Raritan Engineering CC-SG Network Card User Manual
Contents
1. [Figure 236: Cluster Configuration Advanced Settings, showing the heartbeat settings Time Interval, Failure Threshold and Recover After] 3. For Time Interval, enter how often CC-SG should check its connection with the other node. Note: Setting a low Time Interval will increase the network traffic generated by heartbeat checks. Also, clusters with nodes located far apart from each other may want to set higher intervals. 4. For Failure Threshold, enter the number of consecutive heartbeats that must pass without a response before a CC-SG node is considered failed. 5. For Recover After, enter the number of consecutive heartbeats that must successfully be returned before a failed connection is considered recovered. 6. Click OK to save the settings or Cancel to exit without saving. Note: Changing the time zone is disabled in a cluster configuration. Task Manager: Use Task Manager to schedule CC-SG tasks on a daily, weekly, monthly, or yearly basis. A task can be scheduled to run only once or periodically on a specified day of the week and at a specified interval, such as scheduling device backups every three weeks on Fridays, or emailing a particular every Monday to one or more recipients. Note: Tasks use the Server time that is set on CC-SG for sc
2. Saving and Uploading Backup Files; Refresh CC-SG Display; Restart CC-SG after Shutdown; Entering Maintenance Mode; Exiting Maintenance Mode; Chapter 12: Advanced Administration; Inactivity Timer Configuration; Enable User Lockout; Application Manager; CommandCenter NOC; Cluster Configurat
3. [Figure 94: Configure Ports Screen] 2. To make ports easier to find, click on a column header to sort the ports by that attribute in ascending order. Click on the header again to sort the ports in descending order. 3. Click the Configure button that corresponds to the serial port line item you wish to configure. The Configure Serial Port screen appears. [Figure 95: Configure Serial Ports Screen] 4. Type a port name in Port Name field. For ease of use, you should name the port after the server that is connected to the p
4. [Figure 98: Configure Ports Screen] 3. To make ports easier to find, click on a column header to sort the ports by that attribute in ascending order. Click on the header again to sort the ports in descending order. 4. Click the Configure button that corresponds to the KVM port line item you wish to configure. The Configure KVM Port screen appears. [Figure 99: Configure KVM Port Screen] Type a port name in the Port Name field. For ease of use, you should name the port after the server that is connected to the port. Click on the Application Name drop-down arrow and either use the default application as configured in Application Manager or select another applicati
5. [Figure 222: Search Window] 3. Click on the Look In drop-down arrow and navigate to locate the firmware file in your system. When you find the firmware, select it and click Open. The firmware name will appear in the Firmware Name field. 4. Click Close to close the Firmware Manager screen. Delete Firmware: 1. On the Setup menu, click Firmware Manager. The Firmware Manager screen appears. 2. Click on the Firmware Name drop-down arrow and select the firmware to be deleted. 3. Click Delete. The Delete Firmware window appears. [Figure 223: Delete Firmware Window] 4. Click Yes to delete the firmware or No to close the window. 5. Click Close to close the Firmware Manager screen. CommandCenter NOC: Adding a CommandCenter NOC (CC-NOC) to your setup will expand your target management capabilities by providing monitoring, reporting, and alert services for your serial and KVM target systems. Please see Raritan's CommandCenter NOC documentation for detailed instructions on installing and operating your CC-NOC appliance. Important: In the following procedure, passcodes are generated. You need to provide these passcodes to the CC-NOC administrator, who needs to configure them in CC-NOC within five minutes. Avoid transmitting the passcodes over email or other electronic means to avoid
6. Click Close to close the Configuration Manager screen. Inactivity Timer Configuration: Use this screen to time out inactive user sessions. 1. On the Setup menu, click Configuration Manager. When the Configuration Manager screen appears, click on the Inactivity Timer tab. [Figure 196: Configuration Manager Inactivity Timer Screen] Type the desired time limit for inactivity in the Inactivity Time (in seconds) field. 3. Click Update Configuration to apply the changes to the system. Click Close to close the Configuration Manager screen. Time/Date Configuration: CC-SG's Time and Date stamps must be accurately maintained in order to provide credibility for its device management capabilities. Important: This time is used when scheduling tasks in Task Manager (see section Task Manager in Chapter 12: Advanced Administration). The time set on the client may be different than the time set on CC-SG. Only Administrators and ccroot users can synchronize Time and Date. 1. On the Setup menu, click Configuration Manager. When the Configuration Manager screen appears, click on the Time/Date tab.
7. [Figure 211: Configuration Settings Device Settings Screen] 4. Click Update Configuration to save the new device values. You may have to scroll down the screen to view the Update button. A success message will appear to confirm the update of all associated device settings. 5. Click Close. SNMP: Simple Network Management Protocol allows CC-SG to push SNMP traps (event notifications) to an existing SNMP manager on the network. Only a CC-SG Administrator trained in handling an SNMP infrastructure should configure CC-SG to work with SNMP. CC-SG also supports SNMP GET/SET operations with third-party enterprise Management Solutions, such as HP OpenView. To support the operations, you must provide SNMP agent identifier information such as these MIB-II System Group objects: sysContact, sysName, and sysLocation. Refer to RFC 1213 for details. These identifiers provide contact, administrative, and location information regarding the managed node. MIB Files: Because CC-SG pushes its own set of Raritan traps, you must update all SNMP managers with a custom MIB file that contains Raritan SNMP trap definitions (see Appendix E: SNMP Traps). This custom MIB file can be found on the CD included with your CC-SG unit and also under Firmware Upgrades on http://www.raritan.com/support. Configuring SNMP in CC-SG: 1. On the Setup menu, click Configuration Manager. When the Configuration Manager screen app
8. [Figure 138: Security Manager General Screen] 2. The modules in the table represent the multiple authentication options available in CC-SG. Select a name from the Authentication Modules table and click Up and Down to prioritize the sequence of engagement. 3. Check the box under the Authentication column to use a selected module for user authentication. 4. If the selected module is an Active Directory server or the CC Local Database, check the box under the Authorization column to use that module for user authorization as well. 5. Click Update to update the changes. Click Close to close the Security Manager screen. Distinguished Names for LDAP and Active Directory: Configuration of remotely authenticated users on LDAP or Active Directory servers requires entering user names and searches in Distinguished Name (DN) format. The full DN format is described in RFC 2253. For the purposes of this document, you need to
9. Using policies to control user access to ports is entirely optional. You could decide to assign all users to the default System Administrators user group, which grants full access to all configuration tasks, devices, ports, target systems, and servers. If you do want to control user access to target servers, you need to create user groups and apply policies to them. If you used the Association Wizard, policies were automatically created for you. First you create user groups, and then you apply the default policies to the user groups. At that point, you may want to add individual users to the user group so they are governed by the policies. In summary: Create User Group > Apply Existing Policy to User Group > Add Users. If you did not use the Association Wizard, you need to do the following: first you create user groups, then port groups, then policies, and lastly you apply the policies to the user groups. At that point, you can add individual users to the user group so they are governed by the policies. This method allows you to choose a policy you created, as opposed to using the default policy created in the Association Wizard. In summary: Create User Group > Create Port Group > Create Policy > Apply Policy to User Group > Add Users. Policy Terminology: You should read the following definitions to understand how they relate to policies. Policies define the permissions, type of access, and to which ports and/or devices a user group has
10. CVEs can be found on http://cve.mitre.org. Comment: Default CC-SG SNMP community name is "public". Users are encouraged to change this to the site-specific value (Setup > Configuration Manager > SNMP menu). Please refer to the CC-SG Administrator Guide for additional information. Traditionally, port 23 is used for telnet services. However, CC-SG uses this port for SSH V2 Diagnostic Console sessions. Users may change the port and/or completely disable Diagnostic Console from using the SSH Access method. Please refer to the CC-SG Administrator Guide for additional information. The underlying TCP/IP protocol stack used by CC-SG has not been shown to be susceptible to this exposure. The following patches have been applied to OpenSSL, therefore removing this exposure: RHSA-2004:120, RHSA-2005:830, RHSA-2003:101-01. Appendix C: Initial Setup Process Overview. Pre-requisites: Add Devices with Category/Element clearly identified. Add Ports with Category/Element clearly identified. Create Group(s). Add User(s). 1. Add Device Group with rule based on Category/Element. 2. Add Port Group with rule based on Category/Element. 3. Add Policy (links 2 and 3 together; controls access time and permission). 4. Link Groups/Users to Policy of choice. [Figure 291: Association Management Process]
11. Active Directory (AD); General Settings on CC; Advanced Settings on CC; Sun One LDAP (iPlanet) Configuration Settings; OpenLDAP (eDirectory) Configuration Settings; Export Current Certificate and Private Key; Generate Certificate Signing Request; Generate Self Signed Certificate Request; Chapter 10: Generating Reports; Asset Management Report; Accessed Devices Report; Locked Out Users Report; CC-NOC Synchronization Report
12. Data Report. 2. Click Manage Report Data to save or print the report. Click Save to save the report to a location of your choice, or Print to print the report. Click Close to close the window. 3. Click Close to close the All Users Data report. Users In Groups Report: The Users In Group report displays data on users and the groups with which they are associated. 1. On the Reports menu, click Users In Groups. The Users In Groups report is generated. Use the scroll bar to scroll through the list and view all entries. [Figure 175: Users In Groups Report] 2. Click Manage Report Data to save or print the report. Click Save to save the report to a location of your choice, or Print to print the report. Click Close to close the window. 3. Click Close to close the Users In Groups report. Query Port Report: The Query Port Report displays all ports according to port status. 1. On the Reports menu, click Query Port. The Query Port screen appears.
13. Repeat steps through 3 to restart other devices. Pause Device: You can pause a device to temporarily suspend CC-SG's control of it without losing any of the configuration data stored within the CC-SG Server. 1. Click on the Devices tab and select a device from the Devices tree. 2. On the Devices menu, click Device Manager, and then click Pause Management. The indicator of the device being paused is its icon changing from a grey (active) state to a red (paused) state in the Devices tree. Resume Device: After pausing a device, have it continue with its normal activity by commanding it to resume. 1. Click on the Devices tab and select the paused device from the Devices tree. 2. On the Devices menu, click Device Manager, and then click Resume Management. The device icon changes from the red (paused) state to a grey (active) state. View Devices, Regular View: Select this command to view devices in the Devices tree grouped in default view (you can change the regular view by assigning new criteria in custom view; see the next section, Custom View). 1. Click on the Devices tab. 2. On the Devices menu, click Change View, and then click Regular View. The Regular View of the Devices tree appears. [Figure 67: Devices Tree Regular View Screen] Known ports are nested und
14. [Figure 48: Association Wizard Summary Screen, listing the port groups created and their corresponding policies] 9. The Association Wizard has now created a port group for each element and a policy for each port group. If the element names were not unique, the default port groups and policies cannot be created (see Appendix F: Troubleshooting for additional information). You can now add ports to these port groups using the Port Group Manager. To make changes to any of the categories, from the Associations menu, click Association Manager. To make changes to any of the policies, from the Associations menu, click Policy Manager. By default, the Association Wizard sets the policy for control access at all times. Import Categories, Devices, Ports from CSV File: To expedite configuration, you can import pre-defined categories, elements of those categories, and the ports and devices to which the categories apply from a CSV file. After importing, you can have CC-SG validate the file to ensure the file was formatted properly. If errors are discovered, they are displayed. Once successfully imported, the categories and ele
15. 1-16 characters in length, underscores permitted. Password: Alphanumeric text, 6-16 characters in length. The first six characters of the password must contain at least two alpha and one numeric character, and the first four characters cannot be the same as the user name. Compatibility Matrix: The Compatibility Matrix lists the firmware versions of Raritan devices and software versions of applications that are compatible with the current version of CC-SG. To view the Compatibility Matrix, on the Devices menu, click Compatibility Matrix. [Figure 14: Compatibility Matrix] CC-SG checks against this data whenever you add a device, upgrade device firmware, or select an application for use. If the firmware or software version is incompatible, CC-SG warns you of this before you proceed further. Note: Each version of CC-SG will only support the current and previous firmware versions for Raritan devices at the time of release.
16. CC-SG sends a heartbeat message to CC-NOC. This confirms if CC-NOC is still up and available. Default is 60 seconds. Valid range is 30-120 seconds. Normally, this does not have to be changed. 9. For Failed Heartbeat Attempts, enter the number of consecutive heartbeats that must pass without a response before a CC-NOC node is considered unavailable. Default is 2 heartbeats. Valid range is 2-4 heartbeats. Normally, this does not have to be changed. 10. Click Next. [Figure 227: CC-NOC Passcodes] 11. Either copy and paste the passcodes into CC-NOC fields if you are the CC-NOC administrator, or submit the two passcodes to the CC-NOC administrator. As documented in the CommandCenter NOC Administrator Guide, the CC-NOC administrator will then enter the passcodes in CC-NOC, which initiates an exchange of security certificates. Important: To increa
17. Dominion KX, KSX, etc. Typically, CC-SG communicates with these devices over a TCP/IP network (local, WAN, or VPN), and both TCP and UDP protocols are used as follows:
Communication Direction | Port Number | Protocol | Purpose | Configurable
CC-SG, Local Broadcast | 5000 | | Device Discovery |
CC-SG, Remote LAN IP | 5000 | | Device Discovery |
CC-SG, Raritan Device | 5000 | TCP | Device Control | yes
Raritan Device > CC-SG | 5001 | UDP | Device Events | no
CC-SG Clustering: When the optional CC-SG clustering feature is used (that is, two CC-SGs are inter-connected and function as one unit), the following ports must be available for the inter-connecting sub-networks. If the optional clustering feature is not used, none of these ports need to be made available in the network. Each CC-SG in the cluster may be on a separate LAN. However, the inter-connection between the units should be very reliable and not prone to periods of congestion.
Communication Direction | Port Number | Protocol | Purpose | Configurable
CC-SG, Local Broadcast | 10000 | UDP | CC-SG Discovery | no
CC-SG, Remote LAN IP | 10000 | UDP | CC-SG Discovery |
CC-SG <> CC-SG | 5432 | TCP | Database Replication |
CC-SG < CC-SG | 8732 | TCP | Cluster Heartbeat |
Access to Infrastructure Services: The CC-SG can be configured to use several industry-standard services like DHCP, DNS, and NTP. In order for CC-SG to communicate with these optiona
18. [Figure 229: Edit CC-NOC Configuration Screen] 3. Refer to the previous section, Add a CC-NOC, for field details. Launch CC-NOC: To launch CC-NOC from CC-SG: 1. In the CC-NOC Configuration screen, highlight an available CC-NOC. 2. Click Launch. This will connect you to a configured CC-NOC. [Figure 230: Launch CC-NOC] Delete a CC-NOC: To remove and unregister a CC-NOC in CC-SG, do the following: 1. On the CommandCenter NOC menu, click Configuration. The CC-NOC Configuration screen appears.
19. [Figure 54: Add Device Screen for Raritan Devices] [Figure 55: Add Device Screen for iLO/RILOE] [Figure 56: Add Device Screen for IPMI Server v1.5] [Figure 57: Add Device Screen for Generic Device] Type the new device name in the Device name field. Type the IP Address or Hostname of the new device in the Device IP or Hostname field. For hostname rules, see Terminology/Acronyms in Chapter 1: Introduction. The TCP/UDP port number value will be populated automatically based on the device type. For example, the default UDP port for an IPMI device is 623. Type a description or location of the new device in the Description field. Type the name used to log onto this device in the Username field. Type the password nee
20. and asset inventory reports include Audit Trail, Error Log, Firmware Report, Ping Report, View By Groups, and Users in Groups. Comprehensive Logging: Logs events locally. Can use an external syslog server for event logs (events are immediately posted or exported) and the ability to have other Raritan products use it as a syslog server. Provides full auditing and tracking capabilities. Keeps an audit trail for tracking user activity. Support for SNMP Agents and Traps: Provides SNMP GET/SET operations with third-party enterprise Management Solutions, such as HP OpenView. To support the operations, you must provide SNMP agent identifier information such as these MIB-II System Group objects: sysContact, sysName, and sysLocation. Provides System-level trap notification of CC-SG's operational events. Provides Application-level trap notification regarding the monitoring of managed devices, availability events, and the audit events of user access and authorization to CC-SG. Infrastructure Support for Customizable Applets via GUI: Customizable applets control ranges of devices, including power strips, HP's iLO/RILOE cards, etc. Target systems accessed through applets: remote access to servers and other data center equipment managed by Raritan management appliances through downloadable applets (COM controls). Power strip outlet user authorization setting mappin
21. [Figure 131: Ports, Port Groups, Policies, User Groups, Users] Policy Manager: Policy Manager commands allow you to add, edit, delete, and assign policies to Device and Port groups. Policies give users rights to allow or deny access to groups. Please see Appendix C: Initial Setup Process Overview for more information on using policies. Add Policy: 1. On the Associations menu, click Policy Manager. The Policy Manager screen appears. [Figure 132: Policy Manager Screen] 2. Click Add to add a new policy. The Add Policy window appears.
22.
    delay 1
    waitfor "ogin"
    transmit "ccclient^M"
    waitfor "client"
    transmit "dest^M"
    waitfor "callback"
    transmit "ATH^M"
    waitfor "RING"
    transmit "ATA^M"
    waitfor "CONNECT"
    waitfor "ogin"
    transmit "ccclient^M"
    endproc
Connect to CC-SG with Modem: To connect to CC-SG: 1. On the Start menu, click My Network Places. 2. Click "view network connections" under Network Tasks. 3. Double-click on the CommandCenter connection. [Figure 206: Connecting to CC-SG] 4. Type a username of ccclient and password of cbupass. [Figure 207: Entering username and password] 5. If not filled in already, enter the phone number used to connect to CC-SG. This is NOT the dial-back number. 6. Click Dial. If using call-back, the modem will dial CC-SG, and then CC-SG will dial your client PC. 7. If "Show terminal window" was checked, as described in section Configure the Call-back Connection earlier in this chapter, then a window similar to the one below will be displayed. [Figure 208: After Dial Terminal] 8. Wait 1 or 2 minutes and, in a supported browser,
23. enter the IP address of CC-SG that was configured as the Server address under the Modem tab in Configuration Manager on CC-SG, and log in to CC-SG. Connection Mode: When connected to a device, you have the option to pass data back and forth directly with that device (Direct Mode) or to route all the data through your CC-SG unit (Proxy Mode). While Proxy Mode increases the bandwidth load on your CC-SG server, you only need to keep the CC-SG TCP ports (80, 443, and 2400) open in your firewall. See Raritan's Digital Solution Deployment Guide for additional information. 1. On the Setup menu, click Configuration Manager. When the Configuration Manager screen appears, click on the Connection Mode tab. 2. Click on the radio button for the connection mode you prefer. a. Click on the Direct Mode radio button to connect to a device directly. b. Click on the Proxy Mode radio button to connect to a device via your CC-SG unit. [Figure 209: Configuration Manager Connection Screen, Direct Mode or Proxy Mode] c. Click on the Both radio button if you want to connect to some devices directly but others through Proxy Mode. Then specify settings for the devices
24. if Down is continual, you may want to call Raritan Technical Support or try restarting CC-SG with the admin account in Diagnostic Console. Other information displayed includes CC-SG software version, cluster configuration, web status, etc. 2. Exit the window by pressing Ctrl+Q or Ctrl+C. Accessing Administrator Console: At the time of logging into Administrator Console, all information displayed is static. If configuration changes occur through the CC-SG GUI or the Diagnostic Console, you need to re-login to Administrator Console after the changes have taken effect to view the changes in Administrator Console. 1. After "login as", type admin. [Figure 258: Login to Administrator Console] 2. Type the CC-SG password (raritan is the default). Re-enter this password and, when prompted, type a new password. See section Changing Passwords Admin later in this chapter for details on setting password strength. The Administrator Console is then displayed. In this
25. or upgrading the firmware of a device. The administrator, however, will remain logged into CC-SG. Note: Firmware upgrades and device configuration backups and restores are allowed to complete before the user's session with the device is terminated. All other operations will be terminated immediately. 1. Click on the Devices tab. 2. Right-click on the device from which you want to disconnect one or more users. Figure 92: Disconnect Users. 3. Click Disconnect Users. 4. Highlight one or more users in the Disconnect users panel. 5. Click Disconnect. Note: For Dominion SX devices only, you can disconnect users who are directly logged onto the device as well as those who are connected to the device port via CC-SG. Chapter 6: Configuring Ports and Port Groups. This chapter discusses how to configure and edit ports and port groups. Procedures on how to use ports: connect, disconnect, bookmark ports, search for p
26. Figure 159 Certificate Request Generated; Figure 160 Generate Self-Signed Certificate Window; Figure 161 Security Manager IP ACL Screen; Figure 162 Active Users Report; Figure 163 Manage Report Window; Figure 164 Active Ports Report; Figure 165 Asset Management Report; Figure 166 Audit Trail Screen; Figure 167 Audit Trail Report; Figure 168 Error Log Screen; Figure 169 Error Log Report; Figure 170 Ping Report; Figure 171 Accessed Devices Screen; Figure 172 Accessed Devices Report; Figure 173 Groups Report; Figure 174 All Users Data Report; Figure 175 Users In Groups; Figure 176 Query Port; Figure 177 View Stored Reports
27. Figure 277: Getting Help (F1). Restarting CC-SG (Admin): You can restart CC-SG, which will log off all current CC-SG users and terminate their sessions to remote target servers. Important: It is HIGHLY recommended to restart CC-SG in the CC-SG GUI instead, unless it is absolutely necessary to restart it here. See section Restart CC-SG in Chapter 11: System Maintenance for additional information. Restarting CC-SG in Diagnostic Console will NOT notify CC-SG GUI users that it is being restarted. 1. To restart CC-SG, click Operation, Admin, then CC-SG Restart. Figure 278: Selecting CC-SG Restart in Diagnostic Console. 2. Either click Restart CC-SG Application or press ENTER.
28. you to manually create policies. Association Manager: Association Manager commands allow you to add, modify, or delete Categories and Elements. In CC-SG, each device or port has an associated IP Address and Port Name by default. For further differentiation, additional types of attributes, known as categories, are associated to the device or port for ease of administration. Each Category has elements associated with it. For example, the category Country might have the elements USA, Japan, and Germany associated with it; the category Location might have the elements San Jose, San Francisco, and New York associated with it; and so on. Once the tree view is customized using these attributes, you can easily find, for example, all Firewall devices located in the New York location without searching through an extensive list of managed devices/ports. Once you add a new category and its elements, you can associate CC-SG's configured devices/ports. When configuring devices/ports, you can choose one element from each category to associate with each device/port. Please see Appendix C: Initial Setup Process Overview for a summary of this process within CC-SG. Add Category: 1. On the Associations menu, click Association Manager. The Association Manager screen appears.
29. Figure 177: View Stored Reports. Click Get Reports to view the entire list of all scheduled reports that were created by all owners. By default, all reports that were scheduled an hour ago to the current time are displayed. To filter the reports displayed, you can select a particular Report Type (such as Active Ports Report) or Report Owner, or alter the start and end dates in Reports generated between by highlighting the month, date, year, or time fields and clicking the or buttons. Also, you can enter a Report Name to filter on the name: enter a phrase or partial phrase of the name; matches are case-insensitive and wildcards are not allowed. Click Get Reports to view the filtered list. Click on any of the column headers to sort the ports by that attribute, such as Report Type, in ascending order. Click on the header again to sort the ports in descending order. To view an individual report, highlight the report in the list and click Show Report.
30. Figure 169: Error Log Report. Click Manage Report Data to save or print the report. Click Save to save the records that are displayed to a CSV file, or click Save All to save all records. Click Print to print the records that are displayed, or Print All to print all records. Click Close to close the window. Click Clear to clear the contents of the report. If the report is lengthy, click Next or Previous to navigate through the pages. Click Close to close the Error Log report. Ping Report: The Ping Report displays the status of all connections, showing devices by name and IP address. This report gives you the full accessibility picture for all devices on your system, and will supply information that could be useful in case troubleshooting is necessary. 1. On the Reports menu, click Ping Report. The Ping Report is generated.
31. 2. Click Add in the Group panel to add a new group. The Add Port Group window appears. Figure 30: Add Port Group Window. 3. Type the name for the new Port Group in the Enter Port Group Name field. 4. Click OK to add the new group. 5. Create a desired rule, such as PortType UNIX, using pre-defined categories and elements, and then click Add Rule. In this example, PortType is a category and UNIX is an element. Repeat for additional rules. Raritan CHAPTER 3 EXAMPLE CONFIGURATION WORKFLOW 31. 6. If needed, enter the Boolean logic to apply additional rules in the Validate panel. Example: use Rule & Rule1 for AND, or use Rule Rule1 for OR. Additional combinations can be used. 7. Click Validate, then Update. 8. Click Close to close Port Groups Manager screen. 9. Repeat steps 1 through 8 to add other port groups. Create/Edit Policies: Policies specify the devices and ports a user can access, as well as when they can be accessed. Policies were automatically created per element when the Association Wizard was run (see section Create Associations earlier in this chapter for additional information). These policies, for example Allow Linux Ports, include the port group that was automatically generated and grant full access to the ports. Once created, you will then apply the policy to a user group. 1. On the Associa
32. 3. Type a name for this cluster in Cluster Name. If you do not provide a name now, a default name will be provided, such as cluster192.168.51.124, when the cluster is created. Click Create Cluster. Figure 232: Cluster Configuration Screen. Click Yes when prompted if you want to continue. The CC-SG you currently are using will become the Primary node, and a default name will be provided unless you previously entered Cluster Name. Figure 233: Cluster Configuration, Primary Node Set. CHAPTER 12 ADVANCED ADMINISTRATION 189. Set Secondary CC-SG Node: 1. Click Discover CommandCenters to scan and display all CC-SG appliances on the same subnet as the one you are currently using. Alternatively you can add
33. 39 Delete Category Window. 4. Click Yes to delete the category or No to close the window. 5. Click Close to close the Association Manager screen. 6. Repeat steps 1 through 5 to delete other categories. Add Element: 1. On the Associations menu, click Association Manager. The Associations Manager screen appears. Figure 40: Association Manager Screen. 2. Click Add in the Element for Category panel to add a new element. The Add Element window appears. Figure 41: Add Element Window. 3. Type the new element name in the Enter Value for Element field. 4. Click OK to add the element or Cancel to exit the window. The new element appears in the Elements For Category panel. 5. Click Close to close the Association Manager screen. 6. Repeat steps 1 through 5 to add other elements. Raritan CHAPTER 4 CREATING ASSOCIATIONS 41. Edit Element: 1. On the Associations menu, click Association Man
34. 49 375 27 13 49 0 Email: info@peppercon.com Website: www.peppercon.de
35. Figure 290: CC-SG Deployment Elements. Raritan APPENDIX B CC-SG AND NETWORK CONFIGURATION 231. CC-SG Communication Channels: The communication channels are partitioned as follows: CC-SG and Raritan Devices; CC-SG and CC-SG Clustering (optional); CC-SG and Infrastructure Services; Clients and CC-SG; Clients and Targets (Direct Mode); Clients and Targets (Proxy Mode); Clients and Targets (In-Band); CC-SG and CC-NOC. For each communication channel, the tables in the sections that follow: Represents the symbolic IP Addresses used by the communicating parties; these addresses have to be allowed over any communication path between the entities. Indicates the Direction in which the communication is initiated; this may be important for your particular site policies. For a given CC-SG role, the path between the corresponding communicating parties must be available, and for any alternate re-route paths that might be used in the case of a network outage. Provides the Port Number and Protocol used by CC-SG. States the Purpose of the port. Indicates if the port is Configurable, which means the GUI or Diagnostic Console provides a field where you can change the port number to a different value from the default listed, due to conflicts with other applications on the network or for security reasons. CC-SG and Raritan Devices: A main role of CC-SG is to manage and control Raritan devices for example
36. Apply will display ports with ALL statuses that are selected. 4. Check the Show Ghosted Ports checkbox in conjunction with one or more port statuses to display ports that have the selected port status in addition to being ghosted. A ghosted port can occur when managing Paragon devices and when a CIM or target server is removed from the system or powered off (manually or accidentally). Refer to Raritan's Paragon II User Manual for additional information. 5. Click on any of the column headers to sort the ports by that attribute in ascending order. Click on the header again to sort the ports in descending order. 6. Click Close to close the Query Port report. Raritan CHAPTER 10 GENERATING REPORTS 149. View Stored Reports: The View Stored Reports displays reports that were scheduled in the Task Manager (see section Task Manager in Chapter 12: Advanced Administration). 1. On the Reports menu, click View Stored Reports.
37. CC-SG can be accessed via the hostname, since the IP address may not be known when using DHCP. If you choose Static, type an IP address, subnet mask, default gateway, Primary DNS and Secondary DNS information, and string for your domain setup in domain suffix. 5. Click on the Adapter Speed drop-down arrow and select a line speed from the list. 6. Click on the Adapter Mode drop-down arrow and select a duplex mode from the list, if applicable. 7. Click Update Configuration to update the Network Setup of your system. 8. Click Close to close the Configuration Manager screen. Log Configuration: 1. On the Setup menu, click Configuration Manager. When the Configuration Manager screen appears, click on the Logs tab. Figure 195: Configuration Manager Logs Screen. 2. Type IP addresses into the Server Address field. 3. Click on the Level to Forward drop-down arrow to select a level. 4. Repeat steps 2 and 3 for Secondary Server fields (note that Secondary Server is optional). 5. Click Update Configuration to save the server addresses to the system
38. CC-SG range entered here includes a partial list (non-null intersection) of the range configured in CC-NOC, then CC-NOC returns all known target device information within the intersecting range. If CC-SG range is a superset of the range configured in CC-NOC, then CC-NOC returns all known target device information within this range. Essentially, CC-NOC returns targets that are defined in the CC-NOC range. If CC-SG range does not overlap the range configured in CC-NOC, then CC-NOC will not return any target device information at all. To stop CC-NOC from monitoring a device, it can be unmanaged (see the CommandCenter NOC Administrator Guide). Note: Use the CC-NOC Synchronization Report to view targets that the CC-SG is subscribing to. The report also displays any new targets that have been discovered by CC-NOC. See Chapter 10: Generating Reports, CC-NOC Synchronization Report for additional information. 7. Specify a Synchronization Time to schedule when the target information is retrieved from the CC-NOC database. This will refresh the databases as targets are discovered or become unmanaged. The default is the current time as set on the client machine. You may want to schedule synchronization during an off-peak time so synchronization will not affect the performance of other processes. 8. For Heartbeat Interval, enter how often in seconds
39. Click on Product Documentation, then CommandCenter NOC. Figure 226: Add CC-NOC Configuration Screen. 4. Type a descriptive name of the CC-NOC in the Name field. Maximum length is 50 alphanumeric characters. 5. Type the IP address or hostname of the CC-NOC in the CC-NOC IP/Hostname field. This is a required field. For hostname rules, see Terminology/Acronyms in Chapter 1: Introduction. 6. To retrieve daily information on targets in the CC-NOC database, type a discovery range in the IP Range From and IP Range To fields. This IP range represents the range of addresses CC-SG is interested in and instructs CC-NOC to send events for these devices to CC-SG. This range is related to the discovery range that is configured in the CC-NOC; see Raritan's CommandCenter NOC Administrator Guide for details. Type a range, keeping the following rules in mind. IP ADDRESS RANGE / DESCRIPTION: If CC-SG range entered here is a subset of the range configured in CC-NOC, then CC-NOC returns all known target device information within this range. If
40. Figure 23: Configuration Ports. Click Configure next to the serial port line item you wish to configure. The Configure Serial Port screen appears. Figure 24: Configure Serial Ports. Type a port name in Port Name field. Typically, you should name the port after the target server the device connects to, for example NYC MsSrvl1. Click on the Application Name drop-down menu and select an application name. This application (for example, Raritan Console RC) is used to manage the target system. Click on the Baud Rate drop-down arrow and select a rate. Click on the Parity/Data Bits drop-down arrow and select a parity value. Click on the Flow Control drop-down arrow and select a flow control value. Click on the Associate Power Strip drop-down arrow and associate with a power strip, if necessary. Select the associated category a
41. Figure 16: Association Wizard Category and Elements Screen. 3. Type the name of a category you wish to organize your ports by, for example Location, in the Category field. 4. Type the name of each element in that category in the Elements fields below. These elements are used to group your ports within the category, for example, LA Market Area, Chicago Market Area, etc. If you require more than eight elements for this category, click Add More Elements. 5. To create another category, click Add Another Category and repeat steps 3 and 4. To review categories and elements you have created, click Previous or Next to cycle through them. Figure 17: Adding Another Category. 6. When you are done creating categories, click Next at the bottom of the screen. The Confirm Choices screen of the Wizard appears.
42. Port Icons: For easier identification, different ports have different icons in the tree. In addition, availability status of each port also has a different icon. For a description of what the icons represent, please see the table below. ICON MEANING: Device available; Port available; Ghosted Port (a ghosted port can occur when managing Paragon devices and when a CIM or target server is removed from the system or powered off, but a record of it remains); KVM port connected in current user session; Port unavailable because device is unavailable; Port busy (other user connected to port); Serial port available (not connected); Serial port connected in current user session; Serial port busy (other user connected to port); Serial port unavailable (device is down and unavailable). Important: Many of the menu bar commands described in this section can be accessed by right-clicking on a Port icon and selecting a command from the shortcut menu that appears. Configure Port. Configure a Serial Port: Click on the Devices tab and select a serial device from the Devices tree. 1. On the Devices menu, click Port Manager, and then click Configure Ports. The Configure Ports screen appears.
43. Host>. For example, using above screen, you can connect to SX 229 by typing ssh id 1370. Figure 252: Access SX Device via SSH. Connect to a Serial Port: Connect to a serial port to access a target server. You can access serial ports on a SX, KSX, or IP-Reach device. The SSH connection to the serial ports is in proxy mode. 1. Type listports to view the port ids. Figure 253: Listing Ports on CC-SG. 2. Type connect p port id to connect to the target server associated with the port. Figure 254: Connecting to a Serial Port. 3. Once connected to the port, type the default Escape keys of followed by a dot. An intermediate prompt, typically named after port name, is displayed, for example testport>. At this intermediate prompt you can enter specific commands
44. If a connection is made to AD1 but you want to authenticate a user in AD2, you need to inform AD1 of the realm of the user (realm AD2) to correctly redirect the authentication request. In this case, you need to configure CC-SG to connect to AD1 and specify realm AD2 to authenticate users against AD2. 5. Specify a Base DN (directory level/entry) under which the authentication search query will be executed. EXAMPLE / DESCRIPTION: dc=raritan,dc=com: The search query for the user entry will be made over the whole directory structure. cn=Administrators,cn=Users,dc=raritan,dc=com: The search query for the user entry will be performed only in the Administrators sub-directory (entry). 6. Type a user's attributes in Filter so the search query will be restricted to only those entries that meet this criterion. By default, the filter is (objectclass=user), which means that only entries of type user are searched. 7. Specify the way in which the search query will be performed for the user entry. If you check Use Bind, CC-SG attempts to connect (bind) to AD directly with the username and password supplied in the applet. However, if a username pattern is specified in Bind username pattern, the pattern will be merged with the username supplied in the applet and the merged username will be used to connect to the AD server. For example, if you have cn={0},cn=Users,dc=raritan,dc=com and TestUs
45. If you see a timed out error instead of a reply, there is a breakdown somewhere between your computer and the domain. In this case, the next step is to perform a traceroute (see the next section). 6. Press CTRL+C to terminate the ping session. Note: Pressing CTRL+0 displays a statistics summary for the session so far and continues to ping the destination. Using Traceroute (Network Interfaces): Traceroute is often used for network troubleshooting. By showing a list of routers traversed, it allows you to identify the path taken from your computer to reach a particular destination on the network. It will list all the routers it passes through until it reaches its destination, or fails to and is discarded. In addition to this, it will tell you how long each hop from router to router takes. This can help identify routing problems or firewalls that may be blocking access to a site. 1. To perform a traceroute on an IP address or hostname, click Operation, Network Interfaces, then Traceroute. Figure 267: Performing Traceroute on a Target. 2. Enter the IP address or hostname of the target you wish to check in the Traceroute Target field. 3. Optionally select: OPTION DESCRIP
46. Introduction. 4. Click appropriate option button for either Primary/Backup Mode or Active/Active Mode. See section Network Configuration earlier in this chapter for details. 5. Click either DHCP or Static from the list. If you choose DHCP and your DHCP server has been configured correctly, the DNS information, the domain suffix, IP address, default gateway, and subnet mask will be automatically populated once Save is selected and you exit and re-enter Admin Console. If you choose Static, type an IP address, subnet mask, default gateway, Primary DNS and Secondary DNS information, and string for your domain setup in domain suffix. 6. Click Adapter Speed and use the ↑↓ keys to select a line speed from the list. 7. If you did not select AUTO for Adapter Speed, click Adapter Duplex and use the ↑↓ keys to select a duplex mode from the list, if applicable. 8. Repeat steps 6 through 8 for the second network interface if you selected Active/Active Mode. 9. Click Save to save your changes. CC-SG will be restarted and will log off all CC-SG GUI users and terminate their session. Ping an IP Address (Network Interfaces): Use ping to check that the connection between your computer and a particular IP address/domain is working correctly. 1. To ping an IP address or hostname, click Operation, Network Interfaces, then Ping.
47. Figure 231: Delete CC-NOC Screen. 2. Highlight a CC-NOC in the list and click Delete. You are prompted to confirm the deletion. 3. Click Yes to delete the CC-NOC or No to exit without deleting. A CC-NOC Deleted Successfully message confirms that CC-NOC has been deleted. 4. Repeat steps 1 through 3 to delete other CC-NOCs. Cluster Configuration: A CC-SG cluster uses two CC-SG nodes, one Primary node and one Secondary node, for backup security in case of Primary CC-SG node failure. Both nodes share common data for active users and active connections, and all status data is replicated between the two nodes. The primary and secondary nodes in a cluster must be running the same version of software. Unless defined by the user, CC-SG will assign a default name to each cluster node. Devices in a CC-SG cluster must be aware of the IP of the Primary CC-SG node in order to be able to notify the Primary node of status change events. If the Primary node fails, the Secondary node immediately assumes all Primary node functionality. This requires initialization of the CC-SG application and user sessions, and all existing sessions originating on the Primary CC-SG node will terminate. The devices connected to the Primary CC-SG unit will recognize that the Primary node is not responding and will
48. Figure 133: Add Appliance Policy Window. 3. Type the name of the new policy in the Enter Policy Name field. 4. Click OK to add the new policy or Cancel to close the window. If you clicked OK, the new policy name appears in the Name field. 5. Click on the Device Group drop-down arrow and select a device group. 6. Click on the Port Group drop-down arrow and select a port group. 7. Click on the up or down arrows in the Start Time and End Time fields to assign a starting time and an ending time during a 24-hour period for this policy to be in effect. 8. Select the appropriate option buttons for this policy to be in effect: Any to apply policy every day, Weekday to apply policy every working day, Weekend to apply policy Saturdays and Sundays, and Custom to manually choose the days policy to be applied. If you choose Custom, check on the days of the week to apply the policy. 9. Select a permission type, Deny or Control, in the Permission field. Raritan CHAPTER 8 CREATING POLICIES. 10. Click Update to add the policy. The Update Policy window appears. Figure 134: Update Policy Window. 11. Click Yes to add the policy or No to close the window. 12. Click Close to close the Policy Manager screen. 13. Repeat steps 1 through 12 to add other policies. Edit Policy: 1. On the Associations menu, click Policy Manager. The Po
49. Figure 18: Association Wizard Confirm Choices. 7. Review the list of categories and associated elements that will be created. Click Previous if you need to go back and make changes. If everything is correct, click Finish. 8. CC-SG will show a progress bar while it is creating the associations, port groups, and policies. When this is complete, the Association Wizard Summary screen appears, displaying the list of what was created. Click Done to exit the wizard.
50. Figure 18 CC-SG Application Window
The CC-SG menu bar displays all operations and configuration commands. Active commands are based upon the privileges of the user as established by the CC-SG Administrator. The user's privileges also determine the ports and devices that appear in the Ports and Devices trees. Clicking on the Ports tab displays the Ports selection tree, clicking on the Users tab displays the Users selection tree, and clicking on the Devices tab displays the Devices selection tree. Expand and collapse these trees by clicking on the + and - buttons in front of the icons to view all or a specific set of Ports, Users, or Devices. Users can arrange listed ports by name or status by right-clicking on the tree and selecting the desired Port Sorting Option. Administrators must configure Ports, Users, and Devices in the CC-SG system upon setup and before executing any commands. Please see Appendix C: Initial Setup Process Overview for an overview of this process.
Note: The Quick Commands toolbar has been upgraded to include Back and Forward buttons the le
51. System icon in the Devices tree and select Launch Admin to launch the Paragon II System Controller application in a new browser window and configure your PII UMT units.
Figure 74 Paragon System Launch Admin Menu Option
Figure 75 Paragon Manager Application Window
Raritan CHAPTER 5 ADDING DEVICES AND DEVICE GROUPS
IP-Reach and UST-IP Administration
You can also perform administrative diagnostics on IP-Reach and UST-IP devices connected to your Paragon System setup directly from the CC-SG interface. After adding the Paragon System device to CC-SG, it appears in the Devices tree. Right-click on the device icon in the Device
