Opengear ACM7000 User Manual

page of 246

/ 246
Contents
Table of Contents
Bookmarks

Table of Contents

Quick Links

User Manual

ACM7000 Remote Site Gateway

ACM7000-L Resilience Gateway

IM7200 Infrastructure Manager

CM7100 Console Servers

Version 4.6

2019-09-11

Table of Contents

Need help?

Do you have a question about the ACM7000 and is the answer not in the manual?

Questions and answers

Summary of Contents for Opengear ACM7000

Page 1 User Manual ACM7000 Remote Site Gateway ACM7000-L Resilience Gateway IM7200 Infrastructure Manager CM7100 Console Servers Version 4.6 2019-09-11...
Page 2: Fcc Warning Statement
This console server device is not approved for use as a life-support or medical system. Any changes or modifications made to this console server device without the explicit approval or consent of Opengear will void Opengear of any liability or responsibility of injury or loss caused by any malfunction.
Page 3 Information in this document is subject to change without notice and does not represent a commitment on the part of Opengear. Opengear provides this document “as is,” without warranty of any kind, expressed or implied, including, but not limited to, the implied warranties of fitness or merchantability for a particular purpose.
Page 4: Table Of Contents
TABLE OF CONTENTS THIS MANUAL ............................6 ............................6 YPES OF USERS ........................... 6 ANAGEMENT ONSOLE ..........................7 ORE INFORMATION SYSTEM CONFIGURATION ........................8 ......................8 ANAGEMENT ONSOLE ONNECTION .......................... 10 DMINISTRATOR ........................11 ETWORK ONFIGURATION ..................15 ERVICE CCESS AND RUTE ORCE ROTECTION...
Page 5 User Manual ALERTS, AUTO-RESPONSE & LOGGING ....................129 ........................129 ONFIGURE ESPONSE ..........................131 HECK ONDITIONS ..........................142 RIGGER CTIONS ..........................145 ESOLVE CTIONS SMTP, SMS, SNMP ........145 ONFIGURE AGIOS SERVICE FOR ALERT NOTIFICATIONS ............................. 150 OGGING POWER, ENVIRONMENT & DIGITAL I/O ..................... 153 (RPC) ......................
Page 6: This Manual
VLAN to the console server. 1.2 Management Console The Opengear Management Console allows you to configure and monitor the features of your Opengear console server. The Management Console runs in a browser and provides a view of the console server and all connected devices.
Page 7: More Information
User Manual For command line interface (CLI) commands and advanced instructions, download the Opengear CLI and Scripting Reference.pdf from http://ftp.opengear.com/download/manual/current/. 1.3 More information For more information, consult: • Opengear Products Web Site: See https://opengear.com/products. To get the most up-to-date information on what’s included with your console server, visit the What’s included section for your particular product.
Page 8: System Configuration
Chapter 2: System Configuration 2 SYSTEM CONFIGURATION This chapter provides step-by-step instructions for the initial configuration of your console server and connecting it to the Management or Operational LAN. The steps are: Activate the Management Console. § Change the administrator password. §...
Page 9 Enable IP masquerading for cellular connection (System > Firewall page. See Chapter 4) After completing each of the above steps, you can return to the configuration list by clicking the Opengear logo in the top left corner of the screen.
Page 10: Administrator Set Up
Chapter 2: System Configuration 2.2 Administrator Set Up 2.2.1 Change default root System Password Change the default password before granting the console server any access to your computers and network appliances. 1. Click Serial & Network > Users & Groups or, on the Welcome screen, click Change default administration password.
Page 11: Network Configuration
254 characters. 3. The MOTD Banner can be used to display a message of the day text to users. It appears on the upper left of the screen below the Opengear logo. 4. Click Apply. 2.3 Network Configuration Enter an IP address for the principal Ethernet (LAN/Network/Network1) port on the console server or enable its DHCP client to automatically obtain an IP address from a DHCP server.
Page 12 Chapter 2: System Configuration 1. Click System > IP and click the Network Interface tab. 2. Choose either DHCP or Static for the Configuration Method. If you choose Static, enter the IP Address, Subnet Mask, Gateway and DNS server details. This selection disables the DHCP client.
Page 13 User Manual NOTE In some cases, the user specified MTU may not take effect. Some NIC drivers may round oversized MTUs to the maximum allowed value and others will return an error code. You can also use a CLI command to manage MTU Size: configure # config -s config.interfaces.wan.mtu=1380 check...
Page 14 Chapter 2: System Configuration 2.3.2 Dynamic DNS (DDNS) configuration With Dynamic DNS (DDNS), a console server whose IP address is dynamically assigned can be located using a fixed host or domain name. Create an account with the supported DDNS service provider of your choice. When you set up your DDNS account, you choose a username, password, and hostname that you will use as the DNS name.
Page 15: Service Access And Brute Force Protection
User Manual 7. Click Apply. 2.4 Service Access and Brute Force Protection The administrator can access the console server and connected serial ports and managed devices using a range of access protocols/services. For each access: • The service must first be configured and enabled to run on the console server. •...
Page 16 USB flash. These servers are used to store config files, maintain access and transaction logs etc. Files transferred using tftp and ftp will be stored under /var/mnt/storage.usb/tftpboot/ (or /var/mnt/storage.nvlog/tftpboot/ on ACM7000- series devices). Unchecking Enable TFTP (FTP) service will disable the TFTP (FTP) service.
Page 17 User Manual SNMP Enables netsnmp in the console server. SNMP is disabled by default 6. Click Apply. A confirmation message appears: Message Changes to configuration succeeded The Services Access settings can be set to allow or block access. This specifies which enabled services administrators can use over each network interface to connect to the console server and through the console server to attached serial and network connected devices.
Page 18: Communications Software
User clients also use these protocols when accessing console server serial attached devices and network attached hosts. You need communications software tools set up on the administrator and user client’s computer. Opengear provides the SDT Connector as the recommended client software tool. You may use other tools such as PuTTY and SSHTerm.
Page 19: Management Network Configuration
User Manual SDT Connector is a Java client program that couples the trusted SSH tunneling protocol with popular access tools such as Telnet, SSH, HTTP, HTTPS, VNC, RDP to provide point-and-click secure remote management access to all the systems and devices being managed. Information on using SDT Connector for browser access to the console server’s Management Console, Telnet/SSH access to the console server command line, and TCP/UDP connecting to hosts that are network connected to the console server can be found in Chapter 5.
Page 20 Chapter 2: System Configuration NOTE The second Ethernet port can be configured as either a Management LAN gateway port or as an OOB/Failover port. Ensure you did not allocate NET2 as the Failover Interface when you configured the principal Network connection on the System > IP menu. To configure the Management LAN gateway: 1.
Page 21 User Manual 3. Enter the Gateway address to be issued to the DHCP clients. If this field is left blank, the console server’s IP address is used. 4. Enter the Primary DNS and Secondary DNS address to issue the DHCP clients. If this field is left blank, console server’s IP address is used.
Page 22 Chapter 2: System Configuration 2. Enter the Hostname, the Hardware Address (MAC) and the Statically Reserved IP address for the DHCP client and click Apply When DHCP has allocated hosts addresses, it is recommended to copy these into the pre-assigned list so the same IP address is reallocated in the event of a reboot.
Page 23 User Manual • By default, Interface Aggregation is disabled on the System > IP > General Settings menu • Select Bridge Interfaces or Bond Interfaces When bridging is enabled, network traffic is forwarded across all Ethernet ports with no firewall restrictions. All the Ethernet ports are all transparently connected at the data link layer (layer 2) so they retain their unique MAC addresses With bonding, the network traffic is carried between the ports but present with one MAC address...
Page 24 Chapter 2: System Configuration WAP configuration 1. Configure the IP Settings for the Wireless Network. If the device is being used as a Wireless AP, a static address is set here in the IP Settings. In this example, 192.168.10.1 is used. Set the IP address, and the netmask, but do not fill in the Gateway, Primary DNS, and Secondary DNS.
Page 25 User Manual If WEP is selected: • WEP Mode: Select Open System or Shared System. Open System is more secure than Shared, due to the way encryption keys are used. • WEP Key Length: Select the WEP key length. 128-bit keys offer more security but are not supported on all devices.
Page 26 Chapter 2: System Configuration For DHCP, the device looks for configuration details from a DHCP server on your management LAN. This selection disables any static address. The device MAC address can be found on a label on the base plate 2.
Page 27 User Manual To add to the static route to the route table of the System: 1. Select the Route Settings tab on the System > IP General Settings menu. 2. Click New Route 3. Enter a Route Name for the route. 4.
Page 28: Serial Port, Host, Device & User Configuration
Chapter 3: Serial Port, Device and User Configuration 3 SERIAL PORT, HOST, DEVICE & USER CONFIGURATION The console server enables access and control of serially-attached devices and network-attached devices (hosts). The administrator must configure access privileges for each of these devices and specify the services that can be used to control the devices.
Page 29 User Manual • Device mode sets the serial port up to communicate with an intelligent serial controlled PDU, UPS or Environmental Monitor Devices (EMD) • SDT mode enables graphical console access (with RDP, VNC, HTTPS etc.) to hosts that are serially connected •...
Page 30 Chapter 3: Serial Port, Device and User Configuration • Type in a label for the port • Select the appropriate Baud Rate, Parity, Data Bits, Stop Bits and Flow Control for each port • Set the Port Pinout. This menu item appears for IM7200 ports where pin-out for each RJ45 serial port can be set as either X2 (Cisco Straight) or X1 (Cisco Rolled) •...
