Black Box LES1108A, LES1208A, LES1216A, LES1116A, LES1248A User Manual

...
LES1108A LES1208A
LES1148A LES1248A
Value-Line and Advanced Console Servers User’s Manual
Securely manage data center and network equipment from anywhere in the world.
November 2009
Customer Support Information
Order toll-free in the U.S.: Call 877-877-BBOX (outside U.S. call 724-746-5500)
FREE technical support 24 hours a day, 7 days a week: Call 724-746-5500 or fax 724-746-0746
Mailing address: Black Box Corporation, 1000 Park Drive, Lawrence, PA 15055-1018
Web site: www.blackbox.com • E-mail: info@blackbox.com
724-746-5500 | blackbox.com
Value-Line and Advanced Console Servers Manual
Trademarks Used in this Manual
Black Box and the Double Diamond logo are registered trademarks of BB Technologies, Inc.
Mac is a registered trademark of Apple Computers, Inc.
Linux is a registered trademark of Linus Torvalds.
Internet Explorer, Windows, Windows Me, Windows NT, and Windows Vista are registered trademarks of Microsoft Corporation.
Nagios is a registered trademark of Nagios Enterprises LLC.
Java and Solaris are trademarks of Sun Microsystems, Inc.
Unix is a registered trademark of X/Open Company Ltd.
Any other trademarks mentioned in this manual are acknowledged to be the property of the trademark owners.
We’re here to help! If you have any questions about your application or our products, contact Black Box Tech Support at 724-746-5500 or go to blackbox.com and click on “Talk to Black Box.” You’ll be live with one of our technical experts in less than 20 seconds.
Federal Communications Commission and Industry Canada Radio Frequency Interference Statements
This equipment generates, uses, and can radiate radio-frequency energy, and if not installed and used properly, that is, in strict accordance with the manufacturer’s instructions, may cause interference to radio communication. It has been tested and found to comply with the limits for a Class A computing device in accordance with the specifications in Subpart B of Part 15 of FCC rules, which are designed to provide reasonable protection against such interference when the equipment is operated in a commercial environment. Operation of this equipment in a residential area is likely to cause interference, in which case the user at his own expense will be required to take whatever measures may be necessary to correct the interference.
Changes or modifications not expressly approved by the party responsible for compliance could void the user’s authority to operate the equipment.
This digital apparatus does not exceed the Class A limits for radio noise emission from digital apparatus set out in the Radio Interference Regulation of Industry Canada.
This digital apparatus does not emit radio noise exceeding the Class A limits for digital apparatus set out in the Radio Interference Regulation published by Industry Canada.
Safety Instructions (Normas Oficiales Mexicanas Electrical Safety Statement)
1. All safety and operating instructions must be read before the electrical appliance is operated.
2. The safety and operating instructions must be kept for future reference.
3. All warnings on the electrical appliance and in its operating instructions must be observed.
4. All operating and usage instructions must be followed.
5. The electrical appliance must not be used near water, for example near a bathtub, washbasin, wet basement, or swimming pool.
6. The electrical appliance must be used only with carts or stands recommended by the manufacturer.
7. The electrical appliance must be mounted to a wall or ceiling only as recommended by the manufacturer.
8. Servicing: the user must not attempt to service the electrical equipment beyond what is described in the operating instructions. All other servicing must be referred to qualified service personnel.
9. The electrical appliance must be positioned so that its location does not interfere with its use. Placing the appliance on a bed, sofa, rug, or similar surface may block ventilation; it must not be placed in a bookcase or cabinet that impedes the flow of air through the ventilation openings.
10. The electrical equipment must be kept away from heat sources such as radiators, heat registers, stoves, or other appliances (including amplifiers) that produce heat.
11. The electrical appliance must be connected to a power source only of the type described in the operating instructions or as indicated on the appliance.
12. Care must be taken so that the physical ground and the polarization of the equipment are not defeated.
13. Power-supply cords must be routed so that they are not stepped on or pinched by objects placed on or against them, paying particular attention to plugs and receptacles where they exit the appliance.
14. The electrical equipment must be cleaned only as recommended by the manufacturer.
15. If present, an external antenna must be located away from power lines.
16. The power cord must be disconnected when the equipment is not used for a long period of time.
17. Care must be taken so that objects or liquids are not spilled onto the cover or into the ventilation openings.
18. Servicing by qualified personnel must be provided when:
A: The power cord or plug has been damaged; or B: Objects have fallen or liquid has been spilled into the appliance; or C: The appliance has been exposed to rain; or D: The appliance does not appear to operate normally or shows a marked change in performance; or E: The appliance has been dropped or its enclosure has been damaged.
INDEX
INTRODUCTION 11
INSTALLATION 15
2.1 Models 15
2.1.1 Kit components LES1208A, LES1216A and LES1248A Advanced Console Servers 16
2.1.2 Kit components LES1116A and LES1148A Console Servers 16
2.1.3 Kit components LES1108A Console Server 17
2.2 Power connection 17
2.2.1 LES1208A, LES1216A and LES1248A power 17
2.2.2 LES1116A and LES1148A power 17
2.2.3 LES1108A power 18
2.3 Network connection 18
2.4 Serial Port connection 18
2.5 USB Port Connection 19
SYSTEM CONFIGURATION 20
3.1 Management console connection 20
3.1.1 Connected PC/workstation set up 20
3.1.2 Browser connection 21
3.2 Administrator Password 22
3.3 Network IP address 23
3.3.1 IPv6 configuration 25
3.4 System Services 25
3.5 Communications Software 27
3.5.1 SDT Connector 27
3.5.2 PuTTY 28
3.5.3 SSHTerm 28
3.6 Management network configuration (LES1208A, LES1216A and LES1248A only) 29
3.6.1 Enable the Management LAN 29
3.6.2 Configure the DHCP server 30
3.6.3 Select Failover or broadband OOB 32
3.6.4 Bridging the network ports 33
SERIAL PORT AND NETWORK HOST 35
4.1 Configure Serial Ports 35
4.1.1 Common Settings 36
4.1.2 Console Server Mode 37
4.1.3 SDT Mode 42
4.1.4 Device (RPC, UPS, EMD) Mode 43
4.1.5 Terminal Server Mode 43
4.1.6 Serial Bridging Mode 43
4.1.8 Syslog 44
4.2 Add/ Edit Users 45
4.3 Authentication 47
4.4 Network Hosts 47
4.5 Trusted Networks 48
4.6 Serial Port Cascading 50
4.6.1 Automatically generate and upload SSH keys 50
4.6.2 Manually generate and upload SSH keys 51
4.6.3 Configure the slaves and their serial ports 53
4.6.4 Managing the Slaves 54
4.7 Serial Port Redirection 54
4.8 Managed Devices 55
FAILOVER AND OoB DIAL-IN 58
5.1 OoB Dial-In Access 58
5.1.1 Configure Dial-In PPP 59
5.1.2 Using SDT Connector client 61
5.1.3 Set up Windows XP/ 2003/Vista/7 client 61
5.1.4 Set up earlier Windows clients 62
5.1.5 Set up Linux clients for dial-in 62
5.2 OoB broadband access 62
5.3 Broadband Ethernet Failover 62
5.4 Dial-Out Failover 63
SECURE SSH TUNNELING AND SDT CONNECTOR 65
6.1 Configuring for SSH Tunneling to Hosts 66
6.2 SDT Connector Client Configuration 66
6.2.1 SDT Connector installation 67
6.2.2 Configuring a new console server gateway in the SDT Connector client 68
6.2.3 Auto-configure SDT Connector client with the user’s access privileges 69
6.2.4 Make an SDT connection through the gateway to a host 70
6.2.5 Manually adding hosts to the SDT Connector gateway 71
6.2.6 Manually adding new services to the new hosts 72
6.2.7 Adding a client program to be started for the new service 74
6.2.8 Dial in configuration 76
6.3 SDT Connector to Management Console 76
6.4 SDT Connector - telnet or SSH connect to serially attached devices 77
6.5 Using SDT Connector for out-of-band connection to the gateway 79
6.6 Importing (and exporting) preferences 80
6.7 SDT Connector Public Key Authentication 81
6.8 Setting up SDT for Remote Desktop access 81
6.8.1 Enable Remote Desktop on the target Windows computer to be accessed 82
6.8.2 Configure the Remote Desktop Connection client 83
6.9 SDT SSH Tunnel for VNC 87
6.9.1 Install and configure the VNC Server on the computer to be accessed 87
6.9.2 Install, configure and connect the VNC Viewer 88
6.10 Using SDT to IP connect to hosts that are serially attached to the gateway 90
6.10.1 Establish a PPP connection between the host COM port and console server 90
6.10.2 Set up SDT Serial Ports on console server 93
6.10.3 Set up SDT Connector to SSH port forward over the console server Serial Port 94
6.11 SSH Tunneling using other SSH clients (e.g. PuTTY) 94
ALERTS AND LOGGING 98
7.1 Configure SMTP/SMS/SNMP/Nagios alert service 98
7.1.1 Email alerts 98
7.1.2 SMS alerts 99
7.1.3 SNMP alerts 100
7.1.4 Nagios alerts 101
7.2 Activate Alert Events and Notifications 101
7.2.1 Add a new alert 102
7.2.2 Configuring general alert types 103
7.2.3 Configuring environment and power alert type 104
7.2.4 Configuring alarm sensor alert type 105
7.3 Remote Log Storage 105
7.4 Serial Port Logging 106
7.5 Network TCP or UDP Port Logging 106
POWER & ENVIRONMENTAL MANAGEMENT 108
8.1 Remote Power Control (RPC) 108
8.1.1 RPC connection 108
8.1.2 RPC access privileges and alerts 111
8.1.3 User power management 111
8.1.4 RPC status 112
8.2 Uninterruptible Power Supply Control (UPS) 112
8.2.1 Managed UPS connections 113
8.2.2 Remote UPS management 116
8.2.3 Controlling UPS powered computers 117
8.2.4 UPS alerts 118
8.2.5 UPS status 118
8.2.6 Overview of Network UPS Tools (NUT) 119
8.3 Environmental Monitoring 121
8.3.1 Connecting the EMD 122
8.3.2 Environmental alerts 123
8.3.3 Environmental status 123
AUTHENTICATION 125
9.1 Authentication Configuration 125
9.1.1 Local authentication 126
9.1.2 TACACS authentication 126
9.1.3 RADIUS authentication 127
9.1.4 LDAP authentication 128
9.1.5 RADIUS/TACACS user configuration 128
9.2 PAM (Pluggable Authentication Modules) 129
9.3 SSL Certificate 131
NAGIOS INTEGRATION 134
10.1 Nagios Overview 134
10.2 Central management and setting up SDT for Nagios 135
10.2.1 Set up central Nagios server 136
10.2.2 Set up distributed console servers 136
10.3 Configuring Nagios distributed monitoring 139
10.3.1 Enable Nagios on the console server 139
10.3.2 Enable NRPE monitoring 140
10.3.3 Enable NSCA monitoring 140
10.3.4 Configure selected Serial Ports for Nagios monitoring 141
10.3.5 Configure selected Network Hosts for Nagios monitoring 141
10.3.6 Configure the upstream Nagios monitoring host 142
10.4 Advanced Distributed Monitoring Configuration 142
10.4.1 Sample Nagios configuration 142
10.4.2 Basic Nagios plug-ins 145
10.4.3 Additional plug-ins 146
10.4.4 Number of supported devices 146
10.4.5 Distributed Monitoring Usage Scenarios 147
SYSTEM MANAGEMENT 150
11.1 System Administration and Reset 150
11.2 Upgrade Firmware 151
11.3 Configure Date and Time 152
11.4 Configuration Backup 153
STATUS REPORTS 156
12.1 Port Access and Active Users 156
12.2 Statistics 157
12.3 Support Reports 157
12.4 Syslog 158
12.5 Dashboard 158
12.5.1 Configuring the Dashboard 159
12.5.2 Creating custom widgets for the Dashboard 161
MANAGEMENT 162
13.1 Device Management 162
13.2 Port and Host Logs 163
13.3 Serial Port Terminal Connection 163
13.4 Power Management 164
CONFIGURATION FROM THE COMMAND LINE 165
14.1 Accessing config from the command line 165
14.2 Serial Port configuration 168
14.3 Adding and removing Users 171
14.4 Adding and removing user Groups 172
14.5 Authentication 173
14.6 Network Hosts 174
14.7 Trusted Networks 175
14.8 Cascaded Ports 176
14.9 UPS Connections 176
14.10 RPC Connections 177
14.11 Environmental 178
14.12 Managed Devices 179
14.13 Port Log 179
14.14 Alerts 180
14.15 SMTP & SMS 182
14.16 SNMP 183
14.17 Administration 183
14.18 IP settings 184
14.19 Date & Time settings 184
14.20 Dial-in settings 185
14.21 DHCP server 186
14.22 Services 186
14.23 NAGIOS 187
ADVANCED CONFIGURATION 189
15.1 Custom Scripting 189
15.1.1 Custom script to run when booting 189
15.1.2 Running custom scripts when alerts are triggered 190
15.1.3 Example script - Power cycling on pattern match 191
15.1.4 Example script - Multiple email notifications on each alert 191
15.1.5 Deleting configuration values from the CLI 191
15.1.6 Power cycle any device upon a ping request failure 194
15.1.7 Running custom scripts when a configurator is invoked 196
15.1.8 Backing-up the configuration and restoring using a local USB stick 196
15.1.9 Backing-up the configuration off-box 197
15.2 Advanced Portmanager 198
15.2.1 Portmanager commands 198
15.2.2 External Scripts and Alerts 199
15.3 Raw Access to Serial Ports 200
15.3.1 Access to serial ports 200
15.3.2 Accessing the console/modem port 201
15.4 IP- Filtering 201
15.5 Modifying SNMP Configuration 202
15.5.1 /etc/config/snmpd.conf 202
15.5.2 Adding more than one SNMP server 203
15.6 Secure Shell (SSH) Public Key Authentication 204
15.6.1 SSH Overview 204
15.6.2 Generating Public Keys (Linux) 205
15.6.3 Installing the SSH Public/Private Keys (Clustering) 205
15.6.4 Installing SSH Public Key Authentication (Linux) 206
15.6.5 Generating public/private keys for SSH (Windows) 207
15.6.6 Fingerprinting 209
15.6.7 SSH tunneled serial bridging 210
15.6.8 SDT Connector Public Key Authentication 212
15.7 Secure Sockets Layer (SSL) Support 213
15.8 HTTPS 213
15.8.1 Generating an encryption key 213
15.8.2 Generating a self-signed certificate with OpenSSL 213
15.8.3 Installing the key and certificate 214
15.8.4 Launching the HTTPS Server 214
15.9 Power Strip Control 215
15.9.1 The PowerMan tool 215
15.9.2 The pmpower tool 216
15.9.3 Adding new RPC devices 217
15.10 IPMItool 218
15.11 Custom Development Kit (CDK) 221
15.12 Scripts for Managing Slaves 222
APPENDIX
A. CLI Commands and Source Code
B. Hardware Specification
C. Safety and Certifications
D. Connectivity and Serial I/O
E. Terminology
F. End User License Agreement
G. Service and Warranty
Chapter 1 Introduction
This Manual
This User’s Manual walks you through installing and configuring your Black Box Console Server (LES1108A, LES1116A, LES1148A) or Advanced Console Server (LES1208A, LES1216A, LES1248A). Each of these products is referred to generically in this manual as a console server.
Once configured, you will be able to use your console server to securely monitor access and control the computers, networking devices, telecommunications equipment, power-supplies, and operating environments in your data room or communications centers. This manual guides you in managing this infrastructure locally (across your operations or management LAN or through the local serial console port), and remotely (across the Internet, private network, or via dial up).
Manual Organization
This manual contains the following chapters:
1. Introduction An overview of the features of console server and information on this manual.
2. Installation Physical installation of the console server and how to interconnect controlled devices.
3. System Configuration Describes the initial installation and configuration using the Management Console. Covers configuration of the console server on the network and the services that will be supported.
4. Serial & Network Covers configuring serial ports and connected network hosts, and setting up Users and Groups.
5. Failover and OoB dial-in Describes setting up the high availability access features of the console server.
6. Secure Tunneling (SDT) Covers secure remote access using SSH and configuring for RDP, VNC, HTTP, HTTPS, etc. access to network and serially connected devices.
7. Alerts and Logging Explains how to set up local and remote event/data logs and how to trigger SNMP and email alerts.
8. Power & Environment Describes how to manage USB, serial, and network attached power strips and UPS supplies including Network UPS Tool (NUT) operation, IPMI power control, and EMD environmental sensor configuration.
9. Authentication Access to the console server requires usernames and passwords that are locally or externally authenticated.
10. Nagios Integration Describes how to set Nagios central management with SDT extensions and configure the console server as a distributed Nagios server.
11. System Management Covers access to and configuration of services that will run on the console server.
12. Status Reports View a dashboard summary and detailed status and logs of serial and network connected devices (ports, hosts, power, and environment).
13. Management Includes port controls that Users can access.
14. Basic Configuration Command line installation and configuration using the config command.
15. Advanced Config More advanced command line configuration activities where you will need to use Linux commands.
The latest update of this manual can be found online at www.Black Box.com/download.html
Types of users
The console server supports two classes of users:
I. First, there are the administrative users who are authorized to configure and control the console server, and to access and control all the connected devices. These administrative users are set up as members of the admin user group, and any user in this class is referred to generically in this manual as the Administrator. An Administrator can access and control the console server using the config utility, the Linux command line, or the browser-based Management Console. By default, the Administrator has access to all services and ports to control all the serial connected devices and network connected devices (hosts).
II. The second class of users is those who have been set up by the Administrator with specific limits on their access and control authority. These users are set up as members of the users user group (or some other user group the Administrator may have added). They are only authorized to perform specified controls on specific connected devices and are referred to as Users. These Users (when authorized) can access serial or network connected devices, and control these devices using the specified services (for example, Telnet, HTTPS, RDP, IPMI, Serial over LAN, Power Control). An authorized User also has a limited view of the Management Console and can only access authorized configured devices and review port logs.
In this manual, when the term user (lower case) is used, it refers to both of the above classes of users. This document also uses the term remote users to describe users who are not on the same LAN segment as the console server. These remote users may be Users who are on the road connecting to managed devices over the public Internet, an Administrator in another office connecting to the console server itself over the enterprise VPN, or a remote user in the same room or the same office but connected on a separate VLAN from the console server.
Management Console
The Management Console provides a view of the console server and all the connected devices. Administrators can use any browser to log into the Management Console either locally or from a remote location. They can then use the Management Console to manage the console server, the users, the serial ports and serially connected devices, network connected hosts, and connected power devices; and to view associated logs and configure alerts.
Text presented like this highlights important information. Make sure you read and follow these warnings.
A User can also use the Management Console, but has limited menu access: to control selected devices, review their logs, access them using the built-in Java terminal, or control power to them.
The console server runs an embedded Linux operating system, and experienced Linux® and UNIX® users may prefer to configure it at the command line. To get command line access, connect through a terminal emulator or communications program to the console serial port; connect via ssh or telnet through the LAN; or connect through an SSH tunnel to the console server.
Manual Conventions
This manual uses different fonts and typefaces to show specific actions:
Note Text presented like this indicates issues to note.
Text presented with an arrow head indent indicates an action you should take as part of the procedure.
Bold text indicates text that you type, or the name of a screen object (for example, a menu or button) on the Management Console.
Italic text indicates a text command you enter at the command line level.
Publishing history
Date            Revision  Update details
September 2009  0.9       Prerelease
Copyright
©Black Box Corporation 2009. All Rights Reserved.
Information in this document is subject to change without notice and does not represent a commitment on the part of Black Box. Black Box provides this document “as is,” without warranty of any kind, either expressed or implied, including, but not limited to, the implied warranties of fitness or merchantability for a particular purpose.
Black Box may make improvements and/or changes in this manual or in the product(s) and/or the program(s) described in this manual at any time. This manual could include technical inaccuracies or typographical errors. Changes are periodically made to the information herein; these changes may be incorporated in new editions of the publication.
Notice to Users
Use proper back-up systems and necessary safety devices to protect against injury, death, or property damage caused by system failure. This protection is the user’s responsibility.
This device is not approved for use as a life-support or medical system.
Any changes or modifications made to this device without the explicit approval or consent of Black Box will void Black Box of any liability or responsibility of injury or loss caused by any malfunction.
This equipment is for indoor use and all the communication wirings are limited to the inside of the building.
To avoid physical and electrical hazards please read Appendix C on Safety.
Model     Serial  USB    Network  Console  Modem     RJ      Power      Memory
          Ports   Ports  Ports    Port               Pinout             (flash/RAM)
LES1248A  48      1      2        1        Internal  01      Dual DC    16/64MB
LES1216A  16      1      2        1        Internal  01      Dual AC    16/64MB
LES1208A  8       1      2        1        Internal  01      Dual AC    16/64MB
LES1148A  48      -      1        1        -         00      Single AC  16/64MB
LES1116A  16      -      1        1        -         00      Single AC  16/64MB
LES1108A  8       -      1        1        -         00      Ext AC/DC  8/16MB
Chapter 2 Installation
Introduction
This chapter describes how to install the console server hardware and connect it to controlled devices.
2.1 Models
There are multiple console server models, each with a different number of network and serial ports or power supply configurations:
The next sections show the components shipped with each of these models.
Unpack your kit and verify you have all the parts shown above, and that they all appear in good working order.
If you are installing the console server in a rack, you will need to attach the rack mounting brackets supplied with the unit, then install the unit in the rack. Make sure you follow the Safety Precautions listed in Appendix C.
Connect your console server to the network, to the serial ports of the controlled devices, and to power as outlined next.
2.1.1 Kit components LES1208A, LES1216A and LES1248A Advanced Console Servers
LES1208A, LES1216A, or LES1248A Advanced Console Server
(2) UTP CAT5 blue cables
DB9F-RJ45S straight and DB9F-RJ45S cross-over connectors
Dual IEC AC power cords
Printed Quick Start Guide and User’s Manual on CD-ROM
2.1.2 Kit components LES1116A and LES1148A Console Servers
LES1116A or LES1148A Console Server
(2) UTP CAT5 blue cables
DB9F-RJ45S straight and DB9F-RJ45S cross-over connectors
IEC AC power cord
Printed Quick Start Guide and User’s Manual on CD-ROM
2.1.3 Kit components LES1108A Console Server
LES1108A Console Server
(2) UTP CAT5 blue cables
DB9F-RJ45S straight and DB9F-RJ45S cross-over connectors
5-VDC, 2.0A, Power Supply with IEC Socket and AC power cable
Printed Quick Start Guide and this User’s Manual on CD-ROM
To avoid electrical shock, connect the power cord grounding conductor to ground!
2.2 Power connection
2.2.1 LES1208A, LES1216A and LES1248A power
The LES1208A, LES1216A and LES1248A console servers all have dual universal AC power supplies with auto failover built in. These power supplies each accept AC input voltage between 100 and 240 VAC with a frequency of 50 or 60 Hz. The total power consumption per console server is less than 30W. Two IEC AC power sockets are located at the rear of the metal case, and these IEC power inlets use conventional IEC AC power cords. Power cords for various regions are available, although the North American power cord is provided by default. There is a warning notice printed on the back of each unit.
2.2.2 LES1116A and LES1148A power
The LES1116A and LES1148A models have a built-in universal auto-switching AC power supply. This power supply accepts AC input voltage between 100 and 240 VAC with a frequency of 50 or 60 Hz. The power consumption is less than 20W.
To avoid electrical shock, connect the power cord grounding conductor to ground.
Black Box Classic RJ-45 pinout (LES1108A, LES1116A, LES1148A)
PIN  SIGNAL  DEFINITION           DIRECTION
1    RTS     Request To Send      Output
2    DSR     Data Set Ready       Input
3    DCD     Data Carrier Detect  Input
4    RXD     Receive Data         Input
5    TXD     Transmit Data        Output
6    GND     Signal Ground        NA
7    DTR     Data Terminal Ready  Output
8    CTS     Clear To Send        Input
Both LES1116A and LES1148A models have an IEC AC power socket located in the rear of the metal case. This IEC power inlet uses a conventional IEC AC power cord, and the power cords for various regions are available. Call Black Box Technical Support for details at 724-746-5500. (The North American power cord is provided by default.) There is a warning notice printed on the back of each unit.
2.2.3 LES1108A power
The LES1108A includes an external DC power supply unit. This unit accepts an AC input voltage between 100 and 250 VAC with a frequency of 50Hz or 60Hz. The DC power supply has an IEC AC power socket, which accepts a conventional IEC AC power cord. The power cord for North America is included in the kit. The 5-VDC connector from the power supply plugs into the 5VDC power socket on the rear of the LES1108A.
2.3 Network connection
The RJ-45 LAN ports are located on the rear panel of the LES1108A and on the front panel of the rackmount console servers. Use industry standard Cat5 cabling and connectors. Make sure that you only connect the LAN port to an Ethernet network that supports 10BASE-T/100BASE-T. To initially configure the console server, you must connect a PC or workstation to the console server’s principal network port (labeled NETWORK1 or LAN).
2.4 Serial Port connection
The RJ-45 serial ports are located on the LES1108A’s rear panel and on the rackmount console servers’ front panel.
The LES1108A, LES1116A and LES1148A Console Servers have the Black Box Classic RJ-45 pinout shown below:
Cyclades RJ-45 pinout (LES1208A, LES1216A, LES1248A)
PIN  SIGNAL  DEFINITION           DIRECTION
1    RTS     Request To Send      Output
2    DTR     Data Terminal Ready  Output
3    TXD     Transmit Data        Output
4    GND     Signal Ground        NA
5    CTS     Clear To Send        Input
6    RXD     Receive Data         Input
7    DCD     Data Carrier Detect  Input
8    DSR     Data Set Ready       Input
The LES1208A, LES1216A, and LES1248A Advanced Console Servers have the Cyclades RJ-45 pinout shown above.
The console servers also have a DB9 LOCAL (Console/Modem) port that is on the LES1108A’s rear panel and on the rackmount units’ front panels.
Conventional CAT5 cabling with RJ-45 jacks is used for serial connections. Before connecting an external device’s console port to the console server serial port, confirm that the device supports the standard RS-232C (EIA-232).
Black Box supplies a range of cables and adapters that may be required to connect to the more popular servers and network appliances. Call Technical Support at 724-746-5500 for details.
2.5 USB Port Connection
The LES1208A, LES1216A and LES1248A console servers each also have one USB port. These console servers ship with a USB memory stick. Install the memory stick in the USB port to store log files.
Chapter 3 Initial System Configuration
Introduction
This chapter provides step-by-step instructions for the console server’s initial configuration, and for connecting it to the Management or Operational LAN. The Administrator must:
Activate the Management Console.
Change the Administrator password.
Set the IP address of the console server’s principal LAN port.
Select the network services that will be supported.
This chapter also discusses the communications software tools that the Administrator may use to access the console server.
3.1 Management console connection
Your console server is configured with a default IP address of 192.168.0.1 and subnet mask 255.255.255.0.
Directly connect a PC or workstation to the console server.
Note For initial configuration we recommend that you connect the console server directly to a single PC or workstation. However, if you choose to connect your LAN before completing the initial setup steps, it is important that:
you make sure that there are no other devices on the LAN with an address of 192.168.0.1
the console server and the PC/workstation are on the same LAN segment, with no interposed router appliances.
3.1.1 Connected PC/workstation set up
To configure the console server with a browser, the connected PC/workstation should have an IP address in the same range as the console server (e.g. 192.168.0.100):
To configure the IP address of your Linux or Unix PC/workstation, simply run ifconfig.
For Windows PCs (Win9x/Me/2000/XP/Vista/NT):
Click Start -> (Settings ->) Control Panel and double click Network Connections (for 95/98/Me, double click Network).
Right click on Local Area Connection and select Properties.
Select Internet Protocol (TCP/IP) and click Properties.
Select Use the following IP address and enter the following details:
o IP address: 192.168.0.100
_____________________________________________________________________
724-746-5500 | blackbox.com Page 20
o Subnet mask: 255.255.255.0
If you want to retain your existing IP settings for this network connection, click Advanced
and Add the above as a secondary IP connection.
If it is not convenient to change your PC/workstation network address, you can use the ARP-Ping command to reset the console server IP address. To do this from a Windows PC:
Click Start -> Run (or select All Programs then Accessories then Run). Type cmd and click OK to bring up the command line.
Type arp -d to flush the ARP cache.
Type arp -a to view the current ARP cache (this should be empty).
Now add a static entry to the ARP table and ping the console server to assign the IP address to the console server. In the example below, a console server has a MAC Address 00:13:C6:00:02:0F (designated on the label on the bottom of the unit) and we are setting its IP address to 192.168.100.23. Also, the PC/workstation issuing the arp command must be on the same network segment as the console server (that is, have an IP address of 192.168.100.xxx).
Type arp -s 192.168.100.23 00-13-C6-00-02-0F (Note for UNIX the syntax is: arp -s 192.168.100.23 00:13:C6:00:02:0F).
Type ping -t 192.168.100.23 to start a continuous ping to the new IP Address.
Turn on the console server and wait for it to configure itself with the new IP address. It will start replying to the ping at this point.
Type arp -d to flush the ARP cache again.
3.1.2 Browser connection
Activate your preferred browser on the connected PC/workstation and enter https://192.168.0.1. The Management Console supports all current versions of the popular browsers (Internet Explorer, Mozilla Firefox, Chrome, and more).
You will be prompted to log in. Enter the default
administration username and administration password:
Username: root
Password: default
Note Console servers are factory configured with HTTPS access enabled and HTTP access disabled.
A Welcome screen, which lists four initial installation configuration steps, will be displayed:
1. Change the default administration password on the System/Administration page (Chapter 3).
2. Configure the local network settings on the System/IP page (Chapter 3).
3. Configure port settings and enable … the Serial & Network/Serial Port page (Chapter 4).
4. Configure users with access to serial ports on the Serial & Network/Users page (Chapter 3).
After completing each of the above steps, you can return to the configuration list by clicking in the top left corner of the screen on the Black Box logo.
Note If you are not able to connect to the Management Console at 192.168.0.1 or if the default
Username/Password were not accepted, then reset your console server (refer to Chapter 11).
3.2 Administrator Password
For security reasons, only the administrator user named root can initially log into your console server. Only people who know the root password can access and reconfigure the console server itself. However, anyone who correctly guesses the root password could gain access (and the default root password is default). To avoid this, enter and confirm a new root password before giving the console server any access to, or control of, your computers and network appliances.
Note: We recommend that you set up a new Administrator user as soon as convenient and log in as this
new user for all ongoing administration functions (rather than root). This Administrator can be configured in the admin group with full access privileges through the Serial & Network: Users & Groups menu as detailed in Chapter 4.
Select System: Administration. Enter a new System Password then re-enter it in Confirm System Password. This is the new
password for root, the main administrative user account, so choose a complex password, and keep it safe.
At this stage, you may also wish to enter a System Name and System Description for the
console server to give it a unique ID and make it simple to identify.
Note The System Name can contain from 1 to 64 alphanumeric characters (however, you can also use the special characters “-”, “_”, and “.”). There are no restrictions on the characters that can be used in the System Description or the System Password (each can contain up to 254 characters). However, only the first eight System Password characters are used to make the password hash, so characters beyond the eighth do not add to the password’s strength.
Click Apply. Since you have changed the password you will be prompted to log in again. This
time, use the new password.
Note If you are not confident that your console server has the current firmware release, you can upgrade. Refer to Upgrade Firmware in Chapter 10.
3.3 Network IP address
The next step is to enter an IP address for the principal Ethernet (LAN/Network/Network1) port on the console server; or enable its DHCP client so that it automatically obtains an IP address from a DHCP
server on the network it will connect to.
On the System: IP menu, select the Network Interface page then check dhcp or static for the
Configuration Method.
If you selected Static, you must manually enter the new IP Address, Subnet Mask, Gateway,
and DNS server details. This selection automatically disables the DHCP client.
If you selected DHCP, the console server will look for configuration details from a DHCP server
on your management LAN. This selection automatically disables any static address. The console server MAC address is printed on a label on the base plate.
Note In its factory default state (with no Configuration Method selected) the console server has its
DHCP client enabled, so it automatically accepts any network IP address assigned by a DHCP server on your network. In this initial state, the console server will then respond to both its Static address (192.168.0.1) and its newly assigned DHCP address.
By default the console server LAN port auto-detects the Ethernet connection speed. You can use
the Media menu to lock the Ethernet to 10 Mbps or 100 Mbps, and to Full Duplex (FD) or Half Duplex (HD).
Note If you changed the console server IP address, you may need to reconfigure your PC/workstation
so it has an IP address that is in the same network range as this new address.
Click Apply. Enter http://<new IP address> to reconnect the browser on the PC/workstation that is connected to the console server.
3.3.1 IPv6 configuration
You can also configure the console server Network and Management LAN Interfaces for IPv6 operation:
On the System: IP menu select General Settings page and check Enable IPv6. Then, configure the IPv6 parameters on each Interface page.
3.4 System Services
The Administrator can access and configure the console server and connect to the managed devices using a range of access protocols (services). The factory default enables HTTPS and SSH access to the console server and disables HTTP and Telnet.
A User or Administrator can also use nominated enabled services to connect through the console server to attached serial and network connected managed devices.
The Administrator can simply disable any of the services, or enable others:
Select the System: Services option, then select/deselect for the service to be enabled/disabled.
The following access protocol options are available:
HTTPS This ensures secure browser access to all the Management Console menus. It also allows appropriately configured Users secure browser access to selected Management Console Manage menus. If you enable HTTPS, the Administrator will be able to use a secure browser connection to the console server’s Management Console. For information on certificate and user client software configuration, refer to Chapter 9, Authentication. By default, HTTPS is enabled, and we recommend that you only use HTTPS access if the console server will be managed over any public network (for example, the Internet).
HTTP By default HTTP is disabled. We recommend that the HTTP service remain disabled if
the console server will be remotely accessed over the Internet.
Telnet This gives the Administrator Telnet access to the system command line shell (Linux
commands). This may be suitable for a local direct connection over a management LAN. By default, Telnet is disabled. We recommend that this service remain disabled if you will remotely administer the console server.
SSH This service provides secure SSH access to the Linux command line shell. We recommend that you choose SSH as the protocol where the Administrator connects to the console server over the Internet or any other public network. This will provide authenticated communications between the SSH client program on the remote PC/workstation and the SSH server in the console server. By default SSH is enabled. For more information on SSH configuration, refer to Chapter 9, Authentication.
You can configure related service options at this stage:
SNMP This will enable netsnmp in the console server, which will keep a remote log of all posted information. SNMP is disabled by default. This SNMP service is only available in rackmount models. To modify the default SNMP settings, the Administrator must make the edits at the command line as described in Chapter 15, Advanced Configuration.
TFTP This service will set up the default tftp server on the USB flash card (and is relevant
to LES1208A, LES1216A and LES1248A console servers only). This server can be used to store config files, and maintain access and transaction logs, etc.
Ping This allows the console server to respond to incoming ICMP echo requests. Ping is
enabled by default. For security reasons, you should disable this service after initial configuration.
And there are some serial port access parameters that you can configure on this menu:
Base The console server uses specific default ranges for the TCP/IP ports for the various access services that Users and Administrators can use to access devices attached to serial ports (as covered in Chapter 4, Configuring Serial Ports). The Administrator can also set alternate ranges for these services, and these secondary ports will then be used in addition to the defaults.
The default TCP/IP base port address for telnet access is 2000, and the range for telnet is IP Address:Port (2000 + serial port #), i.e. 2001–2048. If the Administrator sets 8000 as a secondary base for telnet, then serial port #2 on the console server can be accessed via telnet at IP Address:2002 and at IP Address:8002.
The default base for SSH is 3000; for Raw TCP it is 4000; and for RFC2217 it is 5000.
Click Apply. As you apply your services selections, the screen will be updated with a
confirmation message:
Message Changes to configuration succeeded.
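To make the base-port scheme above concrete, the following is an added example (not code from this manual or from Black Box) that computes the TCP port(s) at which a given service reaches a given serial port, performs the inverse lookup, and lists which of a console server’s listening ports carry a serial console over a service other than SSH. The service names, the 48-port ceiling (the largest model, LES1248A), the sample secondary base of 8000 for telnet, and the listening-port list are assumptions or constructed values.

```python
"""Serial-port access TCP ports on the console server (added example, not
the manufacturer's code).  Per the manual, each access service has a base
TCP port and serial port N is reached at base + N (Telnet 2000, SSH 3000,
RAW TCP 4000, RFC2217 5000, Unauthenticated Telnet 6000); an Administrator
may add a secondary base per service that is used in addition to the
default (the manual's example is 8000 for Telnet).  The helper functions
and the 48-port ceiling (largest model, LES1248A) are assumptions."""
from typing import Dict, List, Optional, Tuple

DEFAULT_BASES: Dict[str, int] = {
    "telnet": 2000,
    "ssh": 3000,
    "rawtcp": 4000,
    "rfc2217": 5000,
    "unauth_telnet": 6000,
}
ENCRYPTED_SERVICES = {"ssh"}   # every other service carries the console in cleartext
MAX_SERIAL_PORTS = 48


def service_ports(service: str, serial_port: int,
                  secondary_bases: Optional[Dict[str, int]] = None) -> List[int]:
    """Every TCP port on which `serial_port` is reachable through `service`."""
    if service not in DEFAULT_BASES:
        raise ValueError(f"unknown service {service!r}")
    if not 1 <= serial_port <= MAX_SERIAL_PORTS:
        raise ValueError(f"serial port {serial_port} out of range 1..{MAX_SERIAL_PORTS}")
    bases = [DEFAULT_BASES[service]]
    if secondary_bases and service in secondary_bases:
        bases.append(secondary_bases[service])
    return [base + serial_port for base in bases]


def identify_tcp_port(tcp_port: int,
                      secondary_bases: Optional[Dict[str, int]] = None
                      ) -> Optional[Tuple[str, int]]:
    """Inverse lookup: the (service, serial port) a TCP port maps to, or None.

    Default bases are tried first; if a secondary base overlaps a default
    range (the manual does not say whether the console server allows that)
    the default interpretation wins here.
    """
    candidates = list(DEFAULT_BASES.items())
    if secondary_bases:
        candidates += list(secondary_bases.items())
    for service, base in candidates:
        offset = tcp_port - base
        if 1 <= offset <= MAX_SERIAL_PORTS:
            return service, offset
    return None


def cleartext_console_ports(listening: List[int],
                            secondary_bases: Optional[Dict[str, int]] = None
                            ) -> Dict[int, Tuple[str, int]]:
    """From the console server's own listening-port inventory, return the ports
    that expose a serial console over a non-SSH service, keyed by TCP port."""
    exposed: Dict[int, Tuple[str, int]] = {}
    for tcp_port in listening:
        hit = identify_tcp_port(tcp_port, secondary_bases)
        if hit and hit[0] not in ENCRYPTED_SERVICES:
            exposed[tcp_port] = hit
    return exposed


if __name__ == "__main__":
    # Constructed sample: telnet secondary base 8000, as in the manual's example.
    secondary = {"telnet": 8000}
    print(service_ports("telnet", 2, secondary))          # [2002, 8002]
    print(identify_tcp_port(8002, secondary))             # ('telnet', 2)
    # Constructed listening-port list (not the result of any real inventory).
    print(cleartext_console_ports([22, 443, 2001, 3001, 4005, 8002], secondary))
```

Running the module prints the ports for the manual’s telnet example and then the three ports in the constructed list (2001, 4005 and 8002) that reach a serial console without SSH; that is the set an Administrator would want to reconcile against the services actually enabled on the System: Services page.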
3.5 Communications Software
You have configured access protocols for the Administrator client to use when connecting to the console server. User clients (who you may set up later) will also use these protocols when accessing console server serial attached devices and network attached hosts. You will need to have appropriate
communications software tools set up on the Administrator (and User) PC/workstation.
Black Box provides the SDT Connector Java applet as the recommended client software tool. You can use other generic tools such as PuTTY and SSHTerm. These tools are all described below as well.
3.5.1 SDT Connector
Each console server has an unlimited number of SDT Connector licenses to use with that console server.
[Figure: SDT Connector (RDP/VNC/Telnet/HTTP client) on the LAN connecting through an SSH encrypted tunnel; RDP/VNC/Telnet/HTTP sessions forwarded to devices/computers/service processors on the LAN: network appliance, applications and database server, web server, desktop PC.]
SDT Connector is a lightweight tool that enables Users and Administrators to securely access the console server and the various computers, network devices, and appliances that may be serially or network connected to the console server.
SDT Connector is a Java applet that couples the trusted SSH tunneling protocol with popular access tools
such as Telnet, SSH, HTTP, HTTPS, VNC, and RDP to provide point-and-click secure remote management access to all the systems and devices being managed.
Information on using SDT Connector for browser access to the console server’s Management Console, Telnet/SSH access to the console server command line, and TCP/UDP connecting to hosts that are network connected to the console server is in Chapter 6, Secure Tunneling.
SDT Connector can be installed on Windows 2000, XP, 2003, Vista PCs, and on most Linux, UNIX, and Solaris computers.
3.5.2 PuTTY
You can also use communications packages like PuTTY to connect to the console server command line (and to connect to serially attached devices as covered in Chapter 4). PuTTY is a freeware implementation of Telnet and SSH for Windows and UNIX platforms. It runs as an executable application without needing to be installed onto your system. PuTTY (the Telnet and SSH client itself) can be downloaded from http://www.tucows.com/preview/195286.html
To use PuTTY for an SSH terminal session from a Windows client, enter the console server’s IP address as the “Host Name (or IP address).” To access the console server command line, select “SSH” as the protocol, and use the default IP Port 22.
Click “Open” and the console server login prompt will appear. (You may also receive a “Security Alert” that the host’s key is not cached. Choose “yes” to continue.)
Using the Telnet protocol is similarly simple, but you use the default port 23.
3.5.3 SSHTerm
Another popular communications package you can use is SSHTerm, an open source package that you can download from http://sourceforge.net/projects/sshtools
To use SSHTerm for an SSH terminal session from a Windows Client, simply select the “File” option and click on “New Connection.” A new dialog box will appear for your “Connection Profile.”
Type in the host name or IP address (for the console server unit) and the TCP port that the SSH session will use (port 22). Then type in your username, choose password authentication, and click Connect.
You may receive a message about the host key fingerprint. Select “yes” or “always” to continue.
The next step is password authentication. The system prompts you for your username and password from the remote system. This logs you on to the console server.
3.6 Management network configuration (LES1208A, LES1216A and LES1248A only)
The LES1208A, LES1216A, and LES1248A console servers have a second network port that you can configure as a management LAN port or as a failover/ OOB access port.
3.6.1 Enable the Management LAN
The LES1208A, LES1216A, and LES1248A console servers provide a firewall, router, and DHCP server. You need to connect an external LAN switch to Network 2 to attach hosts to this management LAN.
[Figure: Gateway to the management LAN. NETWORK 1 connects to the operations network; NETWORK 2 connects to the management network; serially connected consoles.]
This Management LAN feature is disabled by default. To configure the Management LAN gateway:
Select the Management LAN page on the System: IP menu and uncheck Disable.
Configure the IP Address and Subnet Mask for the Management LAN (but leave the DNS fields blank).
Click Apply.
Note You can configure the second Ethernet port as either a gateway port or as an OOB/Failover port (but not both). Make sure you did not allocate Network 2 as the Failover Interface when you configured the principal Network connection on the System: IP menu.
The management gateway function is now enabled with default firewall and router rules. By default, these rules are configured so the Management LAN is accessible only by SSH port forwarding. This ensures that the remote and local connections to Managed Devices on the Management LAN are secure. You can also configure the LAN ports in bridged mode (as described later in this chapter) or you can configure them from the command line.
3.6.2 Configure the DHCP server
The LES1208A, LES1216A, and LES1248A console servers also host a DHCP server, which by default is disabled. The DHCP server enables the automatic distribution of IP addresses to hosts on the Management LAN that are running DHCP clients. To enable the DHCP server:
On the System: IP menu select the Management LAN page and click the Disable label in the
DHCP Server field (or go to the System: DHCP Server menu and check Enable DHCP Server).
Enter the Gateway address that you want to issue to the DHCP clients. If you leave this field
blank, the console server’s IP address will be used.
Enter the Primary DNS and Secondary DNS address to issue to the DHCP clients. If you leave this field blank, the console server’s IP address is used. So, leave this field blank for automatic DNS server assignment.
Optionally, enter a Domain Name suffix to issue DHCP clients.
Enter the Default Lease time and Maximum Lease time in seconds. The lease time is the time that a dynamically assigned IP address is valid before the client must request it again.
Click Apply.
The DHCP server will sequentially issue IP addresses from a specified address pool(s):
Click Add in the Dynamic Address Allocation Pools field. Enter the DHCP Pool Start Address and End Address and click Apply.
The DHCP server also supports pre-assigning IP addresses to be allocated only to specific MAC addresses and reserving IP addresses to be used by connected hosts with fixed IP addresses. To reserve an IP address for a particular host:
Click Add in the Reserved Addresses field. Enter the Hostname, the Hardware Address (MAC), and the Statically Reserved IP address for
the DHCP client and click Apply.
When DHCP has initially allocated hosts addresses, copy these addresses into the pre-assigned list so the same IP address will be reallocated if you reboot the system.
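The Management Console does not tell you whether the Management LAN address, the dynamic pools and the reserved addresses entered above are mutually consistent. The following added example (not code from this manual or from Black Box) checks such a configuration before you click Apply: every pool and reservation must lie inside the Management LAN subnet, pools must not overlap each other or swallow the console server’s own address, and a reserved address must not sit inside a dynamic pool. The field names follow the pages described above; the checks themselves, the helper names and the sample addresses and MACs are assumptions or constructed values.

```python
"""Consistency checks for a Management LAN DHCP server configuration (added
example, not the console server's own software).  Fields mirror the
Management Console pages: Management LAN address and subnet mask, Gateway to
issue (blank means the console server's own address), Dynamic Address
Allocation Pools (start/end) and Reserved Addresses (hostname, MAC, IP).
The checks are assumptions about a consistent configuration; the console
server does not necessarily enforce them."""
import ipaddress
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

MAC_RE = re.compile(r"^([0-9A-Fa-f]{2}[:-]){5}[0-9A-Fa-f]{2}$")


@dataclass
class Reservation:
    hostname: str
    mac: str          # Hardware Address (MAC), colon or hyphen separated
    ip: str           # Statically Reserved IP


@dataclass
class DhcpConfig:
    mgmt_lan_ip: str                      # Management LAN interface address
    mgmt_lan_mask: str                    # e.g. "255.255.255.0"
    gateway: Optional[str] = None         # blank -> console server's own address
    pools: List[Tuple[str, str]] = field(default_factory=list)
    reservations: List[Reservation] = field(default_factory=list)


def effective_gateway(cfg: DhcpConfig) -> str:
    """The Gateway address clients actually receive (manual: blank = server IP)."""
    return cfg.gateway or cfg.mgmt_lan_ip


def check_dhcp_config(cfg: DhcpConfig) -> List[str]:
    """Return human-readable problems; an empty list means the config is consistent."""
    problems: List[str] = []
    net = ipaddress.ip_network(f"{cfg.mgmt_lan_ip}/{cfg.mgmt_lan_mask}", strict=False)
    server = ipaddress.ip_address(cfg.mgmt_lan_ip)
    gateway = ipaddress.ip_address(effective_gateway(cfg))
    if gateway not in net:
        problems.append(f"gateway {gateway} is not inside {net}")

    ranges: List[Tuple[ipaddress.IPv4Address, ipaddress.IPv4Address]] = []
    for start, end in cfg.pools:
        s, e = ipaddress.ip_address(start), ipaddress.ip_address(end)
        label = f"pool {start}-{end}"
        if s > e:
            problems.append(f"{label}: start is after end")
            continue
        if s not in net or e not in net:
            problems.append(f"{label}: outside {net}")
        if s == net.network_address or e == net.broadcast_address:
            problems.append(f"{label}: includes the network or broadcast address")
        if s <= server <= e:
            problems.append(f"{label}: contains the console server address {server}")
        for ps, pe in ranges:                       # pools are issued sequentially,
            if s <= pe and ps <= e:                 # so they must not overlap
                problems.append(f"{label}: overlaps pool {ps}-{pe}")
        ranges.append((s, e))

    seen_macs, seen_ips = set(), set()
    for r in cfg.reservations:
        if not MAC_RE.match(r.mac):
            problems.append(f"{r.hostname}: malformed MAC {r.mac!r}")
        mac = r.mac.lower().replace("-", ":")       # normalise both label styles
        if mac in seen_macs:
            problems.append(f"{r.hostname}: MAC {mac} reserved twice")
        seen_macs.add(mac)
        ip = ipaddress.ip_address(r.ip)
        if ip not in net:
            problems.append(f"{r.hostname}: reserved {ip} is outside {net}")
        if ip == server:
            problems.append(f"{r.hostname}: reserved {ip} is the console server address")
        if ip in seen_ips:
            problems.append(f"{r.hostname}: {ip} reserved twice")
        seen_ips.add(ip)
        for ps, pe in ranges:
            if ps <= ip <= pe:
                problems.append(f"{r.hostname}: reserved {ip} lies inside dynamic pool {ps}-{pe}")
    return problems


if __name__ == "__main__":
    # Constructed sample configuration (not from any real deployment).
    cfg = DhcpConfig("192.168.2.1", "255.255.255.0",
                     pools=[("192.168.2.100", "192.168.2.199")],
                     reservations=[Reservation("switch01", "00:11:22:33:44:55", "192.168.2.10"),
                                   Reservation("pdu01", "00:11:22:33:44:66", "192.168.2.150")])
    for problem in check_dhcp_config(cfg):
        print("problem:", problem)   # pdu01's reservation sits inside the dynamic pool
```

The reserved-inside-pool check is the one that matters most in practice: the manual advises copying DHCP-allocated addresses into the reserved list so they survive a reboot, and an address that is both reserved and inside the dynamic pool can be handed to a different host before the reservation is honoured.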
3.6.3 Select Failover or broadband OOB
The LES1208A, LES1216A and LES1248A console servers provide a broadband failover option. If you have a problem using the main LAN connection for accessing the console server, an alternate access path is used.
[Figure: Redundant LAN connection. NETWORK #1 and NETWORK #2 to the management network; serially connected consoles.]
By default, the failover is not enabled. To enable, select the Network page on the System: IP
menu.
Select the Failover Interface to be used if the main fails. This can be:
o an alternate broadband Ethernet connection (which would be the Network2 port on the LES1208A, LES1216A, and LES1248A), or
o the internal modem, or
o an external serial modem connected to the Console port (for dialing out to an ISP or the remote management office).
Click Apply. You have selected the failover method. It is not active until you specify the external
sites to be probed to trigger failover, and set up the failover ports themselves. This is covered in Chapter 5.
Note With the LES1208A, LES1216A, and LES1248A, you can configure the second Ethernet port as
either a gateway port or as an OOB/Failover port, but not both. Make sure you did not enable the Management LAN function on Network 2.
3.6.4 Bridging the network ports
By default, you can only access the console server's Management LAN network ports using SSH tunneling/port forwarding. However, all the wired network ports on the console servers can also be bridged.
Select Enable Bridging on the System: IP General Settings menu. All the Ethernet ports are then transparently connected at the data link layer (layer 2) and they are configured collectively using the Network Interface menu.
When bridging is enabled, network traffic is forwarded between all Ethernet ports with no firewall restrictions. This mode also removes all the Management LAN Interface and Out-of-Band/Failover Interface functions, and disables the DHCP Server.
Chapter 4 Serial Port, Host, Device & User Configuration
Introduction
The Black Box console server enables access and control of serially attached devices and network attached devices (hosts). The Administrator must configure access privileges for each of these devices, and specify the services that can be used to control the devices. The Administrator can also set up new users and specify each user’s individual access and control privileges.
[Figure: Network connected devices (HTTP, HTTPS, IPMI, ALOM, SOL, VNC, RDP, SSH, X, Telnet); serial connected devices (Linux, Solaris, Windows, UNIX, BSD servers; VoIP PBX switch, router, firewall, power strip, UPS).]
This chapter covers each of the steps in configuring hosts and serially attached devices:
Configure Serial Ports: setting up the protocols to be used in accessing serially-connected devices.
Users & Groups: setting up users and defining the access permissions for each of these users.
Authentication: covered in more detail in Chapter 9.
Network Hosts: configuring access to network connected devices (referred to as hosts).
Configuring Trusted Networks: nominating user IP addresses.
Cascading and Redirection of Serial Console Ports.
Connecting to Power (UPS, PDU, and IPMI) and Environmental Monitoring (EMD) devices.
Managed Devices: presents a consolidated view of all the connections.
4.1 Configure Serial Ports
To configure a serial port, you must first set the Common Settings (the protocols and the RS-232 parameters, such as baud rate, that will be used for the data connection to that port).
Select what mode the port is to operate in. You can set each port to support one of five operating modes:
1) Console Server Mode is the default and this enables general access to the serial console port on the serially attached devices.
2) Device Mode sets the serial port up to communicate with an intelligent serial controlled PDU, UPS, or Environmental Monitor Device (EMD).
3) SDT Mode enables graphical console access (with RDP, VNC, HTTPS, etc.) to hosts that are serially connected.
4) Terminal Server Mode sets the serial port to wait for an incoming terminal login session.
5) Serial Bridge Mode transparently interconnects two serial port devices over a network.
Select Serial & Network: Serial Port and you will see the current labels, modes, logging levels,
and RS-232 protocol options that are currently set up for each serial port.
By default, each serial port is set in Console Server mode. To reconfigure the port, click Edit. When you have reconfigured the common settings (Chapter 4.1.1) and the mode (Chapters 4.1.2 to 4.1.6) for each port, you can set up any remote syslog (Chapter 4.1.7), then click Apply.
Note If you want to set the same protocol options for multiple serial ports at once, click Edit Multiple
Ports and select which ports you want to configure as a group.
If the console server has been configured with distributed Nagios monitoring enabled, then you will also be presented with Nagios Settings options to enable nominated services on the Host to be monitored (refer to Chapter 10, Nagios Integration).
4.1.1 Common Settings
There are a number of common settings that you can set for each serial port. These are independent of the mode in which the port is being used. Set these serial port parameters to match the serial port parameters on the device you attach to that port.
Specify a label for the port. Select the appropriate Baud Rate, Parity, Data Bits, Stop Bits, and Flow Control for each port.
(Note: The RS-485/RS-422 option is not relevant for console servers.)
Before proceeding with further serial port configuration, connect the ports to the serial devices
they will be controlling, and make sure they have matching settings.
Note The serial ports are all set at the factory to RS232 9600 baud, no parity, 8 data bits, 1 stop bit,
and Console server Mode. You can change the baud rate to 2400–230400 baud using the management console. You can configure lower baud rates (50, 75, 110, 134, 150, 200, 300, 600, 1200, 1800 baud) from the command line. Refer to Chapter 14 Basic Configuration (Linux Commands).
4.1.2 Console Server Mode
Select Console Server Mode to enable remote management access to the serial console that is attached to this serial port:
Logging Level This specifies the level of information to be logged and monitored (refer to Chapter 7, Alerts and Logging).
Telnet When the Telnet service is enabled on the console server, a Telnet client on a User or
Administrator’s computer can connect to a serial device attached to this serial port on the console server. The Telnet communications are unencrypted, so this protocol is generally
recommended only for local connections.
With Win2000/XP/NT you can run telnet from the command prompt (cmd.exe). Vista and Windows 7 include a Telnet client and server, but they are not enabled by default. To enable Telnet:
Log in as Admin and go to Start/Control Panel/Programs and Features. Select Turn Windows features on or off, check the Telnet Client, and click OK.
If the remote communications are tunneled with SDT Connector, then you can use Telnet to securely access these attached devices (refer to the Note below).
Note In Console Server mode, Users and Administrators can use SDT Connector to set up secure
Telnet connections that are SSH tunneled from their client PC/workstations to the serial port on the console server. SDT Connector can be installed on Windows 2000, XP, 2003, Vista, and Windows 7 PCs and on most Linux platforms. You can also set up secure Telnet connections with a simple point-and-click.
To use SDT Connector to access consoles on the console server serial ports, configure SDT Connector with the console server as a gateway, then configure it as a host. Next, enable the Telnet service on Port (2000 + serial port #), i.e. 2001–2048. Refer to Chapter 6 for more details on using SDT Connector for Telnet and SSH access to devices that are attached to the console server serial ports.
You can also use standard communications packages like PuTTY to set a direct Telnet (or SSH) connection to the serial ports (refer to the Note below).
Note PuTTY also supports Telnet (and SSH) and the procedure to set up a Telnet session is simple. Enter the console server’s IP address as the “Host Name (or IP address).” Select “Telnet” as the protocol and set the “TCP port” to 2000 plus the physical serial port number (that is, 2001 to 2048).
Click the “Open” button. You may then receive a “Security Alert” that the host’s key is not cached. Choose “yes” to continue. You will then be presented with the login prompt of the remote system connected to the serial port chosen on the console server. Log in as normal and use the host serial console screen.
PuTTY can be downloaded at http://www.tucows.com/preview/195286.html
SSH We recommend that you use SSH as the protocol where the User or Administrator connects
to the console server (or connects through the console server to the attached serial consoles) over the Internet or any other public network. This will provide authenticated SSH communications between the SSH client program on the remote user’s computer and the
console server, so the user’s communication with the serial device attached to the console server is secure.
For SSH access to the consoles on devices attached to the console server serial ports, you can use SDT Connector. Configure SDT Connector with the console server as a gateway, then as a
host, and enable SSH service on Port (3000 + serial port #), i.e. 3001–3048. Chapter 6, Secure Tunneling, has more information on using SDT Connector for SSH access to devices that are
attached to the console server serial ports.
You can also use common communications packages, like PuTTY or SSHTerm, to SSH connect directly to port address IP Address:Port (3000 + serial port #), i.e. 3001–3048.
SSH connections can also be made using the standard SSH port 22. Identify the serial port to be accessed by appending a descriptor to the username. This syntax supports:
<username>:<portXX>
<username>:<port label>
<username>:<ttySX>
<username>:<serial>
For a User named “fred” to access serial port 2, when setting up the SSHTerm or the PuTTY SSH client, instead of typing username = fred and ssh port = 3002, the alternate is to type username = fred:port02 (or username = fred:ttyS1) and ssh port = 22.
Or, by typing username=fred:serial and ssh port = 22. A port selection option appears to the User:
This syntax enables Users to set up SSH tunnels to all serial ports with only opening a single IP port 22 in their firewall/gateway.
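The four descriptor forms above are easy to get wrong in a runbook, so here is an added example (not code from this manual or from Black Box) that parses a login of the form <username>:<descriptor> into the selected serial port, and lists the equivalent spellings for a given port. The ttySX numbering follows the manual’s own example (fred:port02 is the same port as fred:ttyS1); accepting one-digit as well as two-digit port numbers, the 48-port ceiling, and the sample port labels are assumptions.

```python
"""Parsing the <username>:<descriptor> SSH login convention (added example,
not the console server's own code).  The manual lists four descriptor forms
that select a serial port over the single SSH port 22: portXX, a configured
port label, ttySX, and serial (which presents a port selection menu).  The
rule ttySX -> serial port X+1 follows the manual's example (fred:port02 is
fred:ttyS1); one- or two-digit numbers and the 48-port ceiling are assumptions."""
import re
from typing import Dict, List, Optional, Tuple

PORT_RE = re.compile(r"^port(\d{1,2})$")
TTYS_RE = re.compile(r"^ttyS(\d{1,2})$")
MAX_SERIAL_PORTS = 48


def parse_ssh_login(login: str, port_labels: Dict[str, int]
                    ) -> Tuple[str, Optional[int], bool]:
    """Split an SSH login name into (username, serial port or None, show_menu).

    port_labels maps the labels configured on the Serial Port page to port
    numbers (constructed here).  A plain username with no colon selects no
    serial port: it is an ordinary command-line login.
    """
    if ":" not in login:
        return login, None, False
    username, descriptor = login.split(":", 1)
    if not username or not descriptor:
        raise ValueError(f"malformed login {login!r}")
    if descriptor == "serial":                      # user:serial -> selection menu
        return username, None, True
    port_match = PORT_RE.match(descriptor)
    ttys_match = TTYS_RE.match(descriptor)
    if port_match:
        number = int(port_match.group(1))           # user:port02 -> port 2
    elif ttys_match:
        number = int(ttys_match.group(1)) + 1       # user:ttyS1  -> port 2
    elif descriptor in port_labels:
        number = port_labels[descriptor]            # user:<label> -> configured port
    else:
        raise ValueError(f"unknown serial port descriptor {descriptor!r}")
    if not 1 <= number <= MAX_SERIAL_PORTS:
        raise ValueError(f"serial port {number} out of range 1..{MAX_SERIAL_PORTS}")
    return username, number, False


def equivalent_logins(username: str, serial_port: int,
                      port_labels: Dict[str, int]) -> List[str]:
    """Every login string that reaches `serial_port` on TCP port 22, including the
    label form(s) when a label is configured for that port."""
    if not 1 <= serial_port <= MAX_SERIAL_PORTS:
        raise ValueError(f"serial port {serial_port} out of range 1..{MAX_SERIAL_PORTS}")
    forms = [f"{username}:port{serial_port:02d}", f"{username}:ttyS{serial_port - 1}"]
    forms += [f"{username}:{label}" for label, n in port_labels.items() if n == serial_port]
    return forms


if __name__ == "__main__":
    # Constructed label table (not from any real console server).
    labels = {"core-router": 2, "pdu-rack3": 7}
    for login in ("fred:port02", "fred:ttyS1", "fred:core-router", "fred:serial", "fred"):
        print(login, "->", parse_ssh_login(login, labels))
    print(equivalent_logins("fred", 2, labels))   # ['fred:port02', 'fred:ttyS1', 'fred:core-router']
```

Because the label form is matched only after portXX, ttySX and serial, a port label spelled like one of those reserved forms would be shadowed; that is the one naming constraint worth keeping in mind when labelling ports for users who will log in this way.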
TCP RAW TCP allows connections directly to a TCP socket. Communications programs like PuTTY
also support RAW TCP. You would usually access this protocol via a custom application.
For RAW TCP, the default port address is IP Address:Port (4000 + serial port #), i.e. 4001–4048.
RAW TCP also enables the serial port to be tunneled to a remote console server, so two serial port devices can transparently interconnect over a network (see Chapter 4.1.6, Serial Bridging).
RFC2217 Selecting RFC2217 enables serial port redirection on that port. For RFC2217, the default port address is IP Address:Port (5000 + serial port #), that is, 5001–5048.
Special client software is available for Windows, UNIX, and Linux that supports RFC2217 virtual com ports, so a remote host can monitor and manage remote serially attached devices as though they were connected to the local serial port (see Chapter 4.6, Serial Port Redirection, for details).
RFC2217 also enables the serial port to be tunneled to a remote console server, so two serial port devices can transparently interconnect over a network (see Chapter 4.1.6, Serial Bridging).
Unauthenticated Telnet Selecting Unauthenticated Telnet enables telnet access to the serial port without requiring the user to provide credentials. When a user accesses the console server to telnet to a serial port, he is normally given a login prompt. With unauthenticated telnet, the user connects directly through to a port without any console server login. This mode is mainly used when you have an external system (such as conserver) managing user authentication and access privileges at the serial device level.
For Unauthenticated Telnet, the default port address is IP Address:Port (6000 + serial port #), i.e. 6001–6048.
Accumulation Period: By default, once a connection is established for a particular serial port (such as an RFC2217 redirection or Telnet connection to a remote computer), any incoming characters on that port are forwarded over the network on a character-by-character basis. The accumulation period changes this by specifying a period of time during which incoming characters are collected before being sent as a packet over the network.
Escape Character: This enables you to change the character used for sending escape characters. The default is ~.
Power Menu: This setting enables the shell power command. A user can control the power connection to a Managed Device from the command line when connected to the device via telnet or ssh. To operate, the Managed Device must be set up with both its Serial port connection and Power connection configured. The command to bring up the power menu is ~p.
Single Connection: This setting limits the port to a single connection. If multiple users have access privileges for a particular port, only one user at a time can access that port (that is, port “snooping” is not permitted).
4.1.3 SDT Mode
This setting allows port forwarding of RDP, VNC, HTTP, HTTPS, SSH, Telnet, and other LAN protocols through to computers that are locally connected to the console server by their serial COM port. Port forwarding requires that you set up a PPP link over this serial port.
For configuration details, refer to Chapter 6.6, Using SDT Connector to Telnet or SSH connect to devices that are serially attached to the console server.
4.1.4 Device (RPC, UPS, EMD) Mode
This mode configures the selected serial port to communicate with a serial controlled Uninterruptable Power Supply (UPS), Remote Power Controller/Power Distribution Unit (RPC) or Environmental Monitoring Device (EMD).
Select the desired Device Type (UPS, RPC, or EMD). Proceed to the appropriate device configuration page (Serial & Network: UPS Connections, RPC Connection, or Environmental) as detailed in Chapter 8, Power & Environmental Management.
4.1.5 Terminal Server Mode
Select Terminal Server Mode and the Terminal Type (vt220, vt102, vt100, Linux, or ANSI) to enable a getty on the selected serial port.
The getty will then configure the port and wait for a connection to be made. An active connection on a serial device is usually indicated by the Data Carrier Detect (DCD) pin on the serial device being raised. When a connection is detected, the getty program issues a login: prompt, and then invokes the login program to handle the actual system login.
Note: Selecting Terminal Server mode will disable Port Manager for that serial port, so data is no longer logged for alerts, etc.
4.1.6 Serial Bridging Mode
With serial bridging, the serial data on a nominated serial port on one console server is encapsulated into network packets and then transported over a network to a second console server. It is then represented on its serial port again as serial data. The two console servers effectively act as a virtual serial cable over an IP network.
One console server is configured as the Server. Set the Server serial port to be bridged in Console Server mode with either RFC2217 or RAW enabled (as described in Chapter 4.1.2, Console Server Mode).
For the Client console server, the serial port to bridge must be set in Bridging Mode:
Select Serial Bridging Mode and specify the IP address of the Server console server and the TCP port address of the remote serial port (for RFC2217 bridging this will be 5001-5048).
By default, the bridging client will use RAW TCP. Select RFC2217 if this is the console server mode you have specified on the server console server.
[Figure: serial bridging. A control PC connected by COM port to one console server; the two console servers linked over the local Ethernet LAN; a serially connected control PC on the far side.]
You may secure the communications over the local Ethernet by enabling SSH. You will need to generate and upload keys (refer to Chapter 14, Advanced Configuration).
4.1.8 Syslog
In addition to built-in logging and monitoring (which can be applied to serial-attached and network-attached management accesses, as covered in Chapter 7, Alerts and Logging), you can also configure the console server to support the remote syslog protocol on a per serial port basis:
Select the Syslog Facility/Priority fields to enable logging of traffic on the selected serial port to a syslog server, and to appropriately sort and act on those logged messages (that is, redirect them, send alert email, etc.).
For example, if the computer attached to serial port 3 should never send anything out on its serial console port, the Administrator can set the Facility for that port to local0 (local0 .. local7 are for site local values), and the Priority to critical. At this priority, if the console server syslog server does receive a message, it will automatically raise an alert. Refer to Chapter 7, Alerts & Logging.
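An added example (not from the manual) in Python of the receiving side of the arrangement just described: decode the syslog PRI header into facility and severity, then apply a policy under which anything arriving on local0 at critical or worse raises an alert. The sample lines are constructed, not real device output.

```python
import re

# Facility and severity codes from the syslog protocol (PRI = facility * 8 + severity).
SYSLOG_FACILITIES = {
    0: "kern", 1: "user", 2: "mail", 3: "daemon", 4: "auth", 5: "syslog",
    6: "lpr", 7: "news", 8: "uucp", 9: "cron", 10: "authpriv", 11: "ftp",
    16: "local0", 17: "local1", 18: "local2", 19: "local3",
    20: "local4", 21: "local5", 22: "local6", 23: "local7",
}
# Index is the numeric severity; lower index means more severe.
SYSLOG_SEVERITIES = ["emerg", "alert", "crit", "err",
                     "warning", "notice", "info", "debug"]


def decode_pri(pri):
    """Split a PRI value into (facility name, severity name)."""
    if not 0 <= pri <= 191:
        raise ValueError(f"PRI out of range: {pri}")
    facility = SYSLOG_FACILITIES.get(pri // 8, f"facility{pri // 8}")
    return facility, SYSLOG_SEVERITIES[pri % 8]


_SYSLOG_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.DOTALL)


def parse_syslog_line(line):
    """Parse '<PRI>rest of message' into a record dict."""
    m = _SYSLOG_RE.match(line)
    if not m:
        raise ValueError("missing <PRI> header")
    facility, severity = decode_pri(int(m.group(1)))
    return {"facility": facility, "severity": severity, "message": m.group(2)}


# Alert policy: facility -> least severe level that still raises an alert.
# Mirrors the manual's example: the port that should stay silent logs to
# local0 at priority critical, so any local0 message at crit or worse alerts.
ALERT_POLICY = {"local0": "crit"}


def should_alert(record, policy=ALERT_POLICY):
    threshold = policy.get(record["facility"])
    if threshold is None:
        return False
    return (SYSLOG_SEVERITIES.index(record["severity"])
            <= SYSLOG_SEVERITIES.index(threshold))


def alerts_for(lines, policy=ALERT_POLICY):
    """Return the records from `lines` that the policy turns into alerts."""
    return [r for r in map(parse_syslog_line, lines) if should_alert(r, policy)]


# Constructed sample lines (PRI 130 = local0.crit, 134 = local0.info, 138 = local1.crit).
SAMPLE_LINES = [
    "<130>Nov 12 10:15:02 consolesrv port03: unexpected console output",
    "<134>Nov 12 10:15:05 consolesrv port01: login: ",
    "<138>Nov 12 10:15:09 consolesrv port05: kernel panic",
]

if __name__ == "__main__":
    for record in alerts_for(SAMPLE_LINES):
        print("ALERT", record)
```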
4.2 Add/Edit Users
The Administrator uses this menu selection to set up, edit, and delete users, and to define the access permissions for each of these users.
Users can be authorized to access specified console server serial ports and specified network-attached hosts. These users can also be given full Administrator status (with full configuration and management and access privileges).
To simplify user set up, they can be configured as members of Groups. There are two Groups set up by default (admin and user).
1. Members of the admin group have full Administrator privileges. The admin user (Administrator) can access the console server using any of the services that are enabled in System: Services. For example, if only HTTPS has been enabled, then the Administrator can only access the console server using HTTPS. Once logged in, they can reconfigure the console server settings (for example, to enable HTTP/Telnet for future access). They can also access any of the connected Hosts or serial port devices using any of the services that have been enabled for these connections. The Administrator can reconfigure the access services for any Host or serial port. Only trusted users should have Administrator access.
Note: For convenience, the SDT Connector “Retrieve Hosts” function retrieves and auto-configures checked serial ports and checked hosts only, even for admin group users.
2. Members of the user group have limited access to the console server and connected Hosts and serial devices. These Users can access only the Management section of the Management Console menu and they have no command line access to the console server. They also can only access those Hosts and serial devices that are checked for them, using services that are enabled.
3. The Administrator can also set up additional Groups with specific serial port and host access permissions (same as Users). However, users in these additional groups don’t have any access to the Management Console menu or any command line access to the console server itself. Finally, the Administrator can also set up users who are not a member of any Groups. They will have the same access as users in the additional groups.
To set up new Groups and new users, and to classify users as members of particular Groups:
Select Serial & Network: Users & Groups to display the configured Groups and Users. Click Add Group to add a new Group. Add a Group name and Description for each new Group, then nominate the Accessible Hosts, Accessible Ports, and Accessible RPC Outlet(s) that you want any users in this new Group to be able to access.
Click Apply.
Click Add User to add a new user. Add a Username and a confirmed Password for each new user. You may also include information related to the user (for example, contact details) in the Description field.
Note: The User Name can contain from 1 to 127 alphanumeric characters (you can also use the special characters “-”, “_”, and “.”). There are no restrictions on the characters that you can use in the user Password (each can contain up to 254 characters). Only the first eight Password characters are used to make the password hash.
Specify which Group (or Groups) you want the user to join. Check specific Accessible Hosts and/or Accessible Ports to nominate the serial ports and network connected hosts you want the user to have access privileges to.
If there are configured RPCs, you can check Accessible RPC Outlets to specify which outlets the user is able to control (that is, Power On/Off).
Click Apply. The new user can now access the Network Devices, Ports, and RPC Outlets you nominated as accessible. Also, if the user is a Group member, they can access any other device/port/outlet that was set up as accessible to the Group.
Note: There are no specific limits on the number of users you can set up, nor on the number of users per serial port or host. Multiple users (Users and Administrators) can control/monitor one port or host.
There are no specific limits on the number of Groups. Each user can be a member of a number of Groups (they take on the cumulative access privileges of each of those Groups). A user does not have to be a member of any Groups (but if the User is not even a member of the default user group, then he will not be able to use the Management Console to manage ports).
The time taken to reconfigure increases as the number and complexity of users and groups increases. We recommend that you keep the aggregate number of users and groups under 250.
The Administrator can also edit the access settings for any existing users:
Select Serial & Network: Users & Groups and click Edit for the User to be modified.
Note: For more information on enabling the SDT Connector so each user has secure tunneled remote RDP/VNC/Telnet/HTTP/HTTPS/SoL access to the network connected hosts, refer to Chapter 6.
4.3 Authentication
Refer to Chapter 9.1 Remote Authentication Configuration for authentication configuration details.
4.4 Network Hosts
To access a locally networked computer or device (referred to as a Host), you must identify the Host and specify the TCP or UDP ports/services that will be used to control that Host.
Selecting Serial & Network: Network Hosts presents all the network connected Hosts that have been enabled for access, and the related access TCP ports/services.
Click Add Host to enable access to a new Host (or select Edit to update the settings for an existing Host).
Enter the IP Address or DNS Name and a Host Name (up to 254 alphanumeric characters) for the new network connected Host (and optionally enter a Description).
Add or edit the Permitted Services (or TCP/UDP port numbers) that are authorized to be used in controlling this host. Only these permitted services will be forwarded through by SDT to the Host. All other services (TCP/UDP ports) will be blocked.
The Logging Level specifies the level of information to be logged and monitored for each Host access (refer to Chapter 7, Alerts and Logging).
If the Host is a PDU or UPS power device or a server with IPMI power control, then specify RPC (for IPMI and PDU) or UPS and the Device Type. The Administrator can then configure these devices and enable which users have permission to remotely cycle power, etc. (refer to Chapter 8). Otherwise, leave the Device Type set to None.
If the console server has been configured with distributed Nagios monitoring enabled, then you will also be presented with Nagios Settings options to enable nominated services on the Host to be monitored (refer to Chapter 10, Nagios Integration).
Click Apply. This will create the new Host and also create a new Managed Device (with the same name).
4.5 Trusted Networks
The Trusted Networks facility gives you an option to nominate specific IP addresses where users (Administrators and Users) must be located to access console server serial ports.
[Figure: Trusted Network rule examples. Network Address 204.15.5.0, Network Mask 255.255.255.0; Network Address 204.15.5.0, Network Mask 255.255.255.255; Host/Subnet Address 204.15.5.128, Subnet Mask 255.255.255.224.]
Select Serial & Network: Trusted Networks. To add a new trusted network, select Add Rule.
Select the Accessible Port(s) that the new rule is to be applied to. Then, enter the Network Address of the subnet to be permitted access. Then, specify the range of addresses that are to be permitted by entering a Network Mask for that permitted IP range, for example:
To permit all the users located within a particular Class C network (for example, 204.15.5.0) to connect to the nominated port, you would add the following Trusted Network New Rule:
If you want to permit only the one user who is located at a specific IP address (for example, 204.15.5.13) to connect:
If, however, you want to allow all the users operating from within a specific range of IP addresses (for example, any of the thirty addresses from 204.15.5.129 to 204.15.5.158) to be permitted connection to the nominated port:
Click Apply.
Note: The above Trusted Networks will limit Users' and Administrators' access to the console serial ports. They do not restrict access to the console server itself or to attached hosts. To change the default settings for this access, you will need to edit the iptables rules as described in Chapter 14, Advanced.
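An added Python example, not part of the manual, that builds the three rules above with the standard ipaddress module and checks which source addresses they admit to which serial ports. The assumption that a port with no rule at all remains reachable from any address is the example's own and is not stated by the manual.

```python
import ipaddress


def trusted_network(address, mask):
    """Build the subnet a rule permits from the dotted Network Address and
    Network Mask entered on the form. strict=True makes ipaddress reject an
    address with host bits set beyond the mask (for example 204.15.5.13 with
    mask 255.255.255.0), which on a rule form usually means a typo."""
    return ipaddress.IPv4Network(f"{address}/{mask}", strict=True)


class TrustedNetworkRule:
    def __init__(self, ports, address, mask):
        self.ports = frozenset(ports)          # serial port numbers the rule applies to
        self.network = trusted_network(address, mask)

    def covers(self, serial_port, source_ip):
        return (serial_port in self.ports
                and ipaddress.IPv4Address(source_ip) in self.network)


def is_permitted(rules, serial_port, source_ip):
    """A source may reach a serial port if any rule for that port covers it.
    Assumption for this example: a port that no rule mentions stays open to
    every address (the manual does not say what the device does here)."""
    applicable = [r for r in rules if serial_port in r.ports]
    if not applicable:
        return True
    return any(r.covers(serial_port, source_ip) for r in applicable)


def usable_hosts(rule):
    """Host addresses inside the rule's subnet, excluding the network and
    broadcast addresses. Note that a mask-based match (as in a firewall) also
    admits those two, so a /27 at .128 matches .128 to .159, not only the
    thirty usable hosts .129 to .158 the manual counts."""
    return [str(h) for h in rule.network.hosts()]


# The manual's three examples, each attached to a different serial port here.
RULES = [
    TrustedNetworkRule([1], "204.15.5.0", "255.255.255.0"),      # whole Class C
    TrustedNetworkRule([2], "204.15.5.13", "255.255.255.255"),   # a single host
    TrustedNetworkRule([3], "204.15.5.128", "255.255.255.224"),  # .129 to .158
]

if __name__ == "__main__":
    for port, src in [(1, "204.15.5.200"), (2, "204.15.5.14"), (3, "204.15.5.158")]:
        print(port, src, is_permitted(RULES, port, src))
    print(len(usable_hosts(RULES[2])), "usable hosts in the /27 rule")
```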
4.6 Serial Port Cascading
Cascaded Ports enables you to cluster distributed console servers. A large number of serial ports (up to 1000) can be configured and accessed through one IP address and managed through one Management Console. One console server, the Master, controls other console servers as Slave units, and all the serial ports on the Slave units appear as if they are part of the Master.
Black Box’s clustering connects each Slave to the Master with an SSH connection. This uses public key authentication so the Master can access each Slave using the SSH key pair (rather than using passwords). This ensures secure authenticated communications between Master and Slaves, enabling the Slave console server units to be distributed locally on a LAN or remotely around the world.
[Figure: cascaded console servers. Local or remote administration of the Master, which controls distributed Slaves.]
4.6.1 Automatically generate and upload SSH keys
To set up public key authentication, you must first generate an RSA or DSA key pair and upload them into the Master and Slave console servers. This can all be done automatically from the Master.
Select System: Administration on Master’s Management Console. Check Generate SSH keys automatically and click Apply.
Next, you must select whether to generate keys using RSA and/or DSA (if unsure, select only RSA). Generating each set of keys will require approximately two minutes, and the new keys will destroy any old keys of that type that may previously have been uploaded.
Also, while the new generation is underway on the Master, functions relying on SSH keys (for example, cascading) may stop functioning until they are updated with the new set of keys.
To generate keys:
Select RSA Keys and/or DSA Keys. Click Apply. Once the new keys have been successfully generated, click "Click here to return" and the keys will automatically be uploaded to the Master and connected Slaves.
4.6.2 Manually generate and upload SSH keys
Or, if you have an RSA or DSA key pair, you can manually upload them to the Master and Slave console servers.
Note: If you do not already have an RSA or DSA key pair that you want to use, you will need to create a key pair using ssh-keygen, PuTTYgen, or a similar tool as detailed in Chapter 15.6.
To manually upload the public and private key pair to the Master console server:
Select System: Administration on the Master’s Management Console. Browse to the location where you have stored the RSA (or DSA) Public Key and upload it to SSH RSA (DSA) Public Key.
Browse to the stored RSA (or DSA) Private Key and upload it to SSH RSA (DSA) Private Key. Click Apply.
Next, you must register the Public Key as an Authorized Key on the Slave. In a case that has only one Master with multiple Slaves, you only need to upload the one RSA or DSA public key for each Slave.
Note: Using key pairs can be confusing, since one file (Public Key) fulfills two roles: Public Key and Authorized Key. For a more detailed explanation, refer to the Authorized Keys section of Chapter 15.6. Also refer to this chapter if you need to use more than one set of Authorized Keys in the Slave.
Select System: Administration on the Slave’s Management Console. Browse again to the stored RSA (or DSA) Public Key and upload it to Slave’s SSH Authorized Key. Click Apply.
The next step is to Fingerprint each new Slave-Master connection. This one-time step will validate that you are establishing an SSH session to the host you think you are connecting to. On the first connection, the Slave will receive a fingerprint from the Master which will be used on all future connections:
To establish the fingerprint, first log in to the Master server as root and establish an SSH connection to the Slave remote host:
# ssh remhost
Once the SSH connection has been established, the system asks you to accept the key. Answer yes and the fingerprint will be added to the list of known hosts. For more details on Fingerprinting, refer to Chapter 15.6.
If the system asks you to supply a password, then there is a problem with uploading keys. The keys should remove any need to supply a password.
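To compare the fingerprint shown at that first ssh connection against a public key obtained out of band, the following added Python example (not the console server's own tooling) computes the MD5 colon-hex fingerprint that OpenSSH of this manual's era printed, and the SHA256 form current versions print, from an OpenSSH public key line. The sample key is built in the code from toy parameters and is not a usable key.

```python
import base64
import hashlib
import struct


def _ssh_string(data):
    """SSH wire-format string: big-endian uint32 length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def _ssh_mpint(value):
    """SSH mpint: big-endian two's complement; a leading 0x00 keeps a positive
    number whose top bit is set from being read as negative."""
    raw = value.to_bytes((value.bit_length() + 7) // 8, "big")
    if raw and raw[0] & 0x80:
        raw = b"\x00" + raw
    return _ssh_string(raw)


def build_rsa_public_key_line(e, n, comment):
    """Assemble an OpenSSH 'ssh-rsa <base64 blob> <comment>' line from RSA
    parameters. Used here only to construct sample input."""
    blob = _ssh_string(b"ssh-rsa") + _ssh_mpint(e) + _ssh_mpint(n)
    return f"ssh-rsa {base64.b64encode(blob).decode()} {comment}"


def parse_public_key_line(line):
    """Return (key_type, blob) for an OpenSSH public key line, checking that the
    type named inside the blob matches the type at the start of the line."""
    parts = line.split()
    if len(parts) < 2:
        raise ValueError("not an OpenSSH public key line")
    key_type, encoded = parts[0], parts[1]
    blob = base64.b64decode(encoded, validate=True)
    (type_len,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + type_len] != key_type.encode():
        raise ValueError("key type in blob does not match the line")
    return key_type, blob


def md5_fingerprint(blob):
    """Colon-separated MD5 fingerprint, the form OpenSSH printed in 2009."""
    digest = hashlib.md5(blob).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def sha256_fingerprint(blob):
    """'SHA256:<unpadded base64>' form printed by current OpenSSH."""
    return "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")


def fingerprints_for_line(line):
    """Both fingerprints of the key in an OpenSSH public key line. Only the
    base64 blob is hashed; the trailing comment is not part of the fingerprint."""
    key_type, blob = parse_public_key_line(line)
    return {"type": key_type, "md5": md5_fingerprint(blob), "sha256": sha256_fingerprint(blob)}


# Constructed sample: toy RSA parameters, NOT a real or secure key.
SAMPLE_KEY_LINE = build_rsa_public_key_line(65537, 0xC0FFEE1234567890ABCDEF, "master@example")

if __name__ == "__main__":
    print(fingerprints_for_line(SAMPLE_KEY_LINE))
```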
4.6.3 Configure the slaves and their serial ports
You can now begin setting up the Slaves and configuring Slave serial ports from the Master console server:
Select Serial & Network: Cascaded Ports on the Master’s Management Console. To add clustering support, select Add Slave.
Note: You can't add any Slaves until you automatically or manually generate SSH keys.
To define and configure a Slave:
Enter the remote IP Address (or DNS Name) for the Slave console server. Enter a brief Description and a short Label for the Slave (use a convention here that enables you to effectively manage large networks of clustered console servers and the connected devices).
Enter the full number of serial ports on the Slave unit in Number of Ports. Click Apply. This will establish the SSH tunnel between the Master and the new Slave.
The Serial & Network: Cascaded Ports menu displays all the Slaves and the port numbers that have been allocated on the Master. If the Master console server has 16 ports of its own, then ports 1-16 are pre-allocated to the Master. The first Slave added will be assigned port number 17 and up.
Once you have added all the Slave console servers, you can assign and access the Slave serial ports and the connected devices from the Master’s Management Console menu. You can also access them through the Master’s IP address.
Select the appropriate Serial & Network: Serial Port and Edit to configure the serial ports on the Slave.
Select the appropriate Serial & Network: Users & Groups to add new users with access privileges to the Slave serial ports (or to extend existing users’ access privileges).
Select the appropriate Serial & Network: Trusted Networks to specify network addresses that can access nominated Slave serial ports.
Select the appropriate Alerts & Logging: Alerts to configure Slave port Connection, State Change, or Pattern Match alerts.
The configuration changes made on the Master are propagated out to all the Slaves when you click Apply.
4.6.4 Managing the Slaves
The Master is in control of the Slave serial ports. For example, if you change User access privileges or edit any serial port setting on the Master, the updated configuration files will be sent out to each Slave in parallel. Each Slave will then automatically make changes to its local configuration (and only make those changes that relate to its particular serial ports).
You can still use the local Slave Management Console to change the settings on any Slave serial port (such as alter the baud rates). These changes will be overwritten next time the Master sends out a configuration file update.
Also, while the Master is in control of all Slave serial port related functions, it is not master over the Slave network host connections or over the Slave console server system itself.
You must access each Slave directly to manage Slave functions such as IP, SMTP & SNMP Settings, Date & Time, and DHCP server. These functions are not overwritten when configuration changes are propagated from the Master. Similarly, you have to configure the Slaves' Network Host and IPMI settings at each Slave.
The Master’s Management Console provides a consolidated view of the settings for its own and all the Slaves' serial ports. The Master does not provide a fully consolidated view. For example, if you want to find out who's logged in to cascaded serial ports from the Master, you’ll see that Status: Active Users only displays those users active on the Master’s ports, so you may need to write custom scripts to provide this view. This is covered in Chapter 11.
4.7 Serial Port Redirection
To allow an application on a client PC to access the virtual serial ports on the console server, you need to run client software (to redirect the local serial port traffic to remote console server serial port).
There’s a selection of commercial software available including Serial to Ethernet from Eltima (www.eltima.com) and Serial/IP™ COM Port Redirector from Tactical Software (www.tacticalsoftware.com/products/serialip.htm).
[Figure: serial port redirection. A PC running serial device applications over Serial/IP redirector virtual COM ports reaches remote console servers attached to retail data systems, building automation systems, controllers, and sensors.]
This serial port redirector software is loaded in your desktop PC, and it allows you to use a serial device that’s connected to the remote console server as if it were connected to your local serial port.
4.8 Managed Devices
Managed Devices presents a consolidated view of all the connections to a device that you can access and monitor through the console server. To view the connections to the devices:
Select Serial & Network: Managed Devices.
This screen displays all the Managed Devices with their Description/Notes. It also lists all the configured Connections, that is, Serial Port # (if serially connected) or USB if USB connected; IP Address (if network connected); Power PDU/outlet details (if applicable); and any UPS connections. Devices such as servers will commonly have more than one power connection (for example, dual power supplies) and more than one network connection (for example, for a BMC/service processor).
All Users can view (but not edit) these Managed Device connections by selecting Manage: Devices. The Administrator user can edit and add/delete these Managed Devices and their connections.
To edit an existing device and add a new connection:
Select Edit on the Serial & Network: Managed Devices and click Add Connection.
Select the connection type for the new connection (Serial, Network Host, UPS, or RPC) and then select the specific connection from the presented list of configured unallocated hosts/ports/outlets.
To add a new network-connected Managed Device:
The Administrator adds a new network-connected Managed Device using Add Host on the Serial & Network: Network Host menu. This automatically creates a corresponding new Managed Device (as covered in Section 4.4, Network Hosts).
When adding a new network-connected RPC or UPS power device, you set up a Network Host, designate it as RPC or UPS, then go to RPC Connections (or UPS Connections) to configure the relevant connection. A corresponding new Managed Device (with the same Name/Description as the RPC/UPS Host) is not created until you complete this connection step (refer to Chapter 8, Power and Environment).
Note: The outlet names on this newly created PDU will by default be “Outlet 1” and “Outlet 2.” When you connect a particular Managed Device (that draws power from the outlet), the outlet will take the powered Managed Device's name.
To add a new serially connected Managed Device:
Configure the serial port using the Serial & Network: Serial Port menu (refer to Section 4.1, Configure Serial Port).
Select Serial & Network: Managed Devices and click Add Device. Enter a Device Name and Description for the Managed Device.
Click Add Connection and select Serial and the Port that connects to the Managed Device. To add a UPS/RPC power connection or network connection or another serial connection, click Add Connection.
Click Apply.
Note: To set up a new serially connected RPC, UPS, or EMD device, configure the serial port, designate it as a Device, then enter a Name and Description for that device in the Serial & Network: RPC Connections (or UPS Connections or Environmental) menu. When applied, this will automatically create a corresponding new Managed Device with the same Name/Description as the RPC/UPS Host (refer to Chapter 8, Power and Environment).
All the outlet names on the PDU will by default be “Outlet 1” and “Outlet 2.” When you connect a particular Managed Device (that draws power from the outlet), the outlet will take the name of the powered Managed Device.
Chapter 5 Failover and OoB Dial Access
Introduction
The console server has a number of fail-over and out-of-band access capabilities to make sure it’s available if there are difficulties accessing the console server through the principal network path. This chapter covers:
- Out-of-band (OoB) access from a remote location using a dial-up modem.
- Out-dial failover.
- OoB access using an alternate broadband link (LES1208A, LES1216A, and LES1248A models only).
- Broadband failover.
5.1 OoB Dial-In Access
To enable OoB dial-in access, you first configure the console server. Once it’s set up for dial-in PPP access, the console server will await an incoming dial-in connection. Set up the remote client dial-in software so it can establish a network connection from the Administrator’s client modem to the dial-in modem on the console server.
[Figure: dial-in management. A remote Administrator's modem dials in to the console server's modem.]
Note: The LES1208A, LES1216A, and LES1248A models all have an internal modem and a DB9 Local/Console port for OoB access. With these models, you can still attach an external modem via a serial cable to the DB9 port, and you can configure the second Ethernet port for broadband OoB access.
Make sure you unplug the console server power before installing the modem. When it next boots, it will detect the modem and a PC Card Modem tab will appear under System -> Dial.
The LES1108A, LES1116A, and LES1148A models need to have an external modem attached via a serial cable to the DB9 port marked Local (located on the front of the unit).
5.1.1 Configure Dial-In PPP
To enable dial-in PPP access on the modem:
Select the System: Dial menu option and the port to be configured (Serial DB9 Port or Internal Modem Port).
Note: The console server console/modem serial port is set by default to 115200 baud, No parity, 8 data bits, and 1 stop bit, with software (Xon-Xoff) flow control enabled for the Serial DB9 Port, and to 9600 baud for the Internal modem and PC Card Ports. When enabling OoB dial-in, we recommend that this be changed to 38,400 baud with Hardware Flow Control.
Select the Baud Rate and Flow Control that will communicate with the modem.
Note: You can further configure the console/modem port (for example, to include modem init strings) by editing the /etc/mgetty.config files as described in Chapter 15, Advanced Configuration.
Check the Enable Dial-In Access box. Enter the User name and Password to be used for the dial-in PPP link. In the Remote Address field, enter the IP address to be assigned to the dial-in client. You can select any address for the Remote IP Address. It and the Local IP Address must both be in the same network range (e.g. 200.100.1.12 and 200.100.1.67).
In the Local Address field, enter the IP address for the Dial-In PPP Server. This is the IP address that will be used by the remote client to access the console server once the modem connection is established. You can select any address for the Local IP Address, but it must be in the same network range as the Remote IP Address.
The Default Route option enables the dialed PPP connection to become the default route for the Console server.
The Custom Modem Initialization option allows you to enter a custom AT modem initialization string (for example, AT&C1&D3&K3).
You must select the Authentication Type to apply to the dial-in connection. The console server uses authentication to challenge Administrators who dial in to the console server. (For dial-in access, the username and password received from the dial-in client are verified against the local authentication database stored on the console server.) The Administrator must also configure the client PC/workstation to use the selected authentication scheme. Select PAP, CHAP, MSCHAPv2, or None, and click Apply.
None: With this selection, no username or password authentication is required for dial-in access. We do not recommend this.
PAP: Password Authentication Protocol (PAP) is the usual method of user authentication used on the Internet: sending a username and password to a server where they are compared with a table of authorized users. While most common, PAP is the least secure of the authentication options.
CHAP: Challenge-Handshake Authentication Protocol (CHAP) is used to verify a user's name and password for PPP Internet connections. It is more secure than PAP, the other main authentication protocol.
MSCHAPv2: Microsoft Challenge Handshake Authentication Protocol (MSCHAP) is authentication for PPP connections between a computer using a Microsoft Windows operating system and a network access server. It is more secure than PAP or CHAP, and is the only option that also supports data encryption.
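As an added example (not from the manual), the following Python models the PAP and CHAP (RFC 1994, MD5) exchanges on the dial-in link to show why CHAP rates as more secure than PAP: the shared secret never crosses the modem link, only a server-chosen challenge and a hash over it. Names and secrets are constructed.

```python
import hashlib
import hmac
import secrets


def pap_exchange(username, password):
    """PAP: the client sends username and password as-is, so anyone who can
    observe the modem link sees the secret. Returns the packet transcript."""
    return [("client->server",
             f"Authenticate-Request user={username} password={password}")]


def chap_response(identifier, secret, challenge):
    """RFC 1994 CHAP with MD5: Response = MD5(Identifier || secret || Challenge)."""
    if not 0 <= identifier <= 255:
        raise ValueError("CHAP identifier is a single octet")
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


def chap_exchange(name, client_secret, server_secret, identifier=1, challenge=None):
    """Run the three CHAP packets and return (authenticated, transcript).
    The server compares the client's hash with one computed from the secret it
    holds locally (the console server's local authentication database here)."""
    if challenge is None:
        challenge = secrets.token_bytes(16)   # fresh random challenge per attempt
    transcript = [("server->client",
                   f"Challenge id={identifier} value={challenge.hex()}")]
    response = chap_response(identifier, client_secret, challenge)
    transcript.append(("client->server",
                       f"Response id={identifier} value={response.hex()} name={name}"))
    expected = chap_response(identifier, server_secret, challenge)
    ok = hmac.compare_digest(expected, response)   # constant-time comparison
    transcript.append(("server->client", "Success" if ok else "Failure"))
    return ok, transcript


def secret_leaks(transcript, secret_text):
    """True if the shared secret appears verbatim in any packet on the link."""
    return any(secret_text in payload for _, payload in transcript)


if __name__ == "__main__":
    ok, packets = chap_exchange("fred", b"s3cret", b"s3cret")
    for direction, payload in packets:
        print(direction, payload)
    print("authenticated:", ok, "secret on the wire:", secret_leaks(packets, "s3cret"))
```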
Console servers support dial-back for additional security. Check the Enable Dial-Back box and enter the phone number to call to re-establish an OoB link once a dial-in connection is logged.
Note: Chapter 15 (Advanced Configuration) has examples of Linux commands that you can use to control the modem port operation at the command line level.
5.1.2 Using SDT Connector client
Administrators can use their SDT Connector client to set up secure OoB dial-in access to all their remote console servers. With a point and click, you can initiate a dial up connection. Refer to Chapter 6.5.
5.1.3 Set up Windows XP/2003/Vista/7 client
Open Network Connections in Control Panel and click the New Connection Wizard.
Select Connect to the Internet and click Next. On the Getting Ready screen, select Set up my connection manually and click Next. On the Internet Connection screen, select Connect using a dial-up modem and click Next. Enter a Connection Name (any name you choose) and the dial-up Phone number that will
connect through to the console server modem.
Enter the PPP User name and Password you set up for the console server.
5.1.4 Set up earlier Windows clients
For Windows 2000, the PPP client set up procedure is the same as above, except you get to the
Dial-Up Networking Folder by clicking the Start button and selecting Settings. Then, click Network and Dial-up Connections and click Make New Connection.
Similarly, for Windows 98, you double click My Computer on the Desktop, then open Dial-Up Networking and double click Make New Connection. Then, proceed as above.
5.1.5 Set up Linux clients for dial-in
The online tutorial http://www.yolinux.com/TUTORIALS/LinuxTutorialPPP.html presents a selection of methods for establishing a dial up PPP connection:
- Command line PPP and manual configuration (works with any Linux distribution).
- Using the Linuxconf configuration tool (for Red Hat compatible distributions). This configures
the scripts ifup/ifdown to start and stop a PPP connection.
- Using the Gnome control panel configuration tool.
- WVDIAL and the Red Hat “Dialup configuration tool”.
- GUI dial program X-isp. Download/Installation/Configuration.
Note For all PPP clients:
- Set the PPP link up with TCP/IP as the only protocol enabled.
- Specify that the Server will assign IP address and do DNS.
- Do not set up the console server PPP link as the default for Internet connection.
5.2 OoB broadband access
The LES1208A, LES1216A, and LES1248A console servers have a second Ethernet port (Network 2) that you can configure for alternate and OoB (out-of-band) broadband access. With two active broadband access paths to the console server, if you are unable to access it through the primary management network (Network or Network1), you can still access it through the alternate broadband path (for example, a T1 link).
On the System: IP menu select Network 2 and configure the IP Address, Subnet Mask,
Gateway, and DNS with the access settings for the alternate link.
Make sure that when you configure the principal Network 1 Settings connection, the Failover
Interface is set to None.
5.3 Broadband Ethernet Failover
The second Ethernet port on the LES1208A, LES1216A, and LES1248A Advanced Console Servers can also be configured for failover to ensure transparent high availability.
When configuring the principal network connection, specify Network 2 (eth1) as the Failover
Interface to use when a fault is detected with Network 1 (eth0).
Specify the Probe Addresses of two sites (the Primary and Secondary) that the Advanced Console
Server is to ping to determine if Network 1 (eth0) is still operating.
On the Management LAN Interface - Network 2, configure the IP Address/Subnet Mask/Gateway
the same as Network Interface - Network 1.
In this mode, Network 2 (eth1) is available as the transparent back-up port to Network 1 (eth0) for accessing the management network. Network 2 will automatically and transparently take over the work of Network 1, if Network 1 becomes unavailable for any reason. When Network 1 becomes available again, it takes over the work again.
5.4 Dial-Out Failover
The console servers can be configured so a dial-out PPP connection is automatically set up in case the principal management network is disrupted:
When configuring the principal network connection in System: IP, specify Internal Modem (or the
Dial Serial DB9 if you are using an external modem on the Console port) as the Failover Interface to
use when a fault is detected with Network1 (eth0).
Specify the Probe Addresses of two sites (the Primary and Secondary) that the console server is to
ping to determine if Network1 is still operating.
Select the System: Dial menu option and the port to be configured (Serial DB9 Port or Internal
Modem Port).
Select the Baud Rate and Flow Control that will communicate with the modem.
Note You can further configure the console/modem port (for example, to include modem init strings) by
editing /etc/mgetty.config files as described in Chapter 13.
Check the Enable Dial-Out box in System: Dial and enter the access details to call the
remote PPP server.
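To show the probe-driven failover behaviour described in Sections 5.3 (Ethernet failover) and 5.4 (dial-out failover), here is an added Python model; it is not code from the manual or from the console server firmware. The probe results are constructed inputs, and the two-probe rule (the primary counts as up while either probe address answers) and the three-miss threshold are assumptions for illustration, since the manual does not state how many failed probes trigger the switch.

```python
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class FailoverState:
    """Interfaces named as in the manual: eth0 is primary, eth1 (or the modem) is failover."""
    primary: str = "eth0"
    failover: str = "eth1"          # use "modem" for the dial-out failover of Section 5.4
    active: str = "eth0"
    consecutive_misses: int = 0
    miss_threshold: int = 3         # assumption: three consecutive failed probe rounds


def primary_reachable(probes: Dict[str, bool]) -> bool:
    """Assumption: the primary link counts as up while either probe address answers."""
    return any(probes.values())


def step(state: FailoverState, probes: Dict[str, bool]) -> str:
    """Apply one probe round and return the interface that should now carry traffic."""
    if primary_reachable(probes):
        # Network 1 is back (or never left): traffic returns to it transparently.
        state.consecutive_misses = 0
        state.active = state.primary
    else:
        state.consecutive_misses += 1
        if state.consecutive_misses >= state.miss_threshold:
            state.active = state.failover
    return state.active


def simulate(rounds: List[Dict[str, bool]], failover: str = "eth1",
             threshold: int = 3) -> List[str]:
    """Run a sequence of probe rounds and record the active interface after each one."""
    state = FailoverState(failover=failover, miss_threshold=threshold)
    return [step(state, r) for r in rounds]


if __name__ == "__main__":
    up = {"primary": True, "secondary": True}
    down = {"primary": False, "secondary": False}
    print(simulate([up, down, down, down, up]))   # eth0 eth0 eth0 eth1 eth0
```

The threshold keeps a single lost ping from flapping the link. When you choose the two Probe Addresses, pick sites that are reached only over Network 1: a probe that could be answered through the backup path would hide a primary failure.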
Chapter 6 Secure SSH Tunneling & SDT Connector
Introduction
Each Black Box console server has an embedded SSH server and uses SSH tunneling so remote users can securely connect through the console server to Managed Devices using text-based console tools (such as SSH, telnet, SoL) or graphical tools (such as VNC, RDP, HTTPS, HTTP, X11, VMware, DRAC, iLO).
The Managed Devices you access can be located on the same local network as the console server or they can be attached to the console server via a serial port. The remote User/Administrator connects to the console server through an SSH tunnel via dial-up, wireless or ISDN modem; a broadband Internet connection; the enterprise VPN network; or the local network.
[Figure: secure remote management and secure local management of network-connected and serial-connected devices through the console server, including secure OoB access (dial-in or broadband).]
To set up the secure SSH tunnel from the client PC to the console server, install and launch SSH client software on the User/Administrator’s PC. Black Box recommends you use the SDT Connector client software supplied with the console server for this. SDT Connector is simple to install and auto-configure and it provides all your users with point-and-click access to all the systems and devices in the secure network. With one click, SDT Connector sets up a secure SSH tunnel from the client to the selected console server, then establishes a port forward connection to the target network connected host or serial connected device. Next, it executes the client application that it uses in communicating with the host.
This chapter details the basic SDT Connector operations:
Configuring the console server for SSH tunneled access to network attached hosts and setting up
permitted Services and user access (Section 6.1).
Setting up the SDT Connector client with gateway, host, service, and client application details,
and making connections between the Client PC and hosts connected to the console server (Section 6.2).
Using SDT Connector to access the Management Console via a browser (Section 6.3).
Using SDT Connector to Telnet or SSH connect to devices that are serially attached to the
console server (Section 6.4).
The chapter then covers more advanced SDT Connector and SSH tunneling topics:
Using SDT Connector for out-of-band access (Section 6.5).
Automatic importing and exporting configurations (Section 6.6).
Configuring Public Key Authentication (Section 6.7).
Setting up a SDT Secure Tunnel for Remote Desktop (Section 6.8).
Setting up a SDT Secure Tunnel for VNC (Section 6.9).
Using SDT to IP connect to hosts that are serially attached to the console server (Section 6.10).
6.1 Configuring for SSH Tunneling to Hosts
To set up the console server to SSH tunnel access a network attached host:
Add the new host and the permitted services using the Serial & Network: Network Hosts menu
as detailed in Network Hosts (Chapter 4.4). Only these permitted services will be forwarded through by SSH to the host. All other services (TCP/UDP ports) will be blocked.
Note Following are some of the TCP Ports used by SDT in the console server:
- 22 SSH (all SDT tunneled connections)
- 23 Telnet on local LAN (forwarded inside tunnel)
- 80 HTTP on local LAN (forwarded inside tunnel)
- 3389 RDP on local LAN (forwarded inside tunnel)
- 5900 VNC on local LAN (forwarded inside tunnel)
- 73XX RDP over serial from local LAN, where XX is the serial port number (that is, 7301 to 7348 on a 48-port console server)
- 79XX VNC over serial from local LAN, where XX is the serial port number
Add the new Users using Serial & Network: Users & Groups menu as detailed in
Network Hosts (Chapter 4.4). Users can be authorized to access the console server ports
and specified network attached hosts. To simplify configuration, the Administrator can first set up Groups with group access permissions, then Users can be classified as members of particular Groups.
6.2 SDT Connector Client Configuration
The SDT Connector client works with all Black Box console servers. Each of these remote console servers has an embedded OpenSSH based server that you can configure to port forward connections from the SDT Connector client to hosts on their local network (as detailed in the previous chapter). You can also pre-configure the SDT Connector with the access tools and applications that are available to run when you’ve established access to a particular host.
SDT Connector can connect to the console server using an alternate OoB access. It can also access the console server itself and access devices connected to serial ports on the console server.
6.2.1 SDT Connector installation
The SDT Connector set up program (SDTConnector Setup-1.n.exe or sdtcon-1.n.tar.gz) is
included on the CD supplied with your Black Box console server.
Run the set-up program.
Note For Windows clients, the SDTConnectorSetup-1.n.exe application will install the SDT Connector 1.n.exe and the config file defaults.xml. If there is already a config file on the Windows PC, then it will not be overwritten. To remove an earlier config file, run the regedit command and search for “SDT Connector,” then remove the directory with this name. For Linux and other Unix clients, the SDTConnector.tar.gz application will install the sdtcon-1.n.jar and the config file defaults.xml.
Once the installer completes you will have a working SDT Connector client installed on your machine and an icon on your desktop:
Click the SDT Connector icon on your desktop to start the client.
Note SDT Connector is a Java application, so it must have a Java Runtime Environment (JRE)
installed. You can download this for free from http://java.sun.com/j2se/. It installs on Windows 2000, XP, 2003, Vista, and 7 PCs and on most Linux platforms. Solaris platforms are also supported, but they must have Firefox installed. SDT Connector can run on any system with Java 1.4.2 and above installed, but it assumes the web browser is Firefox, and that xterm -e telnet opens a telnet window.
To operate SDT Connector, you first need to add new gateways to the client software by entering the access details for each console server (refer to Section 6.2.2). Then, let the client auto-configure all host and serial port connections from each console server (refer to Section 6.2.3). Finally, point-and-click to connect to the Hosts and serial devices (refer to Section 6.2.4).
Or, you can manually add network connected hosts (refer to Section 6.2.5) and manually configure new services to use to access the console server and the hosts (refer to Section 6.2.6). Then, manually configure clients to run on the PC that will use the service to connect to the hosts and serial port devices (refer to Sections 6.2.7 and 6.2.9). You can also set up SDT Connector to connect out-of-band to the console server (refer to Section 6.2.9).
6.2.2 Configuring a new console server gateway in the SDT Connector client
To create a secure SSH tunnel to a new console server:
Click the New Gateway icon or select the File: New Gateway menu option.
Enter the IP or DNS Address of the console server and the SSH port that you will use (typically
22).
Note If SDT Connector is connecting to a remote console server through the public Internet or routed network you will need to:
- Determine the public IP address of the console server (or of the router/firewall that connects the console server to the Internet) as assigned by the ISP. One way to find the public IP address is to access http://checkip.dyndns.org/ or http://www.whatismyip.com/ from a computer on the same network as the console server and note the reported IP address.
- Set port forwarding for TCP port 22 through any firewall/NAT/router that is located between SDT Connector and the console server so it points to the console server. http://www.portforward.com has port forwarding instructions for a range of routers. Also, you can use the Open Port Check tool from http://www.canyouseeme.org to check if port forwarding through local firewall/NAT/router devices has been properly configured.
Enter the Username and Password of a user on the gateway that is enabled to connect via SSH
and/or create SSH port redirections.
Optionally, enter a Descriptive Name to display instead of the IP or DNS address, and any Notes or a Description of this gateway (such as its firmware version, site location, or anything special about its network configuration).
Click OK and an icon for the new gateway will now appear in the SDT Connector home page.
Note For an SDT Connector user to access a console server (and then access specific hosts or serial devices connected to that console server), that user must first be set up on the console server, and must be authorized to access the specific ports/hosts (refer to Chapter 5). Only these permitted services will be forwarded through by SSH to the Host. All other services (TCP/UDP ports) will be blocked.
6.2.3 Auto-configure SDT Connector client with the user’s access privileges
Each user on the console server has an access profile that was configured with those specific connected hosts and serial port devices the user has authority to access, and a specific set of the enabled services for each of these. You can upload this configuration automatically into the SDT Connector client:
Click on the new gateway icon and select Retrieve Hosts. This will:
- configure access to network connected Hosts that the user is authorized to access and set up (for each of these Hosts) the services (for example, HTTPS, IPMI2.0) and the related IP ports being redirected.
- configure access to the console server itself (this is shown as a Local Services host).
- configure access with the enabled services for the serial port devices connected to the console server.
Note The Retrieve Hosts function will auto-configure all user classes (that is, they can be members of the user or admin group, some other group, or no group). SDT Connector will not auto-configure the root user (and we recommend that you only use this account for initial configuration and to add an initial admin account to the console server).
6.2.4 Make an SDT connection through the gateway to a host
Simply point at the host to be accessed and click on the service to use to access that host. The
SSH tunnel to the gateway is then automatically established, the appropriate ports redirected through to the host, and the appropriate local client application is launched pointing at the local endpoint of the redirection:
Note You can configure the SDT Connector client with an unlimited number of Gateways (that is, console servers). You can configure each Gateway to port forward to an unlimited number of locally networked Hosts. There is no limit on the number of SDT Connector clients that can be configured to access the one Gateway. Nor are there limits on the number of Host connections that an SDT Connector client can concurrently have open through the one Gateway tunnel.
There is a limit on the number of SDT Connector SSH tunnels that can be open at the same time on a particular Gateway (console server). Each Gateway (console server) can support at least 50 such concurrent connections. At any time, you could have up to 50 users securely controlling an unlimited number of Managed Devices at a remote site through the on-site console server.
6.2.5 Manually adding hosts to the SDT Connector gateway
For each gateway, you can manually specify the network connected hosts that you will access through that console server; and for each host, specify the services that you will use to communicate with the host.
Select the newly added gateway and click the Host icon to create a host that will be
accessible via this gateway. (Alternatively select File: New Host).
Enter the IP or DNS Host Address of the host (if this is a DNS address, it must be able to be
resolved by the gateway).
Select which Services to use to access the new host. A range of service options are pre-configured in the default SDT Connector client (RDP, VNC, HTTP, HTTPS, Dell RAC, VMware, etc.). However, if you want to add new services to the range, then proceed to the next section (Adding a new service) then return here.
Optionally, enter a Descriptive Name for the host to display instead of the IP or DNS address, and any Notes or a Description of this host (such as its operating system/release, or anything special about its configuration).
Click OK.
6.2.6 Manually adding new services to the new hosts
To extend the range of services that you can use when accessing hosts with SDT Connector:
Select Edit: Preferences and click the Services tab. Click Add. Enter a Service Name and click Add. Under the General tab, enter the TCP Port that this service runs on (for example, 80 for HTTP).
Optionally, select the client to use to access the local endpoint of the redirection.
Select which Client application is associated with the new service. A range of client application
options are pre-configured in the default SDT Connector (RDP client, VNC client, HTTP browser, HTTPS browser, Telnet client, etc.). If you want to add new client applications to this range, proceed to the next section (Adding a new client), then return here.
Click OK, then Close.
A service typically consists of a single SSH port redirection and a local client to access it. It may consist of
several redirections, and some or all may have clients associated with them.
An example is the Dell RAC service. The first redirection is for the HTTPS connection to the RAC server; it has a client associated with it (a web browser) that it launches immediately when you click the button for this service.
The second redirection is for the VNC service that you may choose to later launch from the RAC web console. It automatically loads in a Java client served through the web browser, so it does not need to have a local client associated with it.
On the Add Service screen, you can click Add as many times as needed to add multiple new port
redirections and associated clients.
You may also specify Advanced port redirection options:
Enter the local address to bind to when creating the local endpoint of the redirection. It is not
usually necessary to change this from “localhost.”
Enter a local TCP port to bind to when creating the local endpoint of the redirection. If you
leave this blank, a random port is selected.
Note SDT Connector can also tunnel UDP services. SDT Connector tunnels the UDP traffic through the TCP SSH redirection, so it is a “tunnel within a tunnel.” Enter the UDP port where the service is running on the host. This will also be the local UDP port that SDT Connector binds as the local endpoint of the tunnel. Note that for UDP services, you still need to specify a TCP port under General. This will be an arbitrary TCP port that is not in use on the gateway. An example of this is the SOL Proxy service. It redirects local UDP port 623 to remote UDP port 623 over the arbitrary TCP port 6667.
6.2.7 Adding a client program to be started for the new service
Clients are local applications that you may launch when a related service is clicked. To add to the pool of client programs:
Select Edit: Preferences and click the Client tab. Click Add.
Enter a Name for the client. Enter the Path to the executable file for the client (or click Browse
to locate the executable).
Enter a Command Line associated with launching the client application. SDT Connector typically
launches a client using command line arguments to point it at the local endpoint of the redirection. There are three special keywords for specifying the command line format. When launching the client, SDT Connector substitutes these keywords with the appropriate values:
%path% is the path to the executable file, that is, the previous field.
%host% is the local address to which the local endpoint of the redirection is bound, that is, the
Local Address field for the Service redirection Advanced options.
%port% is the local port to which the local endpoint of the redirection is bound, that is, the Local TCP Port field for the Service redirection Advanced options. If this port is unspecified (that is, “Any”), the appropriate randomly selected port will be substituted.
For example, SDT Connector is preconfigured for Windows installations with an HTTP service client that will connect with the local browser that the local Windows user has configured as the default. Otherwise, the default browser used is Firefox.
Also, some clients are launched in a command line or terminal window. The Telnet client is an example of this, so the “Path to client executable file” is telnet and the “Command line format for client executable” is cmd /c start %path% %host% %port%.
Click OK.
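The keyword substitution described in this section is easy to get subtly wrong, so here is an added Python example (not code from the manual or from SDT Connector) of how a client launcher can fill %path%, %host% and %port% into a command-line template. It also shows the two details a practitioner would want: how an unspecified ("Any") local port is obtained from the operating system, and that the substituted values are validated before they reach a shell. The templates and client names in the calls are constructed sample values.

```python
import re
import socket
from typing import Optional, Tuple

KEYWORD_RE = re.compile(r"%\w+%")
KNOWN_KEYWORDS = {"%path%", "%host%", "%port%"}
HOST_RE = re.compile(r"^[A-Za-z0-9.\-]+$")   # hostname or IPv4 literal only


def pick_free_local_port() -> int:
    """Stand-in for the 'Any' local port: ask the OS for an unused ephemeral port."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as sock:
        sock.bind(("127.0.0.1", 0))
        return sock.getsockname()[1]


def build_client_command(template: str, path: str, host: str = "localhost",
                         port: Optional[int] = None) -> Tuple[str, int]:
    """Fill %path%, %host% and %port% in a client command-line template.

    Returns the finished command and the local port it points at. The local
    address and port are checked first so that a redirection setting can never
    smuggle extra shell syntax into the command that is executed.
    """
    unknown = set(KEYWORD_RE.findall(template)) - KNOWN_KEYWORDS
    if unknown:
        raise ValueError(f"unknown keyword(s) in template: {', '.join(sorted(unknown))}")
    if not HOST_RE.match(host):
        raise ValueError(f"unexpected characters in local address {host!r}")
    if port is None:
        port = pick_free_local_port()
    if not 1 <= port <= 65535:
        raise ValueError(f"local port {port} out of range")
    command = (template.replace("%path%", path)
                       .replace("%host%", host)
                       .replace("%port%", str(port)))
    return command, port


if __name__ == "__main__":
    # The Telnet client from the manual, pointed at the local end of a redirection
    # for serial port 2 (TCP 2002 is the 200n convention used later in Section 6.4).
    print(build_client_command("cmd /c start %path% %host% %port%",
                               "telnet", "localhost", 2002))
    # A VNC viewer with the local port left as "Any".
    print(build_client_command("%path% %host%:%port%", "vncviewer", "127.0.0.1"))
```

The unknown-keyword check is done on the template rather than on the finished command, so a client path that legitimately contains a Windows environment variable such as %ProgramFiles% is not rejected.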
6.2.8 Dial in configuration
If the client PC is dialing into the Local/Console port on the console server, you will need to set up a dial-in PPP link:
Configure the console server for dial-in access (following the steps in the Configuring for Dial-In
PPP Access section in Chapter 5, Configuring Dial In Access).
Set up the PPP client software at the remote User PC (following the Set up the remote Client
section in Chapter 5).
Once you have a dial-in PPP connection established, you then can set up the secure SSH tunnel from the remote Client PC to the console server.
6.3 SDT Connector to Management Console
You can also configure SDT Connector for browser access to the console server’s Management Console and for Telnet or SSH access to the command line. For these connections to the console server itself, you must configure SDT Connector to access the Gateway itself by setting the Gateway (console server) up as a host, and then configuring the appropriate services:
Launch SDT Connector on your PC. Assuming you have already set up the console server as a
Gateway in your SDT Connector client (with username/ password etc.), select this newly added Gateway and click the Host icon to create a host. Or, select File -> New Host.
Enter 127.0.0.1 as the Host Address and provide details in Descriptive Name/Notes. Click OK.
Click the HTTP or HTTPS Services icon to access the Management Console, and/or click SSH
or Telnet to access the command line console.
Note: To enable SDT access to the console, you must also configure the console server to allow the
port forwarded network access to itself:
Browse to the console server and select Network Hosts from Serial & Network, click Add
Host, and in the IP Address/DNS Name field enter 127.0.0.1 (this is the Black Box network loopback address). Then, enter Loopback in Description.
Remove all entries under Permitted Services except for those that you will use to access the
Management Console (80/http or 443/https) or the command line (22/ssh or 23/telnet). Scroll to the bottom and click Apply.
Administrators by default have gateway access privileges. For Users to access the console
server Management Console, you will need to give those Users the required access
privileges. Select Users & Groups from Serial & Network. Click Add User. Enter a Username, Description and Password/Confirm. Select 127.0.0.1 from Accessible Host(s) and click Apply.
6.4 SDT Connector - telnet or SSH connect to serially attached devices
You can also use SDT Connector to access text consoles on devices that are attached to the console server serial ports. For these connections, you must configure the SDT Connector client software with a
Service that will access the target gateway serial port, and then set the gateway up as a host:
Launch SDT Connector on your PC. Select Edit -> Preferences and click the Services tab. Click
Add.
Enter "Serial Port 2" in Service Name and click Add. Select Telnet client as the Client. Enter 2002 in TCP Port. Click OK, then Close and Close again.
Assuming you have already set up the target console server as a gateway in your SDT Connector
client (with username/ password etc), select this gateway and click the Host icon to create a host. Or, select File -> New Host.
Enter 127.0.0.1 as the Host Address and select Serial Port 2 for Service. In Descriptive Name,
enter something such as Loopback ports, or Local serial ports. Click OK.
Click Serial Port 2 icon for Telnet access to the serial console on the device attached to serial
port #2 on the gateway.
To enable SDT Connector to access devices connected to the gateway’s serial ports, you must also configure the Console server itself to allow port forwarded network access to itself, and enable access to the nominated serial port:
Browse to the Console server and select Serial Port from Serial & Network. Click Edit next to the selected Port # (for example, Port 2 if the target device is attached to the second serial port). Make sure the port’s serial configuration is appropriate for the attached device.
Scroll down to Console server Setting and select Console server Mode. Check Telnet (or SSH)
and scroll to the bottom and click Apply.
Select Network Hosts from Serial & Network and click Add Host. In the IP Address/DNS Name field enter 127.0.0.1 (this is the Black Box network loopback
address) and enter Loopback in Description.
Remove all entries under Permitted Services, select TCP, and enter 200n in Port. (This
configures the Telnet port enabled in the previous step, so for Port 2 you would enter 2002.)
Click Add, then scroll to the bottom and click Apply. Administrators by default have gateway and serial port access privileges; however for Users to
access the gateway and the serial port, you will need to give those Users the required access privileges. Select Users & Groups from Serial & Network. Click Add User. Enter a Username, Description, and Password/Confirm. Select 127.0.0.1 from Accessible Host(s) and select Port 2 from Accessible Port(s). Click Apply.
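Sections 6.1, 6.3 and 6.4 all describe the same access rule: a forward through the SSH tunnel succeeds only when the destination is a configured Network Host, the port is among that host's Permitted Services, and the user is allowed that host (and, for the 200n loopback ports, that serial port). The following added Python example (not code from the manual or from the console server) models that decision over a constructed configuration, so the effect of each setting can be checked before relying on it. The host addresses, user names and port sets are sample values.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional, Tuple

LOOPBACK = "127.0.0.1"


@dataclass(frozen=True)
class NetworkHost:
    address: str
    permitted_tcp: FrozenSet[int]                  # "Permitted Services" for this host
    permitted_udp: FrozenSet[int] = frozenset()


@dataclass(frozen=True)
class User:
    name: str
    is_admin: bool = False                         # Administrators have gateway access by default
    accessible_hosts: FrozenSet[str] = frozenset()
    accessible_serial_ports: FrozenSet[int] = frozenset()


# Constructed sample configuration (not from the manual).
HOSTS: Dict[str, NetworkHost] = {
    # Loopback entry from Sections 6.3/6.4: HTTPS to the Management Console,
    # SSH to the command line, and Telnet to serial port 2 (TCP 2002). HTTP and
    # Telnet to the console server itself were removed from Permitted Services.
    LOOPBACK: NetworkHost(LOOPBACK, frozenset({443, 22, 2002})),
    # A managed Windows host on the LAN, RDP only.
    "192.0.2.10": NetworkHost("192.0.2.10", frozenset({3389})),
}

USERS: Dict[str, User] = {
    "root": User("root", is_admin=True),
    "ops": User("ops", accessible_hosts=frozenset({LOOPBACK, "192.0.2.10"}),
                accessible_serial_ports=frozenset({2})),
    "web": User("web", accessible_hosts=frozenset({LOOPBACK})),
}


def serial_port_for(tcp_port: int) -> Optional[int]:
    """Map the 200n Telnet/SSH-to-serial convention back to a serial port number."""
    return tcp_port - 2000 if 2001 <= tcp_port <= 2048 else None


def forward_allowed(username: str, dest: str, port: int,
                    proto: str = "tcp") -> Tuple[bool, str]:
    """Decide whether the gateway should honour a port-forward request."""
    user = USERS.get(username)
    if user is None:
        return False, "unknown user"
    host = HOSTS.get(dest)
    if host is None:
        return False, f"{dest} is not a configured Network Host"
    permitted = host.permitted_tcp if proto == "tcp" else host.permitted_udp
    if port not in permitted:
        return False, f"{proto}/{port} is not a Permitted Service on {dest}"
    if not user.is_admin and dest not in user.accessible_hosts:
        return False, f"{username} has no access to host {dest}"
    serial = serial_port_for(port) if dest == LOOPBACK else None
    if (serial is not None and not user.is_admin
            and serial not in user.accessible_serial_ports):
        return False, f"{username} has no access to serial port {serial}"
    return True, "permitted"


if __name__ == "__main__":
    for who, dest, port in [("ops", "192.0.2.10", 3389), ("web", "192.0.2.10", 3389),
                            ("ops", LOOPBACK, 2002), ("web", LOOPBACK, 2002),
                            ("web", LOOPBACK, 80)]:
        print(who, dest, port, "->", forward_allowed(who, dest, port))
```

Trimming the loopback host's Permitted Services to exactly what you use, as the manual directs, is what makes the third check bite: with 80/http still listed, every user with access to 127.0.0.1 could reach the unencrypted Management Console through the tunnel.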
6.5 Using SDT Connector for out-of-band connection to the gateway
You can also set up SDT Connector to connect to the console server (gateway) out-of-band (OoB). OoB access uses an alternate path for connecting to the gateway to that used for regular data traffic. OoB access is useful for when the primary link into the gateway is unavailable or unreliable.
Typically, a gateway’s primary link is a broadband Internet connection or Internet connection via a LAN or VPN, and the secondary out-of-band connectivity is provided by a dial-up or wireless modem directly attached to the gateway. Out-of-band access enables you to access the hosts and serial devices on the network, diagnose any connectivity issues, and restore the gateway's primary link.
In SDT Connector, to configure OoB access, you provide the secondary IP address of the gateway, and tell SDT Connector how to start and stop the OoB connection. You can start an OoB connection by initiating a dial-up connection, or by adding an alternate route to the gateway. For maximum flexibility, SDT Connector lets you provide your own scripts or commands for starting and stopping the OoB connection.
To configure SDT Connector for OoB access:
When adding a new Gateway or editing an existing Gateway select the Out Of Band tab. Enter the secondary, OoB IP address of the gateway (for example, the IP address it is using when
dialed in directly). You also may modify the gateway’s SSH port if it's not using the default of 22.
Enter the command or path to a script to start the OoB connection in Start Command.
To initiate a pre-configured dial-up connection under Windows, use the following Start
Command:
cmd /c start "Starting Out of Band Connection" /wait /min rasdial network_connection login password
where network_connection is the name of the network connection as displayed in Control Panel -> Network Connections, login is the dial-in username, and password is the dial-in
password for the connection.
To initiate a pre-configured dial-up connection under Linux, use the following Start
Command:
pon network_connection
where network_connection is the name of the connection.
Enter the command or path to a script to stop the OoB connection in Stop Command.
To stop a pre-configured dial-up connection under Windows, use the following Stop
Command:
cmd /c start "Stopping Out of Band Connection" /wait /min rasdial network_connection /disconnect
where network_connection is the name of the network connection as displayed in Control Panel -> Network Connections.
To stop a pre-configured dial-up connection under Linux, use the following Stop Command:
poff network_connection
To make the OoB connection using SDT Connector:
Select the console server and click Out Of Band. The status bar will change color to indicate that
this console server is now accessed using the OoB link rather than the primary link.
When you connect to a service on a host behind the console server, or to the console server itself, SDT Connector will initiate the OoB connection using the provided Start Command. The OoB connection does not stop (using the provided Stop Command) until you click off Out Of Band under Gateway Actions; then the status bar will return to its normal color.
6.6 Importing (and exporting) preferences
To enable the distribution of pre-configured client config files, SDT Connector has an Export/Import facility:
To save a configuration.xml file (for backup or for importing into
other SDT Connector clients) select File -> Export Preferences and select the location where you want to save the configuration file.
To import a configuration, select File -> Import Preferences and select the .xml configuration file to
install.
6.7 SDT Connector Public Key Authentication
SDT Connector can authenticate against an SSH gateway using your SSH key pair instead of requiring you to enter your password. This is known as public key authentication.
To use public key authentication with SDT Connector, first add the public part of your SSH key pair to your SSH gateway:
Make sure the SSH gateway allows public key authentication; this is typically the default behavior.
If you do not already have a public/private key pair for your client PC (the one running SDT Connector), generate them now using ssh-keygen, PuTTYgen or a similar tool. You may use RSA or DSA; however, leave the passphrase field blank:
- PuTTYgen: http://www.chiark.greenend.org.uk/~sgtatham/putty/download.html
- OpenSSH: http://www.openssh.org/
- OpenSSH (Windows): http://sshwindows.sourceforge.net/download/
Upload the public part of your SSH key pair (this file is typically named id_rsa.pub or id_dsa.pub) to the SSH gateway, or otherwise add it to .ssh/authorized_keys in your home directory on the SSH gateway.
Next, add the private part of your SSH key pair (this file is typically named id_rsa or id_dsa) to SDT Connector. Click Edit -> Preferences -> Private Keys -> Add, locate the private key file, and click OK.
You do not have to add the public part of your SSH key pair; it is derived from the private key.
SDT Connector will now use public key authentication when connecting through the SSH gateway (console server). You may have to restart SDT Connector to shut down any existing tunnels that were established using password authentication.
If you have a host behind the console server that you connect to by clicking the SSH button in SDT Connector, you may also want to configure access to it for public key authentication. This configuration is entirely independent of SDT Connector and the SSH gateway. You must configure the SSH client that SDT Connector launches (for example, PuTTY or OpenSSH) and the host's SSH server for public key authentication. Essentially, you are using SSH over SSH, and the two SSH connections are entirely separate.
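The key installation step above, as an added example that is not code from the manual or from Black Box: a POSIX shell function that appends the public half of a key pair (id_rsa.pub or id_dsa.pub) to .ssh/authorized_keys on the SSH gateway, skips keys that are already present, and sets the modes OpenSSH accepts under its default StrictModes check (sshd ignores an authorized_keys file, or a .ssh directory, that is writable by group or others, and the login then quietly falls back to password authentication). The function names, the paths and the sample key material are constructed for illustration.

```shell
#!/bin/sh
# Added example, not code from the manual or from Black Box.
# Install the public half of an SSH key pair on the gateway (Section 6.7),
# idempotently and with modes that OpenSSH's StrictModes check accepts.
#
# Usage: install_authorized_key <pubkey-file> [home-dir]
# Prints the number of keys added (0 when every key was already present).
install_authorized_key() {
    pubkey_file=$1
    home_dir=${2:-$HOME}
    ssh_dir="$home_dir/.ssh"
    auth_keys="$ssh_dir/authorized_keys"

    [ -r "$pubkey_file" ] || { echo "cannot read $pubkey_file" >&2; return 1; }
    # Only the public part (id_rsa.pub / id_dsa.pub) belongs on the gateway;
    # refuse a file that is actually the private key.
    if grep -q 'PRIVATE KEY' "$pubkey_file"; then
        echo "refusing $pubkey_file: it contains a private key" >&2
        return 1
    fi

    mkdir -p "$ssh_dir" && chmod 700 "$ssh_dir"
    touch "$auth_keys" && chmod 600 "$auth_keys"

    added=0
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in ''|'#'*) continue ;; esac
        # Match on key type + base64 blob only, so the same key with a
        # different trailing comment is still recognised as already installed.
        key_id=$(printf '%s\n' "$line" | awk '{print $1 " " $2}')
        if ! awk -v id="$key_id" '($1 " " $2) == id {found=1} END {exit !found}' "$auth_keys"; then
            printf '%s\n' "$line" >> "$auth_keys"
            added=$((added + 1))
        fi
    done < "$pubkey_file"
    echo "$added"
}

# Report whether the gateway-side files have modes OpenSSH will accept.
# Prints "ok" or "bad" so the result can be checked from a script.
check_authorized_keys_modes() {
    home_dir=${1:-$HOME}
    dir_mode=$(ls -ld "$home_dir/.ssh" | cut -c1-10)
    file_mode=$(ls -l "$home_dir/.ssh/authorized_keys" | cut -c1-10)
    if [ "$dir_mode" = "drwx------" ] && [ "$file_mode" = "-rw-------" ]; then
        echo ok
    else
        echo bad
    fi
}
```

Run it on the gateway as the account SDT Connector will log in as, for example install_authorized_key /tmp/id_rsa.pub after copying the .pub file over; check_authorized_keys_modes prints ok or bad so the same check can go into a provisioning script.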
6.8 Setting up SDT for Remote Desktop access
The Microsoft Remote Desktop Protocol (RDP) enables the system manager to securely access and manage remote Windows computers to reconfigure applications and user profiles, upgrade the server's operating system, reboot the machine, etc. Black Box's Secure Tunneling uses SSH tunneling, so this RDP traffic is securely transferred through an authenticated and encrypted tunnel.
SDT with RDP also allows remote Users to connect to Windows XP, Vista, Server 2003, and Server 2008 computers and to Windows 2000 Terminal Servers, and to access all of their applications, files, and network resources (with a full graphical interface, just as though they were in front of the computer screen at work). To set up a secure Remote Desktop connection, enable Remote Desktop on the target Windows computer that you want to access and configure the RDP client software on the client PC.
6.8.1 Enable Remote Desktop on the target Windows computer to be accessed
To enable Remote Desktop on the Windows computer being accessed:
Open System in the Control Panel and click the Remote tab.
Check Allow users to connect remotely to this computer. Click Select Remote Users.
To set the user(s) who can remotely access the system with RDP, click Add on the Remote Desktop Users dialog box.
Note If you need to set up new users for Remote Desktop access, open User Accounts in the Control Panel and follow the steps to nominate the new user's name, password, and account type (Administrator or Limited).
Note With Windows XP Professional and Vista, you have only one Remote Desktop session and it connects directly to the Windows root console. With Windows Server 2008, you can have multiple sessions (and with Server 2003 you have three sessions: the console session and two other general sessions). More than one user can have active sessions on a single computer.
When the remote user connects to the accessed computer on the console session, Remote Desktop automatically locks that computer (no other user can access the applications and files). When you come back to your computer at work, you can unlock it by typing CTRL+ALT+DEL.
6.8.2 Configure the Remote Desktop Connection client
Now that you have the Client PC securely connected to the console server (either locally, or remotely through the enterprise VPN, a secure SSH internet tunnel, or a dial-in SSH tunnel), you can establish the Remote Desktop connection from the Client. Simply enable the Remote Desktop Connection on the remote client PC, then point it to the SDT Secure Tunnel port in the console server:
A. On a Windows client PC
Click Start. Point to Programs, then to Accessories, then Communications, and click Remote Desktop Connection.
In Computer, enter the appropriate IP Address and Port Number:
Where there is a direct local or enterprise VPN connection, enter the IP Address of the console server, and the Port Number of the SDT Secure Tunnel for the console server serial port that you attach to the Windows computer you want to control. For example, if the Windows computer is connected to serial Port 3 on a console server located at 192.168.0.50, then you would enter 192.168.0.50:7303.
Where there is an SSH tunnel (over a dial-up PPP connection, a public internet connection, or a private network connection), simply enter the localhost as the IP address, 127.0.0.1. For Port Number, enter the source port you created when setting up SSH tunneling/port forwarding (in Section 6.1.6), for example, :1234.
Click Options. In the Display section, specify an appropriate color depth (for example, for a modem connection we recommend that you not use over 256 colors). In Local Resources, specify the peripherals on the remote Windows computer that are to be controlled (printer, serial port, etc.).
Click Connect.
Note The Remote Desktop Connection software is pre-installed with Windows XP, Vista and Server 2003/2008. For earlier Windows PCs, you need to download the RDP client:
Go to the Microsoft Download Center site http://www.microsoft.com/downloads/details.aspx?familyid=80111F21-D48D-426E-96C2-08AA2BD23A49&displaylang=en and click the Download button.
This software package will install the client portion of Remote Desktop on Windows 95, Windows 98 and 98 Second Edition, Windows Me, Windows NT 4.0, and Windows 2000. When run, this software allows these older Windows platforms to remotely connect to a computer running current Windows.
B. On a Linux or UNIX client PC:
Launch the open source rdesktop client:
rdesktop -u windows-user-id -p windows-password -g 1200x950 ms-windows-terminal-server-host-name
rdesktop options:
option    description
-a        Color depth: 8, 16, 24
-r        Device redirection, e.g. -0 -r sound redirects sound on the remote machine to the local device (MS Windows 2003)
-g        Geometry: widthxheight, or a screen percentage such as 70%
-p        Password. Use -p - to receive a password prompt.
You can use GUI front end tools like the GNOME Terminal Services Client tsclient to configure and launch the rdesktop client. (Using tsclient also enables you to store multiple configurations of rdesktop for connection to many servers.)
Note The rdesktop client is supplied with Red Hat 9.0:
rpm -ivh rdesktop-1.2.0-1.i386.rpm
For Red Hat 8.0 or other distributions of Linux, download the source, untar it, then run configure, make, and make install.
rdesktop currently runs on most UNIX-based platforms with the X Window System and can be downloaded from http://www.rdesktop.org/
C. On a Macintosh client:
Download Microsoft's free Remote Desktop Connection client for Mac OS X
http://www.microsoft.com/mac/otherproducts/otherproducts.aspx?pid=remotedesktopclient
6.9 SDT SSH Tunnel for VNC
With SDT and Virtual Network Computing (VNC), Users and Administrators can securely access and control Windows 98/NT/2000/XP/2003, Linux, Macintosh, Solaris, and UNIX computers. There's a range of popular free and commercial VNC software available (UltraVNC, RealVNC, TightVNC). To set up a secure VNC connection, install and configure the VNC Server software on the computer the user will access, then install and configure the VNC Viewer software on the Viewer PC.
6.9.1 Install and configure the VNC Server on the computer to be accessed
Virtual Network Computing (VNC) software enables users to remotely access computers running Linux, Macintosh, Solaris, UNIX, all versions of Windows, and most other operating systems.
A. For Microsoft Windows servers (and clients):
Windows does not include VNC software, so you will need to download, install, and activate a third party VNC Server software package:
RealVNC http://www.realvnc.com is fully cross-platform, so a desktop running on a Linux machine may be displayed on a Windows PC, on a Solaris machine, or on any number of other architectures. There is a Windows server, allowing you to view the desktop of a remote Windows machine on any of these platforms using exactly the same viewer. RealVNC was founded by members of the AT&T team who originally developed VNC.
TightVNC http://www.tightvnc.com is an enhanced version of VNC. It has added features such as file transfer, performance improvements, and read-only password support. They have recently included a video driver much like UltraVNC's. TightVNC is still free, cross-platform (Windows, Unix, and Linux), and compatible with the standard (Real) VNC.
UltraVNC http://ultravnc.com is easy to use, fast, and free VNC software that has pioneered and perfected features that the other flavors have consistently refused or been very slow to implement for cross-platform and minimalist reasons. UltraVNC runs under Windows operating systems (95, 98, Me, NT4, 2000, XP, 2003). Download UltraVNC from Sourceforge's UltraVNC file list.
B. For Linux servers (and clients):
Most Linux distributions now include VNC Servers and Viewers, and they generally can be launched from the (Gnome/KDE, etc.) front end; for example, Red Hat Enterprise Linux 4 includes VNC Server software and a choice of Viewer client software. To launch:
Select the Remote Desktop entry in the Main Menu -> Preferences menu. Click the Allow other users… checkbox to allow remote users to view and control your desktop.
To set up a persistent VNC server on Red Hat Enterprise Linux 4:
- Set a password using vncpasswd
- Edit /etc/sysconfig/vncservers
- Enable the service with chkconfig vncserver on
- Start the service with service vncserver start
- Edit /home/username/.vnc/xstartup if you want a more advanced session than just twm and an xterm.
C. For Macintosh servers (and clients):
OSXvnc http://www.redstonesoftware.com/vnc.html is a robust, full-featured VNC server for Mac OS X that allows any VNC client to remotely view and/or control the Mac OS X machine. OSXvnc is supported by Redstone Software.
D. Most other operating systems (Solaris, HPUX, PalmOS, etc.) either come with VNC bundled, or have third-party VNC software that you can download.
6.9.2 Install, configure and connect the VNC Viewer
VNC is truly platform-independent, so a VNC Viewer on any operating system can connect to a VNC Server on any other operating system. There are Viewers (and Servers) from a wide selection of sources (for example, UltraVNC, TightVNC or RealVNC) for most operating systems. There is also a wealth of Java viewers available so that any desktop can be viewed with any Java-capable browser (http://en.wikipedia.org/wiki/VNC lists many of the VNC Viewer sources).
Install the VNC Viewer software and set it up for the appropriate speed connection.
Note To make VNC faster, when you set up the Viewer:
Set encoding to ZRLE (if you have a fast enough CPU). Decrease color level (e.g. 64 bit). Disable the background transmission on the Server or use a plain wallpaper.
(Refer to http://doc.uvnc.com for detailed configuration instructions.)
To establish the VNC connection, first configure the VNC Viewer, entering the VNC Server IP address.
A. When the Viewer PC is connected to the console server through an SSH tunnel (over the public Internet, a dial-in connection, or a private network connection), enter localhost (or 127.0.0.1) as the VNC Server IP address, and the source port you entered when setting up SSH tunneling/port forwarding (in Section 6.2.6), e.g. :1234
B. When the Viewer PC is connected directly to the console server (i.e. locally or remotely through a VPN or dial-in connection) and the VNC Host computer is serially connected to the console server, enter the IP address of the console server unit with the TCP port that the SDT tunnel will use. The TCP port will be 7900 plus the physical serial port number (i.e. 7901 to 7948, so all traffic directed to port 79xx on the console server is tunneled through to port 5900 on the PPP connection on serial Port xx). For a Windows Viewer PC using UltraVNC connecting to a VNC Server attached to Port 1 on a console server, it is located at 192.168.0.1
To establish the VNC connection, simply activate the VNC Viewer software on the Viewer PC and enter the password.
Note For general background reading on Remote Desktop and VNC access, we recommend the following:
The Microsoft Remote Desktop How-To: http://www.microsoft.com/windowsxp/using/mobility/getstarted/remoteintro.mspx
The Illustrated Network Remote Desktop help page: http://theillustratednetwork.mvps.org/RemoteDesktop/RemoteDesktopSetupandTroubleshooting.html
What is Remote Desktop in Windows XP and Windows Server 2003? by Daniel Petri: http://www.petri.co.il/what's_remote_desktop.htm
Frequently Asked Questions about Remote Desktop: http://www.microsoft.com/windowsxp/using/mobility/rdfaq.mspx
Secure remote access of a home network using SSH, Remote Desktop and VNC for the home user: http://theillustratednetwork.mvps.org/RemoteDesktop/SSH-RDP-VNC/RemoteDesktopVNCandSSH.html
Taking your desktop virtual with VNC, Red Hat Magazine: http://www.redhat.com/magazine/006apr05/features/vnc/ and http://www.redhat.com/magazine/007may05/features/vnc/
Wikipedia general background on VNC: http://en.wikipedia.org/wiki/VNC
6.10 Using SDT to IP connect to hosts that are serially attached to the gateway
Network (IP) protocols like RDP, VNC and HTTP can also be used for connecting to host devices that are serially connected through their COM port to the console server. To do this you must:
establish a PPP connection (Section 6.7.1) between the host and the gateway, then
set up Secure Tunneling Ports on the console server (Section 6.7.2), then
configure SDT Connector to use the appropriate network protocol to access IP consoles on the host devices that are attached to the Console server serial ports (Section 6.7.3)
6.10.1 Establish a PPP connection between the host COM port and console server
(This step is only necessary for serially connected computers)
First, physically connect the COM port on the host computer you want to access to the serial port on the console server, then:
A. For non-Windows (Linux, UNIX, Solaris, etc.) computers, establish a PPP connection over the serial port. The online tutorial http://www.yolinux.com/TUTORIALS/LinuxTutorialPPP.html presents a selection of methods for establishing a PPP connection for Linux.
B. For Windows XP and 2003 computers, follow the steps below to set up an advanced network connection between the Windows computer, through its COM port, and the console server. Both Windows 2003 and Windows XP Professional allow you to create a simple dial-in service which can be used for the Remote Desktop/VNC/HTTP/X connection to the console server:
Open Network Connections in Control Panel and click the New Connection Wizard.
Select Set up an advanced connection and click Next.
On the Advanced Connection Options screen, select Accept Incoming Connections and click Next.
Select the Connection Device (i.e. the serial COM port on the Windows computer that you cabled through to the console server). By default, select COM1. The COM port on the Windows computer should be configured to its maximum baud rate. Click Next.
On the Incoming VPN Connection Options screen, select Do not allow virtual private connections and click Next.
Specify which Users will be allowed to use this connection. This should be the same Users who were given Remote Desktop access privileges in the earlier step. Click Next.
On the Network Connection screen, select TCP/IP and click Properties.
On the Incoming TCP/IP Properties screen, select Specify TCP/IP addresses.
Nominate a From: and a To: TCP/IP address, and click Next.
Note You can choose any TCP/IP addresses so long as they are addresses that are not used anywhere else on your network. The From: address will be assigned to the Windows XP/2003 computer and the To: address will be used by the console server. For simplicity, use the IP addresses as shown in the illustration above:
From: 169.134.13.1 To: 169.134.13.2
Or, you can set the advanced connection and access on the Windows computer to use the console server defaults:
Specify 10.233.111.254 as the From: address
Select Allow calling computer to specify its own address
Also, you could use the console server default username and password when you set up the new Remote Desktop User and gave this User permission to use the advanced connection to access the Windows computer:
The console server default Username is portXX where XX is the serial port number on the console server.
The default Password is portXX
To use the defaults for an RDP connection to serial port 2 on the console server, you would have set up a Windows user named port02.
When the PPP connection has been set up, a network icon will appear in the Windows task bar.
Note The above notes describe setting up an incoming connection for Windows XP. The steps are similar for Vista and Windows Server 2003/2008, but the set-up screens present slightly differently:
You need to put a check in the box for Always allow directly connected devices such as palmtop…
The option to Set up an advanced connection is not available in Windows 2003 if RRAS is configured. If RRAS has been configured, you can enable the null modem connection for the dial-in configuration.
C. For earlier version Windows computers, follow the steps in Section B. above. To get to the Make New Connection button:
For Windows 2000, click Start, and select Settings. At the Dial-Up Networking Folder, click Network and Dial-up Connections, and click Make New Connection. You may need to first set up a connection over the COM port using Connect directly to another computer before proceeding to Set up an advanced connection.
For Windows 98, double click My Computer on the Desktop, then open Dial-Up Networking and double click Make New Connection.
6.10.2 Set up SDT Serial Ports on console server
To set up RDP (and VNC) forwarding on the console server Serial Port that is connected to the Windows computer COM port:
Select the Serial & Network: Serial Port menu option and click Edit (for the particular Serial Port that is connected to the Windows computer COM port).
On the SDT Settings menu, select SDT Mode (this will enable port forwarding and SSH tunneling) and enter a Username and User Password.
Note When you enable SDT, it will override all other Configuration protocols on that port.
Note If you leave the Username and User Password fields blank, they default to portXX and portXX, where XX is the serial port number. The default username and password for Secure RDP over Port 2 is port02.
Make sure the console server Common Settings (Baud Rate, Flow Control) are the same as those set up on the Windows computer COM port and click Apply.
RDP and VNC forwarding over serial ports is enabled on a Port basis. You can add Users who can have access to these ports (or reconfigure User profiles) by selecting the Serial & Network: User & Groups menu tag, as described earlier in Chapter 4, Configuring Serial Ports.
6.10.3 Set up SDT Connector to SSH port forward over the console server Serial Port
In the SDT Connector software running on your remote computer, specify the gateway IP address of your console server and a username/password for a user you set up on the console server that has access to the desired port.
Next, add a New SDT Host. In the Host address, put portXX, where XX is the port you are connecting to. For example, for port 3 you would have a Host Address of port03. Then select the RDP Service check box.
6.11 SSH Tunneling using other SSH clients (e.g. PuTTY)
As covered in the previous sections of this chapter, we recommend that you use the SDT Connector client software that is supplied with the console server. There's also a wide selection of commercial and free SSH client programs that can provide the secure SSH connections to the console servers and secure tunnels to connected devices:
- PuTTY is a complete (though not very user friendly) freeware implementation of SSH for Win32 and UNIX platforms.
- SSHTerm is a useful open source SSH communications package.
- SSH Tectia is a leading end-to-end commercial communications security solution for the enterprise.
- Reflection for Secure IT (formerly F-Secure SSH) is another good commercial SSH-based security solution.
For example, the steps below show how to establish an SSH tunneled connection to a network connected device using the PuTTY client software.
In the Session menu, enter the IP address of the console server in the Host Name or IP address field.
For dial-in connections, this IP address will be the Local Address that you assigned to the console server when you set it up as the Dial-In PPP Server.
For Internet (or local/VPN) connections, this will be the console server's public IP address.
Select the SSH Protocol, and the Port will be set as 22.
Go to the SSH -> Tunnels menu and in Add new forwarded port enter any high unused port number for the Source port, for example, 54321.
Set the Destination: IP details.
If your destination device is network-connected to the console server and you are connecting using RDP, set the Destination as <Managed Device IP address/DNS Name>:3389. For example, if when setting up the Managed Device as a Network Host on the console server you specified its IP address to be 192.168.253.1 (or its DNS Name was accounts.myco.intranet.com), then specify the Destination as 192.168.253.1:3389 (or accounts.myco.intranet.com:3389). Only devices that are configured as networked Hosts can be accessed using SSH tunneling (except by the "root" user, who can tunnel to any IP address the console server can route to).
If your destination computer is serially connected to the console server, set the Destination as <port label>:3389. For example, if the Label you specified on the serial port on the console server is win2k3, then specify the remote host as win2k3:3389. Or, you can set the Destination as portXX:3389 (where XX is the SDT enabled serial port number). For example, if port 4 on the console server is to carry the RDP traffic, then specify port04:3389
Note http://www.jfitz.com/tips/putty_config.html has useful examples on configuring PuTTY for SSH tunneling.
Select Local and click the Add button.
Click Open to SSH connect the Client PC to the console server. You will now be prompted for the Username/Password for the console server user.
If you are connecting as a User in the "users" group, then you can only SSH tunnel to Hosts and Serial Ports where you have specific access permission.
If you are connecting as an Administrator (in the "admin" group), then you can connect to any configured Host or Serial Port (that has SDT enabled).
To set up the secure SSH tunnel for an HTTP browser connection to the Managed Device, specify port 80 (instead of port 3389 that was used for RDP) in the Destination IP address.
To set up the secure SSH tunnel from the Client (Viewer) PC to the console server for VNC, follow the steps above, but when you configure the VNC port redirection, specify port 5900 in the Destination IP address.
Note How secure is VNC? VNC access generally allows access to your whole computer, so security is very important. VNC uses a random challenge-response system to provide the basic authentication that allows you to connect to a VNC server. This is reasonably secure and the password is not sent over the network.
Once connected, all subsequent VNC traffic is unencrypted. A malicious user could snoop your VNC session. There are also VNC scanning programs available, which will scan a subnet looking for PCs that are listening on one of the ports that VNC uses.
Tunneling VNC over an SSH connection ensures all traffic is strongly encrypted. No VNC port is ever open to the internet, so anyone scanning for open VNC ports will not be able to find your computers. When tunneling VNC over an SSH connection, the only port that you're opening on your console server is the SDT port 22. Sometimes it may be prudent to tunnel VNC through SSH even when the Viewer PC and the console server are both on the same local network.
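The address rules in Sections 6.8.2, 6.9.2 and 6.11, as an added example that is not the manual's or Black Box's own code: two POSIX shell functions, one that works out the console server port to enter for a direct RDP or VNC connection to a serially attached host, and one that prints the OpenSSH command equivalent to the PuTTY SSH -> Tunnels steps above. The manual states the VNC rule (7900 plus the serial port number) and gives 7303 for RDP on serial port 3; the example assumes the same 7300-plus-port pattern holds for RDP. The function names, the 54321 default source port (taken from the PuTTY example above) and the addresses in the comments are illustrative.

```shell
#!/bin/sh
# Added example, not code from the manual or from Black Box. Works out the
# addresses the RDP/VNC procedures ask for. Function names are illustrative.

# Direct connection (Sections 6.8.2 / 6.9.2): the client talks to the console
# server itself on an SDT tunnel port derived from the serial port number N
# (1..48): 7900+N for VNC (stated in the manual), 7300+N for RDP (the manual's
# example is 7303 for port 3; the general rule is assumed here).
sdt_direct_target() {
    service=$1; console_ip=$2; serial_port=$3
    case "$serial_port" in
        ''|*[!0-9]*) echo "serial port must be a number" >&2; return 1 ;;
    esac
    if [ "$serial_port" -lt 1 ] || [ "$serial_port" -gt 48 ]; then
        echo "serial port $serial_port outside 1..48" >&2; return 1
    fi
    case "$service" in
        rdp) base=7300 ;;
        vnc) base=7900 ;;
        *)   echo "unknown service: $service" >&2; return 1 ;;
    esac
    echo "$console_ip:$((base + serial_port))"
}

# SSH tunnel (Section 6.11) with a stock OpenSSH client instead of PuTTY:
# forward a high local port to <target>:3389 (RDP), :80 (HTTP) or :5900 (VNC)
# on the far side of the console server. <target> is a Network Host configured
# on the console server, or the serial port label / portXX name of an SDT
# enabled serial port. Prints the command rather than running it so the
# mapping can be checked first.
sdt_tunnel_cmd() {
    service=$1; user=$2; console_ip=$3; target=$4; local_port=${5:-54321}
    case "$service" in
        rdp)  dest_port=3389 ;;
        http) dest_port=80 ;;
        vnc)  dest_port=5900 ;;
        *)    echo "unknown service: $service" >&2; return 1 ;;
    esac
    # -N: open no remote shell, only the forward.
    # Binding the local end to 127.0.0.1 keeps the forwarded port off the LAN.
    echo "ssh -N -L 127.0.0.1:$local_port:$target:$dest_port $user@$console_ip"
}
```

The RDP or VNC client then connects to 127.0.0.1:<source port>, exactly as the SSH-tunnel case in Section 6.8.2 describes; binding the forward to 127.0.0.1 explicitly keeps it unreachable from other machines on the client's LAN. When launching rdesktop for the tunnelled session, prefer -p - (password prompt) over putting the Windows password on the command line, where it is visible to other local users in the process list.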
Chapter 7 Alerts and Logging
Introduction
This chapter describes the alert generation and logging features of the console server. The Alert facility monitors the serial ports, all logins, the power status, and environmental monitors and probes, and sends emails, SMS, Nagios, or SNMP alerts when specified trigger events occur.
First, enable and configure the service that will be used to carry the alert (Section 7.1). Then, specify the alert trigger condition and the actual destination to which that particular alert will be sent (Section 7.2).
All console server models can maintain log records of all access and communications with the console server and with the attached serial devices. A log of all system activity is also maintained, as is a history of the status of any attached environmental monitors.
Some models also log access and communications with network attached hosts and maintain a history of the UPS and PDU power status.
If port logs are to be maintained on a remote server, then configure the access path to this location (Section 7.3).
Then you need to activate and set the desired levels of logging for each serial port (Section 7.4) and/or network port (Section 7.5) and/or power and environment UPS (refer to Chapter 8).
7.1 Configure SMTP/SMS/SNMP/Nagios alert service
The Alerts facility monitors nominated ports/hosts/UPSs/PDUs/EMDs, etc. for trigger conditions. When triggered, the facility sends an alert notification over the nominated alert service. Before setting up the alert trigger, configure these alert services:
7.1.1 Email alerts
The console server uses SMTP (Simple Mail Transfer Protocol) for sending the email alert notifications. To use SMTP, the Administrator must configure a valid SMTP server for sending the email:
Select Alerts & Logging: SMTP & SMS
In the SMTP Server field, enter the outgoing mail Server's IP address. If this mail server uses a Secure Connection, specify its type.
You may enter a Sender email address, which will appear as the "from" address in all email notifications sent from this console server. Many SMTP servers check the sender's email address against the host domain name to verify the address as authentic, so it may be useful to assign an email address for the console server such as consoleserver2@mydomain.com
You may also enter a Username and Password if the SMTP server requires authentication.
You can specify the specific Subject Line that will be sent with the email.
Click Apply to activate SMTP.
7.1.2 SMS alerts
The console server uses email-to-SMS services to send SMS alert notifications to mobile devices. Sending SMS via email using SMTP (Simple Mail Transfer Protocol) is much faster than sending text pages via a modem using the TAP Protocol. Almost all mobile phone carriers provide an SMS gateway service that forwards email to mobile phones on their networks. There's also a wide selection of SMS gateway aggregators that provide email to SMS forwarding to phones on any carrier. To use SMTP SMS, the Administrator must configure a valid SMTP server for sending the email:
In the SMTP SMS Server field in the Alerts & Logging: SMTP & SMS menu, enter the IP address of the outgoing mail Server (and Secure Connection if applicable).
You may enter a Sender email address, which will appear as the "from" address in all email notifications sent from this console server. Some SMS gateway service providers only forward email to SMS when the email has been received from authorized senders. You might need to assign a specific authorized email address for the console server.
You may also enter a Username and Password, because some SMS gateway service providers use SMTP servers which require authentication.
You can specify the specific Subject Line that will be sent with the email. Generally, the email subject will contain a truncated version of the alert notification message (which is contained in full in the body of the email). However, some SMS gateway service providers require blank subjects or require specific authentication headers to be included in the subject line.
Click Apply to activate SMTP.
7.1.3 SNMP alerts
The Administrator can configure the Simple Network Management Protocol (SNMP) agent that resides on the console server to send SNMP trap alerts to an NMS management application:
Select Alerts & Logging: SNMP
Enter the SNMP transport protocol. SNMP is generally a UDP-based protocol, though infrequently it uses TCP instead.
Enter the IP address of the SNMP Manager and the Port to use for connecting (default = 162).
Select the version being used. The console server SNMP agent supports SNMP v1, v2, and v3.
Enter the Community name for SNMP v1 or v2c. An SNMP community is the group that devices and management stations running SNMP belong to. It helps define where information is sent. SNMP default communities are private for Write (and public for Read).