible Hosts, click the IP address/DNS name of the IIS server, and in Accessible Ports, click the serial port that has the router console port attached.
> Click Apply.
10.3 Configuring Nagios distributed monitoring
To activate the console server Nagios distributed monitoring, Nagios integration must be enabled and a path established to the central upstream Nagios server. If the console server is to periodically report on Nagios monitored services, then the NSCA client embedded in the console server must be configured (the NSCA program enables scheduled check-ins with the remote Nagios server and is used to send passive check results across the network to the remote server). If the Nagios server is to actively request status updates from the console server, then the NRPE server embedded in the console server must
gured to route traffic through the console server. This requires setting up forwarding and masquerading, as detailed in Chapter 5.8.
5.7.4 Cellular CSD dial-in setup
Once you have configured the carrier connection, the cellular modem can be configured to receive Circuit Switched Data (CSD) calls.
Note: CSD is a legacy form of data transmission developed for the TDMA based mobile phone systems like GSM. CSD uses a single radio time slot to deliver 9.6kb/s data transmission to the GSM Network and Switching Subsystem, where it could be connected through the equivalent of a normal modem to the Public Switched Telephone Network (PSTN), allowing direct calls to any dial-up service. CSD is provided selectively by carriers, and it is important you receive a Data Terminating number as part of the mobile service your carrier provides. This is the number which external modems will call to access the console server.
> Select the Cellular Modem panel on the System: Dial menu.
> Check Enable Dial-In and configure the Dial-In Settings.
5.8 Firewall & Forwarding
The console server has routing, NAT, packet filtering and port forwarding support on all physical and virtual network interfaces.
[Diagram: console server with LAN 1 (Network interface), LAN 2 (Management LAN) and Modem (Dial-in/Dial-out) interfaces, showing outgoing IP masquerade and traffic rules]
h port.
Common Settings fields: Port (The serial port's unique identifier); 9600 (The serial port's speed); 8 (The number of data bits to use); None (The serial port's parity); 1 (The number of stop bits to use); None (The flow control method); RS232 (the signaling on this port).
Note: The RS-485/RS-422 option is not relevant for console servers.
> Before proceeding with further serial port configuration, connect the ports to the serial devices they will be controlling and make sure they have matching settings.
Note: The serial ports are all set at the factory to RS232, 9600 baud, no parity, 8 data bits, 1 stop bit and Console Server Mode. You can change the baud rate to 2400-230400 baud using the management console. You can configure lower baud rates (50, 75, 110, 134, 150, 200, 300, 600, 1200, 1800 baud) from the command line. Refer to Chapter 14, Basic Configuration (Linux Commands).
4.1.2 Console Server Mode
Select Console Server Mode to enable remote management access to the serial console that is attached to this serial port.
he DHCP server enables the automatic distribution of IP addresses to hosts on the Management LAN that are running DHCP clients. To enable the DHCP server:
> On the System: IP menu, select the Management LAN page and click the Disable label in the DHCP Server field, or directly go to the System: DHCP Server menu.
> Check Enable DHCP Server.
Management LAN DHCP Server Settings fields: Subnet (Unavailable); DHCP Server (Enable DHCP Server); Gateway (The Default Gateway to assign; Use interface address as gateway: use this interface as the DHCP Gateway); Primary DNS (The primary DNS to assign); Secondary DNS (The secondary DNS to assign); Use interface address as the DNS (Use the built-in DNS relay for DNS lookups; the DNS service is configured on the Services page); Domain Name (The Domain Name to assign).
> Enter the Gateway address that you want to issue to the DHCP clients. If you leave this field blank, the console server's IP address will be used.
> Enter the Primary DNS and Secondary DNS address to issue the DHCP clients. If you leave this field blank, the console server's IP address is used. So lea
he Microsoft Download Center site (http://www.microsoft.com/downloads/details.aspx?familyid=801 1 1F21 D48D 426E 96C2 O8AA2BD23A498&displaylang=en) and click the Download button. This software package will install the client portion of Remote Desktop on Windows 95, Windows 98 and 98 Second Edition, Windows Me, Windows NT 4.0 and Windows 2000. When run, this software allows these older Windows platforms to remotely connect to a computer running current Windows.
B. On a Linux or UNIX client PC:
> Launch the open source rdesktop client:
rdesktop -u windows-user-id -p windows-password -g 1200x950 ms-windows-terminal-server-host-name
Option / description:
-a  Color depth: 8, 16, 24
-r  Device redirection. Redirect sound on remote machine to local device, e.g. -0 -r sound (MS Windows 2003)
-g  Geometry: widthxheight, or 70% screen percentage
-p  Use -p - to receive a password prompt
> You can use GUI front end tools like the GNOME Terminal Services Client (tsclient) to configure and launch the rdesktop client. Using tsclient also enables you to store multiple configurations of rdesktop for connection to many servers.
[Screenshot: Terminal Server Client (tsclient) dialog with Display, Local Resources, Programs and Performance tabs, and Logon Settings: Computer, Protocol, User Name, Password]
he Software, promptly return the Software and all accompanying materials with proof of purchase for a refund. Products with separate end user license agreements that may be provided along with the Software are licensed to you under the terms of those separate end user license agreements.
LICENSE GRANT. Subject to the terms and conditions of this EULA, Black Box grants you a nonexclusive right and license to install and use the Software on a single CPU, provided that: (1) you may not rent, lease, sell, sublicense or lend the Software; (2) you may not reverse engineer, decompile, disassemble or modify the Software, except and only to the extent that such activity is expressly permitted by applicable law notwithstanding this limitation; and (3) you may not transfer rights under this EULA unless such transfer is part of a permanent sale or transfer of the Product, you transfer at the same time all copies of the Software to the same party or destroy such materials not transferred, and the recipient agrees to this EULA. No license is granted in any of the Software's proprietary source code. This license does not grant you any rights to patents, copyright, trade secrets, trademarks or any other rights with respect to the Software. You may make a reasonable number of copies of the electronic documentation accompanying the Software for each Software license you acquire, provided that you must reproduce and include all copyright notices and any other proprieta
he core LDAP specifications are all defined in RFCs. LDAP is a protocol used to access information stored in an LDAP server. You can find further information on configuring remote RADIUS servers at the following sites:
http://www.ldapman.org/articles/intro_to_ldap.html
http://www.ldapman.org/servers.html
http://www.linuxplanet.com/linuxplanet/tutorials/5050/1
http://www.linuxplanet.com/linuxplanet/tutorials/5074/4
9.1.5 RADIUS/TACACS User Configuration
Users may be added to the local console server appliance. If they are not added and they log in via remote AAA, a user will be added for them. This user will not show up in the Black Box configurators unless they are specifically added, at which point they are transformed into a completely local user. The newly added user must authenticate from the remote AAA server, and will have no access if it is down. If a local user logs in, they may be authenticated/authorized from the remote AAA server, depending on the chosen priority of the remote AAA. A local user's authorization is the union of local and remote privileges.
Example 1: User Tim is locally added and has access to ports 1 and 2. He is also defined on a remote TACACS server, which says he has access to ports 3 and 4. Tim may log in with either his local or TACACS password, and will have access to ports 1 through 4. If TACACS is down, he will need to use his local password, and will only be ab
he section as a whole is intended to apply in other circumstances. It is not the purpose of this section to induce you to infringe any patents or other property right claims or to contest validity of any such claims; this section has the sole purpose of protecting the integrity of the free software distribution system, which is implemented by public license practices. Many people have made generous contributions to the wide range of software distributed through that system in reliance on consistent application of that system; it is up to the author/donor to decide if he or she is willing to distribute software through any other system, and a licensee cannot impose that choice. This section is intended to make thoroughly clear what is believed to be a consequence of the rest of this License.
8. If the distribution and/or use of the Program is restricted in certain countries either by patents or by copyrighted interfaces, the original copyright holder who places the Program under this License may add an explicit geographical distribution limitation excluding those countries, so that distribution is permitted only in or among countries not thus excluded. In such case, this License incorporates the limitation as if written in the body of this License.
9. The Free Software Foundation may publish revised and/or new versions of the General Public License from time to time. Such new versions will be similar in spirit to the present version, but may differ in detai
hen the outlet will then take up the name of the powered Managed Device.
4.9 IPsec VPN
The LES1508A, LES1408A, LES1416A, LES1432A, LES1448A, LES1308A, LES1316A, LES1332A, LES1348A, LES1208A-R2, LES1216A-R2, LES1232 and LES1248A-R2 console servers include Openswan, a Linux implementation of the IPsec (IP Security) protocols, which can be used to configure a Virtual Private Network (VPN). The VPN allows multiple sites or remote administrators to access the console server (and Managed Devices) securely over the Internet.
The administrator can establish an encrypted, authenticated VPN connection between advanced console servers distributed at remote sites and a VPN gateway (such as a Cisco router running IOS IPsec) on their central office network:
o Users and administrators at the central office can then securely access the remote console servers, and connected serial console devices and machines on the Management LAN subnet at the remote location, as though they were local.
o With serial bridging, serial data from a controller at the central office machine can be securely connected to the serially controlled devices at the remote sites (refer Chapter 4.1).
The road warrior administrator can use a VPN IPsec software client such as TheGreenBow (www.thegreenbow.com/vpn_gateway.html) or Shrew Soft (www.shrew.net/support) to remotely access the console server and every machine on the Management LAN subnet at the remote location.
[Diagram: IPsec VPN Client as see
here to go back, or here to upload or generate keys.
To define and configure a Slave:
> Enter the remote IP Address (or DNS Name) for the Slave console server.
> Enter a brief Description and a short Label for the Slave (use a convention here that enables you to effectively manage large networks of clustered console servers and the connected devices).
> Enter the full number of serial ports on the Slave unit in Number of Ports.
> Click Apply. This will establish the SSH tunnel between the Master and the new Slave.
The Serial & Network: Cascaded Ports menu displays all the Slaves and the port numbers that have been allocated on the Master. If the Master console server has 16 ports of its own, then ports 1-16 are pre-allocated to the Master, so the first Slave added will be assigned port number 17 and up.
Once you have added all the Slave console servers, you can assign and access the Slave serial ports and the connected devices from the Master's Management Console menu. You can also access them through the Master's IP address.
> Select the appropriate Serial & Network: Serial Port and Edit to configure the serial ports on the Slave.
> Select the appropriate Serial & Network: Users & Groups to add new users with access privileges to the Slave serial ports (or to extend existing users' access privileges).
> Select the appropriate Serial & Network: Trusted
his section offers a quick background of Nagios and its capabilities. A complete overview, FAQ and comprehensive documentation are available at http://www.nagios.org.
Nagios does take some time to install and configure; however, once Nagios is up and running, it provides an outstanding network monitoring system. With Nagios you can:
- Display tables showing the status of each monitored server and network service in real time
- Use a wide range of freely available plug-ins to make detailed checks of specific services (for example, don't just check that a database is accepting network connections, check that it can actually validate requests and return real data)
- Display warnings and send warning e-mails, pager or SMS alerts when a service failure or degradation is detected
- Assign contact groups who are responsible for specific services in specific time frames
10.2 Central management and setting up SDT for Nagios
The Black Box Nagios solution has three parts: the Central Nagios server, Distributed Black Box console servers and the SDT for Nagios software.
[Diagram: Central Nagios Server, Distributed console servers, Client]
Central Nagios server: A vanilla Nagios 2.x or 3.x installation (typically on a Linux server), generally running on a blade, PC, virtual machine etc. at a central location. Runs a web server that displays the Nagios GUI. Imports configuration from distributed console se
[Screenshot: Network Host Nagios Settings: Host Name (Name of host in Nagios; generated using host description if unspecified), Nagios Checks (Command, Use Default Args, Delete), with New Check options Check NRPE, Check NRPE alive, Check Ping (check-host-alive), Check Permitted TCP, Check Permitted UDP, Check TCP, Check UDP, and Apply]
> Scroll down to Nagios Settings and check Enable Nagios.
> Click New Check and select Check Ping. Click check-host-alive.
> Click New Check and select Check Permitted TCP. Select Port 3389.
> Click New Check and select Check TCP. Select Port 80.
> Click New Check and select Check TCP. Select Port 443.
> Click Apply.
Similarly, you now must configure the serial port to the router to be monitored by Nagios:
> Select Serial Port from the Serial & Network menu.
> Locate the serial port that has the router console port attached and click Edit.
> Make sure the serial port settings under Common Settings are correct and match the attached router's console port.
> Click Console Server Mode and select Logging Level 1.
> Check Telnet (SSH access is not required, as SDT Connector is used to secure the otherwise insecure Telnet connection).
> Scroll down to Nagios Settings and check Enable Nagios.
> Check Port Log and Serial Status.
> Click Apply.
Now you can set the console server to send alerts to the Nagios server:
hronization action, pushing all changes to the live system.
-h --help: Display a brief usage message
-v --verbose: Log extra debug information
-d --del id: Remove the given configuration element, specified by a '.' separated identifier
-g --get id: Display the value of a configuration element
-p --path file: Specify an alternate configuration file to use. The default file is located at /etc/config/config.xml
-r --run configurator: Run the specified registered configurator. Registered configurators are listed below
-s --set id=value: Change the value of the configuration element specified by a '.' separated identifier
-e --export file: Save active configuration to file
-i --import file: Load configuration from file
-t --test-import file: Pretend to load configuration from file
-S --separator char: The pattern to separate fields with (default is '.')
-P --password id: Prompt user for a value. Hash the value, then save it in id
The registered configurators are: alerts, auth, cascade, console, dhcp, dialin, eventlog, hosts, ipaccess, ipconfig, nagios, power, serialconfig, services, slave, systemsettings, time, ups, users.
There are three ways to delete a config element value. The simplest way is to use the delete-node script, detailed later in Chapter 15. You can also assign the config element to node using -d, or delete the entire config: /bin/config -d element n
ial Port 1 is configured by default in Local Console modem mode. Conventional CAT5 cabling with RJ-45 jacks is used for serial connections. Before connecting an external device's console port to the console server serial port, confirm that the device supports the standard RS-232C (EIA-232). Black Box supplies a range of cables and adapters that may be required to connect to the more popular servers and network appliances. Call Technical Support at 724-746-5500 for details.
2.5 USB Port Connection
The LES1208A-R2, LES1216A-R2, LES1232A and LES1248A-R2 console servers each also have one USB 1.1 port on the front face and two additional USB 2.0 ports at the rear face (adjacent to the modem jack). The LES1308A, LES1316A, LES1332A, LES1348A, LES1408A, LES1416A, LES1432A and LES1448A console servers each also have one USB 1.1 port on the front face and one additional USB 2.0 port at the rear face. This USB 2.0 port is adjacent to the antenna connector and connects using the micro-AB USB cable. The LES1508A console server has two USB 2.0 ports on the front face.
The USB 2.0 ports can be used for:
- connecting to USB consoles of Managed Devices (e.g. for managing UPS supplies)
- attaching other external USB peripherals (e.g. an external USB memory stick or modem)
- adding supported Sierra Wireless cellular USB modems
- plugging in USB hubs to provide additional ports
The USB 1.1 port is best reserved for use
igure the nominated alert service.
7.5.1 Send Email alerts
The console server uses SMTP (Simple Mail Transfer Protocol) for sending the email alert notifications. To use SMTP, the Administrator must configure a valid SMTP server for sending the email.
> Select Alerts & Logging: SMTP & SMS.
SMTP Server fields: Server (The outgoing mail server address); Secure Connection (If this server uses a secure connection, specify its type); SMTP port (Specify the SMTP port; default is 25); Sender (The from address which will appear on the sent email); Username (If this server requires authentication, specify the username); Password (If this server requires authentication, specify the password); Confirm (Re-enter the password); Authentication Method (Automatic: allows authentication to be overridden should autodetection fail); Subject Line.
> In the SMTP Server field, enter the outgoing mail Server's IP address.
> If this mail server
ing
7.6.4 Auto Response event logging
7.6.5 Power device logging
POWER & ENVIRONMENTAL MANAGEMENT
8.1 Remote Power Control (RPC)
8.1.1 RPC connection
8.1.2 RPC access privileges and alerts
8.1.3 User power management
8.1.4 RPC status
8.2 Uninterruptible Power Supply Control (UPS)
8.2.1 Managed UPS connections
8.2.2 Remote UPS management
8.2.3 Controlling UPS powered computers
8.2.4 UPS alerts
8.2.5 UPS status
8.2.6 Overview of Network UPS Tools (NUT)
8.3 Environmental Monitoring
8.3.1 Connecting the EMD
8.3.2 Environmental alerts
8.3.3 Environmental status
AUTHENTICATION
9.1 Authentication Configuration
9.1.1 Local authentication
9.1.2 TACACS authentication
9.1.3 RADIUS authentication
9.1.4 LDAP authentication
9.1.5 RADIUS/TACACS User Configuration
9.1.6 Group support with remote authentication
9.1.7 Remote groups with RADIUS authentication
9.1.8 Remote groups with LDAP authentication
9.1.9 Remote groups with TACACS authentication
9.1.10 Idle timeout
9.1.11 Kerberos authentication
9.2 PAM (Pluggable Authentication Modules)
9.3 SSL Certificate
NAGIOS INTEGRATION
10.1 Nagios Overview
10.2 Central management
ing up the configuration off box
15.2 Advanced Portmanager
15.2.1 Portmanager commands
15.2.2 External Scripts and Alerts
15.3 Raw Access to Serial Ports
15.3.1 Access to serial ports
15.3.2 Accessing the console modem port
15.4 IP Filtering
15.5 Modifying SNMP Configuration
15.5.1 /etc/config/snmpd.conf
15.5.2 Adding more than one SNMP server
15.6 Secure Shell (SSH) Public Key Authentication
15.6.1 SSH Overview
15.6.2 Generating Public Keys (Linux)
15.6.3 Installing the SSH Public/Private Keys (Clustering)
15.6.4 Installing SSH Public Key Authentication (Linux)
15.6.5 Generating public/private keys for SSH (Windows)
15.6.6 Fingerprinting
15.6.7 SSH tunneled serial bridging
15.6.8 SDT Connector Public Key Authentication
15.7 Secure Sockets Layer (SSL) Support
15.8 HTTPS
15.8.1 Generating an encryption key
15.8.2 Generating a self signed certificate with OpenSSL
15.8.3 Installing the key and certificate
15.8.4 Launching the HTTPS Server
15.9 Power Strip Control
15.9.1 The PowerMan tool
15.9.2 The pmpower tool
15.9.3 Adding new RPC devices
15.10 IPMItool
15.11 Custom Development Kit (CDK)
15.12 Scripts for Managing Slaves
APPENDIX
CLI Commands and Source Code
Hardware Specification
Safety and Certifi
[Screenshot: CSR form: Email eng@myco.com (The email address of a contact person for this device); Challenge Password (An optional, dependent on CA, password); Confirm Password (Confirmation of the challenge password); Key Length 512 bits (Length of generated key in bits); Download CSR / Cancel CSR; Certificate, Browse (Certificate file issued by your CA); Upload]
After completing these steps, the console server has its own certificate that is used for identifying the console server to its users.
Note: You can find information on issuing certificates and configuring HTTPS from the command line in Chapter 15.
Chapter 10: Nagios Integration
Introduction
Nagios is a powerful, highly extensible open source tool for monitoring network hosts and services. The core Nagios software package will typically be installed on a server or virtual server, the central Nagios server. Console servers operate in conjunction with a central upstream Nagios server to distribute and monitor attached network hosts and serial devices. They embed the NSCA (Nagios Service Checks Acceptor) and NRPE (Nagios Remote Plug-in Executor) add-ons; this allows them to communicate with the central Nagios server, so you won't need a dedicated sl
inistrator client to use when connecting to the console server. User clients (who you may set up later) will also use these protocols when accessing console server serial attached devices and network attached hosts. You will need to have appropriate communications software tools set up on the Administrator (and User) PC/workstation. Black Box provides the SDT Connector Java applet as the recommended client software tool. You can use other generic tools such as PuTTY and SSHTerm. These tools are all described below as well.
3.5.1 SDT Connector
Each console server has an unlimited number of SDT Connector licenses to use with that console server.
[Diagram: SDT Connector (RDP, VNC, Telnet, HTTP client, Applications & database) connects through an SSH encrypted tunnel, with RDP, VNC, Telnet and HTTP sessions forwarded to devices, computers and service processors on the LAN]
SDT Connector is a lightweight tool that enables Users and Administrators to securely access the console server, and the various computers, network devices and appliances that may be serially or network connected to the console server. SDT Connector is a Java applet that couples the trusted SSH tunneling protocol with popular access tools such as Telnet, SSH, HTTP/HTTPS, VNC and RDP to provide point-and-click secure remote management access to all the systems and devices being managed. Information on using SDT Connector for browser access to the conso
install the sdtcon-1.n.jar and the config file defaults.xml. Once the installer completes, you will have a working SDT Connector client installed on your machine and an icon on your desktop.
> Click the SDT Connector icon on your desktop to start the client.
Note: SDT Connector is a Java application, so it must have a Java Runtime Environment (JRE) installed. You can download this for free from http://java.sun.com/j2se. It installs on Windows 2000, XP, 2003, Vista and 7 PCs, and on most Linux platforms. Solaris platforms are also supported, but they must have Firefox installed. SDT Connector can run on any system with Java 1.4.2 and above installed, but it assumes the web browser is Firefox, and that xterm -e telnet opens a telnet window.
To operate SDT Connector, you first need to add new gateways to the client software by entering the access details for each console server (refer to Section 6.2.2). Then let the client auto-configure all host and serial port connections from each console server (refer to Section 6.2.3). Finally, point and click to connect to the Hosts and serial devices (refer to Section 6.2.4). Or you can manually add network connected hosts (refer to Section 6.2.5) and manually configure new services to use to access the console server and the hosts (refer to Section 6.2.6). Then manually configure clients to run on the PC that will use the service to connect to the hosts
ion Backup menu.
> The config backup file System Name_date_config.opg will be downloaded to your PC and saved in the location you nominate.
To restore a remote backup:
> Click Browse in the Remote Configuration Backup menu and select the Backup File you want to restore.
> Click Restore and click OK. This will overwrite all the current configuration settings in your console server.
With Advanced Console Servers (LES1208A-R2, LES1216A-R2, LES1232A, LES1248A-R2) you can save the backup file locally on the console server USB storage. To do this, you must have an external USB flash drive installed.
[Screenshot: Configuration Backup, Local Backup tab: "Before saving configuration locally you must prepare the USB storage", with a link to proceed]
To backup and restore using USB:
> Make sure the USB flash is the only USB device attached to the console server, and click Prepare Storage in the Local Configuration Backup menu.
> This will set a Volume Label on the USB storage device. This preparation step is only necessary the first time, and will not affect any other information you have saved onto the USB storage device. We recommend that you back up any critical data from the USB storage device before usin
[Screenshot: New Firewall Rule form: Name (Name for the rule); Interface: Any (The interface that the rule applies to); Source MAC address; Source Address/Address Range; Destination IP Address/Address Range; Destination Port/Port Range (may be left blank); Protocol]
> Click New Firewall Rule.
> Fill in the following fields:
Name: Name the rule. This name should describe the policy the firewall rule is being used to implement (e.g. block ftp, Allow Tony).
Interface: Select the interface that the firewall rule will be applied to (i.e. Any, Dialout/Cellular, VPN, Network Interface, Dial-in etc).
Port Range: Specify the Port or range of Ports (e.g. 1000-1500) that the rule will apply to. This may be left blank for Any.
Source Address Range: Specify the source IP address (or address range) to match. IP address ranges use the format ip/netmask (where netmask is in bits 1-32). This may be left blank for Any.
(The remaining fields are Destination Range, Protocol, Direction and Action.)
Destination Range: Specify the destination IP address/address range to match. IP ad
265. ...is IEC power inlet uses a conventional IEC AC power cord, and power cords for various regions are available. Call Black Box Technical Support at 724-746-5500 for details. The North American power cord is provided by default. There is a warning notice printed on the back of each unit: "To avoid electrical shock, connect the power cord grounding conductor to ground."

724-746-5500 blackbox.com Page 22

2.2.4 LES1108A power
The LES1108A includes an external DC power supply unit. This unit accepts an AC input voltage between 100 and 250 VAC with a frequency of 50 Hz or 60 Hz. The DC power supply has an IEC AC power socket which accepts a conventional IEC AC power cord. The power cord for North America is included in the kit. The 5 VDC connector from the power supply plugs into the 5 VDC power socket on the rear of the LES1108A.

2.3 Network connection
The RJ-45 LAN ports are located on the rear panel of the LES1108A and LES1508A and on the front panel of the rack-mount console servers. Use industry-standard Cat5 cabling and connectors. Make sure that you only connect the LAN port to an Ethernet network that supports 10BASE-T/100BASE-T. To initially configure the console server you must connect a PC or workstation to the console server's principal network port, labeled NETWORK1 or LAN.

2.4 Serial Port connection
The RJ-45 serial ports are located on the rear panel of the LES1108A and on the front panel of the LES1508A and ra
266. ...ist, then the traffic coming in over the Network Interface from Tony would be blocked.

Chapter 6: Secure SSH Tunneling & SDT Connector
Introduction
Each Black Box console server has an embedded SSH server and uses SSH tunneling so remote users can securely connect through the console server to Managed Devices, using text-based console tools (such as SSH, telnet or SoL) or graphical tools (such as VNC, RDP, HTTPS, HTTP, X11, VMware, DRAC or iLO). The Managed Devices you access can be located on the same local network as the console server, or they can be attached to the console server via a serial port. The remote User/Administrator connects to the console server through an SSH tunnel via a dial-up, wireless or ISDN modem, a broadband Internet connection, the enterprise VPN network or the local network.
[Figure: Secure Remote Management and Secure Local Management; secure OoB dial-in or broadband access to network-connected and serial-connected Managed Devices]

To set up the secure SSH tunnel from the client PC to the console server, install and launch SSH client software on the User/Administrator's PC. Black Box recommends you use the SDT Connector client software supplied with the console server for this. SDT Connector is simple to install and auto-configure, and it provides all your users with point-and-click access to all the systems and devices in the secure network. With one click SDT Connector sets up a secure SSH tunnel fr
267. ...ith the engine ID.

To set the Username field (SNMP version 3 only):
  config -s config.system.snmp.username2=yourusername
replacing yourusername with the username.

To set the Password field (SNMP version 3 only):
  config -s config.system.snmp.password2=yourpassword
replacing yourpassword with the password.

Once the fields are set, apply the configuration with the following command:
  config --run snmp

You can add a third or more SNMP servers by incrementing the 2 in the above commands, e.g. config.system.snmp.protocol3, config.system.snmp.address3, etc.

15.6 Secure Shell (SSH) Public Key Authentication
This section covers how to generate public and private keys in a Linux and Windows environment and configure SSH for public key authentication. The steps to use in a Clustering environment are:
- Generate a new public and private key pair.
- Upload the keys to the Master and to each Slave console server.
- Fingerprint each connection to validate.

15.6.1 SSH Overview
Popular TCP/IP applications such as telnet, rlogin, ftp and others transmit their passwords unencrypted. Doing this across public networks like the Internet can have catastrophic consequences: it leaves the door open for eavesdropping, connection hijacking and other network-level attacks. Secure Shell (SSH) is a program to log into another computer over a network, to execute commands in a
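The clustering steps end with fingerprinting each connection. As an added example (not from this manual or the console server firmware), the following Python parses an OpenSSH public key line and produces the SHA256 and MD5 fingerprints in the same forms that ssh-keygen -l prints, so a key uploaded to a Master or Slave, or a host key presented on first connection, can be compared with a value recorded out of band. The sample key is constructed from fixed bytes and is not a real key; the function names are this example's own.

```python
"""Fingerprint SSH public keys before trusting them.

Added example; this is not part of the console server firmware. When keys are
uploaded to the Master and each Slave console server, or when a client first
connects to the console server's SSH service, the key actually in use should be
compared with a fingerprint obtained out of band (ssh-keygen -l prints the same
SHA256:... and MD5:... forms). The sample key below is constructed from fixed
bytes and is not a real key.
"""
import base64
import hashlib
import struct


def parse_pubkey_line(line: str):
    """Return (key_type, raw_blob) for an OpenSSH public key line."""
    parts = line.strip().split()
    if len(parts) < 2:
        raise ValueError("expected '<type> <base64-blob> [comment]'")
    key_type, b64 = parts[0], parts[1]
    blob = base64.b64decode(b64, validate=True)   # binascii.Error is a ValueError
    if len(blob) < 4:
        raise ValueError("blob too short")
    # The blob begins with an SSH string naming the algorithm; it has to agree
    # with the declared type, otherwise the line was edited or mis-pasted.
    (n,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + n].decode("ascii", "replace") != key_type:
        raise ValueError("key type inside blob does not match declared type")
    return key_type, blob


def fingerprint_sha256(blob: bytes) -> str:
    """OpenSSH default form: base64 of SHA-256 over the blob, '=' padding stripped."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def fingerprint_md5(blob: bytes) -> str:
    """Legacy colon-separated MD5 form, still shown by older clients."""
    return "MD5:" + ":".join(f"{b:02x}" for b in hashlib.md5(blob).digest())


def check_fingerprint(line: str, expected_sha256: str) -> bool:
    """True only if the line parses and its SHA256 fingerprint equals the recorded one."""
    try:
        _, blob = parse_pubkey_line(line)
    except ValueError:
        return False
    return fingerprint_sha256(blob) == expected_sha256


def make_ed25519_line(pub32: bytes, comment: str) -> str:
    """Build a syntactically valid ssh-ed25519 line from 32 key bytes (test data only)."""
    t = b"ssh-ed25519"
    blob = struct.pack(">I", len(t)) + t + struct.pack(">I", len(pub32)) + pub32
    return f"ssh-ed25519 {base64.b64encode(blob).decode()} {comment}"


# Constructed sample: 32 predictable bytes, not a real key.
SAMPLE_LINE = make_ed25519_line(bytes(range(32)), "user1@admin-pc")

if __name__ == "__main__":
    kt, blob = parse_pubkey_line(SAMPLE_LINE)
    print(kt, fingerprint_sha256(blob), fingerprint_md5(blob))
```

Record the SHA256 form; the MD5 form is only useful for matching output from older tools, and a fingerprint read over the same channel that delivered the key proves nothing.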
268. ...itor1.options.option1.opt=option
  config -s config.ups.monitors.monitor1.options.option1.arg=argument
  config -s config.ups.monitors.monitor1.options.total=1
  config -s config.ups.monitors.monitor1.log.enabled=on
  config -s config.ups.monitors.monitor1.log.interval=2
  config -s config.ups.monitors.monitor1.script.enabled=on

Make sure to increment the total monitors:
  config -s config.ups.monitors.total=1

The five commands below will add the UPS to Managed Devices (assuming there are already two managed devices configured):
  config -s config.devices.device3.connections.connection1.name="My UPS"
  config -s config.devices.device3.connections.connection1.type="UPS Unit"
  config -s config.devices.device3.name="My UPS"
  config -s config.devices.device3.description="UPS in room 5"
  config -s config.devices.total=3

To delete this managed UPS:
  config -d config.ups.monitors.monitor1
Decrement monitors.total when deleting a managed UPS.

Remote UPSes
To add a remote UPS with the following details (assuming this is our first remote UPS):
  UPS name: oldUPS
  Description: UPS in room 2
  Address: 192.168.50.50
  Log status: Disabled
  Log rate: 240 seconds
  Run shutdown script: Enabled

  config -s config.ups.remotes.remote1.name=oldUPS
  config -s config.ups.remotes.remote1.description="UPS in room 2"
  config -s config.ups.remotes.remote1.address=192.168.50.50
  config -d config.ups.remotes.remote
269. ...ive commands are used by the Management Console to add the RPC to Managed Devices:
  config -s config.devices.device3.connections.connection1.name=myRPC
  config -s config.devices.device3.connections.connection1.type="RPC Unit"
  config -s config.devices.device3.name=myRPC
  config -s config.devices.device3.description="RPC in room 5"
  config -s config.devices.total=3

The following command will synchronize the live system with the new configuration:
  config -a

14.11 Environmental
To configure an environmental monitor with the following details:
  Monitor name: Envi4
  Monitor Description: Monitor in room 5
  Temperature offset: 2
  Humidity offset: 5
  Enable alarm 1: yes
  Alarm 1 label: door alarm
  Enable alarm 2: yes
  Alarm 2 label: window alarm
  Logging enabled: yes
  Log interval: 120 seconds

  config -s config.ports.port3.enviro.name=Envi4
  config -s config.ports.port3.enviro.description="Monitor in room 5"
  config -s config.ports.port3.enviro.offsets.temp=2
  config -s config.ports.port3.enviro.offsets.humid=5
  config -s config.ports.port3.enviro.alarms.alarm1.alarmstate=on
  config -s config.ports.port3.enviro.alarms.alarm1.label="door alarm"
  config -s config.ports.port3.enviro.alarms.alarm2.alarmstate=on
  config -s config.ports.port3.enviro.alarms.alarm2.label="window alarm"
  config -s config.ports.port3.enviro.alarms.total=2
  config -s config.ports.port3.enviro.log.enabled=on
  config -s config.ports.port3.enviro
270. [Figure: Status: Statistics page showing the routing table (Destination, Gateway, Genmask, Flags, Interface; routes via eth0 including 192.168.254.0, 127.0.0.0 and a default gateway of 192.168.254.254) and DNS Information (resolv.conf from eth0, nameserver entry)]
> You can find detailed statistics reports by selecting the various submenus.

12.3 Support Reports
The Support Report provides useful status information that will assist the Black Box Technical Support team to solve any problems you may experience with your console server. If you do experience a problem and have to contact Technical Support, make sure you include the Support Report with your email support request. The Support Report is generated while the issue is occurring and is attached in plain text format.

[Figure: Status: Support Report page showing Firmware Version BlackBox LES12xxA Version 3.4.2 (Wed Aug 31 23:18:11 EST 2011), Uptime 2 days 16 hours 34 mins 43 secs, and IP Configuration]
271. ...k the Remote tab.
[Figure: System Properties dialog, Remote tab. Remote Assistance: "Allow Remote Assistance invitations to be sent from this computer". Remote Desktop: "Allow users to connect remotely to this computer"; Full computer name: Bigbob. "For users to connect remotely to this computer, the user account must have a password. Windows Firewall will be configured to allow Remote Desktop connections to this computer."]
> Check Allow users to connect remotely to this computer.
> Click Select Remote Users.
[Figure: Remote Desktop Users dialog. "The users listed below can connect to this computer, and any members of the Administrators group can connect even if they are not listed."]
> To set the user(s) who can remotely access the system with RDP, click Add on the Remote Desktop Users dialog box.

Note: If you need to set up new users for Remote Desktop access, open User Accounts in the Control Panel and follow the steps to nominate the new user's name, password and account type (Administrator or Limited).

Note: With Windows XP Professional and Vista you have only one Remote Desktop session, and it connects directly to the Windows root console. With Windows Serv
272. ...lectrical appliance must be placed so that its position does not interfere with its use. Placing the electrical appliance on a bed, sofa, rug or similar surface may block ventilation; it must not be placed in bookcases or cabinets that impede the flow of air through the ventilation openings. The electrical equipment must be kept away from heat sources such as radiators, heat registers, stoves or other appliances (including amplifiers) that produce heat. The electrical appliance must be connected only to a power source of the type described in the operating instructions or as indicated on the appliance. Care must be taken so that the equipment's protective earth and polarization are not defeated. Power supply cables must be routed so that they are not walked on or pinched by objects placed on or against them, paying particular attention to plugs and receptacles where they exit the appliance. The electrical equipment must be cleaned only in accordance with the manufacturer's recommendations. If there is an external antenna, it must be located away from power lines. The power cord must be disconnected when the equipment is not used for a long period of time. Care must be taken so that liquids are not spilled onto the cover or the ventilation openings. Servicing by qualified personnel must
273. [Table continued: power input per model (Dual AC, Single AC, or external AC/DC adapter) and memory (flash/RAM): 16/64 MB on most models, some with an additional 4 GB or 16 GB of storage; 8/16 MB on the smallest model]
> Unpack your kit and verify you have all the parts shown above and that they all appear in good working order.
> If you are installing the console server in a rack, you will need to attach the rack mounting brackets supplied with the unit, then install the unit in the rack. Make sure you follow the Safety Precautions listed in Appendix C.
> Connect your console server to the network, to the serial ports of the controlled devices, and to power, as outlined next.

2.1.1 Kit components: LES1508A Console Server
- LES1508A Console Server
- 2 UTP Cat5 blue cables
- DB9F-RJ45S straight and DB9F-RJ45S cross-over connectors
- Power supply, 12 VDC 1.0 A, wall mount
- Printed Quick Start Guide and this User's Manual on CD-ROM

2.1.2 Kit components: LES1308A-LES1348A and LES1408A-LES1448A Advanced Console Servers
- LES1308A, LES1316A, LES1332A, LES1348A, LES1408A, LES1416A, LES1432A or LES1448A Advanced Console Server
- 2 UTP Cat5 blue cables
- DB9F-RJ45S straight and DB9F-RJ45S cross-over connectors
- USB micro-AB adapter cable
274. ...l SSH, HTTPS and SDT Connector access to all services on the advanced console servers will use the embedded FIPS-compliant cryptographic module. To connect you must also be using cryptographic algorithms that are FIPS approved in your browser or client, or the connection will fail.
> Select the System: Administration menu option.
> Check FIPS Mode to enable FIPS mode on boot, and check Reboot to safely reboot the console server.
> Click Apply and the console server will now reboot. It will take several minutes to reconnect as secure communications with your browser are validated, and when reconnected it will display "FIPS mode: Enabled" in the banner.

Note: To enable FIPS mode from the command line, log in and run these commands:
  config -s config.system.fips=on
  touch /etc/config/FIPS
  chmod 444 /etc/config/FIPS
  flatfsd -b
The final command saves to flash and reboots the unit. The unit will take a few minutes to boot into FIPS mode. To disable FIPS mode:
  config -d config.system.fips
  rm /etc/config/FIPS
  flatfsd -b

Chapter 12: Status Reports
Introduction
This chapter describes the dashboard feature and the status reports that are available:
- Port Access and Active Users
- Statistics
- Support Reports
- Syslog
- Dashboard
Other status reports that are covered elsewhere include UPS Status (Chapter 8.2), RPC Status (Chapter 8.1) and Environmental Status (Chapter 8.3).
12
275. ...l to address new problems or concerns. Each version is given a distinguishing version number. If the Program specifies a version number of this License which applies to it and "any later version", you have the option of following the terms and conditions either of that version or of any later version published by the Free Software Foundation. If the Program does not specify a version number of this License, you may choose any version ever published by the Free Software Foundation.

10. If you wish to incorporate parts of the Program into other free programs whose distribution conditions are different, write to the author to ask for permission. For software which is copyrighted by the Free Software Foundation, write to the Free Software Foundation; we sometimes make exceptions for this. Our decision will be guided by the two goals of preserving the free status of all derivatives of our free software and of promoting the sharing and reuse of software generally.

NO WARRANTY

11. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YO
276. ...le dial-in access on the DB9 serial port from the command line with the following attributes:
  Local IP Address: 172.24.1.1
  Remote IP Address: 172.24.1.2
  Authentication Type: MSCHAPv2
  Serial Port Baud Rate: 115200
  Serial Port Flow Control: Hardware
  Custom Modem Initialization: ATQ0V1H0
  Callback phone: 0800223665
  User to dial as: user1
  Password for user: secret

Run the following commands:
  config -s config.console.ppp.localip=172.24.1.1
  config -s config.console.ppp.remoteip=172.24.1.2
  config -s config.console.ppp.auth=MSCHAPv2
  config -s config.console.speed=115200
  config -s config.console.flow=Hardware
  config -s config.console.initstring=ATQ0V1H0
  config -s config.console.ppp.enabled=on
  config -s config.console.ppp.callback.enabled=on
  config -s config.console.ppp.callback.phone1=0800223665
  config -s config.console.ppp.username=user1
  config -s config.console.ppp.password=secret

To make the dialed connection the default route:
  config -s config.console.ppp.defaultroute=on

Please note that the supported authentication types are None, PAP, CHAP and MSCHAPv2; PAP transmits the password unencrypted, so use MSCHAPv2 wherever the dialing client supports it. Supported serial port baud rates are 9600, 19200, 38400, 57600, 115200 and 230400. Supported parity values are None, Odd, Even, Mark and Space. Supported data bits values are 8, 7, 6 and 5. Supported stop bits values are 1, 1.5 and 2. Supported flow control values are Hardware, Software and None. If you do no
277. ...le server's Management Console, Telnet/SSH access to the console server command line, and TCP/UDP connections to hosts that are network-connected to the console server is in Chapter 6, Secure Tunneling. SDT Connector can be installed on Windows 2000, XP, 2003, Vista and Windows 7 PCs and on most Linux, UNIX and Solaris computers.

3.5.2 PuTTY
You can also use communications packages like PuTTY to connect to the console server command line and to connect to serially attached devices, as covered in Chapter 4. PuTTY is a freeware implementation of Telnet and SSH for Windows and UNIX platforms. It runs as an executable application without needing to be installed onto your system. PuTTY (the Telnet and SSH client itself) can be downloaded from http://www.tucows.com/preview/195286.html.

[Figure: PuTTY Configuration dialog, Session category: Host Name (or IP address) 192.168.252.202, Port 22, Connection type SSH; Saved Sessions: Default Settings; Close window on exit: Only on clean exit]

3.5.3 SSHTerm
To use PuTTY for an SSH terminal session from a Windows cli
278. ...le to access ports 1 and 2.
Example 2: User Ben is only defined on the TACACS server, which says he has access to ports 5 and 6. When he attempts to log in, a new user will be created for him and he will be able to access ports 5 and 6. If the TACACS server is down, he will have no access.
Example 3: User Paul is defined on a RADIUS server only. He has access to all serial ports and network hosts.
Example 4: User Don is locally defined on an appliance using RADIUS for AAA. Even if Don is also defined on the RADIUS server, he will only have access to those serial ports and network hosts he has been authorized to use on the appliance.

If a "no local AAA" option is selected, then root will still be authenticated locally.

You can add remote users to the admin group via either RADIUS or TACACS. Users may have a set of authorizations set on the remote TACACS server. Users automatically added by RADIUS will have authorization for all resources, whereas those added locally will still need their authorizations specified. LDAP has not been modified and will still need locally defined users.

9.1.6 Group support with remote authentication
All console servers allow remote authentication via RADIUS, LDAP and TACACS. With RADIUS and LDAP, additional restrictions can be provided on user access based on group information or membership. For example, with remote group support, RADIUS and LDAP users can belong to a local group that has been set up to hav
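As an added example (not from this manual or the console server firmware), the following Python encodes Examples 2-4 and the root rule above as a small authorization model, so the precedence between local and remote definitions can be checked case by case. The directories, user names, port and host names are constructed; the rules are the ones stated above, and the "local_aaa" flag is this example's name for the "no local AAA" option.

```python
"""Model of how a console server decides what a user may reach when local
accounts are combined with RADIUS or TACACS+ (Examples 2-4 above).

Added example; not firmware code. It encodes the stated rules: a locally
defined user gets only the locally configured ports and hosts even if the
remote server also knows the user; a TACACS-only user gets what the TACACS
server returns and nothing at all if that server is down; a RADIUS-only user is
authorized for all resources; root is always authenticated locally, even when
the "no local AAA" option is selected. Users, ports and hosts are constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, Optional

ALL = frozenset({"*"})          # shorthand for all serial ports and network hosts


@dataclass
class Directory:
    """One user store: the local database, a RADIUS server or a TACACS+ server."""
    kind: str                                     # "local", "radius" or "tacacs"
    users: Dict[str, FrozenSet[str]] = field(default_factory=dict)
    reachable: bool = True


def authorize(user: str, local: Directory, remote: Optional[Directory],
              local_aaa: bool = True) -> Optional[FrozenSet[str]]:
    """Resources the user may access, or None when access is denied."""
    if user == "root" or local_aaa:               # root bypasses "no local AAA"
        if user in local.users:                   # Example 4: local definition wins
            return local.users[user]
    if remote is None or not remote.reachable:    # Example 2: server down, no access
        return None
    if user not in remote.users:
        return None
    if remote.kind == "radius":                   # Example 3: RADIUS users get everything
        return ALL
    return remote.users[user]                     # TACACS carries explicit authorizations


def can_access(user: str, resource: str, local: Directory,
               remote: Optional[Directory], local_aaa: bool = True) -> bool:
    grants = authorize(user, local, remote, local_aaa)
    return grants is not None and ("*" in grants or resource in grants)


# Constructed directories mirroring the manual's examples.
LOCAL = Directory("local", {"root": ALL, "don": frozenset({"port3", "host:web1"})})
TACACS = Directory("tacacs", {"ben": frozenset({"port5", "port6"})})
RADIUS = Directory("radius", {"paul": frozenset(), "don": frozenset({"port1"})})
TACACS_DOWN = Directory("tacacs", TACACS.users, reachable=False)

if __name__ == "__main__":
    print(authorize("ben", LOCAL, TACACS), authorize("ben", LOCAL, TACACS_DOWN))
```

The model makes the practical consequence of Example 3 visible: a RADIUS-only account is not scoped by the RADIUS server at all, so on an appliance using RADIUS, any restriction must be applied by defining the user locally (or through the group support described next).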
279. ...lect Telnet client as the Client. Enter 2002 in TCP Port. Click OK, then Close, and Close again.
[Figure: SDT Connector Add Service dialog, Service Name "Serial Port 2"; Add Port Redirection: Client "Telnet client", TCP Port 2002]
> Assuming you have already set up the target console server as a gateway in your SDT Connector client (with username, password, etc.), select this gateway and click the Host icon to create a host. Or select File > New Host.
> Enter 127.0.0.1 as the Host Address and select Serial Port 2 for Service. In Descriptive Name, enter something such as "Loopback ports" or "Local serial ports". Click OK.
> Click the Serial Port 2 icon for Telnet access to the serial console on the device attached to serial port 2 on the gateway.

To enable SDT Connector to access devices connected to the gateway's serial ports, you must also configure the console server itself to allow port-forwarded network access to itself, and enable access to the nominated serial port:
> Browse to the console server and select Serial Port from Serial & Network.
> Click Edit next to the selected Port (for example Port 2 if the target device is attached to the second serial port). Make sure the port's serial configuration is appropriate for the attached de
280. ...log.interval=120

Assign alarms.total=2 even if the alarms are off.

The following 5 commands will add the environmental monitor to Managed Devices. To get the total number of managed devices:
  config -g config.devices.total
Make sure you use total+1 for the new device below:
  config -s config.devices.device5.connections.connection1.name=Envi4
  config -s config.devices.device5.connections.connection1.type="EMD Unit"
  config -s config.devices.device5.name=Envi4
  config -s config.devices.device5.description="Monitor in room 5"
  config -s config.devices.total=5

The following command will synchronize the live system with the new configuration:
  config -a

14.12 Managed Devices
To add a managed device (also see UPS, RPC connections and Environmental):
  config -s config.devices.device8.name="my device"
  config -s config.devices.device8.description="The eighth device"
  config -s config.devices.device8.connections.connection1.name="my device"
  config -s config.devices.device8.connections.connection1.type=<serial | Host | UPS | RPC>
  config -s config.devices.total=8
(decrement this value when deleting a managed device)

To delete the above managed device:
  config -d config.devices.device8

The following command will synchronize the live system with the new configuration:
  config -a

14.13 Port Log
To configure serial/network port logging:
  config -s config.eventlog.serve
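The UPS, RPC, environmental and generic Managed Device procedures above all follow the same pattern: read config.devices.total, use total+1 as the new device index, write the new total, and run config -a. As an added example (not part of this manual or the console server firmware), the following Python builds that command sequence so the index and the total cannot drift apart; it only prints the lines for you to run on the console server shell. The single-quoting of values, the function names and the accepted connection-type list are this example's own choices.

```python
"""Build the config CLI command sequence for adding or deleting a Managed
Device, keeping the device index and config.devices.total consistent.

Added example; not part of the console server firmware. The rules it encodes
are the manual's: read the current total with 'config -g config.devices.total',
give the new device index total+1, set total to the new count, and finish with
'config -a' so the live system picks up the change. The script only builds the
lines; you paste them into the console server shell. Single-quoting of values
is a shell convention assumed here, not something the manual prescribes.
"""
from typing import List, Optional

# Connection types the manual uses for connection1.type (assumed complete list).
CONNECTION_TYPES = ("serial", "Host", "UPS Unit", "RPC Unit", "EMD Unit")


def shell_quote(value: str) -> str:
    """Single-quote a value so 'UPS in room 5' reaches config as one argument."""
    return "'" + value.replace("'", "'\\''") + "'"


def add_device_commands(current_total: int, name: str, description: str,
                        connection_type: str,
                        connection_name: Optional[str] = None) -> List[str]:
    """Commands that add a device in slot total+1 and bump the total."""
    if connection_type not in CONNECTION_TYPES:
        raise ValueError(f"unknown connection type {connection_type!r}")
    if current_total < 0:
        raise ValueError("total cannot be negative")
    index = current_total + 1                      # next free deviceN slot
    prefix = f"config.devices.device{index}"
    conn = connection_name or name
    return [
        f"config -s {prefix}.connections.connection1.name={shell_quote(conn)}",
        f"config -s {prefix}.connections.connection1.type={shell_quote(connection_type)}",
        f"config -s {prefix}.name={shell_quote(name)}",
        f"config -s {prefix}.description={shell_quote(description)}",
        f"config -s config.devices.total={index}",
        "config -a",
    ]


def delete_device_commands(current_total: int, index: int) -> List[str]:
    """Delete deviceN and decrement the total, as the manual requires."""
    if not 1 <= index <= current_total:
        raise ValueError("device index out of range")
    return [
        f"config -d config.devices.device{index}",
        f"config -s config.devices.total={current_total - 1}",
        "config -a",
    ]


if __name__ == "__main__":
    # The manual's environmental example: Envi4 becomes device5 when 4 exist.
    print("\n".join(add_device_commands(4, "Envi4", "Monitor in room 5", "EMD Unit")))
```

Run config -g config.devices.total on the unit first and pass its value as current_total; generating from a stale count produces a device that overwrites an existing slot.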
281. ...loglevel <debug | info | warn | error | alert>
Change which configuration file it uses: -c /etc/config/portmanager.conf

Signals
Sending a SIGHUP signal to the portmanager will cause it to re-read its configuration file.

15.2.2 External Scripts and Alerts
The portmanager can execute external scripts on certain events.

When the portmanager opens a port:
It attempts to execute /etc/config/scripts/portXX.init, where XX is the number of the port, e.g. 08. The script is run with STDIN and STDOUT both connected to the serial port. If the script cannot be executed, then portmanager will execute /etc/config/scripts/portXX.chat via the chat command on the serial port.

When an alert occurs on a port:
The portmanager will attempt to execute /etc/config/scripts/portXX.alert, where XX is the port number, e.g. 08. The script is run with STDIN containing the data which triggered the alert and STDOUT redirected to /dev/null, NOT to the serial port. If you want to communicate with the port, use pmshell or pmchat from within the script. If the script cannot be executed, then the alert will be mailed to the address configured in the System: Administration section.

When a user connects to any port:
If a file called /etc/config/pmshell.start.sh exists, it is run when a user connects to a port. It is provided 2 arguments: the port number and the username. Here is a simple example (/etc/config/pmshell.st
282. [Figure: VNC Viewer connection options: Colors (Low <19 kbit/s, 8 colors), View Only, Auto Scaling, Use DSMPlugin (No Plugin detected), Proxy/Repeater, Save connection settings as default, Delete saved settings]
> To establish the VNC connection, simply activate the VNC Viewer software on the Viewer PC and enter the password.
[Figure: VNC Authentication dialog, Password field]

Note: For general background reading on Remote Desktop and VNC access, we recommend the following:
- The Microsoft Remote Desktop How-To: http://www.microsoft.com/windowsxp/using/mobility/getstarted/remoteintro.mspx
- The Illustrated Network Remote Desktop help page: http://theillustratednetwork.mvps.org/RemoteDesktop/RemoteDesktopSetupandTroubleshooting.html
- What is Remote Desktop in Windows XP and Windows Server 2003, by Daniel Petri: http://www.petri.co.il/what's_remote_desktop.htm
- Frequently Asked Questions about Remote Desktop: http://www.microsoft.com/windowsxp/using/mobility/rdfaq.mspx
- Secure remote access of a home network using SSH, Remote Desktop and VNC for the home user: http://theillustratednetwork.mvps.org/RemoteDesktop/SSH-RDP-VNC/RemoteDesktopVNCandSSH.html
- Taking your desktop virtual with VNC, Red Hat Magazine: http://www.redhat.com/magazine/006apr05/features/vnc/ and http://www.redhat.com/magazine/007may05/features/vnc/
- Wikipedia general background on VNC: http://en.wikipedia.org/wiki/VNC

6.10 Using SDT
283. ...m on the remote PC/workstation and the SSH server in the console server. By default SSH is enabled. For more information on SSH configuration refer to Chapter 9, Authentication.
> You can configure related service options at this stage:
SNMP: This will enable net-snmp in the console server, which will keep a remote log of all posted information. SNMP is disabled by default. This SNMP service is only available in rackmount models. To modify the default SNMP settings the Administrator must make the edits at the command line, as described in Chapter 15, Advanced Configuration.
TFTP: This service will set up the default tftp server on the USB flash card and is relevant to LES1508A, LES1408A, LES1416A, LES1432A, LES1448A, LES1308A, LES1316A, LES1332A, LES1348A, LES1208A-R2, LES1216A-R2, LES1232A and LES1248A-R2 console servers only. This server can be used to store config files and maintain access and transaction logs, etc. TFTP provides no authentication or encryption, so restrict which interfaces and networks can reach it using Service Access and the firewall.
Ping: The "Respond to ICMP echos" (i.e. ping) option allows the console server to respond to incoming ICMP echo requests. Ping is enabled by default. For security reasons you should disable this service after initial configuration.
Nagios: Access to the Nagios NRPE monitoring daemons (refer to Chapter 8).
NUT: Access to the NUT UPS monitoring daemon (refer to Chapter 10).
284. ...me or IP and port number.
--ca <file name>: Enter the CA certificate file name and location. The same CA certificate file can be used by the server and all clients. Note: ensure each \ in the directory path is replaced with /. For example, c:\openvpnkeys\ca.crt will become c:/openvpnkeys/ca.crt.
--cert <file name>: Enter the client's or server's certificate file name and location. Each client should have its own certificate and key files. Note: ensure each \ in the directory path is replaced with /.
--key <file name>: Enter the file name and location of the client's or server's key. Each client should have its own certificate and key files. Note: ensure each \ in the directory path is replaced with /.
--dh <file name>: This is used by the server only. Enter the path to the file with the Diffie-Hellman parameters.
--nobind: Nobind is used when clients do not need to bind to a local address or specific local port number. This is the case in most client configurations.
--persist-key: This option prevents the reloading of keys across restarts.
--persist-tun: This option prevents the close and reopen of TUN/TAP devices across restarts.
--cipher BF-CBC (Blowfish), --cipher AES-128-CBC (AES) or --cipher DES-EDE3-CBC (Triple DES): Select a cryptographic cipher. The client and server must use the same setting. Of the three, prefer AES-128-CBC: Blowfish and Triple DES are 64-bit block ciphers, which limits how much traffic one key can safely protect.
--comp-lzo: Enable compression on the OpenVPN link. This must be enabled on both th
285. ...mes to attempt an update before giving up (defaults to 3).

3.4 System Services
The Administrator can access and configure the console server and connected devices using a range of access protocols/services, and for each such access the particular service must be running, with access through the firewall enabled. Service Access specifies which access protocols/services can be used to access the console server and connected serial ports. By default HTTP, HTTPS, Telnet and SSH services are running, and these services are enabled on all network interfaces. However, again by default, only HTTPS and SSH access to the console server is enabled, while HTTP and Telnet access is disabled. For other services such as SNMP, Nagios NRPE and NUT, the service must first be started on the relevant network interface using Service Settings. Then Service Access can be set to allow or block access.

3.4.1 Service Access
To change the access settings:
> Select the Service Access tab on the System: Services page. This displays the services currently enabled for the console server's network interfaces. Depending on the particular console server model, the interfaces displayed may include: Network interface (for the principal Ethernet connection), Dial-out/V.90 and cellular modem
286. ...n el; see the hardware compatibility list for
[Figure: Add UPS form: New Option, Log Status ("Periodically log UPS status"), Log Rate (minutes between samples, 15), Apply]
Select if the UPS will be Connected Via USB, over a pre-configured serial port, or via SNMP/HTTP/HTTPS over the pre-configured network Host connection. When you select a network UPS connection, the corresponding Host Name/Description that you set up for that connection will be entered as the Name and Description for the power device. If you selected to Connect Via a USB or serial connection, then you will need to enter a Name and Description for the power device, and these details will also be used to create a new Managed Device entry for the serial/USB connected UPS device.

Enter the login details. This Username and Password is used by slaves of this UPS (that is, other computers that are drawing power through this UPS) to connect to the console server to monitor the UPS status so they can shut themselves down when battery power is low. Monitoring will typically be performed using the upsmon client running on the slave server (refer to Section 8.2.3).

Note: These login credentials are not related to the Users and access privileges you configured in Serial & Network: Users & Groups.
> If you have multiple UPSes and require them to be shut down in a specific order, spe
287. ...n
> Select the connection type for the new connection (Serial, Network Host, UPS or RPC), and then select the specific connection from the presented list of configured, unallocated hosts/ports/outlets.

To add a new network-connected Managed Device:
> The Administrator adds a new network-connected Managed Device using Add Host on the Serial & Network: Network Host menu. This automatically creates a corresponding new Managed Device, as covered in Section 4.4, Network Hosts.
> When adding a new network-connected RPC or UPS power device, you set up a Network Host, designate it as RPC or UPS, then go to RPC Connections or UPS Connections to configure the relevant connection. A corresponding new Managed Device with the same Name/Description as the RPC/UPS Host is not created until you complete this connection step (refer to Chapter 8, Power and Environment).

Note: The outlet names on this newly created PDU will by default be Outlet 1 and Outlet 2. When you connect a particular Managed Device that draws power from the outlet, the outlet will take the powered Managed Device's name.

To add a new serially connected Managed Device:
> Configure the serial port using the Serial & Network: Serial Port menu (refer to Section 4.1, Configure Serial Port).
> Select Serial & Network: Managed Devices and click Add Device. Enter a Device Nam
288. ...n /etc/config/powerstrips.xml. If an action is attempted which has not been configured for a specific Power Device, pmpower will exit with an error.

15.9.3 Adding new RPC devices
There are a number of simple paths to adding support for new RPC devices.

The first is to have scripts to support the particular RPC included in either the open source PowerMan project (http://sourceforge.net/projects/powerman) or the open source NUT UPS Tools project. The PowerMan device specifications are rather weird, and it is suggested that you leave the actual writing of these scripts to the PowerMan authors. Documentation on how they work can be found at http://linux.die.net/man/5/powerman.dev. The Network UPS Tools (NUT) project has recently moved on from its UPS management origins to also cover SNMP PDUs and embrace PowerMan. Black Box progressively includes the updated PowerMan and NUT builds in the console server firmware releases.

The second path is to directly add support for the new RPC devices, or to customize the existing RPC device support, on your particular console server. The Manage: Power page uses information contained in /etc/powerstrips.xml to configure and control devices attached to a serial port. The configuration also looks for and loads /etc/config/powerstrips.xml if it exists. The user can add their own support for more devices by putting definitions for them into /etc/config/powerstrips.xml. This file c
289. [Figure labels: n on Management LAN, IPsec VPN Client, Remote]

Configuration of IPsec is quite complex, so the LES1508A, LES1408A, LES1416A, LES1432A, LES1448A, LES1308A, LES1316A, LES1332A, LES1348A, LES1208A-R2, LES1216A-R2, LES1232 and LES1248A-R2 console servers provide a simple GUI interface for basic set up, as described below. However, for more detailed information on configuring Openswan IPsec at the command line and interconnecting with other IPsec VPN gateways and road warrior IPsec software, refer http://wiki.openswan.org.

4.9.1 Enable the VPN gateway
> Select IPsec VPN on the Serial & Networks menu.
> Click Add and complete the Add IPsec Tunnel screen.
> Enter any descriptive name you wish to identify the IPsec Tunnel you are adding, such as WestStOutlet-VPN.
[Screenshot: Serial & Network: Add IPsec Tunnel page]
> Select the Authentication Method to be used, either RSA digital signatures or a Shared secret (PSK).
  o If you select RSA you will be asked to click here to generate keys. This will generate an RSA public key for the console server (the Left Public Key). You will need to find out the key to be used on the remote gateway, then cut and paste it into the Right Public Key.
  o If you select Shared secret you will need to enter a Pre-shared secret (PSK). The PSK must match the PSK configured at the other end of the tunnel.
> In Authentication Protocol select the authentica
290. n also use the special characters _ and . There are no restrictions on the characters that you can use in the user Password; each can contain up to 254 characters. Only the first eight Password characters are used to make the password hash.
> Specify which Group or Groups you want the user to join.
> SSH pass key authentication can be used. This is more secure than password based authentication. Paste the public keys of authorized public/private keypairs for this user in the Authorized SSH Keys field.
> Check Disable Password Authentication if you wish to only allow public key authentication for this user when using SSH.
> Check Enable Dial-Back in the Dial-in Options menu to allow an outgoing dial-back connection to be triggered by logging into this port. Enter the Dial-Back Phone Number with the phone number to call back when the user logs in.
> Check specific Accessible Hosts and/or Accessible Ports to nominate the serial ports and network connected hosts you want the user to have access privileges to.
> If there are configured RPCs you can check Accessible RPC Outlets to specify which outlets the user is able to control (that is, Power On/Off).
> Click Apply. The new user can now access the Network Devices, Ports and RPC Outlets you nominated as accessible. Plus, if the user is a Group member they can also access any other device/port/outlet that was set up as accessible to th
291. n and integration into existing Microsoft infrastructure. It is generally used for connecting single remote Windows clients. If you take your portable computer on a business trip, you can dial a local number to connect to your Internet access service provider (ISP) and then create a second connection (tunnel) into your office network across the Internet, and have the same access to your corporate network as if you were connected directly from your office. Similarly, telecommuters can also set up a VPN tunnel over their cable modem or DSL links to their local ISP.

To set up a PPTP connection:
1. Enable and configure the PPTP VPN server on your console server.
2. Set up VPN user accounts on the console server and enable the appropriate authentication.
3. Configure the VPN clients at the remote sites. The client does not require special software, as the PPTP Server supports the standard PPTP client software included with Windows XP, NT, 2000, 7 and Vista.
4. Connect to the remote VPN.

4.11.1 Enable the PPTP VPN server
> Select PPTP VPN on the Serial & Networks menu.
[Screenshot: Serial & Network: PPTP Server page with Enable (Enable the PPTP server), Minimum Authentication Required (None, least secure, shown selected) and Required Encryption Level fields]
292. n is not adequate for your needs, you can bypass it safely by creating a file at /etc/config/filter-custom containing commands to build a specialized firewall. This firewall script will run whenever the LAN interface is brought up (including initially) and will override any automated system firewall settings.

Below is a simple example of a custom script that creates a firewall using the iptables command. Only incoming connections from computers on a C-class network 192.168.10.0 will be accepted when this script is installed at /etc/config/filter-custom. Note that when this script is called, any preexisting chains and rules have been flushed from iptables.

    #!/bin/sh
    # Set default policies to drop any incoming or routable traffic
    # and blindly accept anything from the 192.168.10.0 network.
    iptables --policy FORWARD DROP
    iptables --policy INPUT DROP
    iptables --policy OUTPUT ACCEPT
    # Allow responses to outbound connections back in.
    iptables --append INPUT --match state --state ESTABLISHED,RELATED --jump ACCEPT
    # Explicitly accept any connections from computers on 192.168.10.0/24.
    iptables --append INPUT --source 192.168.10.0/24 --jump ACCEPT

There's good documentation about using the iptables command at the Linux netfilter website: http://netfilter.org/documentation/index.html. There are also many high quality tutorials and HOWTOs available via the netfilter website; in particular, peruse the tutorials listed on the netfilter HOWTO
293. n send IOS commands through the USB console port remotely using a browser and the console server's built-in AJAX terminal, or monitor messages from the Cisco USB console ports and take rule book actions using the console server's built-in Auto Response capabilities.

For configuration and control these USB consoles are presented as new serial ports on the Serial & Network: Serial Port menu. So for an LES1508A any Cisco USB console ports would present as Port 9 and 10. Common Settings such as baud rate are ignored when configuring the Cisco USB serial port. However, you can apply all the Console Server Mode, Syslog and Serial Bridging settings to this port.

Note: The Cisco USB console is auto-detected and the new serial port numbers are created. However, it must be manually configured on initial connection. Any subsequent USB console disconnection is auto-detected. USB console re-connection on the same physical USB port will also be auto-detected, but only if the console server has been power cycled.

4.2 Add/Edit Users

The Administrator uses this menu selection to set up, edit and delete users, and to define the access permissions for each of these users.
[Screenshot: Serial & Network: Users & Groups page with Add Group button]
Users can be authorized to access specified console server serial ports and specified network attached ho
294. n the Management Console. Italic text indicates a text command you enter at the command line level.

Publishing history
Date            Revision  Update details
September 2011  1.1       Prerelease
October 2011    2.0       Release for V2.8 firmware and later
December 2012   3.0       Release for V3.5 firmware and later

Copyright Black Box Corporation 2011. All Rights Reserved. Information in this document is subject to change without notice and does not represent a commitment on the part of Black Box. Black Box provides this document "as is", without warranty of any kind, either expressed or implied, including but not limited to the implied warranties of fitness or merchantability for a particular purpose. Black Box may make improvements and/or changes in this manual or in the product(s) and/or the program(s) described in this manual at any time. This manual could include technical inaccuracies or typographical errors. Changes are periodically made to the information herein; these changes may be incorporated in new editions of the publication.

Notice to Users: Use proper back-up systems and necessary safety devices to protect against injury, death or property damage caused by system failure. This protection is the user's responsibility. This device is not approved for use as a life support or medical system. Any changes or modifications made to this device witho
295. name custom attribute of the raccess service. An example Linux tac_plus config snippet might look like:

    user = myuser {
        service = raccess {
            groupname = users
            groupname1 = routers
            groupname2 = dracs
        }
    }

You may also specify multiple groups in one comma-delimited value (e.g. groupname = users,routers,dracs), but be aware that the maximum length of the attribute value string is 255 characters. To use an attribute name other than groupname, set Authentication > TACACS > TACACS Group Membership Attribute.

9.1.10 Idle timeout

You can specify the amount of time in minutes the console server waits before it terminates an idle ssh, pmshell or web connection.
[Screenshot: Serial & Network: Authentication page with Web Management Session Timeout (Web Management session idle timeout in minutes), CLI Management Session Timeout (CLI Management session idle timeout in minutes) and Console Server Session Timeout (Serial console server session idle timeout in minutes) fields]
> Select Serial and Network: Authentication.
> Web Management Session Timeout specifies the browser console session idle timeout in minutes. The default setting is 20 minutes.
> CLI Management Session Timeout specifies the ssh console session idle timeout in minutes. The default setting is to never expire.
> Console Server Session Timeout specifies the pmshell serial console server session idle timeout in minutes. The default setting is to never expire.

9.1.11 Kerberos
296. network IP address preserved. This soft reset disconnects all users and ends any established SSH sessions. A soft reset will also occur when you switch OFF power from the console server and then switch the power back ON. If you cycle the power and the unit is writing to flash, you could corrupt or lose data, so rebooting the software is the safer option.

A hard erase (hard reset) is performed by:
> Pushing the Erase button on the rear panel twice. A ball point pen or bent paper clip is a suitable tool for this procedure. Do not use a graphite pencil. Press the button gently twice (within a couple of seconds) while the unit is powered ON. This will reset the console server back to its factory default settings and clear the console server's stored configuration information.

The hard erase will clear all custom settings and return the unit back to factory default settings (i.e. the IP address will be reset to 192.168.0.1). You will be prompted to log in and must enter the default administration username and administration password:
Username: root
Password: default
[Screenshot: browser login prompt "Connect to 192.168.0.1"]

11.2 Upgrade Firmware

Before upgrading, make sure you are already running the most current firmware in your gateway. Your console server will not allow you to upgrade to the same or
297. network attached host:
> Add the new host and the permitted services using the Serial & Network: Network Hosts menu, as detailed in Network Hosts (Chapter 4.4). Only these permitted services will be forwarded through by SSH to the host. All other services (TCP/UDP ports) will be blocked.

Note: Following are some of the TCP Ports used by SDT in the console server:
22    SSH (All SDT Tunneled connections)
23    Telnet on local LAN (forwarded inside tunnel)
80    HTTP on local LAN (forwarded inside tunnel)
3389  RDP on local LAN (forwarded inside tunnel)
5900  VNC on local LAN (forwarded inside tunnel)
73XX  RDP over serial from local LAN, where XX is the serial port number (that is, 7301 to 7348 on a 48 port console server)
79XX  VNC over serial from local LAN, where XX is the serial port number

> Add the new Users using the Serial & Network: Users & Groups menu, as detailed in Network Hosts (Chapter 4.4). Users can be authorized to access the console server ports and specified network attached hosts. To simplify configuration, the Administrator can first set up Groups with group access permissions, then Users can be classified as members of particular Groups.

6.2 SDT Connector Client Configuration

The SDT Connector client works with all Black Box console servers. Each of these remote console servers has an embedded OpenSSH based server that you can configure to port forward connections from the SDT Connector client to hosts
298. ng Serial Bridge Settings
Serial Bridging Mode: Create a network connection to a remote serial port via RFC 2217.
Server Address: The network address of an RFC 2217 server to connect to.
Server TCP Port: The TCP port the RFC 2217 server is serving on.
RFC 2217: Enable RFC 2217 access.
SSH Tunnel: Redirect the serial bridge over an SSH tunnel to the server.

Next, you will need to set up SSH keys for each end of the tunnel and upload these keys to the Server and Client console servers.

Client Keys
The first step in setting up ssh tunnels is to generate keys. Ideally, you will use a separate, secure machine to generate and store all keys to be used on the console servers. If this is not ideal for your situation, keys may be generated on the console servers themselves. It is possible to generate only one set of keys and reuse them for every SSH session. While we do not recommend this, each organization will need to balance the security of separate keys against the additional administration they bring. Generated keys may be one of two types, RSA or DSA, and it is beyond the scope of this document to recommend one over the other. RSA keys will go into the files id_rsa and id_rsa.pub. DSA keys will be stored in the files id_dsa and id_dsa.pub. For simplicity going forward, the term private key will be used to refer to either id_rsa or id_dsa, and public key to refer to either id_rsa.pub or
299. ng, distributing or modifying the Program or works based on it.

6. Each time you redistribute the Program (or any work based on the Program), the recipient automatically receives a license from the original licensor to copy, distribute or modify the Program subject to these terms and conditions. You may not impose any further restrictions on the recipients' exercise of the rights granted herein. You are not responsible for enforcing compliance by third parties to this License.

7. If, as a consequence of a court judgment or allegation of patent infringement or for any other reason (not limited to patent issues), conditions are imposed on you (whether by court order, agreement or otherwise) that contradict the conditions of this License, they do not excuse you from the conditions of this License. If you cannot distribute so as to satisfy simultaneously your obligations under this License and any other pertinent obligations, then as a consequence you may not distribute the Program at all. For example, if a patent license would not permit royalty-free redistribution of the Program by all those who receive copies directly or indirectly through you, then the only way you could satisfy both it and this License would be to refrain entirely from distribution of the Program. If any portion of this section is held invalid or unenforceable under any particular circumstance, the balance of the section is intended to apply and t
300. nnection. Activate your preferred browser on the connected PC/workstation and enter https://192.168.0.1. The Management Console supports all current versions of the popular browsers (Internet Explorer, Mozilla Firefox, Chrome and more).
> You will be prompted to log in. Enter the default administration username and administration password:
Username: root
Password: default
[Screenshot: browser login prompt "Connect to 192.168.0.1"]

Note: Console servers are factory configured with HTTPS access enabled and HTTP access disabled.
[Screenshot: "Welcome to the BlackBox Management Console" page listing the initial configuration steps: change the default administration password, configure the local network settings on the System menu, configure the cellular modem connection, allow forwarding to the Dialout/Cellular destination network, enable IP masquerading for Dialout/Cellular]
301. nome/KDE etc. front end; for example, with Red Hat Enterprise Linux 4 there's VNC Server software and a choice of Viewer client software, and to launch:
> Select the Remote Desktop entry in the Main Menu > Preferences menu.
> Click the Allow other users checkbox to allow remote users to view and control your desktop.
[Screenshot: Remote Desktop Preferences dialog. Sharing: Allow other users to view your desktop; Allow other users to control your desktop; Users can view your desktop using this command: vncviewer hoopoe.elk:0. Security: When a user tries to view or control your desktop: Ask you for confirmation; Require the user to enter this password]
> To set up a persistent VNC server on Red Hat Enterprise Linux 4:
  o Set a password using vncpasswd.
  o Edit /etc/sysconfig/vncservers.
  o Enable the service with chkconfig vncserver on.
  o Start the service with service vncserver start.
  o Edit /home/username/.vnc/xstartup if you want a more advanced session than just twm and an xterm.

C. For Macintosh servers (and clients):
  o OSXvnc (http://www.redstonesoftware.com/vnc.html) is a robust, full-featured VNC server for Mac OS X that allows any VNC client to remotely view and/or control the Mac OS X machine. OSXvnc is supported by Redstone Software.

D. Most other operating systems (Solaris, HPUX, PalmOS etc.) either come with V
302. not enable IPMI for remote access without setting a password, and that that password should not be the same as any other password on that system. When an IPMI password is changed on a remote machine with the IPMIv1.5 lan interface, the new password is sent across the network as clear text. This could be observed and then used to attack the remote system. We recommend that IPMI password management only be done over the IPMIv2.0 lanplus interface or the system interface on the local station. For IPMI v1.5, the maximum password length is 16 characters. Passwords longer than 16 characters will be truncated. For IPMI v2.0, the maximum password length is 20 characters; longer passwords are truncated.

COMMANDS
help  This can be used to get command-line help on ipmitool commands. It may also be placed at the end of commands to get option usage help.

    ipmitool help
    Commands:
      raw      Send a RAW IPMI request and print response
      lan      Configure LAN Channels
      chassis  Get chassis status and set power state
      event    Send pre-defined events to MC
      mc       Management Controller status and global enables
      sdr      Print Sensor Data Repository entries and readings
      sensor   Print detailed sensor information
      fru      Print built-in FRU and scan SDR for FRU locators
      sel      Print System Event Log (SEL)
      pef      Configure Platform Event Filtering (PEF)
      sol      Configure IPMIv2.0 Serial-over-LAN
      isol     Configure IPMIv1.5 Serial-over-LAN
      user     Configure Management Controller users
      channel
303. nrpe_daemon

Serial Status

    define command {
        command_name check_serial_status
        command_line $USER1$/check_nrpe -H 192.168.254.147 -p 5666 -c check_serial_$HOSTNAME$
    }
    define service {
        service_description Serial Status
        host_name server
        use generic-service
        check_command check_serial_status
    }
    define service {
        service_description serial-signals-server
        host_name server
        use generic-service
        check_command check_serial_status
        active_checks_enabled 0
        passive_checks_enabled 1
    }
    define servicedependency {
        name Black Box_nrpe_daemon_dep
        host_name Black Box
        dependent_host_name server
        dependent_service_description Serial Status
        service_description NRPE Daemon
        execution_failure_criteria w,u,c
    }

Port Log

    define command {
        command_name check_port_log
        command_line $USER1$/check_nrpe -H 192.168.254.147 -p 5666 -c port_log_$HOSTNAME$
    }
    define service {
        service_description Port Log
        host_name server
        use generic-service
        check_command check_port_log
    }
    define service {
        service_description port-log-server
        host_name server
        use generic-service
        check_command check_port_log
        active_checks_enabled 0
        passive_checks_enabled 1
    }
    define servicedependency {
        name Black Box_nrpe_daemon_dep
        host_name Black Box
        dependent_host_name server
        dependent_service_description Port Log
        service_description NRPE Daemon
        execution_failure_criteria w,u,c
    }

Ping

    define command {
        command_name check_ping_via_Black Box
        comm
304. nselect all Ports
[Screenshot: Serial & Network: Trusted Networks rule page with Port 1 to Port 8 checkboxes, Network Address (The IP Address of the subnet to permit), Network Mask (The subnet mask for the permitted IP range) and Description (A brief explanation of this entry) fields]
> Select the Accessible Port(s) that the new rule is to be applied to.
> Then enter the Network Address of the subnet to be permitted access.
> Then specify the range of addresses that are to be permitted by entering a Network Mask for that permitted IP range, for example:
  To permit all the users located with a particular Class C network (for example 204.15.5.0) connection to the nominated port, then you would add the following Trusted Network New Rule:
    Network Address 204.15.5.0
    Network Mask 255.255.255.0
  If you want to permit only the one user who is located at a specific IP address (for example 204.15.5.13, say) to connect:
    Network Address 204.15.5.0
    Network Mask 255.255.255.255
  If however you want to allow all the users operating from within a specific range of IP addresses (for example any of the thirty addresses from 204.15.5.129 to 204.15.5.158) to be permitted connection to the nominated port:
    Host/Subnet Address 204.15.5.128
    Subnet Mask 255.255.255.224
305. ntly there is a script /etc/scripts/alert-email that runs from within all the alert scripts (for example portmanager-user-alert or environmental-alert). The alert-email script sends the email. The line that invokes the email script is as follows:

    /bin/sh /etc/scripts/alert-email $suffix &

If you want to send another email to a single address, or the same email to many recipients, edit the custom script appropriately. You can follow the examples in any of the seven alert scripts listed above. In particular, consider the portmanager-user-alert script. If you need to send the same alert email to more than one email address, find the lines in the script responsible for invoking the alert-email script, then add the following lines below the existing lines:

    export TOADDR="emailaddress@domain.com"
    /bin/sh /etc/scripts/alert-email $suffix &

These two lines assign a new email address to TOADDR and invoke the alert-email script in the background.

15.1.5 Deleting Configuration Values from the CLI

The delete-node script is provided to help with deleting nodes from the command line. The delete-node script takes one argument, the node name you want to delete (for example config.users.user1 or config.sdt.hosts.host1). delete-node is a general script for deleting any node you desire (users, groups, hosts, UPSes etc.) from the command line. The script deletes the specified node and shuffles the remainder
306. o 50 users securely controlling an unlimited number of Managed Devices at a remote site through the on-site console server Gateway.

6.2.5 Manually adding hosts to the SDT Connector gateway

For each gateway, you can manually specify the network connected hosts that you will access through that console server, and for each host specify the services that you will use to communicate with the host.
> Select the newly added gateway and click the Host icon to create a host that will be accessible via this gateway. (Alternatively select File: New Host.)
[Screenshot: New SDT Host dialog with Host Address, Services checklist (HTTP, Telnet, VNC, Dell RAC, Dell Server Administrator, Dell IT Assistant, SOL, IBM RSA, IBM Director, IBM AMM, HP iLO 2, VMWare Server, TCP Port 1494, Serial 2 SSH, Serial 2 Telnet, Serial 3 SSH, Serial 3 Telnet, Serial 4 SSH, Serial 4 Telnet, TCP Port 903), Descriptive Name and Description/Notes fields]
> Enter the IP or DNS Host Address of the host (if this is a DNS address, it must be able to be resolved by the gateway).
> Select which Services to use to access the new host. A range of service options are pre-configured in the default SDT Connector client (RDP, VNC, HTTP, HTTPS, Dell RAC, VMware etc). However, if you want to add new services to the range, then proceed to the next section (Adding a new service), then return here.
307. obe for connectivity detection. The address of the second peer to probe for connectivity detection.
> Click Apply. You have selected the failover method. It is not active until you specify the external sites to be probed to trigger failover and set up the failover ports themselves. This is covered in Chapter 5.

Note: You can configure the second Ethernet port as either a gateway port or as an OOB Failover port, but not both. Make sure you did not enable the Management LAN function on Network 2.

3.6.4 Aggregating the network ports

By default you can only access the console server's Management LAN network ports using SSH tunneling/port forwarding or by establishing an IPsec VPN tunnel to the console server. However, all the wired network ports on the console servers can also be aggregated by being bridged or bonded.
[Screenshot: System: IP, General Settings page with Interface Aggregation (Enable aggregation of wired Ethernet interfaces) and Enable IPv6 (Enable IPv6 for all interfaces) options]
> Select Enable Bridging on the System: IP General Settings menu.
> Select Bridge Inter
308. ocal terminal attached to serial port 5:

    config -s config.ports.port5.mode=terminal
    config -s config.ports.port5.terminal=[vt220 | vt102 | vt100 | linux | ansi]

The default terminal is vt220.

Serial bridge mode: Create a network connection to a remote serial port via RFC 2217 on port 5:

    config -s config.ports.port5.mode=bridge

Optional configurations for the network address of the RFC 2217 server (192.168.3.3) and the TCP port used by the RFC 2217 service (2500):

    config -s config.ports.port5.bridge.address=192.168.3.3
    config -s config.ports.port5.bridge.port=2500

To enable RFC 2217 access:

    config -s config.ports.port5.bridge.rfc2217=on

To redirect the serial bridge over an SSH tunnel to the server:

    config -s config.ports.port5.bridge.ssh.enabled=on

Syslog settings: Additionally, the global system log settings can be set for any specific port, in any mode:

    config -s config.ports.port#.syslog.facility=[facility]
    (facility can be: Default, local 0-7, auth, authpriv, cron, daemon, ftp, kern, lpr, mail, news, user, uucp)
    config -s config.ports.port#.syslog.priority=[priority]
    (priority can be: Default, warning, notice, info, error, emergency, debug, critical, alert)

14.3 Adding and Removing Users

First, determine the total number of existing Users (if you have no existing Users you can assume this is 0):

    config -g config.users.total

This command should display config.users
309. og Status checked. The information is also presented graphically.
[Screenshot: Serial & Network: UPS Connections page showing the SmartOnline Status Graph and SmartOnline Log with columns Date/Time, Battery Charge, Input Voltage, Load, Status, Temperature, Frequency and Alerts; sample rows: 20090518 212100 100 237.3 0 off 49.9; 20090518 212200 100 237.3 0 off 49.9; 20090518 212300 100 235.8 0 off 49.9]

8.2.6 Overview of Network UPS Tools (NUT)

NUT is built on a networked model with a layered scheme of drivers, server and clients. Configure NUT using the Management Console as described above, or configure the tools and manage the UPSes directly from the command line. This section provides an overview of NUT. You can find full documentation at http://www.networkupstools.org/doc.
[Figure: NUT architecture: monitor/log/graph/alert; NUT upsc client; local NUT upsd server; NUT serial/USB/SNMP UPS drivers; remote NUT server with UPS drivers; multiple remote UPSes]
NUT is built on a networked model with a layered scheme of drivers, server and clients. The
310. om the client to the selected console server, then establishes a port forward connection to the target network connected host or serial connected device. Next it executes the client application that it uses in communicating with the host.

This chapter details the basic SDT Connector operations:
Configuring the console server for SSH tunneled access to network attached hosts and setting up permitted Services and user access (Section 6.1)
Setting up the SDT Connector client with gateway, host, service and client application details, and making connections between the Client PC and hosts connected to the console server (Section 6.2)
Using SDT Connector to access the Management Console via a browser (Section 6.3)
Using SDT Connector to Telnet or SSH connect to devices that are serially attached to the console server (Section 6.4)

The chapter then covers more advanced SDT Connector and SSH tunneling topics:
Using SDT Connector for out of band access (Section 6.5)
Automatic importing and exporting configurations (Section 6.6)
Configuring Public Key Authentication (Section 6.7)
Setting up a SDT Secure Tunnel for Remote Desktop (Section 6.8)
Setting up a SDT Secure Tunnel for VNC (Section 6.9)
Using SDT to IP connect to hosts that are serially attached to the console server (Section 6.10)

6.1 Configuring for SSH Tunneling to Hosts

To set up the console server to SSH tunnel access a
311. ommands.
  o Single Connection: Limit the port to a single concurrent connection.
  o Logging Level: This specifies the level of information to be logged and monitored (refer to Chapter 7, Alerts and Logging).

Telnet
When the Telnet service is enabled on the console server, a Telnet client on a User or Administrator's computer can connect to a serial device attached to this serial port on the console server. The Telnet communications are unencrypted, so this protocol is generally recommended only for local connections.

With Win2000/XP/NT you can run telnet from the command prompt (cmd.exe). Vista and Windows 7 include a Telnet client and server, but they are not enabled by default. To enable Telnet: Log in as Admin and go to Start > Control Panel > Programs and Features. Select Turn Windows features on or off, check the Telnet Client and click OK.
[Screenshot: Windows Features dialog ("Turn Windows features on or off") listing SNMP feature, Subsystem for UNIX-based Applications, Tablet PC Optional Components, Telnet Client, Telnet Server, TFTP Client, Windows DFS Replication Service, Windows Fax and Scan, Windows Meeting Space, Windows Process Activation Service, Windows Ultimate]
312. on, the source code distributed need not include anything that is normally distributed (in either source or binary form) with the major components (compiler, kernel, and so on) of the operating system on which the executable runs, unless that component itself accompanies the executable. If distribution of executable or object code is made by offering access to copy from a designated place, then offering equivalent access to copy the source code from the same place counts as distribution of the source code, even though third parties are not compelled to copy the source along with the object code.

4. You may not copy, modify, sublicense, or distribute the Program except as expressly provided under this License. Any attempt otherwise to copy, modify, sublicense or distribute the Program is void, and will automatically terminate your rights under this License. However, parties who have received copies, or rights, from you under this License will not have their licenses terminated so long as such parties remain in full compliance.

5. You are not required to accept this License, since you have not signed it. However, nothing else grants you permission to modify or distribute the Program or its derivative works. These actions are prohibited by law if you do not accept this License. Therefore, by modifying or distributing the Program (or any work based on the Program), you indicate your acceptance of this License to do so, and all its terms and conditions for copyi
313. …Diamond logo are registered trademarks of BB Technologies, Inc. Any third-party trademarks appearing in this white paper are acknowledged to be the property of their respective owners. LES1108A, version 3. 724-746-5500 | blackbox.com
314. …ond to a series of pings, the console server will send a command to RPC outlet 3 to power cycle the router, and write the current date/time to a file.

Copy the ping-detect script to /etc/config/scripts/ on the console server. Open /etc/config/rc.local using vi and add the following line to rc.local:

  /etc/config/scripts/ping-detect 192.168.22.2 /bin/bash -c "pmpower -l port01 -o 3 cycle && date > /tmp/output.log" &

The above command will cause the ping-detect script to continuously ping the host at 192.168.22.2, which is the router. If the router crashes it will no longer respond to ping requests. If this happens, the two commands (pmpower and date) will run. The output from these commands is sent to the file /tmp/output.log so that we have a record. The ping-detect is also run in the background using the &.

Remember the rc.local script only runs by default when the system boots. You can manually run the rc.local script or the ping-detect script if desired.

The ping-detect script

The above is just one example of using the ping-detect script. The idea of the script is to run any number of commands when a specific host stops responding to ping requests. Here are details of the ping-detect script itself:

  #!/bin/sh
  # Usage: ping-detect HOST [COMMANDS...]
  # This script takes 2 types of arguments: hostname/IPaddress to ping, and the commands to run if the ping fails 5 times in a row. Thi…
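The rc.local line above hands ping-detect a host and one command line to run once that host has failed five consecutive pings. The following POSIX sh is an added example, not the console server's own ping-detect script (whose text is cut off above): it implements the loop that script is described as performing, and runs the remaining arguments as a single command, which is how the rc.local line passes "/bin/bash -c ...". The function and variable names (ping_detect, probe_host, PROBE, PING_DETECT_THRESHOLD, PING_DETECT_INTERVAL) are hypothetical, and the probe, threshold and interval are overridable so the logic can be exercised without a network.

```shell
#!/bin/sh
# Added example: a minimal ping-detect loop. Not the device's own script.
# Probe HOST until the probe fails PING_DETECT_THRESHOLD times in a row,
# then run the remaining arguments as one command and exit.

: "${PING_DETECT_THRESHOLD:=5}"   # consecutive failures before acting
: "${PING_DETECT_INTERVAL:=1}"    # seconds between probes
: "${PROBE:=probe_host}"          # name of the function used to probe

# probe_host HOST -> 0 if one ICMP echo is answered, non-zero otherwise
# (assumes ping accepts -c and -W, as busybox and iputils do)
probe_host() {
    ping -c 1 -W 2 "$1" >/dev/null 2>&1
}

# ping_detect HOST COMMAND [ARGS...]
# Returns 0 once the command has run. The command's own exit status is
# reported on stderr so a failed recovery action is not silently lost.
ping_detect() {
    host=$1; shift
    [ "$#" -ge 1 ] || { echo "usage: ping-detect HOST COMMAND [ARGS...]" >&2; return 2; }
    fails=0
    while :; do
        if "$PROBE" "$host"; then
            fails=0                 # one answer resets the run of failures
        else
            fails=$((fails + 1))
        fi
        if [ "$fails" -ge "$PING_DETECT_THRESHOLD" ]; then
            echo "$host failed $fails consecutive probes, running: $*" >&2
            "$@" || echo "action exited with status $?" >&2
            return 0
        fi
        sleep "$PING_DETECT_INTERVAL"
    done
}

# Behave like ping-detect when invoked as a script with arguments
# (for example from rc.local, followed by & to background it).
if [ "$#" -ge 2 ]; then
    ping_detect "$@"
fi
```

Running it in the background from rc.local means it starts as root at boot; keep the script and the command it runs writable only by root, since whatever is on that command line executes with that privilege.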
315. …ondition.
> Select the reported UPS State to trigger the Auto Response, either On Battery or Low Battery. The Auto Response will resolve when the UPS state returns to the Online state.
> Select which connected UPS Device to monitor and check Save Auto Response.

Note: Before configuring UPS state checks in Auto Response you first must configure the attached UPS.

7.2.3 Serial Login/Logout

To monitor serial ports and check for login/logout or pattern matches for Auto Response trigger events:
> Click on Serial Login/Logout as the Check Condition. Then in the Serial Login/Logout Check menu select Trigger on Login (to trigger when any user logs into the serial port) or Trigger on Logout, and specify the Serial Port to perform the check on; and/or
> Click on Serial Signal as the Check Condition. Then in the Serial Signal Check menu select the Signal (CTS, DCD, DSR) to trigger on, the Trigger condition (either on serial signal change, or check level), and specify the Serial Port to perform the check on; and/or
> Click on Serial Pattern as the Check Condition. Then in the Serial Pattern Check menu select the PCRE pattern to trigger on, the serial line (TX or RX) and the Serial Port to pattern check on.
> Check Save Auto Response.

Note: Before configuring serial port checks in Auto Response you first must configure the serial port in Console Server mode. Also, most serial port checks are not resolvable, so…
316. …onnection. Your console server is configured with a default IP Address of 192.168.0.1, Subnet Mask 255.255.255.0.
> Directly connect a PC or workstation to the console server.

Note: For initial configuration we recommend that you connect the console server directly to a single PC or workstation. However, if you choose to connect your LAN before completing the initial setup steps, it is important that you make sure that there are no other devices on the LAN with an address of 192.168.0.1, and that the console server and the PC/workstation are on the same LAN segment with no interposed router appliances.

3.1.1 Connected PC/workstation set up

To configure the console server with a browser, the connected PC/workstation should have an IP address in the same range as the console server, e.g. 192.168.0.100.
> To configure the IP Address of your Linux or Unix PC/workstation, simply run ifconfig.
> For Windows PCs (Win9x/Me/2000/XP/Vista/7/NT):
  a. Click Start > Settings > Control Panel and double click Network Connections (for 95/98/Me, double click Network).
  b. Right click on Local Area Connection and select Properties.
  c. Select Internet Protocol (TCP/IP) and click Properties.
  d. Select Use the following IP address and enter the following details:
     o IP address: 192.168.0.100
     o Subnet mask: 255.255.255.0
  If you want to retain your existing IP settings for this network conn…
317. …onsole server. Remote site with no network access: in this scenario the console server allows dial-in access for the Nagios server. Periodically the Nagios server will establish a connection to the console server and execute any NRPE commands before dropping the connection.

Chapter 11: System Management

Introduction

This chapter describes how the Administrator can perform a range of general console server system administration and configuration tasks, such as:
• Applying Soft and Hard Resets to the gateway
• Re-flashing the Firmware
• Configuring the Date, Time and NTP
• Setting up Backup of the configuration files

System administration and configuration tasks that are covered elsewhere include:
• Resetting the System Password and entering a new System Name and Description (Chapter 3.2)
• Setting the System IP Address (Chapter 3.3)
• Setting the permitted Services by which to access the gateway (Chapter 3.4)
• Setting up OoB Dial-in (Chapter 5)
• Configuring the Dashboard (Chapter 12)

11.1 System Administration and Reset

The Administrator can reboot or reset the gateway to default settings. A soft reset is effected by:
> Selecting Reboot in the System > Administration menu and clicking Apply.

[Figure: System > Administration page, showing the FIPS Mode and Reboot options and the Apply button.]

The console server reboots with all settings (for example the assigned…
318. …or by ssh/telnet connecting to the console server.

[Figure: Management Console Terminal page (Manage > Terminal), showing the login prompt.]

7.6.2 Serial port logging

In Console Server mode, activity logs can be maintained of all serial port activity. To specify which serial ports are to have activities recorded, and to what level data is to be logged:
> Select Serial & Network > Serial Port and Edit the port to be logged.
> Specify the Logging Level for each port as:
  Level 0: Turns off logging for the selected port
  Level 1: Logs all User connection events to the port
  Level 2: Logs all data transferred to and from the port, all changes in hardware flow control status, and all User connection events
  Level 3: Logs all data transferred from the port, all changes in hardware flow control status, and all User connection events
  Level 4: Logs all data transferred to the port, all changes in hardware flow control status, and all User connection events
> Click Apply.

Note: A cache of the most recent 8K of logged data per serial port is maintained locally, in addition to the Logs which are transmitted for remote/USB flash storage. To view the local cache of logged serial port data, select Manage > Port Logs.

7.6.3 Network TCP and UDP port logging

The console server supp…
319. …ork access, or if you are using an alternate version of Windows. More detailed instructions are available from the Microsoft web site.
> Login to your Windows client with administrator privileges.
> From the Network & Sharing Center on the Control Panel, select Network Connections and create a new connection.

[Figure: Windows "Set Up a Connection or Network" dialog. Choose Connect to a workplace (Set up a dial-up or VPN connection to your workplace).]

> Select Use My Internet Connection (VPN) and enter the IP Address of the console server.

Note: To connect remote VPN clients to the local network, you need to know the user name and password for the PPTP account you added, as well as the Internet IP address of the console server. If your ISP has not allocated you a static IP address, consider using a dynamic DNS service. Otherwise you must modify the PPTP client configuration each time your Internet IP address changes.

[Figure: Windows "Connect to a Workplace" dialog: User name, Password, Show characters, Remember this password, Domain (optional), Connect / Cancel.]

Chapter…
320. …ork connected devices.
> The following general service access options can be specified:

HTTPS: This ensures secure browser access to all the Management Console menus. It also allows appropriately configured Users secure browser access to selected Management Console Manage menus. If you enable HTTPS, the Administrator will be able to use a secure browser connection to the console server's Management Console. For information on certificate and user client software configuration, refer to Chapter 9, Authentication. By default HTTPS is enabled, and we recommend that you only use HTTPS access if the console server will be managed over any public network (for example the Internet).

HTTP: By default HTTP is disabled. We recommend that the HTTP service remain disabled if the console server will be remotely accessed over the Internet.

Telnet: This gives the Administrator Telnet access to the system command line shell (Linux commands). This may be suitable for a local direct connection over a management LAN. By default Telnet is disabled. We recommend that this service remain disabled if you will remotely administer the console server.

SSH: This service provides secure SSH access to the Linux command line shell. We recommend that you choose SSH as the protocol where the Administrator connects to the console server over the Internet or any other public network. This will provide authenticated communications between the SSH client progra…
321. …ort again as serial data. The two console servers effectively act as a virtual serial cable over an IP network. One console server is configured as the Server: set the Server serial port to be bridged in Console Server mode with either RFC2217 or RAW enabled, as described in Chapter 4.1.2, Console Server Mode. For the Client console server, the serial port to bridge must be set in Bridging Mode.

Serial Bridge Settings:
  Serial Bridging Mode: Create a network connection to a remote serial port via RFC 2217
  Server Address: The network address of an RFC 2217 server to connect to
  Server TCP Port: The TCP port the RFC 2217 server is serving on
  RFC 2217: Enable RFC 2217 access
  SSH Tunnel: Redirect the serial bridge over an SSH tunnel to the server

> Select Serial Bridging Mode and specify the IP address of the Server console server and the TCP port address of the remote serial port (for RFC2217 bridging this will be 5001-5048).
> By default the bridging client will use RAW TCP. Select RFC2217 if this is the console server mode you have specified on the server console server.

[Figure: Client console server with a serially connected device (e.g. security appliance, control PC) bridged over the local Ethernet LAN to the COM port on the Server console server.]

> You may secure the communications over the local Ethernet by enabling SSH. You will need to generate and upload keys; refer to Chapter 14, Advanced Configuration. Without the SSH tunnel, both RAW and RFC2217 bridges carry the serial traffic, including any logins typed to the attached device, across the network in clear text.

4.1.7 Syslog

In addition to built-in logging and monitoring, which can be…
322. …orts optional logging of access to and communications with network attached Hosts.
> For each Host, when you set up the Permitted Services which are authorized to be used, you also must set up the level of logging that is to be maintained for each service.
> Specify the logging level that is to be maintained for that particular TCP/UDP port/service on that particular Host:
  Level 0: Turns off logging for the selected TCP/UDP port to the selected Host
  Level 1: Logs all connection events to the port
  Level 2: Logs all data transferred to and from the port
> Click Add, then click Apply.

7.6.4 Auto Response event logging

Check Log Events on Alerts & Logging > Auto Response to enable logging of all Auto Response activities.

7.6.5 Power device logging

The console server also logs access and communications with network attached hosts and maintains a history of the UPS and PDU power status. To activate and set the desired levels of logging for each serial port (Section 7.4) and/or network port (Section 7.5) and/or power and environment UPS, refer to Chapter 8.

Chapter 8: Power & Environmental Management

Introduction

Black Box console servers manage embedded software that you can use to manage connected Power Distribution Systems (PDUs), IPMI devices and Uninterruptible Power Supplies (UPSs) supplied by a number of vendors, and some environmental monitoring devices.

8.1 Remote Power Control (RP…
323. …ough to a port with any console server login. This mode is mainly used when you have an external system (such as conserver) managing user authentication and access privileges at the serial device level. For Unauthenticated Telnet the default port address is IP Address _ Port (6000 + serial port), i.e. 6001-6048. Because the console server performs no authentication on these ports, anything that can reach them reaches the attached device directly; leave Unauthenticated Telnet disabled unless an external system is mediating access, and keep these ports off any untrusted network.

Web Terminal: Selecting Web Terminal enables web browser access to the serial port via Manage > Devices > Serial, using the Management Console's built-in AJAX terminal. Web Terminal connects as the currently authenticated Management Console user and does not re-authenticate. See section 13.3 for more details.

Authenticate: Enable for secure serial communications using Portshare, and add a password.

Accumulation Period: By default, once a connection is established for a particular serial port (such as an RFC2217 redirection or Telnet connection to a remote computer), any incoming characters on that port are forwarded over the network on a character-by-character basis. The accumulation period changes this by specifying a period of time that incoming characters will be collected before then being sent as a packet over the network.

Escape Character: This enables you to change the character used for sending escape characters. The default is

Power Menu: This setting enables the shell power command. A user can control the power connection to a Managed Device from the command line when they are connected to the…
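The service access options (HTTPS and SSH on, HTTP and Telnet off) and the fixed per-port ranges given for RFC 2217 bridging (5001-5048) and Unauthenticated Telnet (6001-6048) together describe what should, and should not, be listening on a console server. The following POSIX sh is an added example, not the console server's own code: it audits a `netstat -tln` listing against that policy and labels each unexpected listener. The sample listing is constructed for illustration, and the port numbers assumed for HTTPS/SSH/HTTP/Telnet are the IANA defaults (443, 22, 80, 23), not a statement about this device's configuration; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: audit listening TCP ports against the recommended service
# policy. Not the device's own code. Feed it `netstat -tln` output on stdin.

ALLOWED_PORTS="22 443"   # SSH and HTTPS (assumed default ports)

# describe_port PORT -> short label for what is expected to listen there,
# using the ranges the manual gives for per-serial-port services
describe_port() {
    p=$1
    if [ "$p" -ge 6001 ] && [ "$p" -le 6048 ]; then
        echo "unauthenticated Telnet to serial port $((p - 6000))"
    elif [ "$p" -ge 5001 ] && [ "$p" -le 5048 ]; then
        echo "RFC 2217 serial bridge, serial port $((p - 5000))"
    else
        case "$p" in
            22)  echo "SSH" ;;
            23)  echo "Telnet shell" ;;
            80)  echo "HTTP" ;;
            443) echo "HTTPS" ;;
            *)   echo "unknown service" ;;
        esac
    fi
}

# listening_ports: netstat -tln text on stdin -> sorted unique TCP ports
# (the port is whatever follows the last ':' of the local address, which
# also handles IPv6 entries such as :::22)
listening_ports() {
    awk '$1 ~ /^tcp/ && $NF == "LISTEN" { n = split($4, a, ":"); print a[n] }' | sort -un
}

# audit_services: netstat text on stdin; prints each listener outside
# ALLOWED_PORTS, returns 1 if there was any, 0 otherwise
audit_services() {
    rc=0
    for p in $(listening_ports); do
        case " $ALLOWED_PORTS " in
            *" $p "*) ;;
            *) echo "tcp/$p open: $(describe_port "$p")"; rc=1 ;;
        esac
    done
    return $rc
}

# Constructed sample listing (not captured from a device): Telnet shell and
# unauthenticated Telnet to serial port 1 are both left enabled.
SAMPLE_NETSTAT='Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:23              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:6001            0.0.0.0:*               LISTEN
tcp6       0      0 :::22                   :::*                    LISTEN'
```

On the console server itself the same audit is `netstat -tln | audit_services` (netstat is in the command list in Appendix A); from another host, a port scan of the management address gives the equivalent picture of what is reachable across the network.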
324. …over.address1:
  config -s config.interfaces.wan.failover.address1=<ip address>
  config -s config.interfaces.wan.failover.address2=<ip address>
  config -s config.interfaces.wan.failover.interface=[eth1 | console | modem]

The network interfaces can also be configured automatically:
  config -s config.interfaces.wan.mode=dhcp
  config -s config.interfaces.lan.mode=dhcp

The following command will synchronize the live system with the new configuration:
  /bin/config --run ipconfig
or, in its short form:
  config -r ipconfig

14.19 Date & Time Settings

To enable NTP using a server at pool.ntp.org, issue the following commands:
  config -s config.ntp.enabled=on
  config -s config.ntp.server=pool.ntp.org

Alternatively, you can manually change the clock settings. To change the running system time:
  date 092216452005.05      (format is MMDDhhmm[[CC]YY][.ss])
Then the following command will save this new system time to the hardware clock:
  /bin/hwclock --systohc

Alternatively, to change the hardware clock:
  /bin/hwclock --set --date=092216452005.05      (format is MMDDhhmm[[CC]YY][.ss])
Then the following command will save this new hardware clock time as the system time:
  /bin/hwclock --hctosys

To change the timezone:
  config -s config.system.timezone="US/Eastern"
The following command will synchronize the live system with the new configuration:
  config -r time

14.20 Dial-in settings

To enab…
325. [Figure: OpenVPN GUI tray menu, ending in the entries …ows_Client, Proxy Settings, About.]

When the OpenVPN software is started, the C:\Program Files\OpenVPN\config folder will be scanned for .ovpn files. This folder will be rechecked for new configuration files whenever the OpenVPN GUI icon is right-clicked. So once OpenVPN is installed, a configuration file will need to be created.
> Using a text editor, create an xxxx.ovpn file and save it in C:\Program Files\OpenVPN\config. For example, C:\Program Files\OpenVPN\config\client.ovpn.

An example of an OpenVPN Windows client configuration file is shown below:
  # description: les1216_client
  client
  proto udp
  verb 3
  dev tun
  remote 192.168.250.152
  port 1194
  ca c:\\openvpnkeys\\ca.crt
  cert c:\\openvpnkeys\\client.crt
  key c:\\openvpnkeys\\client.key
  nobind
  persist-key
  persist-tun
  comp-lzo

An example of an OpenVPN Windows Server configuration file is shown below:
  server 10.100.10.0 255.255.255.0
  port 1194
  keepalive 10 120
  proto udp
  mssfix 1400
  persist-key
  persist-tun
  dev tun
  ca c:\\openvpnkeys\\ca.crt
  cert c:\\openvpnkeys\\server.crt
  key c:\\openvpnkeys\\server.key
  dh c:\\openvpnkeys\\dh.pem
  comp-lzo
  verb 1
  syslog LES1216_OpenVPN_Server

The Windows client/server configuration file options are:

  Option: Description
  # description: This is a comment describing the configuration. Comment lines start with a # and are ignored by OpenVPN.
  cli…
326. …plained below.

Common name: This is the network name of the console server once it is installed in the network (usually the fully qualified domain name). It is identical to the name that is used to access the console server with a web browser (without the "http://" prefix). In case the name given here and the actual network name differ, the browser will pop up a security warning when the console server is accessed using HTTPS.

Organizational Unit: Use this field to specify which department within an organization the console server belongs to.

Organization: The name of the organization that the console server belongs to.

Locality/City: The city where the organization is located.

State/Province: The state or province where the organization is located.

Country: The country where the organization is located. This is the two-letter ISO code, for example DE for Germany or US for the USA. Note: Enter the country code in CAPITAL LETTERS.

Email: The email address of a contact person that is responsible for the console server and its security.

Challenge Password: Some certification authorities require a challenge password to authorize later changes on the certificate (for example revocation of the certificate). The password must be at least 4 characters long.

Confirm Challenge Password: Confirmation of the Challenge Password.

Key length: This is the length of the generated key in bits. 1024 Bits are supposed to…
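The fields above map directly onto an X.509 request subject plus one request attribute (the challenge password). The following POSIX sh is an added example, not the console server's own code: it composes an openssl req configuration from those fields, enforces the two rules the text states (Country is two capital letters, Challenge Password is at least 4 characters) before anything is generated, and extracts the CN from the finished request so it can be compared with the name typed into the browser. The 2048-bit key size is an assumption (the text mentions 1024 bits); hostname, organisation, file paths and function names are placeholders.

```shell
#!/bin/sh
# Added example: build and validate a certificate request for the console
# server's HTTPS service. Not the device's own code.

# country_ok CODE -> 0 if CODE is exactly two upper-case ASCII letters
country_ok() {
    printf '%s' "$1" | LC_ALL=C grep -Eq '^[A-Z]{2}$'
}

# challenge_ok PASSWORD -> 0 if at least 4 characters long
challenge_ok() {
    [ "${#1}" -ge 4 ]
}

# write_req_config CN OU O L ST C EMAIL CHALLENGE -> openssl req config on
# stdout. "prompt = no" makes openssl take the values from the file instead
# of asking interactively, and "attributes" carries the challenge password.
write_req_config() {
    country_ok "$6" || { echo "country code must be two capital letters" >&2; return 1; }
    challenge_ok "$8" || { echo "challenge password must be at least 4 characters" >&2; return 1; }
    cat <<EOF
[ req ]
prompt = no
distinguished_name = dn
attributes = req_attributes

[ dn ]
CN = $1
OU = $2
O = $3
L = $4
ST = $5
C = $6
emailAddress = $7

[ req_attributes ]
challengePassword = $8
EOF
}

# make_csr CONFIG_FILE KEY_OUT CSR_OUT [BITS] : fresh RSA key and request;
# the private key is unencrypted (-nodes) so the web server can load it,
# hence the restrictive mode.
make_csr() {
    openssl req -new -newkey "rsa:${4:-2048}" -nodes -config "$1" \
        -keyout "$2" -out "$3" && chmod 600 "$2"
}

# csr_cn CSR_FILE -> the CN in the request, to check against the browser name
csr_cn() {
    openssl req -noout -subject -in "$1" | sed -n 's/.*CN *= *\([^,/]*\).*/\1/p'
}
```

Typical use: `write_req_config les1108a.example.net IT "Example Corp" Pittsburgh PA US admin@example.net s3cret > req.cnf && make_csr req.cnf server.key server.csr`, then confirm `csr_cn server.csr` prints exactly the name you will type into the browser, since a mismatch is what produces the security warning described above.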
327. …ponse triggers to perform this action.
  Recipient Email Address: The email address to send this email to
  Subject: The subject of the email
  Email Text: $TIMESTAMP: This action was run. Check details: value $AR_VAL vs trigger value $AR_TRIGGER_VAL

Note: A message text can be sent with Email, SMS and Nagios actions. This configurable message can include selected values:
  $AR_TRIGGER_VAL: the trigger value for the check, e.g. for UPS Status it could be onbatt or battlow
  $AR_VAL: the value returned by the check, e.g. for UPS status it could be online, onbatt, battlow
  $AR_CHECK_DEV: the device name of the device being checked, e.g. for Alarm, the alarm name
  $TIMESTAMP: the current timestamp
  $HOSTNAME: the hostname of the console server
The default message text is: $TIMESTAMP: This action was run. Check details: value $AR_VAL vs trigger value $AR_TRIGGER_VAL

7.3.1 Send Email

> Click on Send Email as the Add Trigger Action. Enter a unique Action Name and set the Action Delay Time.
> Specify the Recipient Email Address to send this email to, and the Subject of the email. For multiple recipients you can enter comma separated addresses.
> Edit the Email Text message to send and click Save New Action.

Note: An SMS alert can also be sent via an SMTP email gateway. You will need to specify the Recipient Email Address in the format specified by the gateway provider, e.g.…
328. …pter then details how to perform advanced and custom management tasks using Black Box commands, Linux commands and the open source tools embedded in the console server:
• portmanager serial port management
• raw data access to the ports and modems
• iptables modifications and updating IP filtering rules
• modifying SNMP with net-snmpd
• public key authenticated SSH communications
• SSL, configuring HTTPS and issuing certificates
• using pmpower for NUT and PowerMan power device management
• using IPMItool
• CDK custom development kit

15.1 Custom Scripting

The console server supports GNU bash shell commands (refer to Appendix A), enabling the Administrator to run custom scripts.

15.1.1 Custom script to run when booting

The /etc/config/rc.local script runs whenever the system boots. By default this script file is empty. You can add any commands to this file if you want them to run at boot time. For example, if you wanted to display "hello world":
  #!/bin/sh
  echo "Hello World"

Because rc.local runs as root at boot, keep it and any script it calls writable only by root.

If this script has been copied from a Windows machine you may need to run the following command on the script before bash can run it successfully:
  dos2unix /etc/config/rc.local

Another scenario would be to call another custom script from the /etc/config/rc.local file, making sure that your custom script will run whenever the system is booted.

15.1.2 Running custom scripts when alerts are triggered

Whenever an…
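The dos2unix step above is needed because a script saved on Windows carries CR LF line endings, so the kernel looks for an interpreter literally named "/bin/sh" followed by a carriage return and refuses to run the file. The following POSIX sh is an added example, not code from this manual or the device: it detects that condition, repairs the file in place without depending on dos2unix being installed, and keeps the file's mode (rc.local must stay executable). The function names are hypothetical.

```shell
#!/bin/sh
# Added example: pre-flight check for a boot script copied from Windows.
# Not the device's own code.

CR=$(printf '\r')   # the carriage-return byte

# has_crlf FILE -> 0 if the file contains any carriage return
has_crlf() {
    LC_ALL=C grep -q "$CR" "$1"
}

# shebang_ok FILE -> 0 if the first line is a "#!" line with no stray CR
shebang_ok() {
    first=$(head -n 1 "$1")      # trailing newline is stripped, a CR is not
    case "$first" in
        '#!'*"$CR") return 1 ;;   # interpreter name would end in CR
        '#!'*)      return 0 ;;
        *)          return 1 ;;
    esac
}

# strip_crlf FILE : remove every CR. The existing file is rewritten rather
# than replaced, so its permissions and ownership are unchanged.
strip_crlf() {
    tmp="$1.crlf.$$"
    tr -d '\r' < "$1" > "$tmp" && cat "$tmp" > "$1"
    rc=$?
    rm -f "$tmp"
    return $rc
}

# check_boot_script FILE : report and fix line endings, then confirm the
# file can actually be executed at boot. Returns non-zero on any problem.
check_boot_script() {
    [ -f "$1" ] || { echo "$1: missing" >&2; return 1; }
    if has_crlf "$1"; then
        echo "$1: CR LF line endings found, converting" >&2
        strip_crlf "$1" || return 1
    fi
    shebang_ok "$1" || { echo "$1: first line is not a usable #! line" >&2; return 1; }
    [ -x "$1" ] || { echo "$1: not executable" >&2; return 1; }
}
```

Run `check_boot_script /etc/config/rc.local` before rebooting; a non-zero exit means the script would not have run, or would have run something other than what you wrote.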
329. …pts any network IP address assigned by a DHCP server on your network. In this initial state the console server will then respond to both its Static address (192.168.0.1) and its newly assigned DHCP address.
> By default the console server LAN port auto-detects the Ethernet connection speed. You can use the Media menu to lock the Ethernet to 10 Mbps or 100 Mbps, and to Full Duplex (FD) or Half Duplex (HD).

Note: If you changed the console server IP address, you may need to reconfigure your PC/workstation so it has an IP address that is in the same network range as this new address.
> Click Apply.
> Enter http://<new IP address> to reconnect the browser on the PC/workstation that is connected to the console server.

3.3.1 IPv6 configuration

You can also configure the console server Network and Management LAN Interfaces for IPv6 operation:
> On the System > IP menu, select the General Settings page and check Enable IPv6.
> Then configure the IPv6 parameters on each Interface page.

3.3.2 Dynamic DNS (DDNS) configuration

With Dynamic DNS (DDNS), a console server whose IP address is dynamically assigned, and that may change from time to time, can be located using a fixed host or domain name.
> The first step in enabling DDNS is to create an account with the supported DDNS service provider of your choice. Supported DDNS providers include DyNS (www.dyns.cx), dyndns.or…
330. …r.
> Select System > Administration on the Master's Management Console.
> Check Generate SSH keys automatically and click Apply.

[Figure: System > Administration page, showing the Generate RSA Keys and Generate DSA Keys check boxes and the Apply button.]

Next you must select whether to generate keys using RSA and/or DSA (if unsure, select only RSA; DSA keys are fixed at 1024 bits and are refused by default by OpenSSH 7.0 and later). Generating each set of keys will require approximately two minutes, and the new keys will destroy any old keys of that type that may previously have been uploaded. Also, while the new generation is underway on the master, functions relying on SSH keys (for example cascading) may stop functioning until they are updated with the new set of keys. To generate keys:
> Select RSA Keys and/or DSA Keys.
> Click Apply.
> Once the new keys have been successfully generated, Click here to return, and the keys will automatically be uploaded to the Master and connected Slaves.

4.6.2 Manually generate and upload SSH keys

Or, if you have an RSA or DSA key…
331. …r address:
  config -s config.eventlog.server.address=<remote server ip address>
  config -s config.eventlog.server.logfacility=<facility>
    (facility can be Daemon, Local 0-7, Authentication, Kernel, User, Syslog, Mail, News, UUCP)
  config -s config.eventlog.server.logpriority=<priority>
    (priority can be Info, Alert, Critical, Debug, Emergency, Error, Notice, Warning)

Assume the remote log server needs a username name1 and password secret:
  config -s config.eventlog.server.username=name1
  config -s config.eventlog.server.password=secret

To set the remote path as /Black Box/logs to save logged data:
  config -s config.eventlog.server.path="/Black Box/logs"
  config -s config.eventlog.server.type=[none | syslog | nfs | cifs | usb]

If the server type is set to usb, none of the other values need to be set. The mount point for storing on a remote USB device is /var/run/portmanager/logdir.

The following command will synchronize the live system with the new configuration:
  config -a

14.14 Alerts

You can add an email, SNMP or NAGIOS alert by following the steps below.

The general settings for all alerts. Assume this is our second alert and we want to send alert emails to john@Black Box.com and SMSs to peter@Black Box.com:
  config -s config.alerts.alert2.description="MySecondAlert"
  config -s config.alerts.alert2.email="john@Black Box.com"
  config -s config.alerts.alert2.email2="peter@Black Box.com"

To use NAGIOS to no…
332. …r and make sure the changes are stored in the console server's flash memory, etc. In particular, the config utility allows you to manipulate the system configuration from the command line. With config you can activate a new configuration by running the relevant configurator, which performs the action needed to make the configuration changes live.

To access config from the command line:
> Power on the console server and connect the terminal device.
  o If you are connecting using the serial line, plug a serial cable between the console server local DB9 console port and the terminal device. Configure the serial connection of the terminal device you are using to 115200 bps, 8 data bits, no parity and one stop bit.
  o If you are connecting over the LAN, then you will need to interconnect the Ethernet ports and direct your terminal emulator program to the IP address of the console server (192.168.0.1 by default).
> Log onto the console server by pressing return a few times. The console server will request a username and password. Enter the username root and the password default. You should now see the command line prompt, which is a hash (#). This default password is published in this manual, so change it before the console server is connected to any network.

Note: This chapter is not intended to teach you Linux. We assume you already have a certain level of understanding before you execute Linux kernel level commands.

The config tool

Syntax: config [-ahv] [-d id] [-g id] [-p path] [-r configurator]…
333. …r is configured, and individual serial port and network host connections on the console server are configured for Nagios monitoring. If NSCA is enabled, each selected check will be executed once over the period of the check interval. If NRPE is enabled, then the upstream server will be able to request status updates under its own scheduling.

10.4 Advanced Distributed Monitoring Configuration

10.4.1 Sample Nagios configuration

An example configuration for Nagios is listed below. It shows how to set up a remote console server to monitor a single host with both network and serial connections. For each check it has two configurations, one each for NRPE and NSCA. In practice these would be combined into a single check which used NSCA as a primary method, falling back to NRPE if a check was late (for details see the Nagios documentation, http://www.nagios.org/docs, on Service and Host Freshness Checks).

  # Host definitions
  # Black Box console server
  define host {
      use        generic-host
      host_name  Black Box
      alias      Console server
      address    192.168.254.147
  }
  # Managed Host
  define host {
      use        generic-host
      host_name  server
      alias      server
      address    192.168.254.227
  }
  # NRPE daemon on gateway
  define command {
      command_name  check_nrpe_daemon
      command_line  $USER1$/check_nrpe -H 192.168.254.147 -p 5666
  }
  define service {
      service_description  NRPE Daemon
      host_name            Black Box
      use                  generic-service
      check_command        check_…
334. …r of Black Box tools listed above that make it simple to configure the console server and make sure the changes are stored in the console server's flash memory, etc. These commands are covered in the previous chapters and include:
• config, which allows manipulation and querying of the system configuration from the command line. With config, a new configuration can be activated by running the relevant configurator, which performs the action necessary to make the configuration changes live.
• portmanager, which provides a buffered interface to each serial port. It is supported by the pmchat and pmshell commands, which ensure all serial port access is directed via the portmanager.
• pmpower, a configurable tool for manipulating remote power devices that are serially or network connected to the console server.
• SDT Connector, a Java client applet that provides point-and-click SSH tunneled connections to the console server and Managed Devices.

There are also a number of other CLI commands related to other open source tools embedded in the console server, including:
• PowerMan provides power management for many preconfigured remote power controller (RPC) devices. For CLI details refer to http://linux.die.net/man/1/powerman
• Network UPS Tools (NUT) provides reliable monitoring of UPS and PDU hardware and ensures safe shutdowns of the systems which are connected, with a goal to monitor every kind of UPS and PDU…
335. …r the dial-in configuration.

C. For earlier version Windows computers, follow the steps in Section B above. To get to the Make New Connection button:
  For Windows 2000, click Start and select Settings. At the Dial-Up Networking folder click Network and Dial-up Connections and click Make New Connection. You may need to first set up a connection over the COM port using Connect directly to another computer before proceeding to Set up an advanced connection.
  For Windows 98, double click My Computer on the Desktop, then open Dial-Up Networking and double click…

6.10.2 Set up SDT Serial Ports on console server

To set up RDP (and VNC) forwarding on the console server Serial Port that is connected to the Windows computer COM port:
> Select the Serial & Network > Serial Port menu option and click Edit for the particular Serial Port that is connected to the Windows computer COM port.
> On the SDT Settings menu, select SDT Mode (this will enable port forwarding and SSH tunneling) and enter a Username and User Password.

SDT Settings:
  SDT Mode: Enable access over SSH to a host connected to this serial port
  Username: The login name for PPP. The default is port01
  User Password: The login secret for PPP. The default is port04
  Confirm Password: Re-type the password for confirmation

These defaults are printed in this manual, so replace the User Password with one of your own before enabling the port.

Note: When you enable SDT it will override all other Configuration protocols on that port.
Note: If…
336. …rd: Network utility that listens on the discard port
  dmesg: Print or control the kernel ring buffer
  echo: Print the specified ARGs to stdout
  erase: Tool for erasing MTD partitions
  eraseall: Tool for erasing entire MTD partitions
  false: Do nothing, unsuccessfully
  find: Search for files
  flashw: Write data to individual flash devices
  flatfsd: Daemon to save RAM file systems back to FLASH
  ftp: Internet file transfer program
  gen-keys: SSH key generation program
  getopt: Parses command options
  gettyd: Getty daemon
  grep: Print lines matching a pattern
  gunzip: Compress or expand files
  gzip: Compress or expand files
  hd: ASCII, decimal, hexadecimal, octal dump
  hostname: Get or set hostname or DNS domain name
  httpd: Listen for incoming HTTP requests
  hwclock: Query and set hardware clock (RTC)
  inetd: Network super-server daemon
  inetd_echo: Network echo utility
  init: Process control initialization
  ip: Show or manipulate routing, devices, policy routing and tunnels
  ipmitool: Linux IPMI manager
  iptables: Administration tool for IPv4 packet filtering and NAT
  ip6tables: Administration tool for IPv6 packet filtering
  iptables-restore: Restore IP Tables
  iptables-save: Save IP T…
  kill, ln, login, loopback, loopback1, loopback2, loopback8 & loopback16, loopback48, ls, mail, mkdir, mkfs.jffs2, mknod, more, mount, msmtp, mv, nc, netflash, netstat, ntpd
337. rd parties that the operation of the software products will be uninterrupted or error-free, or that all defects in the Software will be corrected. BLACK BOX DISCLAIMS ANY AND ALL OTHER WARRANTIES, WHETHER EXPRESS OR IMPLIED, INCLUDING WITHOUT LIMITATION ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. OTHER THAN AS STATED HEREIN, THE ENTIRE RISK AS TO SATISFACTORY QUALITY, PERFORMANCE, ACCURACY AND EFFORT IS WITH YOU. ALSO, THERE IS NO WARRANTY AGAINST INTERFERENCE WITH YOUR ENJOYMENT OF THE SOFTWARE OR AGAINST INFRINGEMENT. IF YOU HAVE RECEIVED ANY WARRANTIES REGARDING THE DEVICE OR THE SOFTWARE, THOSE WARRANTIES DO NOT ORIGINATE FROM, AND ARE NOT BINDING ON, BLACK BOX.
NO LIABILITY FOR CERTAIN DAMAGES. EXCEPT AS PROHIBITED BY LAW, BLACK BOX SHALL HAVE NO LIABILITY FOR COSTS, LOSS, DAMAGES OR LOST OPPORTUNITY OF ANY TYPE WHATSOEVER, INCLUDING BUT NOT LIMITED TO LOST OR ANTICIPATED PROFITS, LOSS OF USE, LOSS OF DATA, OR ANY INCIDENTAL, EXEMPLARY, SPECIAL OR CONSEQUENTIAL DAMAGES, WHETHER UNDER CONTRACT, TORT, WARRANTY OR OTHERWISE, ARISING FROM OR IN CONNECTION WITH THIS EULA OR THE USE OR PERFORMANCE OF THE SOFTWARE. IN NO EVENT SHALL BLACK BOX BE LIABLE FOR ANY AMOUNT IN EXCESS OF THE LICENSE FEE PAID TO BLACK BOX UNDER THIS EULA. SOME STATES AND COUNTRIES DO NOT ALLOW THE LIMITATION OR EXCLUSION OF LIABILITY FOR INCIDENTAL OR CONSEQUENTIAL DAMAGES, SO THIS LIMITATION MAY NOT APPLY TO YOU.
JSch License
SDT Connector
338. re the SSH gateway allows public key authentication (this is typically the default behavior).
> If you do not already have a public/private key pair for your client PC (the one running SDT Connector), generate them now using ssh-keygen, PuTTYgen or a similar tool. You may use RSA or DSA, however leave the passphrase field blank.
PuTTYgen: http://www.chiark.greenend.org.uk/~sgtatham/putty/download.html
OpenSSH: http://www.openssh.org
OpenSSH (Windows): http://sshwindows.sourceforge.net/download
> Upload the public part of your SSH key pair (this file is typically named id_rsa.pub or id_dsa.pub) to the SSH gateway, or otherwise add it to .ssh/authorized_keys in your home directory on the SSH gateway.
> Next, add the private part of your SSH key pair (this file is typically named id_rsa or id_dsa) to SDT Connector. Click Edit > Preferences > Private Keys > Add, locate the private key file and click OK. You do not have to add the public part of your SSH key pair; the private key calculates it.
SDT Connector will now use public key authentication when connecting through the SSH gateway (console server). You may have to restart SDT Connector to shut down any existing tunnels that were established using password authentication.
If you have a host behind the console server that you connect to by clicking the SSH button in SDT Connector, you may also want to configure access to it for public key authentication as well. This
339. resents a list of serial ports and network Host connections that you have set up with device type RPC but have yet to connect to a specific RPC device. When you select Connect Via for a Network RPC connection, the corresponding Host Name/Description that you set up for that connection will be entered as the Name and Description for the power device. Or, if you select to Connect Via a Serial connection, enter a Name and Description for the power device.
[Screenshot: Serial & Network: RPC Connections, Add RPC form (Firmware 2.8.0u2, Current User root). Fields: Connected Via (Serial Port 2 / Port2): Specify the serial port or network host address for the power device. RPC Type (None): Specify the type of the connected power device. Name: A descriptive name for the power device. Description: A brief description for the power device. Username: Specify the login name for the power device. Password / Confirm: Specify the login secret for the power device.]
> Select the appropriate RPC Type for the PDU (or IPMI) being connected. If you are
340. rial Port
[Screenshot: System: IP, Network Interface / Management LAN Interface, General Settings / IP Settings. Fields: Network Configuration Method (DHCP / Static): The mechanism to acquire IP settings. IP Address: A statically assigned IP address. Subnet Mask: A statically assigned network mask. Gateway: A statically assigned gateway. Primary DNS: A statically assigned primary name server. Secondary DNS: A statically assigned secondary name server. Media (Auto): The Ethernet media type. Failover Interface (None / Management LAN (lan) / Serial DB9 Port (sercon) DISABLED / Internal Modem Port (modem01) DISABLED). Primary Probe Address: The address of the first peer to probe for connectivity detection. Secondary Probe Address: The address of the second peer to probe for connectivity detection. Apply.]
> When configuring the principal network connection, specify Network 2 (eth1) as the Failover Interface to use when a fault is detected with Network 1 (eth0).
341. rity verifies that you are the person who you claim you are, and signs and issues a SSL certificate to you.
To create and install a SSL certificate for the console server:
[Screenshot: System: SSL Certificates form (Firmware 2.8.0u2, Current User root). Fields: Common name: The full canonical name for this device. Organizational unit: The group overseeing this device. Organization: The name of the organization to which the device belongs. Locality/City: The City where the organization is located. State/Province: The State or Province where the organization is located. Country (AD): The country where the organization is located. Email: The email addre[…] contact person for this device. Challenge Password: An optional (dependant on CA) password. Confirm Password: Confirmation of the challenge password. Key Length (bits) 512: Length of generated key in bits. Status. Generate CSR.]
> Select System: SSL Certificate and fill out the fields as ex
342. rom the Serial and Network: Serial Port menu, configure the Common Settings of that port with the RS-232 properties etc. required by the PDU (refer to Chapter 4.1.1 Common Settings). Then select RPC as the Device Type.
> For each network connected RPC, go to the Serial & Network: Network Hosts menu and configure the RPC as a connected Host by specifying it as Device Type: RPC and clicking Apply (refer to Section 4.4 Network Hosts).
[Screenshot: Serial & Network: Network Hosts form (Model LES1216A, Firmware 2.8.0u2, Current User root). Fields: IP Address/DNS Name: The host's IP Address or DNS name. Host Name: A descriptive name to identify the host. Description/Notes: A brief description of the host. Permitted Services: 22/tcp (ssh) 0, 23/tcp (telnet) 0, 80/tcp (http) 0, 443/tcp (https) 0, 1494/tcp (ica) 0, 3389/tcp (rdp) 0, 5900/tcp (vnc) 0; TCP/UDP Port; level 0 Disabled; Add; Remove.]
Select the Serial & Network: RPC Connections menu. This will display all the RPC connections that have already been configured. Click Add RPC. Connected Via p
343. ronize the live system with the new configuration:
config -a
14.23 NAGIOS
To configure NAGIOS with the following settings:
NAGIOS host name: console at R3 (Name of this system)
NAGIOS host address: 192.168.0.1 (IP to find this device at)
NAGIOS server address: 192.168.0.10 (upstream NAGIOS server)
Enable SDT for NAGIOS ext: Enabled
SDT gateway address: 192.168.0.1 (defaults to host address)
Prefer NRPE over NSCA: Disabled (defaults to Disabled)
config -s config.system.nagios.enabled=on
config -s config.system.nagios.name=les1116
config -s config.system.nagios.address=192.168.0.1
config -s config.system.nagios.server.address=192.168.0.10
config -s config.system.nagios.sdt.disabled=on   (disables SDT for nagios extensions)
config -s config.system.nagios.sdt.address=192.168.0.1
config -s config.system.nagios.nrpe.prefer
To configure NRPE with the following settings:
NRPE port: 5600 (port to listen on for nrpe; defaults to 5666)
NRPE user: user1 (User to run as; defaults to nrpe)
NRPE group: group1 (Group to run as; defaults to nobody)
Allow command arguments: Enabled
config -s config.system.nagios.nrpe.enabled=on
config -s config.system.nagios.nrpe.port=5600
config -s config.system.nagios.user=user1
config -s config.system.nagios.nrpe.group=group1
config -s config.system.nagios.nrpe.cmdargs=on
To configure NSCA with the following settings:
NSCA encryption: BLOWFISH (can be None, XOR, DES, TRIPLEDES, CAST 2
344. rt & OK / Cancel]
Also, some clients are launched in a command line or terminal window. The Telnet client is an example of this, so the Path to client executable file is telnet and the Command line format for client executable is cmd /c start %path% %host% %port%.
[Screenshot: SDTConnector Preferences, Edit Client dialog. Client name: Telnet client. Path to client executable file: telnet. Command line format for client executable: cmd /c start %path% %host% %port%. OK / Cancel / Close.]
> Click OK.
6.2.8 Dial-in configuration
If the client PC is dialing into the Local Console port on the console server, you will need to set up a dial-in PPP link.
> Configure the console server for dial-in access following the steps in the Configuring for Dial-In PPP Access section in Chapter 5 Configuring Dial-In Access.
> Set up the PPP client software at the remote User PC following the Set up the remote Client section in Chapter 5.
Once you have a dial-in PPP connection established, you then can set up the secure SSH tunnel from the remote Client PC to the console server.
6.3 SDT Connector to Management Console
You can also configure SDT Connector for browser access to the console server's Management Console and for Telnet or SS
345. rt, you can put stty commands in /etc/config/scripts/portXX.init which gets run whenever portmanager opens the port. Otherwise any setup you do with stty will get lost when the portmanager opens the port. The reason that portmanager sets things back to its config rather than using whatever is on the port is so the port is in a known good state and will work no matter what things are done to the serial port outside of portmanager.
15.3.2 Accessing the console/modem port
The console dial-in is handled by mgetty, with automatic PPP login extensions. mgetty is a smart getty replacement designed to be used with Hayes compatible data and data/fax modems. mgetty knows about modem initialization, manual modem answering (your modem doesn't answer if the machine isn't ready), and UUCP locking (you can use the same device for dial-in and dial-out). mgetty provides very extensive logging facilities. All standard mgetty options are supported.
Modem initialization strings: To override the standard modem initialization string, either use the Management Console (refer Chapter 5) or the command line config tool (refer to Dial-In Configuration, Chapter 14).
Enabling Boot Messages on the Console: If you are not using a modem on the DB9 console port and instead want to connect to it directly via a Null Modem cable, enable verbose mode, which allows you to see the standard linux start-up messages. Follow these commands:
/bin/config --set=config.consol
346. rt controls that Users can access.
14 Basic Configuration: Command line installation and configuration using the config command.
15 Advanced Config: More advanced command line configuration activities where you will need to use Linux commands.
The latest update of this manual can be found online at www.blackbox.com.
Types of users
The console server supports two classes of users. First there are the administrative users, who will be authorized to configure and control the console server and to access and control all the connected devices. These administrative users will be set up as members of the admin user group, and any user in this class is referred to generically in this manual as the Administrator. An Administrator can access and control the console server using the config utility, the Linux command line or the browser based Management Console. By default the Administrator has access to all services and ports to control all the serial connected devices and network connected devices (hosts). The second class of users are those who have been set up by the Administrator with specific limits of their access and control authority. These users are set up as members of the users user group, or some other user groups the Administrator may have added. They are only authorized to perform specified controls on specific connected devices, and are referred to as Users. These Users, when authorized, can access serial or network connected devices and con
347. rt of the UPS Admin and Router Admin groups. On the console server, these users will be required to have access to a group Router_Admin with access to port 1 (connected to the router) and another group UPS Admin with access to port 2 (connected to the UPS). Once LDAP is set up, users that are members of each group will have the appropriate permissions to access the router and UPS. Currently the only LDAP directory service that supports group provisioning is Microsoft Active Directory. Support is planned for OpenLDAP at a later time.
To enable group information to be used with an LDAP server:
> Complete the fields for standard LDAP authentication, including LDAP Server Address, Server Password, LDAP Base DN, LDAP Bind DN and LDAP User Name Attribute.
> Enter memberOf for LDAP Group Membership Attribute, as group membership is currently only supported on Active Directory servers.
> If required, enter the group information for LDAP Console Server Group DN and/or LDAP Administration Group DN. A user must be a member of the LDAP Console Server Group DN group in order to gain access to the console and user interface. For example, the user must be a member of MyGroup on the Active Server to gain access to the console server. Additionally, a user must be a member of the LDAP Administration Group DN in order to gain administrator access to the console server. For example, the user must be a member of AdminGroup
348. rvers, the keys can be simply uploaded through the web interface on the System: Administration page. This enables you to upload stored RSA or DSA Public Key pairs to the Master and apply the Authorized key to the slave, and is described in Chapter 4. Once complete, you then proceed to Fingerprinting as described below.
[Screenshot: System: Administration page, SSH keys section. SSH RSA Public Key (Choose File: Upload a replacement RSA public key file). SSH RSA Private Key (Choose File: Upload a replacement RSA private key file). SSH DSA Public Key (Choose File: Upload a replacement DSA public key file). SSH DSA Private Key (Choose File: Upload a replacement DSA private key file). SSH Authorized Keys (Choose File: Upload a replacement authorized keys file). Generate SSH keys automatically: Generate SSH keys locally. Apply.]
15.6.4 Installing SSH Public Key Authentication (Linux)
Alternately, the public key can be installed on the unit remotely from the linux host with the scp utility as follows. Assuming the user on the Management Console is
349. rvers also support attaching an external USB CDMA cellular modem (from Sierra Wireless) to one of its USB 2.0 ports. Both will connect to the Verizon network in North America.
After creating an account with the CDMA carrier, some carriers require an additional step to provision the Internal Cellular Modem (referred to as Provisioning). Your console server supports Over-the-Air Service Provisioning (OTASP), where modem specific parameters can be retrieved via a voice call to a special phone number, and a manual process where the phone number and other parameters can be entered manually.
OTASP Activation: Before activating over the air you will need to establish a data plan, then register the device for activation.
> Contact your carrier and provide them with your ESN (Electronic Serial Number), which can be found on the white label on the underside of the console server.
> Select the Internal Cellular Modem panel on the System: Dial menu.
> A particular phone number will need to be dialed to complete OTASP (e.g. Verizon uses *22899, Telus uses *22886).
> Click Activate to initiate the OTASP call. The process is successful if no errors are displayed and you no longer see the CDMA Modem Activation form. If OTASP is unsuccessful, you can consult the System Logs for clues to what went wrong at Status: Syslog.
> When OTASP has completed successfully, you can proceed to enabling the Internal Cellular Modem by entering the carrier's phone numb
350. rvers using the SDT for Nagios Configuration Wizard.
Distributed console servers (Black Box console servers):
- Serial and network hosts are attached to each console server.
- Each runs Nagios plug-ins (NRPE and NSCA add-ons) but not a full Nagios server.
Clients:
- Typically a client PC (laptop etc.) running Windows, Linux or Mac OS X.
- Runs SDT Connector client software 1.5.0 or later.
- Possibly remote to the central Nagios server or distributed console servers (i.e. a road warrior).
- May receive alert emails from the central Nagios server or distributed console servers.
- Connects to the central Nagios server web UI to view status of monitored hosts and serial devices.
- Uses SDT Connector to connect through the console servers to manage monitored hosts and serial devices.
SDT Nagios setup involves the following steps:
i. Install Nagios and the NSCA and NRPE add-ons on the central Nagios server (Section 10.2.1 Set up central Nagios server).
ii. Configure each Black Box distributed console server for Nagios monitoring, alerting and SDT Nagios integration (Section 10.2.2 Set up distributed Black Box servers).
iii. Run the SDT for Nagios Configuration Wizard on the central Nagios server (Section 10.2.3 Set up SDT Nagios on central Nagios server) and perform any additional configuration tasks.
iv. Install SDT Connector on each client (Section 10.2.4 Set up clients).
10.2.1
351. ry rights notices appearing on the electronic documentation. Black Box reserves all rights not expressly granted herein.
INTELLECTUAL PROPERTY RIGHTS: The Software is protected by copyright laws, international copyright treaties and other intellectual property laws and treaties. Black Box and its suppliers retain all ownership of, and intellectual property rights in (including copyright), the Software, components and all copies thereof, provided however that (1) certain components of the Software, including SDT Connector, are components licensed under the GNU General Public License Version 2, which Black Box supports, and (2) the SDT Connector includes code from JSch (a pure Java implementation of SSH2), which is licensed under a BSD style license. Copies of these licenses are detailed below, and Black Box will provide source code for any of the components of the Software licensed under the GNU General Public License upon request.
EXPORT RESTRICTIONS: You agree that you will not export or re-export the Software, any part thereof, or any process or service that is the direct product of the Software, in violation of any applicable laws or regulations of the United States or the country in which you obtained them.
U.S. GOVERNMENT RESTRICTED RIGHTS: The Software and related documentation are provided with Restricted Rights. Use, duplication or disclosure by the Government is subject to restrictions set forth in subparagraph (c)(1)(ii) of the Rights in Technical
352. s: Configuration Backup, Firmware, IP, Date & Time, Dial, Services, DHCP Server.
[Figure: Summary, comms room, EMD Engineering Temperature Graph (Temperature and Humidity traces).]
EMD Engineering Log:
Time                      Temperature  Humidity  Alarm 1  Alarm 2  Alert Status
Fri Jan 16 20:37:05 2009  24           51        Open 0   Open 0   Normal
Fri Jan 16 20:38:05 2009  24           47        Open 0   Open 0   Normal
Chapter 9: Authentication
Introduction
The console server is a dedicated Linux computer with a myriad of popular and proven Linux software modules for networking, secure access (OpenSSH) and communications (OpenSSL), and sophisticated user authentication (PAM, RADIUS, TACACS and LDAP). This chapter details how the Administrator can use the Management Console to establish remote AAA authentication for all connections to the console server and attached serial and network host devices. This chapter also covers how to establish a secure link to the Management Console using HTTPS, and using OpenSSL and OpenSSH to establish a secure Administration connection to the console server.
9.1 Authentication Configuration
Authentication can be performed locally, or remotely using an LDAP, Radius or TACACS authentication server. The default authentication method for the console server is Local.
[Screenshot: Management Console header (Firmware 3.5.3u5, Current User root).]
353. s, contact Black Box Tech Support at 724-746-5500 or go to blackbox.com and click on Talk to Black Box. You'll be live with one of our technical experts in less than 30 seconds.
Value Line and Advanced Console Servers Manual
Federal Communications Commission and Industry Canada Radio Frequency Interference Statements
This equipment generates, uses, and can radiate radio frequency energy, and if not installed and used properly, that is, in strict accordance with the manufacturer's instructions, may cause interference to radio communication. It has been tested and found to comply with the limits for a Class A computing device in accordance with the specifications in Subpart B of Part 15 of FCC rules, which are designed to provide reasonable protection against such interference when the equipment is operated in a commercial environment. Operation of this equipment in a residential area is likely to cause interference, in which case the user at his own expense will be required to take whatever measures may be necessary to correct the interference. Changes or modifications not expressly approved by the party responsible for compliance could void the user's authority to operate the equipment. This digital apparatus does not exceed the Class A limits for radio noise emission from digital apparatus set out in the Radio Interference Regulation of Industry Canada.
Le présent appareil numérique n'émet pas d
354. s logs you on to the console server.
The LES1508A, LES1408A, LES1416A, LES1432A, LES1448A, LES1308A, LES1316A, LES1332A, LES1348A, LES1208A-R2, LES1216A-R2, LES1232A and LES1248A-R2 console servers have a second network port that you can configure as a management LAN port or as a failover/OOB access port.
3.6.1 Enable the Management LAN
The LES1508A, LES1408A, LES1416A, LES1432A, LES1448A, LES1308A, LES1316A, LES1332A, LES1348A, LES1208A-R2, LES1216A-R2, LES1232A and LES1248A-R2 console servers provide a firewall, router and DHCP server. You need to connect an external LAN switch to Network 2 to attach hosts to this management LAN.
[Diagram: Gateway to the Management LAN. Network 1: Operations network. Network 2: Management LAN with serially and network connected consoles.]
This Management LAN feature is disabled by default. To configure the Management LAN gateway:
> Select the Management LAN page on the System: IP menu and uncheck Disable.
> Configure the IP Address and Subnet Mask for the Management LAN (but leave the DNS fields blank).
> Click Apply.
[Screenshot: System: IP, Network Interface / Management LAN, General Settings / Route Settings (Firmware 3.5.3u5, Current User root). Disable: Deactivate this network interface. IP Settings: Management LAN Configuration (DHCP
355. s/man/snmpd.conf.html
FAQ: http://www.net-snmp.org/docs/FAQ.html
Net-SNMPD Tutorial: http://www.net-snmp.org/tutorial/tutorial-5/demon/snmpd.html
15.5.2 Adding more than one SNMP server
To add more than one SNMP server for alert traps, add the first SNMP server using the Management Console (refer Chapter 7) or the command line config tool. Secondary and any further SNMP servers are added manually using config.
Log in to the console server's command line shell as root or an admin user. Refer back to the Management Console UI or user documentation for descriptions of each field.
To set the Manager Protocol field:
config -s config.system.snmp.protocol2=UDP
or
config -s config.system.snmp.protocol2=TCP
To set the Manager Address field:
config -s config.system.snmp.address2=w.x.y.z
(replacing w.x.y.z with the IP address or DNS name)
To set the Manager Trap Port field:
config -s config.system.snmp.trapport2=162
(replacing 162 with the TCP/UDP port number)
To set the Version field:
config -s config.system.snmp.version2=1
or
config -s config.system.snmp.version2=2c
or
config -s config.system.snmp.version2=3
To set the Community field (SNMP version 1 and 2c only):
config -s config.system.snmp.community2=yourcommunityname
(replacing yourcommunityname with the community name)
To set the Engine ID field (SNMP version 3 only):
config -s config.system.snmp.engineid2=800000020109840301
(replacing 800000020109840301 w
356. s script can only take one host IP address per instance. Multiple independent commands can be sent to the script. The commands will be run one after the other.
# PINGREP is the entire reply from the ping command
# LOSS is the percentage loss from the ping command
# $1 must be the hostname/IP address of device to ping
# $2 must be the commands to run when the pings fail
COUNTER=0
TARGET="$1"
shift
# loop indefinitely
while true
do
    # ping the device 10 times
    PINGREP=`ping -c 10 -i 1 "$TARGET"`
    # get the packet loss percentage (the number directly before the "%")
    LOSS=`echo "$PINGREP" | grep "%" | sed -e 's/.*[^0-9]\([0-9]*\)%.*/\1/'`
    if [ "$LOSS" -eq 100 ]
    then
        COUNTER=`expr $COUNTER + 1`
    else
        COUNTER=0
        sleep 30s
    fi
    # after 5 consecutive total-loss rounds, run the failure commands
    if [ "$COUNTER" -eq 5 ]
    then
        COUNTER=0
        "$@"
        sleep 2s
    fi
done
15.1.7 Running custom scripts when a configurator is invoked
A configurator is responsible for reading the values in /etc/config/config.xml and making the appropriate changes live. Some changes made by the configurators are part of the Linux configuration itself, such as user passwords or ipconfig. Currently there are nineteen configurators. Each one is responsible for a specific group of config; for example, the users configurator makes the user configurations in the config.xml file live. To see all the available configurators, type the following from a command line prompt:
config
When a change is made using the Management Con
357. s to console server and serially or network attached devices.
RADIUS: The Remote Authentication Dial-In User Service (RADIUS) protocol was developed by Livingston Enterprises as an access server authentication and accounting protocol. The RADIUS server can support a variety of methods to authenticate a user. When it is provided with the username and original password given by the user, it can support PPP (PAP or CHAP), UNIX login, and other authentication mechanisms. You can find further information on configuring remote RADIUS servers at the following sites:
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/DepKit/d4fe8248-eecd-49e4-88f6-9e304f97fefc.mspx
http://www.cisco.com/en/US/tech/tk59/technologies_tech_note09186a00800945cc.shtml
http://www.freeradius.org
9.1.4 LDAP authentication
Perform the following procedure to configure the LDAP authentication method to use whenever the console server or any of its serial ports or hosts is accessed:
> Select Serial and Network: Authentication and check LDAP or LocalLDAP or LDAPLocal or LDAPDownLocal.
[Screenshot: LDAP settings form. Fields: LDAP Server Address (Comma separated list of servers), LDAP Base DN (The distinguished name of the search base, for example dc=my…), LDAP Bind DN, Bind DN Password, Confirm Password, LDAP Username Attribute, LDAP Group Membership Attribute, LDAP Console Server Group DN, LDAP Basic Management Group DN.]
358. sktop (VNC), HTTP or X connection to the console server.
> Open Network Connections in Control Panel and click the New Connection Wizard.
[Screenshot: New Connection Wizard, Network Connection Type: What do you want to do? Connect to the Internet (Connect to the Internet so you can browse the Web and read email). Connect to the network at my workplace (Connect to a business network using dial-up or VPN so you can work from home, a field office, or another location). Set up a home or small office network (Connect to an existing home or small office network or set up a new one). Set up an advanced connection (Connect directly to another computer using your serial, parallel, or infrared port, or set up this computer so that other computers can connect to it).]
> Select Set up an advanced connection and click Next.
> On the Advanced Connection Options screen, select Accept Incoming Connections and click Next.
> Select the Connection Device, i.e. the serial COM port on the Windows computer that you cabled through to the console server. By default, select COM1. The COM port on the Windows computer should be configured to its maximum baud rate. Click Next.
> On the Incoming VPN Connection Options screen, select Do not allow virtual private connections and click Next.
[Screenshot: New Connection Wizard, User Permissions: You can specify the users who can connect to this computer. Select the check box n
359. sole web GUI, the appropriate configurator automatically runs. This can be a problem if another Administrator makes a change using the Management Console: the configurator could possibly overwrite any custom CLI linux configurations you may have set. The solution is to create a custom script that runs after each configurator runs. After each configurator runs, it will check whether the appropriate custom script exists. You can then add any commands to the custom script and they will be invoked after the configurator runs. The custom scripts must be in the correct location: /etc/config/scripts/config-post
To create an alerts custom script:
cd /etc/config/scripts
touch config-post-alerts
vi config-post-alerts
You could use this script to recover a specific backup config, or overwrite a config, or make copies of config files, etc.
15.1.8 Backing up the configuration and restoring using a local USB stick
The /etc/scripts/backup-usb script is written to save and load custom configuration using a USB flash disk. Before saving configuration locally, you must prepare the USB storage device for use. To do this, disconnect all USB storage devices except for the storage device you want to use.
Usage: /etc/scripts/backup-usb COMMAND [FILE]
COMMAND:
check-magic    check volume label
set-magic      set volume label
save FILE      save configuration to USB
delete FILE    delete a configuration tarball from USB
list           list available config ba
360. ster's Management Console provides a consolidated view of the settings for its own and all the Slave's serial ports. The Master does not provide a fully consolidated view. For example, if you want to find out who's logged in to cascaded serial ports from the master, you'll see that Status: Active Users only displays those users active on the Master's ports, so you may need to write custom scripts to provide this view. This is covered in Chapter 11.
4.7 Serial Port Redirection
To allow an application on a client PC to access the virtual serial ports on the console server, you need to run client software to redirect the local serial port traffic to the remote console server serial port. There's a selection of commercial software available, including Serial to Ethernet from Eltima (www.eltima.com) and Serial/IP COM Port Redirector from Tactical Software (www.tacticalsoftware.com/products/serialip.htm).
[Diagram: Serial Device Applications (Retail Data Systems, Building Automation Systems), Serial/IP Redirector, Virtual COM Ports, Internet, Remote Serial Devices (Controllers, Sensors).]
This serial port redirector software is loaded in your desktop PC and it allows you to use a serial device that's connected to the remote console server as if it were connected to your local serial port.
4.8 Managed Devices
Managed Devices presents a consolidated view of all the conne
361. sts. These users can also be given full Administrator status, with full configuration, management and access privileges. To simplify user set up, they can be configured as members of Groups. There are six Groups set up by default:
admin: Provides users with unlimited configuration and management privileges.
pptpd: Group to allow access to the PPTP VPN server. Users in this group will have their password stored in clear text.
dialin: Group to allow dialin access via modems. Users in this group will have their password stored in clear text.
ftp: Group to allow ftp access and file access to storage devices.
pmshell: Group to set default shell to pmshell.
users: Provides users with basic management privileges.
Note: Members of the admin group have full Administrator privileges. The admin user (Administrator) can access the console server using any of the services that are enabled in System: Services. For example, if only HTTPS has been enabled, then the Administrator can only access the console server using HTTPS. Once logged in, they can reconfigure the console server settings (for example, to enable HTTP/Telnet for future access). They can also access any of the connected Hosts or serial port devices using any of the services that have been enabled for these connections. The Administrator can reconfigure the access services for any Host or serial port. Only trusted users should have Administrator access. Membership of
362. sts.host4.tcpports.tcpport1 22
config -s config.sdt.hosts.host4.tcpports.tcpport1.loglevel 1
config -s config.sdt.hosts.host4.udpports.tcpport2 443
config -s config.sdt.hosts.host4.udpports.tcpport2.loglevel 1
If you want to add the new host as a managed device, make sure you use the current total number of managed devices + 1 for the new device number. To get the current number of managed devices:
config -g config.devices.total
Assuming we already have one managed device, our new device will be device 2. Issue the following commands:
config -s config.devices.device2.connections.connection1.name 192.168.3.10
config -s config.devices.device2.connections.connection1.type Host
config -s config.devices.device2.name OfficePC
config -s config.devices.device2.description MyPC
config -s config.devices.total 2
The following command will synchronize the live system with the new configuration:
config -r hosts

14.7 Trusted Networks

You can further restrict remote access to serial ports based on the source IP address. To configure this via the command line, you need to do the following:
Determine the total number of existing trusted network rules. If you have no existing rules, you can assume this is 0.
config -g config.portaccess.total
This command should display config.portaccess.total 1. Note that if you see only config.portaccess.total (with no value), this means you have 0 rules configured.
363. t. Enter the Host Name and the Nagios Host Address (for example, the IP address) that the central Nagios server will use to contact the distributed Black Box console server.
> Enter the IP address that the distributed Black Box console server will use to contact the central Nagios server in Nagios Server Address.
> Enter the IP address that the clients running SDT Connector will use to connect through the distributed Black Box servers in SDT Gateway address.
> Check Prefer NRPE, NRPE Enabled and NRPE Command Arguments.
> Check NSCA Enabled, choose an NSCA Encryption Method and enter and confirm an NSCA Secret. Remember these details because you will need them later on. For NSCA Interval, enter 5.
> Click Apply.
Next you must configure the attached Windows network host and specify the services you will be checking with Nagios (HTTP and HTTPS).
> Select Network Hosts from the Serial & Network menu and click Add Host.
> Enter the IP Address/DNS Name of the network server (for example, 192.168.1.10) and enter a Description (for example, Windows 2003 IIS Server).
> Remove all Permitted Services. This server will be accessible using Terminal Services, so check TCP, Port 3389 and log level 1 and click Add. Remove and re-add the service to enable logging.
[Screenshot: Nagios Settings page with Enable Nagios checked (switch Nagios on for this
364. t command
ipmitool [-c|-h|-v|-V] -I lan -H <hostname> [-p <port>] [-U <username>] [-A <authtype>] [-L <privlvl>] [-a|-E|-P|-f <password>] [-o <oemtype>] <command>
ipmitool [-c|-h|-v|-V] -I lanplus -H <hostname> [-p <port>] [-U <username>] [-L <privlvl>] [-a|-E|-P|-f <password>] [-o <oemtype>] [-C <ciphersuite>] <command>
DESCRIPTION
This program lets you manage Intelligent Platform Management Interface (IPMI) functions of either the local system, via a kernel device driver, or a remote system, using IPMI v1.5 and IPMI v2.0. These functions include printing FRU information, LAN configuration, sensor readings, and remote chassis power control.
IPMI management of a local system interface requires a compatible IPMI kernel driver to be installed and configured. On Linux this driver is called OpenIPMI and it is included in standard distributions. On Solaris this driver is called BMC and is included in Solaris 10. Management of a remote station requires the IPMI-over-LAN interface to be enabled and configured. Depending on the particular requirements of each system, it may be possible to enable the LAN interface using ipmitool over the system interface.
OPTIONS
-a: Prompt for the remote server password.
-A <authtype>: Specify an authentication type to use during IPMIv1.5 lan session activation
365. t must request it again.
> Click Apply.
The DHCP server will sequentially issue IP addresses from a specified address pool(s):
> Click Add in the Dynamic Address Allocation Pools field.
> Enter the DHCP Pool Start Address and End Address and click Apply.
The DHCP server also supports pre-assigning IP addresses to be allocated only to specific MAC addresses, and reserving IP addresses to be used by connected hosts with fixed IP addresses. To reserve an IP address for a particular host:
Once applied, devices on the internal network will be able to access resources on the external network.
Note: The DHCP server feature is available only on the LES1508A, LES1408A, LES1416A, LES1432A, LES1448A, LES1308A, LES1316A, LES1332A, LES1348A, LES1208A-R2, LES1216A-R2, LES1232A and LES1248A-R2 console servers. It is not supported on LES1108A, LES1116A, LES1132A and LES1148A console servers.

5.8.3 Port forwarding

When using IP Masquerading, devices on the external network cannot initiate connections to devices on the internal network. To work around this, Port Forwards can be set up to allow external users to connect to a specific port or range of ports on the external interface of the console server/cellular router, and have the console server/cellular router redirect the data to a specified internal address and port range. To set up a port forward:
> Navigate to the System: Firewall page and click on the Port Forwarding tab.
> Click
366. t on the console server via a special EMD Adapter and standard CAT5 cable. The EMD is powered over this serial connection and communicates using a custom handshake protocol. It is not an RS-232 device and should not be connected without the adapter.
> Plug the male RJ plug on the EMD Adapter into the EMD and then connect it to the console server serial port using the provided UTP cable. If the 6 foot (2 meter) UTP cable provided with the EMD is not long enough, you can replace it with a standard CAT5 UTP cable up to 33 feet (10 meters) long.
> Screw the bare wires on any smoke detector, water detector, vibration sensor, open door sensor or general purpose open/close status sensors into the terminals on the EMD.
Note: You can attach two external sensors onto the terminals on EMDs that are connected to LES1108A, LES1116A, LES1132 and LES1148A console servers. LES1508A, LES1408A, LES1416A, LES1432A, LES1448A, LES1308A, LES1316A, LES1332A, LES1348A, LES1208A-R2, LES1216A-R2, LES1232 and LES1248A-R2 console servers only support attaching a single sensor to each EMD. You can only use the EMD with a Black Box console server; you cannot connect it to standard RS-232 serial ports on other appliances.
> Select Environmental as the Device Type in the Serial & Network: Serial Port menu for the port to which the EMD will be attached. No particular Common Settings are required.
367. t.pem

15.8.3 Installing the key and certificate

We recommend that you use an SCP (Secure Copying Protocol) client to copy files securely to the console server unit. The scp utility is distributed with OpenSSH for most Unix distributions, while Windows users can use something like the PSCP command line utility available with PuTTY. You can install remotely the files created in the steps above with the scp utility as follows:
scp ssl_key.pem root@<address of unit>:/etc/config/
scp ssl_cert.pem root@<address of unit>:/etc/config/
or using PSCP:
pscp -scp ssl_key.pem root@<address of unit>:/etc/config/
pscp -scp ssl_cert.pem root@<address of unit>:/etc/config/
PuTTY and the PSCP utility can be downloaded from http://www.chiark.greenend.org.uk/~sgtatham/putty/download.html. More detailed documentation on PSCP can be found at http://the.earth.li/~sgtatham/putty/0.58/htmldoc/Chapter5.html#pscp

15.8.4 Launching the HTTPS Server

Note that the easiest way to enable the HTTPS server is from the web Management Console. Simply click the appropriate checkbox in Network > Services > HTTPS Server and the HTTPS server will be activated (assuming the ssl_key.pem and ssl_cert.pem files exist in the /etc/config directory). Alternatively, inetd can be configured to launch the secure fnord server from the command line of the unit as follows: Edit the inetd configuration file
368. t want to use out-of-band dial-in access. Note that the procedure for enabling start-up messages on the console port is covered in Chapter 15, Accessing the Console Port.
The following command will synchronize the live system with the new configuration:
config -a

14.21 DHCP server

To enable the DHCP server on the console management LAN with settings:
Default lease time: 200000 seconds
Maximum lease time: 300000 seconds
DNS server1: 192.168.2.3
DNS server2: 192.168.2.4
Domain name: company.com
Default gateway: 192.168.0.1
IP pool 1 start address: 192.168.0.20
IP pool 1 end address: 192.168.0.100
Reserved IP address: 192.168.0.50
MAC to reserve IP for: 00:1e:67:82:72:d9
Name to identify this host: John PC
Issue the commands:
config -s config.interfaces.lan.dhcpd.enabled on
config -s config.interfaces.lan.dhcpd.defaultlease 200000
config -s config.interfaces.lan.dhcpd.maxlease 300000
config -s config.interfaces.lan.dhcpd.dns1 192.168.2.3
config -s config.interfaces.lan.dhcpd.dns2 192.168.2.4
config -s config.interfaces.lan.dhcpd.domain company.com
config -s config.interfaces.lan.dhcpd.gateway 192.168.0.1
config -s config.interfaces.lan.dhcpd.pools.pool1.start 192.168.0.20
config -s config.interfaces.lan.dhcpd.pools.pool1.end 192.168.0.100
config -s config.interfaces.lan.dhcpd.pools.total 1
config -s config.interfaces.lan.dhcpd.staticips.staticip1.ip 192.168.0.50
confi
369. tgoing mail Server / SMS gateway.
Select a Secure Connection if applicable, and specify the SMTP port to be used if other than the default port 25. You may also enter a Sender email address, which will appear as the from address in all email notifications sent from this console server. Some SMS gateway service providers only forward email to SMS when the email has been received from authorized senders, so you may need to assign a specific authorized email address for the console server. You may also enter a Username and Password, as some SMS gateway service providers use SMTP servers which require authentication. Similarly, you can specify the specific Subject Line that will be sent with the email. Generally, the email subject will contain a truncated version of the alert notification message, which is contained in full in the body of the email.
[Screenshot: Alerts & Logging: SMTP & SMS page. Fields: Server (the outgoing SMTP server); Port; Secure Connection (if this server uses a secure connection, specify its type, e.g. TLS); Sender (the from address which will appear on the sent email); Username (if this server requires authentication, specify the username); Password (if this server requires authentication, specify the password); Confirm
370. the individual power outlet. This will take you to the Manage: Power screen.

Uninterruptible Power Supply Control (UPS)

You can configure all Black Box console servers to manage locally and remotely connected UPS hardware using Network UPS Tools. Network UPS Tools (NUT) is a group of open source programs that provide a common interface for monitoring and administering UPS hardware. These programs ensure safe shutdowns of the systems that are connected. NUT is built on a networked model with a layered scheme of drivers, server and clients (covered in some detail in Chapter 8.2.6).
[Figure: multiple local (serial, USB, networked) UPSes attached as Managed UPS; multiple remote UPSes attached as Remote UPS]

8.2.1 Managed UPS connections

A Managed UPS is a UPS that is directly connected as a Managed Device to the console server. You can connect it via serial or USB cable, or by the network. The console server becomes the master of this UPS and runs a upsd server to allow other computers that are drawing power through the UPS (slaves) to monitor the UPS status and take appropriate action, such as shutdown, when the UPS battery is low.
[Figure: serial, USB or network connections between the console server and the Managed UPS]
The console server may or may not be drawing power itself through the Managed UPS. When the UPS's battery power reaches critical, the console server signals and waits for slaves to shut down, then powers off the UPS. Serial and
371. the name of the device as it will appear on the upstream Nagios server.
Click New Check to add a specific check which will be run on this host.
Select Check Permitted TCP/UDP to monitor a service that you have previously added as a Permitted Service.
Select Check TCP/UDP to specify a service port that you want to monitor without allowing external SDT Connector access.
Select Check TCP to monitor
The Nagios Check nominated as the check-host-alive check is the check used to determine whether the network host itself is up or down. Typically this will be Check Ping, although in some cases the host will be configured not to respond to pings. If no check-host-alive check is selected, the host will always be assumed to be up. You may deselect check-host-alive by clicking Clear check-host-alive.
If required, customize the selected Nagios Checks to use custom arguments.
Click Apply.

10.3.6 Configure the upstream Nagios monitoring host

Refer to the Nagios documentation (http://www.nagios.org/docs/) for configuring the upstream server.
> The section entitled Distributed Monitoring steps through what you need to do to configure NSCA on the upstream server, under Central Server Configuration.
> NRPE Documentation was recently added that steps through configuring NRPE on the upstream server: http://nagios.sourceforge.net/docs/nrpe/NRPE.pdf
At this stage, Nagios at the upstream monitoring serve
372. the outlet and port in the outlet and port environment variables respectively. The script can be anything that can be executed within the shell. All of the existing scripts in /etc/powerstrips.xml use the pmchat utility. pmchat works just like the standard unix chat program, only it ensures interoperation with the port manager. The final options (speed, charsize, stop and parity) define the recommended or default settings for the attached device.

15.10 IPMItool

The console server includes the ipmitool utility for managing and configuring devices that support the Intelligent Platform Management Interface (IPMI) version 1.5 and version 2.0 specifications. IPMI is an open standard for monitoring, logging, recovery, inventory and control of hardware that is implemented independent of the main CPU, BIOS and OS. The service processor, or Baseboard Management Controller (BMC), is the brain behind platform management and its primary purpose is to handle the autonomous sensor monitoring and event logging features. The ipmitool program provides a simple command line interface to this BMC. It features the ability to read the sensor data repository (SDR) and print sensor values, display the contents of the System Event Log (SEL), print Field Replaceable Unit (FRU) inventory information, read and set LAN configuration parameters, and perform remote chassis power control.
SYNOPSIS
ipmitool [-c|-h|-v|-V] -I open
l
373. ther group called Group8 access to the same host:
config -s config.sdt.hosts.host5.groups.group2 Group8
config -s config.sdt.hosts.host5.groups.total 2 (total number of users having access to host)
To delete the group called Group7, use the following command:
rmuser Group7
Attention: The rmuser script is a generic script to remove any config element from config.xml correctly. However, any dependencies or references to this group will not be affected. Only the group details are deleted. The Administrator is responsible for going through config.xml and removing group dependencies and references manually, specifically if the group had access to a host or RPC device.
The following command will synchronize the live system with the new configuration:
config -a

14.5 Authentication

To change the type of authentication for the console server:
config -s config.auth.type <authtype>
<authtype> can be: Local, LocalTACACS, TACACS, TACACSLocal, TACACSDownLocal, LocalRADIUS, RADIUS, RADIUSLocal, RADIUSDownLocal, LocalLDAP, LDAP, LDAPLocal, LDAPDownLocal
To configure TACACS authentication:
config -s config.auth.tacacs.auth_server <comma separated list> (list of remote authentication and authorization servers)
config -s config.auth.tacacs.acct_server <comma separated list> (list of remote accounting servers; if unset, the Authentication and Authorization Server Address will be used)
config -s
374. [Screenshot: Network Interface (Management LAN Interface) page, General Settings. Fields: Configuration Method (DHCP or static); IP Address (a statically assigned IP address); Subnet Mask; Gateway (a statically assigned gateway); Primary DNS (a statically assigned primary name server); Secondary DNS (a statically assigned secondary name server); Media (the Ethernet media type); DHCP Server: Disabled (configure a DHCP server for this interface)]
Click on the Disabled link next to DHCP Server, which will bring up the System: DHCP Server page.
> Check Enable DHCP Server.
To configure the DHCP server:
> Tick the Use interface address as gateway check box.
> Set the DNS server address(es) to be the same as used on the external network, i.e. if the console server is acting as an internet gateway or a cellular router, then use the ISP provided DNS server address.
> Enter the Default Lease time and Maximum Lease time in seconds. The lease time is the time that a dynamically assigned IP address is valid before the clien
375. tify of this alert:
config -s config.alerts.alert2.nsca.enabled on
To use SNMP to notify of this alert:
config -s config.alerts.alert2.snmp.enabled on
Increment the total alerts:
config -s config.alerts.total 2
Below are the specific settings depending on the type of alert required.
Connection Alert
To trigger an alert when a user connects to serial port 5 or network host 3:
config -s config.alerts.alert2.host3 host-name
config -s config.alerts.alert2.port5 on
config -s config.alerts.alert2.sensor temp
config -s config.alerts.alert2.signal DSR
config -s config.alerts.alert2.type login
Signal Alert
To trigger an alert when a signal changes state on port 1:
config -s config.alerts.alert2.port1 on
config -s config.alerts.alert2.sensor temp
config -s config.alerts.alert2.signal "DSR DCD CTS"
config -s config.alerts.alert2.type signal
Pattern Match Alert
To trigger an alert if the regular expression 0.0.id is found in serial port 10's character stream:
config -s config.alerts.alert2.pattern "0.0.id"
config -s config.alerts.alert2.port10 on
config -s config.alerts.alert2.sensor temp
config -s config.alerts.alert2.signal DSR
config -s config.alerts.alert2.type pattern
UPS Power Status Alert
To trigger an alert when the power status of myUPS on localhost, or of thatUPS on remote host 192.168.0.50, changes between on line, on battery and low battery:
376. tion or Internet connection via a LAN or VPN, and the secondary out-of-band connectivity is provided by a dial-up or wireless modem directly attached to the gateway. Out-of-band access enables you to access the hosts and serial devices on the network, diagnose any connectivity issues and restore the gateway's primary link.
In SDT Connector, to configure OoB access you provide the secondary IP address of the gateway and tell SDT Connector how to start and stop the OoB connection. You can start an OoB connection by initiating a dial-up connection or adding an alternate route to the gateway. SDT Connector allows for maximum flexibility: it allows you to provide your own scripts or commands for starting and stopping the OoB connection.
[Screenshot: New SDT Gateway dialog, Out Of Band tab. Fields: Secondary Address; Port 22; Start Command (e.g. rasdial OOB login password); Stop Command (e.g. rasdial network_connection login password)]
To configure SDT Connector for OoB access:
> When adding a new Gateway or editing an existing Gateway, select the Out Of Band tab.
> Enter the secondary OoB IP address of the gateway (for example, the IP address it is using when dialed in directly). You also may modify the gateway's SSH port if it's not using the default of 22.
> Enter the command or path to a script to start the OoB connection in Start Command.
377. tion protocol to be used. Either authenticate as part of ESP (Encapsulating Security Payload) encryption, or separately using the AH (Authentication Header) protocol.
Enter a Left ID and Right ID. This is the identifier that the Local host/gateway and remote host/gateway use for IPsec negotiation and authentication. Each ID must include an @ and can include a fully qualified domain name preceded by @ (e.g. left@example.com).
Enter the public IP or DNS address of this console server VPN gateway (or enter the address of the device connecting the console server to the Internet) as the Left Address. You can leave this blank to use the interface of the default route.
In Right Address, enter the public IP or DNS address of the remote end of the tunnel (only if the remote end has a static or dyndns address). Otherwise leave this blank.
> If the VPN gateway is serving as a VPN gateway to a local subnet (e.g. the console server has a Management LAN configured), enter the private subnet details in Left Subnet. Use the CIDR notation, where the IP address number is followed by a slash and the number of one bits in the binary notation of the netmask. For example, 192.168.0.0/24 indicates an IP address where the first 24 bits are used as the network address. This is the same as 255.255.255.0. If the VPN access is only to the console server itself and to its attached serial console devices, then leave Left Subnet
378. to IP connect to hosts that are serially attached to the gateway. Network (IP) protocols like RDP, VNC and HTTP can also be used for connecting to host devices that are serially connected through their COM port to the console server. To do this you must establish a PPP connection (Section 6.7.1) between the host and the gateway, then set up Secure Tunneling Ports on the console server (Section 6.7.2), then configure SDT Connector to use the appropriate network protocol to access IP consoles on the host devices that are attached to the console server serial ports (Section 6.7.3).

6.10.1 Establish a PPP connection between the host COM port and console server

This step is only necessary for serially connected computers. First, physically connect the COM port on the host computer you want to access to the serial port on the console server, then:
A. For non-Windows (Linux, UNIX, Solaris etc.) computers, establish a PPP connection over the serial port. The online tutorial http://www.yolinux.com/TUTORIALS/LinuxTutorialPPP.html presents a selection of methods for establishing a PPP connection for Linux.
B. For Windows XP and 2003 computers, follow the steps below to set up an advanced network connection between the Windows computer, through its COM port, to the console server. Both Windows 2003 and Windows XP Professional allow you to create a simple dial-in service which can be used for the Remote De
379. to configure the TACACS authentication method to use whenever the console server or any of its serial ports or hosts is accessed:
> Select Serial & Network: Authentication and check TACACS or LocalTACACS or TACACSLocal or TACACSDownLocal.
[Screenshot: TACACS settings. Fields: Authentication and Authorisation Server Address (comma separated list of remote authentication and authorization servers); Accounting Server Address; Server Password; Confirm Password; TACACS Login Method (defaults to PAP); TACACS Group Membership Attribute; TACACS Service; Default Admin Privileges]
> Enter the Server Address (IP or host name) of the remote Authentication/Authorization server. Multiple remote servers may be specified in a comma separated list. Each server is tried in succession.
> In addition to multiple remote servers, you can also enter separate lists of Authentication/Authorization servers and Accounting servers. If no Accounting servers are specified, the Authentication/Authorization servers are used instead.
> Enter and confirm the Server Password. Then select the method to be used to authenticate to the server (defaults to PAP). To use DES encrypted passwords, select Login.
> If required, enter the TACACS Group Membership Attribute that is to be used to indicate group memberships (defaults to groupname#n).
> If r
380. to extract files to. The following command will temporarily increase the size of tmp:
mount -t tmpfs -o remount,size=2048k tmpfs /var
If restoring to either a new unit or one that has been factory defaulted, make sure that the process generating SSH keys either stops or completes before restoring configuration. If this is not done, then a mix of old and new keys may be put in place. SSH uses these keys to avoid man-in-the-middle attacks, so logging in may be disrupted.

15.2 Advanced Portmanager

Black Box's portmanager program manages the console server serial ports. It routes network connections to serial ports, checks permissions, and monitors and logs all the data flowing to/from the ports.

15.2.1 Portmanager commands

pmshell
The pmshell command acts similar to the standard tip or cu commands, but all serial port access is directed via the portmanager.
Example: To connect to port 8 via the portmanager:
pmshell -l port08
pmshell Commands
Once connected, the pmshell command supports a subset of the escape commands that tip/cu support. For SSH you must prefix the escape with an additional ~ command, i.e. use the ~~ escape.
Send Break: Typing the character sequence ~b will generate a BREAK on the serial port.
History: Typing the character sequence ~h will generate a history on the serial port.
Quit pmshell: Typing the character sequence ~. will exit from pmshell.
Set RTS to 1: run the command pmshell --rts 1
Sho
381. trol these devices using the specified services (for example, Telnet, HTTPS, RDP, IPMI Serial over LAN, Power Control). An authorized User also has a limited view of the Management Console and can only access authorized configured devices and review port logs.
In this manual, when the term user (lower case) is used, it refers to both the above classes of users. This document also uses the term remote users to describe users who are not on the same LAN segment as the console server. These remote users may be Users who are on the road connecting to managed devices over the public Internet, or it may be an Administrator in another office connecting to the console server itself over the enterprise VPN, or the remote user may be in the same room or the same office but connected on a separate VLAN than the console server.
Management Console
The Management Console provides a view of the console server and all the connected devices. Administrators can use any browser to log into the Management Console, either locally or from a remote location. They can then use the Management Console to manage the console server, the users, the serial ports and serially connected devices, network connected hosts and connected power devices, and to view associated logs and configure alerts.
[Screenshot: Management Console header showing System Name les1308a, Model LES1308A, Firmware 3.5.3u5, Uptime 0 days 6 hours 14 mins 56 secs, Current User root, with Backup and Log Out buttons]
382. ult. To modify the default SNMP settings, the Administrator must make the edits at the command line as described in Chapter 15, Advanced Configuration.
NTP: Refer to Chapter 11.
> Click Apply. As you apply your services selections, the screen will be updated with a confirmation message: Message: Changes to configuration succeeded.

3.4.2 Service Settings

The Administrator can access the console server and connected serial ports and managed devices using a range of access protocols/services. However, for each such access the particular service must first be configured and enabled to run on the console server. To enable and configure a service:
> Select the Service Settings tab on the System: Services page.
[Screenshot: System: Services page, Service Settings tab. Fields: Alternate HTTP Port 80 (alternate HTTP port; port 80 for CMS); Enable HTTPS Web Management (completely enable or disable the HTTPS web management service); HTTPS Port 443 (port to listen on for the HTTPS web management service); Enable Telnet command shell (completely enable or disable the telnet service); Alternate Telnet Port; Enable SSH
383. un any command and its output will be displayed in the widget window directly. Below is an example script that writes the current date to a file and then echoes HTML code back to the browser. The HTML code gets an image from a specific URL and displays it in the widget.
#!/bin/sh
# Append the current date to a scratch file, then emit the widget HTML
date >> /tmp/test
echo "<table>"
echo "<tr><td>This is my custom script running</td></tr>"
echo "<tr><td>"
echo "<img src=http://www.vinras.com/images/linux-online-inc.jpg>"
echo "</td></tr>"
echo "</table>"
exit 0

Chapter 13

Introduction

The console server has a small number of Manage reports and tools that are available to both Administrators and Users:
Access and control authorized devices
View serial port logs and host logs for those devices
Use SDT Connector or the Web terminal to access serially attached consoles
Control power devices where authorized
All other Management Console menu items are available to Administrators only.

13.1 Device Management

To display the Managed Devices and their associated serial, network and power connections:
> Select Manage: Devices. The Administrator will be presented with a list of all configured Managed Devices, whereas the User will only see the Managed Devices they or their Group has been given access privileges for.
[Screenshot: Manage: Devices page, System Name les1308a, Model LES1308A, Firmw
uncement including an appropriate copyright notice and a notice that there is no warranty (or else, saying that you provide a warranty) and that users may redistribute the program under these conditions, and telling the user how to view a copy of this License. (Exception: if the Program itself is interactive but does not normally print such an announcement, your work based on the Program is not required to print an announcement.)
These requirements apply to the modified work as a whole. If identifiable sections of that work are not derived from the Program, and can be reasonably considered independent and separate works in themselves, then this License, and its terms, do not apply to those sections when you distribute them as separate works. But when you distribute the same sections as part of a whole which is a work based on the Program, the distribution of the whole must be on the terms of this License, whose permissions for other licensees extend to the entire whole, and thus to each and every part regardless of who wrote it.
Thus, it is not the intent of this section to claim rights or contest your rights to work written entirely by you; rather, the intent is to exercise the right to control the distribution of derivative or collective works based on the Program.
In addition, mere aggregation of another work not based on the Program with the Program (or with a work based on the Program) on a volume of a storage or distribution medium does not bring the
uring the principal network connection in System > IP, specify the Failover Interface that will be used when a fault has been detected with Network/Network1 (eth0). This can be either Internal Modem, or the Dial Serial DB9 (if you are using an external modem on the Console port), or USB Modem.
> Specify the Probe Addresses of two sites (the Primary and Secondary) that the console server is to ping to determine if Network/Network1 is still operational.
> Select the System > Dial menu option and the port to be configured (Serial DB9 Port, or PC Card, or Internal Modem Port).
> Select the Baud Rate and Flow Control that will communicate with the modem.
Note: You can further configure the console modem port (for example, to include modem init strings) by editing the /etc/mgetty configuration files, as described in Chapter 13.

5.6 Cellular Modem Connection

The LES1408A, LES1416A, LES1432A, LES1448A, LES1308A, LES1316A, LES1332A and LES1348A console servers have an internal cellular modem. The LES1508A, LES1208A-R2, LES1216A-R2, LES1232A and LES1248A-R2 console servers support external cellular modems. These modems first need to be set up to validate that they can connect to the carrier network. They can then be configured for operation in Failover mode, OOB mode, Cellular router mode or CSD mode.

5.6.1 Connect to the GSM/HSUPA/UMTS carrier network

The LES1308A, LES1316A, LES1332A and LES1348A console servers have an internal GSM modem that will
users.

14.4 Adding and removing user Groups

The console server is configured with a few default user groups, even though only two of these groups are visible in the Management Console GUI. To find out how many groups are already present:

    config -g config.groups.total

Assume this value is six. Make sure you number any new groups you create from seven and up. To add a custom group to the configuration with Group name Group7, Group description MyGroup and Port access 1, 5, you would issue the commands:

    config -s config.groups.group7.name=Group7
    config -s config.groups.group7.description=MyGroup
    config -s config.groups.total=7
    config -s config.groups.group7.port1=on
    config -s config.groups.group7.port5=on

Assume we have an RPC device connected to port 1 on the console manager and the RPC is configured. To give this group access to RPC outlet number 3 on the RPC device, run the two commands below:

    config -s config.ports.port1.power.outlet3.groups.group1=Group7
    config -s config.ports.port1.power.outlet3.groups.total=1    (total number of groups that have access to this outlet)

If more groups are given access to this power outlet, then increment the config.ports.port1.power.outlet3.groups.total element accordingly. To give this group access to network host 5:

    config -s config.sdt.hosts.host5.groups.group1=Group7
    config -s config.sdt.hosts.host5.groups.total=1    (total number of groups having access to host)

To give ano
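The index bookkeeping above is easy to get wrong by hand: the new group must take index total+1, config.groups.total must be bumped, and every outlet or host ACL the group is added to keeps its own groups.total that must be bumped as well. The following added example (written for this page; it is not part of the Black Box manual or the console server's own tooling) is a small POSIX sh helper that generates exactly those `config -s` lines. It assumes the current totals are passed in as arguments rather than read with `config -g`, so it runs offline; on the device you would feed it the value from `config -g config.groups.total`. The description value is emitted quoted so that descriptions containing spaces survive the shell.

```shell
#!/bin/sh
# Added example, not from the manual: generate the config commands that add a
# user group and grant it outlet/host access, following the manual's numbering
# rules (group index = groups.total + 1; each ACL keeps its own groups.total).
#
# Assumption: totals are supplied as arguments (hypothetical inputs), e.g.
#   total=$(config -g config.groups.total | sed 's/.* //')
# The config element names are the ones shown in the text above.

# Usage: group_cmds NAME DESCRIPTION CURRENT_GROUPS_TOTAL PORT...
# Prints the commands that create the group with access to the listed ports.
group_cmds() {
    name=$1; desc=$2; total=$3; shift 3
    case "$total" in
        ''|*[!0-9]*) echo "group_cmds: bad groups.total '$total'" >&2; return 1 ;;
    esac
    idx=$((total + 1))                      # new groups are numbered after the existing ones
    g="config.groups.group$idx"
    echo "config -s $g.name=$name"
    echo "config -s \"$g.description=$desc\""   # quoted: descriptions may contain spaces
    echo "config -s config.groups.total=$idx"
    for p in "$@"; do
        echo "config -s $g.port$p=on"
    done
}

# Usage: acl_cmds ACL_PREFIX GROUP_NAME CURRENT_ACL_TOTAL
# ACL_PREFIX is e.g. config.ports.port1.power.outlet3.groups or
# config.sdt.hosts.host5.groups; CURRENT_ACL_TOTAL is how many groups already
# have access (0 if none). The new group takes the next free slot and the
# per-ACL total is incremented, as the manual requires.
acl_cmds() {
    prefix=$1; gname=$2; n=$3
    case "$n" in
        ''|*[!0-9]*) echo "acl_cmds: bad total '$n'" >&2; return 1 ;;
    esac
    next=$((n + 1))
    echo "config -s $prefix.group$next=$gname"
    echo "config -s $prefix.total=$next"
}

# Worked run: the manual's Group7 example, ports 1 and 5, outlet 3 on port 1,
# host 5, with six groups already present and no groups on either ACL yet.
group_cmds Group7 MyGroup 6 1 5
acl_cmds config.ports.port1.power.outlet3.groups Group7 0
acl_cmds config.sdt.hosts.host5.groups Group7 0
```

Pipe the output into `sh` on the console server only after reviewing it, then run the synchronisation command the manual gives for the section you changed.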
users other than root log into the console manager. If you log in as John, and John is a member of the admin group, and there is a dashboard layout configured for John, then you will see the dashboard for John upon log in and each time you click on the Status > Dashboard menu item. If there is no dashboard layout configured for John but there is an admin group dashboard configured, then you will see the admin group dashboard instead. If there is neither a user dashboard nor an admin group dashboard configured, then you will see the default dashboard. The root user does not have its own dashboard. Use the above configuration options to enable admin users to set up their own custom dashboards.
The Dashboard displays six widgets. These widgets include each of the Status screens (alerts, devices, ports, UPS, RPC and environmental status) and a custom script screen. The admin user can configure which of these widgets is to be displayed where:
> Go to the Dashboard layout panel and select which widget is to be displayed in each of the six display locations (through widget 6).
> Click Apply.

[Screenshot: System > Configure Dashboard > Dashboard Layout, "Configuring Dashboard for Group admin"]
uses a Secure Connection, specify its type.
> You may enter a Sender email address, which will appear as the "from" address in all email notifications sent from this console server. Many SMTP servers check the sender's email address against the host domain name to verify the address as authentic, so it may be useful to assign an email address for the console server such as consoleserver2@mydomain.com.
> You may also enter a Username and Password if the SMTP server requires authentication. If you do, also select a Secure Connection type; SMTP authentication over an unencrypted connection sends the password in cleartext.
> You can specify the specific Subject Line that will be sent with the email.
> Click Apply to activate SMTP.

7.5.2 Send SMS alerts

With any model console server you can use email-to-SMS services to send SMS alert notifications to mobile devices. Almost all mobile phone carriers provide an SMS gateway service that forwards email to mobile phones on their networks. There is also a wide selection of SMS gateway aggregators who provide email-to-SMS forwarding to phones on any carrier. Alternately, if your console server has an embedded or externally attached cellular modem, you will be given the option to send the SMS directly over the carrier connection.

SMS via Email Gateway

To use SMTP SMS, the Administrator must configure a valid SMTP server for sending the email:
> In the SMTP Settings field in the Alerts & Logging > SMTP & SMS menu, select SMS Gateway. An SMS via Email Gateway field will appear.
> Enter the IP address of the ou
ut

[Screenshot: Serial & Network > Users & Groups, listing the Groups admin (provides users with unlimited configuration and management privileges), pptpd, dialin, ftp, pmshell and users (provides users with basic management privileges), an Add Group button, and the Users list with root (Root User) and Edit/Disable controls]

A User can also use the Management Console, but has limited menu access: to control select devices, review their logs and access them using the built-in Java terminal, or control power to them.
The console server runs an embedded Linux operating system, and experienced Linux and UNIX users may prefer to configure it at the command line. To get command line access, connect through a terminal emulator or communications program to the console serial port, connect via ssh or telnet through the LAN, or connect through an SSH tunnel to the console server.

Manual Conventions

This manual uses different fonts and typefaces to show specific actions.
Note: Text presented like this indicates issues to note.
Text presented like this highlights important information. Make sure you read and follow these warnings.
> Text presented with an arrowhead indent indicates an action you should take as part of the procedure.
Bold text indicates text that you type, or the name of a screen object (for example, a menu or button) o
ut the explicit approval or consent of Black Box will void Black Box of any liability or responsibility for injury or loss caused by any malfunction. This equipment is for indoor use, and all the communication wirings are limited to the inside of the building.

Chapter 2: Installation

Introduction

This chapter describes how to install the console server hardware and connect it to controlled devices.
To avoid physical and electrical hazards, please read Appendix C on Safety.

2.1 Models

There are multiple console server models, each with a different number of network and serial ports or power supply configurations.

    Model          Serial Ports   Modem           Power
    LES1508A        8             -               Ext AC/DC
    LES1448A       48             Internal CDMA   Dual AC
    LES1432A       32             Internal CDMA   Dual AC
    LES1416A       16             Internal CDMA   Dual AC
    LES1408A        8             Internal CDMA   Dual AC
    LES1348A       48             Internal GSM    Dual AC
    LES1332A       32             Internal GSM    Dual AC
    LES1316A       16             Internal GSM    Dual AC
    LES1308A        8             Internal GSM    Dual AC
    LES1248A-R2    48             Internal V.92   Dual AC
    LES1232A       32             Internal V.92   Dual AC
    LES1216A-R2    16             Internal V.92   Dual AC
    LES1208A-R2     8             Internal V.92   Dual AC
    LES1148A       48             -
    LES1132A       32             -
    LES1116A       16             -
    LES1108A        8             -

[USB Ports, Network Ports, Console Port and RJ Pinout columns of this table are not recoverable]

The next sections show the components shipped with each of these models.
    ulimit [-SHacdflmnpstuv] [limit]
    umask [-p] [-S] [mode]
    unalias [-a] name [name ...]
    unset [-f] [-v] [name ...]
    until COMMANDS; do COMMANDS; done
    variables - Some variable names an
    wait [n]
    while COMMANDS; do COMMANDS; done
    { COMMANDS ; }

Appendix B: Hardware Specifications

Dimensions:
    LES1408A/16A/32A/48A, LES1308A/16A/32A/48A, LES1208A-R2/16A-R2/32A/48A-R2: 17 x 12 x 1.75 in (43.2 x 31.3 x 4.5 cm)
    LES1116A/32A/48A: 17 x 8.5 x 1.75 in (43.2 x 21 x 4.5 cm)
    LES1108A: 8.2 x 4.9 x 1.2 in (20.8 x 12.6 x 4.5 cm)
Weight:
    LES1408A/16A/32A/48A, LES1308A/16A/32A/48A, LES1208A-R2/16A-R2/32A/48A-R2: 5.4 kg (11.8 lbs)
    LES1116A/32A/48A: 3.9 kg (8.5 lbs)
    LES1108A: 1.7 kg (3.7 lbs)
Ambient operating temperature: 5°C to 50°C (41°F to 122°F)
Non-operating storage temperature: -30°C to 60°C (-20°F to 140°F)
Humidity: 5% to 90%
Power: Refer to Chapter 2 for the various models
Power Consumption: All less than 30 W
CPU: Micrel KS8695P controller
Memory:
    LES1408A/16A/32A/48A, LES1308A/16A/32A/48A, LES1208A-R2/16A-R2/32A/48A-R2: 64 MB SDRAM, 16 MB Flash, 16 GB USB Flash
    LES1116A/32A/48A: 64 MB SDRAM, 16 MB Flash
    LES1108A: 16 MB SDRAM, 8 MB Flash
Serial Connectors:
    LES1508A: 8 RJ-45 RS-232 serial ports
    LES1408A, LES1308A, LES1208A-R2: 8 RJ-45 RS-232 serial ports
    LES1416A, LES1316A, LES1216A-R2: 16 RJ-45 RS-232 serial ports
    LES1432A, LES1332A, LE
ve this field blank for automatic DNS server assignment.
> Optionally enter a Domain Name suffix to issue to DHCP clients.
> Enter the Default Lease time and Maximum Lease time in seconds. The lease time is the time that a dynamically assigned IP address is valid before the client must request it again.
> Click Apply.
The DHCP server will sequentially issue IP addresses from the specified address pool(s):
> Click Add in the Dynamic Address Allocation Pools field.
> Enter the DHCP Pool Start Address and End Address and click Apply.

[Screenshot: Serial & Network > DHCP Server, Statically Reserved Address form with the fields Host Name (the name to identify this host by), Hardware Address (MAC address to reserve an IP for) and Statically Reserved IP (IP address reserved for the specific host)]

The DHCP server also supports pre-assigning IP addresses to be allocated only to specific MAC addresses, and reserving IP addresses to be used by connected hosts with fixed IP addresses. To reserve an IP address for a particular host:
> Click Add in the Reserved Addresses field.
> Enter the Hostname, the Hardware Address (MAC) and the Statically Reserved IP address for the DHCP client, and click
via the Internet. SSL/TLS uses public-key cryptography to authenticate the server and to establish a shared session key; that session key then encrypts the data transferred over the connection.
The console server includes OpenSSL. The OpenSSL Project is a collaborative effort to develop a robust, commercial-grade, full-featured and Open Source toolkit implementing the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1) protocols, as well as a full-strength general-purpose cryptography library. The project is managed by a worldwide community of volunteers that use the Internet to communicate, plan and develop the OpenSSL toolkit and its related documentation.
Note: SSL v2 and SSL v3 have since been deprecated as insecure (RFC 6176 and RFC 7568). Where the browser and the console server's firmware allow it, negotiate TLS only.
OpenSSL is based on the excellent SSLeay library developed by Eric A. Young and Tim J. Hudson. The OpenSSL toolkit is licensed under an Apache-style license, which basically means that you are free to get and use it for commercial and non-commercial purposes, subject to some simple license conditions. In the console server, OpenSSL is used primarily in conjunction with http to provide secure browser access to the GUI management console across insecure networks. More documentation on OpenSSL is available from
http://www.openssl.org/docs/apps/openssl.html
http://www.openssl.org/docs/HOWTO/certificates.txt

15.8 HTTPS

The Management Console can be served using HTTPS by running the webserver via sslwrap. The server can be launched on request using inetd. The HTTP server provided is a slightly modified version of th
vice. Scroll down to Console Server Settings and select Console Server Mode. Check Telnet or SSH, then scroll to the bottom and click Apply.
Select Network Hosts from Serial & Network and click Add Host. In the IP Address/DNS Name field enter 127.0.0.1 (this is the Black Box network loopback address) and enter Loopback in Description. Remove all entries under Permitted Services, select TCP and enter 200n in Port. This configures the Telnet port enabled in the previous step, so for Port 2 you would enter 2002. Click Add, then scroll to the bottom and click Apply. Because the host is the loopback address, the Telnet leg never leaves the console server; the leg from SDT Connector to the console server is carried inside its SSH tunnel.
Administrators by default have gateway and serial port access privileges; however, for Users to access the gateway and the serial port you will need to give those Users the required access privileges. Select Users & Groups from Serial & Network. Click Add User. Enter a Username, Description and Password/Confirm. Select 127.0.0.1 from Accessible Host(s) and select Port 2 from Accessible Port(s). Click Apply.

6.5 Using SDT Connector for out-of-band connection to the gateway

You can also set up SDT Connector to connect to the console server gateway out of band (OoB). OoB access uses an alternate path for connecting to the gateway to that used for regular data traffic. OoB access is useful for when the primary link into the gateway is unavailable or unreliable. Typically a gateway's primary link is a broadband Internet connec
w all signals:

    pmshell --signals
    DSR=1 DTR=1 CTS=1 RTS=1 DCD=0

Read a line of text from the serial port:

    pmshell --getline

pmchat

The pmchat command acts similar to the standard chat command, but all serial port access is directed via the portmanager.
Example: To run a chat script via the portmanager:

    pmchat -v -f /etc/config/scripts/port08.chat < /dev/port08

For more information on using chat and pmchat, you should consult the UNIX man pages:
http://techpubs.sgi.com/library/tpl/cgi-bin/getdoc.cgi?coll=linux&db=man&fname=/usr/share/catman/man8/chat.8.html

pmusers

The pmusers command is used to query the portmanager for active user sessions.
Example: To detect which users are currently active on which serial ports:

    pmusers

This command will output nothing if there are no active users currently connected to any ports. Otherwise it will respond with a sorted list of usernames per active port:

    Port 1: user1 user2
    Port 2: user1
    Port 8: user2

The above output indicates that a user named user1 is actively connected to ports 1 and 2, while user2 is connected to both ports 1 and 8.

portmanager daemon

There is normally no need to stop and restart the daemon. To restart the daemon normally, just run the command:

    portmanager

Supported command line options are:
    --nodaemon    Force portmanager to run in the foreground
    (option)      Set the level of debug logging
w be on.
> You can verify the connection status from Status > Statistics:
  o Select the Cellular tab and in Service Availability verify that Mode is set to Online.
  o Select Failover & Out-of-Band and check that the Connection Status reads Connected.
  o You can check your allocated IP address.
You can measure the received signal strength from the Cellular Statistics page on the Status > Statistics screen. This will display the current state of the cellular modem, including the Received Signal Strength Indicator (RSSI).
Note: Received Signal Strength Indicator (RSSI) is a measurement of the Radio Frequency (RF) power present in a received radio signal at the mobile device. It is generally expressed in dBm, and the best throughput comes from placing the device in an area with the highest RSSI:
    -100 dBm or less:      Unacceptable coverage
    -99 dBm to -90 dBm:    Weak coverage
    -89 dBm to -70 dBm:    Medium to high coverage
    -69 dBm or greater:    Strong coverage
> With the cellular modem connection on, you can also see the connection status from the LEDs on top of the unit.

5.6.4 Cellular modem watchdog

When you select Enable Dial-Out on the System > Dial menu, you will be given the option to configure a cellular modem watchdog service (with firmware V3.5.2u13 and later). This service will periodically ping a configurable IP address. If a threshold number of consecutive attempts fail, the service will cause the unit to reboot. This can be used to force
when adding more slaves.
NOTE: If a slave is added using the CLI, then the master's SSH public key will need to be manually copied to every slave device before cascaded ports will work (refer to Chapter 4).
The following command will synchronize the live system with the new configuration:

    config -r cascade

14.9 UPS Connections

Managed UPSes

Before adding a managed UPS, make sure that at least 1 port has been configured to run in device mode and that the device is set to ups. To add a managed UPS with the following values:

    Connected via                        Port 1
    UPS name                             My UPS
    Description                          UPS in room 5
    Username to connect to UPS           User2
    Password to connect to UPS           secret
    Shutdown order                       2 (0 shuts down first)
    Driver                               genericups
    Driver option - option               option
    Driver option - argument             argument
    Logging                              Enabled
    Log interval                         2 minutes
    Run script when power is critical    Enabled

    config -s config.ups.monitors.monitor1.port=/dev/port01

If the port number is higher than 9 (e.g. port 13), enter:

    config -s config.ups.monitors.monitor1.port=/dev/port13

    config -s config.ups.monitors.monitor1.name="My UPS"
    config -s config.ups.monitors.monitor1.description="UPS in room 5"
    config -s config.ups.monitors.monitor1.username=User2
    config -s config.ups.monitors.monitor1.password=secret
    config -s config.ups.monitors.monitor1.sdorder=2
    config -s config.ups.monitors.monitor1.driver=genericups
    config -s config.ups.monitors.mon
ws servers and clients. Windows does not include VNC software, so you will need to download, install and activate a third-party VNC Server software package:
RealVNC (http://www.realvnc.com) is fully cross-platform, so a desktop running on a Linux machine may be displayed on a Windows PC, on a Solaris machine, or on any number of other architectures. There is a Windows server, allowing you to view the desktop of a remote Windows machine on any of these platforms using exactly the same viewer. RealVNC was founded by members of the AT&T team who originally developed VNC.
TightVNC (http://www.tightvnc.com) is an enhanced version of VNC. It has added features such as file transfer, performance improvements and read-only password support. They have just recently included a video driver much like UltraVNC. TightVNC is still free, cross-platform (Windows, Unix and Linux) and compatible with the standard RealVNC.
UltraVNC (http://ultravnc.com) is easy to use, fast and free VNC software that has pioneered and perfected features that the other flavors have consistently refused or been very slow to implement, for cross-platform and minimalist reasons. UltraVNC runs under Windows operating systems (95, 98, Me, NT4, 2000, XP, 2003). Download UltraVNC from Sourceforge's UltraVNC file list.
B. For Linux servers and clients: Most Linux distributions now include VNC Servers and Viewers, and they generally can be launched from the G
xecutable file for the client, or click Browse to locate the executable.
> Enter a Command Line associated with launching the client application. SDT Connector typically launches a client using command line arguments to point it at the local endpoint of the redirection. There are three special keywords for specifying the command line format. When launching the client, SDT Connector substitutes these keywords with the appropriate values:
    %path is the path to the executable file, that is, the previous field.
    %host is the local address to which the local endpoint of the redirection is bound, that is, the Local Address field for the Service redirection Advanced options.
    %port is the local port to which the local endpoint of the redirection is bound, that is, the Local TCP Port field for the Service redirection Advanced options. If this port is unspecified (that is, Any), the appropriate randomly selected port will be substituted.
For example, SDT Connector is preconfigured for Windows installations with an HTTP service client that will connect with the local browser that the local Windows user has configured as the default. Otherwise the default browser used is Firefox.

[Screenshot: SDTConnector > File > Preferences > Edit Client, with Client name "HTTP browser", Path to client executable file "rundll32 url.dll,FileProtocolHandler" and Command line format for client executable "%path http://%host:%port"]
y attached devices
6.5 Using SDT Connector for out-of-band connection to the gateway
6.6 Importing and exporting preferences
6.7 SDT Connector Public Key Authentication
6.8 Setting up SDT for Remote Desktop access
6.8.1 Enable Remote Desktop on the target Windows computer to be accessed
6.8.2 Configure the Remote Desktop Connection client
6.9 SDT SSH Tunnel for VNC
6.9.1 Install and configure the VNC Server on the computer to be accessed
6.9.2 Install, configure and connect the VNC Viewer
6.10 Using SDT to IP connect to hosts that are serially attached to the gateway
6.10.1 Establish a PPP connection between the host COM port and console server
6.10.2 Set up SDT Serial Ports on console server
6.10.3 Set up SDT Connector to SSH port forward over the console server Serial Port
6.11 SSH Tunneling using other SSH clients (e.g. PuTTY)
ALERTS AND LOGGING
7.2.1 UPS Power Supply
7.2.2 UPS Status
7.2.3 Serial Login/Logout
7.2.4 ICMP Ping
7.2.5 Cellular Data
7.2.6 Custom Check
7.2.7 SMS Command
7.3 Trigger Actions
7.3.1 Send Email
7.3.2 Send SMS
7.3.3 Perform RPC Action
7.3.4 Run Custom Script
7.3.5 Send SNMP Trap
7.3.6 Send Nagios Event
7.4 Resolve Actions
7.5 Configure SMTP, SMS, SNMP and/or Nagios service for alert notifications
7.5.1 Send Email alerts
7.5.2 Send SMS alerts
7.5.3 Send SNMP trap alerts
7.5.4 Nagios alerts
7.6 Logging
7.6.1 Log storage
7.6.2 Serial port logging
7.6.3 Network TCP and UDP port logg
y power reaches critical. There are also logging clients (upslog) and third-party interface clients (Big Sister, Cacti, Nagios, Windows and more). Refer to www.networkupstools.org/client-projects.
The latest release of NUT (2.4) also controls PDU systems. It can do this either natively using SNMP or through a binding to Powerman (open source software from Livermore Labs that also is embedded in Black Box console servers). These NUT clients and servers are all embedded in each Black Box console server (with a Management Console presentation layer added), and they are also run remotely on distributed console servers and other remote NUT monitoring systems. This layered distributed NUT architecture enables:
• Multiple manufacturer support: NUT can monitor UPS models from 79 different manufacturers, and PDUs from a growing number of vendors, with a unified interface.
• Multiple architecture support: NUT can manage serial- and USB-connected UPS models with the same common interface. Network-connected USB and PDU equipment can also be monitored using SNMP.
• Multiple clients monitoring one UPS: Multiple systems may monitor a single UPS using only their network connections. There is a wide selection of client programs that support monitoring UPS hardware via NUT (Big Sister, Cacti, Nagios and more).
• Central management of multiple NUT servers: A central NUT client can monitor multiple NUT servers that may
y time before repeating trigger actions in Repeat Trigger Action Delay. This delay starts after the last action is queued.

[Screenshot: Alerts & Logging > Auto-Response > Auto-Response Settings, with the fields Name (unique name for this Auto-Response), Reset Timeout (time in seconds after resolution to delay before this Auto-Response can be triggered again), Repeat Trigger Actions (repeat trigger actions until the check is resolved), Repeat Trigger Action Delay, and Disable Auto-Response at specific times (allows Auto-Responses to be periodically disabled based on time and day); the Check Conditions pane adds a new check by selecting a check type from the left menu]

> Check Disable Auto-Response at specific times and you will be able to periodically disable Auto-Responses between specified times of day.

7.2 Check Conditions

To configure the condition that will trigger the Auto-Response:
> Click on the Check Condition type (e.g. Environmental, UPS Status or ICMP ping) to be configured as the trigger for this new Auto-Response in the Auto
you leave the Username and User Password fields blank, they default to portXX and portXX, where XX is the serial port number. The default username and password for Secure RDP over Port 2 is port02. These defaults are predictable, so set an explicit Username and User Password rather than leaving the fields blank. Make sure the console server Common Settings (Baud Rate, Flow Control) are the same as those set up on the Windows computer COM port, and click Apply. RDP and VNC forwarding over serial ports is enabled on a per-Port basis. You can add Users who can have access to these ports, or reconfigure User profiles, by selecting the Serial & Network > Users & Groups menu tab as described earlier in Chapter 4, Configuring Serial Ports.

6.10.3 Set up SDT Connector to SSH port forward over the console server Serial Port

In the SDT Connector software running on your remote computer, specify the gateway IP address of your console server and a username/password for a user you set up on the console server that has access to the desired port. Next, add a New SDT Host. In the Host address, put portxx, where xx is the port you are connecting to. For example, for port 3 you would have a Host Address of port03. Then select the RDP Service check box.

6.11 SSH Tunneling using other SSH clients (e.g. PuTTY)

As covered in the previous sections of this chapter, we recommend that you use the SDT Connector client software that is supplied with the console server. There is also a wide selection of commercial and free SSH client programs that c
ypt the value of any config element using the -P parameter, but only encrypted user passwords and system passwords are supported. If any other element value were to be encrypted, the value would become inaccessible and would have to be reset.
The following command will synchronize the live system with the new configuration:

    config -a

14.18 IP settings

To configure the primary network interface with static settings (IP address 192.168.0.23, Netmask 255.255.255.0, Default gateway 192.168.0.1, DNS server 1 192.168.0.1, DNS server 2 192.168.0.2):

    config -s config.interfaces.wan.address=192.168.0.23
    config -s config.interfaces.wan.netmask=255.255.255.0
    config -s config.interfaces.wan.gateway=192.168.0.1
    config -s config.interfaces.wan.dns1=192.168.0.1
    config -s config.interfaces.wan.dns2=192.168.0.2
    config -s config.interfaces.wan.mode=static
    config -s config.interfaces.wan.media=Auto    (or 100baseTx-FD, 100baseTx-HD, 10baseT-HD, 10baseT-FD)

To enable bridging between all interfaces:

    config -s config.system.bridge.enabled=on

To enable IPv6 for all interfaces:

    config -s config.system.ipv6.enabled=on

To configure the management LAN interface, use the same commands as above but replace config.interfaces.wan with config.interfaces.lan.
Note: Not all devices have a management LAN interface.
To configure a failover device in case of an outage:

    config -s config.interfaces.wan.fail
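On an out-of-band device a mistyped static address, a non-contiguous netmask or a gateway outside the interface's subnet means the next `config` run leaves the unit unreachable over the network. The added example below (written for this page; it is not part of the manual or the console server's config tool) validates those five values in POSIX sh before printing the `config -s config.interfaces.wan.*` commands from the section above. It talks to nothing; the inputs are arguments, and the sample run uses the manual's own values.

```shell
#!/bin/sh
# Added example, not from the manual: check a static IPv4 setup for the wan
# interface before emitting the config commands the text lists.
# Assumptions: values arrive as arguments; the element names are those shown
# in the manual; nothing here runs `config` itself.

# ip2int 192.168.0.23 -> 3232235543 ; returns 1 on a malformed address
ip2int() {
    case "$1" in
        *[!0-9.]*|.*|*.|*..*) return 1 ;;       # only digits and single dots
    esac
    old_ifs=$IFS; IFS=.
    set -- $1                                    # split into octets
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case "$o" in 0[0-9]*) return 1 ;; esac   # reject leading zeros (octal ambiguity)
        [ "$o" -le 255 ] || return 1
    done
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# valid_mask 255.255.255.0 -> true ; a mask must be contiguous ones then zeros
valid_mask() {
    m=$(ip2int "$1") || return 1
    [ "$m" -ne 0 ] || return 1
    inv=$(( (~m) & 0xFFFFFFFF ))                 # the zero part, as a number
    [ $(( (inv + 1) & inv )) -eq 0 ]             # contiguous zeros iff inv+1 is a power of two
}

# wan_static_cmds ADDRESS NETMASK GATEWAY DNS1 DNS2
# Prints the config commands, or a reason on stderr and returns 1.
wan_static_cmds() {
    addr=$(ip2int "$1") || { echo "bad address: $1" >&2; return 1; }
    valid_mask "$2"    || { echo "bad netmask: $2" >&2; return 1; }
    mask=$(ip2int "$2")
    gw=$(ip2int "$3")  || { echo "bad gateway: $3" >&2; return 1; }
    ip2int "$4" >/dev/null || { echo "bad dns1: $4" >&2; return 1; }
    ip2int "$5" >/dev/null || { echo "bad dns2: $5" >&2; return 1; }
    [ $((addr & mask)) -eq $((gw & mask)) ] \
        || { echo "gateway $3 is not on the subnet of $1/$2" >&2; return 1; }
    [ "$addr" -ne "$gw" ] || { echo "address and gateway are identical" >&2; return 1; }
    for kv in "address=$1" "netmask=$2" "gateway=$3" "dns1=$4" "dns2=$5" "mode=static"; do
        echo "config -s config.interfaces.wan.$kv"
    done
}

# Worked run with the manual's values; the second call is rejected because the
# gateway 192.168.1.1 is outside 192.168.0.0/24.
wan_static_cmds 192.168.0.23 255.255.255.0 192.168.0.1 192.168.0.1 192.168.0.2
wan_static_cmds 192.168.0.23 255.255.255.0 192.168.1.1 192.168.0.1 192.168.0.2 || echo "rejected"
```

Only after the check passes should the printed lines be run on the console server, followed by the failover and media settings the manual covers separately.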