Page 31 Level 4: Log LOGIN, LOGOUT, SIGNAL and TXDATA events Input/RXDATA is data received by the Opengear device from the connected serial device, and output/TXDATA is data sent by the Opengear device (e.g. typed by the user) to the connected serial device.
Page 32 Chapter 3: Serial Port, Device and User Configuration <username>:<port label> <username>:<ttySX> <username>:<serial> For a user named chris to access serial port 2, when setting up the SSHTerm or the PuTTY SSH client, instead of typing username = chris and ssh port = 3002, the alternate is to type username = chris:port02 (or username = chris:ttyS1) and ssh port = 22.
Page 33 User Manual Logging into a device connected to the console server may require authentication. For Unauthenticated Telnet the default port address is IP Address _ Port (6000 + serial port #) i.e. 6001 – 6048 Unauthenticated SSH This enables SSH access to the serial port without authentication credentials. When a user accesses the console server to Telnet to a serial port, they are given a login prompt.
Page 34 Chapter 3: Serial Port, Device and User Configuration Encrypt Traffic / Authenticate Enable trivial encryption and authentication of RFC2217 serial communications using Portshare (for strong encryption use VPN). Accumulation Period Once a connection has been established for a particular serial port (such as a RFC2217 redirection or Telnet connection to a remote computer), any incoming characters on that port are forwarded over the network on a character by character basis.
Page 35 User Manual 3.1.3 SDT Mode This setting allows port forwarding of RDP, VNC, HTPP, HTTPS, SSH, Telnet, and other LAN protocols to computers that are locally connected to the console server by their serial COM port. Such port forwarding requires a PPP link to be set up over this serial port. For configuration details See Chapter 5.
Page 36 Chapter 3: Serial Port, Device and User Configuration 3.1.6 Serial Bridging Mode With serial bridging, the serial data on a nominated serial port on one console server is encapsulated into network packets and transported over a network to a second console server where it is represented as serial data.
Page 37 See Chapter 6. 3.1.8 NMEA Streaming ACM7000-L can provide GPS NMEA data streaming from the internal GPS /cellular modem. This data stream presents as a serial data stream on port 5 on the ACM models.
Page 38: Add And Edit Users
Chapter 3: Serial Port, Device and User Configuration 3.1.9 USB Consoles Console servers with USB ports support USB console connections to devices from a wide range of vendors, including Cisco, HP, Dell and Brocade. These USB ports can also function as plain RS-232 serial ports when a USB-to-serial adapter is connected.
Page 39 User Manual Users can be authorized to access specified services, serial ports, power devices and specified network- attached hosts. These users can also be given full administrator status (with full configuration and management and access privileges). Users can be added to groups. Six groups are set up by default: admin Provides unlimited configuration and management privileges.
Page 40 Chapter 3: Serial Port, Device and User Configuration The administrator can set up users with specific power device, serial port and host access permissions who are not a member of any groups. These users don’t have any access to the Management Console menu nor command line access to the console server.
Page 41 User Manual 3. Add a Username for each new user. You may also include information related to the user (e.g. contact details) in the Description field. The user Name can contain from 1 to 127 alphanumeric characters and the characters "-" "_" and ".". 4.
Page 42: Authentication
Chapter 3: Serial Port, Device and User Configuration There are no limits on the number of users you can set up or the number of users per serial port or host. Multiple users can control/monitor the one port or host. There are no limits on the number of groups and each user can be a member of a number of groups.
Page 43: Trusted Networks
User Manual 3. Enter the IP Address or DNS Name and a Host Name for the new network connected Host and optionally enter a Description. 4. Add or edit the Permitted Services (or TCP/UDP port numbers) that are authorized to be used in controlling this host.
Page 44 Chapter 3: Serial Port, Device and User Configuration 1. Select Serial & Network > Trusted Networks 2. To add a new trusted network, select Add Rule. In the absence of Rules, there are no access limitations as to the IP address at which users can be located. 3.
Page 45: Serial Port Cascading
Slave units appear as if they are part of the Master. Opengear’s clustering connects each Slave to the Master with an SSH connection. This is done using public key authentication, so the Master can access each Slave using the SSH key pair (rather than using passwords).
Page 46 Chapter 3: Serial Port, Device and User Configuration 1. Select System > Administration on Master’s Management Console 2. Check Generate SSH keys automatically. 3. Click Apply Next you must select whether to generate keys using RSA and/or DSA (if unsure, select only RSA). Generating each set of keys require two minutes and the new keys destroy old keys of that type.
Page 47 User Manual 3. Once the new keys have been generated, click the link Click here to return. The keys are uploaded to the Master and connected Slaves. 3.6.2 Manually generate and upload SSH keys Alternately if you have an RSA or DSA key pair you can upload them to the Master and Slave console servers.
Page 48 Chapter 3: Serial Port, Device and User Configuration 3. Click Apply The next step is to Fingerprint each new Slave-Master connection. This step validates that you are establishing an SSH session to who you think you are. On the first connection the Slave receives a fingerprint from the Master used on all future connections: To establish the fingerprint first log in the Master server as root and establish an SSH connection to the Slave remote host:...
Page 49: Serial Port Redirection (Portshare)
3.7 Serial Port Redirection (PortShare) Opengear’s Port Share software delivers the virtual serial port technology your Windows and Linux applications need to open remote serial ports and read the data from serial devices that are connected to your console server.
Page 50: Managed Devices
Quick Start for details on installation and operation. PortShare for Linux The PortShare driver for Linux maps the console server serial port to a host try port. Opengear has released the portshare-serial-client as an open source utility for Linux, AIX, HPUX, SCO, Solaris and UnixWare.
Page 51 User Manual This screen displays all the managed devices with their Description/Notes and lists of all the configured Connections: • Serial Port # (if serially connected) or • USB (if USB connected) • IP Address (if network connected) • Power PDU/outlet details (if applicable) and any UPS connections Devices such as servers may have more than one power connection (e.g.
Page 52: Ipsec Vpn
Device. 3.9 IPsec VPN The ACM7000, CM7100, and IM7200 include Openswan, a Linux implementation of the IPsec (IP Security) protocols, which can be used to configure a Virtual Private Network (VPN). The VPN allows multiple sites or remote administrators to access the console server and managed devices securely over the Internet.
Page 53 The road warrior administrator can use a VPN IPsec software client to remotely access the console server and every machine on the Management LAN subnet at the remote location Configuration of IPsec is quite complex so Opengear provides a GUI interface for basic set up as described below.
Page 54 Chapter 3: Serial Port, Device and User Configuration 4. Select the Authentication Method to be used, either RSA digital signatures or a Shared secret (PSK) If you select RSA you are asked to click here to generate keys. This generates an RSA public key for the console server (the Left Public Key).
Page 55: Openvpn
IPsec negotiation and authentication. Each ID must include an @ and can include a fully qualified domain name ( e.g. left@example.com) 7. Enter the public IP or DNS address of this Opengear VPN gateway as the Left Address. You can leave this blank to use the interface of the default route 8.
Page 56 Chapter 3: Serial Port, Device and User Configuration 2. Click Add and complete the Add OpenVPN Tunnel screen 3. Enter any descriptive name you wish to identify the OpenVPN Tunnel you are adding, for example NorthStOutlet-VPN 4. Select the authentication method to be used. To authenticate using certificates select PKI (X.509 Certificates) or select Custom Configuration to upload custom configuration files.
Page 57 User Manual 3.10.2 Configure as Server or Client 1. Complete the Client Details or Server Details depending on the Tunnel Mode selected. If Client has been selected, the Primary Server Address is the address of the OpenVPN Server. If Server has been selected, enter the IP Pool Network address and the IP Pool Network mask for the IP Pool.
Page 58 Chapter 3: Serial Port, Device and User Configuration 3. To enter authentication certificates and files, select the Manage OpenVPN Files tab. Upload or browse to relevant authentication certificates and files. 4. Apply to save changes. Saved files are displayed in red on the right-hand side of the Upload button.
Page 59 User Manual 6. Check the Enabled button. 7. Apply to save changes NOTE Make sure that the console server system time is correct when working with OpenVPN to avoid authentication issues. 8. Select Statistics on the Status menu to verify that the tunnel is operational.
Page 60 Chapter 3: Serial Port, Device and User Configuration 3.10.3 Windows OpenVPN Client and Server set up This section outlines the installation and configuration of a Windows OpenVPN client or a Windows OpenVPN server and setting up a VPN connection to a console server. Console servers generate Windows client config automatically from the GUI –...
Page 61 User Manual Using a text editor, create an xxxx.ovpn file and save in C:\Program Files\OpenVPN\config. For example, C:\Program Files\OpenVPN\config\client.ovpn An example of an OpenVPN Windows client configuration file is shown below: # description: IM4216_client client proto udp verb 3 dev tun remote 192.168.250.152 port 1194 ca c:\\openvpnkeys\\ca.crt...
Page 62 Chapter 3: Serial Port, Device and User Configuration remote <host> The hostname/IP of OpenVPN server when operating as a client. Enter either the DNS hostname or the static IP address of the server. Port The UDP/TCP port of the server. Keepalive Keepalive uses ping to keep the OpenVPN session alive.
Page 63: Pptp Vpn