52. This is required for CC-SG to complete all transactions, close the databases, and place the disk drives into a safe state for power removal.
CC-SG Window Components
1. Ports Selection tab: Click on the Ports tab to display all known target Ports in a Ports tree view. Right-click on a port and select Connect to connect to that port.
2. Users Selection tab: Click on the Users tab to display all registered Users and Groups in a Users tree view. Click on the + and - signs to expand or collapse the tree.
3. Devices Selection tab: Click on the Devices tab to display all known Raritan devices in a Devices tree view. Different device types have different icons. Known target ports are grouped under their parent devices; click on the + and - signs to expand or collapse the tree. Right-click on a port and select Connect to connect to that port.
Note: To make ports easier to find, right-click on the tree and select the desired listing method under Port Sorting Options. Ports sorted by name will be listed alphabetically; ports sorted by status will be grouped in the order of Available Ports, Busy Ports, Unavailable Ports an
53. a possible interception by automated systems. A phone call or exchange of written codes between trusted parties is better protection against automated interception.
Add a CC-NOC
Note: To create a valid connection, the time settings on both the CC-NOC and CC-SG should be synchronized. The best method of achieving this synchronization is to use a common NTP (Network Time Protocol) server. For this reason, the CC-NOC and CC-SG are required to be configured to use an NTP server.
1. On the CommandCenter NOC menu, click Configuration. The CC-NOC Configuration screen appears.
Figure 224 CC-NOC Configuration Screen
2. Click Add. The Add CC-NOC Configuration screen appears.
Figure 225 CC-NOC Configuration Screen
Raritan CHAPTER 12 ADVANCED ADMINISTRATION
3. Select a software version of CC-NOC you want to add and click Next. Version 5.1 has fewer integration features than 5.2 and only requires adding a name and an IP address. For additional information on CC-NOC 5.1, please see www.raritan.com/support
54. above. If older versions exist, they must be replaced.
LDAP and TACACS are used for remote authentication only, not authorization.
CC-SG can present the list of users logged in to leaf devices and can show which users are currently accessing an edge port through the active users on an edge port features.
If there are many devices under CC-SG, the user can scroll through the screens to view them all. A user is able to open many screens, each one corresponding to one edge port, but the user is restricted on the KVM side by the actual capacity of KVM-over-IP channels to be able to access multiple KVM screens.
Logging on to CC-SG through the CC-SG console itself is the same as gaining the root privilege of the operating system (Linux) upon which CC-SG is running. Syslog will record such an event, but what the user types at the CC-SG console itself will be lost.
255-80-5140-00
Raritan APPENDIX G FAQS
55. access to. Policies are applied to a user group and have several control parameters to determine the level of control, such as date and time of access.
• Port Groups define ports that are accessible to a user. Port groups are used when creating a policy to control access to the ports in the group.
• User Groups are a set of users that share the same level of access and privileges. For example, the default user group, System Administrators, has full access to all configuration tasks and target hosts and servers. All other user groups have restricted CC-SG access and should typically be employed for users who need port access only to a particular set of devices or target servers and systems.
User Groups
User groups are used to define a group of users and the CC-SG privileges they possess. When a user logs on, they will see the CC-SG interface. The user group privileges define what the user can do with CC-SG. The default System Administrators user group has access to all managed devices and ports as well as all CC-SG functions. A user may just be allowed access to ports and devices, or have access to all of the tools of CC-SG. For example, you could create a user group of UNIX administrators and just allow them access to ports that connect to UNIX target servers. Or you could also create a group of system administrators and give access to CC-SG tools as well as devices and ports. You
56. and Private Key and submit it by clicking Export.
Generate Certificate Signing Request
The following explains how to generate a CSR and a private key on CC-SG. The CSR will be submitted to the Certificate Server, which will issue a signed certificate. A root certificate will also be exported from the Certificate Server and saved in a file. The signed certificate, root certificate, and private key will then be imported.
1. Click Generate Certificate Signing Request and click Generate. The Generate Certificate Signing Request window appears.
2. Type the requested data for the CSR into the fields.
Figure 158 Generate Certificate Signing Request Screen
3. Click OK to generate the CSR or Cancel to exit the window. The CSR and private key appear in the corresponding fields of the Certificate screen.
57. and perform some limited diagnostics, such as changing the IP address of the CC-SG or restarting CC-SG.
Note: If accessing Diagnostic Console via SSH, the Status Console and the Administrator Console inherit the appearance settings that are configured in your SSH client and keyboard bindings.
Accessing Diagnostic Console via SSH
1. Launch an SSH client, such as PuTTY.
2. Enter the IP address, or IP hostname if CC-SG has been registered with a DNS server, of the CC-SG and specify 23 for the port.
Figure 255 SSH Client
3. Click Open. A window opens prompting you for a login.
Accessing Status Console
Entering a password to access the Status Console is not required, but can be enforced if desired.
1. After login as, type status.
Figure 256 Login to Status Cons
58. and port category associations, leaving all pre-associated element fields blank.
Association Wizard
The Association Wizard guides you through steps to create categories and their associated elements, as described in the Association Manager section above, then automates the creation of related Port Groups and Policies for those elements.
1. On the Associations menu, click Association Wizard. The Association Wizard screen appears.
Figure 44 Association Wizard Overview
2. After reading the overview, click Next. The Category and Elements screen of the Wizard appears.
59. and system configuration files. If anything happens to your system, you can restore your previous configurations from memory.
Note: Only for Dominion SX 2.5 devices or later, network settings such as IP address, subnet mask, IP gateway are not included in the backup file.
1. Click on the Devices tab and select a device from the Devices tree.
2. On the Devices menu, click Device Manager, and then click Backup Device Configuration. The Backup Device Configuration screen appears.
Figure 61 Backup Device Configuration Screen
3. Click OK to back up the device configuration or Cancel to exit without backing up. A Device Configuration Backed Up Successfully message confirms that the device configuration has been backed up.
4. Repeat steps 1 through 3 to back up other device configurations.
Restore Device Configuration
This command allows you to restore a previously backed up device configuration.
1. Click on the Devices tab and select a device from the Devices tree.
2. On the Devices menu, click Device Manager, and then click Restore Device Configuration. The Restore Device Configuration screen appears.
Figure 62 Restore Device Configuration Screen
3. Click on the Backup Date drop-down arrow and select a date from the list of when you last made a back up
60. appears, click on the IP-ACL tab.
Figure 161 Security Manager IP-ACL Screen
2. To change the order of the line items in the Access Control List, select the line item and click Up or Down. Connecting users will be allowed or denied according to the first rule that applies, from top to bottom.
3. To add a new item to the list, specify a range to apply the rule to by typing the starting IP value in the Starting IP field and the ending IP value in the Ending IP field.
4. Click on the Group drop-down arrow to select a group to apply the rule to.
5. Click on the Action drop-down arrow and choose to Allow or Deny the group access to the IP range.
6. Click Add to add the new rule to the Access Control List.
7. To remove any line item, select it and click Remove.
8. Click Update Configuration to update your system with the new access control rules.
Raritan CHAPTER 10 GENERATING REPORTS
Chapter 10 Generating Reports
Reports can be sorted by clicking on the column headers. Click on a column header, such as User Name, Access Time, etc., to sort report data by that value. The data will refresh in ascending order alphabetically num
61. Figure 141 Assigning User to a Group
Raritan CHAPTER 9 CONFIGURING REMOTE AUTHENTICATION
Setup on CC-SG
1. On CC-SG, click Security Manager from the Setup menu. When the Security Manager screen appears, click Add External AA Server.
2. In the Add Module screen, select AD from the Module Type pulldown menu.
Figure 142 Specifying a Name for Active Directory Server
3. Specify a name for the Active Directory server in Module name. The name is optional and is specified only to distinguish this server from any others that may be configured. The name is not connected to the actual Active Directory server name in any way.
4. Click Next.
General Settings on CC-SG
1. Type the IP Address/Hostname of the Active Directory server. For hostname rules, see Terminology/Acronyms in Chapter 1: Introduction.
62. arrange the Devices tree to reflect the selected custom view.
5. Click Set Default if you want the selected custom view to be displayed when logging into CC-SG.
6. Click Close to close the Custom View screen.
7. Repeat steps 1 through 5 to change custom view.
Known ports are nested under their parent devices. Right-click on the tree, then click Port Sorting Options, then Sort By Port Name or Sort By Port Status to arrange the ports within their devices alphabetically by name or by availability status. Ports arranged by status are sorted alphabetically within their connection status grouping. Devices will also be sorted accordingly.
Add Custom View
Click on the Devices tab.
On the Devices menu, click Change View, and then click Custom View. The Custom View screen appears.
In the Custom View panel, click Add. An Add Custom View window appears.
Figure 69 Add Custom View Window
Type a new custom view name and click OK, or click Cancel to close the window. The new view name appears in the Name field.
In the Custom View Details panel, click on the drop-down arrow at the bottom of the panel. This list contains categories that you can use to filter custom views. Select a detail from the drop down
63. box implies that a remote server is being used for authentication. If so, a local password is not needed and the Password and Retype Password fields are grayed out.
5. If using local authentication, type the new password into the Password field (6-16 characters, alphanumeric characters and underscores).
6. If using local authentication, re-type the password in the Retype Password field.
7. Type a dial-back number in the Dial Back Number field, if needed.
8. Check the Login Enabled check box to authenticate against the system; if not, the user cannot enter the system.
9. Check the Force Change Password on Next Login check box if you want this user to be forced to change password the next time he or she logs in to CC-SG.
10. Check the Force Change Password Periodically check box if you want this user to have to change his or her password from time to time.
11. Type the expiration period for this user's password in the Expiration Period field.
12. Type an email address for this user in the Email Address field, if desired.
13. Click OK to add this user to the system. A User Created successfully message indicates the user has been added to the system.
14. Drag the new user icon to the desired user group.
15. Repeat steps 1 through 14 to add additional users.
Important: If you do not wish to restrict or control user access to systems or CC-SG, your installation is now complete. Your users sho
64. Figure 184 Refresh Shortcut Button
Raritan CHAPTER 11 SYSTEM MAINTENANCE
Upgrade CC-SG
Note: If you are operating a CC-SG cluster, you must remove the cluster first and upgrade each node separately. Before you can upgrade CC-SG, you must be in Maintenance Mode. See section Maintenance Mode in Chapter 11: System Maintenance for additional information.
1. On the Setup menu, click Upgrade CommandCenter. The Upgrade CommandCenter screen appears.
Figure 185 Upgrade CC-SG Screen
2. If you are upgrading from an older CC-SG, click Browse and navigate to the current location of your CC files.
3. Click OK.
Restart CC-SG
1. On the Setup menu, click Restart CommandCenter. The Restart CommandCenter screen appears.
Figure 186 Restart Screen
2. Type your password in the Password field.
3. Accept the default message or type a message to display to any users currently online in the Broadcast message field (for example, you might give users a brief time period to finish their tasks in CC-SG or tell them why you are restarting the system). All users will be disconnected when you restart CC-SG.
4. Type how much time in minutes s
65. expires, the user can login again. At any time during the lockout period, an administrator can override this value and allow the user to log back into CC-SG.
b. If you choose Lockout until admin allows access, this means that users are locked out until an administrator allows them to log back in. To unlock a user, please see Chapter 10: Generating Reports for additional information.
6. Type an email address in Lockout notification email so notification is sent to the address informing the recipient that lockout has occurred. If the field is blank, notification is not sent.
7. Type a phone number in Administrator's Phone if the administrator needs to be contacted.
8. Click Update to save configuration settings.
Figure 215 Error User Being Locked Out Screen
Application Manager
Add Application
You can upload different custom applications to CC-SG and assign the applications to different ports in order to access them individually as needed. Future application versions will be available on the Raritan website.
1. On the Setup menu, click Application Manager. The Application Manager screen appears.
66. Figure 81 Add Device Screen
8. Type the user name and password that were created specifically for CC-SG in the device in the Username and Password fields to allow CC-SG to authenticate the device when communicating with it in the future. Select a Category or Element to apply to the device.
9. Click OK to add the new device or Cancel to exit without adding. To return to the previous screen, click Previous. A Device Added Successfully message confirms that the device has been added.
10. Click Previous to return to the Discover Devices screen and add another device from the list, if so desired.
11. Repeat steps 1 through 10 to find and add other devices.
Device Group Manager
Use the Device Groups Manager screen to add, edit, assign, and remove device groups and the rules that govern them. First add a Device Group, then add Device Rule(s) to make working with and viewing devices easier.
Add Device Group
1. On the Associations menu, click Groups Manager, and then click Device Group Manager. The Device Group Manager screen appears.
67. Figure 197 Configuration Manager Time/Date Screen
a. To set the date and time manually: To set the Date, click on the drop-down arrow to select the Month, use the up/down arrows to select the Year, and click on the Day in the calendar area. To set the Time, use the up/down arrows to set the Hour, Minutes, and Seconds, and then click on the Time Zone drop-down arrow to select the time zone in which you are operating CC-SG.
b. To set the date and time via NTP: Click on the Enable Network Time Protocol check box at the bottom of the window and enter the IP addresses for both the Primary NTP Server and the Secondary NTP Server.
Note: Network Time Protocol (NTP) is the protocol used to synchronize the attached computer's date and time data with a referenced NTP server. When CC-SG is configured with NTP, it can synchronize its clock time with the publicly available NTP reference server and maintain correct and consistent time.
2. Click Update Configuration to apply the time and date changes to CC-SG.
3. Click Refr
68. hear a modem sound, the number dialed is correct.
Figure 204 Phone Number to Dial
9. A smart card is not necessary to dial into CC-SG. If you are not using one, click Do not use my smart card for this connection and click Next.
10. In the next screen, typically you want to click My use only to make the connection available only to yourself.
11. Click Finish in the last screen to save the connection settings.
Configure the Call-back Connection
If the CC-SG uses a call-back connection, you need to use a script file that is described below. To supply the script file for call-back:
1. On the start menu, click My Network Places.
2. Click view network connections under Network Tasks.
3. Right-click on the CommandCenter connection and click Properties.
4. Click the Security tab.
Figure 205 Specify Dial-up Script
5. Click the Show terminal window.
6. Click Run script and click Browse to enter the dial-up script, for example call back scp.
7. Click OK.
Call-back Script File Example
proc main
69. in a closed rack environment may be greater than room temperature. Do not exceed the rated maximum ambient temperature of the appliances (see Appendix A: Specifications).
Ensure sufficient airflow through the rack environment.
Mount equipment in the rack carefully to avoid uneven mechanical loading.
Connect equipment to the supply circuit carefully to avoid overloading circuits.
Ground all equipment properly, especially supply connections, such as power strips (other than direct connections), to the branch circuit.
Contents
Product Features and Benefits
Terminology/Acronyms
Check and Upgrade CC-SG Firmware Version
Check and Upgrade Application Versions
Connection to Console and KVM Management Appliances
CC-SG Window Components
Main Window Components
Configuring CC SG M
70. in the Message, Device Name, Port Name, Username, or User IP address fields.
4. Click on the Level drop-down arrow to select a tracing level for the report.
5. Click OK to run the report.
71. information regarding the managed node.
3. Click Update Agent Configuration to save the SNMP agent identifier information.
4. Under Traps Configuration, check the box marked Enable SNMP Traps to enable sending SNMP traps from CC-SG to an SNMP host.
5. Check the box(es) before the trap(s) you want CC-SG to push to your SNMP hosts. Under Trap Sources, there is a list of SNMP traps grouped into two different categories: System Log traps, which include notifications for the status of the CC unit itself, such as a hard disk failure, and Application Log traps, for notifications generated by events in the CC application, such as modifications to a user account. To enable traps by type, check the boxes marked System Log and Application Log. Individual traps can be enabled or disabled by checking their corresponding checkboxes. Use Select All and Clear All to enable all traps or clear all checkboxes. Refer to the MIB files for the list of SNMP traps that are provided (see section MIB Files).
6. Type the Trap Destination Host IP address and Port number used by SNMP hosts in the Trap Destinations panel. Default port is 162.
7. Type the Community string and Version (v1 or v2) used by SNMP hosts in the Trap Destinations panel.
8. Click Add to add this destination host to the list of configured hosts. To remove a host from the list, select the host and click Remove. There is no limit to the nu
72. Raritan: When you're ready to take control
CommandCenter Secure Gateway (CC-SG) Administrator Guide, Release 3.0
Copyright © 2006 Raritan, Inc. CCA-0B-E May 2006 255-80-5140-00
Copyright and Trademark Information
This document contains proprietary information that is protected by copyright. All rights reserved. No part of this document may be photocopied, reproduced, or translated into another language without express prior written consent of Raritan, Inc. Copyright 2006 Raritan. CommandCenter, RaritanConsole, Dominion, and the Raritan company logo are trademarks or registered trademarks of Raritan, Inc. All rights reserved. Java is a registered trademark of Sun Microsystems, Inc. Internet Explorer is a registered trademark of Microsoft Corporation. Netscape and Netscape Navigator are registered trademarks of Netscape Communication Corporation. All other marks are the property of their respective owners.
FCC Information
This equipment has been tested and found to comply with the limits for a Class A digital device, pursuant to Part 15 of the FCC Rules. These limits are designed to provide reasonable protection against harmful interference in a commercial installation. This equipment generates, uses, and can radiate radio frequency energy and, if not installed and used in accordance with the instructions, may cause harmful interference to radio communications. O
73. maximum number of configured user accounts.
Q: Which version of Java will Raritan's CC-SG be supporting?
A: The earliest version CC-SG will support will be at least the Java 2 platform. Users must download the Java 2 plug-in if using IE. By default, Netscape will use Sun JVM. For server and client side minimum Java requirements, please see the Compatibility Matrix on http://www.raritan.com/support. Click Firmware Upgrades and then CommandCenter.
Q: An administrator added a new port to the CC-SG database and assigned it to me; how can I see it in my Ports tree?
A: To update the tree and see the newly assigned port, click on the Refresh shortcut button on the toolbar. Remember that refreshing CC-SG will close all of your current console sessions.
Q: How will the Windows desktop be supported in the future?
A: Accessing CC-SG from outside the firewall can be achieved by configuring the right ports on the firewall. The following ports are standard ports:
80 for HTTP access via Web browser
443 for HTTPS access via Web browser
8080 for CC-SG server operations
2400 for Proxy mode connections
5001 for IPR/DKSX/DKX/P2-SC event notification
If there is a firewall between two cluster nodes, the following ports should be opened for the cluster to work properly:
8732 for cluster nodes heartbeat
5432 for cluster nodes DB replication
Q: What are some design guidelines for large scale
A: Raritan provides two models for server scalability: the data center m
74. Figure 285 Configuring Accounts
Figure 286 Selecting Disk Status in Diagnostic Console
Figure 287 Displaying Disk Status of CC-SG in Diagnostic Console
Figure 288 Selecting Top Display in Diagnostic Console
Figure 289 Displaying CC-SG Processes in Diagnostic Console
Figure 290 Association Management Process
Figure 291 Port Group Failure
Chapter 1: Introduction
Congratulations on your purchase of CommandCenter Secure Gateway (CC-SG), Raritan's convenient and secure method for managing various UNIX servers, firewalls, routers, load balancers, Power Management devices, and Windows servers. CC-SG provides central management and administration, using a set of serial and KVM appliances. It is designed to operate in a variety of environments, from high-density Data Centers to Service Provider environments to corporate environments handling large remote offices. CC-SG, when used in conjunction with Raritan's Dominion or IP-Reach port-level management appliances, streamlines and simplifies the management of the target devices, easing
75. Figure 116 Add User Screen
2. Type the user's name in the Username field (4-16 characters, alphanumeric characters or underscores, no spaces for locally authenticated users, and no length restriction for users authenticated remotely).
3. Check the Remote Authentication check box only if the user should be authenticated by TACACS, Active Directory, RADIUS, or LDAP (please see Chapter 9: Configuring Remote Authentication for additional information).
Note: Checking the Remote Authentication box implies that a remote server is being used for authentication. If so, a local password is not required.
4. For local CC-SG authentication only, type the new password into the Password field (6-16 characters, alphanumeric characters and underscores, no spaces).
5. Re-type password in Retype Password field.
The dial back number in the Dial Back Number field is configured under the Modem tab in Configuration Manager (see Modem Configuration in Chapter 12: Advanced Administration).
7. Check the Login Enabled check box to authenticate against the system; if not, user cannot enter the system.
Check the Force Change Password on Next Lo
76. security tools such as LDAP, AD, RADIUS, etc.
Security
ANSWER: CC-SG works with Microsoft Active Directory, Sun iPlanet, or Novell eDirectory. If a user account already exists in an authentication server, then CC-SG supports remote authentication using AD, TACACS, RADIUS, and LDAP authentication. CC-SG permits local authentication as well as remote authentication. Remote authentication servers supported include AD, TACACS, RADIUS, and LDAP.
QUESTION: Sometimes when I try to log on, I receive a message that states my login is incorrect, even though I am sure I am entering the correct User Name and Password. Why is this?
QUESTION: How is a password secure?
QUESTION: Sometimes I receive a "No longer logged in" message when I click on any menu in CC-SG, after leaving my workstation idle for a period of time. Why?
QUESTION: As Raritan has Root access to server, this may potentially cause issue with Government bodies. Can customers also have root access, or can Raritan provide a method of auditability/accountability?
QUESTION: Is SSL encryption internal as well as external (not just WAN, but LAN too)?
QUESTION: Does CC-SG support CRL List, that is, LDAP list of invalid certificates?
QUESTION: Does CC-SG support Client Certificate Request?
ANSWER: There is a session-specific ID that is sent out each time you begin to log on to CC-SG. This ID has a time-out feature, so if you do not log on to the unit before the time-out occurs, the session ID becomes invalid. Performing a Shi
77. should decide upfront what user groups need to be created and what servers users in the group have access to. The following is an example of a User Group implementation that could be created from our sample configuration:
USER GROUP: ACCESS TO
Window admin group: All Windows servers
NYC Unix admin group: All New York City Unix servers
IT admin group: All IT servers
Port Groups
As you add ports, you link them to your predefined categories and elements. When you create a port group, you will use your categories and elements to define which ports go in each group. You could create a port group of all UNIX ports only. This could be used to only allow UNIX administrators access. When you use the Association Wizard to define categories and elements, a default port group is automatically created for each element. For example, New York City is an element of the Location category. Therefore, a New York City Ports group was created with one rule: Location New York City. Additional rules, for example PortType UNIX, could be added by using the Port Group Manager. To control access to this group of ports, you could create a policy to include this port group and apply it to the NYC Unix admin user group.
Device Groups
As you add devices, you link them to your predefined categories and elements. When you create a device group, you will use your categories and elements to define which devices go in each group. You could create a device grou
78. supports 128 bit or lower strength for some geographies SSL encryption. Call Raritan Tech Support for further information.
No testing has been done in this area.
No. Because CC-SG software resides on a dedicated server, even if a device being proxied by the CC-SG is turned off, you will still be able to access CC-SG.
Yes. Contact your authorized Raritan sales representative or Raritan, Inc. directly.
CC-SG 2.0 has a CD-ROM drive to facilitate upgrades. New version upgrades can also be done via FTP.
There is no specified limit to the number of ports and/or Dominion and/or IP-Reach units that can be connected, but the number is not limitless: the performance of the processor and the amount of memory on the hosting server will determine how many ports can actually be connected.
To improve the performance of Microsoft IE when accessing the console, disable the "JIT compiler for virtual machine enabled", "Java logging enabled", and "Java console enabled" options. From the main menu bar, select Tools, Internet Options, Advanced. Scroll down until you see the above items and make sure that they are not checked.
QUESTION: What do I do if I am unable to add a console serial port to CC-SG?
ANSWER: Assuming the console serial device is a Dominion, ensure that the following conditions are met: The Dominion unit is active. The Dominion unit has not reached the
79. the Host Name field. For hostname rules, see Terminology Acronyms in Chapter 1: Introduction. Once Update Configuration is selected, the field will be updated to reflect the Fully Qualified Domain Name (FQDN) if a domain server and domain suffix has been configured.
3. Click either Primary Backup Mode or Active Active Mode. A standard CC-SG provides two Network Interface Controllers (NICs). The NICs, labeled left to right from the rear, are as follows:
MODEL, LEFT MOST NIC (PRIMARY INTERFACE), RIGHT MOST NIC: LANI LAND LANI LANG
One interface could be used by itself, or both could be used simultaneously. For simplicity, the discussion below uses LAN1 as the left-most NIC (primary) and LAN2 as the right-most NIC. Some internal diagnostics and messages may refer to these interfaces as eth0 and eth1.
Note: If both interfaces are disconnected, CC-SG restarts.
Choose Primary Backup mode to implement network failover and redundancy. In this mode, only one NIC is active at a given point of time, and only one network IP address assignment is possible.
Figure 193 Primary Backup Network
Typically, both NICs are attached to the same LAN sub-network, but different switches or hubs may be used for reliability. When both NICs are us
80. updated to keep up with changing needs. Streamlines, provides wider process focus, and offers productivity improvements organization-wide. Reduces Total Cost of Ownership (TCO): cost savings from high availability of applications (high cost for downtime); front-ends and secures, and improves reliability of, high economic value equipment. Handles scalability elegantly: multiple data centers, primary and backup, growing number of locations. Provides centralized management, Role Based Access and Control (RBAC), and Reporting Capabilities.
Uncompromising Security
Secure 128-bit encryption (both intranet and Internet); flexibility of access via SSL; access restriction by time of day and/or maximum session duration as part of user profile in user management. Has the ability to restrict login access to products based on time of day, the ability to restrict duration of on-line sessions, handle password expiration, and prompt for password changes. All user operations, including access to port history buffer and access to logs, will be granted or denied based on user authorization level. IP ACL (IP Filtering) grants/restricts access by domain name or IP addresses. Grants or restricts access on an individual user basis. Supports primary and secondary servers. Fallback authentication through local database.
Single IP Address Access
Reduces the complexities of managing multiple IP addresses with associated
81. user names and passwords.
Broad Support for Third Party Authentication
Leverages existing investment in authentication protocols and allows centralized authentication and authorization. Streamlines deployment of large multi-unit systems and centralizes administration and control. Supports LDAP (including AD, iPlanet, eDirectory), RADIUS, and TACACS. Support for Active Directory authorization and the importing of user groups.
Comprehensive Administration Tools
Reduces TCO for managing IT infrastructure; found time can be used for proactive maintenance. Provides powerful multi-tiered user and permissions grouping: user, leaf nodes, targets, by topology and by function. CC-SG's powerful user-customizable categorization allows you to easily tailor your solution and security; for example, create a Location attribute and assign all users in a given LDAP or Active Directory group access to servers in that Location. The possibilities are limitless. Provides powerful user-customizable views of all devices connected to CC-SG; supports automatic and manual device discovery. Simplifies administration: device upgrade, reset, diagnosis (ping), auto-discover, edit, delete, firmware upgrades, monitoring, and access for back-up, retrieval, and push-down of configuration to leaf nodes (Dominion Series); simplifies daily maintenance and firmware management.
Flexible Reporting
Provides adjustable ways to view active devices users ports
82. via GH
Figure 253 Listing POMS on OG 56 E
Figure 254 Connecting to a Serial Port
Figure 256 Login to Status Console
Figure 257 Status Console
Figure 258 Login to Administrator Console
Figure 259 Administrator Console
Figure 260 Selecting to Edit Pre-Login Message
Figure 261 Editing MOTD for Status Console
Figure 262 Selecting to Edit Status Console Config
Figure 263 Edit Status Console Config
Figure 264 Selecting Network Interface Configuration
Figure 265 Editing Network Interfaces
Figure 267 Performing Traceroute on a Target
Figure 268 Selecting Static Routes
Figure 269 Editing Static Routes
83. view or No to close the window.
6. Click Close to close the Custom View screen.
7. Repeat steps 1 through 6 to delete other custom views.
Topological View
Use the Topological View command to view the structural setup of all the connected appliances in your configuration.
1. Click on the Devices tab and select a device from the Devices tree.
2. On the Devices menu, click Topological View. The Topological View for the selected device appears.
Figure 73 Topological View Screen
3. Navigate through the Topological View in the same way you navigate through the Devices tree; click on the or to expand or collapse the view.
4. Click Close to close Topological View screen.
Special Access to Paragon II System Devices
Paragon II System Controller (P2-SC)
Paragon II System Integration users can add their P2-SC devices to the CC-SG Devices tree and configure them via the P2-SC Admin application from within CC-SG. For more detailed directions on using P2-SC Admin, please see Raritan's Paragon II System Controller User Guide. After adding your Paragon System device (the Paragon System includes the P2-SC device, connected UMT units, and connected IP-Reach units) to CC-SG, it will appear in the Devices tree. Right click on the Paragon
84. window, you can perform initial system network interface configuration, edit Message of the Day in the Status window, and view log files.
Figure 259 Administrator Console
Navigating Administrator Console
CTRL C or CTRL Q: To exit Diagnostic Console
CTRL L: Refresh screen and update information
Move to next available option
SPACE: Select current option
Allows you to move to various options
Allows you to point and select an option
Editing Pre-Login Message, MOTD (Status Console)
The Pre-Login message appears in the Administrator Console after entering any login username and before entering the password. The Message of the Day (MOTD) appears at the top of the Status Console.
1. To edit the Pre-Login or MOTD message, click Operation, Status Console, then Edi
85. you set up associations correctly first, before adding devices and ports to them. Another example of a Category is OS Type, which may have elements such as Windows or Unix or Linux.
• Elements are the values of a category. For example, the New York City element belongs to the Location category. Or, the Windows element belongs to the OS Type category.
• Devices are Raritan products (such as Dominion KX116, Dominion SX48, Dominion KSX440, IP-Reach, Paragon II System Controller, Paragon II UMT832 with USTIP, etc.) that are managed by CC-SG. These devices control the target servers and systems that are connected to them.
• Ports are connection points between a Raritan Device and a target system or server. Or, a port can be a device that is directly connected to a LAN (CC-SG via In-band access). In CC-SG, you click on a port to access and manage the target. The port is essentially the destination system and should be named appropriately for that system, for example, NYC SunSRVI1.
How to Create Associations
An easy way to create categories and elements within these categories is by using CC-SG's Association Wizard. The wizard prompts you to create categories and elements, and automatically creates port groups and default user policies based on the categories and elements defined. You can also manually create or edit associations with the Association Manager. This will require
86. your screen. On the Setup menu, click Cluster Configuration to view the updated Cluster Configuration table.
Note: If the Primary and Secondary Nodes lose communication with one another, the Secondary Node will assume the role of the Primary Node. When connectivity resumes, you may have two Primary Nodes. You should then remove a Primary Node and reset it as a Secondary Node.
Remove Secondary CC-SG Node
1. To remove Secondary Node status from a CC-SG unit and reassign it to a different unit in your configuration, select the Secondary CC-SG Node in the Cluster Configuration table and click Remove Backup Node.
2. When the confirmation message appears, click Yes to remove Secondary Node status, or click No to cancel.
Note: Clicking Remove Backup Node does not delete the Secondary CC-SG unit from your configuration; it simply removes the designation of Secondary Node.
Remove Primary CC-SG Node
1. To remove Primary Node status from a CC-SG unit and reassign it to another unit in your configuration, select the Primary CC-SG Node in the Cluster Configuration table and click Remove Cluster.
2. When the confirmation message appears, click Yes to remove Primary Node status, or click No to cancel.
Note: Clicking Remove Cluster does not delete the Primary CC-SG unit from your configuration; it simply removes the designation of Primary Node.
Remove Cluster
88. Figure 25 Configure Ports
3. Click Configure next to the KVM port line item you wish to configure. The Configure KVM Port screen appears.
Figure 26 Configure KVM Port
4. Type a port name in the Port Name field. Typically, you should name the port after the target server the device connects to, for example, NYC_MsSrvl.
5. Click on the Application Name drop-down menu and select the name. This application, for example Raritan Remote Console (RRC), is used to manage the target system. All ports should use RRC except for those on an SX.
6. Select the associated category and element from the Port Associations table by double-clicking the element field.
7. Click OK to save the KVM port configuration. A Port Configured Successfully message confirms that port has been created.
8. Repeat steps 1 through 7 to configure other KVM ports.
Add Users to System Administrato
89. 10. Click Test Configuration to send an email to the SMTP account specified.
11. Click Update Configuration to save your changes.
SSH Access to CC-SG
Use Secure Shell (SSH) clients, such as PuTTY or OpenSSH Client, to access a command line interface to the SSH (v2) server on CC-SG. Only a subset of CC-SG commands is provided via SSH to administer devices and CC-SG itself. The SSH client user is authenticated by the CC-SG, in which existing authentication and authorization policies are applied to the SSH client. The commands available to the SSH client are determined by the permissions for the user group(s) to which the SSH client user belongs. Administrators who use SSH to access CC-SG cannot log out a ccroot SSH user, but are able to log out all other SSH client users, including Administrators.
1. Launch an SSH client, such as PuTTY.
2. Enter the IP address of the CC-SG and specify 22 for the port. You can permanently configure the port for SSH access in Security Manager; see Configure Security earlier in this chapter for additional information.
90. 16, Dominion SX48, Dominion KSX440, IP-Reach, Paragon II System Controller, Paragon II UMT832 with USTIP, etc.) that are managed by CC-SG. These devices control the target servers and systems that are connected to them.
• Elements are the values of a category. For example, the New York City element belongs to the Location category. Or, the Windows element belongs to the OS Type category.
• Generic Devices: a device, such as a hub, Windows server, or Cisco router, that can be managed by CC-SG. Generic devices cannot be discovered by CC-SG; they have to be manually added (see section Add Device in Chapter 5: Adding Devices and Device Groups).
• Ghosted Ports: a ghosted port can occur when managing Paragon devices and when a CIM or target server is removed from the system or powered off (manually or accidentally). Refer to Raritan's Paragon II User Manual for additional information.
• Hostname: A hostname can be used if DNS server support is enabled (see section Network Configuration in Chapter 12: Advanced Administration for additional information). The hostname and its Fully Qualified Domain Name (FQDN = Hostname + Suffix) cannot exceed 257 characters. It can consist of any number of components, as long as they are separated by ".". Each component has a maximum size of 63 characters, and the first character must be alphabetic. The remaining characters can be alphabetic, numeric, or hyphen or minus. The last ch
91. Figure 172 Accessed Devices Report
6. The Accessed Devices report is generated, displaying data about devices accessed during the designated time period.
7. Click Manage Report Data to save or print the report. Click Save to save the records that are displayed to a CSV file, or click Save All to save all records. Click Print to print the records that are displayed, or Print All to print all records. Click Close to close the window.
8. Click Clear to clear the contents of the report.
9. If the report is lengthy, click Next or Previous to navigate through the pages.
10. Click Close to close the Accessed Devices report.
Group Data Report
The Group Data report displays user, port, and device Group information. View user groups by name and description, view port groups by name, and view device groups by name, all in one screen.
1. On the Reports menu, click Group Data. The Groups report is generated. Use the scroll bars to scroll through the lists and view all entries.
92. Figure 170 Ping Report
2. Click Manage Report Data to save or print the report. Click Save to save the report to a location of your choice, or Print to print the report. Click Close to close the window.
3. Click Close to close the Ping Report.
Accessed Devices Report
Run the Accessed Devices report to view information about any accessed devices, when they were accessed, and the user who accessed them. Filters will help you define the search criteria for a more concise report.
1. On the Reports menu, click Accessed Devices. The Accessed Devices screen appears.
Figure 171 Accessed Devices Screen
2. Select the date range for the report by either typing the date and time in the Start Date and End Date fields, using the format yyyy mm dd hh mm ss, or by using the lt gt gt key on your keyboard to advance through the sections and click on the up/down arrows to build the date and time.
3. Type the criteria with which to filter the report
93. Appendix C: Initial Setup Process Overview
Appendix D: User Group Privileges
Appendix F: Troubleshooting
Client Browser Requirements
Import CSV File Category Device Port Error Message
Port and Policy Group Creation Failure
Figures
Figur 1 0CC 8G tel
Figure 2 CC-SG Rear Panel
Figure 3 Security Alert
Figure 4 Login VI EE
Figure 5 CC-SG Application Window
Figure 6 IP Specification Window
Figure 7 Set IP Address with Configuration Manager Command
Figure 8 Upgrade CO cM
Figure 9 CC-SG Application Manager
Figure 10 CC-SG Application Search Window
Figure 11 Security Warning for Signed Console Applet
Figure 12 RaritanConsole Application
Figure 3 0056 Applicaton e
HE 14 Compatibilty E NN RET
Figure 15 Association Wizard Overview
94. Figure 182 Restore CC-SG Screen
3. When the Restore CommandCenter screen appears, check Do not restore logs if you do not want the log files restored. Check Restore Data only if you only want the configuration data (devices, ports, users) restored. Check Restore Firmware binaries if you want the device firmware files restored. Click on the backup that you want to restore to your CC-SG unit and then click OK.
5. If you want to download a backup and restore it in another CC-SG unit, select a backup and click Download. Then, on the CC-SG unit you want to apply the backup, click Upload to restore the backu
95. Figure 165 Asset Management Report
2. Click on the Device Type drop-down arrow to display a list of possible devices for which to run the report. Select one and click Apply to run the report.
3. Press Refresh to update the query and generate a new report. Please note that the report may take several minutes, based on the size of your system configuration.
4. Click Manage Report Data to save or print the report. Click OK to save the report to a location of your choice, or Print to print the report. Click Close to close the window.
5. Click Close to close the Asset Management report.
Note: The Version column will be marked in red for a device if that device's version does not satisfy the Compatibility Matrix.
Audit Trail Report
The Audit Trail report displays audit logs and access in CC-SG. It captures actions such as adding, editing, or deleting devices or ports, and other modifications. CC-SG maintains an Audit Trail of the following events:
• When CC-SG is launched
• When CC-SG is stopped
• When a user logs on CC-SG
• When a user logs off CC-SG
• When a user starts a port connection
1. On the Reports menu, click Audit Trail. The Audit Trail screen appears.
96. Apply Edit User Group Policies
Delete User Group
Controlling User Access with Policies
Apply Policies to User Group
Chapter 9: Configuring Remote Authentication
Authentication and Authorization
Flow for Authentication
Establish Order of Authentication Databases
Distinguished Names for LDAP and Active Directory
97. A Group Created Successfully message confirms that a group has been created.
7. Repeat steps 1 through 6 to add other groups.
Create Edit Port Groups
CC-SG uses port groups to control user access. Policies can be applied to specific user groups that allow only access to those ports specified in the port group. For example, if you wanted to restrict user access to only UNIX ports, you would create a port group that included only UNIX ports. Then, you would create a policy that included this port group and apply it to the desired user group. Port groups were automatically created per element when the Association Wizard was run (see Create Associations earlier in this chapter for additional information). These port groups contain general rules, so you may want to edit these port groups and add more specific rules.
1. On the Associations menu, click Groups Manager, and then click Port Group Manager. The Port Groups Manager screen appears.
Figure 29 Port Groups Manager Screen
98. Active mode is required so CC-SG routes proxied PC client sessions to their respective end points. It is recommended that Raritan controlled devices be connected to LAN1 while proxied PC client connections are connected to LAN2. Both NICs should be on separate sub-networks; however, if you are using DHCP this may not be possible, and therefore it would not be a supported configuration. While configuring both NICs, specify a default gateway address for only one NIC and leave the other blank. When a NIC fails, CC-SG attempts to route the packet from the other NIC based on the current IP routing table. This routing may not be successful, especially if firewalls are involved. If additional routes are needed, they can be added in Diagnostic Console; please see Editing Static Routes (Network Interfaces) later in this chapter for additional information.
Note: Clustering cannot be configured when using Active/Active mode.
4. Click on the Configuration drop-down arrow and select either DHCP or Static from the list. If you choose DHCP and your DHCP server has been configured correctly, then type a hostname and select DHCP from the Configuration drop-down arrow. The DNS information, the domain suffix, IP address, default gateway, and subnet mask will be automatically populated once Update Configuration is selected. With this information, CC-SG registers itself dynamically with the DNS server if it accepts dynamic updates. After a successful registration
99. Application Manager removes it from the CC-SG database, although it is still retained in the local directory. When you delete a custom application, the serial port reverts to using RaritanConsole.
1. On the Setup menu, click Application Manager. The Application Manager screen appears.
2. Click on the Application Name drop-down arrow and select the application to be deleted.
3. Click the Delete button in the Applications panel to delete the application. The Delete Application window appears.
[Figure 220: Delete Application Window]
4. Click Yes to delete the application or No to close the window.
5. Click Close to close the Application Manager screen.

