Owner`s Manual for B092, B094, B095, B096 Series Console
Contents
1. Add Ports Remove e Enter the Console Server s IP address or network name e Enter the Server TCP Port number that matches the port you have configured for the serial device on the remote Console Server Ensure this port isn t blocked by firewall o Telnet RFC2217 mode is configured by default so the range of port numbers available on a 16 port console server would be 5001 5016 o Alternately check RAW mode 4001 4048 on a 48 port console server o Select Encrypted to enable SSL TLS encryption of the data going to the port You will need to enter a Password e Select the starting COM port COM1 to COM4096 e Specify the number of ports you want to add Sequential port numbers will be assigned automatically however if a COM port is already being used by other applications that will be skipped e Click OK to add the specified COM ports Chapter 4 Serial Port Device and User Configuration 192 168 254 144 Properties Connection Advanced COM1 a 192 168 254 173 COM2 COM4 COM5 COM6 192 168 254 173 4004 7 Raw Mode _ Encrypt Traffic Authenticate Password e To configure a COM port you have created simply click on the desired COMx label in the left hand menu tree e In the Properties window you can edit the IP Address or TCP Port to be used to connect to that COM port e You can then configure the COM port in the Connection and Advanced windows ee E El 192 168 254 144 Properties2. Date amp Time Dial Output Port m Range i A port or range of ports Ranges are specified like 800 900 Nagios Configure Dashboard Save For example to forward port 8443 to an internal HTTPS server on 192 168 10 2 the following settings would be used Input Interface Any Input Port Range 8443 Protocol TCP Output Address 192 168 10 2 Output Port Range 443 Chapter 5 Firewall Failover and Out of Band 5 7 4 Port Rules Port rules can be used to block or allow traffic through an interface based on port number direction ingress or egress and protocol This can be used to allow custom on box services or block traffic based on policy To setup a port rule e Navigate to the System Firewall page and click on the Port Rules tab e Click Add New Port Rule System Firewall Serial amp Network Serial Port Users amp Groups Authentication Network Hosts Trusted Networks IPsec VPN OpenVPN Cascaded Ports UPS Connections RPC Connections Environmental Managed Devices Service Access Port Forwarding Port Rules Forwarding amp Masquerading Create Modify Port Rule Name New Port Rule Name for the Port Forward Interface Any a The interface that the rule applies to Alerts amp Logging Sitch aos a 0 Port Log A port or range of ports Ranges are specified like 800 900 Alerts SMTP amp SMS Protocol TCP SNMP k The protoc
3. config s config alerts alert2 sensor temp config s config alerts alert2 signal DSR DCD CTS config s config alerts alert2 type signal Pattern Match Alert To trigger an alert if the regular expression O 0 id is found in serial port 10 s character stream config s config alerts alert2 pattern O 0 id config s config alerts alert2 portlLO on config s config alerts alert2 sensor temp config s config alerts alert2 signal DSR config s config alerts alert2 type pattern UPS Power Status Alert To trigger an alert when myUPS on localhost or thatUPS on remote host 192 168 0 50 power status changes between on line on battery and low battery config s config alerts alert2 sensor temp config s config alerts alert2 signal DSR config s config alerts alert2 tyoe ups config s config alerts alert2 ups1 myUPS localhost config s config alerts alert2 ups2 thatUuPS 192 168 0 50 Chapter 14 Command Line Configuration Environmental and Power Sensor Alert config s config alerts alert2 enviro high critical critical value config s config alerts alert2 enviro high waming warning value config s config alerts alert2 enviro hysteresis value config s config alerts alert2 enviro low critical critical value config s config alerts alert2 enviro low warning warning value config s config alerts alert2 envirol Enviro sensor name config s config
4. deleting last user config d ROOTNODE LASTFIELDTEXT TOTAL Modifying item total config s TOTALNODE NEWTOTAL echo Done exit O else echo error item being deleted has an index greater than total items Increase the total count variable exit O fi Chapter 15 Advanced Configuration 15 1 6 Power cycle any device upon a ping request failure The ping detect script is designed to run specified commands when a monitored host stops responding to ping requests The first parameter taken by the ping detect script is the hostname IP address of the device to ping Any other parameters are then regarded as a command to run whenever the ping to the host fails ping detect can run any number of commands Below is an example using ping detect to power cycle an RPC PDU outlet whenever a specific host fails to respond to a ping request The ping detect is run from etc config rc local to make sure that the monitoring starts whenever the system boots So if we assume we have a serially controlled RPC connected to portO1 on a Console Server and have a router powered by outlet 3 on the RPC and the router has an internal IP address of 192 168 22 2 The following instructions will show you how to continuously ping the router and when the router fails to respond to a series of pings the Console Server will send a command to RPC outlet 3 to power cycle the router and write the current date time to a file e Copy the ping detect script
5. 1 Java Technology Restrictions Licensee shall not create modify change the behavior of or authorize licensees of Licensee to create modify or change the behavior of classes interfaces or subpackages that are in any way identified as java javax Sun or similar convention as specified by Sun in any naming convention designation In the event that Licensee creates an additional API s which a extends the functionality of a Java Environment and b is exposed to third party software developers for the purpose of developing additional software which invokes such additional API Licensee must promptly publish broadly an accurate specification for such API for free use by all developers 2 Trademarks and Logos This License does not authorize an end user licensee to use any Sun Microsystems Inc name trademark service mark logo or icon The end user licensee acknowledges that Sun owns the Java trademark and all Java related trademarks logos and icons including the Coffee Cup and Duke Java Marks and agrees to a comply with the Java Trademark Guidelines at http java sun com trademarks html b not do anything harmful to or inconsistent with Sun s rights in the Java Marks and c assist Sun in protecting those rights including assigning to Sun any rights acquired by Licensee in any Java Mark 3 Source Code Software may contain source code that unless expressly licensed for other purposes is provided solely for reference
6. 15 5 3 Enable SNMP service The Console Server supports different versions of SNMP including SNMPv1 SNMPv2c and SNMPvs SNMP although an industry standard brings with it a variety of security concerns For example SNMPvi and SNMPv2c offer no inherent privacy while SNMPv3 is susceptible to man in the middle attacks Recent IETF developments suggests tunnelling SNMP over widely accepted technologies such as SSH Secure Shell or TLS Transport Layer Security rather than relying on a less mature security systems such as SNMPv3 s USM User based Security Model Additional information regarding SNMP security issues and SNMPv3 can be found at http net snmp sourceforge net wiki index php TUT Security http www ietf org htm charters snmpv3 charter html e Select Alerts amp Logging SNMP Chapter 15 Advanced Configuration Serial amp Network Serial Port SNMP Service Details Primary SNMP Manager Secondary SNMP Manager Users amp Groups Authentication Enable Vv Network Hosts Enable the SNMP service Trusted Networks IPsec VPN TCP IP Protocol UDP OpenVPN Cascaded Ports The TCP IP protocol to serve UPS Connections 3 RPC Connections Location land Environmental Managed Devices me System Location Contact Alerts amp Logging butt t com Port Log System Contact Alerts SMTP amp SMS een Aue SNMP Read Only Community pe The read only community
7. Administration Read Write bli SSL Certificates Community ease Configuration Backup The read write community Firmware IP SNMP v3 Date amp Time p Dial Engine ID Ja n Override the automatically generated SNMPv3 Engine ID Note If not specified an Engine ID w Nagios be automaticaly generated using Network Interface details The SNMP Service Details tab is shown by default The SNMP Service Details tab controls aspects of the SNMP Service including Security Level It manages requests from external agents for status information Check the Enable the SNMP Service box to start the SNMP Service The Service is disabled by default Select either UDP or TCP for the TCP IP Protocol UDP is the recommended protocol and is selected by default TCP should only be used in special cases such as when Port Forwarding SNMP requests responses to or from the Console Server device is required Complete the Location and Contact fields The Location field should describe the physical location of the Console Server and will be used in response to requests for the SNMPv2 MIB sysLocation O of the device The Contact field refers to the person responsible for the Console Server such as the System Administrator and will be used in response to requests as follows SNMPv2 MIB sysContact 0O Enter the Read Only Community and Read Write Community This is required for SNMP v1 amp v2c only The Read Only Community field is used to specify th
8. Apply The DHCP server also supports pre assigning IP addresses to be allocated only to specific MAC addresses and reserving IP addresses to be used by connected hosts with fixed IP addresses To reserve an IP addresses for a particular host e Click Add in the Reserved Addresses field e Enter the Hostname the Hardware Address MAC and the Statically Reserved IP address for the DHCP client and click Apply Serial amp Network Serial Port Users amp Groups Authentication Network Hosts Trusted Networks IPsec VPN Network Interface Management LAN Interface Statically Reserved Address OpenVPN reas Cascaded Ports The name to identify this host by UPS Connections RPC Connections Statically Environmental Reserved IP Managed Devices IP Address reserved for specific host Alerts amp Logging eee Port Log MAC Address to reserve IP for Alerts SMTP amp SMS When DHCP has initially allocated hosts addresses it is recommended to copy these into the pre assigned list so the same IP address will be reallocated in the event of a reboot 3 6 3 Select Failover or broadband OOB The Console Servers provide a failover option so in the event of a problem using the main LAN connection for accessing the Console Server an alternate access path is automatically used e By default the failover is not enabled To enable select the Network Interface page on the System IP menu e
9. IP Remote System Logging Syslog Server Address Specify the address of the remote Syslog Server to use Syslog Server Port Apply Local System Logging Match Pattern Specify which port the remote Syslog Server is serving on A regular expression to match against desired log lines Apply lt 27 gt Dec 22 20 36 32 stunnel LOG3 1462 0 SSL_accept Peer suddenly disconnected lt 27 gt Dec 22 20 36 32 stunnel LOG3 1485 0 SSL_accept Peer suddenly disconnected Chapter 12 Status Reports To make it easier to find information in the local Syslog file a pattern matching filter tool is provided e Specify the Match Pattern that is to be searched for e g the search for mount is shown below and click Apply The Syslog will then be represented with only those entries that actually include the specified pattern 12 5 Dashboard The Dashboard provides the Administrator with a summary of the status of the Console Server and its Managed Devices Custom dashboards can be configured for each user groups Status Dashboard Serial amp Network Serial Port Users amp Groups Authentication Network Hosts Trusted Networks IPsec VPN UPS Status Alerts Type Description Port Address Event User Device Status No UPS Connections have been configured UPS Connections RPC Status Managed Devices RPC Connections Environmental Managed Devices No RPC Connections have been configured
10. Owner s Manual Console Server Management Switch Models BO96 016 B096 048 Console Server with PowerAlert Model B092 016 Console Server Models B095 004 1E B095 003 1E M TRIPP LITE Tripp Lite World Headquarters 1111 W 35th Street Chicago IL 60609 USA www tripplite com support Copyright 2011 Tripp Lite All rights reserved All trademarks are the property of their respective owners FCC Information Class A This device complies with part 15 of the FCC Rules Operation is subject to the following two conditions 1 This device may not cause harmful interference and 2 this device must accept any interference received including interference that may Cause undesired operation Note This equipment has been tested and found to comply with the limits for a Class A digital device pursuant to part 15 of the FCC Rules These limits are designed to provide reasonable protection against harmful interference when the equipment is operated in a commercial environment This equipment generates uses and can radiate radio frequency energy and if not installed and used in accordance with the instruction manual may cause harmful interference to radio communications Operation of this equipment in a residential area is likely to cause harmful interference in which case the user will be required to correct the interference at his own expense The user must use shielded cables and connectors with this equipment Any changes or
11. Pattern A regular expression to match against log UPS Power Status Alert UPS Power Status Alert An alert will be triggered when the UPS power status changes between on line on battery and low battery Thi alert type will only be applied to UPSes Environmental Sensor Alert e Connection Alert This alert will be triggered when a user connects or disconnects from the applicable Host or Serial Port or when a Slave connects or disconnects from the applicable UPS e Serial Port Signal Alert This alert will be triggered when the specified signal changes state and is applicable to serial ports only You must specify the particular Signal Type DSR DCD or CTS trigger condition that will send a new alert e Serial Port Pattern Match Alert This alert will be triggered if a regular expression is found in the serial ports character stream that matches the regular expression you enter in the Pattern field This alert type will only be applied serial ports e UPS Power Status Alert This alert will be triggered when the UPS power status changes between On Line On Battery and Low Battery This alert type will only be applied to UPS s e Environment and power alert Refer to next section for details on selecting and configuring this alert type Chapter 7 Alerts and Logging 7 2 3 Configuring environment and power alert type This alert type will be applied to any UPS s RPC s and EMD temperature and humidity sensors you have no
12. bin config a For information on backing up and restoring the configuration file refer Chapter 15 Advanced Configuration 14 1 1 Serial Port configuration The first set of configurations that needs to be made to any serial port are the RS232 common settings For example to setup serial port 5 to use the following properties Baud Rate 9600 Parity None Data Bits 8 Stop Bits 1 label Myport log level O protocol RS232 flow control None To do this use the following commands config s config ports port5 speed 9600 config s config ports port5 parity None config s config ports portS charsize 8 config s config ports port5 stop 1 config s config ports port5 label myport config s config ports port5 loglevel O config s config ports portS protocol RS232 config s config ports port5 flowcontro None Chapter 14 Command Line Configuration The following command will synchronize the live system with the new configuration config r serialconfig Note Supported serial port baud rates are 50 75 110 134 150 200 300 600 1200 1800 2400 4800 9600 19200 38400 57600 115200 and 230400 Supported parity values are None Odd Even Mark and Space Supported data bits values are 8 7 6 and 5 Supported stop bits values are 1 1 5 and 2 Supported flow control values a
13. e For Windows 2000 the PPP client set up procedure is the same as above except you get to the Dial Up Networking Folder by clicking the Start button and selecting Settings Then click Network and Dial up Connections and click Make New Connection e Similarly for Windows 98 you double click My Computer on the Desktop then open Dial Up Networking and double click Make New Connection and proceed as above 5 1 5 Set up Linux clients for dial in The online tutorial htto www yolinux com TUTORIALS LinuxTutorialPPPhtm presents a selection of methods for establishing a dial up PPP connection e Command line PPP and manual configuration which works with any Linux distribution e Using the Linuxconf configuration tool for Red Hat compatible distributions This configures the scripts ifup ifdown to start and stop a PPP connection e Using the Gnome control panel configuration tool e WVDIAL and the Redhat Dialup configuration tool e GUI dial program X isp Download Installation Configuration Note For all PPP clients e Set the PPP link up with TCP IP as the only protocol enabled e Specify that the Server will assign IP address and do DNS e Do not set up the Console Server PPP link as the default for Internet connection Chapter 5 Firewall Failover and Out of Band 5 2 OoB Broadband Access The BO96 048 016 Console Server Management Switch has a second Ethernet network port that can be configured for alternate and OoB out of
14. 3 3 2 Dynamic DNS DDNS configuration Dynamic DNS DDNS enables a Console Server with a dynamically assigned IP address that may change from time to time to be located using a fixed host or domain name e The first step in enabling DDNS is to create an account with the supported DDNS service provider of your choice Supported DDNS providers include O O O OOO DyNS www dyns cx dyndns org www dyndns org GNUDip gnudip cheapnet net ODS www ods org TZO www tzo com 3322 org Chinese provider ww 3322 org Upon registering with the DDNS service provider you will select a username and password as well as a hostname that you will use as the DNS name to allow external access to your machine using a URL The Dynamic DNS service providers allow the user to choose a hostname URL and set an initial IP address to correspond to that hostname URL Many Dynamic DNS providers offer a selection of URL hostnames available for free use with their service However with a paid plan any URL hostname including your own registered domain name can be used You can now enable and configure DDNS on any of the Ethernet or cellular network connections on the Console Server by default DDNS is disabled on all ports e Select the DDNS service provider from the drop down Dynamic DNS list on the System IP or System Dial menu Dynamic DNS Dynamic DNS Terminal DDNS Hostname DDNS Username DDNS Password Confirm DDNS Password Maximum
15. BO96 048 Chapter 2 Installation This chapter describes the physical installation of the Console Server hardware and connection to controlled devices 2 1 Models There are a number of Console Server models each with a different number of network USB and serial ports and power supplies Console Server Model Serial Ports Network Ports Console Port USB Port Modem Power B096 048 Dual AC Universal Input 8096 016 Dual AC Universal Input B092 016 i KvM 4 f Single AC Universal Input B095 004 1E Ao tt Eternal DC Supply B095 003 1E M External DC Supply 2 1 1 Kit components B096 048 and B096 016 Console Server Management Switch BO96 048 or BO96 016 Console Server Management Switch 2 x Cable UTP Cat5 blue a Connectors t tai DB9F RJ45S straight and cross over Dual IEC AC power cords Quick Start Guide and CD ROM e Unpack your Console Server Management Switch kit and verify you have all the parts shown above and that they all appear in good working order e If you are installing your Console Server Management Switch in a rack you will need to attach the rack mounting brackets supplied with the unit and install the unit in the rack Take care to head the Safety Precautions e Connect your Console Server Management Switch to the network to the serial ports of the controlled devices and to power as outlined below Chapter 2 Installation 2 1 2 Kit components B092 016 Console Server with PowerAlert BO92
16. Connection Advanced COM1 i 192 168 254 173 COM2 com4 COM5 COME J Connect at system startup Time between connection reties 1000 Send keep alive packets Keep alive interval Keep Alive Timeout Disable Nagle Algorithm Add Ports Remove Sae Eat e Connect at system startup When enabled Virtua Port will try to connect to the Console Server when the Virtua Port service starts as opposed to waiting for the application to open the serial port before initiating the connection to the Console Server e The Time between connection retries specifies the number of seconds between TCP connection retries after a client initiated connection failure Valid values are 1 255 The default is 1 second and Virtua Port will continue attempting to reconnect forever to the Console Server at this interval e The Send keep alive packets option tests if the TCP connection is still uo when no data has been sent for a while by sending keep alive messages Select this option and specify period of time in milliseconds after which VirtualPort sends a command to remote Console Server end in order to verify connection s integrity and keep the connection alive e The Keep Alive Interval specifies the number of seconds to wait on an idle connection before sending a keep alive message The default is 1 second The Keep Alive Timeout specifies how long VirtualPort should wait for a keep alive response before timing out the connec
17. Outlet 1 Outlet 2 When you connect an particular Managed Device that draws power from the outlet they the outlet will then take up the name of the powered Managed Device 4 9 IPsec VPN The Console Servers include Openswan a Linux implementation of the IPsec IP Security protocols which can be used to configure a Virtual Private Network VPN The VPN allows multiple sites or remote administrators to access the Console Server and Managed Devices securely over the Internet e The administrator can establish an encrypted authenticated VPN connections between Console Servers distributed at remote sites and a VPN gateway such as Cisco router running IOS IPsec on their central office network o Users and administrators at the central office can then securely access the remote console servers and connected serial console devices and machines on the Management LAN subnet at the remote location as though they were local o With serial bridging serial data from controller at the central office machine can be securely connected to the serially controlled devices at the remote sites refer Chapter 4 1 e The road warrior administrator can use a VPN IPsec software client such as TheGreenBow www thegreenbow com vpn __ gateway html or Shrew Soft www shrew net support to remotely access the Console Server and every machine on the Management LAN subnet at the remote location Configuration of IPsec is quite complex so Tripp Lite provides
18. Serial amp Network Serial Port Add OpenVPN Tunnel Users amp Groups Authentication Tunnel Name NorthStOutlet VPN Network Hosts Trusted Networks IPsec VPN Device Driver OpenVPN Tun IP Cascaded Ports Select the tap or tun driver to use UPS Connections RPC Connections Protocol UDP Environmental Managed Devices A descriptive name for the OpenVPN tunnel ZE Use a UDP or TCP protocol Tunnel Mode z Alerts amp Logging Client x Port Log Is this the Client or Server end of the tunnel Alerts 3 l SMTP amp SMS oee PKI X 509 Certificates SNMP Authenticate using certificates or use a custom configuration Compression 7 Administration Enable or disable compression e Select the Device Driver to be used either Tun IP or Tap Ethernet The TUN network tunnel and TAP network tap drivers are virtual network drivers that support IP tunneling and Ethernet tunneling respectively TUN and TAP are part of the Linux kernel e Select either UDP or TCP as the Protocol UDP is the default and preferred protocol for OpenVPN e In Tunnel Mode nominate whether this is the Client or Server end of the tunnel When running as a server the Console Server supports multiple clients connecting to the VPN server over the same port e In Configuration Method select the authentication method to be used To authenticate using certificates select
19. as the protocol and set the TCP port to 2000 plus the physical serial port number i e 2001 to 2048 Click the Open button You may then receive a Security Alert that the host s key is not cached Choose yes to continue You will then be presented with the login prompt of the remote system connected to the serial port chosen on the Console Server You can login as normal and use the host serial console screen 3l PuTTY Configuration X Category El Session Basic options for your PuTTY session i Birri M Specify your connection by host name or IP address T Keyboard Host Name or IP address Port Bell 192 168 0 1 2001 Features Protocol Window C Raw Telnet C Rogn C SSH Appearance Tear m Load save or delete a stored session Translation Saved Sessions Selection Po Colours Default Settings load Connection Tene c Rlogin Delete B SSH Auth Tunnels pon ee Bugs C Always Never Only onclean exit oau Oven Cancel PuTTY can be downloaded at http www tucows com preview 195286 html Chapter 4 Serial Port Device and User Configuration SSH TCP RFC2217 It is recommended that the User or Administrator uses SSH as the protocol for connecting to serial consoles attached to the Console Server when communicating over the Internet or any other public network This will provide an authenticated encrypted co
20. e retrieving status information using SNMP and modifying SNMP with net snmpd e public key authenticated SSH communications e SSL configuring HTTPS and issuing certificates e using pmpower for NUT and PowerMan power device management e using IPMItools e sms server tools e disable multicasting 15 1 Custom Scripting The Console Server supports GNU bash shell commands refer Appendix A enabling the Administrator to run custom scripts 15 1 1 Custom script to run when booting The etc config rc local script runs whenever the system boots By default this script file is empty You can add any commands to this file if you want them to be run at boot time e g if you wanted to display hello world bin sh echo Hello World If this script has been copied from a Windows machine you may need to run the following command on the script before bash can run it successfully dos2unix etc config rc local Another scenario would be to call another custom script from the etc config rc local file ensuring that your custom script will run whenever the system is booted Chapter 15 Advanced Configuration 15 1 2 Running custom scripts when alerts are triggered Whenever an alert gets triggered specific scripts get called These scripts all reside in etc scripts Below is a list of the default scripts that get run for each applicable alert e Fora connection alert when a user connects or disconnects from a port or network host
21. All other services TCP UDP ports will be blocked Note Following are some of the TCP Ports used by SDT in the Console Server 22 23 SO 3389 5900 3XX 19XX SSH All SDT Tunneled connections Telnet on local LAN forwarded inside tunnel HTTP on local LAN forwarded inside tunnel RDP on local LAN forwarded inside tunnel VNC on local LAN forwarded inside tunnel RDP over serial from local LAN where XX is the serial port number i e 7301to 7348 VNC over serial from local LAN where XX is the serial port number e Add the new Users using Serial amp Network Users amp Groups menu as detailed in Network Hosts Chapter 4 4 Users can be authorized to access the Console Server ports and specified network attached hosts To simplify configuration the Administrator can first set up Groups with group access permissions then Users can be classified as members of particular Groups Chapter 6 Secure SSH Tunneling amp SDT Connector 6 2 SDT Connector Configuration The SDT Connector client works with all Console Servers Each of these remote Console Servers has an embedded OpenSSH based server This server can be configured to port forward connections from the SDT Connector client to hosts on their local network as detailed in the previous chapter The SDT Connector can also be pre configured with the access tools and applications that will be available when access to a particular host has been established SDT C
22. B PANMS Console 12 04 Management TA a File Edit Vie TRIPP LITE LITE vay Logs Help lt a B Devices Status IPAddress MAC Address Hostname Modet Name Location Type Ver Ref wv porma AL 105 4 199 MUULASED bec Uaa rer idt UMP pauls peen gt Configure _ _ Ej Noma 192 168 1 28 po 11 93 23b hisz 168 1 28 ues paws jizza P Normal 192 168 11 37 j00 16 06 02 4 hsz 168 1 37 ISMARTISOORM2U pups fiz Serial amp Net Serial Po t Mail VY Noma 167 173 59 15 67 173 59 TRIPP LITE SMA jnm Users amp G f f i B i gf Moma 192 168 1 125 100 05 67 20 d 1192 168 1 TRIPP LITE SMA SFM 22 4 I Authentid ee Network Alarms 192 168 1 21 Trusted ne l e Cascaded A linta Battar Muse 2 Vane Mid 235 Chapter 16 Thin Client 16 2 Advanced Control Panel 16 2 1 System Terminal Selecting System Terminal on the control panel logs you in at the command line to the BO92 016 Linux kernel As detailed in Chapters 14 and 15 this enables you to configure and customize your BO92 016 using the config and portmanager commands or general Linux commands Lp Favorites Remote Control Shutdown Reboot Logout A umask p 8 mode unalias a na pil unset f hame re COMMANDS o COMMANDS done variables Some variable names an wait n while COMMANDS do COMMANDS done
23. COMMANDS l lozt found sbin UZP j share var 16 2 2 System Shutdown Reboot Clicking System Shutdown on the control panel will shut down the BO92 016 system You will need to cycle the power to reactivate the BO92 01 Similarly by clicking System Reboot you will initiate a soft reset With a soft reset the BO92 016 reboots with all settings such as the assigned network IP address preserved However a soft reset disconnects all Users and ends any SSH sessions that had been established A soft reset will also occur when you switch OFF power from the BO92 016 and then switch the power back ON However if you cycle the power while the unit is writing to flash you could corrupt or lose data so the software Shutdown or Reboot from the control panel is the safer option 16 2 3 System Logout Clicking System Logout closes the local user log in session and removes the control panel However this does not logout remote users who may be logged into the BO92 016 Console Server or accessing attached devices using SSH tunneling 16 2 4 Custom The Custom button on the control panel enables you to customize your BO92 016 by adding buttons to the control panel that execute bash and other Linux commands you specify 16 2 5 Status These menu items give the user a snapshot of the serial port and IPMI device status 16 2 6 Logs These menu items give the user an audit log of BO92 016 activity 236 Chapter 16 Thin C
24. DRAC iLO etc To set up Secure Tunnel access the computer being accessed can be located on the same local network as the Console Server or attached to the Console Server via its serial COM port The remote User Administrator then connects to the Console Server through an SSH tunnel via dial up wireless or ISDN modem a broadband Internet connection an enterprise VPN network or a local network Secure Remote Management Secure Local Management Secure OoB Dial In or Broradband Network Serial connected connected To set up the secure SSH tunnel from the Client computer to the Console Server you must install and launch SSH client software on the User Administrator s computer It is recommended that you use the SDT Connector client software supplied with the Console Server to do this SDT Connector is simple to install and it auto configures It provides all your users with point and click access to all the systems and devices in the secure network With one click SDT Connector sets up a secure SSH tunnel from the client to the selected Console Server and then establishes a port forward connection to the target network connected host or serial connected device It will then execute the client application that will be used in communicating with the host This chapter details the basic SDT Connector operations e Configuring the Console Server for SSH tunneled access to network attached hosts and setting up permitted S
25. Description Notes OK 6 Cancel Optionally you can enter a Descriptive Name to display instead of the IP or DNS address and any Notes or a Description of this gateway such as its firmware version site location or anything special about its network configuration Click OK and an icon for the new gateway will now appear in the SDT Connector home page Note For an SDT Connector user to access a Console Server and then access specific hosts or serial devices connected to that Console Server that user must first be set up on the Console Server and must be authorized to access the specific ports hosts refer to Chapter 5 Only these permitted services will be forwarded through by SDT to the Host All other services TCP UDP ports will be blocked Chapter 6 Secure SSH Tunneling amp SDT Connector 6 2 3 Auto configure SDT Connector client with the user s access privileges Each user on the Console Server has an access profile This has been configured with the specific connected hosts and serial port devices the user has authority to access and a specific set of the enabled services for each of them This configuration can be auto uploaded into the SDT Connector client Eta Tripp Lite SDTConnector Hs 24 e 208 64 91 182 Gateway Actions a Bgateway Retrieve Hosts e Click on the new gateway icon and select Retrieve Hosts This will o configure access to n
26. LDAP Base DN LDAP Bind DN and LDAP User Name Attribute e Enter memberOf for LDAP Group Membership Attribute as group membership is currently only supported on Active Directory servers Chapter 9 Authentication e lf required enter the group information for LDAP Console Server Group DN and or LDAP Administration Group DN A user must be a member of the LDAP Console Server Group DN group in order to gain access to the console and user interface For example the user must be a member of MyGroup on the Active Server to gain access to the Console Server Additionally a user must be a member of the LDAP Administration Group DN in order to gain administrator access to the Console Server For example the user must be a member of AdminGroup on the Active Server to receive administration privileges on the Console Server e Click Apply LDAP Server Address Server Password Confirm Password LDAP Base DN LDAP Bind DN LDAP Username Attribute LDAP Group Membership Attribute LDAP Console Server Group DN LDAP Administration Group DN 192 168 254 18 Comma separated list of remote servers eeeeeee The shared secret allowing access to the authentication server Re enter the above password for confirmation cn Users dc opengear dc c The distinguished name of the search base For example dc my company dc com cn Administrator cn Users d The distinguished name to bind to the server with The default is to
27. Left ID Right ID Left Address Right Address Left Subnet Right Subnet Initiate Tunnel Apply A descriptive name for the IPsec tunnel RSA digital signatures D Shared secret PSK Authenticate using RSA digital signatures or a shared secret PSK RSA digital signatures cannot be used until IPsec RSA keys have been generated Click here to generate keys ESP J AH Authenticate as part of ESP encryption or separately using the AH protocol The identifier for this end of the tunnel should include a fully qualified domain name preceded by e g eft example com The identifier for the other end of the tunnel should include a fully qualified domain name preceded by e g nght example com The public IP or DNS address of this end of the tunnel leave blank to use the interface of the default route The public IP or DNS address of the other end of the tunnel leave blank ff it is dynamic The private subnet behind this end of the tunnel in CIDR notation e g 19 168 123 0 24 leave blank to allow connections to this host only The private subnet behind the other end of the tunnel in CIDR notation e g 19 168 123 0 24 leave blank to connect to a single host v Initiate the tunnel connection from this end Select the Authentication Method to be used either RSA digital signatures or a Shared secret PSK If you select RSA you will asked to click here to generate keys This will generate an RSA public key f
28. Use Nagios to notify of this alert MSCA must be enabled under System Nagios Nagios must be enabled for each applicable host or port under Network Hosts or Serial Ports Applicable Port s C Select Unselect all Ports COPort Port C Port Port Port JPort Port Port 1 2 3 4 5 6 7 8 Cl Port Cl Port Cl Port Cl Port Cl Port Cl Port Cl Port Cl Port 9 10 11 12 13 14 15 16 The serial ports to apply this alert to Applicable No hosts are currently configured The hosts to apply this alert to Host s Applicable No UPSes are currently configured UPS es The UPSes to apply this alert to Applicable No RPCs are currently configured RPC s The RPCs to apply this alert to Applicable No environmental monitors are currently configured Environmental The environmental monitor sensors to apply this alert to Sensor s Applicable No environmental monitors are currently configured Alarm Sensor The alarm sensors to apply this alert to s At Add a New Alert enter a Description for this new alert Nominate the email address for the Email Recipient and or the SMS Recipient to be notified of the alert Activate SNMP notification if it is to used for this event Activate Nagios notification if it is to be used for this event In an SDT Nagios centrally managed environment you can check the Nagios alert option On the trigger condition for matched patterns logins power events and signal changes an NSCA check warning result will be sent to the
29. VNC on port 5900 Devices Port Logs Secure VNC Server Host Logs Enable the Secure encrypted VNC server for remote access to the local display VNC over SSL on port 5800 Power z z le Terminal owerAlert Conso KVM Console Server Automatically start PowerAlert console after logging into the local display or VNC session Apply Chapter 3 Initial System Configuration 3 5 Communications Software You need to configure the access protocols that the communications software on the Administrator and User Computer will use when connecting to the Console Server and when connecting to serial devices and network hosts which are attached to the Console Server This section provides an overview of the communications software tools that can be used on the remote computer Tripp Lite recommends the SDT Connector software tool that is provided with the Console Server however generic tools such as PuTTY and SSHTerm may also be used 3 5 1 SDT Connector We recommend using the SDT Connector communications software for all communications with Console Servers Each Console Server is supplied with an unlimited number of SDT Connector licenses to use with that Console Server SDT Connector is a lightweight tool that enables Users and Administrators to securely access the Console Server and the various computers network devices and appliances that may be serially or network connected to the Console Server SDT Connector can be insta
30. amp SDT Connector 6 2 6 Manually adding new services to the new hosts To extend the range of services that can be used when accessing hosts with SDT Connector e Select Edit Preferences and click the Services tab Click Add e Enter a Service Name and click Add e Under the General tab enter the TCP Port that this service runs on e g 80 for HTTP Optionally select the client to be used to access the local endpoint of the redirection i Tripp Lite SDTConnector al a 2 Sa SDTConnector Preferences HTTP browser HTTPS browser Telnet client SOL Telnet client IHTTP browser RSA II IBM Director console SSH client HyperTerminal VNC viewer VMWare Server console Close _ e Select which Client application is associated with the new service A range of client application options are pre configured in the default SDT Connector RDP client VNC client HTTP browser HTTPS browser Telnet client etc However if you wish to add new client applications to this range then proceed to the next section Adding a new client and then return here K Tripp Lite SDTConnector si SDTConnector Preferences d G Add Client Client name Path to client executable file EA Command line format for client executable 20K f Cancel e Click OK then Close A service typically consists of a single SSH port redirection and a local client t
31. etc scripts portmanager user alert for port connections or etc scripts sdt user alert for host connections e Fora signal alert when a signal on a port changes state etc scripts portmanager signal alert e Fora pattern match alert when a specific regular expression is found in the serial ports character stream etc scripts portmanager pattern alert e Fora UPS status alert when the UPS power status changes between on line on battery and low battery etc scripts ups status alert e For a environmental power and alarm sensor alerts temperature humidity power load and battery charge alerts etc scripts environmental alert e For an interface failover alert etc scripts interface failover alert All of these scripts do a check to see whether you have created a custom script to run instead The code that does this check is shown below an extract from the file etc scripts portmanager pattern alert If there s a user configured script run it instead scripts O etc config scripts pattern alert ALERT PORTNAME scripts 1 etc config scripts portmanager pattern alert for i 0 i lt scripts i do if f scripts i then exec bin sh scripts i fi done This code shows that there are two alternative scripts that can be run instead of the default one This code first checks whether a file etc config scripts pattern alert ALERT PORTNAME exists The variable ALERT PORTNAME must be
32. sample server Windows Client P Proxy Settings About Exit OpenVPN GUI j Prey 9 41PM fe i E EF Wednesday 4 03 2010 When the OpenVPN software is started the C Program Files OpenVPN config folder will be scanned for opvn files This folder will be rechecked for new configuration files whenever the OpenVPN GUI icon is right clicked So once OpenVPN is installed a configuration file will need to be created e Using a text editor create an xxxx ovpn file and save in C Program Files OpenVPN config For example C Program Files OpenVPN config client ovon An example of an OpenVPN Windows client configuration file is shown below description BL_ client client proto udp verb 3 dev tun remote 192 168 250 152 port 1194 ca c jopenvpnkeys ca crt cert c openvonkeys client crt key c jopenvonkeys client key nobind persist key persist tun comp zo An example of an OpenVPN Windows Server configuration file is shown below server 10 100 10 0 255 255 255 0 port 1194 keepalive 10 120 proto udp mssfix 1400 persist key persist tun dev tun ca c jopenvpnkeys ca crt cert c openvpnkeys server crt 60 Chapter 4 Serial Port Device and User Configuration key c jopenvonkeys server key dh c openvonkeys dh pem The Windows client server configuration file options are Options Description description This is a comment describing the configuration Comme
33. tf A SDT connector e Click the SDT Connector icon on your desktop to start the client Note SDT Connector is a Java application so it must have a Java Runtime Environment JRE installed This can be freely downloaded from http java sun com j2se It will install on Windows 2000 XP 2003 Vista computers and on most Linux platforms Solaris platforms are also supported however they must have Firefox installed SDT Connector can run on any system with Java 1 4 2 and above installed but it assumes the web browser is Firefox and that xterm e Telnet opens a Telnet window To operate SDT Connector add the new gateways to the client software by entering the access details for each Console Server refer to Section 6 2 2 Then let the client auto configure with all host and serial port connections from each Console Server refer Section 6 2 3 Now point and click to connect to the Hosts and serial devices refer to Section 6 2 4 Alternately you can manually add network connected hosts refer Section 6 2 5 as well as manually configure new services to be used when accessing the Console Server and the hosts refer Section 6 2 6 Manually configure clients to run on the computer that will use the service to connect to the hosts and serial port devices refer to Section 6 2 7 and 6 2 9 SDT Connector can also be set up to make an out of band connection to the Console Server refer to Section 6 2 9 Chapter 6 Secure SSH Tunneling amp SDT Co
34. to SDT Connector client Click Edit Preferences Private Keys Add locate the private key file and click OK You do not have to add the public part of your SSH key pair it is calculated using the private key SDT Connector will now use public key authentication when SSH connecting through the Console Server You may have to restart SDT Connector to shut down any existing tunnels that were established using password authentication If you have a host behind the Console Server that you connect to by clicking the SSH button in SDT Connector you can also configure it for public key authentication Essentially what you are using is SSH over SSH and the two SSH connections are entirely separate and the host configuration is entirely independent of SDT Connector and the Console Server You must configure the SSH client that SDT Connector launches e g Putty OpenSSH and the host s SSH server for public key authentication Chapter 15 Advanced Configuration 15 7 Secure Sockets Layer SSL Support Secure Sockets Layer SSL is a protocol developed by Netscape for transmitting private documents via the Internet SSL works by using a private key to encrypt data that s transferred over the SSL connection The Console Server includes OpenSSL The OpenSSL Project is a collaborative effort to develop a robust commercial grade full featured and Open Source toolkit implementing the Secure Sockets Layer SSL v2 v3 and Transport Layer Security TLS v1
35. what you are using is SSH over SSH and the two SSH connections are entirely separate Chapter 6 Secure SSH Tunneling amp SDT Connector 6 8 Setting up SDT for Remote Desktop Access Microsoft s Remote Desktop Protocol RDP enables the system manager securely to access and manage remote Windows computers to reconfigure applications and user profiles upgrade the server s operating system reboot the machine etc Secure Tunneling uses SSH tunneling so this RDP traffic is securely transferred through an authenticated and encrypted tunnel SDT with RDP also allows remote Users to connect to Windows XP Vista Windows 2003 computers and to Windows 2000 Terminal Servers and to have access to all of the applications files and network resources with full graphical interface just as though they were in front of the computer screen itself To set up a secure Remote Desktop connection you must enable Remote Desktop on the target Windows computer that is to be accessed and configure the RPD client software on the client computer 6 8 1 Enable Remote Desktop on the target Windows computer to be accessed To enable Remote Desktop on the Windows computer being accessed e Open System in the Control Panel and click the Remote tab System Properties General Computer Name Hardware System Restore Automatic Updates x Select the ways that this computer can be used from another g location Remote Assistance C Allow Remote Assistance i
36. 1 The Management Console supports all current versions of the popular browsers Internet Explorer Mozilla Firefox Google Chrome Apple Safari and more TRIPP LITE ee ae POWER PROTECTION System Login Username Password Passcode Submit e You will be prompted to log in Enter the default administration username and administration password Username root Password default Note Console Servers are factory configured with HTTPS access enabled and HTTP access disabled Chapter 3 Initial System Configuration TrippLite Management Console Welcome Serial amp Network Serial Port The following configuration procedure is necessary in order to initialize the unit Complete each Users amp Groups step by following the appropriate link Upon completion of each step click on the logo on the top Authentication left corner in order to return to this window Network Hosts x R Trusted Networks Change the default administration password on the SystenryAdministration page IPsec VPN e Configure the local network settings on the Systemy IP page OpenVPN pant ed Ports To configure console server features s obs n ae e Configure serial ports settings and enable supported protocols on the Sera amp Network Serial Port page Done vi t Environments e Configure users with access to serial ports on the Sera amp Network Users page Done Managed Devices A Welcome screen which lists init
37. 1 ret 0 a 0 u d down Route Waiting for TUN TAP interface to come up TEST ROUTES 1 1 succeeded len 1 ret 1 a 0 u d up e Once established the OpenVPN icon will display a message notifying of the successful connection and assigned IP This information as well as the time the connection was established is available anytime by scrolling over the OpenVPN icon i client is now connected Assigned IP 10 100 10 6 Chapter 4 Serial Port Device and User Configuration Note An alternate OpenVPN Windows client can be downloaded from http www openvpn net index php openvpn client downloads html Refer to http www openvpn net index php openvpn client howto openvpn client html for help I OpenVPN Client OPENVPN Access Status Settings Server Address W Connection Profiles Chapter 5 Firewall Failover and Out of Band The Console Server has a number of failover and out of band access capabilities to ensure availability in the event there are difficulties in accessing the Console Server through the principal network path This chapter covers e Out of band OoB access from a remote location using dial up modem e OQOut dial failover e OoB access using an alternate broadband link e Broadband failover The Console Server can also provide basic routed firewall facilities with NAT Network Address Translation packet filtering and port forwarding support on all network interfaces 5 1 OoB Dial In Acc
38. 168 0 50 MAC to reserve IP for 00 1 67 82 72 d9 Name to identify this host John PC Issue the commands config s config interfaces lan dhcpd enabled on config s config interfaces lan dhcpd defaultlease 200000 config s config interfaces lan dhcpd maxlease 300000 config s config interfaces lan dhcpd dns1 192 168 2 3 config s config interfaces lan dhcpd dns2 192 168 2 4 config s config interfaces lan dhcpd domain company com config s config interfaces lan dhcpd gateway 192 168 0 1 config s config interfaces lan dhcpd pools pool1 startt 192 168 0 20 config s config interfaces lan dhcpd pools pool1 end 192 168 0 100 config s config interfaces lan dhcpd pools total 1 config s config interfaces lan dhcpd staticips staticip1 ip 192 168 0 50 config s config interfaces lan dhcpd staticips staticio1 mac 00 1e 67 82 72 d9 config s config interfaces lan dhcpd staticips staticio1 host John PC config s config interfaces lan dhcpd staticips total 1 The following command will synchronize the live system with the new configuration config a Chapter 14 Command Line Configuration 14 1 21 Services You can manually enable or disable network servers from the command line For example if you wanted to guarantee the following server configuration HTTP Server Enabled HTTPS Server Disabled Telnet Server Disabled SSH Server Enabled SNMP Server Disabled Ping Replies Respond to ICMP echo requ
39. 55H Guth me Clase wandow on g Bunge SAh C Mever Cal Oni on clear mal Cancel Chapter 3 Initial System Configuration 3 5 3 SSHTerm Another common communications package that may be useful is SSHTerm This is an open source package that can be downloaded from http sourceforge net projects sshtools ka SSHTerm 0 7 Fi Fie Edt View Tools Help D New Conpection Alt h Open Ati y Edik g Nes Winda td Prir As Print Prewew H ext Connection Profile Hot Protocol Promy Commands Terminal Hostoame 192 168 04 H i Fit HWI Lloret roan fuihentosben Method A LE a i E pee word Pichi her eae a ee Comedi I Carn To use SSHTerm for an SSH terminal session from a Windows Client simply Select the File option and click on New Connection A new dialog box will appear for your Connection Profile Type in the host name or IP address for the Console Server unit and the TCP port that the SSH session will use port 22 Then type in your username and choose password authentication and click Connect A message may appear about the host key fingerprint You will need to select Yes or Always to continue The next step is password authentication You will be prompted for your username and password from the remote system You will then be logged on to the Console Server Chapter 3 Initial System Configuration 3 6 Management Network Configuration
40. 9 1 1 Local authentication e Select Serial and Network Authentication and check Local e Click Apply Chapter 9 Authentication 9 1 2 TACACS authentication Perform the following procedure to configure the TACACS authentication method to be used whenever the Console Server or any of its serial ports or hosts is accessed e Select Serial and Network Authentication and check TACAS or LocalTACACS or TACACSLocal or TACACSDownLocal TACACS Authentication and Authorisation Termer Addes Comma seperated list of remote authentiction and authorisation servers Accounting Server Address Comma seperated list of remote accounting servers If unset Authentication and Authorisation Server Address will be used Server Password The shared secret allowing access to the authentication server Confirm Password Re enter the above password for confirmation e Enter the Server Address IP or host name of the remote Authentication Authorization server Multiple remote servers may be specified in a comma separated list Each server is tried in succession e In addition to multiple remote servers you can also enter for separate lists of Authentication Authorization servers and Accounting servers If no Accounting servers are specified the Authentication Authorization servers are used instead e Enter the Server Password e Click Apply TACAS remote authentication will now be used for all user access to Console Server and seri
41. ARP Ping command to reset the Console Server IP address To do this from a Windows PC e Click Start gt Run or select All Programs then Accessories then Run e Type cmd and click OK to bring up the command line e Type arp d to flush the ARP cache e Type arp a to view the current ARP cache this should be empty Chapter 3 Initial System Configuration Type the name of a program folder document or Internet resource and Windows will open it for you Open EEE q Cancel Browse Now add a static entry to the ARP table and ping the Console Server to assign the IP address to the console server In the example below a Console Server has a MAC Address 00 13 C6 00 02 0F designated on the label on the bottom of the unit and we are setting its IP address to 192 168 100 23 Also the PC workstation issuing the arp command must be on the same network segment as the Console Server that is have an IP address of 192 168 100 xxx e Type arp s 192 168 100 23 OO 13 C6 00 02 OF Note for UNIX the syntax is arp s 192 168 100 23 00 13 C6 00 02 0F e Type ping t 192 18 100 23 to start a continuous ping to the new IP Address e Turn on the Console Server and wait for it to configure itself with the new IP address It will start replying to the ping at this point e Type arp d to flush the ARP cache again 3 1 2 Browser connection e Activate your preferred browser on the connected computer and enter https 192 168 0
42. Accessing config from the command line The Console Server runs a standard Linux kernel and embeds a suite of open source applications So if you do not want to use a browser and the Management Console tools you are free to configure the Console Server and to manage connected devices from the command line using standard Linux and Busybox commands and applications such as ifconfig gettyd stty powerman nut etc However without care these configurations may not withstand a power cycle reset or reconfigure So Tripp Lite provides a number of custom command line utilities and scripts to make it simple to configure the Console Server and ensure the changes are stored in the Console Server s flash memory etc In particular the config utility allows manipulation of the system configuration from the command line With config a new configuration can be activated by running the relevant configurator which performs the action necessary to make the configuration changes live To access config from the command line e Power up the Console Server and connect the terminal device o If you are connecting using the serial line plug a serial cable between the Console Server local DB 9 console port and terminal device Configure the serial connection of the terminal device you are using to 115200bps 8 data bits no parity and one stop bit o If you are connecting over the LAN then you will need to interconnect the Ethernet ports and direct your terminal e
43. Console Servers can also be configured selectively to maintain log records of all access and communications with the Console Server and with the attached serial devices all system activity and a history of the status of any attached environmental monitors UPS and PDU devices The Console Servers can also log access and communications with network attached hosts e f port logs are to be maintained on a remote server then the access path to this location needs to be configured Section 1 3 e Then you need to activate and set the desired levels of logging for each serial Section 7 4 and or network port Section 7 5 and or power and environment devices refer to Chapter 8 7 1 Configure SMTP SMS SNMP Nagios Alerts The Alerts facility monitors nominated serial ports nosts UPSs PDUs EMDs etc for trigger conditions and when triggered sends an alert notification over the nominated alert service Before setting up the alert trigger you must configure these alert services The Alerts facility monitors nominated serial ports nosts UPSs PDUs EMDs etc for trigger conditions and when triggered sends an alert notification over the nominated alert service Before setting up the alert trigger you must configure these alert services 7 1 1 Email alerts The Console Server uses SMTP Simple Mail Transfer Protocol for sending the email alert notifications To use SMTP the Administrator must configure a valid SMTP server for sending the email
44. El Add Service Service Name Serial Port 2 5 Add Port Redirection General Advanced Client Telnet client TCP Port OK 3 Cancel Assuming you have already set up the target Console Server as a gateway in your SDT Connector client with username password etc select this gateway and click the Host icon to create a host Alternatively select File New Host Enter 127 0 0 1 as the Host Address and select Serial Port 2 for Service In Descriptive Name enter something along the lines of Loopback ports or Local serial ports Click OK Click Serial Port 2 icon for Telnet access to the serial console on the device attached to serial port 2 on the gateway To enable SDT Connector to access to devices connected to the gateway s serial ports you must also configure the Console Server itself to allow port forwarded network access to itself and enable access to the nominated serial port Browse to the Console Server and select Serial Port from Serial amp Network Click Edit to selected Port e g Port 2 if the target device is attached to the second serial port Ensure the port s serial configuration is appropriate for the attached device Scroll down to Console Server Setting and select Console Server Mode Check Telnet or SSH and scroll to the bottom and click Apply Select Network Hosts from Serial amp Network and click Add Host In the IP Address DNS Name field enter 127 0 0
45. If any other element value were to be encrypted the value will become inaccessible and will have to be re set To add this user to specific groups admin users config s config users user2 groups group1 groupname config s config users user2 groups group2 groupname2 etc To give this user access to a specific port config s config users user2 port1 on config s config users user2 pomt2 on config s config users user2 portS on etc To remove port access config s config users user2 port1 the value is left blank or simply config d config users user2 port1 The port number can be anything from 1 to 48 depending on the available ports on the specific Console Server For example assume we have an RPC device connected to port 1 on the Console Server and the RPC is configured To give this user access to RPC outlet number 3 on the RPC device run the 2 commands below config s config ports port1 power outlet3 users user2 John config s config ports port1 power outlet3 users total 2 total number of users that have access to this outlet If more users are given access to this power outlet then increment the config ports port1 power outlet3 users total element accordingly To give this user access to network host 5 assuming the host is configured config s config sdt hosts host5 users user1 John config s config sdt hosts host5 users total 1 total number of users having
46. Logging Alerts refer to Chapter 7 8 2 5 UPS status You can monitor the current status of all your Managed or Monitored UPS s whether they are on the network or connected serially or via USB e Select the Status UPS Status menu and a table with the summary status of all connected UPS hardware will be displayed e Click on any particular UPS System name in the table and you will be presented with a more detailed graphical information on the select UPS System Dev UPS UPS 500VA on devups locallhost Sun Jul 02 18 15 14 EDT 2000 Battery Input Output Load UPS UPS Model 500VA Status ONLINE Battery 13 7 V Input 244 Vv Output 244 v e Click on any particular All Data for any UPS System in the table for more status and configuration information on the select UPS System e Select UPS Logs and you will be presented with the log table of the load battery charge level temperature and other status information from all the Managed and Monitored UPS systems This information will be logged for all UPS s which were configured with Log Status checked The information is also presented graphically Chapter 8 Power and Environment 8 2 6 Overview of Network UPS Tools NUT Network UPS Tools NUT is a group of open source programs that provide a common interface for monitoring and administering UPS hardware and ensuring safe shutdowns of the systems which are connected NUT can be configured using the Management Console as describ
47. Port Logs Host Logs No addresses currently reserved Power 1 Terminal Add e Enter the Gateway address that is to be issued to the DHCP clients If this field is left blank the Console Servers IP address will be used e Enter the Primary DNS and Secondary DNS address to issue the DHCP clients Again if this field is left blank Console Server s IP address is used so leave this field blank for automatic DNS server assignment e Optionally enter a Domain Name suffix to issue DHCP clients e Enter the Default Lease time and Maximum Lease time in seconds The lease time is the time that a dynamically assigned IP address is valid before the client must request it again e Click Apply The DHCP server will sequentially issue IP addresses from a specified address pool s e Click Add in the Dynamic Address Allocation Pools field e Enter the DHCP Pool Start Address and End Address and click Apply Chapter 3 Initial System Configuration Serial amp Network Serial Port Users amp Groups Authentication Network Hosts Trusted Networks IPsec VPN OpenVPN Cascaded Ports UPS Connections RPC Connections Environmental Managed Devices Alerts amp Logging I Network Interface Management LAN Interface Dynamically Allocated Pool DHCP Pool Start Address The first address in the pool to use for DHCP DHCP Pool End Address The last address in the pool to use for DHCP
48. SMTP Simple Mail Transfer Protocol is much faster than sending text pages via a modem using the TAP Protocol Almost all mobile phone carriers provide an SMS gateway service that forwards email to mobile phones on their networks There is also a wide selection of SMS gateway aggregators who provide email to SMS forwarding to phones on any carriers To use SMTP SMS the Administrator must configure a valid SMTP server for sending the email SMTP SMS Server Server The outgoing SMTP SMS server address Secure Connection None O TLS OSSL If this server uses a secure connection specify its type Sender Username Password Confirm Subject Line e Inthe SMTP SMS Server field in the Alerts amp Logging SMTP amp SMS menu enter the IP address of the outgoing mail Server e You may enter a Sender email address which will appear as the from address in all email notifications sent from this Console Server Some SMS gateway service providers only forward email to SMS when the email has been received from authorized senders So you may need to assign a specific authorized email address for the Console Server e You may also enter a Username and Password as some SMS gateway service providers use SMTP servers which require authentication e Similarly you can specify the Subject Line that will be sent with the email Generally the email subject will contain a truncated version of the alert notification message which is contained in full
49. Secure SSH Tunneling amp SDT Connector Also some clients are launched in a command line or terminal window The Telnet client is an example of this c Tripp Lite SDTConnector oe d 3 Ma SDTConnector Preferences Ge Edit Client Client name Telnet client Path to client executable file telnet E Browse d Command line format for client executable cmd c start path host port OK 26 Cancel Close e Click OK 6 2 8 Dial in configuration If the client computer is dialing into Local Console port on the Console Server you will need to set up a dial in PPP link e Configure the Console Server for dial in access following the steps in the Configuring for Dial In PPP Access section in Chapter 5 Configuring Dial In Access e Set up the PPP client software at the remote User computer following the Set up the remote Client section in Chapter 5 Once you have a dial in PPP connection established you can then set up the secure SSH tunnel from the remote Client computer to the Console Server Chapter 6 Secure SSH Tunneling amp SDT Connector 6 3 SDT Connector to Management Console SDT Connector can also be configured for browser access to the gateway s Management Console and for Telnet or SSH access to the gateway command line For these connections to the gateway itself you must configure SDT Connector to access the gateway itself by setting the
