Value-Line and Advanced Console Servers User’s Manual
Models: LES1208A-R2, LES1308A, LES1408A, LES1508A, LES1216A-R2, LES1316A, LES1416A, LES1516A, LES1232A, LES1332A, LES1432A, LES1532A, LES1248A-R2, LES1348A, LES1448A, LES1548A
Securely manage data center and network equipment from anywhere in the world.
Order toll-free in the U.S.: Call 877-877-BBOX (outside U.S. call 724-746-5500)
Value-Line and Advanced Console Servers Manual

Trademarks Used in this Manual
Black Box and the Double Diamond logo are registered trademarks of BB Technologies, Inc. Cisco is a registered trademark of Cisco Technology, Inc. Mac is a registered trademark of Apple Computer, Inc.
Federal Communications Commission and Industry Canada Radio Frequency Interference Statements
This equipment generates, uses, and can radiate radio-frequency energy, and if not installed and used properly, that is, in strict accordance with the manufacturer’s instructions, may cause interference to radio communication. It has been tested and found to comply with the limits for a Class A computing device in accordance with the specifications in Subpart B of Part 15 of FCC rules, which are designed to provide reasonable protection against such interference when the equipment is operated in a commercial environment.

Instrucciones de Seguridad (Normas Oficiales Mexicanas Electrical Safety Statement)
1. All safety and operating instructions should be read before the electrical appliance is operated.
2. The safety and operating instructions should be kept for future reference.
3.
Table of Contents
9.1.5 RADIUS/TACACS User Configuration .... 201
9.1.6 Group support with remote authentication .... 201
9.1.7 Remote groups with RADIUS authentication .... 202
9.1.8 Remote groups with LDAP authentication .... 202
9.1.9 Remote groups with TACACS+ authentication .... 204
9.1.10 Idle timeout .... 204
9.1.11 ...
13.4 Power Management .... 242
14. Configuration from the Command Line .... 243
14.1 Accessing config from the command line .... 243
14.2 Serial Port configuration .... 246
14.3 Adding and removing Users .... 249
14.4 Adding and removing User Groups .... 250
14.5 Authentication ....
15.6.3 Installing the SSH Public/Private Keys (Clustering) .... 286
15.6.4 Installing SSH Public Key Authentication (Linux) .... 286
15.6.5 Generating public/private keys for SSH (Windows) .... 288
15.6.6 Fingerprinting .... 290
15.6.7 SSH tunneled serial bridging .... 290
15.6.8 SDT Connector Public Key Authentication .... 293
15.7 Secure Sockets Layer (SSL) Support ....
Chapter 1 Overview

Introduction

This User’s Manual walks you through installing and configuring your Black Box Console Server (LES1508A,
...
11. System Management
Covers access to and configuration of services that will run on the console
...
A User can also use the Management Console, but has limited menu access to control select devices, review their logs and access them using the built-in Java terminal or control power to them.

The console server runs an embedded Linux operating system, and experienced Linux® and UNIX® users
...
October 2011   2.0   Release for V2.8 firmware and later
December 2012  3.0   ...
Chapter 2 Installation

This chapter describes how to install the console server hardware and connect it to controlled devices.
...
DB9F-RJ45S straight and DB9F-RJ45S cross-over connectors
USB micro-AB adapter cable
Antenna with 10 foot extension cable
Dual IEC AC power cords
...
Power connection

2.2.1 LES1508A power

The LES1508A includes an external DC power supply unit. This unit accepts an AC input voltage between 100 and 250 VAC with a frequency of 50 Hz or 60 Hz. The DC power supply comes with a selection of
...
2.5 USB Port connection
The LES1208A-R2, LES1216A-R2, LES1232A and LES1248A-R2 console servers each also have one USB 1.1 port on the front face and two additional USB 2.0 ports at the rear face (adjacent to modem jack).
2.6 Antenna and SIM
The LES1408A, LES1416A, LES1432A and LES1448A console servers also have an internal CDMA cellular modem requiring an external antenna connection. The LES1308A, LES1316A, LES1332A and LES1348A console servers have an internal GSM cellular modem that requires a SIM card and an external antenna.
Chapter 3 Initial System Configuration

This chapter provides step-by-step instructions for the console server’s initial configuration, and for connecting
...
After completing each of the above steps, you can return to the configuration list by clicking the Black Box logo in the top left corner of the screen.
...
Note There are no restrictions on the characters that can be used in the Password. It can contain up to 254 characters. However, only the first eight System Password characters are used to make the password hash. In practice this makes the effective password length eight characters: anything after the eighth character is ignored when the hash is compared, so choose those eight from a wide character set rather than relying on a long passphrase for strength.

Click Apply. Since you have changed the password you will be prompted to log in again. This time,
...
3.3 Network IP address

The next step is to enter an IP address for the principal Ethernet (LAN/Network/Network1) port on the console
...
You may also enter a secondary address or comma-separated list of addresses in CIDR notation, e.g. 192.168.1.1/24 as an IP Alias. Note If you changed the console server IP address, you may need to reconfigure your PC/workstation so it has an IP address that is in the same network range as this new address. ...
Upon registering with the DDNS service provider, you will select a username and password, as well
...
3.4 Services and Service access

The Administrator can access and configure the console server (and connected devices) using a range of access protocols/services. Two things are required for each such access: first, the particular service must be configured and enabled to run on the console server; then access through the firewall must be enabled for each network connection.
be managed over any public network (e.g. the Internet). This ensures the Administrator has secure browser access to all the menus on the console server. It also allows appropriately configured Users secure browser access to selected Manage menus. For information on certificate and user client software configuration, refer to Chapter 9 - Authentication.
The default TCP/IP base port address for telnet access is 2000, and the range for telnet is IP Address:Port (2000 + serial port #), i.e. 2001 to 2048 on a 48-port unit. So if the Administrator were to set 8000 as a secondary base for telnet, then serial port #2 on the console server can be telnet accessed at IP Address:2002 and at IP Address:8002.
This will display the services currently enabled for the console server’s network interfaces. Depending on the particular console server model the interfaces displayed may include: Network interface (for the principal Ethernet connection). Management LAN / OOB Failover (second Ethernet connections). Dialout/Cellular (V90 and 3G modem).
The Respond to ICMP echos (i.e. ping) service access option can also be configured at this stage. It allows the console server to answer incoming ICMP echo requests. Ping is enabled by default, but, for security reasons, this service should generally be disabled after initial configuration. Be aware that this only stops echo replies on the selected interface: it does not hide the console server from a TCP port scan, and it removes a simple reachability check that monitoring systems often rely on, so weigh it against your troubleshooting needs. You can also configure to allow serial port devices to be accessed from nominated network interfaces ...
3.5 Communications Software

You have configured access protocols for the Administrator client to use when connecting to the console server.
...
to be installed onto your system. PuTTY (the Telnet and SSH client itself) can be downloaded from http://www.tucows.com/preview/195286.html

To use PuTTY for an SSH terminal session from a
...
3.6.1 Enable the Management LAN

The console servers provide a firewall, router, and DHCP server. You need to connect an external LAN switch to Network 2 to attach hosts to this management LAN.
...
Note You can configure the second Ethernet port as either a gateway port or as an OOB/Failover port (but not both). Make sure you did not allocate Network 2 as the Failover Interface when you configured the principal Network connection on the System: IP menu. The
...
Enter the Gateway address that you want to issue to the DHCP clients. If you leave this field blank,
...
The DHCP server also supports pre-assigning IP addresses to be allocated only to specific MAC addresses and
...
Management LAN - an alternate broadband Ethernet connection (which would be the Network2 port on the LES1508A, LES1516A, LES1532A, LES1548A, LES1408A, LES1416A, LES1432A,
...
3.6.4 Aggregating the network ports

By default, you can only access the console server's Management LAN network ports using SSH tunneling/port
...
Un-tick the Disable box. WAP configuration: Configure the IP Settings for the Wireless Network. Generally, if the device is being used as a Wireless AP, a static address is set here in the IP Settings. In this example, 192.168.10.1 is used. Set the IP address, and the netmask (in this case, 255.255.255.0 to give 254 unique network addresses in subnet), but do not fill in the Gateway, Primary DNS, and Secondary DNS.
Network Channel: Select the network channel. Channel 6 is the most commonly used, so it is best to do a site survey and pick a less congested channel if the unit is being deployed into an office environment. Hardware Mode: The unit supports 802.11b, g and single band 802.11n. In most cases, selecting 802.11b/g/n will provide the best interoperability with other hardware.
Note The Wireless screen on the Status: Statistics page shows the list of clients that are connected to the WAP. Wireless Client configuration: Select Wireless Client in the Wireless Settings section - which will make the Wireless Client Settings section visible.
Note: The Wireless screen in Status: Statistics will display all the locally accessible wireless LANs (with SSID and Encryption/Authentication settings). You can also use this screen to confirm you have successfully connected to the selected access point - refer to Chapter 12. 3.6.6
...
may be useful for remotely accessing various subnets at a remote site when being accessed using the cellular out of band connection. To add to the static route to the route table of the system: Select the Route Settings tab on the System: IP General Settings menu. ...
Chapter 4 Serial Port and Network Host

Introduction

The Black Box console server enables access and control of serially attached devices and network attached devices (hosts). The Administrator must configure access privileges for each of these devices,
...
Console Server Mode is the default and this enables general access to the serial console port on the serially attached devices. Device Mode sets the serial port up to communicate with an intelligent serial controlled PDU, UPS,
...
Specify a label for the port. Select the appropriate Baud Rate, Parity, Data Bits, Stop Bits, and Flow Control for each port. (Note: The RS-485/RS-422 option is not relevant for console servers.)

Before proceeding with further serial port configuration, connect the ports to the serial devices
...
Logging Level

This specifies the level of information to be logged and monitored (refer to Chapter 7 — Alerts
...
If the remote communications are tunneled with SDT Connector, then you can use Telnet to securely access these attached devices (refer to the Note below).
...
PuTTY can be downloaded at http://www.tucows.com/preview/195286.html

SSH

We recommend that you use SSH as the protocol where the User or Administrator connects to the console server (or connects through the console server to the attached serial consoles) over
...
For a User named “fred” to access serial port 2, when setting up the SSHTerm or the PuTTY SSH
...
connects as the currently authenticated Management Console user and does not re-authenticate. See section 13.3 for more details.

Authenticate
...
4.2 Add/Edit Users

The Administrator uses this menu selection to set up, edit, and delete users, and to define the access
...
2. Membership of the user group provides the user with limited access to the console server and connected Hosts and serial devices. These Users can access only the Management section of the Management Console menu and they have no command line access to the console server.
Click Add User to add a new user. Add a Username and a confirmed Password for each new user. You may also include information
...
Note The above Trusted Networks will limit Users’ and Administrators’ access to the console serial ports. They do not restrict access to the console server itself or to attached hosts. To change the default settings for this access, you will need to edit the iptables rules as described in Chapter 15—Advanced Configuration.
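One concrete way to close that gap, as an added example rather than the manual's own configuration: the script below generates iptables rules that allow new SSH (22) and HTTPS (443) connections to the console server only from a trusted management subnet and drop the rest, while established sessions and other traffic are untouched. The chain name TRUSTED_MGMT, the default port list and the use of the `state` and `multiport` matches are assumptions about the firmware's iptables build; the script prints the rules so you can review them before piping the output to sh, and where the firmware expects such rules to be persisted is a Chapter 15 topic, not covered here.

```shell
#!/bin/sh
# Added example (not from the manual): build iptables rules that restrict the
# console server's own management services to a trusted subnet.
# Assumptions: chain name TRUSTED_MGMT, default ports 22 (SSH) and 443 (HTTPS),
# and that the firmware's iptables has the 'state' and 'multiport' matches.

# trusted_rules SUBNET [PORTS]
# Print the iptables commands; nothing is applied until the output is run.
trusted_rules() {
    subnet="$1"
    ports="${2:-22,443}"
    case "$subnet" in
        */*) ;;                       # require CIDR form, e.g. 10.0.0.0/24
        *) echo "usage: trusted_rules CIDR [ports]" >&2; return 1 ;;
    esac
    # Only NEW connections to the listed ports are diverted into the chain, so
    # sessions already open when the rules load are not cut off.
    cat <<EOF
iptables -N TRUSTED_MGMT
iptables -F TRUSTED_MGMT
iptables -A TRUSTED_MGMT -s $subnet -j ACCEPT
iptables -A TRUSTED_MGMT -j DROP
iptables -I INPUT -p tcp -m multiport --dports $ports -m state --state NEW -j TRUSTED_MGMT
EOF
}

# When run with arguments, print the rules for review, e.g.:
#   sh trusted_rules.sh 10.0.0.0/24          # review
#   sh trusted_rules.sh 10.0.0.0/24 | sh     # apply (as root)
if [ $# -gt 0 ]; then
    trusted_rules "$@"
fi
```

Apply it from a session that is itself inside the trusted subnet, or from the serial Local console, so a typo in the CIDR does not lock you out.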
This serial port redirector software is loaded in your desktop PC, and it allows you to use a serial device that’s connected to the remote console server as if it were connected to your local serial port.
...
Select the connection type for the new connection (Serial, Network Host, UPS, or RPC) and then select
...
Note To set up a new serially connected RPC UPS or EMD device, configure the serial port, designate it as a Device, then enter a Name and Description for that device in the Serial & Network: RPC Connections (or UPS Connections or Environmental). When applied, this will automatically create a corresponding new Managed Device with the same Name /Description as the RPC/UPS Host (refer to Chapter 8—Power and Environment).
interconnecting with other IPsec VPN gateways, and road warrior IPsec software, refer to http://wiki.openswan.org

4.9.1 Enable the VPN gateway
Select IPsec VPN on the Serial & Networks menu. Click Add and complete the Add IPsec Tunnel screen. ...
If the VPN gateway is serving as a VPN gateway to a local subnet (e.g. the console server has a Management LAN configured), enter the private subnet details in Left Subnet. Use the CIDR notation (where the IP address number is followed by a slash and the number of ‘one’ bits in the binary notation of the netmask).
Enter any descriptive name you wish to identify the OpenVPN Tunnel you are adding, for example, NorthStOutlet-VPN. Select the Device Driver to be used, either Tun-IP or Tap-Ethernet. The TUN (network tunnel) and TAP (network tap) drivers are virtual network drivers that support IP tunneling and Ethernet tunneling, respectively.
If Server has been selected, enter the IP Pool Network address and the IP Pool Network mask for the IP Pool. The network defined by the IP Pool Network address/mask is used to provide the addresses for connecting clients. Click Apply to save changes. ...
When the OpenVPN software is started, the C:\Program Files\OpenVPN\config folder will be scanned for “.ovpn” files. This folder will be rechecked for new configuration files whenever the OpenVPN GUI icon is right-clicked. So once OpenVPN is installed, a configuration file will need to be created: ...
Verbosity level: 5 = helps with debugging connection problems; 9 = extremely verbose, excellent for troubleshooting.
dev tun / dev tap: Select ‘dev tun’ to create a routed IP tunnel or ‘dev tap’ to create an Ethernet tunnel. The client and server must use the same setting.
remote <host> ...
The log file will be displayed as the connection is established. Once established, the OpenVPN icon will display a message notifying of the successful connection and assigned IP. This information, as well as the time the connection was established, is available anytime by scrolling over the OpenVPN icon.
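Pulling the directives above together, here is an added example (not from the manual and not OpenVPN's own sample) that writes a minimal routed client configuration of the kind the GUI picks up from its config folder. The host name vpn.example.com, the UDP port 1194, the certificate file names and the default verbosity are assumptions; `remote-cert-tls server` is included because without it a client accepts any certificate signed by the same CA, including another client's, as the server.

```shell
#!/bin/sh
# Added example (not from the manual): write a minimal OpenVPN client config.
# Assumptions: ca.crt/client.crt/client.key sit next to the .ovpn file, the
# server listens on UDP 1194, and a routed ('dev tun') tunnel is wanted.

# write_ovpn FILE HOST [PORT] [VERB]
write_ovpn() {
    file="$1"; host="$2"; port="${3:-1194}"; verb="${4:-3}"
    [ -n "$file" ] && [ -n "$host" ] || {
        echo "usage: write_ovpn FILE HOST [PORT] [VERB]" >&2; return 1; }
    cat >"$file" <<EOF
client
dev tun
proto udp
remote $host $port
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert client.crt
key client.key
remote-cert-tls server
verb $verb
EOF
}

# ovpn_dev FILE: report whether a config is a routed (tun) or bridged (tap)
# tunnel, since client and server must agree on this setting.
ovpn_dev() {
    awk '$1 == "dev" { print $2; exit }' "$1"
}

# Usage: sh write_ovpn.sh client.ovpn vpn.example.com [1194] [5]
if [ $# -gt 0 ]; then
    write_ovpn "$@" && echo "wrote $1 ($(ovpn_dev "$1") tunnel)"
fi
```

Raise the verb argument to 5 or 9 only while troubleshooting, as the manual's table suggests; the log becomes very large at level 9.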
4.11 PPTP VPN

The LES1508A, LES1408A, LES1416A, LES1432A, LES1448A, LES1308A, LES1316A, LES1332A, LES1348A, LES1208A-R2, LES1216A-R2, LES1232A and LES1248A-R2 console servers include a PPTP (Point-to-Point Tunneling Protocol) server.
Select the Enable check box to enable the PPTP Server. Select the Minimum Authentication Required. Access is denied to remote users attempting to connect using an authentication scheme weaker than the selected scheme. The schemes are described below, from strongest to weakest. •...
Enable Verbose Logging to assist in debugging connection problems. Click Apply Settings.

4.11.2 Add a PPTP user

Select Users & Groups on the Serial & Networks menu and complete the fields as covered in section 4.2. Ensure the pptpd Group has been checked, to allow access to the PPTP VPN server. Note: users in this group will have their password stored in clear text, so give PPTP access to dedicated accounts with their own passwords rather than adding Administrator accounts to the group.
Note: To connect remote VPN clients to the local network, you need to know the user name and password for the PPTP account you added, as well as the Internet IP address of the console server. If your ISP has not allocated you a static IP address, consider using a dynamic DNS service.
Note VCMS maintains public key authenticated SSH connections to each of its Managed Console Servers. These connections are used for monitoring, commanding and accessing the Managed Console Servers and the Managed Devices connected to the Managed Console Server. To manage Local Console Servers, or console servers that are reachable from the VCMS, the SSH connections are initiated by VCMS.
Once the candidate has been accepted on the VCMS (as outlined in the next section) an SSH tunnel to the console server is then redirected back across the Call Home connection. The console server has now become a Managed Console Server and the VCMS can connect to and monitor it through this tunnel.
The Local Console Servers drop-down list lists all the console servers that are on the same subnet as the CMS and are not currently being monitored. The Remote Console Servers drop-down list in the Detected Console Servers section lists all the console servers that have established a Call Home connection, and are not currently being monitored (i.e.
By selecting Listening Server, you may create a Remote port forward from the Server to this unit, or a Local port forward from this unit to the Server: Specify a Listening Port to forward from; leave this field blank to allocate an unused port. Enter the Target Server and Target Port that will be the recipient of forwarded connections.
...
For the other interfaces, configure as you would normally on the local network. For both interfaces, leave Gateway blank. Configure the Black Box modem in Always On Out-of-band mode. For a cellular connection, click System: Dial: Internal Cellular Modem.
4.13.4 Service Intercepts These allow the console server to continue to provide services for e.g. out-of-band management when in IP Passthrough mode. Connections to the modem address on the specified intercept port(s) will be handled by the Console server, rather than being passed through to the downstream router. ...
Internal Modem Port tab under System -> Dial (as well as the Serial DB9 Port tab) The LES1208A-R2, LES1216A-R2, LES1232A, and LES1248A-R2 need to have an external modem attached via a serial cable to their DB9 port. This port is marked Local and is located on the back of the units.
5.2.1 Configure Dial-In PPP

To enable dial-in PPP access on the modem: Select the System: Dial menu option and the port to be configured (Serial DB9 Port or Internal Modem
...
You must select the Authentication Type to apply to the dial-in connection. The console server uses authentication to challenge Administrators who dial in to the console server. (For dial-in access,
...
5.2.2 Using SDT Connector client

Administrators can use their SDT Connector client to set up secure OoB dial-in access to all their remote console
...
5.2.4 Set up earlier Windows clients

For Windows 2000, the PPP client set up procedure is the same as above, except you get to the Dial-Up
...
Override DNS is available for PPP Devices such as modems. Override DNS allows the use of alternate DNS servers from those provided by your ISP. For example, an alternative DNS may be required for OpenDNS used for content filtering. To enable Override DNS, check the Override returned DNS Servers box. Enter the IP of the DNS servers into the spaces provided.
5.3.2 Failover dial-out

The advanced console servers can be configured so a dial-out PPP connection is automatically set up if the principal management network is disrupted. Note: Only SSH access is enabled on the failover connection; in firmware versions later than 3.0.2, HTTPS access is also enabled.
Note: By default, the advanced console server supports automatic failure-recovery back to the original state prior to failover (V3.1.0 firmware and later). The advanced console server continually pings probe addresses whilst in original and failover states. The original state will automatically be set as a priority and reestablished following three successful pings of the probe addresses during failover.
On the System: IP menu select Network 2 and configure the IP Address, Subnet Mask, Gateway,
...
When configuring the principal network connection, specify Network 2 (eth1) as the Failover Interface to use when a fault is detected with Network 1 (eth0).
...
In this mode, Network 2 (eth1) is available as the transparent back-up port to Network 1 (eth0) for accessing
...
5.6 Cellular Modem Connection

The LES1508A, LES1516A, LES1532A, LES1548A, LES1308A, LES1316A, LES1332A, LES1348A, LES1408A, LES1416A, LES1432A, and LES1448A console servers support internal cellular modems. These modems first need to be installed (as described below in 5.6.1, 5.6.2 or 5.6.3) and then set up to validate they can connect to the carrier network (as described below in 5.6.4 and 5.6.5).
Note: Your 3G carrier may have provided you with details for configuring the connection including APN (Access Point Name), Pin Code (optional PIN code, which may be required to unlock the SIM card), Phone Number (the sequence to dial to establish the connection, defaults to *99***1#), Username / Password (optional) and Dial string (optional AT commands).
Click Apply and a radio connection will be established with your cellular carrier.

5.6.2 Connecting to a CDMA EV-DO carrier network

The LES1408A, LES1416A, LES1432A, and LES1448A models have an internal CDMA modem. These will connect to the Verizon network in North America. After creating an account with the CDMA carrier, some carriers require an additional step to provision the Internal Cellular Modem, referred to as Provisioning.
Click Activate to initiate the OTASP call. The process is successful if no errors are displayed and you no longer see the CDMA Modem Activation form. ( If OTASP is unsuccessful you can consult the System Logs for clues to what went wrong at Status: Syslog). ...
console server as both the MDN and MSID with no spaces or hyphens e.g. “5551231234” for “555-123-1234” Click Activate. If no errors occur you will see the new values entered into the NAM Profile at the Cellular page on Status: Statistics. ...
With the cellular modem connection on, you can also see the connection status from the LEDs on top of the unit.

5.6.4 Cellular modem watchdog

When you select Enable Dial-Out on the System: Dial menu, you will be given the option to configure a cellular modem watchdog service (with firmware V3.5.2u13 and later).
Specify how the device will Failback from the failover SIM to the Primary SIM. There are two options: The 'On Disconnect' failback option will failback to the Primary SIM only after the connection on the failover SIM has failed its ping test. The 'On Timeout' failback option will failback to the Primary SIM after the connection on the failover SIM has been up for the timeout period.
Note: Dual SIM failover still applies to the cell modem interface when the cell modem itself is used as the console server's failover interface. Be aware that when the console server is failing over to the cell modem interface and the primary SIM fails, total time to fail over to the cell modem and then for the cell modem to failover to its secondary SIM can take several minutes - be patient.
5.7.1 OOB access set up In this mode, the dial-out connection to the carrier cellular network is always on, awaiting any incoming traffic. By default, the only traffic enabled are incoming SSH access to the console server and its serial ports, and incoming HTTPS access to the console server.
5.7.2 Cellular failover setup In this mode, a dial-out cellular connection is only established if the main network is disrupted. The cellular connection normally remains idle - in a low power state - and is only activated if a ping fails. This standby mode can suit remote sites with expensive power or very high cellular traffic costs.
The Operational Status will change as the cellular modem finds a channel and connects to the network. The Failover & Out-of-Band screen will display information relating to a configured Failover/OOB interface and the status of that connection. The IP Address of the Failover / OOB interface will be presented in the Failover &...
5.8 Firewall & Forwarding

The console server has routing, NAT, packet filtering, and port forwarding support on all physical and virtual
...
Select the Forwarding & Masquerading panel on the System: Firewall menu. Check Enable IP Masquerading (SNAT) on the network interfaces where masquerading is to be enabled.
...
Output Address: The target of the port forward. This is an address on the internal network where
...
Click New Firewall Rule. Fill in the following fields: Name: Name the rule. This name should describe the policy the firewall rule is being
...
Chapter 6 Secure SSH Tunneling & SDT Connector

Introduction

Each Black Box console server has an embedded SSH server and uses SSH tunneling so remote users can securely connect through the console server to Managed Devices—using text-based console tools (such
...
configure access to network connected Hosts that the user is authorized to access and set up (for each of these Hosts) the services (for example, HTTPS, IPMI2.0) and the
...
Note The SDT Connector client can be configured with unlimited number of Gateways (that is, console servers). You can configure each Gateway to port forward to an unlimited number of locally networked Hosts. There is no limit on the number of SDT Connector clients that can be configured to access the one Gateway.
6.2.6 Manually adding new services to the new hosts

To extend the range of services that you can use when accessing hosts with SDT Connector:
...
An example is the Dell RAC service. The first redirection is for the HTTPS connection to the RAC server— it
...
Note SDT Connector can also tunnel UDP services. SDT Connector tunnels the UDP traffic through the TCP SSH redirection, so it is a “tunnel within a tunnel.” Enter the UDP port where the service is running on the host. This will also be the local UDP port that SDT Connector binds as the local endpoint of the tunnel.
Enter a Name for the client. Enter the Path to the executable file for the client (or click Browse to
...
Click OK.

6.2.8 Dial in configuration

If the client PC is dialing into the Local/Console port on the console server, you will need to set up a dial-in PPP
...
Browse to the console server and select Network Hosts from Serial & Network, click Add Host, and in the IP Address/DNS Name field enter 127.0.0.1 (this is the Black Box network loopback address). Then, enter Loopback in Description.
Assuming you have already set up the target console server as a gateway in your SDT Connector client
...
Description, and Password/Confirm. Select 127.0.0.1 from Accessible Host(s) and select Port 2 from Accessible Port(s). Click Apply.
...
where network_connection is the name of the network connection as displayed in Control Panel -> Network Connections, login is the dial-in username, and password is the dial-in password
...
Importing (and exporting) preferences

To enable the distribution of pre-configured client config files, SDT Connector has an Export/Import facility:
...
To set the user(s) who can remotely access the system with RDP, click Add on the Remote Desktop
...
In the Computer field, enter the appropriate IP Address and Port Number: Where there is a direct local or enterprise VPN connection, enter the IP Address of the
...
Click Connect.

Note The Remote Desktop Connection software is pre-installed with Windows XP, Vista and Server 2003/2008. For earlier Windows PCs, you need to download the RDP client: Go to the Microsoft Download Center site http://www.microsoft.com/downloads/details.aspx?familyid=80111F21-D48D-426E-96C2-08AA2BD23A49&displaylang=en and click the Download button. This software package will install the client portion of Remote Desktop on Windows 95, Windows...
Note The rdesktop client is supplied with Red Hat 9.0: rpm -ivh rdesktop-1.2.0-1.i386.rpm. For Red Hat 8.0 or other distributions of Linux, download the source, untar it, then run configure, make, and make install. rdesktop currently runs on most UNIX based platforms with the X Window System and can be downloaded from http://www.rdesktop.org/ ...
SDT SSH Tunnel for VNC

With SDT and Virtual Network Computing (VNC), Users and Administrators can securely access and control Windows 98/NT/2000/XP/2003, Linux, Macintosh, Solaris, and UNIX computers. There’s a range
...
To set up a persistent VNC server on Red Hat Enterprise Linux 4: Set
...
To establish the VNC connection, first configure the VNC Viewer, entering the VNC Server IP address.

A. When the Viewer PC is connected to the console server through an SSH tunnel (over the public Internet, or a dial-in connection, or private network connection), enter localhost (or 127.0.0.1) as the IP VNC
...
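Without SDT Connector, the tunnel that step A relies on can be built by hand with an OpenSSH client. The script below is an added example (not from the manual) that forwards a local port on the viewer PC, through the console server, to the VNC port of a host behind it, after which the viewer is pointed at localhost exactly as described above; the same forward with target port 3389 serves the Remote Desktop case from the previous section, which goes a little beyond the VNC-only text. The console server address cs.example.com, the user fred, the target 10.0.0.5 and the local port 5901 are assumptions.

```shell
#!/bin/sh
# Added example (not from the manual): build and run an SSH local port forward
# through the console server so a VNC (or RDP) client can connect to localhost.
# Assumptions: OpenSSH client on the viewer PC, console server SSH on port 22,
# VNC listening on 5900 on the target host.

# tunnel_cmd GATEWAY USER TARGET [TARGET_PORT] [LOCAL_PORT]
# Print the ssh command that forwards LOCAL_PORT on the viewer PC to
# TARGET:TARGET_PORT as seen from the console server.
tunnel_cmd() {
    gw="$1"; user="$2"; target="$3"; tport="${4:-5900}"; lport="${5:-5901}"
    [ -n "$gw" ] && [ -n "$user" ] && [ -n "$target" ] || return 1
    # -N: no remote shell is needed for a pure forward.
    # -L 127.0.0.1:...: bind on loopback only, so other hosts on the viewer's
    #   LAN cannot ride the authenticated tunnel.
    # ExitOnForwardFailure: a local port clash fails loudly instead of leaving
    #   an SSH session with no forward in it.
    echo "ssh -N -o ExitOnForwardFailure=yes -L 127.0.0.1:$lport:$target:$tport $user@$gw"
}

# viewer_target LOCAL_PORT: what to type into the VNC Viewer once the tunnel is up.
viewer_target() {
    echo "localhost:$1"
}

# Usage: sh vnc_tunnel.sh cs.example.com fred 10.0.0.5 [5900] [5901]
if [ $# -ge 3 ]; then
    cmd=$(tunnel_cmd "$@") || {
        echo "usage: $0 GATEWAY USER TARGET [TARGET_PORT] [LOCAL_PORT]" >&2; exit 1; }
    echo "Starting tunnel: $cmd"
    echo "Then connect the viewer to $(viewer_target "${5:-5901}")"
    exec $cmd
fi
```

Check the console server's SSH host key fingerprint on first connection (section 15.6.6 covers fingerprinting); a tunnel to the wrong gateway carries your VNC password to whoever answers.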
Note For general background reading on Remote Desktop and VNC access we recommend the following: The Microsoft Remote Desktop How-To. http://www.microsoft.com/windowsxp/using/mobility/getstarted/remoteintro.mspx The Illustrated Network Remote Desktop help page. http://theillustratednetwork.mvps.org/RemoteDesktop/RemoteDesktopSetupandTroubleshooting.ht What is Remote Desktop in Windows XP and Windows Server 2003? by Daniel Petri. http://www.petri.co.il/what's_remote_desktop.htm ...
B. For Windows XP and 2003 computers, follow the steps below to set up an advanced network connection between the Windows computer, through its COM port, and the console server. Both Windows
...
Specify which Users will be allowed to use this connection. This should be the same Users who were
...
Or, you can set the advanced connection and access on the Windows computer to use the console server defaults: Specify 10.233.111.254 as the From: address. Select Allow calling computer to specify its own address. Also, you could use the console server default username and password when you set up the new Remote Desktop User and gave this User permission to use the advance connection to access the Windows computer: The console server default Username is portXX where XX is the serial port number on the...
Chapter 7 Alerts and Logging
Introduction
This chapter describes the automated response, alert generation, and logging features of the console server.
The new Auto-Response facility (in firmware V3.5.1 and later) extends the basic Alert facility available in earlier firmware revisions.
To configure a new Auto-Response: Select New Auto-Response in the Configured Auto-Response field. You will be presented with a new Auto-Response Settings menu. Enter a unique Name for the new Auto-Response. Specify the Reset Timeout for the time in seconds after resolution to delay before this Auto-Response can be triggered again.
Check Conditions
To configure the condition that will trigger the Auto-Response: Click on the Check Condition type (e.g. Environmental, UPS Status or ICMP ping) to be configured as the trigger for this new Auto-Response in the Auto-Response Settings menu.
7.2.1 UPS / Power Supply
To use the properties of any attached UPS as the trigger event: ...
7.2.3 Serial Login/Logout
To monitor serial ports and check for login/logout or pattern matches as Auto-Response trigger events: Click on Serial Login/Logout as the Check Condition. Then in the Serial Login/Logout Check menu, select Trigger on Login (to trigger when any user logs into the serial port) or Trigger on Logout and specify the Serial Port to perform the check on, and/or ...
7.2.8 Custom Check
This check allows users to run a nominated custom script with nominated arguments whose return value is used as an Auto-Response trigger event: Click on Custom Check as the Check Condition. Create an executable trigger check script file, e.g. /etc/config/test.sh:
    #!/bin/sh
    logger "A test script"
    ...
Note: The SMS command trigger condition can only be set if there is an internal or external USB cellular modem detected.
7.2.9 SMS Command
An incoming SMS command from a nominated caller can trigger an Auto-Response: Click on SMS Command as the Check Condition. ...
Note: The SMS command trigger condition can only be set if there is an internal cellular modem detected.
7.2.10 Log In/Out Check
To configure Web Log In/Out as the trigger event: Click on the Web UI Authentication as the Check Condition. Check Trigger on Login (Logout) to trigger when a user logs into (or out of) the Web UI.
Select the Interface (Ethernet / Failover OOB Interface or Modem or VPN) to monitor. Check what type of network interface Event to trigger on (interface Down, Starting, Up or Stopping). Note: This check is not resolvable, so Resolve actions will not be run. ...
The console server's incoming Interface to monitor. An optional Source MAC/IP Address, to monitor traffic from a specific host (e.g. the downstream router). A Data Limit threshold; the Auto-Response will trigger when this is hit in the specified Time Period.
Note: A message text can be sent with Email, SMS, and Nagios actions. This configurable message can include selected values:
$AR_TRIGGER_VAL = the trigger value for the check, e.g. for UPS Status it could be onbatt or battlow
$AR_VAL = the value returned by the check, e.g. for UPS Status it could be online/onbatt/battlow
$AR_CHECK_DEV = the device name of the device being checked, e.g.
Click Save New Action. Note: To notify the central Nagios server of Alerts, NSCA must be enabled under System: Nagios and Nagios must be enabled for each applicable host or port.
Resolve Actions
Actions can also be scheduled to be taken after a trigger condition has been resolved: ...
In the SMTP Server field, enter the outgoing mail Server's IP address. If this mail server uses a Secure Connection, specify its type. ...
Select a Secure Connection (if applicable) and specify the SMTP port to be used (if other than the ...
Note: The option to directly send SMS alerts via the cellular modem was included in the Management GUI in V3.4. Advanced console servers already had the gateway software (SMS Server Tools 3) embedded, but this could only be accessed from the command line to send SMS messages. ...
All console servers have the snmptrap daemon to send traps/notifications to remote SNMP servers on defined trigger events as detailed above. LES1408A, LES1416A, LES1432A, LES1448A, LES1308A, LES1316A, LES1332A, LES1348A, LES1208A-R2, LES1216A-R2, LES1232 and LES1248A-R2 console servers also embed the net-snmpd daemon. It accepts SNMP requests from remote SNMP management servers and provides information on network interface, running processes, etc.
Select the Alerts & Logging: Port Log menu option and specify the Server Type to be used, and the details to enable log server access. From the Manage: Devices menu the Administrator can view serial, network, and power device logs stored in the console reserve memory (or flash USB).
Level 4 Logs all data transferred to the port and all changes in hardware flow control status and all User connection events. Click Apply. Note A cache of the most recent 8K of logged data per serial port is maintained locally (in addition to the Logs which are transmitted for remote/USB flash storage).
Chapter 8 Power & Environmental Management
Introduction
Black Box console servers include embedded software that you can use to manage connected Power Distribution ...
Select the Serial & Network: RPC Connections menu. This will display all the RPC connections that ...
Select the appropriate RPC Type for the PDU (or IPMI) being connected: If you are connecting to the RPC via the network, you will be presented with the IPMI protocol ... in the selected RPC Type or will query the RPC itself for this information.
Note The Black Box console servers support most popular network and serial PDUs. If your PDU is not on the default list, then you can add support directly (as covered in Chapter 14—Advanced Configurations) or add the PDU support to either the Network UPS Tools or PowerMan open source projects.
8.2.1 Managed UPS connections
A Managed UPS is a UPS that is directly connected as a Managed Device to the console server. You can connect ...
For serial UPSes, attach the UPS to the selected serial port on the console server. From the Serial and ...
Select if the UPS will be Connected Via USB, over a pre-configured serial port, or via SNMP/HTTP/HTTPS ...
Note: These login credentials are not related to the Users and access privileges you configured in Serial & Networks: Users & Groups.
If you have multiple UPSes and require them to be shut down in a specific order, specify the Shutdown ...
8.3.1 Connecting the EMD and its sensors
The Environmental Monitor Device (EMD) connects to any serial port on the console server via a special ...
Note: You can attach two external sensors onto the terminals on EMDs that are connected to LES1108A, LES1116A, LES1132 and LES1148A console servers. LES1508A, LES1516A, LES1532A, LES1548A, LES1408A, LES1416A, LES1432A, LES1448A, LES1308A, LES1316A, LES1332A, LES1208A-R2, ...
The I/O ports are configured via the I/O port page, which is found under the System menu. Each port can be configured with a default direction and state. Select the System: I/O Ports menu.
8.4.1 Digital I/O Output Configuration
Each of the two digital I/O ports (DIO1 and DIO2) can be configured as an Input or Output port.
For example, to set pin 1 to a low output, type:
    ioc -p 1 -d 0 -v 0
To pulse one of these outputs, use a script like the following:
    ioc -p 1 -d 0 -v 1
    sleep 1
    ioc -p 1 -d 0 -v 0
This will set the output high for 1 second, then return it to low (assuming the initial state is low).
Chapter 9 Authentication
Introduction
The console server is a dedicated Linux computer with a myriad of popular and proven Linux software modules for networking, secure access (OpenSSH), and communications (OpenSSL), and sophisticated user ...
9.1.5 RADIUS/TACACS User Configuration
Users may be added to the local console server appliance. If they are not added and they log in via remote ...
Select Serial & Network: Authentication. Select the relevant Authentication Method. Check the Use Remote Groups button.
9.1.7 Remote groups with RADIUS authentication
Enter the RADIUS Authentication and Authorization Server Address and Server Password. ...
For example, in an existing Active Directory setup, a group of users may be part of the “UPS Admin” and “Router Admin” groups. On the console server, these users will be required to have access to a group “Router_Admin”, with access to port 1 (connected to the router), and another group “UPS_Admin”, with access to port 2 (connected to the UPS).
9.1.9 Remote groups with TACACS+ authentication When using TACACS+ authentication, there are two ways to grant a remotely authenticated user privileges. The first is to set the priv-lvl and port attributes of the raccess service to 12; this is discussed further in section 9.2 of this document.
Note: Kerberos is very sensitive to time differences between the Key Distribution Center (KDC) authentication server and the client device. Make sure that NTP is enabled, and the time zone is set correctly on the console server. When authenticating against Active Directory, the Kerberos Realm will be the domain name, and the Master KDC will be the address of the primary domain controller.
TACACS+ - pam_tacplus (http://echelon.pl/pubs/pam_tacplus.html)
LDAP - pam_ldap ...
If there is already a Framed-Filter-Id, simply add the list of group_names after the existing entries, ...
Select System: SSL Certificate and fill out the fields as explained below:
Common name: This is the network name of the console server once it is installed in the network ...
Key length: This is the length of the generated key in bits. 1024 bits are supposed to be sufficient for most cases. Longer keys may result in slower response time of the console server ...
Chapter 10 Nagios Integration
Introduction
Nagios is a powerful, highly extensible open source tool for monitoring network hosts and services. The core ...
10.1 Nagios overview
Nagios provides central monitoring of the hosts and services in your distributed network. Nagios is freely downloadable, ...
10.2.2 Set up distributed console servers
This section provides a brief walkthrough on configuring a single console server to monitor the status of one attached network ...
Remove all Permitted Services. This server will be accessible using Terminal Services, so check TCP, Port 3389 and ...
Select Users & Groups from the Serial & Network menu. Click Add User. In Username, enter: sdtnagiosuser, then enter and confirm a Password. ...
10.3.2 Enable NRPE monitoring
Enabling NRPE allows you to execute plug-ins (such as check_tcp and check_ping) on the remote Console server to monitor ...
10.3.4 Configure Selected Serial Ports for Nagios Monitoring
The individual Serial Ports connected to the console server to be monitored must be configured for Nagios checks. Refer to ...
10.4 Advanced distributed monitoring configuration
10.4.1 Sample Nagios configuration
An example configuration for Nagios is listed below. It shows how to set up a remote Console server to monitor a single host, ...
    define service {
        service_description    Serial Status
        host_name              server
        use                    generic-service
        check_command          check_serial_status
    }
    define service {
    ...
        name                            Black Box_nrpe_daemon_dep
        host_name                       Black Box
        dependent_host_name             server
        dependent_service_description   Port Log
        service_description
    ...
        use                    generic-service
        check_command          check_conn_via_Black Box!tcp!22
    }
    define service {
        service_description    host-port-tcp-22-server   ; host-port-<protocol>-<port>-<host>
    ...
    Time                    No encryption   3DES SSH tunnel   ...
    NSCA for single check   ~ ½ second      ~ ½ second        ~ ...
Remote site
In this scenario, configure the console server NRPE server or NSCA client to actively check configured services and upload ...
Remote site with no network access
In this scenario the console server allows dial-in access for the Nagios server. Periodically, the Nagios server will establish ...
Chapter 11 System Management
Introduction
This chapter describes how the Administrator can perform a range of general console server system administration and configuration ...
Pushing the Erase button on the rear panel twice. A ball-point pen or bent paper clip is a suitable tool for this procedure. ...
Select the System: Date & Time menu option. Manually set the Year, Month, Day, Hour, and Minute using the Date and Time selection boxes, then click Set Time. ...
With all console servers, you can save the backup file remotely on your PC and you can restore configurations from remote ...
The Local Configuration Backup menu will display all the configuration backup files you have stored onto the USB ...
changes to a specific device. For example, changes to authentication methods or user accounts may be grouped and run once ...
Advanced Console Servers (LES1408A, LES1416A, LES1432A, LES1448A, LES1308A, LES1316A, LES1332A, LES1348A, LES1208A-R2, LES1216A-R2, LES1232A, LES1248A-R2) use an embedded OpenSSL cryptographic module that has been validated to meet the FIPS 140-2 standards and has received Certificate #1051. When ...
Chapter 12 Status Reports
Introduction
This chapter describes the dashboard feature and the status reports that are available: Port ...
Enter the remote Syslog Server Address and Syslog Server Port details and click Apply. The ...
Click Next.
Note: You can configure a custom dashboard for any admin user or for the admin group, or you can reconfigure the default dashboard. The Status:Dashboard screen is the first screen displayed when admin users (other than root) log into the console manager.
Note: The Alerts widget is a new screen that shows the current alerts status. When an alert gets triggered, a corresponding .XML file is created in /var/run/alerts/. The dashboard scans all these files and displays a summary status in the alerts widget.
Chapter 13 Management
Introduction
The console server has a small number of Manage reports and tools that are available to both Administrators and Users: Access ...
13.3.1.2 Web Terminal to Serial Device
To enable the Web Terminal service for each serial port you want to access: Select Serial & Network: Serial Port and click Edit. Ensure the serial port is in Console Server Mode. Check Web Terminal and click Apply. Administrators and Users can communicate directly with serial port attached devices from their browser: ...
Chapter 14 Command Line Configuration
Introduction
For those who prefer to configure their console server at the Linux command line level (rather than use a browser and the Management Console), this chapter describes how to use command line access and the config tool to manage the ...
This chapter is not intended to teach you Linux. We assume you already have a certain level of understanding before you execute Linux kernel level commands.
The config tool
Syntax
    config [ -ahv ] [ -d id ] [ -g id ] [ -p path ] [ -r configurator ] [ -s id=value ] [ -P id ]
Description
...
-e, --export=file    Save active configuration to file.
-i, --import=file    Load ...
Note: The config command does not verify whether the nodes edited/added by the user are valid. This means that any node may be added to the tree. If a user runs the following command: # /bin/config -s config.fruit.apple=sweet The configurator will not complain, but this command is useless. When the configurators are run (to turn the config.xml file into live config) they will simply ignore this <fruit>...
Console server mode
The command to set the port in portmanager mode:
    # config -s config.ports.port5.mode=portmanager
To ...
Terminal server mode
Enable a TTY login for a local terminal attached to serial port 5:
    # ...
14.3 Adding and removing Users
First, determine the total number of existing Users (if you have no existing Users you can assume this is 0):
    # ...
    # config -s config.sdt.hosts.host5.users.total=2   (total number of users having access to host)
To edit any of the user element values, use the same approach as when adding user elements, that is, use the "-s" parameter. ...
The following command will synchronize the live system with the new configuration:
    # config -a
14.5 ...
    # config -g config.sdt.hosts.total
Assume this value is equal to 3. If you add another host, make sure you increment the total number of hosts from 3 to 4:
    # ...
To get the current number of managed devices:
    # config -g config.devices.total
Assuming we already have one managed device, our new device will be device 2. Issue the following commands:
    # ...
    # config -s config.cascade.slaves.slave1.ports=16
The total number of slaves must also be incremented. If this is the first slave you're adding, type:
    # ...
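The "read .total, write entry N+1, increment .total, config -a" sequence that this chapter repeats by hand for users, hosts, managed devices and cascaded slaves, as an added shell helper that is not from the manual. It assumes that `config -g node` prints the value as the last whitespace-separated field of its output and that an unset .total prints nothing; CONFIG can be pointed at a stub to dry-run the sequence off the appliance.

```shell
#!/bin/sh
# Added example, not Black Box code: wraps the "read .total, write entry N+1,
# bump .total, config -a" sequence that Chapter 14 spells out by hand.
# Assumptions (not confirmed by the manual): "config -g node" prints the value
# as the last whitespace-separated field, an unset .total prints nothing, and
# "config -s" accepts a quoted id=value so values with spaces survive.
CONFIG="${CONFIG:-/bin/config}"   # point at a stub for a dry run off the box

# cfg_total LIST -> print LIST.total, or 0 when the list does not exist yet
cfg_total() {
    _v=$("$CONFIG" -g "$1.total" 2>/dev/null | awk '{print $NF}')
    case "$_v" in
        ''|*[!0-9]*) echo 0 ;;        # unset or non-numeric: empty list
        *)           echo "$_v" ;;
    esac
}

# cfg_append LIST PREFIX key=value ... -> write LIST.PREFIX<N+1>.key=value for
# every pair, then set LIST.total=N+1. Prints the index that was used.
cfg_append() {
    _list=$1; _prefix=$2; shift 2
    _next=$(( $(cfg_total "$_list") + 1 ))
    for _kv in "$@"; do
        case "$_kv" in
            *=*) ;;
            *) echo "cfg_append: '$_kv' is not key=value" >&2; return 1 ;;
        esac
        "$CONFIG" -s "$_list.$_prefix$_next.$_kv" >/dev/null || return 1
    done
    # as the manual stresses for hosts, devices and slaves: the list's
    # .total must be incremented along with the new entry
    "$CONFIG" -s "$_list.total=$_next" >/dev/null || return 1
    echo "$_next"
}

# cfg_apply -> synchronize the live system with the new configuration
cfg_apply() {
    "$CONFIG" -a
}

# Usage (commented out so the file can be sourced without touching the box):
# add a 16-port slave and a managed device, then apply both.
# cfg_append config.cascade.slaves slave ports=16 >/dev/null
# cfg_append config.devices device "connections.connection1.name=My UPS" >/dev/null
# cfg_apply
```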
The five commands below will add the UPS to Managed devices. Assuming there are already two managed devices configured:
    # config -s "config.devices.device3.connections.connection1.name=My UPS"
    # ...
    # config -s "config.ports.port2.power.type=APC 7900"
    # config -s config.ports.port2.power.name=MyRPC
    # config -s "config.ports.port2.power.description=RPC in room 5"
    # ...
Assume the remote log server needs a username 'name1' and password 'secret':
    # config -s config.eventlog.server.username=name1
    # ...
Pattern Match Alert
To trigger an alert if the regular expression '.*0.0% id' is found in serial port 10's character stream:
    # ...
    # config -s config.alerts.alert2.enviro.low.critical=50
    # config -s config.alerts.alert2.enviro.low.warning=70
    # config -s config.alerts.alert2.rpc1=RPCInRoom20
    # config -s config.alerts.alert2.sensor=load
    # ...
    # config -s config.system.smtp.password2=secret
    # config -s "config.system.smtp.subject2=SMTP alerts"
The following command will synchronize the live system with the new configuration:
    # ...
    # config -s config.interfaces.wan.dns2=192.168.0.2
    # config -s config.interfaces.wan.mode=static
    # config -s config.interfaces.wan.media=[ Auto | 100baseTx-FD | 100baseTx-HD | 10baseT-HD | 10baseT-FD ]
To ...
    # config -r time
14.20 Dial-in settings
To enable dial-in access on the DB9 serial port from the command line with the following attributes:
Local ...
Chapter 15 Advanced Configuration
Introduction
Black Box console servers run the embedded Linux operating system, so Administrator class users can configure the console ...
15.1.3 Example script - Power Cycling on Pattern Match
For example, we have an RPC (PDU) connected to port 1 on a console server and also have a telecommunications device connected ...
This creates an obvious complication because this script does NOT check for any other dependencies that the node being ...
    cp /etc/config/config.xml /etc/config/config.bak
    echo "backup of /etc/config/config.xml saved in /etc/config/config.bak"
    if [ -z "$NUMBER" ]   # test whether a singular node is being deleted
    ...
The ping-detect script
The above is just one example of using the ping-detect script. The idea of the script is to run any number of commands when ...
The solution is to create a custom script that runs after each configurator runs. After each configurator runs, it will check whether ...
To load any other config file:
    # /etc/scripts/backup-usb load {filename}
The /etc/scripts/backup-usb script can be executed directly with various COMMANDS or called from other custom scripts you ...
15.2 Advanced Portmanager
Black Box's portmanager program manages the console server serial ports. It routes network connections to serial ports, checks ...
    user1 user2
    Port 2: user1
    Port 8: user2
The above output indicates that a user named "user1" is actively connected to ports 1 and 2, while "user2" is connected to ...
    echo "Welcome to port $PORT $USER"
    </etc/config/pmshell-start.sh>
The return value from the script controls whether the user is accepted or not: if 0 is returned (or nothing is done on exit ...
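The accept/reject return value of the pmshell start hook described above, as an added example script that is not from the manual. It assumes, from the one-line echo example, that portmanager exports the port number as $PORT and the login name as $USER, that exit status 0 accepts the user and a non-zero status rejects them; the per-port allow-list is constructed for the example.

```shell
#!/bin/sh
# Added example, not Black Box code: an /etc/config/pmshell-start.sh hook that
# logs every serial-port login attempt and accepts only users on a per-port
# allow-list. Assumptions taken from the manual's one-line example: portmanager
# exports the port number as $PORT and the login name as $USER, exit status 0
# accepts the user and a non-zero status rejects them.

# Constructed allow-list for this example: one "port:user user ..." per line.
ALLOWED=$(printf '%s\n' '1:user1 user2' '2:user1' '8:user2')

# pm_allowed PORT USER -> 0 when USER may attach to PORT, 1 otherwise
pm_allowed() {
    _port=$1; _user=$2
    # keep only the "port:" line for this port and strip the prefix
    _users=$(printf '%s\n' "$ALLOWED" | sed -n "s/^$_port://p")
    for _u in $_users; do
        [ "$_u" = "$_user" ] && return 0
    done
    return 1
}

# pm_decide PORT USER -> record the decision in syslog and return it
pm_decide() {
    if pm_allowed "$1" "$2"; then
        logger -t pmshell "port $1: accepted $2" 2>/dev/null || true
        echo "Welcome to port $1 $2"
        return 0
    fi
    logger -t pmshell "port $1: rejected $2 (not on allow-list)" 2>/dev/null || true
    return 1
}

# Act only when running as the installed hook; sourcing this file under any
# other name just defines the functions above.
case "$0" in
    */pmshell-start.sh|pmshell-start.sh)
        pm_decide "$PORT" "$USER"
        exit $?
        ;;
esac
```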
Modem initialization strings: To override the standard modem initialization string, either use the Management Console (refer Chapter 5) or the command ...
    iptables --append INPUT \
        --match state --state ESTABLISHED,RELATED --jump ACCEPT
    # Explicitly accept any connections from computers on
    # ...
15.5.2 Check firewall rules
Select System: Services and ensure the SNMP daemon box has been checked for the interface required. This will allow SNMP requests through the firewall for the specified interface.
15.5.3 Enable SNMP Service
The console server supports different versions of SNMP including SNMPv1, SNMPv2c and SNMPv3. SNMP, although an industry standard, brings with it a variety of security concerns.
The Engine ID is used to localize the SNMPv3 user. It will be automatically generated from a Network Interface (eth0) hardware address if left blank, or must be entered as a hex value, e.g. 0x01020304. Specify the Security Level: noauth - No authentication or encryption is required.
Set up serial ports and devices as per operational requirements such as UPS, RPC/PDU and EMD. Copy the MIBs from /etc/snmp/mibs on the Black Box product to a local directory using scp or WinSCP. For example:
    scp root@im4004:/etc/snmp/mibs/*
Using the snmpwalk and snmpget commands, the status information can be retrieved from any console server.
Authentication Password; Privacy Protocol (DES or AES); Privacy Password. A MIB browser may be used to explore the Black Box enterprise MIB structure. For example, the ogStatus tree is shown below:
15.5.4 Adding multiple remote SNMP managers
You can add multiple SNMP servers for alert traps: add the first and second SNMP servers using the Management Console (refer Chapter 7) or the command line config tool.
Log in to the console server's command line shell as root or an admin user. Refer back to the Management Console UI or user documentation for descriptions of each field. To set the SNMP Manager Address field:
    config --set="config.system.snmp.address3=w.x.y.z"
replacing w.x.y.z with the IP address or DNS name. To set the Manager Trap Port field:
    config --set="config.system.snmp.trapport3=162"
...
15.6 Secure Shell (SSH) Public Key Authentication
This section covers how to generate public and private keys in a Linux and Windows environment and configure SSH for public ...
Create a new directory to store your generated keys. You can also name the files after the device they will be used for. For ...
    root@192.168.0.1:/etc/config/users/fred/.ssh/authorized_keys
The authorized_keys file on the console server needs to be owned by "fred", so login to the Management Console as root ...
More documentation on OpenSSH can be found at:
http://openssh.org/portable.html
http://www.openbsd.org/cgi-bin/man.cgi?query=ssh&sektion=1
http://www.openbsd.org/cgi-bin/man.cgi?query=sshd
15.6.5 Generating public/private keys for SSH (Windows)
This ...
Execute the PUTTYGEN.EXE program. Select the desired key type, SSH2 DSA (you may use RSA or DSA), within the Parameters section. It ...
    #!/bin/sh
    ssh -L9001:127.0.0.1:4001 -N -o StrictHostKeyChecking=no testuser@<server-ip> &
This will run the tunnel redirecting local port 9001 to the server port 4001.
15.6.6 ...
As detailed in Chapter 4, the Server console server is set up in Console server mode with either RAW or RFC2217 enabled and ...
To generate the keys using OpenBSD's OpenSSH suite, we use the ssh-keygen program:
    $ ssh-keygen -t [rsa|dsa]
Generating ...
OpenSSL is based on the excellent SSLeay library developed by Eric A. Young and Tim J. Hudson. The OpenSSL toolkit is licensed under an Apache-style licence, which basically means that you are free to get and use it for commercial and non-commercial purposes subject to some simple license conditions. In the console server, OpenSSL is used primarily in ...
or using PSCP:
    pscp -scp ssl_key.pem root@<address of unit>:/etc/config/
    pscp -scp ssl_cert.pem root@<address of unit>:/etc/config/
PuTTY ...
-f, --flash      Turn beacon ON for targets (if implemented by RPC).
-u, --unflash    Turn ...
15.9.2 The pmpower tool
The pmpower utility is a high level tool for manipulating remote preconfigured power devices connected to the console server ...
-o <oemtype>    Select OEM type to support. This usually involves minor hacks in place in the code to work around quirks in various ...
Devices can be connected with serial port, infrared or USB. 15.14 Multicast By default, all Black Box console servers come with Multicasting enabled. Multicasting provides Black Box products with the ability to simultaneously transmit information from a single device to a select group of hosts.
Create an OPG backup of the templated golden master appliance. Restore this configuration to each target device via the CLI, web UI or using a USB thumb drive. Login via the CLI to complete configuration using setup-wizard. (Optional) On Lighthouse, use enrollment-wizard to automatically place appliances under management. This may be local/routable appliances, or remote appliances that have automatically Called Home using callhome-wizard.
1. Generate an X.509 certificate for the client. Place it and its private key file onto a USB flash drive (concatenated as a single file, client.pem). 2. Set up an HTTPS server that restricts access to the .opg or .xml file to HTTPS connections providing the client certificate.
    Substring    Replaced by                          Example
    ${model}     the full model name, in lowercase    acm5504-5-g-w-i
    ${class}     the firmware hardware class          ACM550x
    ${version}   the firmware version number          3.15.1
The resulting URL must end in .opg or .xml (an optional ?query-string is permitted). If it doesn't, then it is skipped and the next URL is tried.
Appendix A Linux Commands & Source Code
The console server platform is a dedicated Linux computer, optimized to provide monitoring and secure access to serial and network consoles of critical server systems and their supporting power and networking infrastructure. Black Box console servers are built on the 2.4 uCLinux kernel as developed by the uCLinux project. This is GPL code and ...
    gen-keys    SSH key generation program
    getopt *    Parses command options
    gettyd      Getty daemon
    grep *      Print lines matching a pattern
    gunzip
    ...
    ping6       IPv6 ping
    pkill       Sends a signal to process(es) selected by regex pattern
    pmchat      Black Box command similar to the standard chat command (via portmanager)
    pmdeny
    ...
    tar *       The tar archiving utility
    tc          Show traffic control settings
    tcpdump     Dump traffic on a network
    telnetd
    ...
Network UPS Tools (NUT) provides reliable monitoring of UPS and PDU hardware and ensures safe shutdowns of ...
    hash [-r] [-p pathname] [name ...]
    help [-s] [pattern ...]
    history [-c] [-d offset] [n] or hi...
    if COMMANDS; then COMMANDS; [ elif...
    jobs [-lnprs] [jobspec ...] or job...
    kill [-s ...
    until COMMANDS; do COMMANDS; done
    variables - Some variable names an...
    wait
    while COMMANDS; do COMMANDS; done
    { COMMANDS ; ...
Appendix B Hardware Specifications
    FEATURE       VALUE
    Dimensions    LES1408A/16A/32A/48A, LES1308A/16A/32A/48A, LES1208A-R2/16A-R2/32A/48A-R2: 17 x 12 x 1.75 in
    ...
Appendix C Safety & Certifications
Please take care to follow the safety precautions below when installing and operating the console server:
...
Serial Port Pinout Black Box console servers come with one to forty eight serial connectors (notated SERIAL or SERIAL PORTS) for the RS-232 serial ports:...
RJ-45 or DB25 M to RJ-45 adapters with standard UTP Cat 5 cable. To connect the LOCAL console ports to modems (for out of band access) use the adapter with standard UTP Cat 5 cable. Each Black Box console server is supplied with UTP Cat 5 cables. 724-746-5500 | blackbox.com...
RS-232 Standard Pinouts
The RS-232 pinout standards for the DB9 (and DB25) connectors are tabled below (columns: DB25, SIGNAL, DEFINITION; only the definitions survived extraction):
    Protective Ground
    Transmitted Data
    Received Data
    Request To Send
    Clear To Send
    Data Set Ready
    Signal Ground
    Received Line Signal Detector
    Reserved for data set testing
    Reserved for data set testing
    Unassigned
    ...
Connectors included in console server
The LES1508A, LES1516A, LES1532A, LES1548A have the Cisco pinout by default and ship with "cross-over"/"straight" RJ-45-DB9 connectors: DB9F-RJ45S straight connector, DB9F-RJ45S cross-over connector, Part # LES1516A-9FT. The LES1200/LES1300/LES1400 all have the Console server Classic pinout and ship with a "cross-over" and a "straight" RJ45-DB9 connector for connecting to other vendors' products: DB9F-RJ45S straight connector...
TCP/UDP Port Numbers Port numbers are divided into three ranges: Well Known Ports, Registered Ports and Dynamic and/or Private Ports. Well Known Ports are those from 0 through 1023. Registered Ports are those from 1024 through 49151. Dynamic and/or Private Ports are those from 49152 through 65535. Well Known Ports are assigned by IANA, and on most systems, can only be used by system processes or by programs executed by privileged users.
Serial Port Pinouts - LES1508A
Each serial RJ-45 port on these models can be software selected to be RS-232, RS-422 or RS-485.
• For RS-232 they have the Cisco pinout. (Pinout table: Signal / Direction / RS422 Signal / Description; the first row reads Input, Receive Data.)
• For RS-422 mode it's 4-wire full duplex: transmit on the TX+/TX- pair, receive on the RX+/RX- pair with Input...
Serial Port Pinouts - LES1101A-R2
The LES1101A-R2 has one DB9 serial port that can be selected to be an RS232, RS485 or RS422 port. By default the LES1101A-R2 is configured in RS232 mode (with a vertical jumper in place on the left hand SEL pins). To set the port in RS-422 or RS-485 mode you must remove the SEL jumper and then configure the Signaling Protocol using the Management Console.
RS-422 uses a full duplex transmit on TX+ (Transmit Data +) / TX- (Transmit Data -) pair, receive on RX+ (Receive Data +) / RX- (Receive Data –) pair. RS-485 uses half duplex over single pair. For RS-485 which is a 2-wire bus that drives D+ and D- from a native 4-wire interface you need to loop 3-6 and 2-7 on the DB-9.
Appendix E Terminology
TERM: MEANING
3G: Third-generation cellular technology. The standards that determine 3G call for greater bandwidth and higher speeds for cellular networks.
AES: The Advanced Encryption Standard (AES) is a new block cipher standard to replace DES, developed by NIST, the US National Institute of Standards and Technology.
DNS: Domain Name System, which allocates Internet domain names and translates them into IP addresses. A domain name is a meaningful and easy-to-remember name for an IP address.
DUN: Dial Up Networking.
Encryption: The technique for converting a readable message (plaintext) into apparently random material (ciphertext) which cannot be read if intercepted.
NFS: Network File System is a protocol that allows file sharing across a network. Users can view, store, and update files on a remote computer.
NTP: Network Time Protocol (NTP) is used to synchronize clock times in a network of computers.
OUT OF BAND: Out-of-Band (OOB) management is any management done over channels and interfaces that are separate from those used for user/customer data.
TCP/IP: Transmission Control Protocol/Internet Protocol. The basic protocol for Internet communication.
TCP/IP address: Fundamental Internet addressing method that uses the form nnn.nnn.nnn.nnn.
Telnet: Telnet is a terminal protocol that provides an easy-to-use method of creating terminal connections to a network.
UDP: User Datagram Protocol.
UTC: Coordinated Universal Time.
Software, you agree to be bound by the terms of this EULA. If you do not agree to the terms of this EULA, Black Box is not willing to license the Software to you. In such event, do not use or install the Software.
Black Box or its authorized retailer. Proof of date of purchase will be required. Any updates to the Software provided by Black Box (which may be provided by Black Box at its sole discretion) shall be governed by the terms of this EULA.
2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution. 3. The names of the authors may not be used to endorse or promote products derived from this software without specific prior written permission.
b) You must cause any work that you distribute or publish, that in whole or in part contains or is derived from the Program or any part thereof, to be licensed as a whole at no charge to all third parties under the terms of this License.
6. Each time you redistribute the Program (or any work based on the Program), the recipient automatically receives a license from the original licensor to copy, distribute or modify the Program subject to these terms and conditions. You may not impose any further restrictions on the recipients' exercise of the rights granted herein. You are not responsible for enforcing compliance by third parties to this License.
OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
About Black Box
Black Box Network Services is your source for an extensive range of networking and infrastructure products. You’ll find everything from cabinets and racks and power and surge protection products to media converters and Ethernet switches, all supported by free, live 24/7 Tech support available in 60 seconds or less.