Firmware Manager

Upload Firmware

This command allows you to upload current versions of firmware to your system. Future firmware versions will be available on the Raritan website.
1. On the Setup menu, click Firmware Manager. The Firmware Manager screen appears.
[Figure 221: Firmware Manager Screen]
2. Click Add to add a new firmware file. A search window appears.
100. [Figure 159: Certificate Request Generated]
4. Using an ASCII editor (for example, Notepad), copy and paste the CSR into a file and save it with a .cer extension.
5. Using an ASCII editor (for example, Notepad), copy and paste the Private Key into a file and save it as a text file.
6. Submit the CSR file (.cer) saved in Step 4 to the Certificate Server to obtain a signed certificate from the Server.
7. Download or export the root certificate from the Certificate Server and save it to a file with a .cer extension. This is a different certificate from the signed certificate that will be issued by the Certificate Server in the next step.
8. Once you receive the signed certificate from the Certificate Server, click Import pasted certificate and private key.
9. Copy and paste the signed certificate into the Certificate Request field. Paste the Private Key that was saved previously into the Private Key field.
10. Click Browse next to CA file and select the root certificate file that was saved in Step 6.
11. Type raritan in the Password field if the CSR was generated by CC-SG. If a different application generated the CSR, use that password for that appli
101. [Figure 216: Application Manager Screen]
2. Click Add to add a new application. The Add Application window appears.
[Figure 217: Add Application Window]
3. Type the new application name in the Enter Name for Application field.
4. Click OK to add the new application or Cancel to close the window. If you clicked OK, a search window appears.
[Figure 218: Search Window]
5. Click on the Look In drop-down arrow and navigate to locate the application in your system. When you find the application, select it and click Open. The application name will appear in the Location field in the Application Manager screen.
6. Click Upload to upload the application. A progress window indicates that the new application is being uploaded. When complete, a new window will indicate that the application has
102. [Figure 274: Displaying Information]
7. If desired, you can filter the log file with a regular expression. Type e to add or edit a regular expression, and select a log from the list if you have chosen to view several.
[Figure 275: Adding Expressions in Log Files]
8. Type a to add a regular expression. For example, if you want to display information on the pam process in the /var/log/messages log file, enter pam and select match.
[Figure 276: Specifying a Regular Expression for a Log File]
9. Select F1 to get help on all LogViewer options. Pressing CTRL+C or CTRL+Q, as well as a plain q, terminates this LogViewer session.
[Screen residue: LogViewer help listing the keys used to quit the program, show help, add or delete windows, swap windows, edit regular expressions, and change colors]
103. Chapter 9 Configuring Remote Authentication

Authentication and Authorization

Users of CC-SG can be locally authenticated and authorized on the CC-SG, or remotely authenticated using the following supported directory servers:
Microsoft Active Directory (AD)
Netscape's Lightweight Directory Access Protocol (LDAP)
TACACS
RADIUS
Any number of remote RADIUS, TACACS, and LDAP servers can be used for external authentication. For example, you could have three Active Directory (AD) servers, two iPlanet (LDAP) servers, and three RADIUS servers.

Flow for Authentication

When remote authentication is enabled, authentication and authorization follow these steps:
1. The user logs into CC-SG with the appropriate user name and password.
2. CC-SG connects to the external server and sends the user name and password.
3. User name and password are either accepted or rejected and sent back. If authentication is rejected, this results in a failed login attempt.
4. If authentication is successful, local authorization is performed, where CC-SG checks if the user name entered matches a group (or users not in group) and grants privileges per the assigned policy. In the case of Active Directory authorization, the server returns a list of group names that were assigned a policy. CC-SG will then match the groups and assign the appropriate privileges as specified in the policy.
When remote authentication is disabled, both au
104. [Figure 166: Audit Trail Screen]
2. Select the date range for the report by either typing the date and time in the Start Date and End Date fields, using the format yyyy mm dd hh mm ss, or by using the lt gt gt key on your keyboard to advance through the sections and clicking on the up/down arrows to build the date and time.
3. Type the criteria with which to filter the report in the Message, User Name, Class, or User IP Address fields.
4. Click on the Level drop-down arrow to select a tracing level for the report.
5. Click OK to run the report.
Note: Leave some or all fields blank, depending on the information desired. Leaving all fields blank retrieves the audit trail for the entire system.
6. The Audit Trail report is generated, displaying data about sessions that occurred during the designated time period.
[Screenshot: Audit Trail report]
105. List of figures:
Figure 72 Delete Custom View Window
Figure 73 Topological View Screen
Figure 74 Paragon System Launch Admin Menu Option
Figure 75 Paragon Manager Application Window
Figure 76 Remote User Station Admin Option
Figure 77 IP Reach Administration Screen
Figure 78 Device Power Manager Screen
Figure 79 Discover Devices Screen
Figure 80 Discovered Devices List Window
Figure 81 Add Device Screen
Figure 82 Device Groups Manager Screen
Figure 83 Add Device Group Window
Figure 84 Device Groups Manager Screen
Figure 85 Edit Device Group Window
Figure 86 Device Groups Manager Screen
Figure 87 Delete Device Group Window
106. From Group Screen
Figure 125 Add User Group Screen
Figure 126 Edit User Group Screen
Figure 127 Edit User Group Policies Screen
Figure 128 Group Delete User Group Screen
Figure 129 Assign Users in Group Screen
Figure 130 Search for Users
Figure 131 Ports Port Groups Policies User Groups User
Figure 132 Policy Manager Screen
Figure 133 Add Appliance Policy Window
Figure 134 Update Policy Window
Figure 135 Edit Appliance Policy Window
Figure 136 Update Policy Window
Figure 137 Delete Appliance Policy Window
Figure 138 Security Manager General Screen
Figure 139 Active Directory Account
Figure 140 Active Directory Users
Figure 141 Assigning User to a Group
Figure 142 Specifying a Name for Active Directory Server
107. 4. Click Next to proceed. The Add Device description screen appears. Depending on the type of device you selected, you will see slightly different Add Device screens.
[Figure 21: Add Device PowerStrip]
[Figure 22: Add Device SX]
5. Type the device name in the Device Name field. Do not use spaces.
6. Type the device description in the Description field.
7. Type the Device IP address set when you prepared the device, and use the previously created CC-SG Username and Password (such as ccadmin / password). Please see Raritan's CommandCenter Secure Gateway Setup Guide for additional information.
8. Select a category and appropriate element from the Category and Element window (double-click on an element field to see and select element choices). Click OK to add the device. A Device Created successfully mess
108. 1. Install the standalone CC-SG client, located on the included CD-ROM, onto your PC.
2. Double-click on the CC Application icon on your desktop to launch the CC-SG client. An address specification window appears.
[Figure 6: IP Specification Window]
3. Type the IP address of the CC-SG unit you wish to access in the IP to Connect field and press Start. You will be warned if you are using an unsupported Java Runtime Environment version on your machine. Once you have connected to a CC-SG server, its IP address is automatically saved in the client's History file and can be selected from the drop-down menu in the future.
4. After the standalone client successfully connects to CC-SG, the standard login menu appears, and the client looks and behaves just like its browser-based counterpart. Type your Username and Password and click on Login to proceed.

Confirm IP Address

After logging in, you should confirm the IP address and check firmware and application versions.
1. From the Setup menu, click Configuration Manager. The Network Setup screen should be visible; if not, click on the Network Setup tab.
109. Nominal Frequencies: 50/60 Hz
Nominal Voltage Range: 100-240 VAC
Maximum Current AC RMS
AC Operating Range: 100 to 240 VAC 10, 50/60 Hz
OUTPUT: 5 VDC, 12 VDC
Maximum DC Power Output
Maximum AC Power Consumption: Average Power Consumption 249.7-250.8 Watts; Max Power Consumption 250.8 Watts
Maximum Heat Dissipation: Average Heating Value 214.74k-215.69k cal; Max Heating Value 215.69k cal
Volt Ampere Rating

Appendix B CC-SG and Network Configuration

Introduction

This appendix discloses network requirements (addresses, protocols, and ports) of a typical CommandCenter Secure Gateway (CC-SG) deployment. It provides what you need to know and how to configure your network for both external access (if desired) and internal security and routing policy enforcement (if used). Details are provided for the benefit of a TCP/IP network administrator, whose role and responsibilities may extend beyond that of a CC-SG administrator and who may wish to incorporate CC-SG and its components into a site's security access and routing policies. As depicted in the diagram below (see Figure 1), a typical CC-SG deployment may have none, some, or all of the features, for example a firewall or a Virtual Private Network (VPN). The tables that follow disclose the protocols and ports that are needed by CC-SG and its associated components, which are essential to understand esp
110. 4. Click on the Task Data tab, and from the pull-down menu select the task to be scheduled, such as Upgrade Device Firmware. Note that the fields requiring data will vary according to the task selected. With the exception of Restart Device and Restore Device, a single device or devices in a group can be selected for tasks involving devices.
[Figure 239: Selecting a Task to Schedule]
Note: If filtering on fields of scheduled reports, please see Chapter 10 Generating Reports for additional information.
5. Click on the Recurrence tab and select a Period: once, periodic, daily, weekly, monthly, yearly. For periods that do include an initial starting time (for example, Weekly), enter a Start at time based on the CC-SG server time (as displayed near the top of the main window), and a Start date and End date in Range of recurrence.
[Figure 240: Specifying Task Recurrence]
6. Click on the Retry tab to reset values for Retry C
111. [Figure 179: CC NOC Synchronization Report]
2. Select a Last Discovered Date and click Get Targets. The targets that were discovered on or earlier than the Last Discovered Date are displayed under Targets Discovered.
3. You can purge some of the targets from the CC-SG database by highlighting them and clicking Purge, or purge the entire list by clicking Purge All. If a generic device is associated with the target, it too will be purged.
4. Click Manage Report Data to print the list of targets or save them in a CSV-formatted file.

Chapter 11 System Maintenance

Reset CC-SG

Use the Reset CommandCenter command to reset CC-SG database data. Please note that this command will not reset system configuration data, such as the IP address of CC-SG.
1. On the Setup menu, click Reset CommandCenter.
[Figure 180: Reset CC SG Screen]
2. Type your CC-SG password.
3. Either accept the current Broadcast message or edit it to create one of your own.
4. Type the number of minutes to wait until CC-SG is reset in Reset after (min). Default is 0, which will reset the CC-SG unit immediately.
5. Click OK to reset your CC-SG unit. A success message will appea
112. Chapter 3 Example Configuration Workflow

Create Associations

The Association Wizard guides you through steps to create categories and their associated elements. The Wizard then automatically creates a port group for each element and a policy for each port group.
1. On the Associations menu, click Association Wizard. The Association Wizard screen appears.
[Figure 15: Association Wizard Overview]
2. After reading the overview, click Next. The Create Category and Elements screen of the Wizard appears.
113. TACACS

CC-SG users who are remotely authenticated by a TACACS server need to be created on the TACACS server and on CC-SG. The user's user name on the TACACS server and on CC-SG must be the same, although the passwords may be different. Please see Chapter 7 Adding Users and User Groups for additional information on adding users who will be remotely authenticated.
1. On the Setup menu, click Security Manager. When the Security Manager screen appears, click Add External AA Server in the General tab.
[Figure 153: Security Manager Add Module Screen]
2. In the Add Module screen, select TACACS from the pull-down menu, specify a name for the server, and click Next.
[Figure 154: Specifying a TACACS Server]
3. Type the IP address or hostname of the TACACS server in the IP Address Hostname Name field. For hostname rules, see Terminology Acronyms in Chapter 1 Introduction.
4. Type the port number in the Port Number field.
5. Type the authenticatio
114. Appendix D User Group Privileges (continued)
Columns: Users Group Privilege; Available Commands; User Capability
Association Manager: Users are able to associate categories
Device Group Manager: Users are able to rename groups and
Port Group Manager: Users are able to rename groups and
Policy Manager, Edit User Group Policies: Users are able to modify and assign
Group Data: Users are able to view group
Users Tree
Add User: Users are able to add user to the parameters
Change User Password: Users are able to change other user
Delete User: Users are able to delete user from the
Logoff User: Users are able to logoff user
Bulk User Copy: Users are able to copy user's parameters
Add User To Group: Users are able to add user to a group
Delete User From Group: Users are able to delete user from group
Add User Group: Users are able to add user group
Edit User Group: Users are able to modify user group name and parameters
Delete User Group: Users are able to delete user group
Assign Users To Group: Users are able to assign users from other groups
Active Users: Users are able to view active ports
Users Data: Users are able to view users parameters
Users In Groups: Users are able to view users logged in the system
Users Tree: Users are able to view users tree
User Security Management: Note that this privilege is not configurable and is only assigned to the System Administrator user group by default
User Management: Not
115. Appendix D User Group Privileges
Columns: Users Group Privilege; Available Commands; User Capability
CC SG parameters configuration of CC-SG
Restart CommandCenter: Users are able to restart CC-SG
Shutdo: Users are able to shutdown CC-SG
Backup: Users are able to backup CC-SG
Restore: Users are able to restore a previous CommandCenter
[command name illegible]: Users are able to configure cluster of CC-SG
User data: Users are able to view User data report
CommandCenter NOC: Users are able to view and configure CommandCenter NOC parameters
Cross Compatibility Matrix: Users are able to view Compatibility Matrix
Ping Device: Users are able to ping other devices
Device Configuration And Upgrade Management:
Backup Device Configuration: Users are able to perform back up of device configuration
Restore Device Configuration: Users are able to perform restore device configuration
Copy Dev Configuration: Users are able to copy device configuration
Firmware Manager: Users are able to upload firmware files for devices
Devices Tree: Users are able to view devices tree
Cross Compatibility Matrix: Users are able to view Compatibility Matrix
Ping Report: Users are able to view ping report
Active: Users are able to view active ports report
User data: Users are able to view User data report
Restart Device: User
116. Selected Policies panel and assign it to the group.
5. To remove an assigned policy from the Selected Policies list, select the policy line item and click Delete.
6. Click OK to add the policy or policies to the group. A Group Policies Updated successfully message confirms that policies have been updated.
7. Repeat steps 1 through 6 to edit other groups' policies.

Add Users to User Group

You now need to add users, or drag and drop an existing user, to the user group that has just been assigned a policy. These users will then be able to log in to the CC-SG and have access, or be denied access, to the ports as specified in the policy.
1. Click on the Users tab and select the user group you wish to add the user to.
2. On the User menu, click Add User. Alternatively, right-click on a user and select Add User. The Add User screen appears.
[Figure 34: Add User Screen]
3. Type the user's name in the Username field (1-32 characters; alphanumeric characters or underscores; no spaces).
4. Check the Remote Authentication check box only if the user should be authentic
117. 2. You will be warned if you are using an unsupported Java Runtime Environment version on your machine. From the window that pops up, select whether you will download the correct JRE version from the CC-SG server (if available), download it from the Sun Microsystems web site, or continue with the incorrect version, and click OK. The Login window appears.
[Figure 4: Login Window]
3. Type your Username and Password and click Login. Upon valid login, the CC-SG application window appears. The menu bar and tool bar, which contain commands for operating and configuring CC-SG, are at the top of the screen. The Ports tab, Users tab, and Devices tab, which contain the Ports selection tree, Users selection tree, and Devices selection tree, appear on the left side of the window. The central panel is where operations and configuration screens will appear.
[Figure 5: CC SG Application Window]

Chapter 2: Accessing CC-SG

Standalone Client Access

The standalone CC-SG client allows you to connect to CC-SG servers by launching a Java application instead of running an applet through a Web browser.
1
118. Verbose: Verbose output, which lists received ICMP packets other than TIME_EXCEEDED and UNREACHABLEs.
No DNS Resolution: Does not resolve addresses to host names.
Use ICMP (vs. normal UDP): Use ICMP ECHO instead of UDP datagrams.
4. Optionally, type values for how many hops the traceroute command will use in outgoing probe packets (default is 30), the UDP destination port to use in probes (default is 33434), and the size for the traceroute packets. If left blank, defaults will be used.
5. Click Traceroute in the bottom right-hand corner of the window. Press CTRL+C or CTRL+Q to terminate the traceroute session. A Return prompt appears; press ENTER to return to the Traceroute menu. The Return prompt also appears when Traceroute terminates because the destination is reached or the hop count is exceeded.

Editing Static Routes (Network Interfaces)

In Static Routes, you can view the current IP routing table and modify, add, or delete routes. Careful use and placement of static routes may actually improve the performance of your network, allowing you to conserve bandwidth for important business applications, and may be useful for Active/Active network settings where each interface is attached to a separate IP domain; see section Network Configuration in Chapter 12 Advanced Administration for additional information. Click with the mouse or use the TAB 4 T keys to navigate and
119. UI to do this
[Figure 279: Restarting CC SG in Diagnostic Console]

Rebooting CC-SG (Admin)

This option will reboot the entire CC-SG, which simulates a power cycle. Users will NOT receive a notification at all. CC-SG, SSH, and Diagnostic Console users (including this session) will be logged off. Any connections to remote target servers will also be terminated.
1. To reboot CC-SG, click Operation, Admin, then CC-SG System Reboot.
[Figure 280: Selecting CC SG System Reboot in Diagnostic Console]
2. Either click REBOOT System or press ENTER to reboot CC-SG. A screen to confirm this action appears and needs to be acknowledged before this operation will commence.
[Figure 281: Rebooting CC SG in Diagnostic Console]

Changing Passwords (Admin)

This option provid
120. Locked Out Users Report

The Locked Out Users report displays users who are currently locked out of CC-SG. You can unlock them from this report.
1. On the Reports menu, click Locked Out Users.
[Figure 178: Locked Out Users Report]
2. Highlight the user you want to unlock and click Unlock User. An email notification is sent to the email address that was specified during lockout configuration.
For more information on how to enable lockout, please see section Enable User Lockout in Chapter 12 Advanced Administration.