50. Servers allow remote authentication via RADIUS LDAP and TACACS With Firmware V3 2 and later RADIUS and LDAP can provide additional restrictions on user access based on group information or membership For example with remote group support RADIUS and LDAP users can belong to a local group that has been setup to have restricted access to serial ports network hosts and managed devices Remote authentication with group support works by matching a local group name with a remote group name provided by the authentication service If the list of remote group names returned by the authentication service matches any local group names the user is given permissions as configured in the local groups To enable group support to be used by remote authentication services e Select Serial amp Network Authentication e Select the relevant Authentication Method e Check the Use Remote Groups button 9 1 7 Remote groups with RADIUS authentication e Enter the RADIUS Authentication and Authorization Server Address and Server Password e Click Apply e Edit the Radius user s file to include group information and restart the Radius server When using RADIUS authentication group names are provided to the Console Server using the Framed Filter Id attribute This is a standard RADIUS attribute and may be used by other devices that authenticate via RADIUS To interoperate with other devices using this field the group names can be added to the end of any existing
51. The BO96 048 or BO96 016 Console Servers each has an additional network port that can be configured as a Management LAN port or as a failover OOB access port 3 6 1 Enable the Management LAN The BO96 048 and BO96 016 Console Servers have dual Ethernet ports which can be configured to provide a management LAN gateway With this configuration the BO96 048 016 provides firewall router and DHCP server features and you can connect managed hosts to this management LAN NETWORK 1 SS NETWORK 2 Operations neiwork Management Serially network connected consoles Sagat These features are all disabled by default To configure the Management LAN gateway e Select the Management LAN Interface page on the System IP menu and uncheck Disable e Configure the IP Address and Subnet Mask for the Management LAN but leave the DNS fields blank e Click Apply Serial amp Network Serial Port Network Interface Management LAN Interface General Settings Users amp Groups Authentication Network Hosts Disable Trusted Networks Deactivate this network interface IPsec VPN OpenVPN Cascaded Ports UPS Connections z RPC Connections IP Settings Management LAN Environmenta ee Managed Devices ote DHCP Static Alerts amp Logging The mechanism to acquire IP settings Port Log IP Address Alerts SMTP amp SMS A statically assigned IP address SNMP Subnet Mask A
52. UPS RPC connections and Environmental config s config devices device8 name my device config s config devices devices description The eighth device config s config devices device8 connections connection1l name my device config s config devices device8 connections connection1 tyoe serial Host UPS RPC config s config devices total 8 decrement this value when deleting a managed device To delete the above managed device config d config devices device8 The following command will synchronize the live system with the new configuration config a Chapter 14 Command Line Configuration 14 11 12 Port log To configure serial network port logging config s config eventlog server address remote server ip address config s config eventlog server logfacility facility facility can be Daemon Local O 7 Authentication Kernel User Syslog Mail News UUCP config s config eventlog server logpriority priority priority can be Info Alert Critical Debug Emergency Error Notice Warning Assume the remote log server needs a username name1 and password secret config s config eventlog server username namel config s config eventlog server password secret To set the remote path as tripplite logs to save logged data config s config eventlog server path tripplite logs config s config eventlog server tyoe none syslog nfs cifs usb If the server
53. a Chapter 14 Command Line Configuration 14 1 4 Authentication To change the type of authentication for the Console Server config s config auth tyoe authtype authtype can be Local LocalTACACS TACACS TACACSLocal TACACSDownLocal LocalRADIUS RADIUS RADIUSLocal RADIUSDownLocal LocalLDAP LDAP LDAPLocal LDAPDownLocal To configure TACACS authentication config s config auth tacacs auth_server comma separated list list of remote authentiction and authorization servers config s config auth tacacs acct_server comma separated list list of remote accounting servers If unset Authentication and Authorization Server Address will be used config s config auth tacacs password password To configure RADIUS authentication config s config auth radius auth_server comma separated list list of remote authentiction and authorization servers config s config auth radius acct_server comma separated list list of remote accounting servers If unset Authentication and Authorization Server Address will be used config s config auth radius password password To configure LDAP authentication config s config auth ldap server comma separated list list of remote servers config s config auth l dap basedn name The distinguished name of the search base For example dc my company dc com config s config auth ldap binddn name The distinguished name to bind to the se
54. alerts alert2 outlet RPCname outlet alert2 outlet increments sequentially with each added outlet The second outlet refers to the specific RPC power outlets config s config alerts alert2 roc RPC name config s config alerts alert2 sensor temp humid load charge config s config alerts alert2 signal DSR config s config alerts alert2 type enviro config s config alerts alert2 ups1 UPSname hostname Example1 To configure a temperature sensor alert for a sensor called SensorlnRoom42 config s config alerts alert2 sensor temp config s config alerts alert2 enviro high critical 60 config s config alerts alert2 enviro high waming 50 config s config alerts alert2 enviro hysteresis 2 config s config alerts alert2 enviro low critical 5 config s config alerts alert2 enviro low warning 10 config s config alerts alert2 enviro1 SensorlnRoom42 config s config alerts alert2 signal DSR config s config alerts alert2 type enviro Example2 To configure a load sensor alert for outlets 2 and 4 for an RPC called RPCInRoom20 config s config alerts alert2 outlet1 RPCname outlet2 config s config alerts alert2 outlet2 RPCname outlet4 config s config alerts alert2 enviro high critical 300 config s config alerts alert2 enviro high waming 280 config s config alerts alert2 enviro hysteresis 20 config s config alerts alert2 enviro low critical 50 c
55. amp in addition to the default port 5000 A secondary TCP port range for Unauthenticated Telnet access to serial ports Thi amp in addition to the default port 6000 e The BO92 016 Console Server with PowerAlert also presents some additional service and configuration options The BO92 016 Console Server has an internal VNC server When enabled it allows remote users to connect to the Console Server and run the PowerAlert software and any other embedded thin client programs as if they were plugged in locally to the KVM connectors on the BO92 016 refer to Chapter 16 for more details Users connect using port 5900 and need to run a VNC client applet This enables a secure encrypted remote connection using VNC over SSL on port 5800 to the BO92 016 Console Server refer to Chapter 16 Secure VNC PowerAlert This configuration option will automatically start the PowerAlert application on the BO92 016 and display the console as soon as you log into the local display or VNC session refer to Chapter 16 The complete PowerAlert manual can be downloaded at www tripplite com EN support PowerAlert Downloads cfm Syslog Alternate PS Stat Unauthenticated Telnet n DE gt S SaN Base A secondary TCP port range for Unauthenticated Telnet access to serial ports Thi amp in addition to the default port RPC Status 6000 IU Environmental Statu z VNC Server 7 Enable the standard VNC server for remote access to the local display
56. assume we already have one server called bridge_server and two sets of keys for the control_room and the plant_entrance Is home user keys control_room control_room pub plant_entrance plant_entrance pub cat home user keys control_room pub home user keys plant_entrance pub gt home user keys authorized_keys_bridge_server Uploading Keys The keys for the server can be uploaded through the web interface on the System Administration page as detailed earlier If only one client will be connecting then simply upload the appropriate public key as the authorized keys file Otherwise upload the authorized keys file constructed in the previous step Each client will then need its own set of keys uploaded through the same page Take care to ensure that the correct type of keys DSA or RSA go in the correct spots and that the public and private keys are in the correct spot 15 6 8 SDT Connector Public Key Authentication SDT Connector can authenticate against a Console Server using your SSH key pair rather than requiring your to enter your password i e public key authentication e To use public key authentication with SDT Connector first you must first create an RSA or DSA key pair using ssh keygen PuTTYgen or a similar tool and add the public part of your SSH key pair to the Console Server as described in the earlier section e Next add the private part of your SSH key pair this file is typically named id_rsa or id_dsa
57. authentication Password Connect to port 1i 5 gt 1 Connected on port portol Router gt This syntax enables users to set up SSH tunnels to all serial ports with only a single IP port 22 having to be opened in their firewall gateway RAW TCP allows connections directly to a TCP socket Communications programs such as PuTTY also support RAW TCP however this protocol would usually be used by a custom application For RAW TCP the default port address is IP Address _ Port 4000 serial port i e 4001 4048 RAW TCP also enables the serial port to be tunneled to a remote Console Server so two serial port devices can be transparently interconnected over a network see Chapter 4 1 6 Serial Bridging Selecting RFC2217 enables serial port redirection on that port For RFC2217 the default port address is IP Address _ Port 5000 serial port i e 5001 5048 You will also need to run serial port redirector software on your desktop computer This software which supports RFC2217 virtual com ports is available commercially and as freeware for Windows UNIX and Linux and it allows you to use a serial device connected to the remote Console Server as if it were connected to your local serial port Chapter 4 Serial Port Device and User Configuration Unauthenticated Telnet Selecting Unauthenticated Telnet enables Telnet access to the serial port without requiring the user to provide credentials When a user access
58. can be installed remotely with the scp utility as follows scp ssl_key pem root lt address of unit gt etc config scp ssl_cert pem root lt address of unit gt etc config or using PSCP pscp scp ss _key pem root lt address of unit gt etc config pscp scp ss _cert pem root lt address of unit gt etc config PuTTY and the PSCP utility can be downloaded from http www chiark greenend org uk sgtatham putty download html More detailed documentation on the PSCP can be found http the earth li sgtatham putty 0 58 htmidoc Chapter5 html pscp 15 8 4 Launching the HTTPS Server Note that the easiest way to enable the HTTPS server is from the web Management Console Simply click the appropriate checkbox in Network Services HTTPS Server and the HTTPS server will be activated assuming the ss _key oem amp ssl _cert pem files exist in the etc config directory Alternatively inetd can be configured to launch the secure fnord server from the command line of the unit as follows Edit the inetd configuration file From the unit command line vi etc config inetd conf Append a line 443 stream tcp nowait root sslwrap cert etc config ss _cert pem key etc config ssl_key pem exec bin httpd home httpa Save the file and signal inetd of the configuration change kill HUP cat var run inetd pid The HTTPS server should be accessible from a web client at a URL similar to this httos lt common name of unit gt More
59. central Nagios server This condition is displayed on the Nagios status screen and triggers a notification This can cause the Nagios central server itself to send out an email or an SMS page etc Select from the list of all configured serial ports hosts power units monitors and probes which devices this new alert is to be applied to Select Applicable Port s Serial and or Applicable Host s and or Applicable UPS es and or Applicable RPC s and or Applicable EMD s and or Applicable Alarm Sensor s that are to be monitored for this alert trigger Chapter 7 Alerts and Logging 7 2 2 Select general alert type Select the Alert Type Connection Signal Pattern Match UPS Status or Environment and Power that is to be monitored You can configure a selection of different Alert types and any number of specific triggers Connection Alert Connection Alert An alert will be triggered when a user connects or disconnects from the applicable Host or Serial Port Thi alert type will oniy be applied to hosts and serial ports Serial Port Signal Alert Signal Alert An alert will be triggered when a signal changes state Thi alert type will only be applied to serial ports Signal Type DSR Specify which serial signal change to alert on Serial Port Pattern Match Alert Pattern Match Alert An alert will be triggered if a regular expression is found in the serial ports character stream 7h alert type will only be applied serial ports
60. changes Note All the queued configuration changes will be lost if Cancel is selected Chapter 11 System Management To disable the Delayed Configuration Commits mode e Uncheck the Delayed Config Commits button under System Administration and click Apply e Click the Commit Config button in top right hand corner of the screen to display the System Commit Configuration screen e Click Apply to run the systemsettings configurator The Commit Config button will no longer be displayed in the top right hand corner of the screen and configurations will no longer be queued 11 6 FIPS Mode Note The US National Institute of Standards and Technology NIST publishes the FIPS Federal Information Processing Standard series of standards FIPS 140 1 and FIPS 140 2 are both technical standards and worldwide de facto standards for the implementation of cryptographic modules These standards and guidelines are issued by NIST for use government wide NIST develops FIPS when there are compelling Federal government requirements such as for security and interoperability and there are no acceptable industry standards or solutions Console Servers with Revision 3 0 1 firmware or later use an embedded OpenSSL cryptographic module that has been validated to meet the FIPS 140 2 standards and has received Certificate 1051 This firmware is only currently available on BO95 004 1E BO95 003 1E M Console Servers When configured in FIPS mode all SSH HTTPS a
61. charsize gt character size lt charsize gt lt stop gt stop bits lt stop gt lt parity gt parity setting lt parity gt lt powerstrip gt The id appears on the web page in the list of available devices types to configure The outlets describe targets that the scripts can control For example a power control board may control several different outlets The port id is the native name for identifying the outlet This value will be passed to the scripts in the environment variable outlet allowing the script to address the correct outlet There are four possible scripts on off cycle and status When a script is run its standard input and output is redirected to the appropriate serial port The script receives the outlet and port in the outlet and port environment variables respectively The script can be anything that can be executed within the shell All of the existing scripts in etc powerstrips xml use the pmchat utility pmchat works just like the standard unix chat program only it ensures interoperation with the port manager The final options soeed charsize stop and parity define the recommended or default settings for the attached device Chapter 15 Advanced Configuration 15 10 IPMItool The Console Server includes the omitoo utility for managing and configuring devices that support the Intelligent Platform Management Interface IPMI version 1 5 and version 2 0 specifications IPMI is an open standard for mo
62. click the Backup icon Note The configuration files can also be backed up from the command line refer Chapter 14 System Configuration Backup Serial amp Network Serial Port Remote Backup Local Backup XML Configuration Users amp Groups Authentication Network Hosts Remote Backup Trusted Networks ack means m IPsec VPN Backup OpenVPN Cascaded Ports EE UPS Connections Save Backup RPC Connections Environmenta Managed Devices Backup File Choose File ieee Alerts amp Logging Saved configuration backup file Port Log i Mantes Restore You can save the backup file remotely on your PC and you can restore configurations from remote locations e Click Save Backup in the Remote Configuration Backup menu e The config backup file System Name_date_config opg will be downloaded to your PC and saved in the location you nominate To restore a remote backup e Click Browse in the Remote Configuration Backup menu and select the Backup File you wish to restore e Click Restore and click OK This will overwrite all the current configuration settings in your Console Server Alternately you can save the backup file locally onto the USB storage To do this your Console Server must support USB and you must have an internal or external USB flash drive installed To backup and restore using USB e Ensure the USB flash is the only USB device attached to the Console Server e Select t
63. configurations you may have set The solution is to create a custom script that runs after each configurator has run So after each configurator runs it will check whether that appropriate custom script exists You can then add any commands to the custom script and they will be invoked after the configurator runs The custom scripts must be in the correct location etc config scripts config post To create an alerts custom script Cd etc config scripts touch config post alerts vi config post alerts This script could be used to recover a specific backup config or overwrite a config or make copies of config files etc 15 1 8 Backing up the configuration and restoring using a local USB stick The etc scripts backup usb script been written to save and load custom configuration using a USB flash disk Before saving configuration locally you must prepare the USB storage device for use To do this disconnect all USB storage devices except for the storage device you wish to use Usage etc scripts backup usb COMMAND FILE COMMAND check magic check volume label set magic set volume label save FILE save configuration to USB delete FILE delete a configuration tarbal from USB list list available config backups on USB load FILE load a specific config from USB load default load the default configuration set default FILE set which file becomes the default The first thing to do is to check if the USB
64. console s PS 2 Keyboard Mouse and VGA connectors directly to the PS 2 and VGA connectors on the BO92 016 The default video resolution is 1024 x 768 The BO92 016 Console Server also supports the use of a USB keyboard mouse Alternately the BO92 016 Console Server can also be connected locally to a KVM or KVMoIP switch at the rack The BO92 016 Console Server with PowerAlert will enable you then to use this KVM infrastructure to run PowerAlert to manage your power devices and to run the thin clients to manage other devices Note Care should be taken in handling all Console Server products There are no operator serviceable components inside so do not remove cover Refer any service to qualified personnel Chapter 3 Initial System Configuration This chapter provides step by step instructions for the initial configuration of your Console Server and connecting it to your management or operational network This involves the Administrator e Activating the Management Console e Changing the Administrator password e Setting the IP address for the Console Server s principal LAN port e Selecting the network services to be supported This chapter also discusses the communications software tools that the Administrator may use to access the Console Server It also covers the configuration of the additional LAN ports on the BO96 016 048 Console Server Management Switch 3 1 Management Console Connection Your Console Server comes configured
65. content in the attribute in the following format group_name testgroup1 users The above example sets the remote user as a member of testgroup1 and users if groups with those names exist on the Console Server Any groups which do not exist on the Console Server are ignored When setting the Framed Filter Id the system may also remove the leading colon for an empty field To work around this add some dummy text to the start of the string For example dummy group_name testgroup1 users e f no group is specified for a user for example AmandaJones then the user will have no User Interface and serial port access but limited console access e Default groups available on the Console Server include admin for administrator access and users for general user access TomFraser Cleartext Password Fralom OQ Framed Filter ld group_name admin AmandaJones Cleartext Password JonAma amp 8 amp 3 Chapter 9 Authentication FredWhite Cleartext Password WhiFre62 Framed Filter ld group_name testgroup1 users JanetLong Cleartext Password LonJan5 Framed Filter ld group_name admin e Additional local groups such as testgroup1 can be added via Users amp Groups Serial amp Network Add a New group Groups testgroup 1 A group with predefined privileges the user will belong to Description test users A brief description of the groups role Accessible Hostis
66. data received during that time over the network at once Escape Character Customize the character used for sending out of band shell commands 7he default is Power Menu Enable shell power command menu Connect this port to a Managed Device then use p to run power commands Single Connection Limit the port to a single concurrent connection Device Settings Logging Level This specifies the level of information to be logged and monitored refer to Chapter 7 Alerts and Logging Telnet Check to enable Telnet access to the serial port When enabled a Telnet client on a User or Administrator s computer can connect to a serial device attached to this serial port on the Console Server The default port address is IP Address _ Port 2000 serial port i e 2001 2048 Telnet communications are unencrypted so this protocol is generally recommended for local connections only However if the remote communications are being tunneled with SDT Connector then Telnet can be used to securely access these attached devices see Note below With Win2000 XP NT you can run Telnet from the command prompt cmd exe Vista comes with a Telnet client and server but they are not enabled by default To enable Telnet simply e Log in as Admin and go to Start Control Panel Programs and Features e Select Turn Windows Features On or Off check the Telnet Client and click OK Chapter 4 Serial Port Device and User Configuration Cy Windows Fe
67. detailed documentation about the openssl utility can be found at the website htto www openssl org Chapter 15 Advanced Configuration 15 9 Power Strip Control The Console Server supports a growing list of remote power control devices RPCs which can be configured using the Management Console as described in Chapter 8 These RPCs are controlled using the open source NUT and PowerMan tools and the pmpower utility 15 9 1 PowerMan PowerMan provides power management in a data center or compute cluster environment It performs operations such as power on power off and power cycle via remote power controller RPC devices Target hostnames are mapped to plugs on RPC devices in powerman conf powerman power on off nodes Synopsis powerman option targets pm option targets Options 1 on Power ON targets O off Power OFF targets C cycle Power cycle targets f reset Assert hardware reset for targets if implemented by RPC f flash Turn beacon ON for targets if implemented by RPC u unflash Turn beacon OFF for targets if implemented by RPC l list List available targets If possible output will be compressed into a host range see TARGET SPECIFICATION below q query Query plug status of targets If none specified query all targets Status is not cached each time this option is used powermand queries the appropriate RPC s Targets connected to RPC s that could not be contacted e
68. disk has a label etc scripts backup usb check magic If this command returns Magic volume not found then run the following command etc scripts backup usb set magic To save the configuration etc scripts backup usb save config 20May Chapter 15 Advanced Configuration To check if the backup was saved correctly etc scripts backup usb list If this command does not display config 20May then there was an error saving the configuration The set default command takes an input file as an argument and renames it to default opg This default configuration remains stored on the USB disk The next time you want to load the default config it will be sourced from the new default opg file To set a config file as the default etc scripts backup usb set default contig 20May To load this default etc scripts backup usb load default To load any other config file etc scripts backup usb load filename The etc scripts backup usb script can be executed directly with various COMMANDS or called from other custom scripts you may create However it is recommended that you do not customize the etc scripts backup usb script itself at all 15 1 9 Backing up the configuration off box If you do not have a USB on your Console Server you can back up the configuration to an off box file Before backing up you need to arrange a way to transfer the backup off box This could be via an NFS share a Samba Windows share to USB storage
69. e Select Alerts amp Logging SMTP amp SMS Alerts amp Logging SMTP amp SMS Serial amp Network Serial Port SMTP Server Users amp Groups Server Authentication The outgoing mail server address Secure Connection None O TLS O SSL If this server uses a secure connection specify its type Sender The from address which will appear on the sent email Username If this server requires authentication specify the username Password If this server requires authentication specify the password Confirm Re enter the password Subject Line If this server requires a specific subject line specify it here e Inthe SMTP Server field enter the IP address of the outgoing mail Server e You may enter a Sender email address which will appear as the from address in all email notifications sent from this Console Server Many SMTP servers check the sender s email address with the host domain name to verify the address as authentic So it may be useful to assign an email address for the Console Server such as consoleserver2 mydomian com e You may also enter a Username and Password if the SMTP server requires authentication e Similarly you can specify the Subject Line that will be sent with the email e Click Apply to activate SMTP Chapter 7 Alerts and Logging 7 1 2 SMS alerts The Console Server uses email to SMS services to send SMS alert notifications to mobile devices Sending SMS via email using
70. ef Normal 192 168 1 28 90 11 43 23 b 192 168 3 28 Ps Dags h2 b v Normal lise 168 3 37 00 16 46 02 4 hs2 16 168 1 37 SMART SOORMOU paps hz Serial amp Net Serial Por f Pormal 67 173 59 145 7 173 59 TRIPP LITE SMA irm t2 Users amp g i f Normal lisz 168 1 125 00 06 67 20 d 192 168 1 TRIPP LITE SMA inm 12 gt Authentig L A anaia ia A aaea ani E aed ai S Network Alarms 192 168 1 21 Trusted Status Description gt Cascaded A Infa Dathan fias 2 Yane Aid Manual Conventions This manual uses different fonts and typefaces to show specific actions Note Text presented like this indicates issues to take note of Text presented like this highlights important issues and it is essential you read and take head of these warnings e Text presented with a bullet point indent indicates an action you should take as part of the procedure Bold text indicates text that you type or the name of a screen object e g a menu or button on the Management Console Italic text is also used to indicate a text command to be entered at the command line level Chapter 1 Introduction Publishing history Date Revision Update details January 2009 09 Initial draft February 2009 January 2010 Add BO95 004 003 Console Server and Firmware 3 0 1 features January 2011 Firmware 3 3 2 features March 2011 Support for additional USB ports and 16GB internal flash in BO96 016
71. fingerprint which you can use on future connections This fingerprint is related to the host key of the remote server Fingerprints are stored in ssh known_ hosts To receive the fingerprint from the remote server log in to the client as the required user usually root and establish a connection to the remote host ssh remhost The authenticity of host remhost 192 168 0 1 can t be established RSA key fingerprint is 8d 11 e0 e 8a 6f ad f1 94 0Ff 93 fc c e6 ef 56 Are you sure you want to continue connecting yes no Chapter 15 Advanced Configuration At this stage answer yes to accept the key You should get the following message Warning Permanently added remhost 192 168 0 1 RSA to the list of known hosts You may be prompted for a password but there is no need to log in you have received the fingerprint and can press Ctrl C to cancel the connection If the host key changes you will receive the following warning and not be allowed to connect to the remote host COC CC CCOCOCOCECO CCC OCC OCCECOCOCECCOC CCC CCEC WARNING REMOTE HOST IDENTIFICATION HAS CHANGED IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY COC CCC COCOCCCOCCECOCOCCOCOCCC COC COC CCC CCEC Someone could be eavesdropping on you right now man in the middle attack It is also possible that the RSA host key has just been changed The fingerprint for the RSA key sent by the remote host is ab e 33 00d 85 50 5a 43 0b e0 bd 43 3
72. getty program issues a login prompt and then invokes the login program to handle the actual system login Note Selecting Terminal Server mode will disable Port Manager for that serial port so data is no longer logged for alerts etc Chapter 4 Serial Port Device and User Configuration 4 1 6 Serial Bridging Mode With serial bridging the serial data on a nominated serial port on one Console Server is encapsulated into network packets and then transported over a network to a second Console Server where is then represented as serial data So the two Console Servers effectively act as a virtual serial cable over an IP network One Console Server is configured to be the Server The Server serial port to be bridged is set in Console Server mode with either RFC2217 or RAW enabled as described in Chapter 4 1 2 Console Server Mode For the Client Console Server the serial port to be bridged must be set in Bridging Mode Serial Bridge Settings Serial Bridging Mode Create a network connection to a remote serial port via RFC 2217 Server Address The network address of an RFC 2217 server to connect to Server TCP Port The TCP port the RFC 2217 server is serving on RFC 2217 F Enable RFC 2217 access SSH Tunnel a Redirect the serial bridge over an SSH tunnel to the server e Select Serial Bridging Mode and specify the IP address of the Server Console Server and the TCP port address of the remote serial port for RFC2217 bridging
73. http linux die net man 5 powerman dev Once the new RPC support has been built into the PowerMan we will include the updated PowerMan build in a subsequent firmware release The second path is to directly add support for the new RPC devices or to customize the existing RPC device support on your particular Console Server The Manage Power page uses information contained in etc powerstrips xm to configure and control devices attached to a serial port The configuration also looks for and loads etc config powerstrips xm if it exists The user can add their own support for more devices by putting definitions for them into etc config powerstrips xml This file can be created on a host system and copied to the Management Console device using scp Alternatively log in to the Management Console and use ftp or wget to transfer files Here is a brief description of the elements of the XML entries in etc config powerstrips xml lt powerstrip gt lt id gt Name or ID of the device support lt id gt lt outlet port port id 1 gt Display Port 1 in menu lt outlet gt Chapter 15 Advanced Configuration lt outlet port port id 2 gt Display Port 2 in menu lt outlet gt lt on gt script to turn power on lt on gt lt off gt script to power off lt off gt lt cycle gt script to cycle power lt cycle gt lt status gt script to write power status to var run power status lt status gt lt speed gt baud rate lt speed gt lt
74. in certain countries either by patents or by copyrighted interfaces the original copyright holder who places the Program under this License may add an explicit geographical distribution limitation excluding those countries so that distribution is permitted only in or among countries not thus excluded In such case this License incorporates the limitation as if written in the body of this License 9 The Free Software Foundation may publish revised and or new versions of the General Public License from time to time Such new versions will be similar in spirit to the present version but may differ in detail to address new problems or concerns Each version is given a distinguishing version number If the Program specifies a version number of this License which applies to it and any later version you have the option of following the terms and conditions either of that version or of any later version published by the Free Software Foundation If the Program does not specify a version number of this License you may choose any version ever published by the Free Software Foundation 10 If you wish to incorporate parts of the Program into other free programs whose distribution conditions are different write to the author to ask for permission For software which is copyrighted by the Free Software Foundation write to the Free Software Foundation we sometimes make exceptions for this Our decision will be guided by the two goals of preserving the free
75. line when they are telnet or SSH connected to the device To operate the Managed Device must be set up with both its Serial port connection and Power connection configured The command to bring up the power menu is p 192 168 252 202 PuTTY Single Connection This setting limits the port to a single connection so if multiple users have access privileges for a particular port only one user at a time can be accessing that port i e port snooping is not permitted 4 1 3 SDT Mode This setting allows port forwarding of LAN protocols such as RDP VNC HTPP HTTPS SSH and Telnet through to computers which are connected locally to the Console Server by their serial COM port However such port forwarding requires a PPP link to be set up over this serial port SDT Settings SDT Mode 4 Enable access over SSH to a host Username The login name for PPP The default amp porti User Password The login secret for PPP The default i porti Confirm Password Re type the password for confirmation Chapter 4 Serial Port Device and User Configuration Refer to Chapter 6 6 Using SDT Connector to Telnet or SSH connect to devices that are serially attached to the Console Server for configuration details 4 1 4 Device RPC UPS EMD Mode This mode configures the selected serial port to communicate with a serial controlled Uninterruptible Power Supply UPS serial Remote Power Controller Power Distribution Unit RPC or Environmental Mo
76. modifications to this equipment not expressly approved by Tripp Lite could void the user s authority to operate this equipment RoHS This product is ROHS compliant User Notice All information documentation and specifications contained in this manual are subject to change without prior notification by the manufacturer The manufacturer makes no representations or warranties either expressed or implied with respect to the contents hereof and specifically disclaims any warranties as to merchantability or fitness for any particular purpose Any of the manufacturer s software described in this manual is sold or licensed as is Should the programs prove defective following their purchase the buyer and not the manufacturer its distributor or its dealer assumes the entire cost of all necessary servicing repair and any incidental or consequential damages resulting from any defect in the software The manufacturer of this system is not responsible for any radio and or TV interference caused by unauthorized modifications to this device It is the responsibility of the user to correct such interference The manufacturer is not responsible for any damage incurred in the operation of this system if the correct operational voltage setting was not selected prior to operation Please take care to follow the safety precautions below when installing and operating the Console Server e Do not remove the metal covers There are no operator serviceable com
77. my workplace Connect to a business network using dial up or VPN so you can work from home a field office or another location Set up a home or small office network Connect to an existing home or small office network or set up a new one Set up an advanced connection Connect directly to another computer using your serial parallel or infrared port or set up this computer so that other computers can connect to it e Select Connect to the Internet and click Next e On the Getting Ready screen select Set Up My Connection Manually and click Next e On the Internet Connection screen select Connect Using a Dial Up Modem and click Next e Enter a Connection Name any name you choose and the dial up Phone Number that will connect thru to the Console Server modem Chapter 5 Firewall Failover and Out of Band New Connection Wizard Intermet Account Information You will need an account name and password to sign in to your Intemet account Type an ISP account name and password then write down this information and store it ina safe place If you have forgotten an existing account name or password contact your ISP User name Password Confirm password C Use this account name and password when anyone connects to the Intemet from this computer C Make this the default Intemet connection TE e Enter the PPP User Name and Password for have set up for the Console Server 5 1 4 Set up earlier Windows clients for dial in
78. of USB serial and network attached Power Distribution units and UPS units including Network UPS Tool NUT operation and IPMI power control EMD environmental sensor configuration 9 Authentication All access to the Console Server requires usernames and passwords which are locally or externally authenticated 10 Nagios Integration Setting Nagios central management with SDT extensions and configuring the Console Server as a distributed Nagios server 11 System Management Covers access to and configuration of services to be run on the Console Server 12 Status Reports View the status and logs of serial and network connected devices ports hosts power and environment 13 Management Includes port controls and reports that can accessed by Users 14 Basic Configuration Command line installation and configuration using the config command 15 Advanced Config More advanced command line configuration activities where you will need to use Linux commands 16 Thin Client Configuration and use of the thin client and other applications including PowerAlert embedded in the Console Server with PowerAlert BO92 016 product Chapter 1 Introduction Types of users The Console Server supports two classes of users Administrative users Those who will be authorized to configure and control the Console Server and to access and control all the connected devices These administrative users will be set up as members of the admin user group Any user i
79. of the network connection as displayed in Control Panel gt Network Connections Login is the dial in username and password is the dial in password for the connection o To initiate a pre configured dial up connection under Linux use the following Start Command pon network_connection The network_connection in the above is the name of the connection e Enter the command or path to a script to stop the OoB connection in Stop Command o To stop a pre configured dial up connection under Windows use the following Stop Command cmd c start Stopping Out of Band Connection wait min rasdial network_connection disconnect The network_connection in the above is the name of the network connection as displayed in Control Panel gt Network Connections o To stop a pre configured dial up connection under Linux use the following Stop Command poff network_connection Chapter 6 Secure SSH Tunneling amp SDT Connector To make the OoB connection using SDT Connector Select the gateway and click Out Of Band The status bar will change color to indicate this gateway is now being access using the OoB link rather than the primary link G Tripp Lite SDTConnector File Edit Help taze F C 208 64 91 182 Gateway Actions Retrieve Hosts Out of band enabled for Remote When you connect to a service on a host behind the gateway or to the Console Server gateway itself SDT Connector will initiate the OoB connection u
80. or copied off box via the network If backing up directly to off box storage make sure it is mounted tmp is not a good location for the backup except as a temporary location before transferring it off box The tmp directory will not survive a reboot The etc config directory is not a good place either as it will not survive a restore Backup and restore should be done by the root user to ensure correct file permissions are set The config command is used to create a backup tarball config e lt Output File gt The tarball will be saved to the indicated location It will contain the contents of the etc config directory in an uncompressed and unencrypted form Example nfs storage mount t nfs 192 168 0 2 backups mnt config e mnt bO95 config umount mnt Example transfer off box via scp config e tmp b095 config scp tmp bO095 config 192 168 0 2 backups The config command is also used to restore a backup config i lt Input File gt This will extract the contents of the previously created backup to tmp and then synchronize the etc config directory with the copy in tmp One problem that can crop up here is that there is not enough room in tmp to extract files to The following command will temporarily increase the size of tmp mount t tmpfs o remount size 2048k tmpfs var If restoring to either a new unit or one that has been factory defaulted it is important to make sure that the process generating S
81. pe rformed using the upsmon client running on the Slave server See section 8 5 4 for details on setting up upsmon on Slave servers powered by the UPS Note These login credentials are not related to the Users and access privileges you will have configured in Serial amp Networks Users amp Groups If you have multiple UPS s and require them to be This is a positive whole number or 1 Os are shut shut down in a specific order specify the Shutdown Order for this UPS down first then 1s 2s etc 1s are not shut down at all Defaults to O Chapter 8 Power and Environment e Select the Driver that will be used to communicate with the UPS The drop down menu presents a full selection of drivers from the latest Network UPS Tools NUT version 2 2 0 and additional information on compatible UPS hardware can be found at http Awww networkupstools org compat stable html e Click New Options in Driver Options if you need to set driver specific options for your selected NUT driver and hardware combination more details at http www networkupstools org doc Driver Options Option Argument T e Check Log Status and specify the Log Rate i e minutes between samples if you wish the status from this UPS to be logged These logs can be views from the Status UPS Status screen e Check Enable Nagios to enable this UPS to be monitored using Nagios central management e Click Apply You can also customize the upsmon upsd and up
82. powerman target hostnames may be specified as comma separated or space separated hostnames or host ranges Host ranges are of the general form prefix n m k where n lt mand I lt k etc This form should not be confused with regular expression character classes also denoted by For example foo 19 does not represent foot or foo9 but rather represents a degenerate range foo19 This range syntax is meant only as a convenience on clusters with a prefix NN naming convention and specification of ranges should not be considered necessary the list fo01 foo9 could be specified as such or by the range foo 1 9 Chapter 15 Advanced Configuration Some examples of powerman targets Power on hosts bar baz foo01 foo02 fo005 powerman on bar baz foo 01 05 Power on hosts bar foo fo09 fo010 powerman on bar foo 7 9 10 Power on fooO foo4 foo5 powerman on foo 0 4 5 As a reminder to the reader some shells will interpret brackets and for pattern matching Depending on your shell it may be necessary to enclose ranged lists within quotes For example in tcsh the last example above should be executed as powerman on foo 0O 4 5 15 9 2 pmpower The pmpower command is a high level tool for manipulating remote preconfigured power devices connected to the Console Servers either via a serial or network connection pmpower h I device r host o outlet u username p password action N Thi
83. protocols as well as a full strength general purpose cryptography library The project is managed by a worldwide community of volunteers that use the Internet to communicate plan and develop the OpenSSL toolkit and its related documentation OpenSSL is based on the excellent SSLeay library developed by Eric A Young and Tim J Hudson The OpenSSL toolkit is licensed under an Apache style licence which basically means that you are free to get and use it for commercial and non commercial purposes subject to some simple license conditions In the Console Server OpenSSL is used primarily in conjunction with http in order to have secure browser access to the GUI management console across insecure networks More documentation on OpenSSL is available from http www openssl ors docs apps openssl html http www openssl org docs HOWTO certificates txt 15 8 HTTPS The Management Console can be served using HTTPS by running the webserver via ss wrap The server can be launched on request using inetd The HTTP server provided is a slightly modified version of the fnord httpd from http www fefe de fnord The SSL implementation is provided by the ss wrap application compiled with OpenSSL support More detailed documentation can be found at http www rickk com sslwrap If your default network address is changed or the unit is to be accessed via a known Domain Name you can use the following steps to replace the default SSL Certificate and Pr
84. r alerts 14 1 14 SMTP amp SMS To set up an SMTP mail or SMS server with the following details Outgoing server address mail company com Secure connection type SSL Sender John company com Server username john Server password secret Subject line SMTP alerts config s config system smtp server mail company com config s config system smtp encryption SSL can also be TLS or None config s config system smtp sender John companycom config s config system smtp username john config s config system smtp opassword secret config s config system smtp subject SMTP alerts To set up an SMTP SMS server with the same details as above config s config system smtp server2 mail company com config s config system smtp encryption2 SSL can also be TLS or None config s config system smtp sender2 John company com config s config system smtp username2 john config s config system smtp password2 secret config s config system smtp subject2 SMTP alerts The following command will synchronize the live system with the new configuration config a Chapter 14 Command Line Configuration 14 1 15 SNMP To set up the SNMP agent on the device config s config system snmp protocol UDP TCP config s config system snmp trapport port number default is 162 config s config system snmp address NMS IP network address config s config system snmp commnity community name v1 and v2c only c
85. the Console Server and connected serial ports The Administrator can access and configure the Console Server and connected devices using a range of access protocols services and for each such access the particular service must be running with access through the firewall enabled By default HTTP HTTPS Telnet and SSH services are running and these services are enabled on all network interfaces However again by default only HTTPS and SSH access to the Console Server is enabled while HTTP and Telnet access is disabled For other services such as SNMP Nagios NRPE NUT the service must first be started on the relevant network interface using Port Rules refer Chapter 5 7 Then the Services Access can be set to allow or block access To change the access settings e Select the Service Access tab on the System Firewall page This will displays the services currently enabled for the Console Server s network interfaces Depending on the particular Console Server model the interfaces displayed may include o Network interface for the principal Ethernet connection Dial out V90 and cellular modem Dial in internal or external VOO modem WiFi 802 11 wireless OoB Failover second Ethernet connections O O O O O VPN IPSec or Open VPN connection over any network interface e Check uncheck for each network which service access is to be enabled disabled In the example shown below local Administrators on local Network Interfac
86. the mode in which the port is being used These serial port parameters must be set so they match the serial port parameters on the device which is Serial amp Network Serial Port attached to that port Serial amp Network Serial Port Common Settings for Port 1 Users amp Groups Label Baud Rate Cascaded Ports UPS Connections RPC Connections Data Bits Environmental Alerts amp Logging Parity Stop Bits Flow Control Administration Firmware IP Signaling Date amp Time Protocol Dia Cansicac e Select Serial amp Network Serial Port and click Edit e Specify a label for the port Port 1 The serial ports unique identifier 9600 ia The serial ports speed 8 The number of data bits to use None The serial ports parity 1 asan The number of stop bits to use None The flow control method RS232 The electrical signaling on this serial port Consult your manual to determine which protocols are supported for this port e Select the appropriate Baud Rate Parity Data Bits Stop Bits and Flow Control for each port and ensure they match the settings for serial device that is connected The Signaling Protocol is hard configured to be RS232 Note The serial ports are all set at the factory to RS232 9600 baud no parity 8 data bits 1 stop bit and Console Server Mode The baud rate can be changed to 2400 230400 baud using the ma
87. this will be 5001 5048 e By default the bridging client will use RAW TCP so you must select RFC2217 if this is the Console Server mode you have specified on the server Console Server serially connected device COM Port connected e g security appliance control PC e You may secure the communications over the local Ethernet by enabling SSH however you will need to generate and upload keys refer Chapter 14 Advanced Configuration 4 1 8 Syslog In addition to inbuilt logging and monitoring which can be applied to serial attached and network attached management accesses as covered in Chapter 7 Alerts and Logging the Console Server can also be configured to support the remote syslog protocol on a per serial port basis e Select the Syslog Facility Priority fields to enable logging of traffic on the selected serial port to a syslog server and to appropriately sort and action those logged messages i e redirect them send alert email etc Syslog Settings Syslog Facility Defaut M Syslog facility to use on logging messages R Syslog Priority Default v Syslog priority level to use on logging messages Apply For example if the computer attached to serial port 3 should never send anything out on its serial console port the Administrator can set the Facility for that port to JocalO ocalO local7 are meant for site local values and the Priority to critical At this priority if the Console Server syslog server does receive a m
88. to etc config scripts on the Console Server e Open etc config rc local using vi e Add the following line to rc local etc config scripts ping detect 192 168 22 2 bin bash c pmpower I portO1 o 3 cycle amp amp date gt tmp output log amp The above command will cause the ping detect script to continuously ping the host at 192 168 22 2 which is the router If the router crashes it will no longer respond to ping requests If this happens the two commands pmpower and date will run The output from these commands is sent to the file tmp output log so that we have some kind of record The ping detect is also run in the background using the amp Remember the rc ocal script is only run by default when the system boots You can manually run the rc ocal script or the ping detect script if desired The ping detect script The above is just one example of using the ping detect script The idea of the script is to run any number of commands when a specific host stops responding to ping requests Here are details of the ping detect script itself bin sh Usage ping detect HOST COMMANDS This script takes 2 types of arguments hostname IPaddress to ping and the commands to run if the ping fails 5 times in a row This script can only take one host lPaddress per instance Multiple independent commands can be sent to the script The commands will be run one after the other PINGREP is the entire reply from the ping c
89. to use your Console Server to securely monitor access and control the computers networking devices telecommunications equipment power supplies and operating environment in your data center branch office or communications room This manual guides you in managing this infrastructure locally at the rack side or across your operations or management LAN or through the local serial console port and remotely across the Internet private network or via dial up Manual Organization This manual contains the following chapters 1 Introduction An overview of the features of the Console Server and information on this manual 2 Installation Details physical installation of the Console Server and the interconnection of controlled devices 3 System Configuration Describes the initial installation and configuration using the Management Console of the Console Server on the network and the services that will be supported 4 Serial and Network Covers configuring serial ports and connected network hosts and setting up Users and Groups 5 Failover and OoB dial in Describes setting up the high availability access features of the Console Server 6 Secure Tunneling SDT Covers secure remote access using SSH and configuring for RDP VNC HTTP HTTPS etc access to network and serially connected devices T Alerts and Logging Explains the setting up of local and remote event data logs and triggering SNMP and email alerts 8 Power amp Environment Management
90. ubuntu ntp ubuntu com baytech 192 168 754 245 Accessible Port s Gelet Unselect all Ports Cl Port i Port 2 Port 3 Accessible RPC Outlet s gt baytech Select Uinselect all outlets Outlet 1 Outlet 2 Outlet 3 Outlet 4 Outlet 5 Outlet 6 Outlet F Outlet 8 9 1 8 Remote groups with LDAP authentication Unlike RADIUS LDAP has built in support for group provisioning which makes setting up remote groups easier The console server will retrieve a list of all the remote groups that the user is a direct member of and compare their names with local groups on the Console Server Note Any spaces in the group name will be converted to underscores For example in an existing Active Directory setup a group of users may be part of the UPS Admin and Router Admin groups On the Console Server these users will be required to have access to a group Router Admin with access to port 1 connected to the router and another group UPS Admin with access to port 2 connected to the UPS Once LDAP is setup users that are members of each group will have the appropriate permissions to access the router and UPS Currently the only LDAP directory service that supports group provisioning is Microsoft Active Directory Support is planned for OpenLDAP at a later time To enable group information to be used with an LDAP server e Complete the fields for standard LDAP authentication including LDAP Server Address Server Password
91. w u c Ping define command command_name command _line define service port log server server generic service check port log tripplite_nrpe_daemon_dep tripplite server Port Log NRPE Daemon check_ping via_tripplite USER1 check_nrpe H 192 168 254 147 p 5666 c host_ping SHOSTNAME service_description Host Ping host_name server use generic service check_command check ping via_tripplite Chapter 10 Nagios Integration define service service_description host ping server host_name server use generic service check_command check _ping via_tripplite active checks enabled O passive_checks_ enabled 1 define servicedependency name tripplite_nroe_daemon_ dep host_name tripplite dependent_host_name server dependent service description Host Ping service_description NRPE Daemon execution _failure_criteria w u c J SSH Port define command command _ name check_conn_via_tripplite command line USER1 check_nrpe H 192 168 254 147 p 5666 c host SHOSTNAME ARG1 _ ARG2 define service service_description SSH Port host_name server use generic service check_command check_conn_via_tripplite tcp 22 define service service_description host port tcp 22 server host port lt protocol gt lt port gt lt host gt host_name server use generic service check_command check_conn_via_tripplite tcp 22 active checks enabled O passive_checks_ enabled 1 define servicede
92. window alarm Logging enabled yes Log interval 120 seconds config s config ports port3 enviro name Envi4 config s config ports port3 enviro description Monitor in room 5 config s config ports port3 enviro offsets temp 2 config s config ports port3 enviro offsets humid 5 config s config ports port3 enviro alarms alarm1 alarmstate on config s config ports port3 enviro alarms alarm1 label door alarm config s config ports port3 enviro alarms alarm2 alarmstate on config s config ports port3 enviro alarms alarm2 label window alarm config s config ports port3 enviro alarms total 2 config s config ports port3 enviro log enabled on config s config ports port3 enviro log interval 120 It is important to assign alarms total 2 even if they are off The following 5 commands will add the environmental monitor to Managed devices To get the total number of managed devices config g config devices total Make sure to use the total 1 for the new device below config s config devices device5 connections connection1 name Envi4 config s config devices device5 connections connection1 type EMD Unit config s config devices device5 name Envi4 config s config devices device5 description Monitor in room 5 config s config devices total 5 The following command will synchronize the live system with the new configuration config a 14 1 11 Managed Devices To add a managed device also see
93. with a default IP Address 192 168 0 1 Subnet Mask 255 255 255 0 e Directly connect a computer to the Console Server Note For initial configuration it is recommended that the Console Server be connected directly to a single PC or computer However if you choose to connect your LAN before completing the initial setup steps it is important that o you ensure there are no other devices on the LAN with an address of 192 168 0 1 o the Console Server and the computer are on the same LAN segment with no interposed router appliances 3 1 1 Connected computer set up To configure the Console Server with a browser the connected computer should have an IP address in the same range as the Console Server for example 192 168 0 100 e To configure the IP Address of your Linux or Unix computer simply run ifconfig e For Windows PCs Win9x Me 2000 XP Vista 7 NT e Click Start gt Settings gt Control Panel and double click Network Connections for 95 98 Me double click Network e Right click on Local Area Connection and select Properties e Select Internet Protocol TCP IP and click Properties e Select Use the following IP address and enter the following details o IP address 192 168 0 100 o Subnet mask 255 255 255 0 e If you want to retain your existing IP settings for this network connection click Advanced and Add the above as a secondary IP connection e If it is not convenient to change your computer network address you can use the
94. 016 Console Server with PowerAlert 2 x Cable UTP Cat5 blue ma m Connector la l DB9F RJ45S straight and DB9F RJ45S cross over AC power cable Quick Start Guide and CD ROM e Unpack your Console Server and verify you have all the parts shown above and that they all appear in good working order e If you are installing your Console Server in a rack you will need to attach the rack mounting brackets supplied with the unit and install the unit in the rack Take care to heed the Safety Precautions listed earlier e Proceed to connect your BO92 016 to the network to the serial and USB ports of the controlled devices to any rack side LCD console or KVM switch and to power as outlined below 2 1 3 Kit components B095 004 1E and B095 003 1E M Console Server BO95 004 1E 4 port Console Server with single NIC or BO95 003 1E M 3 port Console Server with single NIC and modem 2 x Cable UTP Cat5 blue Connectors iz DB9F RJ45S straight and cross over External power supply C Quick Start Guide and CD ROM e Unpack your Console Server kit and verify you have all the parts shown above and that they all appear in good working order e Ifyou are installing your Console Server in a rack you will need to attach the rack mounting brackets supplied with the unit and install the unit in the rack Take care to head the Safety Precautions e Proceed to connect your Console Server to the network to the serial ports of the controlle
95. 016 provides rackside control of computers networking telecom power and other managed devices via serial USB or IP over the LAN This chapter provides instructions on configuring the thin clients and using them locally and remotely The thin clients can be controlled from the rack side using a direct monitor keyboard mouse connected to the BO92 016 or remotely using a VNC connection from the remote user to the BO92 016 16 1 Local Client Service Connections These client connections first need to be configured e Select Connect Add Delete Edit on the control panel q Favorites p Remote Control Citrix ICA PowerSlert Console Serial Browser WYNE SSH ROP AddiDeletevEqit rg Favorites E Remote Control IPMl Serial Over LAN RDP T Add Delete Edit Save Cancel e For each new Host you add you will be asked to enter a Label enter a descriptive name and a Hostname enter the IP Address or DNS Name of the new network connected Host and possibly a Username enter the name you will use to log in to the Host e Once a Host has been added you can select Edit and update the commands that will be executed in connecting the service to the existing Host dit SSH Menu Entry MO X Lahel SG580 Command rst e ssh l bob 19 16 Cancel Chapter 16 Thin Client e The sixteen seri
96. 1 this is the Console Server s network loopback address and enter Loopback in Description Remove all entries under Permitted Services and select TCP and enter 200n in Port This configures the Telnet port enabled in the previous step so for Port 2 you would enter 2002 Click Add then scroll to the bottom and click Apply Administrators by default have gateway and serial port access privileges however for Users to access the gateway and the serial port you will need to give those Users the required access privileges Select Users amp Groups from Serial amp Network Click Add User Enter a Username Description and Password Confirm Select 127 0 0 1 from Accessible Host s and select Port 2 from Accessible Port s Click Apply Chapter 6 Secure SSH Tunneling amp SDT Connector 6 5 SDT Connector OoB Connection SDT Connector can also be set up to connect to the Console Server via out of band OoB OoB access uses an alternate path for connecting to the Console Server i e not the one used for regular data traffic OOB access is useful when the primary link into the gateway is unavailable or unreliable Typically a Console Server s primary link is a broadband Internet connection or Internet connection via a LAN or VPN and the secondary out of band connectivity is provided by a dial up or wireless modem directly attached to the gateway So out of band access enables you to access the hosts and serial devices on the network diagnos
97. 1 cgi bin yourscript cgi where 192 168 0 1 is the IP address of the Console Server and yourscript cgi is the name of the script There is a useful tutorial on creating a bash script CGI at http www yolinux com TUTORIALS LinuxTutorialCgiShellScript html Similarly the Master maintains a view of the status of the Slaves e Select Status Support Report e Scroll down to Processes e Look for bin ssh MN o ControlPath var run cascade h Slavename These are the Slaves that are connected Note The end of the Slaves names will be truncated so the first 5 characters must be unique Alternatively you can write a custom CGI script as described above The currently connected Slaves can be determined by running Is var run cascade and the configured Slaves can be displayed by running config g8 config cascade Slaves 15 12 SMS Server Tools Console Servers include the SMS Server Tools software which provides an SMS Gateway which can send and receive short messages through GSM modems and mobile phones You can send short messages by simply storing text files into a special spool directory The program monitors this directory and sends new files automatically It also stores received short messages into another directory as text files Binary messages including Unicode text are also supported for example ring tone messages It s also possible to send a WAP Push message to the WAP MMS capable mobile phone The program can be run as a SMS daemon
