Restricting Access To The Remote Console Port - HP AB500A - Integrated Lights-Out Advanced Configuration

Planning and configuration recommendations for integrated lights-out processors

Table 6. Example of distinguished and SAN user names

Authentication Method   Directory User Field   User Identification
Default Schema          distinguished name     CN=john.doe@MyCompany.com,OU=IT,DC=MyCompany,DC=com
                        SAN                    john.doe@MyCompany.com

Use of the SAN will:
• Authenticate against Microsoft Active Directory, since AD has LDAP extensions that can map the SAN to the correct user.
• Not authenticate against Novell eDirectory by itself.
• Authenticate against Novell if you have configured appropriate search context information on iLO's Directory Settings page.

NOTE: When using the HP extended schema method, HP recommends selecting the SAN option on the Two-Factor Authentication Settings page. SAN will always work if the extended schema method is being used. The certificate subject may not work if the DN is not the same as the subject. The only time SAN would not work is if the UPN field (inside the SAN) was not configured as the user's email address, but it is standard to populate this field with the user's email address.

For more detailed instructions about setting up Two-Factor Authentication, see the "HP Integrated Lights-Out 2 User Guide" at:
http://h20000.www2.hp.com/bc/docs/support/SupportManual/c00553302/c00553302.pdf

Restricting access to the Remote Console port

Because Telnet is not an inherently secure protocol, administrators may be reluctant to use its functionality. The following describes how iLO overcomes this limitation and facilitates secure Telnet access. The Remote Console port (port 23) allows an authorized user to establish a Remote Console session with the host server. To provide tighter security, a user with supervisor rights can restrict access to the Remote Console port and can turn on Remote Console encryption. The following lists indicate the available options for access to the iLO and iLO 2 Remote Console ports respectively:

iLO Remote Console settings
• The Remote Console port is always disabled. A user trying to access the Remote Console will always be denied access when this setting is in place. This setting provides the highest security, but it may not allow adequate management capabilities.
• The Remote Console port is set to "auto-enable." This setting is the default for the Remote Console port. This setting disables the port except when iLO senses the Remote Console applet starting. In that case, iLO automatically enables the Remote Console port and automatically disables it when the Remote Console session has ended. The iLO device actively refuses any other connection attempt to port 23, so the host server is inaccessible via a standard Telnet application. iLO maintains exclusive control over the port when using the Remote Console applet.
• The Remote Console is enabled. An authorized user can access the Remote Console port at any time. This allows a Telnet connection or a Remote Console applet connection to be made to the Remote Console port.
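The settings above differ in what a plain TCP connection to port 23 sees, so an administrator can audit them from the management network. The following is an added example, not part of the HP document: it classifies each device's Remote Console port as open, refused or unanswered. The target names are constructed, and loopback sockets stand in for iLO devices so the script runs offline.

```python
import socket

REMOTE_CONSOLE_PORT = 23  # Remote Console port named in the text

NOTES = {
    "open": "accepts connections: consistent with the 'enabled' setting",
    "refused": "actively refused: consistent with 'disabled' or idle 'auto-enable'",
    "no-response": "no answer: filtered or unreachable, setting cannot be inferred",
}

def probe(host, port=REMOTE_CONSOLE_PORT, timeout=2.0):
    """Classify one TCP connect attempt as open, refused or no-response."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "refused"
    except OSError:  # timeouts, unreachable hosts, name resolution failures
        return "no-response"

def audit(targets, timeout=2.0):
    """targets: (name, host, port) tuples taken from your own inventory."""
    findings = []
    for name, host, port in targets:
        state = probe(host, port, timeout)
        findings.append({"name": name, "state": state,
                         "flag": state == "open", "note": NOTES[state]})
    return findings

def demo():
    """Constructed stand-ins on loopback: one listening port, one closed port."""
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    spare = socket.socket()
    spare.bind(("127.0.0.1", 0))
    closed_port = spare.getsockname()[1]
    spare.close()  # nothing listens here any more, so connects are refused
    try:
        return audit([("ilo-enabled", "127.0.0.1", listener.getsockname()[1]),
                      ("ilo-restricted", "127.0.0.1", closed_port)])
    finally:
        listener.close()

if __name__ == "__main__":
    for f in demo():
        print(f"{f['name']}: {f['state']}{' [REVIEW]' if f['flag'] else ''} - {f['note']}")
```

For a real audit, pass `audit()` the management addresses from your inventory with port 23. A flagged device is one where a standard Telnet client could reach the Remote Console port.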