CC NOC Synchronization Report

The CC NOC Synchronization report lists all targets, along with their IP addresses, that the CC-SG subscribes to and that are monitored by a CC-NOC, given a particular discovery date. Any new targets that are discovered in the configured range are displayed here as well. See Add a CC NOC in Chapter 12 Advanced Administration for details. You can also purge targets from the CC-SG database from this report.
1. On the Reports menu, click CC NOC Synchronization.
121. a CC-SG, perhaps from a different subnet, by specifying an IP address in CommandCenter address in the bottom of the window. Click Add CommandCenter.
Note: Adding a backup CC-SG from a different subnet or network may avoid issues affecting a single network or physical location.
2. To add a Secondary Node, or backup CC-SG node, select a CC-SG unit with Standalone status from the Cluster Configuration table. The version number must match the primary node's version. Type a valid user name and password for the backup node.
[Figure 234: Cluster Configuration Set Secondary CC SG]
Click Join Backup Node. A confirmation message will appear. Click Yes to assign Secondary status to the selected node, or click No to cancel. After you click Yes, CC-SG will restart the newly selected Secondary node. This process can take several minutes. When restart is complete, a confirmation message appears on
122. a KVM or serial interface as a transparent pass-through. 3rd-party KVM switches integration is typically done through keyboard macros when the 3rd-party KVM vendors do not publicize the communications protocols for the 3rd-party KVM switches. Depending on the capability of the 3rd-party KVM or simply box-level switches, the tightness of integration will vary.

APPENDIX G FAQS 251

QUESTION
How would I mitigate the restriction of four simultaneous paths through any IP-Reach box, including the roadmap for the potential 8-path box?
Will the current Paragon boxes work with CC-SG? If not, what is the upgrade path?
Authorization
Can authorization be achieved via RADIUS/TACACS/LDAP?
User Experience
How will I know if someone else is logged in to leaf nodes?
Does CC-SG have the ability to look at multiple screens for devices?
Regarding console management via network port or local serial port (for example, COM2): What happens to the logging, does CC-SG capture local management or is this lost?

ANSWER
Currently, the best possible implementation is to aggregate IP-Reach boxes with CC-SG. In the future, Raritan plans to increase simultaneous access paths per box. These plans have yet to complete development as other projects have taken priority, but we welcome comments about the market demand and use cases of an 8-path solution.
The CC-SG V2.0 will work with Paragon that has 3.0 HW and firmware version 3.2 and
123. access to any ports. Therefore, a policy must be applied to the user group.
1. Click on the Users tab.

Raritan CHAPTER 3 EXAMPLE CONFIGURATION WORKFLOW 29

2. On the Users menu, click Add User Group. Alternatively, right-click on a user group and select Add User Group. The Add User Group screen appears.
Figure 28 Add User Group Screen (screenshot)
3. Type the group name in the User Group Name field (1-16 characters, alphanumeric characters and underscores).
4. Type the group description (for example, based on department, region, or assignment) in the Description field.
5. In the Select Privileges section, check the corresponding boxes in the Has it column to add those privileges to the group. The Type column indicates whether the privilege is a Command type or Event type. Most user groups should only have Ports Access enabled to allow them to access systems and servers.
6. Click OK to add the group
124. administration of data center equipment by connecting to the IP network and presenting the serial console and KVM ports of all the target devices within the managed network.

Prerequisites
Before configuring a CC-SG according to the procedures in this document, refer to Raritan's CommandCenter Secure Gateway Setup Guide for instructions on how to quickly install CC-SG and its managed devices. Refer to Raritan's Digital Solution Deployment Guide for more comprehensive instructions on deploying Raritan devices that are managed by CC-SG.

Intended Audience
This document is intended for Administrators who reside in the System Administrator user group. These administrators typically have all privileges (please see Appendix D: User Group Privileges). Users that reside outside these groups usually have fewer privileges, such as being granted only the Ports Access privilege; please refer to Raritan's CommandCenter Secure Gateway User Guide for additional information.

Product Photos
Figure 2 CC-SG Rear Panel (photo)

Raritan 2 COMMANDCENTER SECURE GATEWAY ADMINISTRATOR GUIDE

Product Features and Benefits
Seamless Management
CC-SG offers seamless management of Dominion series and Paragon management appliances through Paragon remote User Stations USTIR UST2R. Leverage your embedded base with a CC-SG to draw substantial incremental value. Constantly
125. age remove the from the CSV file. Please see Chapter 4: Creating Associations for additional information.

Raritan 246 COMMANDCENTER SECURE GATEWAY ADMINISTRATOR GUIDE

Port and Policy Group Creation Failure
The default port groups and policies created in the Association Wizard are named after the elements of a category. If the element names are not unique, the default port groups and policies cannot be created (see the screen below) and will appear in red. Rename the elements of the category so they are unique.
Figure 292 Port Group Failure (screenshot of the Summary screen; red and bold font indicates that creation of the item failed; failure details shown: Port Group test Ports, reason for failure: Port group test Ports already exists)

Raritan APPENDIX G FAQS 247

Appendix G: FAQs

QUESTION
General
What is CC-SG?
Why would I need CC-SG?
What is CommandCenter NOC?
Which Raritan products does CC-SG support?
How does CC-SG integrate with other Raritan Products?
Is PDA access possible?
Is the status of CC-SG limited by the status of the devices which it proxies?
Can I upgrade to newer versions of CC-SG software as they become available?
How many target
126. age confirms that device has been added. This step is very important. Make sure you select the correct associations and elements for the device. Some devices, such as SX, may take up to a minute to add.
9. Repeat steps 1 through 8 to add additional devices.

Configure Ports
You must now add ports for each device you just added. The port is the connection to the actual target system or server. After adding ports, you can change the configuration of individual ports by clicking the Ports tab, right-clicking on a port, and clicking Edit Port.

Serial Port
1. Click on the Devices tab and select a serial device (for example, Dominion SX) from the Devices tree.
2. On the Devices menu, click Port Manager, and then click Configure Ports. Alternatively, you can right-click on the device and select Configure Ports. The Configure Ports screen appears.
(Screenshot of the Configure Ports screen)
127. ager. The Association Manager screen appears.
2. Select the element to be edited from the Element For Category list and click Edit in the Elements For Category panel. The Edit Element window appears.
Figure 42 Edit Element Window (screenshot)
3. Type the new name of the element in the Enter New Value for Element field.
4. Click OK to update the element or Cancel to close the window. The new element name is displayed in the Element For Category list.
5. Click Close to close the Association Manager screen.
6. Repeat steps 1 through 5 to edit other elements.

Delete Element
Deleting an element removes that element from all Port associations, leaving association fields blank.
1. On the Associations menu, click Association Manager. The Association Manager screen appears.
2. Select the element to be deleted from the Element For Category list and click Delete in the Elements For Category panel. The Delete Element window appears.
Figure 43 Delete Element Window (screenshot)
3. Click Yes to delete the element or No to close the window. The element name disappears from the Element For Category list.
4. Click Close to close the Association Manager screen.
5. Repeat steps 1 through 4 to delete other elements.
Note: Deleting an element removes the element from all device
128. anager Components nennen nennen nnns 16 Configurable Parameter 16 SO 101 02 OIE E EE 17 Chapter 3 Example Configuration Workflow ccccccccsssssssssssccccssssssssscsscccsssssesees 19 ee te e CN 19 Ale 22 Co 0 1 FOS NET UU E EEE 24 SeA Pee 24 KIT 26 Add Users to System Administrators Group 27 Serre LEE e 28 GERDT Ee Ee ER EEE 28 Credite EO POM GPS av peeraese eneeier TS 30 PEPE 31 Apply Policies to User Groupe 32 Add Users to User GO eee 33 Chapter 4 Creating Zeene 35 ASSOCIO E 35 Associations Defining Categories and Elements rrrrnnnrrrnrnnnnnnvnvrnnnnrennrnnnnnennrnnnnrnnnnnsnrennnnnsnrennnnnn 35 Association Termmology enne nnne nnne e nnne n nnn ne nnne nnn annee ereenn 36 How to EE de CN 37 Association VIA AC E 37 ee KO S EE 38 Bel ere ei EE 39 BIE CG E E 39 EIERE REND 40 Seid EE 41 MH SE EE 41 PRS SOC e eh VY 4 0 EE 42 Import Categories Devices Ports from CGNVFEile nn 45 Ss L s EE 46 COV EE 46 Chapter 5 Adding Devices and Device Groups s essssesessssssssnnnnnnnnnnnnnnnnnnnnesesesessesssnneee 49 PSIG SIV FAA Ol ONE EE EE ER 49 DEVICE ON SEE EE EEE EE 50 ele Do gt EEE EEE EEE EEE NE EE ES 51 EEE 54 BEI ERR EE 55 sU Or E 55 Backup Device NE E 56 Restore Device Conftguraion nennen nnn nnn nnn nnn nnn nnns nsns nan n nn en nnns 56 Raritan i CONTENTS Copy Device Configuration ccccccccccccsssseececceeeceeeeeecceeeeseeeeeeeeeesseseeeeeeeeeesssaeeseeeeeeesseaeeeeeeee
129. Figure 45 Association Wizard Category And Elements Screen (screenshot)
3. Type the name of a category you wish to organize your ports by (for example, Location) in the Category field. Maximum length is 31 characters.
4. Type a unique name of each element in that category in the Elements fields below. Maximum length is 19 characters. These elements are used to group your ports within the category (for example, LA Market Area, Chicago Market Area, etc.). If you require more elements for this category, click Add More Elements.

Raritan CHAPTER 4 CREATING ASSOCIATIONS 43

5. If you wish to create another category, click Add Another Category and repeat steps 3 and 4.
Figure 46 Adding Another Category (screenshot)
6. When you are done creating categories, click Next at the bottom of the screen. The Confirm C
130. aracter of a component may not be
While the system preserves the case of the characters entered into the system, the FQDN is case-insensitive when used.
• iLO/RILOE: Hewlett Packard's Integrated Lights Out/Remote Insight Lights Out servers that can be managed by CC-SG. Data between CC-SG and an iLO/RILOE device is SSL encrypted. Targets of an iLO/RILOE device are powered on/off and recycled directly. iLO/RILOE devices cannot be discovered by CC-SG; they have to be manually added (see section Add Device in Chapter 5: Adding Devices and Device Groups).
• In-band Access: going through the TCP/IP network to correct or troubleshoot a target in your network. KVM, Serial, and Generic devices can be accessed via these in-band applications: RemoteDesktop Viewer, SSH Client, VNC Viewer.
• IPMI Servers: Intelligent Platform Management Interface servers that can be controlled by CC-SG. IPMI are discovered automatically but can be added manually as well (see section Add Device in Chapter 5: Adding Devices and Device Groups).
• Out-of-Band Access: using applications such as Raritan Remote Console (RRC), Raritan Console (RC), or Multi-Platform Client (MPC) to correct or troubleshoot a KVM or serial managed target in your network.
• Policies: define the permissions, type of access, and to which ports and/or devices a user group has access to. Policies are applied to a user group and have several control parameters to determine the level of control
131. Figure 120 Delete User Screen (screenshot)
3. Click OK to delete the user or Cancel to exit without deleting. A User Deleted Successfully message confirms that user has been deleted.
4. Repeat steps 1 through 3 to delete other users.
Note: A user cannot be deleted if currently logged into CC-SG.

Raritan CHAPTER 7 ADDING USERS AND USER GROUPS 97

Logoff User(s)
Use this command to disconnect any logged-in user from CC-SG.
1. Click on the Users tab and select a user from the Users tree.
Note: To select more than one user, hold the CTRL key and click on additional users.
2. On the Users menu, click Logoff User(s). The Logoff Users screen appears.
Figure 121 Logoff Users Screen (screenshot)
3. Click OK to disconnect the users or Cancel to exit without disconnecting users. A User Logged off Successfully message confirms that the users have been logged off.

Raritan 98 COMMANDCENTER SECURE GATEWAY ADMINISTRATOR GUIDE

Bulk Copy
To save time, use the Bulk Copy command to duplicate user profiles or port assignments when creating new users.
1. Click on the Users tab and select a user from the Users tree whose properties you want to copy to another user(s).
2. On the Users menu, click Bulk Copy. The Bulk Copy screen appears.
132. ated by TACACS+, RADIUS, LDAP, or AD.
Note: Checking the Remote Authentication box implies that a remote server is being used for authentication. If so, a local password is not needed and the Password and Retype Password fields are grayed out.
5. If using local authentication, type the new password into the Password field (6-16 characters, alphanumeric characters and underscores).
6. If using local authentication, re-type password in Retype Password field.
7. Type a dial back number in the Dial Back Number field if needed.
8. Check the Login Enabled check box to authenticate against the system; if not, user cannot enter the system.
9. Check the Force Change Password on Next Login check box if you want this user to be forced to change password the next time he or she logs in to CC-SG.
10. Check the Force Change Password Periodically check box if you want this user to have to change his or her password from time to time.
11. Type the expiration period for this user's password in the Expiration Period field.

Raritan 34 COMMANDCENTER SECURE GATEWAY ADMINISTRATOR GUIDE

12. Type an email address for this user in the Email Address field, if desired.
13. Click OK to add this user to the system. A User Created successfully message indicates the user has been added to the system.
14. Drag the new user icon to the desired user group.
15. Repeat steps 1 through 14 to add additional users.

Raritan CHAPTER 4 CREATING ASSOCIATIONS 35

Chapter 4 Creati
133. atus of the CC-SG, click Operation, Utilities, then Disk Status.
Figure 286 Selecting Disk Status in Diagnostic Console (screenshot)

Raritan CHAPTER 12 ADVANCED ADMINISTRATION 223

2. Either click Refresh or press Enter to refresh the display. Refreshing the display is especially useful when upgrading or installing and you want to see the progress of the RAID disks as they are being rebuilt and being synchronized.
Figure 287 Displaying Disk Status of CC-SG in Diagnostic Console (screenshot: RAID personalities, md arrays, and filesystem usage)
The disk drives are fully synchronized and full RAID 1 protection is available when you see a screen as shown above (note the status of both md and md1 arrays are UU).

Displaying Top Display Utilities
This option displays the list of processes and their attributes that are currently running on CC-SG, as well as overall system health.
1. To display the processes running on the CC-SG, click Operation, Utilities, then Top D
134. be possible. Just as one user can belong to multiple groups, one device can belong to multiple groups.

Edge port groups are simply boolean expressions of attributes. For example, a Sun in NYC could be part of Group Sun (Ostype Solaris) and Group New York (location NYC).

A console is generally considered a secure and reliable access path of last resort. Some UNIX systems allow root login only on the console. For security reasons, other systems might prevent multiple logins, so that if the administrator is logged in on the console, other access is denied. Finally, from the console, the administrator can also disable the network interfaces when/if necessary to block all other access. Normal command activity on the console has no greater impact than the equivalent command run from any other interface. However, since it is not dependent upon the network, a system that is too overloaded to be able to respond to a network login may still support console login. So, another benefit of console access is troubleshooting and diagnosis of system and network problems.

Each CIM includes a serial number and target system name. Our systems assume that a CIM remains connected to its named target when its connection is moved between switches. This movement is automatically reflected in the system configuration and is propagated to CC-SG. If, instead, the CIM is moved to another server, an administrator must rename it.

CC-SG can support any device with
135. been added to the CC-SG database and is available for configuration and attachment to a specific port.
7. Click Close to close the Application Manager screen.
Note: Once the application has been loaded into CC-SG and assigned to a port, verify that the application is operational.

Edit Application
Use this command to modify an application name or change the location where the application is stored in your system.
1. On the Setup menu, click Application Manager. The Application Manager screen appears.
2. Click on the Application Name drop-down arrow and select the application to be edited from the list.
3. Click Edit in the Applications panel of the screen to rename the application. The Edit Application window appears.
Figure 219 Edit Application Window (screenshot)
4. Type the new application name in the Enter New Name for Application field.
5. Click OK to edit the application name or Cancel to close the window.

Raritan 180 COMMANDCENTER SECURE GATEWAY ADMINISTRATOR GUIDE

6. Modify parameters in the Parameters panel and click the Update button in the Details panel of the screen. The parameters will be updated.
7. Click Close to close the Application Manager screen.

Delete Application
Deleting an application from the
136. bottom of the panel. This list contains categories that you can use to filter custom views. Select a detail from the drop-down list and click Add to add the detail to the Custom View Details panel. Select as many details as needed.
6. To re-order the details in the Custom User Details panel, select a detail and use the Up and Down buttons to arrange details in the order you want devices sorted. To remove a detail from the list, select the detail and click the Delete button in the Custom User Details panel.
7. Click Update to update custom view. A Custom View Updated Successfully message confirms that the custom view has been updated.
8. Click Set Current to arrange the Devices tree to reflect the selected custom view.
9. Click Close to close the Custom View screen.
10. Repeat steps 1 through 9 to edit other custom views.

Delete Custom View
1. Click on the Devices tab.
2. On the Devices menu, click Change View, and then click Custom View. The Custom View screen appears.
Figure 71 Custom View Screen (screenshot)
3. Click on the Name drop-down arrow in the Custom View panel and select the custom view to be deleted.
4. Click on the Delete button in the Custom View panel. A Delete Custom View window appears.
Figure 72 Delete Custom View Window (screenshot)
5. Click Yes to delete the custom
137. cation
Note: If the imported certificate is signed by a root and subroot CA (certificate authority), using only a root or subroot certificate will fail. To resolve this, copy and paste both root and subroot certificate into one file and then import it.

Generate Self Signed Certificate Request
Click on the Generate Self Signed Certificate option button and click Generate. The Generate Self Signed Certificate window appears. Type the data needed for the self-signed Certificate into the fields. Click OK to generate the certificate or Cancel to exit the window. The Certificate and Private Key will appear encrypted in the corresponding fields of the Certificate screen.
Figure 160 Generate Self Signed Certificate Window (screenshot)

Raritan 134 COMMANDCENTER SECURE GATEWAY ADMINISTRATOR GUIDE

IP ACL
This feature restricts access to CC-SG based on IP addresses. Specify an IP access control list (IP ACL) by entering an IP address range, the group to which it applies, and an Allow/Deny privilege.
1. On the Setup menu, click Security Manager. When the Security Manager screen
138. cation and SSL data encryption
• No authentication and no encryption
Refer to Raritan's Dominion KX User Guide for definitions of these encryption modes.

Edit Device
Use this command to rename a device and/or modify its properties.
1. Click on the Devices tab and select a device from Devices tree.
2. On the Devices menu, click Device Manager, and then click Edit Device. The Edit Device screen appears.
Figure 58 Edit Device Screen (screenshot)
3. Type the new device properties in the appropriate fields on this screen, up to and including selecting different or new Category and Element properties from the Device Association panel.
4. Click OK to edit the device or Cancel to exit without modifying. A Device Updated Successfully message confirms that device has been modified.
5. Repeat steps 1 through 4 to edit other devices.

Raritan CHAPTER 5 ADDING DEVICES AND DEVICE GROUPS 55

Delete Device
1. Click on the Devices tab and select a device from Devices tree.
2. On the Devices menu, click Device Manager, and then click Delete Device. The Delete Devic
139.
Figure 53 Add Device Screen for PowerStrip 51
Figure 54 Add Device Screen for Raritan Devices 52
Figure 55 Add Device Screen for iLO/RILOE 52
Figure 56 Add Device Screen for IPMI Server 53
Figure 57 Add Device Screen for Generic Device 53
Figure 58 Edit Device Screen 54
Figure 59 Delete Device Screen 55
Figure 60 Bulk Copy Screen 55
Figure 61 Backup Device Configuration Screen 56
Figure 62 Restore Device Configuration Screen 56
Figure 63 Copy Device Configuration Screen 57
Figure AE leie e RE 57
Figure 65 Ping Device Screen 58
Figure 66 Restart Device Screen 58
Figure 67 Devices Tree Regular View Screen 59
Figure 68 Custom View Screen 60
Figure 69 Add Custom View Window 61
Figure 70 Edit Custom View Window 61
Figure 71 Custom View Screen 62
140. Figure 122 Bulk Copy Screen (screenshot)
3. In the All Users list, select the user name(s) that will be adopting the profile of the user listed in the Username field.
4. Click > to move a user name to the Selected Users list.
5. To remove a user name from the Selected Users list, click on the name and click < to move it back to the All Users list.
6. Click OK to copy user properties or Cancel to exit without copying. A User Copied Successfully message confirms that the user profile has been copied.
7. Repeat steps 1 through 6 to make other bulk copies of user properties.

Raritan CHAPTER 7 ADDING USERS AND USER GROUPS 99

Add User to Group
To manage users with similar privileges, you can assign them to groups. When you add a user to any group, you are assigning the group's privileges to that user (please see the section Add User Group in this chapter for more information about groups).
1. Click on the Users tab and select a group (the Group icon displays multiple people and a User icon displays a single person).
2. On the Users menu, click Add User To Group. The Add User To Group screen appears.
Figure 123 Add User To Group Screen (screenshot)
3. Click on the Username drop-down arrow and select a user from the list to add to the group shown in the User Group Name field.
4. Click OK to add the selected user to the group or Cancel to exit wi
141. ctly to the target, either via a Raritan device or In-Band access, which is called Direct Mode.
• Or, if the PC client connects to the target through CC-SG, which acts as an application firewall and is called Proxy Mode.

Communication Direction / Port Number / Protocol / Purpose / Configurable
Client CC-SG via Proxy 2400 TCP Proxy Mode no Target on CC-SG
Client Raritan Target 5000 on TCP Raritan Direct yes Direct Mode device
Client Dominion SX 51000 TCP Target Access yes Direct Mode

CC-SG & Client for IPMI, iLO/RILOE, Etc.
Another significant role of CC-SG is to manage third-party devices, such as iLO/RILOE, Hewlett Packard's Integrated Lights Out/Remote Insight Lights Out servers. Targets of an iLO/RILOE device are powered on/off and recycled directly. Intelligent Platform Management Interface (IPMI) servers can also be controlled by CC-SG.

Communication Direction / Port Number / Protocol / Purpose / Configurable
C SG iLO RILOE uses 80 or 443 UDP Device Discovery no HTTP ports

Raritan 234 COMMANDCENTER SECURE GATEWAY ADMINISTRATOR GUIDE

CC-SG & SNMP
Simple Network Management Protocol (SNMP) allows CC-SG to push SNMP traps (event notifications) to an existing SNMP manager on the network. CC-SG also supports SNMP GET/SET operations with third-party Enterprise Management Solutions, such as HP OpenView.

Communication Direction / Port Number / Protocol / Purpose / Configurable
SNMP Mana
142. Figure 140 Active Directory Users (screenshot)
3. On the Active Directory server, assign CC-SG users to a group, such as CC Users. The user group reflects the CC-SG access requirements for the users. For example, joe raritan is assigned to the CC Users group by right-clicking on the user, selecting Properties, and selecting CC Users in the Member Of tab.
(Screenshot of Active Directory Users and Computers showing the user's Member Of tab)
143. Figure 285 Configuring Accounts (screenshot)
If you want to require a password for the Status account, select Enabled underneath it.
This screen is split into three main areas. The top displays read-only information about the accounts on the system. The middle section displays the various parameters related and pertinent to each ID, along with a set of buttons to allow the parameters to be updated or new passwords provided for the accounts. The final area restores the password configuration to Factory Defaults, or how the system was initially shipped.

Raritan 222 COMMANDCENTER SECURE GATEWAY ADMINISTRATOR GUIDE

4. For the Admin and Status accounts, you can configure:

SETTING / DESCRIPTION
User User Name: This is the current user name or ID for this account. This may be operator changeable in a future release.
Last Changed: Read only. This is t
144. d listed alphabetically within each group. On the Devices tab, devices are sorted and their respective ports are sorted underneath.
4. Quick Commands toolbar: This toolbar offers some shortcut buttons for executing common commands rapidly.
Note: The Quick Commands toolbar includes Back and Forward buttons (the left and right pointing arrows). Please use these as you would use the Back and Forward commands in your Internet browser. The Back arrow button will return you to the last screen you viewed, and the Forward (>) button moves you forward to the next screen you viewed after you have used the Back command.
5. Operation and Configuration menu bar: These drop-down menus offer commands to operate and configure CC-SG.
Please Note: You can also execute some of these commands by right-clicking on the icons in the Ports, Users, Devices tree view.
6. Main Display area: The commands you select from the menu bar and/or the tool bar will display in this main area. Displays here are referred to as screens, and screens may be broken down into panels.
7. User ID: Identification of current logged-in user.
8. Language Information: Indication of which language version of CC-SG you are currently using.
9. Time and timezone as configured on CC-SG in Configuration Manager. May be different on the client. This time is used when scheduling tasks in Task Manager (see section Task Manager in Chapter 12: Advanced Administration).
Impo
145. ded to access this device in the Password field.
If applicable, type the time (in seconds) that should elapse before timeout between the new device and CC-SG in the Heartbeat timeout (sec) field.
For IPMI Servers, enter an Interval that is used to check for availability and an Authentication Method, which needs to match what has been configured on the IPMI Server.
Note: You will not see a TCP port number or Heartbeat timeout field for HP iLO/RILOE devices, older Dominion SX units (version 2.4 or earlier), IPMI Servers, and Generic devices.
13. Click OK to add the device or Cancel to exit without saving.
14. For Raritan devices, if the firmware version of the device is not compatible with CC-SG, a message will alert you and ask if you want to proceed (please see Chapter 2: Accessing CC-SG for additional information). Click Yes to add the device to CC-SG or No to cancel the operation. You can easily upgrade the device firmware after adding it to CC-SG (see section Upgrade Device later in this chapter).
15. A Device Created Successfully message confirms that device has been added.
16. Repeat steps 1 through 12 to add other devices.