98. 12 1 Port Access and Active Users 12 2 Statistics 12 3 Support Reports 12 4 Syslog 12 5 Dashboard 12 5 1 Configuring the Dashboard 12 5 2 Creating custom widgets for the Dashboard Management 13 1 Device Management 13 2 Port and Host Log Management 13 3 Terminal Connection 13 3 1 Web Terminal 13 3 2 SDTConnector access 13 4 Power Management 13 5 Remote Console Access BO92 016 only Configuration from the Command Line 14 1 Accessing config from the command line 14 1 1 Serial Port configuration 14 1 2 Adding and removing Users 14 1 3 Adding and removing user Groups 14 1 4 Authentication 14 1 5 Network Hosts 14 1 6 Trusted Networks 14 1 7 Cascaded Ports 14 1 8 UPS Connections 14 1 9 RPC Connections 14 1 10 Environmental 14 1 11 Managed Devices 14 1 12 Port Log 14 1 13 Alerts 14 1 14 SMTP amp SMS 14 1 15 SNMP 14 1 16 Administration 14 1 17 IP settings 14 1 18 Date amp Time settings 14 1 19 Dial in settings 14 1 20 DHCP server 14 1 21 Services 14 1 22 NAGIOS 14 2 General Linux command usage 154 154 155 156 157 158 159 161 161 161 162 162 163 163 165 166 166 166 166 166 168 168 169 170 170 T72 175 176 177 178 179 179 180 181 182 182 183 184 186 187 187 187 188 188 189 190 190 191 Table of Contents Advanced Configuration 15 1 15 1 1 15 1 2 15 1 3 15 1 4 Tal 15 1 6 TSL 15 1 8 13 1 9 15 2 15 2 1 15 2 2 15 3 15 3 1 15 3 2 15 4 1
99. 25 3 5 Communications Software 28 3 5 1 SDT Connector 28 3 5 2 PUTTY 28 35 SSHTerm 29 3 6 Management Network Configuration 30 3 6 1 Enable the Management LAN 30 3 6 2 Configure the DHCP server 31 3 6 3 Select Failover or broadband OOB 32 3 6 4 Bridging the network ports 33 Table of Contents Serial Port Host Device amp User Configuration 34 4 1 Configuring Serial Ports 34 4 1 1 Common Settings 35 4 1 2 Console Server Mode 36 4 1 3 SDT Mode 39 4 1 4 Device RPC UPS EMD Mode 40 4 1 5 Terminal Server Mode 40 4 1 6 Serial Bridging Mode 41 4 1 8 Syslog 41 4 2 Add Edit Users 42 4 3 Authentication 44 4 4 Network Hosts 44 4 5 Trusted Networks 45 4 6 Serial Port Cascading 46 4 6 1 Automatically generate and upload SSH keys 46 4 6 2 Manually generate and upload SSH keys 4T 4 6 3 Configure the slaves and their serial ports 48 4 6 4 Managing the slaves 48 4 7 Serial Port Redirection 49 4 1 1 Install VirtualPort client 49 4 1 2 Configure the VirtualPort client 50 4 1 3 To remove a configured port 92 4 1 4 Configure the remote serial device connection 52 4 8 Managed Devices 53 4 9 IPsec VPN 54 4 9 1 Enable the VPN gateway 54 4 10 OpenVPN 56 4 10 1 Enable the OpenVPN 57 4 10 2 Configure as Server or Client 58 4 10 3 Windows OpenVPN Client and Server set up 60 Firewall Failover amp OoB 64 5 1 OoB Dial In Access 64 5 14 Configure dial in PPP 65 34 2 Using SDT Connector client for dial in 66 5 173 Set up Windows XP 2003 Vista 7 clien
100. 5 Advanced Configuration H lt address gt Remote server address can be an IP address or hostname This option is required for lan and lanplus interfaces lt interface gt Selects IPMI interface to use Supported interfaces that are compiled in and visible in the usage help output L lt privivi gt Force session privilege level Can be CALLBACK USER OPERATOR ADMIN Default is ADMIN m lt ocal_address gt Set the local IPMB address The default is Ox20 and there should be no need to change it for normal operation 0 lt oemtype gt Select OEM type to support This usually involves minor hacks in place in the code to work around quirks in various BMCs from various manufacturers Use o list to see a list of current Supported OEM types p lt port gt Remote server UDP port to connect to Default is 623 P lt password gt Remote server password is specified on the command line If supported it will be obscured in the process list Note Specifying the password as a command line option is not recommended t lt target_address gt Bridge IPMI requests to the remote target address U lt username gt Remote server username default is NULL user V Increase verbose output level This option may be specified multiple times to increase the level of debug output If given three times you will get hexdumps of all incoming and outgoing packets V Display version information If no password method is specified then ipm
101. 5 5 15 5 1 150 2 15 5 4 15 99 15 6 15 6 1 15 6 2 15 6 3 15 6 4 15 6 5 15 6 6 15 6 7 15 6 8 15 7 15 8 15 8 1 15 8 2 15 8 3 15 8 4 15 9 159 1 T5 9 2 15 9 3 15 10 15 11 15 12 15 13 Custom Scripting Custom script to run when booting Running custom scripts when alerts are triggered Example script Power cycling on pattern match Example script Multiple email notifications on each alert Deleting configuration values from the CLI Power cycle any device upon a ping request failure Running custom scripts when a configurator is invoked Backing up the configuration and restoring using a local USB stick Backing up the configuration off box Advanced Portmanager Portmanager commands External Scripts and Alerts Raw Access to Serial Ports Access to serial ports Accessing the console modem port IP Filtering SNMP Status Reporting and Traps Retrieving status information using SNMP Check firewall rules etc config snmpd conf Adding multiple remote SNMP managers Secure Shell SSH Public Key Authentication SSH Overview Generating Public Keys Linux Installing the SSH Public Private Keys Clustering Installing SSH Public Key Authentication Linux Generating public private keys for SSH Windows Fingerprinting SSH tunneled serial bridging SDT Connector Public Key Authentication Secure Sockets Layer SSL Support HTTPS Generating an encryption key Generating a self signed certificate with OpenSSL Installin
102. 9 EST 2010 0 days 19 hours 55 mins 3 secs IP Configuration en eth0 Link encap Ethernet HWaddr 00 13 C6 00 52 8F tp ke Log inet addr 192 168 0 1 Bcast 192 168 0 255 Mask 255 255 255 0 a e i inet addr fe80 213 c6ff fe00 528f 64 Scope Link SNMP UP BROADCAST RUNNING MULTICAST MTU 1500 Metric 1 RX packets 2235 errors 0 dropped 0 overruns 0 frame 0 TX packets 2407 errors 0 dropped 0 overruns 0 carrier 0 l collisions 0 txqueuelen 1000 Administration IK T a ee Ga oe eee E A a a OE Pach amaa am e Select Status Support Report and you will be presented with a status snapshot e Save the file as a text file and attach it to your support email 12 4 Syslog The Linux System Logger in the Console Server maintains a record of all system messages and errors e Select Status Syslog The syslog record can be redirected to a remote Syslog Server e Enter the remote Syslog Server Address and Syslog Server Port details and click Apply The console maintains a local Syslog To view the local Syslog file e Select Status Syslog Serial amp Network Serial Port Users amp Groups Authentication Network Hosts Trusted Networks IPsec VPN OpenVPN Cascaded Ports UPS Connections RPC Connections Environmental Managed Devices Alerts amp Logging Port Log Alerts SMTP amp SMS SNMP Administration SSL Certificates Configuration Backup Firmware
103. A PRIVATE KEY MIIEogIBAAKCAQEA yIPGsNf5 a0LnPUMa nujXXPGiQGyD3b79 KZg3UZ4MjzZI525sCy opv4TJTvTK6esQlvt GYTByUdl 7Z5C3sSLF8046Go ssh rsa AAAAB3NzaC 1 yc2Efg4 tG HIAAA name clientt ssh dss AAAAB3NzaZr OV01C8gdgz XDg name client2 id_dsa pub id _rsa pub More documentation on OpenSSH can be found at http openssh org portable html http www openbsd org cgi bin man cgi query ssh amp sektion 1 http www openbsd org cgi bin man cgi query sshd 15 6 5 Generating public private keys for SSH Windows This section describes how to generate and configure SSH keys using Windows First create a new user from the Console Server Management Console the following example uses a user called testuser making sure it is a member of the users group If you do not already have a public private key pair you can generate them now using ssh keygen PuTTYgen or a similar tool PulTTYgen http www chiark greenend org uk sgtatham putty download html OpenSSH http www openssh org OpenSSH Windows http sshwindows sourceforge net download For example using PulTTYgen make sure you have a recent version of the puttygen exe available from http www chiark greenend org uk sgtatham putty download html Make sure you have a recent version of WinSCP available from http winscp net eng download php To generate a SSH key using PuTTY http sourceforge net docs FO2 clients e Execute the PUTTYGEN EXE
104. Administrators and Users e Access and control authorized devices e View serial port logs and host logs for those devices e Use SDT Connector or the Web Terminal to access serially attached consoles e Power control 13 1 Device Management To display all the connected Serial devices Network Hosts and Power devices e Select Manage Devices By selecting the Serial Network Power item the display will be reduced to only those devices Serial amp Network Serial Port Network Serial Power Users amp Groups Authentication Type Device Actions Network Hosts Trusted Networks Cascaded Ports e UPS Connections 192 168 254 204 Dell 2003 Server RPC Connections Environmental 192 168 254 100 Linux Server 192 168 1 52 Dell 2003 Server DRAC Alerts amp Logging Lo Port Lag 192 168 1 53 Dell 2003 Server BMC Alerts SMTP amp SMS SNMP 192 168 254 30 HP 2003 Server 192 168 1 35 HP 2003 Server iLO2 Administration Firmware 4 IP gt Port 1 PowerEdge Console Linux Ral Date amp Time Dial gp Pot2 Sa Services DHCP Server gt Port 3 HP 2003 Server Eg The user can take a range of actions on each of these Serial Network Power devices by selecting the Action icon or the related Manage menu item Selecting the Manager Power icon or the Manage Power menu is covered in Chapter 8 13 2 Port and Host Log Management
105. Administrators and Users can view logs of data transfers to connected devices e Select Manage Port Logs and the serial Port to be displayed e To display Host logs select Manage Host Logs and the Host to be displayed 13 3 Terminal Connection There are two methods available for accessing the console server command line and devices attached to the console server serial ports directly from a web browser e The Web Terminal service uses AJAX to enable the web browser to connect to the console server using HTTP or HTTPS as a terminal without the need for additional client installation on the user s PC e The SDT Connector service launches a pre installed SDT Connector client on the user s PC to establish secure SSH access then uses pre installed client software on the client PC to connect to the console server Web browser access is available to users who are a member of the admin or users groups 13 3 1 Web Terminal The AJAX based Web Terminal service may be used to access the console server command line or attached serial devices Note Any communication using the Web Terminal service using HTTP is unencrypted and not secure The Web Terminal connects to the command line or serial device using the same protocol that is being used to browse to the Management Console i e if you are browsing using an https URL this is the default the Web Terminal connects using HTTPS Chapter 13 Management 13 3 1 1 Web Terminal to Command Line To e
106. B9 Pin DEFINITION TXD 3 Transmitted Data RXD 2 Received Data RTS T Request To Send CTS 8 Clear To Send DSR 6 Data Set Ready GND 5 Signal Ground CD 1 Received Line Signal Detector DTR 4 Data Terminal Ready RI 9 Ring Indicator FEMALE MALE l 1 9 pin DBY So Ree Serial Port Connectivity Connectors included in Console Server The BO92 016 Console Server with PowerAlert and the BO96 048 016 Console Server Management Switch ship with a cross over and a straight RJ45 DB9 connector for connecting to other vendor s products WIRING TABLE DE oF RJ45 RTS i RTS DSR 2 DSR Ts DB9F RJ45S straigh OG a eel Straight connector RxD 5 mn TXD i 5 TXD GND 5 s GND DTR d DTR CTs 8 8 TS Ril J WIRING TABLE DESF RJ45 CTs 8 i RTS DTR 4 2 DSR Ege DTR d j DCD E DB9F RJ45S cross over connector TxD 3 RxD RAD t c 3 TAD GND sg GND DSR 6 oF DTR DCD I F DTR RTS 7 f CTS Rl License Agreement Appendix C End User License Agreements READ BEFORE USING THE ACCOMPANYING SOFTWARE YOU SHOULD CAREFULLY READ THE FOLLOWING TERMS AND CONDITIONS BEFORE USING THE ACCOMPANYING SOFTWARE THE USE OF WHICH IS LICENSED FOR USE ONLY AS SET FORTH BELOW IF YOU DO NOT AGREE TO THE TERMS AND CONDITIONS OF THIS AGREEMENT DO NOT USE THE SOFTWARE IF YOU USE ANY PART OF THE SOFTWARE SUCH USE WILL INDICATE THAT YOU ACCEPT THESE TERMS You have acquired a product that includes Tripp Lite Tripp Lite propr
107. Band Link encap Ethernet HWaddr 00 13 C6 00 52 8F inet addr 192 168 0 1 Bcast 192 168 0 255 Mask 255 255 255 0 inet6 addr fe80 213 c6ff fe00 528f 64 Scope Link UP BROADCAST RUNNING MULTICAST MTU 1500 Metric 1 RX packets 1989 errors 0 dropped 0 overruns 0 frame 0 TX packets 2134 errors 0 dropped 0 overruns 0 carrier 0 collisions 0 txqueuelen 1000 Interrupt 12 Memory 1fff8000 1fff80ff Link encap Ethernet HWaddr 00 13 C6 00 52 8F inet addr 192 168 250 110 Bcast 192 168 250 255 Mask 255 255 255 0 UP BROADCAST RUNNING MULTICAST MTU 1500 Metric 1 Interrupt 12 Memory 1fff8000 1fffS0ff Link encap Local Loopback inet addr 127 0 0 1 Mask 255 0 0 0 Chapter 12 Status Reports 12 3 Support Reports The Support Report provides useful status information that will assist the Tripp Lite technical support team to resolve any issues you may experience with your Console Server If you do experience an issue and have to contact Support ensure you include the Support Report with your email support request The Support Report should be generated when the issue is occurring and attached in plain text format Status Support Report Serial amp Network Serial Port Firmware Version Users amp Groups Authentication Network Hosts Trusted Networks IPsec VPN OpenVPN Uptime Cascaded Ports UPS Connections RPC Connections Environmental Managed Devices TrippLite B095 Version 3 3 2 Wed Dec 22 16 14 2
108. Click the Allow other users checkbox to allow remote users to view and control your desktop Sharing ft aah F Allow other users to wiew your desktop a E Allow other users te control your desktop Users can view your desktop using this command Yocviewer hoopoe 0 Security Wher a user bies to view or control your desktos A if ASK yal for confirmation i Require he user lo enter this password Pas gord TTI ELLI Chapter 6 Secure SSH Tunneling amp SDT Connector e To set up a persistent VNC server on Red Hat Enterprise Linux 4 o Seta password using vncpasswd Edit etc sysconfig vncservers Enable the service with chkconfig vncserver on Start the service with service vncserver start Edit home username vnc xstartup if you want a more advanced session than just twm and an xterm O O O O C For Macintosh servers and clients OSXvnc http www redstonesoftware com vnce html is a robust full featured VNC server for Mac OS X that allows any VNC client to remotely view and or control Mac OS X machine OSXvnc is supported by Redstone Software D Most other operating systems Solaris HPUX PalmOS etc either come with VNC bundled or have third party VNC software that you can download 6 9 2 Install configure and connect the VNC Viewer VNC is truly platform independent so a VNC Viewer on any operating system can connect to a VNC Server on any other operating system There are Viewers and Servers from a wide sele
109. Connector gateway For each gateway you can manually specify the network connected hosts that will be accessed through that Console Server and for each host specify the services that will used in communicating with the host e Select the newly added gateway and click the Host icon to create a host that will be accessible via this gateway Alternatively select File New Host 5 nasco sa EE New SDT Host Host Address Services HTTP Telnet SSH VNC RDP Dell RAC Dell Server Administrator Dell IT Assistant SOL IBM RSA II IBM Director IBM AMM HP iLO 2 VMWare Server _ Tripp Lite NetCommander Tripp Lite NetDirector KVM Vision Viewer Descriptive Name Description Notes e OK Cancel e Enter the IP or DNS Host Address of the host if this is a DNS address it must be resolvable by the gateway e Select which Services are to be used when accessing the new host A range of service options are pre configured in the default SDT Connector client RDP VNC HTTP HTTPS Dell RAC VMWare etc However if you wish to add new services to the range then proceed to the next section Adding a new service then return here e Optionally you can enter a Descriptive Name for the host to be displayed instead of the IP or DNS address as well as any Notes or a Description of this host such as its operating system release or anything special about its configuration e Click OK Chapter 6 Secure SSH Tunneling
110. Console Server up as a host and then configuring the appropriate services e Launch SDT Connector on your computer Assuming you have already set up the Console Server as a Gateway in your SDT Connector client with username password etc select this newly added Gateway and click the Host icon to create a host Alternatively select File New Host e Enter 127 0 0 1 as the Host Address and give some details in Descriptive Name Notes Click OK Sy Edit SDT Host eS Host Address 127 0 0 1 Services 7 HTTP J HTTPS J Telnet 7 SSH VNC RDP Dell RAC Dell Server Administrator Dell IT Assistant SOL IBM RSA II IBM Director IBM AMM HP iLO 2 VMWare Server TCP Port 1494 Serial 2 SSH Serial 2 Telnet Serial 3 SSH Serial 3 Telnet Serial 4 SSH Serial 4 Telnet TCP Port 903 Descriptive Name Local Host Description Notes Manual entry connections to the console server itself i e E E ey OK 96 Cancel e Click the HTTP or HTTPS Services icon to access the gateway s Management Console and or click SSH or Telnet to access the gateway command line console Note To enable SDT access to the gateway console you must now configure the Console Server to allow port forwarded network access to itself e Browse to the Console Server and select Network Hosts from Serial amp Network Click Add Host and in th
111. DU outlet details if applicable and any UPS connections Devices such as servers will commonly have more than one power connections e g dual power supplied and more than one network connection e g for BMC service processor All users can view but not edit these Managed Device connections by selecting Manage Devices The Administrator can edit and add delete these Managed Devices and their connections To edit an existing device and add a new connection e Select Edit on the Serial amp Network Managed Devices and click Add Connection e Select the connection type for the new connection Serial Network Host UPS or RPC and then select the specific connection from the presented list of configured unallocated hosts ports outlets Serial amp Network Managed Devices Serial amp Network Serial Port Add a New Device Users amp Groups ner ada ate Device Name Authentication Network Hosts A descriptive name for this device Trusted Networks Cascaded Ports Description Notes k nob agin A brief description of the device Environmental Managed Devices Alerts amp Logging Connections Add Connection Administration Apply To add a new network connected Managed Device e The Administrator adds a new network connected Managed Device using Add Host on the Serial amp Network Network Host menu This automatically creates a corresponding new Managed Device as covered in Sect
112. E NO LIABILITY FOR COSTS LOSS DAMAGES OR LOST OPPORTUNITY OF ANY TYPE WHATSOEVER INCLUDING BUT NOT LIMITED TO LOST OR ANTICIPATED PROFITS LOSS OF USE LOSS OF DATA OR ANY INCIDENTAL EXEMPLARY SPECIAL OR CONSEQUENTIAL DAMAGES WHETHER UNDER CONTRACT TORT WARRANTY OR OTHERWISE ARISING FROM OR IN CONNECTION WITH THIS EULA OR THE USE OR PERFORMANCE OF THE SOFTWARE IN NO EVENT SHALL TRIPPLITE BE LIABLE FOR ANY AMOUNT IN EXCESS OF THE LICENSE FEE PAID TO TRIPPLITE UNDER THIS EULA SOME STATES AND COUNTRIES DO NOT ALLOW THE LIMITATION OR EXCLUSION OF LIABILITY FOR INCIDENTAL OR CONSEQUENTIAL DAMAGES SO THIS LIMITATION MAY NOT APPLY TO YOU License Agreement JSch License SDT Connector includes code from JSch a pure Java implementation of SSH2 JSch is licensed under BSD style license and it is Copyright c 2002 2003 2004 Atsuhiko Yamanaka JCraft Inc All rights reserved Redistribution and use in source and binary forms with or without modification are permitted provided that the following conditions are met 1 Redistributions of Source code must retain the above copyright notice this list of conditions and the following disclaimer 2 Redistributions in binary form must reproduce the above copyright notice this list of conditions and the following disclaimer in the documentation and or other materials provided with the distribution 3 The names of the authors may not be used to endorse or promote products derived from this soft
113. EMD Adapter and standard CAT5 cable The EMD is powered over this serial connection and communicates using a custom handshake protocol It is not an RS232 device and should not be connected without the adapter p The EMD can be used only with a appliances Select Environmental as the Plug the RJ plug on the EMD Adapter model BO90 EMD ADP into RJ45 Port on the EMD model BO90 EMD Then connect the Console Server serial port to the RJ45 port of the EMD Adapter using the provided UTP cable If the 6 foot 2 meter UTP cable provided with the EMD is not long enough it can be replaced with a standard Cat5 UTP cable up to 33 feet 1Ometers in length Tripp Lite NOO2 series cables Screw the bare wires on any smoke detector water detector vibration sensor open door sensor or general purpose open close status sensors into the terminals on the EMD o BO90 WLS Console Server Water Leak Sensor o BO90 DCS Console Server Door Contact Sensor o BO90 VS Console Server Vibration Sensor o BO90 SD 110 Console Server Smoke Detector 110V o BO90 SD 220 Console Server Smoke Detector 220V Console Server and cannot be connected to standard RS232 serial ports on other Device Type in the Serial amp Network Serial Port menu for the port to which the EMD is to be attached No particular Common Settings are required Click Apply Device Settings Device Type configured Select the Serial amp Network Environmental v Spe
114. HCP Server Nagios Configure Dashboard Port Access Active Users Statistics Support Report RPC Status Environmental Status Dashboard Devices Port Logs Host Logs Power Terminal Service Access Service Access Services HTTP Web Management HTTPS Web Management Telnet command shell SSH command shel Telnet direct to serial ports SSH direct to serial ports RAW TCP access to serial ports RFC 2217 access to serial ports Unauthenticated telnet access to serial ports Nagios NRPE daemon NUT UPS monitoring daemon SNMP daemon TFTP Server NTP Server Respond to ICMP echos Enable Web Terminal Alternate Telnet Base Alternate SSH Base Alternate Raw TCP Base Alternate RFC 2217 Base Alternate Unauthenticated Telnet Base Apply Port Forwarding Port Rules Network Wireless Dialout Cellular Interface Network Dial in Forwarding amp Masquerading Allow web browser access to the system command line shell via Manage gt Terminal A secondary TCP port range for Telnet access to serial ports Th amp in addition to the default port 2000 A secondary TCP port range for SSH access to serial ports This amp in addition to the default port 3000 A secondary TCP port range for Raw TCP access to serial ports This amp in addition to the default port 4000 A secondary TCP port range for RFC 2217 access to serial ports Thi
115. Host Name E Name of this system in Nagios Generated fram System Name If unspecified Nagios Hast i Address Address for Nagios to find this device at Defaults te Network I IP if set Nagios Server Address Address of the upstream server Disable SOT Nagios d Extensions Don t show sdti links in service status SDT Gateway Address External address of this system shown in sdti links Qefautts te Wegies Host Adarass Prefer NRPE Use MRPE instead of NSCA whenever possible Defaults to prefer MSCA e Enter the Nagios Host Name that the Console Server will be referred to in the Nagios central server this will be generated from local System Name entered in System Administration if unspecified e In Nagios Host Address enter the IP address or DNS name that the upstream Nagios server will use to reach the Console Server if unspecified this will default to the first network port s IP as entered in System IP e In Nagios Server Address enter the IP address or DNS name that the Console Server will use to reach the upstream Nagios monitoring server e Check the Disable SDT Nagios Extensions option if you wish to disable the SDT Connector integration with your Nagios server at the head end this would only be checked if you want to run a vanilla Nagios monitoring e lf not enter the IP address or DNS name the SDT Nagios clients will use to reach the Console Server
116. Hosts Common name The full canonical name for this device Trusted Networks SE IPsec VPN i OpenVPN The group overseeing this device Cascaded Ports mo UPS Connections Aha RPC Connections The name of the organization to which the device belongs Environmental Managed Devices Locality City Alerts amp Logging The City where the organization is located Port Log State Province Alerts ka amp SMS The State or Province where the organization is located IV Country AD The country where the organization is located Administration SSL Certificates Email Configuration Backup Firmware The email address of a contact person for this device IP Date amp Time ee Dial asswor i Firewall An optional dependant on CA password DHCP Server x Nagios ala d Configure Dashboard a I O Ports Confirmation of the challenge password Key Length 512 bits ml Length of generated key in bits Port Access Active Users Statistics Generate CSR Chapter 9 Authentication To do this the Console Server must be enabled to generate a new cryptographic key and the associated Certificate Signing Request CSR that needs to be certified by a Certification Authority CA A certification authority verifies that you are the person who you claim you are and signs and issues a SSL certificate to you To create and install a SSL certificate for the Console
117. J45 jacks are used for serial connections Before connecting the console port of an external device to the Console Server serial port confirm that the device supports standard RS 232C EIA 232 The Console Server also has a DB9 LOCAL Console Modem port This DB 9 connector is on the rear panel of the BO92 016 Console Server and on the front panel of the BO96 048 016 Console Server Management Switch D J mon amp wn 2 5 USB Port Connection The BO96 048 016 Console Server Management Switch has one USB 1 0 port on the front panel and two USB 2 0 ports on the rear External USB devices can be plugged into these USB ports Note The BO96 048 016 Console Server Management Switch ships with an internal 16GB USB memory which can be used for extended log file storage There are four USB 2 0 ports on the rear panel of the BO92 016 Console Server and one USB2 0 port located under the RJ45 10 100 LAN connector on the BO95 004 003 Console Server These ports are used to connect to USB consoles of managed UPS hardware and to other external devices Such as a USB memory stick or keyboard External USB devices including USB hubs can be plugged into any Console Server USB port 2 6 Rackmount Console KVM Connection B092 016 only BO92 016 Console Server with PowerAlert can be connected directly to a rackmount console such as BO21 000 17 or BO21 019 by Tripp Lite to provide direct local management right at the rack Connect the rackmount
118. No Managed Devices have been configured Alerts amp Logging Environmental Status Port Activity Alerts SMTP amp SMS SNMP System Port Active Users No Environmental Connections have been configured 12 5 1 Configuring the Dashboard Only users who are members of the admin group and the root user can configure and access the dashboard To configure a custom dashboard e Select System Configure Dashboard and select the user or group you are configuring this custom dashboard layout for Note You can configure a custom dashboard for any admin user or for the admin group or you can reconfigure the default dashboard The Status Dashboard screen is the first screen displayed when admin users other than root log into the console manager If you log in as John and John is member of the admin group and there is a dashboard layout configured for John then you will see the dashboard for John on log in and each time you click on the Status Dashboard menu item If there is no dashboard layout configured for John but there is an admin group dashboard configured then you will see the admin group dashboard instead If there is no user dashboard or admin group dashboard configured then you will see the default dashboard The root user does not have its own dashboard The above configuration options are intended to enable admin users to setup their own custom dashboards Chapter 12 Status Reports The Das
119. Now select the Failover Interface to be used in the event of an outage on the main network This can be o an second Ethernet connection on the BO96 048 016 or o the BO96 048 016 internal modem or o an external serial modem ISDN device connected to the Console Server e Click Apply You have selected the failover method However it is not active until you have specified the external sites to be probed to trigger failover and set up the failover ports themselves This is covered in Chapter 5 Note The second Ethernet port on the BO96 048 016 can be configured as either a Management LAN gateway port or it can be configured as an OoB Failover port but not both So ensure you did not configure this port as the Management LAN on the System IP menu Chapter 3 Initial System Configuration 3 6 4 Bridging the network ports By default the BO96 048 016 Console Server s Management LAN network port can only be accessed using SSH tunneling port forwarding or by establishing an IPsec VPN tunnel to the Console Server However the network ports on the Console Servers can be bridged System IP Serial amp Network Serial Port Network Interface Management LAN Interface General Settings Users amp Groups Authentication Network Hosts General Settings Trusted Networks E idani nable Bridging IPsec VPN OpenVPN Bridge between all interfaces Cascaded Ports UPS Connections Enable IPv6 RPC Connections Enable IP
120. P IP ports for the various access services that Users and Administrators can use to access devices attached to serial ports as covered in Chapter 4 Configuring Serial Ports The Administrator can also set alternate ranges for these services and these secondary ports will then be used in addition to the defaults The default TCP IP base port address for telnet access is 2000 and the range for telnet is IP Address Port 2000 serial port i e 2001 2048 So if the Administrator were to set 8000 as a secondary base for telnet then serial port 2 on the Console Server can be telnet accessed at IP Address 2002 and at IP Address 8002 The default base for SSH is 3000 for Raw TCP is 4000 and for RFC2217 it is 5000 RAW You can also specify that serial port devices can be accessed from nominated network interfaces using Raw TCP Direct direct Telnet SSH unauthenticated Telnet services etc e Click Apply As you apply your services selections the screen will be updated with a confirmation message Message Changes to configuration succeeded Chapter 3 Initial System Configuration Serial amp Network Serial Port Users amp Groups Authentication Network Hosts Trusted Networks IPsec VPN OpenVPN Cascaded Ports UPS Connections RPC Connections Environmental Managed Devices Alerts amp Logging Administration SSL Certificates Configuration Backup Firmware D
121. PKI X 509 Certificates or select Custom Configuration to upload custom configuration files Custom configurations must be stored in etc config Note If you select PKI public key infrastructure you will need to establish e Separate certificate also known as a public key This Certificate File will be a crt file type e Private Key for the server and each client This Private Key File will be a key file type e Master Certificate Authority CA certificate and key which is used to sign each of the server and client certificates This Root CA Certificate will be a crt file type For a server you may also need dh1024 pem Diffie Hellman parameters Refer http openvpn net easyrsa html for a guide to basic RSA key management For alternative authentication methods see http openvpn net index php documentation howto html auth For more information also see http openvpn net howto html e Check or uncheck the Compression button to enable or disable compression respectively Chapter 4 Serial Port Device and User Configuration 4 10 2 Configure as Server or Client e Complete the Client Details or Server Details depending on the Tunnel Mode selected o If Client has been selected the Primary Server Address will be the address of the OpenVPN Server o If Server has been selected enter the IP Pool Network address and the IP Pool Network mask for the IP Pool The network defined by the IP Pool Network address mask is used to provid
122. PN OpenVPN Cascaded Ports UPS Connections RPC Connections Environmental Managed Devices Device Name Connections Alerts amp Logging Port Log Alerts SMTP amp SMS SNMP Add a New Device Description Notes Add Connection Administration SSL Certificates Configuration Backup Apply CommsRoom Air A descriptive name for this device Air conditioner back room A brief description of the device RPC CommsRoom_PDU Outlet 1 Delete Serial x Port 2 Delete Note The Management Console has support for a number of network and serial PDU s If your PDU is not on the default list it is simple to add support for more devices This is covered in Chapter 14 Advanced Configurations IPMI service processors and BMCs can be configured so all authorized users can use the Management Console to remotely cycle power and reboot computers even when their operating system is unresponsive To set up IPMI power control the Administrator first enters the IP address domain name of the BMC or service processor e g a Dell DRAC in Serial amp Network Network Hosts Then in Serial amp Network RPC Connections the Administrator specifies the RPC Type to be IPMI1 5 or 2 0 Chapter 8 Power and Environment 8 1 2 RPC alerts You can now set PDU and IPMI alerts using Alerts amp Logging Alerts refer to Chapter 7 8 1 3 RPC status You can monitor the c
123. RE Dimensions BO96 016 BO96 048 17 x 12 x 1 75 in 43 2 x 31 3 x 4 5 cm BO92 016 17 x 6 7 x 1 75 in 44 x 17 x 4 5 cm BO95 004 BO95 003 4 1x3 4x1 1 in 10 3 x 8 7 x 2 8 cm Weight BO96 016 BO96 048 11 8 Ibs 5 4 kg BO92 016 8 5 Ib 3 9 kg BO95 004 BO95 003 2 2 Ibs 1 0 kg Ambient operating temperature Non operating storage temperature Humidity Power Serial Port Connectivity Appendix B Serial Port Connectivity Pinout standards exist for both DB9 and DB25 connectors However there are not pinout standards for serial connectivity using RJ45 connectors Many Console Servers and serially managed servers router switches PSUs have adopted their own unique pinout so custom connectors and cables may be required to interconnect your Console Server In an endeavor to create some move to standardization Tripp Lite Console Server products all use the same RJ45 pinout convention as adopted by Cisco SUN and others Serial Port Pinout The 16 48 RJ45 connectors on the BO92 016 Console Server with PowerAlert and the BO96 048 016 Console Server Management Switch have the following pinout hie _ SIGNAL DEFINITION DIRECTION l hee Clear To Send 2 Data Set Ready a D 5 DTR TS X z Signal Ground 6 7 TE Signal Ground g Transmit Data DR Data Terminal Ready Output Request To Send Output The LOCAL console modem port on the Console Server uses a standard DB9 connector as tabled below SIGNAL D
124. S authentication 9 1 3 RADIUS authentication 9 1 4 LDAP authentication 9 5 RADIUS TACACS user configuration 9 1 6 Group support with remote authentication 9 1 7 Remote groups with RADIUS authentication 9 1 8 Remote groups with LDAP authentication 9 2 PAM Pluggable Authentication Modules 9 3 Secure Management Console Access 9 4 SSL Certificate Nagios Integration 10 1 Nagios Overview 10 2 Central management and setting up SDT for Nagios 10 2 1 Setup central Nagios server 10 2 2 Setup distributed Console Servers 10 3 Configuring Nagios distributed monitoring 10 3 1 Enable Nagios on the Console Server 10 3 2 Enable NRPE monitoring 10 3 3 Enable NSCA monitoring 10 3 4 Configure selected Serial Ports for Nagios monitoring 10 3 5 Configure selected Network Hosts for Nagios monitoring 10 3 6 Configure the upstream Nagios monitoring host 10 4 Advanced Distributed Monitoring Configuration 10 4 1 Sample Nagios configuration 10 4 2 Basic Nagios plug ins 10 4 3 Additional plug ins 115 115 115 117 117 118 119 119 121 122 123 123 124 125 126 127 127 128 128 128 129 130 131 T31 132 132 133 135 136 137 139 139 140 140 141 143 144 144 145 146 147 148 149 149 152 152 Table of Contents System Management 11 1 System Administration and Reset 11 2 Upgrade Firmware 11 3 Configure Date and Time 11 4 Configuration Backup 11 5 Delayed Configuration Commit 11 6 FIPS Mode Status Reports
125. SER1 check_nrpe H 192 168 254 147 p 5666 define service service_description NRPE Daemon host_name tripplite use generic service check_command check_nrpe_daemon Serial Status define command command _namecheck serial_status command line USER1 check_nrpe H 192 168 254 147 p 5666 c check _serial_ HOSTNAME define service service_description Serial Status host_name server use generic service check_command check_serial_status define service service_description serial signals server host_name server use generic service check_command check_serial_ status Chapter 10 Nagios Integration active checks enabled O passive_checks_ enabled 1 define servicedependency name host_name dependent_host_name dependent_service_description service_description execution _failure_criteria w u c Port Log define command command_name command _line tripplite_nroe_daemon_ dep tripplite server Serial Status NRPE Daemon check port log USER1 check_nrpe H 192 168 254 147 p 5666 c port log SHOSTNAME define service service_description Port Log host_name server use generic service check_command check_port log define service service_description host_name use check_command active checks enabled O passive_checks_ enabled 1 define servicedependency name host_name dependent_host_name dependent _service_description service_description execution _failure_criteria
126. SH Authorized Key e Click Apply The next step is to Fingerprint each new Slave Master connection This once off step will validate that you are establishing an SSH session to who you think you are On the first connection the Slave will receive a fingerprint from the Master which will be used on all future connections e To establish the fingerprint first log in the Master server as root and establish an SSH connection to the Slave remote host ssh remhost Once the SSH connection has been established you will be asked to accept the key Answer yes and the fingerprint will be added to the list of known hosts For more details on Fingerprinting refer Chapter 15 6 e lf you are asked to supply a password then there has been a problem with uploading keys The keys should remove any need to supply a password Chapter 4 Serial Port Device and User Configuration 4 6 3 Configure the slaves and their serial ports You can now begin setting up the Slaves and configuring Slave serial ports from the Master Console Server Serial amp Network Cascaded Ports Serial Port IP Address DNS Name Description Label Number of Locally Allocated sers amp Groups Ports Port Numbers A iecmuniagienctaien No slaves currently configured Network Hosts Trusted Networks Add Slave Cascaded Parts e Select Serial amp Network Cascaded Ports on the Masters Management Console e To add clustering support select Add Slave Note You will
127. SH keys is either stopped or completed before restoring configuration If this is not done then a mix of old and new keys may be put in place As SSH uses these keys to avoid man in the middle attacks logging in may be disrupted Chapter 15 Advanced Configuration 15 2 Advanced Portmanager The portmanger program manages the Console Server serial ports It routes network connection to serial ports checks permissions and monitors and logs all the data flowing to from the ports 15 2 1 Portmanager commands pmshell The pmshell command acts similar to the standard tio or cu commands but all serial port access is directed via the portmanager Example To connect to port 8 via the portmanager pmshell I port08 pmshell Commands Once connected the pmshell command supports a subset of the escape commands that tip cu support For SSH you must prefix the escape with an additional command i e use the escape Send Break Typing the character sequence b will generate a BREAK on the serial port if you re doing this over ssh you ll need to type b History Typing the character sequence h will generate a history on the serial port Quit pmshell Typing the character sequence will exit from pmshell Set RTS to 1 run the command pmshell rts 1 Show all signals pmshell signals DSR 1 DTR 1 CTS 1 RTS 1 DCD O Read a line of text from the serial port pmshell getline pmchat The pmchat
128. Server e Select System SSL Certificate and fill out the fields as explained below Common name This is the network name of the Console Server once it is installed in the network usually the fully qualified domain name It is identical to the name that is used to access the Console Server with a web browser without the http prefix In case the name given here and the actual network name differ the browser will pop up a security warning when the Console Server is accessed using HTTPS Organizational Unit This field is used for specifying to which department within an organization the Console Server belongs Organization The name of the organization to which the Console Server belongs Locality City The city where the organization is located State Province The state or province where the organization is located Country The country where the organization is located This is the two letter ISO code e g DE for Germany or US for the USA Note the country code has to be entered in CAPITAL LETTERS Email The email address of a contact person that is responsible for the Console Server and its security Challenge Password Some certification authorities require a challenge password to authorize later changes on the certificate e g revocation of the certificate The minimal length of this password is 4 characters Confirm Challenge Password Confirmation of the Challenge Password Key length This is the length of the generated key in b
129. Servers NSCA is the mechanism that allows you to send passive check results from the remote Console Server to the Nagios daemon running on the monitoring server To enable NSCA NSCA NSCA Enabled Schedule check ins with the NSCA server NSCA Encryption None v Type of encryption NSCA Secret Password for NSCA NSCA Confirm Re enter password for NSCA NSCA Interval 4354 Check in frequency in minutes NSCA Port Port to connect to Defaults to 5667 NSCA User User to run as Defaults to nsca NSCA Group Group to run as Defaults to nobody Apply e Select System Nagios and check NSCA Enabled e Select the Encryption to be used from the drop down menu then enter a Secret password and specify a check Interval e Refer the sample Nagios configuration section below for some examples of configuring specific NSCA checks Chapter 10 Nagios Integration 10 3 4 Configure selected Serial Ports for Nagios monitoring The individual Serial Ports connected to the Console Server to be monitored must be configured for Nagios checks Refer to Chapter 4 4 Network Host Configuration for details on enabling Nagios monitoring for Hosts that are network connected to the Console Server To enable Nagios to monitor a device connected to the Console Server serial port e Select Serial amp Network Serial Port and click Edit on the serial Port to be monitored e Select Enable Nagios specify the name of the device on the upstream server and de
130. System IP menu select the Management LAN Interface page and click the Disabled label in the DHCP Server field or go to the System DHCP Server menu and check Enable DHCP Server System DHCP Server Serial amp Network Serial Port Network Interface Management LAN Interface Users amp Groups Authentication x Network Hosts Network DHCP Server Settings Subnet 192 168 0 0 255 255 255 0 Trusted Networks IPsec VPN a OpenVPN Enable DHCP Server Cascaded Ports UPS Connections Gateway RPC Connections Environmenta Managed Devices The Default Gateway to assign Use interface address as Sieur 3 Bake Alerts amp Logging gateway Use this interface as the DHCP Gateway Port Log z Alerts Primary DNS i Ssk aiii The primary DNS to assign Secondary DNS p er The secondary DNS to assign SSL Certificates Configuration Backup Firmware IP Date amp Time Default Lease Dial Firewall The Default Lease Time DHCP Server Nagios Maximum Lease Configure Dashboard Domain Name The Domain Name to assign The Maximum Lease Time Status TEES Port Access Apply Active Users Statistics Syslog UPS Status Pool Start Pool End RPC Status Environmental Status Power Supply Status er Dashboard Add No address pools currently allocated Reserved Addresses Manage Devices IP Address Host Name HW Address
131. TION TO THE WARRANTY PERIOD SET FORTH ABOVE AND THIS WARRANTY EXPRESSLY EXCLUDES ALL INCIDENTAL AND CONSEQUENTIAL DAMAGES Some states do not allow limitations on how long an implied warranty lasts and some states do not allow the exclusion or limitation of incidental or consequential damages so the above limitations or exclusions may not apply to you This Warranty gives you specific legal rights and you may have other rights which vary from jurisdiction to jurisdiction Tripp Lite 1111 W 35th Street Chicago IL 60609 USA or safe for the use intended Since individual applications are subject to great variation the manufacturer makes WARNING The individual user should take care to determine prior to use whether this device is suitable adequate no representation or warranty as to the suitability or fitness of these devices for any specific application Warranty Registration Visit www tripplite com warranty today to register the warranty for your new Tripp Lite product You ll be automatically entered into a drawing for a chance to win a FREE Tripp Lite product No purchase necessary Void where prohibited Some restrictions apply See website for details WARNING Use of this equipment in life support applications where failure of this equipment can reasonably be expected to cause the failure of the life support equipment or to significantly affect its safety or effectiveness is not recommended Do not use this equipment in
132. The pattern to separate fields with default is Prompt user for a value Hash the value then save it in id Chapter 14 Command Line Configuration The registered configurators are alerts nagios auth power cascade serialconfig console services dhcp slave dialin systemsettings eventlog time hosts ups ipaccess users ipconfig There are three ways to delete a config element value The simplest way is use the delete node script detailed later in Chapter 15 You can also assign the config element to or delete the entire config node using d bin config d element name All passwords are saved in plaintext except the user passwords and the system passwords which are encrypted Note The config command does not verify whether the nodes edited added by the user are valid This means that any node may be added to the tree If a user were to run the following command bin config s config fruit apple sweet The configurator will not complain but this command is clearly useless When the configurators are run to turn the config xml file into live config they will simply ignore this lt fruit gt node Administrators must make sure of the spelling when typing config commands Incorrect spelling for a node will not be flagged Most configurations made to the XML file will be immediately active To make sure that all configuration changes are active especially when editing user passwords run all the configurators
133. VM Console Server Remote Control Users amp Groups Authentication Network Hosts Trictad Naturnrkec Launch Standard VNC Remote Control using VNC on port 5900 e Click Standard VNC Remote control and a VNC Java applet will be loaded into your browser to connect to the BO92 016 Console Server Then log in to the VNC applet and the Console Server refer to Chapter 16 3 for more details Remote Control Disconnect Options Clipboard Send Ctril Alt Del Refresh Chapter 14 Command Line Configuration For those who prefer to configure their Console Server at the Linux command line level rather than use a browser and the Management Console this chapter describes using command line access and the config tool to manage the Console Server and configure the ports etc This config documentation in this chapter walks thru command line configuration to deliver the functions provided otherwise using the Management Console GUI For advanced and custom configurations and for details using other tools and commands refer to the next chapter When displaying a command the convention used in the rest of this chapter is to use single quotes for user defined values e g descriptions and names Element values without single quotes must be typed exactly as shown After the initial section on accessing the config command the menu items in this document follow the same structure as the menu items in the web GUI 14 1
134. a simple GUI interface for basic set up as described below However for more detailed information on configuring Openswan IPsec at the command line and interconnecting with other IPsec VPN gateways and road warrior IPsec software refer http wiki openswan org 4 9 1 Enable the VPN gateway e Select IPsec VPN on the Serial amp Networks menu e Click Add and complete the Add IPsec Tunnel screen e Enter any descriptive name you wish to identify the IPsec Tunnel you are adding such as WestStOutlet VPN Chapter 4 Serial Port Device and User Configuration Serial amp Network IPsec VPN Serial amp Network Serial Port Users amp Groups Authentication Network Hosts Trusted Networks IPsec VPN OpenVPN Cascaded Ports UPS Connections RPC Connections Environmental Managed Devices Alerts amp Logging Port Log Alerts SMTP amp SMS SNMP Administration SSL Certificates Configuration Backup Firmware IP Date amp Time Dial Firewall DHCP Server Nagios Configure Dashboard Port Access Active Users Statistics Support Report Syslog UPS Status RPC Status Environmental Status Power Supply Status Dashboard Manage Devices Port Logs Host Logs Power Terminal Add IPsec Tunnel Tunnel Name Authentication Method Generate Keys Authentication Protocol
135. able Dial Out Access box and enter the access details for the remote PPP server to be called Note Both SSH and HTTPS access is enabled for dial out failover do the administrator can SSH or HTTPS connect to the console server and its Managed Devices and fix the problem Chapter 5 Firewall Failover and Out of Band Dial Out Settings Failover Enable Dial Out 7 Allow outgoing modem communication on this port Phone Number The Phone Number to call when dialing out to provide failover Username The user to dial as Password The secret to use when authenticating the user Confirm Re enter the user s password for confirmation Custom Modem Initialization An optional AT command sequence to initialize the modem Ignore Dial Tone Do not wait for dial tone before dialing Override DNS Override returned DNS Servers Use the following DNS Servers instead of the PPP provided servers DNS Server 1 The Primary DNS Server DNS Server 2 The Secondary DNS Server Override DNS is available for PPP Devices such as modems Override DNS allows the use of alternate DNS servers from those provided by your ISP For example an alternative DNS may be required for OpenDNS used for content filtering e To enable Override DNS check the Override returned DNS Servers box Enter the IP of the DNS servers into the Spaces provided Note By default the Console Server supports automatic failure recovery back to the original state prior to failov
136. access to host To give another user called Peter access to the same host config s config sdt hosts host5 users user2 Peter config s config sdt hosts host5 users total 2 total number of users having access to host To edit any of the user element values use the same approach as when adding user elements i e use the s parameter If any of the config elements do not exist they will automatically be created To delete the user called John use the delete node script delete node config users user2 The following command will synchronize the live system with the new configuration config r users Chapter 14 Command Line Configuration 14 1 3 Adding and removing User Groups The Console Server is configured with a few default user groups even though only two of these groups are visible in the Management Console GUI To find out how many groups are already present config g config groups total Assume this value is six Make sure to number any new groups you create from seven onwards To add a custom group to the configuration with Group name Group Group description MyGroup and Port access 1 5 you d issue the commands config s config groups group name Group config s config groups group description MyGroup config s config groups total 7 config s config groups group portl on config s config groups group ports on Assume we have an RPC device connected to port 1 on the con
137. ach of these users e Authentication this is covered in more detail in Chapter 9 e Network Hosts configuring access to local network connected computers or appliances hosts e Configuring Trusted Networks nominate specific IP addresses that trusted users access from e Cascading and Redirection of Serial Console Ports e Connecting to Power UPS PDU and IPMI and Environmental Monitoring EMD devices e Serial Port Redirection using the VirtualPort windows and Linux clients e Managed Devices presents a consolidated view of all the connections e IPSec enabling VPN connection 4 1 Configuring Serial Ports To configure a serial port you must first set the Common Settings Chapter 4 1 1 that are to be used for the data connection to that port e g baud rate and the mode the port is to operate in Each port can be set to support one of five operating modes i Console Server Mode Chapter 4 1 2 is the default setting and enables general access to the serial console port on serially attached devices li Device Mode Chapter 4 1 3 sets the serial port up to communicate with an intelligent serial controlled PDU UPS or Environmental Monitor Devices EMD iii SDT Mode Chapter 4 1 4 enables graphical console access with RDP VNC HTTPS etc to hosts that are serially connected iv Terminal Server Mode Chapter 4 1 5 sets the serial port to await an incoming terminal login session v Serial Bridge Mode Chapter 4 1 6 ena
138. ager opens the port Otherwise any setup you do with stty will get lost when the portmanager opens the port the reason that portmanager sets things back to its config rather than using whatever is on the port is so the port is in a known good state and will work no matter what things are done to the serial port outside of portmanager 15 3 2 Accessing the console modem port The console dial in is handled by mgetty with automatic PPP login extensions mgetty is a smart getty replacement designed to be used with Hayes compatible data and data fax modems mgetty knows about modem initialization manual modem answering So your modem doesn t answer if the machine isn t ready UUCP locking So you can use the same device for dial in and dial out mgetty provides very extensive logging facilities All standard mgetty options are supported Modem initialization strings e To override the standard modem initialization string either use the Management Console refer Chapter 5 or the command line config tool refer Dial In Configuration Chapter 14 Enabling Boot Messages on the Console e If you are not using a modem on the DB9Y console port and instead wish to connect to it directly via a Null Modem cable you may want to enable verbose mode allowing you to see the standard linux start up messages This can be achieved with the following commands bin config set config console debug on bin config run console reboot e If at so
139. al ports are pre configured by default in Console Server mode for the BO96 016 BO96 048 Console Server Management Switch or in UPS PowerAlert mode for the BO92 016 Console Server with PowerAlert product To change these settings select Configure which will load the local Firefox browser and run the Management Console You can then reconfigure the serial ports as detailed in Chapter 4 y Favorites E Remote Control Disconnect Options Clipboard Send Ctri Alt Del Refresh ay Configure Connect Logs e Status Ea Custom m system TrippLite Management Console Mozilla Firefox F X File Edit Miew History Bookmarks Tools Help E fy E http 27 0 0 1 8181 7form serialconfig amp action edit amp ports 1 Bra IGJ Googie a E System Name 1092 0 Model Number BOS2 01 TRIPP LITE Firmware Rev u1 Current User ror Up time days 1 hours 46 mi 45 ecs POWER PROTECTION a a Serial amp Network gt Serial Port Common Settings for Port 1 Users amp Groups Label Pon Authentication E EAE a Nation Hosts The serial ports unique identifier Trusted Networks Baud Rate a600 Cas rt Cascaded Parts The serial ports speed UPS Connections RPC Connections Data Bits 8 x F Environmental The number of data bits to use Parity Nanna Ge x 16 1 1 Connect Serial Terminal e Select Connect Serial on the control panel and click on th
140. ally or network attached devices TACACS The Terminal Access Controller Access Control System TACACS security protocol is a recent protocol developed by Cisco It provides detailed accounting information and flexible administrative control over the authentication and authorization processes TACACS allows for a single access control server the TACACS daemon to provide authentication authorization and accounting services independently Each service can be tied into its own database to take advantage of other services available on that server or on the network depending on the capabilities of the daemon There is a draft RFC detailing this protocol Further information on configuring remote TACACS servers can be found at the following sites http Awww cisco com en US tech tk59 technologies_tech_noteOQ9186a0080094e99 shtml http www cisco com en US products sw secursw ps4911 products_user_guide_chapterO9186a0Q0800eb6d6 html http cio cisco com univercd cc td doc product software ios113ed 113ed_cr secur_c scprt2 sctplus htm Chapter 9 Authentication 9 1 3 RADIUS authentication Perform the following procedure to configure the RADIUS authentication method to be used whenever the Console Server or any of its serial ports or hosts is accessed e Select Serial and Network Authentication and check RADIUS or LocalRADIUS or RADIUSLocal or RADIUSDownLocal RADIUS Authentication and Authorisation P TN Temer Addres Comma seper
141. anager will cause it to re read its configuration file 15 2 2 External Scripts and Alerts The portmanager has the ability to execute external scripts on certain events When a port is opened by the portmanager e When the portmanager opens a port it attempts to execute etc config scripts portxx init where XX is the number of the port e g 08 The script is run with STDIN and STDOUT both connected to the serial port e Ifthe script cannot be executed then portmanager will execute etc config scripts portxXx chat via the chat command on the serial port When an alert occurs on a port e When an alert occurs on a port the portmanager will attempt to execute etc config scripts portxX alert where XX is the port number e g 08 e The script is run with STDIN containing the data which triggered the alert and STDOUT redirected to dev null NOT to the serial port If you wish to communicate with the port use pmshell or pmchat from within the script e f the script cannot be executed then the alert will be mailed to the address configured in the system administration section When a user connects to any port e Ifa file called etc config pmshell start sh exists it is run when a user connects to a port It is provided 2 arguments the Port number and the Username Here is a simple example lt etc config omshell start sh gt bin sh PORT 1 USER 2 echo Welcome to port PORT USER lt etc config omshell st
142. ang en and click the Download button This software package will install the client portion of Remote Desktop on Windows 95 Windows 98 and 98 Second Edition Windows Me Windows NT 4 0 Windows 2000 and Windows 2003 When run this software allows these older Windows platforms to remotely connect to a computer running Windows XP Professional or Windows 2003 Server B On a Linux or UNIX client computer e Launch the open source rdesktop client rdesktop u windows user id p windows password g 1200x950 ms windows terminal server host name option description _ Color depth 8 16 24 Device redirection i e Redirect sound on remote machine to local device i e O r sound MS Windows 2003 a Geometry widthxheight or 70 screen percentage e Use p to receive password prompt e You can use GUI front end tools like the GNOME Terminal Services Client tsclient to configure and launch the rdesktop client Using tsclient also enables you to store multiple configurations of rdesktop for connection to many servers Chapter 6 Secure SSH Tunneling amp SDT Connector Terminal Server Client Logon Settings E Type the name of the computer or choose a computer fromthe drop down list Computer Protocol User Name Password Domain Client Hostname B e l ea es C9 Note The rdesktop client is supplied with Red Hat 9 0 e rpm ivh rdesktop 1 2 0 1 i386 rom For Red Hat 8 0 or other distr
143. apter 14 Advanced Chapter 4 Serial Port Device and User Configuration 4 6 Serial Port Cascading Cascaded Ports enables you to cluster distributed Console Servers so that a large number of serial ports up to 1000 can be configured and accessed through one IP address and managed through the one Management Console One Console Server the Master controls other Console Servers as Slave units and all the serial ports on the Slave units appear as if they are part of the Master Each Slave connects to the Master with an SSH connection using public key authentication So the Master accesses each Slave using an SSH key pair rather than using passwords ensuring secure authenticated communications So the Slave Console Server units can be distributed locally on a LAN or remotely over public networks around the world 4 6 1 Automatically generate and upload SSH keys To set up public key authentication you must first generate an RSA or DSA key pair and upload them into the Master and Slave Console Servers This can all be done automatically from the Master e Select System Administration on Master s Management Console e Check Generate SSH keys automatically and click Apply Serial amp Network Generating each set of keys will require approximately two minutes Any old keys of that type will be destroyed Functions relying on SSH keys e g Cascading may stop functioning until they are updated with the new set of keys If unsure select
144. art sh gt e The return value from the script controls whether the user is accepted or not if O is returned or nothing is done on exit as in the above script the user is permitted otherwise the user is denied access e Here is a more complex script which reads from configuration to display the port label if available and denies access to the root user lt etc config omshell start sh gt bin sh PORT 1 USER 2 LABEL config g config ports port PORT label cut f2 d if USER root then echo Permission denied for Super User exit 1 fi if z LABEL then echo Welcome USER you are connected to Port PORT Chapter 15 Advanced Configuration else echo Welcome USER you are connected to Port PORT LABEL fi lt etc config omshell start sh gt 15 3 Raw Access to Serial Ports 15 3 1 Access to serial ports You can use tip and stty to completely bypass the portmanager and have raw access to the serial ports When you run tip on a portmanager controlled port portmanager closes that port and stops monitoring it until tip releases control of it With stty the changes made to the port only stick until that port is closed and opened again So it is doubtful that people will want to use stty for more than initial debugging of the serial connection If you want to use stty to configure the port you can put stty commands in etc config scripts portxxX init which gets run whenever portman
145. assphrase again Your identification has been saved in home user ssh id_ rsa dsa Your public key has been saved in home user ssh id_ rsa dsa pub The key fingerprint is 28 4a 29 38 ba 40 f4 11 5e 3f d4 fa e5 36 14 d6 user server It is advisable to create a new directory to store your generated keys It is also possible to name the files after the device they will be used for For example mkdir keys ssh keygen t rsa Generating public private rsa key pair Enter file in which to save the key nome user ssh id_rsa home user keys control_room Enter passphrase empty for no passphrase Enter same passphrase again Your identification has been saved in home user keys control_ room Your public key has been saved in home user keys control_room pub The key fingerprint is 28 4a 29 38 ba 40 74 11 5e 3f d4 fa e5 36 14 d6 user server You should ensure there is no password associated with the keys If there is a password then the Console Servers will have no way to supply it as runtime 217 Chapter 15 Advanced Configuration Authorized Keys If the Console Server selected to be the server will only have one client device then the authorized_keys file is simply a copy of the public key for that device If one or more devices will be clients of the server then the authorized_keys file will contain a copy of all of the public keys RSA and DSA keys may be freely mixed in the authorized_keys file For example