User Manual 5. Once established, the OpenVPN icon displays a message indicating a successful connection and assigned IP. This information, as well as the time the connection was established, is available by scrolling over the OpenVPN icon. 3.11 PPTP VPN Console servers include a PPTP (Point-to-Point Tunneling Protocol) server.
Page 64 Chapter 3: Serial Port, Device and User Configuration To set up a PPTP connection from a remote Windows client to your Opengear appliance and local network: 1. Enable and configure the PPTP VPN server on your Opengear appliance 2. Set up VPN user accounts on the Opengear appliance and enable the appropriate authentication 3.
Page 65 (e.g. 192.168.1.10-20). This must be a free IP address or range of addresses from the network that remote users are assigned while connected to the Opengear appliance 7. Enter the desired value of the Maximum Transmission Unit (MTU) for the PPTP interfaces into the MTU field (defaults to 1400) 8.
Page 66 Internet, you must set up two networking connections. One connection is for the ISP, and the other connection is for the VPN tunnel to the Opengear appliance. NOTE This procedure sets up a PPTP client in the Windows 7 Professional operating system. The steps may vary slightly depending on your network access or if you are using an alternate version of Windows.
Page 67 To connect remote VPN clients to the local network, you need to know the username and password for the PPTP account you added, as well as the Internet IP address of the Opengear appliance. If your ISP has not allocated you a static IP address, consider using a dynamic DNS service. Otherwise you must modify...
Page 68: Call Home
Chapter 3: Serial Port, Device and User Configuration 3.12 Call Home All console servers include the Call Home feature which initiates the setup of a secure SSH tunnel from the console server to a centralized Lighthouse VM, Lighthouse Standard, Lighthouse Enterprise, CMS6100 or VCMS server (referred to as CMS).
Page 69 User Manual 6. Click Apply These steps initiate the Call Home connection from the console server to the CMS. This creates an SSH listening port on the CMS and sets the console server up as a candidate. Once the candidate has been accepted on the CMS an SSH tunnel to the console server is redirected back across the Call Home connection.
Page 70 Chapter 3: Serial Port, Device and User Configuration The Remote Console Servers drop-down which lists all the console servers that have established a Call Home connection and are not being monitored (i.e. candidates). You can click Refresh to update To add a console server candidate to the Managed Console Server list, select it from the Remote Console Servers drop-down list and click Add.
Page 71: Ip Passthrough
(HTTP/HTTPS/SSH) may be terminated at the Opengear (Service Intercepts). Also, services running on the Opengear can initiate outbound cellular connections independent of the downstream router. This allows the Opengear to continue to be used for out-of-band management and alerting and also be managed via Lighthouse, while in IP Passthrough mode.
Page 72 Click Apply 3.13.4 Service Intercepts These allow the Opengear to continue to provide services, for example, for out-of-band management when in IP Passthrough mode. Connections to the modem address on the specified intercept port(s) are handled by the Opengear rather than passed through to the downstream router.
Page 73: Configuration Over Dhcp (Ztp)
User Manual Intercepts for local services will not work if the Opengear is using a default route other than the modem. Also, they will not work unless the service is enabled and access to the service is enabled (see System >...
Page 74 ~~ "^Opengear/"; vendor-option-space opengear; option opengear.config-url "https://example.com/opg/${class}.opg"; This setup can be modified to upgrade the configuration image using the opengear.image-url option, and providing a URI to the firmware image. Setup when the LAN is untrusted If the connection between the file server and a to-be-configured Opengear device includes an untrusted network, a two-handed approach can mitigate the issue.
Page 75: Enrollment Into Lighthouse
Errors are recorded in this log. 3.15 Enrollment into Lighthouse Use Enrollment into Lighthouse to enroll Opengear devices into a Lighthouse instance, providing centralized access to console ports, and allowing central configuration of the Opengear devices. See the Lighthouse User Guide for instructions for enrolling Opengear devices into Lighthouse.
Page 76: Firewall, Failover & Oob Access
(any brand) attached via a serial cable to the console/modem port for OOB dial-in access. • The serial ports on the ACM7000 are by default all configured as RJ serial console server ports. Port 1 can be configured to be the Local Console/Modem port. 4.2 OOB Dial-In Access Once a modem has been attached to the console server you can configure the console server for dial-in PPP access.
Page 77 9600 baud for the internal modem or external USB modem and for external modems connected to the Console serial ports which have been reassigned for dial-in access (on ACM7000) We recommend Serial Settings of 38400 baud with Hardware Flow Control for OOB dial-in.
Page 78 Chapter 4: Firewall, Failover & OOB Access 12. Select the Authentication Type required. Access is denied to remote users attempting to connect using an authentication scheme weaker than the selected scheme. The schemes are described below, from strongest to weakest. •...
Page 79: Dial-Out Access
User Manual 13. Select the Required Encryption Level. Access is denied to remote users attempting to connect not using this encryption level. NOTE The firmware supports multiple dial-in users, who are setup with dialin group membership. The username and password to be used for the dial-in PPP link and any dial-back phone numbers are configured when the user is set up.
Page 80 4.3.2 Failover dial-out The ACM7000, CM7100, and IM7200 can be configured so a dial-out PPP connection is automatically set up in the event of a disruption in the principal management network. NOTE SSH and HTTPS access is enabled on the failover connection so an administrator can SSH or HTTPS connect to the console server and fix the problem.
Page 81 Serial Console if you are using an external modem on the Console port or USB Modem if you are using a USB modem on an ACM7000. 2. Specify the Probe Addresses of two sites (the Primary and Secondary) that the console server is to ping to determine if Network / Network1 is operational 3.
Page 82 Chapter 4: Firewall, Failover & OOB Access NOTE By default, the console server supports automatic failure-recovery back to the original state prior to failover. The console server continually pings probe addresses while in original and failover states. The original state is automatically set as a priority and reestablished following three successful pings of the probe addresses during failover.
Page 83: Oob Broadband Ethernet Access
User Manual 4.4 OOB Broadband Ethernet Access The ACM7000, CM7100, and IM7200 have a second Ethernet port (NET2 on the CM7100 and ACM7000,) that can be configured for alternate and OOB (out-of-band) broadband access. With two active broadband access paths to these console servers, in the event you are unable to access through the primary...
Page 84: Cellular Modem Connection
Chapter 4: Firewall, Failover & OOB Access In this mode, Management LAN Interface is available as the transparent back-up port to Network Interface for accessing the management network. Management LAN Interface takes over the work of Network Interface in the event Network Interface becomes unavailable. NOTE SSH and HTTPS access is enabled on the failover connection so an administrator can connect to the console server and fix the problem.
Page 85 User Manual NOTE Your 3G carrier may have provided you with details for configuring the connection including APN (Access Point Name), Pin Code (optional PIN code which may be required to unlock the SIM card), Phone Number (the sequence to dial to establish the connection, defaults to *99***1#), Username / Password (optional) and Dial string (optional AT commands).
Page 86 Chapter 4: Firewall, Failover & OOB Access 6. Check Apply to establish a radio connection with your cellular carrier 4.6.2 Connecting to a CDMA EV-DO carrier network -GV and -GS models have an internal CDMA modem. Both connect to the Verizon network in North America.
Page 87 OTASP Activation: Before this can be achieved you need both a working account and an activated device in that the Opengear's ESN (Electronic Serial Number) needs to be registered with an appropriate plan on your Carriers account 1. Select Internal Cellular Modem panel on the System > Dial menu 2.
Page 88 For example, Verizon has used an MSL of 000000 and the phone number assigned to the Opengear device as both the MDN and MSID with no spaces or hyphens, e.g. 5551231234 for 555-123-1234 3.
Page 89 User Manual 4. Enter the carrier’s APN 5. If the SIM Card is configured with a PIN Code, unlock the Card by entering the PIN Code. You may also need to set Override DNS to use alternate DNS servers from those provided by your carrier. 6.
Page 90 Chapter 4: Firewall, Failover & OOB Access You can check your allocated IP address • Measure the received signal strength from the Cellular Statistics page on the Status > Statistics screen. This displays the current state of the cellular modem including the Received Signal Strength Indicator (RSSI).
Page 91 User Manual To configure dual SIM failover, you need to: 1. Choose which of the SIMs is to be the Primary. The other SIM will be the secondary/failover. It is recommended that an explicit slot is chosen, rather than leaving it on Automatic. Select Internal Cellular Modem panel on the System >...
Page 92 Some console server models are equipped with a reprogrammable cellular modem, allowing them to operate on more than one cellular network. Changes to the cellular modem firmware are unaffected by Opengear firmware upgrades or factory erase/configuration reset operations.
Page 93: Cellular Operation
User Manual 5. Click Download and Apply to start the update. The modem is only flashed if new firmware is available for the selected carrier. You can click Cancel to reject the update. 6. During the download/apply, an interstitial screen is displayed, showing upgrading cellular modem firmware.
Page 94 Chapter 4: Firewall, Failover & OOB Access • Cellular router mode. In this case the dial-out connection to the carrier cellular network is always on, and IP traffic is routed between the cellular connected network and the console server’s local network ports.
Page 95 User Manual • For inbound OOB connection with this service, use Call Home with a Lighthouse/VCMS/CMS6110 or set up a VPN In out of band access mode the internal cellular modem stays connected. The alternative is to set up Failover mode on the console server as detailed in the next section. 4.7.2 Cellular failover setup In this mode, the appliance continually pings nominated probe addresses over the main network...