Raritan 54 COMMANDCENTER SECURE GATEWAY ADMINISTRATOR GUIDE

KX Devices with Encryption
CC-SG supports adding and managing Dominion KX devices, such as KX101, that have been configured with:
• SSL authentication and no data encryption
• SSL authentication and data encryption
• SSL authenti
146. dedevice you can substitute the hostname for an IP address. For hostname rules, see Terminology/Acronyms in Chapter 1: Introduction. • The copydevice and restartdevice commands apply only to some Raritan devices (for example, Dominion SX). IPMI servers and generic devices are not supported by these commands. Create an SSH Connection to an SX Device: You can create an SSH connection to an SX device to perform administrative operations on the device. Once connected, the administrative commands supported by the SX device are available. Note: Before you can connect, ensure that the SX device has been added to the CC-SG. 1. Type listdevices to ensure the SX has been added to CC-SG. Figure 251: Listing Devices on CC-SG. 2. Connect to the SX device by typing ssh id <device id> or ssh <IP Address
147. devices, ports, and/or Dominion units and/or IP Reach units can be connected to CC-SG? Is there any way to optimize the performance of Microsoft Internet Explorer if it is my preferred Web browser? ANSWER: CC-SG is a network management device for aggregating and integrating multiple servers and network equipment typically deployed in a datacenter and which are connected to a Raritan IP-enabled product. As you deploy more and more datacenter servers and devices, their management becomes exponentially complex. CC-SG allows a systems administrator or manager to access and manage all servers, equipment, and users from a single device. CommandCenter NOC is a network monitoring device for auditing and monitoring the status of servers, equipment, and Raritan devices that CC-SG provides access to. CC-SG supports all Dominion products: Raritan's KVM over IP products (Dominion KX), Raritan's Secure Console Server products (Dominion SX), and Raritan's Remote office management products (Dominion KSX). CC-SG also supports Paragon II when used with the optional IP user stations. CC-SG uses a unique and proprietary search and discovery technology that identifies and connects to selected Raritan devices with a known network address. Once CC-SG is connected and configured, the devices connected to CC-SG are transparent, and operation and administration is extremely simple. Generic answer: Yes, as long as the PDA has a Java-enabled browser and
148. Figure 264: Selecting Network Interface Configuration. 2. If this is the first time accessing CC-SG and the network interfaces have not been configured, it is strongly recommended to use the CC-SG GUI to configure them instead of configuring them here. If the network interfaces have already been configured, you will see a Warning message stating that you should use the CC-SG GUI to configure the interfaces. If you want to continue, click YES. Figure 265: Editing Network Interfaces. 3. Type your hostname in the Host Name field. Once Save is selected and Admin Console re-entered, or on the CC-SG GUI, this field will be updated to reflect the Fully Qualified Domain Name (FQDN) if known. For hostname rules, see Terminology/Acronyms in Chapter 1
149. dministrator can perform various operations without disruption. Operations can be performed from the GUI or from an SSH command line interface via clients such as PuTTY, OpenSSH Client, etc. Please see Chapter 12: Advanced Administration, SSH Access, for additional information. Current users, except the administrator who is initiating Maintenance Mode, are alerted and logged out after the configurable time period expires. While in Maintenance Mode, other administrators are allowed to log into CC-SG, but non-administrators are prevented from logging in. An SNMP trap is generated each time CC-SG enters or exits Maintenance Mode. Note: Maintenance Mode is only available on standalone CC-SGs and not in a cluster configuration. Scheduled Tasks: Scheduled tasks cannot execute while CC-SG is in Maintenance Mode (please see section Task Manager in Chapter 12: Advanced Administration for additional information on scheduled tasks). When CC-SG exits Maintenance Mode, scheduled tasks will be executed as soon as possible. Entering Maintenance Mode: To enter Maintenance Mode: 1. On the Setup menu, click Maintenance Mode. 2. Click Enter Maintenance Mode. Enter Maintenance Mode: Please enter broadcast message and timeout in minutes (between 0 and 30) to the moment when CommandCenter will enter maintenance mode. Broadcast message: The CommandCenter server is enteri
150. e case insensitive. 1. Click on the Devices tab. Figure 91: Search for Devices. 2. At the bottom of the window, enter a search string in Search For Device. 3. Click Go or press ENTER. Navigation Tips: • When a device has been found and is highlighted in the Devices tree, use the ↓ and ↑ keys to navigate to the next device. • When a device is highlighted in the Devices tree, press the TAB key to return to the Search For Device box. • To clear the results and refresh the display in the Devices tree, you can press the F5 key or click in the toolbar. Supported Wildcards: These wildcards are supported: WILDCARD / DESCRIPTION: Indicates any character; Indicates a character in range; Indicates zero or more characters. Examples are as follows: EXAMPLE / DESCRIPTION: Locates KX1 and KXZ but not KX1Z; Locates KX1 KX KX1 and KX1Z; KX 0 9 0 9 T Locates KX95T KX66T but not KXZ and KX5PT. Disconnect Users: Administrators can terminate any user's session with a device. This includes users who are performing any kind of operation on a device, such as connecting to ports, backing up the configuration of a device, restoring a device's configuration
151. e 197 Configuration Manager Time Date Screen; Figure 198 Configuration Manager Modem Screen; Fe Modems E TTT; Figure 200 Extra Initialization Commands; Figure 201 Create a new Connection; Figure 202 New Connection Wizard; Figure 203 Connection Name; Figure 204 Phone Number to Dial; Figure 205 Specify Dial-up Script; Figure 206 Connecting to Cap; Figure 207 Entering username and password; Figure 208 After Dial Terminal; Figure 209 Configuration Manager Connection Screen Direct Mode or Proxy Mode; Figure 210 Configuration Manager Connection Screen Bob; Figure 211 Configuration Settings Device Settings Screen; Figure 212 Configuration Settings Device Settings Screen; Figure 213 Security Manager General Screen; Figure 214 Lockout Settings; Figure 215 Error User Being Locked Out Screen
152. e Terminology/Acronyms in Chapter 1: Introduction. Type the port number in the Port Number field. 5. Type and confirm the shared key into the Shared Key field. Click OK to update changes. Certificate: Options in this window can be used to generate a certificate signing request (also CSR or certification request). A CSR is a message sent from an applicant to a certificate authority to apply for a digital identity certificate. Before creating a CSR, the applicant first generates a key pair, keeping the private key secret. The CSR contains information identifying the applicant (such as a directory name in the case of an X.509 certificate) and the public key chosen by the applicant. 1. On the Setup menu, click Security Manager. 2. When the Security Manager screen appears, click on the Certificate tab. Figure 157: Security Manager Certificate Screen. Export Current Certificate and Private Key: Click Export Current Certificate and Private Key. The certificate appears in the Certificate panel and the private key appears in Private Key panel. Copy the text of the Certificate
153. e Users tab, right-clicking on the group, and selecting Edit User Group Policies. Look under Selected Policies to confirm that the correct policy was assigned to the group. Figure 148: Viewing Policy of Imported Group. 11. When the user, such as jraritan, logs in, they will be authenticated by the Active Directory server and the login appears at the b
154. e login screen to close the browser. You can also shut CC-SG down from SSH; please see section SSH Access to CC-SG in Chapter 12: Advanced Administration for additional information. Restart CC-SG after Shutdown: After shutting down CC-SG, use one of these two methods to restart the unit: 1. Use the Diagnostic Console (please see section Diagnostic Console in Chapter 12: Advanced Administration for additional information). 2. Recycle the power to your CC-SG unit. End CC-SG Session: Log Out: To exit CC-SG at the end of a session, or to refresh the database in case you or another user has made changes while you were logged in, log off from CC-SG entirely, then log in again. 1. On the Session menu, click Logout. The Logout window appears. Figure 189: Logout Window. 2. Click Yes to log out of CC-SG or No to close the window. Once you log out, the CC-SG login window appears. 3. Log on to CC-SG again or click Exit to shut down CC-SG completely. Exit CC-SG: If at any time you want to exit CC-SG, you can exit. 1. On the Session menu, click Exit. The Exit window appears. Figure 190: Exit Window. 2. Click Yes to exit CC-SG or No to close the Exit window and continue working. Maintenance Mode: This mode restricts access to CC-SG so that an a
155. e screen appears. Figure 59: Delete Device Screen. 3. Click OK to delete the device or Cancel to exit without deleting. A Device Deleted Successfully message confirms that the device has been deleted. 4. Repeat steps 1 through 3 to delete other devices. Bulk Copy: The Bulk Copy command allows you to copy the assigned categories and elements from one device to multiple other devices. Please note that categories and elements are the only properties copied in this process. 1. Click on the Devices tab and select a device from Devices tree. 2. On the Devices menu, click Device Manager, and then click Bulk Copy. The Bulk Copy screen appears. Figure 60: Bulk Copy Screen. In the All Devices list, select the device(s) to which you are copying the categories and elements of the device in the Device Name field. Click > to add a device to the Selected Devices list. To remove a device from the Selected Devices list, select the device and click <. Click OK to bulk copy or Cancel to exit without copying. A Device Copied Successfully message confirms that device categories and elements have been copied. Repeat steps 1 through 6 to copy other categories and elements of other devices. Backup Device Configuration: Use this command to back up all user configuration
156. e specified. All reports that have a Finished status are stored on CC-SG for 30 days and can be viewed by selecting View Stored Reports under the Reports menu. Please see Chapter 10: Generating Reports, View Stored Reports, for additional information. Create a New Task: To schedule a new task: 1. On the Setup menu, click Task Manager. Figure 237: Task Manager New Button. 2. Click New. Figure 238: Create Task. 3. In the Main tab, type a name (1-32 characters, alphanumeric characters or underscores, no spaces) and description for the task.
157. e that this privilege is not configurable and is only assigned to the System Administrator user group by default. Appendix E: SNMP Traps. CC-SG provides the following traps: SNMP TRAP / DESCRIPTION: CCImageUpgradeResults: CC-SG image upgrade results; CCImageUpgradeStarted: CC-SG image upgrade started; CCIncompatibleDeviceFirmware: CC-SG detected device with incompatible firmware; CCLeafNodeUnavailable: CC-SG detected a connection failure to a leaf node; CC-SG root password changed; CCUserModified: CC-SG user modified; CCDeviceAddedAfterCCNOCNotification: CC-SG device added after NOC notification; CCDiagnosticConsole: CC-SG user logged into Diagnostic Console; CCDiagnosticConsoleLogout; CC-SG locked out user from login; CCEnterMaintenanceMode: CC-SG entered maintenance mode; CCExitMaintenanceMode: CC-SG exited maintenance mode; CC-SG detected a LAN card failure. Appendix F: Troubleshooting. • In order to launch CC-SG from your web browser, it requires a Java plug-in. If your machine has an incorrect version, CC-SG will guide you through the installation steps. If your machine does not have a Java plug-in, CC-SG cannot automaticall
158. ears, click on the SNMP tab. Figure 212: Configuration Settings Device Settings Screen. 2. To identify the SNMP agent running on CC-SG to third-party enterprise management solutions, provide agent information under Agent Configuration. Type a Port for the agent (default is 161). Type a Read-Only Community string (default is public) and Read-Write Community string (default is private). Multiple community strings are allowed; separate them with a comma. Type a System Contact, System Name, and System Location to provide
159. echanisms: • Serial Port (COM1) • KVM Console • SSH (IP network). The Diagnostic Console offers three services: • Status Display • Admin Console • Raritan Field Support. This screen allows the selection of which services are available via the various access mechanisms. Important: Be careful not to completely lock out all Admin or Field Support access. Figure 263: Edit Status Console Config. 3. Click Save at the bottom of the screen, or press the TAB key and press Enter once Save is highlighted. Press Q or ^C to exit. Editing Network Interfaces Configuration: Network Interfaces: In Network Interface Configuration, you can perform initial setup tasks, such as setting the hostname and IP address of the CC-SG. Click with the mouse or use the TAB, ↓, ↑ keys to navigate and press the Enter key to select a value. 1. To edit network interface information, click Operation, Network Interfaces, then Network Interface Config.
160. ecially if firewalls or VPNs are present in your network, and access and security policies are to be enforced by the network. Executive Summary: In the sections below, a very complete and thorough analysis of the communications and port usage by CC-SG and its associated components is provided. For those customers that just want to know what ports to open on a firewall to allow access to CC-SG and the targets that it controls, the following ports should be opened: Port Number / Protocol / Purpose: 80 / TCP / HTTP Access to CC-SG; HTTPS (SSL) Access to CC-SG. This list can be further trimmed: • Port 80 can be dropped if all access to the CC-SG is via HTTPS addresses. • Ports 5000 and 51000 can be dropped if CC-SG Proxy mode is used for any connections from the firewall(s). Thus, a minimum configuration only requires three (3) ports (443, 8080, and 2400) to be opened to allow external access to CC-SG. In the sections below, the details about these access methods and ports are provided along with configuration controls and options. These ports need to be opened per Raritan device that will be externally accessed. The other ports in the table need to be opened only for accessing CC-SG.
161. ed, a level of network redundancy is provided. For example, if LAN1 is connected and is receiving a Link Integrity signal, CC-SG uses this NIC for all communications. In the event of a LAN1 failure, and assuming LAN2 is connected, CC-SG migrates the assigned (possibly by DHCP) IP address to LAN2. LAN2 will be used until LAN1 is repaired and returned to service. When this happens, CC-SG reverts to using LAN1. As long as one interface is viable, a PC client should not notice any disruption in service during a failure. CC-SG remains at the same logical IP address but attempts to keep communication channels and existing sessions up in the event of possible network failures. All communication (for example, PC client, Raritan device management, cluster peer, etc.) is carried over this single communication channel that is maintained by both NICs. • Choose Active/Active mode if you have special network conditions, particularly if you have two networks where routing may not exist. If network security is important and if you are using proxy-type deployments, you also should choose this mode. Figure 194: Active/Active Network. In this mode, CC-SG acts as a router or traffic cop between two separate IP domains, particularly when Proxy mode is being used (please see Connection Mode later in this chapter for additional information). In Proxy mode Active
162. ed independently and exclusively on the Active Directory server. Setup on AD Server: 1. On the Active Directory server, set up an account that provides credentials for CC-SG users to access the AD server. For example, you could set up a Command Center account in the ServiceAccounts organizational unit (ou) under the Contuso.com domain. This account is used to bind Active Directory to a CC-SG query. Figure 139: Active Directory Account. 2. On the Active Directory server, set up your users under the Users organizational unit (ou). These users will log into the CC-SG, but are authenticated on the Active Directory server. Note that the display name of joe raritan can be different from the CC-SG login user name, for example jraritan.
163. Figure 216 Application Manager Screen; Figure 217 Add Application Window; Figure 218 Search Window; Figure 219 Edit Application Window; Figure 220 Delete Application Window; Figure 221 Firmware Manager Screen; Figure 222 Search Window; Figure 223 Delete Firmware Window; Figure 224 CC-NOC Configuration Screen; Figure 225 CC-NOC Configuration Screen; Figure 226 Add CC-NOC Configuration Screen; Figure 227 CC-NOC Passcodes; Figure 228 CC-NOC Configuration Screen; Figure 229 Edit CC-NOC Configuration Screen; Figure 230 Launch CC-NOC; Fi
164. Upgrade Device; Special Access to Paragon II System Devices; Paragon II System Controller; IP Reach and UST IP Administration; Device Power Manager; Device Group; Edit Device Group Name; Delete Device Group; Delete Device Rule; Navigation Tips; Chapter 6: Configuring Ports and Port Groups; Port Manager; Chapter 7: Adding Users and User Groups; Change User Password
165. een created. 12. Repeat steps 1 through 11 to configure other KVM ports. Note: You can access a Generic device that is associated with a KVM port by right-clicking on the port in the Ports tree and selecting Connect, which uses the application selected (such as Raritan Remote Console), or by selecting In-band Access, which uses the in-band application as configured in the In-band Parameters screen. Configure a Generic Port with In-Band Access: In-band access to Generic devices, such as hubs, Windows servers, and CISCO routers, can be managed with one of these in-band applications: Windows Remote Desktop (RDP), Secure Shell (SSH), Virtual Network Computer (VNC). 1. Click on the Devices tab and select a Generic device from the Devices tree. 2. On the Devices menu, click Port Manager, and then click Configure Ports. The Configure Ports screen appears. Figure 102: Configure Ports Screen. 3. Click the Configure button that corresponds to the Generic port line item you wish to configure. The Configure Generic Port screen appears.
166. Figure 16 Association Wizard Category and Elements Screen; Figure 17 Adding Another Category; Figure 18 Association Wizard Confirm Choices; Figure 19 Association Wizard Summary Screen; Figure 20 Add Device; Figure 21 Add Device PowerStrip; Figure 22 Add Device SX; Figure 23 Configuration; Figure 24 Configure Serial; Figure 25 Configure Ports; Figure 26 Configure KVM Port; Figure 27 Add User Screen; Figure 28 Add User Group Screen; Figure 29 Port Groups Manager Screen; Figure 30 Add Port Group Window; Figure 31 Policy Manager Screen; Figure 32 Update Policy Window; Figure 33 Edit User Group Policies Screen; Figure 35 CC-SG Organization Example; Figure 36 Association Manager Screen; Figure 37 Add Category Window
167. Figure 143: Specifying General Values for Active Directory Server. 2. Check Anonymous Bind if you want to connect to the Active Directory server without specifying a username and password. If checking this option, ensure your Active Directory server allows anonymous queries. Note: By default, Windows 2003 does NOT allow anonymous queries. Windows 2000 servers do allow certain anonymous operations whose query results are based on the permissions of each object. 3. If not using anonymous binding, type a User name. The user name needs to be a valid user entry in the Active Directory directory structure and should have permissions to execute search queries. The user name can be in one of the following three forms: • cn=Administrator,cn=Users,dc=raritan,dc=com • Administrator@raritan.com • Administrator. Note: If using SASL to securely connect to Active Directory, use the third form (Administrator) for the user name. 4. Enter and confirm the Password for the user name if not using anonymous binding. 5. Optionally, click Test Connection to test the connection to the Active Directory server using the given parameters. You should receive a confirmation of a successful connection. If not, review the settings carefully for errors and try again. 6. Click Next to continue. Advanced Settings on CC-SG: 1. If you want to configure advanced settings, click on the Advanced
168. emote target device that is connected via a serial port, click on the appropriate device in the Devices selection tree under the Devices tab. If the port is configured for a console application, a Security Warning appears, indicating that the console applet is a signed applet from Raritan Systems. Click Yes and the console port appears. Warning: The security warning display appearing in IE only appears the first time the user connects to a serial port. Click Yes when this display appears; if you click No, the console application will not launch and you must exit CC-SG, close the browser, re-launch the browser, and connect to CC-SG again. For additional details about RaritanConsole operation, please refer to Raritan's RaritanConsole User Guide. When a custom application is associated with a KVM or serial port, selecting that port launches the associated application. Raritan Remote Control and RaritanConsole are examples of custom
169. ents are defined with the Association Wizard or Association Manager. Raritan devices and ports are organized by category and elements. Each category-element pair is assigned to a device, a port, or both. Therefore, you need to define your categories and elements before you add a Raritan device and configure ports in CC-SG. A category is a group or set of similar elements. For example, you could have a category to group your Raritan devices by location. So, Location can be a category and could contain a set of elements such as New York City and Philadelphia. These organizational capabilities are defined using the Association Wizard or Association Manager. The categories and elements are also used by policies, which are used to control user access to servers. The above example can be used to create policies to control user access to only NYC servers or network ports or any combination, such as MS2003 servers in NYC. Other examples of typical Association configurations of Category and Elements are as follows: CATEGORY / ELEMENTS: Location: New York City, Philadelphia, DC1; OS Type: Unix, Windows, Linux; Sales, IT, Engineering; Port Type: KVM, Serial, Power. Association configurations should be kept simple to accomplish server port organizational objectives and user access objectives. It is important to realize that a port can only be assigned to a single element of a category. F
170. er

Figure 79 Discover Devices Screen

3. Type the range of IP addresses where you expect to find the devices in the From Address and To Address fields. The To Address should be larger than the From Address. Specify a mask to apply to the range. If a mask is not specified, then a broadcast address of 255.255.255.255 is sent, which broadcasts to all local networks. To discover devices across subnets, you must specify a mask.
4. Click Broadcast discovery if searching for devices on the same subnet on which CC-SG resides. Uncheck Broadcast discovery to discover devices across all subnets.
5. To search for a particular type of device, highlight it in the list of Device types. By default, ALL device types are highlighted. Use Ctrl-click to select one or more device types.
6. Click OK to start the search, or Cancel to exit without searching, or Stop to discontinue the discovery process. Discovered devices appear in a Discover Devices list.

[Figure: Discover Devices list, with columns IP Address, Type, Name, Status, Description]
171. Figure 173 Groups Report

2. Click on the button next to a line entry to display either the policies associated with the user group, or the list of ports that satisfy the port group rule, or the list of devices that satisfy the device group rule.
3. Click any of the Manage Report Data buttons to save or print the report for any particular section. Click Save to save the report to a location of your choice, or Print to print the report. Click Close to close the window.
4. Click Close to close the Groups report.

User Data Report

The User Data report displays certain data on all users in the CC-SG database. From the User Name field, you can see names of users currently in session and view details of users currently not in session. From the Phone field, you can see the user's dial-back telephone number. From the Enabled field, you can see whether the Login check box is enabled. From Password Expiration, you can see the password expiration period in days.

1. On the Reports menu, click User Data. The All User
172. er has been supplied in the applet, then CC-SG uses cn=TestUser,cn=Users,dc=raritan,dc=com to connect to the AD server. Only check Use Bind when the user logging in from the applet has permissions to perform search queries in the AD server.
8. Check Use Bind After Search to use the username and password specified in the General tab to connect to the AD server. The entry is searched in the specified Base DN and is found if it meets the specified filtering criterion and if the attribute samAccountName is equal to the username entered in the applet. Then a second connection (bind) is attempted using the username and password supplied in the applet. This second bind assures that the user provided the correct password.

CHAPTER 9 CONFIGURING REMOTE AUTHENTICATION

Group Settings on CC-SG

Use to retrieve groups from the AD server and import into CC-SG local database for authorization purposes.

1. Click on the Groups tab.

Figure 145 Specifying Group Values for Active Directory Server

2. Specify a Base DN (directory level entry) under which the groups containing the user to be authorized will be searched.

EXAMPLE | DESCRIPTION
dc=raritan,dc=com | The search query for the use
173. er their parent devices. Right-click on the tree, then click Port Sorting Options, then Sort By Port Name or Sort By Port Status to arrange the ports within their devices alphabetically by name or by availability status. Ports arranged by status are sorted alphabetically within their connection status grouping. Devices will also be sorted accordingly.

Custom View

You can customize the Devices tree by organizing devices to appear in a particular format. You might want to view devices by Country, by Time Zone, or by any other option that helps you differentiate between them. Set up a Custom View using the next few sections. Please also see section Association Manager in Chapter 4: Creating Associations for more details on adding Categories to CC-SG.

1. Click on the Devices tab.
2. On the Devices menu, click Change View, and then click Custom View. The Custom View screen appears.

Figure 68 Custom View Screen

3. To customize your view, click on the Name drop-down arrow and select a custom view that has already been saved in the database. Details of the View categories appear in the Custom View Details field. Click Set Current to
174. erically or chronologically. Click on the column header again to sort in descending order. Please note the arrowhead pointing upwards or down next to the cell name, indicating how the report is sorted. The column width in all reports can be sized by resting your mouse pointer on the column divider in the header row until it becomes a double-headed arrow. Click and drag the arrow to the left or right to adjust column width. The sorting value and column width you use becomes the default report view the next time you log in and run CC-SG reports. For all reports, you can double-click on a row to view further details of the report.

Note: In all reports, use CTL-click to deselect a highlighted row.

Active Users Report

The Active Users report displays current users and user sessions. You can view users and disconnect them from this report.

1. On the Reports menu, click Active Users. The Active Users report is generated.

[Figure: Active Users report]
175. es. Click Close to close the Audit Trail report.

Error Log Report

CC-SG stores error messages in a series of Error Log files, which can be brought up and used to help troubleshoot system problems. You can filter the search criteria by date, message type, username, class, host, and level. Messages can be grouped by fatal error and warning level. Once filters are selected, you can view the report results and take precautionary actions.

1. On the Reports menu, click Error Log. The Error Log screen appears.

Figure 168 Error Log Screen

2. Select the date range for the report by either typing the date and time in the Start Date and End Date fields using the format yyyy mm dd hh mm ss, or by using the lt gt gt key on your keyboard to advance through the sections and click on the up/down arrows to build the date and time.
3. Type the criteria with which to filter the report in the Message, User Name, Class, or User IP address fields.
4. Click on the Level drop-down arrow to select a tracing level for the report.
5. Click OK to run the report.

Note: Leave some or all fields blank depending on information desired. Leaving all fields blan
176. es the ability to configure the strength of passwords (status and admin) and allows you to configure password attributes, such as setting the maximum number of days that must lapse before you need to change the password, which should be done via the Account Configuration menu.

Password Configuration

The settings configured here affect only the admin and status (if enabled) passwords, upon the next password change. To change password settings, click Operation, Admin, Change Passwords, then Password Configuration.

Figure 282 Password Configuration

In Password Configuration, enter the number of passwords that will be remembered. This is the password history, which discourages password reuse and ensures that the new password has not been used within the specified number of previous password changes. Default is 5. With a setting of 5, the new password could not have been used within the last 5 password changes.

[Screen: CC-SG Administrator Console, Password Settings] Use this screen to update how all subsequent Diagnostic Console only password operations will work. You can set the type of passwords regular stron
177. esh in the upper left portion of the window to see the new Server time reflected on your client GUI, as seen in the screen above. Click Close to close the Configuration Manager screen. On the Setup menu, click Restart CommandCenter.

Note: Changing the time zone is disabled in a cluster configuration.

Modem Configuration

Use this screen to access CC-SG from a client machine over a dial-up connection. This method of accessing CC-SG can be used in emergency situations.

Note: A modem is not available and cannot be configured on the V1 platform.

Configure CC-SG

1. On the Setup menu, click Configuration Manager. When the Configuration Manager screen appears, click on the Modem tab.

Figure 198 Configuration Manager Modem Screen

2. Type the Server Address, that is, the IP address of the CC-SG.
3. Type the Client Address, that is, the IP address of the client that will dial into CC-SG.
4. Type the Client Phone, that is, if using call-back dialing, this is the call-back number that CC-SG dials to connect to the client.
5. Click Update Configuration to save the modem information to the system.
6. Click Close to close the C
178. et Port Screen
Figure 108 Bulk Copy Screen
Figure 109 Edit Serial Port Screen
Figure 110 Edit KVM Port Screen
Figure 111 Edit Generic Port Screen
Figure 112 Port Groups Manager Screen
Figure 113 Add Port Group Window
Figure 114 Edit Port Group Window
Figure 115 Delete Port Group Window
Figure 118 Change User Password Screen
Figure 119 Change My Profile Screen
Figure 120 Delete User Screen
Figure 121 Logoff Users Screen
Figure 122 Bulk Copy Screen
Figure 123 Add User To Group Screen
Figure 124 Delete User
179. file marked with an X. More than one log file can be viewed at a time. Some log files are not available; a warning dialog will appear and the item will be de-selected for you.

Figure 271 Selecting Log Files to View

OPTION | DESCRIPTION
Individual Windows | Display the selected logs in separate windows.
Merged Windows | Merge the selected logs into one window.
Initial Buffer | Sets initial buffer or history size. 500 is default. This system is configured to buffer all the new information that comes along.

Available to Field Support only in this release.

CHAPTER 12 ADVANCED ADMINISTRATION

3. When View is selected with Merged Windows, the LogViewer displays

[Screenshot of the merged LogViewer output]
180. ft Reload refreshes the page from CC-SG. Or you may close the current browser, open a new browser, and log on again. This provides an additional security feature so that no one can recall information stored in the Web cache to access the unit.

Passwords are encrypted using MD5 encryption, which is a one-way hash. This provides additional security to prevent unauthorized users from accessing the password list.

CC-SG times each user session. If no activity happens for a pre-defined period of time, CC-SG logs the user out. The length of the time period is pre-set to 60 minutes but can be reconfigured. It is recommended that users exit CC-SG when they finish an operation.

No party will have root access to server once the unit is shipped out of Raritan, Inc.

Both. The session is encrypted regardless of source, i.e. LAN/WAN.

QUESTION: The event times in the Audit Trail report seem incorrect. Why?
ANSWER: Log event times are logged according to the time settings of the computer that CC-SG is installed on. You can correct this by adjusting the computer's time and date settings.

QUESTION: Can audit logging abilities track down to who switched on or off a power plug?
ANSWER: Direct power switch off is not logged, but the power on/off through the CC-SG GUI can be logged to audit logs.

Performance

QUESTION: As a CC-SG Administrator I added over 500 ports and assigned all of t
181. ft and right pointing arrows. Please use these as you would use the Back and Forward commands in your Internet browser. The Back arrow button will return you to the last screen you viewed, and the Forward > button moves you forward to the next screen you viewed after you have used the Back command.

Configuring CC-SG Manager Components

In order to use CC-SG effectively, you must complete the following configuration steps, as described in this and the next chapter:

• Configure and install Dominion series and IP-Reach appliances (both serial and KVM devices).
• Configure the devices and establish them on your network.
• Load and associate customized applications for serial ports.
• Load and associate customized applications for KVM ports.
• Install and load the KVM client application.
• Define and configure categories and elements to display the information under all the tabs.
• Create and define users with appropriate privileges and devices they can manage; please see Chapter 7: Adding Users and User Groups for additional information.
• Establish the appropriate security and authentication policies. Only an Administrator who has root privileges in CC-SG can do this; please see Chapter 8: Creating Policies for additional information.

Configurable Parameters

These fields are mandatory and must follow the guidelines as listed:

User Name: Alphanumeric text
182. g parameter passing, target server mapping

Access to CommandCenter NOC (CC-NOC): For detailed auditing, monitoring and notification of infrastructure and Raritan devices.

Operational Flexibility Ease of Use

Administrator Presentation: Enhanced system setup entirely through graphical user interface; state of the art UI standards with professional look and feel.

Designed for High Availability: ATA Raid 1 card and two ATA hard drives to provision for fault tolerance at the hardware and OS level. Two network interfaces for failover or to be configured for public and private IP addresses on separate NICs. Redundant power supplies and ECC memory. Auto recovery watchdog timer. Modem access for emergency administration. Support for primary and secondary servers.

Support for Clustering and Geographic Redundancy: Enabling backup availability with CC-SGs located on the same or different networks.

Internationalization: Language keyboard scope of support, documentation available in French, German, Japanese, Traditional Chinese, Simplified Chinese and Korean.

Terminology/Acronyms

Terms and acronyms found in this document include:

• Associations is the relationship between categories, elements of a category, and ports or devices or both. For example, if you want to associate the Location category with a device. Create associations first, before adding devices and ports in CC-SG.
• Category is a variable t
183. g or random that the system will let the user use on any subsequent password change operation. Also the number of passwords henceforth that the system will remember and not let the user duplicate or reuse.

Figure 283 Configuring Password Settings

Select either Regular, Random, or Strong for the admin and status (if enabled) passwords.

PASSWORD SETTING | DESCRIPTION

Regular: These are standard, yet a fairly weak password system. Passwords have to be longer than 4 characters, with few restrictions. This is the system default password configuration.

Random: Provides randomly generated passwords. Configure the maximum password size in bits (minimum is 14, maximum is 70, default is 20) and number of retries (default is 10), which is the number of times you will be asked if you want to accept the new password. You can either accept (by typing in the new password twice) or reject the random password. You cannot select your own password.

Enforce strong passwords. Retries is the number of times you are prompted before an error message is issued. DiffOK means how many characters can be the same in t
184. ger -> CC-SG | 161 | UDP | SNMP Get/Set

CC-SG & CC-NOC

CC-NOC is an optional appliance that can be deployed in conjunction with CC-SG. CC-NOC is a Raritan network monitoring appliance that audits and monitors the status of servers, equipment, and Raritan devices that CC-SG manages.

Communication Direction | Port Number | Protocol | Purpose | Configurable
CC-SG CC-NOC | 9443 | TCP | CC-SG CC-NOC Communications | no

CC-SG Internal Ports

CC-SG uses several ports for internal functions, and its local firewall function blocks access to these ports. However, some external scanners may detect these as blocked or filtered. External access to these ports is not required and can be further blocked. The ports currently in use are 1088, 1098, 2222, 4444, 4445, 8009, 8083 and 8093. In addition to these ports, CC-SG may have a couple of TCP and UDP ports in the 32xxx (or higher) range open. External access to these ports is not required and can be blocked.

CC-SG Access via NAT-enabled Firewall

If the firewall is using NAT (Network Address Translation) along with possibly Port Address Translation (PAT), then Proxy mode should be used for all connections that use this firewall. Moreover, the firewall must be configured for external connections to Ports 80 (non-SSL), 443 (SSL), 8080 and 2400 to be forwarded to CC-SG, since the PC Client will initiate sessions on these ports. All In-Band Access (IBA) connections use the CC-SG as the Proxy c
185. gin check box if you want this user to be forced to change password the next time he or she logs in to CC-SG.

Check the Force Change Password Periodically check box if you want this user to have to change his or her password from time to time. Either type the expiration period in days for this user's password in the Expiration Period field, or select a date in Expiration Date. Selecting one method automatically performs the calculation for the other.

If blank, check the Force strong password check checkbox if you want to enforce strong passwords for this particular user. Strong passwords is a system-wide setting that is configured in Security Manager; see Configure Security in Chapter 12: Advanced Administration for additional information. If strong passwords are enabled in Security Manager, then you cannot change the setting in this screen.

Type an email address for the user.

By default, the user will be added to the user group that is selected in the Users tree. If you do not want the user added to the group, deselect the Add to group checkbox, which will add the user to the Users Not in Group user group. The user can then be moved to the desired user group.

Click OK to add this user to the system, or Cancel to exit without saving. A User Created Successfully message indicates the user has been added to the system.

Note: If New User submission fails, an error message appears. Possible explanations include: New password is too short Pas
186. gure 231 Delete CC-NOC Screen
Figure 232 Cluster Configuration Screen
Figure 233 Cluster Configuration Primary Node Set
Figure 234 Cluster Configuration Set Secondary CC-SG
Figure 235 Recovering a node from Waiting status
Figure 236 Cluster Configuration Advanced Settings
Figure 238 Create Task
Figure 239 Selecting a Task to Schedule
Figure 240 Specifying Task Recurrence
Figure 241 Specifying Task Email Notification
Figure 242 View a Task
Figure 245 Notification Manager
Figure 247 Login to CC-SG via SSH
Figure 248 CC-SG Commands via SSH
Figure 250 SSH listfirmwares Help
Figure 251 Listing Devices on CC
Figure 252 Access SX Device
187. hat contains a set of values or elements. An example of a Category is Location, which may have elements such as New York City, Philadelphia, or Data Center 1. When you add devices and ports to CC-SG, you will associate this information with them. It is easier if you set up associations correctly first, before adding devices and ports to them. Another example of a Category is OS Type, which may have elements such as Windows or Unix or Linux.

• CIM (Computer Interface Module) is the hardware used to connect a target server and a Raritan device. Each target requires a CIM, except for the Dominion KX101, which is attached directly to one target and therefore does not require a CIM. Target servers should be powered on and connected to CIMs, and CIMs should be connected to the Raritan Device, BEFORE adding the ports in CC-SG. Otherwise, the blank CIM name will overwrite the CC-SG port name. Servers need to be rebooted after connecting to a CIM.
• CommandCenter NOC (CC-NOC) is a network monitoring appliance that audits and monitors the status of servers, equipment, and Raritan devices that CC-SG manages.
• Device Group: a defined group of devices (see the Devices definition) that are accessible to a user. Device groups are used when creating a policy to control access to the devices in the group.
• Devices are Raritan products such as Dominion KX1
188. he application name will appear in the Location field in the Application Manager screen. Click Upload to upload the application. A progress window indicates that the new application is being uploaded. When complete, a new window will indicate that the application has been added to the CC-SG database and is available for configuration and attachment to a specific port. Edit the version field to reflect the new version uploaded, and then click Update. Click Close to close the Application Manager screen.

Connection to Console and KVM Management Appliances

CC-SG may interface with the Console and KVM management appliances of the Dominion series and the IP-Reach series. Both serial and KVM devices are supported. Raritan provides a standard console access, a vt100 Java terminal emulation, for remote target devices that require a serial connection. In addition, Raritan offers a variety of specialized applications that allow users to set up a customized look and feel. The application interface varies depending on device type selected. In the case of the KVM device, Raritan provides the complete keyboard, video and mouse (KVM) of the remote target system through CC-SG.

CC-SG can also interface with HP servers that have iLO or RILOE access capabilities. In this case, CC-SG will launch HP's own Java management applet when connecting to these devices and log into iLO/RILOE without prompting the user to re-authenticate.

To access a r
189. he date of the last password change for this account. Read only.

Tells the day that this account must change its password.

A configurable option: if the account is disabled (no login allowed), or enabled (authentication token required), or access is allowed and no password is required. Great care should be taken to make certain that both the Admin and FS1 accounts are not locked out at the same time; otherwise you may not be able to use Diagnostic Console.

Min Days: The minimum number of days after a password has been changed before it can be changed again. Default is 0.

Max Days: The maximum number of days the password will stay in effect. Default is 99999.

Warning: The number of days that warning messages are issued before the password expires. Warning messages are hard to see in a forms-based system like Diagnostic Console.

Max of Logins: The maximum number of concurrent logins the account will allow. Negative numbers indicate no restrictions. 1 is the default for status login. 0 means no one can log in. A positive number defines the number of concurrent users who can be logged in. 2 is the default for admin login.

Update Param: Install any changes for this ID that have been made.

Enter a new password for the account.

Displaying Disk Status Utilities

This option displays status of CC-SG disks, such as size of disks, if they are active and up, and amount of space currently used by various file systems.

1. To display disk st
190. he new password relative to the old. MinLEN is the minimum length of characters required in the password. Specify how many Digits, Upper-case letters, Lower-case letters, and Other (special) characters are required in the password. Positive numbers indicate the maximum amount of credit of this character class that can be accrued towards the simplicity count. Negative numbers imply that the password MUST have at least that many characters from this given class. Thus numbers of -1 mean that every password must have at least one digit in it.

Account Configuration

By default, the status account does not require a password, but you can configure it to have one here. Other aspects of the admin password can be configured, and the Field Support accounts can be enabled or disabled.

1. To configure accounts, click Operation, Admin, Change Passwords, then Account Configuration.

Figure 284 Account Configuration

2. View the settings for each account, that is, Status, Admin, FS1, and FS2.
3.

[Figure: CC-SG Administrator Console Account Configuration screen]
191. heduling and not the time on your client PC.

Task Types

These tasks can be scheduled:

• Backup Device Configuration (individual device or device group)
• Restore Device Configuration (does not apply to device groups)
• Copy Device Configuration (individual device or device group)
• Upgrade Device Firmware (individual device or device group). Note that the firmware should be made available before scheduling this task.
• Backup Command Center Secure Gateway
• Restart Device (does not apply to device groups)
• Outlet Port Power Management (Power On/Off/Recycle Outlet ports)
• Generate all Reports (HTML or CSV formats)
• Purge Logs

Scheduling Sequential Tasks

You may want to schedule tasks sequentially to confirm that expected behavior was actually carried out. For example, you may want to schedule an Upgrade Device Firmware task for a given device group, and then schedule generating an Asset Management Report task immediately after it to confirm that the correct versions of firmware were upgraded.

Email Notifications

Upon completion of a task, an email message can be sent to a specified recipient. How the email is sent, such as if it is sent securely via SSL, is configured in the Notification Manager; please see Notification Manager later in this chapter for additional information.