146. assword to a server where they are compared with a table of authorized users Whilst most common PAP is the least secure of the authentication options CHAP Challenge Handshake Authentication Protocol CHAP is used to verify a user s name and password for PPP Internet connections It is more secure than PAP the other main authentication protocol MSCHAPv2_ Microsoft Challenge Handshake Authentication Protocol MSCHAP is authentication for PPP connections between a computer using a Microsoft Windows operating system and a network access server It is more secure than PAP or CHAP and is the only option that also supports data encryption e Console Servers all support dial back for additional security Check the Enable Dial Back box and enter the phone number to be called to re establish an OoB link once a dial in connection has been logged 5 1 2 Using SDT Connector client for dial in Administrators can use their SDT Connector client to set up secure OoB dial in access to all their remote Console Servers With a point and click you can initiate a dial up connection Refer to Chapter 6 5 5 1 3 Set up Windows XP 2003 Vista 7 client for dial in e Open Network Connections in Control Panel and click the New Connection Wizard New Connection Wizard Network Connection Type Ne do you want to do Connect to the Intemet Connect to the Intemet so you can browse the Web and read email Wizard New Connection Connect to the network at
147. at etc config filter custom containing commands to build a specialized firewall This firewall script will be run whenever the LAN interface is brought up including initially and will override any automated system firewall settings Below is a simple example of a custom script which creates a firewall using the iptables command Only incoming connections from computers on a C class network 192 168 10 0 will be accepted when this script is installed at etc config filter custom Note that when this script is called any preexisting chains and rules have been flushed from iptables bin sh Set default policies to drop any incoming or routable traffic and blindly accept anything from the 192 168 10 0 network iptables policy FORWARD DROP iptables policy INPUT DROP iptables policy OUTPUT ACCEPT Allow responses to outbound connections back in iptables append INPUT match state state ESTABLISHED RELATED jump ACCEPT Explicitly accept any connections from computers on 192 168 10 0 24 iptables append INPUT source 192 168 10 0 24 jump ACCEPT There s good documentation about using the iptables command at the Linux netfilter website http netfilter org documentation index html There are also many high quality tutorials and HOWTOs available via the netfilter website in particular peruse the tutorials listed on the netfilter HOWTO page Chapter 15 Advanced Configuration 15 5 SNMP Status Repor
148. ated list of remote authentiction and authorisation servers Accounting Server Address Comma seperated list of remote accounting servers If unset Authentication and Authorisation Server Address will be used Server Password The shared secret allowing access to the authentication server Confirm Password Re enter the above password for confirmation e Enter the Server Address IP or host name of the remote Authentication Authorization server Multiple remote servers may be specified in a comma separated list Each server is tried in Succession e In addition to multiple remote servers you can also enter for separate lists of Authentication Authorization servers and Accounting servers If no Accounting servers are specified the Authentication Authorization servers are used instead e Enter the Server Password e Click Apply RADIUS remote authentication will now be used for all user access to Console Server and serially or network attached devices RADIUS The Remote Authentication Dial In User Service RADIUS protocol was developed by Livingston Enterprises as an access server authentication and accounting protocol The RADIUS server can support a variety of methods to authenticate a user When it is provided with the username and original password given by the user it can support PPP PAP or CHAP UNIX login and other authentication mechanisms Further information on configuring remote RADIUS servers can be found a
149. atures Turn Windows features on or off To turn a feature on select its check box To turn a feature off clear its check box A filled box means that only part of the feature is turned on 7 JA SNMP feature i Subsystem for UNIX based Applications WI Tablet PC Optional Components v Telnet Client Telnet Server TFTP Client M Windows DFS Replication Service Wi Windows Fax and Scan V Windows Meeting Space Windows Process Activation Service WM Windows Ultimate Extras Cancel Note In Console Server mode Users and Administrators can use SDT Connector to set up secure Telnet connections that are SSH tunneled from their client computers to the serial port on the Console Server with a simple point and click To use SDT Connector to access consoles on the Console Server serial ports configure the SDT Connector with the Console Server as a gateway then as a host Now enable Telnet service on Port 2000 serial port i e 2001 2048 Refer to Chapter 6 for more details on using SDT Connector for Telnet and SSH access to devices attached to the Console Server serial ports You can also use standard communications packages like PuTTY to set a direct Telnet or SSH connection to the serial ports refer Note below Note PuTTY also supports Telnet and SSH The procedure to set up a Telnet session is simple Enter the Console Server s IP address as the Host Name or IP address Select Telnet
150. ay warnings and send warning e mails pager or SMS alerts when a service failure or degradation is detected e Assign contact groups who are responsible for specific services in specific time frames Chapter 10 Nagios Integration 10 2 Central management and setting up SDT for Nagios The Nagios solution has three parts the Central Nagios server Distributed Console Servers and the SDT for Nagios software Central Nagios Server D Distributed console servers Central Nagios server e A vanilla Nagios 2 x or 3 x installation typically on a Linux server e Generally running on a blade PC virtual machine etc at a central location e Runs a web server that displays the Nagios GUI e Imports configuration from distributed Console Servers Distributed Console Servers e BO96 016 BO96 048 or BO92 016 Console Servers e Serial and network hosts are attached to each Console Server e Each runs Nagios plug ins NRPE and NSCA add ons but not a full Nagios server Clients e Typically a client PC laptop etc running Windows Linux or Mac OS X e Runs Tripp Lite SDT Connector client software 1 5 0 or later e Connect to the central Nagios server web UI to view status of monitored hosts and serial devices e Then use SDT Connector to connect through the distributed Console Servers to manage monitored hosts and serial devices 10 2 1 Set up central Nagios server The Nagios server software is available for most major distrib
151. b terminal to access serially attached consoles and control power to connected devices Chapter 1 Introduction Serial amp Network Serial Port Managed Devices Network Serial Power Users amp Groups Authentication Network Hosts Type Device Actions Trusted Networks IPsec VPN e Port 1 OpenVPN Cascaded Ports UPS Connections lt I Port 2 E RPC Connections Environmental T Port 3 Managed Devices Alerts amp Logging The Console Server runs an embedded Linux operating system Experienced Linux and UNIX users may prefer to undertake configuration at the command line As an Administrator you can get command line access by connecting through a terminal emulator or communications program to the console serial port or by SSH or Telnet connecting to the Console Server over the LAN or by connecting to the Console Server through an SSH tunnel using the SDTConnector The BO92 016 Console Server also has PowerAlert software and a selection of thin clients embedded RDP Firefox etc You will be able to use these consoles as well as the standard Management Console for access and control EG Connect Logs Ie Status E Custom System ESPANMS Console 12 04 mri File Edit view me Devices Status IPAddress MAC Address Hostname Model Name Location Type Ver Ref y moma Lwc i05 19 WUE OS 2OID SIL 195 1 DMAK I SURPIL paups liz
152. band broadband access With two active broadband access paths to the Console Server in the event you are unable to access through the primary management network you may still have access through the alternate broadband path e g a T1 link e On the System IP menu select Management LAN Interface and configure the IP Address Subnet Mask Gateway and DNS with the access settings that relate to the alternate link e Ensure that when configuring the principal Network Interface connection you set the Failover Interface to None Alternate network Management maha grk 5 3 Broadband Ethernet Failover The second Ethernet port on the BO96 048 016 Console Server Management Switch can also be configured for failover to ensure transparent high availability System IP Serial amp Network Serial Port Users amp Groups Authentication Network Hosts Trusted Networks IPsec VPN OpenVPN Cascaded Ports UPS Connections RPC Connections Environmental Managed Devices Alerts amp Logging Port Log Alerts SMTP amp SMS SNMP Administration SSL Certificates Configuration Backup Firmware IP Date amp Time Dial Firewall DHCP Server Nagios Configure Dashboard Port Access Active Users Statistics Support Report Syslog UPS Status Network Interface IP Settings Network Conf
153. be prevented from adding any Slaves until you have automatically or manually generated SSH keys To define and configure a Slave e Enter the remote IP Address or DNS Name for the Slave Console Server e Enter a brief Description and a short Label for the Slave use a convention here that enables effective management of large networks of clustered Console Servers and the connected devices e Enter the full number of serial ports on the Slave unit in Number of Ports e Click Apply This will establish the SSH tunnel between the Master and the new Slave The Serial amp Network Cascaded Ports menu displays all the Slaves and the port numbers that have been allocated on the Master If the Master Console Server has 16 ports of its own then ports 1 16 are pre allocated to the Master so the first Slave added will be assigned port number 17 onwards Once you have added all the Slave Console Servers the Slave serial ports and the connected devices are configurable and accessible from the Master s Management Console menu and accessible through the Master s IP address e g e Select the appropriate Serial amp Network Serial Port and Edit to configure the serial ports on the Slave e Select the appropriate Serial amp Network Users amp Groups to add new users with access privileges to the Slave serial ports or to extend existing users access privileges e Select the appropriate Serial amp Network Trusted Networks to specify network addresse
154. been recently added steps through configuring NRPE on the upstream server http nagios sourceforge net docs nrpe NRPE pdf At this stage Nagios at the upstream monitoring server is configured and individual serial port and network host connections on the Console Server are configured for Nagios monitoring If NSCA is enabled each selected check will be executed once over the period of the check interval If NRPE is enabled then the upstream server will be able to request status updates under its own scheduling Chapter 10 Nagios Integration 10 4 Advanced Distributed Monitoring Configuration 10 4 1 Sample Nagios configuration An example configuration for Nagios is listed below It shows how to set up a remote Console Server to monitor a single host with both network and serial connections Each check has two configurations one for NRPE and one for NSCA In practice these would be combined into a single check which uses NSCA as a primary method and falling back to NRPE if a check were late For details see the Nagios documentation http www nagios org docs on Service and Host Freshness Checks Host definitions Console Server define host use generic host host_name tripplite alias Console Server address 192 168 254 147 J Managed Host define host use generic host host_ name server alias server address 192 168 254 227 NRPE daemon on gateway define command command_namecheck_nrpe_daemon command line U
155. bind anonymously sAMAccountName The LDAP attribute corresponding to the login name On Active Directory servers the attribute is sAMAccountName memberOf The LDAP attribute that is used to indicate group memberships On Active Directory servers the attribute is memberOf cn MyGroup cn Users dc o The distinguished name of a group existing on the server which all users with access to the console server must belong to cn AdminGroup cn Users dc The distinguished name of a group existing on the server whose members will be given admin access e Ensure the LDAP service is operational and group names are correct within the Active Directory almy Xe om an he y a 4 Active Directory Users and Com Ta H Saved Queries opengear com Lester Properties Environment Sessions Remote contral Terminal Services Frofile COM General Addes Account Frofile Telephones Organization H Builtin Published Certificates Member Of Diakin Object Securty H computers Fi Domain Controllers Member of ai Ll ForeignSecurityPrincipal Name mj Active Directory Folder H LostAndFound opengear com Users IL NTDS Quotas Domain Users opengear com Lsers H Program Data MyGroup opengear com Users H O System of 3 Users Add Remove Primary group Domain Users There iz no need to change Primary group unles
156. bles the transparent interconnection of two serial port devices over a network To select the serial port to configure e Select Serial amp Network Serial Port and click Edit on the port to be reconfigured Note If you wish to set the same protocol options for multiple serial ports at once click Edit Multiple Ports and select which ports you wish to configure as a group Serial amp Network Serial Port Serial amp Network Serial Port Port Label Mode Logging Parameters Flow Users amp Groups Level Control Authentication Network Hosts 1 Port 1 Local Console 0 115200 8 N None Edit Trusted Networks Mode 1 IPsec VPN OpenVPN 2 Port 2 Console Tene 1 9600 8 N 1 None Edit Cascaded Ports UPS Connections 3 Port 3 Console 0 9600 8 N 1 None Edit RPC Connections Unconfigured Environmental Managed Devices Edit Multiple Ports e When you have configured the common settings and the mode for each port set up any remote syslog Chapter 4 1 7 then click Apply e Ifthe Console Server has been configured with distributed Nagios monitoring enabled then you will also be presented with Nagios Settings options to enable nominated services on the Host to be monitored refer to Chapter 10 Nagios Integration Chapter 4 Serial Port Device and User Configuration 4 1 1 Common Settings There are a number of common settings available for each serial port These are independent of
157. ch port which has Master control over a UPS and in the Serial amp Network Network Hosts menu for each network connected UPS refer to Chapter 4 Device Settings Device Type Specify the device type Apply this setting then use the UPS Connections page to configure the attached UPS No such configuration is required for USB connected UPS hardware Chapter 8 Power and Environment TRIPP LITE POWER PROTECTION Serial amp Network UPS Connections Serial amp Network Serial Port Users amp Groups Authentication Network Hosts Trusted Networks Cascaded Ports UPS Connections RPC Connections Environmental Managed UPSes UPS Description Name No UPSes currently monitored Add UPS Monitored UPS Alerts amp Logging Enabled Port Log Alerts SMTP amp SMS daie SNMP Address Administration Firmware IP Description Date amp Time Dial Services Username DHCP Server Nagios Password Dart Arcrecc Connected Via Shutdown Order Driver Username Enable this UPS connection The name of this UPS The address or DNS name of the host managing this UPS An optional description Connect using this username Connect using this password e Select the Serial amp Network UPS Connections menu The Managed UPSes section will display all the UPS connections that have already been configured
158. cify the device type Apply this setting then use the Environmental page to configure the attached environmental monitor Environmental menu This will display all the EMD connections that have already been Lj POWER PROTECTION Serial amp Network Environmental Serial amp Network Serial Port Users amp Groups Authentication Network Hosts Trusted Networks Cascaded Ports UPS Connections Click Add Environmental Monitors Name Description Alarm 1 Alarm 2 Connected Via Log Label Label Status No environmental monitors have been configured Add Chapter 8 Power and Environment Serial amp Network Environmental Serial amp Network Serial Port Users amp Groups Authentication Network Hosts Trusted Networks Cascaded Ports UPS Connections RPC Connections Environmental Alerts amp Logging Port Log Alerts SMTP amp SMS Administration Firmware IP Date amp Time Dial Services DHCP Server Nagios Name Connected Via Description Alarm 1 Label Alarm 2 Label Log Status Log Rate Apply Add Environmental Monitor A descriptive name for the environmental monitor Serial Portt2 v Specify the serial port for the environmental monitor A brief description for the environmental monitor A label for the first environmental monitor alarm e g Door Open A label for
159. cify the logging level that is to be maintained for that particular TDC UDP port service on that particular Host Turns off logging for the selected TDC UDP port to the selected Host Logs all connection events to the port Logs all data transferred to and from the port Chapter 8 Power and Environment The BO95 004 003 and BO92 016 Console Server and BO96 048 016 Console Server Management Switch products embed software that can be used to manage connected Power Distribution Systems PDU s IPMI devices and Uninterruptible Power Supplies UPS s supplied by a number of vendors and some the environmental monitoring devices BO92 016 Console Server with PowerAlert also embeds Tripp Lite s PowerAlert software 8 1 Remote Power Control RPC The Console Server Management Console monitors and controls Remote Power Control RPC devices using the embedded PowerMan and NUT open source management tool RPC s include power distribution units PDU s and IPMI power devices 8 1 1 RPC connection Serial and network connected RPC s must first be connected to and configured to communicate with the Console Server e For serial RPC s connect the PDU to the selected serial port on the Console Server From the Serial and Network Serial Port menu configure the Common Settings of that port with the RS232 properties required by the PDU refer to Chapter 4 1 1 Common Settings Then select RPC as the Device Type e Similarly for each network co
160. cisco com em pe Gl Google Ou A forum for peer and expert wisdom to get the A dynamic know A answers you need Ask questions and resolve Q Q collaborate crea t issues that concern you now A technical conten Join the Discussion A Download SX K pma S f Troubleshoot Select Connect Browser on the control panel and click on the Host web site you have configured to be accessed using Ox Ordering Support Training amp Event Support Wiki problems in real Discover the Wik overview or View Informatiot Type Application Networking m a Java LICENSEE Java and all Java based trademarks and logos are trademarks or registered trademarks of Sun Microsystems Inc in the U S and other countries Chapter 16 Thin Client 16 1 3 Connect VNC e Select Connect VNC on the control panel and click on the VNC server Host to be accessed e The VNC Viewer client in your BO92 016 will be started and a VNC connection window to the selected server will be opened rs Configure ES Connect Logs Ip Status a Custom System Serial gt Browser gt REE wer server SSH gt Ace NT412 IPMI gt Account Mgt 32R RDP A L Add Delete Edit YNC Viewer Connection Details VNC server a About Options OK Cancel e ifthe HostName was left blank when the VNC server connection was configured then the VNC Viewer will start with a reque
161. command acts similar to the standard chat command but all serial port access is directed via the portmanager Example To run a chat script via the portmanager pmchat v f etc config scripts port08 chat lt dev port08s For more information on using chat and pmchat you should consult the UNIX man pages http techpubs sgi com library tpl cgibin getdoc cgi coll linux amp db man amp fname usr share catman man8s chat 8 html pmusers The pmusers command is used to query the portmanager for active user sessions Example To detect which users are currently active on which serial ports pmusers This command will output nothing if there are no active users currently connected to any ports otherwise it will respond with a sorted list of usernames per active port Port 1 useri user2 Port 2 useri Port 8 user2 The above output indicates that a user named user is actively connected to ports 1 and 2 while user2 is connected to both ports 1 and 8 Chapter 15 Advanced Configuration portmanager daemon There is normally no need to stop and restart the daemon To restart the daemon normally just run the command portmanager Supported command line options are Force portmanager to run in the foreground nodaemon Set the level of debug logging loglevel debug info warn error alert Change which configuration file it uses C etc contig portmanager conf Signals Sending a SIGHUP signal to the portm
162. comp zo Enable compression on the OpenVPN link This must be enabled on both the client and the server syslog By default logs are located in syslog or if running as a service on Window in Program Files OpenVPN log directory To initiate the OpenVPN tunnel following the creation of the client server configuration files e Right click on the OpenVPN icon in the Notification Area e Select the newly created client or server configuration For example BL client e Click Connect as shown below dient 4 dient p E saent sample d server Windows Client P view Log Proxy Settings Edit Config Change Password Ge al 10 244m Lr i Aug 29 57 2010 OpenvPN 2 0 9 win32 mMinGw SSL LZO built on Oct 1 2006 A i Aug 729 2010 WARNING No server certificate verification method has been enabled See http openvpn net i Aug 22a 2010 LZO compression initialized i Aug 70 2010 Control Channel MTU parms L 1542 D 138 EF 38 EB 0 ET 0 EL 0 i Aug 29 2010 Data Channel MTU pme L 1542 D 1450 EF 42 EB 135 ET 0 EL 0 AF 3 1 i Aug 29 2010 Local Options hash VER vV4 41690919 i Aug 229 2010 Expected Remote Options hash VER v4 530fdded i Aug 29 2010 UDPv4 link local undef i Aug sao 2010 UDPv4 link remote 192 168 250 152 1194 i Aug 29 2010 TLS Initial packet from 192 168 250 152 1194 sid dd3359de 265f251d i Aug 230 2010 VERIFY OK depth 1 C US ST CA L SanFrancisco O Fo
163. configuration config r serialconfig 14 1 7 Cascaded Ports To add a new slave device with the following settings IP address DNS name 192 168 0 153 Description CM in office 42 Label BL6 5 Number of ports 16 The following commands must be issued config s config cascade slaves slave1 address 192 168 0 153 config s config cascade slaves slave1 description CM in office 42 config s config cascade slaves slave1 label BL6 5 config s config cascade slaves slave1 ports 16 The total number of slaves must also be incremented If this is the first slave being added type config s config cascade slaves total 1 Increment this value when adding more slaves NOTE If a slave is added using the CLI then the master SSH public key will need to be manually copied to every slave device before cascaded ports will work refer Chapter 4 The following command will synchronize the live system with the new configuration config r cascade Chapter 14 Command Line Configuration 14 1 8 UPS Connections Managed UPS Systems Before adding a managed UPS make sure that at least 1 port has been configured to run in device mode and that the device is set to ups To add a managed UPS with the following values Connected via Port 1 UPS name My UPS Description UPS in room 5 Username to connect to UPS User2 Password to connect to UPS secret shutdown order 2 O shuts down first Driver genericups Driver optio
164. configuration When the Console Server is reset to factory defaults it will then load your alternate default configuration instead of its factory settings e To set an alternate default configuration check Load On Erase and click Apply Chapter 11 System Management Note Before selecting Load On Erase please ensure you have tested your alternate default configuration by clicking Restore If for some reason your alternate default configuration causes the Console Server to become unbootable recover your unit to factory settings using the following steps e Ifthe configuration is stored on an external USB storage device unplug the storage device and reset to factory defaults as per section 11 1 of the user manual e Ifthe configuration is stored on an internal USB storage device reset to factory defaults using a specially prepared USB storage device o The USB storage device must be formatted with a Windows FAT32 VFAT file system on the first partition or the entire disk most USB thumb drives are already formatted this way o The file system must have the volume label OPG_DEFAULT Insert this USB storage device into an external USB port on the Console Server and reset to factory defaults as per section 11 1 After recovering your Console Server ensure the problematic configuration is no longer selected for Load On Erase 11 5 Delayed Configuration Commit The Delayed Config Commit mode allows the grouping or queuing of configuration chang
165. console ppp enabled on config s config console ppp callback enabled on config s config console ppp callback ophone1 O800223665 config s config console ppp username user1 config s config console ppp password secret To make the dialed connection the default route config s config console ppp defaultroute on Please note that supported authentication types are None PAP CHAP and MSCHAPv2 Supported serial port baud rates are 9600 19200 38400 5 7600 115200 and 230400 Supported parity values are None Odd Even Mark and Space Supported data bits values are 8 7 6 and 5 Supported stop bits values are 1 1 5 and 2 Supported flow control values are Hardware Software and None If you do not wish to use out of band dial in access please note that the procedure for enabling start up messages on the console port is covered in Chapter 15 Accessing the Console Port The following command will synchronize the live system with the new configuration config a 14 1 20 DHCP server To enable the DHCP server on the console management LAN with settings 200000 seconds 300000 seconds Default lease time Maximum lease time DNS server 192 168 2 3 DNS server2 192 168 2 4 Domain name company com Default gateway 192 168 0 1 IP pool 1 start address 192 168 0 20 IP pool 1 end address 192 168 0 100 Reserved IP address 192
166. ction of sources e g UltraVNC TightVNC or RealVNC for most operating systems There are also a wealth of Java viewers available so that any desktop can be viewed with any Java capable browser http en wikipedia org wiki VNC lists many of the VNC Viewers sources e Install the VNC Viewer software and set it up for the appropriate speed connection Note To make VNC faster when you set up the Viewer e Set encoding to ZRLE if you have a fast enough CPU e Decrease color level e g 64 bit e Disable the background transmission on the Server or use a plain wallpaper Refer to http doc uvne com for detailed configuration instructions e To establish the VNC connection first configure the VNC Viewer entering the VNC Server IP address A When the Viewer computer is connected to the Console Server through an SSH tunnel over the public Internet or a dial in connection or private network connection enter localhost or 127 0 0 1 as the IP VNC Server IP address and the source port you entered when setting SSH tunneling port forwarding in Section 6 2 6 e g 1234 Tete Win3 Viewer 1 0 1 Release ZC Quick Options AUTO Auto select best settings Connect ULTRA gt 2M bits Experimental 7 ILAN gt TM bites Mas Colors Cancel O MEDIUM 128 256K bits 256 Colors OMODEM 19 128Kbit s 64 Colors SLOW lt 19kKE bits 8 Colors view Only Auto Scaling Ciptions Options Use DSMPlug
167. d For port 5 as an RPC port config s config ports ports mode powerman For port 5 as an Environmental port config s config ports ports mode reserved Chapter 14 Command Line Configuration SDT mode To enable access over SSH to a host connected to serial port 5 config s config ports portS mode sat config s config ports port5 sdt ssh on To configure a username and password when accessing this port with Username user and Password secret config s config ports port sdt username user1 config s config ports port sdt password secret Terminal server mode Enable a TTY login for a local terminal attached to serial port 5 config s config ports ports mode terminal config s config ports port5 terminal vt220 vt102 vt100 linux ansi The default terminal is vt220 Serial bridge mode Create a network connection to a remote serial port via RFC 2217 on port 5 config s config ports ports mode bridge Optional configurations for the network address of RFC 2217 server of 192 168 3 3 and TCP port used by the RFC 2217 service 2500 config s config ports port5 bridge address 192 168 3 3 config s config ports portd bridge portt 2500 To enable RFC 2217 access config s config ports port bridge rfc221 7 on To redirect the serial bridge over an SSH tunnel to the server config s config ports port5 bridge ssh enabled on Syslog settings Additionally the global system log setti
168. d devices and to power as outlined below Chapter 2 Installation 2 2 Power Connection 2 2 1 Power Console Server Management Switch The BO96 048 16 Console Server Management Switch has dual universal AC power supplies with auto failover built in These power supplies each accept AC input voltage between 100 and 240 VAC with a frequency of 50 or 60 Hz and the total power consumption per Console Server is less than 30W Two IEC AC power sockets are located at the rear of the metal case and these IEC power inlets use conventional IEC AC power cords A North American power cord is provided by default Power cords for other regions are available separately from Tripp Lite 2 2 2 Power Console Server with PowerAlert The standard BO92 016 Console Server has a built in universal auto switching AC power supply This power supply accepts AC input voltage between 100 and 240 VAC with a frequency of 50 or 60 Hz and the power consumption is less than 40W AC Serial console ports USB VGA USB power Modem Keyboard 10 00 port Mouse Ethernet The AC power socket is located at the rear of the BO92 016 This power inlet uses a conventional AC power cord A North American power cord is provided by default Power cords for other regions are available separately from Tripp Lite 2 2 3 Power Console Server The BO95 004 003 Console Server has an external wall mount power supply This power supply accepts AC input voltage between 100 and 240 VAC with a
169. d then the Administrator can only access the Console Server using HTTPS However once logged in they can reconfigure the Console Server settings e g to enabled HTTP Telnet for future access They can also access any of the connected Hosts or serial port devices using any of the services that have been enabled for these connections But again the Administrator can reconfigure the access services for any Host or serial port So only trusted users should have Administrator access Note For convenience the SDT Connector Retrieve Hosts function retrieves and auto configures checked serial ports and checked hosts only even for admin group users 2 Membership of the user group provides the user with limited access to the Console Server and connected Hosts and serial devices These Users can access only the Management section of the Management Console menu and they have no command line access to the Console Server They also can only access those Hosts and serial devices that have been checked for them using services that have been enabled 3 The Administrator can also set up additional Groups with specific serial port and host access permissions Same as Users However users in these additional groups don t have any access to the Management Console menu nor do they have any command line access to the Console Server itself Lastly the Administrator can also set up users who are not a member of any Groups and they will have the same access as users
170. d to as the Left or Local host exactly matches the set up entered when configuring the Remote Right host gateway or software client 4 10 OpenVPN Console Servers also include OpenVPN which is based on TSL Transport Layer Security and SSL Secure Socket Layer With OpenVPN it is easy to build cross platform point to point VPNs using x509 PKI Public Key Infrastructure or custom configuration files OpenVPN allows secure tunneling of data through a single TCP UDP port over an unsecured network thus providing secure access to multiple sites and secure remote administration to a console server over the Internet OpenVPN also allows the use of Dynamic IP addresses by both the server and client thus providing client mobility For example an OpenVPN tunnel may be established between a roaming windows client and a Console Server within a data centre Configuration of OpenVPN can be complex so Tripp Lite provides a simple GUI interface for basic set up as described below However for more detailed information on configuring OpenVPN Access server or client refer to the HOW TO and FAQs at http www openvpn net Chapter 4 Serial Port Device and User Configuration 4 10 1 Enable the OpenVPN e Select OpenVPN on the Serial amp Networks menu e Click Add and complete the Add OpenVPN Tunnel screen e Enter any descriptive name you wish to identify the OpenVPN Tunnel you are adding for example NorthStOutlet VPN Serial amp Network OpenVPN
171. d to serial Port 3 ona Console Server located at 192 168 0 50 then you would enter 192 168 0 50 7303 o Where there is an SSH tunnel over a dial up PPP connection or over a public internet connection or private network connection simply enter the localhost as the IP address i e 127 0 0 1 For Port Number enter the source port you created when setting SSH tunneling port forwarding in Section 6 1 6 e g 1234 e Click Option In the Display section specify an appropriate color depth e g for a modem connection it is recommended you not use over 256 colors In Local Resources specify the peripherals on the remote Windows computer that are to be controlled printer serial port etc Chapter 6 Secure SSH Tunneling amp SDT Connector f Remote Desktop Connection General Display Local Resources Programs Experience Lagon settings Type the name of the computer or choose a computer from the drop down list Computer 27001124 Username MS Bob Password sesseeee Domain Save my password Connection settings Save cument settings or open saved connection STE PTS EA e Click Connect Note The Remote Desktop Connection software is pre installed on Windows XP However for earlier Windows computers you will need to download the RDP client e Go to the Microsoft Download Center site http www microsoft com downloads details aspx familyid 80111F21 D48D 4A26E 96C2 08AA2BD23A49 amp displayl
172. does not apply to this EULA If you acquired this Software in a country outside of the United States that country s laws may apply In any action or suit to enforce any right or remedy under this EULA or to interpret any provision of this EULA the prevailing party will be entitled to recover its costs including reasonable attorneys fees ENTIRE AGREEMENT This EULA constitutes the entire agreement between you and Tripp Lite with respect to the Software and supersedes all other agreements or representations whether written or oral The terms of this EULA can only be modified by express written consent of both parties If any part of this EULA is held to be unenforceable as written it will be enforced to the maximum extent allowed by applicable law and will not affect the enforceability of any other part Should you have any questions concerning this EULA or if you desire to contact Tripp Lite for any reason please contact the Tripp Lite representative serving your company THE FOLLOWING DISCLAIMER OF WARRANTY AND LIMITATION OF LIABILITY IS INCORPORATED INTO THIS EULA BY REFERENCE THE SOFTWARE IS NOT FAULT TOLERANT YOU HAVE INDEPENDENTLY DETERMINED HOW TO USE THE SOFTWARE IN THE DEVICE AND TRIPPLITE HAS RELIED UPON YOU TO CONDUCT SUFFICIENT TESTING TO DETERMINE THAT THE SOFTWARE IS SUITABLE FOR SUCH USE LIMITED WARRANTY Tripp Lite warrants the media containing the Software for a period of ninety 90 days from the date of original purcha
173. e Click Add UPS _ ar TRIPP LITE POWER PROTECTION Serial amp Network UPS Connections Serial amp Network Serial Port Add Managed UPS Users amp Groups UPS Name Authentication Network Hosts The name of this UPS Trusted Networks Description Cascaded Ports UPS Connections An optional description Ean Connected va use The UPS may be connected via USB serial or network HTTP or HTTPS Alerts amp Logging aa Port Log Alerts Allow slaves to connect using this username SMTP amp SMS SNMP Password Allow slaves to connect using this password Administration Confirm Firmware Re enter the password IP Date amp Time Shutdown Order 0 Dial Control the order in which UPSes are shut down Os are shut down first then 1s 2s etc and 1s are Services not shut down at all Defaults to 0 DHCP Server Nagios Driver genericups v The driver for this UPS model see the hardware compatibility list for details e Enter a UPS Name and Description optional and identify if the UPS will be Connected Via USB or over pre configured serial port or via HTTP HTTPS over the preconfigured network Host connection J Enter the UPS login details This Username and Password is used by Slaves of this UPS i e other computers that are drawing power through this UPS to connect to the Console Server for monitoring of the UPS status and shutdown when battery power is low Monitoring will typically be
174. e Console Server and connected devices When an alert event is triggered a notification is emailed to a nominated email address or SMS gateway or the configured SNMP or Nagios server is notified A wide selection of events can be used as the trigger for an alert These events include e auser establishing a remote Telnet connecting to a serial port or Host e reaching a nominated low battery level on a particular UPS or current load levels on a PDU power outlet e exceeding a specified temperature or humidity level on an environmental sensor e sensing a particular data pattern on a serial port e g the data stream on a particular serial console may be monitored for nominated messages coming from the device such as warning or IO error and send out an alarm when they occur o Select Alerts amp Logging Alerts which will display all the alerts currently configured Click Add Alert 7 2 1 Add anew alert The first step is to specify the alert service that will be used to send notification for this event who to notify and what port host device is to be monitored Alerts amp Logging Alerts Serial amp Network Serial Port Add a New Alert Users amp Groups Description Authentication A brief description of this alert s purpose Email Recipient The email address to send this alert to SMTP SMS Email Recipient The SMTP SMS email address to send this alert to SNMP g Use SNMP to notify of this alert Nagios NSCA O
175. e Enter a Command Line associated with launching the client application SDT Connector typically launches a client using command line arguments to point it to the local endpoint of the redirection There are three special keywords for specifying the command line format When launching the client SDT Connector substitutes these keywords with the appropriate values path is path to the executable file i e the previous field host is the local address to which the local endpoint of the redirection is bound i e the Local Address field for the Service redirection Advanced options port is the local port to which the local endpoint of the redirection is bound i e the Local TCP Port field for the Service redirection Advanced options If this port is unspecified i e Any the appropriate randomly selected port will be substituted For example SDT Connector is preconfigured for Windows installations with a HTTP service client that will connect with whichever local browser the local Windows user has configured as the default Otherwise the default browser used is Firefox cE Tripp Lite SDTConnector J Sa SDTConnector Preferences 5 Edit Client Client name HTTP browse Path to client executable file rundll32 url dll FileProtocolHandler Browse ww Command line format for client executable Jepath http host port 7 OK S Cancel Close Chapter 6
176. e IP Address DNS Name field enter 127 0 0 1 this is the Console Servers network loopback address Then enter Loopback in Description e Remove all entries under Permitted Services except for those that will be used in accessing the Management Console 80 http or 443 https or the command line 22 ssh or 23 Telnet Scroll to the bottom and click Apply e Administrators by default have gateway access privileges However for Users to access the gateway Management Console you will need to give those Users the required access privileges Select Users amp Groups from Serial amp Network Click Add User Enter a Username Description and Password Confirm Select 127 0 0 1 from Accessible Host s and click Apply Chapter 6 Secure SSH Tunneling amp SDT Connector 6 4 SDT Connector Telnet or SSH Serial Device Connection SDT Connector can also be used to access text consoles on devices that are attached to the Console Servers serial ports For these connections you must configure the SDT Connector client software with a Service that will access the target gateway serial port and then set the gateway up as a host Launch SDT Connector on your computer Select Edit Preferences and click the Services tab Click Add Enter Serial Port 2 in Service Name and click Add Select Telnet client as the Client Enter 2002 in TCP Port Click OK then Close and Close again E Tripp Lite SDTConnector a 6 SDTConnector Preferences ients
177. e LAN do not have Telnet access to the Console Server itself only SSH and HTTPS access but they do have Telnet access to the serial console devices attached to the console Server Similarly remote Administrators using Dial In only can access the Nagios NUT status from the console Server while VPN connected Administrators have been given extensive services access System Firewall Serial amp Network Serial Port Service Access Port Forwarding Port Rules Forwarding amp Masquerading Users amp Groups Authentication Network Hosts Service Access Trusted Networks Services Network Wireless Dialout Cellular Dial in VPN IPsec VPN Interface Network OpenVPN Cascaded Ports HTTP Web UPS Connections Management RPC Connections Environmental HTTPS Web J v 4 Managed Devices Management Alerts amp Logging Telnet command CED shell hag SSH command F x 7 SNMP a Telnet direct to 7 serial ports Administration SSH direct to SSL Certificates Aaa Configuration Backup Firmware RAW TCP access 5 5 IP s Date amp Time to serial ports RFC 2217 access 7 v to serial ports DHCP Server Ai Nagios Unauthenticated 7 7 Configure Dashboard telnet access to I O Ports serial ports Nagios NRPE 7 J Port Access daemon Active Users NUT UPS y y Statistics Support Report Syslog monitoring daemon Chapter 3 Initial System Configuration Th
178. e Program or any derivative work under copyright law that is to say a work containing the Program or a portion of it either verbatim or with modifications and or translated into another language Hereinafter translation is included without limitation in the term modification Each licensee is addressed as you Activities other than copying distribution and modification are not covered by this License they are outside its scope The act of running the Program is not restricted and the output from the Program is covered only if its contents constitute a work based on the Program independent of having been made by running the Program Whether that is true depends on what the Program does 1 You may copy and distribute verbatim copies of the Program s source code as you receive it in any medium provided that you conspicuously and appropriately publish on each copy an appropriate copyright notice and disclaimer of warranty keep intact all the notices that refer to this License and to the absence of any warranty and give any other recipients of the Program a copy of this License along with the Program You may charge a fee for the physical act of transferring a copy and you may at your option offer warranty protection in exchange for a fee License Agreement 2 You may modify your copy or copies of the Program or any portion of it thus forming a work based on the Program and copy and distribute such modifications or work under the te
179. e SNMPv1 or SNMPv2c community that will be allowed read only GET and GETNEXT access This must be specified in order for both versions to become enabled The Read Write Community field is used to specify the SNMPvi or SNMPv2c community that will be allowed read write GET GETNEXT and SET access Firmware IP SNMP v3 Date amp Time Dial Engine ID Firewa eee ae A a Jn Override the automatically generated SNMPv3 Engine ID Note If not specified an Engine ID will GIV r m r n E i Nagios be automaticaly generated using Network Interface detai Configure Dashboard I O Ports Security Level noauth auth Status priv Port Access Active Users The SNMPv3 Security Level priv amp recommended for enforcing both authentication and Statistics encryption Support Report Syslog Read Only Username UPS Status RPC Status The SNMPv3 read only security name Mandatory for SNMPv3 Environmental Status Dashboard Auth Protocol SHA l The SNMPv3 authentication protocol Devices Auth Password Port Logs Host Logs The SNMPv3 users authentication password Power Terminal Confirm Password Confirm the SNMPv3 users authentication password Privacy Protocol DES b a The SNMPv3 privacy protocol Privacy Password The SNMPv3 encryption password Confirm Password Confirm the SNMPv3 encryption password Apply Configure SNMP v3 i
180. e Services Access settings specify which services the Administrator can use over which network interface to access the console server It also nominates the enabled services that the Administrator and the User can use to connect through the Console Server to attached serial and network connected devices e The following general service access options can be specified HTTPS This ensures the Administrator has secure browser access to all the Management Console menus on the Console Server It also allows appropriately configured Users secure browser access to selected Manage menus For information on certificate and user client software configuration refer Chapter 9 Authentication By default HTTPS is enabled and it is recommended that only HTTPS access be used if the Console Server is to be managed over any public network e g the Internet HTTP The HTTP service allows the Administrator basic browser access to the Management Console It is recommended the HTTP service be disabled if the Console Server is to be remotely accessed over the Internet Telnet This gives the Administrator telnet access to the system command line shell Linux commands While this may be suitable for a local direct connection over a management LAN it is recommended this service be disabled if the Console Server is to be remotely administered This service may also be useful for local Administrator and the User access to selected serial consoles This service provides s
181. e Setup serial ports and devices as per operational requirements such as UPS RPC PDU and EMD e Copy the mibs from etc snmp mibs on the Console Server product to a local directory using scp or Winscp For example scp root bO095 etc snmp mibs e Using the snmpwalk and snmpget commands the status information can be retrieved from any console server For example snmpwalk Oa v1 M usr share snmp mibs c public b095 STATUS MIB ogStatus snmpget Oa v1 M usr share snmp mibs c public b095 OG STATUSMIB ogSerialPortStatusSpeed 2 KA Chapter 15 Advanced Configuration STATUS MIB SerialPortStatusSpeed 2 INTEGER 19268 noauth snmpwalk Oa v3 I noAuthNoPriv u readonlyusername M usr share snmp mibs bO95 STATUS MIB Status auth snmpwalk Oa v3 I authNoPriv u readonlyusername a SHA A authpassword M usr share snmp mibs b095 STATUS MIB ogStatus priv snmpwalk Oa v3 l authNoPriv u readonlyusername a SHA A authpassword x DES X privoassword M usr share snmp mibs b095 STATUS MIB ogStatus Security Level U Security Name or Read Only Username a Authentication Protocol SHA or MD5 A Authentication Password X Privacy Protocol DES or AES X Privacy Password A mib browser may be used to explore the enterprise MIB structure 15 5 4 etc config snmpd conf The net snmpd is an extensible SNMP which includes built in Support for a wide range of MIB inf
182. e any connectivity issues and restore the gateway s primary link In SDT Connector OoB access is configured by providing the secondary IP address of the gateway and telling SDT Connector how to start and stop the OoB connection Starting an OoB connection may be achieved by initiating a dial up connection or adding an alternate route to the gateway SDT Connector allows for maximum flexibility by allowing you to provide your own scripts or commands for starting and stopping the OoB connection Ets Tripp Lite SDTConnector e G New SDT Gateway General Out Of Band Remote UDP Gateway Secondary Address Port 22 Start Command onnection wait min rasdial OOB login password Stop Command tit min rasdial network_connection login password a2 ok 9G Cancet To configure SDT Connector for OOB access e When adding a new gateway or editing an existing gateway select the Out Of Band tab e Enter the secondary OoB IP address for the gateway e g the IP address to be used when dialing in directly You may also modify the gateway s SSH port if it s not using the default of 22 e Enter the command or path to a script to start the OoB connection in Start Command o To initiate a pre configured dial up connection under Windows use the following Start Command cmd c start Starting Out of Band Connection wait min rasdial network_connection login password The network_connection in the above is the name
183. e desired serial port A window will be created with a connection to the device on the selected serial port sip Favorites Remote Control Disconnect Options Clipboard Send Ctrl Alt Del Refresh p of Configure Logs Status IB system Citrix ICA PowerAlert Console gt Browser NC SSH IPMI RDP Add Delete Edit DE port04 The embedded terminal emulator uses rxvt a color vt102 terminal emulator You can find more details on configuration options in http Awww rxvt org manual html Chapter 16 Thin Client 16 1 2 Connect Browser the browser Sites can be internal or external Logs ee Status Eg Custom m System gt Serial Citrix ICA Browser YNE SSH IPMI RDP Add Delete Edit Support Cisco Systems Mozilla Firefox Test IMG4216 25 Cisco 5904 3 Acc Dell DRAC4 Cisco support wiki gt Ahali cisco ie j i LB sluji T aso Solutions Products amp Services Support NetPro Community Select a Task Firefox version 2 0 0 11 1335 2007 Contributors All Rights Reserved Firefox and the Firefox logos are trademarks of the Mozilla Foundation All rights reserved some trademark rights Used under license from The Charlton Company Mozillas 0 11 U Linus i356 en Us 1 8 1 11 Geckore00o0 70 Firefoxe 0 0 11 File Edit View History Bookmarks Tools Help http vAvww
184. e network to hide behind and share the one public IP address when connecting to a public network This type of translation is only used for connections originating within the private network destined for the outside public network and each outbound connection is maintained by using a different source IP port number By default all Console Server models are configured so that they will not route traffic between networks To use the Console Server as an Internet or external network gateway forwarding must be enabled so that traffic can be routed from the internal network to the Internet external network e Navigate to the System Firewall page and then click on the Forwarding amp Masquerading tab Chapter 5 Firewall Failover and Out of Band System Firewall Serial amp Network Serial Port Users amp Groups Authentication Network Hosts Trusted Networks IPsec VPN Service Access Port Forwarding Port Rules Forwarding amp Masquerading Network Forwarding and Masquerading l Source Networks Allowed Destination Networks OpenVPN Cascaded Ports Network wa UPS Connections ee Management LAN RPC Connections Dialout Cellular Environmental Dial in Managed Devices VPN Alerts amp Logging Port Log Management Network Interface Alerts LAN SMTP amp SMS Dialout Cellular SNMP Dial in VPN Administration z SSL Certificates Dialout Cellular Netw
185. e the addresses for connecting clients e Click Apply to save changes Serial amp Network OpenVPN Serial amp Network Serial Port Users amp Groups Authentication Network Hosts Trusted Networks IPsec VPN OpenVPN Cascaded Ports UPS Connections RPC Connections Environmenta Managed Devices Alerts amp Logging Port Log Alerts SMTP amp SMS SNMP Administration SSL Certificates Configuration Backup Firmware IP Date amp Time Dial Firewall DHCP Server Nagios Configure Dashboard Port Access Active Users Statistics Support Report Syslog UPS Status ANA Cenk ie Add OpenVPN Tunnel Tunnel Name Device Driver Protocol Tunnel Mode Configuration Method Compression Server Details Local Port IP Pool Network IP Pool Netmask Apply SouthStOutlet VPN A descriptive name for the OpenVPN tunnel Tun IP x Select the tap or tun driver to use UDP Use a UDP or TCP protocol Server x Is this the Client or Server end of the tunnel PKI X 509 Certificates Authenticate using certificates or use a custom configuration v Enable or disable compression The TCP IP port to listen on Defauit amp 1194 10 100 0 0 Network addresses to allocate 255 255 255 0 Network mask for IP Pool e To enter authentication certificates and fil
186. e to the location you have stored RSA or DSA Public Key and upload it to SSH RSA DSA Public Key e Browse to the stored RSA or DSA Private Key and upload it to SSH RSA DSA Private Key e Click Apply System Name TLG An ID for this device System Description Rack3F The physical location of this device System Password ecccecece N The secret used to gain administration access to this device Confirm System 00000000 Passwor 5 2 Re enter the above password for confirmation SSH RSA Public Key Jploa c t RS D SSH RSA Private Key Upload a replacement RSA private key file SSH DSA Public Key Upload a replacement DSA public key file SSH DSA Private Key X pload a replacement DS SSH Authorized Keys Uploa lacer S Generate SSH keys O automatically eae SSH keys loc Next you must register the Public Key as an Authorized Key on the Slave In the simple case with only one Master with multiple Slaves you need only upload the one RSA or DSA public key for each Slave Note The use of key pairs can be confusing as in many cases one file Public Key fulfills two roles Public Key and Authorized Key For a more detailed explanation refer the Authorized Keys section of Chapter 15 6 Also refer to this chapter if you need to use more than one set of Authorized Keys in the Slave e Select System Administration on the Slave s Management Console e Browse again to the stored RSA or DSA Public Key and upload it to Slave s S
187. eck_dummy check_mrtg check pop check_tcp check fping check mrtgtraf check procs check time check _ftp check_nagios check real check udp check _ game check_nntp check_simap check_ups check_hpjd check_nntps check smtp check_users Chapter 10 Nagios Integration There also are bash scripts which can be downloaded and run primarily check_log sh To configure additional checks the downloaded plug in program must be saved in the tftp addins directory on the USB flash and the downloaded text plug in file saved in etc config To enable these new additional checks you select Serial amp Network Network Port then you Edit the Network Host to be monitored and select New Checks The additional check option will have been included in the updated Nagios Checks list You can again customize the arguments Power Device Username Power Device Password Confirm Password Log Level Nagios Settings Enable Nagios Host Name Nagios Checks g Check CLAMD Check Dummy Check FTP Check HF JetDirect Check HTTP Check IMAP Check Jabber Check LDAP Check NNTP Check NNTPS Check NRPE Check NT Check NTP f Check NW Stat Check Over CR 5 Check Ping Check POP Check REAL Check SIMAP Check SMTP Check SNMP a Check SPOP Check SSH Check SSMTP Check TCP n Check Time Check UDP Check UPS am hange then edit and click update Click Apply te commit changes to configuration bwer device owe
188. ecure SSH access It is recommended you choose SSH as the protocol where the Administrator connects to the Console Server over the Internet or any other public network This will provide authenticated communications between the SSH client program on the remote PC workstation and the SSH sever in the Console Server For more information on SSH configuration refer Chapter 9 Authentication This will enable netsnmp in the Console Server which will keep a remote log of all posted information SNMP is disabled by default To modify the default SNMP settings the Administrator must make the edits at the command line as described in Chapter 15 Advanced Configuration If a USB flash card or internal flash is detected on the Console Server then enabling this service will set up default tftp server on the USB flash This server is used to store config files maintain access and transaction logs etc Files transferred using tftp will be stored under var tmp usbdisk tftpboot This allows the Console Server to respond to incoming ICMP echo requests Ping is enabled by default however for security reasons this service should generally be disabled post initial configuration Access to the NUT UPS monitoring and Nagios NRPE monitoring daemons Access to the NUT UPS monitoring and Nagios NRPE monitoring daemons e And there are some serial port access parameters that can be configured on this menu The Console Server uses specific default ranges for the TC
189. ed s a zA Z s TOTALNODE echo 1 sed s 1 total Chapter 15 Advanced Configuration TOTAL config g TOTALNODE sed s NEWTOTAL TOTAL 1 Make backup copy of config file cp etc config config xml etc config contig bak echo backup of etc config config xml saved in etc config config bak if z S NUMBER test whether a singular node is being deleted e g config sdt hosts then echo deleting 1 config d 1 echo Done exit O elif SNUMBER TOTAL Test if only one item exists then echo only one item exists Deleting node echo Deleting 1 config d 1 Modifying item total config s TOTALNODE O echo Done exit O elif SNUMBER It TOTAL more than one item exists then Modify the users list so user numbers are sequential by shifting the users into the gap one at a time echo Deleting 1 LASTFIELDTEXT echo LASTFIELD sed s 0 9 g CHECKTOTAL config 8 SROOTNODE LASTFIELDTEXT TOTAL if z CHECKTOTAL then echo WARNING TOTALNODE greater than number of items fi COUNTER 1 while COUNTER TOTAL NUMBER 1 do config g SROOTNODE LASTFIELDTEXT NUMBER COUNTER while read LINE do config s echo LINE sed e s LASTFIELDTEXT NUMBER COUNTER LASTFIELDTEXT NUMBER COUNTER 1 Chapter 15 Advanced Configuration e SET done let COUNTER done
190. ed above or you can configure the tools and manage the UPS s directly from the command line This section provides an overview of NUT You can find full documentation at http www networkupstools org doc NUT is built on a networked model with a layered scheme of drivers server and clients 1 The driver programs talk directly to the UPS equipment and run on the same host as the NUT network server upsd Drivers are provided for a wide assortment of equipment from most of the popular UPS vendors and they understand the specific language of each UPS and map it back to a compatibility layer This means both an expensive smart protocol UPS and a simple power strip model can be handled transparently The NUT network server program upsd is responsible for passing status data from the drivers to the client programs via the network upsd can cache the status from multiple UPS s and can then serve this status data to many clients upsd also contains access control features to limit the abilities of the clients So only authorized hosts may monitor or control the UPS hardware There are a number of NUT clients that connect to upsd to check on the status of the UPS hardware and do things based on the status These clients can run on the same host as the NUT server or they can communicate with the NUT server over the network enabling them to monitor any UPS anywhere The upsmon client enables servers that draw power through the UPS i e Slaves
191. een each node branch e g to access and display the description of user type config g config users user1 description The root node of the config tree is lt config gt To display the entire config tree type config g config To display the help text for the config command type config h The config application resides in the bin directory The environmental variable called PATH contains a route to the bin directory This allows a user to simply type config at the command prompt instead of the full path bin config Options a run all h help v verbose d del id g get id p path file r run configurator S set id value e export file i import file t test import file S separator char P password id Run all registered configurators This performs every configuration synchronization action pushing all changes to the live system Display a brief usage message Log extra debug information Remove the given configuration element specified by a separated identifier Display the value of a configuration element Specify an alternate configuration file to use The default file is located at etc config config xml Run the specified registered configurator Registered configurators are listed below Change the value of configuration element specified by a separated identifier Save active configuration to file Load configuration from file Pretend to load configuration from file
192. emice 5 Edit Port Redirection Local Address localhost Local TCP Port 5900 UDP Port 7 0K 6 Cancel Note SDT Connector can also tunnel UDP services SDT Connector tunnels the UDP traffic through the TCP SSH redirection so in effect it is a tunnel within a tunnel Enter the UDP port on which the service is running on the host This will also be the local UDP port that SDT Connector binds as the local endpoint of the tunnel Note that for UDP services you still need to specify a TCP port under General This will be an arbitrary TCP port that is not in use on the gateway An example of this is the SOL Proxy service It redirects local UDP port 623 to remote UDP port 623 over the arbitrary TCP port 6667 Chapter 6 Secure SSH Tunneling amp SDT Connector 6 2 7 Adding a client program to be started for the new service Clients are local applications that may be launched when a related service is clicked To add to the pool of client programs e Select Edit Preferences and click the Client tab Click Add Sea Tripp Lite SDTConnector J a 5a SDT Connector Preferences Add Client Client name Path to client executable file g Browse Command line format for client executable 8 ok 9 Cancel A Close e Enter a Name for the client Enter the Path to the executable file for the client or click Browse to locate the executable
193. er Next you will need to set up SSH keys for each end of the tunnel and upload these keys to the Server and Client console servers Bg Chapter 15 Advanced Configuration Client Keys The first step in setting up ssh tunnels is to generate keys Ideally you will use a separate secure machine to generate and store all keys to be used on the Console Servers However if this is not ideal to your situation keys may be generated on the Console Servers themselves It is possible to generate only one set of keys and reuse them for every SSH session While this is not recommended each organization will need to balance the security of separate keys against the additional administration they bring Generated keys may be one of two types RSA or DSA and it is beyond the scope of this document to recommend one over the other RSA keys will go into the files id_rsa and id_rsa pub DSA keys will be stored in the files id_dsa and id_dsa pub For simplicity going forward the term private key will be used to refer to either id_rsa or id_dsa and public key to refer to either id_rsa pub or id_dsa pub Client 1 Server Client 2 Client 1 Keys Client 2 Keys To generate the keys using OpenBSD s OpenSSH suite we use the ssh keygen program ssh keygen t rsa dsa Generating public private rsa dsa key pair Enter file in which to save the key home user ssh id_ rsa dsa Enter passphrase empty for no passphrase Enter same p
194. er The Console Server continually pings probe addresses whilst in original and failover states The original state will automatically be set as a priority and reestablished following three successful pings of the probe addresses during failover The failover state will be removed once the original state has been re established Chapter 5 Firewall Failover and Out of Band 5 7 Firewall amp Forwarding Console Servers provide basic firewalled routing NAT Network Address Translation packet filtering and port forwarding Support on all network interfaces LAN 1 Network interface SOTOAN IP PEN S A ee FILTERING lt lt a LAFFIC MASQUERADE 4 TRAFFIC ATES LANZ ManagementLAN gt wll EN i Modem Dial in Dialout gt INCOMING NETWORK i A TRAFFIC FORWARD Wireless802 11 TER E SERVICE gt ple e ACCESS DNS SDT _ NS SOY CONTROL 5 7 1 Configuring network forwarding and IP masquerading To use a Console Server as an Internet or external network gateway requires establishing an external network connection and then setting up forwarding and masquerading Note Network forwarding allows the network packets on one network interface i e LAN1 ethO to be forwarded to another network interface i e LAN2 eth1 or dial out cellular so that locally networked devices can connect to IP through the Console Server to devices on remote networks IP masquerading is used to allow all the devices on your local privat
195. er of each page TRIPP LITE Lpa a POWER PROTECTION System Administration Or select Status Support Report and note the Firmware Version To upgrade you must first download the latest firmware image from http www tripplite com EN support downloads driver firmware downloads cfm Save this downloaded firmware image file on to a system on the same subnet as the Console Server Also download and read the release_notes txt for the latest information To then upload the firmware image file to your Console Server select System Firmware Serial amp Network Serial Port Firmware Upgrade Phonon EEA o a Geom Fi No file chosen Authentication Specify a valid firmware file to upgrade the unit with Network Hosts z Trusted Networks Firmware Options IPsec VPN z OpenVPN Advanced options should only be used at the request of customer support Cascaded Ports aree UPS Connections Apply RPC Connections Specify the address and name of the downloaded Firmware Upgrade File or Browse the local subnet and locate the downloaded file Click Apply and the Console Server appliance will undertake a soft reboot and commence upgrading the firmware This process will take several minutes After the firmware upgrade has completed click here to return to the Management Console Your Console Server will have retained all its pre upgrade configuration information Chapter 11 System Management 11 3 Config