Page 96: Firewall & Forwarding
1. Select the Cellular Modem panel on the System > Dial menu Check Enable Dial-In and configure the Dial-In Settings 4.8 Firewall & Forwarding Opengear console servers have basic routing, NAT (Network Address Translation), packet filtering and port forwarding support on all network interfaces.
Page 97 User Manual This enables the , via cellular connections console server to function as an Internet or external network gateway or via other Ethernet networks on two Ethernet port models: • Network Forwarding allows the network packets on one network interface (i.e. LAN1 / eth0) to be forwarded to another network interface (i.e.
Page 98 Chapter 4: Firewall, Failover & OOB Access Console servers are configured so that they will not route traffic between networks. To use the console server as an Internet or external network gateway, forwarding must be enabled so that traffic can be routed from the internal network to the Internet/external network: 1.
Page 99 User Manual 4.8.2 Configuring client devices Client devices on the local network must be configured with Gateway and DNS settings. This can be done statically on each device or using DHCP (on IM and ACM models). Manual Configuration: Manually set a static gateway address (being the address of the console server) and set the DNS server address to be the same as used on the external network i.e.
Page 100 Chapter 4: Firewall, Failover & OOB Access 4. Check Enable DHCP Server 5. To configure the DHCP server, tick the Use interface address as gateway check box 6. Set the DNS server address to be the same as used on the external network, i.e. if the console server is acting as an internet gateway or a cellular router.
Page 101 User Manual The DHCP server also supports pre-assigning IP addresses to be allocated only to specific MAC addresses and reserving IP addresses to be used by connected hosts with fixed IP addresses. To reserve an IP addresses for a particular host. Once applied, devices on the internal network can access resources on the external network.
Page 102 Chapter 4: Firewall, Failover & OOB Access Destination Address/Address Range: The destination IP address/address range to match. This may be left blank IP address ranges use the format ip/netmask (where netmask is in bits 1-32) Input Port Range: The range of ports to forward to the destination IP. These will be the port(s) specified when accessing the port forward.
Page 103 User Manual 3. Fill in the following fields: Name: Name the rule. This name should describe the policy the firewall rule is being used to implement (e.g. block ftp, Allow Tony) Interface: The interface that the firewall rule applies to (i.e. Any, Dialout/Cellular, VPN, Network Interface, Dial-in etc) Port Range: Specifies the Port or range of Ports (e.g.
Page 104 Chapter 4: Firewall, Failover & OOB Access Connection State: The state of connections that the firewall rule applies to (Any, Related/Established, or New). This can be used to only allow established connections out an interface. Action: The action (Accept or Block) that applies to the packets detected that match the Interface+ Port Range+ Source/destination Address Range+ Protocol+ Direction For example, to block all SSH traffic from leaving Dialout Interface, the following settings can be used:...
Page 105: Ssh Tunnels & Sdt Connector
5 SSH TUNNELS & SDT CONNECTOR Each Opengear console server has an embedded SSH server and uses SSH tunneling so remote users can securely connect through the console server to managed devices - using text-based console tools (such as SSH, Telnet, SoL) or graphical tools (like VNC, RDP, HTTPS, HTTP, X11, VMware, DRAC, iLO).
Page 106: Configuring For Ssh Tunneling To Hosts
5.2 SDT Connector Client Configuration The SDT Connector client works with all Opengear console servers. Each of these remote console servers have an embedded OpenSSH based server which can be configured to port forward connections from the SDT Connector client to hosts on their local network as detailed in the previous chapter.
Page 107 User Manual and serial port devices. SDT Connector can also be set up to make an out-of-band connection to the console server. 5.2.1 Configuring a new gateway in the SDT Connector client To create a secure SSH tunnel to a new console server: 1.
Page 108 Chapter 6: Alerts, Auto-Response & Logging 4. Optionally, enter a Descriptive Name to display instead of the IP or DNS address, and NOTEs or a Description of this gateway (such as its site location or anything special about its network configuration).
Page 109 User Manual NOTE The Retrieve Hosts function auto-configures all classes of user (i.e. they can be members of user or admin or some other group or no group). SDT Connector will not auto-configure the root 5.2.3 Make an SDT connection through the gateway to a host Point at the host to be accessed and click on the service to be used in accessing that host.
Page 110 Chapter 6: Alerts, Auto-Response & Logging 2. Enter the IP or DNS Host Address of the host. If this is a DNS address, it must be resolvable by the gateway. 3. Select which Services are to be used in accessing the new host. A range of service options are pre-configured in the default SDT Connector client (RDP, VNC, HTTP, HTTPS, Dell RAC, VMware etc).
Page 111 User Manual 4. Select which Client application is associated with the new service. A range of client application options are pre-configured in the default SDT Connector (RDP client, VNC client, HTTP browser, HTTPS browser, Telnet client etc). If you wish to add new client applications to this range, proceed to the next section (Adding a new client) and return here.
Page 112 Chapter 6: Alerts, Auto-Response & Logging 6. On the Add Service screen you can click Add as many times as needed to add multiple new port redirections and associated clients You may also specify Advanced port redirection options: 7. Enter the local address to bind to when creating the local endpoint of the redirection. It is not usually necessary to change this from localhost.
Page 113 User Manual 5.2.6 Adding a client program to be started for the new service Clients are local applications that may be launched when a related service is clicked. To add to the pool of client programs: 1. Select Edit > Preferences and click the Client tab. Click Add 2.
Page 114 Chapter 6: Alerts, Auto-Response & Logging Some clients are launched in a command line or terminal window. The Telnet client is an example of this so the Path to client executable file is telnet and the Command line format for client executable is cmd /c start %path% %host% %port% : 4.
Page 115: Sdt Connector To Management Console
User Manual 5.3 SDT Connector to Management Console SDT Connector can also be configured for browser access the gateway’s Management Console – and for Telnet or SSH access to the gateway command line. For these connections to the gateway, you must configure SDT Connector to access the gateway by setting the Console server up as a host, and configuring the appropriate services: 1.
Page 116 4. Scroll to the bottom and click Apply 5. Select Network Hosts from Serial & Network and click Add Host 6. In the IP Address/DNS Name field enter 127.0.0.1 (this is the Opengear's network loopback address) and enter Loopback in Description 7.
Page 117: Using Sdt Connector For Out-Of-Band Connection To The Gateway
User Manual 5.5 Using SDT Connector for out-of-band connection to the gateway SDT Connector can also be set up to connect to the console server (gateway) out-of-band (OOB). OOB access uses an alternate path for connecting to the gateway to that used for regular data traffic. OOB access is useful for when the primary link into the gateway is unavailable or unreliable.
Page 118: Importing (And Exporting) Preferences
Chapter 6: Alerts, Auto-Response & Logging § To initiate a pre-configured dial-up connection under Linux, use the following Start Command: pon network_connection where network_connection is the name of the connection. 4. Enter the command or path to a script to stop the OOB connection in Stop Command §...
Page 119: Sdt Connector Public Key Authentication
User Manual To save a configuration .xml file (for backup or for importing into other SDT Connector clients) select File > Export Preferences and select the location to save the configuration file To import a configuration select File > Import Preferences and select the .xml configuration file to be installed 5.7 SDT Connector Public Key Authentication SDT Connector can authenticate against an SSH gateway using your SSH key pair rather than requiring...
Page 120: Setting Up Sdt For Remote Desktop Access
Microsoft’s Remote Desktop Protocol (RDP) enables the system manager to securely access and manages remote Windows computers – to reconfigure applications and user profiles, upgrade the server’s operating system, reboot the machine etc. Opengear’s Secure Tunneling uses SSH tunneling, so this RDP traffic is securely transferred through an authenticated and encrypted tunnel.
Page 121: Sdt Ssh Tunnel For Vnc
User Manual To set the user(s) who can remotely access the system with RDP click Add on the Remote Desktop Users dialog box NOTE If you need to set up new users for Remote Desktop access, open User Accounts in the Control Panel and proceed through the steps to nominate the new user’s name, password and account type (Administrator or Limited).
Page 122 Chapter 6: Alerts, Auto-Response & Logging • When the Viewer PC is connected to the console server thru an SSH tunnel (over the public Internet, or a dial-in connection, or private network connection), enter localhost (or 127.0.0.1) as the IP VNC Server IP address; and the source port you entered when setting SSH tunneling /port forwarding, e.g.
Page 123: Using Sdt To Ip Connect To Hosts That Are Serially Attached To The Gateway
User Manual 5.10 Using SDT to IP connect to hosts that are serially attached to the gateway Network (IP) protocols like RDP, VNC and HTTP can also be used for connecting to host devices that are serially connected through their COM port to the console server. To do this you must: 1.
Page 124 Chapter 6: Alerts, Auto-Response & Logging 2. Select Set up an advanced connection and click Next 3. On the Advanced Connection Options screen select Accept Incoming Connections and click Next 4. Select the Connection Device (i.e. the serial COM port on the Windows computer that you cabled through to the console server).
Page 125 User Manual You can choose any TCP/IP addresses used anywhere else on your network. The From address is assigned to the Windows computer and the To address is used by the console server. For simplicity, use the IP address as shown in the illustration above: From: 169.134.13.1 To: 169.134.13.2 Alternately you can set the advanced connection and access on the Windows computer to use...
