Black Box LES1332A, LES1408A, LES114BA, LES1208A-R2, LES1132A User Manual

...
Page 1
LES1108A, LES1208A-R2, LES1308A, LES1408A, LES1508A
LES1116A, LES1216A-R2, LES1316A, LES1416A, LES1132A, LES1232A, LES1332A, LES1432A, LES1148A, LES1248A-R2, LES1348A, LES1448A
Value-Line and Advanced Console Servers User’s Manual
Securely manage data center and network equipment from anywhere in the world.
Customer Support Information
Order toll-free in the U.S.: Call 877-877-BBOX (outside U.S. call 724-746-5500). FREE technical support 24 hours a day, 7 days a week: Call 724-746-5500 or fax 724-746-0746. Mailing address: Black Box Corporation, 1000 Park Drive, Lawrence, PA 15055-1018
Web site: www.blackbox.com • E-mail: info@blackbox.com
724-746-5500 | blackbox.com
Value-Line and Advanced Console Servers Manual
Trademarks Used in this Manual
Black Box and the Double Diamond logo are registered trademarks of BB Technologies, Inc.
Cisco is a registered trademark of Cisco Technology, Inc.
Mac is a registered trademark of Apple Computers, Inc.
Linux is a registered trademark of Linus Torvalds.
Internet Explorer, Windows, Windows Me, Windows NT, and Windows Vista are registered trademarks of Microsoft Corporation.
Nagios is a registered trademark of Nagios Enterprises LLC.
Java and Solaris are trademarks of Sun Microsystems, Inc.
Unix is a registered trademark of X/Open Company Ltd.
Any other trademarks mentioned in this manual are acknowledged to be the property of the trademark owners.
We’re here to help! If you have any questions about your application
or our products, contact Black Box Tech Support at 724-746-5500
or go to blackbox.com and click on “Talk to Black Box.”
You’ll be live with one of our technical experts in less than 30 seconds.
Federal Communications Commission and Industry Canada Radio Frequency Interference Statements
This equipment generates, uses, and can radiate radio-frequency energy, and if not installed and used properly, that is, in strict accordance with the manufacturer’s instructions, may cause interference to radio communication. It has been tested and found to comply with the limits for a Class A computing device in accordance with the specifications in Subpart B of Part 15 of FCC rules, which are designed to provide reasonable protection against such interference when the equipment is operated in a commercial environment. Operation of this equipment in a residential area is likely to cause interference, in which case the user at his own expense will be required to take whatever measures may be necessary to correct the interference.
Changes or modifications not expressly approved by the party responsible for compliance could void the user’s authority to operate the equipment.
This digital apparatus does not exceed the Class A limits for radio noise emission from digital apparatus set out in the Radio Interference Regulation of Industry Canada.
This digital apparatus does not emit radio noise exceeding the Class A limits applicable to digital apparatus prescribed in the Radio Interference Regulation published by Industry Canada.
Safety Instructions (Normas Oficiales Mexicanas Electrical Safety Statement)
1. All safety and operating instructions must be read before the electrical appliance is operated.
2. The safety and operating instructions must be kept for future reference.
3. All warnings on the electrical appliance and in its operating instructions must be observed.
4. All operating and usage instructions must be followed.
5. The electrical appliance must not be used near water, for example near a bathtub, washbasin, wet basement, or near a swimming pool, etc.
6. The electrical appliance must only be used with carts or stands recommended by the manufacturer.
7. The electrical appliance must be mounted to a wall or ceiling only as recommended by the manufacturer.
8. Servicing: the user must not attempt to service the electrical equipment beyond what is described in the operating instructions. All other servicing must be referred to qualified service personnel.
9. The electrical appliance must be positioned so that its location does not interfere with its use. Placing the electrical appliance on a bed, sofa, rug, or similar surface may block ventilation; it must not be placed in bookcases or cabinets that impede the flow of air through the ventilation openings.
10. The electrical equipment must be located away from heat sources such as radiators, heat registers, stoves, or other appliances (including amplifiers) that produce heat.
11. The electrical appliance must be connected to a power source only of the type described in the operating instructions, or as indicated on the appliance.
12. Care must be taken so that the grounding and polarization of the equipment are not defeated.
13. Power supply cords must be routed so that they are not stepped on or pinched by objects placed on or against them, paying particular attention to plugs and receptacles where they exit the appliance.
14. The electrical equipment must be cleaned only according to the manufacturer’s recommendations.
15. If present, an outdoor antenna must be located away from power lines.
16. The power cord must be disconnected when the equipment is not used for a long period of time.
17. Care must be taken so that objects or liquids are not spilled onto the enclosure or ventilation openings.
18. Servicing by qualified personnel must be provided when:
A: The power cord or plug has been damaged; or B: Objects have fallen or liquid has been spilled into the appliance; or C: The appliance has been exposed to rain; or D: The appliance does not appear to operate normally or shows a change in its performance; or E: The appliance has been dropped or its enclosure has been damaged.
INDEX
INTRODUCTION 13
INSTALLATION 18
2.1 Models 18
2.1.1 Kit components LES1508A Console Server 19
2.1.2 Kit components LES1308A - LES1348A and LES1408A - LES1448A Advanced Console Servers 19
2.1.3 Kit components LES1208A-R2, LES1216A-R2, LES1232A and LES1248A-R2 Advanced Console Servers 20
2.1.4 Kit components LES1116A, LES1132A and LES1148A Console Servers 21
2.1.5 Kit components LES1108A Console Server 21
2.2 Power connection 21
2.2.1 LES1508A power 21
2.2.2 LES1408A - LES1448A, LES1308A - LES1348A and LES1208A - LES1248A power 22
2.2.3 LES1116A, LES1132A and LES1148A power 22
2.2.4 LES1108A power 23
2.3 Network connection 23
2.4 Serial Port connection 23
2.5 USB Port Connection 24
2.6 Antenna and SIM 25
SYSTEM CONFIGURATION 26
3.1 Management console connection 26
3.1.1 Connected PC/workstation set up 26
3.1.2 Browser connection 27
3.2 Administrator Password 29
3.2.1 Set up new administrator 30
3.2.2 Name the console server 30
3.3 Network IP address 30
3.3.1 IPv6 configuration 32
3.3.2 Dynamic DNS (DDNS) configuration 32
3.4 System Services 33
3.4.1 Service Access 33
3.4.2 Service Settings 35
3.5 Communications Software 36
3.5.1 SDT Connector 37
3.5.2 PuTTY 37
3.5.3 SSHTerm 38
3.6 Management network configuration 38
3.6.1 Enable the Management LAN 39
3.6.2 Configure the DHCP server 40
3.6.3 Select Failover or broadband OOB 41
3.6.4 Aggregating the network ports 43
3.6.5 Static routes 44
SERIAL PORT AND NETWORK HOST 46
4.1 Configure Serial Ports 46
4.1.1 Common Settings 47
4.1.2 Console Server Mode 48
4.1.3 SDT Mode 53
4.1.4 Device (RPC, UPS, EMD) Mode 54
4.1.5 Terminal Server Mode 54
4.1.6 Serial Bridging Mode 55
4.1.7 Syslog 55
4.1.8 Cisco USB console connection 56
4.2 Add/ Edit Users 56
4.3 Authentication 60
4.4 Network Hosts 60
4.5 Trusted Networks 61
4.6 Serial Port Cascading 62
4.6.1 Automatically generate and upload SSH keys 62
4.6.2 Manually generate and upload SSH keys 63
4.6.3 Configure the slaves and their serial ports 65
4.6.4 Managing the Slaves 66
4.7 Serial Port Redirection 66
4.8 Managed Devices 67
4.9 IPsec VPN 69
4.9.1 Enable the VPN gateway 70
4.10 OpenVPN 71
4.10.1 Enable the OpenVPN 71
4.10.2 Configure as Server or Client 72
4.10.3 Windows OpenVPN Client and Server set up 73
4.11 PPTP VPN 77
4.11.1 Enable the PPTP VPN server 77
4.11.2 Add a PPTP user 79
4.11.3 Set up a remote PPTP client 79
FIREWALL, FAILOVER AND OoB DIAL-IN 81
5.1 OoB Dial-In Access 81
5.1.1 Configure Dial-In PPP 82
5.1.2 Using SDT Connector client 84
5.1.3 Set up Windows XP/ 2003/Vista/7 client 84
5.1.4 Set up earlier Windows clients 85
5.1.5 Set up Linux clients for dial-in 85
5.2 OoB broadband access 85
5.3 Broadband Ethernet Failover 86
5.4 Dial-Out Failover 87
5.4.1 Always-on dial-out 87
5.4.2 Failover dial-out 89
5.5 Cellular Modem Connection 89
5.6.1 Connect to the GSM HSUPA/UMTS carrier network 89
5.6.2 Connect to the CDMA EV-DO carrier network 91
5.6.3 Verify cellular connection 92
5.6.4 Cellular modem watchdog 92
5.7 Cellular Operation 93
5.7.1 OOB access set up 93
5.7.2 Cellular failover setup 93
5.7.3 Cellular routing 94
5.7.4 Cellular CSD dial-in setup 94
5.8 Firewall & Forwarding 95
5.8.1 Configuring network forwarding and IP masquerading 96
5.8.2 Configuring client devices 97
5.8.3 Port forwarding 98
5.8.4 Firewall rules 99
SECURE SSH TUNNELING AND SDT CONNECTOR 102
6.1 Configuring for SSH Tunneling to Hosts 103
6.2 SDT Connector Client Configuration 103
6.2.1 SDT Connector installation 104
6.2.2 Configuring a new console server gateway in the SDT Connector client 105
6.2.3 Auto-configure SDT Connector client with the user’s access privileges 106
6.2.4 Make an SDT connection through the gateway to a host 107
6.2.5 Manually adding hosts to the SDT Connector gateway 108
6.2.6 Manually adding new services to the new hosts 109
6.2.7 Adding a client program to be started for the new service 111
6.2.8 Dial in configuration 113
6.3 SDT Connector to Management Console 113
6.4 SDT Connector - telnet or SSH connect to serially attached devices 114
6.5 Using SDT Connector for out-of-band connection to the gateway 116
6.6 Importing (and exporting) preferences 117
6.7 SDT Connector Public Key Authentication 118
6.8 Setting up SDT for Remote Desktop access 119
6.8.1 Enable Remote Desktop on the target Windows computer to be accessed 119
6.8.2 Configure the Remote Desktop Connection client 120
6.9 SDT SSH Tunnel for VNC 124
6.9.1 Install and configure the VNC Server on the computer to be accessed 124
6.9.2 Install, configure and connect the VNC Viewer 125
6.10 Using SDT to IP connect to hosts that are serially attached to the gateway 127
6.10.1 Establish a PPP connection between the host COM port and console server 127
6.10.2 Set up SDT Serial Ports on console server 131
6.10.3 Set up SDT Connector to SSH port forward over the console server Serial Port 132
6.11 SSH Tunneling using other SSH clients (e.g. PuTTY) 132
ALERTS AND LOGGING 135
7.2.1 UPS / Power Supply 137
7.2.2 UPS Status 137
7.2.3 Serial Login/Logout 138
7.2.4 ICMP Ping 138
7.2.5 Cellular Data 138
7.2.6 Custom Check 138
7.2.7 SMS Command 139
7.3 Trigger Actions 140
7.3.1 Send Email 140
7.3.2 Send SMS 141
7.3.3 Perform RPC Action 141
7.3.4 Run Custom Script 141
7.3.5 Send SNMP Trap 141
7.3.6 Send Nagios Event 141
7.4 Resolve Actions 142
7.5 Configure SMTP, SMS, SNMP and/or Nagios service for alert notifications 142
7.5.1 Send Email alerts 142
7.5.2 Send SMS alerts 143
7.5.3 Send SNMP trap alerts 145
7.5.4 Nagios alerts 146
7.6 Logging 146
7.6.1 Log storage 146
7.6.2 Serial port logging 147
7.6.3 Network TCP and UDP port logging 148
7.6.4 Auto-Response event logging 148
7.6.5 Power device logging 148
POWER & ENVIRONMENTAL MANAGEMENT 149
8.1 Remote Power Control (RPC) 149
8.1.1 RPC connection 149
8.1.2 RPC access privileges and alerts 152
8.1.3 User power management 152
8.1.4 RPC status 153
8.2 Uninterruptible Power Supply Control (UPS) 153
8.2.1 Managed UPS connections 154
8.2.2 Remote UPS management 157
8.2.3 Controlling UPS powered computers 158
8.2.4 UPS alerts 159
8.2.5 UPS status 159
8.2.6 Overview of Network UPS Tools (NUT) 160
8.3 Environmental Monitoring 162
8.3.1 Connecting the EMD 163
8.3.2 Environmental alerts 165
8.3.3 Environmental status 165
AUTHENTICATION 166
9.1 Authentication Configuration 166
9.1.1 Local authentication 167
9.1.2 TACACS authentication 167
9.1.3 RADIUS authentication 168
9.1.4 LDAP authentication 169
9.1.5 RADIUS/TACACS User Configuration 171
9.1.6 Group support with remote authentication 171
9.1.7 Remote groups with RADIUS authentication 172
9.1.8 Remote groups with LDAP authentication 172
9.1.9 Remote groups with TACACS+ authentication 174
9.1.10 Idle timeout 174
9.1.11 Kerberos authentication 174
9.2 PAM (Pluggable Authentication Modules) 175
9.3 SSL Certificate 177
NAGIOS INTEGRATION 180
10.1 Nagios Overview 181
10.2 Central management and setting up SDT for Nagios 181
10.2.1 Set up central Nagios server 182
10.2.2 Set up distributed console servers 183
10.3 Configuring Nagios distributed monitoring 185
10.3.1 Enable Nagios on the console server 185
10.3.2 Enable NRPE monitoring 186
10.3.3 Enable NSCA monitoring 186
10.3.4 Configure Selected Serial Ports for Nagios Monitoring 187
10.3.5 Configure Selected Network Hosts for Nagios Monitoring 187
10.3.6 Configure the upstream Nagios monitoring host 188
10.4 Advanced Distributed Monitoring Configuration 188
10.4.1 Sample Nagios configuration 188
10.4.2 Basic Nagios plug-ins 191
10.4.3 Additional plug-ins 192
10.4.4 Number of supported devices 192
10.4.5 Distributed Monitoring Usage Scenarios 193
SYSTEM MANAGEMENT 196
11.1 System Administration and Reset 196
11.2 Upgrade Firmware 197
11.3 Configure Date and Time 197
11.4 Configuration Backup 198
11.5 Delayed Configuration Commit 201
11.6 FIPS Mode 202
STATUS REPORTS 203
12.1 Port Access and Active Users 203
12.2 Statistics 203
12.3 Support Reports 204
12.4 Syslog 204
12.5 Dashboard 205
12.5.1 Configuring the Dashboard 205
12.5.2 Creating custom widgets for the Dashboard 208
MANAGEMENT 209
13.1 Device Management 209
13.2 Port and Host Logs 210
13.3 Serial Port Terminal Connection 210
13.3.1 Web Terminal 210
13.3.2 SDT Connector access 211
13.4 Power Management 212
CONFIGURATION FROM THE COMMAND LINE 213
14.1 Accessing config from the command line 213
14.2 Serial Port configuration 216
14.3 Adding and Removing Users 219
14.4 Adding and removing user Groups 220
14.5 Authentication 221
14.6 Network Hosts 222
14.7 Trusted Networks 223
14.8 Cascaded Ports 223
14.9 UPS Connections 224
14.10 RPC Connections 225
14.11 Environmental 226
14.12 Managed Devices 227
14.13 Port Log 227
14.14 Alerts 228
14.15 SMTP & SMS 230
14.16 SNMP 231
14.17 Administration 231
14.18 IP settings 231
14.19 Date & Time Settings 232
14.20 Dial-in settings 233
14.21 DHCP server 233
14.22 Services 234
14.23 NAGIOS 235
ADVANCED CONFIGURATION 236
15.1 Custom Scripting 236
15.1.1 Custom script to run when booting 236
15.1.2 Running custom scripts when alerts are triggered 237
15.1.3 Example script - Power Cycling on Pattern Match 238
15.1.4 Example script - Multiple email notifications on each alert 238
15.1.5 Deleting Configuration Values from the CLI 238
15.1.6 Power Cycle any device when a ping request fails 241
15.1.7 Running custom scripts when a configurator is invoked 243
15.1.8 Backing-up the configuration and restoring using a local USB stick 243
15.1.9 Backing-up the configuration off-box 244
15.2 Advanced Portmanager 245
15.2.1 Portmanager commands 245
15.2.2 External Scripts and Alerts 246
15.3 Raw Access to Serial Ports 247
15.3.1 Access to serial ports 247
15.3.2 Accessing the console/modem port 248
15.4 IP Filtering 248
15.5 Modifying SNMP Configuration 249
15.5.1 /etc/config/snmpd.conf 249
15.5.2 Adding more than one SNMP server 250
15.6 Secure Shell (SSH) Public Key Authentication 251
15.6.1 SSH Overview 251
15.6.2 Generating Public Keys (Linux) 252
15.6.3 Installing the SSH Public/Private Keys (Clustering) 252
15.6.4 Installing SSH Public Key Authentication (Linux) 253
15.6.5 Generating public/private keys for SSH (Windows) 255
15.6.6 Fingerprinting 257
15.6.7 SSH tunneled serial bridging 258
15.6.8 SDT Connector Public Key Authentication 260
15.7 Secure Sockets Layer (SSL) Support 260
15.8 HTTPS 261
15.8.1 Generating an encryption key 261
15.8.2 Generating a self-signed certificate with OpenSSL 261
15.8.3 Installing the key and certificate 262
15.8.4 Launching the HTTPS Server 262
15.9 Power Strip Control 262
15.9.1 The PowerMan tool 263
15.9.2 The pmpower tool 264
15.9.3 Adding new RPC devices 264
15.10 IPMItool 266
15.11 Custom Development Kit (CDK) 269
15.12 Scripts for Managing Slaves 269
APPENDIX
A. CLI Commands and Source Code
B. Hardware Specification
C. Safety and Certifications
D. Connectivity and Serial I/O
E. Terminology
F. End User License Agreement
G. Service and Warranty

Chapter 1 Introduction

This Manual
This User’s Manual walks you through installing and configuring your Black Box Console Server (LES1108A, LES1116A, LES1132A, LES1148A, LES1508A) or Advanced Console Server (LES1208A-R2, LES1216A-R2, LES1232A, LES1248A-R2, LES1308A, LES1316A, LES1332A, LES1348A, LES1408A, LES1416A, LES1432A, LES1448A). Each of these products is referred to generically in this manual as a “console server.”
Once configured, you will be able to use your console server to securely monitor access and control the computers, networking devices, telecommunications equipment, power-supplies, and operating environments in your data room or communications centers. This manual guides you in managing this infrastructure locally (across your operations or management LAN or through the local serial console port), and remotely (across the Internet, private network, or via dial up).
Manual Organization
This manual contains the following chapters:
1. Introduction An overview of the features of console server and information on this manual.
2. Installation Physical installation of the console server and how to interconnect controlled devices.
3. System Configuration Describes the initial installation and configuration using the Management Console. Covers configuration of the console server on the network and the services that will be supported.
4. Serial & Network Covers configuring serial ports and connected network hosts, and setting up Users and Groups.
5. Firewall, Failover & OoB Describes setting up the high availability access features of the console server.
6. Secure Tunneling (SDT) Covers secure remote access using SSH and configuring for RDP, VNC, HTTP, HTTPS, etc. access to network and serially connected devices.
7. Auto-response & Logging Explains how to set up local and remote event/data logs, how to configure auto-response actions to trigger events, and how to trigger SNMP and email alerts.
8. Power & Environment Describes how to manage USB, serial, and network attached power strips and UPS supplies including Network UPS Tool (NUT) operation, IPMI power control, and EMD environmental sensor configuration.
9. Authentication Access to the console server requires usernames and passwords that are locally or externally authenticated.
_____________________________________________________________________
724-746-5500 | blackbox.com Page 13
Page 14
10. Nagios Integration Describes how to set Nagios central management with SDT extensions and configure the console server as a distributed Nagios server.
11. System Management Covers access to and configuration of services that will run on the console server.
12. Status Reports View a dashboard summary and detailed status and logs of serial and network connected devices (ports, hosts, power, and environment)
13. Management Includes port controls that Users can access.
14. Basic Configuration Command line installation and configuration using the config command.
15. Advanced Config More advanced command line configuration activities where you will need to use Linux commands.

The latest update of this manual can be found online at www.blackbox.com

Types of users
The console server supports two classes of users:
I. First, there are the administrative users who will be authorized to configure and control the console server; and to access and control all the connected devices. These administrative users will be set up as members of the admin user group and any user in this class is referred to generically in this manual as the Administrator. An Administrator can access and control the console server using the config utility, the Linux command line, or the browser-based Management Console. By default, the Administrator has access to all services and ports to control all the serial connected devices and network connected devices (hosts).
II. The second class of users are those who have been set up by the Administrator with specific limits of their access and control authority. These users are set up as members of the users user group (or some other user groups the Administrator may have added). They are only authorized to perform specified controls on specific connected devices and are referred to as Users. These Users (when authorized) can access serial or network connected devices; and control these devices using the specified services (for example, Telnet, HTTPS, RDP, IPMI, Serial over LAN, Power Control). An authorized User also has a limited view of the Management Console and can only access authorized configured devices and review port logs.
In this manual, when the term user (lower case) is used, it refers to both the above classes of users. This document also uses the term remote users to describe users who are not on the same LAN segment as the console server. These remote users may be Users, who are on the road connecting to managed devices over the public Internet, or it may be an Administrator in another office connecting to the console server itself over the enterprise VPN, or the remote user may be in the same room or the same office but connected on a separate VLAN from the console server.
Management Console
The Management Console provides a view of the console server and all the connected devices.
Administrators can use any browser to log into the Management Console either locally or from a remote location. They can then use the Management Console to manage the console server, the users, the serial ports and serially connected devices, network connected hosts, and connected power devices; and to view associated logs and configure alerts.
A User can also use the Management Console, but has limited menu access to control select devices, review their logs and access them using the built-in Java terminal or control power to them.
The console server runs an embedded Linux operating system, and experienced Linux® and UNIX® users may prefer to configure it at the command line. To get command line access, connect through a terminal emulator or communications program to the console serial port; connect via ssh or telnet through the LAN; or connect through an SSH tunnel to the console server.
Manual Conventions
This manual uses different fonts and typefaces to show specific actions:
Note Text presented like this indicates issues to note.
Text presented like this highlights important information. Make sure you read and follow these warnings.
Text presented with an arrow head indent indicates an action you should take as part of the procedure.
Bold text indicates text that you type, or the name of a screen object (for example, a menu or button) on the Management Console.
Italic text indicates a text command you enter at the command line level.
Publishing history
Date | Revision | Update details
September 2011 | 1.1 | Prerelease
October 2011 | 2.0 | Release for V2.8 firmware and later
December 2012 | 3.0 | Release for V3.5 firmware and later
Copyright
©Black Box Corporation 2011. All Rights Reserved.
Information in this document is subject to change without notice and does not represent a commitment on the part of Black Box. Black Box provides this document “as is,” without warranty of any kind, either expressed or implied, including, but not limited to, the implied warranties of fitness or merchantability for a particular purpose.
Black Box may make improvements and/or changes in this manual or in the product(s) and/or the program(s) described in this manual at any time. This manual could include technical inaccuracies or typographical errors. Changes are periodically made to the information herein; these changes may be incorporated in new editions of the publication.
Notice to Users
Use proper back-up systems and necessary safety devices to protect against injury, death, or property damage caused by system failure. This protection is the user’s responsibility.
This device is not approved for use as a life-support or medical system.
Any changes or modifications made to this device without the explicit approval or consent of Black Box will void Black Box of any liability or responsibility of injury or loss caused by any malfunction.
This equipment is for indoor use and all the communication wirings are limited to the inside of the building.
Chapter 2 Installation

Introduction

This chapter describes how to install the console server hardware and connect it to controlled devices.
To avoid physical and electrical hazards please read Appendix C on Safety.

2.1 Models

There are multiple console server models, each with a different number of network and serial ports or power supply configurations:

Model | Serial Ports | USB Ports | Network Ports | Console Port | Modem | RJ Pinout | Power | Memory (flash/RAM)
LES1508A | 8 | 2 | 2 | 1 | - | 02 | Ext AC/DC | 16/64MB, 4GB
LES1448A | 48 | 2 | 2 | 1 | Internal CDMA | 01 | Dual AC | 16/64MB, 16GB
LES1432A | 32 | 2 | 2 | 1 | Internal CDMA | 01 | Dual AC | 16/64MB, 16GB
LES1416A | 16 | 2 | 2 | 1 | Internal CDMA | 01 | Dual AC | 16/64MB, 16GB
LES1408A | 8 | 2 | 2 | 1 | Internal CDMA | 01 | Dual AC | 16/64MB, 16GB
LES1348A | 48 | 2 | 2 | 1 | Internal GSM | 01 | Dual AC | 16/64MB, 16GB
LES1332A | 32 | 2 | 2 | 1 | Internal GSM | 01 | Dual AC | 16/64MB, 16GB
LES1316A | 16 | 2 | 2 | 1 | Internal GSM | 01 | Dual AC | 16/64MB, 16GB
LES1308A | 8 | 2 | 2 | 1 | Internal GSM | 01 | Dual AC | 16/64MB, 16GB
LES1248A-R2 | 48 | 3 | 2 | 1 | Internal V.92 | 01 | Dual AC | 16/64MB, 16GB
LES1232A | 32 | 3 | 2 | 1 | Internal V.92 | 01 | Dual AC | 16/64MB, 16GB
LES1216A-R2 | 16 | 3 | 2 | 1 | Internal V.92 | 01 | Dual AC | 16/64MB, 16GB
LES1208A-R2 | 8 | 3 | 2 | 1 | Internal V.92 | 01 | Dual AC | 16/64MB, 16GB
LES1148A | 48 | - | 1 | 1 | - | 00 | Single AC | 16/64MB
LES1132A | 32 | - | 1 | 1 | - | 00 | Single AC | 16/64MB
LES1116A | 16 | - | 1 | 1 | - | 00 | Single AC | 16/64MB
LES1108A | 8 | - | 1 | 1 | - | 00 | Ext AC/DC | 8/16MB

The next sections show the components shipped with each of these models.
Unpack your kit and verify you have all the parts shown above, and that they all appear in good working order.
If you are installing the console server in a rack, you will need to attach the rack mounting brackets supplied with the unit, then install the unit in the rack. Make sure you follow the Safety Precautions listed in Appendix C.
Connect your console server to the network, to the serial ports of the controlled devices, and to power as outlined next.

2.1.1 Kit components LES1508A Console Server

LES1508A Console Server
(2) UTP CAT5 blue cables
DB9F-RJ45S straight and DB9F-RJ45S cross-over connectors
Power Supply 12VDC 1.0A Wall mount
Printed Quick Start Guide and this User’s Manual on CD-ROM

2.1.2 Kit components LES1308A - LES1348A and LES1408A - LES1448A Advanced Console Servers

LES1308A, LES1316A, LES1332A, LES1348A, LES1408A, LES1416A, LES1432A or LES1448A Advanced Console Server
(2) UTP CAT5 blue cables
DB9F-RJ45S straight and DB9F-RJ45S cross-over connectors
USB micro-AB adapter cable
Antenna with 10 foot extension cable
Dual IEC AC power cords
Printed Quick Start Guide and User’s Manual on CD-ROM

2.1.3 Kit components LES1208A-R2, LES1216A-R2, LES1232A and LES1248A-R2 Advanced Console Servers

LES1208A-R2, LES1216A-R2, LES1232A or LES1248A-R2 Advanced Console Server
(2) UTP CAT5 blue cables
DB9F-RJ45S straight and DB9F-RJ45S cross-over connectors
Dual IEC AC power cords
Printed Quick Start Guide and User’s Manual on CD-ROM

2.1.4 Kit components LES1116A, LES1132A and LES1148A Console Servers

LES1116A, LES1132A or LES1148A Console Server
(2) UTP CAT5 blue cables
DB9F-RJ45S straight and DB9F-RJ45S cross-over connectors
IEC AC power cord
Printed Quick Start Guide and User’s Manual on CD-ROM

2.1.5 Kit components LES1108A Console Server

LES1108A Console Server
(2) UTP CAT5 blue cables
DB9F-RJ45S straight and DB9F-RJ45S cross-over connectors
5-VDC, 2.0A, Power Supply with IEC Socket and AC power cable
Printed Quick Start Guide and this User’s Manual on CD-ROM

2.2 Power connection

2.2.1 LES1508A power

The LES1508A includes an external DC power supply unit. This unit accepts an AC input voltage between 100 and 250 VAC with a frequency of 50Hz or 60Hz. The DC power supply comes with a selection of wall socket adapters for each geographic region (North American, Europe, UK, Japan or Australia). The 12-VDC connector from the power supply plugs into the 12VDC (PWR) power socket on the side of the LES1508A.

2.2.2 LES1408A - LES1448A, LES1308A - LES1348A and LES1208A - LES1248A power

The Advanced Console Server models (LES1208A-R2, LES1216A-R2, LES1232A, LES1248A-R2, LES1308A, LES1316A, LES1332A, LES1348A, LES1408A, LES1416A, LES1432A and LES1448A) all have dual universal AC power supplies with auto failover built in. These power supplies each accept AC input voltage between 100 and 240 VAC with a frequency of 50 or 60 Hz. The total power consumption per console server is less than 30W. Two IEC AC power sockets are located at the rear of the metal case, and these IEC power inlets use conventional IEC AC power cords.
Power cords for various regions are available, although the North American power cord is provided by default. There is a warning notice printed on the back of each unit.
To avoid electrical shock, connect the power cord grounding conductor to ground!

2.2.3 LES1116A, LES1132A and LES1148A power

The LES1116A, LES1132A and LES1148A models have a built-in universal auto-switching AC power supply. This power supply accepts AC input voltage between 100 and 240 VAC with a frequency of 50 or 60 Hz. The power consumption is less than 20W.
The LES1116A, LES1132A and LES1148A models have an IEC AC power socket located in the rear of the metal case. This IEC power inlet uses a conventional IEC AC power cord, and the power cords for various regions are available. Call Black Box Technical Support for details at 724-746-5500. (The North American power cord is provided by default.) There is a warning notice printed on the back of each unit.
To avoid electrical shock, connect the power cord grounding conductor to ground.
2.2.4 LES1108A power

The LES1108A includes an external DC power supply unit. This unit accepts an AC input voltage between 100 and 250 VAC with a frequency of 50 Hz or 60 Hz. The DC power supply has an IEC AC power socket, which accepts a conventional IEC AC power cord. The power cord for North America is included in the kit. The 5-VDC connector from the power supply plugs into the 5VDC power socket on the rear of the LES1108A.

2.3 Network connection

The RJ-45 LAN ports are located on the rear panel of the LES1108A and LES1508A, and on the front panel of the rack-mount console servers. Use industry standard Cat5 cabling and connectors. Make sure that you only connect the LAN port to an Ethernet network that supports 10BASE-T/100BASE-T. To initially configure the console server, you must connect a PC or workstation to the console server’s principal network port (labeled NETWORK1 or LAN).

2.4 Serial Port connection

The RJ-45 serial ports are located on the rear panel of the LES1108A and on the front panel of the LES1508A and rackmount console servers.
The LES1508A Console Server has the Cisco RJ-45 pinout shown below:

PIN  SIGNAL  DEFINITION           DIRECTION
1    CTS     Clear To Send        Input
2    DSR     Data Set Ready       Input
3    RXD     Receive Data         Input
4    GND     Signal Ground        NA
5    GND     Signal Ground        NA
6    TXD     Transmit Data        Output
7    DTR     Data Terminal Ready  Output
8    RTS     Request To Send      Output

The LES1108A, LES1116A, LES1132A and LES1148A Console Servers have the Black Box Classic RJ-45 pinout shown below:

PIN  SIGNAL  DEFINITION           DIRECTION
1    RTS     Request To Send      Output
2    DSR     Data Set Ready       Input
3    DCD     Data Carrier Detect  Input
4    RXD     Receive Data         Input
5    TXD     Transmit Data        Output
6    GND     Signal Ground        NA
7    DTR     Data Terminal Ready  Output
8    CTS     Clear To Send        Input

The LES1208A-R2, LES1216A-R2, LES1232A, LES1248A-R2, LES1308A, LES1316A, LES1332A, LES1348A, LES1408A, LES1416A, LES1432A and LES1448A Advanced Console Servers have the Cyclades RJ-45 pinout shown below:

PIN  SIGNAL  DEFINITION           DIRECTION
1    RTS     Request To Send      Output
2    DTR     Data Terminal Ready  Output
3    TXD     Transmit Data        Output
4    GND     Signal Ground        NA
5    CTS     Clear To Send        Input
6    RXD     Receive Data         Input
7    DCD     Data Carrier Detect  Input
8    DSR     Data Set Ready       Input
The rackmount console servers also have a DB9 LOCAL (Console/Modem) port on the front panel. The LES1108A has a DB9 LOCAL (Console/Modem) port on the rear panel. With the LES1508A, Serial Port 1 is configured by default in Local Console (modem) mode.
Conventional CAT5 cabling with RJ-45 jacks is used for serial connections. Before connecting an external device’s console port to the console server serial port, confirm that the device supports the standard RS-232C (EIA-232).
Black Box supplies a range of cables and adapters that may be required to connect to the more popular servers and network appliances. Call Technical Support at 724-746-5500 for details.

2.5 USB Port Connection

The LES1208A-R2, LES1216A-R2, LES1232A and LES1248A-R2 console servers each also have one USB1.1 port on the front face and two additional USB 2.0 ports at the rear face (adjacent to the modem jack).
The LES1308A, LES1316A, LES1332A, LES1348A, LES1408A, LES1416A, LES1432A and LES1448A console servers each also have one USB1.1 port on the front face and one additional USB 2.0 port at the rear face. This USB2.0 port is adjacent to the antenna connector and connects using the micro-AB USB cable.
The LES1508A console server has two USB 2.0 ports on the front face.
The USB2.0 ports can be used for:
- connecting to USB consoles of Managed Devices (e.g. for managing UPS supplies)
- attaching other external USB peripherals (e.g. an external USB memory stick or modem)
- adding supported Sierra Wireless cellular USB modems
- plugging in USB hubs to provide additional ports
The USB1.1 port is best reserved for use with an external USB memory stick dedicated to recovery firmware boot images/extended log file storage etc.

2.6 Antenna and SIM

The LES1408A, LES1416A, LES1432A and LES1448A console servers also have an internal CDMA cellular modem requiring an external antenna connection.
The LES1308A, LES1316A, LES1332A and LES1348A console servers have an internal GSM cellular modem that requires a SIM card and an external antenna.
Before powering on the console server:
- Screw the external antenna coax cable onto the MAIN screw mount SMA connector on the rear of the console server (2). The AUX connector can be used either for receive diversity or for GPS.
- Your GSM cellular carrier will provide you with a SIM card. Insert the SIM card (1) and it will lock into place. Take care to insert the SIM card with the contacts facing downwards.
Chapter 3 Initial System Configuration

Introduction

This chapter provides step-by-step instructions for the console server’s initial configuration, and for connecting it to the Management or Operational LAN. The Administrator must:
- Activate the Management Console.
- Change the Administrator password.
- Set the IP address of the console server’s principal LAN port.
- Select the network services that will be supported.
This chapter also discusses the communications software tools that the Administrator may use to access the console server.

3.1 Management console connection

Your console server is configured with a default IP address of 192.168.0.1 and a subnet mask of 255.255.255.0.
Directly connect a PC or workstation to the console server.
Note For initial configuration we recommend that you connect the console server directly to a single PC or workstation. However, if you choose to connect your LAN before completing the initial setup steps, it is important that:
- you make sure that there are no other devices on the LAN with an address of 192.168.0.1
- the console server and the PC/workstation are on the same LAN segment, with no interposed router appliances.

3.1.1 Connected PC/workstation set up

To configure the console server with a browser, the connected PC/workstation should have an IP address in the same range as the console server (e.g. 192.168.0.100):
To configure the IP Address of your Linux or Unix PC/workstation, simply run ifconfig. For Windows PCs (Win9x/Me/2000/XP/Vista/7/NT):
- Click Start -> (Settings ->) Control Panel and double click Network Connections (for 95/98/Me, double click Network).
- Right click on Local Area Connection and select Properties.
- Select Internet Protocol (TCP/IP) and click Properties.
- Select Use the following IP address and enter the following details:
  o IP address: 192.168.0.100
  o Subnet mask: 255.255.255.0
- If you want to retain your existing IP settings for this network connection, click Advanced and Add the above as a secondary IP connection.
If it is not convenient to change your PC/workstation network address, you can use the ARP-Ping command to reset the console server IP address. To do this from a Windows PC:
- Click Start -> Run (or select All Programs then Accessories then Run). Type cmd and click OK to bring up the command line.
- Type arp -d to flush the ARP cache.
- Type arp -a to view the current ARP cache (this should be empty).
- Now add a static entry to the ARP table and ping the console server to assign the IP address to the console server. In the example below, a console server has a MAC Address 00:13:C6:00:02:0F (designated on the label on the bottom of the unit) and we are setting its IP address to 192.168.100.23. Also, the PC/workstation issuing the arp command must be on the same network segment as the console server (that is, have an IP address of 192.168.100.xxx).
- Type arp -s 192.168.100.23 00-13-C6-00-02-0F (Note: for UNIX the syntax is arp -s 192.168.100.23 00:13:C6:00:02:0F).
- Type ping -t 192.168.100.23 to start a continuous ping to the new IP Address.
- Turn on the console server and wait for it to configure itself with the new IP address. It will start replying to the ping at this point.
- Type arp -d to flush the ARP cache again.

3.1.2 Browser connection

Activate your preferred browser on the connected PC/workstation and enter https://192.168.0.1. The Management Console supports all current versions of the popular browsers (Internet Explorer, Mozilla Firefox, Chrome, and more).
You will be prompted to log in. Enter the default administration username and administration password:
Username: root
Password: default
Note Console servers are factory configured with HTTPS access enabled and HTTP access disabled.
A Welcome screen, which lists initial installation configuration steps, will be displayed:
- Change the default administration password on the Users page (Chapter 3).
- Configure the local network settings on the System/IP page (Chapter 3).
- Configure port settings and enable ….. the Serial & Network/Serial Port page (Chapter 4).
- Configure users with access to serial ports on the Serial & Network/Users page (Chapter 4).
If your system has a cellular modem you will also be given the steps to configure the cellular router features:
- Configure the cellular modem connection on System/Dial page (Chapter 5)
- Allow forwarding to the cellular destination network on System/Firewall page (Chapter 5)
- Enable IP masquerading for cellular connection on System/Firewall page (Chapter 5)
After completing each of the above steps, you can return to the configuration list by clicking in the top left corner of the screen on the Black Box logo.
Note If you are not able to connect to the Management Console at 192.168.0.1 or if the default Username/Password were not accepted, then reset your console server (refer to Chapter 11).

3.2 Administrator Password

For security reasons, only the administrator user named root can initially log into your console server. Only people who know the root password can access and reconfigure the console server itself. However, anyone who correctly guesses the root password could gain access (and the default root password is default). To avoid this, enter and confirm a new root password before giving the console server any access to, or control of, your computers and network appliances.
The system password can be changed by editing the root user on the Serial & Network: Users & Groups form:
- Select Change default administration password on the Welcome screen, which will take you to Serial & Network: Users & Groups where you can add a new confirmed Password for the user root.
- Enter a new Password then re-enter it in Confirm. This is the new password for root, the main administrative user account, so choose a complex password, and keep it safe.
Note There are no restrictions on the characters that can be used in the Password. It can contain up to 254 characters. However, only the first eight System Password characters are used to make the password hash.
- Click Apply. Since you have changed the password you will be prompted to log in again. This time, use the new password.
Note If you are not confident that your console server has the current firmware release, you can upgrade. Refer to Upgrade Firmware—Chapter 10.

3.2.1 Set up new administrator

It is also recommended that you set up a new Administrator user as soon as convenient and log in as this new user for all ongoing administration functions (rather than root).
This Administrator can be configured in the admin group with full access privileges through the Serial & Network: Users & Groups menu (refer to Chapter 4 for details).

3.2.2 Name the console server

It is also recommended that you set up a System Name for your console server to make it simple to identify.
- Select System: Administration and enter a System Name and System Description for the console server to give it a unique ID.
Note The System Name can contain from 1 to 64 alphanumeric characters (however you can also use the special characters “-”, “_”, and “.”). There are no restrictions on the characters that can be used in the System Description or the System Password (each can contain up to 254 characters). However, only the first eight System Password characters are used to make the password hash.
- The MOTD Banner can be used to display a “message of the day” text to users.
- Click Apply.
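The eight-character hash caveat in the Notes of sections 3.2 and 3.2.2 above, as an added example that is not from the manual: a Python check that judges a proposed root password on the part that actually reaches the hash. The function names, the character-class split and the policy thresholds are assumptions.

```python
import math
import string

# Per the manual's Notes, only the first eight characters of the System
# Password are used to make the password hash; later characters add nothing.
HASHED_PREFIX_LEN = 8

# Character classes used for the search-space estimate (assumed classification).
CHARACTER_CLASSES = {
    "lower": set(string.ascii_lowercase),
    "upper": set(string.ascii_uppercase),
    "digit": set(string.digits),
    "symbol": set(string.punctuation),
}


def hashed_prefix(password: str) -> str:
    """The portion of the password that actually reaches the hash function."""
    return password[:HASHED_PREFIX_LEN]


def hash_equivalent(a: str, b: str) -> bool:
    """True when two passwords would produce the same hash on this device,
    i.e. they agree on the first eight characters."""
    return hashed_prefix(a) == hashed_prefix(b)


def classes_present(text: str) -> set:
    """Names of the character classes that appear in text."""
    chars = set(text)
    return {name for name, members in CHARACTER_CLASSES.items() if chars & members}


def search_space_bits(password: str) -> float:
    """log2 of the brute-force search space of the hashed prefix, assuming the
    attacker knows which character classes are in use."""
    prefix = hashed_prefix(password)
    alphabet = sum(len(CHARACTER_CLASSES[name]) for name in classes_present(prefix))
    if not prefix or alphabet == 0:
        return 0.0
    return len(prefix) * math.log2(alphabet)


def review_root_password(password: str, min_classes: int = 3, min_bits: float = 40.0) -> list:
    """Findings for a proposed root password, judged only on its hashed prefix.
    An empty list means the password passes this (assumed) policy."""
    findings = []
    prefix = hashed_prefix(password)
    if hash_equivalent(password, "default"):
        findings.append("matches the factory default root password")
    if len(password) > HASHED_PREFIX_LEN:
        findings.append(
            f"only the first {HASHED_PREFIX_LEN} characters are hashed; the trailing "
            f"{len(password) - HASHED_PREFIX_LEN} characters add no strength"
        )
    if len(prefix) < HASHED_PREFIX_LEN:
        findings.append(f"hashed prefix is only {len(prefix)} characters long")
    present = classes_present(prefix)
    if len(present) < min_classes:
        findings.append(f"hashed prefix uses {len(present)} character class(es), want {min_classes}")
    bits = search_space_bits(password)
    if bits < min_bits:
        findings.append(f"hashed prefix search space is about {bits:.1f} bits, want {min_bits:.0f}")
    return findings


if __name__ == "__main__":
    # These two candidates hash identically on the device: both start "correcth".
    print(hash_equivalent("correcthorsebatterystaple", "correcthorse"))
    for candidate in ("default", "Tr0ub4dor&3", "Xk9#mQ2v"):
        print(candidate, review_root_password(candidate) or "OK")
```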

3.3 Network IP address

The next step is to enter an IP address for the principal Ethernet (LAN/Network/Network1) port on the console server, or enable its DHCP client so that it automatically obtains an IP address from a DHCP server on the network it will connect to.
- On the System: IP menu, select the Network Interface page then check dhcp or static for the Configuration Method.
- If you selected Static, you must manually enter the new IP Address, Subnet Mask, Gateway, and DNS server details. This selection automatically disables the DHCP client.
- If you selected DHCP, the console server will look for configuration details from a DHCP server on your management LAN. This selection automatically disables any static address. The console server MAC address is printed on a label on the base plate.
Note In its factory default state (with no Configuration Method selected) the console server has its DHCP client enabled, so it automatically accepts any network IP address assigned by a DHCP server on your network. In this initial state, the console server will then respond to both its Static address (192.168.0.1) and its newly assigned DHCP address.
- By default the console server LAN port auto-detects the Ethernet connection speed. You can use the Media menu to lock the Ethernet to 10 Mbps or 100 Mbps, and to Full Duplex (FD) or Half Duplex (HD).
Note If you changed the console server IP address, you may need to reconfigure your PC/workstation so it has an IP address that is in the same network range as this new address.
- Click Apply. Enter http://new IP address to reconnect the browser on the PC/workstation that is connected to the console server.

3.3.1 IPv6 configuration

You can also configure the console server Network and Management LAN Interfaces for IPv6 operation:
- On the System: IP menu select the General Settings page and check Enable IPv6. Then, configure the IPv6 parameters on each Interface page.

3.3.2 Dynamic DNS (DDNS) configuration

With Dynamic DNS (DDNS) a console server whose IP address is dynamically assigned (and that may change from time to time) can be located using a fixed host or domain name.
The first step in enabling DDNS is to create an account with the supported DDNS service provider of your choice. Supported DDNS providers include:
- DyNS www.dyns.cx
- dyndns.org www.dyndns.org
- GNUDip gnudip.cheapnet.net
- ODS www.ods.org
- TZO www.tzo.com
- 3322.org (Chinese provider) www.3322.org
Upon registering with the DDNS service provider, you will select a username and password, as well as a hostname that you will use as the DNS name (to allow external access to your machine using a URL).
The Dynamic DNS service providers allow the user to choose a hostname URL and set an initial IP address to correspond to that hostname URL. Many Dynamic DNS providers offer a selection of URL hostnames available for free use with their service. However, with a paid plan, any URL hostname (including your own registered domain name) can be used.
You can now enable and configure DDNS on any of the Ethernet or cellular network connections on the console server (by default DDNS is disabled on all ports):
- Select the DDNS service provider from the drop down Dynamic DNS list on the System:IP or System:Dial menu
- In DDNS Hostname enter the fully qualified DNS hostname for your console server e.g. your-hostname.dyndns.org
- Enter the DDNS Username and DDNS Password for the DDNS service provider account
- Specify the Maximum interval between updates - in days. A DDNS update will be sent even if the address has not changed
- Specify the Minimum interval between checks for changed addresses - in seconds. Updates will still only be sent if the address has changed
- Specify the Maximum attempts per update i.e. the number of times to attempt an update before giving up (defaults to 3)

3.4 System Services

The Administrator can access and configure the console server (and connected devices) using a range of access protocols/services, and for each such access, the particular service must be running with access through the firewall enabled. Service Access specifies which access protocols/services can be used to access the console server (and connected serial ports).
By default HTTP, HTTPS, Telnet and SSH services are running, and these services are enabled on all network interfaces. However, again by default, only HTTPS and SSH access to the console server is enabled, while HTTP and Telnet access is disabled.
For other services, such as SNMP/Nagios NRPE/NUT, the service must first be started on the relevant network interface using Service Settings. Then the Services Access can be set to allow or block access.

3.4.1 Service Access

Service Access specifies which access protocols/services can be used to access the console server (and connected serial ports). To change the access settings:
- Select the Service Access tab on the System: Services page. This displays the services currently enabled for the console server’s network interfaces. Depending on the particular console server model, the interfaces displayed may include:
  o Network interface (for the principal Ethernet connection)
  o Dial out (V90 and cellular modem)
  o Dial in (internal or external V90 modem)
  o OoB Failover (second Ethernet connection)
  o VPN (IPSec or Open VPN connection over any network interface)
- Check/uncheck for each network which service access is to be enabled/disabled.
In the example shown below, local administrators on the local Network Interface LAN have HTTP, Telnet, HTTPS and SSH access to the console server (and attached serial consoles). However, remote administrators using Dial In can only access the console server using HTTPS and SSH, although they can Telnet to the attached serial consoles.
The Services Access settings specify which services the Administrator can use over which network interface to access the console server. It also nominates the enabled services that the Administrator and the User can use to connect through the console server to attached serial and network connected devices.
The following general service access options can be specified:
HTTPS This ensures secure browser access to all the Management Console menus. It also allows appropriately configured Users secure browser access to selected Management Console Manage menus. If you enable HTTPS, the Administrator will be able to use a secure browser connection to the Console server’s Management Console. For information on certificate and user client software configuration, refer to Chapter 9—Authentication. By default, HTTPS is enabled, and we recommend that you only use HTTPS access if the console server will be managed over any public network (for example, the Internet).
HTTP By default HTTP is disabled. We recommend that the HTTP service remain disabled if the console server will be remotely accessed over the Internet.
Telnet This gives the Administrator Telnet access to the system command line shell (Linux commands). This may be suitable for a local direct connection over a management LAN. By default, Telnet is disabled. We recommend that this service remain disabled if you will remotely administer the console server.
SSH This service provides secure SSH access to the Linux command line shell. We recommend that you choose SSH as the protocol where the Administrator connects to the console server over the Internet or any other public network. This will provide authenticated communications between the SSH client program on the remote PC/workstation and the SSH server in the console server. By default SSH is enabled. For more information on SSH configuration refer to Chapter 9—Authentication.
You can configure related service options at this stage:
SNMP This will enable netsnmp in the console server, which will keep a remote log of all posted information. SNMP is disabled by default. This SNMP service is only available in rackmount models. To modify the default SNMP settings, the Administrator must make the edits at the command line as described in Chapter 15—Advanced Configuration.
TFTP This service will set up the default tftp server on the USB flash card (and is relevant to LES1508A, LES1408A, LES1416A, LES1432A, LES1448A, LES1308A, LES1316A, LES1332A, LES1348A, LES1208A-R2, LES1216A-R2, LES1232A and LES1248A-R2 console servers only). This server can be used to store config files, and maintain access and transaction logs, etc.
Ping The Respond to ICMP echos (i.e. ping) option allows the console server to respond to incoming ICMP echo requests. Ping is enabled by default. For security reasons, you should disable this service after initial configuration.
Nagios Access to the Nagios NRPE monitoring daemons (refer to Chapter 8)
NUT Access to the NUT UPS monitoring daemon (refer to Chapter 10)
NTP Refer to Chapter 11
Click Apply. As you apply your services selections, the screen will be updated with a confirmation message:

Message Changes to configuration succeeded.
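The Service Access recommendations above (HTTP and Telnet off when administered remotely, Ping off after initial setup), as an added review script that is not from the manual or the product: it checks a per-interface service map, seeded with the manual's own example, against those recommendations. The interface and service names follow the manual; the function names and the treatment of every non-Network interface as a remote path are assumptions.

```python
# Interfaces the Service Access tab can list (per the manual). Everything other
# than the principal Network interface is treated here as a remote access path.
REMOTE_INTERFACES = {"Dial Out", "Dial In", "OoB Failover", "VPN"}

# The manual recommends HTTP and Telnet stay disabled when the console server is
# administered remotely, and that Ping be disabled after initial configuration.
CLEARTEXT_SERVICES = {"HTTP", "Telnet"}
ENCRYPTED_SERVICES = {"HTTPS", "SSH"}
KNOWN_SERVICES = CLEARTEXT_SERVICES | ENCRYPTED_SERVICES | {
    "Ping", "SNMP", "TFTP", "Nagios", "NUT", "NTP",
}

# Constructed from the manual's example: local Network administrators have HTTP,
# Telnet, HTTPS and SSH; Dial In administrators have HTTPS and SSH only.
MANUAL_EXAMPLE = {
    "Network": {"HTTP", "Telnet", "HTTPS", "SSH"},
    "Dial In": {"HTTPS", "SSH"},
}


def review_service_access(access, remotely_administered=True, initial_setup_done=True):
    """Check a per-interface service map against the manual's recommendations.

    access maps an interface name to the set of services enabled for console
    server access on it. Returns a list of findings; empty means nothing to flag.
    """
    findings = []
    for interface, services in access.items():
        for service in sorted(services):
            if service not in KNOWN_SERVICES:
                findings.append(f"{interface}: unrecognised service {service!r}")
            elif service in CLEARTEXT_SERVICES and (
                interface in REMOTE_INTERFACES or remotely_administered
            ):
                findings.append(
                    f"{interface}: {service} is cleartext; the manual recommends it "
                    "stay disabled when the console server is administered remotely"
                )
            elif service == "Ping" and initial_setup_done:
                findings.append(
                    f"{interface}: Ping still enabled; the manual recommends "
                    "disabling it after initial configuration"
                )
    return findings


if __name__ == "__main__":
    # The manual's example is fine for a unit managed only from the local LAN...
    print("local-only:", review_service_access(MANUAL_EXAMPLE, remotely_administered=False) or "OK")
    # ...but HTTP and Telnet on the Network interface get flagged once it is managed remotely.
    for finding in review_service_access(MANUAL_EXAMPLE):
        print("remote:", finding)
```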

3.4.2 Service Settings

The Administrator can access the console server, and connected serial ports and managed devices, using a range of access protocols/services. However for each such access the particular service must first be configured and enabled to run on the console server.
To enable and configure a service:
- Select the Service Settings tab on the System: Services page.
- To enable a service, check Enable. For some services you will be asked to specify the TCP/IP port to be used for this service.
There are also some serial port access parameters that you can configure on this menu:
Base The console server uses specific default ranges for the TCP/IP ports for the various access services that Users and Administrators can use to access devices attached to serial ports (as covered in Chapter 4—Configuring Serial Ports). The Administrator can also set alternate ranges for these services, and these secondary ports will then be used in addition to the defaults.
The default TCP/IP base port address for telnet access is 2000, and the range for telnet is IP Address: Port (2000 + serial port #) i.e. 2001 – 2048. If the Administrator sets 8000 as a secondary base for telnet, then serial port #2 on the console server can be accessed via telnet at IP Address:2002 and at IP Address:8002.
The default base for SSH is 3000; for Raw TCP is 4000; and for RFC2217 it is 5000.
RAW/Direct You can also specify that serial port devices can be accessed from nominated network interfaces using Raw TCP, direct Telnet/SSH, unauthenticated Telnet services, etc.
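The base-port scheme described under Base, as an added example that is not from the manual or the product: a Python helper that expands the bases into per-service port ranges, maps a destination port seen in firewall or connection logs back to its service and serial port, and flags a secondary base that collides with another service's range. The base values are the manual's defaults; the function names and the 48-port unit in the demonstration are assumptions.

```python
# Default TCP base ports from the manual: a serial port is reached at
# base + serial port number (serial port #2 via Telnet -> 2002).
DEFAULT_BASES = {"telnet": 2000, "ssh": 3000, "raw": 4000, "rfc2217": 5000}


def service_ranges(serial_port_count, bases=None, secondary_bases=None):
    """(service, first_port, last_port) for every base in effect.

    Secondary bases set by the Administrator are used in addition to the
    defaults, so a service may appear twice."""
    ranges = []
    for service, base in (DEFAULT_BASES if bases is None else bases).items():
        ranges.append((service, base + 1, base + serial_port_count))
    for service, base in (secondary_bases or {}).items():
        ranges.append((service, base + 1, base + serial_port_count))
    return ranges


def tcp_ports_for(serial_port, service, serial_port_count, bases=None, secondary_bases=None):
    """Every TCP port through which one serial port is reachable for a service."""
    if not 1 <= serial_port <= serial_port_count:
        raise ValueError(f"serial port {serial_port} out of range 1..{serial_port_count}")
    return [
        first + serial_port - 1
        for name, first, _last in service_ranges(serial_port_count, bases, secondary_bases)
        if name == service
    ]


def resolve_tcp_port(tcp_port, serial_port_count, bases=None, secondary_bases=None):
    """Map a destination port seen in firewall or connection logs back to
    (service, serial port number); None if it is not a serial-access port."""
    for service, first, last in service_ranges(serial_port_count, bases, secondary_bases):
        if first <= tcp_port <= last:
            return service, tcp_port - first + 1
    return None


def overlapping_ranges(serial_port_count, bases=None, secondary_bases=None):
    """Pairs of port ranges that collide. A secondary Telnet base of 3010 on a
    48-port unit lands inside the default SSH range 3001-3048, for example."""
    ranges = service_ranges(serial_port_count, bases, secondary_bases)
    clashes = []
    for i, (svc_a, first_a, last_a) in enumerate(ranges):
        for svc_b, first_b, last_b in ranges[i + 1:]:
            if first_a <= last_b and first_b <= last_a:
                clashes.append(((svc_a, first_a, last_a), (svc_b, first_b, last_b)))
    return clashes


if __name__ == "__main__":
    # The manual's own example: 48 serial ports, Telnet secondary base 8000.
    secondary = {"telnet": 8000}
    print(tcp_ports_for(2, "telnet", 48, secondary_bases=secondary))  # [2002, 8002]
    # Constructed destination ports as they might appear in a firewall log.
    for port in (2002, 8002, 3048, 4017, 22, 3049):
        print(port, resolve_tcp_port(port, 48, secondary_bases=secondary))
    # A secondary Telnet base chosen inside the SSH range is reported as a clash.
    print(overlapping_ranges(48, secondary_bases={"telnet": 3010}))
```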

3.5 Communications Software

You have configured access protocols for the Administrator client to use when connecting to the console server. User clients (who you may set up later) will also use these protocols when accessing console server serial attached devices and network attached hosts. You will need to have appropriate communications software tools set up on the Administrator (and User) PC/workstation.
Black Box provides the SDT Connector Java applet as the recommended client software tool. You can use other generic tools such as PuTTY and SSHTerm. These tools are all described below as well.

3.5.1 SDT Connector

Each console server has an unlimited number of SDT Connector licenses to use with that console server.
SDT Connector is a lightweight tool that enables Users and Administrators to securely access the console server and the various computers, network devices, and appliances that may be serially or network connected to the console server.
SDT Connector is a Java applet that couples the trusted SSH tunneling protocol with popular access tools such as Telnet, SSH, HTTP, HTTPS, VNC, and RDP to provide point-and-click secure remote management access to all the systems and devices being managed.
Information on using SDT Connector for browser access to the console server’s Management Console, Telnet/SSH access to the console server command line, and TCP/UDP connecting to hosts that are network connected to the console server is in Chapter 6—Secure Tunneling.
SDT Connector can be installed on Windows 2000, XP, 2003, Vista and Windows 7 PCs, and on most Linux, UNIX, and Solaris computers.

3.5.2 PuTTY

You can also use communications packages like PuTTY to connect to the console server command line (and to connect serially attached devices as covered in Chapter 4). PuTTY is a freeware implementation of Telnet and SSH for Windows and UNIX platforms. It runs as an executable application without needing to be installed onto your system. PuTTY (the Telnet and SSH client itself) can be downloaded from http://www.tucows.com/preview/195286.html
To use PuTTY for an SSH terminal session from a Windows client, enter the console server’s IP address as the “Host Name (or IP address).” To access the console server command line, select “SSH” as the protocol, and use the default IP Port 22.
Click “Open” and the console server login prompt will appear. (You may also receive a “Security Alert” that the host’s key is not cached. Choose “yes” to continue.)
Using the Telnet protocol is similarly simple, but you use the default port 23.

3.5.3 SSHTerm

Another popular communications package you can use is SSHTerm, an open source package that you can download from http://sourceforge.net/projects/sshtools
To use SSHTerm for an SSH terminal session from a Windows Client, simply Select the “File” option and click on “New Connection.” A new dialog box will appear for your “Connection Profile.” Type in the host name or IP address (for the console server unit) and the TCP port that the SSH session will use (port 22). Then type in your username, choose password authentication, and click connect.
You may receive a message about the host key fingerprint. Select “yes” or “always” to continue.
The next step is password authentication. The system prompts you for your username and password from the remote system. This logs you on to the console server.

3.6 Management network configuration

The LES1508A, LES1408A, LES1416A, LES1432A, LES1448A, LES1308A, LES1316A, LES1332A, LES1348A, LES1208A-R2, LES1216A-R2, LES1232A and LES1248A-R2 console servers have a second network port that you can configure as a management LAN port or as a failover/ OOB access port.

3.6.1 Enable the Management LAN

The LES1508A, LES1408A, LES1416A, LES1432A, LES1448A, LES1308A, LES1316A, LES1332A, LES1348A, LES1208A-R2, LES1216A-R2, LES1232A and LES1248A-R2 console servers provide a firewall, router, and DHCP server. You need to connect an external LAN switch to Network 2 to attach hosts to this management LAN.
This Management LAN feature is disabled by default. To configure the Management LAN gateway:
- Select the Management LAN page on the System: IP menu and uncheck Disable.
- Configure the IP Address and Subnet Mask for the Management LAN (but leave the DNS fields blank).
- Click Apply.
Note You can configure the second Ethernet port as either a gateway port or as an OOB/Failover port (but not both). Make sure you did not allocate Network 2 as the Failover Interface when you configured the principal Network connection on the System: IP menu.
The management gateway function is now enabled with default firewall and router rules. By default, these rules are configured so the Management LAN can only be accessible by SSH port forwarding. This ensures that the remote and local connections to Managed Devices on the Management LAN are secure. You can also configure the LAN ports in bridged mode (as described later in this chapter) or you can configure them from the command line.

3.6.2 Configure the DHCP server

The LES1508A, LES1408A, LES1416A, LES1432A, LES1448A, LES1308A, LES1316A, LES1332A, LES1348A, LES1208A-R2, LES1216A-R2, LES1232A and LES1248A-R2 console servers also host a DHCP server which by default is disabled. The DHCP server enables the automatic distribution of IP addresses to hosts on the Management LAN that are running DHCP clients. To enable the DHCP server:
- On the System: IP menu select the Management LAN page and click the Disable label in the DHCP Server field (or directly go to the System: DHCP Server menu).
- Check Enable DHCP Server.
- Enter the Gateway address that you want to issue to the DHCP clients. If you leave this field blank, the console server’s IP address will be used.
- Enter the Primary DNS and Secondary DNS address to issue the DHCP clients. If you leave this field blank, the console server’s IP address is used. So, leave this field blank for automatic DNS server assignment.
- Optionally, enter a Domain Name suffix to issue DHCP clients.
Enter the Default Lease time and Maximum Lease time in seconds. The lease time is the time
that a dynamically assigned IP address is valid before the client must request it again.
Click Apply.
The DHCP server will sequentially issue IP addresses from a specified address pool(s):
Click Add in the Dynamic Address Allocation Pools field. Enter the DHCP Pool Start Address and End Address and click Apply.
The DHCP server also supports pre-assigning IP addresses to be allocated only to specific MAC addresses and reserving IP addresses to be used by connected hosts with fixed IP addresses. To reserve an IP addresses for a particular host:
Click Add in the Reserved Addresses field. Enter the Hostname, the Hardware Address (MAC), and the Statically Reserved IP address for
the DHCP client and click Apply.
When DHCP has initially allocated hosts addresses, copy these addresses into the pre-assigned list so the same IP address will be reallocated if you reboot the system.
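Reserved addresses and dynamic pools are entered on separate pages, so a reservation that falls inside a pool, or a pool that spills onto the network or broadcast address, is easy to miss. The following is an added example (not Black Box code) that checks a DHCP configuration of the shape described above before it is applied. The field names, the Management LAN subnet and the sample pool and reservations are constructed for the illustration.

```python
"""Sanity checks for a Management LAN DHCP server configuration.

Added example, not Black Box code. The keys mirror the fields on the
manual's DHCP Server page; the values below are constructed.
"""
import ipaddress
import re

MAC_RE = re.compile(r"^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$")


def check_dhcp_config(cfg):
    """Return a list of problems found in cfg (an empty list means it looks sane).

    cfg keys (hypothetical names mirroring the form fields):
      management_lan: CIDR of the Management LAN interface
      gateway, primary_dns, secondary_dns: dotted quads, or "" for
        "use the console server's own address" (the manual's blank-field rule)
      default_lease, maximum_lease: seconds
      pools: list of (start, end) dotted quads
      reserved: list of {"hostname", "mac", "ip"}
    """
    problems = []
    lan = ipaddress.ip_network(cfg["management_lan"], strict=False)

    # The default lease must be positive and must not exceed the maximum a client may request.
    if cfg["default_lease"] <= 0 or cfg["maximum_lease"] < cfg["default_lease"]:
        problems.append("lease times: default must be > 0 and <= maximum")

    # Non-blank gateway/DNS values must be reachable on the Management LAN.
    for name in ("gateway", "primary_dns", "secondary_dns"):
        value = cfg.get(name, "")
        if value and ipaddress.ip_address(value) not in lan:
            problems.append(f"{name} {value} is not on the Management LAN {lan}")

    pool_ranges = []
    for start, end in cfg["pools"]:
        s, e = ipaddress.ip_address(start), ipaddress.ip_address(end)
        if s > e:
            problems.append(f"pool {start}-{end}: start is after end")
            continue
        if s not in lan or e not in lan:
            problems.append(f"pool {start}-{end}: not inside {lan}")
        if s == lan.network_address or e == lan.broadcast_address:
            problems.append(f"pool {start}-{end}: includes network or broadcast address")
        pool_ranges.append((s, e))

    seen_macs, seen_ips = set(), set()
    for r in cfg["reserved"]:
        mac, ip = r["mac"].lower(), ipaddress.ip_address(r["ip"])
        if not MAC_RE.match(r["mac"]):
            problems.append(f"{r['hostname']}: malformed MAC {r['mac']}")
        if mac in seen_macs:
            problems.append(f"{r['hostname']}: duplicate MAC {r['mac']}")
        if ip in seen_ips:
            problems.append(f"{r['hostname']}: duplicate reserved IP {ip}")
        seen_macs.add(mac)
        seen_ips.add(ip)
        if ip not in lan:
            problems.append(f"{r['hostname']}: reserved IP {ip} not on {lan}")
        # A reservation inside a dynamic pool can collide with a lease already handed out.
        for s, e in pool_ranges:
            if s <= ip <= e:
                problems.append(f"{r['hostname']}: reserved IP {ip} lies inside pool {s}-{e}")
    return problems


# Constructed sample: one pool and two reservations, the second deliberately inside the pool.
SAMPLE_CONFIG = {
    "management_lan": "192.168.0.1/24",
    "gateway": "",              # blank: the console server issues its own address
    "primary_dns": "192.168.0.1",
    "secondary_dns": "",
    "default_lease": 86400,
    "maximum_lease": 604800,
    "pools": [("192.168.0.100", "192.168.0.199")],
    "reserved": [
        {"hostname": "pdu-rack1", "mac": "00:11:22:33:44:55", "ip": "192.168.0.10"},
        {"hostname": "ups-rack1", "mac": "00:11:22:33:44:66", "ip": "192.168.0.150"},
    ],
}

if __name__ == "__main__":
    for problem in check_dhcp_config(SAMPLE_CONFIG):
        print("WARNING:", problem)
```

Run against the sample, the only finding is the reservation that sits inside the dynamic pool; move it below the pool start (or shrink the pool) before clicking Apply.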

3.6.3 Select Failover or broadband OOB

The LES1508A, LES1408A, LES1416A, LES1432A, LES1448A, LES1308A, LES1316A, LES1332A, LES1348A, LES1208A-R2, LES1216A-R2, LES1232A and LES1248A-R2 console servers provide a broadband failover option. If you have a problem using the main LAN connection for accessing the console server, an alternate access path is used.
By default, the failover is not enabled. To enable it, select the Network page on the System: IP menu.
Select the Failover Interface to be used if the main connection fails. This can be:
o Management LAN - an alternate broadband Ethernet connection (which would be the Network2 port on the LES1508A, LES1408A, LES1416A, LES1432A, LES1448A, LES1308A, LES1316A, LES1332A, LES1348A, LES1208A-R2, LES1216A-R2, LES1232A and LES1248A-R2 console server), or
o Internal Modem - the internal V.92 modem in the LES1208A-R2, LES1216A-R2, LES1232A and LES1248A-R2 console server, or
o Internal Cellular Modem - the CDMA modem in the LES1408A, LES1416A, LES1432A and LES1448A, or the GSM modem in the LES1308A, LES1316A, LES1332A and LES1348A console server, or
o Serial DB9 - an external serial modem connected to the Console port for dialing out to an ISP or the remote management office.
Click Apply. You have now selected the failover method. It is not active until you specify the external sites to be probed to trigger failover, and set up the failover ports themselves. This is covered in Chapter 5.
Note You can configure the second Ethernet port as either a gateway port or as an OOB/Failover port, but not both. Make sure you did not enable the Management LAN function on Network 2.

3.6.4 Aggregating the network ports

By default, you can only access the console server’s Management LAN network ports using SSH tunneling/port forwarding or by establishing an IPsec VPN tunnel to the console server. However, all the wired network ports on the console servers can also be aggregated by being bridged or bonded.
Select Enable Bridging on the System: IP General Settings menu, then select Bridge Interfaces or Bond Interfaces.
o When bridging is enabled, network traffic is forwarded across all Ethernet ports with no firewall restrictions. All the Ethernet ports are transparently connected at the data link layer (layer 2), and they retain their unique MAC addresses.
o With bonding, the network traffic is carried between the ports but they present with one MAC address.
o Both modes remove all the Management LAN Interface and Out-of-Band/Failover Interface functions and disable the DHCP Server.
o All the Ethernet ports are transparently connected at the data link layer (layer 2) and they are configured collectively using the Network Interface menu.

3.6.5 Static routes

Static routes provide a very quick way to route data from one subnet to a different subnet. You can hard code a path that tells the console server how to reach a certain subnet by using a certain path. This may be useful for remotely accessing various subnets at a remote site when the site is being accessed over the cellular out-of-band connection.
To add a static route to the route table of the system:
Select the Route Settings tab on the System: IP General Settings menu.
Enter a meaningful Route Name for the route.
In the Destination Network/Host field, enter the IP address of the destination network/host that the route provides access to.
Enter a value in the Destination netmask field that identifies the destination network or host: any number between 0 and 32. A subnet mask of 32 identifies a host route.
Enter the Route Gateway with the IP address of a router that will route packets to the destination network.
Enter a value in the Metric field that represents the metric of this connection. This generally only has to be set if two or more routes conflict or have overlapping targets. Any number equal to or greater than 0.
Click Apply.
Chapter 4 Serial Port, Host, Device & User Configuration

SERIAL PORT AND NETWORK HOST

Introduction

The Black Box console server enables access and control of serially attached devices and network attached devices (hosts). The Administrator must configure access privileges for each of these devices, and specify the services that can be used to control the devices. The Administrator can also set up new users and specify each user’s individual access and control privileges.
This chapter covers each of the steps in configuring hosts and serially attached devices:
Configure Serial Ports—setting up the protocols to be used in accessing serially-connected devices.
Users & Groups—setting up users and defining the access permissions for each of these users.
Authentication—covered in more detail in Chapter 9.
Network Hosts—configuring access to network connected devices (referred to as hosts).
Configuring Trusted Networks—nominate user IP addresses.
Cascading and Redirection of Serial Console Ports.
Connecting to Power (UPS, PDU and IPMI) and Environmental Monitoring (EMD) devices.
Managed Devices—presents a consolidated view of all the connections.
IPSec – enabling VPN connection.
OpenVPN connection.
PPTP connection.

4.1 Configure Serial Ports

To configure a serial port, you must first set the Common Settings (the protocols and the RS-232 parameters [such as baud rate]) that will be used for the data connection to that port.
Select what mode the port is to operate in. You can set each port to support one of five operating modes:
1) Console Server Mode is the default, and this enables general access to the serial console port on the serially attached devices.
2) Device Mode sets the serial port up to communicate with an intelligent serial controlled PDU, UPS, or Environmental Monitor Device (EMD).
3) SDT Mode enables graphical console access (with RDP, VNC, HTTPS, etc.) to hosts that are serially connected.
4) Terminal Server Mode sets the serial port to wait for an incoming terminal login session.
5) Serial Bridge Mode transparently interconnects two serial port devices over a network.
Select Serial & Network: Serial Port and you will see the current labels, modes, logging levels, and RS-232 protocol options that are currently set up for each serial port.
By default, each serial port is set in Console Server mode. To reconfigure the port, click Edit. When you have reconfigured the common settings (Chapter 4.1.1) and the mode (Chapters 4.1.2–4.1.6) for each port, you can set up any remote syslog (Chapter 4.1.7), then click Apply.
Note If you want to set the same protocol options for multiple serial ports at once, click Edit Multiple Ports and select which ports you want to configure as a group.
If the console server has been configured with distributed Nagios monitoring enabled, then you will also be presented with Nagios Settings options to enable nominated services on the Host to be monitored (refer to Chapter 10—Nagios Integration).

4.1.1 Common Settings

There are a number of common settings that you can set for each serial port. These are independent of the mode in which the port is being used. Set these serial port parameters to match the serial port parameters on the device you attach to that port.
Specify a label for the port. Select the appropriate Baud Rate, Parity, Data Bits, Stop Bits, and Flow Control for each port.
(Note: The RS-485/RS-422 option is not relevant for console servers.)
Before proceeding with further serial port configuration, connect the ports to the serial devices they will be controlling, and make sure they have matching settings.
Note The serial ports are all set at the factory to RS-232 9600 baud, no parity, 8 data bits, 1 stop bit, and Console Server Mode. You can change the baud rate to 2400–230400 baud using the Management Console. You can configure lower baud rates (50, 75, 110, 134, 150, 200, 300, 600, 1200, 1800 baud) from the command line. Refer to Chapter 14—Basic Configuration (Linux Commands).

4.1.2 Console Server Mode

Select Console Server Mode to enable remote management access to the serial console that is attached to this serial port:
Logging Level This specifies the level of information to be logged and monitored (refer to Chapter 7—Alerts and Logging).
Telnet When the Telnet service is enabled on the console server, a Telnet client on a User or Administrator’s computer can connect to a serial device attached to this serial port on the console server. The Telnet communications are unencrypted, so this protocol is generally recommended only for local connections.
With Win2000/XP/NT you can run telnet from the command prompt (cmd.exe). Vista and Windows 7 include a Telnet client and server, but they are not enabled by default. To enable Telnet:
Log in as Admin and go to Start/Control Panel/Programs and Features. Select Turn Windows features on or off, check the Telnet Client, and click OK.
If the remote communications are tunneled with SDT Connector, then you can use Telnet to securely access these attached devices (refer to the Note below).
Note In Console Server mode, Users and Administrators can use SDT Connector to set up secure Telnet connections that are SSH tunneled from their client PC/workstations to the serial port on the console server. SDT Connector can be installed on Windows 2000, XP, 2003, Vista, and Windows 7 PCs and on most Linux platforms. You can also set up secure Telnet connections with a simple point-and-click.
To use SDT Connector to access consoles on the console server serial ports, configure SDT Connector with the console server as a gateway, then configure it as a host. Next, enable the Telnet service on Port (2000 + serial port #), i.e. 2001–2048. Refer to Chapter 6 for more details on using SDT Connector for Telnet and SSH access to devices that are attached to the console server serial ports.
You can also use standard communications packages like PuTTY to set up a direct Telnet (or SSH) connection to the serial ports (refer to the Note below).
Note PuTTY also supports Telnet (and SSH), and the procedure to set up a Telnet session is simple. Enter the console server’s IP address as the “Host Name (or IP address).” Select “Telnet” as the protocol and set the “TCP port” to 2000 plus the physical serial port number (that is, 2001 to 2048). Click the “Open” button. You may then receive a “Security Alert” that the host’s key is not cached. Choose “yes” to continue. You will then be presented with the login prompt of the remote system connected to the serial port chosen on the console server. Log in as normal and use the host serial console screen.
PuTTY can be downloaded at http://www.tucows.com/preview/195286.html
SSH We recommend that you use SSH as the protocol where the User or Administrator connects to the console server (or connects through the console server to the attached serial consoles) over the Internet or any other public network. This will provide authenticated SSH communications between the SSH client program on the remote user’s computer and the console server, so the user’s communication with the serial device attached to the console server is secure.
For SSH access to the consoles on devices attached to the console server serial ports, you can use SDT Connector. Configure SDT Connector with the console server as a gateway, then as a host, and enable the SSH service on Port (3000 + serial port #), i.e. 3001–3048. Chapter 6—Secure Tunneling has more information on using SDT Connector for SSH access to devices that are attached to the console server serial ports.
You can also use common communications packages, like PuTTY or SSHTerm, to SSH connect directly to the console server’s IP Address at Port (3000 + serial port #), i.e. 3001–3048.
SSH connections can also be configured using the standard SSH port 22. Identify the serial port that’s accessed by appending a descriptor to the username. This syntax supports:
<username>:<portXX>
<username>:<port label>
<username>:<ttySX>
<username>:<serial>
For a User named “fred” to access serial port 2, when setting up the SSHTerm or the PuTTY SSH client, instead of typing username = fred and ssh port = 3002, the alternative is to type username = fred:port02 (or username = fred:ttyS1) and ssh port = 22.
Or, by typing username = fred:serial and ssh port = 22, a port selection option appears to the User.
This syntax enables Users to set up SSH tunnels to all serial ports while opening only a single IP port 22 in their firewall/gateway.
TCP RAW TCP allows connections directly to a TCP socket. Communications programs like PuTTY also support RAW TCP. You would usually access this protocol via a custom application.
For RAW TCP, the default port address is the console server’s IP Address at Port (4000 + serial port #), i.e. 4001–4048.
RAW TCP also enables the serial port to be tunneled to a remote console server, so two serial port devices can transparently interconnect over a network (see Chapter 4.1.6—Serial Bridging).
RFC2217 Selecting RFC2217 enables serial port redirection on that port. For RFC2217, the default port address is the console server’s IP Address at Port (5000 + serial port #), that is, 5001–5048.
Special client software is available for Windows, UNIX and Linux that supports RFC2217 virtual com ports, so a remote host can monitor and manage remote serially attached devices as though they were connected to the local serial port (see Chapter 4.6—Serial Port Redirection for details).
RFC2217 also enables the serial port to be tunneled to a remote console server, so two serial port devices can transparently interconnect over a network (see Chapter 4.1.6—Serial Bridging).
Unauthenticated Telnet Selecting Unauthenticated Telnet enables telnet access to the serial port without requiring the user to provide credentials. When a user accesses the console server to telnet to a serial port, he is normally given a login prompt. With unauthenticated telnet, the user connects directly through to a port without any console server login. This mode is mainly used when you have an external system (such as conserver) managing user authentication and access privileges at the serial device level.
For Unauthenticated Telnet, the default port address is the console server’s IP Address at Port (6000 + serial port #), i.e. 6001–6048.
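The port-22 username syntax described under SSH and the per-protocol port bases listed above (2000 for Telnet, 3000 for SSH, 4000 for RAW TCP, 5000 for RFC2217, 6000 for Unauthenticated Telnet) are two ways of naming the same serial port. The following is an added example, not Black Box code, that parses the <username>:<descriptor> form and computes the equivalent direct port, which is useful when writing firewall rules or auditing which serial ports a client is actually reaching. The fred:port02 / fred:ttyS1 equivalence is the manual’s; the function names, the 48-port upper bound and the port label table are constructed for this illustration.

```python
"""Parse the console server's port-selection username syntax and map serial
ports to the per-protocol TCP ports listed in the manual.

Added example, not Black Box code. Port bases and the <username>:<descriptor>
forms are from the manual; names and the label table are constructed.
"""
import re

# TCP port base per protocol, from the manual: the serial port number is added to it.
PORT_BASE = {
    "telnet": 2000,
    "ssh": 3000,
    "raw": 4000,
    "rfc2217": 5000,
    "unauth-telnet": 6000,
}
MAX_SERIAL_PORTS = 48  # the manual quotes ranges up to xx48 for the largest models


def direct_port(protocol, serial_port):
    """TCP port for a direct connection to serial_port using protocol, e.g. ("ssh", 2) -> 3002."""
    if not 1 <= serial_port <= MAX_SERIAL_PORTS:
        raise ValueError(f"serial port {serial_port} out of range 1-{MAX_SERIAL_PORTS}")
    return PORT_BASE[protocol] + serial_port


def parse_ssh_username(username, port_labels=None):
    """Split an SSH username of the form <user>:<descriptor> used on port 22.

    Returns (user, serial_port): serial_port is an int, the string "menu" for
    the :serial form (the server then presents a port selection menu), or None
    when no descriptor is present. port_labels maps configured port labels to
    port numbers (constructed here; on the device they come from Common Settings).
    """
    port_labels = port_labels or {}
    user, sep, descriptor = username.partition(":")
    if not sep:
        return user, None
    if descriptor == "serial":
        return user, "menu"
    m = re.fullmatch(r"port(\d+)", descriptor)
    if m:
        return user, int(m.group(1))
    # ttySX is zero-based: ttyS1 is serial port 2, matching the manual's example.
    m = re.fullmatch(r"ttyS(\d+)", descriptor)
    if m:
        return user, int(m.group(1)) + 1
    if descriptor in port_labels:
        return user, port_labels[descriptor]
    raise ValueError(f"unrecognised port descriptor {descriptor!r}")


def ssh_targets(username, host, port_labels=None):
    """Return the two equivalent SSH targets for one serial port:
    (user-with-descriptor, host, 22) and (plain user, host, 3000 + port)."""
    user, port = parse_ssh_username(username, port_labels)
    if not isinstance(port, int):
        raise ValueError("a concrete port is needed to compute the 3000+ form")
    return (username, host, 22), (user, host, direct_port("ssh", port))


# Constructed label table for illustration only.
LABELS = {"core-router": 5, "pdu-a": 7}

if __name__ == "__main__":
    for name in ("fred:port02", "fred:ttyS1", "fred:core-router", "fred:serial", "fred"):
        print(name, "->", parse_ssh_username(name, LABELS))
    print(ssh_targets("fred:port02", "192.0.2.10"))
```

Because the descriptor form only ever touches port 22, a perimeter firewall that allows 22 to the console server but blocks 3001–3048 still lets users reach every serial port; the per-port access control then rests entirely on the user and group permissions of Chapter 4.2, not on the firewall.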
Web Terminal Selecting Web Terminal enables web browser access to the serial port via Manage: Devices: Serial using the Management Console’s built-in AJAX terminal. Web Terminal connects as the currently authenticated Management Console user and does not re-authenticate. See section 13.3 for more details.
Authenticate Enable for secure serial communications using Portshare, and add a password.
Accumulation Period By default, once a connection is established for a particular serial port (such as an RFC2217 redirection or Telnet connection to a remote computer), any incoming characters on that port are forwarded over the network on a character-by-character basis. The accumulation period changes this by specifying a period of time over which incoming characters will be collected before being sent as a packet over the network.
Escape Character This enables you to change the character used for sending escape characters. The default is ~.
Power Menu This setting enables the shell power command. A user can control the power connection to a Managed Device from the command line when they are connected to the device via telnet or ssh. To operate, the Managed Device must be set up with both its Serial port connection and Power connection configured. The command to bring up the power menu is ~p.
Single Connection This setting limits the port to a single connection. If multiple users have access privileges for a particular port, only one user at a time can access that port (that is, port “snooping” is not permitted).

4.1.3 SDT Mode

This setting allows port forwarding of RDP, VNC, HTTP, HTTPS, SSH, Telnet, and other LAN protocols through to computers that are locally connected to the console server by their serial COM port. Port forwarding requires that you set up a PPP link over this serial port.
For configuration details, refer to Chapter 6.6—Using SDT Connector to Telnet or SSH connect to devices that are serially attached to the console server.

4.1.4 Device (RPC, UPS, EMD) Mode

This mode configures the selected serial port to communicate with a serial controlled Uninterruptable Power Supply (UPS), Remote Power Controller/Power Distribution Unit (RPC) or Environmental Monitoring Device (EMD).
Select the desired Device Type (UPS, RPC or EMD).
Proceed to the appropriate device configuration page (Serial & Network: UPS Connections, RPC Connection or Environmental) as detailed in Chapter 8—Power & Environmental Management.

4.1.5 Terminal Server Mode

Select Terminal Server Mode and the Terminal Type (vt220, vt102, vt100, Linux, or ANSI) to enable a getty on the selected serial port.
The getty will then configure the port and wait for a connection to be made. An active connection on a serial device is usually indicated by the Data Carrier Detect (DCD) pin on the serial device being raised. When a connection is detected, the getty program issues a login: prompt, and then invokes the login program to handle the actual system login.
Note Selecting Terminal Server mode will disable Port Manager for that serial port, so data is no longer logged for alerts, etc.

4.1.6 Serial Bridging Mode

With serial bridging, the serial data on a nominated serial port on one console server is encapsulated into network packets and then transported over a network to a second console server. It is then represented on its serial port again as serial data. The two console servers effectively act as a virtual serial cable over an IP network.
One console server is configured as the Server. Set the Server serial port to be bridged in Console Server mode with either RFC2217 or RAW enabled (as described in Chapter 4.1.2—Console Server Mode).
For the Client console server, the serial port to bridge must be set in Bridging Mode:
Select Serial Bridging Mode and specify the IP address of the Server console server and the TCP port address of the remote serial port (for RFC2217 bridging this will be 5001–5048).
By default, the bridging client will use RAW TCP. Select RFC2217 if this is the console server mode you have specified on the server console server.
You may secure the communications over the local Ethernet by enabling SSH. You will need to generate and upload keys (refer to Chapter 14—Advanced Configuration).

4.1.7 Syslog

In addition to built-in logging and monitoring (which can be applied to serial-attached and network-attached management accesses, as covered in Chapter 7—Alerts and Logging), you can also configure the console server to support the remote syslog protocol on a per-serial-port basis:
Select the Syslog Facility/Priority fields to enable logging of traffic on the selected serial port to a syslog server, and to appropriately sort and action those logged messages (that is, redirect them, send alert email, etc.).
For example, if the computer attached to serial port 3 should never send anything out on its serial console port, the Administrator can set the Facility for that port to local0 (local0 .. local7 are for site local values), and the Priority to critical. At this priority, if the console server syslog server does receive a message, it will automatically raise an alert. Refer to Chapter 7—Alerts & Logging.
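On the receiving side, the Facility/Priority pair chosen above arrives encoded in the syslog PRI field (facility × 8 + severity, so local0.critical is <130>), and the alert logic is simply a filter on that pair. The following is an added example, not Black Box code, that parses RFC 3164 style lines and flags those from the nominated facility at or above the chosen severity. The facility and severity numbering is the standard syslog one; the hostname, tags and log lines are constructed.

```python
"""Flag unexpected console output relayed by the console server over syslog.

Added example, not Black Box code. The manual's scenario: serial port 3 is
tagged local0.critical because the attached computer should never write to
its console. Facility/severity numbering follows RFC 3164; the log lines and
hostnames below are constructed.
"""
import re

FACILITIES = {"kern": 0, "user": 1, "mail": 2, "daemon": 3, "auth": 4, "syslog": 5,
              "lpr": 6, "news": 7, "uucp": 8, "cron": 9, "authpriv": 10, "ftp": 11}
FACILITIES.update({f"local{i}": 16 + i for i in range(8)})
SEVERITIES = {"emerg": 0, "alert": 1, "crit": 2, "err": 3,
              "warning": 4, "notice": 5, "info": 6, "debug": 7}
FACILITY_NAME = {v: k for k, v in FACILITIES.items()}
SEVERITY_NAME = {v: k for k, v in SEVERITIES.items()}


def pri(facility, severity):
    """Encode a syslog PRI value: facility * 8 + severity (local0.crit -> 130)."""
    return FACILITIES[facility] * 8 + SEVERITIES[severity]


# <PRI>Mmm dd hh:mm:ss host tag: message
LINE_RE = re.compile(
    r"^<(\d{1,3})>(\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) (\S+) ([^\s:]+):? ?(.*)$")


def parse_line(line):
    """Decode one line into its facility, severity, timestamp, host, tag and message."""
    m = LINE_RE.match(line)
    if not m:
        return None
    p = int(m.group(1))
    return {
        "facility": FACILITY_NAME.get(p // 8, str(p // 8)),
        "severity": SEVERITY_NAME[p % 8],
        "timestamp": m.group(2),
        "host": m.group(3),
        "tag": m.group(4),
        "msg": m.group(5),
    }


def alerts(lines, facility="local0", max_severity="crit"):
    """Return parsed records from `facility` whose severity is at least as
    severe as max_severity (lower numeric value means more severe)."""
    threshold = SEVERITIES[max_severity]
    out = []
    for line in lines:
        rec = parse_line(line)
        if rec and rec["facility"] == facility and SEVERITIES[rec["severity"]] <= threshold:
            out.append(rec)
    return out


# Constructed sample: two routine messages and one from the port that should stay silent.
SAMPLE = [
    "<30>Mar  9 10:02:11 consrv portmanager: port 1 (core-sw) session opened by alice",
    f"<{pri('local0', 'crit')}>Mar  9 10:02:15 consrv port3: Kernel panic - not syncing",
    "<38>Mar  9 10:02:40 consrv sshd: Accepted publickey for bob from 192.0.2.7",
]

if __name__ == "__main__":
    for rec in alerts(SAMPLE):
        print(f"ALERT {rec['facility']}.{rec['severity']} {rec['tag']}: {rec['msg']}")
```

Only the line tagged local0 at critical survives the filter; the routine portmanager and sshd entries at daemon.info and auth.info are left for normal log review.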

4.1.8 Cisco USB console connection

The LES1508A, LES1408A, LES1416A, LES1432A, LES1448A, LES1308A, LES1316A, LES1332A, LES1348A, LES1208A-R2, LES1216A-R2, LES1232A and LES1248A-R2 console servers support direct USB 2.0 connection to one or two Cisco USB console ports (in addition to the traditional RS-232 serial console port connections).
With such a USB console connection, users can send IOS commands through the USB console port remotely (using a browser and the console server’s built-in AJAX terminal) or monitor messages from the Cisco USB console ports and take rule book actions (using the console server’s built-in Auto-Response capabilities).
For configuration and control, these USB consoles are presented as new “serial ports” on the Serial & Network: Serial Port menu. So for an LES1508A, any Cisco USB console ports would present as Port 9 and 10. Common Settings, such as baud rate, are ignored when configuring the Cisco USB “serial port”. However, you can apply all the Console Server Mode, Syslog and Serial Bridging settings to this port.
Note: The Cisco USB console is auto-detected and the new “serial port” numbers are created. However, it must be manually configured on initial connection. Any subsequent USB console disconnection is auto-detected. USB console re-connection on the same physical USB port will also be auto-detected, but only if the console server has been power cycled.

4.2 Add/ Edit Users

The Administrator uses this menu selection to set up, edit, and delete users, and to define the access permissions for each of these users.
Users can be authorized to access specified console server serial ports and specified network-attached hosts. These users can also be given full Administrator status (with full configuration, management and access privileges).
To simplify user set up, users can be configured as members of Groups. There are six Groups set up by default:
admin    Provides users with unlimited configuration and management privileges.
pptpd    Group to allow access to the PPTP VPN server. Users in this group will have their password stored in clear text.
dialin   Group to allow dialin access via modems. Users in this group will have their password stored in clear text.
ftp      Group to allow ftp access and file access to storage devices.
pmshell  Group to set default shell to pmshell.
users    Provides users with basic management privileges.
Note: 1. Members of the admin group have full Administrator privileges. The admin user (Administrator) can access the console server using any of the services that are enabled in System: Services. For example, if only HTTPS has been enabled, then the Administrator can only access the console server using HTTPS. Once logged in, they can reconfigure the console server settings (for example, to enable HTTP/Telnet for future access). They can also access any of the connected Hosts or serial port devices using any of the services that have been enabled for these connections. The Administrator can reconfigure the access services for any Host or serial port. Only trusted users should have Administrator access.
2. Membership of the user group provides the user with limited access to the console server and connected Hosts and serial devices. These Users can access only the Management section of the Management Console menu and they have no command line access to the console server. They also can only access those Hosts and serial devices that have been checked for them, using services that have been enabled.
3. If a user is set up with pptpd, dialin, ftp or pmshell group membership, they will have restricted user shell access to the nominated managed devices but they will not have any direct access to the console server itself. To add this, the users must also be a member of the “users” or “admin” groups.
4. The Administrator can also set up additional Groups with specific power device, serial port and host access permissions. However, users in these additional groups don’t have any access to the Management Console menu, nor do they have any command line access to the console server itself.
5. The Administrator can also set up users with specific power device, serial port and host access permissions, who are not a member of any Groups. Similarly, these users don’t have any access to the Management Console menu, nor do they have any command line access to the console server itself.
6. For convenience, the SDT Connector “Retrieve Hosts” function retrieves and auto-configures checked serial ports and checked hosts only, even for admin group users.
To set up new Groups and new users, and to classify users as members of particular Groups:
Select Serial & Network: Users & Groups to display the configured Groups and Users.
Click Add Group to add a new Group. Add a Group name and Description for each new Group, then nominate the Accessible Hosts, Accessible Ports, and Accessible RPC Outlet(s) that you want any users in this new Group to be able to access.
Click Apply.
Click Add User to add a new user. Add a Username and a confirmed Password for each new user. You may also include information related to the user (for example, contact details) in the Description field.
_____________________________________________________________________
724-746-5500 | blackbox.com Page 58
Page 59
Note The User Name can contain from 1 to 127 alphanumeric characters (you can also use the special characters “-”, “_”, and “.”). There are no restrictions on the characters that you can use in the user Password (each can contain up to 254 characters). Only the first eight Password characters are used to make the password hash.
Specify which Group (or Groups) you want the user to join.
SSH pass-key authentication can be used. This is more secure than password based authentication. Paste the public keys of authorized public/private keypairs for this user in the Authorized SSH Keys field.
Check Disable Password Authentication if you wish to only allow public key authentication for this user when using SSH.
Check Enable Dial-Back in the Dial-in Options menu to allow an out-going dial-back connection to be triggered by logging into this port. Enter the Dial-Back Phone Number with the phone number to call back when the user logs in.
Check specific Accessible Hosts and/or Accessible Ports to nominate the serial ports and network connected hosts you want the user to have access privileges to.
If there are configured RPCs, you can check Accessible RPC Outlets to specify which outlets the user is able to control (that is, Power On/Off).
Click Apply. The new user can now access the Network Devices, Ports, and RPC Outlets you nominated as accessible. Plus, if the user is a Group member, they can also access any other device/port/outlet that was set up as accessible to the Group.
Note There are no specific limits on the number of users you can set up, nor on the number of users per serial port or host. Multiple users (Users and Administrators) can control/monitor one port or host.
There are no specific limits on the number of Groups. Each user can be a member of a number of Groups (they take on the cumulative access privileges of each of those Groups). A user does not have to be a member of any Groups (but if the User is not even a member of the default user group, then he will not be able to use the Management Console to manage ports).
The time allowed to re-configure increases as the number and complexity increases. We recommend that you keep the aggregate number of users and groups under 250.
The Administrator can also edit the access settings for any existing users:
Select Serial & Network: Users & Groups and click Edit for the User to be modified. Alternately, click Delete to remove the User or click Disable to temporarily block any access privileges.
Note For more information on enabling the SDT Connector so each user has secure tunneled remote RDP/VNC/Telnet/HTTP/HTTPS/SoL access to the network connected hosts, refer to Chapter 6.

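Because a user’s effective access is the union of their own Accessible Hosts/Ports/Outlets and those of every Group they belong to, while Management Console and command line access depend only on membership of the users or admin groups, reviewing a large user base by hand is error-prone. The following is an added example, not Black Box code, that models the rules stated in this section and resolves one user’s effective access from constructed sample data; the data model, function names and the sample users and groups are assumptions made for the illustration, and the six default group names come from the manual.

```python
"""Resolve a user's effective access from Group membership plus per-user
grants, following the rules in the manual's Add/Edit Users section.

Added example, not Black Box code. Group names admin, users, pptpd, dialin,
ftp and pmshell are the manual's defaults; the data model and sample data
are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Group:
    name: str
    hosts: frozenset = frozenset()    # Accessible Hosts
    ports: frozenset = frozenset()    # Accessible Ports
    outlets: frozenset = frozenset()  # Accessible RPC Outlets


@dataclass(frozen=True)
class User:
    name: str
    groups: tuple = ()
    hosts: frozenset = frozenset()    # per-user Accessible Hosts
    ports: frozenset = frozenset()    # per-user Accessible Ports
    outlets: frozenset = frozenset()  # per-user Accessible RPC Outlets


# Default groups named in the manual. Membership of only these four gives a
# restricted shell to managed devices but no access to the console server itself.
RESTRICTED_SHELL_GROUPS = {"pptpd", "dialin", "ftp", "pmshell"}
BUILTIN_GROUPS = {"admin", "users"} | RESTRICTED_SHELL_GROUPS


def effective_access(user, groups):
    """Return what `user` may reach and through which interfaces.

    groups maps the names of Administrator-defined Groups to Group objects;
    the built-in groups carry no host/port lists of their own.
    """
    names = set(user.groups)
    unknown = names - set(groups) - BUILTIN_GROUPS
    if unknown:
        raise KeyError(f"{user.name}: undefined groups {sorted(unknown)}")
    # Cumulative privileges: the user's own grants plus every Group's grants.
    hosts, ports, outlets = set(user.hosts), set(user.ports), set(user.outlets)
    for g in names & set(groups):
        hosts |= groups[g].hosts
        ports |= groups[g].ports
        outlets |= groups[g].outlets
    is_admin = "admin" in names
    return {
        "admin": is_admin,                                    # unlimited configuration rights
        "management_console": is_admin or "users" in names,   # otherwise no menu access at all
        "command_line": is_admin,                             # the users group has none
        "restricted_shell": bool(names & RESTRICTED_SHELL_GROUPS),
        "hosts": hosts,
        "ports": ports,
        "outlets": outlets,
    }


def admins(users, groups):
    """Names of everyone holding Administrator rights, for periodic review."""
    return sorted(u.name for u in users if effective_access(u, groups)["admin"])


# Constructed sample data.
GROUPS = {
    "noc": Group("noc", hosts=frozenset({"core-sw"}), ports=frozenset({1, 2})),
    "power": Group("power", outlets=frozenset({"pdu-a:3"})),
}
USERS = [
    User("alice", groups=("users", "noc", "power"), ports=frozenset({5})),
    User("bob", groups=("pmshell", "noc")),   # shell to devices, no Management Console
    User("carol", groups=("admin",)),
    User("dave", ports=frozenset({3})),       # no Group at all: port 3 only, no menu
]

if __name__ == "__main__":
    for u in USERS:
        print(u.name, effective_access(u, GROUPS))
    print("administrators:", admins(USERS, GROUPS))
```

The admin flag is the one to watch: the manual restricts Administrator access to trusted users, and the admins() list is a cheap way to confirm that set has not grown during routine user additions.
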
4.3 Authentication

Refer to Chapter 9.1— Remote Authentication Configuration for authentication configuration details.

4.4 Network Hosts

To access a locally networked computer or device (referred to as a Host), you must identify the Host and specify the TCP or UDP ports/services that will be used to control that Host.
Selecting Serial & Network: Network Hosts presents all the network connected Hosts that have been enabled for access, and the related access TCP ports/services.
Click Add Host to enable access to a new Host (or select Edit to update the settings for an existing Host).
Enter the IP Address or DNS Name and a Host Name (up to 254 alphanumeric characters) for the new network connected Host (and optionally enter a Description).
Add or edit the Permitted Services (or TCP/UDP port numbers) that are authorized to be used in controlling this host. Only these permitted services will be forwarded through by SDT to the Host. All other services (TCP/UDP ports) will be blocked.
The Logging Level specifies the level of information to be logged and monitored for each Host access (refer to Chapter 7—Alerts and Logging).
If the Host is a PDU or UPS power device or a server with IPMI power control, then specify RPC (for IPMI and PDU) or UPS and the Device Type. The Administrator can then configure these devices and enable which users have permission to remotely cycle power, etc. (refer to Chapter 8). Otherwise, leave the Device Type set to None.
If the console server has been configured with distributed Nagios monitoring enabled, then you will also be presented with Nagios Settings options to enable nominated services on the Host to be monitored (refer to Chapter 10—Nagios Integration).
Click Apply. This will create the new Host and also create a new Managed Device (with the same name).

4.5 Trusted Networks

The Trusted Networks facility gives you an option to nominate specific IP addresses where users (Administrators and Users) must be located to access console server serial ports.
Select Serial & Network: Trusted Networks. To add a new trusted network, select Add Rule.
Select the Accessible Port(s) that the new rule is to be applied to. Then, enter the Network Address of the subnet to be permitted access. Then, specify the range of addresses that are to be permitted by entering a Network Mask for
that permitted IP range, for example:
To permit all the users located with a particular Class C network (for example, 204.15.5.0)
connection to the nominated port then you would add the following Trusted Network New Rule:
If you want to permit only the one user who is located at a specific IP address (for example,
204.15.5.13 say) to connect:
_____________________________________________________________________
724-746-5500 | blackbox.com Page 61
Page 62
Network Mask
255.255.255.255
Host /Subnet Address
204.15.5.128
Subnet Mask
255.255.255.224
If, however, you want to allow all the users operating from within a specific range of IP
addresses (for example, any of the thirty addresses from 204.15.5.129 to 204.15.5.158) to be permitted connection to the nominated port:
Click Apply.
Note The above Trusted Networks rules limit Users’ and Administrators’ access to the console serial ports. They do not restrict access to the console server itself or to attached hosts. To change the default settings for this access, you will need to edit the iptables rules as described in Chapter 14—Advanced.

4.6 Serial Port Cascading

Cascaded Ports enables you to cluster distributed console servers. A large number of serial ports (up to 1000) can be configured and accessed through one IP address and managed through one Management Console. One console server, the Master, controls other console servers as Slave units and all the serial ports on the Slave units appear as if they are part of the Master.
Black Box’s clustering connects each Slave to the Master with an SSH connection. This uses public key authentication so the Master can access each Slave using the SSH key pair (rather than using passwords). This ensures secure authenticated communications between Master and Slaves, enabling the Slave console server units to be distributed locally on a LAN or remotely around the world.

4.6.1 Automatically generate and upload SSH keys

To set up public key authentication, you must first generate an RSA or DSA key pair and upload them into the Master and Slave console servers. This can all be done automatically from the Master.
Select System: Administration on the Master’s Management Console. Check Generate SSH keys automatically and click Apply.
Next, you must select whether to generate keys using RSA and/or DSA (if unsure, select only RSA). Generating each set of keys will require approximately two minutes, and the new keys will destroy any old keys of that type that may previously have been uploaded.
Also, while the new generation is underway on the Master, functions relying on SSH keys (for example, cascading) may stop functioning until they are updated with the new set of keys.
To generate keys:
Select RSA Keys and/or DSA Keys. Click Apply. Once the new keys have been successfully generated, click Click here to return and the keys will automatically be uploaded to the Master and connected Slaves.

4.6.2 Manually generate and upload SSH keys

Or, if you have an RSA or DSA key pair, you can manually upload them to the Master and Slave console servers.
Note If you already have an RSA or DSA key pair that you do not want to use, you will need to create a key pair using ssh-keygen, PuTTYgen or a similar tool as detailed in Chapter 15.6.
To manually upload the public and private key pair to the Master console server:
Select System: Administration on the Master’s Management Console. Browse to the location where you have stored the RSA (or DSA) Public Key and upload it to SSH RSA (DSA) Public Key.
Browse to the stored RSA (or DSA) Private Key and upload it to SSH RSA (DSA) Private Key. Click Apply.
Next, you must register the Public Key as an Authorized Key on the Slave. In a case that has only one Master with multiple Slaves, you only need to upload the one RSA or DSA public key for each Slave.
Note Using key pairs can be confusing since one file (Public Key) fulfills two roles—Public Key and Authorized Key. For a more detailed explanation, refer to the Authorized Keys section of Chapter 15.6. Also, refer to this chapter if you need to use more than one set of Authorized Keys in the Slave.
Select System: Administration on the Slave’s Management Console. Browse again to the stored RSA (or DSA) Public Key and upload it to Slave’s SSH Authorized Key. Click Apply.
The next step is to Fingerprint each new Slave-Master connection. This one-time step will validate that you are establishing an SSH session to the host you think you are. On the first connection, the Slave will receive a fingerprint from the Master which will be used on all future connections:
To establish the fingerprint, first log in to the Master server as root and establish an SSH connection to the Slave remote host:
# ssh remhost
Once the SSH connection has been established, the system asks you to accept the key. Answer yes and the fingerprint will be added to the list of known hosts. For more details on Fingerprinting, refer to Chapter 15.6.
If the system asks you to supply a password, then there is a problem with uploading keys. The keys should remove any need to supply a password.

4.6.3 Configure the slaves and their serial ports

You can now begin setting up the Slaves and configuring Slave serial ports from the Master console server:
Select Serial & Network: Cascaded Ports on the Master’s Management Console: To add clustering support, select Add Slave.
Note You can’t add any Slaves until you automatically or manually generate SSH keys.
To define and configure a Slave:
Enter the remote IP Address (or DNS Name) for the Slave console server. Enter a brief Description and a short Label for the Slave (use a convention here that enables you to effectively manage large networks of clustered console servers and the connected devices).
Enter the full number of serial ports on the Slave unit in Number of Ports. Click Apply. This will establish the SSH tunnel between the Master and the new Slave.
The Serial & Network: Cascaded Ports menu displays all the Slaves and the port numbers that have been allocated on the Master. If the Master console server has 16 ports of its own, then ports 1-16 are pre-allocated to the Master. The first Slave added will be assigned port number 17 and up.
Once you have added all the Slave console servers, you can assign and access the Slave serial ports and the connected devices from the Master’s Management Console menu. You can also access them through the Master’s IP address.
Select the appropriate Serial & Network: Serial Port and Edit to configure the serial ports on the Slave.
Select the appropriate Serial & Network: Users & Groups to add new users with access privileges to the Slave serial ports (or to extend existing users’ access privileges).
Select the appropriate Serial & Network: Trusted Networks to specify network addresses that can access nominated Slave serial ports.
Select the appropriate Alerts & Logging: Alerts to configure Slave port Connection, State Change, or Pattern Match alerts.
The configuration changes made on the Master are propagated out to all the Slaves when you click Apply.

4.6.4 Managing the Slaves

The Master is in control of the Slave serial ports. For example, if you change User access privileges or edit any serial port setting on the Master, the updated configuration files will be sent out to each Slave in parallel. Each Slave will then automatically make changes to its local configuration (and only make those changes that relate to its particular serial ports).
You can still use the local Slave Management Console to change the settings on any Slave serial port (such as alter the baud rates). These changes will be overwritten next time the Master sends out a configuration file update.
Also, while the Master is in control of all Slave serial port related functions, it is not master over the Slave network host connections or over the Slave console server system itself.
You must access each Slave directly to manage Slave functions such as IP, SMTP & SNMP Settings, Date & Time, and DHCP server. These functions are not overwritten when configuration changes are propagated from the Master. Similarly, you have to configure the Slave’s Network Host and IPMI settings at each Slave.
The Master’s Management Console provides a consolidated view of the settings for its own and all the Slaves’ serial ports. The Master does not provide a fully consolidated view. For example, if you want to find out who’s logged in to cascaded serial ports from the Master, you’ll see that Status: Active Users only displays those users active on the Master’s ports, so you may need to write custom scripts to provide this view. This is covered in Chapter 11.

4.7 Serial Port Redirection

To allow an application on a client PC to access the virtual serial ports on the console server, you need to run client software (to redirect the local serial port traffic to remote console server serial port).
There’s a selection of commercial software available including Serial to Ethernet from Eltima (www.eltima.com) and Serial/IP™ COM Port Redirector from Tactical Software (www.tacticalsoftware.com/products/serialip.htm).
This serial port redirector software is loaded in your desktop PC, and it allows you to use a serial device that’s connected to the remote console server as if it were connected to your local serial port.

4.8 Managed Devices

Managed Devices presents a consolidated view of all the connections to a device that you can access and monitor through the console server. To view the connections to the devices:
Select Serial & Network: Managed Devices.
This screen displays all the Managed Devices with their Description/Notes. It also lists all the configured Connections, that is, Serial Port # (if serially connected) or USB if USB connected; IP Address (if network connected); Power PDU/outlet details (if applicable), and any UPS connections. Devices such as servers will commonly have more than one power connection (for example, dual power supplies) and more than one network connection (for example, for the BMC/service processor).
All Users can view (but not edit) these Managed Device connections by selecting Manage: Devices. The Administrator user can edit and add/delete these Managed Devices and their connections.
To edit an existing device and add a new connection:
Select Edit on the Serial & Network: Managed Devices and click Add Connection.
Select the connection type for the new connection (Serial, Network Host, UPS, or RPC) and then select the specific connection from the presented list of configured unallocated hosts/ports/outlets.
To add a new network-connected Managed Device:
The Administrator adds a new network-connected Managed Device using Add Host on the Serial & Network: Network Host menu. This automatically creates a corresponding new Managed Device (as covered in Section 4.4—Network Hosts).
When adding a new network-connected RPC or UPS power device, you set up a Network Host, designate it as RPC or UPS, then go to RPC Connections (or UPS Connections) to configure the relevant connection. A corresponding new Managed Device (with the same Name/Description as the RPC/UPS Host) is not created until you complete this connection step (refer to Chapter 8—Power and Environment).
Note The outlet names on this newly created PDU will by default be “Outlet 1” and “Outlet 2.” When you connect a particular Managed Device (that draws power from the outlet), then the outlet will take the powered Managed Device’s name.
To add a new serially connected Managed Device:
Configure the serial port using the Serial & Network: Serial Port menu (refer to Section 4.1—Configure Serial Port).
Select Serial & Network: Managed Devices and click Add Device. Enter a Device Name and Description for the Managed Device.
Click Add Connection and select Serial and the Port that connects to the Managed Device. To add a UPS/RPC power connection or network connection or another serial connection, click Add Connection.
Click Apply.
Note To set up a new serially connected RPC, UPS or EMD device, configure the serial port, designate it as a Device, then enter a Name and Description for that device in the Serial & Network: RPC Connections (or UPS Connections or Environmental). When applied, this will automatically create a corresponding new Managed Device with the same Name/Description as the RPC/UPS Host (refer to Chapter 8—Power and Environment).
All the outlet names on the PDU will by default be “Outlet 1” and “Outlet 2.” When you connect a particular Managed Device (that draws power from the outlet), the outlet will then take the name of the powered Managed Device.

4.9 IPsec VPN

The LES1508A, LES1408A, LES1416A, LES1432A, LES1448A, LES1308A, LES1316A, LES1332A, LES1348A, LES1208A-R2, LES1216A-R2, LES1232 and LES1248A-R2 console servers include Openswan, a Linux implementation of the IPsec (IP Security) protocols, which can be used to configure a Virtual Private Network (VPN). The VPN allows multiple sites or remote administrators to access the console server (and Managed Devices) securely over the Internet.
The administrator can establish an encrypted authenticated VPN connection between advanced console servers distributed at remote sites and a VPN gateway (such as a Cisco router running IOS IPsec) on their central office network:
o Users and administrators at the central office can then securely access the remote console servers and connected serial console devices and machines on the Management LAN subnet at the remote location as though they were local
o With serial bridging, serial data from a controller at the central office machine can be securely connected to the serially controlled devices at the remote sites (refer to Chapter 4.1)
The road warrior administrator can use a VPN IPsec software client such as TheGreenBow (www.thegreenbow.com/vpn_gateway.html) or Shrew Soft (www.shrew.net/support) to remotely access the console server and every machine on the Management LAN subnet at the remote location
Configuration of IPsec is quite complex, so the LES1508A, LES1408A, LES1416A, LES1432A, LES1448A, LES1308A, LES1316A, LES1332A, LES1348A, LES1208A-R2, LES1216A-R2, LES1232 and LES1248A-R2 console servers provide a simple GUI interface for basic set up as described below. However, for more detailed information on configuring Openswan IPsec at the command line and interconnecting with other IPsec VPN gateways and road warrior IPsec software, refer to http://wiki.openswan.org

4.9.1 Enable the VPN gateway

Select IPsec VPN on the Serial & Networks menu
Click Add and complete the Add IPsec Tunnel screen
Enter any descriptive name you wish to identify the IPsec Tunnel you are adding, such as WestStOutlet-VPN
Select the Authentication Method to be used, either RSA digital signatures or a Shared secret (PSK)
o If you select RSA you will be asked to click here to generate keys. This will generate an RSA public key for the console server (the Left Public Key). You will need to find out the key to be used on the remote gateway, then cut and paste it into the Right Public Key
o If you select Shared secret you will need to enter a Pre-shared secret (PSK). The PSK must match the PSK configured at the other end of the tunnel
In Authentication Protocol select the authentication protocol to be used. Either authenticate as part of ESP (Encapsulating Security Payload) encryption or separately using the AH (Authentication Header) protocol.
Enter a Left ID and Right ID. This is the identifier that the local host/gateway and remote host/gateway use for IPsec negotiation and authentication. Each ID must include an ‘@’ and can include a fully qualified domain name preceded by ‘@’ (e.g. left@example.com)
Enter the public IP or DNS address of this console server VPN gateway (or enter the address of the device connecting the console server to the Internet) as the Left Address. You can leave this blank to use the interface of the default route
In Right Address enter the public IP or DNS address of the remote end of the tunnel (only if the remote end has a static or dyndns address). Otherwise leave this blank
If the VPN gateway is serving as a VPN gateway to a local subnet (e.g. the console server has a Management LAN configured) enter the private subnet details in Left Subnet. Use the CIDR notation (where the IP address number is followed by a slash and the number of ‘one’ bits in the binary notation of the netmask). For example 192.168.0.0/24 indicates an IP address where the first 24 bits are used as the network address. This is the same as 255.255.255.0. If the VPN access is only to the console server itself and to its attached serial console devices then leave Left Subnet blank
If there is a VPN gateway at the remote end, enter the private subnet details in Right Subnet. Again use the CIDR notation and leave blank if there is only a remote host
Select Initiate Tunnel if the tunnel connection is to be initiated from the Left console server end. This can only be initiated from the VPN gateway (Left) if the remote end was configured with a static (or dyndns) IP address
Click Apply to save changes
Note It is essential that the configuration details set up on the advanced console server (referred to as the Left or Local host) exactly match the set up entered when configuring the Remote (Right) host/gateway or software client.
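The dotted netmask entered for a Trusted Networks rule (Section 4.5) and the CIDR prefix entered for Left Subnet or Right Subnet here are two notations for the same thing. The Python helper below is an added example, not part of this manual or of the console server firmware: it converts between the two notations and tests which client addresses the manual’s three example rules (204.15.5.0/255.255.255.0, 204.15.5.13/255.255.255.255 and 204.15.5.128/255.255.255.224) admit; the clearing of host bits in rule_to_network is an assumption about mask-based rules, not behaviour the manual documents.

```python
import ipaddress

# Constructed rules mirroring the manual's three Trusted Network examples
# (network address plus dotted netmask, as entered in the Add Rule screen).
TRUSTED_RULES = [
    ("204.15.5.0", "255.255.255.0"),      # every host in the Class C network
    ("204.15.5.13", "255.255.255.255"),   # one host only
    ("204.15.5.128", "255.255.255.224"),  # the 30 hosts 204.15.5.129 to 204.15.5.158
]


def mask_to_prefix(mask: str) -> int:
    """Dotted netmask to CIDR prefix length, e.g. 255.255.255.224 -> 27.
    Raises ValueError for a non-contiguous mask such as 255.255.0.255."""
    return ipaddress.IPv4Network(("0.0.0.0", mask)).prefixlen


def prefix_to_mask(prefix: int) -> str:
    """CIDR prefix length to dotted netmask, e.g. 24 -> 255.255.255.0
    (the Left Subnet example 192.168.0.0/24 in Section 4.9.1)."""
    return str(ipaddress.IPv4Network(("0.0.0.0", prefix)).netmask)


def is_valid_mask(mask: str) -> bool:
    """True only for a mask whose binary form is a run of ones followed by zeros."""
    try:
        mask_to_prefix(mask)
        return True
    except ValueError:
        return False


def rule_to_network(address: str, mask: str) -> ipaddress.IPv4Network:
    """The block of addresses a Trusted Network rule permits.
    strict=False clears host bits, so an address typed as 204.15.5.129 with mask
    255.255.255.224 is normalised to 204.15.5.128/27 (an assumption about how a
    mask-based rule is interpreted; the manual's own examples use the network address)."""
    return ipaddress.IPv4Network((address, mask), strict=False)


def usable_host_range(network: ipaddress.IPv4Network) -> tuple:
    """First and last host address; the network and broadcast addresses are
    excluded for blocks of /30 and larger."""
    if network.prefixlen >= 31:
        return str(network.network_address), str(network.broadcast_address)
    return str(network.network_address + 1), str(network.broadcast_address - 1)


def is_permitted(client_ip: str, rules) -> bool:
    """Would a user connecting from client_ip pass at least one of the rules?"""
    ip = ipaddress.IPv4Address(client_ip)
    return any(ip in rule_to_network(addr, mask) for addr, mask in rules)


if __name__ == "__main__":
    for addr, mask in TRUSTED_RULES:
        net = rule_to_network(addr, mask)
        print(f"{addr} / {mask} -> {net}, hosts {usable_host_range(net)}")
    for probe in ("204.15.5.13", "204.15.5.140", "204.15.5.160", "204.15.6.1"):
        print(probe, "permitted" if is_permitted(probe, TRUSTED_RULES) else "denied")
```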

4.10 OpenVPN

The LES1508A, LES1408A, LES1416A, LES1432A, LES1448A, LES1308A, LES1316A, LES1332A, LES1348A, LES1208A-R2, LES1216A-R2, LES1232 and LES1248A-R2 console servers include OpenVPN, which is based on TLS (Transport Layer Security) and SSL (Secure Socket Layer). With OpenVPN, it is easy to build cross-platform, point-to-point VPNs using x509 PKI (Public Key Infrastructure) or custom configuration files.
OpenVPN allows secure tunneling of data through a single TCP/UDP port over an unsecured network, thus providing secure access to multiple sites and secure remote administration to a console server over the Internet.
OpenVPN also allows the use of Dynamic IP addresses by both the server and client, thus providing client mobility. For example, an OpenVPN tunnel may be established between a roaming Windows client and a console server within a data centre.
Configuration of OpenVPN can be complex, so a simple GUI interface is provided for basic set up as described below. However, for more detailed information on configuring OpenVPN Access Server or client, refer to the HOW TO and FAQs at http://www.openvpn.net

4.10.1 Enable the OpenVPN

Select OpenVPN on the Serial & Networks menu
Click Add and complete the Add OpenVPN Tunnel screen
Enter any descriptive name you wish to identify the OpenVPN Tunnel you are adding, for example NorthStOutlet-VPN
Select the Device Driver to be used, either Tun-IP or Tap-Ethernet. The TUN (network tunnel) and TAP (network tap) drivers are virtual network drivers that support IP tunneling and Ethernet tunneling, respectively. TUN and TAP are part of the Linux kernel.
Select either UDP or TCP as the Protocol. UDP is the default and preferred protocol for OpenVPN.
In Tunnel Mode, nominate whether this is the Client or Server end of the tunnel. When running as a server, the advanced console server supports multiple clients connecting to the VPN server over the same port.
In Configuration Method, select the authentication method to be used. To authenticate using certificates select PKI (X.509 Certificates) or select Custom Configuration to upload custom configuration files. Custom configurations must be stored in /etc/config.
Note: If you select PKI (public key infrastructure) you will need to establish:
o Separate certificate (also known as a public key). This Certificate File will be a *.crt file type
o Private Key for the server and each client. This Private Key File will be a *.key file type
o Master Certificate Authority (CA) certificate and key which is used to sign each of the server and client certificates. This Root CA Certificate will be a *.crt file type
o For a server you may also need dh1024.pem (Diffie Hellman parameters)
Refer to http://openvpn.net/easyrsa.html for a guide to basic RSA key management. For alternative authentication methods see http://openvpn.net/index.php/documentation/howto.html#auth. For more information also see http://openvpn.net/howto.html
Check or uncheck the Compression button to enable or disable compression, respectively

4.10.2 Configure as Server or Client

Complete the Client Details or Server Details depending on the Tunnel Mode selected.
o If Client has been selected, the Primary Server Address will be the address of the OpenVPN Server.
o If Server has been selected, enter the IP Pool Network address and the IP Pool Network mask for the IP Pool. The network defined by the IP Pool Network address/mask is used to provide the addresses for connecting clients.
Click Apply to save changes
To enter authentication certificates and files, Edit the OpenVPN tunnel. Select the Manage OpenVPN Files tab. Upload or browse to the relevant authentication certificates and files.
Apply to save changes. Saved files will be displayed in red on the right-hand side of the Upload button.
To enable OpenVPN, Edit the OpenVPN tunnel
Check the Enabled button. Apply to save changes
Note: Please make sure that the console server system time is correct when working with OpenVPN. Otherwise authentication issues may arise
Select Statistics on the Status menu to verify that the tunnel is operational.

4.10.3 Windows OpenVPN Client and Server set up

Windows does not come with an OpenVPN server or client. This section outlines the installation and configuration of a Windows OpenVPN client or a Windows OpenVPN server and setting up a VPN connection to a console server.
The OpenVPN GUI for Windows software (which includes the standard OpenVPN package plus a Windows GUI) can be downloaded from http://openvpn.se/download.html.
Once installed on the Windows machine, an OpenVPN icon will have been created in the Notification Area located in the right side of the taskbar. Right click on this icon to start (and stop) VPN connections, and to edit configurations and view logs
When the OpenVPN software is started, the C:\Program Files\OpenVPN\config folder will be scanned for “.ovpn” files. This folder will be rechecked for new configuration files whenever the OpenVPN GUI icon is right-clicked. So once OpenVPN is installed, a configuration file will need to be created:
Using a text editor, create an xxxx.ovpn file and save it in C:\Program Files\OpenVPN\config. For example, C:\Program Files\OpenVPN\config\client.ovpn
An example of an OpenVPN Windows client configuration file is shown below:
# description: les1216_client
client
proto udp
verb 3
dev tun
remote 192.168.250.152
port 1194
ca c:\\openvpnkeys\\ca.crt
cert c:\\openvpnkeys\\client.crt
key c:\\openvpnkeys\\client.key
nobind
persist-key
persist-tun
comp-lzo
An example of an OpenVPN Windows Server configuration file is shown below:
server 10.100.10.0 255.255.255.0
port 1194
keepalive 10 120
proto udp
mssfix 1400
persist-key
persist-tun
dev tun
ca c:\\openvpnkeys\\ca.crt
cert c:\\openvpnkeys\\server.crt
key c:\\openvpnkeys\\server.key
dh c:\\openvpnkeys\\dh.pem
comp-lzo
verb 1
syslog LES1216_OpenVPN_Server
The Windows client/server configuration file options are:
Option / Description
#description:
    This is a comment describing the configuration. Comment lines start with a ‘#’ and are ignored by OpenVPN.
client / server
    Specify whether this will be a client or server configuration file. In the server configuration file, define the IP address pool and netmask. For example, server 10.100.10.0 255.255.255.0
proto udp / proto tcp
    Set the protocol to UDP or TCP. The client and server must use the same settings.
mssfix <max. size>
    Mssfix sets the maximum size of the packet. This is only useful for UDP if problems occur.
verb <level>
    Set log file verbosity level. Log verbosity level can be set from 0 (minimum) to 15 (maximum). For example, 0 = silent except for fatal errors; 3 = medium output, good for general usage; 5 = helps with debugging connection problems; 9 = extremely verbose, excellent for troubleshooting
dev tun / dev tap
    Select ‘dev tun’ to create a routed IP tunnel or ‘dev tap’ to create an Ethernet tunnel. The client and server must use the same settings.
remote <host>
    The hostname/IP of the OpenVPN server when operating as a client. Enter either the DNS hostname or the static IP address of the server.
port
    The UDP/TCP port of the server.
keepalive
    Keepalive uses ping to keep the OpenVPN session alive. ‘keepalive 10 120’ pings every 10 seconds and assumes the remote peer is down if no ping has been received over a 120 second time period.
http-proxy <proxy server> <proxy port #>
    If a proxy is required to access the server, enter the proxy server DNS name or IP and port number.
ca <file name>
    Enter the CA certificate file name and location. The same CA certificate file can be used by the server and all clients. Note: Ensure each ‘\’ in the directory path is replaced with ‘\\’. For example, c:\openvpnkeys\ca.crt will become c:\\openvpnkeys\\ca.crt
cert <file name>
    Enter the client’s or server’s certificate file name and location. Each client should have its own certificate and key files. Note: Ensure each ‘\’ in the directory path is replaced with ‘\\’.
key <file name>
    Enter the file name and location of the client’s or server’s key. Each client should have its own certificate and key files. Note: Ensure each ‘\’ in the directory path is replaced with ‘\\’.
dh <file name>
    This is used by the server only. Enter the path to the key with the Diffie-Hellman parameters.
nobind
    ‘nobind’ is used when clients do not need to bind to a local address or specific local port number. This is the case in most client configurations.
persist-key
    This option prevents the reloading of keys across restarts.
persist-tun
    This option prevents the close and reopen of TUN/TAP devices across restarts.
cipher BF-CBC (default) Blowfish / cipher AES-128-CBC AES / cipher DES-EDE3-CBC Triple-DES
    Select a cryptographic cipher. The client and server must use the same settings.
comp-lzo
    Enable compression on the OpenVPN link. This must be enabled on both the client and the server.
syslog
    By default, logs are located in syslog or, if running as a service on Windows, in the \Program Files\OpenVPN\log directory.
To initiate the OpenVPN tunnel following the creation of the client/server configuration files:
Right click on the OpenVPN icon in the Notification Area
Select the newly created client or server configuration. For example, LES1216_client
Click ‘Connect’ as shown below
The log file will be displayed as the connection is established
Once established, the OpenVPN icon will display a message notifying of the successful
connection and assigned IP. This information, as well as the time the connection was established,
is available anytime by scrolling over the OpenVPN icon.
Note: An alternate OpenVPN Windows client can be downloaded from
http://www.openvpn.net/index.php/openvpn-client/downloads.html. Refer to
http://www.openvpn.net/index.php/openvpn-client/howto-openvpn-client.html for help
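Several options in the table above carry the same caveat: the client and server must use the same setting, and every ‘\’ in a Windows path must be doubled. The Python checker below is an added example (not part of this manual or of OpenVPN) that parses the two sample files above plus a constructed faulty client and reports every mismatch before the tunnel is attempted; treating BF-CBC as the cipher in force when a file has no cipher line follows the “(default)” entry in the table.

```python
import re

# Configuration text copied from the manual's Windows client and server examples.
CLIENT_OVPN = r"""
# description: les1216_client
client
proto udp
verb 3
dev tun
remote 192.168.250.152
port 1194
ca c:\\openvpnkeys\\ca.crt
cert c:\\openvpnkeys\\client.crt
key c:\\openvpnkeys\\client.key
nobind
persist-key
persist-tun
comp-lzo
"""

SERVER_OVPN = r"""
server 10.100.10.0 255.255.255.0
port 1194
keepalive 10 120
proto udp
mssfix 1400
persist-key
persist-tun
dev tun
ca c:\\openvpnkeys\\ca.crt
cert c:\\openvpnkeys\\server.crt
key c:\\openvpnkeys\\server.key
dh c:\\openvpnkeys\\dh.pem
comp-lzo
verb 1
syslog LES1216_OpenVPN_Server
"""

# Constructed faulty client: wrong protocol, a cipher the server does not use,
# and a CA path whose backslashes were not doubled.
BAD_CLIENT_OVPN = r"""
client
proto tcp
dev tun
remote 192.168.250.152
port 1194
cipher AES-128-CBC
ca c:\openvpnkeys\ca.crt
cert c:\\openvpnkeys\\client.crt
key c:\\openvpnkeys\\client.key
comp-lzo
"""

MUST_MATCH = ("proto", "dev", "comp-lzo", "cipher")  # both ends must agree on these
PATH_OPTIONS = ("ca", "cert", "key", "dh")
DEFAULT_CIPHER = ["BF-CBC"]  # in force when a file has no cipher line
LONE_BACKSLASH = re.compile(r"(?<!\\)\\(?!\\)")  # a '\' that is not part of a '\\' pair


def parse_ovpn(text: str) -> dict:
    """Return {directive: [args]}; '#' and ';' lines are comments, as in OpenVPN.
    A repeated directive keeps its last occurrence."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        name, *args = line.split()
        conf[name] = args
    return conf


def _show(value) -> str:
    return "<absent>" if value is None else (" ".join(value) or "<set>")


def check_pair(client: dict, server: dict) -> list:
    """Return findings for the pair; an empty list means the files agree."""
    findings = []
    if "client" not in client:
        findings.append("client file lacks the 'client' directive")
    if "server" not in server:
        findings.append("server file lacks 'server <network> <netmask>'")
    if "remote" not in client:
        findings.append("client file has no 'remote <host>' line")
    if "dh" not in server:
        findings.append("server file has no 'dh <file>' line (Diffie-Hellman parameters)")
    for opt in MUST_MATCH:
        default = DEFAULT_CIPHER if opt == "cipher" else None
        c, s = client.get(opt, default), server.get(opt, default)
        if c != s:
            findings.append(f"'{opt}' differs: client={_show(c)} server={_show(s)}")
    if client.get("port") != server.get("port"):
        findings.append(f"'port' differs: client={_show(client.get('port'))} "
                        f"server={_show(server.get('port'))}")
    for side, conf in (("client", client), ("server", server)):
        for opt in PATH_OPTIONS:
            if conf.get(opt) and LONE_BACKSLASH.search(conf[opt][0]):
                findings.append(f"{side} '{opt}' path {conf[opt][0]}: "
                                "each '\\' must be written as '\\\\'")
    return findings
```

Running check_pair over the manual’s pair returns no findings, while the constructed client yields three.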

4.11 PPTP VPN

The LES1508A, LES1408A, LES1416A, LES1432A, LES1448A, LES1308A, LES1316A, LES1332A, LES1348A, LES1208A-R2, LES1216A-R2, LES1232 and LES1248A-R2 console servers include a PPTP (Point-to-Point Tunneling Protocol) server. PPTP is typically used for communications over a physical or virtual serial link. The PPP endpoints define a virtual IP address to themselves. Routes to networks can then be defined with these IP addresses as the gateway, which results in traffic being sent across the tunnel. PPTP establishes a tunnel between the physical PPP endpoints and securely transports data across the tunnel.
The strength of PPTP is its ease of configuration and integration into existing Microsoft infrastructure. It is generally used for connecting single remote Windows clients. If you take your portable computer on a business trip, you can dial a local number to connect to your Internet access service provider (ISP) and then create a second connection (tunnel) into your office network across the Internet and have the same access to your corporate network as if you were connected directly from your office. Similarly, telecommuters can also set up a VPN tunnel over their cable modem or DSL links to their local ISP.
To set up a PPTP connection:
1. Enable and configure the PPTP VPN server on your console server
2. Set up VPN user accounts on the console server and enable the appropriate authentication
3. Configure the VPN clients at the remote sites. The client does not require special software as the PPTP Server supports the standard PPTP client software included with Windows XP/NT/2000/7 and Vista
4. Connect to the remote VPN

4.11.1 Enable the PPTP VPN server

Select PPTP VPN on the Serial & Networks menu
_____________________________________________________________________
724-746-5500 | blackbox.com Page 77
Page 78
Select the Enable check box to enable the PPTP Server Select the Minimum Authentication Required. Access is denied to remote users attempting to
connect using an authentication scheme weaker than the selected scheme. The schemes are described below, from strongest to weakest .
Encrypted Authentication (MS-CHAP v2): The st rongest type of authentication to use; this is the recommended option
Weakly Encrypted Authentication (CHAP): This is the weakest type of encrypted password authentication to use. It is not recommended that clients connect using this as it provides very little password protection. Also note that clients connecting using CHAP are unable to encrypt traffic
Unencrypted Authentication (PAP): This is plain text password authentication. When using this type of authentication, the client password is t ransmitted unencrypted.
None
Select the Required Encryption Level. Access is denied to remote users attempting to connect not using this encryption level. Strong 40 bit or 128 bit encryption is recommended
In Local Address enter the IP address to assign to the server's end of the VPN connection
In Remote Addresses enter the pool of IP addresses to assign to the incoming clients' VPN connections (e.g. 192.168.1.10-20). This must be a free IP address (or a range of free IP addresses), from the network (typically the LAN) that remote users are assigned while connected to the Console server
Enter the desired value of the Maximum Transmission Unit (MTU) for the PPTP interfaces into the MTU field (defaults to 1400)
In the DNS Server field, enter the IP address of the DNS server that assigns IP addresses to connecting PPTP clients
In the WINS Server field, enter the IP address of the WINS server that assigns IP addresses to connecting PPTP clients
Enable Verbose Logging to assist in debugging connection problems
Click Apply Settings

4.11.2 Add a PPTP user

Select Users & Groups on the Serial & Networks menu and complete the fields as covered in section 4.2.
Ensure the pptpd Group has been checked, to allow access to the PPTP VPN server. Note - users in this group will have their password stored in clear text.
Keep note of the username and password for when you need to connect to the VPN connection
Click Apply

4.11.3 Set up a remote PPTP client

Ensure the remote VPN client PC has Internet connectivity. To create a VPN connection across the Internet, you must set up two networking connections. One connection is for the ISP, and the other connection is for the VPN tunnel to the console server .
Note: This procedure sets up a PPTP client in the Windows 7 Professional operating system. The steps may vary slightly depending on your network access or if you are using an alternate version of Windows. More detailed instructions are available from the Microsoft web site.
Login to your Windows client with administrator privileges
From the Network & Sharing Center on the Control Panel select Network Connections and create a new connection
Select Use My Internet Connection (VPN) and enter the IP Address of the console server
Note: To connect remote VPN clients to the local network, you need to know the user name and password for the PPTP account you added, as well as the Internet IP address of the console server. If your ISP has not allocated you a static IP address, consider using a dynamic DNS service. Otherwise you must modify the PPTP client configuration each time your Internet IP address changes.
Chapter 5 Firewall, Failover and OoB Dial Access

FIREWALL, FAILOVER AND OoB DIAL-IN

Introduction

The console server has a number of fail-over and out-of-band access capabilities to make sure it’s available if there are difficulties accessing the console server through the principal network path. The console server also has routing, NAT (Network Address Translation), packet filtering and port forwarding support.
This chapter covers:
- out-of-band (OoB) access from a remote location using dial-up modem
- out-dial failover
- OoB access using an alternate broadband link (LES1508A, LES1408A, LES1416A, LES1432A, LES1448A, LES1308A, LES1316A, LES1332A, LES1348A, LES1208A-R2, LES1216A-R2, LES1232 and LES1248A-R2 models only)
- broadband failover
- firewall and routing

5.1 OoB Dial-In Access

To enable OoB dial-in access, you first configure the console server. Once it’s set up for dial-in PPP access, the console server will await an incoming dial-in connection. Set up the remote client dial-in software so it can establish a network connection from the Administrator’s client modem to the dial-in modem on the console server.
Note The LES1208A-R2, LES1216A-R2, LES1232 and LES1248A-R2 models all have an internal modem and a DB9 Local/Console port for OoB access. With these models, you can still attach an external modem via a serial cable to the DB9 port, and you can configure the second Ethernet port for broadband OoB access.
Make sure you unplug the console server power before installing the modem. When it next boots, it will detect the modem and a PC Card Modem tab will appear under System -> Dial.
The LES1508A, LES1408A, LES1416A, LES1432A, LES1448A, LES1308A, LES1316A, LES1332A, LES1348A, LES1108A, LES1116A, LES1132 and LES1148A models need to have an external modem attached via a serial cable to the DB9 port marked Local (located on the front of the unit).

5.1.1 Configure Dial-In PPP

To enable dial-in PPP access on the modem:
Select the System: Dial menu option and the port to be configured (Serial DB9 Port or Internal Modem Port).
Check Enable Dial-In.
Note The console server console/modem serial port is set by default to 115200 baud, No parity, 8 data bits and 1 stop bit, with software (Xon-Xoff) flow control enabled for the Serial DB9 Port and 9600 baud for the Internal modem and PC Card Ports. When enabling OoB dial-in, we recommend that this be changed to 38,400 baud with Hardware Flow Control.
Select the Baud Rate and Flow Control that will communicate with the modem.
Click Apply
Note You can further configure the console/modem port (for example, to include modem init strings) by editing /etc/mgetty.config files as described in Chapter 15—Advanced Configuration.
In the Remote Address field, enter the IP address to be assigned to the dial-in client. You can select any address for the Remote IP Address. It, and the Local IP Address, must both be in the same network range (e.g. 200.100.1.12 and 200.100.1.67).
In the Local Address field, enter the IP address for the Dial-In PPP Server. This is the IP address that will be used by the remote client to access the console server once the modem connection is established. You can select any address for the Local IP Address but it must be in the same network range as the Remote IP Address.
The Default Route option enables the dialed PPP connection to become the default route for the Console server.
The Custom Modem Initialization option allows you to enter a custom AT modem initialization string (for example, AT&C1&D3&K3).
You must select the Authentication Type to apply to the dial-in connection. The console server uses authentication to challenge Administrators who dial-in to the console server. (For dial-in access, the username and password received from the dial-in client are verified against the local authentication database stored on the console server). The Administrator must also configure the client PC/workstation to use the selected authentication scheme. Select PAP, CHAP, MSCHAPv2, or None, and click Apply.
None: With this selection, no username or password authentication is required for dial-in access. We do not recommend this.
PAP: Password Authentication Protocol (PAP) is the usual method of user authentication used on the internet: sending a username and password to a server where they are compared with a table of authorized users. While most common, PAP is the least secure of the authentication options.
CHAP: Challenge-Handshake Authentication Protocol (CHAP) is used to verify a user's name and password for PPP Internet connections. It is more secure than PAP, the other main authentication protocol.
MSCHAPv2: Microsoft Challenge Handshake Authentication Protocol (MSCHAP) is authentication for PPP connections between a computer using a Microsoft Windows operating system and a network access server. It is more secure than PAP or CHAP, and is the only option that also supports data encryption.
Note: The User name and Password to be used for the dial-in PPP link are set up when the User is initially set up with dialin Group membership. The dialin Group supports multiple dial-in users. Any dial-back phone numbers are also configured when the User is set up.
Note Chapter 15—Advanced Configuration has examples of Linux commands that you can use to control the modem port operation at the command line level.

5.1.2 Using SDT Connector client

Administrators can use their SDT Connector client to set up secure OoB dial-in access to all their remote console servers. With a point and click, you can initiate a dial up connection. Refer to Chapter 6.5.

5.1.3 Set up Windows XP/ 2003/Vista/7 client

Open Network Connections in Control Panel and click the New Connection Wizard.
Select Connect to the Internet and click Next.
On the Getting Ready screen, select Set up my connection manually and click Next.
On the Internet Connection screen, select Connect using a dial-up modem and click Next.
Enter a Connection Name (any name you choose) and the dial-up Phone number that will connect through to the console server modem.
Enter the PPP User name and Password you set up for the console server.

5.1.4 Set up earlier Windows clients

For Windows 2000, the PPP client set up procedure is the same as above, except you get to the Dial-Up Networking Folder by clicking the Start button and selecting Settings. Then, click Network and Dial-up Connections and click Make New Connection.
Similarly, for Windows 98, you double click My Computer on the Desktop, then open Dial-Up Networking and double click Make New Connection. Then, proceed as above.

5.1.5 Set up Linux clients for dial-in

The online tutorial http://www.yolinux.com/TUTORIALS/LinuxTutorialPPP.html presents a selection of methods for establishing a dial up PPP connection:
- Command line PPP and manual configuration (works with any Linux distribution).
- Using the Linuxconf configuration tool (for Red Hat compatible distributions). This configures the scripts ifup/ifdown to start and stop a PPP connection.
- Using the Gnome control panel configuration tool.
- WVDIAL and the Redhat “Dialup configuration tool”.
- GUI dial program X-isp. Download/Installation/Configuration.
Note For all PPP clients:
- Set the PPP link up with TCP/IP as the only protocol enabled.
- Specify that the Server will assign IP address and do DNS.
- Do not set up the console server PPP link as the default for Internet connection.

5.2 OoB broadband access

The LES1508A, LES1408A, LES1416A, LES1432A, LES1448A, LES1308A, LES1316A, LES1332A, LES1348A, LES1208A-R2, LES1216A-R2, LES1232A and LES1248A-R2 console servers have a second Ethernet port (Network 2) that you can configure for alternate and OoB (out-of-band) broadband access. With two active broadband access paths to the console server, if you are unable to access it through the primary management network (Network or Network1), you can still access it through the alternate broadband path (for example, a T1 link).
On the System: IP menu select Network 2 and configure the IP Address, Subnet Mask, Gateway, and DNS with the access settings for the alternate link.
Make sure that when you configure the principal Network 1 Settings connection, the Failover Interface is set to None.

5.3 Broadband Ethernet Failover

The second Ethernet port on the LES1508A, LES1408A, LES1416A, LES1432A, LES1448A, LES1308A, LES1316A, LES1332A, LES1348A, LES1208A-R2, LES1216A-R2, LES1232A and LES1248A-R2 console servers can also be configured for failover to ensure transparent high availability.
When configuring the principal network connection, specify Network 2 (eth1) as the Failover Interface to use when a fault is detected with Network 1 (eth0).
Specify the Probe Addresses of two sites (the Primary and Secondary) that the Advanced Console Server is to ping to determine if Network 1 (eth0) is still operating.
On the Management LAN Interface - Network 2, configure the IP Address/Subnet Mask/Gateway the same as Network Interface - Network 1.
In this mode, Network 2 (eth1) is available as the transparent back-up port to Network 1 (eth0) for accessing the management network. Network 2 will automatically and transparently take over the work of Network 1, if Network 1 becomes unavailable for any reason. When Network 1 becomes available again, it takes over the work again.

5.4 Dial-Out Failover

The internal or externally attached modem on the console server can be set up either
- in Failover mode, where a dial-out connection is only established in the event of a ping failure, or
- with the dial-out connection always on
In both of the above cases in the event of a disruption in the dial-out connection, the console server will endeavor to re-establish the connection.

5.4.1 Always-on dial-out

The console server modem can be configured for out-dial to be always on, with a permanent external dial-up ppp connection.
Select the System: Dial menu option and check Enable Dial-Out to allow outgoing modem communications
Select the Baud Rate and Flow Control that will communicate with the modem
In the Dial-Out Settings - Always On Out-of-Band field enter the access details for the remote PPP server to be called
Override DNS is available for PPP Devices such as modems. Override DNS allows the use of alternate DNS servers from those provided by your ISP. For example, an alternative DNS may be required for OpenDNS used for content filtering.
To enable Override DNS, check the Override returned DNS Servers box. Enter the IP of the DNS servers into the spaces provided.

5.4.2 Failover dial-out

The console server modem can be configured so a dial-out PPP connection is automatically set up in the event of a disruption in the principal management network.
When configuring the principal network connection in System: IP specify the Failover Interface that will be used when a fault has been detected with Network / Network1 (eth0). This can be either Internal Modem or the Dial Serial DB9 (if you are using an external modem on the Console port) or USB Modem
Specify the Probe Addresses of two sites (the Primary and Secondary) that the IMG/IM console server is to ping to determine if Network / Network1 is still operational
Select the System: Dial menu option and the port to be configured (Serial DB9 Port or PC Card or Internal Modem Port)
Select the Baud Rate and Flow Control that will communicate with the modem
Note You can further configure the console/modem port (for example, to include modem init strings) by editing /etc/mgetty.config files as described in Chapter 13.

5.5 Cellular Modem Connection

The LES1408A, LES1416A, LES1432A, LES1448A, LES1308A, LES1316A, LES1332A and LES1348A console servers have an internal cellular modem. The LES1508A, LES1208A-R2, LES1216A-R2, LES1232A and LES1248A-R2 console servers support external cellular modems.
- These modems first need to be set up to validate they can connect to the carrier network.
- They then can be configured for operation in Failover mode, OOB mode, Cellular router mode or CSD mode.

5.6.1 Connect to the GSM HSUPA/UMTS carrier network

The LES1308A, LES1316A, LES1332A and LES1348A console servers have an internal GSM modem that will connect to any major GSM carrier globally. The LES1508A, LES1208A-R2, LES1216A-R2, LES1232A and LES1248A-R2 console servers also support attaching an external USB GSM/HSPA cellular modem from Sierra Wireless to one of its USB 2.0 ports.
Before powering on the console server you must install the SIM card provided by your cellular carrier, and attach the external aerial.
Select Internal Cellular Modem panel on the System: Dial menu
Check Enable Dial-Out Settings
Note: Your 3G carrier may have provided you with details for configuring the connection including APN (Access Point Name), Pin Code (optional PIN code which may be required to unlock the SIM card), Phone Number (the sequence to dial to establish the connection, defaults to *99***1#), Username/Password (optional) and Dial string (optional AT commands). However you generally will only need to enter your provider’s APN and leave the other fields blank.
Enter the carrier’s APN e.g. for AT&T (USA) simply enter i2gold, for T-Mobile (USA) enter epc.tmobile.com, for InterNode (Aust) enter internode and for Telstra (Aust) enter telstra.internet
If the SIM Card is configured with a PIN Code, you will be required to unlock the Card by entering the PIN Code. If the PIN Code is entered incorrectly three times, then the PUK Code will be required to unlock the Card.
You may also need to set Override DNS to use alternate DNS servers from those provided by your carrier.
To enable Override DNS, check the Override returned DNS Servers box. Enter the IP of the DNS servers into the spaces provided.
Check Apply and a radio connection will be established with your cellular carrier
5.6.2 Connect to the CDMA EV-DO carrier network

The LES1408A, LES1416A, LES1432A and LES1448A console servers have an internal CDMA modem. The LES1508A, LES1208A-R2, LES1216A-R2, LES1232A and LES1248A-R2 console servers also support attaching an external USB CDMA cellular modem from Sierra Wireless to one of its USB 2.0 ports. Both will connect to the Verizon network in North America.
After creating an account with the CDMA carrier some carriers require an additional step to provision the Internal Cellular Modem, referred to as Provisioning. Your console server supports:
- Over-the-Air Service Provisioning (OTASP) where modem specific parameters can be retrieved via a voice call to a special phone number, and
- a manual process where the phone number and other parameters can be entered manually
OTASP Activation:
Before activating over the air, you will need to establish a data plan then register the device for activation.
Contact your carrier and provide them with your ESN (Electronic Serial Number) which can be found on the white label on the underside of the console server.
Select Internal Cellular Modem panel on the System: Dial menu. A particular phone number will need to be dialed to complete OTASP e.g. Verizon uses *22899, Telus uses *22886.
Click Activate to initiate the OTASP call. The process is successful if no errors are displayed and you no longer see the CDMA Modem Activation form. (If OTASP is unsuccessful you can consult the System Logs for clues to what went wrong at Status: Syslog).
When OTASP has completed successfully you can proceed to enabling the Internal Cellular Modem by entering the carrier's phone number (which defaults to #777)
Click Apply. The Cellular statistics page on Status: Statistics will display the current state of the modem.
OTASP success will result in a valid phone number being placed in the NAM Profile Account MDN field.
Manual Activation:
Some carriers may not support OTASP in which case it may be necessary to manually provision the modem.
Select Internal Cellular Modem panel on the System: Dial menu
Enter the MSL, MDN and MSID values. These values are specific to your carrier and for manual activation you will have to investigate what values your carrier uses in each field. For example Verizon have been known to use an MSL of 000000 and the phone number assigned to your console server device as both the MDN and MSID with no spaces or hyphens e.g. “5551231234” for “555-123-1234”
Click Activate. If no errors occur you will see the new values entered into the NAM Profile at the Cellular page on Status: Statistics
Navigate to the Internal Cellular Modem tab on System: Dial. To connect to your carrier's 3G network enter the appropriate phone number (usually #777) and a Username and Password if directed to by your account/plan documentation
Select Enable and then click Apply to initiate the Always On Out-of-Band connection

5.6.3 Verify cellular connection

Out-of-band access is enabled by default so the cellular modem connection should now be on.
You can verify the connection status from the Status: Statistics
o Select the Cellular tab and in Service Availability verify Mode is set to Online
o Select Failover & Out-of-Band and the Connection Status reads Connected
o You can check your allocated IP address
You can measure the received signal strength from the Cellular Statistics page on the Status: Statistics screen. This will display the current state of the cellular modem including the Received Signal Strength Indicator (RSSI)
Note: Received Signal Strength Indicator (RSSI) is a measurement of the Radio Frequency (RF) power present in a received radio signal at the mobile device. It is generally expressed in dBm and the best throughput comes from placing the device in an area with the highest RSSI.
-100 dBm or less = Unacceptable coverage
-99 dBm to -90 dBm = Weak Coverage
-89 dBm to -70 dBm = Medium to High Coverage
-69 dBm or greater = Strong Coverage
With the cellular modem connection on you can also see the connection status from the LEDs on top of the unit

5.6.4 Cellular modem watchdog

When you select Enable Dial-Out on the System: Dial menu you will be given the option to configure a cellular modem watchdog service (with firmware V3.5.2u13 and later). This service will periodically ping a configurable IP address. If a threshold number of consecutive attempts fail, the service will cause the unit to reboot. This can be used to force a clean restart of the modem and its services to work around any carrier issues.
5.7 Cellular Operation

When set up as a console server the 3G cellular modem can be set up to connect to the carrier in either:
- Failover mode. In this case a dial-out cellular connection is only established in event of a ping failure
- OOB mode. In this mode the dial-out connection to the carrier cellular network is always on - awaiting any incoming access (from a remote site wanting to access the console server or attached serial consoles/network hosts)
- Cellular router mode. Again in this case the dial-out connection to the carrier cellular network is always on, but IP traffic is routed between the cellular connected network and the console server’s local network ports
- Circuit Switched Data (CSD) mode. In this dial-in mode the cellular modem can receive incoming calls from remote modems which dial a special Data Terminating number

5.7.1 OOB access set up

Out-of-band access is enabled by default and the cellular modem connection is always on. However to be directly accessed the console server needs to have a Public IP address and it must not have SSH access firewalled.
Almost all carriers offer corporate mobile data service/plans with a Public (static or dynamic) IP address. These plans often have a service fee attached.
If you have such a static Public IP address plan you can also now try accessing the console server using the Public IP Address provided by the carrier. However by default only HTTPS and SSH access is enabled on the OOB connection. So you can browse to the console server, but you cannot ping it
If you have a dynamic Public IP address plan then a DDNS service will need to be configured to enable the remote administrator to initiate incoming access. Once this is done you can then also try accessing the console server using the allocated domain name
By default most providers offer a consumer grade service which provides dynamic Private IP address assignments to 3G devices. This IP address is not visible across the Internet but generally it is adequate for home and general business use.
With such a plan the Failover & Out-of-Band tab on the Status: Statistics screen will identify that your carrier has allocated you a Private IP Address (i.e. in the range 10.0.0.0 – 10.255.255.255, 172.16.0.0 – 172.31.255.255 or 192.168.0.0 – 192.168.255.255)
In out of band access mode the internal cellular modem will continually stay connected. The alternative is to set up Failover mode on the console server as detailed in the next section.

5.7.2 Cellular failover setup

Once you have configured the carrier connection, the cellular modem can be configured for failover. This will tell the cellular connection to remain idle in a low power state. If the primary and secondary probe addresses are not available it will bring up the cellular connection and connect back to the cellular carrier.
Navigate back to the Network Interface on the System: IP menu and specify Internal Cellular modem (cell modem 01) as the Failover Interface to be used when a fault has been detected
Specify the Probe Addresses of two sites (the Primary and Secondary) that the console server is to ping to determine if the principal network is still operational
In event of a failure of the principal network the 3G network connection is activated as the access path to the console server (and its Managed Devices). Only HTTPS and SSH access is enabled on the failover connection (which should enable the administrator to connect and fix the problem)
Note: By default, the console server supports automatic failure-recovery back to the original state prior to failover. The console server continually pings probe addresses whilst in original and failover states. The original state will automatically be set as a priority and reestablished following three successful pings of the probe addresses during failover. The failover state will be removed once the original state has been re-established.
For earlier firmware that does not support automatic failure-recovery, to restore networking to a recovered state the following command then needs to be run:
rm -f /var/run/*-failed-over && config -r ipconfig
If required, you can run a custom bash script when the device fails over. It is possible to use this script to implement automatic failure recovery, depending on your network setup. The script to create is:
/etc/config/scripts/interface-failover-alert
You can check the connection status by selecting the Cellular panel on the Status: Statistics menu
o The Operational Status will change as the cellular modem finds a channel and connects to the network
o The Failover & Out-of-Band screen will display information relating to a configured Failover/OOB interface and the status of that connection. The IP Address of the Failover/OOB interface will be presented in the Failover & Out-of-Band screen once the Failover/OOB interface has been triggered

5.7.3 Cellular routing

Once you have configured carrier connection, the cellular modem can be configured to route traffic through the console server. This requires setting up forwarding and masquerading - as detailed in Chapter 5.8.

5.7.4 Cellular CSD dial-in setup

Once you have configured the carrier connection, the cellular modem can be configured to receive Circuit Switched Data (CSD) calls.
Note: CSD is a legacy form of data transmission developed for the TDMA based mobile phone systems like GSM. CSD uses a single radio time slot to deliver 9.6kb/s data transmission to the GSM Network and Switching Subsystem where it could be connected through the equivalent of a normal modem to the Public Switched Telephone Network (PSTN) allowing direct calls to any dial-up service. CSD is provided selectively by carriers and it is important you receive a Data Terminating number as part of the mobile service your carrier provides. This is the number which external modems will call to access the console server
Select the Cellular Modem panel on the System: Dial menu
Check Enable Dial-In and configure the Dial-In Settings
5.8 Firewall & Forwarding

The console server has routing, NAT, packet filtering and port forwarding support on all physical and virtual network interfaces.
This enables the console server to function as an Internet or external network gateway:
Network Forwarding allows the network packets on one network interface (i.e. LAN1/eth0) to be forwarded to another network interface (i.e. LAN2/eth1 or dial-out/cellular). So locally networked devices can IP connect through the console server to devices on remote networks.
IP Masquerading is used to allow all the devices on your local private network to hide behind and share the one public IP address when connecting to a public network. This type of translation is only used for connections originating within the private network destined for the outside public network, and each outbound connection is maintained by using a different source IP port number.
When using IP Masquerading, devices on the external network cannot initiate connections to devices on the internal network.
Port Forwards allows external users to connect to a specific port on the external interface of the console server/cellular router and be redirected to a specified internal address for a device on the internal network.
With Firewall Rules, packet filtering inspects each packet passing through the firewall and accepts or rejects it based on user-defined rules.
Then Service Access Rules can be set for connecting to the console server/router itself

5.8.1 Configuring network forwarding and IP masquerading

To use a console server as an Internet or external network gateway requires establishing an external network connection and then setting up forwarding and masquerading.
Note: Network forwarding allows the network packets on one network interface (i.e. LAN1/eth0) to be forwarded to another network interface (i.e. LAN2/eth1 or dial-out/cellular). So locally networked devices can IP connect through the console server to devices on remote networks. IP masquerading is used to allow all the devices on your local private network to hide behind and share the one public IP address when connecting to a public network. This type of translation is only used for connections originating within the private network destined for the outside public network, and each outbound connection is maintained by using a different source IP port number.
By default, all console server models are configured so that they will not route traffic between networks. To use the console server as an Internet or external network gateway, forwarding must be enabled so that traffic can be routed from the internal network to the Internet/external network:
Navigate to the System: Firewall page, and then click on the Forwarding & Masquerading tab
Find the Source Network to be routed, and then tick the relevant Destination Network to enable Forwarding
IP Masquerading is generally required if the console server will be routing to the Internet, or if the external network being routed to does not have routing information about the internal network behind the console server.
IP Masquerading performs Source Network Address Translation (SNAT) on outgoing packets, to make them appear like they've come from the console server (rather than devices on the internal network). When response packets come back from devices on the external network, the console server will translate the packet address back to the internal IP, so that it is routed correctly. This allows the console server to provide full outgoing connectivity for internal devices using a single IP Address on the external network.
By default IP Masquerading is disabled for all networks. To enable masquerading:
Select the Forwarding & Masquerading panel on the System: Firewall menu
Check Enable IP Masquerading (SNAT) on the network interfaces where masquerading is to be enabled
Generally this masquerading would be applied to any interface that is connecting with a public network such as the Internet.

5.8.2 Configuring client devices

Client devices on the local network must be configured with Gateway and DNS settings. This can be done statically on each device, or using DHCP.
Manual Configuration:
Manually set a static gateway address (being the address of the console server) and set the DNS server address to be the same as used on the external network i.e. if the console server is acting as an internet gateway or a cellular router, then use the ISP provided DNS server address.
DHCP Configuration:
Navigate to the System: IP page
Click the tab of the interface connected to the internal network. To use DHCP, a static address must be set; check that the static IP and subnet mask fields are set.
Click on the Disabled link next to DHCP Server, which will bring up the System: DHCP Server page
Check Enable DHCP Server
To configure the DHCP server, tick the Use interface address as gateway check box
Set the DNS server address(es) to be the same as used on the external network, i.e. if the console server is acting as an internet gateway or a cellular router, then use the ISP provided DNS server address
Enter the Default Lease time and Maximum Lease time in seconds. The lease time is the time that a dynamically assigned IP address is valid before the client must request it again
Click Apply
The DHCP server will sequentially issue IP addresses from a specified address pool(s):
Click Add in the Dynamic Address Allocation Pools field
Enter the DHCP Pool Start Address and End Address and click Apply
The DHCP server also supports pre-assigning IP addresses to be allocated only to specific MAC addresses, and reserving IP addresses to be used by connected hosts with fixed IP addresses. To reserve an IP address for a particular host.
Once applied, devices on the internal network will be able to access resources on the external network.
Note: The DHCP server feature is available only on the LES1508A, LES1408A, LES1416A, LES1432A, LES1448A, LES1308A, LES1316A, LES1332A, LES1348A, LES1208A-R2, LES1216A-R2, LES1232A and LES1248A-R2 console servers. It is not supported on LES1108A, LES1116A, LES1132A and LES1148A console servers.

5.8.3 Port forwarding

When using IP Masquerading, devices on the external network cannot initiate connections to devices on the internal network.
To work around this, Port Forwards can be set up to allow external users to connect to a specific port, or range of ports, on the external interface of the console server/cellular router, and have the console server/cellular router redirect the data to a specified internal address and port range. To set up a port forward:
Navigate to the System: Firewall page, and click on the Port Forwarding tab
Click Add New Port Forward
Fill in the following fields:
Name: Name for the port forward. This should describe the target and the service that the port forward is used to access
Input Interface: This allows the user to only forward the port from a specific interface. In most cases, this should be left as "Any"
Source Address: This allows the user to restrict access to a port forward to a specific address. In most cases, this should be left blank; where the external clients are known in advance, setting it limits the forwarded service's exposure to those addresses only
Input Port Range: The range of ports to forward to the destination IP. These will be the port(s) specified when accessing the port forward. These ports need not be the same as the output port range.
Protocol: The protocol of the data being forwarded. The options are TCP or UDP
Output Address: The target of the port forward. This is an address on the internal network where packets sent to the Input Interface on the input port range are sent.
Output Port Range: The port or ports that the packets will be redirected to on the Output Address.
For example, to forward port 8443 to an internal HTTPS server on 192.168.10.2, the following settings would be used:
Input Interface: Any
Input Port Range: 8443
Protocol: TCP
Output Address: 192.168.10.2
Output Port Range: 443
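The following is an added illustration of the packet translation described in 5.8.1 (IP masquerading / SNAT) and 5.8.3 (port forwarding); it is not code from the console server or from Black Box. The addresses, the internal network, the first SNAT source port (40000) and the simplified connection-tracking keys are all constructed for the example. It reproduces the page's 8443 to 192.168.10.2:443 forward and shows why an unsolicited external packet reaches no internal host unless a forward exists.

```python
"""Toy model of IP masquerading (SNAT) and port forwarding (DNAT) on the
console server's external interface.  Added example, not vendor code.
Assumed: external address 203.0.113.5, internal net 192.168.10.0/24,
SNAT source ports handed out from 40000 upwards.
"""
from dataclasses import dataclass, replace
from typing import Dict, List, Optional, Tuple
import ipaddress


@dataclass(frozen=True)
class Packet:
    proto: str   # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int


@dataclass(frozen=True)
class PortForward:
    """One row of the Port Forwarding tab (Input Interface taken as 'Any')."""
    name: str
    proto: str
    input_port: int
    output_addr: str
    output_port: int
    source_addr: Optional[str] = None   # optional CIDR: who may use the forward


class ConsoleServerNAT:
    def __init__(self, internal_net: str, external_ip: str, masquerade: bool = True):
        self.internal_net = ipaddress.ip_network(internal_net)
        self.external_ip = external_ip
        self.masquerade = masquerade
        self.forwards: List[PortForward] = []
        self._next_port = 40000   # assumed first source port used by SNAT
        # outbound flow -> source port assigned on the external address
        self._by_flow: Dict[Tuple[str, str, int, str, int], int] = {}
        # (proto, external port, peer addr, peer port) -> original (host, port)
        self._by_nat: Dict[Tuple[str, int, str, int], Tuple[str, int]] = {}

    def add_port_forward(self, pf: PortForward) -> None:
        self.forwards.append(pf)

    def outbound(self, pkt: Packet) -> Packet:
        """Internal -> external.  With masquerading, the source becomes the
        external address plus a per-connection source port, so two internal
        hosts using the same local port do not collide."""
        if ipaddress.ip_address(pkt.src) not in self.internal_net:
            raise ValueError("outbound() expects a packet from the internal network")
        if not self.masquerade:
            # Plain forwarding: the external network must route internal_net
            # back to the console server, or replies never arrive.
            return pkt
        key = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if key not in self._by_flow:
            nat_port = self._next_port
            self._next_port += 1
            self._by_flow[key] = nat_port
            self._by_nat[(pkt.proto, nat_port, pkt.dst, pkt.dport)] = (pkt.src, pkt.sport)
        return replace(pkt, src=self.external_ip, sport=self._by_flow[key])

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """External -> external address.  A reply to a tracked flow is
        un-SNATed; a packet hitting a port forward is DNATed; anything else
        is not delivered to any internal host (returns None)."""
        if pkt.dst != self.external_ip:
            raise ValueError("inbound() expects a packet to the external address")
        key = (pkt.proto, pkt.dport, pkt.src, pkt.sport)
        if key in self._by_nat:
            host, port = self._by_nat[key]
            return replace(pkt, dst=host, dport=port)
        for pf in self.forwards:
            if pf.proto != pkt.proto or pf.input_port != pkt.dport:
                continue
            if pf.source_addr and ipaddress.ip_address(pkt.src) not in \
                    ipaddress.ip_network(pf.source_addr, strict=False):
                continue   # Source Address restriction on the forward
            return replace(pkt, dst=pf.output_addr, dport=pf.output_port)
        return None


def demo():
    """The page's 8443 -> 192.168.10.2:443 forward on constructed addresses."""
    nat = ConsoleServerNAT("192.168.10.0/24", "203.0.113.5")
    nat.add_port_forward(PortForward("https", "tcp", 8443, "192.168.10.2", 443))
    # two internal hosts happen to pick the same local source port
    a = nat.outbound(Packet("tcp", "192.168.10.2", 51000, "198.51.100.7", 443))
    b = nat.outbound(Packet("tcp", "192.168.10.3", 51000, "198.51.100.7", 443))
    reply_a = nat.inbound(Packet("tcp", "198.51.100.7", 443, "203.0.113.5", a.sport))
    unsolicited = nat.inbound(Packet("tcp", "198.51.100.9", 4444, "203.0.113.5", 22))
    via_forward = nat.inbound(Packet("tcp", "198.51.100.9", 4444, "203.0.113.5", 8443))
    return a, b, reply_a, unsolicited, via_forward
```

Replies are matched against the tracked flows before the port forwards are consulted, which is the order a stateful NAT uses; the `source_addr` field shows the effect of filling in Source Address on a forward rather than leaving it blank.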

5.8.4 Firewall rules

Firewall rules can be used to block or allow traffic through an interface based on port number, the source and/or destination IP address (range), the direction (ingress or egress) and the protocol. This can be used to allow custom on-box services, or block traffic based on policy.
To setup a firewall rule:
Navigate to the System: Firewall page, and click on the Firewall Rules tab
Click New Firewall Rule
Fill in the following fields:
Name: Name the rule. This name should describe the policy the firewall rule is being used to implement (e.g. block ftp, Allow Tony)
Interface: Select the interface that the firewall rule will be applied to (i.e. Any, Dialout/Cellular, VPN, Network Interface, Dial-in etc.)
Port Range: Specify the Port or range of Ports (e.g. 1000 – 1500) that the rule will apply to. This may be left blank for Any
Source Address Range: Specify the source IP address (or address range) to match. IP address ranges use the format ip/netmask (where netmask is in bits 1-32). This may be left blank for Any
Destination Range: Specify the destination IP address/address range to match. IP address ranges use the format ip/netmask (where netmask is in bits 1-32). This may be left blank for Any
Protocol: Select if the firewall rule will apply to TCP or UDP
Direction: Select the traffic direction that the firewall rule will apply to (Ingress = incoming, Egress = outgoing)
Action: Select the action (Accept or Block) that will be applied to the packets detected that match the Interface + Port Range + Source/Destination Address Range + Protocol + Direction
For example, to block all SSH traffic from leaving the Dialout interface, the following settings can be used:
Interface: Dialout/Cellular
Port Range: 22
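An added illustration of how the 5.8.4 rule fields combine to accept or block a flow; this is not the console server's own matching code. Three points the page does not state are assumed here: rules are checked in list order and the first match decides, a flow matching no rule is accepted, and Port Range is compared against the flow's destination port. The rule list contains the page's "block SSH leaving Dialout" example plus one constructed accept rule for a management subnet placed ahead of it; `parse_port_range` accepts the "1000 – 1500" form shown in the field description.

```python
"""Evaluate firewall rules of the kind configured on the Firewall Rules tab.
Added example, not vendor code.  Assumed: first matching rule wins, default
action is accept, Port Range applies to the destination port.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple
import ipaddress


def parse_port_range(text: str) -> Optional[Tuple[int, int]]:
    """'' -> None (Any); '22' -> (22, 22); '1000 – 1500' / '1000-1500' -> (1000, 1500)."""
    text = text.strip()
    if not text:
        return None
    parts = [p.strip() for p in text.replace("\u2013", "-").split("-")]
    lo = int(parts[0])
    hi = int(parts[1]) if len(parts) > 1 else lo
    if not (1 <= lo <= hi <= 65535):
        raise ValueError(f"bad port range: {text!r}")
    return (lo, hi)


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                                  # "accept" or "block"
    direction: str                               # "ingress" or "egress"
    protocol: str                                # "tcp" or "udp"
    interface: str = "any"                       # "any", "dialout", "vpn", "eth0", ...
    port_range: Optional[Tuple[int, int]] = None # None = Any
    source: Optional[str] = None                 # "ip/netmask", netmask in bits; None = Any
    destination: Optional[str] = None


@dataclass(frozen=True)
class Flow:
    interface: str
    direction: str
    protocol: str
    src: str
    dst: str
    dport: int


def _addr_in(addr: str, cidr: Optional[str]) -> bool:
    return cidr is None or ipaddress.ip_address(addr) in ipaddress.ip_network(cidr, strict=False)


def matches(rule: Rule, flow: Flow) -> bool:
    """All of Interface + Port Range + Source/Destination + Protocol + Direction must match."""
    return (
        rule.interface in ("any", flow.interface)
        and rule.direction == flow.direction
        and rule.protocol == flow.protocol
        and (rule.port_range is None or rule.port_range[0] <= flow.dport <= rule.port_range[1])
        and _addr_in(flow.src, rule.source)
        and _addr_in(flow.dst, rule.destination)
    )


def evaluate(rules: List[Rule], flow: Flow) -> Tuple[str, Optional[str]]:
    """Return (action, name of the deciding rule); ('accept', None) if nothing matched."""
    for rule in rules:
        if matches(rule, flow):
            return rule.action, rule.name
    return "accept", None


# Constructed rule list: a narrow accept ahead of the page's broad block.
RULES = [
    Rule("Allow mgmt ssh", "accept", "egress", "tcp", "dialout", parse_port_range("22"),
         source="192.168.10.0/24", destination="198.51.100.0/24"),
    Rule("Block ssh egress", "block", "egress", "tcp", "dialout", parse_port_range("22")),
]


def decide(interface: str, direction: str, protocol: str, src: str, dst: str, dport: int) -> str:
    return evaluate(RULES, Flow(interface, direction, protocol, src, dst, dport))[0]
```

Because every field is ANDed, the block rule leaves SSH on other interfaces, in the ingress direction, and over UDP untouched; if the intent is to stop SSH everywhere, the Interface field has to be Any.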