196. ervices and Users access Section 6 1 e Setting up the SDT Connector client with gateway host service and client application details and making connections between the Client computer and hosts connected to the Console Server Section 6 2 e Using SDT Connector to browser access the Management Console Section 6 3 e Using SDT Connector to Telnet or SSH connect to devices that are serially attached to the Console Server Section 6 4 The chapter then covers more advanced SDT Connector and SDT tunneling topics e Using SDT Connector for out of band access Section 6 5 e Automatic importing and exporting of configurations Section 6 6 e Configuring Public Key Authentication Section 6 7 e Setting up a SDT Secure Tunnel for Remote Desktop Section 6 8 e Setting up a SDT Secure Tunnel for VNC Section 6 9 Using SDT to IP connect to hosts that are serially attached to the Console Server Section 6 10 Chapter 6 Secure SSH Tunneling amp SDT Connector 6 1 Configuring for SDT Tunneling to Hosts To set up the Console Server to SDT access a network attached host the host and the permitted services that are to be used in accessing that host need to be configured on the gateway and User access privileges need to be specified e Add the new host and the permitted services using the Serial amp Network Network Hosts menu as detailed in Network Hosts Chapter 4 4 Only these permitted services will be forwarded by SDT to the host
197. es Edit the OpenVPN tunnel e Select the Manage OpenVPN Files tab Upload or browse to relevant authentication certificates and files Manage OpenVPN Files Configuration File Root CA Certificate Certificate File Private Key File Diffie Hellman File var T esting Certificates ca c rt jing Certificates acm clientcrt 1 g Certificates acm clientkey File is not NorthStOutlet custom VPN conf No file available Upload No file available Upload No file available Upload o file ae e Apply to save changes Saved files will be displayed in red on the right hand side of the Upload button Chapter 4 Serial Port Device and User Configuration Manage OpenVPN Files Configuration File File is not NorthStoutlet custom VPN cont Root CA Browse is NarhStOutlet earns Browse Upload oes Certificate File Browse TEET NorthStOutlet i Upload Browse Upload Norm public ert Private Key File Browse Upload NorthStOutlet VPN private Key Diffie Hellman File Browse U No file st Jpload Upload available Apply e To enable OpenVPN Edit the OpenVPN tunnel OpenVPN Tunnels Tunnel Name Tunnel Configuration Protocol Details Enabled Mode Method NorthStOutlet VPN Client PKI X 509 udp Server s N Edit Delete 192 168 250 106 1194 Add e Check the Enabled button e Apply to save changes Note Please make sure that the console server system time is correc
198. es a consolidated view of the settings for its own and all the Slave s serial ports however the Master does not provide a fully consolidated view For example if you want to find out who s logged in to cascaded serial ports from the master you ll see that Status Active Users only displays those users active on the Master s ports so you may need to write custom scripts to provide this view This is covered in Chapter 11 Chapter 4 Serial Port Device and User Configuration 4 7 Serial Port Redirection Tripp Lite s VirtualPort software delivers the virtual serial port technology your Windows applications need to open remote serial ports and read the data from serial devices that are connected to your Console Server ag Pers SSS ree a AN Application Q a ze P VirtualPort Glents BE TrippLite Serial Port Console Servers a hh but pplication lt A rar VirtualPort is supplied with each BO96 016 BO96 048 Console Server Management Switch or BO92 016 Console Server with PowerAlert or BO95 003 1E M BO95 004 1E Console Server You are licensed to install VirtualPort on one or more computers for accessing any serial device connected to any Tripp Lite Console Server port 4 7 1 Install VirtualPort client VirtualPort is fully compatible with 32 bit and 64 bit versions of Windows NT 4 x Windows XP Windows 2000 Windows 2003 Windows 2008 Windows Vista and 64 bit and Windows 7 The installation p
199. es and the simultaneous application of these changes to a specific device For example changes to authentication methods or user accounts may be grouped and run once to minimize system downtime To enable e Check the Delayed Config Commits button under System Administration e Click Apply e The Commit Config icon Commit will now be displayed in top right hand corner of the screen between the Backup and Log Out icons Contig hal Oo Log Out TRIPPLITE 280 POWER PROTECTION System Administration To queue then run configuration changes O E FEA e Firstly apply all the required changes to the configuration e g modify user accounts amend authentication method enable OpenVPN tunnel or modify system time e Click the Commit Config button This will generate the System Commit Configuration screen displaying all the configurators to be run System Commit Configuration Serial amp Network Serial Port Users amp Groups Authentication dialin Network Hosts pars Trusted Networks bada intsensors nagios power serialconfig ups users Apply Cancel The following configurators will be run on config commit cascade console IPsec VPN OpenVPN Cascaded Ports UPS Connections RPC Connections Environmental Managed Devices e Click Apply to run all the configurators in the queue e Alternately click Cancel and this will discard all the delayd configuration
200. es the Console Server to Telnet to a serial port they are normally given a login prompt However with unauthenticated Telnet they connect directly through to port with any Console Server login at all This mode is mainly used when you have an external system Such as conserver managing user authentication and access privileges at the serial device level For Unauthenticated Telnet the default port address is IP Address _ Port 6000 serial port i e 6001 6048 Web Terminal Selecting Web Terminal enables web browser access to the serial port via Manage Devices Serial using the Management Console s built in AJAX terminal Web Terminal connects as the currently authenticated Management Console user and does not re authenticate See section 13 3 for more details Accumulation Period By default once a connection has been established for a particular serial port Such as a RFC2217 redirection or Telnet connection to a remote computer then any incoming characters on that port are forwarded over the network on a character by character basis The accumulation period changes this by specifying a period of time that incoming characters will be collected before then being sent as a packet over the network Escape Character This enables you to change the character used for sending escape characters The default is Power Menu This setting enables the shell power command so a user can control the power connection to a Managed Device from command
201. ess To enable OoB dial in access first set up the Console Server configuration for dial in PPP access Once the Console Server is so configured it will wait for an incoming connection from a dial in at a remote site Then remote Administrator s must be configured to dial in and must establish a network connection to the Console Server OoB dial in management E E EEE h Note The BO96 048 016 and BOO95 003 M Console Servers have an internal modem for dial up OoB access The BO92 016 Console Server needs an external modem to be attached via a serial cable to its DBY port With the BO95 004 Console Server the four serial ports are by default all configured as RJ serial Console Server ports However Port 1 can be configured to be the Local Console Modem port for an external modem to be attached Chapter 5 Firewall Failover and Out of Band 5 1 1 Configure dial in PPP To enable dial in PPP access on the Console Server modem port internal modem Serial amp Network Serial Port Serial DBS Port Internal Modem Port Users amp Groups Anthon stinn utnenticatio Serial Settings Serial DB9 Port Baud Rate 115200 The port speed in characters per second Flow Control None y The method of flow control to use Dial In Settings Enable Dial In F Allow incoming modem communication on this port Username The user to dial as Password The secret to use when authenticating the user Confirm Re enter the use
202. essage it will automatically raise an alert Refer to Chapter 7 Alerts amp Logging at Chapter 4 Serial Port Device and User Configuration 4 2 Add Edit Users The Administrator uses this menu selection to set up edit and delete users and to define the access permissions for each of these users r Serial amp Network Users amp Groups Serial amp Network Serial Port Groups Users amp Groups Name Description Authentication ICa LIU Network Hosts admin Provides users with unlimited configuration and management Trusted Networks privileges Cascaded Ports UPS Connections RPC Connections i Add Group Environmenta Alerts amp Logging Users users Provides users with basic management privileges Username Group Description admin admin Master sysadmin user Edit Delete E AC Use Users can be authorized to access specified Console Server serial ports and specified network attached hosts These users can also be given full Administrator status with full configuration and management and access privileges To simplify user set up they can be configured as members of Groups There are two Groups set up by default admin and user 1 Membership of the admin group provides the user with full Administrator privileges The admin user Administrator can access the Console Server using any of the services which have been enabled in System Services e g if only HTTPS has been enable
203. ests Disabled TFIP server Enabled config s config services http enabled on config d config services https enabled config d config services telnet enabled config s config services ssh enabled on config d config services snmp enabled config d config services pingreply enabled config s config services tftp enabled on To set secondary port ranges for any service config s config services telnet portbase port base number Default 2000 config s config services ssh portbase port base number Default 3000 config s config services tcp portbase port base number Default 4000 config s config services rfc221 portbase port base number Default 5000 config s config services unauthtel portbase port base number Default 6000 The following command will synchronize the live system with the new configuration config a 14 1 22 NAGIOS To configure NAGIOS with the following settings NAGIOS host name b095 Name of this system NAGIOS host address 192 168 0 1 IP to find this device at NAGIOS server address 192 168 0 10 upstream NAGIOS server Enable SDT for NAGIOS ext Enabled SDT gateway address 192 168 0 1 defaults to host address Prefer NRPE over NSCA Disabled defaults to Disabled config s config system nagios enabled on config s config system nagios name b095 config s config system nagios address 192 168 0 1 config s config system nagios server address 192 168 0 10 config s co
204. etwork connected Hosts that the user is authorized to access and set up for each of these Hosts the services e g HTTPS IPMI2 0 and the related IP ports being redirected o configure access to the Console Server itself this is shown as a Local Services host o configure access with the enabled services for the serial port devices connected to the Console Server Ec Tripp Lite SDTConnector File Edit Help ae F 208 64 91 182 Services HTTP E ESXi O Tene E Ip Power Web Management Dell Server 2003 DRAC4 HP 2003 Server iLO 2 Dell 2003 Server Dell 2003 Server BMC HP 2003 Server E Local Services Q prs IBM RSAIl Note The Retrieve Hosts function will auto configure all classes of user i e they can be members of user or admin or some other group or no group SDT Connector will however not auto configure the root and it is recommended that this account is only used for initial config and for adding an initial admin account to the Console Server Chapter 6 Secure SSH Tunneling amp SDT Connector 6 2 4 Make an SDT connection through the gateway to a host e Simply point at the host to be accessed and click on the service to be used in accessing that host The SSH tunnel to the gateway is then automatically established the appropriate ports redirected through to the host and the appropriate local client application is launched pointing a
205. ever the Master does not provide a fully consolidated view e g Status Active Users It only displays those users active on the Master s ports You will need to write a custom bash script that parses the port logs if you want to find out who s logged in to cascaded serial ports from the master You will probably also want to enable remote or USB logging as local logs only buffer 8K of data and don t persist between reboots This script would parse each port log file line by line Each time it sees LOGIN username it adds the username to the list of connected users for that port each time it sees LOGOUT username it removes it from the list The list can then be nicely formatted and displayed It is also possible to run this as a CGI script on the BO92 016 In this case the remote USB logged port logs files are in var run portmanager logdir or they are in var log Otherwise you can run the script on the remote log server To enable log storage and connection logging e Select Alerts amp Logging Port Log e Configure log storage e Select Serial amp Network Serial Port Edit the serial port s e Under Console Server select Logging Level 1 and click Apply Chapter 15 Advanced Configuration To run the CGI script on the Console Server e Login to the BO92 016 e Run mount o remount rw dev hdal e Copy the script to home httpd cgi bin e Run mount o remount ro dev hdal e Browse to http 192 168 0
206. f 1c a5 T8 Please contact your system administrator Add correct host key in ssh known_hosts to get rid of this message Offending key in ssh known_hosts 1 RSA host key for remhost has changed and you have requested strict checking Host key verification failed If the host key has been legitimately changed it can be removed from the ssh known_hosts file and the new fingerprint added If it has not changed this indicates a serious problem that should be investigated immediately 15 6 7 SSH tunneled serial bridging You have the option to apply SSH tunneling when two Black Box console servers are configured for serial bridging Ethernet LAN 4 k serially connected device COM Port connected e g security appliance control PC As detailed in Chapter 4 the Server console server is setup in Console Server mode with either RAW or RFC2217 enabled and the Client console server is set up in Serial Bridging Mode with the Server Address and Server TCP Port 4000 port for RAW or 5000 port for RFC2217 specified e Select SSH Tunnel when configuring the Serial Bridging Setting Serial Bridge Settings Serial Bridging Mode Create a network connection to a remote serial port via RFC 2217 Server Address The network address of an RFC 2217 server to connect to Server TCP Port The TCP port the RFC 2217 server is serving on RFC 2217 Enable RFC 2217 access SSH Tunnel Redirect the serial bridge over an SSH tunnel to the serv
207. f required SNMP v3 provides secure SNMP operations through the use of USM User based Security Model It offers various levels of security including user based authentication and basic encryption o The Engine ID is used to localize the SNMPv3 user It will be automatically generated from a Network Interface ethO hardware address if left blank or must be entered as a hex value e g OxXO1020304 o Specify the Security Level 207 Chapter 15 Advanced Configuration noauth No authentication or encryption is required This is the minimum level of security auth Authentication will be required but encryption is not enforced An authentication protocol SHA or MD5 and password will be required priv Enforces the use of encryption This is the highest level of security and requires an encryption protocol DES or AES and password in addition to the authentication protocol and password o Complete the Read Only Username Enter the read only security name This field is mandatory and must be completed when configuring the Console Server for SNMPv3 o Fora Security Level of auth select the Auth Protocol SHA or MD5 and the Auth Password A password of at least 8 characters is required o Fora Security Level of priv select the Privacy Protocol DES or AES and the Privacy Password AES is recommended as it provides stronger privacy but requires more intense calculations A password of at least 8 characters is required e Click Apply
208. f the gateway device connecting it to the Internet as the Left Address You can leave this blank to use the interface of the default route Chapter 4 Serial Port Device and User Configuration e In Right Address enter the public IP or DNS address of the remote end of the tunnel only if the remote end has a static or dyndns address Otherwise leave this blank e Ifthe VPN gateway is serving as a VPN gateway to a local subnet e g the Console Server has a Management LAN configured enter the private subnet details in Left Subnet Use the CIDR notation where the IP address number is followed by a slash and the number of one bits in the binary notation of the netmask For example 192 168 0 0 24 indicates an IP address where the first 24 bits are used as the network address This is the same as 255 255 255 0 If the VPN access is only to the console server itself and to its attached serial console devices then leave Left Subnet blank e lf there is a VPN gateway at the remote end enter the private subnet details in Right Subnet Again use the CIDR notation and leave blank if there is only a remote host e Select Initiate Tunnel if the tunnel connection is to be initiated from the Left console server end This can only be initiated from the VPN gateway Left if the remote end was configured with a static or dyndns IP address e Click Apply to save changes Note It is essential the configuration details set up on the Console Server referre
209. frequency of 50 or 60 Hz and the total power consumption per console server is less than 20W The DC power sockets on the BO95 004 003 Console Server is located on the side of the metal case marked PXR 2 3 Network Connection The RJ45 10 100 LAN port is located on the rear of the BO92 016 Console Server on the front of the BO96 048 016 Console Server Management Switch and on the side panel of the BO95 004 003 Console Server All physical connections are made using industry standard Cat5e patch cables Tripp Lite NOO1 and NOO2 series cables Ensure you only connect the LAN port to an Ethernet network that supports 10Base T 100Base T For the initial configuration of the Console Server you must connect a computer to the Console Server s principal network port Chapter 2 Installation 2 4 Serial Port Connection The RJ45 serial ports are located on the rear of the BO92 016 Console Server on the front of the BO96 048 016 Console Server Management Switch and on the side panel of the BO95 004 003 Console Server These Console Servers use the RJ45 pinout used by Cisco Use straight through RJ 45 cabling to connect to equipment such as Cisco Juniper SUN and more ei 3 PIN SIGNAL DEFINITION DIRECTION gt CTS Clear To Send te Data Set Ready Input RD DSR Data Set Ready Input 70 GND Signal Ground pork GND Signal Ground gt TXD Transmit Data Output DTR Data Terminal Ready Output RTS Request To Send Output Conventional Cat5 cabling with R
210. g due to network failure are reported as status unknown If possible output will be compressed into host ranges n node Query node power status of targets if implemented by RPC If no targets are specified query all targets In this context a node in the OFF state could be ON at the plug but operating in standby power mode b beacon Query beacon status if implemented by RPC If no targets are specified query all targets t temp Query node temperature if implemented by RPC If no targets are specified query all targets Temperature information is not interpreted by powerman and is reported as received from the RPC on one line per target prefixed by target name h help Display option summary L license Show powerman license information d destination host port Connect to a powerman daemon on non default host and optionally port V version Display the powerman version number and exit D device Displays RPC status information If targets are specified only RPC s matching the target list are displayed T telemettry Causes RPC telemetry information to be displayed as commands are processed Useful for debugging device scripts X exprange Expand host ranges in query responses For more details refer http linux die net man 1 powerman Also refer powermand http linux die net man 1 powermand documentation and powerman conf http linux die net man 5 powerman conf Target Specification
211. g ssh keygen PuTTYgen or a similar tool You may use RSA or DSA however it is important that you leave the passphrase field blank o PulTYgen http www chiark greenend org uk sgtatham putty download html o OpenSSH http www openssh or o OpenSSH Windows http sshwindows sourceforge net download e Upload the public part of your SSH key pair this file is typically named id_rsa pub or id_dsa pub to the SSH gateway or add it to the ssh authorized keys in your home directory on the SSH gateway e Next add the private part of your SSH key pair this file is typically named id_rsa or id_dsa to SDT Connector Click Edit Preferences Private Keys Add locate the private key file and click OK You do not have to add the public part of your SSH key pair it is calculated using the private key SDT Connector will now use public key authentication when connecting through the SSH gateway Console Server You may have to restart SDT Connector to shut down any existing tunnels that were established using password authentication If you have a host behind the Console Server that you connect to by clicking the SSH button in SDT Connector you may also wish to configure access to it for public key authentication as well This configuration is entirely independent of SDT Connector and the SSH gateway You must configure the SSH client that SDT Connector launches e g Putty OpenSSH and the host s SSH server for public key authentication Essentially
212. g the key and certificate Launching the HTTPS Server Power Strip Control PowerMan pmpower Adding new RPC devices IPMitool Scripts for Managing Slaves SMS Server Tools Multicast 193 193 193 194 195 195 196 199 200 200 201 202 202 203 204 204 204 205 206 206 206 209 210 211 211 211 212 212 214 215 216 218 219 219 219 219 220 220 221 221 222 222 224 226 227 227 Table of Contents Thin Client B092 016 228 16 1 Local Client Service Connections 228 16 1 1 Connect Serial Terminal 229 16 1 2 Connect Browser 230 16 1 3 Connect VNC 231 16 1 4 Connect SSH 232 16 1 5 Connect IPMI 233 16 1 6 Connect Remote Desktop RDP 234 16 1 7 Connect Citrix ICA 235 16 1 8 Connect PowerAlert 235 16 2 Advanced Control Panel 236 16 2 1 System Terminal 236 16 2 2 System Shutdown Reboot 236 16 2 3 System Logout 236 16 2 4 Custom 236 16 2 5 Status 236 16 2 6 Logs 236 16 3 Remote Control 237 Appendix A Hardware Specification 238 Appendix B Serial Port Connectivity 239 Appendix C End User License Agreements 241 Appendix D Service and Warranty 248 Chapter 1 Introduction This User Manual is provided to help you get the most from your BO96 016 BO96 048 Console Server Management Switch BO92 016 Console Server with PowerAlert or BO95 004 1E BO95 003 1E M Console Server product These products are referred to generically in this manual as Console Servers Once configured you will be able
213. ger v3 Auth Protocol and password fields config set config system snmp authprotocol3 SHA or config set config system snmp authprotocol3 MD5 config set config system snmp authpassword3 password 1 To set the SNMP Manager v3 Privacy Protocol and password fields config set config system snmp privprotocol3 AES or config set config system snmp privprotocol3 DES config set config system snmp privpassword3 password 2 Once the fields are set apply the configuration with the following command config run snmp You can add a third or more SNMP servers by incrementing the 2 in the above commands e g config system snmp protocol3 config system snmp address3 etc Chapter 15 Advanced Configuration 15 6 Secure Shell SSH Public Key Authentication This section covers the generation of public and private keys in a Linux and Windows environment and configuring SSH for public key authentication The steps to use in a Clustering environment are e Generate a new public and private key pair e Upload the keys to the Master and to each Slave Console Server e Fingerprint each connection to validate 15 6 1 SSH Overview Popular TCP IP applications such as telnet rlogin fto and others transmit their passwords unencrypted Doing this across public networks like the Internet can have catastrophic consequences It leaves the door open for eavesdropping connection hijacking and other network level attacks Secu
214. hboard displays six widgets These widgets include each of the Status screens alerts devices ports ups rpc and environmental status and a custom script screen The admin user can configure which of these widgets is to be displayed where e Go to the Dashboard Layout panel and select which widget is to be displayed in each of the six display locations widget1 6 e Click Apply Serial amp Network Serial Port Dashboard Layout Users amp Groups Authentication z R Network Hosts Configuring Dashboard for Group admin Trusted Networks IPsec VPN OpenVPN Cascaded Ports x Select Widget 2 Managed Devices UPS Connections RPC Connections Select which widget to display in this position Select which widget to display in this position Environmental Managed Devices Select Widget 3 Configure Widgets Select Widget 1 Alerts Active Users X Select Widget 4 UPS v Select which widget to display in this position Select which widget to display in this position Alerts amp Logging Port Log Select Widget 5 RPC X Select Widget 6 Environmental X Select which widget to display in this position Select which widget to display in this position SNMP Refresh Timer Administration Minutes between each dashboard page refresh Default is 5 SSL Certificates Note The Alerts widget is a new screen that shows the cu
215. he Local Backup tab and click here to proceed This will set a Volume Label on the USB storage device This preparation step is only necessary the first time and will not affect any other information you have saved onto the USB storage device However it is recommended that you back up any critical data from the USB storage device before using it with your Console Server If there are multiple USB devices installed you will be warned to remove them System Configuration Backup Serial amp Network sh iecey komata ee Local Backup XML Configuration Users amp Groups Authentication Network Hosts Local Backup Trusted Networks Before saving configuration locally you must prepare the USB storage device for use OpenVPN Cascaded Ports Disconnect all USB storage devices except for the storage device you wish to prepare then click here to UPS Connections proceed After the USB storage device has been prepared you may reconnect other USB storage RPC Connections devices Envirnanmental e To backup to the USB enter a brief Description of the backup in the Local Backup menu and select Save Backup e The Local Backup menu will display all the configuration backup files you have stored onto the USB flash e To restore a backup from the USB simply select Restore on the particular backup you wish to restore and click Apply After saving a local configuration backup you may choose to use it as the alternate default
216. he Source port e g 54321 e Set the Destination IP details o If your destination device is network connected to the Console Server and you are connecting using RDP set the Destination as lt Managed Device IP address DNS Name gt 3389 e g if when setting up the Managed Device as Network Host on the Console Server you specified its IP address to be 192 168 253 1 or its DNS Name was accounts myco intranet com then specify the Destination as 192 168 523 1 3389 or accounts myco intranet com 3389 Only devices which have been configured as networked Hosts can be accessed using SSH tunneling except by the root user who can tunnel to any IP address the Console Server can route to Chapter 6 Secure SSH Tunneling amp SDT Connector EY PuTTY Configuration eNi Terminal Options controlling SSH port forwarding F Kenom Port forwarding E a E Local ports accept connections from other hosts ES Window Remote ports do the same SSH 2 only A Appearance Forwarded ports Behaviour Translation w Selection Colours Connection Remove L54321 192 168 253 1 80 i i Add new forwarded port Source port 15555 Destination 192 168 253 1 3389 Local Remote Dynamic i Auto i Pv PvE o If your destination computer is serially connected to the Console Server set the Destination as lt port label gt 3389 e g if the Label you specified on the ser
217. he only way to fix this error is to power cycle the telecom device The first step is to setup a pattern match alert on port 2 to check for the pattern EMERGENCY Next we need to create a custom script to deal with this alert Cd mkdir etc config scripts if the directory does not already exist cp etc scripts oortmanager pattern alert etc config scripts portmanager pattern alert Note Make sure to remove the if statement which checks for a custom script from the new script in order to prevent an infinite loop The pmpower utility is used to send power commands to RPC device in order to power cycle our telecom device pmpower I portO1 o 3 cycle The RPC is on serial port 1 The telecom device is powered by RPC outlet 3 We can now append this command to our custom script This will guarantee that our telecom device will be power cycled every time the console reads the EMERGENCY character stream on port 2 15 1 4 Example script Multiple email notifications on each alert If you desire to send more than one email when an alert triggers you have to create a replacement script using the method described above and add the appropriate lines to your new script Currently there is a script etc scripts alert email which gets run from within all the alert scripts e g portmanager user alert or environmental alert The alert email script is responsible for sending the email The line which invokes the email script looks as fol
218. he two key files e g id_dsa pub the public key and id_dsa the private key For example ssh keygen t rsa dsa Generating public private rsa dsa key pair Enter file in which to save the key home user ssh id_ rsa dsa Enter passphrase empty for no passphrase Enter same passphrase again Your identification has been saved in home user ssh id_ rsa dsa Your public key has been saved in home user ssh id_ rsa dsa pub The key fingerprint is 28 42a 29 38 ba 40 74 11 5e 3f d4 fa e5 36 14 d6 user server Chapter 15 Advanced Configuration It is advisable to create a new directory to store your generated keys It is also possible to name the files after the device they will be used for For example mkdir keys ssh keygen t rsa Generating public private rsa key pair Enter file in which to save the key nome user ssh id_rsa home user keys control_room Enter passphrase empty for no passphrase Enter same passphrase again Your identification has been saved in home user keys control_room Your public key has been saved in home user keys control_room pub The key fingerprint is 28 4a 29 38 ba 40 74 11 5e 3f d4 fa e5 36 14 d6 user server You must ensure there is no password associated with the keys If there is a password then the Console Server devices will have no way to supply it as runtime Full documentation for the ssh keygen command can be found at http www openbsd org cgi bin ma
219. heck that the static IP and subnet mask fields are set e Click on the Disabled link next to DHCP Server which will bring up the System DHCP Server page e Check Enable DHCP Server e To configure the DHCP server tick the Use interface address as gateway check box e Set the DNS server address es lease times allocation pools and pre assigned IP addresses as detailed previously in Chapter 3 6 2 Once applied devices on the internal network will be able to access resources on the external network Chapter 5 Firewall Failover and Out of Band 5 7 3 Port Forwarding When using IP Masquerading devices on the external network cannot initiate connections to devices on the internal network To work around this Port Forwards can be set up to allow external users to connect to a specific port or range of ports on the external interface of the Console Server and have the Console Server redirect the data to a specified internal address and port range To setup a port forward e Navigate to the System Firewall page and click on the Port Forwarding tab e Click Add New Port Forward e Fill in the following fields Name Name for the port forward This should describe the target and the service that the port forward is used to access Input Interface This allows the user to only forward the port from a specific interface In most cases this should be left as Any Source Address This allows the user to restrict access to a port forward t
220. here s a wide selection of client programs which support monitoring UPS hardware via NUT Big Sister Cacti Nagios Windows and more Refer to www networkupstools org client projects So NUT supports the more complex power architectures found in data centers computer rooms and NOCs where many UPS s from many vendors power many systems with many clients and each of the larger UPS s power multiple devices and many of these devices are themselves dual powered Chapter 8 Power and Environment 8 3 Environmental Monitoring The Environmental Monitoring Device EMD model BO9O EMD can be connected to any Console Server serial port and each Console Server can support multiple EMD s Each EMD has one temperature and one humidity sensor and one general purpose status sensor which can be connected to a smoke detector water detector vibration or open door sensor The BO95 004 003 Console Server models also each has an internal temperature sensor Using the Management Console Administrators can view the ambient temperature and humidity and set the EMD to automatically send alarms progressively from warning levels to critical alerts Wibr2tion Sensor ry EHD EMD HAC E PPH alpat A Hinan gi Pests kita tae A Hi Tk ariji biH eet H nr naa Bhide t A llibe irdi Chapter 8 Power and Environment 8 3 1 Connecting the EMD The Environmental Monitoring Sensor EMD connects to any serial port on the Console Server via a special
221. ial installation configuration steps will be displayed These steps are e Change default administration password System Administration page Refer Chapter 3 2 e Configure the local network settings System IP page Refer Chapter 3 3 To configure Console Server features e Configure serial ports settings Serial amp Network Serial Port page Refer Chapter 4 e Configure user port access Serial amp Network Users page Refer Chapter 4 After completing each of the above steps you can return to the configuration list by clicking the Tripp Lite logo in the top left corner of the screen TRIPP LITE POWER PROTECTION Note If you are not able to connect to the Management Console at 192 168 0 1 or if the default Username Password were not accepted then reset your Console Server refer Chapter 10 3 1 3 Initial BO92 016 connection You can configure the BO92 016 Console Server using a connected computer and browser connection as described in the two sections above or you can configure it directly To do this you will need to connect a console keyboard mouse and display or a KVM switch directly to its mouse keyboard and VGA ports When you initially power on the BO92 016 you will be prompted on your directly connected video console to log in e Enter the default administration username and password Username root Password default The BO92 016 control panel will be displayed e Click the Configure button on the control panel This w
222. ial port on the Console Server is win2k3 then specify the remote host as win2k3 3389 Alternative you can set the Destination as portXx 3389 where XX is the SDT enabled serial port number e g if port 4 is on the Console Server is to carry the RDP traffic then specify port04 3389 Note http www jfitz com tips putty_config html has useful examples on configuring PuTTY for SSH tunneling e Select Local and click the Add button Click Open to SSH connect the Client PC to the Console Server You will now be prompted for the Username Password for the Console Server user Chapter 6 Secure SSH Tunneling amp SDT Connector ee 192 166 252 202 PuTTY o If you are connecting as a User in the users group then you can only SSH tunnel to Hosts and Serial Ports where you have specific access permissions o If you are connecting as an Administrator in the admin group then you can connect to any configured Host or Serial Ports which has SDT enabled To set up the secure SSH tunnel for a HTTP browser connection to the Managed Device specify port 80 rather than port 3389 as was used for RDP in the Destination IP address To set up the secure SSH tunnel from the Client Viewer PC to the Console Server for VNC follow the steps above however when configuring the VNC port redirection specify port 5900 in the Destination IP address Note How secure is VNC VNC access generally allows access to your whole computer so security is very imp
223. ibutions of Linux download source untar configure make make then install rdesktop currently runs on most UNIX based platforms with the X Window System and can be downloaded from http www rdesktop org C On a Macintosh client e Download Microsoft s free Remote Desktop Connection client for Mac OS X http www microsoft com mac otherproducts otherproducts aspx pid remotedesktopclient Chapter 6 Secure SSH Tunneling amp SDT Connector 6 9 SDT SHH Tunnel for VNC Alternately with SDT and Virtual Network Computing VNC Users and Administrators can securely access and control Windows 98 NT 2000 XP 2003 Linux Macintosh Solaris and UNIX computers There s a range of popular VNC software available UltraVNC RealVNC TightVNC freely and commercially To set up a secure VNC connection install and configure the VNC Server software on the computer to be accessed Then install and configure the VNC Viewer software on the Viewer computer 6 9 1 Install and configure the VNC Server on the computer to be accessed Virtual Network Computing VNC software enables users to remotely access computers running Linux Macintosh Solaris UNIX all versions of Windows and most other operating systems A For Microsoft Windows servers and clients Windows does not include VNC software so you will need to download install and activate a third party VNC Server software package FE AL RealVNC http www realvnc com is fully cross pla
224. ietary software and or proprietary software licensed to Tripp Lite This Tripp Lite End User License Agreement EULA is a legal agreement between you either an individual or a single entity and Tripp Lite for the installed software product of Tripp Lite origin as well as associated media printed materials and online or electronic documentation Software By installing copying downloading accessing or otherwise using the Software you agree to be bound by the terms of this EULA If you do not agree to the terms of this EULA Tripp Lite is not willing to license the Software to you In such event do not use or install the Software If you have purchased the Software promptly return the Software and all accompanying materials with proof of purchase for a refund Products with separate end user license agreements that may be provided along with the Software are licensed to you under the terms of those separate end user license agreements LICENSE GRANT Subject to the terms and conditions of this EULA Tripp Lite grants you a nonexclusive right and license to install and use the Software on a single CPU provided that 1 you may not rent lease sell sublicense or lend the Software 2 you may not reverse engineer decompile disassemble or modify the Software except and only to the extent that such activity is expressly permitted by applicable law notwithstanding this limitation and 3 you may not transfer rights under thi
225. iguration Master Slave AA disave authorized_key authorized_key ssh rsa ssh rsa AAAAB3NzaC1 yc2Efg4 t AAAAB3NzaC1 yc2Efg4 t GHIAAA name client1 GHIAAA name client1 BEGIN RSA PRIVATE KEY MIIEogIBAAKCAQEA yIPGsNf5 a0LnPUMc nujXXPGiQGyD3b79 KZg3UZ4MjZI525sCy opv4TJTvTK6e8QIYt GYTByUdl id_rsa pub ssh rsa AAAAB3NzaC 1yc2Efg4 tGHIAAA name client1 If the Console Server device selected to be the server will only have one client device then the authorized_keys file is simply a copy of the public key for that device If one or more devices will be clients of the server then the authorized_keys file will contain a copy of all of the public keys RSA and DSA keys may be freely mixed in the authorized_keys file For example assume we already have one server called bridge server and two sets of keys for the control room and the plant_entrance Is home user keys contro _room control_room pub plant_entrance plant_entrance pub cat home user keys control_room pub home user keys plant_entrance pub gt home user keys authorized_keys_bridge_server Chapter 15 Advanced Configuration Master Master MA A a authorized_keys ssh rsa AAAAB3NzaC1 yc2Efg4 tGHI i AAA name client1 id dsa ssh dss AAAAB3NzaZr OV01C8gdgz BEGIN DSA XDg name client2 PRIVATE KEY MIIBugIBAAKBgQCR kixjJOSKuiIREXTM xOPFp9HqBvEg 7Ww9 oynY4QNiXj1 YU7T 87ITLQiAhn3yp7ZWy BEGIN RS
226. iguration Method IP Address Subnet Mask Gateway Primary DNS Secondary DNS Media DHCP Server Failover Interface Primary Probe Address Management LAN Interface General Settings DHCP Static The mechanism to acquire IP settings A statically assigned IP address A statically assigned network mask A statically assigned gateway A statically assigned primary name server A statically assigned secondary name server Auto x The Ethernet media type Disabled Configure a DHCP server for this interface None x 1D st be configured and enabled for Management LAN lan Serial DB9 Port sercon DISABLED Internal Modem modem01 DISABLED e When configuring the principal network connection on the System IP Network Interface menu select Management LAN eth1 as the Failover Interface to be used when a fault has been detected with main Network Interface ethO Chapter 5 Firewall Failover and Out of Band e Specify the Probe Addresses of two sites the Primary and Secondary that the BO96 048 016 is to ping to determine if Network ethO is still operational e Then configure Management LAN Interface eth1 with the same IP setting that you used for the main Network Interface ethO to ensure transparent redundancy In this mode Network 2 eth1 is available as the transparent back up port to Network 1 ethO for accessing the management network Network 2 will automatically and transparently ta
227. il Connect to the network at my workplace Connect to a business network using dial up or VPN so you can work from home a field office or another location O Set up a home or small office network Connect to an existing home or small office network or set up a new one Set up an advanced connection eee directly to another computer using your serial irp or infrared port or set up this computer so that other computers can connect to it Select Set up an advanced connection and click Next On the Advanced Connection Options screen select Accept Incoming Connections and click Next Select the Connection Device i e the serial COM port on the Windows computer that you cabled through to the Console Server By default select COM1 The COM port on the Windows computer should be configured to its maximum baud rate Click Next On the Incoming VPN Connection Options screen select Do not allow virtual private connections and click Next Chapter 6 Secure SSH Tunneling amp SDT Connector New Connection Wizard You can specify the users who can connect to this computer Select the check box next to each user who should be allowed a connection to this computer Note that other factors such as a disabled user account may affect a user s ability to connect Users allowed to connect O E i Guest O E i HelpAssistant Remote Desktop Help Assistant Account C Remote Bob Remote Bob O Sef SUPPORT_388945a0 CN Microsoft Corpora
228. ill load the Firefox browser and open the BO92 016 Management Console rs Configure Ea Connect Logs cs Status bs Custom M System Mozilla Firefox RAR File Edit View History Bookmarks Tools Help E gt G Google Authentication Required Ga Enter username and password for 127 0 0 1 8161 at http 127 0 0 1 6161 User Name Password rr C Use Password Manager to remember this password Cancel OK eet for 127 0 0 1 e At the Management Console menu select System Administration Chapter 3 Initial System Configuration 3 2 Administrator Password For security reasons only the administration user named root can initially log into your Console Server Only those people who know the root password can access and reconfigure the Console Server itself However anyone who correctly guesses the root password and the default root password which is default could gain access It is therefore essential that you enter and confirm a new root password before giving the Console Server any access to or control of your computers and network appliances System Administration Serial amp Network Serial Port System Name b096 048 Users amp Groups Authentication An ID for this device Network Hosts Trusted Networks System IDA Description IPsec VPN Th hy T t f this device OpenVPN 1e physical location of this device Cascaded Ports UPS Connecti
229. in Mo Plugin detected Contig C Frosy Repeater Save connection settings as default Delete saved settings B When the Viewer computer is connected directly to the Console Server either locally or remotely through a VPN or dial in connection and the VNC Host computer is serially connected to the Console Server then enter the IP address of the Console Server unit with the TCP port that the SDT tunnel will use The TCP port will be 7900 plus the physical serial port number i e 7901 to 7948 so all traffic directed to port 79xx on the Console Server is tunneled through to port 5900 on the PPP connection on serial Port xx For example for a Windows Viewer computer using UltraVNC connecting to a VNC Server which is attached to Port 1 on a Console Server enter 192 168 0 1 Chapter 6 Secure SSH Tunneling amp SDT Connector Te ra TA a nT Omas Y VNC Server 192 168 0 1 7901 i host display or host port i dat Quick Options O AUTO Auto select best settings Connect ULTRA aM bits Experimental OLAN gt TMbite s Max Colors Panci O MEDIUM 128 256K bit s 256 Colors i G MODEM 19 128K bits 64 Colors O SLOW T9kkbits 6 Colors View Ony C Auto Scaling Alptida Use DSMPlugin Mo Plugin detected s Config Frosp Repeater Save connection settings as default Delete saved settings e You can then establi
230. in SDT Gateway Address e When NRPE and NSCA are both enabled NSCA is preferred method for communicating with the upstream Nagios server check Prefer NRPE to use NRPE whenever possible i e for all communication except for alerts 10 3 2 Enable NRPE monitoring Nagios Remote Remote Gateway Servers Monitoring Host Enabling NRPE allows you to execute plug ins Such as check tcp and check_ping on the remote Console Server to monitor serial or network attached remote servers This will offload CPU load from the upstream Nagios monitoring machine which is especially valuable if you are monitoring hundreds or thousands of hosts To enable NRPE Chapter 10 Nagios Integration NRPE Enabled Switch on the NRPE service NRPE Port Port to listen on for NRPE Defaults to 5666 NRPE User User to run as Defaults to nrpe NRPE Group Group to run as Defaults to nobody e Select System Nagios and check NRPE Enabled e Enter the details for the user connection to the upstream Nagios monitoring server Again refer to the sample Nagios configuration example below for details of configuring specific NRPE checks By default the Console Server will accept a connection between the upstream Nagios monitoring server and the NRPE server with SSL encryption without SSL or tunneled through SSH The security for the connection is configured at the Nagios server 10 3 3 Enable NSCA monitoring Nagios Remote Remote Monitoring Host Gateway
231. in the additional groups To set up new Groups and new users and to classify users as members of particular Groups e Select Serial amp Network Users amp Groups to display the configured Groups and Users e Click Add Group to add a new Group Chapter 4 Serial Port Device and User Configuration Serial amp Network Users amp Groups Serial amp Network Serial Port Add a New group Users amp Groups Authentication Network Hosts A group with predefined privileges the user will belong to Trusted Networks Groups Description Cascaded Ports A brief description of the groups role UPS Connections RPC Connections Environmental Managed Devices meg z Accessible Host s No hosts currently configured Accessible Port s Select Unselect all Ports Administration SSL Certificates Port 1 Port 2 Port 3 Configuration Backup Firmware IP Date amp Time Dial Accessible RPC Outlet s DHCP Server No RPCs currently configured Nagios Configure Dashboard I O Ports Apay e Add a Group name and Description for each new Group then nominate the Accessible Hosts Accessible Ports and Accessible RPC Outlets s that you wish any users in this new Group to be able to access e Click Apply e Click Add User to add a new user e Add a Username and a confirmed Password for each new user You may also include information related to the user e g c
232. in the body of the email However some SMS gateway service providers require blank subjects or require specific authentication headers to be included in the subject line e Click Apply to activate SMTP Chapter 7 Alerts and Logging 7 1 3 SNMP alerts The Administrator can configure the Simple Network Management Protocol SNMP agent that resides on the Console Server to send SNMP trap alerts to an NMS management application e Select Alerts amp Logging SNMP e Select Primary SNMP Manager tab The Primary and Secondary SNMP Manager tabs are used to configure where and how outgoing SNMP alerts and notifications are sent If you require your Console Server to send alerts via SNMP then at a minimum a Primary SNMP Manager must be configured Optionally a second SNMP Network Manager with its own SNMP settings can be specified on the Secondary SNMP Manager tab Alerts amp Logging SNMP Serial amp Network Serial Port SNMP Service Details Users amp Groups Authentication Enable Network Hosts Enable the SNMP service Trusted Networks IPsec VPN TCP IP Protocol OpenVPN UDP z Cascaded Ports The TCP IP protocol to serve UPS Connections z RPC Connections Location Environmenta Managed Devices Primary SNMP Manager Secondary SNMP Manager System Location Contact Alerts amp Logging Port Log System Contact Alerts MP v 2c SMTP amp SMS LEY SNMP Read Only Com
233. interval between updates Minimum interval between checks Maximum attempts per update Apply dyns cx v iNone DDNS disabled 3322 dyndns lame assigned to this interface gnudip gt ods 2 address is changed tzo The username Tor tne account to manage this interface The password for the account to manage this interface Re enter the password for confirmation Maximum interval between updates in days DDNS update will be sent even if the address has not changed Defaults to 25 Minimum interval between checks for changed addresses in seconds Updates will still only be sent if the address has changed Defaults to 1800 Number of times to attempt an update before giving up Defaults to 3 e In DDNS Hostname enter the fully qualified DNS hostname for your console server e g your hostname dyndns org e Enter the DDNS Username and DDNS Password for the DDNS service provider account e Specify the Maximum interval between updates in days A DDNS update will be sent even if the address has not changed e Specify the Minimum interval between checks for changed addresses in seconds Updates will still only be sent if the address has changed e Specify the Maximum attempts per update i e the number of times to attempt an update before giving up defaults to 3 Chapter 3 Initial System Configuration 3 4 System Service Access Service Access specifies which access protocols services can be used to access
234. ion COMMANDS help This can be used to get command line help on jomitool commands It may also be placed at the end of commands to get option usage help iomitool help Commands raw Send a RAW IPMI request and print response lan Configure LAN Channels chassis Get chassis status and set power state event Send pre defined events to MC mc Management Controller status and global enables sdr Print Sensor Data Repository entries and readings sensor Print detailed sensor information fru Print built in FRU and scan SDR for FRU locators sel Print System Event Log SEL pef Configure Platform Event Filtering PEF sol Configure IPMIv2 0 Serial over LAN isol Configure IPMIv1 5 Serial over LAN user Configure Management Controller users channel Configure Management Controller channels session Print session information exec Run list of commands from file set Set runtime variable for shell and exec ipmitool chassis help Chassis Commands status power identify policy restart_cause poh bootdev ipmitool chassis power help chassis power Commands status on off cycle reset diag soft You will find more details on ipmitools at http ipmitool sourceforge net manpage html 15 11 Scripts for Managing Slaves When the Console Servers are cascaded the Master is in control of the serial ports on the Slaves and the Master s Management Console provides a consolidated view of the settings for its own and all the Slave s serial ports How
235. ion and all the COM ports configured on that Console Server e Select the console server or COM port on the left hand menu and click the Remove button 4 7 4 Configure the remote serial device connection Ensure the remote serial device is connected to your remote Console Server Then configure the serial port as detailed in the User Guide e Set the RS232 Common Settings e g baud rate e Select Console server mode and specify the appropriate protocol to be used o RAW TCP allows connections directly to a TCP socket and the default TCP port address is 4000 serial port i e the address of the second serial port is IP Address _ 4002 o RFC2217 enables serial port redirection on that port and the default port address is IP Address _ Port 5000 serial port i e 5001 5048 on a 48 port Console Server o VirtualPort Secure mode enables encrypted communication This feature will be available mid 2010 Chapter 4 Serial Port Device and User Configuration 4 8 Managed Devices Managed Devices presents a consolidated view of all the connections to a device that can be accessed and monitored through the Console Server To view the connections to the devices e Select Serial amp Network Managed Devices This will display all the Managed Device with their Description Notes and lists of all the configured Connections e Serial Port if serially connected or e USB if USB connected e IP Address if network connected e Power P
236. ion 4 4 Network Hosts e When adding a new network connected RPC or UPS power device you set up a Network Host designate it as RPC or UPS then go to RPC Connections or UPS Connections to configure the relevant connection Again corresponding new Managed Device with the same Name Description as the RPC UPS Host is not created until this connection step is completed refer Chapter 8 Power and Environment Chapter 4 Serial Port Device and User Configuration To add a new serially connected Managed Device e Configure the serial port using the Serial amp Network Serial Port menu refer Section 4 1 Configure Serial Port e Select Serial amp Network Managed Devices and click Add Device e Enter a Device Name and Description for the Managed Device e Click Add Connection and select Serial and the Port that connects to the Managed Device e To add a UPS RPC power connection or network connection or another serial connection click Add Connection e Click Apply Note To set up a new serially connected RPC UPS or EMD device you configure the serial port designate it as a Device then enter a Name and Description for that device in the Serial amp Network RPC Connections or UPS Connections or Environmental When applied this will automatically create a corresponding new Managed Device with the same Name Description as the RPC UPS Host refer Chapter 8 Power and Environment Also all the outlet names on the PDU will by default be
237. ion if unspecified Hagios T vnnTnnT Fan F FSF F FF FF PETS PEV TOOT z k 1 Check NRPE Iv Use Default args w Command check host alive Check NRPE Q Check Ping Check Permitted TCP Defautt dregs H ROST e BCOMMAND SS Check Permitted UDP Mew Check TCP Check UDP Apply e The Nagios Check nominated as the check host alive check is used to determine whether the network host itself is up or down e Typically this will be Check Ping although in some cases the host will be configured not to respond to pings e f no check host alive check is selected the host will always be assumed to be up e You may deselect check host alive by clicking Clear check host alive e f required customize the selected Nagios Checks to use custom arguments e Click Apply Nagios Settings Enable Nagios Switch Nagios on for this host Host Name Name of host in Nagios Ganerated using host description iF unspectied Checks t check WRPE v Use Default Arge v Command check host aive k Override Default 4rqs l dd to default args c BCOMMAND YS Clear check hast alive Apply Chapter 10 Nagios Integration 10 3 6 Configure the upstream Nagios monitoring host Refer to the Nagios documentation http www nagios org docs for configuring the upstream server e The section entitled Distributed Monitoring steps through what is needed to configure NSCA on the upstream server under Central Server Configuration e NRPE Documentation which has
238. iption UPS in toom 5 config s config devices total 3 To delete this managed UPS config d config ups monitors monitor1 Decrement monitors total when deleting a managed UPS Chapter 14 Command Line Configuration Remote UPSes To add a remote UPS with the following details assuming this is our first remote UPS UPS name oldUPS Description UPS in room 2 Address 192 168 50 50 Log status Disabled Log rate 240 seconds Run shutdown script Enabled config s config ups remotes remote1 name oldUPS config s config ups remotes remote1 description UPS in room 2 config s config ups remotes remote1 address 192 168 50 50 config d config ups remotes remote1 log enabled config s config ups remotes remote1 log interval 240 config s config ups remotes remote1 script enabled on config s config ups remotes total 1 The following command will synchronize the live system with the new configuration config a 14 1 9 RPC Connections You can add an RPC connection from the command line but it is not recommended that you do so because of dependency issues However FYI before adding an RPC the Management Console GUI code makes sure that at least 1 port has been configured to run in device mode and that the device is set to rpc To add an RPC with the following values RPC type APC 7900 Connected via Port 2 UPS name MyRPC Description RPC in room 5 Login name for device roclogin Login password f
239. ironmental Status Environmental Logs EMD Engineering Temperature Graph 26 48 20 45 D Temperature W Humidity EMD Engineering Log Time Temperature Humidity Alarm 1 Alarm 2 Alert Status Fri Jan 16 20 37 05 24 51 Open 0 Open 0 Normal 2009 Fri Jan 16 20 38 05 24 47 Open 0 Open 0 Normal 2009 Chapter 9 Authentication The Tripp Lite Console Server is a dedicated Linux computer and it embodies popular and proven Linux software modules for secure network access OpenSSH and communications OpenSSL and sophisticated user authentication PAM RADIUS TACACS and LDAP e This chapter details how the Administrator can use the Management Console to establish remote AAA authentication for all connections to the Console Server and attached serial and network host devices e This chapter also covers establishing a secure link to the Management Console using HTTPS and using OpenSSL and OpenSSH to establish a secure Administration connection to the Console Server 9 1 Authentication Configuration Authentication can be performed locally or remotely using an LDAP Radius or TACACS authentication server The default authentication method for the Console Server is Local Serial amp Network Authentication Serial amp Network Serial Port Users amp Groups Authentication Network Hosts Trusted Networks Authentication Method IPsec VPN OpenVPN Cascaded Ports UPS Connecti
240. is already a Framed Filter Id simply add the list of group names after the existing entries including the separating colon 9 3 Secure Management Console Access Selecting HTTPS Server in System Services enables the Administrator to establish a secure browser connection Management Console System Firewall Serial amp Network Serial Port Service Access Port Forwarding Port Rules Forwarding amp Users amp Groups Masquerading Authentication Network Hosts z Trusted Networks Service Access IPsec VPN Services Network Dialout Cellular _Dial in VPN OpenVPN Interface Cascaded Ports UPS Connections HTTP Web RPC Connections Management Environmental Managed Devices HTTPS Web 7 7 7 7 Management Alerts amp Logging Telnet command Port Log shel Alerts SMTP amp SMS SSH command 7 J 5 5 e Activate your preferred browser and enter https IP address For example if the Console Server has been set up with an IP address of 200 122 0 12 you need to type https 200 122 0 12 in your address bar e Your browser may respond with a message that verifies the security certificate is valid but notes that it is not necessarily verified by a certifying authority To proceed you need to click yes if you are using Internet Explorer or select accept this certificate permanently or temporarily if you are using Mozilla Firefox e You will then be prompted for the Administrator acc
241. itool will prompt the user for a password If no password is entered at the prompt the remote server password will default to NULL SECURITY The ipmitoo documentation highlights that there are several security issues to be considered before enabling the IPMI LAN interface A remote station has the ability to control a system s power state as well as being able to gather certain platform information To reduce vulnerability it is strongly advised that the IPMI LAN interface only be enabled in trusted environments where system security is not an issue or where there is a dedicated secure management network or access has been provided through an Console Server Further it is strongly advised that you should not enable IPMI for remote access without setting a password and that the password should not be the same as any other password on that system When an IPMI password is changed on a remote machine with the IPMlv1 5 an interface the new password is sent across the network as clear text This could be observed and then used to attack the remote system It is thus recommended that IPMI password management only be done over IPMlv2 0 anplus interface or the system interface on the local station For IPMI v1 5 the maximum password length is 16 characters Passwords longer than 16 characters will be truncated For IPMI v2 0 the maximum password length is 20 characters longer passwords are truncated Chapter 15 Advanced Configurat
242. its 1024 Bits are supposed to be sufficient for most cases Longer keys may result in slower response time of the Console Server during connection establishment o Once this is done click on the button Generate CSR which will initiate the Certificate Signing Request generation The CSR can be downloaded to your administration machine with the Download button Oo Send the saved CSR string to a Certification Authority CA for certification You will get the new certificate from the CA after a more or less complicated traditional authentication process depending on the CA o Upload the certificate to the Console Server using the Upload button as shown below After completing these steps the Console Server has its own certificate that is used for identifying the Console Server to its users Note Information on issuing certificates and configuring HTTPS from the command line can be found in Chapter 15 Advanced Chapter 10 Nagios Integration Nagios is a powerful highly extensible open source tool for monitoring network hosts and services The core Nagios software package will typically be installed on a server or virtual server the central Nagios server Tripp Lite Console Servers can operate in conjunction with a central upstream Nagios server to provide distributing monitoring of attached network hosts and serial devices The Console Servers can embed the NSCA Nagios Service Checks Acceptor and NRPE Nagios Remote Plug in Executor add
243. ivate Key with ones tailored for your new address 15 8 1 Generating an encryption key To create a 1024 bit RSA key with a password issue the following command on the command line of a linux host with the openssl utility installed openssl genrsa des3 out ss _key pem 1024 15 8 2 Generating a self signed certificate with OpenSSL This example shows how to use OpenSSL to create a self signed certificate OpenSSL is available for most Linux distributions via the default package management mechanism Windows users can check http www openssl org related binaries html To create a 1024 bit RSA key and a self signed certificate issue the following openssl command from the host you have openssl installed on openssl req X509 nodes days 1000 newkey rsa 1024 keyout ssl_key pem out ssl_cert pem You will be prompted to enter a lot of information Most of it doesn t matter but the Common Name should be the domain name of your computer When you have entered everything the certificate will be created in a file called ssl_cert pem Chapter 15 Advanced Configuration 15 8 3 Installing the key and certificate The recommended method for copying files securely to the Console Server unit is with an SCP Secure Copying Protocol client The scp utility is distributed with OpenSSH for most Unix distributions while Windows users can use something like the PSCP command line utility available with PuTTY The files created in the steps above