Page 126 Chapter 6: Alerts, Auto-Response & Logging A. For earlier version Windows computers follow the steps in Section B above to get to the Make New Connection button: § For Windows 2000, click Start and select Settings at the Dial-Up Networking Folder click Network and Dial-up Connections and click Make New Connection.
Page 127: Ssh Tunneling Using Other Ssh Clients (E.g. Putty)
User Manual 5.11 SSH Tunneling using other SSH clients (e.g. PuTTY) We recommend you use the SDT Connector client software that is supplied with the console server. There are also commercial and free SSH client programs that can also provide the secure SSH connections to the console servers and secure tunnels to connected devices.
Page 128 Chapter 6: Alerts, Auto-Response & Logging • If your destination computer is serially connected to the console server, set the Destination as <port label>:3389 e.g. if the Label you specified on the serial port on the console server is win2k3, specify the remote host as win2k3:3389 . Alternative you can set the Destination as portXX:3389 where XX is the SDT enabled serial port number e.g.
Page 129: Alerts, Auto-Response & Logging
User Manual 6 ALERTS, AUTO-RESPONSE & LOGGING This chapter describes the automated response, alert generation and logging features of the console server. With Auto-Response the console server monitors selected serial ports, logins, the power status and environmental monitors and probes for Check Condition triggers. The console server initiates a sequence of actions in response to these triggers.
Page 130 Chapter 6: Alerts, Auto-Response & Logging To configure a new Auto-Response: 1. Select New Auto-Response in the Configured Auto-Response field. The Auto-Response Settings menu appears 2. Enter a descriptive Name for the new Auto-Response 3. Specify the Reset Timeout for the time in seconds after resolution to delay before this Auto- Response can be triggered again 4.
Page 131: Check Conditions
User Manual 6.2 Check Conditions To configure the condition that triggers the Auto-Response: Click on the Check Condition type (e.g. Environmental, UPS Status or ICMP ping) to be configured as the trigger for this new Auto-Response in the Auto-Response Settings menu 6.2.1 Environmental Before configuring Environmental Checks as the trigger in Auto-Response, configure the Temp and/or...
Page 132 Chapter 6: Alerts, Auto-Response & Logging 2. In the Environmental Check menu, select the Environmental Sensor to be checked for the trigger 3. Specify the Trigger value (in °C / °F for Temp and % for Humidity) that the check measurement must exceed or drop below to trigger the AutoResponse 4.
Page 133 User Manual 6.2.3 UPS/Power Supply Before configuring UPS checks in Auto-Response you first must configure the attached UPS. To use the properties of any attached UPS as the trigger event: 1. Click on UPS / Power Supply as the Check Condition 2.
Page 134 Chapter 6: Alerts, Auto-Response & Logging 2. Click on Serial Signal as the Check Condition. In the Serial Signal Check menu select the Signal (CTS, DCD, DSR) to trigger on, the Trigger condition (either on serial signal change, or check level) and specify Serial Port to perform check on, and/or 3.
Page 135 The Link Layer Discovery Protocol (LLDP) is a protocol that allows system administrators to glean information about devices physically connected to managed switches. It is available for use on IM7200, CM7100 and ACM7000 devices. Using LLDP The LLDP service is enabled through the System > Services page. When the service is enabled, the lldpd...
Page 136 Any Custom LLDP configurations must be stored as *.conf files in this directory. Security When enabled, LLDP frames issued by an Opengear Console Manager reveals sensitive information such as hostname and firmware version. LLDP frames are not passed through by 802.3ab compliant switches, and Opengear Console Managers have the LLDP service disabled by default.
Page 137 User Manual 6.2.10 Custom Check This check allows users to run a nominated custom script with nominated arguments whose return value is used as an Auto-Response trigger event: 1. Click on Custom Check as the Check Condition 2. Create an executable trigger check script file e.g. /etc/config/test.sh #!/bin/sh logger "A test script"...
Page 138 Chapter 6: Alerts, Auto-Response & Logging 6.2.11 SMS Command The SMS command trigger condition can only be set if there is an internal cellular modem. An incoming SMS command from a nominated caller can trigger an Auto-Response: 1. Click on SMS Command as the Check Condition 2.
Page 139 User Manual 6.2.12 CLI Log In/Out Check To configure a CLI Login/Out check: 1. Click on the CLI Session Event as the Check Condition 2. Check Trigger on Login (Logout) to trigger when a user logs into (or out of) the CLI 3.
Page 140 This check monitors the specified input interface for data usage that is being routed through the Opengear and out another interface such as the Internal Cellular Modem. It is useful in IP Passthrough mode to detect when the downstream router has failed over and is routing via the Opengear’s modem as a backup connection.
Page 141 User Manual • The Opengear’s incoming Interface to monitor • An optional Source MAC/IP Address, to monitor traffic from a host • Data Limit threshold, the Auto-Response triggers when this is reached in the specified Time Period • The Auto-Response resolves if no matching data is routed for the Resolve Period.
Page 142: Trigger Actions
Chapter 6: Alerts, Auto-Response & Logging 6.3 Trigger Actions To configure the sequence of actions to take in the event of the trigger condition: 1. For a nominated Auto-Response with a defined Check Condition, click on Add Trigger Action to select the action type to take. Configure the selected action as detailed in the following sections.
Page 143 User Manual 2. Specify the Recipient Email Address to send this email to and the Subject of the email. For multiple recipients you can enter comma separated addresses 3. Edit the Email Text message to send and click Save New Action An SMS alert can also be sent via an SMTP (email) gateway.
Page 144 2. Select the Interface (Modem or VPN service) and the Action (Start or Stop Interface) to take. You can start an IPsec VPN service in response to an incoming SMS or set up an OpenVPN tunnel whenever your Opengear device fails over to use the cellular connection.
Page 145: Resolve Actions
User Manual NOTE If any IPsec service or OpenVPN tunnel is to be controlled by the Network Interface Event Action, check the Control by Auto-Response box when configuring that service. Once selected, the default state for the VPN tunnel / service is Down 6.4 Resolve Actions Actions can be scheduled when a trigger condition has been resolved.
Page 146 Chapter 6: Alerts, Auto-Response & Logging 2. In the SMTP Server field enter the IP address of the outgoing mail Server If this mail server uses a Secure Connection, specify its type. You may also specify the IP port to use for SMTP.
Page 147 User Manual 1. In the SMTP Settings field in the Alerts & Logging > SMTP &SMS menu select SMS Gateway. An SMS via Email Gateway field appears 2. Enter the IP address of the outgoing mail Server SMS gateway 3. Select a Secure Connection (if applicable) and specify the SMTP port (if other than the default port 25) 4.
Page 148 Chapter 6: Alerts, Auto-Response & Logging 1. Select Cellular Modem in the SMS Settings field You may need to enter the phone number of the carrier’s SMS Message Centre if advised by your carrier or Support 3. Click Apply Settings to activate SMS-SMTP connection 6.5.3 Send SNMP Trap alerts An administrator can configure the Simple Network Management Protocol (SNMP) agent that resides on...
Page 149 User Manual 3. Select the Manager Protocol. SNMP is generally a UDP-based protocol though infrequently it uses TCP instead. 4. Enter the host address of the SNMP Network Manager into the Manager Address field. 5. Enter the TCP/IP port number into the Manager Trap Port field (default =162). 6.
Page 150: Logging
Chapter 6: Alerts, Auto-Response & Logging Specify the Security Level. The level of security has to be compatible with the settings of the remote SNMP Network Manager. noAuthNoPriv No authentication or encryption. authNoPriv Authentication only. An authentication protocol (SHA or MD5) and password is required.
Page 151 User Manual From the Manage > Devices menu, administrators can view serial, network and power device logs stored in the console reserve memory (or flash USB). Non-admin users only see logs for managed devices they or their group have access privileges for. Event logs on the USB can be viewed using the web terminal or by SSH/Telnet connecting to the console server.
Page 152 Chapter 6: Alerts, Auto-Response & Logging NOTE A cache of the most recent 8K of logged data per serial port is maintained locally (in addition to the logs which are transmitted for remote/USB flash storage). To view the local cache of logged serial port data select Manage >...
Page 153: Power, Environment & Digital I/O
The console server Management Console monitors and controls Remote Power Control (RPC) devices using the embedded PowerMan and Network UPS Tools open source management tools and Opengear’s power management software. RPCs include power distribution units (PDUs) and IPMI power devices.
Page 154 Chapter 7: Power, Environmental & Digital I/O 3. Select the Serial & Network > RPC Connections menu. This displays the RPC connections that have already been configured 4. Click Add RPC 5. Connected Via presents a list of serial ports and network Host connections that you have set up with device type RPC (but have yet to connect to a specific RPC device): If you select Connect Via for a Network RPC connection, enter the Host Name/Description •...
Page 155 If you are connecting to the RPC by a serial port, you will be presented with all the serial RPC • types supported by the embedded PowerMan and Opengear’s power manager: 7. Enter the Username and Password used to login into the RPC. These login credentials are not related the users and access privileges you configured in Serial &...
Page 156 RPC Type or will query the RPC for this information NOTE Opengear’s console servers support the majority of the popular network and serial PDUs. If your PDU is not on the default list, support can be added directly or by having the PDU added to either the Network UPS Tools or PowerMan open source projects.
Page 157 User Manual 7.1.2 RPC access privileges and alerts Set PDU and IPMI alerts using Alerts & Logging > Alerts. You can also assign which user can access and control which particular outlet on each RPC using Serial & Network > Users & Groups 7.1.3 User power management The Power Manager enables users to access and control the configured serial and network attached PDU...