Stored Reports

Reports that are scheduled are sent via email to the recipients that ar
192. hem to me. Now it takes a long time to log on to CC-SG.
ANSWER: When you, as Administrator, have many ports assigned to you, CC-SG downloads all port information for all ports during the logging process, which slows the process considerably. It is recommended that Administrator accounts used primarily to manage CC-SG configuration settings do not have many ports assigned to them.

QUESTION: What is the bandwidth usage per client? Particularly as they aggregate up over many systems.
ANSWER: Remote access to a serial console over TCP/IP is about the same level of network activity as a telnet session. However, it is limited to the RS232 bandwidth of the console port itself, plus SSL/TCP/IP overhead. The Raritan Remote Client (RRC) controls remote access to a KVM console. This application provides tunable bandwidth from LAN levels down to something suitable for a remote dial-up user.

Grouping

QUESTION: Is it possible to put a given server in more than one group?

QUESTION: What impact to other usage that would be blocked through the active usage of the console port, for example, some UNIX variants not allowing admin over network interfaces?

QUESTION: How do you recommend the issue of CIMs being moved/swapped at the physical level with changes to the logical database?

Interoperability

QUESTION: How does CC-SG integrate with Blade Chassis products?

QUESTION: To what level is CC-SG able to integrate with 3rd party KVM tools, down to 3rd party KVM port level?

It should
193. Figure 7 Set IP Address with Configuration Manager Commands

2. Ensure that the network settings display the values entered while setting up the unit; if not, please modify and follow the steps below.

Click Update Configuration to submit the changes. A confirmation window asks if you wish to restart CC-SG in order to apply changes. Click OK to log out from your current session and restart CC-SG. Access CC-SG using the new IP address.

Check and Upgrade CC-SG Firmware Version

Note: Before you can upgrade CC-SG, you must be in Maintenance Mode. See section Maintenance Mode in Chapter 11: System Maintenance for additional information.

1. Log onto CC-SG.
2. On the Help menu, select About Raritan CommandCenter. If the version is not current, you must upgrade your firmware by following the next few steps.
3. On the Setup menu, click Upgrade CommandCenter.