244. ke over the work of Network 1 in the event Network 1 becomes unavailable for any reason By default the Console Server supports automatic failure recovery back to the original state prior to failover The Console Server continually pings probe addresses whilst in original and failover states The original state will automatically be set as a priority and re established following three successful pings of the probe addresses during failover The failover state will be removed once the original state has been re established 5 4 Dial Out Failover The Console Servers can be configured so a dial out PPP connection is automatically set up in the event of a disruption in the principal management network e When configuring the principal network connection in System IP specify Internal Modem or the Dial Serial DB9 if using an external modem on the Console port as the Failover Interface to be used when a fault has been detected with Network1 ethO e Specify the Probe Addresses of two sites the Primary and Secondary that the Console Server is to ping to determine if Network is still operational e Select the System Dial menu option and the port to be configured Serial DB9 Port or Internal Modem Port e Select the Baud Rate and Flow Control that will communicate with the modem Note You can further configure the console modem port e g to include modem init strings by editing etc mgetty config files as described in Chapter 13 e Check the En
245. led below and Tripp Lite will provide source code for any of the components of the Software licensed under the GNU General Public License upon request EXPORT RESTRICTIONS You agree that you will not export or re export the Software any part thereof or any process or service that is the direct product of the Software in violation of any applicable laws or regulations of the United States or the country in which you obtained them U S GOVERNMENT RESTRICTED RIGHTS The Software and related documentation are provided with Restricted Rights Use duplication or disclosure by the Government is subject to restrictions set forth in subparagraph c 1 ii of the Rights in Technical Data and Computer Software clause at DFARS 252 227 7013 or subparagraphs c 1 and 2 of the Commercial Computer Software Restricted Rights at 48 C F R 52 227 19 as applicable or any successor regulations TERM AND TERMINATION This EULA is effective until terminated The EULA terminates immediately if you fail to comply with any term or condition In such an event you must destroy all copies of the Software You may also terminate this EULA at any time by destroying the Software License Agreement GOVERNING LAW AND ATTORNEY S FEES This EULA is governed by the laws of the State of Utah USA excluding its conflict of law rules You agree that the United Nations Convention on Contracts for the International Sale of Goods is hereby excluded in its entirety and
246. lient 16 3 Remote Control You can access the BO92 016 locally via a directly connected keyboard monitor and mouse or KVM switch If the BO92 O16 is connected to a KVMolP infrastructure then this may also provide you with some remote access to the BO92 016 local consoles RDP Telnet VNC ICA JRE etc The BO92 016 also hosts an embedded VNC server that enables you to remotely monitor and control the thin client software RDP Telnet VNC ICA etc that is running in the BO92 016 itself Note You can still run management client software RDP etc on the remote computer and use SDT to securely connect the client directly to the managed devices that are serially or network attached to the BO92 016 This is useful when running proprietary applications such as Dell OpenManage or Windows applications such as VMware VDI client on a remote management computer which is be used to manage a DRAC service processor or VMware virtual device on a remote server Each BO92 016 gateway has an internal VNC server enabling remote administrators to oversee local activity and giving them the option to access and control all the devices themselves To activate the VNC server in the BO92 016 e Select the System Services option in the Management Console menu then check VNC Server or Secure VNC Server Syslog Alternate UPS Status Unauthenticated Telnet is Tee eee Base A secondary TCP port range for Unauthenticated Telnet access to serial port
247. lled on Windows 2000 XP 2003 Vista and on most Linux UNIX and Solaris computers as detailed in Chapter 6 3 5 2 PuTTY Communications packages like PuTTY can be also used to connect to the Console Server command line and to connect to serially attached devices as covered in Chapter 4 PuTTY is a freeware implementation of Telnet and SSH for Win32 and UNIX platforms It runs as an executable application without needing to be installed onto your system PuTTY the Telnet and SSH client itself can be downloaded at http www tucows com preview 195286 html e To use PuTTY for an SSH terminal session from a Windows client Sie enter the Console Server s IP address as the Host Name or IP eon Base opiors for wow PuTTY pemon address WP te Speciy youl connection bp hast rame ai IP addiens e To access the Console Server command line select SSH as the Regt Hane AOR E ees protocol and use the default IP Port 22 Pul TY Configuration Dal RERAN Feabhra Protozoa e Click Open and the Console Server login prompt will appear You J ia LJA KJT i iA 554 7 7 aina enceee iaci al ie may also receive a Security Alert that the host s key is not Behaviou Bee PENE S eee cached Choose yes to continue Tranche Dee Se S alector e Using the Telnet protocol is similarly simple but you need to use Colour Delad Sethenge ad the default port 23 Connechon Ac tuned berepagle Fray Teire Fiogr 3
248. lows bin sh etc scripts alert email suffix amp If you wish to send another email to a single address or the same email to many recipients edit the custom script appropriately You can follow the examples in any of the seven alert scripts listed above In particular let s consider the portmanager user alert script If you need to send the same alert email to more than one email address find the lines in the script responsible for invoking the alert email script then add the following lines below the existing lines export TOADDR emailaddress domain com bin sh etc scripts alert email suffix amp These two lines assign a new email address to TOADDR and invoke the alert email script in the background Chapter 15 Advanced Configuration 15 1 5 Deleting configuration values from the CLI The delete node script is provided to help with deleting nodes from the command line The delete node script takes one argument the node name you want to delete e g config users user1 or config sdt hosts hostL So delete node is a general script for deleting any node you desire users groups hosts UPS s etc from the command line The script deletes the specified node and shuffles the remainder of the node values For example if we have five users configured and we use the script to delete user 3 then user 4 will become user 3 and user 5 will become user 4 This creates an obvious complication as this script does NOT check for a
249. lso defined on a remote TACACS server which says he has access to ports 3 and 4 The user may log in with either his local or TACACS password and will have access to ports 1 through 4 If TACACS is down he will need to use his local password and will only be able to access ports 1 and 2 Example 2 User B is only defined on the TACACS server which says he has access to ports 5 and 6 When he attempts to log in a new user will be created for him and he will be able to access ports 5 and 6 If the TACACS server is down he will not Chapter 9 Authentication have any access Example 3 User C is defined on a RADIUS server only He has access to all serial ports and network hosts Example 4 User D is locally defined on an appliance using RADIUS for AAA Even if the user is also defined on the RADIUS server he will only have access to those serial ports and network hosts he has been authorized to use on the appliance If a no local AAA option is selected then root will still be authenticated locally Remote users may be added to the admin group via either RADIUS or TACACS Users may have a set of authorizations set on the remote TACACS server Users automatically added by RADIUS will have authorization for all resources whereas those added locally will still need their authorizations specified LDAP has not been modified and will still need locally defined users 9 1 6 Group support with remote authentication All Console
250. m clock will be reset randomly every time the Console Server is powered up To set the system time using NTP e Select the Enable NTP checkbox on the Network Time Protocol page e Enter the IP address of the remote NTP Server and click Apply Settings You must now also specify your local time zone so the system clock can show local time and not UTP e Set your appropriate region locality in the Time Zone selection box and click Set Timezone The Time Zone can also be set to UCT Coordinated Universal Time which replaced Greenwich Mean Time as the World standard for time in 1986 System Date amp Time Serial amp Network 5 Current System time 21 29 34 Dec 22 2000 Serial Port Users amp Groups Time Zone Authentication Network Hosts Trusted Networks IPsec VPN OpenVPN Cascaded Ports UPS Connections RPC Connections Environmental Managed Devices Alerts amp Logging Port Log Alerts a PUTNA A rear Pacific Yap 4 Poland Set Timezone Portugal PRC PST8PDT ROC ROK Date and Time Singapore Turke Year aT TT Universal Manth PIO Alot Chapter 11 System Management 11 4 Configuration Backup It is recommended that you back up the Console Server configuration whenever you make significant changes Such as adding new Users or Managed Devices or before performing a firmware upgrade a e Select the System Configuration Backup menu option or
251. me point in the future you chose to connect a modem for dial in out of band access the procedure can be reversed with the following commands bin config del config console debug bin config run console reboot Chapter 15 Advanced Configuration 15 4 IP Filtering The Console Server uses the iptables utility to provide a stateful firewall of LAN traffic By default rules are automatically inserted to allow access to enabled services and serial port access via enabled protocols The commands which add these rules are contained in configuration files etc config ipfilter This is an executable shell script which is run whenever the LAN interface is brought up and whenever modifications are made to the iptables configuration as a result of CGI actions or the config command line tool The basic steps performed are as follows e The current iptables configuration is erased e lf a customized IP Filter script exists it is executed and no other actions are performed e Standard policies are inserted which will drop all traffic not explicitly allowed to and through the system e Rules are added which explicitly allow network traffic to access enabled services e g HTTP SNMP etc e Rules are added which explicitly allow traffic network traffic access to serial ports over enabled protocols e g Telnet SSH and raw TCP If the standard system firewall configuration is not adequate for your needs it can be bypassed safely by creating a file
252. minated Environmental Sensor Alert Environmental Sensor Alert An alert will be triggered at the value s below This alert type will only be applied to UPSes RPCs and environmental monitor temperature and humidity sensors Sensor Type Temperature Specify which environmental sensor type to alert on Set Point Low Low Warning Low Critical A warning alert will be triggered when A critical alert will be triggered when the sensor reading falls to this value or the sensor reading falls to this value or lower lower Set Point High E ae High High Warning High Critical A warning alert will be triggered when A critical alert will be triggered when the sensor reading rises to this value or the sensor reading rises to this value or higher higher Hysteresis Value a sensor reading must drop below a high point or to rise above a low point before the alert is reset e Select Sensor Alert to activate e Specify which Sensor Type to alert on Temperature Humidity Power Load and Battery Charge e Set the levels at which Critical and or Warning alerts are to be sent You can also specify High and or Low Set Points for sending alerts and the Hysteresis to be applied before resetting off the alerts Note Specify the Set Point values are in Degrees F for Temperature Amps Current for Power Load Percentage for Humidity and Battery Charge If you have selected Applicable Alarm Sensor s that are to be monitored for this aler
253. mple details of the configuration options are described in the next section This walk through also assumes the network host and serial devices are already physically connected to the Console Server First step is to set up the Nagios features on the Console Server Serial amp Network Serial Port Enabled 7 oe Switch on the Nagios service Authentication Network Hosts Nagios Host Name Trusted Networks Cascaded Ports UPS Connections Nagios Host Address RPC Connections Environmental Name of this system in Nagios Generated from System Name if unspecified Address for Nagios to find this device at Defaults to Network 1 JP if set Nagios Server Address Alerts amp Logging z Address of the upstream server Port Log Alerts Disable SDT for Nagios SMTP amp SMS EHTS Don t show sdt links in service status SNMP SDT Gateway Address External address of this system shown in sdt links Defaults to Nagios Host Address Administration Firmware Prefer NRPE IP m a w Use NRPE instead of NSCA whenever possible Defaults to prefer NSCA Browse the Console Server and select System Nagios on the Console Server Management Console Check Nagios service Enabled Enter the Host Name and the Nagios Host Address i e IP address that the central Nagios server will use to contact the distributed Console Server Enter the IP address that the distributed Console Server will use to contac
254. mulator program to the IP address of the Console Server 192 168 0 1 by default e Log on to the Console Server by pressing return a few times The Console Server will request a username and password Enter the username root and the password default You should now see the command line prompt which is a hash This chapter is not intended to teach you Linux We assume you already have a certain level of understanding before you execute Linux kernel level commands Chapter 14 Command Line Configuration The config tool Syntax config ahv d id g id p path r configurator s id value P id Description The config tool is designed to perform multiple actions from one command if need be so if necessary options can be chained together The config tool allows manipulation and querying of the system configuration from the command line Using config the new configuration can be activated by running the relevant configurator which performs the action necessary to make the configuration changes live The custom user configuration is saved in the etc config config xml file This file is transparently accessed and edited when configuring the device using the Management Console browser GUI Only the user root can configure from the shell By default the config elements are separated by a character The root of the config tree is called lt config gt To address a specific element place a betw
255. munity The read only community Administration Read Write SSL Certificates Community Configuration Backup The read write community Firmware IP SNMP v3 Date amp Time 5 Dial Engine ID DHCP Server Override the automatically generated SNMPv3 Engine ID Note If not specified Nagios an Engine ID wil be automaticaly generated using Network Interface details Configure Dashboard Security Level noauth Status auth Port Access priv Active Users Statistics The SNMPv3 Security Level priv amp recommended for enforcing both Support Report authentication and encryption Syslog UPS Status Read Only RPC Status Username Environmental Status The SNMPv3 read only security name Mandatory for SNMPv3 Power Supply Status Dashboard Auth Protocol SHA a The SNMPv3 authentication protocol Manage Devices Auth Password Port Logs Host ae The SNMPv3 users authentication password Power Terminal a Confirm the SNMPv3 users authentication password Privacy Protocol DES i The SNMPv3 privacy protocol Privacy Password The SNMPv3 encryption password Confirm Password Confirm the SNMPv3 encryption password Apply e Select the Manager Protocol SNMP is generally a UDP based protocol though infrequently it uses TCP instead e Enter the host address of the SNMP Network Manager into the Manager Address field e Enter the TCP IP port number into the Manage
256. n option option Driver option argument argument Logging Enabled Log interval 2 minutes Run script when power is critical Enabled config s config ups monitors monitor1 port dev portO1 If the port number is higher than 9 eg port 13 enter config s config ups monitors monitor1 port dev port13 config s config ups monitors monitor1 name My UPS config s config ups monitors monitor1 description UPS in room 5 config s config ups monitors monitor1 username User2 config s config ups monitors monitor1 password secret config s config ups monitors monitor1 sdorder 2 config s config ups monitors monitor1 driver genericups config s config ups monitors monitor1 options option1 opt option config s config ups monitors monitor1 options option1 arg argument config s config ups monitors monitor1 options total 1 config s config ups monitors monitor1 log enabled on config s config ups monitors monitor1 log interval 2 config s config ups monitors monitor1 script enabled on Make sure to increment the total monitors config s config ups monitors total 1 The 5 commands below will add the UPS to Managed devices Assuming there are already 2 managed devices configured config s config devices device3 connections connection1 name My UPS config s config devices device3 connections connection1 tyoe UPS Unit config s config devices device3 name My UPS config s config devices device3 descr
257. n cgi query ssh keygen 15 6 3 Installing the SSH Public Private Keys Clustering For Console Servers the keys can be simply uploaded through the web interface on the System Administration page This enables you to upload stored RSA or DSA Public Key pairs to the Master and apply the Authorized key to the slave and is described in Chapter 4 Once complete you then proceed to Fingerprinting as described below SSH RSA Public Key Upload a replacement RSA public key file 55H RSA Private Key Upload a replacement RSA private key file SSHDSAPuble Bo Key Upload a replacement OSA public key file SSH DSA Private Key Upload a replacement OSA private key file SSH Authorized Keys Upload a replacement authorized keys file 15 6 4 Installing SSH Public Key Authentication Linux Alternately the public key can be installed on the unit remotely from the linux host with the scp utility as follows Assuming the user on the Management Console is called fred the IP address of the Console Server is 192 168 0 1 default and the public key is on the inux unix computer in ssh id_dsa pub Execute the following command on the linux unix computer scp ssh id_dsa pub root 192 168 0 1 etc config users fred ssh authorized_keys The authorized_keys file on the Console Server needs to be owned by fred so login to the Management Console as root and type chown fred etc config users fred ssh authorized_keys Chapter 15 Advanced Conf
258. n gateway 192 168 0 1 config s config interfaces wan dns1 192 168 0 1 config s config interfaces wan dns2 192 168 0 2 config s config interfaces wan mode static config s config interfaces wan media Auto 100baseTx FD 100baseTx HD 10baseT HD 10baseT FD To enable bridging between all interfaces config s config system bridge enabled on To enable IPv6 for all interfaces config s config system ipv6 enabled on To configure the management lan interface use the same commands as above but replace config interfaces wan with config interfaces lan Chapter 14 Command Line Configuration Note Not all devices have a management LAN interface To configure a failover device in case of an outage config s config interfaces wan failover address1 ip address config s config interfaces wan failover address2 ip address config s config interfaces wan failover interface eth1 console modem The network interfaces can also be configured automatically config s config interfaces wan mode dhcp config s config interfaces lan mode dhcp The following command will synchronize the live system with the new configuration bin config run ipconfig The following command will synchronize the live system with the new configuration config r ipconfig 14 1 18 Date amp Time settings To enable NTP using a server at pool ntp org issue the following commands config s config ntp enabled on co
259. n of the PUTTY Key Generator and paste the key data to the authorized _keys file Make sure there is only one line of text in this file e Use WinSCP to copy this authorized keys file into the user s home directory eg etc config users testuser ssh authorized_keys of the Console Server which will be the SSH server You will need to make sure this file is in the correct format with the correct permissions with the following commands dos2unix etc config users testuser ssh authorized_keys amp amp chown testuser etc config users testuser ssh authorized_keys e Using WinSCP copy the attached sshd_config over etc config sshd_config on the server Makes sure public key authentication is enabled e Test the Public Key by logging in as testuser Test the Public Key by logging in as testuser to the client Console Server device and typing you should not need to enter anything ssh o StrictHostKeyChecking no lt server ip gt To automate connection of the SSH tunnel from the client on every power up you need to make the clients etc config rc local look like the following bin sh ssh L9001 127 0 0 1 4001 N o StrictHostkeyChecking no testuser lt server ip gt amp This will run the tunnel redirecting local port 9001 to the server port 4001 15 6 6 Fingerprinting Fingerprints are used to ensure you are establishing an SSH session to who you think you are On the first connection to a remote server you will receive a
260. n the Console Server Chapter 12 Status Reports 12 5 2 Creating custom widgets for the Dashboard To run a custom script inside a dashboard widget Create a file called Widget lt name gt sh in the folder etc config scripts where lt name gt can be anything You can have as many custom dashboard files as you want Inside this file you can put any code you wish When configuring the dashboard choose widget lt name gt sh in the dropdown list The dashboard will run the script and display the output of the script commands directly on the screen inside the specific widget The best way to format the output would be to send HTML commands back to the browser by adding echo commands in the script echo lt table gt You can of course run any command and its output will be displayed in the widget window directly Below is an example script which writes the current date to a file and then echo s HTML code back to the browser The HTML code gets an image from a specific URL and displays it in the widget bin sh date gt gt tmp test echo lt table gt echo lt tr gt lt td gt This is my custom script running lt td gt lt tr gt echo lt tr gt lt td gt echo lt img src http www vinras com images linux online inc jpg gt echo lt td gt lt tr gt echo lt table gt exit O Chapter 13 Management The Console Server has a small number of Manage reports and tools that are available to both
261. n this class is referred to generically in this manual as an Administrator An Administrator can access and control the Console Server using the config utility the Linux command line or the browser based Management Console By default the Administrator has access to all services and ports to control all the serial connected devices and network connected devices hosts ll Users Embraces those who have been set up by the Administrator with specific limits on their access and control authority These users are set up as members of the user s user group or some other user groups the Administrator may have added They are only authorized to perform specified controls on specific connected devices and are referred to as Users These Users when authorized can access serial or network connected devices and control these devices using the specified services e g Telnet HHTPS RDP IPMI Serial over LAN Power Control An authorized User can also use the Management Console to access configured devices and review port logs In this manual when the term user lower case is used it is referring to both the above classes of users This document also uses the term remote users to describe users who are not on the same LAN segment as the Console Server These remote users may be Users who are on the road connecting to managed devices over the public Internet or it may be an Administrator in another office connecting to the Console Server itself over the en
262. n to be taken by selecting the appropriate icon Power ON Power OFF J Power Cycle be You will only be presented with icons for those operations that are supported by the Target you have selected Power Status Chapter 8 Power and Environment 8 2 Uninterruptible Power Supply Control UPS The Console Servers manage UPS hardware using Network UPS Tools refer Section 8 2 6 for an overview of embedded open source Network UPS Tools NUT software 8 2 1 Managed UPS connections A Managed UPS is a UPS that is connected by serial or USB cable or by the network to the Console Server The Console Server becomes the Master of this UPS and runs a upsd server to allow other computers that are drawing power through the UPS Slaves to monitor its status and take appropriate action Such as shutdown in event of low battery Serial or USB control ports Managed UPSes The Console Server may or may not be drawing power through the Managed UPS see the Configure UPS powering the Console Server section below When the UPS s battery power reaches critical the Console Server signals and waits for Slaves to shutdown then powers off the UPS Serial and network connected UPS s must first be configured on the Console Server with the relevant serial control ports reserved for UPS usage or with the UPS allocated as a connected Host e Select UPS as the Device Type in the Serial amp Network Serial Port menu for ea
263. nable the Web Terminal service for the console server e Select the tab in the System Firewall menu e Check Enable Web Terminal and click Apply Respond to ICMP 7 J 7 J Devices echos Port Logs Host Logs Enable Web Terminal J Power Terminal Allow web browser access to the system command line shell via Manage gt Terminal Alternate Telnet Base g A secondary TCP port range for Telnet access to serial ports Thi amp in addition to the default Administrators can now communicate directly with the Console Server command line from their browser e Select Manage Terminal to display the Web Terminal from which you can log in to the Console Server command line Manage Terminal Serial amp Network Serial Port Terminal Users amp Groups 7 Authentication ogin root Network Hosts Password Trusted Networks IPsec VPN OpenVPN cat etc version Cascaded Ports TrippLite BO95 Version 3 3 2 Wed Dec 22 16 1 UPS Connections 4 29 EST 2010 RPC Connections Environmental 13 3 1 2 Web Terminal to Serial Device To enable the Web Terminal service for each serial port you want to access e Select Serial amp Network Serial Port and click Edit Ensure the serial port is in Console Server Mode e Check Web Terminal and click Apply shed Console Server Setti Date amp Time oS EXEL S j m i Console Server Firewa DHCP Server Mode Enable remote net
264. nagement console Lower baud rates 50 75 110 134 150 200 300 600 1200 1800 baud can be configured from the command line as detailed in Chapter 14 Chapter 4 Serial Port Device and User Configuration 4 1 2 Console Server Mode Select Console Server Mode to enable remote management access to the serial console that is attached to the serial port IP Console Server Settings Console Server Mode Enable remote network access to the console at this serial port DHCP Server Nagios z z a pail ee Logging Level level 1 user connects disconnects to port I O Ports Specify the detail of data to log Status Telnet v Port Access Enable Telnet access Active Users Statistics SSH Support Report Enable SSH access Syslog UPS Status Raw TCP RPC Status Enable raw TCP access Environmental Status Dashboard RFC 2217 Enable RFC 2217 access Manage Port Logs Telnet Enable Telnet access without requiring the user to provide credentials Host Logs Power Web Terminal Terminal Enable web browser access via Manage gt Devices gt Serial Authenticate Enable PortShare Authentication Warning This will override standard RFC 2217 and raw TCP behaviour Authentication Password Enter password for PortShare authentication Confirm Password Re type the password for confirmation Accumulation Period Collect serial data for a period of time in milliseconds then transmit any
265. nd SDTConnector access to all services on the Console Servers will use the embedded FIPS compliant cryptographic module To connect you must also be using cryptographic algorithms that are FIPs approved in your browser or client or the connection will fail e Select the System Administration menu option e Check FIPS Mode to enable FIPS mode on boot and check Reboot to safely reboot the console server i nepi FIPS Mode sea Logs Enable FIPS mode on boot changing requires safe reboot Power Terminal Reboot Safely reboot the device Apply e Click Apply and the Console Server will now reboot It will take several minutes to reconnect as secure communications with your browser are validated and when reconnected it will display FIPs mode Enabled in the banner Chapter 11 System Management Note To enable FIPS mode from the command line login and run these commands config s config system fips on touch etc config FIPS chmod 444 etc config FIPS flatfsd b The final command saves to flash and reboots the unit The unit will take a few minutes to boot into FIPS mode To disable FIPS mode config d config system fips rm etc config FIPS flatfsd b Chapter 12 Status Reports This chapter describes the dashboard feature and the status reports that are available e Port Access and Active Users e Statistics e Support Reports e Syslog e Dashboard The UPS RPC and Environmental Status reports are c
266. net 80 tcp http 443 tcp https 1494 tcp ica 3389 tcp rdp 5900 tcp vno Add other network host To add any other type of network host with the following details IP address DNS name 192 168 3 10 Host name OfficePC Description MyPC Allowed sevices ssh port 22 https port 443 log level for services 1 Issue the commands below If the Host is not a PDU or UPS power device or a server with IPMI power control then leave the device type blank config s config sdt hosts host4 address 192 168 3 10 config s config sdt hosts host4 description MyPC config s config sdt hosts host4 name OfficePC config s config sdt hosts host4 device tyoe leave this value blank config s config sdt hosts host4 tcpports tcpport1 22 config s config sdt hosts host4 tcpports tcpport1 loglevel 1 config s config sdt hosts host4 udpports tcppport2 443 config s config sdt hosts host4 udpports tcpport2 loglevel 1 If you want to add the new host as a managed device make sure to use the current total number of managed devices 1 for the new device number To get the current number of managed devices config g config devices total Chapter 14 Command Line Configuration Assuming we already have one managed device our new device will be device 2 Issue the following commands config s config devices device2 connections connection1 name 192 168 3 10 config s config devices device2 connections connection1 t
267. nfig s config nto server pool ntp org Alternatively you can manually change the clock settings To change running system time date 092216452005 05 Format is MMDDhhmm CC YY ss Then the following command will save this new system time to the hardware clock bin hwclock systohc Alternatively to change the hardware clock bin hwclock set date 092216452005 05 Format is MMDDhhmm CC YY ss Then the following command will save this new hardware clock time as the system time bin hwclock hctosys To change the timezone config s config system timezone US Eastern The following command will synchronize the live system with the new configuration config r time 14 1 19 Dial in settings To enable dial in access on the DB9 serial port from the command line with the following attributes Local IP Address 172 24 1 1 Remote IP Address 172 24 1 2 Authentication Type MSCHAPv2 Serial Port Baud Rate 115200 Serial Port Flow Control Hardware Custom Modem Initialization ATQOV1HO Callback phone 0800223665 User to dial as user Password for user secret Run the following commands config s config console ppp localipo 172 24 1 1 config s config console ppp remoteip 1 72 24 1 2 config s config console ppp auth MSCHAPv2 config s config console speed 115200 Chapter 14 Command Line Configuration config s config console flow Hardware config s config console initstring ATQOVLHO config s config
268. nfig system nagios sdt disabled on disables SDT for nagios extensions config s config system nagios sdt address 192 168 0 1 config s config system nagios nrpe prefer To configure NRPE with following settings NRPE port 5600 port to listen on for nrpe Defaults to 5666 NRPE user user1 User to run as Defaults to nrpe NRPE group group Group to run as Defaults to nobody Allow command arguments Enabled config s config system nagios nrpe enabled on config s config system nagios nrpe port 5600 config s config system nagios user user1 config s config system nagios nrpe group group1 config s config system nagios nrpe cmdargs on Chapter 14 Command Line Configuration To configure NSCA with the following settings NSCA encryption BLOWFISH can be None XOR DES TRPLEDES CAST 256 BLOWFISH TWOFISH RISNDAEL 256 SERPENT GOST NSCA password secret NSCA check in interval 5 minutes NSCA port 5650 defaults to 5667 user to run as User defaults to nsca group to run as Group defaults to nobody config s config system nagios nsca enabled on config s config system nagios nsca encryption BLOWFISH config s config system nagios nsca secret secret config s config system nagios nsca interval 2 config s config system nagios nsca port 5650 config s config system nagios nsca user Userl1 config s config system nagios nsca group Group1 The following command will synchr
269. ng end to end commercial communications security solution for the enterprise e Reflection for Secure IT formerly F Secure SSH is another good commercial SSH based security solution By way of example the steps below show the establishment of an SSH tunneled connection to a network connected device using the PulTY client software fet PuTTY Configuration fesse at I Session Basic options for your PuTTY session a 5 ai Specify the destination you want to connect to a Bell 192 168 252 202 7 e Features Connection type Window Raw Telnet Rlogin 55H i1 Seral C Jal CT i fee Load save or delete a stored session Froxy Saved Sessions Hi Telnet aon Default Settings J OEIngs 7 SSH toad os gave m PEY Delete pe AT Tunnels 1 Bugs Close window on ext inet Always Never Only on clean exit About Hep Open Cancel e Inthe Session menu enter the IP address of the Console Server in the Host Name or IP address field o For dial in connections this IP address will be the Local Address that you assigned to the Console Server when you set it up as the Dial In PPP Server o For Internet or local VPN connections connections this will be the public IP address of the Console Server e Select the SSH Protocol and the Port will be set as 22 e Go to the SSH Tunnels menu and in Add new forwarded port enter any high unused port number for t
270. ngs can be set for any specific port in any mode config s config ports port syslog facility facility facility can be Default local O 7 auth authpriv cron daemon ftp kern lpr mail news user uucp config s config ports port syslog priority priority priority can be Default warning notice Info error emergency debug critical alert Chapter 14 Command Line Configuration 14 1 2 Adding and removing Users Firstly determine the total number of existing Users if you have no existing Users you can assume this is 0 config g config users total This command should display config users total 1 Note that if you see config users total this means you have O Users configured Your new User will be the existing total plus 1 So if the previous command gave you O then you start with user number 1 if you already have 1 user your new user will be number 2 etc To add a user with Username John Password secret and Description mySeconduUser issue the commands config s config users total 2 assuming we already have 1 user configured config s config users user2 username John config s config users user2 description mySecondUser config P config users user2 password NOTE The P parameter will prompt the user for a password and encrypt it In fact the value of any config element can be encrypted using the P parameter but only encrypted user passwords and system passwords are supported
271. nitoring logging recovery inventory and control of hardware that is implemented independent of the main CPU BIOS and OS The service processor or Baseboard Management Controller BMC is the brain behind platform management and its primary purpose is to handle the autonomous sensor monitoring and event logging features The ipmitoo program provides a simple command line interface to this BMC It features the ability to read the sensor data repository SDR and print sensor values display the contents of the System Event Log SEL print Field Replaceable Unit FRU inventory information read and set LAN configuration parameters and perform remote chassis power control SYNOPSIS ipmitool c h v V I open lt command gt ipmitool c h v V I Jan H lt hostname gt p lt port gt U lt username gt A lt authtype gt L lt privivl gt a E P f lt password gt o lt oemtype gt lt command gt ipmitool c h v V I Janplus H lt hostname gt p lt port gt U lt username gt L lt privivl gt a E P f lt password gt o lt oemtype gt C lt ciphersuite gt lt command gt DESCRIPTION This program lets you manage Intelligent Platform Management Interface IPMI functions of either the local system via a kernel device driver or a remote system using IPMI V1 5 and IPMI v2 0 These functions include printing FRU information LAN configuration sensor readings and
272. nitoring Device EMD Device Settings Device Type ESN Specify the device type Apply this setting then use the APC Connections page to configure the attached power controller e Select the desired Device Type UPS RPC or EMD e Proceed to the appropriate device configuration page Serial amp Network UPS Connections RPC Connection or Environmental as detailed in Chapter 8 Power amp Environmental Management The BO92 016 Console Server also allows you to configure ports as UPS devices that PowerAlert will manage PowerAlert will discover the attached UPS device and auto configure See www tripplite com EN support PowerAlert Downloads cfm for a complete PowerAlert manual Device Settings Device Type UPS PowerAlert gt None UPS NUT UPS PowerAlert PowerAlert to discover the attached device RPC Environmental e Select Terminal Server Mode and the Terminal Type vt220 vt102 vt100 Linux or ANSI to enable a getty on the selected serial port 4 1 5 Terminal Server Mode Terminal Server Settings Terminal Server Mode Enable a TTY login for a local terminal attached to this serial port Terminal T ype vi220 J The terminal standard to use bn this serial port The getty will then configure the port and wait for a connection to be made An active connection on a serial device is usually indicated by the Data Carrier Detect DCD pin on the serial device being raised When a connection is detected the
273. nnected RPC go to Serial amp Network Network Hosts menu and configure the RPC as a connected Host Device Settings Device Type RPC a Specify the device type Apply this setting then use the RPC Connections page to configure the attached power controller e Select the Serial amp Network RPC Connections menu This will display all the RPC connections that have already been configured e Click Add RPC In Connected Via select the pre configured serial port or the network host address that connects to the RPC e Enter a RPC Name and Description for the RPC e Enter the Username and Password used to login into the RPC Note that these login credentials are not related the Users and access privileges you will have configured in Serial amp Networks Users amp Groups e Check Log Status and specify the Log Rate minutes between samples if you wish the status from this RPC to be logged These logs can be views from the Status RPC Status screen e Click Apply Chapter 8 Power and Environment Serial amp Network RPC Connections Serial amp Network Serial Port Add RPC Users amp Groups Connected Via Authentication Network Hosts Trusted Networks IPsec VPN RPC Type OpenVPN Cascaded Ports UPS Connections RPC Connections Name Environmental Managed Devices Alerts amp Logging Port Log Alerts SMTP amp SMS SNMP Description Username Administ
274. nnection between the SSH client program on the remote user s computer and the Console Server The user s communication with the serial device attached to the Console Server is therefore secure It is recommended for Users and Administrators to use SDT Connector when making an SSH connection to the consoles on devices attached to the Console Server s serial ports Configure the SDT Connector with the Console Server as a gateway then as a host and enable SSH service on Port 3000 serial port i e 3001 3048 refer to Chapter 6 You can also use common communications packages like PUTTY or SSHTerm to SSH connect directly to port address IP Address _ Port 3000 serial port i e 3001 3048 Alternately SSH connections can be configured using the standard SSH port 22 The serial port being accessed is then identified by appending a descriptor to the username This syntax supports any of lt username gt lt portxx gt lt username gt lt port label gt lt username gt lt ttySX gt lt username gt lt serial gt So for a user named fred to access serial port 2 when setting up the SSHTerm or the PuTTY SSH client instead of typing username fred and ssh port 3002 the alternate is to type username fred port02 or username fred ttyS1 and ssh port 22 Or by typing username fred serial and ssh port 22 the user is presented with a port selection option login as testil iserial Using keyhoard interactive
275. nnector 6 2 2 Configuring a new gateway in the SDT Connector client To create a secure SSH tunnel to a new Console Server Click the New Gateway 4a New Gateway Import Preferences Export Preferences E Exit li Enter the IP or DNS Address of the Console Server and the SSH port that will be used typically 22 Note If SDT Connector is connecting to a remote Console Server through the public Internet or routed network you will need to Determine the public IP address of the Console Server or of the router firewall that connects the Console Server to the Internet as assigned by the ISP One way to find the public IP address is to access http checkip dyndns org or http www whatismyip com from a computer on the same network as the Console Server and note the reported IP address Set port forwarding for TCP port 22 through any firewall NAT router that is located between SDT Connector and the Console Server so that it points to the Console Server http www portforward com has port forwarding instructions for a range of routers Also you can use the Open Port Check tool from http www canyouseeme org to check if port forwarding through local firewall NAT router devices has been properly configured Enter the Username and Password of a user on the gateway that has been enabled to connect via SSH and or create SSH port redirections Gateway Address Port 22 Gateway Username Gateway Password Descriptive Name
276. nt lines start with a and are ignored by OpenVPN Client server Specify whether this will be a client or server configuration file In the server configuration file define the IP address pool and netmask For example server 10 100 10 0 255 255 255 0 proto udp Set the protocol to UDP or TCP The client and server must use the same settings proto tcp mssfix lt max size gt Mssfix sets the maximum size of the packet This is only useful for UDP if problems occur verb lt level gt Set log file verbosity level Log verbosity level can be set from O minimum to 15 maximum For example O silent except for fatal errors 3 medium output good for general usage 5 helps with debugging connection problems 9 extremely verbose excellent for troubleshooting dev tun Select dev tun to create a routed IP tunnel or dev tap to create an Ethernet tunnel The dev tap client and server must use the same settings remote lt host gt The hostname IP of OpenVPN server when operating as a client Enter either the DNS hostname or the static IP address of the server Port The UDP TCP port of the server Keepalive Keepalive uses ping to keep the OpenVPN session alive Keepalive 10 120 pings every 10 seconds and assumes the remote peer is down if no ping has been received over a 120 second time period http proxy lt proxy server gt If a proxy is required to access the server enter the proxy server DNS name
277. nts all the network connected Hosts that have been enabled for access and the related access TCP ports services e Click Add Host to enable access to a new Host or select Edit to update the settings for existing Host TRIPP LITE POWER PROTECTION Serial amp Network Network Hosts Serial amp Network Serial Port IP Address DNS Users amp Grown Name 4 arin The host s IP Address or DNS name Authentication Network Hosts Host Name Trusted Networks z A descriptive name for this host Description Notes A brief description of the host Permitted Services 22 tcp ssh 0 23 tcp telnet 0 80 tcp http 0 443 tcp https 0 1494 tcp ica 0 3389 tcp rdp 0 5900 tcp vnc 0 TCP OUDP Port level 0 Disabled hd The TCP services available from this host Device Settings Device Type None Statistics Specify the device type Support Report Svsiog Avolv e Enter the IP Address or DNS Name and a Host Name up to 254 alphanumeric characters for the new network connected Host and optionally enter a Description up to characters e Add or edit the Permitted Services or TCP UDP port numbers that are authorized to be used in controlling this host Only these permitted services will be forwarded through by SDT to the Host All other services TCP UDP ports will be blocked e The Logging Level specifies the level of information to be logged and monitored for each Host acces
278. nvitations to be sent from this computer What is Remote Assistance Remote Desktop Allow users to connect remotely to this computer Full computer name Bigbob What is Remote Desktop Select Remote Users For users to connect remotely to this computer the user account must have a password Windows Firewall will be configured to allow Remote Desktop connections to this computer OK Cancel e Check Allow users to connect remotely to this computer e Click Select Remote Users Chapter 6 Secure SSH Tunneling amp SDT Connector Remote Desktop Users The users listed below can connect to this computer and any members of the Administrators group can connect even if they are not listed IL i Remote Bob Bob already has access oy To create new user accounts or add users to other groups go to Control Panel and open User Accounts e To set the user s who can remotely access the system with RDP click Add on the Remote Desktop Users dialog box Note If you need to set up new users for Remote Desktop access open User Accounts in the Control Panel and proceed through the steps to nominate the new user s name password and account type Administrator or Limited Note With Windows XP Professional and Vista you have only one Remote Desktop session and it connects directly to the Windows root console With Windows Server 2008 you can have multiple sessions and with Server 2003 you have three sessions the console
279. ny other dependencies that the node being deleted may have had So you are responsible for making sure that any references and dependencies connected to the deleted node are removed or corrected in the config xml file The script treats all nodes the same The syntax to run the script is delete node node name so to remove user 3 delete node config users user3 The delete node script bin bash User must provide the node to be removed e g config users user1 Usage delete node full node path if 1 then echo Wrong number of arguments echo Usage delnode full delimited node path exit 2 fi test for spaces TEMP echo 1 sed s N if STEMP N then echo Wrong input format echo Usage delnode full delimited node path exit 2 fi testing if node exists TEMP config g config grep 1 if z TEMP then echo Node 1 not found exit O fi LASTFIELD is the last field in the node path e g user ROOTNODE is the upper level of the node e g config users NUMBER is the integer value extracted from LASTFIELD e g 1 TOTALNODE is the node name for the total e g config users total TOTAL is the value of the total number of items before deleting e g 3 NEWTOTAL is the modified total i e TOTAL 1 CHECKTOTAL checks if TOTAL is the actual total items in xml LASTFIELD 1 ROOTNODE 1 NUMBER echo LASTFIELD s
280. o a specific address In most cases this should be left blank Input Port Range The range of ports to forward to the destination IP These will be the port s specified when accessing the port forward These ports need not be the same as the output port range Protocol The protocol of the data being forwarded The options are TCP or UDP Output Address The target of the port forward This is an address on the internal network where packets sent to the Input Interface on the input port range are sent Output Port Range The port or ports that the packets will be redirected to on the Output Address System Firewall Serial amp Network Serial Port Service Access Port Forwarding Port Rules Forwarding amp Users amp Groups Masquerading Authentication Network Hosts Trusted Networks Create Modify Port Forward IPsec VPN OpenVPN Name New Port Forward Rule Cascaded Ports Name for the Port Forward UPS Connections RPC Connections Input Interface Environmental Any x Managed Devices Interface that the data enters the device from Alerts amp Logging Source Addres The source IP address of the data This may be left blank Input Port 0 Range A port or range of ports Ranges are specified like 800 900 Protocol TCP a Administration 3 SSL Certificates The protocol of the data Configuration Backup Firmware Output Address IP The IP address that the data should be redirected to
281. o access it However it may consist of several redirections some or all of which may have clients associated with them An example is the Dell RAC service The first redirection is for the HTTPS connection to the RAC server it has a client associated with it web browser that is launched immediately upon clicking the button for this service The second redirection is for the VNC service that the user may choose to launch later from the RAC web console It automatically loads in a Java client served through the web browser so it does not need a local client associated with it Chapter 6 Secure SSH Tunneling amp SDT Connector EE Tripp Lite SDTConnector f a SDTConnector Preferences ienty Edit Service Service Name Dell RAC Local gt Remote Port Redirections TCP 5900 5900 4p Add TCP any gt 443 a TCP 3668 gt 3668 A Edit i SoA Close e On the Add Service screen you can click Add as many times as needed to add multiple new port redirections and associated clients You may also specify Advanced port redirection options e Enter the local address to bind to when creating the local endpoint of the redirection It is not usually necessary to change this from localhost e Enter a local TCP port to bind to when creating the local endpoint of the redirection If this is left blank a random port will be selected 4S Tripp Lite SDTConnector lit He 1 C Edit S
282. of any Groups but if the User is not even a member of the default user group then they will not be able to use the Management Console to manage ports However while there are no specific limits the time to re configure does increase as the number and complexity increases so we recommend the aggregate number if users and groups be kept under 250 1000 for BO92 016 The Administrator can also edit the access settings for any existing users e Select Serial amp Network Users amp Groups and click Edit for the User to be modified Note For more information on enabling the SDT Connector so each user has secure tunneled remote RPD VNC Telnet HHTP HTTPS SoL access to the network connected hosts refer Chapter 6 Chapter 4 Serial Port Device and User Configuration 4 3 Authentication Refer to Chapter 9 1 Remote Authentication Configuration for authentication configuration details 4 4 Network Hosts To access a locally networked computer or device referred to as a Host you must identify the Host and specify the TCP or UDP ports services that will be used to control that Host Serial amp Network Network Hosts Serial amp Network ria ort Users amp Groups IP Host Description Notes Permitted Services Device as Address DNS Name Type Authenticatio Name Network Hosts Trusted Networks No hosts currently configured Cascaded Ports UPS Connections Add Host e Selecting Serial amp Network Network Hosts prese
283. of the UPS to shutdown gracefully when the battery power reaches critical Additionally one server is designated the Master of the UPS and is responsible for shutting down the UPS itself when all Slaves have shut down Typically the Master of the UPS is the one connected to the UPS via serial or USB cable upsmon can monitor multiple UPS s so high end servers which receive power from multiple UPS s simultaneously won t initiate a shutdown until the total power situation across all source UPS s becomes critical There also the two status logging clients upse and upslog The upsc client provides a quick way to poll the status of a UPS It can be used inside shell scripts and other programs that need UPS status information ups og is a background service that periodically polls the status of a UPS writing it to a file All these clients run on the Console Server for Management Console presentations but they also are run remotely on locally powered servers and remote monitoring systems This layered NUT architecture enables Multiple architecture support NUT can manage serial and USB connected models with the same common interface SNMP equipment can also be monitored although at this stage this is still pre release with experimental drivers and this feature will be added to the embedded UPS tools in future release Multiple clients monitoring one UPS Multiple systems may monitor a single UPS using only their network connections T
284. of the subnet to permit Network Mask The subnet mask for the permitted IP range Description A brief explanation of th s entry Date amp Time e Select the Accessible Port s that the new rule is to be applied to e Then enter the Network Address of the subnet to be permitted access e Then specify the range of addresses that are to be permitted by entering a Network Mask for that permitted IP range e g o To permit all the users located with a particular Class C network 204 15 5 0 say connection to the nominated port then you would add the following Trusted Network New Rule Network IP Address 204 15 5 0 Subnet Mask 255 255 255 0 o Ifyou want to permit only the one users who is located at a specific IP address 204 15 5 13 say to connect Network IP Address 204 15 5 0 Subnet Mask 255 255 255 255 o If however you want to allow all the users operating from within a specific range of IP addresses say any of the thirty addresses from 204 15 5 129 to 204 15 5 158 to be permitted connection to the nominated port Host Subnet Address 204 15 5 128 Subnet Mask 255 255 255 224 o Click Apply Note The above Trusted Networks will limit access by Users and Administrators to the console serial ports However they do not restrict access by the Administrator to the Console Server itself or to attached hosts To change the default settings for this access you will to need to edit the IPtables rules as described in the Ch
285. ogram the distribution of the whole must be on the terms of this License whose permissions for other licensees extend to the entire whole and thus to each and every part regardless of who wrote it Thus it is not the intent of this section to claim rights or contest your rights to work written entirely by you rather the intent is to exercise the right to control the distribution of derivative or collective works based on the Program In addition mere aggregation of another work not based on the Program with the Program or with a work based on the Program on a volume of a storage or distribution medium does not bring the other work under the scope of this License 3 You may copy and distribute the Program or a work based on it under Section 2 in object code or executable form under the terms of Sections 1 and 2 above provided that you also do one of the following a Accompany it with the complete corresponding machine readable source code which must be distributed under the terms of Sections 1 and 2 above on a medium customarily used for software interchange or b Accompany it with a written offer valid for at least three years to give any third party for a charge no more than your cost of physically performing source distribution a complete machine readable copy of the corresponding source code to be distributed under the terms of Sections 1 and 2 above on a medium customarily used for software interchange or c Accompany it wi
286. ol of the data aia E Direction Ingress E smpai The direction of the data that the rule applies to Configuration Back pcan aa att Block x IP The action to undertake Date amp Time ial gt Frewal Save e Fill in the following fields Name Name the port rule This name should describe the policy the port rule is being used to implement e g block ftp Interface in etc Select the interface that the port rule will be applied to i e Any Dialout Cellular VPN Network Interface Dial Port Range Specify the port or range of ports e g 1000 1500 that the rule will apply to Protocol Select if the port rule will apply to TCP or UDP Direction Select the traffic direction that the port rule will apply to Ingress incoming or Egress Action Select the action Accept or Block that will be applied to the packets detected that match the Interface Port Range Protocol Direction For example to block SSH traffic from leaving Dialout Interface the following settings can be used Interface Dialout Port Range 22 Protocol TCP Direction Egress Action Block Chapter 6 Secure SSH Tunneling amp SDT Connector Each Console Server has an embedded SSH server and uses SSH tunneling This enables one Console Server to securely manage all the systems and network devices in the data center using text based console tools Such as SSH Telnet SoL or graphical desktop tools VNC RDP HTTPS HTTP X11 VMware
287. ommand LOSS is the percentage loss from the ping command 1 must be the hostname IPaddress of device to ping 2 must be the commands to run when the pings fail COUNTER O TARGET 1 shift loop indefinitely while true do ping the device 10 times PINGREP ping c 10 i 1 TARGET get the packet loss percentage LOSS echo PINGREP grep sed e s 0 9 1 if SLOSS eq 100 then COUNTER expr COUNTER 1 else COUNTER O sleep 30s fi Chapter 15 Advanced Configuration if COUNTER eq 5 then COUNTER O sleep 2s fi done 15 1 7 Running custom scripts when a configurator is invoked A configurator is responsible for reading the values in etc config config xml and making the appropriate changes live Some changes made by the configurators are part of the Linux configuration itself such as user passwords or ipconfig Currently there are nineteen configurators each one responsible for a specific group of config e g the users configurator makes the user configurations in the config xmI file live To see all the available configurators type the following from a command line prompt config When a change is made using the Management Console web GUI the appropriate configurator is automatically run This can be problematic as if another user administrator makes a change using the Management Console the configurator could possibly overwrite any custom CLI linux
288. onfig s config alerts alert2 enviro low warning 7O config s config alerts alert2 roc1 RPCInNRoom20 config s config alerts alert2 sensor load config s config alerts alert2 signal DSR config s config alerts alert2 type enviro Chapter 14 Command Line Configuration Alarm Sensor Alert To set an alert for doorAlarm and windowAlarm which are two alarms connected to an environmental sensor called SensorinRoom3 Both alarms are disabled on Mondays from 8 15am to 2 30pm config s config alerts alert2 alarm1 SensorinRoom3 alarm1 doorAlarm config s config alerts alert2 alarm1 SensorinRoom3 alarm2 windowAlarm config s config alerts alert2 alarmrange mon from hour 8 config s config alerts alert2 alarmrange mon from min 15 config s config alerts alert2 alarmrange mon until hour 14 config s config alerts alert2 alarmrange mon until min 30 config s config alerts alert2 description description config s config alerts alert2 sensor temp config s config alerts alert2 signal DSR config s config alerts alert2 type alarm To enable an alarm for the entire day config s config alerts alert2 alarmrange mon from hour O config s config alerts alert2 alarmrange mon from min O config s config alerts alert2 alarmrange mon until hour O config s config alerts alert2 alarmrange mon until min O The following command will synchronize the live system with the new configuration config
289. onfig s config system snmp engineid ID v3 only config s config system snmp username username v3 only config s config system snmp password password v3 only config s config system snmp version 1 2c 3 The following command will synchronize the live system with the new configuration config a 14 1 16 Administration To change the administration settings to System Name og mydomain com System Password root account secret Description Device in office 2 config s config system name og mydomain com config P config system password will prompt user for a password config s config system location Device in office 2 NOTE The P parameter will prompt the user for a password and encrypt it In fact the value of any config element can be encrypted using the P parameter but only encrypted user passwords and system passwords are supported If any other element value were to be encrypted the value will become inaccessible and will have to be re set The following command will synchronize the live system with the new configuration config a 14 1 17 IP settings To configure the primary network interface with static settings IP address 192 168 0 23 Netmask 255 255 255 0 Default gateway 192 168 0 1 DNS server 1 192 168 0 1 DNS server 2 192 168 0 2 config s config interfaces wan address 192 168 0 23 config s config interfaces wan netmask 255 255 255 0 config s config interfaces wa
290. onfirm a Password e In Accessible Hosts click the IP address DNS name of the IIS server In Accessible Ports click the serial port that has the router console port attached e Click Apply Chapter 10 Nagios Integration 10 3 Configuring Nagios distributed monitoring To activate the Console Server s Nagios distributed monitoring e Nagios integration must be enabled and a path established to the central upstream Nagios server e ifthe Console Server is to periodically report on Nagios monitored services then the NSCA client embedded in the Console Server must be configured the NSCA program enables scheduled check ins with the remote Nagios server and is used to send passive check results across the network to the remote server e Ifthe Nagios server is to actively request status updates from the Console Server then the NRPE server embedded in the Console Server must be configured the NRPE server is the Nagios daemon for executing plug ins on remote hosts e Each of the Serial Ports and each of the Hosts connected to the Console Server which are to be monitored must have Nagios enabled and any specific Nagios checks configured e Lastly the central upstream Nagios monitoring host must be configured Chapter 10 Nagios Integration 10 3 1 Enable Nagios on the Console Server e Select System Nagios on the Console Server Management Console and tick the Nagios service Enabled Enabled Fi Switch on the Nagios service Nagios
291. onize the live system with the new configuration config a 14 2 General Linux command usage The Console Server platform is a dedicated Linux computer optimized to provide access to serial consoles of critical server systems and control network connected hosts Being based around uClinux a small footprint but extensible Linux it embodies a myriad of popular and proven Linux software modules for networking NetFilter IPTables secure access OpenSSH and communications OpenSSL and sophisticated user authentication PAM RADIUS TACACS and LDAP Many components of the Console Server software are licensed under the GNU General Public License version 2 You may obtain a copy of the GNU General Public License at http www fsf org copyleft gpl html and source code will provided for any of the components of the Software licensed under the GNU General Public License upon request The Console Servers are built on the 2 6 uClinux kernel as developed by the uClinux project This is GPL code and source can be found http cvs uclinux org Chapter 14 Command Line Configuration Supported commands that have config files that can be altered include portmanager inetd init ssh sshd scp sshkeygen ucd snmpd samba fnord web server sslwrap Commands you can run from the command line on the Console Server include loopback bash shell busybox http www busybox net downloads BusyBox html has lots of unix shell commands and