Page 158: Uninterruptible Power Supply(Ups) Control
Power screen 7.2 Uninterruptible Power Supply(UPS) Control All Opengear console servers can be configured to manage locally and remotely connected UPS hardware using Network UPS Tools. Network UPS Tools (NUT) is a group of open source programs that provide a common interface for monitoring and administering UPS hardware;...
Page 159 User Manual 7.2.1 Managed UPS connections A managed UPS is a UPS that is directly connected as a Managed deviceto the console server. It can be connected by serial or USB cable or by the network. The console server becomes the master of this UPS and runs a upsd server to allow other computers that are drawing power through the UPS (slaves) to monitor the UPS status and take appropriate action such as shutdown in event of low UPS battery.
Page 160 Chapter 7: Power, Environmental & Digital I/O 2. For each network connected UPS, go to Serial & Network > Network Hosts menu and configure the UPS as a connected Host by specifying it as Device Type > UPS and clicking Apply No such configuration is required for USB connected UPS hardware 3.
Page 161 User Manual 6. When you select a network UPS connection, the corresponding Host Name/Description that you set up for that connection will be entered as the Name and Description for the power device. Alternately if you selected to Connect Via a USB or serial connection, enter a Name and Description for the power device (and these details will also be used to create a new managed device entry for the serial/USB connected UPS devices) 7.
Page 162 (but not managed) by your console server. The upsc and upslog clients in the Opengear console server can configured to monitor remote servers that are running Network UPS Tools managing their locally connected UPSes. These remote servers might be other Opengear console servers or generic Linux servers running NUT.
Page 163 Description 4. Enter the IP Address or DNS name of the remote console server* that is managing the remote UPS. (*This may be another Opengear console server or it may be a generic Linux server running Network UPS Tools) 5.
Page 164 Chapter 7: Power, Environmental & Digital I/O 2. Click on any particular UPS System name in the table. A more detailed graphical information on the select UPS System appears 3. Click on any particular All Data for any UPS System in the table for more status and configuration information on the select UPS System 4.
Page 165 User Manual logged for all UPSes which were configured with Log Status checked. The information is also presented graphically 7.2.6 Overview of Network UPS Tools (NUT) NUT is built on a networked model with a layered scheme of drivers, server and clients. NUT can be configured using the Management Console as described above, or you can configure the tools and manage the UPSes from the command line.
Page 166 SNMP or through a binding to Powerman (open source software from Livermore Labs that also is embedded in Opengear console servers) These NUT clients and servers all are embedded in each Opengear console server (with a Management Console presentation layer added) … and they also are run remotely on distributed console servers and other remote NUT monitoring systems.
Page 167: Nvironmental Onitoring
7.3 Environmental Monitoring All Opengear console servers can be configured to monitor their operating environment. External Environmental Monitor Devices (EMDs) can be connected to any Opengear console server serial port. Each console server can support multiple EMDs. Each EMD device has an internal temperature and humidity sensor plus one or two general purpose status sensor ports which can be connected to smoke detectors, water detectors, vibration sensors or open-door sensors.
Page 168 ACM7000 models ship with an in-built, black, spring cage I/O connector block for attaching environmental sensors and digital I/O devices. ACM7000 models have dedicated I/O (DIO1 & DIO2) and output only pins (OUT1 & OUT2), the later having inverting outputs with higher voltage/current transistor.
Page 169 User Manual 2. Screw the bare wires on any smoke detector, water detector, vibration sensor, open-door sensor or general purpose open/close status sensors into the SENSOR or DIO terminals on the green connector block 3. When configured as Inputs, the SENSOR and DIO ports are notionally attached to the internal EMD.
Page 170 Chapter 7: Power, Environmental & Digital I/O 7.3.3 Adding EMDs and configuring the sensors 1. Select the Serial & Network > Environmental menu. This will display any external EMDs or any internal EMD (i.e. sensors that may be attached to an ACM) that have already been configured 2.
Page 171 User Manual 3. You may optionally calibrate the EMD with a Temperature Offset (+ or - °C) or Humidity Offset (+ or percent). If you check Temperature in Fahrenheit, the temperature will be reported in Fahrenheit. Otherwise it will be reported in degrees Celsius 4.
Page 172: Digital I/O Ports
2. Click on View Log or select the Environmental Logs menu. A table and graphical plot of the log history of the select EMD appears. 7.4 Digital I/O Ports ACM7000 models ship with an in-built, black, spring cage I/O connector block for attaching environmental sensors and digital I/O devices.
Page 173 User Manual These I/O ports are configured via System > I/O Ports. Each port can be configured with a default direction and state. Select the System > I/O Ports menu 7.4.1 Digital I/O Output Configuration Each of the two digital I/O ports (DIO1 and DIO2) can be configured as an Input or Output port. To use them as digital outputs first configure the port direction on the System >...
Page 174 Chapter 7: Power, Environmental & Digital I/O For example, to set pin 1 to a low output, type: ioc -p 1 -d 0 -v 0 To pulse one of these outputs, use a script like the following: ioc -p 1 -d 0 -v 1 sleep 1 ioc -p 1 -d 0 -v 0 This will set the output high for 1 second, return it to low (assuming the initial state is low)
Page 175: Authentication
User Manual OG-STATUS-MIB::ogDioStatusDirection.4 = INTEGER: input(1) OG-STATUS-MIB::ogDioStatusState.1 = INTEGER: low(0) OG-STATUS-MIB::ogDioStatusState.2 = INTEGER: high(1) OG-STATUS-MIB::ogDioStatusState.3 = INTEGER: high(1) OG-STATUS-MIB::ogDioStatusState.4 = INTEGER: high(1) OG-STATUS-MIB::ogDioStatusCounter.1 = Counter64: 0 OG-STATUS-MIB::ogDioStatusCounter.2 = Counter64: 0 OG-STATUS-MIB::ogDioStatusCounter.3 = Counter64: 0 OG-STATUS-MIB::ogDioStatusCounter.4 = Counter64: 0 OG-STATUS-MIB::ogDioStatusTriggerMode.1 = INTEGER: risingFallingEdge(3) OG-STATUS-MIB::ogDioStatusTriggerMode.2 = INTEGER: risingFallingEdge(3) OG-STATUS-MIB::ogDioStatusTriggerMode.3 = INTEGER: risingFallingEdge(3) OG-STATUS-MIB::ogDioStatusTriggerMode.4 = INTEGER: risingFallingEdge(3)
Page 176 Chapter 8: Authentication Any authentication method that is configured will be used for authentication of any user who attempts to log in through Telnet, SSH or the Web Manager to the console server and any connected serial port or network host devices. The console server can be configured to the default (Local) or an alternate authentication method (TACACS, RADIUS, LDAP or Kerberos) with the option of a selected order in which local and remote authentication is to be used:...
Page 177 NOTE An Opengear device interprets a user with a TACACS priv-lvl of 12 or above as an admin user. There is a special case where a user with a priv-lvl of 15 is also given access to all configured serial ports.
Page 178 (the groups they are in, etc). On an Opengear device, we may be configured to look at group information from an LDAP server for authentication and authorization. This group information is stored in a number of different ways. Active Directory has one method, and OpenLDAP has two other methods: •...
Page 179 NOTE The libldap library ensures SSL connections are using certificates signed by a trusted CA so it is often not easy to set up a connection to an LDAP server using SSL. See to https://opengear.zendesk.com/entries/29959515-LDAP-over-SSL Perform the following procedure to configure the LDAP authentication method to be used whenever the console server or any of its serial ports or hosts is accessed: 1.
Page 180 SSL. If LDAP over SSL fails, only the root account will be able to log in to the console server LDAP (no SSL) only: this setting will configure the Opengear device to only accept LDAP without SSL. If LDAP without SSL fails, only the root account will be able to log in to the console server 4.
Page 181 Users may be added to the local console server appliance. If they are not added and they log in via remote AAA, a user will be added for them. This user will not show up in the Opengear configurators unless they are specifically added, at which point they are transformed into a local user.
Page 182 Chapter 8: Authentication authentication service matches any local group names, the user is given permissions as configured in the local groups. To enable group support to be used by remote authentication services: 1. Select Serial & Network > Authentication 2. Select the relevant Authentication Method 3.
Page 183 User Manual When setting the Framed-Filter-Id, the system may also remove the leading colon for an empty field. To work around this, add some dummy text to the start of the string. For example: dummy:group_name=testgroup1,users: • If no group is specified for a user, for example AmandaJones, the user will have no user Interface and serial port access but limited console access •...
Page 184 Chapter 8: Authentication 8.1.8 Remote groups with LDAP authentication Unlike RADIUS, LDAP has built in support for group provisioning, which makes setting up remote groups easier. The console server will retrieve a list of all the remote groups that the user is a direct member of and compare their names with local groups on the console server.
Page 185 User Manual A user must be a member of the LDAP Console Server Group DN group in order to gain access to the console and user interface. For example, the user must be a member of MyGroup on the Active Server to gain access to the console server.
Page 186 Chapter 8: Authentication 8.1.9 Remote groups with TACACS+ authentication When using TACACS+ authentication, there are two ways to grant a remotely authenticated user privileges. The first is to set the priv-lvl and port attributes of the raccess service to 12, discussed further in section 8.2.
Page 187 User Manual 8.1.10 Idle timeout You can specify amount of time in minutes the console server waits before it terminates an idle SSH, pmshell or web connection. Select Serial & Network > Authentication • Web Management Session Timeout specifies the browser console session idle timeout in minutes.
Page 188: Pam (Pluggable Authentication Modules)