Figure 8 Upgrade CC-SG

4. Click Browse and locate the file. The file must be accessible from y
194. his or her password from time to time, and specify an expiration period for this user's password in the Expiration Period field. 6. Check the Force strong password check checkbox if you want to enforce strong passwords for this user (see Strong Password Rules in Chapter 12: Advanced Administration for additional information). Type an email address for the user. Click OK to submit the changes or Cancel to exit without saving. An Updated Successfully message confirms the edits were submitted. 9. Repeat steps 1 through 8 to edit other users. Change User Password. This command allows you to change any user's password. 1. Click on the Users tab and select a user from the Users tree. 2. On the User menu, click Change User Password. The Change User Password screen appears. [Figure 118: Change User Password Screen] 3. Type the new password in the Password field. 4. Re-type the password in the Retype Password field. 5. Click OK to change the user password or Cancel to exit without saving. A User Password Updated Successfully message confirms the password has been changed. 6. Repeat steps 1 through 5 to change other users' passwords. Note: For strong passwords, minimum length is 6 characters. For non-strong passwords, minimum length is 4 characters. See section Configure Security in Chapter 12: Advanced Administration for additional i
195. hoices screen of the Wizard appears. [Figure 47: Association Wizard, Confirm Choices] 7. Review the list of categories and associated elements that will be created. Click Previous if you need to go back and make changes. If everything is correct, click Finish. 8. CC SG will show a progress bar while it is creating the associations, port groups, and policies. When this is complete, the Association Wizard Summary screen appears, displaying the list of what was created. Click Done to exit the wizard. [Screenshot: Association Wizard, Summary step]
196. hould pass before CC SG restarts in the Restart after (min) field. 5. Click OK to restart CC SG or Cancel to exit the screen without restarting. Once you restart CC SG, your Broadcast Message appears. [Figure 187: Info Window] 6. Click OK to restart CC SG. 7. CC SG will restart and is ready for use. Shut Down CC SG. These are the recommended methods for Administrators to shut down and restart CC SG. 1. On the Setup menu, click Shutdown CommandCenter. The Shutdown CommandCenter screen appears. [Figure 188: Shutdown CC SG Screen] 2. Type your password in the Password field. 3. Accept the default message or type a message to display to any users currently online in the Broadcast message field (for example, you might give users a brief time period to finish their tasks in CC SG and tell them when they can expect the system to be functional again). All users will be disconnected when you shut down CC SG. 4. Type how much time, in minutes, should pass before CC SG shuts down in the Shutdown after (min) field. 5. Click OK to shut down CC SG or Cancel to exit the screen without shutting down. Once you shut down, the CC SG login window appears. Log on to CC SG again to continue working, or click Exit on th
197. ia SSH. Please see SSH Access to CC SG later in this chapter for additional information. 5. Click Update to update the changes. Click Close to close the Security Manager screen. Note: For information on the ordering of the authentication databases, please see Chapter 9: Configuring Remote Authentication. Strong Password Rules. Strong password rules require users to observe strict guidelines when creating passwords, which makes the passwords more difficult to guess and, in theory, more secure. Administrators can enable or disable this feature (see the previous section, Configure Security). When strong passwords are enabled, a password change will be rejected unless it meets the following criteria:
• Passwords must be at least six characters long.
• Passwords must contain at least one alphabetical character and one non-alphabetical character (number or punctuation symbol).
• The first four characters of the password and the username may not match.
Strong password rules apply only to user profiles stored locally. Password rules on an authentication server must be managed by the authentication server itself. Passwords stored on CC SG should be managed by CC SG and whatever rules it defines. Enable User Lockout. Administrators can lock out CC SG, CC NOC users, and SSH users after a specified number of failed login attempts. This feature applies to user
198. ic port to be edited. 2. On the Ports menu, click Edit Port. The Edit Generic Port screen appears. [Figure 111: Edit Generic Port Screen] 3. Type a new port name in the Port Name field. 4. Click on the In-band application name drop-down arrow and select an application from the list. 5. Type a new port number in the TCP port number field. 6. Type a new username in the Target Username field. 7. Select a new category and element from the Port Associations table. 8. Click OK to edit the port or Cancel to exit without saving the changes. A Port Updated Successfully message confirms that the port has been updated. 9. Repeat steps 1 through 8 to edit other ports. Port Group Manager. Add Port Group. 1. On the Associations menu, click Groups Manager, and then click Port Group Manager. The Port Groups Manager screen appears.
199. [Figure 112: Port Groups Manager Screen] Click Add in the Group panel to add a new group. The Add Port Group window appears. [Figure 113: Add Port Group Window] Type the name for the new Port Group in the Enter Name for Port Group field. Click OK to add the new group or Cancel to close the window. Click Close to close the Port Groups Manager screen. Repeat steps 1 through 5 to add other port groups. Edit Port Group. 1. On the Associations menu, click Groups Manager, and then click Port Group Manager. The Port Groups Manager screen appears. 2. Click on the Group Name drop-down arrow and select a group to edit. Click Edit in the Group panel. The Edit Port Group window appears. [Figure 114: Edit Port Group Window] Type a new name for the group in the Enter New Name for Port Group field. Click OK to update the change or Cancel to close the window. Click Close to close the Port Groups Manager screen. Repeat steps 1 through 5 to edit other po
200. ile of the port listed in the Port Name field above. Click > to move a port name to the Selected Ports list. 5. To remove a port name from the Selected Ports list, click on the name and click < to move it back to the All Ports list. 6. Click OK to copy port properties or Cancel to exit without copying. A Port Copied Successfully message confirms that the port profile has been copied. 7. Repeat steps 1 through 6 to make other bulk copies of port properties. Edit Port. Edit a Serial Port. Click on the Ports tab and select a serial port to be edited. On the Ports menu, click Edit Port. The Edit Serial Port screen appears. [Figure 109: Edit Serial Port Screen] Type the new port name in the Port Name field. Click on the Application Name drop-down arrow and select a new application name. Click on the Baud Rate drop-down arrow and select a new rate. Click on the Parity/Data Bits drop-down arrow and select a new value. Click on the Parity Check checkbox to enable or disable. Click on the Recv Xmit Pace check box to enable or disable X
201. [Figure 80: Discovered Devices List Window] 7. Select a device from the list and click Add to add the device to CC SG, or click Close to exit without adding the device. If you clicked Add, the Add Device screen appears.
202. Remove Secondary CC SG Node; Remove Primary CC SG Node; Recover a Failed CC SG Node; Scheduling Sequential Tasks; Email Notifications; Create a SSH Connection to an SX Device; Accessing Status Console; Accessing Administrator Console; Hardware Specifications
203. is only available when no backup nodes exist. 3. Click Close to exit the Cluster Configuration screen. Recover a Failed CC SG Node. When a node fails and failover occurs, the failed node will recover in Waiting status. 1. Select the Waiting node in the Cluster Configuration table. 2. Add it as a backup node by clicking Join Waiting Node. 3. A confirmation message will appear. Click Yes to assign Secondary status to the selected node, or click No to cancel. If you click Yes, you will need to wait for the secondary node to restart, just as with Join Backup Node. Note: Once a node is in Waiting status, it can be started in Standalone mode or Backup mode. [Figure 235: Recovering a node from Waiting status] Set Advanced Settings. To configure advanced settings of a cluster configuration: 1. Select the Primary node just created. 2. Click Advanced. The Advanced Settings window appears.
204. [Figure 288: Selecting Top Display in Diagnostic Console] 2. View the total, running, sleeping, total number, and processes that have stopped. [Screenshot: top output in Diagnostic Console]
205. itional information. After configuring the SMTP server, you can elect to send a test email to the designated recipient and notify the recipient of the result of the test. To configure an external SMTP server: On the Setup menu, click Notification Manager. [Figure 245: Notification Manager. On-screen note: "The domain should be a valid MX record for which the SMTP host can relay messages."] Ensure Enable SMTP Notification is selected and type the SMTP host. For hostname rules, see Terminology/Acronyms in Chapter 1: Introduction. Type a valid SMTP port. Type a valid Account name for logging onto the SMTP server. Type and confirm the Password for the SMTP account. Type a valid From email address that will identify the message as being from CC SG. Specify the number of Retries in case the email fails to be sent. Type a number, in minutes, for the Retry Interval that will be used before the email is sent again in the event the email fails. Check Use SSL if you want the email to be sent securely over Netscape's Secure Sockets Layer (SSL).
206. iwan ROC Tel 886 2 8919 1333 Fax 886 2 8919 1338 Email sales taiwan raritan com Chinese Website Raritan com tw English Website Raritan ap com Raritan Shanghai Rm 17E Cross Region Plaza No 899 Lingling Road Shanghai China 200030 Tel 86 21 5425 2499 Fax 86 21 5425 3992 Email sales china raritan com Website Raritan com cn Raritan Beijing Unit 1310 Air China Plaza No 36 XiaoYun Road Chaoyang District Beijing 100027 China Tel 86 10 8447 5706 Fax 86 10 8447 5700 Email sales china raritan com Website Raritan com cn Raritan Guangzhou Room 1205 F Metro Plaza 183 Tian He Bei Road Guangzhou 510075 China Tel 86 20 8755 5581 Fax 86 20 8755 5571 Email sales china raritan com Website Raritan com cn Raritan Korea 3602 Trade Tower World Trade Center Samsung dong Kangnam gu Seoul Korea Tel 82 2 557 8730 Fax 82 2 557 8733 Email sales korea raritan com Website Raritan co kr Raritan Australia Level 2 448 St Kilda Road Melbourne VIC 3004 Australia Tel 61 3 9866 6887 Fax 61 3 9866 7706 Email sales au raritan com Website Raritan co au Raritan India 210 2nd Floor Orchid Square Sushant Lok 1 Block B Gurgaon 122 002 Haryana India Tel 91 124 510 7881 Fax 91 124 510 7880 Email sales india raritan com Website Raritan co in Raritan OEM Division Peppercon AG Raritan OEM Division Scheringerstrasse 1 08056 Zwickau Germany Tel
207. k retrieves the logs for the entire system. 6. The Error Log report is generated, displaying data about sessions that occurred during the designated time period. [Screenshot: Error Log report]
208. k on the days of the week to apply the policy. 9. Click on a Permission value to select a permission type: Deny or Control. 10. Click Update to add the policy. The Update Policy window appears. [Figure 32: Update Policy Window] 11. Click Yes to add the policy or No to close the window. 12. Click Close to close the Policy Manager screen. 13. Repeat steps 1 through 12 to add other policies. Apply Policies to User Groups. A user group does not specify the ports that can be accessed by the group; a policy does. Therefore, you need to apply a policy to a user group. 1. Click on the Users tab and select a group. 2. On the User menu, click Edit User Group Policies. Alternatively, right-click on a user group and select Edit User Group Policies. The Edit User Group Policies screen appears. [Figure 33: Edit User Group Policies Screen] 3. Scroll up or down to view all policies in this list. Click on a line item in the Policies list under the All Policies panel that you wish to assign to the group. Click on the Day(s) check boxes to select which days of the week the policy should be assigned. Click Add to add the policy to the
209. know how to enter DNs and in what order they should be listed. For example, specifying a DN for Active Directory would be as follows: common name (cn), organizational unit (ou), domain component (dc). Specifying a DN for Netscape LDAP and eDirectory LDAP would be as follows: user id (uid), organizational unit (ou), organization (o). Username. When authenticating CC SG users on an Active Directory server by specifying cn=administrator,cn=users,dc=xyz,dc=com in username, if a CC SG is associated with an imported AD group, they will be granted access with these credentials. Note that you can specify more than one common name, organizational unit, and domain component. Base DN. You also enter a Distinguished Name (DN) to specify where the search for users begins. Enter a DN in the Base DN field to specify an Active Directory container in which the users can be found. For example, entering ou=DCAdmins,ou=IT,dc=xyz,dc=com will search all users in the DCAdmins and IT organizational units under the xyz.com domain. Active Directory (AD). Microsoft Active Directory provides a directory service that allows organizations to administer their networked resources. Active Directory is a directory server that is LDAP compliant and may be used for both authentication and authorization. If your configuration uses both, there is no need to add users to the CC SG server since AD users are maintain
210. l servers, these ports and protocols are used. Columns: Communication Direction, Port Number, Protocol, Purpose, Configurable. DHCP Server CCSG 68 UDP DHCPLease no NTP Time Server > CC SG CC SG > DNS BE Name Server Queries. PC Clients to CC SG. PC Clients connect to the CC SG in one of these three modes:
• Web/Java Applet CC SG GUI interface
• CC SG Command Line Interface via SSH
• CC SG Diagnostic Console
The first mode is the primary means for users and administrators to connect to CC SG. The other two modes are less frequently used. These modes require the following networking configuration. Columns: Communication Direction, Port Number, Protocol, Purpose, Configurable.
Client > CC SG GUI; 443; TCP; HTTPS Access; no
Client > CC SG GUI; (port number missing); TCP; HTTP Access, redirect to HTTPS; no
Client > CC SG GUI; 8080; TCP; Tomcat Access; no
Client > CC Diagnostic Console; 23; TCP; Status and Maintenance; yes
PC Clients to Targets. Another significant role of CC SG is to connect PC clients to various targets or endpoints. These targets can be serial or KVM console connections to Raritan devices, called Out-of-Band connections. Another mode is to use In-Band access (IBA) methods, for example, Virtual Network Computer (VNC), Windows Remote Desktop (RDP), or Secure Shell (SSH). Another facet of PC client to target communication is whether: • The PC client connects dire
211. ld, type the port used by the In-band application in Target TCP Port, and type a username that is used to log in to the in-band application in the Target Username field. Click OK to save the In-band parameter settings or Cancel to exit without saving. 13. Click OK to configure the serial port or Cancel to exit without configuring. A Port Configured Successfully message confirms that the port has been created. 14. Repeat steps 1 through 11 to configure other serial ports. Note: For KSX power ports and SX serial ports, associating a device with the port is available in the Configure Serial screen and not in the In-Band parameters screen. Configure a KVM Port. 1. Click on the Devices tab and select a KVM device from the Devices tree. 2. On the Devices menu, click Port Manager, and then click Configure Ports. The Configure Ports screen appears.
212. [Figure 85: Edit Device Group Window] 3. Type the new name for the device group in the Enter New Name for Device Group field. Click OK to edit the device group or Cancel to close the window. The new name appears in the Group Name field. Click Close to close the Device Groups Manager screen. 5. Repeat steps 1 through 4 to edit other device group names. Delete Device Group. 1. On the Associations menu, click Groups Manager, and then click Device Group Manager. The Device Groups Manager screen appears. [Figure 86: Device Groups Manager Screen] 2. Click on the Group Names drop-down arrow and select the device group to be deleted. Click Delete, and the Delete Device Group window appears. [Figure 87: Delete Device Group Window] 3. Click Yes to delete the group or No to cancel and close the window. 4. Click Close to close the Device Groups Manager screen. 5. Repeat steps 1 through 4 to delete other devices. Add Device Rule. After adding a device group, apply one or more rules to the group so that devices can be grouped by matching parameters and you have a navigable Devices tree. 1. On the Associations me
213. lease remember that you must be an Administrator to modify User Groups. The category Users Not In Group cannot be modified. Members of that group have observation rights only. 1. Click on the Users tab and select a group. 2. On the Users menu, click Edit User Group. The Edit User Group screen appears. [Figure 126: Edit User Group Screen] 3. Type a new group name in the User Group Name field. 4. Type a new description in the Description field. 5. Check the Select Privileges check box(es) in the Has it column to assign the specific feature line items to the group (please see Appendix D: User Group Privileges for more information). 6. Click OK to update the group features or Cancel to exit without saving. A Group Updated Successfully message confirms that group features have been updated. Apply/Edit User Group Policies. Groups can be assigned policies or permissions that allow them to view and/or control devices and ports. Depending on which policies are assigned to them, groups might have No Rights, Some Rights, Control Rights, or Full Administration Rights. Policie
214. [Figure 266: Pinging a Target] Enter the IP address or hostname of the target you wish to check in the Ping Target field. 3. Optionally select:
• Verbose: Verbose output, which lists other received ICMP packets in addition to ECHO RESPONSE packets.
• No DNS Resolution: Does not resolve addresses to host names.
• Record Route: Records route. Sets the IP record route option, which will store the route of the packet inside the IP header.
• Use Broadcast Address: Allows pinging a broadcast message.
• Adaptive Timing: Adaptive ping. Interpacket interval adapts to round-trip time, so that effectively not more than one unanswered probe is present in the network. Minimal interval is 200 msec.
4. Optionally type values for how many seconds the ping command will execute, how many ping requests are sent, and the size for the ping packets (default is 56, which translates into 64 ICMP data bytes when combined with 8 bytes of ICMP header data). If left blank, defaults will be used. 5. Click Ping in the bottom right-hand corner of the window. If the results show a series of replies, the connection is working. The time shows you how fast the connection is
215. licy Manager screen appears. 2. Click on the Name drop-down arrow to select a policy to edit. Click Edit to edit the policy. The Edit Policy screen appears. [Figure 135: Edit Appliance Policy Window] 3. Type a new name for the policy in the Enter Policy Name field. Click OK to rename the policy or Cancel to close the window. 5. Modify other policy elements and click Update to submit changes. The Update Policy window appears. [Figure 136: Update Policy Window] 6. Click Yes to update the policy or No to close the window. 7. Click Close to close the Policy Manager screen. 8. Repeat steps 1 through 7 to edit other policies. Delete Policy. 1. On the Associations menu, click Policy Manager. The Policy Manager screen appears. 2. Click on the Name drop-down arrow to select a policy to be deleted. Click Delete to delete the policy. The Delete Policy window appears. [Figure 137: Delete Appliance Policy Window] 3. Click Yes to delete the policy or No to close the window. Click Close to close the Policy Manager screen. 5. Repeat steps 1 through 4 to delete other policies. Note: Deleting a policy removes the policy and its association from user groups. Raritan CHAPT
216. list and click Add to add the detail to the Custom View Details panel. Select as many details as needed. To re-order the details in the Custom User Details panel, select a detail and use the Up and Down buttons to arrange details in the order you want devices sorted. To remove a detail from the list, select the detail and click the Delete button in the Custom User Details panel. Click Update to update the custom view. A Custom View Updated Successfully message confirms that the custom view has been updated. Click Set Current to arrange the Devices tree to reflect the selected custom view. Click Close to close the Custom View screen. 10. Repeat steps 1 through 9 to add a new custom view. Edit Custom View. Click on the Devices tab. On the Devices menu, click Change View, and then click Custom View. The Custom View screen appears. Click on the Name drop-down arrow in the Custom View panel and select the custom view to be edited. Click Edit. An Edit Custom View window appears. [Figure 70: Edit Custom View Window] Type a new custom view name and click OK to confirm or Cancel to close the window. 5. In the Custom View Details panel, click on the drop-down arrow at the
217. [Figure 289: Displaying CC SG Processes in Diagnostic Console] 3. Type h to bring up an extensive help screen for the top command. The standard F1 help key is not operational at this point. To return to the Admin Console, use the standard CTL Q or CTL C. Appendix A: Specifications (G1, V1). G1 Platform. General Specifications. Dimensions (DxWxH): 22.1 x 17.32 x 1.75 (563mm x 440mm x 44mm). Weight: 24.07 lb (10.92kg). Power: Redundant hot-swappable power supplies, auto-sensing 110/220 V, 2.0A. Mean Time Between Failure (MTBF): 38,269 hours. KVM Admin Port: DB15, PS2 Keyboard/Mouse. Hardware Specifications. Processor: Intel Pentium III 1 GHz. Remote Connection Protocols: TCP/IP, UDP, RADIUS, LDAP, TACACS, SNMP, SNTP, HTTP, HTTPS. Warranty: Two years with Advanced Replacement; Guardian Extended Warranty Also Available. Environmental Requirements. OPERATING: Humidity 20 85 RH. Altitude: Operate properly at any altitude between 0 to 10,000 feet, storage 40,000 feet est. Vibration: 5 55 5 HZ, 0.38mm, minutes per cycle, 30 minutes for each axis (X, Y, Z). NON-OPERATING: Humidity 10 90 RH. Altitude: Operate proper
218. Figure 242: View a Task
2. Click View Tasks to view the entire list of tasks created by all owners and with all statuses. By default, all tasks that were created a month ago to today's date are displayed.
3. To filter the tasks displayed, you can alter the date by highlighting the month, date, or year fields and clicking the or buttons. You can filter the list further by selecting
219. lves can include spaces, such as Command Center. Enter and confirm the password.
To specify where the search for users begins, enter a Distinguished Name in Base DN. For example, ou=Administrators,ou=TopologyManagement,o=NetscapeRoot searches all organizational units under the domain.
To narrow searching to only particular types of objects, enter a value in Filter. For example, (objectclass=person) will narrow searching to only person objects.
11. Click Test Connection to test the LDAP server using the given parameters. You should receive a confirmation of a successful connection. If not, review the settings carefully for errors and try again.
12. Click on the Advanced tab to set advanced configuration options for the LDAP server.
Figure 152: Security Manager LDAP Screen, Advanced Tab
13. Click the radio button for Base 64 or Plain Text, depending on whether you want the password to be sent to the LDAP server with e
220. ly at any altitude between 0 to 10,000 feet, storage 40,000 feet (est.)
Vibration: 5-55-5 Hz, 0.38mm, minutes per cycle; 30 minutes for each axis (X, Y, Z)
Electrical Specifications
INPUT / OUTPUT: 5 VDC, 12VDC, 5 VDC, 12VDC
Maximum DC Power Output
Maximum Heat Dissipation
Volt-Ampere Rating
Consumption
V1 Platform
General Specifications
Form factor: 1U
Dimensions (DxWxH): 24.2 x 19.09 x 1.75 (615mm x 485mm x 44mm)
Weight: 23.80lb (10.80kg)
Operating Temperature: 10°C-35°C (50°F-95°F)
Mean Time Between Failure: 36,354 hours (MTBF)
KVM Admin Port: DB15 + PS2 or USB Keyboard/Mouse
Console Port: 2 x USB 2.0 Ports
Hardware Specifications
Remote Connection
Protocols: TCP/IP, UDP, RADIUS, LDAP, TACACS, SNMP, SNTP, HTTP, HTTPS
Warranty: Two years with Advanced Replacement; Guardian Extended Warranty Also Available
Environmental Requirements
OPERATING
Humidity: 8%-90% RH
Altitude: Operate properly at any altitude between 0 to 10,000 feet, storage 40,000 feet (Estimated)
Vibration: 5-55-5 Hz, 0.38mm, 1 minutes per cycle; 30 minutes for each axis (X, Y, Z)
NON-OPERATING
Humidity: 5%-95% RH
Altitude: Operate properly at any altitude between ge 00
Vibration: 5-55-5 Hz, 0.38mm, 1 minutes per cycle; 30 minutes for each axis (X, Y, Z)
Electrical Specifications
INPUT
221. mber of managers that can be set in this list.
9. When SNMP traps and their destinations are configured, click Update Trap Configuration.
Configure Security
The General properties allow you to configure SSL for client connections, enable strong passwords, enable user lockout, and set the order of your authentication databases.
1. On the Setup menu, click Security Manager. When the Security Manager screen appears, click on the General tab.
Figure 213: Security Manager General Screen
2. Check the Use SSL For Client Connections check box if you want SSL-encrypted connections to CC-SG. A restart of CC-SG is required after making a change.
3. Check the Force strong password check for the entire system and all users check box if needed (see the next section). For strong passwords, minimum length is 6 characters, and for non-strong passwords, minimum length is 4 characters.
4. Type the port number for accessing CC-SG v
222. ment in category ELEMENT
DEVICE | Device Name, Category Name, Element Name | For each device and for each category that applies to it.
PORT | Device Name, Raritan Port ID or Port Number, Port Name, Category Name, Element Name | For each port and for each category that applies to it. For ILO/RILOE, PowerStrip and IPMI device, the port number will be used; for all other devices, the Raritan Port ID will be used.
CSV File Example
CATEGORY, Memory, String, Port
CATEGORYELEMENT, Memory, 256 MB
CATEGORYELEMENT, Memory, 512 MB
CATEGORYELEMENT, Memory, 1024 MB
CATEGORY, OS, String, Port
CATEGORYELEMENT, OS, UNIX
CATEGORYELEMENT, OS, WINDOWS
CATEGORYELEMENT, OS, LINUX
CATEGORY, Location, String, Device
CATEGORYELEMENT, Location, Aisle 1
CATEGORYELEMENT, Location, Aisle 2
CATEGORYELEMENT, Location, Aisle 3
DEVICE, 192.168.32.20, Location, Aisle 2
PORT, 192.168.32.20, Raritan Port ID, Port 3, OS, UNIX
PORT, 192.168.32.20, Raritan Port ID, Port 3, Memory, 1024 MB
Once successfully imported, you should see something like:
Figure 50: Analysis Report Screen
If necessary, refer to Appendix F: Troubleshooting for problem resolution.
223. ments are added to the CC-SG database, and they are applied to the ports and devices as specified in the file.
The devices specified in the CSV file must have been added to CC-SG prior to importing; please see Add Device in Chapter 5: Adding Devices and Device Groups. Also, the ports specified in the CSV file must have been configured in CC-SG prior to importing; please see Configure Port in Chapter 6: Configuring Ports and Port Groups.
On the Setup menu, click Scripts, then Import Categories. The Import Categories screen appears.
Figure 49: Import Categories Screen
1. Click Browse and select a CSV file.
2. Click Validate to ensure it is in the correct format. If there are errors, they will be displayed so they can be corrected and you can re-import the file.
3. If no errors are found, or after correcting any errors, click Import to import the file.
CSV File Format
The entries in the CSV file are case-sensitive, and each row in the CSV file has this format: tag, value, value
TAG | SUBSEQUENT FIELDS | COMMENTS
CATEGORY | Category Name, ValueType, Applicability | Value Type is String or Integer. Applicability is Device, Port, Both.
CATEGORY | Category Name, Element Name | For each ele
224. Figure 82: Device Groups Manager Screen
2. Click Add in the Groups panel. The Add Device Group window appears.
Figure 83: Add Device Group Window
3. Type a device group name in the Enter Device Group Name field. Click OK to add the group or Cancel to close the window. The new group name will appear in the Group Name field.
4. Click Close to close the Device Groups Manager screen.
5. Repeat steps 1 through 4 to add other device groups.
Edit Device Group Name
1. On the Associations menu, click Groups Manager, and then click Device Group Manager. The Device Group Manager screen appears.
Figure 84: Device Groups Manager Screen
2. Click on the Groups drop-down arrow and select the group to be edited from the list. Click Edit and the Edit Device Group window appears.
225. Chapter 5: Adding Devices and Device Groups
Device Manager
Device Manager commands allow you to configure Dominion series and IP-Reach units and their individual ports. From a CC-SG perspective, connection to a remote target device is made via a serial or KVM port. You can configure the system on a port-by-port basis in order to easily access remote target devices.
When you click on the Devices tab and select a device from the Devices tree, the View Device screen will automatically appear, displaying information about the selected device.
For easier identification, KVM, Serial, and Power devices have different icons in the Devices tree. In addition, availability status of each device also has a different icon. For a description of what the icons represent, please see the table below.
Figure 51: The Devices Tab And View Devices Screen
Device Icons
Table (ICON, MEANING); legible entries: Device unavailable; Power strip paused.
Impor
226. Figure 246: SSH Client
3. Click Open. A window opens, prompting you for the CC-SG login and password. Type the CC-SG login and password (default is ccroot/raritan0).
Figure 247: Login to CC-SG via SSH
4. A shell prompt appears. Type ls to display all commands available from SSH.
Figure 248: CC-SG Commands via SSH
5. Typing help or provides the syntax and description of all available commands.
Figure 249: SSH Help
6. Typing the command with the -h switch displays help for that command, such as listfirmwares -h.
Figure 250: SSH listfirmwares Help
Command Tips
The following describes several nuances of the SSH commands:
- For commands that pass an IP address, such as upgra
227. Figure 107: Delete Port Screen
3. Click OK to delete the port or Cancel to exit without deleting. A Port Deleted Successfully window confirms that the port has been deleted.
4. Repeat steps 1 through 3 to delete other ports.
Bulk Copy
To save time, use the Bulk Copy command to duplicate Port names or associations to other ports.
1. Click on the Ports tab and select a port whose data you want to copy to another.
2. On the Ports menu, click Bulk Copy. The Bulk Copy screen appears.
Figure 108: Bulk Copy Screen
3. In the All Ports list, select the port name(s) that will be adopting the prof
228. Contents (continued; legible entries):
Remote Connection
Environmental Requirements
Electrical Specifications
V1 Platform
General Specifications
Hardware Specifications
Remote Connection
Environmental Requirements
Electrical Specifications
Appendix B: CC-SG and Network Configuration
CC-SG Communication Channels
CC-SG and Raritan Devices
Access to Infrastructure Services
CC-SG & Client for IPMI, iLO/RILOE
CC-SG Access via NAT-enabled Firewall
229. n port in the Authentication Port field. Type and confirm the shared key into the Shared Key field. Click OK to update changes.
RADIUS
CC-SG users who are remotely authenticated by a RADIUS server need to be created on the RADIUS server and on CC-SG. The user's user name on the RADIUS server and on CC-SG must be the same, although the passwords may be different. Please see Chapter 7: Adding Users and User Groups for additional information on adding users who will be remotely authenticated.
1. On the Setup menu, click Security Manager. When the Security Manager screen appears, click Add External AA Server in the General tab.
2. In the Add Module screen, select RADIUS from the pull-down menu, specify a name for the server, and click Next.
Figure 155: Security Manager Add Module Screen
Figure 156: Specifying a RADIUS Server
3. Type the IP address or hostname of the RADIUS server in the IP Address/Hostname field. For hostname rules, se
230. Figure 103: Configure Generic Ports Screen
4. Type a port name in the Port Name field. For ease of use, you should name the port after the server that is connected to the port.
5. Click on the In-Band application name drop-down arrow and select an in-band application, such as SSH Client, VNC Viewer, or RemoteDesktop Viewer, to manage the device.
6. Type a TCP port number that the application will use as a start-up parameter.
7. Type a Target Username that the application will use as a start-up parameter. If a target name is supplied, then only a password is required when accessing a target.
8. Select the associated category and element from the Port Associations table.
9. Click OK to configure the Generic port or Cancel to exit without configuring. A Port Configured Successfully message confirms that the port has been created.
10. Repeat steps 1 through 9 to configure other Generic ports.
Configure an Outlet Port
Outlet ports can be configured for PowerStrip devices and IPMI servers.
1. Click on the Devices tab and select a PowerStrip device from the Devices tree.
2. On the Devices menu, click Port Manager, and then click Configure Ports. The Configure Ports screen appears.
231. ncryption or as plain text.
14. Click on the Default Digest drop-down arrow and select the default encryption of user passwords.
15. Type the user attribute and group membership attribute parameters in the User Attribute and Group Membership Attribute fields. These values should be obtained from your LDAP directory schema.
16. Type the bind pattern in the Bind Username Pattern field.
17. Check Use Bind if you want CC-SG to send the username and password entered at login to the LDAP server for authentication. If Use Bind is not checked, CC-SG will search the LDAP server for the user name and, if found, will retrieve the LDAP object and locally compare the associated password with the one entered.
18. On some LDAP servers, the password cannot be retrieved as part of the LDAP object. Check Use Bind After Search to instruct CC-SG to bind the password to the LDAP object again and send it back to the server for authentication.
19. Click OK.
Sun One LDAP (iPlanet) Configuration Settings
If using a Sun One LDAP server for remote authentication, use this example for parameter settings:
PARAMETER NAME | SUN ONE LDAP PARAMETERS
IP Address/Hostname | <Directory Server IP Address>
OpenLDAP (eDirectory) Configuration Settings
If using an OpenLDAP server for remote authentication, use this example:
PARAMETER NAME | OPEN LDAP PARAMETERS
232. nd element from the Port Associations table by double-clicking the element field.
Click OK to save the serial port configuration. A Port Configured Successfully message confirms that the port has been created.
12. Repeat steps 1 through 11 to configure other serial ports.
KVM Port
1. Click on the Devices tab and select a KVM device (for example, Dominion KX) from the Devices tree.
2. On the Devices menu, click Port Manager, and then click Configure Ports. Alternatively, you can right-click on the device and select Configure Ports. The Configure Ports screen appears.
233. nformation
Change Own Password
For security reasons, you may choose to change your own password.
1. On the Session menu, click Change My Profile. The Change My Profile screen appears.
Figure 119: Change My Profile Screen
Type your old password in the Old Password field.
Type your new password in the Password field. You cannot re-use your old password.
Re-type your password in the Retype Password field.
Click OK to change your password or Cancel to exit without saving. A User Profile Updated Successfully message confirms that your password has been changed.
Repeat steps 1 through 4 to change your password whenever necessary.
Note: For strong passwords, minimum length is 6 characters. For non-strong passwords, minimum length is 4 characters. See section Configure Security in Chapter 12: Advanced Administration for additional information.
Delete User
As an Administrator, you can remove a user account that is no longer needed.
1. Click on the Users tab and select a user from the Users tree.
2. On the User menu, click Delete User. The Delete User screen appears.
234. ng Associations
Associations
CC-SG provides powerful, highly customizable organizational capabilities. Associations provide this organizational capability and are used to organize your equipment. For example, you may have Raritan devices that manage target servers in a New York data center and a Philadelphia data center. Associations help in grouping and displaying Raritan device and target systems in the CC-SG web interface.
For example, the following screen is a custom view that hierarchically displays three data centers (that is, DataCenter1, NYC, and Philadelphia) and the type of target servers in them. You can customize CC-SG to organize and display your servers however you like.
Figure 35: CC-SG Organization Example
Associations - Defining Categories and Elements
An important concept in CC-SG is categories and elements. Categories and elem
235. Figure 191: Enter Maintenance Mode
3. Type a broadcast message or accept the default that is provided.
4. Type a number that will start a count-down clock on each CC-SG client. Type a number between 0 and 30. Default is 5. Typing 0 means that Maintenance Mode is starting immediately.
5. Click OK.
Exiting Maintenance Mode
To exit Maintenance Mode:
1. On the Setup menu, click Maintenance Mode.
2. Click Exit Maintenance Mode.
Chapter 12: Advanced Administration
Configuration Manager
Network Configuration
1. On the Setup menu, click Configuration Manager. When the Configuration Manager screen appears, click on the Network Setup tab.
Figure 192: Configuration Manager Network Settings Screen
2. Type the CC-SG hostname in
236. List of figures (continued; legible entries):
Figure 270: Viewing Log Files
Figure 271: Selecting Log Files to View
Figure 272: Selecting Log Files to View
Figure 273: Changing Colors in Log Files
Figure 274: Displaying Information
Figure 275: Adding Expressions in Log Files
Figure 276: Specifying a Regular Expression for a Log
Figure 278: Selecting CC-SG Restart in Diagnostic Console
Figure 279: Restarting CC-SG in Diagnostic Console
Figure 280: Selecting CC-SG System Reboot in Diagnostic Console
Figure 281: Rebooting CC-SG in Diagnostic Console
Figure 282: Password Configuration
Figure 283: Configuring Password Settings
Figure 284: Account Configuration
237. nnect a port, select the port to be disconnected and click Disconnect to disconnect the selected ports from their current sessions.
3. Click Manage Report Data to save or print the report. Click Save to save the report to a location of your choice or Print to print the report. Click Close to close the window.
4. Click Close to close the Active Ports report.
Asset Management Report
The Asset Management report displays data on current devices.
1. On the Reports menu, click Asset Management Report. The Asset Management report is generated.
238. List of figures (continued; legible entries):
Figure 178: Locked Out Users Report
Figure 179: CC-NOC Synchronization Report
Figure 180: Reset CC-SG Screen
Figure 181: Backup CC-SG Screen
Figure 182: Restore CC-SG Screen
Figure 183: Browse to Upload a Backup of CC
Figure 184: Refresh Shortcut Button
Figure 185: Upgrade CC-SG Screen
Figure 186: Restart Screen
Figure 188: Shutdown CC-SG Screen
Figure 191: Enter Maintenance Mode
Figure 192: Configuration Manager Network Settings Screen
Figure 193: Primary/Backup Network
Figure 194: Active/Active Network
Figure 195: Configuration Manager Logs Screen
Figure 196: Configuration Manager Inactivity Timer Screen
Figur
239. List of figures (continued; legible entries):
Figure 38: Edit Category Window
Figure 39: Delete Category Window
Figure 40: Association Manager Screen
Figure 41: Add Element Window
Figure 42: Edit Element Window
Figure 43: Delete Element Window
Figure 44: Association Wizard Overview
Figure 45: Association Wizard Category And Elements Screen
Figure 46: Adding Another Category
Figure 47: Association Wizard Confirm Choices
Figure 48: Association Wizard Summary Screen
Figure 49: Import Categories Screen
Figure 50: Analysis Report Screen
Figure 51: The Devices Tab And View Devices Screen
Figure 52: Add Device Selection Screen
240. Figure 151: Security Manager LDAP Screen, General Tab
Type the IP address or hostname of the LDAP server in the IP Address/Hostname field. For hostname rules, see Terminology/Acronyms in Chapter 1: Introduction.
Type the port value in the Port field. The default port is 389.
Check Secure Connection for LDAP if using a secure LDAP server and enter a security realm.
Check Anonymous Bind if your LDAP server allows anonymous queries. You do not need to enter a user name and password with anonymous binding.
Note: By default, Windows 2003 does NOT allow anonymous queries. Windows 2000 servers do allow certain anonymous operations whose query results are based on the permissions of each object.
If not using anonymous binding, type a User name and Password. Enter a Distinguished Name (DN) to specify the credentials used to query the AD server. For DN, enter the common name, organizational unit, and domain. For example, type uid=admin,ou=Administrators,ou=TopologyManagement,o=NetscapeRoot. Separate the values with commas, but do not use spaces before or after the comma. The value themse
241. List of figures (continued; legible entries):
Figure 88: Device Groups Manager Screen
Figure 89: Device Groups Manager Screen
Figure 90: Delete Rule Window
Figure 91: Search for Devices
Figure 92: Disconnect
Figure 93: The Ports Tab And View KVM Port Screen
Figure 94: Configure Ports Screen
Figure 95: Configure Serial Ports Screen
Figure 96: Associated Generic Device with a Serial Port
Figure 97: In-Band Parameters
Figure 98: Configure Ports Screen
Figure 99: Configure KVM Port Screen
Figure 100: In-Band Parameters
Figure 101: Associated Generic Device with a KVM Port
Figure 102: Configure Ports Screen
Figure 103: Configure Generic Ports Screen
Figure 104: Configure Ports Screen for PowerStrip Device
Figure 105: Configure Ports Screen for IPMI Server
Figure 106: Configure Outl
242. n the Devices tree, select a device, then on the Devices menu click Device Power Manager. The Device Power Manager screen appears. Figure 78. Device Power Manager Screen. 2. The outlets will be listed in the Outlets Status panel. You may have to scroll to view all outlets. Click the On or Off radio buttons for each outlet to power ON or power OFF the outlet. Click Recycle to restart the device connected to the outlet. Click Close to close the Device Power Manager screen. Repeat steps through 5 to monito
243. nu click Groups Manager and then click Device Group Manager. The Device Groups Manager screen appears. Figure 88. Device Groups Manager Screen. 2. Click on the Group Name drop-down arrow and select the device group for which you want to set rules. 3. Click on the Prefix, Category, Operator, and Element drop-down arrows to set up a rule, and type the name of the rule in the Rule Name field. 4. Click Add Rule. The new rule appears in the rule table as a short regular expression. Raritan 72 COMMANDCENTER SECURE GATEWAY ADMINISTRATOR GUIDE. Important: You can combine the application of two or more rules by using operators such as & (meaning "and") or the vertical bar (which shares the < > key on your keyboard), meaning "or". Note: When you select a category, make sure you select a proper operator that relates to the element in order for the rule to take effect. For example, if countries of the world category is selected, relate it to operator to equal only the country you pick as an element of the rule. Devices are grouped according to this rule once added to the system. 1. Click Validate and the short regular expres
244. o proceed. Please see Chapter 2: Accessing CC-SG for additional information. Click Yes to upgrade the device or No to cancel the operation. A Restart message appears; click Yes to restart the device or No to close the window without restarting. A Device Upgraded Successfully message confirms that the device has been upgraded. Repeat steps 1 through 6 to upgrade other devices. Note: Firmware for iLO RILOE cannot be upgraded using CC-SG. Ping Device: You can ping a device to determine if the device is available in your network. 1. Click on the Devices tab and select a device from the Devices tree. 2. On the Devices menu, click Device Manager, and then click Ping Device. The Ping Device screen appears, showing the result of the ping. Figure 65. Ping Device Screen. Click Close to clear this screen. Repeat steps 1 through 3 to ping other devices. Restart Device: Use the Restart Device command to restart a device. 1. Click on the Devices tab and select a device from the Devices tree. 2. On the Devices menu, click Device Manager, and then click Restart Device. The Restart Device screen appears. Figure 66. Restart Device Screen. Click OK to restart the device or Cancel to exit without restarting. A Device Restart Successfully message confirms that the device has been restarted.
245. QUESTION (fragment): systems any constraints or assumptions. ANSWER (fragment): odel and the network model. The data center model uses Paragon to scale to thousands of systems in a single data center. This is the most effective and cost efficient way to scale a single location. It also supports the network model with IP Reach and the IP User Station UST IP. The network model scales through use of the TCP/IP network and aggregates access through CC-SG so users don't have to know IP addresses or the topology of access devices. It also provides the convenience of single sign on. Authentication. QUESTION: How many user accounts can be created for CC-SG? ANSWER: Check your licensing restrictions. There is no specified limit to the number of user accounts that can be created for CC-SG, but the number is not limitless. The size of the database, the performance of the processor, and the amount of memory on the hosting server will determine how many user accounts can actually be created. These user accounts can be any combination of Administrators and Operators, with at least one Administrator account. QUESTION: Can I assign specific port access to a specific user? ANSWER: Yes, if you have Administrator permissions. Administrators have the ability to assign specific ports per user. Raritan APPENDIX G FAQS. QUESTION: If we had more than 1,000 users, how would this be managed? That is, do you support Active Directory? QUESTION: What options are available for authentication with directory services and
246. of the device. Click OK to restore the back up or Cancel to exit without restoring. 5. When the Restart message appears, click Yes to restart the device or No to close the window without restarting. A Device Configuration Restored Successfully message confirms that all user and system configuration data has been restored. 6. Repeat steps 1 through 5 to restore other devices' configurations. Raritan CHAPTER 5 ADDING DEVICES AND DEVICE GROUPS. Copy Device Configuration: This command allows you to copy configurations from one device to another or multiple devices. Note: Configuration can only be copied between Dominion SX units and DSX units that have the same number of ports. 1. Click on the Devices tab and select the device whose configuration you wish to copy to other devices from the Devices tree. On the Devices menu, click Device Manager, and then click Copy Device Configuration. The Copy Device Configuration screen appears. Figure 63. Copy Device Configuration Screen. If you have used the Backup Device option on this device, you can copy that configuration instead by selecting From Saved Configuration and then selecting the configuration from the saved configuration drop-down arr
247. ole The read-only status console is displayed. This screen dynamically displays information to help you determine the health of your system and if CC-SG and its sub-components are working. The time in the upper right corner of the screen is the last time on the CC-SG the data was polled. Figure 257. Status Console. Important information to hone in on includes the Up status for CC-SG and other sub-components such as Database. If it is Down, it may be in the process of rebooting. Or
248. on Adding or Editing a User Group. This chapter explains how to assign privileges to groups; please see Appendix D: User Group Privileges for more information on what each privilege means. 1. On the Users menu, click Add User Group. The Add User Group screen appears. Figure 125. Add User Group Screen. 2. Type the group name in the User Group Name field (1-16 characters, alphanumeric characters and underscores). 3. Type the group description, for example based on department, region, or assignment, in the Description field. 4. In the Select Privileges section, check the check box(es) in the Has it column to assign the specific privilege line items to the group. The Type column indicates whether the feature is a Command type feature or an Event type feature; please see Appendix D: User Group Privileges for more information. 5. Click OK to add the group or Cancel to exit without saving. A User Group Created Successfully message confirms that a group has been created. 6. Repeat steps 1 through 5 to add other groups. Raritan CHAPTER 7 ADDING USERS AND USER GROUPS 101. Edit User Group: This command allows you to rename group and modify its Features. Important P
249. on X off. Click on the H W Flow Control check box to enable or disable. Click on the In band Parameters if you want to change the in-band parameters. Select a new category and element from the Port Associations table. Click OK to edit the port or Cancel to exit without saving the changes. A Port Updated Successfully message confirms that port has been updated. Repeat steps 1 through 12 to edit other ports. Raritan CHAPTER 6 CONFIGURING PORTS AND PORT GROUPS 89. Edit a KVM Port: 1. Click on the Ports tab and select a KVM port to be edited. 2. On the Ports menu, click Edit Port. The Edit KVM Port screen appears. Figure 110. Edit KVM Port Screen. Type a new port name in the Port Name field. Click on the Application Name drop-down arrow and select an application from the list. Select a new category and element from the Port Associations table. Click OK to edit the port or Cancel to exit without saving the changes. A Port Updated Successfully message confirms that port has been updated. Repeat steps 1 through 7 to edit other ports. Edit a Generic Port: 1. Click on the Ports tab and select a Gener
250. on if desired. Select the associated category and element from the Port Associations table. Click In Band Parameters if you want to allow in-band access for this KVM port. Figure 100. In Band Parameters. Click on the Associate Generic Device drop-down arrow and select a Generic device which will be associated with this KVM port. When a Generic device is associated with a KVM port, it looks like this in the Devices tree. Figure 101. Associated Generic Device with a KVM Port. 10. Click on the In band application drop-down arrow and select either RemoteDesktop Viewer, SSH Client, VNC Viewer. Type the IP address of the target associated with this port in the Target IP Address field, type the port used by the In band application in Target TCP Port, and type a username that is used to log in to the in-band application in the Target Username field. If a target name is supplied, then only a password is required when accessing a target. Click OK to save the In band parameter settings or Cancel to exit without saving. Click OK to configure the KVM port or Cancel to exit without configuring. A Port Configured Successfully message confirms that port has b
251. one or more (Ctrl click) tasks, status, or owner. Click View Tasks to view the filtered list. Note: You cannot delete a task that is currently running. 4. To view the history of a task, select a task and click Task History. Figure 243. Task History. 5. To view details of a task, double-click on a task. Figure 244. Task Details. Note: If a task is changed or updated, its prior history no longer applies and the Last Execution Date will be blank. Raritan CHAPTER 12 ADVANCED ADMINISTRATION 197. Notification Manager: Use Notification Manager to configure an external SMTP server so notifications can be sent from CC-SG. Notifications are used to email reports that have been scheduled, email reports if users are locked out, email status of failed or successful scheduled tasks; please see section Task Manager earlier in this chapter for add
252. onfiguration Manager screen. Configure the Modem on Client PC: Connect a phone line to the CC-SG, which has a built-in modem. Optionally, remove the LAN cables. On the client that will be dialing in, connect a modem to the client machine, for example a Windows XP machine. Connect a phone line to the client modem. Restart the client machine, and the connected modem is discovered as new hardware. Install the modem on the client as follows, which assumes a Windows XP client machine: 1. Select Control Panel, Phone and Modem Options. 2. Click on the Modems tab. Figure 199. Modems Tab. 3. Click Properties. 4. Click on the Advanced tab. Figure 200. Extra Initialization Commands. 5. Type an initialization command in Extra initialization commands that will be used by your modem to set the Carrier detection flag. For example, type at&c for a SoftK56 Data Fax modem. This is necessary to tell Windows not to close the started Modem connection process when the modem connection is closed from the other dialed-in side. Click OK to save the settings. Configure the Dial Up Connection: The following procedure illustrates creating an inbound dial-up connection to CC-SG from a Windows XP client machine. 1. On the start menu, click My Network Places. 2. Right-click in the window and select Proper
253. onnection and no additional configuration is required. Out of Band Access (OBA) connections using the firewall must be configured on the Setup > Configuration Manager > Connection Mode menu to use Proxy mode. This way, CC-SG will connect to the various targets, either IBA or OBA, on behalf of the PC Client requests. However, the CC-SG will terminate the PC Client to Target TCP/IP connection that comes through the firewall. It is NOT recommended to run non-SSL traffic through a firewall. Raritan APPENDIX B CC SG AND NETWORK CONFIGURATION 235. Security and Open Port Scans: As part of the CC-SG Quality Assurance process, several open port scanners are applied to the product, and Raritan Computer makes certain that its product is not vulnerable to these known attacks. All the open or filtered/blocked ports are listed in the above sections. Some of the more common exposures are (issue, then synopsis): CVE-1999-0517, CVE-1999-0186, CVE-1999-0254, CVE-1999-0516: snmp (161/UDP), the community name of the remote SNMP server can; The remote telnet server shut the connection abruptly when given a long username followed by a password; The remote host might be vulnerable to a sequence number approximation bug, which may allow an attacker to send spoofed RST packets to the remote host and close established connections; CVE-2004-0079, CVE-2004-0081, CVE-2004-0112: The remote host is using a version of OpenSSL which is older than 0.9.6m 0 9 74
254. or aliases as described below. COMMAND, ALIAS, DESCRIPTION: quit (alias q): Terminates Port Connection and returns to SSH prompt; get write (alias gw): Gets Write Access. Allows SSH user to execute commands at target server while browser user can only observe proceedings in the port; Gets History: Displays the last few commands and results at target server; Sends Break: Breaks the loop in target server initiated by browser user; Prints help screen. From the CC-SG GUI, you can view an Active Report that displays connections initiated by SSH clients. To view ports that are busy and have connections initiated by SSH clients, you can run a Query Port. Please see Chapter 10: Generating Reports for additional information. Exit a Session: To exit the entire SSH connection to CC-SG, type exit. Diagnostic Console: The Diagnostic Console is a standard, non-graphical interface that provides local access to CC-SG. It can be accessed from a serial or KVM port, or from Secure Shell (SSH) clients such as PuTTY or OpenSSH Client. Two logins are provided: one is status and the other is admin. Default password for admin is raritan. All login usernames and passwords are case sensitive. Logging in as status displays current system information to ascertain the health of CC-SG. The admin account allows you to set initial parameters, view log files
255. or example, a target server cannot be assigned to both the Windows and Unix elements of the OS Type category above. A useful approach for organizing your systems when servers are similar and need to be randomly organized is the following: CATEGORY, ELEMENT. The design and specification of the Association requirements should be done prior to setting up CC-SG. You should give careful thought upfront on how you want to organize and display your Raritan devices and target systems, and how you want to control user access to the ports. As you add devices and ports, you link them to your predefined categories and elements. When you create port and device groups to include in a policy, you will use your categories and elements to define which ports and devices go in each group. Association Terminology: You should read the following definitions to understand associations. Associations is the relationship between categories, elements of a category, and ports or devices or both. For example, you want to associate the Location category with a device. You should create associations first, or edit them later, before adding devices and ports in CC-SG. Category is a variable that contains a set of values or elements. An example of a Category is Location, which may have elements such as New York City, Philadelphia, or Data Center 1. When you add devices and ports to CC-SG, you will associate this information with them. It is easier if
256. or users who need port access only to a particular set of devices or target servers and systems. New 3.0 Features: These administrator features are now available in CC-SG 3.0. Note: If viewing a PDF file, click on the page number to navigate to the location in the document where the feature is described. FEATURE, LOCATION: Import of Categories, Devices, Ports from CSV File: Page 45. New CC-SG 3.0 user features, including Port Chat, Bookmark Port, and Search for Ports, are documented in Raritan's CommandCenter Secure Gateway User Guide. Raritan CHAPTER 2 ACCESSING CC SG 7. Chapter 2: Accessing CC-SG. Once you have configured CC-SG with an IP address and have defined at least one user, as described in Raritan's CommandCenter Secure Gateway Setup Guide, the CC-SG unit can be placed at its final destination. Make all necessary hardware connections to make the unit operational. You can access CC-SG in several ways, each described in this chapter. Through a browser: CC-SG supports numerous Web browsers; please see the Compatibility Matrix on http://www.raritan.com/support and click Firmware Upgrades, then CommandCenter, for a complete list of browsers and platforms. Through a standalone client: Install the executable from the included CD and run this instead of using the browser-based applet. This executable functions exactly like the downloaded applet. Thro
257. Figure 36. Association Manager Screen. 2. Click Add in the Category panel to add a new category. The Add Category window appears. Figure 37. Add Category Window. 3. Type a category name in the Category Name field. Maximum length is 31 characters. Click on the Value Type drop-down arrow to select a value type of String or Integer. 5. Click on the Applicable For drop-down arrow to select the type of device this category applies to: Device, Port, or Both. 6. Click OK to create the new category or Cancel to exit without creating. The new category name appears in the Category Name field. 7. Repeat steps 1 through 6 to add other new categories. Raritan CHAPTER 4 CREATING ASSOCIATIONS 39. Edit Category: 1. On the Associations menu, click Association Manager. The Association Manager screen appears. Click on the Category Name drop-down arrow and select the category to be edited. 3. Click Edit in the Category panel of the screen to edit the category. The Edit Category
258. ort. Click on the Application Name drop-down arrow and select an application name. Click on the Baud Rate drop-down arrow and select a rate. Click on the Parity Data Bits drop-down arrow and select a parity value. Click on the Flow Control drop-down arrow and select a flow control value. Click on the Associate Device drop-down arrow and select a Generic device, IPMI Server, or Powerstrip which will be associated with this Serial port. When a Generic device is associated with a Serial port, it looks like this in the Devices tree. Figure 96. Associated Generic Device with a Serial Port. 10. Select the associated category and element from the Port Associations table. 11. Click In Band Parameters if you want to allow in-band access for this Serial port. Figure 97. In Band Parameters. 12. Click on the In band application drop-down arrow and select either RemoteDesktop Viewer, SSH Client, VNC Viewer. Type the IP address of the target associated with this port in the Target IP Address fie
259. orts. CC Users initially has only the Ports Access privilege, but the privileges can be changed in this group. Policies can be applied to this group to provide access rights to ports. Note: The Users Not in Group is technically not a user group, but can be considered as a holding area for users until they are moved into another group. Add User Group: Use the Add User Group command to create specific groups and assign them different privileges, depending on the needs of your work environment. Groups can help you keep your system organized. Assign privileges or features to Groups upon creating them. These Select Privileges are privileges of either a command type or an event type. Command type privileges permit users to see and execute commands. Event type privileges permit users to view events in the Ports and Devices trees. Users inherit the features/privileges assigned to the group to which they belong. No user can have any rights other than those assigned to the group. As an example, if a group is assigned the User Management feature, all users in that group can see and execute the User Manager commands in the Users menu (Add User, Edit User, Change User Password, etc.). In order to see Ports and Devices trees, a user group has to be assigned the Device and Port Management feature. To view other events that occur in the system, those privileges must be selected up
260. Figure 19. Association Wizard Summary Screen. The Association Wizard has now created a port group for each element and a policy for each port group. You can add ports to these port groups by using the Port Group Manager. To make changes to any of the categories after using the Wizard, from the Associations menu click Association Manager. To make changes to any of the policies, click Policy Manager from the Associations menu. By default, the Association Wizard sets the policy for control access at all times. Add Devices: Before adding devices to CC-SG, prepare them by assigning them an IP address, creating a CC-SG admin account. Please see CommandCenter Secure Gateway Setup Guide for more information. Important: Ensure that no other users are logged into the device during CC-SG configuration. 1. Click on the Devices tab. 2. On the Devices menu, click Device Manager, and then click Add Device. The Add Device selection screen appears. Figure 20. Add Device CC-SG. 3. Click on the Device Type drop-down arrow and select a type of device from the list. Raritan CHAPTER 3 EXAMPLE CONF
261. orts, create views, use port power management, use port chat, are described in Raritan's CommandCenter Secure Gateway User Guide. Port Manager: Port Manager commands allow you to configure, connect to, and disconnect from ports of serial devices, generic devices, IPMI servers, and KVM devices in your CC-SG. Once configured, CC-SG provides centralized access to the target device(s) attached to Dominion and IP Reach units. CC-SG supports Raritan products as listed in the table below. RARITAN UNITS, NUMBER OF PORTS, SSL: Dominion SX16; Dominion KX416; Dominion KX101; Model Dependent; Requires DKX firmware support. When you click on the Ports tab, the Ports tree displays information about the Ports connected with CC-SG. Clicking on a port causes the View Port screen to appear. Ports are arranged alphabetically by name or grouped by availability status. Ports arranged by status are sorted alphabetically within their availability grouping. To switch between arranging methods, right-click on the tree, click Port Sorting Options, then click Sort By Port Name or Sort By Port Status. Figure 93. The Ports Tab And View KVM Port Screen.
262. ottom of the window, for example jraritan ldap1. Figure 149. Logging In as Remotely Authenticated User. LDAP Netscape: Once the CC-SG applet is started and a user name and password are entered, a query is forwarded either through CC-SG or directly to the LDAP server. If the username and password match those in the LDAP directory, the user is authenticated. The user will then be authorized against the local user groups on the LDAP server. 1. On the Setup menu, click Security Manager. When the Security Manager screen appears, click Add External AA Server in the General tab. Figure 150. Security Manager Add Module Screen. Raritan CHAPTER 9 CONFIGURING REMOTE AUTHENTICATION 125. 2. In Add Module screen, select LDAP from the pulldown menu, specify a name for the server, and click Next.
263. ount and Retry Interval. Select the unit for time: seconds, minutes, hours, or days. Default is 3 and 5, respectively. Retry Count specifies the number of times the task is attempted to execute if it fails, and Retry Interval is the amount of time between attempts. 7. Click on the Notification tab to specify email recipients. By default, the email address of the user currently logged in will be used. The user's email is configured in the user profile; see section Change Own Password in Chapter 7: Adding Users and User Groups. If an email was not configured, then this field is blank. By default, email is sent if the task was successful. To notify the recipient of failed tasks, click the On Failure checkbox. Figure 241. Specifying Task Email Notification. 9. To send email to additional recipients, click Add. Enter a valid email address and click OK. Then click On Success to have the recipient be notified if the task was successful, or On Failure to have the recipient be notified if the task failed, or both. View a Task, Details of a Task, and Task History: To view a task: 1. On the Setup menu, click Task Manager. Task Manager Fi
264. our client PC. This means that it must have been downloaded from the Raritan website or off a Raritan CD. If you have just acquired the firmware as a zip file, unzip the file and follow the instructions provided by the README file. Check and Upgrade Application Versions: Check and upgrade the CC-SG applications, for example Raritan Console (RC) or Raritan Remote Client (RRC). 1. On the Setup menu, click Application Manager. Figure 9. CC-SG Application Manager. 2. Select an application from the pull-down menu and note the number in the version field. If the firmware needs upgrading, see the previous section, Check and Upgrade CC-SG Firmware Version, and continue to step 3. Select the application name that needs to be upgraded. Click Browse. Figure 10. CC-SG Application Search Window. Click on the Look In drop-down menu and navigate to locate the application on your PC where the new firmware resides. When you find the application, select it and click Open. T
265. ow. Highlight the devices you want to copy this configuration to in the Available Devices column and click the right arrow to move them to the Copy Configuration To column. The left arrow moves Selected devices out of the Copy Configuration To column. Click OK to copy the configuration to the devices in the Copy Configuration To column or Cancel to exit without copying. A Restart message appears after copying. Click Yes to restart the device or No to close the window without restarting. A Device Configuration Copied Successfully message confirms that device configuration has been copied. Repeat steps 1 through 6 to copy other devices' configurations. Upgrade Device: Use the Upgrade Device command to download new versions of device firmware. 1. Click on the Devices tab and select a device from the Devices tree. 2. On the Devices menu, click Device Manager, and then click Upgrade Device. The Upgrade Device screen appears. Figure 64. Upgrade Device Screen. Click on the Firmware Name drop-down arrow and select the appropriate firmware from the list. Raritan or your reseller will provide this information. Click OK to upgrade the device or Cancel to close the Upgrade Device screen. If the firmware version of the device is not compatible with CC-SG, a message will alert you and ask if you want t
266. p of all devices that have an IP address starting with 192.168. This could be used to only allow administrators access to those devices on a particular subnet. To control access to this group of devices, you could create a policy to include this device group and apply it to a particular administrator user group. Raritan CHAPTER 8 CREATING POLICIES 109. Policies: Policies define what you can do, what you can do it to, and when you can do it. Policies allow specification of days and times, port/device access, and if it was granted control access (Read/Write) or deny access (None). Policies specify a port group or device group, which defines the ports or devices a user will have access to, or not. It is important to remember that policies do not specify the user group. Therefore, you need to apply the policies to a user group. Apply Policies to User Group: By applying a policy to a user group, you have specified which users have access to which ports and devices. The policy governs what the user group can do, what devices or ports they can access, and when they can do it. Through this process, you can implement complex administrative and security objectives. Policy Summary: The following diagram is a visual representation of how to implement security with CC SG. CommandCenter knows association info about each Port, such as OS Windows and Site Dallas. Define Port Groups with boolean rules using Port
267. p on that unit. Raritan CHAPTER 11 SYSTEM MAINTENANCE 155. Saving and Uploading Backup Files: You can also save and load CC SG backups to and from your local PC using the Restore CommandCenter screen. 1. Click on the backup you wish to save to your PC and then click Download. 2. Specify a location to save your CC SG backup file. 3. To upload a backup to a CC SG unit, click Upload on the Restore CommandCenter screen and browse your system for the backup of your CC SG configuration. Figure 183: Browse to Upload a Backup of CC SG. 4. When you have located the file, click Open to add it to the list of available backups on your CC SG server. Note: Saving and restoring can be used to move a backup from one CC SG unit to another. Refresh CC SG Display: Any edits or modifications made to users, ports, categories, elements, and other system components are not reflected in the system until the database is updated. If you are logged in while another user is updating the database, you will not see these changes unless you refresh your screen or log out of CC SG and log back in. 1. Click on the Refresh shortcut button in the CC SG toolbar to refresh your browser.
268. peration of this equipment in a residential environment may cause harmful interference. Japanese Approvals. Raritan is not responsible for damage to this product resulting from accident, disaster, misuse, abuse, non-Raritan modification of the product, or other events outside of Raritan's reasonable control or not arising under normal operating conditions. For assistance in the North or South America, please contact the Raritan Technical Support Team by telephone 732-764-8666, by fax 732-764-8887, or by e-mail tech@raritan.com. Ask for Technical Support, Monday through Friday, 6:00am to 6:00pm Eastern. For assistance around the world, please see the last page of this guide for regional Raritan office contact information. Safety Guidelines: To avoid potentially fatal shock hazard and possible damage to Raritan equipment: Do not use a 2-wire power cord in any product configuration. Test AC outlets at your computer and monitor for proper polarity and grounding. Use only with grounded outlets at both the computer and monitor. When using a backup UPS, power the computer, monitor and appliance off the supply. Rack Mount Safety Guidelines: In Raritan products which require Rack Mounting, please follow these precautions: Operation temperature
269. press the Enter key to select a value. 1. To view or change static routes, click Operation, Network Interfaces, then Static Routes. Figure 268: Selecting Static Routes. 2. The current IP routing table is displayed. You can add a host or network route, or delete a route. Figure 269: Editing Static Routes. Viewing Log Files (Admin): You can view one or more log files simultaneously via LogViewer, which allows browsing through several files at once to examine system activity. 1. To view log files, click Operation, Admin, then System Logfile Viewer. Figure 270: Viewing Log Files. 2. Click with the mouse or use the VT keys to navigate and press the Enter key to select a log
270. r a user that satisfies the text entered in the search box. Searches are case insensitive. 1. Click on the Users tab. Figure 130: Search for Users. 2. At the bottom of the window, enter a search string in Search For User. 3. Click Go or press ENTER. Navigation Tips: When a user has been found, the user is displayed in the Users tree. Use the JL and T keys to navigate to the next user. When a user is highlighted in the Users tree, press the TAB key to return to the Search For User box. To clear the results and refresh the display in the Users tree, you can press the F5 key or click P in the toolbar. Raritan CHAPTER 7 ADDING USERS AND USER GROUPS 105. Supported Wildcards: These wildcards are supported. WILDCARD, DESCRIPTION: Indicates any character. Indicates a character in range. Indicates zero or more characters. Example: EXAMPLE, DESCRIPTION: Locates root and rootN but not root1N Locates ccroot2SX ccroot12K X admin 0 9 0 9 Locates admin11 but not admin112. Chapter 8 Creating Policies: Controlling User Access with Policies
271. r and control other devices. Note: CC SG automatically recognizes the outlets of PowerStrips attached to Dominion KX and P2 SC devices as additional ports of those devices; no PowerStrip association is necessary. These outlets are added and configured the same as any other device port. See section Port Manager in Chapter 6: Configuring Ports and Port Groups for instructions on adding and editing ports. Raritan CHAPTER 5 ADDING DEVICES AND DEVICE GROUPS 67. Discover Devices: Use this command to initiate a search for all devices on your system. The search will automatically detect all newly attached and previously existing Raritan devices on your network, including Paragon P2 SC, IP Reach, Dominion KX, Dominion KSX units, IPMI servers, and CC SGs. After locating the devices, you may connect them to your CC SG system if they are not already connected. Note: iLO/RILOE devices and Generic devices, such as hubs, Windows servers, Cisco routers, cannot be discovered. They have to be manually added. 1. Click on the Devices tab. 2. On the Devices menu, click Discover Devices. The Discover Devices screen appears. Discover Devices screen: Please provide IP range. From address: 192.168.51.0. To address: 192.168.51.255. Mask: 255.255.255.0. Broadcast discovery. Device types: CommandCenter Secure Gateway, Dominion KSX, Dominion KX, Dominion KX101, Dominion SX, IP Reach, IPMI Server, Paragon II System Controll
272. r in the group will be made over the whole directory structure. cn=Administrators,cn=Users,dc=raritan,dc=com: The search query for the user in the group will be performed only in the Administrators sub-directory (entry). 3. Type a user's attributes in Filter so the search query for the user in the group will be restricted to only those entries that meet this criterion. For example, if you specify cn=Groups,dc=raritan,dc=com as the Base DN and (objectclass=group) as the Filter, then all entries that are in the Groups entry and are of type group will be returned. 4. Click OK to save the settings. 5. On CC SG, in the Security Manager screen, click Import Groups to retrieve a list of user group values stored on the Active Directory server. If any of the user groups are not already on the CC SG, you can import them here and assign them an access policy.
273. r to confirm the reset. Important: Using the Reset command will flush the database of CC SG. All Devices, Ports, and Users will be removed from the CC SG. Authentication is also reset to using Local DB. You should back up the CC SG before using Reset. Backup CC SG: 1. On the Setup menu, click Backup CommandCenter. 2. When the Backup CommandCenter screen appears, if desired, check Do not backup logs if you do not want the log files backed up. Also check Do not backup firmware binaries if you do not want the device firmware binaries to be backed up. Checking these options saves time and disk space. Figure 181: Backup CC SG Screen. 3. Click OK. The backup file will be saved in the CC SG file system and can be restored at a later time, and a success message will appear to confirm CC SG backup. Restore CC SG: 1. On the Setup menu, click Restore CommandCenter. 2. When the Restore CommandCenter screen appears, choose if you want to click on the backup that you want to restore to your CC SG unit, and then click OK.
274. Figure 167: Audit Trail Report. Click Manage Report Data to save or print the report. Click Save to save the records that are displayed to a CSV file, or click Save All to save all records. Click Print to print the records that are displayed, or Print All to print all records. Click Close to close the window. Click Clear to clear the contents of the report. If the report is lengthy, click Next or Previous to navigate through the pag
275. respond to requests initiated by the Secondary node. Note: In a cluster configuration, only the Primary CC SG communicates with CC NOC. Whenever a CC SG becomes primary, it sends its IP address, in addition to the IP address of the Secondary CC SG, to CC NOC. Create a Cluster: In the event of a failover, the administrator should send an email to all CC SG users notifying them to use the IP address of the new Primary CC SG node. Important: It is recommended to back up your configuration on both nodes before setting up a cluster configuration. Set Primary CC SG Node: 1. On the Setup menu, click Cluster Configuration. The Cluster Configuration screen appears. 2. Click Discover CommandCenters to scan and display all CC SG appliances on the same subnet as the one you are currently using. Alternatively, you can add a CC SG, perhaps from a different subnet, by specifying an IP address in CommandCenter address in the bottom of the window. Click Add CommandCenter.
276. Figure 143 Specifying General Values for Active Directory Server; Figure 144 Specifying Advanced Values for Active Directory Server; Figure 145 Specifying Group Values for Active Directory Server; Figure 146 Importing Groups from Active Directory Server; Figure 147 Viewing Privileges of Imported Group; Figure 148 Viewing Policy of Imported Group; Figure 149 Logging In as Remotely Authenticated User; Figure 150 Security Manager Add Module Screen; Figure 151 Security Manager LDAP Screen General Tab; Figure 152 Security Manager LDAP Screen Advanced Tab; Figure 153 Security Manager Add Module Screen; Figure 154 Specifying a TACACS Server; Figure 155 Security Manager Add Module Screen; Figure 156 Specifying a RADIUS Server; Figure 157 Security Manager Certificate Screen; Raritan FIGURES; Figure 158 Generate Certificate Signing Request Screen
277. rs Group. If you want your users to have access to all devices, ports, and CC SG, you can simply create and place users in the System Administrators user group. This simplifies the configuration process by eliminating the need to create user groups, port groups, and policies to control user access. If you do not put users in the default System Administrators group, you will need to complete the additional sections that follow this one. After adding a user, they will be able to log into CC SG and connect to ports, configure the system, etc. Note: Please remember that many of the commands in the Users menu can be accessed by right-clicking on the user icon and using the shortcut menu that appears. 1. Click on the Users tab. 2. On the Users menu, click Add User. Alternatively, right-click on a user and select Add User. The Add User screen appears. Figure 27: Add User Screen. 3. Type the user's name in the Username field (1-32 characters, alphanumeric characters or underscores, no spaces). 4. Check the Remote Authentication check box only if the user should be authenticated by TACACS, RADIUS, LDAP, or AD. Note: Checking the Remote Authentication
278. rt groups. Delete Port Group: 1. On the Associations menu, click Groups Manager, and then click Port Groups Manager. The Port Groups Manager screen appears. 2. Click on the Group Name drop-down arrow and select a group to delete from the list. Click Delete to delete the group. The Delete Port Group window appears. Figure 115: Delete Port Group Window. 3. Click Yes to delete the port group or No to close the window. 4. Click Close to close the Port Groups Manager screen. 5. Repeat steps 1 through 4 to delete other port groups. Chapter 7 Adding Users and User Groups: User Manager commands are listed in the Users menu and allow you to define the CC SG user list and assign user privileges for performing various functions. CC SG maintains a centralized user access list. Only an Administrator (a user with Administrator privileges) can manage user accounts. Important: Many of the menu bar commands can be accessed by right-clicking on a User icon in the Selection tree on the left side of your CC SG window and choosing a command from the shortcut menu that appears. Add User: 1. Right-click on a user group in the Users tree and select Add User. The Add User screen appears.
279. rtant: This guide is written to address CC SG Administrators in the second person. Any phrase that addresses the reader as you is referring to users with Administrator privileges. Administrators can assign subsets of Administrator privileges to other users. Overview: In addition to providing the capability to aggregate and manage multiple Dominion series serial units and IP Reach units from a central location, CC SG has powerful built-in features and capabilities for management and configuration. Contains administrative tools to manage the application. Runs health checks on all Dominion and IP Reach access devices it manages. Automatically refreshes the Ports, Users, and Devices trees when new components are added. Queries and sorts information as it is presented on the display. Configures various authentication schemes based on operational environment needs. Allows addition, deletion, and modification of users. Allows addition, deletion, and modification of Dominion and IP Reach access devices managed. Allows addition, deletion, and modification of the applications associated with ports. Main Window Components: Menu Bar (Operation and Configuration commands); Toolbar (shortcuts for commands); Selection tabs.
280. Figure 146: Importing Groups from Active Directory Server. 6. Check the boxes next to the groups you wish to import to CC SG, such as CC Users. Note: To save time in searching and finding the groups you want to import, you can manually add the user groups in CC SG instead, as long as the name and case of the user group is the same; see Chapter 7: Adding Users and User Groups for details. Then assign the user group an access policy. 7. In the Policies column, assign those groups to a CC SG access policy. These policies should already be created; please see Chapter 8: Creating Policies for details on adding policies. Click Import to import the selected user groups. To check that the group was imported properly and to view the privileges of the group just imported, click on the Users tab, right-click on the group, and select Edit User Group. Figure 147: Viewing Privileges of Imported Group. Raritan CHAPTER 9 CONFIGURING REMOTE AUTHENTICATION 123. 10. Verify the policy of the group that was imported by clicking th
281. s Data report is generated. Use the scroll bar to scroll through the list and view all entries. Figure 174 All Users
282. s are able to restart other devices. Upgrade Device: Users are able to upgrade device. Pause Resume Device Users are able to release device from Management CC SG control. Columns: USERS GROUP PRIVILEGE, AVAILABLE COMMANDS, USER CAPABILITY. Configuration Manager Users are able to change general device settings configuration of CC SG. Add Device: Users are able to add new devices. Edit Device: Users are able to modify devices name and parameters. Bulk Device Copy Users are able to copy device Management CC SG control topology of devices devices are able to manually discover Devices Raritan devices. Change Port View: Users are able to customize port view. Edit Port Users are able to modify port name and. Active Ports: Users are able to view active ports. Asset Management Users are able to view asset devices tree CommandCenter NOC parameters Ports Devices Tree are able to view Compatibility Matrix connected users to it disconnect it. Port Power Manager: Users are able to turn on and off a port. Change Port View: Users are able to customize port view. Ports Tree: Users are able to view ports tree are able to view Active Ports report for own ports connected are able to view User data report are able to sort ports visible in Ports Tree
283. s can be set up using Policy Manager commands, as described in the section Policy Manager later in this chapter. 1. Click on the Users tab and select a group. 2. On the User menu, click Edit User Group Policies. The Edit User Group Policies screen appears. Figure 127: Edit User Group Policies Screen. 3. Click on a line item in the Policies list under the All Policies panel that you wish to assign to the group. Scroll up or down to view all policies in this list. Click on the Day(s) check boxes to select which days of the week the policy should be assigned. 4. Click Add to add the policy to the Selected Policies panel and assign it to the group. 5. To remove an assigned policy from the Selected Policies list, select the policy line item and click Delete. 6. Click OK to add the policy or policies to the group, or Cancel to exit without editing. A User Group Policies Updated Successfully message confirms that policies have been updated. 7. Repeat steps 1 through 6 to edit other groups' policies. Delete User Group: This command allows you to remove a group name from the system. Users from the deleted group will be re-assigned to the category Users Not In Group, displayed at the base of the Users tree. 1. Click on the Users tab and select
284. s tree and select Remote User Station Admin. The Remote User Station Admin screen appears, listing all connected IP Reach and UST IP units. Click the Launch Admin button in the row of the device you want to work with to activate Raritan Remote Console and launch the blue device configuration screen in a new window. Figure 76: Remote User Station Admin Option. Figure 77: IP Reach Administration Screen. Device Power Manager: Before using the Device Power Manager view, make a physical connection of a PowerStrip to a Dominion SX or Dominion KSX unit. When you add the PowerStrip device, define this connection in CC SG. Once the PowerStrip is added, you can associate it with the Dominion SX serial ports or with Dominion KSX dedicated power ports. The Device Power Manager view displays outlets connected to devices' ports and allows you to remotely power on or power off associated ports, as well as monitor power, voltage, current, and temperature of the device. 1. I
285. s who are authenticated and authorized locally by CC SG and does not apply to users who are remotely authenticated by external servers; see Chapter 9: Configuring Remote Authentication for additional information. Failed login attempts due to insufficient user licenses also do not apply. Note: By default, the ccroot account is locked out for five minutes after three failed login attempts. For ccroot, the number of failed login attempts before lockout and after lockout is not configurable. 1. On the Setup menu, click Security Manager. When the Security Manager screen appears, click on the General tab. 2. Scroll down until you see Lockout Settings. Figure 214: Lockout Settings. 3. Click Lockout Enabled. The default number of failed login attempts before a user is locked out is 3. You can change this value by entering a number from 1 to 10. 5. Choose a Lockout Strategy: a. If you choose Lockout for period and specify a period of time in minutes the user will be locked out before they can login again. The default number is 5 minutes, but you can specify anywhere from 1 minute up to 1440 minutes (24 hours). After the time
286. se security, you must enter the passcodes in CC NOC within five minutes after they are generated on CC SG. This will minimize the window of opportunity for intruders to breach the system with a brute-force attack. Avoid transmitting the passcodes over email or other electronic means to avoid a possible interception by automated systems. A phone call or exchange of written codes between trusted parties is better protection against automated interception. 12. Once the certificate exchange process is complete, a secure channel has been established between CC NOC and CC SG. The CC NOC data will be copied to CC SG. Click OK to complete the process. If the process does not complete within 5 minutes, it times out and data is not saved in CC SG, and any stored certificates are deleted. Retry the procedure again: go to Step 1 in Add a CC NOC on page 182. Note: CommandCenter NOC can only be added to standalone or primary node CC SG servers. Edit a CC NOC: 1. On the CommandCenter NOC menu, click Configuration. The NOC Configuration screen appears. Figure 228: CC NOC Configuration Screen. 2. Highlight a CC NOC in the list and click Edit. The Edit CC NOC Configuration screen appears
287. sion expands into a normal expression of the rule in the lower field of the screen. 2. Click Update to update the device group. The new rule is associated with this device group from now on, and any new devices will also comply with rules assigned to this device group. Click Close to close the Device Groups Manager screen. Repeat steps 1 through 7 to add other rules to device groups. Delete Device Rule: 1. On the Associations menu, click Groups Manager, and then click Device Group Manager. The Device Groups Manager screen appears. Figure 89: Device Groups Manager Screen. 2. Select a rule to be deleted from the rule table and click Delete Rule. The Delete Rule window appears. Figure 90: Delete Rule Window. 3. Click Yes to delete the rule or No to close the window. Click Close to close Device Groups Manager screen. 5. Repeat steps 1 through 4 to delete other rules. Search for Devices: CC SG can search for a device name that satisfies the text entered in the search box. Searches ar
288. Figure 104: Configure Ports Screen for Powerstrip Device. Figure 105: Configure Ports Screen for IPMI Server. Raritan CHAPTER 6 CONFIGURING PORTS AND PORT GROUPS 85. 3. Click the Configure button that corresponds to the outlet port line item you wish to configure. A Configure Outlet Port screen appears. Figure 106: Configure Outlet Port Screen. 4. Type the por
289. such as date and time of access. Port Groups: a defined group of ports that are accessible to a user. Port groups are used when creating a policy to control access to the ports in the group. Raritan CHAPTER 1 INTRODUCTION 5. Ports are connection points between a Raritan Device and a target system or server. Or a port can be a device that is directly connected to a LAN/CC SG via in-band access. In CC SG, you click on a port to access and manage the target. The port is essentially the destination system and should be named appropriately for that system, for example NYC SunSRVI1. SASL: Simple Authentication and Security Layer. A method for adding authentication support to connection-based protocols. SSH clients, such as Putty or OpenSSH, provide a command line interface to CC SG. Only a subset of CC SG commands is provided via SSH to administer devices and CC SG itself; please see Chapter 12: Advanced Administration for additional information. Target Usernames: specified when configuring in-band parameters of a serial, KVM, or generic port. When a name is specified, only a password is required when accessing the target. User Groups are a set of users that share the same level of access and privileges. For example, the default user group System Administrators has full access to all configuration tasks and target hosts and servers. All other user groups have restricted CC SG access and should typically be employed f
290. sword should be at least six characters in length.
User Name or Password does not conform to requirements as stated above.
Password and Confirm Password do not match.
A user account with same User Name already exists on CC-SG.
14. Repeat steps 1 through 13 to add other users.