292. only RSA To generate keys select RSA and or DSA RSA Keys g Generate RSA Keys DSA Keys o Generate DSA Keys Apply Next you must select whether to generate keys using RSA and or DSA if unsure select only RSA Generating each set of keys will require approximately two minutes and the new keys will destroy any old keys of that type that may previously been uploaded Also while the new generation is underway on the master functions relying on SSH keys e g cascading may stop functioning until they are updated with the new set of keys To generate keys e Select RSA Keys and or DSA Keys e Click Apply System SSH Keys Serial amp Network S P Serial Po Users amp Groups Successfully generated rsa keys e Once the new keys have been successfully generated simply Click here to return and the keys will automatically be uploaded to the Master and connected Slaves Chapter 4 Serial Port Device and User Configuration 4 6 2 Manually generate and upload SSH keys Alternately if you have a RSA or DSA key pair you can manually upload them to the Master and Slave Console Servers Note If you do not already have RSA or DSA key pair and you do not wish to use you will need to create a key pair using ssh keygen PuTTYgen or a similar tool as detailed in Chapter 15 6 To manually upload the key public and private key pair to the Master Console Server e Select System Administration on Master s Management Console e Brows
293. onnector can connect to the Console Server using an alternate OoB access It can also be configured to access the Console Server itself and to access devices connected to serial ports on the Console Server 6 2 1 SDT Connector client installation e The SDT Connector set up program SDTConnector Setup 1 n exe or sdtcon 1 n tar gz is included on the CD supplied with your Console Server e Run the set up program ip Tripp Lite SDTConnector Setup Welcome to the Tripp Lite SDTConnector Setup Wizard This wizard will quide you through the installation of Tripp Lite SDTConnector It is recommended that you close all other applications before starting Setup This will make it possible to update relevant system files without having to reboot your computer Click Next to continue Note For Windows clients the SDTConnectorSetup 1 n exe application will install the SDT Connector 1 n exe and the config file defaults xml If a config file already exists on the Windows computer then it will not be overwritten To remove an earlier config file run the regedit command search for SDT Connector and then remove the directory with this name For Linux and other Unix clients SDTConnector tar gz application will install the sdtcon 1 n jar and the config file defaults xml Once the installer completes you will have a working SDT Connector client installed on your machine and an icon on your desktop a gt j T a
294. ons RPC Connections Environmental Managed Devices Alerts amp Logging Port Log Alerts SMTP amp SMS Use Remote Groups Administration SSL Certificates Configuration Backup Firmware IP Date amp Time Dial DHCP Server TACACS Session lifetime 2 Local LocalTACACS TACACS TACACSLoca l TACACSDownLocal LocalRADIUS RADIUS RADIUSLocal RADIUSDownLocal LocalLDAP LDAP LDAPLocal LDAPDownLocal Use group membership information provided by remote authentication services Session lifetime in minutes The default setting is 20 minutes Any authentication method that is configured will be used for authentication of any user attempting to log in through Telnet SSH or the Web Manager to the Console Server and any connected serial port or network host devices The Console Server can be configured to the default Local or an alternate authentication method TACACS RADIUS or LDAP with the option of a selected order in which local and remote authentication is to be used Local TACACS RADIUS LDAP Tries local authentication first falling back to remote if local fails TACACS RADIUS LDAP Local Tries remote authentication first falling back to local if remote fails TACACS RADIUS LDAP Down Local Tries remote authentication first falling back to local if the remote authentication returns an error condition e g the remote authentication server is down or inaccessible
295. ons This allows them to communicate with the central Nagios server eliminating the need for a dedicated Slave Nagios server at remote sites The Console Servers embed a basic set of distributed monitoring add ons and can be uploaded with additional customizable distributed monitoring Note If you have an existing Nagios deployment you may wish to use the Console Server in a distributed monitoring server capacity only In this case and if you are already familiar with Nagios skip ahead to section 10 3 10 1 Nagios Overview Nagios provides central monitoring of the hosts and services in your distributed network Nagios is freely downloadable open source software This section offers a quick background of Nagios and its capabilities A complete overview FAQ and comprehensive documentation are available at http www nagios org Nagios forms the core of many leading commercial system management solutions such as GroundWork http www groundworkopensource com Nagios takes some time to install and configure but once it is up and running it provides an outstanding network monitoring system With Nagios you can e Display tables showing the status of each monitored server and network service in real time e Use a wide range of freely available plug ins to make detailed checks of specific services e g don t just check if a database is accepting network connections check that it can actually validate requests and return real data e Displ
296. ons System Password RPC Connections Environmenta Managed Devices Confirm Systems Password Alerts amp Logging Re enter the above password for confirmation K eae enia Delayed Config Alerts r i SMTP amp SMS Commits Config changes are queued and must be explicitly applied SNMP SS Apply e Select System Administration e Enter a new System Password then re enter it in Confirm System Password This is the new password for root the main administrative user account so it is important that you choose a complex password and keep it safe e You may now wish to enter a System Name and System Description for the Console Server to give it a unique ID and make it simple to identify Note The System Name can contain from 1 to 64 alohanumeric characters however you can also use the special characters and There are no restrictions on the characters that can be used in the System Description or the System Password which each can contain up to 254 characters However only the first eight Password characters are used to make the password hash e Click Apply As you have changed the password you will be prompted to log in again This time use the new password Note If you are not confident your Console Server has been supplied with the current release of firmware you can upgrade Refer Upgrade Firmware Chapter 10 3 2 1 Set up new administrator It is also recommended that you set up a new Administrator use
297. ons in http www rxvt org manual html 232 Chapter 16 Thin Client 16 1 5 Connect IPMI The BO92 016 control panel provides a number of IPMI tools for managing service processors or Baseboard Management Controllers BMCs These IPMI controls are built on the jomitools program Find more details on configuration options in http ipmitool sourceforge net manpage html The ipmitool program provides a simple command line interface to the BMCs and features the ability to read the sensor data repository SDR display the contents of the System Event Log SEL read and set LAN configuration parameters and perform remote chassis power control The BO92 016 Management Console also has additional tools for controlling power units with IPMI interfaces refer to Chapter 8 e Select Connect IPMI on the control panel and select the Serial over LAN connection to be accessed yy Favorites Remote Control Disconnect p Options Clipboard Send Ctrl Alt Del Refresh J cote Ey comrae toot J sus 5 cone Lye Citrix ICA PowerAlert Console Serial gt Browser gt YNE gt gt b gt m SSH serial Over LAN gt Add Delete Edit This will launch a Serial Over LAN session by running ipmitool I lanplus H hostname U username P password sol activate The resulting serial character connection is presented in an mvt ouR XVT window Also the Serial Over LAN feature is only ap
298. ontact details in the Description field Note The User Name can contain from 1 to 127 alphanumeric characters however you can also use the special characters and There are no restrictions on the characters that can be used in the user Password which each can contain up to 254 characters However only the first eight Password characters are used to make the password hash e Specify which Group or Groups you wish the user to be a member of e Check specific Accessible Hosts and or Accessible Ports to nominate the serial ports and network connected hosts you wish the user to have access privileges to e If there are configured RPCs you can check Accessible RPC Outlets to specify which outlets the user is able to control i e Power On Off e Click Apply The new user will now be able to access the Network Devices Ports and RPC Outlets you nominated as accessible plus if the user is a Group member they can also access any other device port outlet that was set up as accessible to the Group Note There are no specific limits on the number of users you can set up nor on the number of users per serial port or host So multiple users Users and Administrators can control monitor the one port or host Similarly there are no specific limits on the number of Groups and each user can be a member of a number of Groups in which case they take on the cumulative access privileges of each of those Groups A user does not have to be a member
299. or AES and password in addition to the authentication protocol and password o Complete the Username This is the Security Name of the SNMPv3 user sending the message This field is mandatory and must be completed when configuring the Console Server for SNMPv3 o An Authentication Protocol SHA or MD5 and Authentication Password must be given for a Security Level of either authNoPriv or authPriv The password must contain at least 8 characters to be valid o A Privacy Protocol DES or AES must be specified for the authPriv level of security to be used as the encryption algorithm AES is recommended for stronger security A password of at least 8 characters must be provided for encryption to work e Click Apply Note Console Servers also embed the net snmpd daemon which can accept SNMP requests from remote SNMP management servers and provides information on serial port and device status refer Chapter 15 5 for more details Also refer Chapter 15 5 for details on configuring the snmptrap daemon to send traps notifications to multiple remote SNMP servers 7 1 4 Nagios Alerts To notify the central Nagios server of Alerts NSCA must be enabled under System Nagios and Nagios must be enabled for each applicable host or port under Serial amp Network Network Hosts or Serial amp Network Serial Ports refer to Chapter 10 Chapter 7 Alerts and Logging 7 2 Activate Alert Events and Notifications The Alert facility monitors the status of th
300. or IP and port lt proxy port gt number ca lt file name gt Enter the CA certificate file name and location The same CA certificate file can be used by the server and all clients Note Ensure each in the directory path is replaced with For example c openvpnkeys ca crt will become c openvpnkeys ca crt Enter the client s or servers s certificate file name and location Each client should have its own certificate and key files Note Ensure each V in the directory path is replaced with W cert lt file name gt key lt file name gt Enter the file name and location of the client s or server s key Each client should have its own certificate and key files Note Ensure each in the directory path is replaced with W dh lt file name gt This is used by the server only Enter the path to the key with the Diffie Hellman parameters Nobind is used when clients do not need to bind to a local address or specific local port Nobind number This is the case in most client configurations persist key This option prevents the reloading of keys across restarts persist tun This option prevents the close and reopen of TUN TAP devices across restarts cipher BF CBC Blowfish Select a cryptographic cipher The client and server must use the same settings default cipher AES 128 CBC AES cipher DES EDE3 CBC Triple DES Chapter 4 Serial Port Device and User Configuration
301. or access Select Manage Terminal Managed Devices Netwark Serial Power Type Device Actions lt gt Port 1 lt gt Port 2 Port 3 Note The Web Terminal feature was introduced in firmware V3 3 2 Earlier releases had an open source jeterm java terminal applet which could be downloaded into your browser to connect to the Console Server and attached serial port devices However jeterm had some JRE compatibility issues and is no longer supported Administrator and Users can communicate directly with the Console Server command line and with devices attached to the Console Server serial ports using SDT Connector and their local tenet client or using a Web terminal and their browser Click the Connect to SDT Connector button This will to activate the SDT Connector client on the computer you are browsing and load your local telnet client to connect to the command line or serial port using SSH Manage Terminal Serial amp Network Serial Port Users amp Groups Authentication Network Hosts Trusted Networks Cascaded Ports UPS Connections RPC Connections Environmental Alerts amp Logging Port Log Alerts SMTP amp SMS SNMP System 13 4 Power Management Select Manage Power SDTConnector Note To access the TrippLite unit s command line shell or serial ports via SDTConnector SDTConnector 1 5 0 or later must be installed on the computer you are browsing from with thi
302. or device secret SNMP community v or v2c Logging Enabled Log interval 600 second Number of power outlets 4 depends on the type model of the RPC config s config ports port2 power tyoe APC 7900 config s config ports port2 powername MyRPC config s config ports port2 oower description RPC in room 5 config s config ports port2 power username rpclogin config s config ports port2 ower password secret config s config ports port2 oowersnmp community v1 config s config ports port2 powerlog enabled on config s config ports port2 power log interval 600 config s config ports port2 power outlets 4 The following five commands are used by the Management Console to add the RPC to Managed Devices config s config devices device3 connections connection1 name myRPC config s config devices device3 connections connection1 tyoe RPC Unit config s config devices device3 name myRPC config s config devices device3 description RPC in room 5 config s config devices total 3 The following command will synchronize the live system with the new configuration config a 181 Chapter 14 Command Line Configuration 14 1 10 Environmental To configure an environmental monitor with the following details Monitor name Envi4 Monitor Description Monitor in room 5 Temperature offset 2 Humidity offset 5 Enable alarm 1 yes Alarm 1 label door alarm Enable alarm 2 yes Alarm 2 label
303. or the console server the Left Public Key You will need to find out the key to be used on the remote gateway then cut and paste it into the Right Public Key Serial amp Network IPsec VPN Serial amp Network Serial Port Users amp Groups Authentication Network Hosts Trusted Networks IPsec VPN OpenVPN Cascaded Ports UPS Connections RPC Connections Environmental Managed Devices Alerts amp Logging If you select Shared secret you will need to enter a Pre shared secret PSK The PSK must match the PSK configured at the other end of the tunnel Add IPsec Tunnel Tunnel Name Authentication Method Shared Secret PSK A descriptive name for the IPsec tunnel RSA digital signatures Shared secret PSK Authenticate using RSA digital signatures or a shared secret PSK A passphrase must match the passphrase configured at the other end of the tunnel In Authentication Protocol select the authentication protocol to be used Either authenticate as part of ESP Encapsulating Security Payload encryption or separately using the AH Authentication Header protocol Enter a Left ID and Right ID This is the identifier that the Local host gateway and remote host gateway use for IPsec negotiation and authentication Each ID must include an and can include a fully qualified domain name preceded by e g left example com_ Enter the public IP or DNS address o
304. ork Interface Configuration Backup Management LAN Firmware Dial IP ial in Date amp Time VPN DHCP Server Dial in Network Interface Nagios ne Configure Dashboard Management LAN Dialout Cellular VPN Port Access Active Users Statistics VPN Network Interface Report Management LAN Syslog j UPS Status Dialout Cellular RPC Status Dial in e Find the Source Network to be routed and then tick the relevant Destination Network to enable Forwarding For example to configure a dual Ethernet device such as a BO96 048 or BO96 016 Console Server Management Switch e The Source Network would the Network Interface and the Destination Network would be Management LAN IP Masquerading is generally required if the Console Server will be routing to the Internet or if the external network being routed to does not have routing information about the internal network behind the Console Server IP Masquerading performs Source Network Address Translation SNAT on outgoing packets to make them appear like they ve come from the Console Server rather than devices on the internal network When response packets come back devices on the external network the Console Server will translate the packet address back to the internal IP so that it is routed correctly This allows the Console Server to provide full outgoing connectivity for internal devices using a single IP Address on the external network Power Sup
305. ormation modules and can be extended using dynamically loaded modules external scripts and commands snmpd when enabled should run with a default configuration Its behavior can be customized via the options in etc config snmpd conf Note If the SNMP Service is enabled through the Web Based Management Console this configuration file will be overidden and you will lose any customization Changing standard system information such as system contact name and location can be achieved by editing etc contig snmpd conf file and locating the following lines sysdescr tripplite syscontact root lt root localhost gt configure etc default snmpd conf sysname Not defined edit etc default snmpd conf syslocation Not defined edit etc default snmpd conf Simply change the values of sysdescr syscontact sysname and syslocation to the desired settings and restart snmpd The snmpd conf provides is extremely powerful and too flexible to completely cover here The configuration file itself is commented extensively and good documentation is available at the net snmp website http www net snmp org specifically Man Page http www net snmp org docs man snmpd conf html FAQ http www net snmp org docs FAQ html Net SNMPD Tutorial http www net snmp org tutorial tutorial 5 demon snmpd html Chapter 15 Advanced Configuration 15 5 5 Adding multiple remote SNMP managers You can add multiple SNMP servers for alert traps add the first and
306. ortant VNC uses a random challenge response system to provide the basic authentication that allows you to connect to a VNC server This is reasonably secure and the password is not sent over the network However once connected all subsequent VNC traffic is unencrypted So a malicious user could snoop your VNC session Also there are VNC scanning programs available which will scan a subnet looking for PCs which are listening on one of the ports which VNC uses Tunneling VNC over a SSH connection ensures all traffic is strongly encrypted Also no VNC port is ever open to the internet so anyone scanning for open VNC ports will not be able to find your computers When tunneling VNC over a SSH connection the only port which you re opening on your Console Server the SDT port 22 So sometimes it may be prudent to tunnel VNC through SSH even when the Viewer PC and the Console Server are both on the same local network Chapter 7 Alerts and Logging This chapter describes the alert generation and logging features of the Console Server The alert facility monitors the serial ports all logins the power status and environmental monitors and probes It sends emails SMS Nagios or SNMP alerts when specified trigger events occurs e First enable and configure the service that will be used to carry the alert Section 7 1 e Then specify the alert trigger condition and the actual destination to which that particular alert is to be sent Section 7 2 The
307. ount e Click Apply LDAP remote authentication will now be used for all user access to Console Server and serially or network attached devices LDAP The Lightweight Directory Access Protocol LDAP is based on the X 500 standard but is significantly simpler and more readily adapted to meet custom needs The core LDAP specifications are all defined in RFCs LDAP is a protocol used to access information stored in an LDAP server Further information on configuring remote RADIUS servers can be found at the following sites http Awww dapman org articles intro_to_ldap html http www ldapman org servers html http www linuxplanet com linuxplanet tutorials 5050 1 http www linuxplanet com linuxplanet tutorials 50 74 4 9 1 5 RADIUS TACACS user configuration Users may be added to the local Console Server appliance If they are not added and they log in via remote AAA a user will be added for them This user will not show up in the configurators unless they are specifically added at which point they are transformed into a completely local user The newly added user must authenticate via the remote AAA server and will not have any access if it is down If a local user logs in they may be authenticated authorized from the remote AAA server depending on the chosen priority of the remote AAA A local user s authorization is the union of local and remote privileges Example 1 User A is locally added and has access to ports 1 and 2 He is a
308. ount and password as normal When you have a secure HTTPS connection in place the SSL secured icon will appear at the bottom of the browser screen You can verify the level of encryption in place by clicking on this icon When you first enable and connect via HTTPS it is normal that you may receive a certificate warning The default SSL certificate in your Console Server is embedded during testing and is not signed by a recognized third party certificate authority Rather it is signed by our own signing authority These warnings do not affect the encryption protection you have against eavesdroppers Chapter 9 Authentication 9 4 SSL Certificate The Console Server uses the Secure Socket Layer SSL protocol for encrypted network traffic between itself and a connected user During the connection establishment the Console Server has to expose its identity to the user s browser using a cryptographic certificate The default certificate that comes with the Console Server device upon delivery is for testing purpose only and should not be relied on for secured global access The System Administrator should not rely on the default certificate as the secured global access mechanism for use through Internet It is recommended you generate and install a new base64 X 509 certificate that is unique for a particular Console Server System SSL Certificates Serial amp Network Serial Port Users amp Groups Authentication Network
309. overed in Chapter 8 12 1 Port Access and Active Users The Administrator can see which Users have access privileges with which serial ports e Select the Status Port Access Status Port Access Serial amp Network Serial Port Users amp Groups User From 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 ticati e admin St a N a GG a T T E a Na oe A GO ON SG SA Sa Network Hosts Trusted Networks secman Anywhere N N Y N N N N N N N N N N N N N Cascaded Ports UPS Connection S Legend RPC Connections Environmental Alerts amp Logging Anyone Anywhere Accessible from any IP address No username is required for access The Administrator can also see the current status as to Users who have active sessions on those ports e Select the Status Active Users 12 2 Statistics The Statistics report provides a snapshot of the status current traffic and other activities and operations of your Console Server e Select the Status Statistics Serial amp Network Serial Port Users amp Groups Authentication Network Hosts Trusted Networks Interfaces IPsec VPN OpenVPN Cascaded Ports UPS Connections RPC Connections Environmental Managed Devices etho Alerts amp Logging Port Log Alerts SMTP amp SMS SNMP etho 0 Administration SSL Certificates Serial Failover amp Routes p IP ICMP TCP UDP Out of orts
310. pendency name tripplite_nroe_daemon dep host name tripplite dependent _ host name serer dependent service description SSH Port service_description NRPE Daemon execution failure _criteria w u c j Chapter 10 Nagios Integration 10 4 2 Basic Nagios plug ins Plug ins are compiled executables or scripts that can be scheduled to be run on the Console Server to check the status of a connected host or service This status is then communicated to the upstream Nagios server which uses the results to monitor the current status of the distributed network Each Console Server is preconfigured with a selection of the checks that are part of the Nagios plug ins package check tcp and check _udp are used to check open ports on network hosts check_ping is used to check network host availability check_nrpe is used to execute arbitrary plug ins in other devices Each Console Server is also preconfigured with two checks that are specific to the Console Server check_serial_signals is used to monitor the handshaking lines on the serial ports check_port_log is used to monitor the data logged for a serial port 10 4 3 Additional plug ins Additional Nagios plug ins listed below are available for all the Tripp Lite Console Servers check_apt check_http check_nt check snmp check by ssh check_imap check_ntp check spop check_clamd check_jabber check_nwstat check_ssh check dig check _Idap check_overcr check_ssmtp check_dns check_load check_ping check_swap ch
311. plicable to IPMI2 0 devices e Select Logs IPMI on the control iil and select the IPMI Event Log to be viewed se VNC Server Serial Log Files Y IPMI Event Log Add Delete Edit This will retrieve the selected IPMI event log by running ipmitool haunts H hostname U username P password sel info gf Configure x Connect Logs JES Sistas E custom Es Serial Power Status Add Delete Edit 233 Chapter 16 Thin Client 16 1 6 Connect Remote Desktop RDP e Select Connect RDP on the control panel and click on the Windows computer to be accessed re Configure ES Connect Logs 5 Status Fs Custom system bee ee EE eee ee ee eee Serial 3 Browser E VAC j SSH Hl IPMI 2 Ace HTH Add Delete Edit XP Engineering FF6 MS Server 2007 45A e The rdesktop program in your BO92 016 will be started an RDP connection to the Remote Desktop server in the selected computer will be opened the rdesktop window will appear on your BO92 016 screen and you will be prompted for a password If the selected computer does not have RDP access enabled then the rdesktop window will not appear Z Configure E2 Connect Logs T Status gt Custom System rdesktop VERREES 8 Eeti iMt Fayans ait Heir ay Fact o p Search Folders E B Address e Control Panel Go va Control Panel a a 4 s Accessibility Add Hardware Add or Administ
312. ply Status Dashboard Enable IP Network Interface Masqueradin st 9 Management LAN Manage SNAT Dialout Cellular Devices Port Logs Dian Host Logs VPN Power IP Masquerading is used to translate private network traffic onto public networks Terminal such as the Internet This is generally required when using the interface as an Internet gateway Apply By default IP Masquerading is disabled for all networks To enable masquerading e Select Forwarding amp Masquerading panel on the System Firewall menu e Check Enable IP Masquerading SNAT on the network interfaces where masquerading is be enabled Generally this masquerading would be applied to any interface that is connecting with a public network such as the Internet Chapter 5 Firewall Failover and Out of Band 5 7 2 Configuring client devices Client devices on the local network must be configured with Gateway and DNS settings This can be done statically on each device or using DHCP Manual Configuration Manually set a static gateway address being the address of the Console Server and set the DNS server address to be the same as used on the external network i e if the Console Server is acting as an internet gateway or a cellular router then use the ISP provided DNS server address DHCP Configuration e Navigate to the System IP page e Click the tab of the interface connected to the internal network To use DHCP a static address must be set c
313. ponents inside Opening or removing the cover may expose you to dangerous voltage which may cause fire or electric shock Refer all service to Tripp Lite qualified personnel To avoid electric shock the power cord protective grounding conductor must be connected through to ground Always pull on the plug not the cable when disconnecting the power cord from the socket Do not connect or disconnect the Console Server during an electrical storm Also it is recommended you use a surge suppressor or UPS to protect the equipment from transients Table of Contents Introduction 10 Installation 14 2 1 Models 14 2 1 1 Kit components BO96 048 and BO96 016 Console Server Management Switch 14 2 1 2 Kit components BO92 016 Console Server with PowerAlert 15 2 49 Kit components BO95 004 1E and BO95 003 1E M Console Server 15 2 2 Power Connection 16 22A Power Console Server Management Switch 16 2 2 2 Power Console Server with PowerAlert 16 2 253 Power Console Server 16 2 3 Network Connection 17 2 4 Serial Port Connection 17 2 5 USB Port Connection 17 2 6 Rackmount Console KVM Connection BO92 016 only 17 System Configuration 18 3 1 Management Console Connection 18 to Oa Connected computer set up 18 3 1 2 Browser connection 19 3 1 3 Initial BO92 016 connection 20 3 2 Administrator Password 21 3 2 1 Set up new administrator 21 3 3 Network IP Address 22 33 1 IPv6 configuration 23 3 0 2 Dynamic DNS DDNS configuration 24 3 4 System Service Access
314. pply e RDP and VNC forwarding over serial ports is enabled on a Port basis You can add Users who can have access to these ports or reconfigure User profiles by selecting Serial amp Network User amp Groups menu tag as described earlier in Chapter 4 Configuring Serial Ports 6 10 3 Set up SDT Connector to SSH port forward over the Console Server Serial Port In the SDT Connector software running on your remote computer specify the gateway IP address of your Console Server and a username password for a user you have setup on the Console Server that has access to the desired port Next add a New SDT Host In the Host address you need to put portxx where xx the port to which you are connecting Example for port 3 you would have a Host Address of portO3 and then select the RDP Service check box Chapter 6 Secure SSH Tunneling amp SDT Connector 6 11 SSH Tunneling using other SSH clients e g PuTTY As covered in the previous sections of this chapter we recommend you use the SDT Connector client software that is supplied with the Console Server However there s also a wide selection of commercial and free SSH client programs that can also provide the secure SSH connections to the Console Servers and secure tunnels to connected devices e PuTTY is a complete though not very user friendly freeware implementation of SSH for Win32 and UNIX platforms e SSHTerm is a useful open source SSH communications package e SSH Tectia is leadi
315. program e Select the desired key type SSH2 DSA you may use RSA or DSA within the Parameters section e itis important that you leave the passphrase field blank e Click on the Generate button e Follow the instruction to move the mouse over the blank area of the program in order to create random data used by PUTTYGEN to generate secure keys Key generation will occur once PUTTYGEN has collected sufficient random data e Create a new file authorized keys with notepad and copy your public key data from the Public key for pasting into Chapter 15 Advanced Configuration ct PullY Key Generator Fie Key Conversions Help kep Public kep for pasting into OpenSSH authorized keys file Fe al ial eet AAA AR aN zal yc EAAAABJOAAAIB N OAgk 9G 20k ORY coWbe2 TA ruGsTLEFZe konmb Q vyutT Jayo Fg FAJ DFB FAdoL2vTARTHHE1 ST bFHesNE Cal 5m1 bps T TpLNALYHOB ADL LF nE App Gmt pneFtk fyaedognsT Cy T OF arebDuhN F udi rea key 20061212 Kep fingerprint ssh sa 1023 91 18 31 4 Ob Be f2 ca 4a 9b feck 1a 4b Key comment tsa key 20061 212 Key passphrase Confirm passphrase Actions Generate a public private key pair Load an existing private key file Load Save the generated key Save public key Save private kep Parameters Type of key to generate SSH 1 RSA SSH 2 ASA S5H 2 DSA Number of bits in a generated key 1024 OpenSSH authorized_ keys file sectio
316. purposes pursuant to the terms of your license Source code may not be redistributed unless expressly provided for in the terms of your license 4 Third Party Code Additional copyright notices and license terms applicable to portions of the Software are set forth in the THIRDPARTYLICENSEREADME ttt file 247 Service amp Warranty Appendix D Service and Warranty Limited Warranty Seller warrants this product if used in accordance with all applicable instructions to be free from original defects in material and workmanship for a period of 2 years except U S Canada and Mexico 1 year from the date of initial purchase If the product should prove defective in material or workmanship within that period Seller will repair or replace the product in its sole discretion Service under this Warranty includes parts and Tripp Lite service center labor On site service plans are available from Tripp Lite through authorized service partners in most areas Contact Tripp Lite Customer Service at 773 869 1234 for details International customers should contact Tripp Lite support at intlservice tripplite com THIS WARRANTY DOES NOT APPLY TO NORMAL WEAR OR TO DAMAGE RESULTING FROM ACCIDENT MISUSE ABUSE OR NEGLECT SELLER MAKES NO EXPRESS WARRANTIES OTHER THAN THE WARRANTY EXPRESSLY SET FORTH HEREIN EXCEPT TO THE EXTENT PROHIBITED BY APPLICABLE LAW ALL IMPLIED WARRANTIES INCLUDING ALL WARRANTIES OF MERCHANTABILITY OR FITNESS ARE LIMITED IN DURA
317. r Terminal Reboot Safely reboot the device Apply The Console Server reboots with all settings e g the assigned network IP address preserved However this soft reset does disconnect all users and ends any SSH sessions that had been established A soft reset will also be affected when you switch OFF power from the Console Server and then switch the power back ON However if you cycle the power while the unit is writing to flash you could corrupt or lose data so the software reboot is the safer option A hard erase hard reset is effected by e Pushing the Erase button on the rear panel twice A ball point pen or bent paper clip is a suitable tool for performing this procedure Do not use a graphite pencil Depress the button gently twice within a couple of second period while the unit is powered ON This will reset the Console Server back to its factory default settings and clear the Console Server s stored configuration information e the IP address will be reset to 192 168 0 1 You will be prompted to log in and must enter the default administration username and administration password Username root Password default Chapter 11 System Management 11 2 Upgrade Firmware Before upgrading you should ascertain if you are already running the most current firmware in your gateway Your Console Server will not allow you to upgrade to the same or an earlier version The Firmware version is displayed in the head
318. r DNS name of the host managing this UPS Description An optional description Username Connect using this username Password Connect using this password Confirm Re enter the password Log Status Periodically log UPS status Log Rate 15 Minutes between samples Enable Nagios Monitor the status of this UPS in Nagios Nagios Host Name Name of host in Nagios Generated using if unspecified Nagios UPS Status Switch on Nagios UPS status Apply 8 2 3 Configuring powered computers to monitor a Managed UPS Connected Via Serial Port Edit Delete H Once you have added a Managed UPS each server that is drawing power through the UPS should be setup to monitor the UPS status as a Slave This is done by installing the NUT package on each server and setting up upsmon to connect to the Console Server Refer to the NUT documentation for details on how this is done specifically sections 13 5 to 13 10 htto euL networkupstools org doc 2 2 0 INSTALL html An example upsmon conf entry might look like MONITOR managedups 192 168 0 1 1 username password Slave managedups is the UPS Name of the Managed UPS 192 168 0 1 is the IP address of the Console Server 1 indicates the server has a single power supply attached to this UPS username is the Username of the Managed UPS password is the Password of the Manager UPS Chapter 8 Power and Environment 8 2 4 UPS alerts You can now set UPS alerts using Alerts amp
319. r Trap Port field default 162 e Select the Version to be used The Console Server SNMP agent supports SNMP v1 v2 and v3 e Enter the Community name for SNMP v1 or SNMP v2c At a minimum a community needs to be set for either SNMP v1 or v2c traps to work An SNMP community is the group to which devices and management stations running SNMP belong It helps define where information is sent SNMP default communities are private for Write and public for Read Chapter 7 Alerts and Logging e Configure SNMP v3 if required For SNMP v3 messages the users details and security level must match what the receiving SNMP Network Manager is expecting SNMP v3 mandates that the message will be rejected unless the SNMPv3 user sending the trap already exists in the user database on the SNMP Manager The user database in a SNMP v3 application is actually referenced by a combination of the Username and the Engine ID for the given SNMP application you are talking to o Enter the Engine ID for the user sending messages as a hex number e g OxX8OOOO00001020304 o Specify the Security Level The level of security has to be compatible with the settings of the remote SNMP Network Manager noAuthNoPriv No authentication or encryption authNoPriv Authentication only An authentication protocol SHA or MD5 and password will be required authPriv Uses both authentication and encryption This is the highest level of security and requires an encryption protocol DES
320. r aS soon as convenient and log in as this new user for all ongoing administration functions rather than root This Administrator can be configured in the admin group with full access privileges through the Serial amp Network Users amp Groups menu refer Chapter 4 for details Chapter 3 Initial System Configuration 3 3 Network IP Address It is time to enter an IP address for the principal 10 100 LAN port on the Console Server or enable its DHCP client so that it automatically obtains an IP address from a DHCP server on the network to which it is to be connected e On the System IP menu select the Network Interface page then check DHCP or Static for the Configuration Method e lf you select Static you must manually enter the new IP Address Subnet Mask Gateway and DNS server details This selection automatically disables the DHCP client System IP Serial amp Network Serial Port Network Interface General Settings Users amp Groups Authentication Network Hosts Trusted Networks IP Settings Network IPsec VPN ier gaa we OpenVPN Static Cascaded Ports The mechanism to acquire IP settings UPS Connections RPC Connections IP Address Environmental Managed Devices A statically assigned IP address Alerts amp Logging Subnet Mask Port Log A statically assigned network mask Alerts SMTP amp SMS Gateway SNMP A statically assigned gateway Prima
321. r device confirmation t this power device host Defaults te host name if unset 1 Check by SSH Command User ka Use Default Args a A 3 Default Args I USER H HOST C COMMAND Chapter 11 System Management This chapter describes how the Administrator can perform a range of general system administration and configuration tasks on the Console Server such as e Applying Soft and Hard Resets to the gateway e Re flashing the firmware e Configuring the Date Time and NTP e Setting up Backup of the configuration files BO95 004 003 only e Configuring the console server in FIPS mode BO95 004 003 only System administration and configuration tasks covered elsewhere include e Resetting the System Password and entering a new System Name and Description for the Console Server Chapter 3 2 e Setting the Console Server s System IP Address Chapter 3 3 e Setting the permitted Services used to access the Console Server Chapter 3 4 e Setting up OoB Dial in Chapter 5 Configuring the Dashboard BO95 004 003 only Chapter 12 11 1 System Administration and Reset The Administrator can reboot or reset the gateway to default settings A soft reset is affected by e Selecting Reboot in the System Administration menu and clicking Apply Devices Port Logs FIPS Mode Host Logs Enable FIPS mode on boot changing requires safe reboot Powe
322. ransferred from the port and all changes in hardware flow control status and all User connection events Logs all data transferred to the port and all changes in hardware flow control status and all User connection events Note A cache of the most recent 8K of logged data per serial port is maintained locally in addition to the Logs which are transmitted for remote USB flash storage To view the local cache of logged serial port data select Manage Port Logs Chapter 7 Alerts and Logging 7 5 Network TCP or UDP Port Logging The Console Servers can also log any access to and communications with network attached Hosts For each Host when you set up the Permitted Services which are authorized to be used you also must set up the level of Serial amp Network Network Hosts e logging that is to be maintained for each service Serial amp Network IP Address DNS Name Host Name Description Notes Permitted Services Ad 5 Firmware IP Date amp Time Dia Services DHCP Serve Level 0 Level 1 Level 2 e Click Add then click Apply The host s IP Address or DNS name A descriptive name for this host A brief description of the host 22 tcp ssh 0 23 tcp telnet 0 80 tcp http 0 443 tcp https 0 1494 tcp ica 0 3389 tcp rdp 0 5900 tcp vnc 0 Remove TCP OuDP Port level 2 Input Output logging on services level 1 level 0 Disabled Spe
323. ration SSL Certificates Configuration Backup Firmware IP Date amp Time Dial Firewall DHCP Server Nagios Configure Dashboard I O Ports Password Confirm Log Status Log Rate Port Access Active Users Statistics Apply Serial Port 3 Port 3 v Specify the serial port or network host address for the power device None x Specify the type of the connected power device A descriptive name for the power device A brief description for the power device Specify the login name for the power device Specify the login secret for the power device Confirm the login secret for the power device Periodically log RPC status 15 Minutes between samples Now you have set up a new serially or network connected RPC device this will automatically create a corresponding new Managed Device with the same Name Description as the RPC The outlet names on the RPC PDU Managed Device will by default be Outlet 1 Outlet 2 You can now establish a connection between particular Managed Device that draws power from the particular RPC PDU outlet using Serial amp Network Managed Devices refer Chapter 4 The outlet will then take up the name of the powered Managed Device Serial amp Network Managed Devices Serial amp Network Serial Port Users amp Groups Authentication Network Hosts Trusted Networks IPsec V
324. rative c Switch to Category View Options Remoy Tools D A E See Also a 7 gt Automatic Date and Time Display Folder Options Windows Update Updates wj Help and Support a s gt Game Internet Keyboard Controllers Options e 9 b Network Network Setup Phone and Connections Wizard Modem PE PE F Start E Control Panel FPG E 1 01 PM You can use Add Delete Edit to customize the rdesktop client e g to include login username passwords The command line protocol is rdesktop u windows user id p windows password g 1200x950 ms windows terminal server host name option Description a oor gepen 8 16 28 O O cr Device redirection i e Redirect sound on remote machine to local device i e O r sound MS Windows 2003 e Geometry widthxheight or 70 screen percentage e Use p to receive password prompt Further information on rdesktop can be found at http www rdesktop org Chapter 16 Thin Client 16 1 7 Connect Citrix ICA e Select Connect Citrix ICA on the control panel and click on the Citrix server to be accessed yy Favorites Remote Control EPOS TEA TIS TCA Citrix Presentation Server Client for Linux Power4lert Console 7 Connections View Tools Serial Browser WNC SoH IPM Description Destination ROF Add Delete Edit 16 1 8 Connect PowerAlert e Select Connect PowerAlert on the control panel The PowerAlert software will be launched Bowes
325. re Hardware Software and None Additionally before any port can function properly the mode of the port needs to be set Any port can be set to run in one of the five possible modes refer Chapter 4 for details Console Server mode Device mode SDT mode Terminal server mode Serial bridge mode All these modes are mutually exclusive Console Server mode The command to set the port in portmanager mode config s config ports ports mode portmanager To set the following optional config elements for this mode Data accumulation period 100 ms Escape character default is log level 2 default is O Shell power command menu Enabled RFC221 7 access Enabled Limit pot to 1 connection Enabled SSH access Enabled TCP access Enabled telnet access Disabled Unauthorized telnet access Disabled config s config ports port5 delay 100 config s config ports portS escapechar config s config ports port5 loglevel 2 config s config ports portS powermenu on config s config ports port5 rfc2217 0n config s config ports port5 singleconn on config s config ports portS ssh on config s config ports portS tcp on config d config ports port5 telnet config d config ports port5 unauthtel Device Mode For a device mode port set the port type to either ups rpc or enviro config s config ports port5 device tyoe ups roc enviro For port 5 as a UPS port config s config ports ports mode reserve
326. re Shell SSH is a program to log into another computer over a network to execute commands in a remote machine and to move files from one machine to another It provides strong authentication and secure communications over insecure channels OpenSSH the de facto open source SSH application encrypts all traffic including passwords to effectively eliminate these risks Additionally OpenSSH provides a myriad of secure tunneling capabilities as well as a variety of authentication methods OpenSSH is the port of OpenBSD s excellent OpenSSH O to Linux and other versions of Unix OpenSSH is based on the last free version of Tatu Ylonen s sample implementation with all patent encumbered algorithms removed to external libraries all known security bugs fixed new features reintroduced and many other clean ups http www openssh com The only changes in the SSH implementation are e PAM support e EGD 1 PRNGD 2 support and replacements for OpenBSD library functions that are absent from other versions of UNIX e The config files are now in etc config e g o etc config sshd_config instead of etc sshd_config o etc config ssh_ config instead of etc ssh_config o etc config users lt username gt ssh instead of home lt username gt ssh 15 6 2 Generating Public Keys Linux To generate new SSH key pairs use the Linux ssh keygen command This will produce an RSA or DSA public private key pair and you will be prompted for a path to store t
327. reconfigure your PC workstation so it has an IP address that is in the same network range as this new address as detailed in an earlier note in this chapter e Click Apply e You will need to reconnect the browser on the PC workstation that is connected to the Console Server by entering http new IP address Chapter 3 Initial System Configuration 3 3 1 IPv6 configuration By default the Console Server Ethernet interfaces support IPv However they can also be configured for IPv6 operation e On the System IP menu select General Settings page and check Enable IPv6 System IP Serial amp Network Serial Port Network Interface Management LAN Interface General Settings Users amp Groups Authentication Network Hosts General Settings Trusted Networks E idni nable Bridgin IPsec VPN gng l 3 OpenVPN Bridge between all interfaces Cascaded Ports UPS Connections Enable IPv6 RPC Connections Enable IPv6 for all interfaces Environmental Managed Devices Apply e You will then need to configure the IPv6 parameters on each network interface page Manage Devices Port Logs Host pred IPv6 Settings Network Power she Configuration Stateless only Terminal Method 3 wa a d The mechanism to acquire IP settings IPv6 Address A statically assigned IPv6 address IPv6 Subnet Mask A statically assigned IPv6 network mask Chapter 3 Initial System Configuration
328. remote chassis power control IPMI management of a local system interface requires a compatible IPMI kernel driver to be installed and configured On Linux this driver is called OpenIPMI and it is included in standard distributions On Solaris this driver is called BMC and is included in Solaris 10 Management of a remote station requires the IPMl over LAN interface to be enabled and configured Depending on the particular requirements of each system it may be possible to enable the LAN interface using ipmitool over the system interface OPTIONS a Prompt for the remote server password A lt authtype gt Specify an authentication type to use during IPMlv1 5 lan session activation Supported types are NONE PASSWORD MD5 or OEM C Present output in CSV comma separated variable format This is not available with all commands C lt ciphersuite gt The remote server authentication integrity and encryption algorithms to use for IPMIv2 lanplus connections See table 22 19 in the IPMlv2 specification The default is 3 which specifies RAKP HMAC SHA 1 authentication HMAC SHA1 96 integrity and AES CBC 128 encryption algorithms E The remote server password is specified by the environment variable PMI_PASSWORD f lt password file gt Specifies a file containing the remote server password If this option is absent or if password file is empty the password will default to NULL h Get basic usage help from the command line Chapter 1
329. replaced with portO1 or port13 or whichever port the alert should run for If this file cannot be found the script checks whether the file etc config scripts portmanager pattern alert exists If either of these files exists the script calls the exec command on the first file that it finds and runs that custom file script instead As an example you can copy the etc scripts portmanager pattern alert script file to etc config scripts portmanager pattern alert cd mkdir etc config scripts if the directory does not already exist cp etc scripts oortmanager pattern alert etc config scripts portmanager pattern alert The next step will be to edit the new script file Firstly open the file etc config scripts portmanager pattern alert using vi or any other editor and remove the lines that check for a custom script the code from above this will prevent the new custom script from repeatedly calling itself After these lines have been removed edit the file or add any additional scripting to the file Chapter 15 Advanced Configuration 15 1 3 Example script Power cycling on pattern match If for example we had an RPC PDU connected to port 1 on a Console Server and also have some telecommunications device connected to port 2 and which is powered by the RPC outlet 3 Now assume the telecom device transmits a character stream EMERGENCY out on its serial console port every time that it encounters some specific error and t
330. rms of Section 1 above provided that you also meet all of these conditions a You must cause the modified files to carry prominent notices stating that you changed the files and the date of any change b You must cause any work that you distribute or publish that in whole or in part contains or is derived from the Program or any part thereof to be licensed as a whole at no charge to all third parties under the terms of this License c Ifthe modified program normally reads commands interactively when run you must cause it when started running for such interactive use in the most ordinary way to print or display an announcement including an appropriate copyright notice and a notice that there is no warranty or else saying that you provide a warranty and that users may redistribute the program under these conditions and telling the user how to view a copy of this License Exception if the Program itself is interactive but does not normally print such an announcement your work based on the Program is not required to print an announcement These requirements apply to the modified work as a whole If identifiable sections of that work are not derived from the Program and can be reasonably considered independent and separate works in themselves then this License and its terms do not apply to those sections when you distribute them as separate works But when you distribute the same sections as part of a whole which is a work based on the Pr
331. rocess is simple e The virtualport_setup exe program is included on the CD supplied with your Console Server or a copy can be freely downloaded from the ftp site Double click the VirtualPort_setup exe file to start installation process O VirtualPort v1 2 Uninstall Welcome to the VirtualPort v1 2 Uninstall Wizard This wizard will quide you through the uninstallation of VirtualPort v1 2 Before starting the uninstallation make sure VirtualPort v1 2 is not running Click Next to continue Cem e Read the License Agreement then follow the prompts to select the destination path and choose shortcuts you wish to create Once the installer completes you will have a working Virtua Port client installed on your machine and an icon on your desktop e Click the Virtua Port icon on your desktop to start the client Chapter 4 Serial Port Device and User Configuration 4 7 2 Configure the VirtualPort client Creating the VirtualPort client connection will initiate a virtual serial port data redirection to the remote Console Server using TCP IP protocol e Click on Add Ports e Specify a name to identify this connection in the Server Description tab fr z VirtualPort ea ERs Fi 192 168 254 144 Details Tai soo E Server Description CA Outlet 15 Server Address 192 168 254 173 Server TCP Port 4001 Starting Device Name COM2 Number of Ports 4 V Raw Mode Encrypt Traffic Require Authentication Password
332. rrent alerts status When an alert gets triggered a corresponding XML file is created in var run alerts The dashboard scans all these files and displays a summary status in the alerts widget When an alert is deleted the corresponding XML files that belong to that alert are also deleted To configure what is to be displayed by each widget e Go to the Configure Widgets panel and configure each selected widget e g specify which UPS status is to be displayed on the ups widget or the maximum number of Managed Devices to be displayed in the devices widget e Click Apply Serial amp Network Serial Port Users amp Groups Authentication Network Hosts Trusted Networks UPS Connections Dashboard Layout Configure Widgets Configuring Dashboard for Group admin Widget 1 Alerts RPC Connections Amount Environmental i 2 Managed Devices Maximum number of alerts to display in dashboard Alerts Connection Alert Signal Alert Pattern Match Alert UPS power status alert Environmental and Power Sensor Alert Alarm Sensor Alert Administration Choose which alerts to display in the dashboard SSL Certificates Configuration Backup Firmware IP Date amp Time Widget 2 Managed Devices Nial Note Dashboard configuration is stored in the etc config config xml file Each configured dashboard will increase the config file If this file gets too big you can run out of memory space o
333. rs password for confirmation Remote Address The IP address to assign a dial in client Local Address The IP address for the Dial In server Default Route g The dialed connection is to become a default route for the system Custom Modem Initialization eae An optional AT command sequence to initialize non standard modems Authentication Type None O PAP O CHAP MSCHAPv2 The method to use when checking the dial in users credentials Enable Dial Back g Allow an out going connection to be triggered by logging into this port Dial Back Phone Number The Phone Number to call back when user logs in e Select the System Dial menu option and the port to be configured Serial DB9 Port or Internal Modem Port Note The Console Server s console modem serial port is set by default to 115200 baud No parity 8 data bits and 1 stop bit with software Xon Xoff flow control enabled You can modify the baud rate and flow contro using the Management Console You can further configure the console modem port settings by editing etc mgetty config files as described in Chapter 14 e Select the Baud Rate and Flow Control that will communicate with the modem e Check the Enable Dial In Access box e Enter the User name and Password to be used for the dial in PPP link e In the Remote Address field enter the IP address to be assigned to the dial in client You can select any address for the Remote IP Address However it and the Local IP Address mu
334. rt Funston CN OpenvPN CA emai lAddress meGn i Aug 302 2010 VERIFY OK depth 0 C US ST CA L SanFrancisco O Fort Funston CN server emai lAddress me myhos i Aug 30 2010 Data Channel Encrypt Cipher BF CBC initialized with 128 bit key i Aug 3303 Data Channel Encrypt Using 160 bit message hash SHAL for HMAC authentication i Aug 230 Data Channel Decrypt Cipher BF CBC initialized with 128 bit key i Aug 230 Data Channel Decrypt Using 160 bit message hash SHAL for HMAC authentication i Aug 30 control Channel TLSv1 cipher TLSv1 SSLv3 DHE RSA AES256 SHA 1024 bit RSA i server Peer Connection Initiated with 192 168 250 152 1194 SENT CONTROL server PUSH_REQUEST status 1 PUSH Received control message PUSH_REPLY route 10 100 10 1 topology net30 ping 10 ping res Options error Unrecognized option or missing parameter s in PUSH OPTIONS 2 topology 2 C OPTIONS IMPORT timers and or timeouts modified OPTIONS IMPORT ifconfig up options modified OPTIONS IMPORT route options modified TAP WIN32 device Local Area Connection 3 opened Global 12EF532A 3135 4F37 B689 720FEC TAP win32 Driver version 8 4 TAP win32 MTU 1500 Notified TAP win32 driver to set a DHCP IP netmask of 10 100 10 6 255 255 255 252 on interfac Successful ARP Flush on interface 5 12 amp F532A 3135 4F37 B689 720FE0B1F713 TEST ROUTES 0 0 succeeded len 1 ret 0 a 0 u d down Route waiting for TUN TAP interface to come up Zz TEST ROUTES 0 0 succeeded len
335. rver a new user account will be created This account will not have any rights and no password set They will not appear in the configuration tools Automatically added accounts will not be able to log in if the remote servers are unavailable RADIUS users are currently assumed to have access to all resources so will only be authorized to log in to the Console Server RADIUS users will be authorized each time they access a new resource e Admin rights granted over AAA Users may be granted Administrator rights via networked AAA For TACACS a priv lvl of 12 of above indicates an administrator For RADIUS administrators are indicated via the Framed Filter ID See the example configuration files below for example e Authorization via TACACS for both serial ports and host access Permission to access resources may be granted via TACACS by indicating an appliance and a port or networked host the user may access See the example configuration files below for example Chapter 9 Authentication TACACS Example user tim service raccess priv lvl 11 port1 xxxxx port02 port2 192 168 254 145 port05 J global cleartext mit RADIUS Example paul Cleartext Password Iuap Service Type Framed User Fall Through No Framed Filter ld group_name admin The list of groups may include any number of entries separated by a comma If the admin group is included the user will be made an Administrator If there
336. rver with The default is to bind anonymously config s config auth radius password password The following command will synchronize the live system with the new configuration config r auth Chapter 14 Command Line Configuration 14 1 5 Network Hosts To determine the total number of currently configured hosts config g config sdt hosts total Assume this value is equal to 3 If you add another host make sure to increment the total number of hosts from 3 to 4 config s config sdt hosts total 4 If the output is config sdt hosts total then assume O hosts are configured Add power device host To add a UPS RPC network host with the following details IP address DNS name 192 168 2 5 Host name remoteUPS Description UPSroom3 Type UPS Allowed services ssh port 22 and https port 443 Log level for services O Issue the commands below config s config sdt hosts host4 address 192 168 2 5 config s config sdt hosts host4 name remoteUPS config s config sdt hosts host4 description UPSroom3 config s config sdt hosts host4 device tyoe ups config s config sdt hosts host4 tcpports tcpport1 22 config s config sdt hosts host4 tcpports tcpport1 loglevel O config s config sdt hosts host4 udpports udpport2 443 config s config sdt hosts host4 udpports udpport2 loglevel O The loglevel can have a value of O or 1 The default services that should be configured are 22 tcp ssh 23 tcp tel
337. ry DNS Administration SSL Certificates A statically assigned primary name server Configuration Backup Firmware Secondary DNS IP Date amp Time A statically assigned secondary name server Dial Firewall Media Auto X DHCP Server The Ethernet media type Nagios Configure Dashboard DHCP Server Disabled I O Ports Configure a DHCP server for this interface Failover N one mpe p Interface z z i a LA E ort Access A device to fail to in case of outage Devices must be configured and enabled for Active Users failover to work Statistics e lf you selected DHCP the Console Server will look for configuration details from a DHCP server on your management LAN This selection automatically disables any static address The Console Server MAC address can be found on a label on the base plate Note In its factory default state with no Configuration Method selected the Console Server has its DHCP client enabled so it automatically accepts any network IP address assigned by a DHCP server on your network In this initial state the Console Server will then respond to both its Static address 192 168 0 1 and its newly assigned DHCP address e By default the Console Server LAN port auto detects the Ethernet connection speed However you can use the Media menu to lock the Ethernet to 10 Mb s or LOOMb s and to Full Duplex FD or Half Duplex HD Note If you have changed the Console Server IP address you may need to
338. s EULA unless such transfer is part of a permanent sale or transfer of the Product you transfer at the same time all copies of the Software to the same party or destroy such materials not transferred and the recipient agrees to this EULA No license is granted in any of the Software s proprietary source code This license does not grant you any rights to patents copyright trade secrets trademarks or any other rights with respect to the Software You may make a reasonable number of copies of the electronic documentation accompanying the Software for each Software license you acquire provided that you must reproduce and include all copyright notices and any other proprietary rights notices appearing on the electronic documentation Tripp Lite reserves all rights not expressly granted herein INTELLECTUAL PROPERTY RIGHTS The Software is protected by copyright laws international copyright treaties and other intellectual property laws and treaties Tripp Lite and its suppliers retain all ownership of and intellectual property rights in including copyright the Software components and all copies thereof provided however that 1 certain components of the Software including SDT Connector are components licensed under the GNU General Public License Version 2 which Tripp Lite supports and 2 the SDT Connector includes code from JSch a pure Java implementation of SSH2 which is licensed under BSD style license Copies of these licenses are detai
339. s J you have Macintosh clents or POSI compliant applications Chapter 9 Authentication 9 2 PAM Pluggable Authentication Modules The Console Server supports RADIUS TACACS and LDAP for two factor authentication via PAM Pluggable Authentication Modules PAM is a flexible mechanism for authenticating Users Nowadays a number of new ways of authenticating users have become popular The challenge is that each time a new authentication scheme is developed it requires all the necessary programs login ftpd etc to be rewritten to support it PAM provides a way to develop programs that are independent of authentication schemes These programs need authentication modules to be attached to them at run time in order to work Which authentication module is to be attached is dependent upon the local system setup and is at the discretion of the local Administrator The Console Server family supports PAM to which we have added the following modules for remote authentication RADIUS pam_radius auth http www freeradius org pam_radius_auth TACACS pam_tacplus http echelon pl pubs pam_tacplus html LDAP pam _Idap http www padl com OSS pam _Idap html Further modules can be added as required Changes may be made to files in etc config pam d which will persist even if the authentication configurator is run e Users added on demand When a user attempts to log in but does not already have an account on the Console Se
340. s This amp in addition to the default port RPC Status ea N 6000 Environmental Statug VNC Server Vv Enable the standard VNC server for remote access to the local display VNC on port 5900 Devices Port Logs Secure VNC Server Host Logs Enable the Secure encrypted VNC server for remote access to the local display VNC over SSL on port 5800 Power i al PowerAlert Console KVM Console Server Automatically start PowerAlert console after logging into the local display or VNC session Apply e Click Manage KVM Console Server then Launch Standard VNC Remote Control and your browser will automatically download and run a Java VNC applet client e Login as root or some other configured BO92 016 username and as a remote Administrator you can then connect to the VNC server in the BO92 016 and gain remote access to and monitor and take control of the BO92 016 local display You can find more details on configuration options for the BO92 016 realvnc server in http www realvnc com products free 4 1 man vncserver html Note You can also run a VNC client application such as RealVNC TightVNC or UltraVNC directly on a remote computer and configure it with the BO92 016 s IP address to connect to the BO92 016 VNC server f Server 1 qe 168 252 29 C Encryption About Options OK Cancel 237 Hardware Specification Appendix A Hardware Specification FEATU