When a user attempts to log in but does not have an account on the console server, a new user account is created. This account will have no rights and no password set. They will not appear in the Opengear configuration tools. Automatically added accounts will not be able to log in if the remote servers are unavailable •...
Page 189: Ssl Certificate
User Manual Permission to access resources may be granted via TACACS by indicating an Opengear Appliance and a port or networked host the user may access. (See the example configuration files below for example.) TACACS Example: user = tim {...
Page 190 Chapter 8: Authentication To do this the console server must be enabled to generate a new cryptographic key and the associated Certificate Signing Request (CSR) that needs to be certified by a Certification Authority (CA). A certification authority verifies that you are the person who you claim you are and signs and issues a SSL certificate to you.
Page 191 User Manual • Key length This is the length of the generated key in bits. 1024 Bits are supposed to be sufficient for most cases. Longer keys may result in slower response time of the console server during connection establishment •...
Page 192: Adding Opengear Custom Attributes
Add the following “update reply {}” block to /etc/freeradius/$VERSION/sites-enabled/default inside the “authorize {}” section at the end. ( NOTE the ‘&' before 'Opengear’ should not be there in some older versions of freeradius eg. 2.1.12 authorize { update reply { &Opengear-MappedGroups = "group1,group2,group3"...
Page 193: Nagios Integration
User Manual 9 NAGIOS INTEGRATION Nagios is a powerful, highly extensible open source tool for monitoring network hosts and services. The core Nagios software package is installed the central Nagios server. Console servers operate in conjunction with a central/upstream Nagios server to provide distributing monitoring of attached network hosts and serial devices.
Page 194: Configuring Nagios Distributed Monitoring
Chapter 9: Nagios Integration 9.2 Configuring Nagios distributed monitoring To activate the console server Nagios distributed monitoring: § Nagios integration must be enabled and a path established to the central/upstream Nagios server § If the console server is to periodically report on Nagios monitored services, the NSCA client embedded in the console server must be configured –...
Page 195 5. Check the Disable SDT Nagios Extensions option if you wish to disable the SDT Connector integration with your Nagios server at the head end – this would only be checked if you want to run a vanilla Nagios monitoring 6.
Page 196 Chapter 9: Nagios Integration 9.2.3 Enable NSCA monitoring NSCA is the mechanism that allows you to send passive check results from the remote console server to the Nagios daemon running on the monitoring server. To enable NSCA: 1. Select System > Nagios and check NSCA Enabled 2.
Page 197 2. Select Enable Nagios, specify the name of the device on the upstream server and determine the check to be run on this port. Serial Status monitors the handshaking lines on the serial port and Check Port monitors the data logged for the serial port 9.2.5 Configure selected Network Hosts for Nagios monitoring The individual Network Hosts connected to the console server to be monitored must also be configured...
Page 198 Chapter 9: Nagios Integration 7. The Nagios Check nominated as the check-host-alive check is the check used to determine whether the network host is up or down 8. This will be Check Ping – although in some cases the host will be configured not to respond to pings 9.
Page 199: Advanced Distributed Monitoring Configuration
NRPE and NSCA. In practice, these would be combined into a single check which used NSCA as a primary method, falling back to NRPE if a check was late – for details see the Nagios documentation http://www.nagios.org/documentation/ on Service and Host Freshness Checks ; Host definitions ; Opengear Console server define host{ generic-host host_name...
Page 200 Chapter 9: Nagios Integration generic-service check_command check_serial_status active_checks_enabled passive_checks_enabled define servicedependency{ name opengear_nrpe_daemon_dep host_name opengear dependent_host_name server dependent_service_description Serial Status service_description NRPE Daemon execution_failure_criteria w,u,c ; Port Log define command{ command_name check_port_log command_line $USER1$/check_nrpe -H 192.168.254.147 -p 5666 -c port_log_$HOSTNAME$...
Page 201 { service_description host-ping-server host_name server generic-service check_command check_ping_via_opengear active_checks_enabled passive_checks_enabled define servicedependency{ name opengear_nrpe_daemon_dep host_name opengear dependent_host_name server dependent_service_description Host Ping service_description NRPE Daemon execution_failure_criteria w,u,c ; SSH Port define command{ command_name check_conn_via_opengear command_line $USER1$/check_nrpe -H 192.168.254.147 -p 5666 -c...
Page 202 Chapter 9: Nagios Integration 9.3.2 Basic Nagios plug-ins Plug-ins are compiled executables or scripts that can be scheduled to be run on the console server to check the status of a connected host or service. This status is communicated to the upstream Nagios server which uses the results to monitor the current status of the distributed network.
Page 203 § If the plug-in in a Perl script, it must be rewritten as the console server does not support Perl. However, if you do require Perl support, make a feature request to support@opengear.com § Individual compiled programs may be generated using gcc for ARM. Contact support@opengear.com for details...
Page 204 Chapter 9: Nagios Integration No encryption no encryption - tunneled over existing SSH session NRPE time to service 1 check 1/10 second second second NRPE time to service 10 1 second 3 seconds 1 ¼ seconds simultaneous checks Maximum number of 20 (1,2 and 25 (1,2 and 8 port), 35 (16 simultaneous checks before...
Page 205 Remote site In this scenario the console server NRPE server or NSCA client can be configured to make active checks of configured services and upload to the Nagios server waiting passively. It can also be configured to service NRPE commands to perform checks on demand. In this situation, the console server will perform checks based on both serial and network access.
Page 206 Chapter 9: Nagios Integration Remote site with no network access In this scenario the console server allows dial-in access for the Nagios server. Periodically, the Nagios server establishes a connection to the console server and execute any NRPE commands before dropping the connection...
Page 207: System Management
Before upgrading you should ascertain if you are already running the most current firmware in your Opengear device. Your Opengear device will not allow you to upgrade to the same or an earlier version. The Firmware version is displayed in the header of each page. Status > Support Report also reports the...
Page 208: Configure Date And Time
10.3 Configure Date and Time It is important to set the local Date and Time in your Opengear appliance as soon as it is configured. Features such as Syslog and NFS logging use the system time for time-stamping log entries, while certificate generation depends on a correct Timestamp to check the validity period of the certificate.
Page 209 NOTE Time Zone can also be set to UTC which replaced Greenwich Mean Time as the World standard for time in 1986. Configuring NTP ensures the Opengear appliance clock is kept accurate (once Internet connection has been established). 1. Select the Enable NTP checkbox in the Network Time Protocol section of the System > Date &...
Page 210: Configuration Backup
1. Enter the Year, Month, Day, Hour and Minute using the Date and Time selection boxes 2. Check Set Time NOTE All Opengear appliances have an internal battery-backed hardware clock. When the time and date is set through the management console or retrieved from an NTP server, the hardware clock of the Opengear appliance is automatically updated.
Page 211 With all console servers you can save the backup file remotely on your PC and you can restore configurations from remote locations: 2. Click Save Backup in the Remote Configuration Backup menu 3. The config backup file (System Name_date_config.opg) is downloaded to your PC and saved in the location you nominate To restore a remote backup: 1.
Page 212: Delayed Configuration Commit
Chapter 10: System Management After saving a local configuration backup, you may choose to use it as the alternate default configuration. When the console server is reset to factory defaults, it will load your alternate default configuration instead of its factory settings: To set an alternate default configuration, check Load On Erase and click Apply NOTE Before selecting Load On Erase, ensure you have tested your alternate default configuration by clicking Restore...
Page 213: Fips Mode
The console servers use an embedded cryptographic module that has been validated to meet the FIPS 140-2 standards. NOTE Opengear console servers use an embedded OpenSSL cryptographic module that has been validated to meet the FIPS 140-2 standards and has received Certificate #1051 When configured in FIPs mode all SSH, HTTPS and SDT Connector access to all services on the console servers will use the embedded FIPS compliant cryptographic module.
Page 214: Status Reports
Chapter 12: Management 11 STATUS REPORTS This chapter describes the dashboard feature and the status reports that are available: § Port Access and Active Users § Statistics Support Reports § Syslog § Dashboard § 11.1 Port Access and Active Users Administrators can see which users have access privileges with which serial ports.
Page 215: Statistics
Detailed statistics reports can be found by selecting the various submenus. 11.3 Support Reports The Support Report provides useful status information that will assist the Opengear technical support team to solve any problems you may experience with your console server.
Page 216: Syslog
Chapter 12: Management 1. Select Status > Support Report. A status snapshot appears 2. Save the file as a text file and attach it to your support email 11.4 Syslog The Linux System Logger in the console server maintains a record of all system messages and errors, select Status >...
Page 217 • RFC 3339 This option displays a timestamp in milliseconds as well as fully qualified domain names (FQDN), for example: <46>2019-06-05T23:25:52.547326-04:00 syslog: [origin software="rsyslogd" swVersion="8.33.0" x-pid="3492" x- info="http://www.rsyslog.com"] start 11.4.2 Syslog Server Address and Port The syslog record can be redirected to a remote Syslog Server. Enter the remote Syslog Server Address and Syslog Server Port details and click Apply 11.4.3 Power State Changes in Syslog For IM72xx DDC or rev6a AC models with power monitoring capabilities, power state changes are...