Edit User
This command allows you, as Administrator, to edit a user's parameters.
1. Click on the Users tab. In the Users tab area, a Group icon shows multiple figures and a User icon appears as a single person; click on the sign before a group name to expand and view all users within it. Select a user from the Users tree. On the User menu, click Edit User. The Edit User screen appears.
[Figure 117: Edit User Screen]
Check the Login enabled check box to authenticate the user against the system; if not, user cannot enter the system. Check the Force Change Password on Next Login check box if you want this user to be forced to change password the next time he or she logs into CC-SG.
[Page header: Raritan, Chapter 7: Adding Users and User Groups, p. 95]
5. Check the Force Change Password Periodically check box if you want this user to have to change
291. [Figure 162: Active Users Report]
2. To disconnect user, select the user name to be disconnected and click Logoff to disconnect the selected users from their current sessions.
[Page header: Raritan, CommandCenter Secure Gateway Administrator Guide, p. 136]
3. Click Manage Report Data to save or print the report. Click Save to save the report to a location of your choice or Print to print the report.
[Figure 163: Manage Report Window]
4. Click Close to close the Manage Report window.
5. Click Close to close the Active Users report.

Active Ports Report
The Active Ports report displays ports that are currently in use. You can view or disconnect ports from this report.
1. On the Reports menu, click Active Ports. The Active Ports report is generated.
[Figure 164: Active Ports Report. Columns: User, Device, Port, Allowed, Opened, User IP Address, Connection Type]
2. To disco
292. t Pre Login Message or Edit MOTD
[Figure 260: Selecting to Edit Pre Login Message]
2. Using the Delete and Backspace keys, type a new message in the box provided. For Message of the Day, the height is fixed and up to 76 characters can be entered.
[Figure 261: Editing MOTD for Status Console]
3. Click Save as Default at the bottom of the screen, or press the TAB key and press Enter once Save as Default is highlighted. Press Q or C to exit.
The Pre Login and Message of the Day have three separate buffers or areas:
• Admin Console Screen: starts with a copy of the Active Message and can be edited by this user session.
• A sys
293. t a group. On the User menu, click Delete User Group. The Delete User Group screen appears.
[Figure 128: Group Delete User Group Screen]
Click OK to delete the group or Cancel to exit without deleting. A User Group Deleted Successfully message confirms that group has been deleted. Repeat steps 1 through 3 to delete other groups.

Assign Users to Group
Use this command to assign users who are members of one group to a different group. Users can be members of more than one group.
1. Click on the Users tab and select a group to which you want to add users.
2. On the User menu, click Assign Users To Group. The Assign Users in Group screen appears.
[Figure 129: Assign Users in Group Screen]
All users in the system are listed in the Users not in group list. Select a user or users to assign to the group listed in the User group name field. Click to add the user name to the Users in group list. To remove any user names from the Users in group list, select the user names and click
6. Click OK to assign users to the group or Cancel to exit without saving. A Users Assigned Successfully message confirms that users have been assigned.
7. Repeat steps 1 through 6 to assign users to other groups.

Search for Users
CC-SG can search fo
294. t name in the Port Name field. For ease of use, you should name the port after the server that is connected to the port.
5. If you want to associate this port with another port, click on the Associated Port drop-down arrow and select a port name. For example, an outlet of an IPMI server may be connected to a channel of a Raritan KX device.
6. Click OK to configure the outlet port or Cancel to exit without configuring. A Port Configured Successfully message confirms that outlet port has been created.
7. Repeat steps 1 through 6 to configure other outlet ports.

Delete Ports
Delete a port to remove the port entry from the Ports tree and cancel all accessibility of the remote target device.
1. Click on the Ports tab and select a port to be deleted.
2. On the Devices menu, click Port Manager, and then click Delete Port. The Delete Port screen appears.
295. tab.
[Figure 144: Specifying Advanced Values for Active Directory Server]
2. Specify a port (default is 389) on which the Active Directory server is listening.
3. Optionally, check Secure Connection for LDAP if you want to use a secure channel for the connection. If checked, CC-SG uses Simple Authentication and Security Layer (SASL) with Digest MD5 authentication.
4. If using a secure connection, specify a Security Realm against which users will be authenticated. If using a single domain controller, it will have a single realm whose name is the same as that of the domain controller. For example, if the Domain Controller is dc raritan dc com, then the default realm will be raritan.com. If a realm is not specified, the default will be used, or one will be selected for you if there are multiple realms.
Note: You may have multiple AD servers connected in a trusted forest. Each AD server will have a separate security realm. For example, you may have AD1 and AD2 with security realms of realm AD1 and realm AD2, respectively.
296. tant: Many of the menu bar commands can be accessed by right-clicking on a Device icon and selecting a command from the shortcut menu that appears.
[Page header: Raritan, Chapter 5: Adding Devices and Device Groups, p. 51]

Add Device
Use this command to add a new device to the system.
1. Click on the Devices tab.
2. On the Devices menu, click Device Manager, and then click Add Device. The Add Device selection screen appears.
[Figure 52: Add Device Selection Screen]
3. Click on the Device Type drop-down arrow and select a type of device from the list.
4. Click Next to proceed. The Add Device description screen appears. Depending on the type of device you selected, you will see a device in the Dominion family (KSX, KX, KX101, or SX), an IP-Reach, a Paragon II System Controller, an Intelligent Platform Management Interface (IPMI) v1.5 device, a PowerStrip, a Generic device (for example, a hub, Windows server, or Cisco router), or an ILO/RILOE screen.
[Figure 53: Add Device Screen for PowerStrip]
297. tem buffer that is held across system resets.
• The Active Message buffer, as seen by users when they interact with the system.

BUTTON | DESCRIPTION
Clear | Removes all text in the currently displayed Admin Console screen. Has no effect on the value used by the system.
Load System Default | Replaces the Admin Console Screen with the contents of the System Buffer.
Save as Default | Puts the current Admin Console Screen into System Buffer. Has no effect on the Active Message display.
Make Active | Replaces the current Active Message with the contents of the Admin Console screen. All new users will see the new message.

Editing Status Console Configuration
Status Console
The Diagnostic Console can be accessed from a serial or KVM port, or from Secure Shell (SSH) clients. For each port type, you can configure whether or not status or admin logins are allowed, and if field support can also access Diagnostic Console from the port. For SSH, you can also configure the port number to be used.
1. To edit status console configuration, click Operation, Status Console, then Status Console Config.
[Figure 262: Selecting to Edit Status Console Config]
2. Click or use the TAB key, VT keys, and Enter keys to determine what you want displayed in status console. There are three Diagnostic Console Access m
298. thentication and authorization are performed locally on CC-SG.

User Accounts
User Accounts must be added to the authentication server for remote authentication. Except when using Active Directory for both authentication and authorization, all remote authentication servers require that users be created on CC-SG. The user's user name on both the authentication server and on CC-SG must be the same, although the passwords may be different. The local password is used only when remote authentication is disabled. Please see Chapter 7: Adding Users and User Groups for additional information on adding users who will be remotely authenticated.
Note: If remote authentication is used, users have to contact their Administrators to change their passwords on the remote server. Passwords cannot be changed on the CC-SG server for remotely authenticated users.
To use CC-SG for port-level authorization, a local account with assigned ports must be added.

Establish Order of Authentication Databases
The General properties allow you to set the order of your authentication databases. If the first checked option is unavailable, CC-SG will try the second, then the third, and so on, until it is successful.
1. On the Setup menu, click Security Manager. When the Security Manager screen appears, click on the General tab.
299. thout adding. An Added Successfully To User Group message confirms that the user has been added to a group.
5. Repeat steps 1 through 4 to add more users to this or to other groups.

Delete User from Group
This command removes a user from a specific group, but not from the system. If a user is not assigned to any other group, that user is moved to Users Not In Group, a non-specific category shown at the base of the Users tree.
1. Click on the Users tab and select a user to be deleted.
2. On the Users menu, click Delete User From Group. The Delete User From Group screen appears.
[Figure 124: Delete User From Group Screen]
3. Click OK to delete the user or Cancel to exit without deleting. A Deleted Successfully From Group message confirms that the user has been deleted from the group.
4. Repeat steps 1 through 3 to delete other users from this or other groups.

Default User Groups
A CC-SG is shipped with these default user groups:
• System Administrators: user group in which ccroot resides. The account ccroot is a special type of super user Administrator, which is always authenticated locally by CC-SG. Users in this group have all privileges as listed in Appendix D: User Group Privileges, but the privileges cannot be changed. Users in this group can also manage (add, edit, delete) users and user groups. Policies can be applied to users in this group to provide access rights to p
300. ties
3. Under Network Tasks in the Network Connections window, click Create a new connection.
[Figure 201: Create a new connection]
4. Click Next.
[Figure 202: New Connection Wizard]
5. Click Connect to the network at my workplace.
6. Click Dial-up connection.
7. Type a name for CC-SG, for example, CommandCenter.
[Figure 203: Connection Name]
8. Type the phone number used to connect to CC-SG and click Next. This is NOT the dial-back number that was configured as the Client phone under the Modem tab in Configuration Manager on CC-SG.
301. [Figure 272: Selecting Log Files to View]
4. While viewing log files, type CTRL C to return to the previous screen.
5. If desired, you can change colors in a log file to highlight what is important. Type c to change colors of a log file and select a log from the list if you have chosen to view several. Once color choices are displayed, type q to exit the window.
[Figure 273: Changing Colors in Log Files]
6. Type i for info to display system information.
Note: System load is static as of the start of this Admin Console session; use the TOP utility to dynamically monitor system resources.
302. tions menu, click Policy Manager. The Policy Manager screen appears.
[Figure 31: Policy Manager Screen]
2. Click Add to add a new policy. The Add Appliance Policy window appears.
[Add Policy window]
3. Type the name of the new policy in the Enter Policy Name field.
4. Click OK to add the new policy. If you clicked OK, the new policy name appears in the Name field.
5. Click on the Device Group drop-down arrow and select a device group.
6. Click on the Port Group drop-down arrow and select a port group.
7. Click on the up or down arrows in the Start Time and End Time fields to assign a starting time and an ending time during a 24-hour period for this policy to be in effect.
8. Select the appropriate option buttons for this policy to be in effect: Any to apply policy every day, Weekday to apply policy every working day, Weekend to apply policy Saturdays and Sundays, and Custom to manually choose the days policy to be applied. If you choose Custom chec
303. ugh SSH. Please note that remote devices connected via the serial port can be accessed using this approach. Please see Chapter 12: Advanced Administration for additional information.
Through the Diagnostic Console: Provides emergency repair and diagnostics only, and is not a replacement for the primary GUI to configure and operate the CC-SG unit. Please see Chapter 12: Advanced Administration for additional information.
Note: Users can be connected simultaneously using the browser, standalone client, and SSH while accessing the application.

Browser Based Access
1. Using a supported Internet browser, enter the URL of the CC-SG: https://<IP address>, for example, https://10.0.3.30. When the security alert window appears, click Yes to continue with the procedure. CC-SG is always SSL enabled; when you connect via IE, the Security Alert is displayed because the CA root certificate is not installed in the browser.
[Figure 3: Security Alert Window]
304. uld all be assigned to the system administrator's user group.

Control User Access
You can control user access to devices, ports, and CC-SG administration through user groups and policies. User groups define a user's privileges, and policies specify the devices and ports a user can access. First create a user group, apply a policy to the user group, then add users to the user group.

Create User Groups
Use the Add User Group command to create specific user groups and assign them privileges based on the needs of your work environment. Groups can help you keep your system organized.
Assign privileges to Groups upon creating them. These privileges are either a command type or an event type. Command-type privileges permit users to see and execute commands. Event-type privileges permit users to view events in the Ports and Devices trees. Users inherit the privileges assigned to the group to which they belong. No user can have any rights other than those assigned to the group.
As an example, if a group is assigned the User Management privilege, all users in that group can see and execute the User Manager commands in the Users menu (Add User, Edit User, Change User Password, etc.). In order to see Ports and Devices trees, a user group has to be assigned the Device and Port Management privilege. To view other events that occur in the system, those privileges must be selected upon adding or editing a user group.
Note: A user group by default has no
305. [Figure 176: Query Port Report]
2. Click on one or more checkboxes to customize the port information you want to see in the report.

PORT STATUS | DEFINITION
New | Port is available (physical connection to target server is in place), but the port has not been configured. Click Configure next to the port in the report to configure it now.
Unused | Port is unavailable (physical connection to target server is not in place), and the port has not been configured. Click Configure next to the port in the report to configure it now if the device is available.
Available | Port has been configured and connection to port is possible.
Unavailable | Connection to port is not possible since the device is down and unavailable.
 | A user is connected to this port.

3. Click Apply to generate the report. Checking more than one checkbox and clicking
306. window appears.
[Figure 38: Edit Category Window]
4. Type the new category name in Category Name field.
5. Click the Applicable For drop-down arrow to change whether this category applies to Device, Port, or Both. Please note that a string value cannot be changed to an integer value, and vice versa. If you must make this type of change, please delete the category and add a brand new one.
6. Click OK to edit the category or Cancel to exit without editing. The updated category name appears in the Category Name field.
7. Click Close to close the Association Manager screen.
8. Repeat steps 1 through 7 to edit other categories.

Delete Category
Deleting a category deletes all of the elements created within that category. The deleted category will no longer appear in the Devices tree once the screen is refreshed or the user logs out and logs back into CC-SG.
1. On the Associations menu, click Association Manager. The Association Manager screen appears.
2. Click on the Category Name drop-down arrow and select the category to be deleted.
3. Click Delete in the Category panel of the screen to delete the category. The Delete Category window appears.
[Figure: Delete Category window]
307. y launch. In this case, you must uninstall or disable your old Java version and provide serial port connectivity to CC-SG to ensure proper operation.
• If the CC-SG applet does not load, check your Web browser settings. In IE, on the Tools menu, click Internet Options and click on the Advanced tab. Ensure Java (Sun) is enabled. Open Java Plug-in in your Control Panel, click on the Browser tab, and adjust the settings for your browser.
• If you have problems adding devices, ensure the devices have the correct firmware versions.
• If the network interface cable is disconnected between the device and CC-SG, wait for the configured heartbeat minutes and then plug the network interface cable back in. During the configured heartbeat period, the device operates in standalone mode and can be accessed through RRC, MPC, RC, etc.
• If you receive an error message that states your client version is different from the server version and that behavior may be unpredictable, you should restart or empty the cache of your browser.

Client Browser Requirements
Please see your CC-SG Compatibility Matrix for the most current matrix of Client Browser and PC Platform Requirements. Go to http://www.raritan.com/support and click Firmware Upgrades, then CommandCenter.

Import CSV File Category Device Port Error Message
If you receive a "No valid element was found in the analysed file" error message or "Element Category not found in definition" mess
308. you wish to connect to directly.
i. Type your client IP Address in the Net Address field at the base of the screen.
ii. Type your client net mask in the Net Mask field.
[Page header: Raritan, Chapter 12: Advanced Administration, p. 173]
iii. Click the Add button to add the Net Address and Mask to the screen. You may have to use the scroll bar on the right side of the screen to view the Add, Remove, Update buttons.
[Figure 210: Configuration Manager Connection Screen Both]

Device Settings
1. On the Setup menu, click Configuration Manager. When the Configuration Manager screen appears, click on the Device Settings tab.
2. To update device Default Port, select a Device Type in the table and double-click on the Default Port value. Type the new Default Port value and press the Enter key.
3. To update device timeout duration, double-click on the Heartbeat (sec) value at the bottom of the screen. Type new timeout duration for this device.
[Configuration Manager screen, Device Settings tab. Device Type and Default Port: Dominion KX 5000; IPMI Server 623; Dominion KSX 5000; IP-Reach 5000; Dominion KX101 5000; Dominion SX 5000; Paragon II System Controller 5000. Heartbeat (sec): 600]
309. [Figure 11: Security Warning for Signed Console Applet]
[Figure 12: RaritanConsole Application]
applications that can be integrated into CC-SG.
[Page header: Raritan, Chapter 2: Accessing CC-SG, p. 13]

Power Down CC-SG
If running CC-SG on the V1 platform and if it loses AC power while it is up and running, the V1 unit remembers its last power state. Once AC power is restored, the V1 unit automatically reboots. However, if a V1 unit loses AC power when it is turned OFF, the V1 unit will remain powered off when AC power is restored.
Important: Do not hold the POWER button for four or more seconds to forcibly power down CC-SG, particularly when CC-SG is up and running. The recommended way to power down CC-SG is to use the following procedure.
To power down the CC-SG:
1. Remove the bezel and firmly tap the POWER button.
2. Wait for approximately one minute while CC-SG gracefully powers down. You can monitor the progress on the console that is attached to the KVM port.
Note: If users are logged into CC-SG via Diagnostic Console, they will receive a short broadcast message. Users logged into CC-SG via the GUI or SSH will not receive a message.
3. If removing the AC power cord, let the power down process completely finish before removing the power cord.