341. s refer Chapter 7 Alerts and Logging e Ifthe Host is a networked server with IPMI power control then specify RPC for IPMI and PDU or UPS and the Device Type The Administrator can then configure these devices and enable which users have permissions to remotely cycle power etc refer Chapter 8 Otherwise leave the Device Type set to None e f the Console Server has been configured with distributed Nagios monitoring enabled then you will also be presented with Nagios Settings options to enable nominated services on the Host to be monitored refer Chapter 10 Nagios Integration e Click Apply This will create the new Host and also create a new Managed Device with the same name Chapter 4 Serial Port Device and User Configuration 4 5 Trusted Networks The Trusted Networks facility gives you an option to nominate specific IP addresses that users Administrators and Users must be located at to have access to Console Server serial ports e Select Serial amp Network Trusted Networks e To add a new trusted network select Add Rule TRIPP LITE POWER PROTECTION Serial amp Network Trusted Networks Serial amp Network Seria Port Add a New Rule Users amp Groups Accessible oe oo C Select Unselect all Ports CPort Port C Port C Port C Port C Port C Port C Port 1 2 3 4 5 6 7 8 Cl Port Cl Port Cl Port Cl Port C Port Cl Port Cl Port Cl Port 9 10 11 12 13 14 15 16 Network Address The IP Address
342. s help message I The serial port to use O The outlet on the power target to apply to r The remote host address for the power target U Override the configured username p Override the configured password on This action switches the specified device or outlet s ON off This action switches the specified device or outlet s OFF cycle This action switches the specified device or outlet s OFF and ON again status This action retrieves the current status of the device or outlet Examples To turn outlet 4 of the power device connected to serial port 2 on pmpower I port02 o 4 on To turn an IPMI device located at IP address 192 168 1 100 to OFF where username is root and password is calvin pmpower r 192 168 1 100 u root p calvin off Default system Power Device actions are specified in etc powerstrips xml Custom Power Devices can be added in etc config powerstrips xml If an action is attempted which has not been configured for a specific Power Device pmpower will exit with an error 15 9 3 Adding new RPC devices There are two simple paths to adding support for new RPC devices The first is to have scripts to support the particular RPC included in the open source PowerMan project http sourceforge net projects oowerman The PowerMan device specifications are unusual and it is suggested that you leave the actual writing of these scripts to the PowerMan authors However documentation on how they work can be found at
343. s that can access nominated Slave serial ports e Select the appropriate Alerts amp Logging Alerts to configure Slave port Connection State Change or Pattern Match alerts e The configuration changes made on the Master are propagated out to all the Slaves when you click Apply 4 6 4 Managing the slaves The Master is in control of the Slave serial ports So for example if change a User access privileges or edit any serial port setting on the Master the updated configuration files will be sent out to each Slave in parallel Each Slave will then automatically make changes to their local configurations and only make those changes that relate to its particular serial ports You can still use the local Slave Management Console to change the settings on any Slave serial port Such as alter the baud rates However these changes will be overwritten next time the Master sends out a configuration file update Also while the Master is in control of all Slave serial port related functions it is not master over the Slave network host connections or over the Slave Console Server system itself So Slave functions such as IP SMTP amp SNMP Settings Date amp Time DHCP server must be managed by accessing each Slave directly and these functions are not over written when configuration changes are propagated from the Master Similarly the Slaves Network Host and IPMI settings have to be configured at each Slave Also the Master s Management Console provid
344. s unit added as a gateway as per the Quick Install Guide Connect via SDTConnector Java Terminal Select File gt Open TrippLite unit s serial 1 c Tripp Lite SDTConnector TRIPP LITE POWER PROTECTION Note SDT Connector must be installed on the computer you are browsing from and the Console Server must be added as a gateway as detailed in Chapter 6 Administrators and Users can access and manage the connected power devices Manage Power Serial amp Network Serial Port Users amp Groups Authentication Network Hosts Trusted Networks Cascaded Ports UPS Connections RPC Connections Environmental Target Action Outlets Port 1 Switched CDU v Outlet Outlet4 4 v Select a power device to manage Tumon Tumor J cyce E3 Staus Perform an action on the power device No existing status the last action may not be completed Chapter 13 Management 13 5 Remote Console Access B092 016 only Administrator and Users can also connect to the BO92 016 Console Server with PowerAlert remotely as if they were plugged in locally to the KVM connectors on the BO92 016 This connection will enable the remote users to run the PowerAlert software and the other thin client programs refer to Chapter 16 embedded in the Console Server e Select Manage KVM Console Server Manage KVM Console Server Serial amp Network Serial Port K
345. sc settings for this UPS hardware directly from the command line 8 2 2 Configure UPS powering the Console Server A Monitored UPS is a UPS that is providing the power to the Console Server The purpose of configuring a Monitored UPS is to provide an opportunity to perform any last gasp actions before power is lost during a power failure This is achieved by placing a script in etc config scripts ups shutdown You may use the etc scripts ups shutdown as a template This script is run when then UPS reaches critical battery status e lf the Console Server is drawing power through a Managed UPS that has already been configured select Local enter the Managed UPS Name and check Enabled The Console Server continues to be the master of this UPS e Ifthe UPS that powers the Console Server is not a Managed UPS for that Console Server then the Console Server can still connect to a remote NUT server upsd to monitor its status as a Slave In this case select Remote and enter the address username and password to connect Chapter 8 Power and Environment Managed UPSes UPS Description Driver Username Shutdown Name Order Rack4A TrippLite345 genericups OOOX 3 Add UPS Monitored UPS Enabled Enable this UPS connection Location Local Remote Connect to a locally managed UPS or remote UPS UPS Name The name of this UPS Address The address o
346. se from Tripp Lite or its authorized retailer Proof of date of purchase will be required Any updates to the Software provided by Tripp Lite which may be provided by Tripp Lite at its sole discretion shall be governed by the terms of this EULA In the event the product fails to perform as warranted Tripp Lite s sole obligation shall be at Tripp Lite s discretion to refund the purchase price paid by you for the Software on the defective media or to replace the Software on new media Tripp Lite makes no warranty or representation that its Software will meet your requirements will work in combination with any hardware or application software products provided by third parties that the operation of the software products will be Uninterrupted or error free or that all defects in the Software will be corrected TRIPP LITE DISCLAIMS ANY AND ALL OTHER WARRANTIES WHETHER EXPRESS OR IMPLIED INCLUDING WITHOUT LIMITATION ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE OTHER THAN AS STATED HEREIN THE ENTIRE RISK AS TO SATISFACTORY QUALITY PERFORMANCE ACCURACY AND EFFORT IS WITH YOU ALSO THERE IS NO WARRANTY AGAINST INTERFERENCE WITH YOUR ENJOYMENT OF THE SOFTWARE OR AGAINST INFRINGEMENT IF YOU HAVE RECEIVED ANY WARRANTIES REGARDING THE DEVICE OR THE SOFTWARE THOSE WARRANTIES DO NOT ORIGINATE FROM AND ARE NOT BINDING ON TRIPP LITE NO LIABILITY FOR CERTAIN DAMAGES EXCEPT AS PROHIBITED BY LAW TRIPP LITE SHALL HAV
347. second SNMP servers using the Management Console refer Chapter 7 or the command line config tool Further SNMP servers must be added manually using config Log in to the Console Server s command line shell as root or an admin user Refer back to the Management Console UI or user documentation for descriptions of each field To set the SNMP Manager Address field config set config system snmp address3 w x y z replacing w x y z with the IP address or DNS name To set the Manager Trap Port field config set config system snmp trapport3 162 replacing 162 with the TCP UDP port number To set the SNMP Manager Protocol field config set config system snmp protocol3 UDP or config set config system snmp protocol3 TCP To set the SNMP Manager Version field config set config system snmp version3 3 To set the SNMP Manager v1 amp v2c community field config set config system snmp community3 public To set the SNMP Manager v3 Engine ID field config set config system snmp engineid3 0x8000000001020304 replacing Ox80O00000001020304 with the hex Engine ID To set the SNMP Manager v3 Security Level field config set config system snmp seclevel3 noAuthNoPriv or config set config system snmp seclevel3 authNoPriv or config set config system snmp seclevel3 authPriv To set the SNMP Manager v3 Username field config set config system snmp username3 username To set the SNMP Mana
348. session and two other general sessions Therefore more than one user can have an active session on a single computer When the remote user connects to the accessed computer on the console session Remote Desktop automatically locks that computer so no other user can access the applications and files When you come back to the computer you can unlock it by typing CTRL ALT DEL 6 8 2 Configure the Remote Desktop Connection client Now that you have the Client computer securely connected to the Console Server either locally or remotely thru the enterprise VPN or a secure SSH internet tunnel or a dial in SSH tunnel you are ready to establish the Remote Desktop connection from the Client To do this you simply enable the Remote Desktop Connection on the remote client computer then point it to the SDT Secure Tunnel port in the Console Server A On a Windows client computer e Click Start Point to Programs then to Accessories then Communications and click Remote Desktop Connection Remote Desktop Connection Connect Cancel __Help _ Options gt gt e In Computer enter the appropriate IP Address and Port Number o Where there is a direct local or enterprise VPN connection enter the IP Address of the Console Server and the Port Number of the SDT Secure Tunnel for the Console Server s serial port the one that is attached to the Windows computer to be controlled For example if the Windows computer is connecte
349. sh the VNC connection by simply activating the VNC Viewer software on the Viewer computer and entering the password Viel Authentication Password III Cer Note For general background reading on Remote Desktop and VNC access we recommend the following e The Microsoft Remote Desktop How To http www microsoft com windowsxp using mobility getstarted remoteintro mspx e The Illustrated Network Remote Desktop help page http theillustratednetwork mvps org RemoteDesktop RemoteDesktopSetupandTroubleshooting html e What is Remote Desktop in Windows XP and Windows Server 2003 by Daniel Petri http www petri co il what s_remote_desktop htm e Frequently Asked Questions about Remote Desktop http www microsoft com windowsxp using mobility rdfaq mspx e Secure remote access of a home network using SSH Remote Desktop and VNC for the home user http theillustratednetwork mvps org RemoteDesktop SSH RDP VNC RemoteDesktopVNCandSSH html e Taking your desktop virtual with VNC Red Hat magazine http www redhat com magazine OO6apr05 features vnc and http www redhat com magazine OO may05 features vnc e Wikipedia general background on VNC http en wikipedia org wiki VNC Chapter 6 Secure SSH Tunneling amp SDT Connector 6 10 SDT IP Connection to Hosts Network IP protocols like RDP VNC and HTTP can also be used to connect to host devices that are serially connected through their COM port to the Console Server To do this you mus
350. sing the provided Start Command The OoB connection isn t stopped using the provided Stop Command until Out Of Band under Gateway Actions is clicked off at which point the status bar will return to its normal color 6 6 Importing and Exporting Preferences To enable the distribution of pre configured client config files SDT Connector has an Export Import facility E Tripp Lite SDTConnector File Edit Help cE New Gateway B Import Preferences Export Preferences gt Exit To save a configuration xml file for backup or for importing into other SDT Connector clients select File Export Preferences and select the location to save the configuration file To import a configuration select File Import Preferences and select the xml configuration file to be installed Chapter 6 Secure SSH Tunneling amp SDT Connector 6 7 SDT Connector Public Key Authentication SDT Connector can authenticate against an SSH gateway using your SSH key pair rather than requiring your to enter your password This is known as public key authentication To use public key authentication with SDT Connector you must first add the public part of your SSH key pair to your SSH gateway e Ensure the SSH gateway allows public key authentication This is typically the default behavior e lf you do not already have a public private key pair for your client computer the one which the SDT Connector is running generate them now usin
351. sole Server default username and password when you set up the new Remote Desktop User and give this User permission to use the advance connection to access the Windows computer e The Console Server default Username is portXX where XX is the serial port number on the Console Server e The default Password is portXxX So to use the defaults for an RDP connection to the serial port 2 on the Console Server you would have set up a Windows user named portO2 e When the PPP connection has been set up a network icon will appear in the Windows task bar Note The above notes describe setting up an incoming connection for Windows XP The steps are the same for Windows 2003 except that the setup screens present slightly differently E Incoming Connections Properties b x General Uners Networking Uzer alowed lo connect m Li Accrustrator News Delete Properties Note thal othe factors such at a divabled user account may affect a user s abiy to conmect Ahya allow directly connected devices such ar palmbop complet bo connect yethoul prodding a pasted R e Put a check in the box for Always allow directly connected devices such as palmtop Also the option to Set up an advanced connection is not available in Windows 2003 if RRAS is configured If RRAS has been configured it is a simple task to enable the null modem connection for the dial in configuration C For earlier version Windows computers follow
352. sole manager and the RPC is configured To give this group access to RPC outlet number 3 on the RPC device run the two commands below config s config ports port1 power outlet3 groups group1 Group config s config ports port1 power outlet3 groups total 1 total number of groups that have access to this outlet If more groups are given access to this power outlet then increment the config ports port1 power outlet3 groups total element accordingly To give this group access to network host 5 config s config sdt hosts host5 groups group1 Group 7 config s config sdt hosts host5 groups total 1 total number of groups having access to host To give another group called Group amp access to the same host config s config sdt hosts host5 groups group2 Groups config s config sdt hosts host5 groups total 2 total number of users having access to host To delete the group called Group use the following command rmuser Group Attention The rmuser script is a generic script to remove any config element from config xml correctly However any dependencies or references to this group will not be affected Only the group details are deleted The administrator is responsible for going through config xml and removing group dependencies and references manually specifically if the group had access to a host or RPC device The following command will synchronize the live system with the new configuration config
353. st both be in the same network range e g 200 100 1 12 and 200 100 1 67 e In the Local Address field enter the IP address for the Dial In PPP Server This is the IP address that will be used by the remote client to access Console Server once the modem connection is established Again you can select any address for the Local IP Address but both must be in the same network range as the Remote IP Address e The Default Route option enables the dialed PPP connection to become the default route for the Console Server e The Custom Modem Initialization option allows a custom AT string modem initialization string to be entered e g AT amp C1 amp D3 amp K3 e Then select the Authentication Type to be applied to the dial in connection The Console Server uses authentication to challenge Administrators who dial in to the Console Server For dial in access the username and password received from the dial in client are verified against the local authentication database stored on the Console Server The Administrator must also have their client computer configured to use the selected authentication scheme Select PAP CHAP MSCHAPv2 or None and click Apply Chapter 5 Firewall Failover and Out of Band None With this selection no username or password authentication is required for dial in access This is not recommended PAP Password Authentication Protocol PAP is the usual method of user authentication used on the internet sending a username and p
354. st for the VNC server e Selecting Options at this stage enables you to configure the VNC Viewer e Alternately you can select Options by right clicking on the VNC Viewer task Bar icon VNC Viewer Connection Options Encoding and Colour Level l Auto select Full fall available colours i RLE C Medium 256 colours C Hestile f Low 64 colours Tr Raw C Very low 8 colours Inputs View only ignore mouse amp keyboard iY Accept clipboard from server l Send clipboard to server IY Send primary selection amp cut buffer as clipboard Misc Shared don t disconnect other viewers Full screen mode lv Render cursor locally M Show dot when no cursor OK Cancel You can find more details on configuration options in http www realvnc com products free 4 1 man vneviewer htm Chapter 16 Thin Client 16 1 4 Connect SSH SSH is typically used to log into a remote machine and execute commands e Select Connect SSH on the control panel and click on the Host to be accessed e An SSH connection window will be opened Enter the SSH login password and you will be securely connected to the selected Host d Serial Citrix ICA Browser b YNC b SSH x g Cisco 0465 IPMI SG560 RDP gt Asterix Add Delete Edit Password The BO92 016 SSH connection uses OpenSSH http www openssh com and the terminal connection is presented using rxvt ou RXVT You can find more details on configuration opti
355. statically assigned network mask Administration SSL Certificates Gateway Configuration Backup Firmware A statically assigned gateway IP Date amp Time Primary DNS Dial Firewall A statically assigned primary name server DHCP Server Nagios Secondary DNS Configure Dashboard A statically assigned secondary name server Media Auto oa The Ethernet media type Port Access Active Users i AAN DHCP Server Disabled Syslog ie Configure a DHCP server for this interface Note With the BO96 048 and BO96 016 the second Ethernet port can be configured as either a gateway port or it can be configured as an OOB Failover port but not both So ensure you did not allocate the Management LAN as the Failover Interface when you configured the principal Network connection on the System IP menu The management gateway function is now enabled with default firewall and router rules By default these rules are configured so the Management LAN can only be accessible by SSH port forwarding This ensures the remote and local connections to Managed Devices on the Management LAN are secure Chapter 3 Initial System Configuration 3 6 2 Configure the DHCP server The Console Servers also host a DHCP server which by default is disabled The DHCP server enables the automatic distribution of IP addresses to devices on the Network Interface or the Management LAN To enable the DHCP server e On the
356. status of all derivatives of our free software and of promoting the sharing and reuse of software generally License Agreement NO WARRANTY 11 BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE THERE IS NO WARRANTY FOR THE PROGRAM TO THE EXTENT PERMITTED BY APPLICABLE LAW EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND OR OTHER PARTIES PROVIDE THE PROGRAM AS IS WITHOUT WARRANTY OF ANY KIND EITHER EXPRESSED OR IMPLIED INCLUDING BUT NOT LIMITED TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU SHOULD THE PROGRAM PROVE DEFECTIVE YOU ASSUME THE COST OF ALL NECESSARY SERVICING REPAIR OR CORRECTION 12 INNO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING WILL ANY COPYRIGHT HOLDER OR ANY OTHER PARTY WHO MAY MODIFY AND OR REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE BE LIABLE TO YOU FOR DAMAGES INCLUDING ANY GENERAL SPECIAL INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE USE OR INABILITY TO USE THE PROGRAM INCLUDING BUT NOT LIMITED TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES END OF TERMS AND CONDITIONS License Agreement SUN Java License BO92 016 Console Server with PowerAlert product only
357. t establish a PPP connection Section 6 7 1 between the host and the gateway then set up Secure Tunneling Ports on the Console Server Section 6 7 2 then configure SDT Connector to use the appropriate network protocol to access IP consoles on the host devices that are attached to the Console Server serial ports Section 6 7 3 6 10 1 Establish a PPP connection between the host COM port and Console Server This step is only necessary for serially connected computers Firstly physically connect the COM port on the host computer that is to be accessed to the serial port on the Console Server Then A For non Windows computers Linux UNIX Solaris etc establish a PPP connection over the serial port The online tutorial http www yolinux com TUTORIALS LinuxTutorialPPPhtml presents a selection of methods for establishing a PPP connection for Linux For Windows XP and 2003 computers follow the steps below to set up an advanced network connection between the Windows computer through its COM port to the Console Server Both Windows 2003 and Windows XP Professional allow you to create a simple dial in service which can be used for the Remote Desktop VNC HTTP X connection to the Console Server Open Network Connections in Control Panel and click the New Connection Wizard New Connection Wizard Network Connection Type What do you want to do Connect to the Intemet Connect to the Intemet so you can browse the Web and read ema
358. t event then you can also set time windows when these sensors will not be monitored e g for a door open sensor you may not wish to activate the sensor alert monitoring during the working day Alarm Sensor Alert Alarm Sensor Alert An alert will be triggered when an alarm condition occurs Thi alert type will oniy be applied to environmental monitor alarm sensors Alarm Disable Sunday From i00 00 Until 00 00 Hour Minute Hour Minute Monday From 00 00 Until 00 00 Hour Minute Hour Minute Tuesday From 00 00 Until 00 00 Hour Minute Hour Minute Wednesday From 00 00 Until 00 00 Hour Minute Hour Minute Thursday From 00 00 Until 00 00 Hour Minute Hour Minute Friday From 00 00 Until 00 00 Hour Minute Hour Minute Saturday From 00 00 Until 00 00 Hour Minute Hour Minute Disable the alarm sensor alert during these times e Click Apply Chapter 7 Alerts and Logging 7 3 Remote Log Storage Before activating Serial or Network Port Logging on any port or UPS logging you must specify where those logs are to be saved e Select the Alerts amp Logging Port Log menu option and specify the Server Type to be used and the details to enable log server access Remote Log Storage Server Type None USB Flash Memory Remote Syslog NFS CIFS Windows Samba Server Address 192 168 254 30 The remote Storage Server address Server Path Serial_Log The direc
359. t for dial in 66 5 1 4 Set up earlier Windows clients for dial in 67 5 15 Set up Linux clients for dial in 67 5 2 OoB Broadband Access 68 5 3 Broadband Ethernet Failover 68 5 4 Dial Out Failover 69 5 7 Firewall amp Forwarding 71 5 7 1 Configuring network forwarding and IP masquerading 71 OP Configuring client devices 3 Bilao Port Forwarding 14 5 7 4 Port Rules 15 Table of Contents SSH Tunnels amp SDT Connector 16 6 1 Configuring for SDT Tunneling to Hosts T7 6 2 SDT Connector Configuration 78 6 2 1 SDT Connector client installation 18 6 2 2 Configuring a new gateway in the SDT Connector client 19 6 2 3 Auto configure SDT Connector client with the user s access privileges 80 6 2 4 Make an SDT connection through the gateway to a host 81 6 2 5 Manually adding hosts to the SDT Connector gateway 82 6 2 6 Manually adding new services to the new hosts 83 6 2 Adding a client program to be started for the new service 85 6 2 8 Dial in configuration 86 6 3 SDT Connector to Management Console 87 6 4 SDT Connector Telnet or SSH Serial Device Connection 88 6 5 SDT Connector OoB Connection 89 6 6 Importing and Exporting Preferences 90 6 7 SDT Connector Public Key Authentication 91 6 8 Setting up SDT for Remote Desktop Access 92 6 8 1 Enable Remote Desktop on the target Windows computer to be accessed 92 6 8 2 Configure the Remote Desktop Connection client 93 6 9 SDT SHH Tunnel for VNC 96 6 9 1 Install and configure the VNC Server on the compu
360. t the central Nagios server in Nagios Server Address Enter the IP address that the clients running SDT Connector will use to connect through the distributed Console Servers in SDT Gateway address Check Prefer NRPE NRPE Enabled and NRPE Command Arguments Check NSCA Enabled choose an NSCA Encryption Method and enter and confirm an NSCA Secret Remember these details as you will need them later on For NSCA Interval enter 5 Click Apply Next configure the attached Window network host and specify the services you will be checking with Nagios HTTP and HTTPS Select Network Hosts from the Serial amp Network menu and click Add Host Enter the IP Address DNS Name of the network server e g 192 168 1 10 and enter a Description e g Windows 2003 IIS Server Remove all Permitted Services This server will be accessible using Terminal Services so check TCP Port 3389 and log level 1 and click Add It is important to remove and re add the service to enable logging Nagios Settings Enable Nagios Switch Nagios an for this host Host Name Name of host in Nagios Generated using bost description if unspecified ae 1 Check NRPE vl Use Default args w Command BL oct snes a Check NRPE Check Ping Check Permitted TCP Default dregs H ROST c BCOMMAND SS Check Permitted UDP New Check TCP Check UDP Apply Chapter 10 Nagios Integration e Scroll down to Nagios Settings and check Enable Nagios e Click Ne
361. t the following sites http Awww microsoft com technet prodtechnol windowsserver2003 library Depkit d4fe8248 eecd 49e4 88f6 9e304f9 fefc mspx http Awww cisco com en US tech tk59 technologies_tech_noteO9186a00800945cc shtml http www freeradius or Chapter 9 Authentication 9 1 4 LDAP authentication Perform the following procedure to configure the LDAP authentication method to be used whenever the Console Server or any of its serial ports or hosts is accessed e Select Serial and Network Authentication and check LDAP or LocalLDAP or LDAPLocal or LDAPDownLocal LDAP Server Address Comma seperated list of remote servers Server Password The shared secret allowing access to the authentication server Confirm Password Re enter the above password for confirmation LDAP Base DN The distinguished name of the search base For example dc my company dc com LDAP Bind DN The distinguished name to bind to the server with The default is to bind anonymously e Enter the Server Address IP or host name of the remote Authentication server Multiple remote servers may be specified in a comma separated list Each server is tried in succession e Enter the Server Password Note To interact with LDAP requires that the user account exist on our Console Server to work with the remote server i e you can t just create the user on your LDAP server and not tell the Console Server about it You need to add the user acc
362. t the local endpoint of the redirection ES Tripp Lite SDTConnector oo amp Ln z amp E5 208 64 91 182 Services HP iLO 2 uHtrPs IBM RSA J m VMWar E Ip Power Web Management Dell Server 2003 DRAC4 HP 2003 Server iLO 2 B Dell 2003 Server Dell 2003 Server BMC HP 2003 Server Local Services gt ESXi Logging in to gateway 208 64 91 182 Note The SDT Connector client can be configured with an unlimited number of Gateways Each Gateway can be configured to port forward to an unlimited number of locally networked Hosts Similarly there is no limit on the number of SDT Connector clients who can be configured to access the one Gateway There are also no limits on the number of Host connections that an SDT Connector client can concurrently have open through the one Gateway tunnel However there is a limit on the number of SDT Connector SSH tunnels that can be open at one time on a particular Gateway The BO96 016 BO96 048 Console Server Management Switch and BO92 016 Console Server with PowerAlert each support at least 50 such concurrent connections So for a site with a BO96 016 gateway you can have at any time up to 50 users securely controlling an unlimited number of network attached computers power devices and other appliances routers etc at that site Chapter 6 Secure SSH Tunneling amp SDT Connector 6 2 5 Manually adding hosts to the SDT
363. t when working with OpenVPN Otherwise authentication issues may arise Edit OpenVPN Tunnel Details Edit OpenVPN Tunnel Details Tunnel Name NorthStOutlet VPN A descriptive name for the OpenVPN tunnel Enabled m Enable or disable the tunnel Device Driver Tun IP Select the tap or tun driver to use Protocol UDP Use a UDP or TCP protocol Tunnel Mode Configuration Method Compression Client E Is this the Client or Server end of the tunnel PKI X 509 Certificates Authenticate using certificates or use a custom configuration Enable or disable compression e Select Statistics on the Status menu to verify that the tunnel is operational Chapter 4 Serial Port Device and User Configuration 4 10 3 Windows OpenVPN Client and Server set up Windows does not come with an OpenVPN server or client This section outlines the installation and configuration of a Windows OpenVPN client or a Windows OpenVPN server and setting up a VPN connection to a console server The OpenVPN GUI for Windows software which includes the standard OpenVPN package plus a Windows GUI can be downloaded from http openvpn se download html e Once installed on the Windows machine an OpenVPN icon will have been created in the Notification Area located in the right side of the taskbar Right click on this icon to start and stop VPN connections and to edit configurations and view logs dient IM4004 dient IM4216 dient H
364. ter to be accessed 96 6 9 2 Install configure and connect the VNC Viewer 97 6 10 SDT IP Connection to Hosts 99 6 10 1 Establish a PPP connection between the host COM port and Console Server 99 6 10 2 Set up SDT Serial Ports on Console Server 102 6 10 3 Setup SDT Connector to SSH port forward over the Console Server Serial Port 102 6 11 SSH Tunneling using other SSH clients e g PuTTY 103 Alerts and Logging 106 7 1 Configure SMTP SMS SNMP Nagios Alerts 106 7 1 1 Email alerts 106 7 1 2 SMS alerts 107 ee lees SNMP alerts 108 1 1 4 Nagios Alerts 109 7 2 Activate Alert Events and Notifications 110 1 2 1 Add a new alert 110 2 2 Select general alert type 111 2 3 Configuring environment and power alert type 112 7 3 Remote Log Storage 113 7 4 Serial Port Logging 113 1 5 Network TCP or UDP Port Logging 114 Table of Contents Power and Environmental Monitoring 8 1 Remote Power Control RPC 8 1 1 RPC connection 8 1 2 RPC alerts 8 1 3 RPC status 8 1 4 User power management 8 2 Uninterruptible Power Supply Control UPS 8 2 1 Managed UPS connections 8 2 2 Configure UPS powering the Console Server 8 2 3 Configuring powered computers to monitor a Managed UPS 8 2 4 UPS alerts 8 2 5 UPS status 8 2 6 Overview of Network UPS Tools NUT 8 3 Environmental Monitoring 8 3 1 Connecting the EMD 8 3 2 Environmental alerts 8 3 3 Environmental status Authentication 9 1 Authentication Configuration 9 1 1 Local authentication 9 1 2 TACAC
365. termine the check to be run on this port Serial Status monitors the handshaking lines on the serial port and Check Port monitors the data logged for the serial port Nagios Settings Enable Nagios F Switch Nagios on for this port Host Name Name of host in Nagios Defaults te host name if unset Port Log Switch on Nagios port logging Serial Status F Switch on Nagios serial status Apply Chapter 10 Nagios Integration 10 3 5 Configure selected Network Hosts for Nagios monitoring The individual Network Hosts connected to the Console Server that is to be monitored must also be configured for Nagios checks e Select Serial amp Network Network Port and click Edit on the Network Host to be monitored Nagios Settings Enable Nagios Switch Nagios on for this host Host Name Name of host in Nagios Defaults te host name if unset Nagios Checks e Select Enable Nagios specify the name of the device as it will appear on the upstream Nagios server e Click New Check to add a specific check which will be run on this host e Select Check Permitted TCP UDP to monitor a service that you have previously added as a Permitted Service e Select Check TCP UDP to specify a service port that you wish to monitor but do not wish to allow external SDT Connector access e Select Check TCP to monitor Nagios Settings Enable Nagios Switch Magios an for this host Host Name Name of host in Nagios Generated using host descript
366. terprise VPN or the remote user may be in the same room or the same office but connected on a separate VLAN to the Console Server Management Console The Console Server Management Console runs in a browser It provides a view of your Console Server Management Switch BO96 016 048 Console Server with PowerAlert BO92 016 or Console Server BO95 004 003 product and all the connected equipment Administrators can use the Management Console either locally or from a remote location to configure the Console Server set up Users configure the ports and connected hosts and set up logging and alerts i gt Q TRIPP LITE es POWER PROTECTION System Administration Serial amp Network Serial Port System Name b095 Users amp Groups Authentication An ID for this device Network Hosts PERED Trusted Networks i ae Description Rackside2 ideal in The physical location of this device OpenVPN e physical location OF This device Cascaded Ports UPS Connections SEn Password RPC Connections Environmenta Managed Devices Confirm System Alerts amp Logging Password Re enter the above password for confirmation Port Log Delayed Config Alerts SMTP amp SMS Commits Config changes are queued and must be explicitly applied SNMP Apply An authorized User can use the Management Console to access and control configured devices review port logs use the in built We
367. tform so a desktop running on a Linux machine may Vy be displayed on a Windows computer on a Solaris machine or on any number of other architectures l a There is a Windows server allowing you to view the desktop of a remote Windows machine on any of these platforms using exactly the same viewer RealVNC was founded by members of the AT amp T team who originally developed VNC TightVNC http www tightvnc com is an enhanced version of VNC It has added features such as file transfer performance improvements and read only password support They have just recently included a video drive much like UltraVNC TightVNC is still free cross platform Windows Unix and Linux and compatible with the standard Real VNC UltraVNC http ultravnc com is easy to use fast and free VNC software that has pioneered and perfected features that the other flavors have consistently refused or been very slow to implement for cross platform and minimalist reasons UltraVNC runs under Windows operating systems 95 98 Me NT4 2000 XP 2003 Download UltraVNC from Sourceforge s UltraVNC file list B For Linux servers and clients Most Linux distributions now include VNC Servers and Viewers They are generally launched from the Gnome KDE etc front end For example there s VNC Server software with Red Hat Enterprise Linux 4 and a choice of Viewer client software To launch e Select the Remote Desktop entry in the Main Menu Preferences menu e
368. th the information you received as to the offer to distribute corresponding source code This alternative is allowed only for noncommercial distribution and only if you received the program in object code or executable form with such an offer in accord with Subsection b above The source code for a work means the preferred form of the work for making modifications to it For an executable work complete source code means all the source code for all modules it contains plus any associated interface definition files plus the scripts used to control compilation and installation of the executable However as a special exception the source code distributed need not include anything that is normally distributed in either Source or binary form with the major components compiler kernel and so on of the operating system on which the executable runs unless that component itself accompanies the executable If distribution of executable or object code is made by offering access to copy from a designated place then offering equivalent access to copy the source code from the same place counts as distribution of the source code even though third parties are not compelled to copy the source along with the object code 4 You may not copy modify sublicense or distribute the Program except as expressly provided under this License Any attempt otherwise to copy modify sublicense or distribute the Program is void and will automatically terminate your righ
369. the presence of a flammable anesthetic mixture with air oxygen or nitrous oxide Service amp Warranty Regulatory Compliance Identification Numbers For the purpose of regulatory compliance certifications and identification your Tripp Lite product has been assigned a unique series number The series number can be found on the product nameplate label along with all required approval markings and information When requesting compliance information for this product always refer to the series number The series number should not be confused with the marking name or model number of the product WEEE Compliance Information for Tripp Lite Customers and Recyclers European Union Under the Waste Electrical and Electronic Equipment WEEE Directive and implementing regulations when customers buy new electrical and electronic equipment from Tripp Lite they are entitled to e Send old equipment for recycling on a one for one like for like basis this varies depending on the country Send the new equipment back for recycling when this ultimately becomes waste Tripp Lite follows a policy of continuous improvement Product specifications are subject to change without notice TRIPP LITE Tripp Lite World Headquarters 1111 W 35th Street Chicago IL 60609 USA www tripplite com support gg 201103159 93 2879
370. the second environmental monitor alarm e g Smoke Abrm Periodically log environmental status 15 Minutes between samples e Enter a Name and Description for the EMD and select pre configured serial port that the EMD will be Connected Via e Provide Labels for each of the two alarms e Check Log Status and specify the Log Rate minutes between samples if you wish the status from this EMD to be logged These logs can be views from the Status Environmental Status screen e Click Apply 8 3 2 Environmental alerts You can now set temperature humidity and probe status alerts using Alerts amp Logging Alerts refer to Chapter 7 8 3 3 Environmental status You can monitor the current status of all of EMDs and their probes e Select the Status Environmental Status menu and a table with the summary status of all connected EMD hardware will be displayed e Click on View Log or select the Environmental Logs menu and you will be presented with a table and graphical plot of the log history of the select EMD Status Environmental Status Serial amp Network Serial Port Users amp Groups Authentication Network Hosts Trusted Networks Cascaded Ports UPS Connections RPC Connections Environmental Alerts amp Logging Port Log Alerts SMTP amp SMS SNMP Administration Firmware IP Date amp Time Dial Services DHCP Server Nagios Env
371. the steps in Section B above To get to the Make New Connection button e For Windows 2000 click Start and select Settings At the Dial Up Networking Folder click Network and Dial up Connections and click Make New Connection Note you first may need to set up a connection over the COM port using Connect directly to another computer before proceeding to Set up an advanced connection e For Windows 98 you double click My Computer on the Desktop then open Dial Up Networking and double click Chapter 6 Secure SSH Tunneling amp SDT Connector 6 10 2 Set up SDT Serial Ports on Console Server To set up RDP and VNC forwarding on the Console Server s Serial Port that is connected to the Windows computer COM port e Select the Serial amp Network Serial Port menu option and click Edit for the particular Serial Port that is connected to the Windows computer COM port e On the SDT Settings menu select SDT Mode which will enable port forwarding and SSH tunneling and enter a Username and User Password Note When you enable SDT this will override all other Configuration protocols on that port Note If you leave the Username and User Password fields blank they default to portXX and portXX where XX is the serial port number So the default username and password for Secure RDP over Port 2 is portO2 e Ensure the Console Server Common Settings Baud Rate Flow Control are the same as were set up on the Windows computer COM port and click A
372. ting and Traps Console Servers can send traps messages to multiple remote SNMP Network Managers on defined trigger events as detailed in Chapter 7 Console Servers also contain an SNMP Service Snmpd which can provide status information on demand From the snmpd manual page snmpd is an SNMP agent which binds to a port and awaits requests from SNMP management software Upon receiving a request it processes the request s collects the requested information and or performs the requested operation s and returns the information to the sender 15 5 1 Retrieving status information using SNMP Console Servers can provide serial and device status information through SNMP This includes e Serial port status e Active users e Remote Power Control RPC and Power Distribution Unit PDU status e Environmental Monitoring Device EMD status e Signal alert status e Environmental alert status and e UPS alert status The MIBs in your Console Server are located in etc snmp mibs OG STATUS MIB This new MIB contains serial and connected device status information for snmpstatusd amp snmpalertd OG SMI MIB Enterprise structure of management information OGTRAP MIB SMiv1 traps from old MIBS as smilint will not let SMIv1 structures coexist with SMlv2 15 5 2 Check firewall rules e Select System Firewall and ensure the SNMP daemon box has been checked for the interface required This will allow SNMP requests through the firewall for the specified interface
373. tion e Disable Nagle Algorithm the Nagle Algorithm is enabled by default and it reduces the number of small packets sent by VirtualPort across the network Chapter 4 Serial Port Device and User Configuration i i 192 168 254 144 Properties Connection Advanced COM1 192 168 254 173 COM2 COM4 COM5 COME Emulate Baud Rate Add Ports Remove e e Check Receive DSR DCD CTS changes if the flow control signal status from the physical serial port on Console Server is to be reflected back to the Windows COM port driver as some serial communications applications prefer to run without any hardware flow control i e in two wire mode e The Propagate local port changes allows complete serial device control by the Windows application so it operates exactly like a directly connected serial COM port It provides a complete COM port interface between the attached serial device and the network providing hardware and software flow control So the baud rate etc of the remote serial port is controlled by the settings for that COM port on Windows computer If not selected then the port serial configuration parameters are set on the Console Server e With the Emulate Baud Rate selected Virtua Port will only send data out at the baud rate configured by the local Application using the COM port 4 7 3 To remove a configured port At any stage you can delete a single configured COM port or delete the Console Server connect
374. tion L Redmond S Washingt IL E i SUFFORT_ J 1mMab CN Dell Computer Corporation L Round Rock S5 Te _ 4 gt e Specify which Users will be allowed to use this connection This should be the same Users who were given Remote Desktop access privileges in the earlier step Click Next e On the Network Connection screen select TCP IP and click Properties Incoming TCP IP Properties ooh eee Allow callers to access my local area network TCP IP address assignment O Assign TCP IP addresses automatically using DHCP Specify TCP IP addresses Ba 169 134 13 To 169 14 13 Total Allow calling computer to specify its own IP address Select Specify TCP IP addresses on the Incoming TCP IP Properties screen Nominate a From and a To TCP IP address and click Next Chapter 6 Secure SSH Tunneling amp SDT Connector Note You can choose any TCP IP addresses as long as they are addresses which are not used anywhere else on your network The From address will be assigned to the Windows XP 2003 computer and the To address will be used by the Console Server For simplicity use the IP address as shown in the illustration above From 169 134 13 1 To 169 134 13 2 Alternately you can set the advanced connection and access on the Windows computer to use the Console Server defaults e Specify 10 233 111 254 as the From address e Select Allow calling computer to specify its own address Also you could use the Con
375. tools chat dhcpcd ftp hd hwclock iproute iptables netcat ifconfig mii tool netstat route openntpd ping portmap pppd routed setserial smtpclient stty stunel tcodump tftp tip traceroute More details on the above Linux commands can found online at http en tldp org HOWTO HOWTO INDEX howtos html http www faqs org docs Linux HOWTO Remote Serial Console HOWTO html http www stokely com unix serial port resources serial switch html Chapter 15 Advanced Configuration Console Servers run the embedded Linux operating system So Administrator class users can configure the Console Server and monitor and manage attached serial console and host devices from the command line using Linux commands and the config utility as described in Chapter 14 The Linux kernel in the Console Server also supports GNU bash shell script enabling the Administrator to run custom scripts This chapter presents a number of useful scripts and scripting tools including e delete node which is a general script for deleting users groups hosts UPS s etc e ping detect which will run specified commands when a specific host stops responding to ping requests This chapter then details how to perform advanced and custom management tasks using Linux commands and the open source tools embedded in the Console Server e portmanager serial port management e raw data access to the ports and modems e iptables modifications and updating IP filtering rules
376. tory where to store log in Username Administrator The login name required for remote server Password eecccece The secret required to access the remote server Confirm eeccecece Re type the above secret for confirmation Syslog Facility Daemon v The facility field to include in syslog messages Syslog Priority Info v The priority field to include in syslog messages 7 4 Serial Port Logging In Console Server mode activity logs can be maintained of all serial port activity These records are stored on an off server or in the Console Server flash memory To specify which serial ports are to have activities recorded and to what level data is to be logged Console Server Settings Console Server Mode Enable remote network access to the console at this serial port Logging Level level 0 Disabled z level 0 Disabled level 1 user connects disconnects to port Telnet level 2 input output logging on ports level 1 llevel 3 input logging on ports level 1 level 4 output logging on ports level 1 SSH e Select Serial amp Network Serial Port and Edit the port to be logged e Specify the Logging Level of for each port as Level 0 Level 1 Level 2 Level 3 Level 4 e Click Apply Turns off logging for the selected port Logs all User connection events to the port Logs all data transferred to and from the port and all changes in hardware flow control status and all User connection events Logs all data t
377. tribute so as to Satisfy simultaneously your obligations under this License and any other pertinent obligations then as a consequence you may not distribute the Program at all For example if a patent license would not permit royalty free redistribution of the Program by all those who receive copies directly or indirectly through you then the only way you could satisfy both it and this License would be to refrain entirely from distribution of the Program If any portion of this section is held invalid or unenforceable under any particular circumstance the balance of the section is intended to apply and the section as a whole is intended to apply in other circumstances It is not the purpose of this section to induce you to infringe any patents or other property right claims or to contest validity of any such claims this section has the sole purpose of protecting the integrity of the free software distribution system which is implemented by public license practices Many people have made generous contributions to the wide range of software distributed through that system in reliance on consistent application of that system it is up to the author donor to decide if he or she is willing to distribute software through any other system and a licensee cannot impose that choice This section is intended to make thoroughly clear what is believed to be a consequence of the rest of this License 8 If the distribution and or use of the Program is restricted
378. ts under this License However parties who have received copies or rights from you under this License will not have their licenses terminated so long as such parties remain in full compliance 5 You are not required to accept this License since you have not signed it However nothing else grants you permission to modify or distribute the Program or its derivative works These actions are prohibited by law if you do not accept this License Therefore by modifying or distributing the Program or any work based on the Program you indicate your acceptance of this License to do so and all its terms and conditions for copying distributing or modifying the Program or works based on it License Agreement 6 Each time you redistribute the Program or any work based on the Program the recipient automatically receives a license from the original licensor to copy distribute or modify the Program subject to these terms and conditions You may not impose any further restrictions on the recipients exercise of the rights granted herein You are not responsible for enforcing compliance by third parties to this License T If as a consequence of a court judgment or allegation of patent infringement or for any other reason not limited to patent issues conditions are imposed on you whether by court order agreement or otherwise that contradict the conditions of this License they do not excuse you from the conditions of this License If you cannot dis
379. type is set to usb none of the other values need to be set The mount point for storing on a remote USB device is var run portmanager logdir The following command will synchronize the live system with the new configuration config a Chapter 14 Command Line Configuration 14 1 13 Alerts You can add an email SNMP or NAGIOS alert by following the steps below The general settings for all alerts Assume this is our second alert and we want to send alert emails to jonn company com and sms s to peter compnany com config s config alerts alert2 description MySecondAlert config s config alerts alert2 email john company com config s config alerts alert2 email2 peter company com To use NAGIOS to notify of this alert config s config alerts alert2 nsca enabled on To use SNMP to notify of this alert config s config alerts alert2 snmp enabled on Increment the total alerts config s config alerts total 2 Below are the specific settings depending on the type of alert required Connection Alert To trigger an alert when a user connects to serial port 5 or network host 3 config s config alerts alert2 host3 host name config s config alerts alert2 port5 on config s config alerts alert2 sensor temp config s config alerts alert2 signal DSR config s config alerts alert2 type login Signal Alert To trigger an alert when a signal changes state on port 1 config s config alerts alert2 port1 on
380. ure Date and Time It is recommended that you set the local Date and Time in the Console Server as soon as it is configured Features such as Syslog and NFS logging use the system time for time stamping log entries while certificate generation depends on a correct Timestamp to check the validity period of the certificate System Date amp Time Serial amp Network l Current System time 21 29 34 Dec 22 2000 Serial Port Users amp Groups Time Zone Authentication Network Hosts Trusted Networks Time Zone Africa Abidjan z Select your timezone IPsec VPN OpenVPN Cascaded Ports UPS Connections RPC Connections Environmental Managed Devices Set Timezone Date and Time Alerts amp Logging TER Port Log 2000 kzl Alerts h SMTP amp SMS Mont Janua v SNMP Y l Day 01 Administration Hour SSL Certificates i iz Configuration Backup z Firmware Minute 01 x IP Date amp Time Set Dial e Select the System Date amp Time menu option e Manually set the Year Month Day Hour and Minute using the Date and Time selection boxes then click Set Time The gateway can synchronize its system time with a remote time server using the Network Time Protocol NTP Configuring the NTP time server ensures that the Console Server clock will be accurate soon after the Internet connection is established Also if NTP is not used the syste
381. urrent status of your network and serially connected PDU s and IPMI RPC s e Select the Status RPC Status menu A table with the summary status of all connected RPC hardware will be displayed Status RPC Status Serial amp Network Serial Port Users amp Groups RPC Status RPC Logs Authentication Network Hosts RPC Status Trusted Networks ae z Name Description RPC T Connected Via Outlet Status Cascaded Ports P UPS Connections TrippLite PDU Switched CDU Serial Port 1 Unknown Manage RPC Connections Environmental e Click on View Log or select the RPC Logs menu You will be presented with a table of the history and detailed graphical information on the select RPC e Click Manage to query or control the individual power outlet This will take you to the Manage Power screen Chapter 8 Power and Environment 8 1 4 User power management The Power Manager enables both Users and Administrators to access and control the configured serial and network attached PDU power strips and servers with embedded IPMI service processors or BMC s ee y e E ae TRIPP LITE POREN PROTECT Target Pert 1 Svar hed COL Gute Ouilet4 4 Auton g Tuin Cin Turn Ce Cycle ES Status Cutiets be completed e Select the Manage Power and the particular Target power device to be controlled or click Manage on the Status RPC Status menu e The outlet status is displayed You can initiate the desired Actio
382. utors of Linux using the standard package management tools Your distributor will have documentation available on how to install Nagios This is usually the quickest and simplest way to get up and running Note that you will need the core Nagios server package and at least one of the NRPE or NSCA add ons NSCA is required to utilize the alerting features of the distributed hosts installing both NRPE and NSCA is recommended You will also require a web server such as Apache to display the Nagios web UI and this may be installed automatically as a dependency of the Nagios packages Alternatively you may wish to download the Nagios source code directly from the Nagios website and build and install the software from scratch The Nagios website http www nagios org has several Quick Start Guides that walk through this process Once you are able to browse to your Nagios server and see its web UI and the local services it monitors by default you are ready to continue Chapter 10 Nagios Integration 10 2 2 Set up distributed Console Servers This section provides a brief walk through on configuring a single Console Server to monitor the status of one attached network host a Windows IIS server running HTTP and HTTPS services and one serially attached device the console port of a network router and to send alerts back to the Nagios server when an administrator connects to the router or IIS server While this walk through provides an exa
383. v6 for all interfaces Environmental Managed Devices Apply e Select Enable Bridging on the System IP General Settings menu With bridging enabled e the Ethernet ports are transparently interconnected at the data link layer layer 2 e the Ethernet ports are configured collectively using the Network Interface menu e network traffic is forwarded between all Ethernet ports with no firewall restrictions e the Management LAN Interface and Out of Band Failover Interface functions are removed and the DHCP Server is disabled An alternate to bridging is to use the firewall routing functions packet filtering port forwarding masquerading functions detailed in chapter 5 This can provide firewalled remote IP access to devices on the Management LAN Chapter 4 Serial Port Device and User Configuration The Console Server enables access and control of serially attached devices and network attached devices hosts The Administrator must configure access privileges for each of these devices and specify the services that can be used to control the devices The Administrator can also set up new users and specify each user s individual access and control privileges This chapter covers each of the steps in configuring hosts and serially attached devices e Configure Serial Ports setting up the protocols to be used in accessing serially connected devices e Users amp Groups setting up users and defining the access permissions for e
384. w Check and select Check Ping Click check host alive e Click New Check and select Check Permitted TCP Select Port 3389 e Click New Check and select Check TCP Select Port 80 e Click New Check and select Check TCP Select Port 443 e Click Apply Similarly configure the serial port to the router to be monitored by Nagios e Select Serial Port from the Serial amp Network menu e Locate the serial port that has the router console port attached and click Edit e Ensure the serial port settings under Common Settings are correct and match the attached router s console port e Click Console Server Mode and select Logging Level 1 e Check Telnet SSH access is not required as SDT Connector is used to secure the otherwise unsecured Telnet connection e Scroll down to Nagios Settings and check Enable Nagios e Check Port Log and Serial Status e Click Apply Now set the Console Server to send alerts to the Nagios server e Select Alerts from the Alerts amp Logging menu and click Add Alert e In Description enter Administrator connection e Check Nagios NSCA e In Applicable Ports check the serial port that has the router console port attached In Applicable Hosts check the IP address DNS name of the IIS server e Click Connection Alert e Click Apply Lastly add a User for the client running SDT Connector e Select Users amp Groups from the Serial amp Network menu e Click Add User e In Username enter sdtnagiosuser then enter and c
385. ware without specific prior written permission THIS SOFTWARE IS PROVIDED AS IS AND ANY EXPRESSED OR IMPLIED WARRANTIES INCLUDING BUT NOT LIMITED TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED IN NO EVENT SHALL JCRAFT INC OR ANY CONTRIBUTORS TO THIS SOFTWARE BE LIABLE FOR ANY DIRECT INDIRECT INCIDENTAL SPECIAL EXEMPLARY OR CONSEQUENTIAL DAMAGES INCLUDING BUT NOT LIMITED TO PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES LOSS OF USE DATA OR PROFITS OR BUSINESS INTERRUPTION HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY WHETHER IN CONTRACT STRICT LIABILITY OR TORT INCLUDING NEGLIGENCE OR OTHERWISE ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE SDT Connector License GNU GENERAL PUBLIC LICENSE Version 2 June 1991 Copyright C 1989 1991 Free Software Foundation Inc 51 Franklin Street Fifth Floor Boston MA 02110 1301 USA Everyone is permitted to copy and distribute verbatim copies of this license document but changing it is not allowed GNU GENERAL PUBLIC LICENSE TERMS AND CONDITIONS FOR COPYING DISTRIBUTION AND MODIFICATION O This License applies to any program or other work which contains a notice placed by the copyright holder saying it may be distributed under the terms of this General Public License The Program below refers to any such program or work and a work based on the Program means either th
386. which can be started automatically when the operating system starts High availability can be ensured by using multiple GSM devices currently up to 64 this limit is easily changeable The program can run other external programs or scripts after events like reception of a new message successful sending and also when the program detects a problem These programs can inspect the related text files and perform automatic actions The SMS Server Tools software needs a GSM modem or mobile phone with SMS command set according to the European specifications GSM 07 05 ETSI TS 300 585 and GSM 03 38 ETSI TS 100 900 AT command set is supported Devices can be connected with serial port infrared or USB For more information refer to http smstools3 kekekasvi com 15 13 Multicast By default Console Servers have Multicasting enabled Multicasting provides products with the ability to simultaneously transmit information from a single device to a select group of hosts Multicasting can be disabled and re enabled from the command line To disable multicasting type ifconfig ethO multicast To re enable multicasting from the command line type ifconfig ethO multicast IPv6 may need to be restarted when toggling between multicast states 227 Chapter 16 Thin Client The BO92 016 has a selection of management clients Firefox browser SSH Telnet VNC viewer ICA RDP embedded as well as the Tripp Lite PowerAlert software With these the BO92
387. work access to the console at this serial port Nagios A n caus Logging Level level 1 user connects disconnects to pot x I O Ports Specify the detail of data to log Status Telnet v Port Access Enable Telnet access Active Users Statistics SSH Support Report Enable SSH access Syslog UPS Status Raw TCP RPC Status Enable raw TCP access Environmental Status Dashboard RFC 2217 Enable RFC 2217 access Manage Devices Unauthenticated Port Logs Telnet Enable Telnet access without requiring the user to provide Host Logs credentials Power Terminal Web Terminal 7 Enable web browser access via Manage gt Devices gt Serial Accumulation Period Collect serial data for a period of time in milliseconds then transmit any data received during that time over the network at once Administrator and Users can communicate directly with serial port attached devices from their browser e Select the Serial tab on the Manage Devices menu e Under the Action column click the Web Terminal icon Lead to display the Web Terminal connected directly to the attached serial device Chapter 13 Management Serial amp Network Serial Port Users amp Groups Authentication Network Hosts Trusted Networks IPsec VPN OpenVPN Cascaded Ports UPS Connections RPC Connections Environmental Managed Devices Alerts amp Logging z 13 3 2 SDTConnect
388. ype Host config s config devices device2 name OfficePC config s config devices device2 description MyPC config s config devices total 2 The following command will synchronize the live system with the new configuration config hosts 14 1 6 Trusted Networks You can further restrict remote access to serial ports based on the source IP address To configure this via the command line you need to do the following Determine the total number of existing trusted network rules if you have no existing rules you can assume this is O config g config portaccess total This command should display config portaccess total 1 Note that if you see config portaccess total this means you have O rules configured Your new rule will be the existing total plus 1 So if the previous command gave you O then you start with rule number 1 If you already have 1 rule your new rule will be number 2 etc If you want to restrict access to serial port 5 to computers from a single class C network 192 168 5 0 say you need to issue the following commands assuming you have a previous rule in place Add a trusted network config s config portaccess rule2 address 192 168 5 0 config s config portaccess rule2 description foo bar config s config portaccess rule2 netmask 255 255 255 0 config s config portaccess rule2 port5 on config s config portaccess total 2 The following command will synchronize the live system with the new
Download Pdf Manuals
Related Search