Page 218: Dashboard
Chapter 12: Management 11.5 Dashboard The Dashboard provides administrators with a summary of the status of the console server and its managed devices. Custom dashboards can be configured for each user groups. 11.5.1 Configuring the Dashboard Admin group users can configure and access the dashboard. To configure a custom dashboard: Select System >...
Page 219 The Dashboard displays a configurable number of widgets. These widgets include status for major subsystems such as conma, Auto-Response, Managed Devices, and cellular. The admin user can configure which of these widgets is to be displayed where: 1. Go to the Dashboard layout panel and select which widget is to be displayed in each of the Widget Slots 2.
Page 220 Chapter 12: Management NOTE Dashboard configuration is stored in the /etc/config/config.xml file. Each configured dashboard will increase the config file. If this file gets too big, you can run out of memory space on the console server. 11.5.2 Creating custom widgets for the Dashboard To run a custom script inside a dashboard widget: Create a file called widget-<name>.sh in the folder /etc/config/scripts / where <name>...
Page 221: Management
12 MANAGEMENT The console server has a small number of Manage reports and tools that are available to all users: § Access and control authorized devices § View serial port logs and host logs for those devices Use SSH or the Web Terminal to access serially attached consoles §...
Page 222: Port And Host Logs
The Web Terminal connects to the command line or serial device using the same protocol that is being used to browse to the Opengear Management Console, i.e. if you are browsing using an https:/ / URL (this is the default), the Web Terminal connects using HTTPS.
Page 223 Administrators can communicate with the console server command line from their browser: Select Manage > Terminal to display the Web Terminal from which you can log in to the console server command line Web Terminal to Serial Device To enable the Web Terminal service for each serial port you want to access: 1.
Page 224: Power Management
Chapter 12: Management 2. Click Connect to SDT Connector. This will to activate the SDT Connector client on the computer you are browsing and load your local Telnet client to connect to the command line or serial port using SSH NOTE SDT Connector must be installed on the computer you are browsing from and the console server must be added as a gateway.
Page 225: Appendix A: Hardware Specification
DDC models dual +/- 36V to 72V DC Power consumption of IM7216-24E – 40W CM7100: SAC models – single socket universal 100-240V AC ACM7000: 110-240V AC to 12V DC external power adapter Power Consumption All less than 30W IM7200: 1GHz ARM SoC (Marvell 88F6283)
Page 226 Connectivity, TCP Ports & Serial I/O IM7216/32/48: Two 10/100/1000 GbE ports Cellular Modem Frequency Resilience Gateway Cellular UMTS/HSDPA CDMA EGSM ACM7000-L Modem HSUPA/HSPA 2100 MHz 1800 MHz 2100 MHz 2600 MHz 1900 MHz Sierra 1800 1900 ACM700x-x-LMR 900 MHz 850 MHz...
Page 227: Appendix B: Safety & Certifications
Do not remove the metal covers. There are no operator serviceable components inside. Opening or removing the cover may expose you to dangerous voltage which may cause fire or electric shock. Refer all service to Opengear qualified personnel To avoid electric shock the power cord protective grounding conductor must be connected through to ground.
Page 228: Appendix C: Connectivity, Tcp Ports & Serial I/O
/ power devices have adopted their own unique pin-out, so custom connectors and cables may be required to interconnect your console server. Serial Port Pinout Opengear's console servers come with 1 to 48 serial connectors (notated SERIAL or SERIAL PORTS) for the RS232 serial ports: •...
Page 229 319001 or 319003 adaptors with standard UTP Cat 5 cable. To connect the LOCAL console ports to modems (for out of band access) use the 319004 adaptor with standard UTP Cat 5 cable. Each Opengear console server is supplied with UTP Cat 5 cables.
Page 230 Connectivity, TCP Ports & Serial I/O RS232 Standard Pinouts The RS232 pinout standards for the DB9 (and DB25) connectors are tabled below: DB25 SIGNAL DEFINITION Protective Ground Transmitted Data Received Data Request To Send Clear To Send Data Set Ready Signal Ground Received Line Signal Detector Reserved for data set testing...
Page 231 Connectors included in console server The ACM7000, CM7100 and IM7200 families have the Cisco pinout by default and ship with cross-over / straight RJ45-DB9 connectors: DB9F-RJ45S straight connector Part # 319014 DB9F-RJ45S cross- over connector Part # 319015 Other available connectors and adapters Opengear also supplies a range of cables and adapters that enables you to connect to popular servers and network appliances.
Page 232 319004 DB9M to RJ45 straight DTE adapter - Console server OOB modem connection For console servers with Opengear Classic pinouts: 319000 DB9F to RJ45 straight Console server with Opengear classic pinout to IP Power and other serial device 319001 DB9F to RJ45 crossover DCE adapter - Console server with Opengear classic pinout to X86 and...
Page 233 RLP (Resource Location Protocol) TACACS, TACACS+ BOOTP server BOOTP client TFTP Gopher Finger HTTP POP3 NNTP (Network News Transfer Protocol) 161/162 SNMP HTTPS...
Page 234: Appendix E: Terminology
Terminology 13 APPENDIX E: TERMINOLOGY TERM MEANING The Advanced Encryption Standard (AES) is a new block cipher standard to replace DES, developed by NIST, the US National Institute of Standards and Technology. AES ciphers use a 128-bit block and 128-, 192-, or 256-bit keys. The larger block size helps resist birthday attacks while the large key size prevents brute force attacks.
Page 235 The Data Encryption Standard is a block cipher with 64-bit blocks and a 56- bit key. DHCP Dynamic Host Configuration Protocol. A communications protocol that assigns IP addresses to computers when they are connected to the network. Domain Name System that allocates Internet domain names and translates them into IP addresses.
Page 236 Terminology to direct console server traffic to it. It is a 48-bit number written as a series of 6 hexadecimal octets, e.g. 00:d0:cf:00:5b:da. Each console server has its MAC address printed on a label underneath the device. MSCHAP Microsoft Challenge Handshake Authentication Protocol (MSCHAP) is authentication for PPP connections between a computer using a Microsoft Windows operating system and a network access server.
Page 237 data center. The SMASH Command Line Protocol (SMASH CLP) specification provides an intuitive interface to heterogeneous servers independent of machine state, operating system or OS state, system topology or access method. It is a standard method for local and remote management of server hardware using out-of-band communication SMTP Simple Mail Transfer Protocol.
Page 238 Terminology Virtual Private Network (VPN) is a network that uses a public telecommunication infrastructure and Internet to provide remote offices or individual users with secure access to their organization's network Wide Area Network WINS Windows Internet Naming Service (WINS) manages the association of workstation names and locations with IP addresses...
Page 239: End User License Agreements
Software, you agree to be bound by the terms of this EULA. If you do not agree to the terms of this EULA, Opengear is not willing to license the Software to you. In such event, do not use or install the Software.
Page 240 EULA. In the event the product fails to perform as warranted, Opengear’s sole obligation shall be, at Opengear’s discretion, to refund the purchase price paid by you for the Software on the defective media, or to replace the Software on new media.
Page 241 THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL JCRAFT, INC. OR ANY CONTRIBUTORS TO THIS SOFTWARE BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;...
Page 242 License Agreement the Program itself is interactive but does not normally print such an announcement, your work based on the Program is not required to print an announcement.) These requirements apply to the modified work as a whole. If identifiable sections of that work are not derived from the Program, and can be reasonably considered independent and separate works in themselves, then this License, and its terms, do not apply to those sections when you distribute them as separate works.
Page 243 conditions of this License, they do not excuse you from the conditions of this License. If you cannot distribute so as to satisfy simultaneously your obligations under this License and any other pertinent obligations, then as a consequence you may not distribute the Program at all. For example, if a patent license would not permit royalty-free redistribution of the Program by all those who receive copies directly or indirectly through you, then the only way you could satisfy both it and this License would be to refrain entirely from distribution of the Program.
Page 244 END OF TERMS AND CONDITIONS Wireless Driver License The Opengear firmware includes 802.11 driver code which is used in various console server models. This code is: Copyright (c) 2007, Ralink Technology Corporation All rights reserved. Redistribution and use in binary form, without modification, are permitted provided that the following conditions are...
Page 245: Appendix G: Service & Standard Warranty
Purchaser) under normal and proper use and service for the period of four (4) years from the date of original purchase from an Authorized Opengear reseller. In the event that this product fails to meet this warranty within the applicable warranty period, and provided...
Page 246: Limitation Of Liability
Opengear, the Purchaser shall not be entitled to receive any incidental damages as that term is defined in Section 2-715 of the Uniform Commercial Code. Opengear waives the benefit of any rule that disclaimer of warranty shall be construed against Opengear and agrees that such disclaimers herein shall be construed liberally in favor of Opengear.

This manual is also suitable for:

Acm7000-l Im7200 Cm7100

Opengear ACM7000 User Manual

1 This Manual

2 System Configuration

3 Serial Port, Host, Device & User Configuration

4 Firewall, Failover & Oob Access

5 Ssh Tunnels & Sdt Connector

6 Alerts, Auto-Response & Logging

7 Power, Environment & Digital I/O

8 Authentication

9 Nagios Integration

10 System Management

11 Status Reports

12 Management

Appendix A: Hardware Specification

Appendix B: Safety & Certifications

Appendix C: Connectivity, Tcp Ports & Serial I/O

13 Appendix E: Terminology

14 Appendix G: Service & Standard Warranty

Quick Links

Need help?

Questions and answers

Subscribe to Our Youtube Channel

Related Manuals for Opengear ACM7000

Summary of Contents for Opengear ACM7000

This manual is also suitable for:

Table of Contents